CyberDefender - MrRobot - Target 2

• Challenge: https://cyberdefenders.org/blueteam-ctf-challenges/88
• Target 1
• POS
• Lecture Video: 2022/06/29 藍隊安全系列課程 04
• Volatility - Cheat Sheet

Background

Lab - Target 2

起手式

1 2 3 4 5 6 7 8 9 10 11 12

$ volatility_2.6_win64_standalone.exe -f memory.dmp imageinfo Volatility Foundation Volatility Framework 2.6 INFO : volatility.debug : Determining profile based on KDBG search... Suggested Profile(s) : Win7SP1x86_23418, Win7SP0x86, Win7SP1x86 (Instantiated with WinXPSP2x86) AS Layer1 : IA32PagedMemoryPae (Kernel AS) AS Layer2 : WindowsCrashDumpSpace32 (Unnamed AS) AS Layer3 : FileAddressSpace (D:\NTU\CTF\CyberDefenders\c69-Grrcon2015\target2\memory.dmp) PAE type : PAE DTB : 0x3ed36260L KUSER_SHARED_DATA : 0xffdf0000L Image date and time : 2015-10-09 12:53:12 UTC+0000 Image local date and time : 2015-10-09 08:53:12 -0400

重要資訊System Name: Win7SP0x86

Q16

It appears the attacker moved latterly from the front desk machine to the security admins (Gideon) machine and dumped the passwords. What is Gideon’s password?

Recon

根據題目的敘述，我首先會想看他的console，看他有甚麼樣的檔案或是process上的操作，果不其然他有使用到前面提到的wce.exe工具，並且他把結果存在某一個檔案中，接下來就是把檔案dump出來，看裡面的內容這樣

Exploit

1 2 3 4 5 6 7 8 9 10 11 12

$ volatility_2.6_win64_standalone.exe -f memory.dmp --profile Win7SP0x86 consoles > .\output\consoles.txt $ volatility_2.6_win64_standalone.exe -f memory.dmp --profile Win7SP0x86 filescan | findstr w.tmp Volatility Foundation Volatility Framework 2.6 0x000000003fcf2798 8 0 -W-r-- \Device\HarddiskVolume2\Users\gideon\w.tmp $ volatility_2.6_win64_standalone.exe -f memory.dmp --profile Win7SP0x86 dumpfiles -n -D .\output -Q 0x000000003fcf2798 Volatility Foundation Volatility Framework 2.6 DataSectionObject 0x3fcf2798 None \Device\HarddiskVolume2\Users\gideon\w.tmp $ strings file.None.0x85a35da0.w.tmp.dat WCE v1.42beta (Windows Credentials Editor) - (c) 2010-2013 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com) Use -h for help. gideon\ALLSAFECYBERSEC:t76fRJhS GIDEON-PC$\ALLSAFECYBERSEC:s9O3t%sd1q>:u5Za8Xrx_3Eg;(\qapu<"Rn$#QQJlsD m#;z2hbJkr*tLe>0)F[S)'USh3BKJILn3-?vt]q=s-Cp.ws9wVik[]5?#F\*l/J19+`PYco:au;T

Flag: t76fRJhS

Q17

Once the attacker gained access to “Gideon,” they pivoted to the AllSafeCyberSec domain controller to steal files. It appears they were successful. What password did they use?

Background

rar.exe的使用方法

-HP ：帶文件頭加密，更安全，沒有密碼無法查看里面的文件列表

Recon

題目敘述提到的狀況可以從console中看出來，可以看到他先把c槽掛在自己的z槽上面(這可能需要一點AD的概念才會比較清楚，可以看之前寫的NTUSTISC - AD Note - Lab(SMB遠端讀寫))，然後把一個rar.exe丟到對方的c槽底下(z:\crownjewels)，接著把所有東西(.txt)都壓縮，而如果知道rar.exe中-hp的意思就知道他後面帶的東西是壓縮的密碼也就是本題的答案

Exploit

Flag: 123qwe!@#

Q18

What was the name of the RAR file created by the attackers?

Recon

這一題意外的超簡單，就看console中的內容就知道壓縮的檔案名稱是啥了

Exploit

Flag: crownjewlez.rar

Q19

How many files did the attacker add to the RAR archive?

Background

Recon

這一題比較複雜，因為如果單看console中的內容會發現dump出來的部分不完全，所以可以把這一個console的process memory dump出來，然後查看裡面的內容

Exploit

1 2 3 4 5 6

$ volatility_2.6_win64_standalone.exe -f memory.dmp --profile Win7SP0x86 memdump --pid 3048 -D .\output\ # 按照之前的console查詢結果，可以知道pid是3048 $ strings -el 3048.dmp > 3048.txt $ strings 3048.txt | grep '\crownjewels\'| grep ".txt" \crownjewels\SecretSauce2.txt \crownjewels\SecretSauce1.txt \crownjewels\SecretSauce3.txt

1. 記得要把dump出來的memory轉換成16-bits little endian才能看到完整的可視內容
2. 然後如果看前面console的結果可以得知他是在crownjewels這個folder底下執行rar的壓縮，所以可以下grep的pipe command，可以知道只有三個.txt檔案

Flag: 3

Q20

The attacker appears to have created a scheduled task on Gideon’s machine. What is the name of the file associated with the scheduled task?

Background

• Windows 工作排程
• Windows 如何透過工作排程設定開機自動連線

Recon

看到scheduled task就要想到windows內建的task scheduler的功能，詳細的工具教學可以看上面的background，總之他新增的東西通常會放在Windows/System32/Tasks，所以我們可以直接用filescan搭配上述地址的關鍵自進行搜尋

Exploit

可以看到task大部分都是microsoft或是google update的東西，只有一個有點奇怪，應該就是這一題的access point

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30

$ volatility_2.6_win64_standalone.exe -f memory.dmp --profile Win7SP0x86 filescan | findstr \Windows\System32\Tasks\ Volatility Foundation Volatility Framework 2.6 ... 0x000000003fc399b8 8 0 R--r-d \Device\HarddiskVolume2\Windows\System32\Tasks\At1 ... $ volatility_2.6_win64_standalone.exe -f memory.dmp --profile Win7SP0x86 dumpfiles -n -Q 0x000000003fc399b8 -D .\output Volatility Foundation Volatility Framework 2.6 DataSectionObject 0x3fc399b8 None \Device\HarddiskVolume2\Windows\System32\Tasks\At1 $ cat file.None.0x85a86af0.At1.dat ��<?xml version="1.0" encoding="UTF-16"?> <Task version="1.0" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"> <RegistrationInfo /> <Triggers> <TimeTrigger> <StartBoundary>2015-10-09T08:00:00</StartBoundary> </TimeTrigger> </Triggers> <Principals> <Principal id="Author"> <UserId>@AtServiceAccount</UserId> <LogonType>InteractiveTokenOrPassword</LogonType> <RunLevel>HighestAvailable</RunLevel> </Principal> </Principals> <Actions Context="Author"> <Exec> <Command>c:\users\gideon\1.bat</Command> </Exec> </Actions> </Task>%

可以看到執行label寫說要執行c:\users\gideon\1.bat這個script

Flag: 1.bat

Reference

MrRobot Walkthrough — Cyberdefenders