
TryHackMe - MAL: Strings

  • Hacking By Doing
  • Jul 27, 2022
  • 3 min read


This time, we will solve the TryHackMe MAL: Strings room in the Cyber Defense path; this is the third room in the Malware Analysis category.


FYI, all the answers for this room are marked below.


Task 1 What are "strings"?


"Strings" is the term for the pieces of human-readable data an application handles. In other words, these pieces of data store information ranging from text to numerical values.


So why are strings necessary?

The room creator explains why saving passwords in clear text is dangerous. Then he shows us examples of companies that hid important passwords in clear text inside their applications, which led to those passwords being disclosed to the public.


Q: " What is the name of the account that had the passcode of "12345678" in the intellian example discussed above? "


I found the answer to this question by googling "Aptus Web 1.24 account", which led me to this result.

Answer: intellian


Q: " What is the CVE entry disclosed by the company "Teradata" in their "Viewpoint" Application that has a password within a string? "


You can google "Teradata viewpoint cve" and find the answer to this question.


Answer: CVE-2019-6499


Q: " According to OWASP's list of "Top Ten IoT" vulnerabilities, name the ranking this vulnerability would fall within, represented as text. "


Go to the OWASP Top Ten IoT list and look at the first item on the list.

Answer: one




Task 2 Practical: Extracting "strings" From an Application

In this task, we will dissect a program written in C++.

The program asks you for credentials to log in if you run it in a Windows environment, but if you open it in a Linux environment with the "strings" command, you can see every string embedded in the program, including the login credentials!


You can find all the answers to the following questions using the "strings" command.


Q: " What is the correct username required by the "LoginForm"? "

Answer: cmnatic


Q: " What is the required password to authenticate with? "

Answer: TryHackMeMerchWhen


Q: " What is the "hidden" THM{} flag? "

Answer: THM{Not_So_Hidden_Flag}



Task 3 Strings in the Context of Malware


This short task explains how some botnets and ransomware carry embedded strings, such as the IP addresses used to communicate with their command and control servers, or the bitcoin addresses that victims are told to pay the attackers with.


You can answer the following questions by reading the task.


Q: " What is the key term to describe a server that Botnets receive instructions from? "

Answer: command and control


Q: " Name the discussed example malware that uses "strings" to store the bitcoin wallet addresses for payment "

Answer: wannacry



Task 4 Practical: Finding Bitcoin Addresses in Ransomware (Deploy!)



In this task, the room creator talks about bitcoin and crypto wallets and shows us the Wannacry bitcoin address.


Q: List the number of total transactions that the Bitcoin wallet used by the "Wannacry" author(s)


To answer this, we can go to BlockCypher and look up the Wannacry bitcoin wallet.

Answer: 143


Q: What is the Bitcoin Address stored within "ComplexCalculator.exe"


The Sysinternals tools will help us with this question.

First, go to the Sysinternals directory and launch strings.exe; then run the command "strings.exe ComplexCalculatorv2.exe > strings.txt" and open the text file we just created.

Now all we have to do is search that file for the bitcoin wallet address, and we have the answer!
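To show what the two strings exercises above (the login credentials in Task 2 and the wallet address here) actually do under the hood, here is an added Python example that is not from the room or this post: it re-implements the core of the `strings` tool, greps the result the way we searched strings.txt, and filters for tokens shaped like Bitcoin addresses. The sample "binary" is constructed for the demo; only the wallet address in it is the one recovered above.

```python
from __future__ import annotations
import re

# Base58 alphabet of legacy Bitcoin addresses (no 0, O, I, l). A P2PKH address
# starts with '1', a P2SH address with '3'; both are 26-35 characters long.
_BTC_ADDR = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Mimic the `strings` tool: return every run of printable ASCII (0x20-0x7e)
    of at least min_len bytes found anywhere in the binary data."""
    run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in run.finditer(data)]


def grep_strings(strings: list[str], needle: str) -> list[str]:
    """The equivalent of searching strings.txt for a marker such as 'THM{'."""
    return [s for s in strings if needle in s]


def find_bitcoin_addresses(strings: list[str]) -> list[str]:
    """Narrow the extracted strings down to tokens shaped like Bitcoin addresses.
    The regex only checks shape; a real triage would also verify the checksum."""
    hits: list[str] = []
    for s in strings:
        hits.extend(_BTC_ADDR.findall(s))
    return hits


# Constructed stand-in for a compiled program: junk bytes around a few embedded
# strings. Everything here is invented for the demo except the wallet address,
# which is the one the post recovers from ComplexCalculator.exe.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00"     # header; "ELF" is too short
    b"LoginForm\x00\x01\x02"
    b"Username: cmnatic\x00\xff\xfe"
    b"Send 0.1 BTC to 1LVB65imeojrgC3JPZGBwWhK1BdVZ2vYNC\x00"
    b"ab\x00"                                       # also too short to count
    b"\x90\x90\x90THM{constructed_flag}\x00"
)

if __name__ == "__main__":
    found = extract_strings(SAMPLE_BINARY)
    print("\n".join(found))                         # what `strings` would print
    print("flag:", grep_strings(found, "THM{"))
    print("wallet:", find_bitcoin_addresses(found))
```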


Answer: 1LVB65imeojrgC3JPZGBwWhK1BdVZ2vYNC




Task 5 Summary


This was a brief but essential room as it teaches us about the importance of strings and why we shouldn't be hiding credentials in clear text, especially inside programs.


The three simple questions at the end could be answered by completing the room and going over what we did.


Q: What is the name of the toolset provided by Microsoft that allows you to extract the "strings" of an application?

Answer: sysinternals


Q: What operator would you use to "pipe" or store the output of the strings command?

Answer: >


Q: What is the name of the currency that ransomware often uses for payment?

Answer: bitcoin




Conclusion


I hope you all enjoyed this room, and if you did, it would be really cool if you'd share this post or maybe even get me a cup of coffee.







