Objective


Link: Security.evtx.zip

Terminal - Escape Ed

Challenge

I find Bushy Evergreen in the train station as my badge indicated I would:

Pepper Minstix is at it again, sticking me in a text editor.

Pepper is forcing me to learn ed.

Even the hint is ugly. Why can’t I just use Gedit?

Please help me just quit the grinchy thing.

Going into the terminal presents the challenge:

                  ........................................
               .;oooooooooooool;,,,,,,,,:loooooooooooooll:
             .:oooooooooooooc;,,,,,,,,:ooooooooooooollooo:
           .';;;;;;;;;;;;;;,''''''''';;;;;;;;;;;;;,;ooooo:
         .''''''''''''''''''''''''''''''''''''''''';ooooo:
       ;oooooooooooool;''''''',:loooooooooooolc;',,;ooooo:
    .:oooooooooooooc;',,,,,,,:ooooooooooooolccoc,,,;ooooo:
  .cooooooooooooo:,''''''',:ooooooooooooolcloooc,,,;ooooo,
  coooooooooooooo,,,,,,,,,;ooooooooooooooloooooc,,,;ooo,
  coooooooooooooo,,,,,,,,,;ooooooooooooooloooooc,,,;l'
  coooooooooooooo,,,,,,,,,;ooooooooooooooloooooc,,..
  coooooooooooooo,,,,,,,,,;ooooooooooooooloooooc.
  coooooooooooooo,,,,,,,,,;ooooooooooooooloooo:.
  coooooooooooooo,,,,,,,,,;ooooooooooooooloo;
  :llllllllllllll,'''''''';llllllllllllllc,
Oh, many UNIX tools grow old, but this one's showing gray.
That Pepper LOLs and rolls her eyes, sends mocking looks my way.
I need to exit, run - get out! - and celebrate the yule.
Your challenge is to help this elf escape this blasted tool.
-Bushy Evergreen
Exit ed.
1100

Solution

In last year’s editor challenge, I knew immediately how to exit vim, as I use it on a daily basis. I had to look at the man page for ed. There are two commands to quit:

q

Quits ed.

Q

Quits ed unconditionally. This is similar to the q command, except that unwritten changes are discarded without warning. 

So I enter q into the terminal and hit enter, and I get success:

q
Loading, please wait......
You did it! Congratulations!
elf@d6f56af24a8b:~$ 

Hints

On solving, Bushy gives me a hint to look at DeepBlueCLI from Eric Conrad:

Wow, that was much easier than I’d thought.

Maybe I don’t need a clunky GUI after all!

Have you taken a look at the password spray attack artifacts?

I’ll bet that DeepBlueCLI tool is helpful.

You can check it out on GitHub.

It was written by that Eric Conrad.

He lives in Maine - not too far from here!

Objective Challenge

I’m given a link to a .zip file which contains a single file, Security.evtx. Last year, I performed a similar analysis by hand. This year, I’ll give DeepBlueCLI a run.

I download it from GitHub and unzip it to where I can use it. I’ll then run it, passing Security.evtx as an argument:

PS C:\Tools\DeepBlueCLI-master > .\DeepBlue.ps1 \\Vboxsvr\hhc2019\3\Security.evtx

The output is a series of alerts summarizing potential attacks detected in the event log data. There are 12 alerts indicating Password Spray Attacks. A password spray attack is one where the attacker tries a few very common passwords against every account, rather than a typical brute force where a huge wordlist is tried against a single user. Spreading the guesses across accounts keeps each account under its lockout threshold, so the tell is many accounts with a small, near-identical failure count rather than one account with thousands. These alerts look like:

Date    : 11/19/2019 12:22:46 PM
Log     : Security
EventID : 4648
Message : Distributed Account Explicit Credential Use (Password Spray Attack)
Results : The use of multiple user account access attempts with explicit credentials is an indicator of a password spray attack.
Target Usernames: ygoldentrifle esparklesleigh hevergreen Administrator sgreenbells cjinglebuns tcandybaubles bbrandyleaves bevergreen lstripyleaves gchocolatewine wopenslae ltrufflefig supatree mstripysleigh pbrandyberry civysparkles sscarletpie ftwinklestockings cstripyfluff gcandyfluff smullingfluff hcandysnaps mbrandybells twinterfig civypears ygreenpie ftinseltoes smary ttinselbubbles dsparkleleaves
Accessing Username: -
Accessing Host Name: -
Command :
Decoded :

There are also three alerts for “Multiple admin logons for one account”:

Date    : 8/24/2019 1:00:20 AM
Log     : Security
EventID : 4672
Message : Multiple admin logons for one account
Results : Username: pminstix
          User SID Access Count: 2
Command :
Decoded :

Date    : 8/24/2019 1:00:20 AM
Log     : Security
EventID : 4672
Message : Multiple admin logons for one account
Results : Username: DC1$
          User SID Access Count: 12
Command :
Decoded :

Date    : 8/24/2019 1:00:20 AM
Log     : Security
EventID : 4672
Message : Multiple admin logons for one account
Results : Username: supatree
          User SID Access Count: 2
Command :
Decoded :

The middle one is expected: the $ suffix marks DC1$ as a computer account (from the name, presumably the domain controller), and such accounts routinely hold privileged logons. The two user accounts are suspect.

There are also 31 alerts for “High number of logon failures for one account”. Note that failed logons are recorded as Event ID 4625; the 4672 (special privileges assigned to a new logon) shown in the EventID field of these roll-up alerts is not the event the count came from, so verify against the 4625 events directly when you need to. Each one looks like this:

Date    : 8/24/2019 1:00:20 AM
Log     : Security
EventID : 4672
Message : High number of logon failures for one account
Results : Username: ygoldentrifle
          Total logon failures: 77
Command :
Decoded :

Each has a different username, and all but one show 77 total logon failures. supatree has only 76:

Date    : 8/24/2019 1:00:20 AM
Log     : Security
EventID : 4672
Message : High number of logon failures for one account
Results : Username: supatree
          Total logon failures: 76
Command :
Decoded :

Given that supatree has multiple admin logons and one fewer failed logon attempt than everyone else, that account was likely the one compromised: the spray ran the same list of guesses against every account, and for supatree one of those guesses worked, replacing a failure (4625) with a successful logon (4624) and leaving the failure count one short. The admin logons (4672) for that account are consistent with the attacker then using it. Submitting that name solves the challenge.
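The two observations above, the spray pattern (many accounts, few failures each, one source) and the "one fewer failure plus a success" signature of the compromised account, can be checked with a few lines of code rather than by eyeballing alert output. The following is an added example written for this write-up; it is not code from the original post or from DeepBlueCLI. It runs over a constructed set of Security-log records with made-up usernames, the source IP 10.0.0.99 and the thresholds are assumptions, and in practice the records would be pulled from Security.evtx (for example with python-evtx) rather than built inline.

```python
"""Password-spray triage over Security-log logon events.

Added example, not part of the original write-up or of DeepBlueCLI.
All records below are constructed; usernames, IPs and thresholds are assumptions.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LogonEvent:
    event_id: int      # 4625 = an account failed to log on, 4624 = successful logon
    target_user: str   # TargetUserName from the event's EventData
    source_ip: str     # IpAddress from the event's EventData
    logon_type: int    # 3 = network, 2 = interactive


def build_constructed_events(users, attempts=77, source_ip="10.0.0.99",
                             compromised="supatree"):
    """Constructed sample data (not real log content).

    Every account gets `attempts` guesses from one source. For the
    compromised account the last guess succeeds, so it logs one 4625
    fewer than its peers and a 4624 from the spray source instead.
    """
    events = []
    for user in users:
        n_fail = attempts - 1 if user == compromised else attempts
        events.extend([LogonEvent(4625, user, source_ip, 3)] * n_fail)
        if user == compromised:
            events.append(LogonEvent(4624, user, source_ip, 3))
    # Background noise: an admin's ordinary interactive logon from a workstation.
    events.append(LogonEvent(4624, "pminstix", "10.0.0.5", 2))
    return events


def failures_by_user(events):
    """Failed-logon (4625) count per target account."""
    return Counter(e.target_user for e in events if e.event_id == 4625)


def spray_sources(events, min_accounts=10, max_per_account=100):
    """Spray heuristic: one source failing against many distinct accounts,
    each only a bounded number of times (kept under lockout), as opposed
    to brute force, which is one account with a very large failure count.
    Thresholds are assumptions; tune them to the environment's lockout policy.
    """
    per_source = defaultdict(Counter)
    for e in events:
        if e.event_id == 4625:
            per_source[e.source_ip][e.target_user] += 1
    return sorted(ip for ip, per_user in per_source.items()
                  if len(per_user) >= min_accounts
                  and max(per_user.values()) <= max_per_account)


def likely_compromised(events, source_ip):
    """Accounts with a 4624 from the spray source whose 4625 count is exactly
    one below the count shared by the rest of the sprayed accounts: the hit
    replaced one failure with a success.
    """
    fails = failures_by_user(events)
    if not fails:
        return []
    typical = Counter(fails.values()).most_common(1)[0][0]  # the "77" on the page
    hits = {e.target_user for e in events
            if e.event_id == 4624 and e.source_ip == source_ip}
    return sorted(u for u in hits if fails.get(u, 0) == typical - 1)


if __name__ == "__main__":
    sample_users = [f"elf{i:02d}" for i in range(20)] + ["supatree"]
    sample = build_constructed_events(sample_users)
    for ip in spray_sources(sample):
        print(f"spray source {ip}: compromised {likely_compromised(sample, ip)}")
```

Running the module prints the single spray source and names supatree, the account whose failure count (76) sits one below the typical 77 and which also has a success from the spraying host. On real data, a 4624 from the spray source with logon type 3 is the strongest confirmation; the off-by-one failure count alone is a useful pointer but can be thrown off by a user who happened to type a password wrong during the spray window.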