HumanTwo: MoveIT IoC Analysis Challenge
The HumanTwo challenge is a malware CTF from the 2023
Huntress CTF. This write-up walks through the initial discovery,
de-obfuscation, and solving of the challenge. The actual flag will be redacted
from the document, but interested parties should be able to follow the steps
and derive it themselves. The write-up assumes a basic familiarity with the
command line and Linux, but most tools and commands are accompanied by short
explanations.
Step 1: Initial Analysis
To start off, we are given an archive with 1000 files named
after their file hash. The hint we are given is that there are minor
differences between each file. We also know that HumanTwo relates to the MoveIT
vulnerability and exploit. The easy way to progress is to look up articles that
tell you about the vulnerability and what stands out in each exploit script.
However, I didn’t do that, so I’ll put the process I followed down instead.
First, because I knew that there were minor differences
between each file from the hint, I ran a “diff” command on some of the files.
We can see that the only difference between these files is
the pass comparison line. After finding this out, I used some basic bash to put
all of the pass comparison lines into a text file.
This gave me a list of all the pass lines. Originally, I
filtered out the unique strings being compared into another file using the
“cut” command. However, this approach isn’t necessary at all and ended up
wasting some time. Instead, we can simply look at the lines printed out from
our Diff.txt file.
As we can see, one line is much longer than the others.
Step 2: Solving
Now that we have this unique string, we can start looking
into what it is. This is the part I struggled with the most, because I tried to
do things in CyberChef instead of just looking into what the format was. After
spending too much time on this, I finally decided to look at the code a little
more.
I noticed that the pass variable that’s being compared was
declared as the value of something called “X-siLock-Step1”, which seemed to be
some kind of web header.
After seeing this, I did a bunch of googling and came across a Mandiant article talking about MoveIT and referencing that X-siLock-Step1 was a 36-character GUID. https://www.mandiant.com/resources/blog/zero-day-moveit-data-theft
This helped out immensely, and I was able to go down a rabbit hole on GUIDs and
what they are. This rabbit hole led to a Stack Overflow answer (where all
internet roads lead) that explained that GUIDs are made of hex digits, which
made a lot of sense, and I wish I had thought about that far earlier.
I put the unique string into CyberChef and converted from
Hex and got the flag!
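The whole procedure from Steps 1 and 2 (diff the near-identical files, isolate the one comparison line that differs, spot the over-long value, hex-decode it) scripted as an added Python example; the sample files, their header and pass lines, the GUIDs and the hidden string are all constructed here and are not the challenge's files, the real sample content or the flag.

```python
import re
import tempfile
from collections import Counter
from pathlib import Path

# Constructed stand-in for the challenge's near-identical samples: each file reads
# its pass value from the X-siLock-Step1 header (as noted in the write-up) and
# compares it against a per-sample string. No real sample content is reproduced.
TEMPLATE = (
    'String pass = Request.Headers["X-siLock-Step1"];\n'
    'if (!String.Equals(pass, "{marker}")) {{ return; }}\n'
    'Response.StatusCode = 404;\n'
)
FAKE_GUIDS = ["0d2e2c7a-1f3b-4c9d-8e5a-6b7c8d9e0f11",   # constructed, not real IoCs
              "a1b2c3d4-e5f6-4789-9abc-def012345678",
              "5e6f7a8b-9c0d-4e1f-a2b3-c4d5e6f7a8b9"]
HIDDEN = "flag{constructed_example}"  # placeholder, not the challenge flag

def build_samples(directory):
    """Write constructed samples; exactly one carries a hex-encoded marker."""
    markers = FAKE_GUIDS + [HIDDEN.encode().hex()]
    paths = [Path(directory) / f"sample{i}.aspx" for i in range(len(markers))]
    for path, marker in zip(paths, markers):
        path.write_text(TEMPLATE.format(marker=marker))
    return paths

def varying_lines(paths):
    """Line-by-line 'diff' across all files: line index -> distinct values seen."""
    contents = [Path(p).read_text().splitlines() for p in paths]
    if len({len(c) for c in contents}) != 1:
        raise ValueError("samples differ in line count; a plain per-line diff won't do")
    return {i: {c[i] for c in contents} for i in range(len(contents[0]))
            if len({c[i] for c in contents}) > 1}

def length_outliers(values):
    """Values whose length departs from the most common one (the 'much longer' line)."""
    common = Counter(len(v) for v in values).most_common(1)[0][0]
    return [v for v in values if len(v) != common]

def decode_hex_literal(line):
    """Pull the quoted comparison string out of the line and hex-decode it."""
    m = re.search(r'"([0-9a-fA-F]+)"', line)
    if not m or len(m.group(1)) % 2:
        return None  # dashed GUIDs and odd-length strings are not plain hex
    return bytes.fromhex(m.group(1)).decode("ascii", errors="replace")

def solve(paths):
    changed = varying_lines(paths)
    if len(changed) != 1:
        raise ValueError(f"expected one differing line, got {sorted(changed)}")
    odd = length_outliers(list(next(iter(changed.values()))))
    return decode_hex_literal(odd[0]) if len(odd) == 1 else None

def solve_demo():
    """Build the constructed sample set in a temp dir and run the full pipeline."""
    with tempfile.TemporaryDirectory() as d:
        return solve(build_samples(d))
```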