CyberDefender - Hunter (Part 3)

Posted on 2024-01-31 | Post modified | In Security/Practice/CyberDefender/Endpoint Forensic/Hunter - Medium |

CyberDefender - Hunter (Part 3)

Challenge: https://cyberdefenders.org/blueteam-ctf-challenges/32 Part 1: https://hackmd.io/@SBK6401/By1BpZIf6 Part 2: https://hackmd.io/@SBK6401/HJlmeuwfT

:::spoiler TOC [TOC] :::

Tools

JLECmd

==Q21==

One of the installed applications is a file shredder. What is the name of the application? (two words space separated)

Recon

承接上一題，我們已經知道BCWipe就是題目要的答案，也就是類似file shredder的工具，但前面六個字還是沒有想法，看了一下外層資料夾才發現Jetico是啥東西啊，上網查才發現是提供各種data encryption/data wiping/endpoint data protection之類的公司，所以這一題的正確答案是Jetico BCWipe

:::spoiler Flag Flag: Jetico BCWipe :::

==Q22==

How many prefetch files were discovered on the system?

Recon

就只是到/root/Windows/Prefetch/中數有多少的.pf檔案(善用排序)

:::spoiler Flag Flag: 174 :::

==Q23==

How many times was the file shredder application executed?

Recon

我們已經知道file shredder就是BCWipe這個軟體，那我們如果要知道這個軟體的相關資訊可以直接看prefetch file(就像Part 1 - Q9一樣)

Exploit

從結果可以得知共執行五次 :::spoiler Result

$ ./PECmd.exe -f BCWIPE.EXE-36F3F2DF.pf
PECmd version 1.5.0.0

Author: Eric Zimmerman (saericzimmerman@gmail.com)
https://github.com/EricZimmerman/PECmd

Command line: -f BCWIPE.EXE-36F3F2DF.pf

Keywords: temp, tmp

Processing BCWIPE.EXE-36F3F2DF.pf

Created on: 2023-11-02 04:55:47
Modified on: 2016-06-21 12:02:45
Last accessed on: 2023-11-02 04:55:53

Executable name: BCWIPE.EXE
Hash: 36F3F2DF
File size (bytes): 72,524
Version: Windows 8.0, Windows 8.1, or Windows Server 2012(R2)

Run count: 5
Last run: 2016-06-21 12:02:35
Other run times: 2016-06-21 12:02:39, 2016-06-21 12:01:35, 2016-06-21 12:01:00, 2016-06-21 12:00:56

Volume information:

#0: Name: \DEVICE\HARDDISKVOLUME2 Serial: 669B1B2A Created: 2016-06-21 09:09:24 Directories: 14 File references: 84
#1: Name: \DEVICE\HARDDISKVOLUMESHADOWCOPY1 Serial: 669B1B2A Created: 2016-06-21 09:09:24 Directories: 0 File references: 0
#2: Name: \DEVICE\HARDDISKVOLUMESHADOWCOPY2 Serial: 669B1B2A Created: 2016-06-21 09:09:24 Directories: 0 File references: 0

Directories referenced: 14

\DEVICE\HARDDISKVOLUME2\$RECYCLE.BIN
\DEVICE\HARDDISKVOLUME2\$RECYCLE.BIN\S-1-5-21-2489440558-2754304563-710705792-1001
\DEVICE\HARDDISKVOLUME2\PROGRAM FILES (X86)
\DEVICE\HARDDISKVOLUME2\PROGRAM FILES (X86)\JETICO
\DEVICE\HARDDISKVOLUME2\PROGRAM FILES (X86)\JETICO\BCWIPE
\DEVICE\HARDDISKVOLUME2\PROGRAM FILES (X86)\JETICO\SHARED
\DEVICE\HARDDISKVOLUME2\WINDOWS
\DEVICE\HARDDISKVOLUME2\WINDOWS\FONTS
\DEVICE\HARDDISKVOLUME2\WINDOWS\GLOBALIZATION
\DEVICE\HARDDISKVOLUME2\WINDOWS\GLOBALIZATION\SORTING
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\EN-US
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSWOW64
\DEVICE\HARDDISKVOLUME2\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.9600.17031_NONE_A9EFDB8B01377EA7

