So, we decided to finish our write-up today. The fourth part – the most interesting part. Intrusion! Again, no more AXIOM, only free and open source tools!
Method of Attack
What was the method of attack the threat actor used?
So, we started from Windows Event Logs analysis, and very soon found our favorite base64-encoded string in Windows PowerShell.evtx:
The event took place on 04/26/2018 16:01:39 (UTC). We decided to look for opened documents around that time as weaponized documents are common media in such attacks. Soon we found an LNK file indicating that EpochConversionExample.xls was opened on 04/26/2018 16:01:38. The document is located under C:\Users\maxpowers\Desktop\EpochConversionExample\. Let’s look inside:
Surprise! Ok, we have found a weaponized document. It’s time to find its origin. So, it’s inside the EpochConversionExample folder on the Desktop. Also, you can find an archive with the same name and… Zone.Identifier ADS: [ZoneTransfer]
So, it was downloaded from the Internet. Where should we start? Emails or browsing history? Emails seem to be a better choice. Let’s look at email@example.com located under C:\Users\maxpowers\AppData\Local\Microsoft\Outlook\. You can use SysTools OST Viewer to browse its contents. Let’s search for the attachment of interest. Here it is:
So, our victim got an archive with a weaponized document via email, the flag is phishing.
Attack Email Address
What was the email address associated with the attacker?
As you can see on the last screenshot, the email is firstname.lastname@example.org.
What is the file name of the malicious document the attacker used?
Again, we already know that it’s EpochConversionExample.xls.
What was the BASE64 payload that gave the attacker a shell? [BASE64 value]
As you have seen in the logs, the payload is:
What two DLLs were imported in the base64 payload? [Comma separated with extensions]
Let’s look at the same log record again:
As you can see, the flag is kernel32.dll, msvcrt.dll.
What was the system time of the first login by the attacker? [UTC timestamp in the “YYYY-MM-DD hh:mm:ss” format]
To solve it, you need to analyze Windows Event Logs again. This time Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx. We already know that the host was compromised on 04/26/2018 16:01:39 (UTC). So let’s start from this time and date. We see a few RDP logons and logoffs from 220.127.116.11, but then, at 04/26/2018 18:16:29 (UTC), a logon from 18.104.22.168:
So, the flag is 2018-04-26 18:16:29.
What was the second account the attacker logged into?
So, according to the same log file, the host was accessed via RDP with the itsupport user account too, but for some reason the flag is maxpowers.
What was the last website the attacker went to after logging in as Max Powers for the last time?
Let’s look at browsing history. For example, at the History file located under C:\Users\maxpowers\AppData\Local\Google\Chrome\User Data\Default\:
As you can see, the last record is https://github.com/mpower4nsic/ProjectE/settings/delete, and the flag is https://github.com.
What happened to project e?
What was the last thing that happened to Project E after the attacker logged into Max Powers github?
Let’s look at browsing history again – Project E was deleted.
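Both browsing-history answers above come from the same query against Chrome's History SQLite database. The following is an added example, not part of the original write-up: it opens a copy of History read-only and lists visits after a given UTC time, converting Chrome's timestamps (microseconds since 1601-01-01). The sample database, its reduced schema, the visit times and every URL except the settings/delete one are constructed for illustration.

```python
import sqlite3
from datetime import datetime, timedelta, timezone
from pathlib import Path

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # Chrome counts microseconds from here

def to_webkit(dt):
    """UTC datetime -> Chrome timestamp (integer microseconds, no float rounding)."""
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)

def from_webkit(us):
    """Chrome timestamp -> timezone-aware UTC datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=us)

def visits_since(history_path, since_utc):
    """Return [(utc_time, url)] for visits at or after since_utc, oldest first."""
    uri = Path(history_path).resolve().as_uri() + "?mode=ro"  # never write to evidence
    con = sqlite3.connect(uri, uri=True)
    try:
        rows = con.execute(
            "SELECT v.visit_time, u.url FROM visits v JOIN urls u ON u.id = v.url "
            "WHERE v.visit_time >= ? ORDER BY v.visit_time",
            (to_webkit(since_utc),)).fetchall()
    finally:
        con.close()
    return [(from_webkit(t), url) for t, url in rows]

def build_sample(path):
    """Constructed stand-in for a History file: reduced schema, made-up visit times."""
    day = lambda h, m, s: datetime(2018, 4, 26, h, m, s, tzinfo=timezone.utc)
    sample = [
        (day(15, 2, 11), "https://www.example.com/"),
        (day(18, 21, 5), "https://github.com/login"),
        (day(18, 24, 40), "https://github.com/mpower4nsic/ProjectE/settings"),
        (day(18, 25, 2), "https://github.com/mpower4nsic/ProjectE/settings/delete"),
    ]
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT)")
    con.execute("CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER)")
    for i, (when, url) in enumerate(sample, 1):
        con.execute("INSERT INTO urls VALUES (?, ?)", (i, url))
        con.execute("INSERT INTO visits (url, visit_time) VALUES (?, ?)", (i, to_webkit(when)))
    con.commit()
    con.close()

if __name__ == "__main__":
    import os, tempfile
    db = os.path.join(tempfile.mkdtemp(), "History")
    build_sample(db)
    first_rdp_logon = datetime(2018, 4, 26, 18, 16, 29, tzinfo=timezone.utc)  # time from the write-up
    for when, url in visits_since(db, first_rdp_logon):
        print(when.strftime("%Y-%m-%d %H:%M:%S"), url)
```

The last row returned is the most recent visit in the window, which is how the settings/delete record stands out as the final action.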
That’s all! CTF is solved! Thanks for reading!