NTUSTISC - CyberDefender - MrRobot - Target 1

Challenge: https://cyberdefenders.org/blueteam-ctf-challenges/88
Target 2: https://hackmd.io/@SBK6401/HJz2FPne6
POS: https://hackmd.io/@SBK6401/BJpJqDhlp

Lecture video: 2022/06/29 Blue Team Security Course 04 Volatility - Cheat Sheet

Background

  • vmss2core: after downloading the challenge you get some .vmss files, so you also need to download vmss2core.exe. A .vmss file is a VMware snapshot in VMware's own format, and this tool converts the snapshot into a memory dump.

    :::spoiler Execution Result
    ```
    $ vmss2core-sb-8456865.exe -W .\c69-Grrcon2015\pos01\POS-01-c4e8f786.vmss
    vmss2core version 8456865 Copyright (C) 1998-2017 VMware, Inc. All rights reserved.
    ... 10 MBs written.
    ... 20 MBs written.
    ... 30 MBs written.
    ...
    ... 1020 MBs written.
    Finished writing core.
    ```
    :::

  • Volatility3: for installation just follow the video. I recommend using the Windows portable exe directly; it is more convenient and more stable, and you don't have to worry about the Python environment.

Lab - Target 1

Getting started

```
$ python vol.py -f memory.dmp imageinfo
Volatility Foundation Volatility Framework 2.6.1
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x86_23418, Win7SP0x86, Win7SP1x86_24000, Win7SP1x86 (Instantiated with WinXPSP2x86)
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : WindowsCrashDumpSpace32 (Unnamed AS)
                     AS Layer3 : FileAddressSpace (D:\Downloads\Trash\CyberDefenders\c69-Grrcon2015\target1\memory.dmp)
                      PAE type : PAE
                           DTB : 0x3ecc3260L
             KUSER_SHARED_DATA : 0xffdf0000L
           Image date and time : 2015-10-09 12:53:02 UTC+0000
     Image local date and time : 2015-10-09 08:53:02 -0400
```

Key info: System Name: Win7SP0x86

==Q1==

What email address tricked the front desk employee into installing a security update?

Recon

Since we need to find an email address, there are two lines of thought: one is to look directly for files that carry strings common in emails, such as "From:"; the other is to check which of the previously executed processes are related to email. This question mainly follows the first approach:

Exploit

```
$ volatility_2.6_win64_standalone.exe -f memory.dmp --profile Win7SP0x86 yarascan -Y "From:"
Volatility Foundation Volatility Framework 2.6
Rule: r1
Owner: Process OUTLOOK.EXE Pid 3196
0x086dffe1  46 72 6f 6d 3a 20 54 68 65 20 57 68 69 74 33 52   From:.The.Whit3R
0x086dfff1  30 73 33 20 3c 74 68 33 77 68 31 74 33 72 30 73   0s3.<th3wh1t3r0s
0x086e0001  33 40 67 6d 61 69 6c 2e 63 6f 6d 3e 0d 0a 54 6f   3@gmail.com>..To
0x086e0011  3a 20 3c 66 72 6f 6e 74 64 65 73 6b 40 61 6c 6c   :.<frontdesk@all
0x086e0021  73 61 66 65 63 79 62 65 72 73 65 63 2e 63 6f 6d   safecybersec.com
0x086e0031  3e 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a   >..Content-Type:
0x086e0041  20 6d 75 6c 74 69 70 61 72 74 2f 61 6c 74 65 72   .multipart/alter
0x086e0051  6e 61 74 69 76 65 3b 20 62 6f 75 6e 64 61 72 79   native;.boundary
0x086e0061  3d 22 30 30 31 61 31 31 33 34 33 32 37 38 62 64   ="001a11343278bd
0x086e0071  61 30 64 36 30 35 32 31 61 36 31 65 39 35 22 0d   a0d60521a61e95".
0x086e0081  0a 52 65 74 75 72 6e 2d 50 61 74 68 3a 20 74 68   .Return-Path:.th
0x086e0091  33 77 68 31 74 33 72 30 73 33 40 67 6d 61 69 6c   3wh1t3r0s3@gmail
0x086e00a1  2e 63 6f 6d 0d 0a 58 2d 4d 53 2d 45 78 63 68 61   .com..X-MS-Excha
0x086e00b1  6e 67 65 2d 4f 72 67 61 6e 69 7a 61 74 69 6f 6e   nge-Organization
0x086e00c1  2d 4e 65 74 77 6f 72 6b 2d 4d 65 73 73 61 67 65   -Network-Message
0x086e00d1  2d 49 64 3a 20 34 35 35 36 64 33 61 34 2d 33 38   -Id:.4556d3a4-38
```

:::spoiler Flag
Flag: th3wh1t3r0s3@gmail.com
:::
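As an added example (not part of the original write-up), here is a small Python parser that reassembles the yarascan hex dump above into bytes and pulls the mail headers out of it, so the sender and recipient can be read off instead of being spelled out from the ASCII column. The sample input is the hit shown above, embedded as a constructed string.

```python
import re

# Constructed sample: the yarascan hit from the write-up above, copied verbatim.
SAMPLE_YARASCAN = """\
Rule: r1
Owner: Process OUTLOOK.EXE Pid 3196
0x086dffe1  46 72 6f 6d 3a 20 54 68 65 20 57 68 69 74 33 52   From:.The.Whit3R
0x086dfff1  30 73 33 20 3c 74 68 33 77 68 31 74 33 72 30 73   0s3.<th3wh1t3r0s
0x086e0001  33 40 67 6d 61 69 6c 2e 63 6f 6d 3e 0d 0a 54 6f   3@gmail.com>..To
0x086e0011  3a 20 3c 66 72 6f 6e 74 64 65 73 6b 40 61 6c 6c   :.<frontdesk@all
0x086e0021  73 61 66 65 63 79 62 65 72 73 65 63 2e 63 6f 6d   safecybersec.com
0x086e0031  3e 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a   >..Content-Type:
0x086e0041  20 6d 75 6c 74 69 70 61 72 74 2f 61 6c 74 65 72   .multipart/alter
0x086e0051  6e 61 74 69 76 65 3b 20 62 6f 75 6e 64 61 72 79   native;.boundary
0x086e0061  3d 22 30 30 31 61 31 31 33 34 33 32 37 38 62 64   ="001a11343278bd
0x086e0071  61 30 64 36 30 35 32 31 61 36 31 65 39 35 22 0d   a0d60521a61e95".
0x086e0081  0a 52 65 74 75 72 6e 2d 50 61 74 68 3a 20 74 68   .Return-Path:.th
0x086e0091  33 77 68 31 74 33 72 30 73 33 40 67 6d 61 69 6c   3wh1t3r0s3@gmail
0x086e00a1  2e 63 6f 6d 0d 0a 58 2d 4d 53 2d 45 78 63 68 61   .com..X-MS-Excha
0x086e00b1  6e 67 65 2d 4f 72 67 61 6e 69 7a 61 74 69 6f 6e   nge-Organization
"""

_OWNER_RE = re.compile(r"^Owner: Process (\S+) Pid (\d+)")
# Address, then 1..16 hex byte pairs separated by single spaces, then the
# 2+ space gap that precedes the ASCII column (the ASCII column is ignored).
_HEX_RE = re.compile(r"^0x[0-9a-fA-F]+\s+((?:[0-9a-fA-F]{2} ){0,15}[0-9a-fA-F]{2})\s{2,}")


def parse_yarascan(text):
    """Group yarascan output into hits: one dict per 'Owner:' block holding the
    owning process, its PID and the reassembled raw bytes of the hex dump."""
    hits = []
    for line in text.splitlines():
        line = line.strip()
        m = _OWNER_RE.match(line)
        if m:
            hits.append({"owner": m.group(1), "pid": int(m.group(2)), "data": b""})
            continue
        m = _HEX_RE.match(line)
        if m and hits:
            hits[-1]["data"] += bytes.fromhex(m.group(1))   # fromhex ignores the spaces
    return hits


def mail_headers(data):
    """Return the first value of each 'Name: value' header line found in the bytes."""
    headers = {}
    text = data.decode("latin-1").replace("\r\n", "\n")
    for line in text.split("\n"):
        m = re.match(r"^([\w-]+):\s*(.*)$", line)
        if m and m.group(1) not in headers:
            headers[m.group(1)] = m.group(2).strip()
    return headers


def sender_address(headers):
    """Bare address from the From: header, falling back to Return-Path:."""
    for name in ("From", "Return-Path"):
        m = re.search(r"[\w.+-]+@[\w.-]+", headers.get(name, ""))
        if m:
            return m.group(0)
    return None


if __name__ == "__main__":
    for hit in parse_yarascan(SAMPLE_YARASCAN):
        h = mail_headers(hit["data"])
        print(hit["owner"], hit["pid"], sender_address(h), "->", h.get("To"))
```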

==Q2==

What is the filename that was delivered in the email?

Recon

This question again looks for email-related content. The hint says it is an executable, so the main idea is to dump the memory of the process found above, analyze it, and run a string search for anything containing .exe.

Exploit

  1. First, list the processes that were running. Command: `python vol.py -f ..\memory.dmp --profile Win7SP0x86 pslist`

     :::spoiler Command Result
     ```
     $ python vol.py -f ..\memory.dmp --profile Win7SP0x86 pslist
     Volatility Foundation Volatility Framework 2.6.1
     Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
     ---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
     0x83d334e8 System                    4      0     94      500 ------      0 2015-10-09 11:30:44 UTC+0000
     0x84edcbf0 smss.exe                276      4      2       30 ------      0 2015-10-09 11:30:44 UTC+0000
     0x84ecbb18 csrss.exe               368    360      9      366      0      0 2015-10-09 11:30:47 UTC+0000
     0x84f97628 wininit.exe             420    360      3       77      0      0 2015-10-09 11:30:48 UTC+0000
     0x855f6d40 csrss.exe               432    412     11      366      1      0 2015-10-09 11:30:48 UTC+0000
     0x8561d030 winlogon.exe            480    412      3      115      1      0 2015-10-09 11:30:48 UTC+0000
     0x84e979f8 services.exe            528    420      9      200      0      0 2015-10-09 11:30:48 UTC+0000
     0x8583b030 lsass.exe               536    420      9      851      0      0 2015-10-09 11:30:48 UTC+0000
     0x8583d960 lsm.exe                 544    420     10      163      0      0 2015-10-09 11:30:48 UTC+0000
     0x8586fd40 svchost.exe             644    528     11      351      0      0 2015-10-09 11:30:48 UTC+0000
     0x84e01448 svchost.exe             720    528      6      276      0      0 2015-10-09 11:30:50 UTC+0000
     0x85935030 svchost.exe             796    528     19      446      0      0 2015-10-09 11:30:51 UTC+0000
     0x85969030 svchost.exe             836    528     17      405      0      0 2015-10-09 11:30:52 UTC+0000
     0x85978940 svchost.exe             864    528     30     1036      0      0 2015-10-09 11:30:52 UTC+0000
     0x859cc2c0 svchost.exe            1008    528     13      650      0      0 2015-10-09 11:30:52 UTC+0000
     0x85a138f0 svchost.exe            1124    528     16      484      0      0 2015-10-09 11:30:53 UTC+0000
     0x8582c8d8 spoolsv.exe            1228    528     12      273      0      0 2015-10-09 11:30:53 UTC+0000
     0x85a55d40 svchost.exe            1256    528     17      304      0      0 2015-10-09 11:30:53 UTC+0000
     0x85ae3030 vmtoolsd.exe           1432    528      8      274      0      0 2015-10-09 11:30:54 UTC+0000
     0x85976318 svchost.exe            1784    528      5       99      0      0 2015-10-09 11:30:54 UTC+0000
     0x85ae0cb0 dllhost.exe            1888    528     13      196      0      0 2015-10-09 11:30:54 UTC+0000
     0x858b69e8 msdtc.exe              1980    528     12      145      0      0 2015-10-09 11:30:55 UTC+0000
     0x85c09968 dwm.exe                2088    836      3       93      1      0 2015-10-09 11:31:04 UTC+0000
     0x85c1e5f8 explorer.exe           2116   2060     23      912      1      0 2015-10-09 11:31:04 UTC+0000
     0x85c39030 taskhost.exe           2252    528      7      150      1      0 2015-10-09 11:31:04 UTC+0000
     0x859281f0 vmtoolsd.exe           2388   2116      7      164      1      0 2015-10-09 11:31:04 UTC+0000
     0x8598c920 SearchIndexer.         2544    528     13      670      0      0 2015-10-09 11:31:10 UTC+0000
     0x85d0d030 iexplore.exe           2996   2984      6      463      1      0 2015-10-09 11:31:27 UTC+0000
     0x85cd3d40 OUTLOOK.EXE            3196   2116     22     1678      1      0 2015-10-09 11:31:32 UTC+0000
     0x85d01510 svchost.exe            3232    528      9      131      0      0 2015-10-09 11:31:34 UTC+0000
     0x85b43a58 sppsvc.exe             3900    528      4      153      0      0 2015-10-09 11:32:54 UTC+0000
     0x83eb5d40 cmd.exe                2496   2116      1       22      1      0 2015-10-09 11:33:42 UTC+0000
     0x83e5cd40 conhost.exe             916    432      3       83      1      0 2015-10-09 11:33:42 UTC+0000
     0x83f105f0 cmd.exe                1856   2996      1       33      1      0 2015-10-09 11:35:15 UTC+0000
     0x83f13d40 conhost.exe            1624    432      3       81      1      0 2015-10-09 11:35:15 UTC+0000
     0x83fb86a8 cmd.exe                3064   2116      1       22      1      0 2015-10-09 11:37:32 UTC+0000
     0x83fa9030 conhost.exe             676    432      3       83      1      0 2015-10-09 11:37:32 UTC+0000
     0x83fb2d40 cmd.exe                3784   2196      1       24      1      0 2015-10-09 11:39:22 UTC+0000
     0x83fc7c08 conhost.exe            1824    432      3       85      1      0 2015-10-09 11:39:22 UTC+0000
     0x84013598 TeamViewer.exe         2680   1696     28      632      1      0 2015-10-09 12:08:46 UTC+0000
     0x84017d40 tv_w32.exe             4064   2680      2       83      1      0 2015-10-09 12:08:47 UTC+0000
     0x858bc278 TeamViewer_Des         1092   2680     16      405      1      0 2015-10-09 12:10:56 UTC+0000
     0x83f1ed40 mstsc.exe              2844   2116     11      484      1      0 2015-10-09 12:12:03 UTC+0000
     ```
     :::

     Key info: OUTLOOK.EXE -> PID -> ==3196==

  2. Dump the memory of the OUTLOOK.EXE process

     ```
     $ volatility_2.6_win64_standalone.exe -f memory.dmp --profile Win7SP0x86 memdump -p 3196 --dump-dir .\output\proc_dump_pid3196
     Volatility Foundation Volatility Framework 2.6
     ************************************************************************
     Writing OUTLOOK.EXE [  3196] to 3196.dmp
     ```

  3. String search for .exe

     ```
     $ strings 3196.dmp | grep "\.exe" > output.txt
     ```

     After repeated attempts, AnyConnectInstaller.exe turned out to be the final answer.

:::spoiler Flag
Flag: AnyConnectInstaller.exe
:::

==Q3==

What is the name of the rat’s family used by the attacker?

Background

In-depth investigation: large-scale RAT families in the real world

A Remote Access Trojan (RAT) is a mainstream class of malware that gives an attacker the ability to remotely monitor and control the victim's host.

Recon

This question asks for the name of the RAT family. From the previous question we know the victim machine downloaded a program from the email (AnyConnect.exe), so to find out which RAT family it belongs to we can look up its hash online or compare it against VirusTotal's database. Either way, the first step is to obtain a sample of the program.

Exploit

  1. Find the files whose names contain AnyConnect

     ```
     $ volatility_2.6_win64_standalone.exe -f memory.dmp --profile Win7SP0x86 filescan | findstr "AnyConnect"
     Volatility Foundation Volatility Framework 2.6
     0x000000003df12dd0      2      0 RW-rwd \Device\HarddiskVolume2\Users\anyconnect\AnyConnect\AnyConnectInstaller.exe
     0x000000003df1cf00      4      0 R--r-d \Device\HarddiskVolume2\Users\anyconnect\AnyConnect\AnyConnectInstaller.exe
     0x000000003e0bc5e0      7      0 R--r-d \Device\HarddiskVolume2\Users\frontdesk\Downloads\AnyConnectInstaller.exe
     0x000000003e2559b0      8      0 R--rwd \Device\HarddiskVolume2\Users\frontdesk\Downloads\AnyConnectInstaller.exe
     0x000000003e2ae8e0      8      0 RWD--- \Device\HarddiskVolume2\Users\anyconnect\AnyConnect\AnyConnectInstaller.exe
     0x000000003ed57968      4      0 R--r-d \Device\HarddiskVolume2\Users\frontdesk\Downloads\AnyConnectInstaller.exe
     ```

  2. Dump that file

     ```
     $ volatility_2.6_win64_standalone.exe -f memory.dmp --profile Win7SP0x86 dumpfiles -n -D .\output\dumpfiles -Q 0x000000003e0bc5e0
     Volatility Foundation Volatility Framework 2.6
     ImageSectionObject 0x3e0bc5e0   None   \Device\HarddiskVolume2\Users\frontdesk\Downloads\AnyConnectInstaller.exe
     DataSectionObject 0x3e0bc5e0   None   \Device\HarddiskVolume2\Users\frontdesk\Downloads\AnyConnectInstaller.exe
     ```

     :::info
     -n: include the file's original name in the dumped file name
     -Q: the physical offset of the file object
     -D: the directory to write the dump to
     :::

  3. Submit it to VirusTotal. The detailed scan results can be seen here.

:::spoiler Flag
Flag: XtremeRat
:::

==Q4==

The malware appears to be leveraging process injection. What is the PID of the process that is injected?

Recon

This question builds on the process list from Q2: because process injection is involved, the injected process must appear in pslist. I simply brute-forced it, since the hint says the answer is four digits; after excluding the common Windows processes there aren't many candidates left.

```
$ volatility_2.6_win64_standalone.exe -f memory.dmp --profile Win7SP0x86 pslist
Volatility Foundation Volatility Framework 2.6
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
...
0x85d0d030 iexplore.exe           2996   2984      6      463      1      0 2015-10-09 11:31:27 UTC+0000
...
```

:::spoiler Flag
Flag: 2996 $\to$ iexplore.exe
:::
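An added example, not the author's method: the write-up brute-forced the injected PID, but the pslist output from Q2 already carries a clue, because cmd.exe (PID 1856) has iexplore.exe (PID 2996) as its parent, and a browser spawning a shell is a classic sign of injected code. The Python below parses Volatility 2 pslist rows (a constructed subset of the table above) and flags that parent/child relationship; the sets of "user-facing" parents and shells are assumptions chosen for this page.

```python
import re

# Constructed sample: a subset of the pslist rows from the write-up above.
SAMPLE_PSLIST = """\
Volatility Foundation Volatility Framework 2.6.1
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x83d334e8 System                    4      0     94      500 ------      0 2015-10-09 11:30:44 UTC+0000
0x84e979f8 services.exe            528    420      9      200      0      0 2015-10-09 11:30:48 UTC+0000
0x85c1e5f8 explorer.exe           2116   2060     23      912      1      0 2015-10-09 11:31:04 UTC+0000
0x85d0d030 iexplore.exe           2996   2984      6      463      1      0 2015-10-09 11:31:27 UTC+0000
0x85cd3d40 OUTLOOK.EXE            3196   2116     22     1678      1      0 2015-10-09 11:31:32 UTC+0000
0x83eb5d40 cmd.exe                2496   2116      1       22      1      0 2015-10-09 11:33:42 UTC+0000
0x83f105f0 cmd.exe                1856   2996      1       33      1      0 2015-10-09 11:35:15 UTC+0000
0x83fb2d40 cmd.exe                3784   2196      1       24      1      0 2015-10-09 11:39:22 UTC+0000
0x84013598 TeamViewer.exe         2680   1696     28      632      1      0 2015-10-09 12:08:46 UTC+0000
0x83f1ed40 mstsc.exe              2844   2116     11      484      1      0 2015-10-09 12:12:03 UTC+0000
"""

# Offset Name PID PPID Thds Hnds Sess Wow64 Start [Exit]; Thds/Hnds/Sess may be "------".
_ROW_RE = re.compile(
    r"^(0x[0-9a-f]+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d)\s+"
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \S+)(?:\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \S+))?\s*$"
)


def parse_pslist(text):
    """Map PID -> process dict for every data row of a Volatility 2 pslist table."""
    procs = {}
    for line in text.splitlines():
        m = _ROW_RE.match(line.strip())
        if not m:
            continue                      # banner, header and separator lines
        pid, ppid = int(m.group(3)), int(m.group(4))
        procs[pid] = {"name": m.group(2), "pid": pid, "ppid": ppid,
                      "start": m.group(9), "exit": m.group(10)}
    return procs


# Assumed lists: parents that have no business launching an interactive shell.
USER_FACING = {"iexplore.exe", "outlook.exe", "winword.exe", "excel.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}


def shells_from_user_apps(procs):
    """Return (shell, parent) pairs where a shell's parent is a browser or mail client."""
    found = []
    for p in procs.values():
        parent = procs.get(p["ppid"])
        if p["name"].lower() in SHELLS and parent and parent["name"].lower() in USER_FACING:
            found.append((p, parent))
    return found


def orphans(procs):
    """PIDs whose parent is absent from the list (parent exited, or row not sampled)."""
    return sorted(p["pid"] for p in procs.values() if p["ppid"] not in procs)


if __name__ == "__main__":
    procs = parse_pslist(SAMPLE_PSLIST)
    for shell, parent in shells_from_user_apps(procs):
        print(f"{shell['name']} ({shell['pid']}) spawned by {parent['name']} ({parent['pid']})")
```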

==Q5==

What is the unique value the malware is using to maintain persistence after reboot?

Background

What are the Run keys in the registry?

Recon

We all know malware sets registry keys so that it runs automatically after a reboot, for example under:

  • Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • Computer\HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

So to check whether something will auto-run after a reboot, just look at these keys.

Exploit

```
$ volatility_2.6_win64_standalone.exe -f memory.dmp --profile Win7SP0x86 printkey -K "Microsoft\Windows\CurrentVersion\Run"
Volatility Foundation Volatility Framework 2.6
Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: \SystemRoot\System32\Config\SOFTWARE
Key name: Run (S)
Last updated: 2015-10-09 10:36:11 UTC+0000

Subkeys:

Values:
REG_SZ        VMware User Process : (S) "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr
REG_EXPAND_SZ MrRobot         : (S) c:\users\anyconnect\AnyConnect\AnyConnectInstaller.exe
```

:::info
printkey: prints the key path, its subkeys and its values
-K: the registry key path
:::

:::spoiler Flag
Flag: MrRobot
:::

==Q6==

Malware often uses a unique value or name to ensure that only one copy runs on the system. What is the unique name the malware is using?

Background

  • What is a Windows HANDLE: this article explains it surprisingly well. It explains, from a programmer's perspective, why we need handles and what goes wrong without them. My understanding is that a handle is like a pointer: it can refer to a structure, a process or a resource, and handles created from different structures are not interchangeable (the article explains why). In short, every process needs various resources when it is created, such as the screen, memory, keyboard and so on. How are these resources made usable only within that process? The answer is handles: a handle refers to the resource the process needs only within that process, so it cannot be confused with another process's resources. For a more advanced treatment, see this article: What is a handle? Why do handles exist? HANDLE

    A handle itself is a 32-bit unsigned integer that represents a kernel object. It does not point at the actual kernel object; a user-mode program can (in general) never obtain the real address of a kernel object. So what is the point of a handle? It is actually used as an index to look up the real address of the corresponding kernel object in a table. Where is this table? Every process has such a table, called the handle table. The first entry in the table is the process's own handle, which is why calling GetCurrentProcess() always returns 0x7FFFFFFF. Simply put, a handle is an integer value used to "indirectly" represent a kernel object. You can use handles in your program to represent the kernel objects you want to operate on. Kernel objects here include events, threads, processes, mutexes and so on. The most common one is the file handle.

  • How to open a .dat file

    A DAT file is a data file containing information specific to the program that created it.

Recon

Back to the question. Although it does not mention handles, we can infer that every process gets its own handle table when it is created, unique to that process, so handles are the direction to think in; combined with the PID found earlier, this leads to the answer.

Exploit

```
$ volatility_2.6_win64_standalone.exe -f memory.dmp --profile Win7SP0x86 handles -p 2996 | findstr ".dat"
Volatility Foundation Volatility Framework 2.6
0x85d11700   2996      0x150   0x1f0001 Mutant           fsociety0.dat
```

According to the main reference write-up (WP1):

Malware typically uses a mutant/mutex to run a single copy of malware on the system and to avoid reinfecting the host, which can increase the chances of detection by security tools.

And according to the MSDN HANDLE documentation, a mutant is one type of handle; there are others, such as event, file, port, directory and so on.

:::spoiler Flag
Flag: fsociety0.dat
:::

==Q7==

It appears that a notorious hacker compromised this box before our current attackers. Name the movie he or she is from.

Recon

The point of this question is to find a name, so intuitively I started from usernames, and as before I started from

Exploit

```
$ volatility_2.6_win64_standalone.exe -f memory.dmp --profile Win7SP0x86 filescan | findstr User > .\output\filescan\findstr_User.txt
```

Then use a text editor to look for names; there shouldn't be many. Most are frontdesk, FRONTD~1, Administrator and so on, but you should also find gideon and zerocool. The former is presumably the original user's name and the latter the hacker's. A quick web search shows that zerocool is a hacker's name from the movie Hackers (released in 1995).

:::spoiler Flag
Flag: Hackers
:::

==Q8==

What is the NTLM password hash for the administrator account?

Background

NTUSTISC - AD Note - Lab (obtaining the Local Admin NTLM hash with Mimikatz)

Recon

Since we need the NTLM hash, we can use the hashdump plugin.

Exploit

```
$ volatility_2.6_win64_standalone.exe -f memory.dmp --profile Win7SP0x86 hashdump
Volatility Foundation Volatility Framework 2.6
Administrator:500:aad3b435b51404eeaad3b435b51404ee:79402b7671c317877b8b954b3311fa82:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
front-desk:1000:aad3b435b51404eeaad3b435b51404ee:2ae4c526659523d58350e4d70107fc11:::
```

:::spoiler Flag
Flag: 79402b7671c317877b8b954b3311fa82
:::

==Q9==

The attackers appear to have moved over some tools to the compromised front desk host. How many tools did the attacker move?

Recon

Since the attacker ran commands and moved files around, our intuition is that we may be able to recover some command history from the console and work out which exe files were placed on the front desk host.

Exploit

:::spoiler Command Result
```
$ volatility_2.6_win64_standalone.exe -f memory.dmp --profile Win7SP0x86 consoles
...
C:\Windows\system32>cd ..

C:\Windows>cd Temp

C:\Windows\Temp>dir
 Volume in drive C has no label.
 Volume Serial Number is FE0F-F423

 Directory of C:\Windows\Temp

10/09/2015  07:29 AM    <DIR>          .
10/09/2015  07:29 AM    <DIR>          ..
10/09/2015  01:27 AM                 0 DMIE58D.tmp
10/09/2015  06:57 AM            50,176 getlsasrvaddr.exe
10/09/2015  02:02 AM             7,572 MpCmdRun.log
10/09/2015  12:07 AM             4,636 MpSigStub.log
10/09/2015  03:37 AM    <DIR>          MPTelemetrySubmit
10/09/2015  06:45 AM            36,864 nbtscan.exe
10/09/2015  06:44 AM           503,800 Rar.exe
10/09/2015  01:28 AM           180,224 TS_A16D.tmp
10/09/2015  01:28 AM           196,608 TS_A3BF.tmp
10/09/2015  01:28 AM           376,832 TS_A42D.tmp
10/09/2015  01:28 AM           114,688 TS_A528.tmp
10/09/2015  01:28 AM           425,984 TS_A5C5.tmp
10/09/2015  01:28 AM           131,072 TS_A807.tmp
10/09/2015  01:28 AM           655,360 TS_A911.tmp
10/09/2015  01:28 AM           114,688 TS_AA79.tmp
10/09/2015  01:28 AM           180,224 TS_AF79.tmp
10/08/2015  11:43 PM    <DIR>          vmware-SYSTEM
10/09/2015  07:16 AM                 0 w.tmp
10/09/2015  06:45 AM           199,168 wce.exe
              17 File(s)      3,177,896 bytes
               4 Dir(s)  22,602,948,608 bytes free
...
```
:::

From this command's output we can see how many exe files the directory contains: getlsasrvaddr.exe, nbtscan.exe, Rar.exe and wce.exe, so the answer should basically be 4. But since getlsasrvaddr.exe and wce.exe both come from the same wce GitHub repo, it only counts as 3.

:::spoiler Flag
Flag: 3
:::

==Q10==

What is the password for the front desk local administrator account?

Background

runas is the Windows command used to run commands or start processes "with administrator privileges" (as another user).

Recon

Likewise, to get the admin password we can look directly at the console output from the previous question, or run hashcat against the NTLM hash; for the detailed procedure see NTUSTISC - AD Note - Lab (Brute Force SAM)

```
$ volatility_2.6_win64_standalone.exe -f memory.dmp --profile Win7SP0x86 hashdump > ntlm.hash
$ hashcat.exe -a 0 -m 1000 ntlm.hash rockyou.txt --force
```

But the console also reveals the attacker's actions: since the attacker's goal was likewise to dump the credential passwords, the related output is bound to show up at the end.

Exploit

The console operations were as follows:

```
$ cd ..
$ cd Temp
$ dir
$ wce.exe -w
$ wce.exe -w > w.tmp # here the password of frontdesk\ALLSAFECYBERSEC is obtained: THzV7mpz
---
$ cd ..
$ cd Temp
$ wce.exe -w
$ runas /profile /user:Administrator # the attacker apparently was not very familiar with runas
$ runas /profile /user:Administrator cmd # presumably uses the Administrator password just obtained to escalate privileges
---
$ cd ..
$ cd Temp
$ dir
$ wce.exe -w
$ wce.exe -w > w.tmp # here the password of Administrator\front-desk-PC is obtained: flagadmin@1234
```

Checking this password's NTLM hash with an online tool confirms it is indeed the 79402b7671c317877b8b954b3311fa82 obtained two questions earlier.

:::spoiler Flag
Flag: flagadmin@1234
:::

==Q11==

What is the std create data timestamp for the nbtscan.exe tool?

Background

nbtscan: a tool for scanning NetBIOS information on Windows networks

nbtscan is a small tool for scanning NetBIOS information on Windows networks. It only works on a local network and can show the IP address, hostname, user name, MAC address and so on.

Recon

To find the timestamp of something, consider using the timeliner plugin directly; its main job is to build a timeline from the various traces found in memory.

Exploit

```
$ volatility_2.6_win64_standalone.exe -f memory.dmp --profile Win7SP0x86 timeliner | findstr nbtscan.exe
Volatility Foundation Volatility Framework 2.6
2015-10-09 10:45:12 UTC+0000|[SHIMCACHE]| \??\C:\Windows\Temp\nbtscan.exe|
```

:::spoiler Flag
Flag: 2015-10-09 10:45:12 UTC
:::

==Q12==

The attackers appear to have stored the output from the nbtscan.exe tool in a text file on a disk called nbs.txt. What is the IP address of the first machine in that file?

Recon

For this question, first locate nbs.txt, then dump it, and finally inspect the contents of the file.

Exploit

```
$ volatility_2.6_win64_standalone.exe -f memory.dmp --profile Win7SP0x86 filescan | findstr nbs.txt
Volatility Foundation Volatility Framework 2.6
0x000000003fdb7808      8      0 -W-r-- \Device\HarddiskVolume2\Windows\Temp\nbs.txt
$ volatility_2.6_win64_standalone.exe -f memory.dmp --profile Win7SP0x86 dumpfiles -n -D .\output\dumpfiles -Q 0x000000003fdb7808
Volatility Foundation Volatility Framework 2.6
DataSectionObject 0x3fdb7808   None   \Device\HarddiskVolume2\Windows\Temp\nbs.txt
$ strings file.None.0x83eda598.nbs.txt.dat
10.1.1.2        ALLSAFECYBERSEC\AD01            SHARING DC
10.1.1.3        ALLSAFECYBERSEC\EX01            SHARING
10.1.1.20       ALLSAFECYBERSEC\FRONT-DESK-PC   SHARING
10.1.1.21       ALLSAFECYBERSEC\GIDEON-PC       SHARING
```

:::spoiler Flag
Flag: 10.1.1.2
:::

==Q13==

What is the full IP address and the port was the attacker’s malware using?

Recon

This question is about the network, so a network-related plugin is needed. However, neither the Windows executable nor the Python version mentions the plugin this question needs in its help output; I only learned from other people's write-ups that netscan is the one to use. It simply isn't in the help text, and I searched for a long time; maybe it was forgotten after a version update? In any case the old wiki on GitHub has it. Also, from the previous question we know that the first machine among the internal IPs the attacker scanned is 10.1.1.2, so we can focus on that IP as we continue.

Exploit

```
$ volatility_2.6_win64_standalone.exe -f memory.dmp --profile Win7SP0x86 netscan
Volatility Foundation Volatility Framework 2.6
Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
...
0x3deba9a0         UDPv4    10.1.1.20:56813                *:*                                   3232     svchost.exe    2015-10-09 11:32:55 UTC+0000
0x3e143978         UDPv4    10.1.1.20:1900                 *:*                                   3232     svchost.exe    2015-10-09 11:32:55 UTC+0000
0x3e25bc60         UDPv4    10.1.1.20:138                  *:*                                   4        System         2015-10-09 11:30:49 UTC+0000
0x3e2b0f50         UDPv4    10.1.1.20:137                  *:*                                   4        System         2015-10-09 11:30:49 UTC+0000
0x3e2b08a8         TCPv4    10.1.1.20:139                  0.0.0.0:0            LISTENING        4        System
0x3de98df8         TCPv4    10.1.1.20:49261                10.1.1.21:445        ESTABLISHED      4        System
0x3e0d0df8         TCPv4    10.1.1.20:49208                10.1.1.3:80          ESTABLISHED      3196     OUTLOOK.EXE
0x3e0eedf8         TCPv4    10.1.1.20:49205                180.76.254.120:22    ESTABLISHED      2996     iexplore.exe
0x3e1e5008         TCPv4    10.1.1.20:49330                10.1.1.2:139         CLOSED           4        System
0x3e1f0df8         TCPv4    10.1.1.20:49207                10.1.1.3:80          ESTABLISHED      3196     OUTLOOK.EXE
0x3e1fadf8         TCPv4    10.1.1.20:49314                10.1.1.3:443         CLOSED           3196     OUTLOOK.EXE
0x3fa4dbf8         TCPv4    10.1.1.20:49333                10.1.1.3:443         CLOSED           3196     OUTLOOK.EXE
0x3fa8d1d8         TCPv4    10.1.1.20:49336                10.1.1.3:443         CLOSED           3196     OUTLOOK.EXE
0x3fa95df8         TCPv4    10.1.1.20:49297                192.96.201.138:5938  ESTABLISHED      2680     TeamViewer.exe
0x3fb7a560         TCPv4    10.1.1.20:49301                10.1.1.21:3389       ESTABLISHED      2844     mstsc.exe
0x3fc426a8         TCPv4    10.1.1.20:49291                107.6.97.19:5938     ESTABLISHED      2680     TeamViewer.exe
```

:::spoiler Flag
Flag: 180.76.254.120:22
:::
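As an added example (not part of the write-up), a Python parser for the netscan table above that keeps only ESTABLISHED connections to non-private addresses and flags owners talking on ports they should not, which is how 180.76.254.120:22 under iexplore.exe stands out without reading every row. The sample rows are a constructed subset of the output above, and the per-process expected-port map is an assumption.

```python
import ipaddress

# Constructed sample: a subset of the netscan rows from the write-up above.
SAMPLE_NETSCAN = """\
Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x3deba9a0         UDPv4    10.1.1.20:56813                *:*                                   3232     svchost.exe    2015-10-09 11:32:55 UTC+0000
0x3e2b08a8         TCPv4    10.1.1.20:139                  0.0.0.0:0            LISTENING        4        System
0x3de98df8         TCPv4    10.1.1.20:49261                10.1.1.21:445        ESTABLISHED      4        System
0x3e0d0df8         TCPv4    10.1.1.20:49208                10.1.1.3:80          ESTABLISHED      3196     OUTLOOK.EXE
0x3e0eedf8         TCPv4    10.1.1.20:49205                180.76.254.120:22    ESTABLISHED      2996     iexplore.exe
0x3e1e5008         TCPv4    10.1.1.20:49330                10.1.1.2:139         CLOSED           4        System
0x3fa95df8         TCPv4    10.1.1.20:49297                192.96.201.138:5938  ESTABLISHED      2680     TeamViewer.exe
0x3fb7a560         TCPv4    10.1.1.20:49301                10.1.1.21:3389       ESTABLISHED      2844     mstsc.exe
0x3fc426a8         TCPv4    10.1.1.20:49291                107.6.97.19:5938     ESTABLISHED      2680     TeamViewer.exe
"""


def _split_endpoint(ep):
    """'host:port' -> (host, port); IPv6 brackets are stripped, '*' stays a bare string."""
    host, _, port = ep.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_netscan(text):
    """Parse Volatility 2 netscan rows. TCP rows carry a State column; UDP rows do not."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or not f[0].startswith("0x"):
            continue                          # header / banner lines
        tcp = f[1].upper().startswith("TCP")
        state = f[4] if tcp else ""
        i = 5 if tcp else 4                   # index of the Pid column
        host, port = _split_endpoint(f[3])
        rows.append({"proto": f[1], "local": f[2], "foreign_host": host,
                     "foreign_port": port, "state": state,
                     "pid": int(f[i]), "owner": f[i + 1]})
    return rows


def external_established(rows):
    """ESTABLISHED connections whose foreign address is globally routable (not RFC1918 etc.)."""
    out = []
    for r in rows:
        try:
            ip = ipaddress.ip_address(r["foreign_host"])
        except ValueError:
            continue                          # '*' and other non-IP placeholders
        if r["state"] == "ESTABLISHED" and ip.is_global:
            out.append(r)
    return out


# Assumed baseline: ports each process is expected to use for outbound traffic.
EXPECTED_PORTS = {"iexplore.exe": {80, 443}, "outlook.exe": {25, 80, 443, 587, 993}}


def unexpected_ports(rows):
    """External connections where a known process uses a port outside its baseline."""
    return [r for r in external_established(rows)
            if r["owner"].lower() in EXPECTED_PORTS
            and r["foreign_port"] not in EXPECTED_PORTS[r["owner"].lower()]]


if __name__ == "__main__":
    for r in unexpected_ports(parse_netscan(SAMPLE_NETSCAN)):
        print(f"{r['owner']} ({r['pid']}) -> {r['foreign_host']}:{r['foreign_port']}")
```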

==Q14==

It appears the attacker also installed legit remote administration software. What is the name of the running process?

Recon

This one is very easy and could have been answered after the first few questions: the attacker also installed another kind of remote desktop software, and the earlier pslist output already shows TeamViewer at work.

Exploit

:::spoiler Flag Flag: TeamViewer.exe :::

==Q15==

It appears the attackers also used a built-in remote access method. What IP address did they connect to?

Background

Setup and usage guide for Windows' built-in Remote Desktop Connection tool: mstsc is the remote connection tool built into Windows.

Recon

This is also very easy: the netscan result two questions back shows a running mstsc.exe process, and pslist shows it too, so in the earlier questions you could already think in this direction about the attacker's possible techniques.

Exploit

:::spoiler Flag Flag: 10.1.1.21 :::

Reference