
Huntress CTF Challenge Writeups: HumanTwo: MoveIt IoC Analysis Challenge


HumanTwo: MoveIT IoC Analysis Challenge

The HumanTwo challenge is a malware CTF from the 2023 Huntress CTF. This write-up walks through the initial discovery, de-obfuscation, and solving of the challenge. The actual flag will be redacted from the document, but interested parties should be able to follow the steps and derive it themselves. While the write-up assumes a base level of knowledge regarding the command line and Linux, most tools and commands will be accompanied by short explanations.

Step 1: Initial Analysis

To start off, we are given an archive with 1000 files named after their file hash. The hint we are given is that there are minor differences between each file. We also know that HumanTwo relates to the MoveIT vulnerability and exploit. The easy way to progress is to look up articles that tell you about the vulnerability and what stands out in each exploit script. However, I didn’t do that, so I’ll put the process I followed down instead.

First, because I knew that there were minor differences between each file from the hint, I ran a “diff” command on some of the files.



We can see that the only difference between these files is the pass comparison line. After finding this out, I used some basic bash to put all of the pass comparison lines into a text file.



This gave me a list of all the pass lines. Originally, I filtered out the unique strings being compared into another file using the “cut” command. However, this approach isn’t necessary at all and ended up wasting some time. Instead, we can simply look at the lines printed out from our Diff.txt file.


As we can see, one line is much longer than the others.


Step 2: Solving

Now that we have this unique string, we can start looking into what it is. This is the part I struggled with a lot because I tried to do things in CyberChef instead of just looking into what the format was. After spending too much time on this, I finally decided to look at the code a little more.

I noticed that the pass variable that’s being compared was declared as the value of something called “X-siLock-Step1”, which seemed to be some kind of web header.


After seeing this, I did a bunch of googling and came across a Mandiant article talking about MoveIT and referencing that X-siLock-Step1 was a 36-character GUID: https://www.mandiant.com/resources/blog/zero-day-moveit-data-theft


This helped out immensely, and I was able to go down a rabbit hole on GUIDs and what they are. This rabbit hole led to a Stack Overflow post (where all internet roads lead to) that explained that GUIDs are hex digits, which made a lot of sense, and I wish I had thought about that far earlier.



I put the unique string into CyberChef and converted from Hex and got the flag!
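The whole triage (isolate the lines that vary between files, pick the outlier by length, hex-decode it) can be scripted. The Python below is an added example, not part of the original write-up: the file names, the comparison-line syntax and the encoded message are constructed stand-ins, and it assumes the compared value is a double-quoted string literal.

```python
import re
from collections import Counter

def varying_lines(files):
    """Map each file name to its lines that are not shared by every file."""
    seen = Counter(l for text in files.values() for l in set(text.splitlines()))
    return {name: [l for l in text.splitlines() if seen[l] < len(files)]
            for name, text in files.items()}

def longest_literal(files):
    """Return (file name, literal) for the longest quoted string on a varying line."""
    best = ("", "")
    for name, lines in varying_lines(files).items():
        for line in lines:
            for lit in re.findall(r'"([^"]*)"', line):
                if len(lit) > len(best[1]):
                    best = (name, lit)
    return best

def decode_hex_literal(literal):
    """Strip GUID punctuation (dashes, braces), then hex-decode what remains."""
    digits = re.sub(r"[^0-9a-fA-F]", "", literal)
    return bytes.fromhex(digits).decode("utf-8", errors="replace")

# --- constructed sample data: stand-ins for the challenge files ---
def sample_file(value):
    # Assumed shape of the shared header line and the per-file comparison line.
    return ('var pass = Request.Headers["X-siLock-Step1"];\n'
            f'if (!String.Equals(pass, "{value}")) {{ return; }}\n')

SECRET = "constructed sample, not the real flag"
hexed = SECRET.encode().hex()
SAMPLE = {
    "file_a": sample_file("11111111-2222-3333-4444-555555555555"),
    "file_b": sample_file("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"),
    # Outlier: hex-encoded text split into dash-separated groups.
    "file_c": sample_file("-".join(hexed[i:i + 8] for i in range(0, len(hexed), 8))),
    "file_d": sample_file("01234567-89ab-cdef-0123-456789abcdef"),
}

if __name__ == "__main__":
    name, literal = longest_literal(SAMPLE)
    print(name, len(literal), decode_hex_literal(literal))
```

Filtering to varying lines first keeps the shared header-name literal out of the comparison, so only the per-file values compete on length.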



 
