CyberDefenders: Injector

A company’s web server has been breached through their website. Our team arrived just in time to take a forensic image of the running system and its memory for further analysis. As a security analyst, you are tasked with mounting the image to determine how the system was compromised and the actions/commands the attacker executed.

Information

Category Name: Injector

Files: 
c7-Breach.zip 2.9 GB
— memdump.mem 1.07 GB
— s4a-challenge4 26.84 GB

Since the files are large, I recommend either extracting the archive to an external drive or sharing a folder with your virtual machine.

My Recommendations

This is my personal preference: I like being organized and deleting a folder when I’m done with it.

mkdir Documents/CyberDefenders/Injector && cd Documents/CyberDefenders/Injector

Download it from CyberDefenders and verify the file with sha1sum:

sha1sum /path/to/c7-Breach.zip

SHA1: 1a4497202f6191f9a546a9c3d05bfc67eda3eb1be6983b894c6eb6c64735d

Then extract it with the provided password and mount the disk image read-only (the NTFS partition starts at sector 2048, hence the byte offset of 2048*512):

sudo mount -t ntfs-3g -o loop,ro,show_sys_files,stream_interface=windows,offset=$((2048*512)) /path/to/s4a-challenge4 /mountpoint/

Walkthrough

1. What is the computer's name?

Using RegRipper:

rip.pl -r /mnt/Windows/Windows/System32/config/SYSTEM -p compname

Answer: WIN-L0ZZQ76PMUF

2. What is the Timezone of the compromised machine?

Format: UTC+0 (no-space)

Using RegRipper:

rip.pl -r /mnt/Windows/Windows/System32/config/SYSTEM -p timezone

The timezone is Pacific Standard Time. The ActiveTimeBias value is the current difference from UTC in minutes with Daylight Saving Time already applied, which is why the answer is UTC-7 rather than the zone’s standard UTC-8.

Answer: UTC-7
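Converting the registry value by hand is easy to get wrong in two places: the bias is stored in minutes west of UTC (so the sign flips), and it is an unsigned DWORD, so zones east of UTC show up as values like 0xFFFFFFC4. The following is an added example, not part of the walkthrough or of RegRipper, that turns the Bias/ActiveTimeBias values printed by the timezone plugin into the challenge’s UTC+0 answer format and flags whether DST was in effect when the image was taken. The sample values are the Pacific ones from this challenge plus two constructed eastern-hemisphere cases.

```python
"""Interpret TimeZoneInformation values (Bias, ActiveTimeBias) from the SYSTEM
hive.  Added example; the input numbers below are either the Pacific values
from this walkthrough (480 / 420) or constructed for illustration."""

def signed_dword(value: int) -> int:
    """Re-interpret an unsigned 32-bit registry DWORD as a signed integer."""
    value &= 0xFFFFFFFF
    return value - 0x100000000 if value >= 0x80000000 else value

def bias_to_utc_offset(bias_dword: int) -> str:
    """Bias is minutes *west* of UTC, so UTC-7 is stored as +420 and UTC+1 as -60
    (0xFFFFFFC4 when read as unsigned).  Output uses the 'UTC+0' format."""
    offset_min = -signed_dword(bias_dword)
    sign = "+" if offset_min >= 0 else "-"
    hours, minutes = divmod(abs(offset_min), 60)
    return f"UTC{sign}{hours}" if minutes == 0 else f"UTC{sign}{hours}:{minutes:02d}"

def dst_in_effect(bias_dword: int, active_time_bias_dword: int) -> bool:
    """ActiveTimeBias differs from Bias exactly when a DST adjustment is active."""
    return signed_dword(bias_dword) != signed_dword(active_time_bias_dword)

def describe(bias_dword: int, active_time_bias_dword: int) -> dict:
    return {
        "standard_offset": bias_to_utc_offset(bias_dword),
        "current_offset": bias_to_utc_offset(active_time_bias_dword),
        "dst_in_effect": dst_in_effect(bias_dword, active_time_bias_dword),
    }

if __name__ == "__main__":
    # Pacific Standard Time as found on this image: Bias 480, ActiveTimeBias 420.
    print(describe(480, 420))
    # Constructed eastern-hemisphere cases stored as unsigned DWORDs.
    print(bias_to_utc_offset(0xFFFFFFC4))  # UTC+1
    print(bias_to_utc_offset(0xFFFFFEB6))  # UTC+5:30
```

The answer to the question is the current_offset field; standard_offset is what you would get by reading Bias instead of ActiveTimeBias, which is the usual mistake.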

3. What was the first vulnerability the attacker was able to exploit?

Looking into /mnt/Windows, there is a directory called ‘xampp’. XAMPP is an Apache web server distribution. Apache records every request it serves in ‘access.log’, which is the best place to look for evidence of intrusion. Since the question asks for the ‘first’ vulnerability, we can print the first 20 lines to see if something comes up:

cat /mnt/Windows/xampp/apache/logs/access.log | head -n 20

The first thing we notice is that DVWA was installed on the server:

Per DVWA’s GitHub repository, there is a directory called ‘vulnerabilities’ with one subdirectory per vulnerable module. To see which vulnerability was exploited first, we run the same command as above, but grep for ‘vulnerabilities’ in the file:

cat /mnt/Windows/xampp/apache/logs/access.log | grep -i 'vulnerabilities'

The first vulnerability to be exploited was xss_r, i.e. reflected Cross-Site Scripting (XSS).

Answer: xss

4. What is the OS build number?

Using RegRipper:

rip.pl -r /mnt/Windows/Windows/System32/config/SOFTWARE -p winver

The winver plugin prints, among other things, the ProductName and the build number. (Aside, for the SAM output in the next question: the last three or four digits of each user’s SID, after the final hyphen, are the RID, a user ID unique to the machine; the value before it is the machine SID.)

Answer: 6001

5. How many users are on the compromised machine?

Using RegRipper:

rip.pl -r /mnt/Windows/Windows/System32/config/SAM -p samparse | grep Username

Administrator and Guest are accounts created by the system. There are two user-created accounts on the machine, hacker and user1. In total, there are four users.

Answer: 4

6. What is the webserver package installed on the machine?

Looking into /mnt/Windows, there is a directory called ‘xampp’, which is an Apache distribution:

ls -la /mnt/Windows

Moreover, on the Administrator’s Desktop, there is the installer:

Answer: xampp

7. What is the name of the vulnerable web app installed on the webserver?

In question 3, access.log showed that Damn Vulnerable Web App was installed. Its directory is at xampp/htdocs/DVWA.

Answer: dvwa

8. What is the user agent used in the HTTP requests sent by the SQL injection attack tool?

DVWA’s SQL injection module lives in the folder ‘sqli’, so we can grep for that in access.log. The user agent is the last quoted field of each log line:

cat /mnt/Windows/xampp/apache/logs/access.log | grep -i 'dvwa/vulnerabilities/sqli'

Answer: sqlmap/1.0-dev-nongit-20150902

9. The attacker read multiple files through LFI vulnerability. One of them is related to network configuration. What is the filename?

Similarly, the LFI module is under /dvwa/vulnerabilities/fi, and the included file is passed in the ‘page’ parameter:

cat /mnt/Windows/xampp/apache/logs/access.log | grep -i 'dvwa/vulnerabilities/fi'

The file in question is hosts.

Answer: hosts
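Questions 3, 8 and 9 are all answered by reading the same access.log with grep. The following is an added example, not part of the walkthrough, of doing the same analysis with a small parser for Apache’s combined log format: it returns the first module requested under /vulnerabilities/ (the log is chronological, so that is the first exploited one), the distinct user agents that hit a given module, and the bare file names requested through the fi module’s page parameter with the traversal prefix stripped. The log lines are constructed for this example to mirror what the walkthrough describes; they are not copied from the challenge image.

```python
"""Parse Apache combined-format access.log lines and answer the DVWA log
questions.  Added example; SAMPLE_LOG is constructed, not the real log."""
import re
from urllib.parse import urlsplit, parse_qs, unquote

# host ident user [time] "method target proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
MODULE_RE = re.compile(r'/vulnerabilities/(?P<module>[^/?]+)/', re.I)

def parse_line(line: str):
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # not combined format (or a truncated line); skip it
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query, keep_blank_values=True)
    return rec

def parse_log(text: str) -> list:
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]

def first_exploited_module(records) -> str:
    """Q3: first DVWA module requested, e.g. 'xss_r' (the page's answer shortens it to 'xss')."""
    for r in records:
        m = MODULE_RE.search(r["path"])
        if m:
            return m.group("module").lower()
    return ""

def user_agents_for_module(records, module: str) -> list:
    """Q8: distinct user agents that requested a module, in first-seen order."""
    seen = []
    needle = f"/vulnerabilities/{module}/".lower()
    for r in records:
        if needle in r["path"].lower() and r["ua"] not in seen:
            seen.append(r["ua"])
    return seen

def lfi_targets(records) -> list:
    """Q9: file names passed to the fi module's page parameter, traversal removed."""
    names = []
    for r in records:
        if "/vulnerabilities/fi/" not in r["path"].lower():
            continue
        for page in r["query"].get("page", []):
            name = re.split(r"[\\/]", unquote(page))[-1]
            if name and name not in names:
                names.append(name)
    return names

# Constructed sample log: a login, a reflected-XSS probe, an LFI read of the
# hosts file and a request from an SQL injection tool.  The client address is
# the one named on this page; timestamps and sizes are invented.
SAMPLE_LOG = "\n".join([
    '192.168.56.102 - - [02/Sep/2015:08:59:01 -0700] "GET /DVWA/login.php HTTP/1.1" 200 1224 "-" "Mozilla/5.0"',
    '192.168.56.102 - - [02/Sep/2015:09:00:12 -0700] "GET /DVWA/vulnerabilities/xss_r/?name=%3Cscript%3E HTTP/1.1" 200 4311 "-" "Mozilla/5.0"',
    '192.168.56.102 - - [02/Sep/2015:09:01:44 -0700] "GET /DVWA/vulnerabilities/fi/?page=..%2F..%2F..%2F..%2FWindows%2FSystem32%2Fdrivers%2Fetc%2Fhosts HTTP/1.1" 200 980 "-" "Mozilla/5.0"',
    '192.168.56.102 - - [02/Sep/2015:09:02:03 -0700] "GET /DVWA/vulnerabilities/sqli/?id=1%27%20AND%201%3D1&Submit=Submit HTTP/1.1" 200 4500 "-" "sqlmap/1.0-dev-nongit-20150902"',
])

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("first module:", first_exploited_module(recs))
    print("sqli user agents:", user_agents_for_module(recs, "sqli"))
    print("files read via fi:", lfi_targets(recs))
```

On the real image, replace SAMPLE_LOG with the contents of /mnt/Windows/xampp/apache/logs/access.log; lines that do not match the combined format are skipped rather than raising, so a partially written last line does not abort the run.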

10. The attacker tried to update some firewall rules using netsh command. Provide the value of the type parameter in the executed command?

First, we need to find the correct Volatility profile:

vol.py -f /mnt/hgfs/Breach/memdump.mem imageinfo

From Question 4, we know that the ProductName is ‘Windows Server 2008 Standard’, so the second suggested profile, Win2008SP1x86, is the right one.

Netsh commands are executed from cmd.exe; the Volatility plugin that recovers console command history is ‘cmdscan’:

vol.py -f /mnt/hgfs/Breach/memdump.mem --profile=Win2008SP1x86 cmdscan

In Commands 13-16, the type parameter of the netsh firewall commands is ‘remotedesktop’:

Answer: remotedesktop

11. How many users were added by the attacker?

From the SAM hive, in Question 5, we saw that two users were created: hacker and user1.

Moreover, the commands run by the attacker (Question 17 for hacker and Question 10 for user1) confirm that the attacker created those accounts.

Answer: 2

 

12. When did the attacker create the first user?

Using RegRipper:

rip.pl -r /mnt/Windows/Windows/System32/config/SAM -p samparse

The samparse output lists each account’s creation time; user1 was created before hacker, so user1 is the ‘first user’.

Answer: 2015-09-02 09:05:06 UTC

13. What is the NThash of the user's password set by the attacker?

We need to dump the users’ hashes from the registry. Either the disk image (samdump2 on the SYSTEM and SAM hives) or the memory dump (Volatility’s hashdump) will do:

samdump2 /mnt/Windows/Windows/System32/config/SYSTEM /mnt/Windows/Windows/System32/config/SAM
vol.py -f /mnt/hgfs/Breach/memdump.mem --profile=Win2008SP1x86 hashdump

Hacker and user1 have the same NThash.

Answer: 817875ce4794a9262159186413772644
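A dumped NT hash is only as useful as what you can compare it against. The NT hash is MD4 over the password encoded as UTF-16LE, and since OpenSSL 3 ships MD4 only in its legacy provider, hashlib.new('md4') often fails on a modern analysis box. The following is an added example, not part of the walkthrough or of samdump2/Volatility, that implements MD4 in pure Python and uses it to check candidate passwords against a dumped hash; the candidate list is constructed from strings this page mentions, and which (if any) matches the hash from this image is left to the run.

```python
"""NT hash = MD4(UTF-16LE(password)), computed in pure Python.  Added example;
the MD4 implementation follows RFC 1320 and the test vectors used are the
well-known empty-string and 'password' NT hashes."""
import struct

_MASK = 0xFFFFFFFF

def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK

def _f(x, y, z): return (x & y) | (~x & z)
def _g(x, y, z): return (x & y) | (x & z) | (y & z)
def _h(x, y, z): return x ^ y ^ z

def _round(a, b, c, d, fn, X, order, shifts, const):
    """One MD4 round: 16 steps cycling through the four state words."""
    for i, k in enumerate(order):
        s = shifts[i % 4]
        if i % 4 == 0:
            a = _lrot((a + fn(b, c, d) + X[k] + const) & _MASK, s)
        elif i % 4 == 1:
            d = _lrot((d + fn(a, b, c) + X[k] + const) & _MASK, s)
        elif i % 4 == 2:
            c = _lrot((c + fn(d, a, b) + X[k] + const) & _MASK, s)
        else:
            b = _lrot((b + fn(c, d, a) + X[k] + const) & _MASK, s)
    return a, b, c, d

def md4(data: bytes) -> bytes:
    A, B, C, D = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    # Padding: 0x80, zeros to 56 mod 64, then the bit length as little-endian u64.
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = A, B, C, D
        a, b, c, d = _round(a, b, c, d, _f, X, range(16), (3, 7, 11, 19), 0)
        a, b, c, d = _round(a, b, c, d, _g, X,
                            (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15),
                            (3, 5, 9, 13), 0x5A827999)
        a, b, c, d = _round(a, b, c, d, _h, X,
                            (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15),
                            (3, 9, 11, 15), 0x6ED9EBA1)
        A, B, C, D = (A + a) & _MASK, (B + b) & _MASK, (C + c) & _MASK, (D + d) & _MASK
    return struct.pack("<4I", A, B, C, D)

def nt_hash(password: str) -> str:
    """Lower-case hex NT hash, the format samdump2 and hashdump print."""
    return md4(password.encode("utf-16-le")).hex()

def check_candidates(dumped_nt_hash: str, candidates) -> str:
    """Return the first candidate whose NT hash equals the dumped one, else ''."""
    target = dumped_nt_hash.strip().lower()
    for pw in candidates:
        if nt_hash(pw) == target:
            return pw
    return ""

if __name__ == "__main__":
    dumped = "817875ce4794a9262159186413772644"  # hash reported on this page
    # Candidate list constructed from strings this walkthrough mentions.
    print("match:", check_candidates(dumped, ["user1", "hacker", "Root@psut"]) or "none")
```

Because hacker and user1 share the same NT hash, one match covers both accounts; a shared hash across attacker-created accounts is itself a useful indicator when triaging a SAM dump.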

14. What is The MITRE ID corresponding to the technique used to keep persistence?

So far, the attacker has:
– Created a user: ‘net user add’
– Added the user to a group: ‘net localgroup add’
– Updated firewall rules: ‘netsh firewall set service’

Persistence is possible because the attacker has created a local user. This best fits MITRE ATT&CK technique T1136 (Create Account).

Sub-technique T1136.001 creates a local account.
Sub-technique T1136.002 creates a domain account.
Sub-technique T1136.003 creates a cloud account.

In our case, the attacker created a local account with the command ‘net user user1 user1 /add’. The password for user1 is Root@psut.

Answer: T1136.001
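The three command families listed above (account creation, group membership, firewall changes) are exactly what a triage script should pull out of cmdscan output and map to ATT&CK. The following is an added example, not part of the walkthrough or of Volatility, that classifies recovered console commands with a few regexes, extracts the netsh key=value parameters that Question 10 asks about, and tags each finding with a technique ID. T1136.001 is the mapping the walkthrough gives; the mapping of ‘net localgroup … /add’ to T1098 (Account Manipulation) and of netsh firewall changes to T1562.004 (Impair Defenses: Disable or Modify System Firewall) is this example’s own. The sample history is constructed to mirror the commands this page describes.

```python
"""Classify recovered cmd.exe history and map it to ATT&CK.  Added example;
SAMPLE_HISTORY is constructed from the commands described in this walkthrough."""
import re

# (finding, pattern, ATT&CK id).  Order matters: first match wins.
RULES = [
    ("local account created",
     re.compile(r'^net1?\s+user\s+(?P<user>\S+)(?:\s+\S+)?\s+/add\b', re.I),
     "T1136.001"),   # mapping from the walkthrough
    ("local group membership added",
     re.compile(r'^net1?\s+localgroup\s+(?P<group>"[^"]*"|\S+)\s+(?P<user>\S+)\s+/add\b', re.I),
     "T1098"),       # this example's mapping
    ("host firewall configuration changed",
     re.compile(r'^netsh\s+(?:advfirewall|firewall)\b', re.I),
     "T1562.004"),   # this example's mapping
]

def netsh_params(cmd: str) -> dict:
    """key=value parameters of a netsh command, e.g. type=remotedesktop (Q10)."""
    return dict(p.split("=", 1) for p in cmd.split() if "=" in p)

def classify(cmd: str):
    cmd = cmd.strip()
    for finding, rx, tid in RULES:
        m = rx.match(cmd)
        if m:
            fields = {k: v.strip('"') for k, v in m.groupdict().items() if v}
            if tid == "T1562.004":
                fields["params"] = netsh_params(cmd)
            return {"command": cmd, "finding": finding, "attack": tid, **fields}
    return None  # benign or unrecognised; not reported

def triage(history) -> list:
    return [f for f in (classify(c) for c in history) if f]

# Constructed command history resembling what cmdscan recovered on this image.
SAMPLE_HISTORY = [
    "whoami",
    "net user user1 user1 /add",
    'net localgroup "Remote Desktop Users" hacker /add',
    "netsh firewall set service type=remotedesktop mode=enable",
    "dir c:\\xampp\\htdocs",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_HISTORY):
        print(f["attack"], f["finding"], "<-", f["command"])
```

Feed it the command lines from cmdscan (or consoles) output and the result is a short, technique-tagged list to paste into the report; unmatched commands are dropped rather than guessed at.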

15. The attacker uploaded a simple command shell through file upload vulnerability. Provide the name of the URL parameter used to execute commands?

Looking at access.log, we can grep for ‘shell’ as a starter:

cat /mnt/Windows/xampp/apache/logs/access.log | grep -i 'shell'

The PHP file is phpshell.php. From the log we can see that the command is passed in the ‘cmd=’ parameter, which the file’s source confirms:

cat /mnt/Windows/xampp/htdocs/DVWA/hackable/uploads/phpshell.php

Answer: cmd

16. One of the uploaded files by the attacker has an md5 that starts with "559411". Provide the full hash.

The easy way is to hash every file under the DVWA directory and grep for the prefix:

find /mnt/Windows/xampp/htdocs/DVWA -type f -exec md5sum "{}" \; > uploads.txt
grep '559411' uploads.txt
# returns 5594112b531660654429f8639322218b /mnt/Windows/xampp/htdocs/DVWA/webshell.php
cat /mnt/Windows/xampp/htdocs/DVWA/webshell.php

It’s the same file as phpshell.php:

Answer: 5594112b531660654429f8639322218b

17. The attacker used Command Injection to add user "hacker" to the "Remote Desktop Users" Group. Provide the IP address that was part of the executed command?

Using Volatility’s malfind plugin, we can look for processes with suspicious injected memory regions:

vol.py -f /mnt/hgfs/Breach/memdump.mem --profile=Win2008SP1x86 malfind | grep Pid

The most interesting, and perhaps most relevant, one is PID 2768, xampp-control.exe. We can dump the process’s memory and search it:

vol.py -f /mnt/hgfs/Breach/memdump.mem --profile=Win2008SP1x86 memdump -p 2768 -D .
strings 2768.dmp | grep 'hacker' -B 5 -A 5

The output shows that ‘net localgroup ‘Remote Desktop Users’ hacker add’ was executed from ‘192.168.56.102’.

Answer: 192.168.56.102

 

18. The attacker dropped a shellcode through SQLi vulnerability. The shellcode was checking for a specific version of PHP. Provide the PHP version number?

Returning to ‘access.log’:

cat /mnt/Windows/xampp/apache/logs/access.log | grep 'sqli'

The last line of the output contains the shellcode, hex-encoded; xxd turns it back into bytes:

echo -n '(shellcode in hex)' | xxd -r -p

The shellcode checks whether a PHP version above 4.1.0 is installed.

Answer: 4.1.0

TLDR

– This is a Disk/Memory Forensics challenge of a Windows WebServer.
– It’s great to practice vulnerability identification, persistence techniques and how a system looks in post-exploitation. 
