command:ls -la
command:ls -la
command:total 16
drwxr-xr-x 3 root root 4096 Jul 26 09:36 .
drwxr-xr-x 3 root root 4096 Jul 26 03:45 ..
drwxr-x--- 2 www-data www-data 4096 Jul 26 09:37 css
-rwxr-xr-x 1 www-data www-data 1664 Jul 26 04:46 index.php
command:total 16
drwxr-xr-x 3 root root 4096 Jul 26 09:36 .
drwxr-xr-x 3 root root 4096 Jul 26 03:45 ..
drwxr-x--- 2 www-data www-data 4096 Jul 26 09:37 css
-rwxr-xr-x 1 www-data www-data 1664 Jul 26 04:46 index.php
command:id
command:id
command:uid=0(root) gid=0(root) groups=0(root)
command:uid=0(root) gid=0(root) groups=0(root)
command:id
command:id
command:uid=0(root) gid=0(root) groups=0(root)
command:uid=0(root) gid=0(root) groups=0(root)
command:id
command:id
command:uid=0(root) gid=0(root) groups=0(root)
command:uid=0(root) gid=0(root) groups=0(root)
command:ls -la /root
command:ls -la /root
command:total 32
drwx------ 5 root root 4096 Jul 27 07:27 .
drwxr-xr-x 22 root root 4096 Apr 18 05:43 ..
-rw------- 1 root root 3228 Jul 26 06:44 .bash_history
-rw-r--r-- 1 root root 3106 Oct 22 2015 .bashrc
drwxr-xr-x 2 root root 4096 Jul 27 09:11 certs
drwxr-xr-x 2 root root 4096 Jul 26 03:47 .nano
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
drwx------ 2 root root 4096 Jul 27 07:27 .ssh
command:total 32
drwx------ 5 root root 4096 Jul 27 07:27 .
drwxr-xr-x 22 root root 4096 Apr 18 05:43 ..
-rw------- 1 root root 3228 Jul 26 06:44 .bash_history
-rw-r--r-- 1 root root 3106 Oct 22 2015 .bashrc
drwxr-xr-x 2 root root 4096 Jul 27 09:11 certs
drwxr-xr-x 2 root root 4096 Jul 26 03:47 .nano
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
drwx------ 2 root root 4096 Jul 27 07:27 .ssh
command:ls -la /root/certs
command:ls -la /root/certs
command:total 16
drwxr-xr-x 2 root root 4096 Jul 27 09:11 .
drwx------ 5 root root 4096 Jul 27 07:27 ..
-rw-r--r-- 1 root root 989 Jul 27 07:23 intranet.crt
-rw-r--r-- 1 root root 916 Jul 27 07:23 intranet.key
command:total 16
drwxr-xr-x 2 root root 4096 Jul 27 09:11 .
drwx------ 5 root root 4096 Jul 27 07:27 ..
-rw-r--r-- 1 root root 989 Jul 27 07:23 intranet.crt
-rw-r--r-- 1 root root 916 Jul 27 07:23 intranet.key
command:cat /root/certs/intranet.crt
command:cat /root/certs/intranet.crt
command:-----BEGIN CERTIFICATE-----
MIICrDCCAhWgAwIBAgIJALfe3aETCSTsMA0GCSqGSIb3DQEBCwUAMG8xCzAJBgNV
BAYTAk5MMRIwEAYDVQQIDAlGbGV2b2xhbmQxETAPBgNVBAcMCFplZXdvbGRlMRQw
EgYDVQQKDAtTSEEyMDE3IENURjEjMCEGCSqGSIb3DQEJARYUc2hhMjAxN2N0ZkBn
bWFpbC5jb20wHhcNMTcwNzI3MTQyMzIwWhcNMTgwNzI3MTQyMzIwWjBvMQswCQYD
VQQGEwJOTDESMBAGA1UECAwJRmxldm9sYW5kMREwDwYDVQQHDAhaZWV3b2xkZTEU
MBIGA1UECgwLU0hBMjAxNyBDVEYxIzAhBgkqhkiG9w0BCQEWFHNoYTIwMTdjdGZA
Z21haWwuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+H/mwETvdjGRn
n/33zsjMOyPsg5xgSCsLDTg9D8XaeGp7ZQ1habE+9G0gabrKYntVburjitcuheXK
hCo6nYWF2pSch4WjhNhCxkM++UeKRUv8xYAtSGl+6vvSrwogR+BfRuxZFAeJzvgK
hNwL7sdW2CJ7Gk89pET/W6AOBNcDWwIDAQABo1AwTjAdBgNVHQ4EFgQUFeykHO7M
V70l0IO87/3ogRb5VxMwHwYDVR0jBBgwFoAUFeykHO7MV70l0IO87/3ogRb5VxMw
DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOBgQCITumB4q5A+Lu9EzUe1qAW
rjAeVfXq/qVrw+byH4VqNuEOBQ7lq151VbsXI1YQXCxVbP/r5Zxb1BfS/3qHHFDu
SRqYaxh9c+BRkdAdzkFebMbIocnaLuVFpn237Z/ysSt0PPrTaI3gUSoz/7gXB+nX
DkYKgl7BR0a72yTuLAc0GA==
-----END CERTIFICATE-----
command:-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
command:cat /root/certs/intranet.key
command:cat /root/certs/intranet.key
command:-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----
command:-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----
command:cat /root/certs/intranet.key
command:cat /root/certs/intranet.key
command:-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----
command:-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----
command:cat /etc/hosts
command:cat /etc/hosts
command:127.0.0.1 localhost
127.0.1.1 ubuntu
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
10.29.0.1 router
192.168.1.1 router
192.168.1.2 intranet
command:127.0.0.1 localhost
127.0.1.1 ubuntu
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
10.29.0.1 router
192.168.1.1 router
192.168.1.2 intranet
command:nohup nmap intranet > /tmp/intranet.nmap
command:nohup nmap intranet > /tmp/intranet.nmap
command:
command:
command:cat /tmp/intranet.nmap
command:cat /tmp/intranet.nmap
command:
Starting Nmap 7.01 ( https://nmap.org ) at 2017-07-27 09:48 PDT
