CyberDefender - MrRobot - Target 2

Posted on | Post modified | In |

CyberDefender - MrRobot - Target 2

Challenge: https://cyberdefenders.org/blueteam-ctf-challenges/88 Target 1: https://hackmd.io/@SBK6401/SkJAThwla POS: https://hackmd.io/@SBK6401/BJpJqDhlp

:::spoiler TOC [TOC] ::: Lecture Video: 2022/06/29 藍隊安全系列課程 04 Volatility - Cheat Sheet

Background

Lab - Target 2

起手式

1
2
3
4
5
6
7
8
9
10
11
12
 
$ volatility_2.6_win64_standalone.exe -f memory.dmp imageinfo
Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x86_23418, Win7SP0x86, Win7SP1x86 (Instantiated with WinXPSP2x86)
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : WindowsCrashDumpSpace32 (Unnamed AS)
                     AS Layer3 : FileAddressSpace (D:\NTU\CTF\CyberDefenders\c69-Grrcon2015\target2\memory.dmp)
                      PAE type : PAE
                           DTB : 0x3ed36260L
             KUSER_SHARED_DATA : 0xffdf0000L
           Image date and time : 2015-10-09 12:53:12 UTC+0000
     Image local date and time : 2015-10-09 08:53:12 -0400

重要資訊System Name: Win7SP0x86

==Q16==

It appears the attacker moved latterly from the front desk machine to the security admins (Gideon) machine and dumped the passwords. What is Gideon’s password?

Recon

根據題目的敘述,我首先會想看他的console,看他有甚麼樣的檔案或是process上的操作,果不其然他有使用到前面提到的wce.exe工具,並且他把結果存在某一個檔案中,接下來就是把檔案dump出來,看裡面的內容這樣

Exploit

1
2
3
4
5
6
7
8
9
10
11
12
 
$ volatility_2.6_win64_standalone.exe -f memory.dmp --profile Win7SP0x86 consoles > .\output\consoles.txt
$ volatility_2.6_win64_standalone.exe -f memory.dmp --profile Win7SP0x86 filescan | findstr w.tmp
Volatility Foundation Volatility Framework 2.6
0x000000003fcf2798      8      0 -W-r-- \Device\HarddiskVolume2\Users\gideon\w.tmp
$ volatility_2.6_win64_standalone.exe -f memory.dmp --profile Win7SP0x86 dumpfiles -n -D .\output -Q 0x000000003fcf2798
Volatility Foundation Volatility Framework 2.6
DataSectionObject 0x3fcf2798   None   \Device\HarddiskVolume2\Users\gideon\w.tmp
$ strings file.None.0x85a35da0.w.tmp.dat
WCE v1.42beta (Windows Credentials Editor) - (c) 2010-2013 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
Use -h for help.
gideon\ALLSAFECYBERSEC:t76fRJhS
GIDEON-PC$\ALLSAFECYBERSEC:s9O3t%sd1q>:u5Za8Xrx_3Eg;(\qapu<"Rn$#QQJlsD m#;z2hbJkr*tLe>0)F[S)'USh3BKJILn3-?vt]q=s-Cp.ws9wVik[]5?#F\*l/J19+`PYco:au;T

:::spoiler Flag Flag: t76fRJhS :::

==Q17==

Once the attacker gained access to “Gideon,” they pivoted to the AllSafeCyberSec domain controller to steal files. It appears they were successful. What password did they use?

Background

rar.exe的使用方法

-HP :帶文件頭加密,更安全,沒有密碼無法查看里面的文件列表

Recon

題目敘述提到的狀況可以從console中看出來,可以看到他先把c槽掛在自己的z槽上面(這可能需要一點AD的概念才會比較清楚,可以看之前寫的NTUSTISC - AD Note - Lab(SMB遠端讀寫)),然後把一個rar.exe丟到對方的c槽底下(z:\crownjewels),接著把所有東西(.txt)都壓縮,而如果知道rar.exe中-hp的意思就知道他後面帶的東西是壓縮的密碼也就是本題的答案

Exploit

:::spoiler Flag Flag: 123qwe!@# :::

==Q18==

What was the name of the RAR file created by the attackers?

Recon

這一題意外的超簡單,就看console中的內容就知道壓縮的檔案名稱是啥了

Exploit

:::spoiler Flag Flag: crownjewlez.rar :::

==Q19==

How many files did the attacker add to the RAR archive?

Background

Recon

這一題比較複雜,因為如果單看console中的內容會發現dump出來的部分不完全,所以可以把這一個console的process memory dump出來,然後查看裡面的內容

Exploit

1
2
3
4
5
6
 
$ volatility_2.6_win64_standalone.exe -f memory.dmp --profile Win7SP0x86 memdump --pid 3048 -D .\output\    # 按照之前的console查詢結果,可以知道pid是3048
$ strings -el 3048.dmp > 3048.txt
$ strings 3048.txt | grep '\crownjewels\'| grep ".txt"
\crownjewels\SecretSauce2.txt
\crownjewels\SecretSauce1.txt
\crownjewels\SecretSauce3.txt
  1. 記得要把dump出來的memory轉換成16-bits little endian才能看到完整的可視內容
  2. 然後如果看前面console的結果可以得知他是在crownjewels這個folder底下執行rar的壓縮,所以可以下grep的pipe command,可以知道只有三個.txt檔案

:::spoiler Flag Flag: 3 :::

==Q20==

The attacker appears to have created a scheduled task on Gideon’s machine. What is the name of the file associated with the scheduled task?

Background

Windows 工作排程 Windows 如何透過工作排程設定開機自動連線

Recon

看到scheduled task就要想到windows內建的task scheduler的功能,詳細的工具教學可以看上面的background,總之他新增的東西通常會放在Windows/System32/Tasks,所以我們可以直接用filescan搭配上述地址的關鍵自進行搜尋

Exploit

可以看到task大部分都是microsoft或是google update的東西,只有一個有點奇怪,應該就是這一題的access point

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
 
$ volatility_2.6_win64_standalone.exe -f memory.dmp --profile Win7SP0x86  filescan | findstr \Windows\System32\Tasks\
Volatility Foundation Volatility Framework 2.6
...
0x000000003fc399b8      8      0 R--r-d \Device\HarddiskVolume2\Windows\System32\Tasks\At1
...
$ volatility_2.6_win64_standalone.exe -f memory.dmp --profile Win7SP0x86 dumpfiles -n -Q 0x000000003fc399b8 -D .\output
Volatility Foundation Volatility Framework 2.6
DataSectionObject 0x3fc399b8   None   \Device\HarddiskVolume2\Windows\System32\Tasks\At1
$ cat file.None.0x85a86af0.At1.dat
��<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.0" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo />
  <Triggers>
    <TimeTrigger>
      <StartBoundary>2015-10-09T08:00:00</StartBoundary>
    </TimeTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>@AtServiceAccount</UserId>
      <LogonType>InteractiveTokenOrPassword</LogonType>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Actions Context="Author">
    <Exec>
      <Command>c:\users\gideon.bat</Command>
    </Exec>
  </Actions>
</Task>%

可以看到執行label寫說要執行c:\users\gideon\1.bat這個script

:::spoiler Flag Flag: 1.bat :::

Reference