Files referenced: 113

\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\NTDLL.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\WOW64.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\WOW64WIN.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\WOW64CPU.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\KERNEL32.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSWOW64\KERNEL32.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\USER32.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSWOW64\NTDLL.DLL
\DEVICE\HARDDISKVOLUME2\PROGRAM FILES (X86)\JETICO\BCWIPE\BCWIPE.EXE (Executable: True)
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSWOW64\KERNELBASE.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\LOCALE.NLS
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSWOW64\VERSION.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSWOW64\USER32.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSWOW64\GDI32.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSWOW64\COMDLG32.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSWOW64\ADVAPI32.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSWOW64\SHELL32.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSWOW64\MSVCRT.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSWOW64\SHLWAPI.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.9600.17031_NONE_A9EFDB8B01377EA7\COMCTL32.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSWOW64\SECHOST.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSWOW64\RPCRT4.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSWOW64\COMBASE.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSWOW64\SSPICLI.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSWOW64\SHCORE.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSWOW64\CRYPTBASE.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSWOW64\BCRYPTPRIMITIVES.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSWOW64\IMM32.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSWOW64\MSCTF.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\WINDOWSSHELL.MANIFEST
\DEVICE\HARDDISKVOLUME2\PROGRAM FILES (X86)\JETICO\SHARED\BCWIPE.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSWOW64\OLE32.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSWOW64\OLEAUT32.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSWOW64\SFC.DLL
\DEVICE\HARDDISKVOLUME2\PROGRAM FILES (X86)\JETICO\BCWIPE\LANGFILE2.DLL
\DEVICE\HARDDISKVOLUME2\PROGRAM FILES (X86)\JETICO\BCWIPE\LICENSE.TXT
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSWOW64\CRYPT32.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSWOW64\MSASN1.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSWOW64\WINTRUST.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSWOW64\CRYPTSP.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSWOW64\RSAENH.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSWOW64\BCRYPT.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\GLOBALIZATION\SORTING\SORTDEFAULT.NLS
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSWOW64\IMAGEHLP.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\EN-US\CRYPT32.DLL.MUI
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSWOW64\NCRYPT.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSWOW64\NTASN1.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSWOW64\GPAPI.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSWOW64\PROFAPI.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSWOW64\NTMARTA.DLL
\DEVICE\HARDDISKVOLUME2\$RECYCLE.BIN\S-1-5-21-2489440558-2754304563-710705792-1001\DESKTOP.INI
\DEVICE\HARDDISKVOLUME2\$RECYCLE.BIN\S-1-5-21-2489440558-2754304563-710705792-1001\$IJJWGAC
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSWOW64\UXTHEME.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSWOW64\SETUPAPI.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSWOW64\CFGMGR32.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\EN-US\SETUPAPI.DLL.MUI
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSWOW64\DWMAPI.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\EN-US\USER32.DLL.MUI
\DEVICE\HARDDISKVOLUME2\WINDOWS\FONTS\STATICCACHE.DAT
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSWOW64\KERNEL.APPCORE.DLL
\DEVICE\HARDDISKVOLUME2\PROGRAM FILES (X86)\JETICO\SHARED\BCWIPELIB2.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSWOW64\FLTLIB.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSWOW64\PSAPI.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSWOW64\NETAPI32.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSWOW64\MPR.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSWOW64\NETUTILS.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSWOW64\SRVCLI.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSWOW64\WKSCLI.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSWOW64\PROPSYS.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSWOW64\CLBCATQ.DLL
\DEVICE\HARDDISKVOLUME2\PROGRAMDATA\MICROSOFT\WINDOWS\CACHES\CVERSIONS.2.DB
\DEVICE\HARDDISKVOLUME2\PROGRAMDATA\MICROSOFT\WINDOWS\CACHES\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.VER0X0000000000000004.DB
\DEVICE\HARDDISKVOLUME2\PROGRAMDATA\MICROSOFT\WINDOWS\CACHES\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.VER0X0000000000000002.DB
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\EN-US\PROPSYS.DLL.MUI
\DEVICE\HARDDISKVOLUME2\USERS\HUNTER\DESKTOP\DESKTOP.INI
\DEVICE\HARDDISKVOLUME2\USERS\HUNTER\DOCUMENTS\DESKTOP.INI
\DEVICE\HARDDISKVOLUME2\USERS\HUNTER\MUSIC\DESKTOP.INI
\DEVICE\HARDDISKVOLUME2\USERS\HUNTER\PICTURES\DESKTOP.INI
\DEVICE\HARDDISKVOLUME2\USERS\HUNTER\VIDEOS\DESKTOP.INI
\DEVICE\HARDDISKVOLUME2\USERS\HUNTER\DOWNLOADS\DESKTOP.INI
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSWOW64\URLMON.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSWOW64\IERTUTIL.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSWOW64\WININET.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSWOW64\USERENV.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSWOW64\SECUR32.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSWOW64\PCACLI.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSWOW64\APPHELP.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSWOW64\SFC_OS.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSWOW64\DEVRTL.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSWOW64\WBEM\WBEMPROX.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSWOW64\WS2_32.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSWOW64\WBEMCOMN.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSWOW64\NSI.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSWOW64\WBEM\WBEMSVC.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSWOW64\WBEM\FASTPROX.DLL
\DEVICE\HARDDISKVOLUME2\$MFT
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSWOW64\VSSAPI.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSWOW64\VSSTRACE.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSWOW64\DSROLE.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSWOW64\BCD.DLL
\DEVICE\HARDDISKVOLUME2\USERS\HUNTER\APPDATA\LOCAL\TEMP\BCS576923DD.TMP (Keyword: True)
\DEVICE\HARDDISKVOLUMESHADOWCOPY1\$MFT
\DEVICE\HARDDISKVOLUMESHADOWCOPY2\$MFT
\DEVICE\HARDDISKVOLUME2\$RECYCLE.BIN\S-1-5-21-2489440558-2754304563-710705792-1001\$RJJWGAC\VKORPPVHKXUVQCVJ
\DEVICE\HARDDISKVOLUME2\$RECYCLE.BIN\S-1-5-21-2489440558-2754304563-710705792-1001\SHATBBMS.DIF:???
\DEVICE\HARDDISKVOLUME2\~BCWIPE.TMP\BCW-DIR-NODES\DIR1:??? (Keyword: True)
\DEVICE\HARDDISKVOLUME2\~BCWIPE.TMP\BCW-DIR-NODES\DIR2:??? (Keyword: True)
\DEVICE\HARDDISKVOLUME2\USERS\HUNTER:???
\DEVICE\HARDDISKVOLUME2\$RECYCLE.BIN\C7A6090EE:???
\DEVICE\HARDDISKVOLUME2\WINDOWS\APPPATCH\SYSMAIN.SDB
\DEVICE\HARDDISKVOLUME2\USERS\HUNTER\APPDATA\LOCAL\TEMP\S64_5762C6FA.TMP (Keyword: True)
\DEVICE\HARDDISKVOLUME2\USERS\HUNTER\APPDATA\LOCAL\MICROSOFT\WINDOWS\CACHES\CVERSIONS.1.DB
\DEVICE\HARDDISKVOLUME2\USERS\HUNTER\APPDATA\LOCAL\MICROSOFT\WINDOWS\CACHES\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.VER0X0000000000000002.DB


