In this post, I would like to share a walkthrough of the Recovery room.

This room is rated as a MEDIUM difficulty machine.

Malware analysis is not really my forte, and I learned a lot from this room. I have tried the Recovery room multiple times, which resulted in different IP addresses in my screenshots later on, and I'm sorry for that.

Let’s Start!

We need to deploy the machine before we can play with it.

Once the machine is fully up (within about 3 minutes), we can start information gathering by running nmap -sC -sV -Pn <IP Address> (-Pn skips host discovery, since the target may not answer pings).

Several ports are open, but the ones that caught my attention are:

  • 22: OpenSSH 7.2p2
  • 80: Apache httpd 2.4.43

We are also given some useful information, such as SSH credentials that we will need along the way. Aside from that, we can track our progress on port 1337.

Let's look at the website.

Oh no! The website has been encrypted, and there is nothing we can do about that for now.

Let's SSH into the machine.

We cannot get a usable session via SSH because the malware has tampered with the machine's login environment.

Let's work around it by running ssh alex@<IP Address> "/bin/bash". Giving ssh a command to run avoids the interactive login shell that the malicious .bashrc hooks, so we get a bare (prompt-less) bash instead.

We now have shell access on the machine via /bin/bash.

From the directory listing, I notice that a .bashrc file is stored there.

Let's rename the file by executing mv .bashrc .bashrc_backup, so that whatever it contains no longer runs at login.

Let's try to log in via SSH again.

Oh wow! We have successfully logged in, without the error message that appeared before.

However, you may still get disconnected from the machine; we will need to investigate that later on.

Let's grab the binary from alex's home directory with scp alex@<IP Address>:fixutil .

We need to make sure the file cannot run on our own machine before analyzing it (for example, remove its execute bit with chmod -x fixutil).

We need to analyze the fixutil file, where we may discover something important for getting everything back to normal.

While scrolling through the file, we find the malicious code that was added to .bashrc (the file we renamed to .bashrc_backup earlier) and that needs to be deleted from it.

There is a line that executes a bash script at /opt/brilliant_script.sh. Let's grab that file as well so we can analyze it further.

As before, remove the execute bit so the script cannot affect our own machine.

We can see the script that is saved in brilliant_script.sh.

We need to clear the content of the file on the target and replace it with the content below, which creates a setuid-root copy of bash that we can use to get root later:

#!/bin/bash
# Copy bash to /bin/shell and mark it setuid; when the script is run as root,
# /bin/shell becomes a root-owned setuid binary we can use with "shell -p".
cp /bin/bash /bin/shell
chmod +x /bin/shell
chmod u+s /bin/shell

We have to save the file so that the change takes effect the next time the script is run.

We need to analyze the malware binary using radare2.

* Reminder: there are many tools for this, such as IDA Pro, Ghidra and so on. I plan to use radare2 here.

We need to run r2 fixutil and then the following commands (pdg is the Ghidra decompiler, which requires the r2ghidra plugin to be installed):

> aaaa    # analyse everything: functions, references, strings
> s main  # seek to the main function
> pdg     # print the decompiled function (r2ghidra)

It will look like the screenshot above.

While analyzing the binary, I notice a process in which the old, legitimate library is copied to /tmp/logging.so and then renamed to oldliblogging.so.

After that, the malware adds malicious code to the current liblogging.so.

What we need to do now is restore the original by copying oldliblogging.so back over the current liblogging.so.

I also notice that an SSH key is added to the authorized keys in the /root/.ssh directory, which needs to be deleted.

Next, open the passwd file with nano /etc/passwd and remove the entry for the "security" user, which looks like the screenshot above.

We also need to give alex ALL privileges in /etc/sudoers so that we can get root access.

To access the machine as root, run sudo shell and then shell -p (the -p flag stops bash from dropping the privileges granted by the setuid bit on /bin/shell).

Let's find the malware's key so that we can restore the website.

To do that, go to /opt/.fiixutil, where a backup.txt file is saved.

That gives us the key to decrypt the files.

The files that need decrypting are in /usr/local/apache2/htdocs.

We transfer all the files to our own machine to make decryption easier. First, run tar -cvf backup.tar * in that directory to pack everything into a tar archive.

Once that has completed, we can use the method below:

  • On our own machine: run nc -lvp <port> > backup.tar
  • On the target machine: run nc <our IP Address> <port> < backup.tar

It should look like the screenshot above.

Let's extract the tar file (tar -xvf backup.tar) so that we can decrypt those files.

For this purpose, I will use CyberChef's XOR recipe with the key we just found. Aside from that, I use UTF-8 for the output; the encrypted file is uploaded in the Input section. Make sure the key type selected in the recipe matches how the key is stored in backup.txt, otherwise the output will be garbage.

Clear the content of the file and replace it with the decrypted content so that the file is clean.

You will need to repeat the same process for the remaining 2 files that need decrypting.
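As an added example (not code from the original post, which used CyberChef), the same repeating-key XOR can be done offline with a short Python script: it reads the key from backup.txt, decrypts each extracted file and writes the plaintext back, keeping a copy of the ciphertext. It assumes the key is stored as a single line of plain text in backup.txt and that the recovered pages are UTF-8 HTML; the key and page used for the self-check are constructed, not the room's.

```python
"""Decrypt the XOR-encrypted htdocs files offline (added example, not the post's own code)."""
import sys
from pathlib import Path


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: byte i of data is XORed with key[i % len(key)].
    XOR is its own inverse, so the same function encrypts and decrypts."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decrypt_to_text(ciphertext: bytes, key: bytes) -> str:
    """Decrypt and decode as UTF-8 (the CyberChef output setting used in the post).
    A wrong key, or a key read with the wrong type (text vs hex), usually
    surfaces here as a UnicodeDecodeError or as output that is not HTML."""
    return xor_bytes(ciphertext, key).decode("utf-8")


def looks_like_html(text: str) -> bool:
    """Cheap sanity check that the recovered page is what we expect."""
    lowered = text.lower()
    return "<html" in lowered or "<!doctype html" in lowered


def read_key(key_file: Path) -> bytes:
    """Assumption: backup.txt holds the key as one line of plain text."""
    return key_file.read_text(encoding="utf-8").strip().encode("utf-8")


def restore_file(path: Path, key: bytes) -> str:
    """Overwrite an extracted file with its plaintext; keep the ciphertext as <name>.enc."""
    ciphertext = path.read_bytes()
    text = decrypt_to_text(ciphertext, key)
    if not looks_like_html(text):
        raise ValueError(f"{path}: decrypted output does not look like HTML, check the key")
    path.with_name(path.name + ".enc").write_bytes(ciphertext)
    path.write_text(text, encoding="utf-8")
    return text


# Constructed sample (hypothetical key and page) used for a self-check; not the room's key.
SAMPLE_KEY = b"hypothetical-key"
SAMPLE_PAGE = "<html><body><h1>Recovered page</h1></body></html>\n"
SAMPLE_CIPHERTEXT = xor_bytes(SAMPLE_PAGE.encode("utf-8"), SAMPLE_KEY)


if __name__ == "__main__":
    # usage: python3 xor_restore.py backup.txt index.html [more files...]
    if len(sys.argv) < 3:
        sys.exit("usage: xor_restore.py <key file> <encrypted file>...")
    key = read_key(Path(sys.argv[1]))
    for name in sys.argv[2:]:
        restore_file(Path(name), key)
        print(f"restored {name}")
```

Run it once per extracted file (or pass all three at once); the HTML check stops you from overwriting a file with garbage when the key was read with the wrong type.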

When you have finished replacing the content of the files, you will see the website interface as shown above (refresh the affected page first).

On <IP Address>:1337, click the refresh button and all the flags will appear for you to enter in the room.

Extra Work!

Delete all the affected files on the machine to ensure it is clean of any malicious code.
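As an added example, not part of the original post, here is a small Python audit of the persistence the walkthrough removed by hand: the extra account in /etc/passwd, the line in .bashrc that runs /opt/brilliant_script.sh, the key file in /root/.ssh and the /bin/shell setuid copy we created ourselves. The passwd and .bashrc samples are constructed; the assumption that the "security" account was given UID 0 is mine (the post only says it must be removed), and the marker list is a parameter you can extend.

```python
"""Verify the clean-up after the Recovery room (added example, not the post's own code)."""
import os
import stat
from typing import List, Tuple

# Constructed sample of /etc/passwd with an attacker-added account.
# Assumption: the "security" user was created with UID 0 (a root-equivalent backdoor).
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alex:x:1000:1000:alex:/home/alex:/bin/bash
security:x:0:0::/root:/bin/bash
"""

# Constructed sample of alex's .bashrc with the malicious line appended at the end.
SAMPLE_BASHRC = """# ~/.bashrc
case $- in
    *i*) ;;
      *) return;;
esac
alias ll='ls -alF'
/opt/brilliant_script.sh
"""

DEFAULT_MARKERS = ("/opt/brilliant_script.sh",)


def uid0_accounts(passwd_text: str) -> List[str]:
    """Every account other than root whose UID field is 0."""
    extra = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:          # skip blank or malformed lines
            continue
        name, uid = fields[0], fields[2]
        if uid == "0" and name != "root":
            extra.append(name)
    return extra


def remove_account(passwd_text: str, name: str) -> str:
    """Drop the passwd entry for `name` (what the post does by hand in nano)."""
    kept = [l for l in passwd_text.splitlines() if l.split(":")[0] != name]
    return "\n".join(kept) + "\n"


def suspicious_bashrc_lines(bashrc_text: str, markers=DEFAULT_MARKERS) -> List[Tuple[int, str]]:
    """(line number, line) for every line that references a known marker."""
    hits = []
    for number, line in enumerate(bashrc_text.splitlines(), start=1):
        if any(marker in line for marker in markers):
            hits.append((number, line))
    return hits


def clean_bashrc(bashrc_text: str, markers=DEFAULT_MARKERS) -> str:
    """Return the .bashrc with the marker lines removed."""
    flagged = {number for number, _ in suspicious_bashrc_lines(bashrc_text, markers)}
    kept = [l for n, l in enumerate(bashrc_text.splitlines(), start=1) if n not in flagged]
    return "\n".join(kept) + "\n"


def is_setuid_root(path: str) -> bool:
    """True if path exists, is owned by UID 0 and has the setuid bit (e.g. /bin/shell)."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False
    return st.st_uid == 0 and bool(st.st_mode & stat.S_ISUID)


if __name__ == "__main__":
    # Run as root on the recovered box after the manual fixes; every line should be empty/False.
    with open("/etc/passwd") as f:
        print("extra UID 0 accounts:", uid0_accounts(f.read()))
    with open("/home/alex/.bashrc") as f:
        print("bashrc hits:", suspicious_bashrc_lines(f.read()))
    print("/root/.ssh/authorized_keys present:", os.path.exists("/root/.ssh/authorized_keys"))
    print("/bin/shell is setuid root:", is_setuid_root("/bin/shell"))
```

The text-parsing functions work on copies of the files as well, so you can run them against the backups you pulled off the box before and after the fix and compare the output.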

-The End-

Happy Learning Guys!

By Wan Ariff

He has working experience in the Information Security field, specializing in Penetration Testing and Digital Forensics. His passion is IT Security.
