
Day 1: Maybe SOC-mas music, he thought, doesn’t come from a store?

TryHackMe Advent of Cyber 2024 Day 1 Banner | Credits: TryHackMe

Notes:

Hey! Before you go through this writeup, try the task yourself first, and if you get stuck come back and check out the writeup.

OPSEC, originally a military concept, “is a process used to protect sensitive information and prevent adversaries from gaining an advantage by exploiting unintentional leaks of critical data”. The last thing you want when ethically hacking someone (with their permission, of course) is for your hack to lead them straight to your government-issued ID on the public internet.

In the context of cyber security, OPSEC focuses on not making mistakes like reusing usernames, exposing metadata, or failing to conceal IP addresses while carrying out malicious activity.

The Day 1 task shows how bad OPSEC leaves digital breadcrumbs that can lead to your attribution and compromise.

Q: Looks like the song.mp3 file is not what we expected! Run "exiftool song.mp3" in your terminal to find out the author of the song. Who is the author?

A: Start up the AttackBox and head over to the AttackBox IP in the browser. Scrolling down the website, we can see that it was made by “The Glitch” and that it claims to be “Safe” and “Secure”.

Paste in a YouTube video URL and click “Convert”. Select either “mp3” or “mp4” (it doesn’t matter which) and download the “download.zip” file.

Extract the “download.zip” file.

As the question suggests, we can run exiftool on the “song.mp3” file. Open a terminal and run:

exiftool song.mp3

Q: The malicious PowerShell script sends stolen info to a C2 server. What is the URL of this C2 server?

A: There is another file that was downloaded alongside “song.mp3”, called “somg.mp3”. This file is suspicious; the filename itself already looks wrong.

To find out more, let’s run the “file” command on it:

file somg.mp3

The output shows that this is an “MS Windows shortcut” file, also known as a “.lnk” file. This type of file is used to link to a file, folder or application. Shortcuts can also be used to run commands.

Let’s inspect this file using exiftool:

exiftool somg.mp3

We can see that this file has a “Command Line Arguments” field. The command line downloads a PowerShell script (.ps1) from the GitHub repo “IS” and runs it. Let’s download this script and open it in a text editor.

It looks like an infostealer, “Created by the one and only M.M.”

You can find the answer in the $c2Url variable.
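The two checks above (the “file” command recognising the shortcut despite its .mp3 name, and exiftool pulling out the “Command Line Arguments” field) can be reproduced in a few lines of Python. This is an added example, not part of the TryHackMe task: it identifies a Windows shortcut by its header bytes and walks the MS-SHLLINK layout to the StringData section, and the sample shortcut it parses is constructed inline rather than taken from the download.

```python
import struct

# ShellLinkHeader starts with HeaderSize (0x4C) and the LinkCLSID, per MS-SHLLINK.
LNK_MAGIC = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")
# LinkFlags bits (MS-SHLLINK 2.1.1) that say which optional sections follow the header.
(HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH,
 HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE) = (1 << i for i in range(8))
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"), (HAS_WORK_DIR, "working_dir"),
                 (HAS_ARGS, "arguments"), (HAS_ICON, "icon_location"))

def is_lnk(data: bytes) -> bool:
    """What `file` does: identify a shortcut by its header bytes, not its extension."""
    return data[:len(LNK_MAGIC)] == LNK_MAGIC

def lnk_strings(data: bytes) -> dict:
    """Walk a .lnk past the optional sections to StringData and return the fields present."""
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C  # the ShellLinkHeader is always 76 bytes
    if flags & HAS_ID_LIST:  # IDListSize (2 bytes) followed by the IDList itself
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # LinkInfoSize includes its own 4 bytes
        pos += struct.unpack_from("<I", data, pos)[0]
    width, enc = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
    out = {}
    for flag, name in STRING_FIELDS:  # fixed order from the spec
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters, not bytes
            pos += 2
            out[name] = data[pos:pos + count * width].decode(enc)
            pos += count * width
    return out

def triage(filename: str, data: bytes) -> dict:
    """Report an extension/content mismatch and the arguments a shortcut would run."""
    report = {"extension": filename.rsplit(".", 1)[-1].lower(), "is_lnk": is_lnk(data)}
    if report["is_lnk"]:
        report.update(lnk_strings(data))
    return report

def build_sample_lnk(arguments: str) -> bytes:
    """Constructed test input, not a real capture: a minimal shortcut with an empty IDList."""
    flags = HAS_ID_LIST | HAS_ARGS | IS_UNICODE
    header = LNK_MAGIC + struct.pack("<I", flags) + b"\x00" * (0x4C - 24)
    id_list = struct.pack("<H", 2) + b"\x00\x00"  # IDListSize=2: only the TerminalID
    return header + id_list + struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")

# Usage: triage("somg.mp3", open("somg.mp3", "rb").read()) on the real download;
# here with the constructed sample, which reports is_lnk=True for an ".mp3" name.
SAMPLE_REPORT = triage("somg.mp3", build_sample_lnk('-c "Write-Host constructed-sample"'))
```

On the real “somg.mp3” the “arguments” field is where the PowerShell download command described above shows up, which is exactly what exiftool prints as “Command Line Arguments”.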

Q: Who is M.M? Maybe his Github profile page would provide clues?

A: We need to find out who this “M.M” is. As the question suggests, let’s take a look at this person’s GitHub.

GitHub has a nifty feature that lets us search not only repository and user names but also code. Since the creator of the infostealer left his mark in the code, let’s search for that.

Head over to GitHub and search for:

Created by the one and only M.M.

There is an open issue containing that line of code. (With so many people commenting on the issue it has been buried, so here is the link to it: https://github.com/Bloatware-WarevilleTHM/CryptoWallet-Search/issues/1)

The original creator of this issue is “M.M”.

Q: What is the number of commits on the GitHub repo where the issue was raised?

A: From the issue we discovered in the last question, navigate to the “Code” tab.

In this tab, look around and you’ll find the number of commits.

Q: If you enjoyed this task, feel free to check out the OPSEC room!

A: No Answer needed!

Q: What's with all these GitHub repos? Could they hide something else?

A: No Answer needed!

That's it for Day 1. Thank you for reading my writeup.