Module: INTRODUCTION TO MALWARE ANALYSIS - Debugging

HTB Content Academy
1

I’m having problems trying to open inetsim on the parrot and connect with the mandiant windows. i tried configure like this:

service_bind_address <Our machine's/VM's TUN IP>
dns_default_ip <Our machine's/VM's TUN IP>
dns_default_hostname www
dns_default_domainname iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

But the HTTP on port 80 never comes up. Does anyone know how to fix this?

2

Can you post the outcome of this command?

3

INetSim 1.3.2 (2020-05-19) by Matthias Eckert & Thomas Hungenberg
Main logfile ‘/var/log/inetsim/main.log’ does not exist. Trying to create it…
Main logfile ‘/var/log/inetsim/main.log’ successfully created.
Sub logfile ‘/var/log/inetsim/service.log’ does not exist. Trying to create it…
Sub logfile ‘/var/log/inetsim/service.log’ successfully created.
Debug logfile ‘/var/log/inetsim/debug.log’ does not exist. Trying to create it…
Debug logfile ‘/var/log/inetsim/debug.log’ successfully created.
Using log directory: /var/log/inetsim/
Using data directory: /var/lib/inetsim/
Using report directory: /var/log/inetsim/report/
Using configuration file: /etc/inetsim/inetsim.conf
Parsing configuration file.
Configuration file parsed successfully.
=== INetSim main process started (PID 2703) ===
Session ID: 2703
Listening on: 10.10.15.179
Real Date/Time: 2024-01-23 15:49:56
Fake Date/Time: 2024-01-23 15:49:56 (Delta: 0 seconds)
Forking services…

  • dns_53_tcp_udp - started (PID 2707)
  • echo_7_tcp - started (PID 2726)
  • ntp_123_udp - started (PID 2718)
  • time_37_tcp - started (PID 2722)
  • http_80_tcp - failed!
  • time_37_udp - started (PID 2723)
  • discard_9_udp - started (PID 2729)
  • daytime_13_tcp - started (PID 2724)
  • finger_79_tcp - started (PID 2719)
  • dummy_1_udp - started (PID 2735)
  • echo_7_udp - started (PID 2727)
  • dummy_1_tcp - started (PID 2734)
  • quotd_17_udp - started (PID 2731)
  • smtp_25_tcp - started (PID 2710)
  • irc_6667_tcp - started (PID 2717)
  • chargen_19_tcp - started (PID 2732)
  • ftps_990_tcp - started (PID 2715)
  • smtps_465_tcp - started (PID 2711)
  • daytime_13_udp - started (PID 2725)
  • quotd_17_tcp - started (PID 2730)
  • pop3s_995_tcp - started (PID 2713)
  • syslog_514_udp - started (PID 2721)
  • https_443_tcp - started (PID 2709)
  • ftp_21_tcp - started (PID 2714)
  • ident_113_tcp - started (PID 2720)
  • discard_9_tcp - started (PID 2728)
  • chargen_19_udp - started (PID 2733)
  • tftp_69_udp - started (PID 2716)
  • pop3_110_tcp - started (PID 2712)
    done.
    Simulation running.
4

Is ti possible that you already running something on port 80?

5

I just opened the HTB configure parrot and ran sudo inetsim there is something on port 80 by default???

6

To be honest I am not using HTB parrot machine so I dont know. But you can check, read this article How to check if port is in use on Linux or Unix - nixCraft and try to search is there is a service already running. Otherwise you can set up your own kali machine and everything will work fine.

7

Is it just me or this part to follow the exercise is kind of confusing?

Do we have to do the changes on all 3 “SandBox Detected” message?

8

yes we need to make changes on the 3 SandBox Detexted

9

Got C2 message trying to get notepad.exe to work

VirtualAllocEx , WriteProcessMemory , and CreateRemoteThread

10

I made changes only to two out of three “Sandbox Detected” messages. It took me a while to understand that, I used multiple breakpoints and actually got a feeling of how they work.

11

I’ve connected to HTB VPN and then started InetSim on my own VM. In configurations I put my VM’s enp0s3 address and the rest as per the exemplar screenshot; specified DNS ip address of my InetSim instance in IPv4 adapter settings but it still doesn’t have connection to internet and doesn’t load any pages (doesn’t display InetSim page). Is it supposed to be so at this part of the module? I can’t figure out what I missed.

12

Did you get this done ? For the inetsim, you need to put your tun0 address. The rest of details same as instructions. For the x64sbg remote VM, thats correct but put the same tun0 address into IPv4 settings. If its still not working, try changing the http port in Inetsim from port 80 to 81.

13

This is how I managed to complete it (using my own Kali Linux VM for running Inetsim).

  1. Changed the inetsim http port to port 80 in inetsim.conf, after a recommendation from another post. All the other lines were the same as the instructions.
    Just added the line - http_bind_port 81

  2. Copied my VM tun0 IP address to the remote machines IPv4 settings DNS server as per instructions.

  3. Ran Inetsim on my VM and it started up without errors.

  4. Edited shell.exe in all 3 locations, as per instructions. Left a breakpoint on kernell32/WriteProcessMemory and Start entry point only. Saved and Patched the shell.exe.

  5. Ran the .exe up to WriteProcessMemory breakpoint. Copied RDX value from here, as per instructions.

  6. Opened up second instance of x64dbg and searched for attached. Notepad was available to be selected.

  7. Searched for the copied RDX value in this notepad x64 instance, as per instructions. It appeared as blank value.

  8. Went back to the shell.exe x64dbg instance and hit Run. This is the important bit - I immediately switched back to the notepad x64 and pressed 'Pause’. The previously blank section immediately filled with the required data, where I could copy the answer from.

I had issues for a while with the notepad x64dbg simply closing completely, after I finished running the shell.exe instance from the WriteProcessMemory breakpoint. Theres probably something I missed that caused this, but the above process worked for me. Hope this helps someone. Note - I was using my own Kali VM and not Pwnbox.