Holiday Hack 2019: Determine Compromised System
Objective
Link: elfu-zeeklogs.zip
Terminal - PowerShell
Challenge
I find Sparkle in the room off the left side of the quad, between the NetWars and Speak Unpreparedness Room:
I’m Sparkle Redberry and Imma chargin’ my laser!
Problem is: the settings are off.
Do you know any PowerShell?
It’d be GREAT if you could hop in and recalibrate this thing.
It spreads holiday cheer across the Earth …
… when it’s working!
When I visit the computer controlling the laser, there’s a PowerShell prompt on Linux:
WARNGING: ctrl + c restricted in this terminal - Do not use endless loops
Type exit to exit PowerShell.
PowerShell 6.2.3
Copyright (c) Microsoft Corporation. All rights reserved.
https://aka.ms/pscore6-docs
Type 'help' to get help.
🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲
🗲 🗲
🗲 Elf University Student Research Terminal - Christmas Cheer Laser Project 🗲
🗲 ------------------------------------------------------------------------------ 🗲
🗲 The research department at Elf University is currently working on a top-secret 🗲
🗲 Laser which shoots laser beams of Christmas cheer at a range of hundreds of 🗲
🗲 miles. The student research team was successfully able to tweak the laser to 🗲
🗲 JUST the right settings to achieve 5 Mega-Jollies per liter of laser output. 🗲
🗲 Unfortunately, someone broke into the research terminal, changed the laser 🗲
🗲 settings through the Web API and left a note behind at /home/callingcard.txt. 🗲
🗲 Read the calling card and follow the clues to find the correct laser Settings. 🗲
🗲 Apply these correct settings to the laser using it's Web API to achieve laser 🗲
🗲 output of 5 Mega-Jollies per liter. 🗲
🗲 🗲
🗲 Use (Invoke-WebRequest -Uri http://localhost:1225/).RawContent for more info. 🗲
🗲 🗲
🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲
PS /home/elf>
Solution
I’ll start with the calling card file left by the intruder:
PS /> get-content /home/callingcard.txt
What's become of your dear laser?
Fa la la la la, la la la la
Seems you can't now seem to raise her!
Fa la la la la, la la la la
Could commands hold riddles in hist'ry?
Fa la la la la, la la la la
Nay! You'll ever suffer myst'ry!
Fa la la la la, la la la la
The hint in there is about the history. There are a few ways to check history. I can check the PowerShell history, which typically lives under AppData\Local on Windows, but which I'll find under .local on Linux. Unfortunately, it seems to have started with my session:
PS /> Get-Content /home/elf/.local/share/powershell/PSReadLine/ConsoleHost_history.txt
Get-Content /home/callingcard.txt
Get-Content ./.local/share/powershell/PSReadLine/ConsoleHost_history.txt
There's no .bash_history file in the only home directory:
PS /> Get-ChildItem -Force /home/elf
Directory: /home/elf
Mode LastWriteTime Length Name
---- ------------- ------ ----
d--h-- 12/24/19 4:27 PM .cache
d--h-- 12/24/19 4:27 PM .local
d-r--- 12/13/19 5:15 PM depths
---h-- 4/4/18 6:30 PM 220 .bash_logout
---h-- 4/4/18 6:30 PM 3771 .bashrc
---h-- 4/4/18 6:30 PM 807 .profile
--r--- 12/13/19 4:29 PM 2029 motd
But when I run Get-History, I see two things: the correct value for the angle (in item 7), and a clue:
PS /> Get-History
Id CommandLine
-- -----------
1 Get-Help -Name Get-Process
2 Get-Help -Name Get-*
3 Set-ExecutionPolicy Unrestricted
4 Get-Service | ConvertTo-HTML -Property Name, Status > C:\services.htm
5 Get-Service | Export-CSV c:\service.csv
6 Get-Service | Select-Object Name, Status | Export-CSV c:\service.csv
7 (Invoke-WebRequest http://127.0.0.1:1225/api/angle?val=65.5).RawContent
8 Get-EventLog -Log "Application"
9 I have many name=value variables that I share to applications system wide. At a command…
10 Get-Content /home/callingcard.txt
11 Get-Content ./.local/share/powershell/PSReadLine/ConsoleHost_history.txt
12 Get-ChildItem -Force
Item 9 is interesting. I’ll get the full command, and it provides the next step:
PS /> Get-History -id 9 | Format-List -Property *
Id : 9
CommandLine : I have many name=value variables that I share to applications system wide. At a command I will reveal my secrets once you Get my Child Items.
ExecutionStatus : Completed
StartExecutionTime : 11/29/19 4:57:16 PM
EndExecutionTime : 11/29/19 4:57:16 PM
Duration : 00:00:00.6090308
That's clearly a reference to environment variables. In PowerShell, I can switch to the virtual drive Env:/ and then use Get-ChildItem (or gci) to see what's there:
PS /> cd env:
PS Env:/> gci
Name Value
---- -----
_ /bin/su
DOTNET_SYSTEM_GLOBALIZATION_I… false
HOME /home/elf
HOSTNAME f96310ac76d0
LANG en_US.UTF-8
LC_ALL en_US.UTF-8
LOGNAME elf
MAIL /var/mail/elf
PATH /opt/microsoft/powershell/6:/usr/local/sbin:/usr/local/bin:/u…
PSModuleAnalysisCachePath/var/cache/microsoft/powershell/PSModuleAnalysisCache/ModuleA…
PSModulePath /home/elf/.local/share/powershell/Modules:/usr/local/share/po…
PWD /home/elf
RESOURCE_ID 6ef39372-aa62-463c-8f20-c5e62b2d2ae4
riddle Squeezed and compressed I am hidden away. Expand me from my p…
SHELL /home/elf/elf
SHLVL 1
TERM xterm
USER elf
USERDOMAIN laserterminal
userdomain laserterminal
USERNAME elf
username elf
There's a variable named riddle, and the value is truncated. I'll use the same trick as before:
PS Env:/> gci ./riddle | Format-List -Property value
Value : Squeezed and compressed I am hidden away. Expand me from my prison and I will show
you the way. Recurse through all /etc and Sort on my LastWriteTime to reveal im the
newest of all.
The way that LastWriteTime is written in the riddle is a hint. I can use gci to get all the files in /etc and sort by LastWriteTime to get the most recent one. Ignoring the error about a path I can't access, I see that "Expand me from my prison" was also a clue:
PS /> gci -Recurse /etc | sort LastWriteTime | select -Last 1
gci : Access to the path '/etc/ssl/private' is denied.
At line:1 char:1
+ gci -Recurse | sort LastWriteTime | select -Last 1
+ ~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (/etc/ssl/private:String) [Get-ChildItem], Unautho
rizedAccessException
+ FullyQualifiedErrorId : DirUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetChildIte
mCommand
Directory: /etc/apt
Mode LastWriteTime Length Name
---- ------------- ------ ----
--r--- 12/24/19 4:27 PM 5662902 archive
I can extract the files from the archive with Expand-Archive. There were some errors generated, but when I set the output directory explicitly, I got what I needed:
PS /> Expand-Archive /etc/apt/archive -DestinationPath /home/elf
PS /> gci /home/elf
Directory: /home/elf
Mode LastWriteTime Length Name
---- ------------- ------ ----
d-r--- 12/13/19 5:15 PM depths
d----- 12/24/19 5:21 PM refraction
--r--- 12/13/19 4:29 PM 2029 motd
PS /> gci -Recurse /home/elf/refraction/
Directory: /home/elf/refraction
Mode LastWriteTime Length Name
---- ------------- ------ ----
------ 11/7/19 11:57 AM 134 riddle
------ 11/5/19 2:26 PM 5724384 runme.elf
I'll start with runme.elf. An ELF file is a Linux executable. I can try to run it, but it throws an error:
PS /home/elf/refraction> ./runme.elf
Program 'runme.elf' failed to run: No such file or directoryAt line:1 char:1
+ ./runme.elf
+ ~~~~~~~~~~~.
At line:1 char:1
+ ./runme.elf
+ ~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (:) [], ApplicationFailedException
+ FullyQualifiedErrorId : NativeCommandFailed
The execute permission on the file isn't set. On Linux, I set that with chmod. Then I can run the file and get the refraction value:
PS /home/elf/refraction> chmod +x ./runme.elf
PS /home/elf/refraction> ./runme.elf
refraction?val=1.867
Now continue with riddle:
PS /> Get-Content /home/elf/refraction/riddle
Very shallow am I in the depths of your elf home. You can find my entity by using my md5 identity:
25520151A320B5B0D21561F92C8F6224
There is a depths directory in the elf home directory. I can do this search in a few steps in a pipeline. First, I'll use Get-ChildItem with -File to only get files (not directories) and -Recurse to descend into subdirectories. I'll pipe that to Get-FileHash with the -Algorithm MD5 flag. That goes into a Where-Object to keep only the object whose hash matches the one I'm looking for. Then, when an object comes out of that, I'll pipe it into select Path so that I get the file path:
PS /> Get-ChildItem -File -Recurse /home/elf/depths | Get-FileHash -Algorithm MD5 | Where-Object Hash -eq 25520151A320B5B0D21561F92C8F6224 | select Path
Path
----
/home/elf/depths/produce/thhy5hll.txt
The content is the desired temperature, as well as another riddle:
PS /> Get-Content /home/elf/depths/produce/thhy5hll.txt
temperature?val=-33.5
I am one of many thousand similar txt's contained within the deepest of /home/elf/depths. Finding me will give you the most strength but doing so will require Piping all the FullName's to Sort Length.
I found a bit of code on StackExchange that showed how to do this. I just needed to change name to fullname. It gets all the files and directories in /home/elf/depths, and for each, it uses Select to keep two fields: the fullName, and a calculated field NameLength that I create which is equal to the length of fullName. Then I sort based on NameLength, and select the last item:
PS /> gci -Recurse /home/elf/depths/ | Select fullName,@{Name="NameLength";Expression={$_.fullname.length}} | sort namelength | select -last 1 | Format-List
FullName : /home/elf/depths/larger/cloud/behavior/beauty/enemy/produce/age/chair/unknown/es
cape/vote/long/writer/behind/ahead/thin/occasionally/explore/tape/wherever/pract
ical/therefore/cool/plate/ice/play/truth/potatoes/beauty/fourth/careful/dawn/adu
lt/either/burn/end/accurate/rubbed/cake/main/she/threw/eager/trip/to/soon/think/
fall/is/greatest/become/accident/labor/sail/dropped/fox/0jhj5xz6.txt
NameLength : 388
That’s quite a name. I can get the contents:
PS /> Get-Content /home/elf/depths/larger/cloud/behavior/beauty/enemy/produce/age/chair/unknown/escape/vote/long/writer/behind/ahead/thin/occasionally/explore/tape/wherever/practical/therefore/cool/plate/ice/play/truth/potatoes/beauty/fourth/careful/dawn/adult/either/burn/end/accurate/rubbed/cake/main/she/threw/eager/trip/to/soon/think/fall/is/greatest/become/accident/labor/sail/dropped/fox/0jhj5xz6.txt
Get process information to include Username identification. Stop Process to show me you're skilled and in this order they must be killed:
bushy
alabaster
minty
holly
Do this for me and then you /shall/see .
I can run Get-Process with the -IncludeUserName flag to see the processes and the users, and there are sleep processes running as each of the users named above:
PS /> Get-Process -IncludeUserName
WS(M) CPU(s) Id UserName ProcessName
----- ------ -- -------- -----------
26.98 0.36 6 root CheerLaserServi
120.33 2.62 31 elf elf
3.30 0.03 1 root init
0.71 0.00 23 bushy sleep
0.80 0.00 26 alabaster sleep
0.71 0.00 27 minty sleep
0.72 0.00 29 holly sleep
3.30 0.00 30 root su
I can also see that there's nothing in the /shall directory:
PS /> gci -Force /shall/
I'll kill the processes in the order described above (the process ids change on each load):
PS /> Stop-Process -id 23; Stop-Process -id 26; Stop-Process -id 27; Stop-Process -id 29
Now, there's a see file in /shall/:
PS /> gci -Force /shall/
Directory: /shall
Mode LastWriteTime Length Name
---- ------------- ------ ----
--r--- 12/24/19 5:55 PM 149 see
It contains the next step in the riddle:
PS /> Get-Content /shall/see
Get the .xml children of /etc - an event log to be found. Group all .Id's and the last thing will be in the Properties of the lonely unique event Id.
I'll find the event log file using Get-ChildItem with flags to only return .xml files:
PS /> Get-ChildItem -Path /etc/ -Recurse -File -Filter *.xml -ErrorAction SilentlyContinue
Directory: /etc/systemd/system/timers.target.wants
Mode LastWriteTime Length Name
---- ------------- ------ ----
--r--- 11/18/19 7:53 PM 10006962 EventLog.xml
I can read the file in as xml:
PS /> [xml]$log = Get-Content /etc/systemd/system/timers.target.wants/EventLog.xml
Now I can reference parts of it:
PS /> $log
Objs
----
Objs
PS /> $log.Objs
Version xmlns Obj
------- ----- ---
1.1.0.1 http://schemas.microsoft.com/powershell/2004/04 {Obj, Obj, Obj, Obj…}
After some playing around with the data format, I was able to get a histogram of the log ids:
PS /> $log.objs.obj.props.I32 | where N -eq 'Id' | Group-Object -Property '#text' -NoElement
Count Name
----- ----
1 1
39 2
179 3
2 4
905 5
98 6
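The same grouping, done outside PowerShell, as an added example (this is not code from the original writeup or the challenge). It parses a constructed CLIXML sample with the same Objs/Obj/Props/I32 N="Id" layout as the challenge file, undoes the _xHHHH_ escaping CLIXML applies to CR/LF inside <S> values, builds the Id histogram, isolates the record with the lonely Id, and splits its Sysmon message into Key: value fields. The sample records are trimmed to Message and Id and their contents are constructed; the real file carries every EventLogRecord property.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Namespace PowerShell uses for CLIXML serialization (seen in the challenge file's xmlns).
PS_NS = {"ps": "http://schemas.microsoft.com/powershell/2004/04"}


def _record(event_id, *message_lines):
    """Build one serialized record, trimmed to Message and Id.
    CLIXML escapes characters such as CR/LF inside <S> as _xHHHH_."""
    msg = "_x000D__x000A_".join(message_lines)
    return f'<Obj><Props><S N="Message">{msg}</S><I32 N="Id">{event_id}</I32></Props></Obj>'


# Constructed CLIXML sample (not the challenge file): six records, one lonely Id.
SAMPLE_CLIXML = (
    '<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">'
    + _record(3, "Network connection detected:", "RuleName: ", "DestinationPort: 123")
    + _record(5, "File created:", "RuleName: ", r"TargetFilename: C:\Windows\Temp\a.tmp")
    + _record(5, "File created:", "RuleName: ", r"TargetFilename: C:\Windows\Temp\b.tmp")
    + _record(1, "Process Create:", "RuleName: ",
              r"Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -c '
              r'"`$correct_gases_postbody = @{`n O=6`n H=7`n He=3`n N=4`n Ne=22`n '
              r'Ar=11`n Xe=10`n F=20`n Kr=8`n Rn=9`n}`n"',
              r"User: ELFURESEARCH\allservices")
    + _record(3, "Network connection detected:", "RuleName: ", "DestinationPort: 443")
    + _record(5, "File created:", "RuleName: ", r"TargetFilename: C:\Windows\Temp\c.tmp")
    + "</Objs>"
)


def decode_clixml_text(value):
    """Undo CLIXML's _xHHHH_ escaping (CR/LF and other control characters)."""
    return re.sub(r"_x([0-9A-Fa-f]{4})_", lambda m: chr(int(m.group(1), 16)), value or "")


def parse_records(clixml_text):
    """Return one dict per <Obj>, keeping its <S> and <I32> properties by their N attribute."""
    root = ET.fromstring(clixml_text)
    records = []
    for props in root.iterfind("ps:Obj/ps:Props", PS_NS):
        rec = {}
        for child in props:
            local_name = child.tag.rsplit("}", 1)[-1]  # strip the namespace prefix
            if local_name == "I32":
                rec[child.get("N")] = int(child.text)
            elif local_name == "S":
                rec[child.get("N")] = decode_clixml_text(child.text)
        records.append(rec)
    return records


def id_histogram(records):
    """Equivalent of: where N -eq 'Id' | Group-Object -Property '#text' -NoElement."""
    return Counter(r["Id"] for r in records)


def lonely_records(records):
    """Records whose Id occurs exactly once: the riddle's 'lonely unique event Id'."""
    counts = id_histogram(records)
    return [r for r in records if counts[r["Id"]] == 1]


def sysmon_fields(message):
    """Split a decoded Sysmon message into a dict. The first line names the event
    type; each following line is 'Key: value', so split on the first colon only
    (paths such as C:\\Windows contain further colons)."""
    lines = message.splitlines()
    fields = {"EventType": lines[0].rstrip(":")}
    for line in lines[1:]:
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


if __name__ == "__main__":
    recs = parse_records(SAMPLE_CLIXML)
    for event_id, count in sorted(id_histogram(recs).items()):
        print(f"{count:>5} {event_id}")
    for rec in lonely_records(recs):
        print(sysmon_fields(rec["Message"])["CommandLine"])
```

The namespace matters: ElementTree reports tags as {namespace}Obj, so the lookup has to use the powershell/2004/04 URI or the find will silently return nothing, which is the same reason the PowerShell [xml] cast needs the Objs.Obj.Props path walked explicitly.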
But there's a better way to read this XML. The Objs/Obj schema and the powershell/2004/04 namespace mark it as PowerShell's CLIXML serialization format, so Import-Clixml deserializes it back into objects with named properties:
PS /> $log = Import-Clixml /etc/systemd/system/timers.target.wants/EventLog.xml
PS /> $log[0]
Message : Network connection detected:
RuleName:
UtcTime: 2019-11-07 17:51:21.083
ProcessGuid: {BA5C6BBB-4C7A-5DC4-0000-0010F4540100}
ProcessId: 1068
Image: C:\Windows\System32\svchost.exe
User: NT AUTHORITY\LOCAL SERVICE
Protocol: udp
Initiated: true
SourceIsIpv6: false
SourceIp: 192.168.1.150
SourceHostname: elfuresearch.localdomain
SourcePort: 123
SourcePortName: ntp
DestinationIsIpv6: false
DestinationIp: 13.86.101.172
DestinationHostname:
DestinationPort: 123
DestinationPortName: ntp
Id : 3
Version : 5
Qualifiers :
Level : 4
Task : 3
Opcode : 0
Keywords : -9223372036854775808
RecordId : 2194
ProviderName : Microsoft-Windows-Sysmon
ProviderId : 5770385f-c22a-43e0-bf4c-06f5698ffbd9
LogName : Microsoft-Windows-Sysmon/Operational
ProcessId : 1960
ThreadId : 6648
MachineName : elfuresearch
UserId : S-1-5-18
TimeCreated : 11/7/19 5:51:22 PM
ActivityId :
RelatedActivityId :
ContainerLog : microsoft-windows-sysmon/operational
MatchedQueryIds : {}
Bookmark : System.Diagnostics.Eventing.Reader.EventBookmark
LevelDisplayName : Information
OpcodeDisplayName : Info
TaskDisplayName : Network connection detected (rule: NetworkConnect)
KeywordsDisplayNames : {}
Properties : {System.Diagnostics.Eventing.Reader.EventProperty,
System.Diagnostics.Eventing.Reader.EventProperty,
System.Diagnostics.Eventing.Reader.EventProperty,
System.Diagnostics.Eventing.Reader.EventProperty…}
I can get the same histogram:
PS /> $log | Group-Object -Property Id -NoElement
Count Name
----- ----
1 1
39 2
179 3
2 4
905 5
98 6
ID 1 only has one log. So now I can find the log I want:
PS /> $log | where {$_.id -eq 1} | select message | format-list
Message : Process Create:
RuleName:
UtcTime: 2019-11-07 17:59:56.525
ProcessGuid: {BA5C6BBB-5B9C-5DC4-0000-00107660A900}
ProcessId: 3664
FileVersion: 10.0.14393.206 (rs1_release.160915-0644)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -c
"`$correct_gases_postbody = @{`n O=6`n H=7`n He=3`n N=4`n Ne=22`n
Ar=11`n Xe=10`n F=20`n Kr=8`n Rn=9`n}`n"
CurrentDirectory: C:\
User: ELFURESEARCH\allservices
LogonGuid: {BA5C6BBB-5B9C-5DC4-0000-0020F55CA900}
LogonId: 0xA95CF5
TerminalSessionId: 0
IntegrityLevel: High
Hashes: MD5=097CE5761C89434367598B34FE32893B
ParentProcessGuid: {BA5C6BBB-4C79-5DC4-0000-001029350100}
ParentImage: C:\Windows\System32\svchost.exe
ParentCommandLine: C:\Windows\system32\svchost.exe -k netsvcs
I see the answer in the form of a PowerShell command that creates a variable holding a hashtable of gases and their amounts. I can load that variable into my environment by evaluating the same string with iex (Invoke-Expression):
PS /home/elf> iex "`$correct_gases_postbody = @{`n O=6`n H=7`n He=3`n N=4`n Ne=22`n Ar=11`n Xe=10`n F=20`n Kr=8`n Rn=9`n}`n"
PS /> $correct_gases_postbody
Name Value
---- -----
Kr 8
Xe 10
N 4
He 3
Ne 22
Ar 11
H 7
O 6
Rn 9
F 20
Now I have all the information I need to set the laser. I’ll check the output to start, and it comes up short:
PS /> (Invoke-WebRequest -Uri http://localhost:1225/api/output).Content
Failure - Only 2.49 Mega-Jollies of Laser Output Reached!
I’ll update the values:
PS /> (Invoke-WebRequest -Uri http://localhost:1225/api/refraction?val=1.867).Content
Updated Lense Refraction Level - Check /api/output if 5 Mega-Jollies per liter reached.
PS /> (Invoke-WebRequest -Uri http://localhost:1225/api/temperature?val=-33.5).Content
Updated Laser Temperature - Check /api/output if 5 Mega-Jollies per liter reached.
PS /> (Invoke-WebRequest -Uri http://localhost:1225/api/angle?val=65.5).Content
Updated Mirror Angle - Check /api/output if 5 Mega-Jollies per liter reached.
PS /> (Invoke-WebRequest -Uri http://localhost:1225/api/gas -Method POST -Body $correct_gases_postbody).Content
Updated Gas Measurements - Check /api/output if 5 Mega-Jollies per liter reached.
Unfortunately, I still didn’t have 5 Mega-Jollies:
PS /> (Invoke-WebRequest -Uri http://localhost:1225/api/output).Content
Failure - Only 3.88 Mega-Jollies of Laser Output Reached!
I was stumped for a couple minutes, but then I tried turning it off and back on again, and it worked, and the challenge was solved:
PS /> (Invoke-WebRequest -Uri http://localhost:1225/api/off).Content
Christmas Cheer Laser Powered Off
PS /> (Invoke-WebRequest -Uri http://localhost:1225/api/on).Content
Christmas Cheer Laser Powered On
PS /> (Invoke-WebRequest -Uri http://localhost:1225/api/output).Content
Success! - 5.76 Mega-Jollies of Laser Output Reached!
Hints
On solving, Sparkle gives me a hint to use Rita to look at the Zeek logs:
You got it - three cheers for cheer!
For objective 5, have you taken a look at our Zeek logs?
Something’s gone wrong. But I hear someone named Rita can help us.
Can you and she figure out what happened?
Objective Challenge
I'm given a link to a .zip file which contains a folder with almost 900 Zeek logs. Zeek (formerly Bro) is a framework for analyzing network traffic. It summarizes network traffic into a series of logs that can be analyzed.
Installing Rita
Rita (Real Intelligence Threat Analytics) is a tool from Active Countermeasures that ingests Zeek logs and provides a bunch of analytics to look for patterns of known or potential badness. The README.md on their GitHub page has detailed installation instructions via several different methods. I pulled up my Security Onion VM and ran the commands to install Rita:
oxdf@seco:~$ wget https://raw.githubusercontent.com/activecm/rita/master/install.sh
--2019-12-29 17:09:18-- https://raw.githubusercontent.com/activecm/rita/master/install.sh
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.248.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.248.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 19239 (19K) [text/plain]
Saving to: ‘install.sh’
install.sh 100%[===================>] 18.79K --.-KB/s in 0.02s
2019-12-29 17:09:18 (1.18 MB/s) - ‘install.sh’ saved [19239/19239]
oxdf@seco:~$ sudo bash ./install.sh
[sudo] password for oxdf:
_ \ _ _| __ __| \
/ | | _ \
_|_\ ___| _| _/ _\ v3.1.1
Brought to you by Active CounterMeasures
[-] In order to run the installer, several basic packages must be installed.
[-] Updating packages... SUCCESS
[-] Ensuring curl is installed... SUCCESS
[-] Ensuring coreutils is installed... SUCCESS
[-] Ensuring lsb-release is installed... SUCCESS
[-] Ensuring yum-utils is installed... SUCCESS
[-] This installer will:
[-] Install MongoDB
[-] Install RITA to /usr/local/bin/rita
[-] Create a runtime directory for RITA in /var/lib/rita
[-] Create a configuration directory for RITA in /etc/rita
[-] Bro IDS is already installed
If you need to check or change your network interfaces, please do so now
by switching to a different terminal and making any changes. Please note
that any interfaces you would like to use for packet capture must be up
and configured before you continue. When the interfaces are ready,
please return to this terminal.
Would you like to continue running the Bro configuration script?
You might answer no if you know you have already created a working
node.cfg and do not wish to replace it. Otherwise we recommend
continuing with this script.
(y/n)?y
Continuing, all requirements met
This system has 1 cores.
The potentially sniffable interface is: enp0s3
Here are the stats for enp0s3
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
link/ether 08:00:27:cc:ed:87 brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
106740 397 0 0 0 0
TX: bytes packets errors dropped carrier collsns
35022 375 0 0 0 0
Would you like to include it as a sniff interface (y/n)?n
This configuration has no sniff interfaces, so bro will not be able to run. Exiting bro configuration script.
[!] Automatic Bro configuration failed.
[!] Please edit /opt/bro/etc/node.cfg and run
[!] 'sudo broctl deploy' to start Bro.
[!] Pausing for 20 seconds before continuing.
[!] Adding Bro IDS to the path in /etc/profile.d/bro-path.sh
[-] Installing MongoDB... SUCCESS
[!] Starting MongoDB and enabling on startup.
Created symlink from /etc/systemd/system/multi-user.target.wants/mongod.service to /lib/systemd/system/mongod.service.
[!] Starting MongoDB process completed.
[!] You can access the MongoDB shell with 'mongo'.
[!] If you need to stop MongoDB,
[!] run 'sudo systemctl stop mongod'.
[-] Installing RITA... SUCCESS
[!] To finish the installation, reload the system profile with
[!] 'source /etc/profile'.
_ \ _ _| __ __| \
/ | | _ \
_|_\ ___| _| _/ _\ v3.1.1
Brought to you by Active CounterMeasures
Thank you for installing RITA! Happy hunting!
I edited /etc/rita/config.yaml to uncomment the existing example InternalSubnets (Rita uses this list to decide which hosts count as internal):
InternalSubnets:
  - 10.0.0.0/8     # Private-Use Networks RFC 1918
  - 172.16.0.0/12  # Private-Use Networks RFC 1918
  - 192.168.0.0/16 # Private-Use Networks RFC 1918
Running Rita
Now I can run the import command, point it at my logs, and name the dataset hhc19:
root@seco:/mnt/hhc19/5# rita import elfu-zeeklogs/ hhc19
[+] Importing [elfu-zeeklogs/]:
[-] Verifying log files have not been previously parsed into the target dataset ...
[-] Parsing logs to: hhc19 ...
[-] Parsing elfu-zeeklogs/conn.log-00001_20190823120021.log -> hhc19
[-] Parsing elfu-zeeklogs/conn.log-00002_20190823121227.log -> hhc19
[-] Parsing elfu-zeeklogs/conn.log-00003_20190823122444.log -> hhc19
[-] Parsing elfu-zeeklogs/conn.log-00004_20190823123904.log -> hhc19
...[snip]...
[-] Parsing elfu-zeeklogs/ssl.log-00094_20190824085227.log -> hhc19
[-] Parsing elfu-zeeklogs/ssl.log-00095_20190824090519.log -> hhc19
[-] Parsing elfu-zeeklogs/ssl.log-00096_20190824091651.log -> hhc19
[-] Host Analysis: 41993 / 41993 [==================] 100 %
[-] Uconn Analysis: 115915 / 115915 [==================] 100 %
[-] Exploded DNS Analysis: 47836 / 47836 [==================] 100 %
[-] Hostname Analysis: 47836 / 47836 [==================] 100 %
[-] Beacon Analysis: 115915 / 115915 [==================] 100 %
[-] UserAgent Analysis: 6 / 6 [==================] 100 %
[!] No certificate data to analyze
[-] Updating blacklisted peers ...
[-] Indexing log entries ...
[-] Updating metadatabase ...
[-] Done!
The simplest way to look at the data when you're not exactly sure what you're looking for is to run html-report:
root@seco:/mnt/hhc19/5# rita html-report
[-] Writing: /mnt/hhc19/5/hhc19/hhc19
[-] Wrote outputs, check /mnt/hhc19/5/hhc19 for files
Report Analysis
Now I can open the resulting index.html in Firefox. On the Beacons tab, the entry with the highest score shows 7660 connections at a steady interval of every 10 seconds. The infected host is 192.168.134.130. When I enter that, I complete the challenge.
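To show what the Beacons tab is scoring, here is an added example (my own code, not Rita's implementation and not part of the original writeup) of a simplified beacon score over Zeek conn.log records: connections are grouped by source and destination host, and each pair is scored on how clock-like its inter-connection intervals are (Bowley skew and median absolute deviation of the intervals, plus how close the connection count comes to one connection per median interval over the observed span). Rita's real module combines similar signals with different weighting, so treat this as an approximation. The conn.log excerpt is constructed: 192.168.134.130 is reused as the beaconing host for illustration, but the destination 203.0.113.10, the second host, the timestamps and the uids are all made up.

```python
"""Simplified beacon scoring over Zeek conn.log (approximation of the idea
behind RITA's beacon analysis, not its algorithm). All input is constructed."""
import statistics
from collections import defaultdict

# Constructed 12-column conn.log layout. Real files carry more columns, but the
# parser reads the #fields header, so the exact column set does not matter.
CONN_FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
               "proto", "service", "duration", "orig_bytes", "resp_bytes", "conn_state"]


def build_sample_conn_log():
    """Constructed conn.log: one host calling out every 10 s, one host browsing irregularly."""
    lines = ["#separator \\x09", "#set_separator\t,", "#empty_field\t(empty)",
             "#unset_field\t-", "#path\tconn", "#fields\t" + "\t".join(CONN_FIELDS)]

    def row(ts, uid, orig, resp):
        return "\t".join([f"{ts:.6f}", uid, orig, "49200", resp, "443", "tcp", "ssl",
                          "0.512000", "312", "1024", "SF"])

    base = 1566561621.0  # 2019-08-23, the date in the challenge's log file names
    for i in range(30):  # beacon: exactly 10 s apart
        lines.append(row(base + 10 * i, f"Cb{i:04d}", "192.168.134.130", "203.0.113.10"))
    ts = base
    for i, gap in enumerate([3, 47, 1, 120, 9, 60, 300, 5, 33]):  # human-like gaps
        ts += gap
        lines.append(row(ts, f"Cn{i:04d}", "192.168.134.131", "198.51.100.5"))
    lines.append("#close\t2019-08-23-12-12-27")
    return "\n".join(lines) + "\n"


def parse_conn_log(text):
    """Parse Zeek TSV conn.log into dicts keyed by the names in the #fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other header lines, #close, blanks
        elif fields:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def bowley_skew(values):
    """Quartile-based skew in [-1, 1]; 0 means the intervals are symmetric around the median."""
    q1, q2, q3 = statistics.quantiles(values, n=4)
    return 0.0 if q3 == q1 else (q3 + q1 - 2 * q2) / (q3 - q1)


def score_beacons(rows, min_connections=5):
    """Score each (orig, resp) pair; 1.0 means perfectly periodic with no gaps."""
    by_pair = defaultdict(list)
    for r in rows:
        by_pair[(r["id.orig_h"], r["id.resp_h"])].append(float(r["ts"]))
    results = []
    for (orig, resp), stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue  # too few connections to say anything about periodicity
        stamps.sort()
        intervals = [b - a for a, b in zip(stamps, stamps[1:])]
        median = statistics.median(intervals)
        madm = statistics.median(abs(x - median) for x in intervals)
        skew_score = 1.0 - abs(bowley_skew(intervals))
        madm_score = max(0.0, 1.0 - madm / median) if median else 0.0
        # connections expected if the host really fired once per median interval
        expected = (stamps[-1] - stamps[0]) / median if median else float("inf")
        count_score = min(1.0, len(stamps) / expected)
        results.append({"orig": orig, "resp": resp, "connections": len(stamps),
                        "median_interval": median,
                        "score": (skew_score + madm_score + count_score) / 3})
    return sorted(results, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for entry in score_beacons(parse_conn_log(build_sample_conn_log())):
        print(f"{entry['score']:.3f} {entry['orig']} -> {entry['resp']} "
              f"({entry['connections']} conns, every {entry['median_interval']:.1f}s)")
```

Pointing parse_conn_log at the real elfu-zeeklogs/conn.log-* files (concatenated) would rank the 10-second beacon first for the same reason Rita does: all three components reward a tight, symmetric interval distribution with no missed callbacks, while ordinary browsing produces wide, skewed gaps. The min_connections floor keeps one-off short bursts from scoring as perfect beacons.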
After solving this, I realized that there's an HTML Rita report included in the zip, in the ELFU directory. Running firefox elfu-zeeklogs/ELFU/index.html will get the same report!