Tear or Dare Malware

Maybe I’m just bad at disassembly… but I found some startling things in this challenge. And I did NOT write this code.

I attempted the challenge with the decompiler dotPeek, but I moved into Visual Studio to debug the process to see if I could circumvent some of the obfuscation. When I opened it, I found a VERY interesting piece of code shown in these screenshots and this pastebin:

That’s clearly a Windows 7 privilege escalation exploit along with malicious shellcode. I sincerely hope I somehow found my way into random malware on my computer, and not malware embedded in a reversing challenge…

Very interesting.

The code is from this exploit: Microsoft Windows 7 SP1 (x86) - Local Privilege Escalation (MS16-014) - Windows_x86 local Exploit

Can you send us back checksums of the file you have? In my decompiler I get the following:

// Decompiled with JetBrains decompiler
// Type: TearORDear.Program
// Assembly: TearORDear, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: FAD666A4-4959-43F0-9D38-7FD79F826579
// Assembly location: C:\TearORDear.exe
// Compiler-generated code is shown

using System;
using System.Windows.Forms;

namespace TearORDear
{
  internal static class Program
  {
    [STAThread]
    private static void Main()
    {
      Application.EnableVisualStyles();
      Application.SetCompatibleTextRenderingDefault(false);
      Application.Run((Form) new LoginForm());
    }
  }
}

I get the same thing, the code only showed up when debugging the process. I have a side-by-side picture as well with the JetBrains decompiler and VS: Imgur: The magic of the Internet

anyways,
SHA-256: D419ADCAEE5D77143E3537F558A6CDDD6BCD7AC9CD6C6783A02B8C67ACBFEA9F
SHA-1: 1A848729F8770A2137FEDB367C42962F43A1D266
MD5: 033F2A528BBB55D37A47FF3F8A3D5197

As I see in your screenshot, the right side shows Program.cs* at the top (the star denotes that the file was changed).

Furthermore, check line:

Application.Run((Form/*

It seems to me like you accidentally pasted an exploit there while trying to debug the file :expressionless:

Even if there was malware in the file (which I cannot rule out), it would not be an exact exploit-db copy (including comments!!).

Hashes are correct.

I ran it again, and I did NOT add anything to the code, but it’s still there. I’m talking to Arrexel about it in Discord, but it’s just weird. And I know how this looks, but I swear, I didn’t add anything to the code.

I know you didn’t do it on purpose; what I believe is that you added it by mistake. Did you try opening a new debug instance? Rename the exe to something else and open it again from the debugger. Let me know how it goes.

I figured out the problem… It was a combination of user error (me) and Visual Studio having a stupid layout, sorry for the wasted time.

I apologize for any inconvenience I caused the moderators, it was my mistake.

No worries.