BTLO - Bruteforce
Challenge: https://blueteamlabs.online/home/challenge/bruteforce-16629bf9a2
:::spoiler TOC
[TOC]
:::
Scenario
Can you analyze logs from an attempted RDP bruteforce attack?
One of our system administrators identified a large number of Audit Failure events in the Windows Security Event log.
There are a number of different ways to approach the analysis of these logs! Consider the suggested tools, but there are many others out there!
==Q1==
How many Audit Failure events are there? (Format: Count of Events)
Recon
Just filter on Event ID 4625 in Timeline Explorer.
Exploit
:::spoiler Flag
Flag: 3103
:::
==Q2==
What is the username of the local account that is being targeted? (Format: Username)
Recon
Look directly at the Account Name fields in ./BTLO_Bruteforce_Challenge.txt; in total there are:
- administrator
- BTLO
- EC2AMAZ-UUEMPAU$
- SYSTEM
:::spoiler Flag
Flag: administrator
:::
==Q3==
What is the failure reason related to the Audit Failure logs? (Format: String)
Recon
Look directly at the Failure Reason in ./BTLO_Bruteforce_Challenge.txt:
Failure Reason: Unknown user name or bad password.
:::spoiler Flag
Flag: Unknown user name or bad password.
:::
==Q4==
What is the Windows Event ID associated with these logon failures? (Format: ID)
Recon
I thought this was a trick question, but it is still 4625.
:::spoiler Flag
Flag: 4625
:::
==Q5==
What is the source IP conducting this attack? (Format: X.X.X.X)
Recon
Look directly at the Source Network Address in ./BTLO_Bruteforce_Challenge.txt:
Source Network Address: 113.161.192.227
:::spoiler Flag
Flag: 113.161.192.227
:::
==Q6==
What country is this IP address associated with? (Format: Country)
Recon
Look up that IP directly; use whois to see the related details. The full query result can be seen here.
:::spoiler Flag
Flag: Vietnam
:::
==Q7==
What is the range of source ports that were used by the attacker to make these login requests? (LowestPort-HighestPort - Ex: 100-541)
Recon
Write a simple script:

```shell
$ grep "Source Port:" BTLO_Bruteforce_Challenge.txt > Extracted_port.txt
```

```python
import re

# Pull the numeric port from each "Source Port:" line. Events with no source
# port ("-") are skipped, and ports are compared as integers, not as strings
# (string comparison only happens to work here because every port has 5 digits).
with open('./Extracted_port.txt') as fh:
    ports = [int(m.group(1)) for m in map(re.compile(r'Source Port:\s*(\d+)').search, fh) if m]

print(f'Min: {min(ports)}, Max: {max(ports)}')
```
:::spoiler Flag
Flag: 49162-65534
:::
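As an added example (not part of the original writeup), one parser that answers Q1, Q2, Q3, Q5 and Q7 in a single pass over the exported text instead of grepping one field at a time. It assumes the standard layout of a 4625 "An account failed to log on." message (the sample below is constructed in that layout, not the real challenge file) and shows why the raw "Account Name" grep in Q2 also returned SYSTEM and the machine account: every 4625 event carries a Subject account as well as the account that actually failed.

```python
import re
from collections import Counter
# Constructed sample in the layout of a Windows Security 4625 text export (the
# real challenge file is not reproduced). Each event carries two "Account Name"
# fields: the Subject (SYSTEM / machine account) and the account that failed.
EVENT_TEMPLATE = """An account failed to log on.
Subject:
\tSecurity ID:\t\tSYSTEM
\tAccount Name:\t\tEC2AMAZ-UUEMPAU$
Logon Type:\t\t\t3
Account For Which Logon Failed:
\tSecurity ID:\t\tNULL SID
\tAccount Name:\t\t{target}
Failure Information:
\tFailure Reason:\t\tUnknown user name or bad password.
Network Information:
\tSource Network Address:\t{ip}
\tSource Port:\t\t{port}
"""
SAMPLE_LOG = "".join(EVENT_TEMPLATE.format(target=t, ip=i, port=p) for t, i, p in [
    ("administrator", "113.161.192.227", "49162"),
    ("administrator", "113.161.192.227", "65534"),
    ("BTLO", "-", "-"),  # local failure, no network source or port
])
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+):[ \t]*(.*?)[ \t]*$", re.M)

def parse_events(text):
    """Split the export on the 4625 message line; the last 'Account Name' in
    each event is the targeted account (the first is the Subject)."""
    events = []
    for chunk in text.split("An account failed to log on.")[1:]:
        fields = FIELD_RE.findall(chunk)
        event = dict(fields)
        event["target"] = ([v for k, v in fields if k == "Account Name"] or [""])[-1]
        events.append(event)
    return events

def summarize(events):
    """Count, targets, failure reasons, source IPs and numeric port range."""
    ports = [int(e["Source Port"]) for e in events if e.get("Source Port", "").isdigit()]
    return {
        "count": len(events),
        "targets": Counter(e["target"] for e in events),
        "reasons": Counter(e.get("Failure Reason", "") for e in events),
        "source_ips": Counter(e.get("Source Network Address", "") for e in events),
        "port_range": (min(ports), max(ports)) if ports else None,
    }

if __name__ == "__main__":
    print(summarize(parse_events(SAMPLE_LOG)))
```

Point it at the real export by replacing SAMPLE_LOG with the file contents; the port range and target counts then come straight from the summary rather than from a lexicographic min/max on strings.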