Objective


Link: elfu-zeeklogs.zip

Terminal - PowerShell

Challenge

I find Sparkle in the room off the left side of the quad, between the NetWars and Speak Unpreparedness Room:


I’m Sparkle Redberry and Imma chargin’ my laser!

Problem is: the settings are off.

Do you know any PowerShell?

It’d be GREAT if you could hop in and recalibrate this thing.

It spreads holiday cheer across the Earth …

… when it’s working!

When I visit the computer controlling the laser, there’s a PowerShell prompt on Linux:

WARNGING: ctrl + c restricted in this terminal - Do not use endless loops
Type exit to exit PowerShell.
PowerShell 6.2.3
Copyright (c) Microsoft Corporation. All rights reserved.
https://aka.ms/pscore6-docs
Type 'help' to get help.
🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲
🗲                                                                                🗲
🗲 Elf University Student Research Terminal - Christmas Cheer Laser Project       🗲
🗲 ------------------------------------------------------------------------------ 🗲
🗲 The research department at Elf University is currently working on a top-secret 🗲
🗲 Laser which shoots laser beams of Christmas cheer at a range of hundreds of    🗲
🗲 miles. The student research team was successfully able to tweak the laser to   🗲
🗲 JUST the right settings to achieve 5 Mega-Jollies per liter of laser output.   🗲
🗲 Unfortunately, someone broke into the research terminal, changed the laser     🗲
🗲 settings through the Web API and left a note behind at /home/callingcard.txt.  🗲
🗲 Read the calling card and follow the clues to find the correct laser Settings. 🗲
🗲 Apply these correct settings to the laser using it's Web API to achieve laser  🗲
🗲 output of 5 Mega-Jollies per liter.                                            🗲
🗲                                                                                🗲
🗲 Use (Invoke-WebRequest -Uri http://localhost:1225/).RawContent for more info.  🗲
🗲                                                                                🗲
🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲 
PS /home/elf> 

Solution

I’ll start with the calling card file left by the intruder:

PS /> get-content /home/callingcard.txt
What's become of your dear laser?
Fa la la la la, la la la la
Seems you can't now seem to raise her!
Fa la la la la, la la la la
Could commands hold riddles in hist'ry?
Fa la la la la, la la la la
Nay! You'll ever suffer myst'ry!
Fa la la la la, la la la la

The hint in there is about the history. There are a few ways to check history. I can check the PSReadLine history file. On Windows that lives under %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine; on Linux it is under ~/.local/share/powershell/PSReadLine. Unfortunately, it only holds the commands from my own session:

PS /> Get-Content /home/elf/.local/share/powershell/PSReadLine/ConsoleHost_history.txt
Get-Content /home/callingcard.txt
Get-Content ./.local/share/powershell/PSReadLine/ConsoleHost_history.txt

There’s no .bash_history file in the only home directory:

PS /> Get-ChildItem -Force /home/elf
    Directory: /home/elf
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d--h--          12/24/19  4:27 PM                .cache
d--h--          12/24/19  4:27 PM                .local
d-r---          12/13/19  5:15 PM                depths
---h--            4/4/18  6:30 PM            220 .bash_logout
---h--            4/4/18  6:30 PM           3771 .bashrc
---h--            4/4/18  6:30 PM            807 .profile
--r---          12/13/19  4:29 PM           2029 motd

But Get-History reads the session’s in-memory command history rather than the PSReadLine file, and this session contains commands from before I logged in. When I run it, I see two things: the correct value for the angle (in item 7), and a clue:

PS /> Get-History
  Id CommandLine
  -- -----------
   1 Get-Help -Name Get-Process 
   2 Get-Help -Name Get-* 
   3 Set-ExecutionPolicy Unrestricted 
   4 Get-Service | ConvertTo-HTML -Property Name, Status > C:\services.htm 
   5 Get-Service | Export-CSV c:\service.csv 
   6 Get-Service | Select-Object Name, Status | Export-CSV c:\service.csv 
   7 (Invoke-WebRequest http://127.0.0.1:1225/api/angle?val=65.5).RawContent
   8 Get-EventLog -Log "Application" 
   9 I have many name=value variables that I share to applications system wide. At a command…
  10 Get-Content /home/callingcard.txt
  11 Get-Content ./.local/share/powershell/PSReadLine/ConsoleHost_history.txt
  12 Get-ChildItem -Force

Item 9 is interesting. I’ll get the full command, and it provides the next step:

