Monday, January 13, 2020

SANS Holiday Hack Challenge 2019


KringleCon 2 - Obj 0 to 5



0) Talk to Santa in the Quad

This is Santa! (Who knew?!)
This is Santa with an Umbrella in the Quad (Talk to him)

Talk to the Santa with the Umbrella until he repeats himself, then your first objective should be done, and  4 more objectives should be added:

 1) Find the Turtle Doves 2) Unredact Threatening Document 3) Windows Log Analysis: Evaluate Attack Outcome 4) Windows Log Analysis: Determine Attacker Technique 5) Network Log Analysis: Determine Compromised System


1) Find the Turtle Doves


Your first mission is to find the Turtle Doves, they are in the Student Union, to the left side, next to the fireplace

Fireplace

Very Important Turtle Doves
Just click on them and your first objective will be completed


2) Unredact Threatening Document

As you exit the Student Union hall, go all the way to the left side, in the corner, behind a pine tree, there's a document, just click on it to download it in PDF format.

Document behind pine tree
 

PDF of Redacted Document
When you open the PDF you'll see a lot of the text has been redacted with CONFIDENTIAL, but it was a really poor job, just use the mouse the select the text and copy it, then paste it somewhere else to read it an answer the question for the 2nd Objective

Here's the unredacted text:

Subject: DEMAND: Spread Holiday Cheer to Other Holidays and Mythical Characters… OR
ELSE!

Attention All Elf University Personnel,

It remains a constant source of frustration that Elf University and the entire operation at the
North Pole focuses exclusively on Mr. S. Claus and his year-end holiday spree. We URGE
you to consider lending your considerable resources and expertise in providing merriment,
cheer, toys, candy, and much more to other holidays year-round, as well as to other mythical
characters.

For centuries, we have expressed our frustration at your lack of willingness to spread your
cheer beyond the inaptly-called “Holiday Season.” There are many other perfectly fine
holidays and mythical characters that need your direct support year-round.

If you do not accede to our demands, we will be forced to take matters into our own hands.

We do not make this threat lightly. You have less than six months to act demonstrably.

Sincerely,

--A Concerned and Aggrieved Character


3) Windows Log Analysis: Evaluate Attack Outcome


"We're seeing attacks against the Elf U domain! Using the event log data, identify the user account that the attacker compromised using a password spray attack. Bushy Evergreen is hanging out in the train station and may be able to help you out."

Difficulty: 🎄

The Terminals:


Through the game you'll find Elfs next to a  CRANPI Terminal with challenges to complete, as you help each Elf with their challenge, they'll give you clues to solve the main Objectives.

Cranpi Terminals look like this (copied from the game)




The first Terminal we encounter is the Escape Ed terminal

We need to help Bushy Evergreen exit the 'ed' editor on a Linux console so he can give us a clue to solve the 3rd objective.

This is Bushy Evergreen


Welcome to Elf U!
I'm glad you're here. I'm the target of a terrible trick.
Pepper Minstix is at it again, sticking me in a text editor.
Pepper is forcing me to learn ed.
Even the hint is ugly. Why can't I just use Gedit?

Please help me just quit the grinchy thing.



This one should be straight forward, if you haven't used ed before, you can just Google how to exit ed and .. the answer is 'q' then press Enter....





Wow, that was much easier than I'd thought.
Maybe I don't need a clunky GUI after all!
Have you taken a look at the password spray attack artifacts?
I'll bet that DeepBlueCLI tool is helpful.
You can check it out on GitHub.
It was written by that Eric Conrad.
He lives in Maine - not too far from here!



I tried using DeepBlueCLI but got some issues with dependencies so i just used evtexport and grep to count how many times each user failed authentication (EventID 4625), luckily all of them tried the same amount of time, 77, but only one got through on the 77th time, supatree which is the answer for the challenge. When looking at the export you can see that all user names are preceded by "String: 6"




|



4) Windows Log Analysis: Determine Attacker Technique


Using these normalized Sysmon logs, identify the tool the attacker used to retrieve domain password hashes from the lsass.exe process. For hints on achieving this objective, please visit Hermey Hall and talk with SugarPlum Mary.
Difficulty: 🎄🎄
So we go to Hermey Hall and we find SugarPlum Mary next to a crapi terminal with a challenge, we need to help her so she can give us clues for Objective 4.



This terminal is pretty simple too, just need to find the right binary for the ls command since there's a conflict in the PATH. You can use find or locate to figure out the correct PATH, or if you have an idea just try it like I did.

The Screenshot shows the answer.

'ls' command is under /bin/


With this information SugarPlum gives a clue we need:

SugarPlum Mary:
Oh there they are! Now I can delete them. Thanks!
Have you tried the Sysmon and EQL challenge?
If you aren't familiar with Sysmon, Carlos Perez has some great info about it.
Haven't heard of the Event Query Language?
Check out some of Ross Wolf's work on EQL or that blog post by Josh Wright in your badge.