---------- Processed BCWIPE.EXE-36F3F2DF.pf in 0.07580980 seconds ----------

::: :::spoiler Flag Flag: 5 :::

==Q24==

Using prefetch, determine when was the last time ZENMAP.EXE-56B17C4C.pf was executed?

Recon

直接看Part 1 - Q9的輸出結果就好了

:::spoiler Flag Flag: 06/21/2016 12:08:13 PM :::

==Q25==

A JAR file for an offensive traffic manipulation tool was executed. What is the absolute path of the file?

Recon

通常直覺會是到program file去看一下，不過有時候載下來的軟體可能是portable version，所以我也到downloads去看，發現唯一一個jar file就是burpsuite

:::spoiler Flag Flag: C:\Users\Hunter\Downloads\burpsuite_free_v1.7.03.jar :::

==Q26==

The suspect employee tried to exfiltrate data by sending it as an email attachment. What is the name of the suspected attachment?

Recon

用pst viewer瀏覽一下信件就知道了

:::spoiler Flag Flag: Pictures.7z :::

==Q27==

Shellbags shows that the employee created a folder to include all the data he will exfiltrate. What is the full path of that folder?

Recon

看一下pictures裡面的資料夾很明顯的Exfil就是我們的目標

:::spoiler Flag Flag: C:\Users\Hunter\Pictures\Exfil :::

==Q28==

The user deleted two JPG files from the system and moved them to $Recycle-Bin. What is the file name that has the resolution of 1920x1200?

