This was a challenge from the DefCamp CTF 2020 rated with 193 points (Q1) and 208 points (Q3). It was about investigating a security breach inside some Windows hosts by using logs collected from an ELK (Elasticsearch, Logstash, Kibana) system.
The first step was to download the challenge zip and then execute the different commands they provide in the description.
To get the IP of the Kibana container, first we must find out the name of the container with ‘docker container ls’, and we find that it’s elastic_kibana_1. Then we use ‘docker container inspect elastic_kibana_1’ to get information about the container, including its IP.
We connect to [http://172.18.0.2:5601/] and a login screen appears. We try the default login credentials (which are elastic:changeme) and we get in.
Then we go to the left panel -> Kibana -> Discover. We set the date range to the one in the description and we get:
There are almost 5000 hits so let’s use the filter to find the solutions.
Q1
The description talks about some tool used to dump passwords. Let’s check what commands were used by filtering on the cmd.exe and powershell.exe processes.
We are going to filter the fields with the following one so it’s easier to see them:
By inspecting the cmd.exe commands we found some weird commands related to the attack but nothing related to the passwords.
Let’s check the powershell.exe logs. At Dec 4, 10:37:11 we can see the malware is downloading some software and executing it.
By searching for that name we get the tool Mimikatz, which is used to dump Windows passwords, among other things. The parameter (-DumpCreds) is also an indicator of what it’s doing. They ask us about the process name, so let’s search around that moment.
Just a couple moments before, a mim.exe was executed. Let’s filter by that name:
It looks like this is the program that was dumping the passwords so the flag will be: ctf{mim.exe}
Q3
They told us about some APT script used to start the attack, so let’s go back to the cmd.exe logs. Just a few logs in from the beginning, we find something promising:
That name really looks suspicious. We search for it on Google and we find (https://github.com/NextronSystems/APTSimulator). This is a toolset that simulates APT attack techniques.
But, we have to be sure that it was the first one. So let’s filter by date from the first log to Dec 4, 09:32:15.
We perform an investigation by 30 min ranges:
The only suspicious command is that p.exe, but it doesn’t look like it’s responsible for the APT attacks.
According to the investigation, we determined that the culprit is APTSimulator.bat, so the flag will be ctf{APTSimulator.bat}
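The same triage done in Kibana for Q1 (filter on cmd.exe/powershell.exe, spot the Mimikatz indicator, look at what started just before it) and for Q3 (walk the cmd.exe events before a cut-off time and pick out the ones that are not normal) can be scripted over exported events. This is an added example, not part of the original writeup or the challenge files; the field names (@timestamp, process_name, command_line) and every command line in the sample are constructed assumptions.

```python
import json
from datetime import datetime, timedelta

# Constructed sample of process-creation events in the shape the writeup filtered on in
# Kibana. Field names and command lines are assumptions for this example, not values
# taken from the challenge logs.
SAMPLE_EVENTS = json.loads("""[
 {"@timestamp": "2020-12-04T09:05:10", "process_name": "cmd.exe",
  "command_line": "cmd.exe /c whoami"},
 {"@timestamp": "2020-12-04T09:10:33", "process_name": "cmd.exe",
  "command_line": "cmd.exe /c p.exe"},
 {"@timestamp": "2020-12-04T09:25:42", "process_name": "cmd.exe",
  "command_line": "cmd.exe /c APTSimulator.bat"},
 {"@timestamp": "2020-12-04T10:36:58", "process_name": "mim.exe",
  "command_line": "mim.exe"},
 {"@timestamp": "2020-12-04T10:37:11", "process_name": "powershell.exe",
  "command_line": "powershell.exe Invoke-Mimikatz -DumpCreds"}
]""")

def parse_ts(s):
    return datetime.fromisoformat(s)

def filter_events(events, names=None, start=None, end=None):
    """Kibana-style filter: by process name (case-insensitive) and/or by time range."""
    wanted = {n.lower() for n in names} if names else None
    keep = []
    for e in events:
        ts = parse_ts(e["@timestamp"])
        if wanted and e["process_name"].lower() not in wanted:
            continue
        if (start and ts < start) or (end and ts > end):
            continue
        keep.append(e)
    return sorted(keep, key=lambda e: e["@timestamp"])  # ISO timestamps sort as strings

# Indicators the writeup used to recognise the credential-dumping step (Q1).
CRED_DUMP_MARKERS = ("mimikatz", "-dumpcreds")

def credential_dump_hits(events):
    """cmd.exe/powershell.exe events whose command line carries a credential-dump indicator."""
    return [e for e in filter_events(events, names=("cmd.exe", "powershell.exe"))
            if any(m in e["command_line"].lower() for m in CRED_DUMP_MARKERS)]

def started_just_before(events, ref, window=timedelta(minutes=1)):
    """Non-shell processes started within `window` before `ref`: the 'search around that moment' step."""
    ref_ts = parse_ts(ref["@timestamp"])
    return [e["process_name"] for e in filter_events(events, start=ref_ts - window, end=ref_ts)
            if e is not ref and e["process_name"].lower() not in ("cmd.exe", "powershell.exe")]

def unusual_before(events, end, baseline):
    """cmd.exe command lines up to `end` that are not in a known-good baseline, oldest first (Q3)."""
    return [e["command_line"] for e in filter_events(events, names=("cmd.exe",), end=end)
            if e["command_line"] not in baseline]
```

The oldest entry returned by `unusual_before` is the candidate for the initial script; the analyst still has to judge it, as the writeup does with p.exe.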