## Objective

### Terminal - Linux Path

#### Challenge

I find SugarPlum Mary in the room off the left side of the quad, between the NetWars and Speak Unpreparedness Room:

Oh me oh my - I need some help!

I need to review some files in my Linux terminal, but I can’t get a file listing.

I know the command is ls, but it’s really acting up.

Do you think you could help me out? As you work on this, think about these questions:

1. Do the words in green have special significance?
2. How can I find a file with a specific name?
3. What happens if there are multiple executables with the same name in my $PATH?

Going into the terminal, I’ve got a prompt (preceded by an ASCII-art banner):

```
I need to list files in my home/
To check on project logos
But what I see with ls there,
Are quotes from desert hobos...

which piece of my command does fail?
I surely cannot find it.
Make straight my path and locate that-
I'll praise your skill and sharp wit!

Get a listing (ls) of your current directory.
elf@81110c98cc25:~$
```


#### Solution

Running ls doesn’t list the files as expected:

```
elf@81110c98cc25:~$ ls
This isn't the ls you're looking for
```

I can use which to identify the location of the command that will actually run. If there are multiple binaries with the same name in my PATH, it shows the first one found in PATH order, which is also the one the shell executes. On a typical Linux distro, ls will be in /usr/bin or /bin. For example, on my Kali VM:

```
root@kali# which ls
/usr/bin/ls
```

But in this terminal, it’s different:

```
elf@81110c98cc25:~$ which ls
/usr/local/bin/ls
```


I can see that’s just a bash script that echoes out the message I got earlier:

```
elf@81110c98cc25:~$ cat /usr/local/bin/ls
#!/bin/bash
echo -e $'This isn\'t the ls you\'re looking for'
```


One tool that comes to mind is locate, but it ends up not being that helpful here. First, locate matches *[input]* by default, so running locate ls returns a huge amount of output: anything with ls anywhere in its path. I can eliminate that behavior by running locate '\ls', but then I get this:

```
elf@82aaea9e07af:~$ locate '\ls'
locate: warning: database '/var/cache/locate/locatedb' is more than 8 days old (actual age is 33.1 days)
```

The DB is out of date. I can try updatedb, but it seems I lack permission:

```
elf@82aaea9e07af:~$ updatedb
/usr/bin/updatedb: 320: /usr/bin/updatedb: cannot create /var/cache/locate/locatedb.n: Permission denied
/usr/bin/find: '/root': Permission denied
/usr/bin/find: '/var/cache/apt/archives/partial': Permission denied
/usr/bin/find: '/var/cache/ldconfig': Permission denied
/usr/bin/find: '/var/lib/apt/lists/partial': Permission denied
/usr/bin/find: '/etc/ssl/private': Permission denied
Failed to generate /var/cache/locate/locatedb.n
```


A better alternative is find, which walks the filesystem directly and needs no database. I can build a command to locate all files named ls on this host. The options I’ll use are:

• find - run find
• / - search from the system root
• -name ls - for files named ls
• 2>/dev/null - get rid of any error messages; there would be a lot since I’m not a root user, and therefore there are a lot of directories I can’t access

The result shows two binaries:

```
elf@81110c98cc25:~$ find / -name ls 2>/dev/null
/usr/local/bin/ls
/bin/ls
```

I can run /bin/ls to complete the challenge:

```
elf@81110c98cc25:~$ /bin/ls
' '   rejected-elfu-logos.txt
You did it! Congratulations!
```
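The challenge hinges on PATH lookup order: the shell runs the first matching executable and silently ignores the rest, so a copy planted earlier in PATH shadows the real one. As an added example (not part of the original writeup or the challenge's own code), the script below walks a PATH string in order and prints every executable with a given name, so a shadowed binary is visible rather than hidden the way it was here. The function names (path_matches, shadow_count, first_match, demo_setup) and the temporary demo directories are my own constructions; they mirror the /usr/local/bin/ls versus /bin/ls layout above.

```shell
#!/bin/sh
# Added example, not from the original writeup: list every executable named
# NAME along each directory of a PATH string, in lookup order. The first line
# printed is what the shell would run; any later lines are shadowed copies
# that deserve a look (compare with `type -a NAME` in bash).

# path_matches NAME [PATH_STRING]  -> one matching path per line, in PATH order
path_matches() {
    name=$1
    searchpath=${2:-$PATH}
    oldifs=$IFS
    IFS=:
    for dir in $searchpath; do
        # An empty PATH element means the current directory.
        if [ -z "$dir" ]; then dir=.; fi
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            printf '%s\n' "$dir/$name"
        fi
    done
    IFS=$oldifs
}

# shadow_count NAME [PATH_STRING] -> number of candidates; more than 1 means shadowing
shadow_count() {
    path_matches "$1" "$2" | wc -l | tr -d ' '
}

# first_match NAME [PATH_STRING] -> the single path the shell would execute
first_match() {
    path_matches "$1" "$2" | head -n 1
}

# demo_setup -> prints a constructed temp root holding two "ls" scripts,
# modelled on the challenge (a decoy in local/bin shadowing the one in bin).
demo_setup() {
    demo=$(mktemp -d)
    mkdir -p "$demo/local/bin" "$demo/bin"
    printf '#!/bin/sh\necho "This is not the ls you are looking for"\n' > "$demo/local/bin/ls"
    printf '#!/bin/sh\necho "real ls"\n' > "$demo/bin/ls"
    chmod +x "$demo/local/bin/ls" "$demo/bin/ls"
    printf '%s\n' "$demo"
}

# Usage (interactive):
#   path_matches ls                                   # inspect the live $PATH
#   d=$(demo_setup); path_matches ls "$d/local/bin:$d/bin"; rm -rf "$d"
```

Running path_matches against the live PATH on a host is a cheap check to fold into a baseline: any command name that returns more than one line is worth explaining, and the one that returns first is the one users actually get.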


#### Hints

On solving, Bushy gives me a hint to look at DeepBlueCLI from Eric Conrad:

Oh there they are! Now I can delete them. Thanks!

Have you tried the Sysmon and EQL challenge?

If you aren’t familiar with Sysmon, Carlos Perez has some great info about it.

Haven’t heard of the Event Query Language?

Check out Ross Wolf’s talk at CircleCityCon.

### Objective Challenge

I’m given a link to a .zip file which contains a single file, sysmon-data.json. The hint references EQL, which is a useful query language for hunting in logs.

I’ll install eql with python3 -m pip install eql (I already had it installed). Now I can open the shell and load the log file:

```
root@kali# eql -f sysmon-data.json
===================
EQL SHELL
===================
Using file sysmon-data.json with 2626 events
type help to view more commands
eql>
```


I see it loaded 2626 events.

To find out what tool was used, I started by looking at the processes that were in the logs. I’ll tell EQL that I want queries to output the process name and path:

```
eql> table process_name, process_path
```


Now I’ll get a list of unique combinations of process name and path:

```
eql> search process where true | unique process_name,process_path
============================================================================
process_name     process_path
============================================================================
wevtutil.exe     C:\Windows\System32\wevtutil.exe
cmd.exe          C:\Windows\System32\cmd.exe
powershell.exe   C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe   C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
cmd.exe          C:\Windows\SysWOW64\cmd.exe
net.exe          C:\Windows\SysWOW64\net.exe
ntdsutil.exe     C:\Windows\System32\ntdsutil.exe
============================================================================
7 results found
```


The answer immediately jumped out: ntdsutil.exe. According to Microsoft documentation, ntdsutil.exe is a command line tool that provides management facilities for Active Directory. The binary is also listed on the MITRE ATT&CK page for Credential Dumping, because it can export the Active Directory database (NTDS.dit) that holds domain password hashes, which is why seeing it run outside of routine domain controller maintenance is worth investigating. Entering ntdsutil solves the challenge.
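The EQL step above (filter to process events, then collapse to unique process_name/process_path pairs) and the triage that followed (spotting ntdsutil.exe in the list) can both be reproduced outside the EQL shell, which is handy when a log set has to be checked on a box where eql is not installed. The following is an added example written for this writeup, not code from the challenge or from the EQL project. It assumes the normalized field names shown in the writeup's table (event_type, process_name, process_path); the sample events are constructed to resemble that table and are not the challenge's sysmon-data.json, and the watchlist parameter is my own addition.

```python
"""Added example (not from the original writeup): reproduce the EQL query
'search process where true | unique process_name, process_path' in plain
Python over Sysmon-style JSON, then flag process names on a watchlist."""
import json

# Constructed sample events. Field names are an assumption modelled on the
# columns in the writeup's EQL table; the 'file' event shows the type filter
# at work and the repeated cmd.exe shows the unique step collapsing it.
SAMPLE_JSON = json.dumps([
    {"event_type": "process", "process_name": "cmd.exe",
     "process_path": "C:\\Windows\\System32\\cmd.exe"},
    {"event_type": "process", "process_name": "powershell.exe",
     "process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"event_type": "process", "process_name": "cmd.exe",
     "process_path": "C:\\Windows\\System32\\cmd.exe"},
    {"event_type": "file", "process_name": "ntdsutil.exe",
     "process_path": "C:\\Windows\\System32\\ntdsutil.exe"},
    {"event_type": "process", "process_name": "ntdsutil.exe",
     "process_path": "C:\\Windows\\System32\\ntdsutil.exe"},
    {"event_type": "process", "process_name": "net.exe",
     "process_path": "C:\\Windows\\SysWOW64\\net.exe"},
])

# The same events as newline-delimited JSON, the other layout such dumps use.
SAMPLE_NDJSON = "\n".join(json.dumps(ev) for ev in json.loads(SAMPLE_JSON))


def load_events(text):
    """Parse either a JSON array of events or newline-delimited JSON objects."""
    text = text.strip()
    if text.startswith("["):
        return json.loads(text)
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def unique_processes(events, event_type="process"):
    """Return (process_name, process_path) pairs in first-seen order.

    Mirrors 'search <event_type> where true | unique process_name, process_path':
    events of other types are skipped and repeated pairs are collapsed."""
    seen = []
    for ev in events:
        if ev.get("event_type") != event_type:
            continue
        pair = (ev.get("process_name", ""), ev.get("process_path", ""))
        if pair not in seen:
            seen.append(pair)
    return seen


def flag_watchlist(pairs, watchlist=frozenset({"ntdsutil.exe"})):
    """Return the pairs whose process_name is on the watchlist (case-insensitive).

    The default watchlist holds only ntdsutil.exe, the binary the writeup
    identifies; extend it with whatever names your environment treats as
    noteworthy."""
    wanted = {name.lower() for name in watchlist}
    return [pair for pair in pairs if pair[0].lower() in wanted]


def format_table(pairs):
    """Render pairs in the two-column layout the EQL shell prints."""
    width = max([len("process_name")] + [len(name) for name, _ in pairs])
    lines = ["process_name".ljust(width) + "   process_path"]
    lines.extend(name.ljust(width) + "   " + path for name, path in pairs)
    lines.append(f"{len(pairs)} results found")
    return "\n".join(lines)


if __name__ == "__main__":
    procs = unique_processes(load_events(SAMPLE_JSON))
    print(format_table(procs))
    for name, path in flag_watchlist(procs):
        print(f"watchlist hit: {name} ({path})")
```

Keeping the unique step separate from the watchlist check matters: the unique list is what you read by eye when nothing on the watchlist fires (as the author did here), and the watchlist is what you automate once a name like ntdsutil.exe has been decided on.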