
All right, last talk of the day. This is Marlon and Devin Clary from Hex Bits Heads. It operates somewhere between root access and creative anarchy. They break things ethically, make things digitally, and blur the lines between exploit and expression, one line of code and one pixel at a time. So, this is our last talk. [Applause] Thanks all for coming. We're going to start this off with a quick pop quiz. I'm just curious, anybody here familiar with a game called Skyrim? All right, cool. So, you're finally awake. Yeah. Took a while, but yes, finally awake. You were trying to cross the border, right? Yeah. Yeah. Yeah, for sure. Now, you played Skyrim with mods.
Okay, so we're familiar with some mods. Okay. Yeah. I just love my dragon friend in the Thomas the Tank Engine. That's right. So, I want you to have a little knowledge about reverse shells and a C2 beacon while following this talk. So this is our introductory slide, and this is where we go through and enjoy introductions, of course, but we thought it'd be fun to portray ourselves as Skyrim characters, but it ended up looking like one of those bad romance novel book covers instead. So maybe that should have been the pop quiz. What would you call this horrible book?
As you mentioned, my name is Deon Mcquary. My handle is AOMAC. And together we have a small website, hexads.com, where we try to do fun small hacking projects. And this one's been one of our favorites. On the last slide, we'll give you a QR code and a link to our website. So, if you want to refer back to these slides at any time, you'll have that as a resource. So, what I would like to do now is hand the floor over to Izzy here, and she's going to get us started, and I'm just going to stand back here awkwardly over her shoulder
and then I'll be back on later to wrap things up. So, go ahead. So, my name is Marlo, also known as Sydney. I'm the other half of this. And what we are going to do today, we're going to do a little bit of a quest line. So, you guys are going to go with us on this quest. We're going to have a high-level overview of how we came about this project, the progress that we made until we got a C2 beacon. So, let's go ahead. So, if you have played Skyrim before like I did, this was my 11th playthrough of it, and I was browsing Nexus Mods when suddenly
this little thing came up and I was like, "Okay, well, virus scan: safe to use. That's kind of interesting." So, I needed to find out how exactly this works, right? If we can have a malicious mod somehow, what would that look like? So, we started planning ahead, because otherwise I would never get the game going until I figured this out, because now I'm freaking out that something in there might actually be malicious. So, we went ahead and got going. So, we wanted to find out what mods are, and we already knew it's something that alters the video game. It can provide you with quests, characters, better graphics, like you can see in that
picture there. But it's also developed by other third-party players, developed by other people. So it was really interesting for us to see, okay, maybe something malicious can come through this. So if you played Skyrim before, you know that there's two ways to get mods into the game. You have the Creation Kit, which was released by Bethesda. It also has a very restrictive platform, so it requires the mods to be developed in Papyrus. And then you have SKSE, which probably most of us have actually been using; I'm included, I'm guilty of that. So SKSE is community made, it has a less restrictive platform to get mods created, and it uses C++ for
the coding development. So once we figured that out, we decided, okay, can we actually summon a hack from Tamriel into our terminal? And the answer is yes, we actually can do that. So we needed to figure out how we can make our code execute locally and then maybe have a C2 beacon also. And since we're talking about C2 beacons, there's nothing more fitting than Meridia's Beacon for this journey. So, if you have played Skyrim before, the player needs to hit level 12 before you find the actual beacon, and then you'll hear a loud voice saying "A new hand touches the beacon," and it kind
of freaks you out. So, we needed to find out. We're just going to go ahead and do this beacon for this one. So, now that we have what our quest is, what are we going to do? We needed to find out what we need to make this happen. So from there, we obviously need the Skyrim game. We're going to use SKSE because we're going to use C++ with it. We're going to use vcpkg, which is a package manager. We use Visual Studio Community. We also need a template logging script, which I'll tell you guys about in a minute. And then our proof of concepts, which are also going to be
showing up in our slides so you guys can tinker with them. And lastly, our C2 framework. In this case, we use Havoc for this one. All right. So, we have all our items required. Let's go ahead and just get something going. So, in this case, we're trying to have local code execution. And we just started simple. We just wanted to see if calc could come up if I go into Whiterun and hit somebody over the head. So, this is how that looks. So, here I am. And then I'm just going to whack this happy camper with his chicken. And then I get my calculator coming out. So, this
was a really good point for us because it's like, okay, this is actually working. Now that we have a calculator, we know we can do pretty much anything else after that. So what we needed was to find out the beacon ID. So instead of us trying to get our player to level 12, we needed to figure out, can we just find a way to hack ourselves so we don't have to wait for Meridia's Beacon to come up on a random loot roll. So we went down this huge rabbit hole about base IDs and form IDs. So Meridia's Beacon has a form ID identifier, which is hexadecimal. I'm going to put it here bigger because I
wear glasses. And this form ID is a unique identifier for each of the items within the game. So NPCs, dragons, everything has its unique identifier. This matters because, since we're not going to go loot everything, we just needed a quick way of spawning the beacon to us. So that's what we did right here. Now, the next part was the logging technique. So we needed to find out the base ID, which is the identifier for the prototype object. So it's important to find out what that base ID is so we can use it throughout the rest of our proofs of concept. Now, in this screenshot right here, you see that we are going to be able to create a
beacon within the game. It's going to trigger that base ID, and we're going to look at it in our logs. So, I'm going to show you guys. So, we are going to open the command console. We're going to write player.placeatme 4E4E6. That's going to spawn the beacon at us, and we're going to pick it up. We're going to exit the game, and then we're going to go into our directory, go into our game folder, open up our log, and then we're going to find the base ID that was activated when we picked up Meridia's Beacon. So
now I will give the floor to Aroma to take us through the rest of the journey. Thank you for setting us up and getting us started. All right, cool. So the next thing we're looking into is how do we build on top of this to start getting the reverse shell, the C2 beacon, the stuff the attacker would want to do, right? So here we've got another picture of some source code. There are plenty of reverse shell examples out on the web. Maybe you've seen some web shells or other source code where you plug in your IP address as the attacker, your port number that you're listening on. And that's what we see in that first
red box there. Below that is just some of the Skyrim jabber that goes through and communicates with the game. And the second red box that we see here is just a simple if condition. Basically, all that says is: if the player picks up an item that matches this ID, which we just found out is Meridia's Beacon's ID, execute the following code, which is the reverse shell. Right? So, we'll see this in action. We see a listener set up here, port 8000. We've compiled the DLL. We threw it into our mods folder for Skyrim. We follow the exact same steps. We spawn the beacon item, so we're not waiting till we're level 12 to find it. Pick it
up. We'll switch back to the other VM that has our listener. And there's our reverse shell. So this would call back to the attacker. We do a quick check for the IP address, so you can see on the BGInfo in the background that it matches. So the attacker at this point has successfully gained a reverse shell by the player picking up Meridia's Beacon in the game. That was really cool. But we're not quite done yet, because how much fun would it be to pick up the beacon item and get a C2 beacon, right? That's the whole goal of this thing. So, how do we take this further? So, we were really happy to get this far.
Again, it's a step further than getting the calculator from the first step. Now we've got the reverse shell. How do we get a C2 beacon? We chose Havoc as our C2 framework. It's a pretty popular one. And the way that Havoc works is we were able to generate a .bin file, which is our agent, our C2 beacon agent. But if you've ever catted out or tried to read a compiled file in any kind of text editor or anything, it's that gibberish that you see in the top image. There's no use for it for us in this format. So how do we change that format? How do we get
it into something that we can actually stuff into our source code and use? And that's where the command line tool xxd comes in. We were able to feed it the .bin file and it spit out shellcode for us. Okay, I know how to use shellcode. So, we were able to change our template up a little bit, as seen at the bottom. And you can see in the red box there where we would put in our shellcode to execute. So, we went from a compiled .bin file that's no good for us, converted it with xxd into the shellcode that we now know how to use, and put it into our template. So here I've got a VM again
running Skyrim, and we're going to test this out. We'll pick up Meridia's Beacon, spawning it in the console again. Switch back to Havoc, and we've got a callback, an agent from that target. Got the IP address. Now here I'm switching over to another VM. I actually got three of them running Skyrim all at once. That's why some of the graphics look terrible on this, but I run over to this area because it's a nice flat spot where the beacon doesn't just roll away on the ground. Happened to me a couple times while trying to record; recording is a hard thing. I do the same thing. I use the console command. I spawn the beacon. I switch
back to Havoc. Now I have two agents. I've got one more VM running Skyrim. So, we're going to switch to that. And this is going to be the exact same thing. He's going to run over to an area where he can open up the console, spawn Meridia's Beacon, pick it up, and we'll get the third callback through Havoc when I switch back to that virtual machine. Bam. All three targets, all the same mod, pick up Meridia's Beacon and have it call back. I'm going through the IP addresses so you can see on the VMs that they all match the callback agents.
Sweet. So that's all three targets. We have finally accomplished what we intended to do all the way through, from calculator to reverse shell to C2 beacon through Havoc. But we had some free time. So we wanted to go a little bit further and see if we could make this a little crazier. So, we thought about this for a while, and you know, there is a mod out there called Skyrim Together. And if you're familiar with this, what this does is introduce multiplayer into Skyrim. You know where this is going, right? I think I'm starting to see where this is going. So, we were like, what if we could take Skyrim
Together and combine it with Havoc to further the chaos. This sounds awesome. So here in this video, we've got a blank slate with Havoc. I'm going to show you, between the three different VMs that you see in the tabs up top, I've got three Dragonborn heroes here, all in the same town, and I'm switching through the three VMs. So you can see that I have control of all three players. So they're all grouped up in here. So with this guy, I'm going to follow the same pattern. I'm going to spawn Meridia's Beacon, but this time they're going to go straight into his inventory and not on the ground.
I'm going to have him walk up to a random barrel, and he's going to put in the beacons, two beacons. He's going to put two beacons into this barrel, and he's going to back out. I'm going to switch over to the other guy, the second guy in this world, and he's going to walk over to that barrel, and he's going to pick up one of those Meridia's Beacons. He'll back out, show his inventory to show that he has it. And then finally, switch over to the third guy. Have him do the same thing. He's going to walk over to that beacon, or I'm sorry, that barrel, pick up the beacon, walk backwards, open up his inventory,
and he's got it. What's going to happen when we switch over to Havoc? We have all three beacons called back to our Havoc server. They have full control of the computer from there. Okay, that's cool. So, now we've gone even further and set up our own multiplayer server with Skyrim and were able to get all the callbacks from there. So, that was pretty cool. We're pretty happy with that. Then we had a little more time. So, we thought, well, what if we want to change the condition a little bit? We kind of wanted to learn how SKSE interfaces with the game and what else we can do with this.
So to show a different example, we took a different direction in this logic. The if statement in the first box says when the player runs out of health. So instead of picking up Meridia's Beacon as a condition, this is when the player dies. So that's changed. The bigger box was an experiment: what if we just run a bunch of enumeration commands on the host, and then we want that to feed into a text file, and then we're going to send that text file to a remote host. So as an attacker, maybe I don't want remote code execution. Maybe a reverse shell is too obvious. So what if I just want to enumerate your
system and enumerate your home network and then give me that information on my server that I'm running remotely? So, in this video, we have an example. In the bottom right-hand corner, Dragonborn dude's going to die. And what we're looking for in the top left corner is you'll see a file pop up in that little File Explorer window there. That just popped up there. So, the game will continue on as if nothing happened. And then what we're going to do is see what's included in this text file that just randomly popped up on a remote server. So for realism, we had this run on a system that we use quite a
bit, like daily. That way there's actual information in here. That's why you see a lot of redacted blocks in there. But what we found was RDP information that we use a lot for our home network. Account details for Adobe, GitHub, just your normal stuff that you use. There was some Microsoft information in there, like an Xbox Live account that I think I set up years ago when I got the laptop. All that stuff was in there. These are just usernames. It's like, that's half the battle, right? You get usernames, you get emails, then you can start building social engineering. So, it's not like it's dumping out usernames
and passwords, but you've got valid emails in here that you know you personally use. This was my second favorite one. So we were able to enumerate SMB shares that we have. So storage units that you have at home, maybe you're using as a cloud; it found those because it just has that information so you could auto log in, and a path. And then, if you're familiar with netsh and being able to grab Wi-Fi information, this one was pretty cool. I had to set up a test Wi-Fi for this, but there's a demo down here where I used a hotspot and created a demo network and then
ran on that CMD screen a command that would pull the SSID and the plaintext password to my Wi-Fi network that you see in the bottom red square there. So, there are plenty of things that you could do with that CMD, or just those commands in general. If you want to do some fancy PowerShell stuff or command line stuff, the possibilities are just endless at that point. Okay, so we did it. We went all the way from learning how to build a mod to getting the calculator to pop, reverse shell, C2 beacon, whatever that multiplayer thing was at the end. And as I promised, here's a QR code and a link. We went ahead and
uploaded all of our slides here a little bit ago. So, those are available for you at any point. And a quest would not be a quest without a quest reward. So, we have some shiny stickers for you, if you would like some stickers. And while she's doing that, we can conclude and start taking some questions. Yeah. I wish you guys were earlier in the day. This is amazingly cool. You'd have got a lot more traffic. This was great. Yeah. If there's a feedback thing, maybe that would help. No, we would love that too. But thank you. Thank you. So, when you're executing that code remotely, you're running under the context of the user
that launched the Skyrim game. Yes. So, if they're an admin on their machine, then you pretty much could do anything they could do. Correct. Could sure grab their web browser if they store their username information and just pull all their passwords and all that in there. So, good point. I'm glad you brought this up, because I started that enumeration piece as maybe three or four lines and then I was like, "Ooh, what if I do this? Ooh, what if I do this?" And then I realized that I had to cut this off, because at one point you're just enumerating a whole computer or network, but the
possibilities are just endless. So whatever enumeration commands you've seen before, or whatever, absolutely you can shove it in there, send it out to a remote host, a listening server or whatever. Absolutely. Yes. That's absolutely valid. Good question. So now you'd be more aware of, okay, what mods am I actually downloading? Well, I mean, that's a great point. I hadn't played Skyrim in a long time, but when I had it running I was using the Vortex mod manager and I couldn't even tell you how many mods I had running at once. Right. Yep. So, exactly. And that, I don't think I ever got the game running. Modded it until it crashed. Modded it
until it crashed. Yeah. Yeah. For sure. That's a good point, because now they have collections and it's like, oh, I can get these with a click of a button. So, it's kind of a supply chain thing at this point, the way we look at it, because it's like, how hard would it be to have one malicious mod in there that just does something like this? Yeah. And what's interesting, when we thought about this some more, this isn't something that's immediately obvious when we download the mod environment. This is just chilling in the background until you hit level 12, when the item spawns into the world. So, even if you're
trying to check your mods immediately, I mean, this could be hours before it even, yeah, you know, pops. Yeah. Did you check your beacon mod against a virus scanner? Yes. So it was not recognized. Oh, like Defender or something? In the beginning there was the little "virus scan: safe" thing. So that was on a mod platform. Yeah. And we have not uploaded it to that. Well, I guess if I'm answering your question here, it didn't get caught locally with Defender, and no, we haven't uploaded it there. No. When you did the Skyrim Together thing, couldn't you have done it where, once the beacon was activated from any
player, it grabbed everybody's info, or did you need to have the one specific user ID connected to it? The tricky part with that was, we tried to do it that way, but the tricky part was we would have had to have Skyrim Together deliver it to all the clients, and it's something we wanted to go down as a pathway, but we ended up just having all the mods locally installed throughout, and it was able to trigger, yeah, I was able to trigger as you saw throughout. So, yeah, we kind of explored that and it kind of got into the whole area of reverse
engineering and all this stuff that maybe we didn't want to go that far into, but I don't see why it wouldn't be possible. I'd have to give it a shot. Yep. I just think back to the days when I played RuneScape or WoW and we were using VoIP and your IP was in clear text when you were connected to the server, and I'm just thinking it would be easy to essentially ping it to the server and get the information that way and then send it out. Yeah. But obviously there are more nuances to it, and every time we had a little bit of an idea, we were like, "Oh, let's run with it." And then we were like,
"When do we stop with this?" Because we're going to constantly be doing and doing. We're never going to get to other projects or other things that we want to get to. But no, I love that. That's definitely cool. I think over time, we would have just been going and going and going, never be done with this. We'll be Skyrim package for the rest of our lives. But this would apply to every game that has unofficial mods out there. Yes. I mean, there are tons of games where you can go to the different mod platforms, install them; you could make a mod and tweak it slightly for each game. I think what's unique about this
one, though, is the way that the team produced SKSE: they had to reverse engineer everything. So, they have this separate platform that's specific to Skyrim. They have another one that's close, for Fallout 4, but you're correct. However, there's a lot more effort that would go into another game, where you have to reverse engineer it. Almost like learning a different language at that point. Yeah. This one was interesting, it stood out to us, because there's already that middle ground. So SKSE on one side and then C++ on the other side, and we were able to merge those together and figure out how SKSE talks to the game and SKSE talks to C++,
right? And just bring those together. Yeah, that makes sense. Otherwise, we would have to build... Baldur's Gate 3 has a script extender, too. So, what does Baldur's Gate 3? It's like your favorite. I didn't know that. Oh, there you go. Well, there, I didn't know that. Okay. Thank you. Thank you.
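Editor's addition, after the transcript and not the speakers' code or slides: the talk's payload sits dormant until an in-game condition fires (picking up Meridia's Beacon, or the player dying), so a quick "install and run it" sandbox check never sees the network call. What a player or a mod-platform reviewer can do statically is look at what the SKSE plugin DLL links and carries. The script below triages every DLL under the SKSE plugin folder (assumed here to be <Skyrim>/Data/SKSE/Plugins) by pulling ASCII and UTF-16LE strings and matching them against three indicator families the talk's plugins would leave behind: Win32 imports for sockets, process creation and shellcode staging (import names are stored as plain null-terminated ASCII in a PE's hint/name table), a hard-coded attacker IP:port like the listener on port 8000, and the enumeration commands (netsh wlan show profile and friends). The indicator lists, scoring weights and the constructed sample bytes are this example's own assumptions.

```python
"""Static triage of SKSE plugin DLLs for the artefacts a beacon mod leaves behind."""
import re
from pathlib import Path

# Assumed indicator lists (this example's own choices, not from the talk).
SUSPICIOUS_IMPORTS = {
    "WSAStartup", "WSASocketA", "WSASocketW", "WSAConnect", "connect", "send", "recv",
    "CreateProcessA", "CreateProcessW", "WinExec", "ShellExecuteA", "ShellExecuteW",
    "VirtualAlloc", "VirtualProtect", "CreateThread", "CreateRemoteThread",
    "WriteProcessMemory", "URLDownloadToFileA", "InternetOpenA", "WinHttpOpen",
}
# Commands the enumeration variant of the mod shelled out to, plus common siblings.
SUSPICIOUS_COMMANDS = (
    "cmd.exe", "powershell", "netsh wlan show profile", "net view", "net use",
    "cmdkey /list", "whoami", "ipconfig", "systeminfo",
)
ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")            # printable ASCII, 4+ chars
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")     # UTF-16LE wide strings
IPV4_PORT = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?\b")


def extract_strings(data: bytes):
    """Yield printable ASCII and UTF-16LE strings of at least four characters."""
    for m in ASCII_RUN.finditer(data):
        yield m.group().decode("ascii")
    for m in WIDE_RUN.finditer(data):
        yield m.group().decode("utf-16-le")


def _is_ipv4(candidate: str) -> bool:
    """Reject version-number lookalikes such as 10.0.19041.1 by checking octet range."""
    return all(int(octet) <= 255 for octet in candidate.split(":")[0].split("."))


def triage_plugin(data: bytes) -> dict:
    """Return the indicators found in one DLL image plus a rough score.

    API names are matched as whole strings (so 'connect' does not fire on
    'Disconnected'); commands are substring matches; endpoints come from the regex.
    """
    strings = list(extract_strings(data))
    imports = sorted({s for s in strings if s in SUSPICIOUS_IMPORTS})
    endpoints = sorted({m.group() for s in strings for m in IPV4_PORT.finditer(s)
                        if _is_ipv4(m.group())})
    commands = sorted({c for s in strings for c in SUSPICIOUS_COMMANDS if c in s.lower()})
    score = len(imports) + 2 * len(endpoints) + 2 * len(commands)
    return {"imports": imports, "endpoints": endpoints, "commands": commands, "score": score}


def scan_plugin_dir(plugins_dir) -> list:
    """Triage every DLL below the SKSE plugin folder (assumed <Skyrim>/Data/SKSE/Plugins)
    and return (path, findings) for each plugin that hit at least one indicator."""
    hits = []
    for dll in sorted(Path(plugins_dir).rglob("*.dll")):
        findings = triage_plugin(dll.read_bytes())
        if findings["score"]:
            hits.append((str(dll), findings))
    return hits


def constructed_sample() -> bytes:
    """Constructed stand-in for a beacon plugin: not a real PE and not real malware,
    just filler plus the kinds of artefacts the talk's plugin would carry."""
    wide = "netsh wlan show profile name=* key=clear".encode("utf-16-le")
    parts = [b"MZ", bytes(range(256)), b"WSAStartup\x00", b"connect\x00",
             b"CreateProcessA\x00", b"VirtualAlloc\x00", b"192.168.56.10:8000\x00",
             b"cmd.exe /c whoami\x00", wide]
    return b"\x00".join(parts)


if __name__ == "__main__":
    import json
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    result = scan_plugin_dir(target) if target else triage_plugin(constructed_sample())
    print(json.dumps(result, indent=2))
```

Run it with the plugin folder as the only argument, or with no argument to see the constructed sample flagged. Two caveats a reviewer should keep in mind: a Havoc agent embedded as an xxd-style byte array is an opaque blob, so its own C2 address will not show up as a string, but the loader that runs it still needs the memory and thread APIs in the import list; and a plugin that resolves APIs by hash or through GetProcAddress at runtime will slip past string matching entirely, which is why this is a triage step to pair with running mods under a non-admin account and watching egress, not a verdict.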