
Information
Category Name: DetectLog4j
Files: c67-Log4shell.zip 3GB
–> DetectLog4Shell.E01 2.99 GB
–> DetectLog4Shell.E01.txt 1KB
–> wordlist.txt 4.6 MB
My Recommendations
This is my personal preference, I like being organized and deleting a folder when I’m done with it.
mkdir -p Documents/CyberDefenders/log4j && cd Documents/CyberDefenders/log4j
Download it from Cyber Defenders and verify the file with sha1sum:
sha1sum /path/to/c67-Log4shell.zip
SHA1: 6556e7d46e89bf2ea68e05cf101920e2de071a22
Then extract it with the provided password.
Since the file is big and needs to be mounted, I prefer to share the Log4shell folder with my VM and then mount it: ewfmount exposes the E01 as a raw image, and the NTFS volume inside it is mounted read-only (both mount points, /mnt/ewf and /mnt/Windows, must already exist):
sudo ewfmount /path/to/DetectLog4Shell.E01 /mnt/ewf
sudo mount -t ntfs-3g -o loop,ro,show_sys_files,stream_interface=windows /mnt/ewf/ewf1 /mnt/Windows
Walkthrough
1. What is the computer hostname?
Using RegRipper:
rip.pl -r /mnt/Windows/Windows/System32/config/SYSTEM -p compname
Answer: vcw65
2. What is the Timezone of the compromised machine?
Using RegRipper:
rip.pl -r /mnt/Windows/Windows/System32/config/SYSTEM -p timezone
Daylight Saving Time is not in effect, since the image was acquired in December (winter). This is why ‘ActiveTimeBias’ and ‘Bias’ hold the same value.
Answer: UTC-8
3. What is the current build number on the system?
Using RegRipper:
rip.pl -r /mnt/Windows/Windows/System32/config/SOFTWARE -p winver
Answer: 14393
4. What is the computer IP?
Using RegRipper:
rip.pl -r /mnt/Windows/Windows/System32/config/SYSTEM -p ips
Answer: 192.168.112.139
5. What is the domain computer was assigned to?
Looking into the netlogon.dns file:
cat /mnt/Windows/Windows/System32/config/netlogon.dns
The only domain in the file is cyberdefenders.org.
Answer: cyberdefenders.org
6. When was myoussef user created?
Using RegRipper:
rip.pl -r /mnt/Windows/Windows/System32/config/SAM -p samparse | grep 'myoussef' -A 20
Answer: 2021-12-28 06:57:23 UTC
7. What is the user mhasan password hint?
RegRipper doesn’t parse the password hint, so we need to look for it manually:
xxd /mnt/Windows/Windows/System32/config/SAM | grep mhasan -A 100
All of the users’ hints are LinkedIn links; mhasan is most likely Mohamed Hasan (who is a Security Engineer at Cyber Defenders).
Answer: https://www.linkedin.com/in/0xmohamedhasan/
8. What is the version of the VMware product installed on the machine?
Using RegRipper:
rip.pl -r /mnt/Windows/Windows/System32/config/SOFTWARE -p uninstall
There are multiple VMware-related installations, but the actual product is VMware Server:
Answer: 6.7.0.40322
9. What is the version of the log4j library used by the installed VMware product?
VMware-related files are in ProgramData. We can use find to look for a jar file in that directory, and grep for ‘log4j’:
find /mnt/Windows/ProgramData/VMware -name "*.jar" | grep log4j
In this case, the log4j library is log4j-core-2.11.2.jar
Answer: 2.11.2
10. What is the log4j library log level specified in the configuration file?
According to VMware’s website, the file holding the log4j logging configuration is ‘log4j.xml’. Given that the version is 2.11, the configuration file is named ‘log4j2.xml’:
cat '/mnt/Windows/Program Files/VMware/vCenter Server/VMware Identity Services/log4j2.xml' | grep -i level
Answer: INFO
11. The attacker exploited log4shell through an HTTP login request.
What is the HTTP header used to inject payload?
VMware vCenter is exploitable by Log4Shell when several conditions are met:
– The connection page /websso/SAML2/SSO/MachineName needs to be valid
– The SAMLRequest parameter needs to be invalid or empty
– The malicious JNDI lookup string is injected in the HTTP X-Forwarded-For header
Answer: X-Forwarded-For
12. The attacker used the log4shell.huntress.com payload to detect if the vCenter instance is vulnerable.
What is the first link of the log4huntress payload?
grep -r -F 'log4shell.huntress.com' /mnt/Windows/ProgramData/VMware/vCenterServer
The exploit’s first step is to get the SSO login realm. One of the files that logs SSO activity is audit_events.log (as the grep output shows).
The earliest entry, at 2021-12-29 01:50:06.009 has the link log4shell.huntress.com:1389/b1292f3c-a652-4240-8fb4-59c43141f55a
Answer: log4shell.huntress.com:1389/b1292f3c-a652-4240-8fb4-59c43141f55a
13. When was the first successful login to vsphere WebClient?
Since audit_events.log logs SSO activity, we can grep for ‘LoginSuccess’ and look at the timestamps:
cat /mnt/Windows/ProgramData/VMware/vCenterServer/runtime/VMwareSTSService/logs/audit_events.log | grep LoginSuccess
The timestamp of the login is “12/28/2021 12:39:29 PST”, which in UTC is 20:39:29, matching the log line’s own timestamp (highlighted above).
Answer: 28/12/2021 20:39:29 UTC
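Questions 2 and 13 are the same conversion seen from both ends: the registry Bias is the number of minutes to add to local time to reach UTC (so UTC-8 is stored as 480, and a UTC+1 zone shows up as the unsigned DWORD 4294967236). As an added example, not code from the write-up, this Python helper turns a Bias/ActiveTimeBias value into the label used in the answer and converts a vCenter-style local timestamp to the UTC form; the timestamp layout `MM/DD/YYYY HH:MM:SS TZ` is taken from the quoted log entry.

```python
from datetime import datetime, timedelta, timezone


def dword_to_signed(value: int) -> int:
    """RegRipper prints Bias as an unsigned DWORD; zones east of UTC are negative."""
    return value - (1 << 32) if value & 0x80000000 else value


def bias_to_tz(bias_minutes: int) -> timezone:
    """Bias is 'minutes to ADD to local time to get UTC', so the tz offset is its negation."""
    return timezone(timedelta(minutes=-bias_minutes))


def bias_to_label(bias_minutes: int) -> str:
    """Render a Bias as 'UTC-8' / 'UTC+5:30', the form the challenge expects."""
    offset_hours = -bias_minutes / 60
    sign = "+" if offset_hours >= 0 else "-"
    hours = int(abs(offset_hours))
    minutes = int(round((abs(offset_hours) - hours) * 60))
    return f"UTC{sign}{hours}" if minutes == 0 else f"UTC{sign}{hours}:{minutes:02d}"


def vcenter_local_to_utc(stamp: str, active_time_bias: int) -> str:
    """Convert 'MM/DD/YYYY HH:MM:SS PST' to 'DD/MM/YYYY HH:MM:SS UTC'.

    The trailing zone abbreviation is dropped on purpose: the registry's
    ActiveTimeBias is the authoritative offset for the acquired machine.
    """
    local_part = stamp.rsplit(" ", 1)[0]
    local = datetime.strptime(local_part, "%m/%d/%Y %H:%M:%S")
    local = local.replace(tzinfo=bias_to_tz(active_time_bias))
    return local.astimezone(timezone.utc).strftime("%d/%m/%Y %H:%M:%S UTC")


if __name__ == "__main__":
    # 480 is the Bias/ActiveTimeBias for the compromised machine (UTC-8, no DST in effect)
    print(bias_to_label(480))
    print(vcenter_local_to_utc("12/28/2021 12:39:29 PST", 480))
```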
14. What is the attacker's IP address?
In the audit_events.log file, all log4shell.huntress.com entries are associated with the same IP address, 192.168.112.128:
Moreover, if we look into the vmwaresyslogcollector directory (which stores syslog.log files), there are two folders for IP addresses 127.0.0.1 and 192.168.112.128:
127.0.0.1’s syslog appears to be a standard syslog. 192.168.112.128’s syslog is not a log, it’s an HTTP request:
cat /mnt/Windows/ProgramData/VMware/vCenterServer/data/vmsyslogcollector/192.168.112.128/syslog.log
This request, for ‘/nice ports,/Trinity.txt.bak HTTP/1.0\r\n\r\n’, originates from Nmap. It is used to test how the server handles escape characters within a URI.
Answer: 192.168.112.128
15. What is the port the attacker used to receive the cobalt strike reverse shell?
In Administrator.WIN-B633EO9K91M’s profile directory, there is evidence of a PowerShell command being executed:
cat /mnt/Windows/Users/Administrator.WIN-B633EO9K91M/AppData/Roaming/Microsoft/Windows/PowerShell/PSReadline/ConsoleHost_history.txt
Decoding the encoded command returns another base64 encoded string, which is compressed with Gzip:
We can decode it and check it in Virus Total for more information:
echo -n '#base64encodedstring' | base64 -d | gunzip > decoded
md5sum decoded
#returns 383c6d219a350699d7a3a328d484bd41
VirusTotal flags the file as a Trojan. The file itself is a PowerShell script that executes a payload; part of its contents is Base64 encoded. A full report is available on Joe Sandbox. The decoded Base64 string is the following:
The C2Server is at {attackerip}:1337/NOqO
Answer: 1337
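The decoding chain above (Base64 of UTF-16LE for -EncodedCommand, then a Base64 blob fed to a GzipStream inside the script) is exactly what a triage script should reverse without ever executing anything. As an added example that is not from the write-up, the Python below builds a harmless stand-in history line with the same layering (the inner script is a constructed variable assignment holding a placeholder C2 URL, not the beacon from the image) and then peels it back layer by layer, reporting the MD5 of the decoded blob for a VirusTotal lookup and any URLs and ports found in it.

```python
import base64
import gzip
import hashlib
import re

# Constructed benign stand-in for the decoded stage; the port and path come from the
# write-up, the host is an obvious placeholder. NOT the real script from the image.
INNER_SCRIPT = ('# constructed sample, does nothing\n'
                '$c2 = "http://ATTACKER_IP_PLACEHOLDER:1337/NOqO"\n')


def build_sample_history() -> str:
    """Produce one ConsoleHost_history.txt line with the same layering the write-up describes."""
    inner_b64 = base64.b64encode(gzip.compress(INNER_SCRIPT.encode(), mtime=0)).decode()
    wrapper = ('IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream('
               '(New-Object IO.MemoryStream(,[Convert]::FromBase64String("%s"))),'
               '[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()' % inner_b64)
    encoded = base64.b64encode(wrapper.encode("utf-16-le")).decode()
    return "powershell -nop -w hidden -encodedcommand " + encoded + "\n"


# -e, -ec, -enc and -encodedcommand are all accepted spellings of the switch
ENC_RE = re.compile(r"-e(?:nc(?:odedcommand)?|c)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
B64_RE = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
URL_RE = re.compile(r"https?://[^\s'\"]+")


def decode_encoded_command(cmdline: str) -> str:
    """Stage 1: -EncodedCommand is Base64 over a UTF-16LE script."""
    m = ENC_RE.search(cmdline)
    if not m:
        raise ValueError("no -EncodedCommand argument found")
    return base64.b64decode(m.group(1)).decode("utf-16-le")


def unwrap_gzip_base64(script: str) -> bytes:
    """Stage 2: pull the FromBase64String() blob out and gunzip it if it carries the gzip magic."""
    m = B64_RE.search(script)
    if not m:
        raise ValueError("no FromBase64String() blob found")
    blob = base64.b64decode(m.group(1))
    return gzip.decompress(blob) if blob[:2] == b"\x1f\x8b" else blob


def triage(history_text: str) -> dict:
    """Walk a PSReadline history, decode the first encoded command and summarise it."""
    for line in history_text.splitlines():
        if not ENC_RE.search(line):
            continue
        stage1 = decode_encoded_command(line)
        decoded = unwrap_gzip_base64(stage1)
        inner = decoded.decode("utf-8", errors="replace")
        urls = URL_RE.findall(inner)
        ports = [int(p) for p in re.findall(r":(\d+)/", " ".join(urls))]
        return {
            "stage1": stage1,
            "inner_script": inner,
            "md5": hashlib.md5(decoded).hexdigest(),   # same value `md5sum decoded` would print
            "urls": urls,
            "c2_ports": ports,
        }
    raise ValueError("no encoded command in history")


if __name__ == "__main__":
    report = triage(build_sample_history())
    print(report["md5"], report["urls"], report["c2_ports"])
```

To use it on the evidence, read ConsoleHost_history.txt into `triage()` instead of the constructed sample; real stagers sometimes nest a further `FromBase64String` inside the gunzipped script, in which case `unwrap_gzip_base64()` can simply be applied again to `inner_script`.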
16. What is the script name published by VMware to mitigate log4shell vulnerability?
VMware published an article to address the vulnerability. There are several workarounds, but the automated workaround recommended by the company is the script ‘vc_log4j_mitigator.py’.
Answer: vc_log4j_mitigator.py
17. In some cases, you may not be able to update the products used in your network.
What is the system property needed to set to ‘true’ to work around the log4shell vulnerability?
If you were to mitigate log4shell manually, VMware’s instructions, like those of many other vendors, are to set log4j2.formatMsgNoLookups to true.
Answer: log4j2.formatMsgNoLookups
18. What is the log4j version which contains a patch to CVE-2021-44228?
Apache fixed the issue in version Log4j 2.15.0:
Answer: 2.15.0
19. Removing JNDIlookup.class may help in mitigating log4shell.
What is the sha256 hash of the JNDILookup.class?
To do so, we need to find the JNDILookup.class using zipinfo on the jar file, extract it and calculate its sha256 hash:
zipinfo /mnt/Windows/ProgramData/VMware/vCenterServer/runtime/VMwareSTSService/webapps/ROOT/WEB-INF/lib/log4j-core-2.11.2.jar | grep -i JndiLookup
#returns org/apache/logging/log4j/core/lookup/JndiLookup.class
unzip -j "/mnt/Windows/ProgramData/VMware/vCenterServer/runtime/VMwareSTSService/webapps/ROOT/WEB-INF/lib/log4j-core-2.11.2.jar" "org/apache/logging/log4j/core/lookup/JndiLookup.class" -d .
sha256sum JndiLookup.class
Answer: 0f038a1e0aa0aff76d66d1440c88a2b35a3d023ad8b2e3bac8e25a3208499f7e
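Questions 9, 18 and 19 together describe the checks a responder repeats across every product on a host: locate the log4j-core jar, read its version off the file name, compare it against the fixed release, and confirm whether JndiLookup.class is still inside (removing it is the workaround named in question 19). As an added example, not code from the write-up or from VMware, the Python below does all four over a directory tree; the three jars it scans are built in a temporary directory with a placeholder `JndiLookup.class` byte string, so the hashes it prints are not the real one from the answer.

```python
import hashlib
import re
import tempfile
import zipfile
from pathlib import Path

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED = (2, 15, 0)    # first release that closes CVE-2021-44228 (per the write-up)
JAR_RE = re.compile(r"log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")

# Placeholder bytes standing in for the real class; constructed, not log4j's code.
SAMPLE_JNDI_BYTES = b"\xca\xfe\xba\xbe constructed placeholder, not a real class file"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_version(name: str):
    """'log4j-core-2.11.2.jar' -> (2, 11, 2); None when the name does not match."""
    m = JAR_RE.search(name)
    return tuple(int(x) for x in m.groups()) if m else None


def inspect_jar(path: Path) -> dict:
    version = parse_version(path.name)
    # Tuple comparison against 2.15.0 is a simplification: the 2.12.x and 2.3.x branches
    # received their own back-ported fixes, so treat 'below_fix' as a first-pass signal.
    below_fix = version is not None and version < FIXED
    present, digest = False, None
    with zipfile.ZipFile(path) as zf:
        if JNDI_CLASS in zf.namelist():
            present = True
            digest = sha256_hex(zf.read(JNDI_CLASS))
    return {
        "jar": str(path),
        "version": version,
        "below_fix": below_fix,
        "jndi_present": present,
        "jndi_sha256": digest,
        "needs_action": below_fix and present,   # old version AND the lookup class still there
    }


def scan_tree(root: Path) -> list:
    """Inspect every log4j-core jar under root, in path order."""
    return [inspect_jar(p) for p in sorted(root.rglob("log4j-core-*.jar"))]


def build_sample_tree() -> Path:
    """Create a throwaway tree with three constructed jars: vulnerable, class-removed, patched."""
    root = Path(tempfile.mkdtemp(prefix="log4jscan-"))
    layout = {
        "app-a/lib/log4j-core-2.11.2.jar": True,    # old version, JndiLookup still present
        "app-b/lib/log4j-core-2.11.2.jar": False,   # old version, JndiLookup removed
        "app-c/lib/log4j-core-2.17.1.jar": True,    # patched version, class present but harmless
    }
    for rel, with_class in layout.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        with zipfile.ZipFile(target, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            if with_class:
                zf.writestr(JNDI_CLASS, SAMPLE_JNDI_BYTES)
    return root


if __name__ == "__main__":
    # On the evidence: scan_tree(Path("/mnt/Windows/ProgramData/VMware"))
    for row in scan_tree(build_sample_tree()):
        print(row)
```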
20. Analyze JNDILookup.class.
What is the value stored in the CONTAINER_JNDI_RESOURCE_PATH_PREFIX variable?
Java class files can be disassembled, and made readable, with ‘javap’:
javap -v -c JndiLookup.class
Without the verbose option (-v) the variable wouldn’t display any value.
Answer: java:comp/env/
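The reason `-v` is needed is that a `static final String` never appears in bytecode: javac stores it as a ConstantValue attribute on the field, pointing into the constant pool, and only the verbose listing prints that pool. As an added example (not from the write-up and not javap's code) the Python below reads that structure directly: it walks the constant pool, then the field table, and returns every field that carries a ConstantValue. Because no real class file is shipped here, it also builds a minimal constructed class with one such field named after the one in the question; run it against the extracted JndiLookup.class to get the real value.

```python
import struct

# Constant-pool tags from the JVM specification that carry a single u2 index
_U2_TAGS = {7: "Class", 8: "String", 16: "MethodType", 19: "Module", 20: "Package"}


def _read_constant_pool(data: bytes, pos: int):
    count, = struct.unpack_from(">H", data, pos)
    pos += 2
    pool, i = {}, 1
    while i < count:
        tag = data[pos]
        pos += 1
        if tag == 1:                                   # Utf8
            ln, = struct.unpack_from(">H", data, pos)
            pos += 2
            pool[i] = ("Utf8", data[pos:pos + ln].decode("utf-8", "replace"))
            pos += ln
        elif tag in (3, 4):                            # Integer / Float
            pool[i] = ("Num", struct.unpack_from(">i" if tag == 3 else ">f", data, pos)[0])
            pos += 4
        elif tag in (5, 6):                            # Long / Double occupy two slots
            pool[i] = ("Num", struct.unpack_from(">q" if tag == 5 else ">d", data, pos)[0])
            pos += 8
            i += 1
        elif tag in _U2_TAGS:
            pool[i] = (_U2_TAGS[tag], struct.unpack_from(">H", data, pos)[0])
            pos += 2
        elif tag in (9, 10, 11, 12, 17, 18):           # refs, NameAndType, (Invoke)Dynamic
            pool[i] = ("Ref", struct.unpack_from(">HH", data, pos))
            pos += 4
        elif tag == 15:                                # MethodHandle: u1 kind + u2 index
            pool[i] = ("MethodHandle", (data[pos], struct.unpack_from(">H", data, pos + 1)[0]))
            pos += 3
        else:
            raise ValueError(f"unknown constant pool tag {tag} at offset {pos - 1}")
        i += 1
    return pool, pos


def static_string_constants(data: bytes) -> dict:
    """Map field name -> compile-time constant for every field with a ConstantValue attribute."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    pool, pos = _read_constant_pool(data, 8)           # skip magic, minor, major
    pos += 6                                           # access_flags, this_class, super_class
    n_if, = struct.unpack_from(">H", data, pos)
    pos += 2 + 2 * n_if
    n_fields, = struct.unpack_from(">H", data, pos)
    pos += 2
    out = {}
    for _ in range(n_fields):
        _flags, name_i, _desc_i, n_attr = struct.unpack_from(">HHHH", data, pos)
        pos += 8
        for _ in range(n_attr):
            attr_name_i, length = struct.unpack_from(">HI", data, pos)
            pos += 6
            if pool[attr_name_i][1] == "ConstantValue":
                cv_i, = struct.unpack_from(">H", data, pos)
                kind, val = pool[cv_i]
                out[pool[name_i][1]] = pool[val][1] if kind == "String" else val
            pos += length
    return out


def _u2(n: int) -> bytes:
    return struct.pack(">H", n)


def _utf8(s: str) -> bytes:
    b = s.encode()
    return b"\x01" + _u2(len(b)) + b


def build_sample_class() -> bytes:
    """Constructed minimal class 'Sample' with one public static final String field."""
    cp = [
        _utf8("CONTAINER_JNDI_RESOURCE_PATH_PREFIX"),   # 1 field name
        _utf8("Ljava/lang/String;"),                    # 2 descriptor
        _utf8("ConstantValue"),                         # 3 attribute name
        _utf8("java:comp/env/"),                        # 4 the value (from the answer)
        b"\x08" + _u2(4),                               # 5 String -> #4
        _utf8("Sample"), b"\x07" + _u2(6),              # 6, 7 this class
        _utf8("java/lang/Object"), b"\x07" + _u2(8),    # 8, 9 super class
    ]
    body = b"\xca\xfe\xba\xbe" + _u2(0) + _u2(52) + _u2(len(cp) + 1) + b"".join(cp)
    body += _u2(0x0021) + _u2(7) + _u2(9) + _u2(0)     # flags, this, super, 0 interfaces
    field = _u2(0x0019) + _u2(1) + _u2(2) + _u2(1)      # public static final, 1 attribute
    field += _u2(3) + struct.pack(">I", 2) + _u2(5)     # ConstantValue -> #5
    return body + _u2(1) + field + _u2(0) + _u2(0)      # 1 field, 0 methods, 0 attributes


if __name__ == "__main__":
    print(static_string_constants(build_sample_class()))
    # On the evidence: static_string_constants(open("JndiLookup.class", "rb").read())
```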
21. What is the executable used by the attacker to gain persistence?
Evidence of persistence can be found in the Registry; the most common keys are the ‘Run’ keys. Looking into the SOFTWARE hive returned nothing, so we need to look into the users’ NTUSER.DAT hives.
Given that the cobalt strike beacon was in Administrator.WIN-B633EO9K91M’s directory, we can check its NTUSER.DAT hive:
rip.pl -r /mnt/Windows/Users/Administrator.WIN-B633EO9K91M/NTUSER.DAT -p run
There is an entry for the executable ‘baaaackdooor.exe’ on Administrator’s Desktop:
Answer: baaaackdooor.exe
22. When was the first submission of ransomware to virustotal?
The ransomware is the famous ‘khonsari.exe’. We can check its md5 to see its submission date:
md5sum /mnt/Windows/khonsari.exe
#returns 6ac57a1e090e7abdb9b7212e058c43c6
Searching for the executable’s MD5 hash in VirusTotal:
Answer: 2021-12-11 22:57:01
23. The ransomware downloads a text file from an external server.
What is the key used to decrypt the URL?
The URL can be found in VirusTotal – Relations section:
BlueVector has researched the ransomware and published the keys for the decrypted strings. The key for the URL is GoaahQrC.
Answer: GoaahQrC
24. What is the ISP that owns that IP that serves the text file?
25. The ransomware check for extensions to exclude them from the encryption process.
What is the second extension the ransomware checks for?
Netskope has a great post about the ransomware. The ransomware “skips the encryption if the file ends with ‘.khonsari’, ‘.ini’, and ‘ink’.”
Answer: ini
TLDR
The most *dramatic* cyber-security event of 2021 was by faaar the Log4Shell zero-day. It affected hundreds of services and Reddit was in full-on panic mode….