PS /> Get-History -id 9 | Format-List -Property *
Id                 : 9
CommandLine        : I have many name=value variables that I share to applications system wide. At a command I will reveal my secrets once you Get my Child Items.
ExecutionStatus    : Completed
StartExecutionTime : 11/29/19 4:57:16 PM
EndExecutionTime   : 11/29/19 4:57:16 PM
Duration           : 00:00:00.6090308

That’s clearly a reference to environment variables. In PowerShell, I can switch to a virtual drive, Env:/ and then use Get-ChildItem (or gci) to see what’s there:

PS /> cd env: 
PS Env:/> gci
Name                           Value
----                           -----
_                              /bin/su
DOTNET_SYSTEM_GLOBALIZATION_I… false
HOME                           /home/elf
HOSTNAME                       f96310ac76d0
LANG                           en_US.UTF-8
LC_ALL                         en_US.UTF-8
LOGNAME                        elf
MAIL                           /var/mail/elf
PATH                           /opt/microsoft/powershell/6:/usr/local/sbin:/usr/local/bin:/u…
PSModuleAnalysisCachePath/var/cache/microsoft/powershell/PSModuleAnalysisCache/ModuleA…
PSModulePath                   /home/elf/.local/share/powershell/Modules:/usr/local/share/po…
PWD                            /home/elf
RESOURCE_ID                    6ef39372-aa62-463c-8f20-c5e62b2d2ae4
riddle                         Squeezed and compressed I am hidden away. Expand me from my p…
SHELL                          /home/elf/elf
SHLVL                          1
TERM                           xterm
USER                           elf
USERDOMAIN                     laserterminal
userdomain                     laserterminal
USERNAME                       elf
username                       elf

There’s a variable named riddle, and the value is truncated. I’ll use the same trick as before:

PS Env:/> gci ./riddle | Format-List -Property value
Value : Squeezed and compressed I am hidden away. Expand me from my prison and I will show 
        you the way. Recurse through all /etc and Sort on my LastWriteTime to reveal im the 
        newest of all.

The capitalization of LastWriteTime in the riddle is a hint at the property name. I can use gci to get all the files under /etc recursively, sort by LastWriteTime and take the last one (the most recent). The access-denied error for /etc/ssl/private can be ignored (or silenced with -ErrorAction SilentlyContinue); the result shows that “Expand me from my prison” was also a clue:

