CTF: Investigating Windows

The goal of this machine is to investigate a Windows system that has been recently compromised. There are 16 questions that we will be answering along the way, so let's dive in.

1. What's the version and year of the windows machine? Answer: Windows Server 2016

*This question can be frustrating if you were trying to enumerate the actual system version number.

By running the next command, I was able to answer the next two questions.

2. Which user logged in last? Answer: Administrator

3. When did John log onto the system last? Answer: 3/2/2019 5:48:32 PM

This next question was surprisingly a rough one. I spent a great deal of time trying to figure out different ways to answer this question. In short, there was no easy answer. I did find it explained that you should open regedit and navigate to HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Windows > CurrentVersion > Run. There you will find a file called UpdateSvc that is executing p.exe. When I Googled “p.exe” it came back as a malicious file and when searching “C:\tmp” there was a host of suspicious looking files. * Credit to Seemz

4. What IP does the system connect to when it first starts? Answer: 10.34.2.3

5. What two accounts had administrative privileges (other than the Administrator user)? Answer: Guest & Jenny

The next 3 questions were answered by pulling up the Task Scheduler.

6. What's the name of the scheduled task that is malicious? Answer: Clean File System

7. What file was the task trying to run daily? Answer: nc.ps1

8. What port did this file listen locally for? Answer: 1348

9. When did Jenny last logon? Answer: Never

10. At what date did the compromise take place? Answer: 03/02/2019

This next question was a bit confusing, due to it being poorly worded, so I used the “hint” and filtered the event ID 4672 by date/time.

11. At what time did Windows first assign special privileges to a new logon? Answer: 03/02/2019 04:04:49 PM

For the next question, I actually came across the answer when looking through the suspicious files in the c:\tmp\ folder.

12. What tool was used to get Windows passwords? Answer: Mimikatz

The next question, we looked at the win hosts file. We see two entries for Google with IP addresses that aren’t 8.8.8.8 or 8.8.4.4.

13. What was the attacker's external control and command servers IP? Answer: 76.32.97.132

With this being a Windows machine, we can assume that it is using Microsoft Internet Information Services (IIS) which uses the default folder inetpub.

14. What was the extension name of the shell uploaded via the servers website? Answer: .jsp

For this next question we looked up the Windows firewall log in event viewer for outside connections.

15. What was the last port the attacker opened? Answer: 1337

As we saw earlier while viewing the hosts file, we can see that DNS poisoning had taken place.

16. Check for DNS poisoning, what site was targeted? Answer: google.com