Nmap scan report for intranet (192.168.1.2)
Host is up (0.00010s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
MAC Address: 00:0C:29:3D:FD:B0 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 1.52 seconds
command:
Starting Nmap 7.01 ( https://nmap.org ) at 2017-07-27 09:48 PDT
Nmap scan report for intranet (192.168.1.2)
Host is up (0.00010s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
MAC Address: 00:0C:29:3D:FD:B0 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 1.52 seconds
command:cat /tmp/intranet.nmap
command:cat /tmp/intranet.nmap
command:
Starting Nmap 7.01 ( https://nmap.org ) at 2017-07-27 09:48 PDT
Nmap scan report for intranet (192.168.1.2)
Host is up (0.00010s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
MAC Address: 00:0C:29:3D:FD:B0 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 1.52 seconds
command:
Starting Nmap 7.01 ( https://nmap.org ) at 2017-07-27 09:48 PDT
Nmap scan report for intranet (192.168.1.2)
Host is up (0.00010s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
MAC Address: 00:0C:29:3D:FD:B0 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 1.52 seconds
command:cat /tmp/intranet.nmap
command:cat /tmp/intranet.nmap
command:
Starting Nmap 7.01 ( https://nmap.org ) at 2017-07-27 09:48 PDT
Nmap scan report for intranet (192.168.1.2)
Host is up (0.00010s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
MAC Address: 00:0C:29:3D:FD:B0 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 1.52 seconds
command:
Starting Nmap 7.01 ( https://nmap.org ) at 2017-07-27 09:48 PDT
Nmap scan report for intranet (192.168.1.2)
Host is up (0.00010s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
MAC Address: 00:0C:29:3D:FD:B0 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 1.52 seconds
command:cat /tmp/intranet.nmap
command:cat /tmp/intranet.nmap
command:
Starting Nmap 7.01 ( https://nmap.org ) at 2017-07-27 09:48 PDT
Nmap scan report for intranet (192.168.1.2)
Host is up (0.00010s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
MAC Address: 00:0C:29:3D:FD:B0 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 1.52 seconds
command:
Starting Nmap 7.01 ( https://nmap.org ) at 2017-07-27 09:48 PDT
Nmap scan report for intranet (192.168.1.2)
Host is up (0.00010s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
MAC Address: 00:0C:29:3D:FD:B0 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 1.52 seconds
command:curl -k https://intranet/
command:curl -k https://intranet/
command: % Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
100 456 100 456 0 0 4871 0 --:--:-- --:--:-- --:--:-- 4903
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Unauthorized</title>
</head><body>
<h1>Unauthorized</h1>
<p>This server could not verify that you
are authorized to access the document
requested. Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>
<hr>
<address>Apache/2.4.18 (Ubuntu) Server at intranet Port 443</address>
</body></html>
command: % Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
100 456 100 456 0 0 4871 0 --:--:-- --:--:-- --:--:-- 4903
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Unauthorized</title>
</head><body>
<h1>Unauthorized</h1>
<p>This server could not verify that you
are authorized to access the document
requested. Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>
<hr>
<address>Apache/2.4.18 (Ubuntu) Server at intranet Port 443</address>
</body></html>
command:tcpdump -D
command:tcpdump -D
command:1.ens33 [Up, Running]
2.ens39 [Up, Running]
3.any (Pseudo-device that captures on all interfaces) [Up, Running]
4.lo [Up, Running, Loopback]
5.nflog (Linux netfilter log (NFLOG) interface)
6.nfqueue (Linux netfilter queue (NFQUEUE) interface)
7.usbmon1 (USB bus number 1)
8.usbmon2 (USB bus number 2)
command:1.ens33 [Up, Running]
2.ens39 [Up, Running]
3.any (Pseudo-device that captures on all interfaces) [Up, Running]
4.lo [Up, Running, Loopback]
5.nflog (Linux netfilter log (NFLOG) interface)
6.nfqueue (Linux netfilter queue (NFQUEUE) interface)
7.usbmon1 (USB bus number 1)
8.usbmon2 (USB bus number 2)
command:tcpdump -i usbmon2 -w /tmp/usb.pcap
command:tcpdump -i usbmon2 -w /tmp/usb.pcap
command:tcpdump host intranet -w /tmp/intranet.pcap
command:tcpdump host intranet -w /tmp/intranet.pcap