Malware logo

Intro

CyberDefenders.org, hosted a fun 48-hr CTF (permitting time for more players), all about responding to an incident where a box had been attacked, compromised using the latest log4j exploit and subsequently had malware and ransomeware insstalled. You are provided with a forensic image, and have to answer a series of forensic and IR questions.

For those that don’t know about CyberDefenders they host a platform deticated to training BlueTeam skills: Incident response, digital forensics, security analysts, etc). If you are used to VulnHub and Hack-the-box, these services are typically geared more towards redteaming and penetration testing. This is where CyberDefenders stand out!

Walkthrough

1 What is the computer hostname?

Hint:

  • c:\windows\debug\netsetup.log

Answer:

VCW65

2 What is the Timezone of the compromised machine?

Hint:

  • Registry
  • Currentcontrolset\control\timezoneinformation - PST

Answer:

UTC-8

3 What is the current build number on the system?

Hint:

  • export explorer.exe
  • right-click properties, details tab

Answer:

14393

4 What is the computer IP?

Answer:

192.168.112.139

5 What is the domain computer was assigned to?

Answer:

cyberdefenders.org

6 When was myoussef user created?

Hint:

  • security.evtx
  • event id: 4720
  • scrape user creation from Registry - SAM Hive
  • from the SAM registry 61006e00 = 2021-07-27 20:35:12 UTC

We cant remember which answer worked, as the result became obfuscated:

Answer:

2021-12-28 06:57:23 UTC
or
2021-07-27 20:35:12 UTC

7 What is the user mhasan password hint?

Hint:

  • Registry - SAM Hive

Answer:

https://www.linkedin.com/in/0xmohamedhasan/

8 What is the version of the VMware product installed on the machine?

Hint:

  • Registry - Software Hive

Answer:

6.7.0.40322

9 What is the version of the log4j library used by the installed VMware product?

Answer:

2.11.2

10 What is the log4j library log level specified in the configuration file?

Answer:

info

11 The attacker exploited log4shell through an HTTP login request. What is the HTTP header used to inject payload?

Answer:

x-forward-for

not sure about this one, surely the header is x-forwarded-for

12 The attacker used the log4shell.huntress.com payload to detect if vcenter instance is vulnerable. What is the first link of the log4huntress payload?

Hint:

  • C:\ProgramData\VMware\VCenterServer\runtime\VmwareServiceSTS\logs\

Answer:

log4shell.huntress.com:1389/b1292f3c-a652-4240-8fb4-59c43141f55a

13 When was the first successful login to vsphere WebClient?

  • audit_events.log

Answer:

28/12/2021 20:39:29 UTC

14 What is the attacker’s IP address?

powershell logs - reverse payload

192.168.112.128

15 What is the port the attacker used to receive the cobalt strike reverse shell?

Hint:

  • Powershell event logs
  • Administrator PS ReadLine history
  • Cyberchef
  • mandiant’s speakeasy

speakeasy

Answer:

1337

16 What is the script name published by VMware to mitigate log4shell vulnerability?

Hint:

Answer:

vc_log4j_mitigator.py

17 In some cases, you may not be able to update the products used in your network. What is the system property needed to set to ‘true’ to work around the log4shell vulnerability?

Answer:

log4j2.formatMsgNoLookups

18 What is the log4j version which contains a patch to CVE-2021-44228?

Hint:

  • Google Fu

Answer:

2.15.0

19 Removing JNDIlookup.class may help in mitigating log4shell. What is the sha256 hash of the JNDILookup.class?

Answer:

0F038A1E0AA0AFF76D66D1440C88A2B35A3D023AD8B2E3BAC8E25A3208499F7E

20 Analyze JNDILookup.class. What is the value stored in the CONTAINER_JNDI_RESOURCE_PATH_PREFIX variable?

Answer:

java:comp/env/

21 To gain some persistence the attacker dropped a malicious exe file. What is the malicious executable name?

Hint:

  • Registry
  • Run keys
  • User Hive
  • NTUSER.DAT

Answer:

baaaackdooor.exe

22 When was the first submission of ransomware to virustotal?

Answer:

2021-12-11 22:57:01

23 The ransomware downloads a text file from an external server. What is the key used to decrypt the URL?

Hint:

  • use ilspy to RE the .NET malware

ilspy

Answer:

GoaahQrc

24 What is the ISP that owns that IP that serves the text file?

Hint:

  • whois 3.145.115.94

Answer:

Amazon

25 The ransomware check for extensions to exclude them from the encryption process. What is the second extension the ransomware checks for?

Hints:

  • Use ilspy
  • 67 1d 2f 2e ^ ItAGEocK

ilspy 2

Answer:

ini

Tools

  • FTK Imager
  • Regripper
  • ilSpy
  • Mandiant’s Speakeasy
  • CyberChef
  • JAD (Java Decompiler)
  • Eventviewer

Share on: