Day 13

nalo_
October 13, 2024
2 min read

forensic/obfuscation-station

Obfuscation Station
Authors: LookAtThis, nalo_
Category: forensic

The file given is a PowerShell script that runs commands built from base64-encoded strings.

We can see the instruction [CONVERT]::FROMBASE64STRING(), which decodes the base64 string into bytes. The result is then passed to System.IO.Compression.DeflateStream, used in Decompress mode, so the payload is raw deflate data.

We can reproduce the decoding step in Python:

from base64 import b64decode
import zlib
encoded = 'UzF19/UJV7BVUErLSUyvNk5NMTM3TU0zMDYxNjSxNDcyNjexTDY2SUu0NDRITDWpVQIA'
# Base64 conversion (FromBase64String)
decoded_bytes = b64decode(encoded)
# Deflate in decompress mode; -MAX_WBITS tells zlib the stream is raw deflate
# with no zlib header, which is what DeflateStream produces
decompressed_data = zlib.decompress(decoded_bytes, -zlib.MAX_WBITS)
print(decompressed_data.decode())

The output string that would be used in the script contains the flag!

forensic/little-shop-of-hashes

Little Shop of Hashes
Authors: Izunks, nalo_
Category: forensic

That’s a challenge group, which means we have multiple questions about the same data.

TO WRITE

Challenge 1: What is the name of the service that the attacker ran and stopped, which dumped hashes on the first compromised host?

TODO

Challenge 2: What lateral movement technique did the threat actor use to move to the other machine?

Pass-the-Hash

Logons using explicit credentials are recorded as Event ID 4648. We check whether credentials were stolen and then used for lateral movement:

grep "4648" security_hosta.xml -A 10

3 results: that must be it.

Challenge 3: What is the full path of the binary that the threat actor used to access the privileges of a different user with explicit credentials?

C:\Users\DeeDee\Documents\runasc.exe

Look for Event ID 4648 (logon using explicit credentials) and copy the ProcessName field.

Challenge 4: How many accounts were compromised by the threat actor?

3

$ grep -oP '(?<=<Data Name="TargetUserName">)[^<]+' security_hosta.xml | sort | uniq -c
86 -
60 Administrator
4 Administrators
16 Craig
42 DeeDee
291 EC2AMAZ-3NV39E0$
1 LOCAL SERVICE
42 Niko
16 SYSTEM

-> Craig, DeeDee, Niko
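As an added example (not part of the write-up), the same lookups for Challenges 2 to 4 done with an XML-aware parser instead of grep: it pulls Event ID 4648 entries with their SubjectUserName, TargetUserName and ProcessName, and tallies target accounts the way the grep | sort | uniq -c pipeline does. The four-event sample is constructed in the exported-EVTX layout shown on this page, and the list of built-in principals to ignore is an assumption mirroring the write-up's reasoning.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Principals that are not user accounts; excluding them mirrors the write-up's
# reasoning (an assumption for this example, not a Windows-defined list).
NOT_USERS = {"-", "SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE", "Administrator", "Administrators"}

# Constructed sample in the exported-EVTX XML layout shown on this page; it is
# not the real security_hosta.xml. An <Events> wrapper is added so it parses.
EVENT = ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>'
         '<EventID>{id}</EventID><Computer>EC2AMAZ-3NV39E0</Computer></System><EventData>'
         '<Data Name="SubjectUserName">{subj}</Data><Data Name="TargetUserName">{tgt}</Data>'
         '<Data Name="ProcessName">{proc}</Data></EventData></Event>')
RUNAS = r"C:\Users\DeeDee\Documents\runasc.exe"
SAMPLE_XML = "<Events>" + "".join(EVENT.format(id=i, subj=s, tgt=t, proc=p) for i, s, t, p in [
    (4624, "-", "DeeDee", "-"),
    (4648, "DeeDee", "Craig", RUNAS),
    (4648, "DeeDee", "Niko", RUNAS),
    (4648, "EC2AMAZ-3NV39E0$", "SYSTEM", r"C:\Windows\System32\svchost.exe"),
]) + "</Events>"

def _data(event, name):
    node = event.find(f"e:EventData/e:Data[@Name='{name}']", NS)  # <Data Name="..."> text or ''
    return (node.text or "") if node is not None else ""

def explicit_credential_events(xml_text):
    """Event ID 4648 (logon using explicit credentials): who used whose
    credentials from which binary. This is the evidence behind Challenges 2-3."""
    root = ET.fromstring(xml_text)
    out = []
    for ev in root.findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", default="", namespaces=NS) != "4648":
            continue
        out.append({"subject": _data(ev, "SubjectUserName"),
                    "target": _data(ev, "TargetUserName"),
                    "process": _data(ev, "ProcessName")})
    return out

def target_user_counts(xml_text):
    """Same tally as the grep | sort | uniq -c pipeline, but XML-aware."""
    root = ET.fromstring(xml_text)
    return Counter(_data(ev, "TargetUserName") for ev in root.findall("e:Event", NS))

def compromised_accounts(xml_text):
    """Distinct target user accounts, dropping machine accounts (trailing $)
    and built-in principals, as the write-up does by hand."""
    return sorted(u for u in target_user_counts(xml_text)
                  if u and not u.endswith("$") and u not in NOT_USERS)
```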

Challenge 5: What is the full path of the binary that was used as a callback to the threat actor’s machine?

C:\Users\DeeDee\Documents\nc.exe

This was not remote execution, so the binary is found in the HOSTA Application log:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Wow64 Emulation Layer"/>
<EventID Qualifiers="16384">1109</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x0080000000000000</Keywords>
<TimeCreated SystemTime="2024-10-01T20:52:41.685988900Z"/>
<EventRecordID>12971</EventRecordID>
<Correlation/>
<Execution ProcessID="0" ThreadID="0"/>
<Channel>Application</Channel>
<Computer>EC2AMAZ-3NV39E0</Computer>
<Security/>
</System>
<EventData>
<Data>\??\C:\Users\DeeDee\Documents\nc.exe</Data>
</EventData>
</Event>