I've never used EQL before, and I didn't need it, we just have to look for the process that had lsass.exe as parent, that would mean that lsass.exe was exploited with something like a buffer overflow to execute something like a shell, in this case a cmd.exe and that cmd was used to call the tool we are looking for, which means the process spawned for the tool has a cmd.exe as a parent.

So, lsass.exe → cmd.exe → ???

We go ahead and download the JSON file and take a quick look to search for the lsass process and we find that i has spawn a CMD and just after that the tool ntdsutil was used to export the credentials.

Obj 4's Answer 'ntdsutil'



5) Network Log Analysis: Determine Compromised System


Difficulty: 🎄🎄


The attacks don't stop! Can you help identify the IP address of the malware-infected system using these Zeek logs? For hints on achieving this objective, please visit the Laboratory and talk with Sparkle Redberry.


Wefind Sparkle Redberry and she gives us a new terminal challenge we need to solve if we want a hint for Objective 5

Sparkle Redberry


Sparkle Redberry:
I'm Sparkle Redberry and Imma chargin' my laser!
Problem is: the settings are off.
Do you know any PowerShell?
It'd be GREAT if you could hop in and recalibrate this thing.
It spreads holiday cheer across the Earth ...
... when it's working!






We go into the terminal and find a Linux PowerShell console.
Someone has changed the values of the parameters necessary to make the lase work properly, we must follow the clues to find the good values...

MOTD describes what's going on

1st clue - Read the history of commands

API Instructions
The 1st riddle says "Could commands hold riddles in hist'ry?", so let's see what were the last commands ran using the history command.

Correct angle value and 2nd clue found

Alright! we found our first value, the angle must be 65.5, we start building a list o commands we're going to need to execute to fix the laser.

#Turn the laser off:
(Invoke-WebRequest http://127.0.0.1:1225/api/off).RawContent
#Change gas value
(Invoke-WebRequest http://127.0.0.1:1225/api/angle?val=65.5).RawContent

And there;s a second clue on Item 9 of the history, but when we try retrieving it we can't read the whole message, so we just try executing it and ignore the error

2nd Clue
It says: I have many name=value variables that I share to applications system wide. At a command I will reveal my secrets once you Get my Child Items.

So it occurs to me that we can search for equal signs ('=') in the ./depth folder using Get-ChildItem

Temperature found

We've found the next value, temperature=-33.5, in a file, so we go to look at the file to see if there's another clue.

We take a note of the 3rd command:

#Change temperature value:
(Invoke-WebRequest http://127.0.0.1:1225/api/temperature?val=-33.5).RawContent

3rd clue gives us another file
As you can see in the image above, the third clue gives us another file, we immediately use Get-ChildItem to find it and we take a look at it with type.

No values but the 4th clue
This file doesn't give us any of the 2 values missing but a clue to keep digging.
We list the process with Get-Processes -IncludeUsername, and proceed to stop all the processes running by the users listed in the clue with Stop-Process -Id <#>

Processes stopped and next clue found in /shall/see

Once we've stopped all the processes, the file /shall/see is created and it contains the next clue which is to find an XML file in /etc.

XML found
 No idea how to follow those instructions to navigate the XML file, so we just look for one of the values we are missing, gas... and guess what... we found them 😁



Now we have our 4th command... but no new clue 🤔

#Change gases values
(Invoke-WebRequest http://127.0.0.1:1225/api/gas -Method Post -Body "O=6&H=7&He=3&N=4&Ne=22&Ar=11&Xe=10&F=20&Kr=8&Rn=9").RawContent

So let's read the second clue again...

I have many name=value variables that I share to applications system wide. At a command I will reveal my secrets once you Get my Child Items.

Hmm... we missed the part that says system wide, this must be talking about environment variables, let's take a look

Forgotten Clue
 We found the clue...ok, we're on track again...
Must find a compressed file which is the latest file to be written under /etc


Found archive file

We decompress it with Extract-Archive and found an executable file so we run it to find the last value (or second), refraction=1.867.


Refraction value found and a clue we didn't need
Now we have all the commands we need

#Change refraction value.
(Invoke-WebRequest http://127.0.0.1:1225/api/refraction?val=1.867).RawContent
#Turn on laser
(Invoke-WebRequest http://127.0.0.1:1225/api/on).RawContent
#Check Mega-jollies
(Invoke-WebRequest http://127.0.0.1:1225/api/output).RawContent

We run them all.

First 4 commands

Last Commands and Success!!

Once we have fixed the laser she gives us the hint:

Sparkle Redberry
You got it - three cheers for cheer!
For objective 5, have you taken a look at our Zeek logs?
Something's gone wrong. But I hear someone named Rita can help us.
Can you and she figure out what happened?


So, here's some information about RITA... pretty cool, right? well... fortunately we don't need to install and run RITA, we just need to now how to navigate the report.

We download the Zeek Logs archive and decompress it to find 890 .log files and 1 very interesting ELFU folder.



The ELFU folder contains the RITA report, just open the index.html, click on ELFU, click on Beacons and top Source IP address of the list is the one infected with malware because it has an out of proportion amount of connections, 7660, to one specific destination IP address.

Obj 5's Answer - 192.168.134.130


No comments:

Post a Comment