boredhackerblog BoredHackerBlog

## docker-compose.yaml
version: "3"

networks:
  loki:

services:
  loki:
    image: grafana/loki:2.4.0
    volumes:
      - ./loki:/etc/loki

## winrar_CVE-2023-38831_extract_cmd.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                BoredHackerBlog
                / winrar_CVE-2023-38831_extract_cmd.md
            
            
              Last active
              August 24, 2023 16:06
            
              
                Extracting malicious command file from rar file exploiting CVE-2023-38831
              
          
    Article with details regarding the vuln and malicious use & file hashes: https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/
File: 049af32f678da5e344315ce46787e8fc
Anyrun: https://app.any.run/tasks/3c2f3ff4-3883-4f68-98d1-706138771f46
remnux@remnux:~/Downloads$ md5sum malware.rar 
a519226ff8e4edd6d622db45a0099932  malware.rar
remnux@remnux:~/Downloads$ 7z l malware.rar |grep -v ico

  
## docker-compose.yml
version: "3.6"

services:
  so1:
    image: splunk/splunk:latest
    container_name: so1
    environment:
      - SPLUNK_START_ARGS=--accept-license
      - SPLUNK_PASSWORD=password
      - SPLUNK_LICENSE_URI=Free

## guac_token.py
import requests

GUAC_URL="http://10.0.0.1:8080/guacamole"
GUAC_USERNAME="user"
GUAC_PASSWORD="password"

def get_token():
  url = f"{GUAC_URL}/api/tokens"
  payload = f"username={GUAC_USERNAME}&password={GUAC_PASSWORD}"
  headers = {"Content-Type": "application/x-www-form-urlencoded"}

## docker-compose.yml
version: '3'
services:
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:8.8.0
    container_name: elasticsearch
    environment:
      - xpack.security.enabled=false #there is no password to access ES!!
      - xpack.security.enrollment.enabled=false
      - discovery.type=single-node
    ulimits:

## Caddyfile
:80 {
	reverse_proxy :9000 {
		header_up +Remote-User "anonymous"
	}
}


## docker-compose.yml
version: "3.9"

services:
    cloudflared:
        image: cloudflare/cloudflared:latest
        network_mode: "service:gluetun"
        command: tunnel --no-autoupdate --url http://localhost:3000

#webtop
    webtop:

## ha_ingest.py
# ingest data from hybrid analysis
import requests
import psycopg2

HA_API = ""
ha_header = {'api-key':HA_API, 'user-agent': 'Falcon Sandbox', 'accept': 'application/json'}

POSTGRES_HOST = "localhost"
POSTGRES_DB = "procsearch"
POSTGRES_SEARCH_USER = "postgres"

## abusech_malware_bazaar_hourly.sh
#!/bin/bash
# prolly use cron w/ '10 * * * *' so it runs every hour, at hour:10mins

hourlyfile=$(date -u --date="1 hour ago" +%Y-%m-%d-%H).zip
wget https://datalake.abuse.ch/malware-bazaar/hourly/$hourlyfile -O /tmp/hourly.zip
unzip -P infected -o /tmp/hourly.zip -d /tmp/hourly_files
# do stuff with the files
file /tmp/hourly_files/* >> /tmp/file_out.txt
# do stuff with the files
rm -rf /tmp/hourly_files /tmp/hourly.zip

## rulematch.py
# requires dictquery (pip3 install dictquery or get it from here: https://github.com/cyberlis/dictquery)
import dictquery as dq

#each rule needs to be a new line
#rule format, RULENAME|RULE
#rule syntax: https://github.com/cyberlis/dictquery#dictquery
rules_file = "rules.txt"

rules = {}
	version: "3"

	networks:
	loki:

	services:
	loki:
	image: grafana/loki:2.4.0
	volumes:
	- ./loki:/etc/loki
	version: "3.6"

	services:
	so1:
	image: splunk/splunk:latest
	container_name: so1
	environment:
	- SPLUNK_START_ARGS=--accept-license
	- SPLUNK_PASSWORD=password
	- SPLUNK_LICENSE_URI=Free
	import requests

	GUAC_URL="http://10.0.0.1:8080/guacamole"
	GUAC_USERNAME="user"
	GUAC_PASSWORD="password"

	def get_token():
	url = f"{GUAC_URL}/api/tokens"
	payload = f"username={GUAC_USERNAME}&password={GUAC_PASSWORD}"
	headers = {"Content-Type": "application/x-www-form-urlencoded"}
	version: '3'
	services:
	elasticsearch:
	image: docker.elastic.co/elasticsearch/elasticsearch:8.8.0
	container_name: elasticsearch
	environment:
	- xpack.security.enabled=false #there is no password to access ES!!
	- xpack.security.enrollment.enabled=false
	- discovery.type=single-node
	ulimits:
	:80 {
	reverse_proxy :9000 {
	header_up +Remote-User "anonymous"
	}
	}
	version: "3.9"

	services:
	cloudflared:
	image: cloudflare/cloudflared:latest
	network_mode: "service:gluetun"
	command: tunnel --no-autoupdate --url http://localhost:3000

	#webtop
	webtop:
	# ingest data from hybrid analysis
	import requests
	import psycopg2

	HA_API = ""
	ha_header = {'api-key':HA_API, 'user-agent': 'Falcon Sandbox', 'accept': 'application/json'}

	POSTGRES_HOST = "localhost"
	POSTGRES_DB = "procsearch"
	POSTGRES_SEARCH_USER = "postgres"
	#!/bin/bash
	# prolly use cron w/ '10 * * * *' so it runs every hour, at hour:10mins

	hourlyfile=$(date -u --date="1 hour ago" +%Y-%m-%d-%H).zip
	wget https://datalake.abuse.ch/malware-bazaar/hourly/$hourlyfile -O /tmp/hourly.zip
	unzip -P infected -o /tmp/hourly.zip -d /tmp/hourly_files
	# do stuff with the files
	file /tmp/hourly_files/* >> /tmp/file_out.txt
	# do stuff with the files
	rm -rf /tmp/hourly_files /tmp/hourly.zip
	# requires dictquery (pip3 install dictquery or get it from here: https://github.com/cyberlis/dictquery)
	import dictquery as dq

	#each rule needs to be a new line
	#rule format, RULENAME\|RULE
	#rule syntax: https://github.com/cyberlis/dictquery#dictquery
	rules_file = "rules.txt"

	rules = {}