TryHackMe: Investigating Windows

This is a challenge that is exactly what it says on the tin: there are a few tasks around investigating a Windows machine that has previously been compromised. Connect to the machine using RDP. The credentials for the machine are as follows:

Information

Room: Investigating Windows
Difficulty: Easy

If not using the AttackBox, you will need to RDP into the machine.

Walkthrough

1. What's the version and year of the Windows machine?

In the Command Prompt of the machine we can just enter:

    winver

The machine is running Windows Server 2016.

Answer: Windows Server 2016

2. Which user logged in last?

First, we need to figure out which users are on the machine. We can list the users in the Command Prompt:

    net user

The users ‘DefaultAccount’ and ‘Guest’ are system accounts. It’s unlikely that they ever logged in, but it doesn’t hurt to check. In the Command Prompt we can do:

    net user administrator | findstr /B /C:"Last logon"
    net user jenny | findstr /B /C:"Last logon"
    net user john | findstr /B /C:"Last logon"
    net user defaultaccount | findstr /B /C:"Last logon"
    net user guest | findstr /B /C:"Last logon"

The only users that have ever logged on are Administrator and John. Since we RDP’d into the machine, the last user that logged in is Administrator; its last logon time corresponds to the time of our RDP session.

Answer: Administrator

3. When did John log onto the system last?

Answer format: MM/DD/YYYY HH:MM:SS AM/PM

In the question above, we found that John last logged in on the 2nd of March 2019 at 17:48:32.

Answer: 03/02/2019 05:48:32 PM


4. What IP does the system connect to when it first starts?

The Run key under CurrentVersion in the Software hive stores the commands that are run each time a user logs in.

In the command prompt we can enter:

    reg query HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

The system connects to 10.34.2.3 at every log on.

Answer: 10.34.2.3


5. What two accounts had administrative privileges (other than the Administrator user)?

Since we found the usernames, we can just look for each user’s Local Group Memberships:

    net user jenny | findstr /B /C:"Local Group"
    net user john | findstr /B /C:"Local Group"
    net user defaultaccount | findstr /B /C:"Local Group"
    net user guest | findstr /B /C:"Local Group"

The only two users with Administrative privileges are jenny and guest.

Answer: jenny, guest
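The same information as questions 2, 3 and 5 in one pass, as an added PowerShell example (not part of the original walkthrough): one table of local users with last logon and Administrators membership, plus two explicit checks for the conditions that should never hold on a healthy server. It assumes a standalone (non-domain) Server 2016 host, where the LocalAccounts module is available.

```powershell
# Added example, not from the original walkthrough: one table of local users with
# last logon and Administrators membership instead of a net user | findstr per account.
# Assumes a standalone (non-domain) Server 2016 host; LocalAccounts ships with it.
$admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
    ForEach-Object { ($_.Name -split '\\')[-1] }      # strip the HOSTNAME\ prefix

$users = Get-LocalUser | ForEach-Object {
    [pscustomobject]@{
        Name      = $_.Name
        Enabled   = $_.Enabled
        LastLogon = $_.LastLogon          # $null means the account never logged on
        IsAdmin   = ($admins -contains $_.Name)
    }
}

$users | Sort-Object LastLogon -Descending |
    Select-Object Name, Enabled, IsAdmin,
        @{ n = 'LastLogon'; e = { if ($_.LastLogon) { $_.LastLogon } else { 'Never' } } } |
    Format-Table -AutoSize

# Conditions that should never hold on a healthy server, stated as explicit checks.
foreach ($u in $users) {
    if ($u.Name -eq 'Guest' -and ($u.Enabled -or $u.IsAdmin)) {
        Write-Warning 'Guest is enabled or is a member of Administrators'
    }
    if ($u.IsAdmin -and -not $u.LastLogon -and $u.Name -ne 'Administrator') {
        Write-Warning "$($u.Name) is an administrator that has never logged on"
    }
}
```

On this machine both checks fire: guest is in Administrators, and jenny is an administrator with no logon at all.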

6. What's the name of the scheduled task that is malicious?

To list all Scheduled Tasks, we can just enter schtasks in the Command Prompt:

    schtasks

These tasks look quite suspicious. We can look into them in the ‘Task Scheduler’ application:

Answer: jenny, guest

7. What file was the task trying to run daily?

In the Task Scheduler app, if we click on a task and select the ‘Actions’ tab, it shows which action occurs when the task starts:

The ‘Clean file system’ task runs the program nc.ps1 every day.

Answer: nc.ps1

8. What port did this file listen locally for?

As we saw in the previous question, the file listens on port 1348.

Answer: 1348
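Questions 4 and 6 to 8 are both about persistence, so here is one added PowerShell example (not from the original walkthrough) that dumps the Run-key autoruns and every scheduled task action, flagging executables that live outside the Windows and Program Files directories or that pass a .ps1 script, an encoded command or a bypass flag, which is exactly the C:\TMP\nc.ps1 pattern found above. The trusted-directory regex and the argument patterns are a heuristic of mine, not something the room defines.

```powershell
# Added example, not from the original walkthrough: Run-key autoruns plus all
# scheduled task actions, with a heuristic flag for executables outside the
# Windows/Program Files trees or PowerShell-script/encoded/bypass arguments.
$dirs = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { [regex]::Escape($_) }
$trusted = '^(' + ($dirs -join '|') + ')\\'      # e.g. ^(C:\\Windows|C:\\Program Files|...)\\

# 1. Autoruns: machine-wide Run/RunOnce and the current user's Run key (Q4).
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runKeys | Where-Object { Test-Path $_ } | ForEach-Object {
    $key = $_
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |        # drop PSPath/PSParentPath etc.
        ForEach-Object { [pscustomobject]@{ Key = $key; Name = $_.Name; Command = $_.Value } }
} | Format-Table -AutoSize -Wrap

# 2. Scheduled task actions (Q6-Q8). COM-handler actions have no Execute and are skipped.
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        if (-not $a.Execute) { continue }
        $exe    = [Environment]::ExpandEnvironmentVariables($a.Execute).Trim('"')
        $argStr = [string]$a.Arguments
        [pscustomobject]@{
            Task       = $task.TaskPath + $task.TaskName
            State      = $task.State
            Command    = ("$exe $argStr").Trim()
            Suspicious = ($exe -notmatch $trusted) -or
                         ($argStr -match '\.ps1|-enc|bypass|-w(indowstyle)?\s+hidden')
        }
    }
} | Where-Object Suspicious | Format-Table -AutoSize -Wrap
```

Anything whose Execute is a bare name such as powershell.exe is flagged too, since it is not an absolute path under a trusted directory; on a clean server that list should be close to empty.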

9. When did Jenny last logon?

In question 2, we checked the Last Logon time of each user. Jenny never logged on.

Answer: Never

10. At what date did the compromise take place?

Answer format: MM/DD/YYYY

As we saw, two users had Administrator privileges, which likely points to privilege escalation. We can open ‘Event Viewer’ to look at the Security log. To show only events related to group membership changes, select ‘Filter Current Log…’ and enter 4728 as the Event ID:

All the events took place on March 2nd, 2019, the same day the user john last logged on.

Answer: 03/02/2019

11. At what time did Windows first assign special privileges to a new logon?

Answer format: MM/DD/YYYY


Answer: 03/02/2019 04:04:49 PM
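The Event Viewer filtering in questions 10 and 11, done from PowerShell as an added example (not part of the original walkthrough): it pulls the group-membership events (4728, and 4732 for local groups, which the room does not mention but which matter on a standalone host) and the special-privilege event 4672, summarises first and last occurrence per ID, and lists who was added to which group by whom. It must be run from an elevated prompt to read the Security log; the property indices follow the standard event templates.

```powershell
# Added example, not from the original walkthrough. Run elevated.
$ids = @{ 4728 = 'Member added to security-enabled global group'
          4732 = 'Member added to security-enabled local group'
          4672 = 'Special privileges assigned to new logon' }
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = [int[]]$ids.Keys } `
    -ErrorAction SilentlyContinue

# First/last occurrence per ID: the earliest 4672 is "when were special privileges
# first assigned"; the 4728/4732 timestamps bound the escalation window (Q10/Q11).
$events | Group-Object Id | ForEach-Object {
    $sorted = @($_.Group | Sort-Object TimeCreated)
    [pscustomobject]@{
        Id      = [int]$_.Name
        Meaning = $ids[[int]$_.Name]
        Count   = $_.Count
        First   = $sorted[0].TimeCreated
        Last    = $sorted[-1].TimeCreated
    }
} | Sort-Object First | Format-Table -AutoSize

# Who was added to which group, and by whom. Property order per the event template:
# 0 MemberName, 1 MemberSid, 2 TargetUserName (the group), 6 SubjectUserName (actor).
$events | Where-Object { $_.Id -in @(4728, 4732) } | Sort-Object TimeCreated | ForEach-Object {
    $p = $_.Properties
    $member = if ($p[0].Value -ne '-') { $p[0].Value } else { $p[1].Value }   # 4732 often logs only the SID
    [pscustomobject]@{
        Time   = $_.TimeCreated
        Id     = $_.Id
        Member = $member
        Group  = $p[2].Value
        Actor  = $p[6].Value
    }
} | Format-Table -AutoSize
```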

12. What tool was used to get Windows passwords?

Previously, we saw that a netcat reverse shell was running on port 1348. The script’s path was C:\TMP. Opening that folder shows many malicious items:

‘mim.exe’ runs every 5 minutes (if you spend time in the machine you will see it annoyingly popping up). Its scheduled task is ‘GameOver’:

Without a doubt, mim.exe refers to mimikatz.

Answer: mimikatz

13. What was the attacker’s external command and control server’s IP?

The etc\hosts file most likely contains entries added by the attacker:

    type C:\Windows\System32\drivers\etc\hosts

The only IP addresses that do not correspond to anything in ipconfig are the last two.

Answer: 76.32.97.132

14. What was the extension name of the shell uploaded via the servers website?

In the server’s wwwroot directory, there are three files: two jsp files and one gif file:

b.jsp contains the following code, a program for remote web-based file access and manipulation. The file tests.jsp is the actual JSP cmd shell:

Answer: .jsp

15. What was the last port the attacker opened?

To find the ports currently opened in the firewall, we can use netsh in the command prompt:

    netsh firewall show state

Ports 1337 and 8888 are open.

The first rule returned is the last rule that was put in place. In this case it’s the rule ‘Allow outside connections for development’, which is on port 1337.

Answer: 1337

16. Check for DNS poisoning, what site was targeted?

Looking at the etc\hosts file (Q13), the site google.com is mapped to the attacker’s IP.

Answer: google.com
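Questions 13, 15 and 16 together, as an added PowerShell example (not from the original walkthrough): it parses the hosts file and flags any name mapped to an address this machine does not own (the google.com entry above), lists the enabled inbound allow rules with their ports (where the 1337 rule shows up), and cross-checks against the sockets that are actually listening and the process behind each. The "foreign" test is my own heuristic: anything not loopback, link-local or one of the host's own IPv4 addresses.

```powershell
# Added example, not from the original walkthrough.
$hostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
$ownIps = @((Get-NetIPAddress -AddressFamily IPv4).IPAddress) + '127.0.0.1'

# 1. hosts entries pointing a name at an address this host does not own (Q13/Q16).
Get-Content $hostsPath | ForEach-Object {
    $tokens = ($_ -replace '#.*$', '').Trim() -split '\s+'   # strip comments, split on whitespace
    if ($tokens.Count -lt 2) { return }                      # blank or comment-only line
    $ip = $tokens[0]
    $foreign = ($ownIps -notcontains $ip) -and ($ip -notmatch '^(::1|fe80:)')
    foreach ($name in $tokens[1..($tokens.Count - 1)]) {
        [pscustomobject]@{ Name = $name; IP = $ip; Foreign = $foreign }
    }
} | Where-Object Foreign | Format-Table -AutoSize

# 2. Enabled inbound allow rules with a specific port (Q15); 'Any'-port rules are
#    skipped to keep the list short.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | ForEach-Object {
    $pf = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Rule      = $_.DisplayName
        Protocol  = $pf.Protocol
        LocalPort = ($pf.LocalPort -join ',')
        Profile   = $_.Profile
    }
} | Where-Object { $_.LocalPort -ne 'Any' } | Sort-Object Rule | Format-Table -AutoSize

# 3. What is actually listening, with the owning process, to compare against the rules.
Get-NetTCPConnection -State Listen | Sort-Object LocalPort -Unique |
    Select-Object LocalAddress, LocalPort,
        @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } } |
    Format-Table -AutoSize
```

A port that is allowed by a rule but has no listener, or a listener with no rule, is worth a second look either way; the rule list is also where the firewall's own ordering (first returned, last added) is no longer needed to spot the new entry.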

TLDR

– This was my first experience of remote forensics in a CTF environment.
– This type of exercise/walkthrough is extremely useful, especially when booting a vmdk/E01 to vmdk for analysis.
