Hack The Box – Noted – Complete Guide

Noted is a Sherlock from Hack The Box, a challenge made for you to investigate a scenario using the files provided to answer a series of questions and solve a mystery. In this Sherlock, we will investigate Simon, a developer at Forela, who has reported a security breach to the CERT team after finding a threatening note on his desktop, claiming his system had been compromised and sensitive data stolen. The attackers are demanding ransom and threatening to leak the data on the dark web. Simon’s workstation contained valuable files, including software projects and development plans. Despite the threat actors’ mistakes, the company struggles to reach them. We are tasked with a specific DFIR investigation focusing on Notepad++ artifacts, aiming to uncover the attack’s origin, and find a way to contact the threat actors, as they’ve inadvertently obscured their own contact information.

Sherlock Scenario

Simon, a developer working at Forela, notified the CERT team about a note that appeared on his desktop. The note claimed that his system had been compromised and that sensitive data from Simon’s workstation had been collected. The perpetrators performed data extortion on his workstation and are now threatening to release the data on the dark web unless their demands are met. Simon’s workstation contained multiple sensitive files, including planned software projects, internal development plans, and application codebases. The threat intelligence team believes that the threat actor made some mistakes, but they have not found any way to contact the threat actors. The company’s stakeholders are insisting that this incident be resolved and all sensitive data be recovered. They demand that under no circumstances should the data be leaked. As our junior security analyst, you have been assigned a specific type of DFIR (Digital Forensics and Incident Response) investigation in this case. The CERT lead, after triaging the workstation, has provided you with only the Notepad++ artifacts, suspecting that the attacker created the extortion note and conducted other activities with hands-on keyboard access. Your duty is to determine how the attack occurred and find a way to contact the threat actors, as they accidentally locked out their own contact information.

Notepad++ Artifacts

For this challenge we only have access to the Notepad++ artifacts, i.e. the files Notepad++ itself reads or writes. The folder provided contains four files: config.xml, session.xml, LootAndPurge.java@2023-07-24_145332 and YOU HAVE BEEN HACKED.txt@2023-07-24_150548. The first two are Notepad++ configuration and session metadata; we will return to them as we gather more information. The other two are backups that Notepad++'s periodic backup feature writes to AppData\Roaming\Notepad++\backup for every open tab (the suffix after the @ is the date and time the backup was taken). The YOU HAVE BEEN HACKED.txt backup is the message left by the attacker:

HEllo

This note is placed in your desktop and copied to other locations too. You have been hacked and your data has been deleted from your
system. We made copies of your sensitive data and uploaded to our servers. The rule is simple

                                                       YOU PAY US
                                                           AND 
                         WE DO NOT RELEASE YOUR COMPANY SECRETS TO PUBLIC AND RETURN YOUR DATA SAFELY TO YOU


Failiure to oblige will result in immediate data leak to the public. 



For detailed information and process , Visit below link

https://pastebin.com/CwhBVzPq    

OR 


https://pastes.io/mvc6sue6cf                     

This is a fairly standard note for this kind of extortion. At the end of the file there are two links that should lead us to a cryptocurrency wallet and a contact channel. The other backup in the folder, LootAndPurge.java, is a leftover of the collection tool the attacker ran on the machine, preserved only because its source was open in a Notepad++ tab when the backup was taken.

Now let’s begin with the questions provided by Hack The Box.

What is the full path of the script used by Simon for AWS operations?

In config.xml there is a History section, the editor's recent-files list, recording the files Simon opened in Notepad++. Among them is the script used for AWS operations:

<SNIP>

    <History nbMaxFile="10" inSubMenu="no" customLength="-1">
        <File filename="C:\Program Files\Notepad++\change.log" />
        <File filename="C:\Users\Simon.stark\Documents\Internal-DesktopApp\Prototype-Internal_Login.cs" />
        <File filename="C:\Users\Simon.stark\Documents\Dev-WebServer-BetaProd\dev2prod_fileupload.php" />
        <File filename="C:\Users\Simon.stark\Documents\Internal-DesktopApp\App_init_validation.yml" />
        <File filename="C:\Users\Simon.stark\Documents\Dev_Ops\AWS_objects migration.pl" />
    </History>

<SNIP>

The last entry in that list is our answer: C:\Users\Simon.stark\Documents\Dev_Ops\AWS_objects migration.pl

The attacker duplicated some program code and compiled it on the system, knowing that the victim was a software engineer and had all the necessary utilities. They did this to blend into the environment and didn’t bring any of their tools. This code gathered sensitive data and prepared it for exfiltration. What is the full path of the program’s source file?

We can get that from session.xml, which records the Notepad++ session: every open tab with its original path, its backup file and the original file's timestamps. The program's source file is the first tab:

<?xml version="1.0" encoding="UTF-8" ?>
<NotepadPlus>
    <Session activeView="0">
        <mainView activeIndex="1">
            <File firstVisibleLine="21" xOffset="0" scrollWidth="848" startPos="1697" endPos="1697" selMode="0" offset="0" wrapCount="1" lang="Java" encoding="-1" userReadOnly="no" filename="C:\Users\Simon.stark\Desktop\LootAndPurge.java" backupFilePath="C:\Users\Simon.stark\AppData\Roaming\Notepad++\backup\LootAndPurge.java@2023-07-24_145332" originalFileLastModifTimestamp="-1354503710" originalFileLastModifTimestampHigh="31047188" tabColourId="-1" mapFirstVisibleDisplayLine="-1" mapFirstVisibleDocLine="-1" mapLastVisibleDocLine="-1" mapNbLine="-1" mapHigherPos="-1" mapWidth="-1" mapHeight="-1" mapKByteInDoc="512" mapWrapIndentMode="-1" mapIsWrap="no" />
            <File firstVisibleLine="0" xOffset="0" scrollWidth="1072" startPos="672" endPos="672" selMode="0" offset="0" wrapCount="1" lang="None (Normal Text)" encoding="-1" userReadOnly="no" filename="C:\Users\Simon.stark\Desktop\YOU HAVE BEEN HACKED.txt" backupFilePath="C:\Users\Simon.stark\AppData\Roaming\Notepad++\backup\YOU HAVE BEEN HACKED.txt@2023-07-24_150548" originalFileLastModifTimestamp="1536217129" originalFileLastModifTimestampHigh="31047190" tabColourId="-1" mapFirstVisibleDisplayLine="-1" mapFirstVisibleDocLine="-1" mapLastVisibleDocLine="-1" mapNbLine="-1" mapHigherPos="-1" mapWidth="-1" mapHeight="-1" mapKByteInDoc="512" mapWrapIndentMode="-1" mapIsWrap="no" />
        </mainView>
        <subView activeIndex="0" />
    </Session>
</NotepadPlus>

The first File element points at C:\Users\Simon.stark\Desktop\LootAndPurge.java, and its backupFilePath attribute ties that tab to the LootAndPurge.java@2023-07-24_145332 backup in our folder. That Desktop path is the one we need.

What’s the name of the final archive file containing all the data to be exfiltrated?

We can find this in the backup of the program source (LootAndPurge.java@2023-07-24_145332):

import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.zip.ZipEntry;
import java.util.zip.ZipOutputStream;

public class Sensitive_data_extort {
    public static void main(String[] args) {
        String username = System.getProperty("user.name");
        String desktopDirectory = "C:\\Users\\" + username + "\\Desktop\\";
        List<String> extensions = Arrays.asList("zip", "docx", "ppt", "xls", "md", "txt", "pdf");
        List<File> collectedFiles = new ArrayList<>();

        collectFiles(new File(desktopDirectory), extensions, collectedFiles);

        String zipFilePath = desktopDirectory + "Forela-Dev-Data.zip";
        String password = "sdklY57BLghvyh5FJ#fion_7";

        createZipArchive(collectedFiles, zipFilePath, password);

        System.out.println("Zip archive created successfully at: " + zipFilePath);
    }

<SNIP>

The zipFilePath variable gives the archive name: Forela-Dev-Data.zip, written to the victim's Desktop. One caveat worth noting: the only archive library imported is java.util.zip, which has no support for password-protected archives, so whether the password string is actually applied to the zip depends on the createZipArchive body that is snipped here.

What’s the timestamp in UTC when attacker last modified the program source file?

This one takes a little more work. In session.xml each tab carries the original file's last-modified time, split across two attributes:

originalFileLastModifTimestamp="-1354503710" 
originalFileLastModifTimestampHigh="31047188"

These are the low and high 32-bit halves of a Windows FILETIME: the number of 100-nanosecond intervals since 1601-01-01 00:00:00 UTC. LDAP/Active Directory timestamps use the same epoch and unit, which is why an LDAP timestamp converter works on the combined value. Notepad++ stores the low half as a signed integer, so a negative value has to be reinterpreted as unsigned by adding \( 2^{32} \):

\( high = 31047188 \)
\( low = -1354503710 \)

\( fullvalue = high \cdot 2^{32} + (2^{32} + low) \)

For a non-negative low half the second term is just \( low \); the general form is \( high \cdot 2^{32} + (low \bmod 2^{32}) \). A few lines of Python do the arithmetic:

high = 31047188
low = -1354503710

# low is a signed 32-bit value; "& 0xFFFFFFFF" reinterprets it as unsigned,
# which equals 2**32 + low when low is negative and low itself otherwise
print((high * 2**32) + (low & 0xFFFFFFFF))

This prints 133346660033227234. Feeding that into any LDAP/FILETIME timestamp converter gives Monday, 24 July 2023 09:53:23 UTC, which in the answer format is 2023-07-24 09:53:23. As a cross-check, the backup name LootAndPurge.java@2023-07-24_145332 is stamped when the backup was written, in the workstation's local time, so it should sit shortly after the converted modification time once the time zone offset is accounted for.
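The same conversion can be done offline, and at the same time the two XML artifacts can be triaged in one go. The script below is an added example, not part of the original write-up or of Notepad++; it parses the History list from config.xml and the open tabs from session.xml, rebuilds each FILETIME from its signed halves, and converts it to UTC. The embedded XML is a constructed copy of the elements shown above, trimmed to the attributes the script needs; the assumption that the @YYYY-MM-DD_HHMMSS suffix in the backup name is in the workstation's local time is marked in the code.

```python
"""Triage helper for Notepad++ artifacts (config.xml History + session.xml)."""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# A Windows FILETIME counts 100-ns ticks since 1601-01-01 00:00:00 UTC.
# LDAP/AD timestamps use the same epoch, hence "LDAP timestamp" converters work.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed copy of the History section from the page's config.xml.
CONFIG_XML = r"""<NotepadPlus>
    <History nbMaxFile="10" inSubMenu="no" customLength="-1">
        <File filename="C:\Program Files\Notepad++\change.log" />
        <File filename="C:\Users\Simon.stark\Documents\Internal-DesktopApp\Prototype-Internal_Login.cs" />
        <File filename="C:\Users\Simon.stark\Documents\Dev-WebServer-BetaProd\dev2prod_fileupload.php" />
        <File filename="C:\Users\Simon.stark\Documents\Internal-DesktopApp\App_init_validation.yml" />
        <File filename="C:\Users\Simon.stark\Documents\Dev_Ops\AWS_objects migration.pl" />
    </History>
</NotepadPlus>"""

# Constructed copy of the page's session.xml, trimmed to the attributes used below.
SESSION_XML = r"""<NotepadPlus>
    <Session activeView="0">
        <mainView activeIndex="1">
            <File lang="Java" filename="C:\Users\Simon.stark\Desktop\LootAndPurge.java"
                  backupFilePath="C:\Users\Simon.stark\AppData\Roaming\Notepad++\backup\LootAndPurge.java@2023-07-24_145332"
                  originalFileLastModifTimestamp="-1354503710" originalFileLastModifTimestampHigh="31047188" />
            <File lang="None (Normal Text)" filename="C:\Users\Simon.stark\Desktop\YOU HAVE BEEN HACKED.txt"
                  backupFilePath="C:\Users\Simon.stark\AppData\Roaming\Notepad++\backup\YOU HAVE BEEN HACKED.txt@2023-07-24_150548"
                  originalFileLastModifTimestamp="1536217129" originalFileLastModifTimestampHigh="31047190" />
        </mainView>
        <subView activeIndex="0" />
    </Session>
</NotepadPlus>"""

_BACKUP_STAMP = re.compile(r"@(\d{4}-\d{2}-\d{2})_(\d{2})(\d{2})(\d{2})$")


def filetime_from_parts(low: int, high: int) -> int:
    """Rebuild the 64-bit FILETIME from the two signed 32-bit halves Notepad++ writes.

    The low half is stored signed, so "& 0xFFFFFFFF" reinterprets it as unsigned
    (that is 2**32 + low when low is negative, and low itself otherwise).
    """
    return (high << 32) | (low & 0xFFFFFFFF)


def filetime_to_utc(filetime: int) -> datetime:
    """Convert a FILETIME tick count to an aware UTC datetime (sub-microsecond ticks dropped)."""
    return EPOCH_1601 + timedelta(microseconds=filetime // 10)


def recent_files(config_xml: str) -> list:
    """Return the config.xml History entries in the order Notepad++ stored them."""
    history = ET.fromstring(config_xml).find(".//History")
    return [f.get("filename") for f in history.findall("File")]


def session_files(session_xml: str) -> list:
    """Per open tab: original path, backup path, backup-name stamp and mtime in UTC."""
    entries = []
    for f in ET.fromstring(session_xml).iter("File"):
        low = int(f.get("originalFileLastModifTimestamp"))
        high = int(f.get("originalFileLastModifTimestampHigh"))
        backup = f.get("backupFilePath", "")
        m = _BACKUP_STAMP.search(backup)
        # Assumption: the @YYYY-MM-DD_HHMMSS suffix is the time the backup was
        # written, in the workstation's local time zone (not converted here).
        backup_stamp = f"{m.group(1)} {m.group(2)}:{m.group(3)}:{m.group(4)}" if m else None
        ft = filetime_from_parts(low, high)
        entries.append({
            "filename": f.get("filename"),
            "backup": backup,
            "backup_stamp": backup_stamp,
            "filetime": ft,
            "mtime_utc": filetime_to_utc(ft).strftime("%Y-%m-%d %H:%M:%S"),
        })
    return entries


if __name__ == "__main__":
    print("Recently opened files (config.xml History):")
    for path in recent_files(CONFIG_XML):
        print("  ", path)
    print("Open tabs (session.xml):")
    for e in session_files(SESSION_XML):
        print(f"  {e['mtime_utc']} UTC  {e['filename']}  (backup written {e['backup_stamp']} local)")
```

Pointing the two constants at the real config.xml and session.xml (read with open().read()) gives the same table for a live triage. The mtime_utc value is the on-disk last-modified time of the original file, which is what the question asks for; the backup-name stamp is when Notepad++ last snapshotted the tab, which is a different event.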

The attacker wrote a data extortion note after exfiltrating data. What is the crypto wallet address to which attackers demanded payment?

To find the wallet address we need to follow the links the attackers provided. The first (pastebin) link is dead; the second (pastes.io) link is live but asks for a password.

That password is hard-coded in the same LootAndPurge.java backup we looked at above. Reusing the archive password for the paste is presumably one of the mistakes the threat intelligence team mentioned:

        String zipFilePath = desktopDirectory + "Forela-Dev-Data.zip";
        String password = "sdklY57BLghvyh5FJ#fion_7";

The password variable holds what we need. Entering it on the second link reveals the following message:

If you are here then you know that you have no other choice than to pay us.Your Sensitive DATA is in our hands and we WILL release it to PUBLIC By midnight if you don't pay us a ransom.

We Want 50000e $ in ETH currency by midnight. This amount is very reasonable as we know FORELA is a multi million dollar company, but since we were able to extort small amount of data , this is our final offer.

Ethereum Wallet: 0xca8fa8f0b631ecdb18cda619c4fc9d197c8affca

Person of contact : CyberJunkie@mail2torjgmxgexntbrmhvgluavhj7ouul5yar6ylbvjkxwqf6ixkwyd.onion

We can see the wallet: 0xca8fa8f0b631ecdb18cda619c4fc9d197c8affca.

What’s the email address of the person to contact for support?

The contact email for support is also on the message we just got: CyberJunkie@mail2torjgmxgexntbrmhvgluavhj7ouul5yar6ylbvjkxwqf6ixkwyd.onion

That concludes this challenge. It is worth stating plainly that paying this kind of ransom is a bad idea: neither the company nor any individual has a way to confirm that the attackers would keep their side of the bargain, and a payment does nothing to stop the copied data from being leaked later.
