CTF on a Budget - Magnet User Summit 2018 (Part 3)


For part 3, we are looking at the exfiltration section.


Exfiltration

1. Application for Exfil: Which application was used to exfiltrate data on the compromised system? 

My first thought was to see what was installed, so I took a peek in Program Files and Program Files (x86) as well as the SOFTWARE registry hive. There was nothing of interest there, so I parsed the shellbags for each user with SBECmd and came across Dropbox under "itsupport". This led to finding the Dropbox installer on that user's desktop as well.


2. Browser to Download Dropbox: Which browser was used to download the application that exfiltrated the data?

From previous questions we knew Edge was a possibility, and Google Chrome and Mozilla Firefox were also shown to be installed on the system. Parsing the internet history for all of them with BrowserHistoryView, we don't see anything relevant to Dropbox. Something that did catch my eye in the Firefox history was a download of Maxthon mx5, a lesser-known browser (which I only learned about during this CTF).


Digging through the folder structure under that user's AppData, we come across a Maxthon download task file:

/img_MaxPowersCDrive.E01/vol_vol2/Users/itsupport/AppData/Roaming/Maxthon5/Public/Downloader/TaskList/{6F3E1C74-4C0A-4747-8B21-27D988BF985E}.tsk

In plain text we can see the download information for Dropbox: the executable name, the download location, the .mxdl file name Maxthon used while the download was in progress, and the URL it was fetched from. The query string of that URL also records the installer build (build_no=48.4.58) and platform (plat=win), which is handy for corroborating the installer found on the desktop. Since the task file lives under the Maxthon5 profile, it is Maxthon, not one of the browsers BrowserHistoryView parsed, that downloaded Dropbox:

DropboxInstaller.exe
C:\Users\itsupport\Desktop\
DropboxInstaller.exe.mxdl
https://dl-web.dropbox.com/installer?authenticode_sign=True&build_no=48.4.58&juno=True&juno_use_program_files=True&plat=win&tag=eyJUQUdTIjoiZUp5clZpcE9MUzdPek0tTHoweFJzbEl3dERBek1UY3p0VEEzc3pReXRqUzJ0RFF3c2pRRGNZek1MUXdzakN3TVRNMU5ETTBOYWdHdGN3M2hATUVUQSJ9&tag_token=AJ9qI4bmJ6CdwFIewmUY0_fl2HIFYQfIIw_-ka-83etQ7A
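As an added example (not code from the original writeup), the same information can be carved programmatically when the task file is not as readable as this one: the script below scans a constructed stand-in for the .tsk file (the four fields shown above, NUL-separated, with a UTF-16LE copy of the path) for URLs and Windows paths in both 8-bit and UTF-16LE encodings, then parses the installer URL's query string and unwraps the `tag` parameter, which is unpadded base64 around a small JSON object. The byte layout of the sample and the function names are assumptions; the real .tsk format is not documented here.

```python
import base64
import json
import re
from urllib.parse import parse_qs, urlsplit

# The installer URL exactly as recovered from the task file.
DROPBOX_URL = (
    "https://dl-web.dropbox.com/installer?authenticode_sign=True&build_no=48.4.58"
    "&juno=True&juno_use_program_files=True&plat=win&tag="
    "eyJUQUdTIjoiZUp5clZpcE9MUzdPek0tTHoweFJzbEl3dERBek1UY3p0VEEzc3pReXRqUzJ0RFF3c2pRRGNZek1MUXdzakN3TVRNMU5ETTBOYWdHdGN3M2hATUVUQSJ9"
    "&tag_token=AJ9qI4bmJ6CdwFIewmUY0_fl2HIFYQfIIw_-ka-83etQ7A"
)

# Constructed stand-in for the .tsk file (NOT the real format): the fields the
# writeup reports, NUL-separated, a few junk bytes in front and a UTF-16LE copy
# of the path at the end. The only assumption is that the strings are stored
# either as plain 8-bit text or as UTF-16LE.
SAMPLE_TSK = (
    b"\x01\x00\x00\x00\x10\x00"
    + b"DropboxInstaller.exe\x00"
    + b"C:\\Users\\itsupport\\Desktop\\\x00"
    + b"DropboxInstaller.exe.mxdl\x00"
    + DROPBOX_URL.encode("ascii") + b"\x00"
    + "C:\\Users\\itsupport\\Desktop\\".encode("utf-16le") + b"\x00\x00"
)

URL_RE = re.compile(r"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")
# Drive letter, colon, backslash, then path components that avoid the
# characters Windows forbids in file names and any control byte.
WINPATH_RE = re.compile(r'[A-Za-z]:\\(?:[^\x00-\x1f\\:*?"<>|]+\\?)+')


def carve(blob, pattern):
    """Distinct matches of `pattern` in `blob`, in order of first appearance.

    The bytes are searched as 8-bit text and as UTF-16LE at both byte
    alignments, so strings stored either way are found once.
    """
    views = [blob.decode("latin-1")]
    views += [blob[off:].decode("utf-16le", errors="ignore") for off in (0, 1)]
    found = []
    for text in views:
        for m in pattern.finditer(text):
            if m.group(0) not in found:
                found.append(m.group(0))
    return found


def parse_task_file(blob):
    """Pull the download URL(s) and any Windows paths out of a task file."""
    return {"urls": carve(blob, URL_RE), "paths": carve(blob, WINPATH_RE)}


def decode_dropbox_tag(url):
    """Unwrap the outer layer of the installer URL's `tag` parameter.

    The value is URL-safe base64 with the padding stripped, wrapping a JSON
    object. Its inner TAGS value starts with "eJy" (the base64 of a zlib
    header) and is returned untouched; nothing here says what it holds.
    """
    tag = parse_qs(urlsplit(url).query)["tag"][0]
    padded = tag + "=" * (-len(tag) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def installer_facts(url):
    """Version and platform fields from the query string, plus the tag's keys."""
    params = parse_qs(urlsplit(url).query)
    return {
        "build_no": params["build_no"][0],
        "plat": params["plat"][0],
        "tag_keys": sorted(decode_dropbox_tag(url)),
    }


if __name__ == "__main__":
    task = parse_task_file(SAMPLE_TSK)
    for url in task["urls"]:
        print("URL:", url)
        print("facts:", installer_facts(url))
    for path in task["paths"]:
        print("path:", path)
```

Pointing `parse_task_file` at the bytes of a real .tsk file instead of `SAMPLE_TSK` gives the same kind of output; anything inside the decoded TAGS value is deliberately left alone, since the page gives no basis for interpreting it.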

3. Data Exfiltrated: How much data was sent out via the application exfiltrating the data? [answer in bytes]

Going back to the SRUM output we extracted with srum_dump for a previous question, this time we look at the NetworkUsage table. Opening the CSV in Timeline Explorer and filtering on the application name, we can easily see that 1363639 bytes were sent. Keep in mind that SRUM writes one NetworkUsage row per application, user and interface for each roughly hourly window, so if an upload straddles a window boundary the BytesSent values of all matching rows need to be summed.
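The same filter-and-sum, as an added example rather than anything from the original writeup, done in Python over a constructed CSV in the shape of a srum_dump NetworkUsage export. The column names, the NT-style application paths, the SIDs, the timestamps and the byte counts are all assumptions made up for the sample; check the column names against your own export before reusing the script.

```python
import csv
import io
from collections import defaultdict

# Constructed sample (not real CTF data) shaped like srum_dump's NetworkUsage
# sheet saved as CSV. Column names are assumed. The two Dropbox rows mimic an
# upload that straddled an hourly SRUM window.
SAMPLE_NETWORK_USAGE = r"""
TimeStamp,Application,User,BytesSent,BytesRecvd
2018-02-14 10:00:00,\Device\HarddiskVolume2\Users\itsupport\AppData\Roaming\Dropbox\bin\Dropbox.exe,S-1-5-21-1111,1000000,5120
2018-02-14 11:00:00,\Device\HarddiskVolume2\Users\itsupport\AppData\Roaming\Dropbox\bin\Dropbox.exe,S-1-5-21-1111,363639,2048
2018-02-14 10:00:00,\Device\HarddiskVolume2\Program Files\Mozilla Firefox\firefox.exe,S-1-5-21-1111,48213,9120331
2018-02-14 11:00:00,\Device\HarddiskVolume2\Windows\System32\svchost.exe,S-1-5-18,15300,88000
""".strip()


def bytes_by_application(csv_text, name_filter=None, start=None, end=None):
    """Sum BytesSent and BytesRecvd per application path.

    name_filter: case-insensitive substring of the application path
                 (e.g. "dropbox"), or None for every application.
    start, end:  inclusive bounds on TimeStamp as "YYYY-MM-DD HH:MM:SS"
                 strings; the fixed-width format makes plain string
                 comparison correct.
    """
    totals = defaultdict(lambda: {"sent": 0, "recvd": 0, "rows": 0})
    for row in csv.DictReader(io.StringIO(csv_text)):
        app = row["Application"]
        if name_filter and name_filter.lower() not in app.lower():
            continue
        ts = row["TimeStamp"]
        if (start and ts < start) or (end and ts > end):
            continue
        entry = totals[app]
        entry["sent"] += int(row["BytesSent"])
        entry["recvd"] += int(row["BytesRecvd"])
        entry["rows"] += 1
    return dict(totals)


def exfil_bytes_sent(csv_text, name_filter, start=None, end=None):
    """Total bytes sent by every application whose path matches name_filter."""
    totals = bytes_by_application(csv_text, name_filter, start, end)
    return sum(entry["sent"] for entry in totals.values())


if __name__ == "__main__":
    for app, entry in bytes_by_application(SAMPLE_NETWORK_USAGE).items():
        print(f"{entry['sent']:>10} sent {entry['recvd']:>10} recvd "
              f"over {entry['rows']} row(s): {app}")
    print("Dropbox total sent:", exfil_bytes_sent(SAMPLE_NETWORK_USAGE, "dropbox"))
```

The `start`/`end` window matters when the suspect application was also used legitimately earlier in the day; narrowing to the exfiltration window keeps unrelated sync traffic out of the total.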