Holiday Hack 2019: Evaluate Attack Outcome
Objective
Link: Security.evtx.zip
Terminal - Escape Ed
Challenge
I find Bushy Evergreen in the train station as my badge indicated I would:
Pepper Minstix is at it again, sticking me in a text editor.
Pepper is forcing me to learn ed.
Even the hint is ugly. Why can’t I just use Gedit?
Please help me just quit the grinchy thing.
Going into the terminal presents the challenge:
........................................
.;oooooooooooool;,,,,,,,,:loooooooooooooll:
.:oooooooooooooc;,,,,,,,,:ooooooooooooollooo:
.';;;;;;;;;;;;;;,''''''''';;;;;;;;;;;;;,;ooooo:
.''''''''''''''''''''''''''''''''''''''''';ooooo:
;oooooooooooool;''''''',:loooooooooooolc;',,;ooooo:
.:oooooooooooooc;',,,,,,,:ooooooooooooolccoc,,,;ooooo:
.cooooooooooooo:,''''''',:ooooooooooooolcloooc,,,;ooooo,
coooooooooooooo,,,,,,,,,;ooooooooooooooloooooc,,,;ooo,
coooooooooooooo,,,,,,,,,;ooooooooooooooloooooc,,,;l'
coooooooooooooo,,,,,,,,,;ooooooooooooooloooooc,,..
coooooooooooooo,,,,,,,,,;ooooooooooooooloooooc.
coooooooooooooo,,,,,,,,,;ooooooooooooooloooo:.
coooooooooooooo,,,,,,,,,;ooooooooooooooloo;
:llllllllllllll,'''''''';llllllllllllllc,
Oh, many UNIX tools grow old, but this one's showing gray.
That Pepper LOLs and rolls her eyes, sends mocking looks my way.
I need to exit, run - get out! - and celebrate the yule.
Your challenge is to help this elf escape this blasted tool.
-Bushy Evergreen
Exit ed.
1100
ed gives no prompt by default; the 1100 is ed reporting the size in bytes of the file it has just opened, and then it silently waits for commands.
Solution
In last year’s editor challenge, I knew immediately how to exit vim, as I use it on a daily basis. I had to look at the man page for ed. There are two commands to quit:
q    Quits ed.
Q    Quits ed unconditionally. This is similar to the q command, except that unwritten changes are discarded without warning.
So I enter q into the terminal and hit enter, and I get success:
q
Loading, please wait......
You did it! Congratulations!
elf@d6f56af24a8b:~$
Hints
On solving, Bushy gives me a hint to look at DeepBlueCLI from Eric Conrad:
Wow, that was much easier than I’d thought.
Maybe I don’t need a clunky GUI after all!
Have you taken a look at the password spray attack artifacts?
I’ll bet that DeepBlueCLI tool is helpful.
You can check it out on GitHub.
It was written by that Eric Conrad.
He lives in Maine - not too far from here!
Objective Challenge
I’m given a link to a .zip file which contains a single file, Security.evtx. Last year, I performed a similar analysis by hand. This year, I’ll give DeepBlueCLI a run.
I download it from GitHub and unzip it to where I can use it. I’ll then run it, passing Security.evtx as an argument:
PS C:\Tools\DeepBlueCLI-master > .\DeepBlue.ps1 \\Vboxsvr\hhc2019\3\Security.evtx
The output is a series of alerts summarizing potential attacks detected in the event log data. There are 12 alerts indicating Password Spray Attacks. In a password spray, the attacker tries one or a few very common passwords against every account, rather than a typical brute force where a huge wordlist is tried against a single user; spreading the attempts across accounts keeps each account under the lockout threshold. DeepBlueCLI raises the alert from Event ID 4648 (a logon was attempted using explicit credentials) when one source tries credentials for many different target accounts. These alerts look like:
Date : 11/19/2019 12:22:46 PM
Log : Security
EventID : 4648
Message : Distributed Account Explicit Credential Use (Password Spray Attack)
Results : The use of multiple user account access attempts with explicit credentials is an indicator of a password spray attack.
Target Usernames: ygoldentrifle esparklesleigh hevergreen Administrator sgreenbells cjinglebuns tcandybaubles bbrandyleaves bevergreen lstripyleaves gchocolatewine wopenslae ltrufflefig supatree mstripysleigh pbrandyberry civysparkles sscarletpie ftwinklestockings cstripyfluff gcandyfluff smullingfluff hcandysnaps mbrandybells twinterfig civypears ygreenpie ftinseltoes smary ttinselbubbles dsparkleleaves
Accessing Username: -
Accessing Host Name: -
Command :
Decoded :
There are also three alerts for “Multiple admin logons for one account”, built from Event ID 4672 (special privileges assigned to new logon):
Date : 8/24/2019 1:00:20 AM
Log : Security
EventID : 4672
Message : Multiple admin logons for one account
Results : Username: pminstix
User SID Access Count: 2
Command :
Decoded :
Date : 8/24/2019 1:00:20 AM
Log : Security
EventID : 4672
Message : Multiple admin logons for one account
Results : Username: DC1$
User SID Access Count: 12
Command :
Decoded :
Date : 8/24/2019 1:00:20 AM
Log : Security
EventID : 4672
Message : Multiple admin logons for one account
Results : Username: supatree
User SID Access Count: 2
Command :
Decoded :
The middle one is expected: the trailing $ marks DC1$ as a computer account, and a domain controller’s own account is assigned special privileges on every logon. The other two are ordinary user accounts with privileged logons, which is suspect.
There are also 31 alerts for “High number of logon failures for one account”, one for each of the 31 usernames in the spray’s target list above. Each one looks like this:
Date : 8/24/2019 1:00:20 AM
Log : Security
EventID : 4672
Message : High number of logon failures for one account
Results : Username: ygoldentrifle
Total logon failures: 77
Command :
Decoded :
Each has a different username, and all but one show 77 total logon failures. supatree has only 76:
Date : 8/24/2019 1:00:20 AM
Log : Security
EventID : 4672
Message : High number of logon failures for one account
Results : Username: supatree
Total logon failures: 76
Command :
Decoded :
Given that supatree is the only sprayed user account that also shows multiple admin logons, and has one fewer failed logon than everyone else, the picture is consistent: each account received the same 77 attempts, and for supatree one of those attempts succeeded instead of failing (76 failures plus one success), after which the account was used for privileged logons. His account was the one compromised. Submitting supatree solves the challenge.
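To confirm that reading independently of DeepBlueCLI’s summary alerts, the following PowerShell counts failed (4625) and successful (4624) logons per target account directly from the exported Security.evtx and flags any sprayed account whose failure count falls below the common baseline. It is an added example and is not part of the original write-up or of DeepBlueCLI; the file path, the 10-failure threshold used to decide which accounts were sprayed, and the function names are assumptions.

```powershell
# Added example, not from the original write-up or from DeepBlueCLI.
# Counts 4625 (failed) and 4624 (successful) logons per target account in a
# saved Security.evtx and flags sprayed accounts whose failure count is below
# the baseline shared by the rest. Path and $MinFailures are assumptions.

function Get-TargetUserName {
    # Read TargetUserName from the event XML instead of a positional
    # Properties[] index, since the index differs between event IDs.
    param($Event)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'TargetUserName' }).'#text'
}

function Get-SprayOutcome {
    param(
        [string]$Path = 'C:\hhc2019\3\Security.evtx',  # assumed location of the export
        [int]$MinFailures = 10                           # assumed cutoff for "this account was sprayed"
    )

    $failures  = @{}
    $successes = @{}

    # -FilterHashtable with Path reads the saved .evtx without importing it into a live log.
    Get-WinEvent -FilterHashtable @{ Path = $Path; Id = 4624, 4625 } -ErrorAction Stop |
        ForEach-Object {
            $user = Get-TargetUserName $_
            # Skip events with no target and computer accounts (trailing $), such as DC1$.
            if ([string]::IsNullOrEmpty($user) -or $user.EndsWith('$')) { return }
            if ($_.Id -eq 4625) { $failures[$user]  = 1 + [int]$failures[$user] }
            else                { $successes[$user] = 1 + [int]$successes[$user] }
        }

    # Every sprayed account sees the same number of attempts, so the most
    # common failure count is the baseline; an account below it is where one
    # of the sprayed passwords worked.
    $sprayed  = $failures.GetEnumerator() | Where-Object { $_.Value -ge $MinFailures }
    $baseline = [int](($sprayed | Group-Object -Property Value |
                       Sort-Object -Property Count -Descending | Select-Object -First 1).Name)

    foreach ($entry in ($sprayed | Sort-Object -Property Value, Key)) {
        [pscustomobject]@{
            Account   = $entry.Key
            Failures  = [int]$entry.Value
            Successes = [int]$successes[$entry.Key]
            Baseline  = $baseline
            Suspect   = ([int]$entry.Value -lt $baseline)
        }
    }
}

# Usage: list every sprayed account, suspects first.
Get-SprayOutcome | Sort-Object -Property Suspect -Descending | Format-Table -AutoSize
```

The Successes column is the corroborating evidence: a sprayed account that is one failure short of the baseline and also has at least one 4624 is the account the attacker got into, which is the same deduction made above from the DeepBlueCLI output. Dropping computer accounts keeps DC1$ and similar machine logons from skewing the baseline.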