TryHackMe: Event Horizon
Event Horizon simulates the investigation of a breach involving email compromise, phishing and deployment of the Covenant C2 framework. The attack sequence was a phishing email carrying a malicious PowerShell script disguised as a black hole mass calculator, with a Covenant C2 binary hidden inside it. The investigation combined pcap analysis with extraction of the initial AES key from that binary; CovenantDecryptor used the key to decrypt the stage 1 C2 traffic, and decrypting the stage 2 traffic revealed the Administrator NTLM hash.
Objective 1
The attacker was able to find the correct pair of credentials for the email service. What were they?
We are given two files to analyze: powershell.DMP and traffic.pcapng. Opening the pcapng in Wireshark, I apply the filter pop || smtp to look for any brute force against the mail service. Noticing base64 data, I follow the TCP stream, which reveals AUTH LOGIN details that, once decoded, give us the answer.
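The AUTH LOGIN decoding above can be scripted instead of done by hand. The following is an added example, not code from the room or the write-up: it walks a reconstructed SMTP stream (a constructed sample; the host name and credentials are invented), records every authentication attempt whether it used AUTH LOGIN (username prompted or sent inline) or AUTH PLAIN, and returns the pair the server accepted with a 235 reply. The reply codes and the base64 prompts (VXNlcm5hbWU6 = "Username:", UGFzc3dvcmQ6 = "Password:") are the standard ones from RFC 4954.

```python
import base64
from typing import List, Optional, Tuple

# Constructed sample of one reconstructed SMTP session, in the shape Wireshark's
# "Follow TCP Stream" shows it: ('C', line) is client -> server, ('S', line) is
# server -> client. Host names and credentials here are invented for this example.
SAMPLE_STREAM: List[Tuple[str, str]] = [
    ("S", "220 mail.example.test ESMTP ready"),
    ("C", "EHLO attacker-box"),
    ("S", "250-mail.example.test"),
    ("S", "250 AUTH LOGIN PLAIN"),
    ("C", "AUTH LOGIN"),
    ("S", "334 VXNlcm5hbWU6"),                                   # "Username:"
    ("C", base64.b64encode(b"alice").decode()),
    ("S", "334 UGFzc3dvcmQ6"),                                   # "Password:"
    ("C", base64.b64encode(b"winter2023").decode()),
    ("S", "535 5.7.8 Authentication credentials invalid"),
    ("C", "AUTH PLAIN " + base64.b64encode(b"\x00alice\x00letmein").decode()),
    ("S", "535 5.7.8 Authentication credentials invalid"),
    ("C", "AUTH LOGIN " + base64.b64encode(b"alice").decode()),  # username sent inline
    ("S", "334 UGFzc3dvcmQ6"),
    ("C", base64.b64encode(b"Sup3rS3cret!").decode()),
    ("S", "235 2.7.0 Authentication successful"),
]

Attempt = Tuple[str, str, str, str]   # (mechanism, username, password, outcome)


def b64_text(token: str) -> str:
    """Decode a base64 token to text; return it unchanged if it is not valid base64."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except (ValueError, UnicodeDecodeError):
        return token


def split_plain(token: str) -> Tuple[str, str]:
    """AUTH PLAIN carries base64([authzid] NUL authcid NUL password); keep the last two."""
    fields = b64_text(token).split("\x00")
    return fields[-2], fields[-1]


def parse_auth_attempts(stream: List[Tuple[str, str]]) -> List[Attempt]:
    """Walk the stream and record every authentication attempt with the server's verdict."""
    attempts: List[Attempt] = []
    mech = user = pwd = ""
    expect: Optional[str] = None   # next client line: user / pass / plain / verdict
    for direction, line in stream:
        if direction == "C":
            parts = line.split()
            if len(parts) >= 2 and parts[0].upper() == "AUTH":
                mech = parts[1].upper()
                initial = parts[2] if len(parts) > 2 else None
                if mech == "PLAIN":
                    if initial:
                        user, pwd = split_plain(initial)
                        expect = "verdict"
                    else:
                        expect = "plain"
                elif mech == "LOGIN":
                    if initial:
                        user, expect = b64_text(initial), "pass"
                    else:
                        expect = "user"
            elif expect == "user":
                user = b64_text(line)
            elif expect == "pass":
                pwd, expect = b64_text(line), "verdict"
            elif expect == "plain":
                (user, pwd), expect = split_plain(line), "verdict"
        else:
            code = line[:3]
            if code == "334":
                # Server challenge: base64 "Username:" / "Password:" for LOGIN, empty for PLAIN.
                prompt = b64_text(line[4:]).lower() if len(line) > 4 else ""
                if prompt.startswith("password"):
                    expect = "pass"
                elif prompt.startswith("username"):
                    expect = "user"
            elif expect == "verdict" and code in ("235", "535", "454", "501"):
                attempts.append((mech, user, pwd, "success" if code == "235" else "failure"))
                mech = user = pwd = ""
                expect = None
    return attempts


def find_valid_credentials(attempts: List[Attempt]) -> Optional[Tuple[str, str]]:
    """Return the (username, password) pair the server accepted, if any."""
    for _mech, user, pwd, outcome in attempts:
        if outcome == "success":
            return user, pwd
    return None


if __name__ == "__main__":
    found = parse_auth_attempts(SAMPLE_STREAM)
    for attempt in found:
        print(attempt)
    print("failed attempts:", sum(1 for a in found if a[3] == "failure"))
    print("valid credentials:", find_valid_credentials(found))
```

A run of 535 replies followed by a single 235 from the same client is the brute-force signature to look for in a real capture; feeding the parser the stream text that tshark's -z follow or Wireshark's stream export produces, split by direction, is all that changes.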
Objective 2
What was the body of the email that was sent by the attacker?
Inspecting the same stream that gave us the email address and password, we get the contents of the email.
Objective 3
What command initiated the malicious script download?
Using the same result packet, following the TCP stream and scrolling down further, we see another block of base64-encoded data. Decoding it gives the command at the end of the script. The malicious file downloaded is radius.ps1.
Objective 4
What is the initial AES key that is used for decrypting the C2 traffic?
To find the AES key we need to analyze the malicious script radius.ps1. Inside the script a base64 payload is decoded and run in memory.
Next I use CyberChef to decode the blob and apply the Raw Inflate recipe to reverse the compression. The result is an executable, identified by the MZ magic bytes. Saving the output to a file, I obtain its MD5 hash.
$ md5sum script.bin
124573df9de2b4ed8b7973ff25d2b33a script.bin
Uploading the file to VirusTotal shows it is a known malicious sample in the wild and is related to Covenant.
The binary is a .NET assembly, so I open it in dnSpy to decompile it and locate the initial AES key inside the assembly.
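The CyberChef steps (base64 decode, Raw Inflate, check the MZ bytes, hash the file) are what this added Python example automates; it is not code from the room or the write-up. It builds a constructed stand-in for the dropped binary (a minimal PE skeleton, not a real executable) and a constructed loader script in the shape described above, then extracts the base64 literal, reverses the DEFLATE compression, validates the MZ/PE header chain rather than trusting the first two bytes, flags the .NET markers and hashes the result for a VirusTotal lookup. The magic-byte table also covers the image formats, which is the same check that identifies the screenshot that later comes back through the C2 channel.

```python
import base64
import hashlib
import re
import struct
import zlib
from typing import Dict, List

# Constructed stand-in for the dropped binary: a minimal PE skeleton (MZ header, e_lfanew
# pointing at a "PE\0\0" signature) padded with strings a .NET executable carries. It is
# not a real executable and not the sample from the room.
FAKE_PE = (
    b"MZ" + b"\x90" * 0x3A + struct.pack("<I", 0x40)      # DOS header, e_lfanew = 0x40
    + b"PE\x00\x00" + b"\x00" * 60                          # PE signature + padding
    + b"BSJB" + b"\x00" * 20                                # .NET metadata signature
    + b"mscoree.dll\x00_CorExeMain\x00" + b"\x00" * 120
)


def deflate_raw(data: bytes) -> bytes:
    """Raw DEFLATE (no zlib header), the framing .NET's DeflateStream writes."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return comp.compress(data) + comp.flush()


# Constructed PowerShell loader in the shape the write-up describes: base64 blob,
# FromBase64String, DeflateStream, then load the bytes in memory.
SAMPLE_SCRIPT = (
    "# black hole mass calculator\n"
    "$payload = '" + base64.b64encode(deflate_raw(FAKE_PE)).decode() + "'\n"
    "$raw = [Convert]::FromBase64String($payload)\n"
    "$ms = New-Object IO.MemoryStream(,$raw)\n"
    "$ds = New-Object IO.Compression.DeflateStream($ms, [IO.Compression.CompressionMode]::Decompress)\n"
    "$out = New-Object IO.MemoryStream; $ds.CopyTo($out)\n"
    "[Reflection.Assembly]::Load($out.ToArray()) | Out-Null\n"
)

# Magic bytes worth recognising in this investigation: the stage-0 executable is handled
# separately below; these are the image formats a screenshot could come back as.
MAGIC = [
    (b"\x89PNG\r\n\x1a\n", "PNG image"),
    (b"\xff\xd8\xff", "JPEG image"),
    (b"GIF87a", "GIF image"),
    (b"GIF89a", "GIF image"),
    (b"BM", "BMP image"),
]

B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{40,}={0,2})['\"]")


def extract_base64_literals(script: str) -> List[str]:
    """Pull quoted base64-looking string literals out of a PowerShell script."""
    return B64_LITERAL.findall(script)


def decode_payload(blob_b64: str) -> bytes:
    """Base64-decode, then raw-inflate; fall back to the plain bytes if they were not deflated."""
    raw = base64.b64decode(blob_b64)
    try:
        return zlib.decompress(raw, -15)
    except zlib.error:
        return raw


def identify(blob: bytes) -> str:
    """Name the file type from its magic bytes, validating the PE header chain for MZ files."""
    if blob[:2] == b"MZ" and len(blob) >= 0x40:
        e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
        if blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "PE executable"
        return "MZ header without PE signature"
    for magic, name in MAGIC:
        if blob.startswith(magic):
            return name
    return "unknown"


def looks_dotnet(blob: bytes) -> bool:
    """Heuristic: the CLR metadata signature or the CLR loader imports are present."""
    return b"BSJB" in blob or b"mscoree.dll" in blob or b"_CorExeMain" in blob


def md5_hex(blob: bytes) -> str:
    return hashlib.md5(blob).hexdigest()


def analyze_script(script: str) -> List[Dict[str, object]]:
    """Decode every embedded blob and report what it is, ready for a VirusTotal hash lookup."""
    results = []
    for literal in extract_base64_literals(script):
        blob = decode_payload(literal)
        results.append({
            "type": identify(blob),
            "dotnet": looks_dotnet(blob),
            "size": len(blob),
            "md5": md5_hex(blob),
        })
    return results


if __name__ == "__main__":
    for finding in analyze_script(SAMPLE_SCRIPT):
        print(finding)
```

Pointing analyze_script at the text of radius.ps1 reproduces the CyberChef workflow in one step; a blob that decodes to "MZ header without PE signature" is worth a second look, since the first two bytes alone are not enough to call something an executable.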
Objective 5
What is the Administrator NTLM hash that the attacker found?
Looking back at the VirusTotal results, the threat is related to Covenant, and after a little research I come across CovenantDecryptor, which is designed to decrypt Covenant communication. The following section from the CovenantDecryptor repository shows how the Covenant communication is set up.
The Covenant communication initialization consists of 3 stages :
Stage0 :
The infected agent initiates an RSA session by transmitting a public key encrypted using the SetupAESKey, which is embedded in a malicious executable. Before sending, it formats the text as described in GruntHTTPStager with the type set to 0.
The C2 transfers a SessionKey, encrypted with the RSA public key, for subsequent communication.
Stage1 :
The infected agent employs the SetupAESKey to decrypt the message, and then leverages the RSA private key to decrypt the SessionKey. Afterwards, it encrypts 4 randomly generated bytes with the SessionKey and transmits them. Before sending, it formats the text as described in GruntHTTPStager with the type set to 1.
The C2 decrypts the 4 bytes using the SessionKey, appends 4 additional randomly generated bytes and transfers the resulting 8 bytes data to the infected agent.
Stage2 :
The infected agent decrypts the 8 bytes with the SessionKey. Subsequently, it checks if the first 4 bytes match the data it had previously transmitted, and proceeds to transfer the last 4 bytes back to the C2. Before sending, it formats the text as described in GruntHTTPStager with the type set to 2.
The C2 decrypts the 4 bytes and verifies if they correspond to those it had transmitted earlier.
Once verification is complete, data can be exchanged.
CovenantDecryptor is composed of two utilities. The extract_privatekey script retrieves the p and q primes from a minidump file to construct an RSA private key by employing the public modulus. The decrypt_covenant_traffic script consists of 3 commands modulus, key and decrypt. The first command extracts the modulus from Covenant communication, while the second recovers the AES key used for encrypting data traffic. Lastly, the third command decrypts the traffic.
Based on this we need three inputs: the data traffic from the capture file, the AES key embedded in the stage0 binary, and a minidump of an infected process.
Using tshark I extract only the POST bodies from the traffic and run the script to extract the modulus from the stage0 request. (Reading a capture file does not need root, which is why tshark warns about running as root below.)
$ sudo tshark -r traffic.pcapng -Y "http.request.method == POST" -T fields -e http.file_data > post.txt
Running as user "root" and group "root". This could be dangerous.
$ python3 decrypt_covenant_traffic.py modulus -i post.txt -k "l86TfRDvvJMtXWxr1PSoh1QlXHnZnLwn+wz+aYy3/s8=" -t base64
[+] Modulus:
2359835709774825745900152219327961579009824307743421199028503565003741685455748715304154383914587350436466126025825814598219604759360083896815994236571060022963203822068358835529285726982762762944153134013823247990317000351776723212385566948054937558535150506193211253701878984992093190251545741138372954862657873224149288482108172230406673971344452247271166682949433938495011408926510346160924628718625242381235316290101241607397954905888656721977303035450667162034069936769233167089445050800647382970977763373978005505783016076495253310671756574752453041609293947183920997750937961446668047939943763171676796658210
[+] Exponent: 65537
The next step is to retrieve the RSA private key from the minidump of the infected Covenant process, using the modulus we just extracted (saved in mod.txt). The tool walks every (p, q) pair it can locate and keeps the one whose product is the modulus:
$ python3 extract_privatekey.py -i powershell.DMP -m $(cat mod.txt) -o /home/iam/evidence-horizon
[-] A pair of P and Q were located, but they do not match the modulus.
[-] A pair of P and Q were located, but they do not match the modulus.
[-] A pair of P and Q were located, but they do not match the modulus.
[-] A pair of P and Q were located, but they do not match the modulus.
[+] Saved private key /home/iam/evidence-horizon/privkey1.pem
The next step is to recover the SessionKey from the stage0 response of the Covenant C2.
$ python3 decrypt_covenant_traffic.py key -i test.txt --key "l86TfRDvvJMtXWxr1PSoh1QlXHnZnLwn+wz+aYy3/s8=" -t base64 -r /home/iam/evidence-horizon/privkey1.pem -s 1
[+] New AES key : 17cd8c53d0b0646186818913c140a201bb5cafee871e9e61ad94cb56614b2751
With the session key we can now decrypt the Covenant communication with the decrypt command, which gives us the Administrator NTLM hash.
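The stage description and the two tool steps above (locate the p and q in the minidump that match the extracted modulus, then unwrap the SessionKey from the stage0 response) can be reproduced in miniature. The following is an added example, not the CovenantDecryptor code: it generates a 512-bit RSA key pair, plants it in a constructed byte buffer next to a stale decoy key under a hypothetical RSAP blob layout (the real tool parses the runtime's own key structures in the dump; only the p*q == N check is the same), recovers d, and unwraps a session key with textbook RSA. The SetupAESKey layer over the stage0 messages and Covenant's OAEP padding are left out; they change the bytes on the wire, not the recovery logic.

```python
import random
import struct
from typing import List, Optional, Tuple

random.seed(2024)   # fixed seed so the constructed dump is reproducible

E = 65537
PRIME_BITS = 256    # 512-bit modulus: quick to generate in pure Python, same logic as 2048-bit


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin, with trial division by small primes first."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int) -> int:
    """Random prime with the top bit set; (p-1) coprime to E so the private exponent exists."""
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand) and (cand - 1) % E != 0:
            return cand


# Hypothetical in-memory layout for this example: magic | u16 byte length | p | q (big-endian).
BLOB_MAGIC = b"RSAP"


def key_blob(p: int, q: int) -> bytes:
    plen = (max(p, q).bit_length() + 7) // 8
    return BLOB_MAGIC + struct.pack(">H", plen) + p.to_bytes(plen, "big") + q.to_bytes(plen, "big")


def find_private_exponent(dump: bytes, n: int, e: int = E) -> Tuple[Optional[int], List[str]]:
    """Scan the dump for (p, q) pairs; return d for the pair whose product is the modulus."""
    log: List[str] = []
    pos = dump.find(BLOB_MAGIC)
    while pos != -1 and pos + 6 <= len(dump):
        plen = struct.unpack_from(">H", dump, pos + 4)[0]
        start = pos + 6
        p = int.from_bytes(dump[start:start + plen], "big")
        q = int.from_bytes(dump[start + plen:start + 2 * plen], "big")
        if p > 1 and q > 1 and p * q == n:
            log.append("[+] P and Q match the modulus")
            return pow(e, -1, (p - 1) * (q - 1)), log
        log.append("[-] A pair of P and Q were located, but they do not match the modulus.")
        pos = dump.find(BLOB_MAGIC, pos + 1)
    return None, log


def rsa_wrap_session_key(key: bytes, e: int, n: int) -> int:
    """Stage0 response in miniature: the C2 encrypts the AES SessionKey with the agent's public key."""
    return pow(int.from_bytes(key, "big"), e, n)


def recover_session_key(wrapped: int, d: int, n: int, key_len: int = 32) -> bytes:
    """What the 'key' command does once the private key is known."""
    return pow(wrapped, d, n).to_bytes(key_len, "big")


def random_bytes(n: int) -> bytes:
    return random.getrandbits(8 * n).to_bytes(n, "big")


# --- constructed scenario: two key pairs in "process memory", one stale decoy and the one
# --- the agent actually used (its modulus is what the stage0 request carries).
DECOY_P, DECOY_Q = gen_prime(PRIME_BITS), gen_prime(PRIME_BITS)
P, Q = gen_prime(PRIME_BITS), gen_prime(PRIME_BITS)
N = P * Q
SESSION_KEY = random_bytes(32)
WRAPPED_SESSION_KEY = rsa_wrap_session_key(SESSION_KEY, E, N)
DUMP = (random_bytes(300) + key_blob(DECOY_P, DECOY_Q)
        + random_bytes(300) + key_blob(P, Q) + random_bytes(300))

if __name__ == "__main__":
    d, messages = find_private_exponent(DUMP, N)
    print("\n".join(messages))
    if d is not None:
        print("[+] New AES key :", recover_session_key(WRAPPED_SESSION_KEY, d, N).hex())
```

The mismatch lines mirror the tool's output above: every key structure in the dump is a candidate, and only the modulus from the stage0 request tells the stale pairs apart from the live one. Once d is known, the SessionKey falls out of the stage0 response and every later stage decrypts with it.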
Objective 6
What is the flag?
In the decrypted communication, message 972 contains a large chunk of base64-encoded data. Decoding it in CyberChef, the magic bytes show it is an image; the Render Image recipe reveals a capture of the desktop, with the final flag at the bottom.