SANS Holiday Hack Challenge 2022 - Tolkien Ring
Security research, CTF writeups, and hacking adventures
The Tolkien Ring
As we walk into the Tolkien Ring area we find our old friend Sparkle Redberry, and as always, he needs our help.
We download the PCAP through the link he provides and enter the terminal to find more instructions.
First question
We open the PCAP with Wireshark, go to the menu File -> Export Objects and choose HTTP... (that's the answer, HTTP).
We immediately see the downloaded files; this also gives us the answer to the next question.
HTTP Objects Downloaded
Using the screenshot above we can answer questions 2 and 3.
Now for question 4 we have to dig a bit deeper and open one of the HTTP streams to see that the response headers say Server: Apache.
And there we can also see the IP address that answers the question.
Now for question 5, we can save the app.php file to our computer from the Wireshark File menu using the same Export Objects option as above.
To look at the last few lines of the file we use the tail command and can see there's a blob being saved as Ref_Sept21-2020.zip; this is the answer.
For question 6 things get a bit more complicated: we need to find the TLS certificates exchanged in the traffic, and to do that we run binwalk on the PCAP.
There are a lot of certificates in the file, so we need to extract them in order to examine them.
To examine the extracted files we use find with -exec to run openssl on each one, making sure they are DER-format certificates:
find . -type f -exec openssl x509 -inform der -in {} -noout -text \; 2>/dev/null | grep Issuer
This gives us the Issuer of every certificate found, including the Country (C), State (ST) and Locality/City (L).
We can see 3 main countries:
C = IL for Israel
C = SS for South Sudan
C = US for United States
And we enter those as our answer, completing our first objective to find the Tolkien Ring.
As we walk to the right in the same room we find Fitzy Shortstack and, of course, he has a problem for us to solve.
We enter the terminal and find that we've been tasked with creating Suricata rules to alert on further communication with the command and control infrastructure we discovered before.
Following the Suricata rule syntax we come up with a rule for the first alert:
alert dns any any -> any any (msg:"Known bad DNS lookup, possible Dridex infection"; dns.query; content:"adv.epostoday.uk"; nocase; sid:20221211;rev:1;)
always changing the sid to avoid conflicts with existing rules.
We check our rule and get our next task.
This one is a bit trickier: we need 2 rules to catch both ways of communication, or at least, with the little knowledge I have of Suricata, this is the way I found that worked fine.
alert http any any -> 192.185.57.242 any (msg:"Investigate suspicious connections, possible Dridex infection";sid:2022121122;rev:1;)
alert http 192.185.57.242 any -> any any (msg:"Investigate suspicious connections, possible Dridex infection";sid:2022121123;rev:1;)
We verify again, and get our new task: identify bad certificates in the traffic.
To accomplish this we need Suricata to examine the certificate used in the TLS handshake by matching the Common Name (CN) in its subject:
alert tls any any -> any any (msg:"Investigate bad certificates, possible Dridex infection";tls.cert_subject; content:"CN=heardbellith.Icanwepeh.nagoya";sid:202212114;rev:1;)
Once again, we verify our new rule and get one more task.
We can find the malicious JavaScript by checking the body of the HTTP response for the string we're looking for:
alert http any any -> any any (msg:"Suspicious JavaScript function, possible Dridex infection"; flow:to_client;http.response_body;content:"let byteCharacters = atob";sid:5;)
And that's it!
Now we can walk to the end of the hall and find Snowrog (any similarity to a Balrog is pure coincidence).
And here's the long lost Tolkien Ring.
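A small lint pass for a rules file, as an added example that is not part of the original post or of Suricata itself: it parses each rule's header and options, flags curly quotes (which copy-pasting rules from a web page often introduces and which Suricata cannot parse), and reports missing or duplicate sids, the conflict mentioned above, before the rules are loaded with suricata -T -S rules.rules. The sample rules are constructed from the ones in this post plus two deliberately broken copies.

```python
import re

# Header: action proto src sport -> dst dport (options); only the options are captured.
HEADER_RE = re.compile(r"^(alert|drop|pass|reject)\s+\S+\s+\S+\s+\S+\s+(->|<>)\s+\S+\s+\S+\s*\((?P<opts>.*)\)\s*$")
CURLY_QUOTES = "\u201c\u201d\u2018\u2019"  # what a web copy-paste often turns '"' into

def parse_options(opts):
    """Split 'msg:"a;b"; sid:1;' into [(key, value)], keeping ';' inside quotes."""
    pairs, buf, in_quotes = [], "", False
    for ch in opts + ";":  # the extra ';' flushes a last option written without one
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            key, _, value = buf.strip().partition(":")
            if key:
                pairs.append((key.strip(), value.strip() or None))
            buf = ""
        else:
            buf += ch
    return pairs

def lint_rules(text):
    """Return one finding per problem for a rules file with one rule per line."""
    findings, seen_sids = [], {}
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if any(q in line for q in CURLY_QUOTES):
            findings.append(f"line {n}: curly quotes present, use ASCII double quotes")
        m = HEADER_RE.match(line)
        if not m:
            findings.append(f"line {n}: header does not parse")
            continue
        sid = dict(parse_options(m["opts"])).get("sid")
        if sid is None or not sid.isdigit():
            findings.append(f"line {n}: missing or non-numeric sid")
        elif sid in seen_sids:
            findings.append(f"line {n}: sid {sid} already used on line {seen_sids[sid]}")
        else:
            seen_sids[sid] = n
    return findings

# Constructed sample: two rules from this post (ASCII quotes) plus two broken copies.
SAMPLE_RULES = """\
alert dns any any -> any any (msg:"Known bad DNS lookup, possible Dridex infection"; dns.query; content:"adv.epostoday.uk"; nocase; sid:20221211; rev:1;)
alert tls any any -> any any (msg:"Investigate bad certificates, possible Dridex infection"; tls.cert_subject; content:"CN=heardbellith.Icanwepeh.nagoya"; sid:202212114; rev:1;)
alert dns any any -> any any (msg:\u201cKnown bad DNS lookup\u201d; dns.query; content:"adv.epostoday.uk"; sid:20221211; rev:1;)
alert tcp any any -> any any (msg:"copied without a sid"; rev:1;)
"""
```

Running lint_rules(SAMPLE_RULES) reports the curly quotes and the reused sid on the third rule and the missing sid on the fourth.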