I want to share some tips for approaching the Lockpick3.0 challenge.

Sherlock Scenario on Lockpick3.0

The threat actors of the Lockpick variant of Ransomware seem to have increased their skillset. Thankfully on this occasion they only hit a development, non-production server. We require your assistance performing some reverse engineering of the payload in addition to some analysis of some relevant artifacts. Interestingly, we can’t find evidence of remote access so there is likely an insider threat. Good luck! Please note on the day of release this is being utilized for a workshop, however, it will still be available (and free).

Artefacts for Lockpick3.0 challenge

Upon unzipping the file, we discover three items:

  • ubuntu-client – identified as malware.
  • ubuntu-client-Snapshot2.vmem – a memory dump from the developer server.
  • ubuntu-client-Snapshot2.vmsn – a snapshot capturing the developer server’s state.

Resolution for all questions on Lockpick3.0 Sherlock challenge

Task 1 Please confirm the file hash of the malware? (MD5)

After executing the md5sum ubuntu-client command, I obtained the MD5 hash, which was confirmed to be correct.

Answer: a2444b61b65be96fc2e65924dee8febd

Task 2 Please confirm the XOR string utilized by the attacker for obfuscation?

Before starting the memory dump analysis with Volatility3, I opted to run the strings command first. By using strings ubuntu-client-Snapshot2.vmem | grep ubuntu-client, I could pinpoint the command the attacker used to execute the malicious software. The instances of this command were consistent and relatively few.

Answer: xGonnaGiveIt2Ya

Task 3 What is the API endpoint utilized to retrieve the key?

Before proceeding with dynamic analysis, I first tried to gather information about the binary using the strings command. I was looking for clues that might indicate the complete string necessary for performing the XOR operation. Although I didn’t find anything suitable, I did identify two endpoints: /connect and /upload/.

From the results, I gathered that the attacker first performs the XOR operation to retrieve the address and then combines it with the endpoint I found. I then decided to run ubuntu-client in GDB, but my initial attempt failed due to the absence of the libcrypto.so.1.1 library.

I couldn’t find a corresponding package for the libcrypto.so.1.1 library in the apt package manager, so I searched for a method to build it myself. Using the following commands, I successfully downloaded and compiled the missing library:

wget -c https://www.openssl.org/source/openssl-1.1.1s.tar.gz && \
tar xf openssl-1.1.1s.tar.gz && \
cd openssl-1.1.1s/ && \
./config --prefix="/usr/local/openssl" && \
make

Next, I used the LD_LIBRARY_PATH environment variable to specify where GDB should look for the missing dependencies. By running LD_LIBRARY_PATH=$LD_LIBRARY_PATH:openssl-1.1.1s gdb ubuntu-client, I was able to execute the program. For the malware analysis, I utilized a GDB extension called PEDA, which greatly simplifies software analysis. Within GDB, I ran the info functions command to list the functions used by the malicious software. One function that caught my attention was curl_easy_setopt@plt, indicating it was loaded from an external library. According to the documentation, curl_easy_setopt is used to set options, such as the target URL, on a cURL handle before the transfer is performed. I then set a breakpoint on this function's invocation using the command b curl_easy_setopt and began debugging with run xGonnaGiveIt2Ya.

Answer: https://plankton-app-3qigq.ondigitalocean.app/connect

Task 4 What is the API endpoint utilized for the upload of files?

Answer: https://plankton-app-3qigq.ondigitalocean.app/upload/
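To illustrate the deobfuscation step described for Tasks 3 and 4, here is an added Python example (not code from the writeup or from the sample) that recovers a hostname from a repeating-key XOR blob and composes the two endpoints. It assumes the binary applies a plain repeating-key XOR with the Task 2 key; the encoded bytes are constructed in the script itself, standing in for bytes an analyst would copy out of the binary's data section.

```python
"""Repeating-key XOR recovery of a C2 host plus endpoint composition (constructed example)."""

KEY = "xGonnaGiveIt2Ya"                 # key recovered from the memory dump (Task 2)
PATHS = ("/connect", "/upload/")        # path fragments seen with strings (Task 3)
HOST_CHARS = set(b"abcdefghijklmnopqrstuvwxyz0123456789.-")


def xor_bytes(data: bytes, key: bytes, offset: int = 0) -> bytes:
    """Repeating-key XOR; offset selects which key byte lines up with data[0]."""
    return bytes(b ^ key[(i + offset) % len(key)] for i, b in enumerate(data))


def recover_host(blob: bytes, key: str):
    """Decode blob under every key alignment and keep the decoding with the
    highest share of hostname bytes ([a-z0-9.-]). Returns (host, offset).
    Trying all alignments matters when the blob was cut out of a larger
    encoded region and its start does not coincide with the key start."""
    kb = key.encode()
    best, best_score, best_off = b"", -1.0, 0
    for off in range(len(kb)):
        cand = xor_bytes(blob, kb, off)
        score = sum(c in HOST_CHARS for c in cand) / len(cand)
        if score > best_score:          # strict '>' keeps the first best alignment
            best, best_score, best_off = cand, score, off
    return best.decode(errors="replace"), best_off


def recover_endpoints(blob: bytes, key: str, scheme: str = "https") -> list:
    """Combine the recovered host with the known path fragments, as the binary does."""
    host, _ = recover_host(blob, key)
    return [f"{scheme}://{host}{p}" for p in PATHS]


# Constructed sample: the host from the writeup, XOR-encoded with the key at
# alignment 0. In a real case these bytes come from the binary, not from here.
SAMPLE_BLOB = xor_bytes(b"plankton-app-3qigq.ondigitalocean.app", KEY.encode())

if __name__ == "__main__":
    host, off = recover_host(SAMPLE_BLOB, KEY)
    print(f"host={host} (key offset {off})")
    for url in recover_endpoints(SAMPLE_BLOB, KEY):
        print(url)
```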

Task 5 What is the name of the service created by the malware?

This task took me the longest to complete. Initially, I felt confused about why Volatility3 and the other Volatility tools did not process the provided memory dumps correctly. Later, I realized I needed to use additional symbols not included by default in Volatility 3. I began by identifying the kernel version used by the machine that created the dump. I ran the command python3 vol.py -f ../ubuntu-client-Snapshot2.vmem banners and found that Ubuntu used kernel version 5.4.0-163-generic.

After spending some time searching through files without success, I decided to look for a .service file related to the execution of the command ubuntu-client xGonnaGiveIt2Ya.

Answer: ubuntu_running.service

Task 6 What is the technique ID utilized by the attacker for persistence?

This task was straightforward; I entered some keywords and clicked on the second link, which took me to the needed answer.

Answer: T1543.002