Objective


Link: sysmon-data.json.zip

Terminal - Linux Path

Challenge

I find SugarPlum Mary in the room off the left side of the quad, between the NetWars and Speak Unpreparedness Room:


Oh me oh my - I need some help!

I need to review some files in my Linux terminal, but I can’t get a file listing.

I know the command is ls, but it’s really acting up.

Do you think you could help me out? As you work on this, think about these questions:

  1. Do the words in green have special significance?
  2. How can I find a file with a specific name?
  3. What happens if there are multiple executables with the same name in my $PATH?

Going into the terminal, I’ve got a prompt:

I need to list files in my home/
To check on project logos
But what I see with ls there,
Are quotes from desert hobos...
which piece of my command does fail?
I surely cannot find it.
Make straight my path and locate that-
I'll praise your skill and sharp wit!
Get a listing (ls) of your current directory.
elf@81110c98cc25:~$

Solution

Running ls doesn’t list the files as expected:

elf@81110c98cc25:~$ ls
This isn't the ls you're looking for

I can use which to identify the location of a command that will run. If there are multiple binaries with the same name in my PATH, it will show the one that comes first.

On a typical Linux distro, ls will be in /usr/bin or /bin. For example, on my Kali VM:

root@kali# which ls
/usr/bin/ls

But in this terminal, it’s different:

elf@81110c98cc25:~$ which ls
/usr/local/bin/ls

I can see that’s just a bash script to echo out the message I got earlier:

elf@81110c98cc25:~$ cat /usr/local/bin/ls
#!/bin/bash
echo -e $'This isn\'t the ls you\'re looking for'

One tool that jumps to mind is locate, but it ends up not being helpful here. First, by default locate matches *[input]*, so running locate ls returns tons of results: anything with ls somewhere in its path. I can eliminate that behavior by running locate '\ls', but then I get this:

elf@82aaea9e07af:~$ locate '\ls'
locate: warning: database '/var/cache/locate/locatedb' is more than 8 days old (actual age is 33.1 days)

The DB is out of date. I can try updatedb, but it seems I lack permission:

elf@82aaea9e07af:~$ updatedb
/usr/bin/updatedb: 320: /usr/bin/updatedb: cannot create /var/cache/locate/locatedb.n: Permission denied
/usr/bin/find: '/root': Permission denied
/usr/bin/find: '/var/cache/apt/archives/partial': Permission denied
/usr/bin/find: '/var/cache/ldconfig': Permission denied
/usr/bin/find: '/var/lib/apt/lists/partial': Permission denied
/usr/bin/find: '/etc/ssl/private': Permission denied
Failed to generate /var/cache/locate/locatedb.n

A better alternative is find. I can generate a command to locate all files named ls on this host. The options I’ll use are:

  • find - run find
  • / - search from the system root
  • -name ls - for files named ls
  • 2>/dev/null - get rid of any error messages; there would be a lot since I’m not a root user, and therefore there are a lot of directories I can’t access

The result shows two binaries:

elf@81110c98cc25:~$ find / -name ls 2>/dev/null
/usr/local/bin/ls
/bin/ls
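To answer the third question from the challenge, here is an added example (not code from the original write-up) that walks PATH the way the shell does: which reports only the first hit, like the shell, while listing every PATH entry reports the rest, the same thing find / -name ls revealed. The directories and the two stand-in ls files in demo() are constructed.

```python
"""Walk PATH the way the shell does and show which `ls` would actually run.
Added example, not code from the original write-up. `which` reports only the
first hit, like the shell; walking every PATH entry reports the shadowed ones.
"""
import os
import shutil
import stat
import tempfile


def path_candidates(cmd, path=None):
    """Every regular, executable file named `cmd`, in PATH search order."""
    search = path if path is not None else os.environ.get("PATH", "")
    hits = []
    for d in search.split(os.pathsep):
        candidate = os.path.join(d or ".", cmd)   # empty entry means cwd
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            hits.append(candidate)
    return hits


def is_script(path):
    """True when the file starts with a shebang, i.e. a script, not an ELF."""
    with open(path, "rb") as fh:
        return fh.read(2) == b"#!"


def shadowed(cmd, path=None):
    """(winner, others): what the shell runs, and the same-named files it hides."""
    hits = path_candidates(cmd, path)
    return (hits[0] if hits else None, hits[1:])


def demo():
    """Constructed scenario: a script called `ls` placed ahead of the real one."""
    real_dir, fake_dir = tempfile.mkdtemp(), tempfile.mkdtemp()
    real, fake = os.path.join(real_dir, "ls"), os.path.join(fake_dir, "ls")
    with open(real, "wb") as fh:            # stand-in for the real ELF binary
        fh.write(b"\x7fELF")
    with open(fake, "w") as fh:             # stand-in for /usr/local/bin/ls
        fh.write("#!/bin/bash\necho \"This isn't the ls you're looking for\"\n")
    for f in (real, fake):
        os.chmod(f, stat.S_IMODE(os.stat(f).st_mode) | stat.S_IXUSR)
    search = os.pathsep.join([fake_dir, real_dir])
    winner, others = shadowed("ls", search)
    return (winner == fake and others == [real]
            and shutil.which("ls", path=search) == winner
            and is_script(winner) and not is_script(real))
```

Calling demo() returns True: the script wins because its directory comes first in PATH, and shutil.which agrees with the shell's pick.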

I can run /bin/ls to complete the challenge:

elf@81110c98cc25:~$ /bin/ls
' '   rejected-elfu-logos.txt
Loading, please wait......
You did it! Congratulations!

Hints

On solving, Bushy gives me a hint to look at DeepBlueCLI from Eric Conrad:

Oh there they are! Now I can delete them. Thanks!

Have you tried the Sysmon and EQL challenge?

If you aren’t familiar with Sysmon, Carlos Perez has some great info about it.

Haven’t heard of the Event Query Language?

Check out Ross Wolf’s talk at CircleCityCon.

Objective Challenge

I’m given a link to a .zip file which contains a single file, sysmon-data.json. The hint references EQL, which is a useful query language for hunting in logs.

I can install eql with python3 -m pip install eql (I already had it installed). Now I can open the shell and load the log file:

root@kali# eql -f sysmon-data.json
===================
     EQL SHELL
===================
Using file sysmon-data.json with 2626 events
type help to view more commands
eql>

I see it loaded 2626 events.

To find out what tool was used, I started by looking at the processes that were in the logs. I’ll tell EQL that I want queries to output the process name and path:

eql> table process_name, process_path

Now I’ll get a list of unique combinations of process name and path:

eql> search process where true | unique process_name,process_path
============================================================================
 process_name     process_path                                              
============================================================================
 wevtutil.exe     C:\Windows\System32\wevtutil.exe 
 cmd.exe          C:\Windows\System32\cmd.exe 
 powershell.exe   C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 
 powershell.exe   C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 
 cmd.exe          C:\Windows\SysWOW64\cmd.exe 
 net.exe          C:\Windows\SysWOW64\net.exe 
 ntdsutil.exe     C:\Windows\System32\ntdsutil.exe 
============================================================================
7 results found

The answer immediately jumped out: ntdsutil.exe. According to Microsoft documentation, ntdsutil.exe is a command-line tool that provides management facilities for Active Directory. The binary shows up on the MITRE ATT&CK page for Credential Dumping. Entering ntdsutil solves the challenge.
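The same unique process_name, process_path query replayed in plain Python, followed by a defender's watch-list check for the ntdsutil.exe finding. This is an added example, not code from the original write-up or from the eql project; the events are constructed and use only the event_type, process_name and process_path keys the EQL query above relies on.

```python
"""Replay of `search process where true | unique process_name, process_path`
in plain Python, plus a defender's check against the ntdsutil.exe finding.
Added example, not code from the original write-up or the eql project. The
events below are constructed and use only the event_type / process_name /
process_path keys the EQL query in the text relies on.
"""
import json

# Constructed Sysmon-style records, one JSON object per line (not the challenge file).
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"event_type": "process", "process_name": "cmd.exe",
     "process_path": "C:\\Windows\\System32\\cmd.exe"},
    {"event_type": "process", "process_name": "powershell.exe",
     "process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"event_type": "process", "process_name": "cmd.exe",
     "process_path": "C:\\Windows\\System32\\cmd.exe"},       # duplicate, collapsed
    {"event_type": "process", "process_name": "ntdsutil.exe",
     "process_path": "C:\\Windows\\System32\\ntdsutil.exe"},
    {"event_type": "network", "process_name": "svchost.exe",
     "process_path": "C:\\Windows\\System32\\svchost.exe"},   # not a process event
])

# Names worth a second look; ntdsutil.exe is the one the write-up ties to
# MITRE ATT&CK Credential Dumping. Extend with your own watch list.
WATCH_LIST = {"ntdsutil.exe"}


def load_events(text):
    """Parse newline-delimited JSON, or a single top-level JSON list."""
    text = text.strip()
    if text.startswith("["):
        return json.loads(text)
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def unique_processes(events):
    """Unique (process_name, process_path) pairs from process events, first-seen order."""
    seen, out = set(), []
    for ev in events:
        if ev.get("event_type") != "process":
            continue
        key = (ev.get("process_name", "").lower(), ev.get("process_path", "").lower())
        if key not in seen:           # case-insensitive, as Windows paths are
            seen.add(key)
            out.append((ev["process_name"], ev["process_path"]))
    return out


def flag_watch_list(pairs):
    """Process names in `pairs` that appear on the watch list, sorted."""
    return sorted({name for name, _ in pairs if name.lower() in WATCH_LIST})
```

Pointing load_events at the real sysmon-data.json reproduces the seven-row table from the EQL shell; flag_watch_list then singles out ntdsutil.exe.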