Learning the craft of malware analysis requires for a lab to be built that allows for the malicious binaries and files to be safely analyzed and executed. This lab often involved multiple virtual machines that are able to interact with each other but not with any other computers on the network where the host OS resides or with the Internet, this means that it is necessary to create an isolated network that only those virtual machines can reach.
VirtualBox is one of the most common hypervisors that are used since it's free and runs in the most popular operating systems, it also has the features to configure the network that the virtual machines can use and generate snapshots of the virtual machine state.
In this post, the creation of the lab that uses VirtualBox and an isolated network is detailed. For the network configuration, the Internal Network is used and a DHCP server is configured in VirtualBox to hand out the IP addresses to the hosts, this is where this lab varies from other setups that I've seen.
During a penetration testing engagement it may be necessary to extract files from a target host, though many tools exist for this job, there may be instances where interaction with the host is done only via a reverse shell and this can limit the available options.
This post goes over one method that can be used, which leverages the usage of the
Invoke-WebRequest cmdlet in order to send data by using HTTP POST requests to send Base64 encoded data in the body of the request.
Having the possibility of including code within a file allows for certain tasks to be carried out when handling documents. Whether that is to enhance the content or to process data within the document. However, having this feature has been abused by malicious actors for a long time and little can be done to mitigate this attack vector without removing the functionality from the document.
Microsoft includes the ability to embed Visual Basic for Applications code within Office documents since 1993 with the first version being implemented in Excel. Allowing the users to record actions to automate working with documents.
Visual Basic for Applications or VBA is based off of Visual Basic 6, which it's Microsoft's event-driven programming language that was discontinued back in 2008. However, the language lives on in VBA and it facilitates automating tasks within Office Documents and also in VBScripts.
There are several commands and tools that can be used to establish a shell connection between hosts, on that is very useful in multiple ways is socat. There are several benefits to using socat over netcat, one being the ability of stabilizing the shell from the start and not having to run through a sequence of commands to do so. The only downside to this tool is that it requires the binary to exist in both ends, which might not be common in many cases, but can be easy to move the binary to the target system and start a better reverse shell.
This post covers establishing a shell session between two hosts in Windows and Linux environments, these are the commands I use when working on a Hack The Box machine when I want to use socat. It also covers compiling the binaries for Linux and Windows.
The same code is used for the binaries in either environment, the advantage of this is being able to use the same commands regardless of the environment and not having to remember the difference between one and the other, beside the program being used as the shell.
In Python, an object can be converted into a stream of bytes to allow for moving the object between environments or processes, this is known as serialization and deserialization. The Pickle library can be used in Python for this purpose, however, this is an insecure method that can allow an attacker to obtain remote code execution (RCE) on the target host.
The documentation includes a warning that points to this situation and pointing to the serialized data being processed only for trusted sources
Warning: The pickle module is not secure. Only unpickle data you trust. It is possible to construct malicious pickle data which will execute arbitrary code during unpickling.
There is a difference between how the object is serialized in Python 2 and Python 3, which can present an issue when dealing with applications that use the deprecated Python 2 version. However, the Pickle library in Python 3 is capable of generating a Python 2 compatible serialized object that can be used to generate the payload for these scenarios.
This is another Hack The Box machine that has a web application that has a vulnerability that allows for remote code execution (RCE). There's also a privilege escalation that is achived through a stack buffer overflow and using return oriented programming (ROP) technique.
For the reverse engineering part of the machine, Radare2 is used to analyze the binary and locate all of the necessary aspects.
I wanted to move the /var and /home directories from the MicroSD to a USB flash drive, this because those are the two directories that see much more movement and that could benefit from being moved away from the MicroSD.