CTF: Investigating Windows

The goal of this machine is to investigate a Windows system that has been recently compromised. There are 16 questions that we will be answering along the way, so let's dive in.

1. What's the version and year of the Windows machine? Answer: Windows Server 2016

This question can be frustrating if you try to enumerate the actual build number; the answer wanted is the product name and year.


A single command answered the next two questions.

2. Which user logged in last? Answer: Administrator

3. When did John log onto the system last? Answer: 3/2/2019 5:48:32 PM


This next question was surprisingly rough. I spent a great deal of time trying different ways to answer it, and in short there was no easy one. The approach that finally worked (credit to Seemz) is to open regedit and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. There you will find an entry called UpdateSvc that executes p.exe. When I Googled “p.exe” it came back as a malicious file, and browsing C:\tmp showed a host of suspicious-looking files.

4. What IP does the system connect to when it first starts? Answer: 10.34.2.3
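The Run key check above can be scripted so that every autorun location is covered and any IP literal in a command line is pulled out automatically. This is an added example, not code from the original write-up: the registry paths are the standard Windows autorun keys, and the "suspicious path" patterns (tmp, temp, Public, AppData) are my assumptions about where a dropped binary like the p.exe from this challenge tends to live.

```powershell
# Added example (not from the write-up): enumerate common autorun registry
# locations and extract any IPv4 literal from each command line.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$ipv4 = '\b(?:\d{1,3}\.){3}\d{1,3}\b'
# Assumed "user-writable / staging" locations worth flagging.
$oddPaths = '(?i)\\tmp\\|\\temp\\|\\users\\public\\|appdata'

$findings = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    # Get-ItemProperty adds PSPath/PSParentPath/... metadata; skip those.
    foreach ($p in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
        $cmd = [string]$p.Value
        $ips = @([regex]::Matches($cmd, $ipv4) | ForEach-Object { $_.Value })
        [pscustomobject]@{
            Key        = $key
            Name       = $p.Name          # e.g. the UpdateSvc entry from this challenge
            Command    = $cmd
            IPs        = ($ips -join ', ')
            Suspicious = ($cmd -match $oddPaths) -or ($ips.Count -gt 0)
        }
    }
}

# Suspicious entries first; the IPs column is the answer to "what does it connect to".
$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Run it from an elevated prompt so the HKLM keys are readable; the HKCU keys reflect the account running the script, so repeat it as each interactive user of interest (or load their hives) if you need per-user coverage.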


5. What two accounts had administrative privileges (other than the Administrator user)? Answer: Guest & Jenny
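Questions 2, 3 and 5 (and the later question about Jenny's last logon) all come from the same two data sources: the local account list and the local Administrators group. This added example, which is not from the original write-up, joins them into one table using the built-in LocalAccounts cmdlets available on Windows Server 2016.

```powershell
# Added example (not from the write-up): local accounts, last logon, and
# whether each account is a member of the local Administrators group.
$admins = Get-LocalGroupMember -Group 'Administrators' |
    ForEach-Object { ($_.Name -split '\\')[-1] }   # strip the COMPUTER\ prefix

Get-LocalUser |
    Select-Object Name, Enabled, LastLogon,
        @{ Name = 'IsAdmin'; Expression = { $admins -contains $_.Name } } |
    Sort-Object LastLogon -Descending |   # blank LastLogon = never logged on
    Format-Table -AutoSize
```

The top row after sorting is the most recent interactive logon (question 2), the Administrator and John rows give their last-logon timestamps, and any account with IsAdmin set to True that is not the built-in Administrator is one to explain (Guest should never be there). A blank LastLogon is what the write-up reports as "Never".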


The next three questions were answered by pulling up the Task Scheduler.

6. What's the name of the scheduled task that is malicious? Answer: Clean File System

7. What file was the task trying to run daily? Answer: nc.ps1

8. What port did this file listen locally for? Answer: 1348
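Instead of clicking through Task Scheduler, the three answers above can be pulled from the ScheduledTasks module: list each task with its trigger type and the command it runs, then open any PowerShell script a task references and look for a listening port. This is an added example, not the write-up's own method; the regexes used to spot a listener (TcpListener, "Listen", "port", or a bare 4-5 digit number) are assumptions about what a netcat-style script such as nc.ps1 would contain.

```powershell
# Added example (not from the write-up): inventory scheduled tasks, then grep
# any .ps1 they launch for signs of a local listener.
$inventory = foreach ($t in Get-ScheduledTask) {
    $info = $t | Get-ScheduledTaskInfo
    # Trigger class names look like MSFT_TaskDailyTrigger; keep just "Daily".
    $trig = ($t.Triggers | ForEach-Object { $_.CimClass.CimClassName -replace '^MSFT_Task|Trigger$', '' }) -join ','
    foreach ($a in $t.Actions) {
        [pscustomobject]@{
            Task    = $t.TaskName
            Path    = $t.TaskPath
            State   = $t.State
            Trigger = $trig
            LastRun = $info.LastRunTime
            Command = ('{0} {1}' -f $a.Execute, $a.Arguments).Trim()
        }
    }
}
$inventory | Sort-Object LastRun -Descending | Format-Table -AutoSize

# Second pass: for every task that runs a .ps1, show lines that hint at a listener.
$listenerHints = 'TcpListener|Listen|\bport\b|\b\d{4,5}\b'
foreach ($row in $inventory) {
    if ($row.Command -match '(?i)([A-Z]:\\[^"\s]+\.ps1)' -and (Test-Path $Matches[1])) {
        $script = $Matches[1]
        Select-String -Path $script -Pattern $listenerHints |
            ForEach-Object { '{0} -> {1}:{2}: {3}' -f $row.Task, $script, $_.LineNumber, $_.Line.Trim() }
    }
}
```

The first table answers "which task" and "which file" (a task whose Trigger is Daily and whose Command points at a script outside the usual system paths); the second pass answers "which port" by showing the script lines that set it.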


9. When did Jenny last logon? Answer: Never


10. At what date did the compromise take place? Answer: 03/02/2019


This next question was a bit confusing because of its wording, so I used the hint and filtered event ID 4672 by date/time.

11. At what time did Windows first assign special privileges to a new logon? Answer: 03/02/2019 04:04:49 PM
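The same filter can be applied with Get-WinEvent, which is easier to repeat and to narrow down than the Event Viewer UI. This added example (not part of the original write-up) pulls the 4672 events for the compromise day given above, extracts the subject account and privilege list from each event's XML, and lists them oldest first. The exclusion list for system and service accounts is my assumption to cut the noise those accounts generate.

```powershell
# Added example (not from the write-up): 4672 "special privileges assigned"
# events for one day, oldest first, with the account they were assigned to.
$start = Get-Date '2019-03-02 00:00:00'   # compromise date from the write-up
$end   = $start.AddDays(1)

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4672
    StartTime = $start
    EndTime   = $end
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # EventData for 4672 carries SubjectUserName, SubjectDomainName,
    # SubjectLogonId and PrivilegeList; pull them out of the XML by name.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time       = $e.TimeCreated
        Account    = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        LogonId    = $data['SubjectLogonId']
        Privileges = ($data['PrivilegeList'] -replace '\s+', ' ')
    }
}

# Drop the built-in accounts that log 4672 constantly (assumed noise list),
# then the first remaining row is the first real privileged logon that day.
$rows |
    Where-Object { $_.Account -notmatch '\\(SYSTEM|LOCAL SERVICE|NETWORK SERVICE|DWM-\d+|UMFD-\d+)$' } |
    Sort-Object Time |
    Select-Object -First 10 |
    Format-Table -AutoSize
```

Pairing the LogonId with the matching 4624 logon event (same TargetLogonId) tells you the logon type and source address for that session, which is how you turn "when" into "from where".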


For the next question, I actually came across the answer while looking through the suspicious files in the C:\tmp folder.

12. What tool was used to get Windows passwords? Answer: Mimikatz


For the next question we looked at the Windows hosts file. It has two entries for Google with IP addresses that aren't 8.8.8.8 or 8.8.4.4.

13. What was the attacker's external control and command servers IP? Answer: 76.32.97.132


Since this is a Windows machine, we can assume it runs Microsoft Internet Information Services (IIS), whose default web root is the inetpub folder.

14. What was the extension name of the shell uploaded via the server's website? Answer: .jsp
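A quick way to find an uploaded shell in the web root is to inventory every server-side script file, newest first, and count how many "command execution" strings each one contains. This is an added example rather than anything from the write-up: C:\inetpub\wwwroot is the IIS default path, while the extension list and the search patterns are my assumptions about what a web shell dropped on this host might look like.

```powershell
# Added example (not from the write-up): list script files under the IIS web
# root with timestamps, hashes, and a count of command-execution indicators.
$webRoot  = 'C:\inetpub\wwwroot'
$shellExt = '\.(jsp|jspx|asp|aspx|ashx|asmx|php|cfm|war)$'
# Assumed indicators; a real shell usually contains at least one of these.
$shellStrings = 'Runtime\.getRuntime|ProcessBuilder|cmd\.exe|/bin/sh|eval\(|Request\.(Form|QueryString)'

Get-ChildItem -Path $webRoot -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match $shellExt } |
    ForEach-Object {
        [pscustomobject]@{
            File      = $_.FullName
            Extension = $_.Extension
            Created   = $_.CreationTime
            Modified  = $_.LastWriteTime
            Size      = $_.Length
            Hits      = @(Select-String -Path $_.FullName -Pattern $shellStrings).Count
            SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    } |
    Sort-Object Created -Descending |
    Format-Table -AutoSize
```

A file whose Created time falls on the compromise date, whose extension does not match the site's normal technology, and whose Hits column is non-zero is the one to pull; the SHA256 lets you check it against threat-intel sources afterwards.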


For this next question we looked at the Windows Firewall log in Event Viewer for connections allowed in from outside.

15. What was the last port the attacker opened? Answer: 1337
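Two complementary ways to answer this: read the current firewall rule set (what is open right now) and read the firewall operational log (in what order rules were added). This is an added example and not the write-up's own steps; the NetSecurity cmdlets are built in, the log name and event ID 2004 ("a rule has been added") are standard Windows Firewall logging, and the EventData field names RuleName and LocalPorts are as logged by that event.

```powershell
# Added example (not from the write-up), part 1: enabled inbound Allow rules
# with the local ports they open.
$rows = foreach ($r in (Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True)) {
    $port = $r | Get-NetFirewallPortFilter
    $app  = $r | Get-NetFirewallApplicationFilter
    [pscustomobject]@{
        Name      = $r.DisplayName
        Group     = $r.DisplayGroup
        Protocol  = $port.Protocol
        LocalPort = ($port.LocalPort -join ',')
        Program   = $app.Program
        Profile   = $r.Profile
    }
}
# Rules that belong to no built-in DisplayGroup and open a specific port are
# the hand-made ones; sort them numerically so an odd port stands out.
$rows |
    Where-Object { -not $_.Group -and $_.LocalPort -match '^\d+$' } |
    Sort-Object { [int]$_.LocalPort } |
    Format-Table -AutoSize

# Part 2: the Event Viewer route. Event 2004 in the firewall operational log
# is "rule added"; newest first gives the last rule (and port) the attacker opened.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
    Id      = 2004
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time     = $_.TimeCreated
            RuleName = $data['RuleName']
            Ports    = $data['LocalPorts']
        }
    } |
    Format-Table -AutoSize
```

Part 1 tells you what is exposed today; part 2 gives the timeline, so a rule that appears in the log on the compromise date but has since been deleted (event 2006) still shows up.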


As we saw earlier in the hosts file, DNS poisoning had taken place.

16. Check for DNS poisoning, what site was targeted? Answer: google.com
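Questions 13 and 16 both come from the hosts file, so one parser covers both: read every entry, split it into address and names, and flag any well-known domain that has been pinned to a routable address (a loopback mapping is the usual, benign way of blocking a site; a public IP is how traffic gets redirected to a C2 host). This is an added example, not code from the write-up; the watch list of domains is my assumption and should be extended with whatever your environment cares about.

```powershell
# Added example (not from the write-up): parse the hosts file and flag
# well-known domains mapped to non-loopback addresses.
$hostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
# Assumed watch list; matches the domain itself and any subdomain of it.
$watch = @('google.com', 'microsoft.com', 'windowsupdate.com')

$entries = Get-Content $hostsPath |
    ForEach-Object { ($_ -split '#')[0].Trim() } |   # drop comments
    Where-Object { $_ } |                             # drop blank lines
    ForEach-Object {
        $parts = $_ -split '\s+'                      # "<ip> <name> [<alias> ...]"
        $ip = $parts[0]
        foreach ($name in ($parts | Select-Object -Skip 1)) {
            [pscustomobject]@{ IP = $ip; Host = $name.ToLower() }
        }
    }

$entries |
    ForEach-Object {
        $h = $_.Host
        $watched  = @($watch | Where-Object { $h -eq $_ -or $h.EndsWith(".$_") }).Count -gt 0
        $loopback = $_.IP -in @('127.0.0.1', '::1')
        [pscustomobject]@{
            IP         = $_.IP
            Host       = $h
            Suspicious = $watched -and -not $loopback   # well-known name sent somewhere real
        }
    } |
    Sort-Object Suspicious -Descending |
    Format-Table -AutoSize
```

Any row with Suspicious set to True gives you the targeted site (question 16) and the address it was redirected to, which in this challenge is the attacker's command-and-control server (question 13).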


More articles by Daniel McNally