Recon

這應該是嘗試，如果刪除檔案會直接丟到recycle bin，所以可以直接到這邊去撈，不過從recycle bin撈到的檔案貌似損毀，紙看到應該是貓貓的耳朵

所以可以查看一下原圖是甚麼，我是直接從Pictures裡面的private中撈檔案剛好檔案大小誠如題目所述

:::spoiler Flag Flag: ws_Small_cute_kitty_1920x1200.jpg :::

==Q29==

Provide the name of the directory where information about jump lists items (created automatically by the system) is stored?

Background

ChatGPT

甚麼是windows jump list

Windows Jump List（視窗跳躍清單）是微軟Windows操作系統的一個功能，它允許用戶在任務欄或開始菜單中快速訪問最近使用的文件或網站。 Jump List通常包含以下元素：

最近打開的文件：這些是您最近打開的文件或應用程序，讓您可以快速重新訪問它們。

固定的項目：您可以將特定文件或應用程序釘選到Jump List中，以便隨時方便訪問。

一些應用程序還可以自定義Jump List，提供特定功能或快速操作的選項。 Jump List通常會顯示在相應應用程序的任務欄圖標上，並提供一個方便的方式來訪問最近的活動。

請注意，某些應用程序可能會選擇不支持Jump List功能，這取決於開發人員的實現方式。

Recon

我直接問ChatGPT後得到以下回答:

The directory where information about jump list items (created automatically by the system) is stored in Windows is:
1
%APPDATA%\Microsoft\Windows\Recent\AutomaticDestinations
This directory contains files that store information about recently accessed items and is used by the Jump List feature in Windows. Each file corresponds to a specific application or taskbar icon. Please note that these files are in a binary format and are not meant to be manually modified.

:::spoiler Flag Flag: AutomaticDestinations :::

==Q30==

Using JUMP LIST analysis, provide the full path of the application with the AppID of “aa28770954eaeaaa” used to bypass network security monitoring controls.

Recon

該用到新工具的時候了，下載JLECmd後可以直接查看.ms file，就是我們上一題找到的地方，在Recent/CustomDestinations的地方有這一題著重探到的aa28770954eaeaaa，export出來之後就可以開始分析

Exploit

$ ./JLECmd.exe -f aa28770954eaeaaa.customDestinations-ms
JLECmd version 1.5.0.0

Author: Eric Zimmerman (saericzimmerman@gmail.com)
https://github.com/EricZimmerman/JLECmd

Command line: -f aa28770954eaeaaa.customDestinations-ms

Processing D:\Software\CTF\Misc\JLECmd\aa28770954eaeaaa.customDestinations-ms

Source file: D:\Software\CTF\Misc\JLECmd\aa28770954eaeaaa.customDestinations-ms

--- AppId information ---
AppID: aa28770954eaeaaa, Description: null
--- DestList information ---
  Entries:  1

  Entry #: 0, lnk count: 3 Rank: 1.4013E-45

--- Lnk #0 information ---
  Lnk target created:  2000-01-01 00:00:00
  Lnk target modified: 2000-01-01 00:00:00
  Lnk target accessed: 2016-06-21 10:51:23

  Absolute path: Tor Browser\Browser\firefox.exe

--- Lnk #1 information ---
  Lnk target created:  2000-01-01 00:00:00
  Lnk target modified: 2000-01-01 00:00:00
  Lnk target accessed: 2016-06-21 10:51:23

  Absolute path: Tor Browser\Browser\firefox.exe

--- Lnk #2 information ---
  Lnk target created:  2000-01-01 00:00:00
  Lnk target modified: 2000-01-01 00:00:00
  Lnk target accessed: 2016-06-21 10:51:23

  Absolute path: Tor Browser\Browser\firefox.exe



---------- Processed D:\Software\CTF\Misc\JLECmd\aa28770954eaeaaa.customDestinations-ms in 0.27381430 seconds ----------

我們到了jump list的absolute path之後就可以回去翻他在哪邊，原來是在desktop

:::spoiler Flag Flag: C:\Users\Hunter\Desktop\Tor Browser\Browser\firefox.exe :::

Reference

Cyberdefenders.org Hunter Walkthrough

Post author: SBK6401
Post link: https://bernie6401.github.io/security/practice/cyberdefender/endpoint%20forensic/hunter%20-%20medium/2024/01/31/CyberDefender-Hunter-(Part-3)/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.