PS /> gci -Recurse /etc | sort LastWriteTime | select -Last 1
gci : Access to the path '/etc/ssl/private' is denied.
At line:1 char:1
+ gci -Recurse | sort LastWriteTime | select -Last 1
+ ~~~~~~~~~~~~
+ CategoryInfo          : PermissionDenied: (/etc/ssl/private:String) [Get-ChildItem], Unautho
rizedAccessException
+ FullyQualifiedErrorId : DirUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetChildIte
mCommand
 
    Directory: /etc/apt
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
--r---          12/24/19  4:27 PM        5662902 archive

I can extract the files from the archive. There were some errors generated, but I found when I set the output directory, I got what I needed:

PS /> Expand-Archive /etc/apt/archive -DestinationPath /home/elf
PS /> gci /home/elf

    Directory: /home/elf                                                                      
                                            
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-r---          12/13/19  5:15 PM                depths
d-----          12/24/19  5:21 PM                refraction
--r---          12/13/19  4:29 PM           2029 motd
PS /> gci -Recurse /home/elf/refraction/
    Directory: /home/elf/refraction
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
------           11/7/19 11:57 AM            134 riddle
------           11/5/19  2:26 PM        5724384 runme.elf

I’ll start with runme.elf. An ELF file is a Linux executable. I can try to run it, but it throws an error:

PS /home/elf/refraction> ./runme.elf         
Program 'runme.elf' failed to run: No such file or directoryAt line:1 char:1
+ ./runme.elf
+ ~~~~~~~~~~~.
At line:1 char:1
+ ./runme.elf
+ ~~~~~~~~~~~
+ CategoryInfo          : ResourceUnavailable: (:) [], ApplicationFailedException
+ FullyQualifiedErrorId : NativeCommandFailed

The file has no execute permission set (the mode column above shows no permission bits at all). On Linux I set that with chmod, which PowerShell runs as a native command. Then I can run the file and get the refraction value:

PS /home/elf/refraction> chmod +x ./runme.elf
PS /home/elf/refraction> ./runme.elf
refraction?val=1.867

Now on to the riddle file:

PS /> Get-Content /home/elf/refraction/riddle
Very shallow am I in the depths of your elf home. You can find my entity by using my md5 identity:
25520151A320B5B0D21561F92C8F6224

There is a depths directory in the elf home directory. I can do this search in a single pipeline. First, Get-ChildItem with -File to return only files (not directories) and -Recurse to descend into subdirectories. I pipe that to Get-FileHash with -Algorithm MD5 (the default is SHA256). That goes into a Where-Object that keeps only the object whose Hash matches the one I’m looking for (the comparison is case-insensitive, so the uppercase hash from the riddle is fine). Finally, select Path gives me just the file path:

PS /> Get-ChildItem -File -Recurse /home/elf/depths | Get-FileHash -Algorithm MD5 |  Where-Object Hash -eq 25520151A320B5B0D21561F92C8F6224 | select Path
Path
----
/home/elf/depths/produce/thhy5hll.txt

The content is the desired temperature, as well as another riddle:

PS /> Get-Content /home/elf/depths/produce/thhy5hll.txt
temperature?val=-33.5
I am one of many thousand similar txt's contained within the deepest of /home/elf/depths. Finding me will give you the most strength but doing so will require Piping all the FullName's to Sort Length.

I found a bit of code on StackExchange that showed how to do this; I just needed to change Name to FullName. It gets all the files and directories under /home/elf/depths and, for each, uses Select-Object to keep two fields: FullName, and a calculated property NameLength equal to the length of FullName. Then I sort on NameLength and select the last item:

PS /> gci -Recurse /home/elf/depths/ | Select fullName,@{Name="NameLength";Expression={$_.full
name.length}} | sort namelength | select -last 1 | Format-List 
FullName   : /home/elf/depths/larger/cloud/behavior/beauty/enemy/produce/age/chair/unknown/es
             cape/vote/long/writer/behind/ahead/thin/occasionally/explore/tape/wherever/pract
             ical/therefore/cool/plate/ice/play/truth/potatoes/beauty/fourth/careful/dawn/adu
             lt/either/burn/end/accurate/rubbed/cake/main/she/threw/eager/trip/to/soon/think/
             fall/is/greatest/become/accident/labor/sail/dropped/fox/0jhj5xz6.txt
NameLength : 388

That’s quite a name. I can get the contents:

PS /> Get-Content /home/elf/depths/larger/cloud/behavior/beauty/enemy/produce/age/chair/unknown/escape/vote/long/writer/behind/ahead/thin/occasionally/explore/tape/wherever/practical/therefore/cool/plate/ice/play/truth/potatoes/beauty/fourth/careful/dawn/adult/either/burn/end/accurate/rubbed/cake/main/she/threw/eager/trip/to/soon/think/fall/is/greatest/become/accident/labor/sail/dropped/fox/0jhj5xz6.txt
Get process information to include Username identification. Stop Process to show me you're skilled and in this order they must be killed:
bushy
alabaster
minty
holly
Do this for me and then you /shall/see .

I can run Get-Process with the -IncludeUserName flag to see the processes and their users. There is a sleep process for each of the users named above:

PS /> Get-Process -IncludeUserName
     WS(M)   CPU(s)      Id UserName                       ProcessName
     -----   ------      -- --------                       -----------
     26.98     0.36       6 root                           CheerLaserServi
    120.33     2.62      31 elf                            elf
      3.30     0.03       1 root                           init
      0.71     0.00      23 bushy                          sleep
      0.80     0.00      26 alabaster                      sleep
      0.71     0.00      27 minty                          sleep
      0.72     0.00      29 holly                          sleep
      3.30     0.00      30 root                           su

I can also see that there’s nothing in the /shall directory:

PS /> gci -Force /shall/

I’ll kill the processes in the order described above (the IDs change on each load, so check them rather than copying mine):

PS /> Stop-Process -id 23; Stop-Process -id 26; Stop-Process -id 27; Stop-Process -id 29

Now, there’s a see file in /shall/:

PS /> gci -Force /shall/                                                                
    Directory: /shall
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
--r---          12/24/19  5:55 PM            149 see

It contains the next step in the riddle:

PS /> Get-Content /shall/see
Get the .xml children of /etc - an event log to be found. Group all .Id's and the last thing will be in the Properties of the lonely unique event Id.

I’ll find the event log file using a Get-ChildItem with flags to only return .xml files:

PS /> Get-ChildItem -Path /etc/ -Recurse -File -Filter *.xml -ErrorAction SilentlyContinue
    Directory: /etc/systemd/system/timers.target.wants
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
--r---          11/18/19  7:53 PM       10006962 EventLog.xml

I can read the file in as xml:

PS /> [xml]$log = Get-Content /etc/systemd/system/timers.target.wants/EventLog.xml

Now I can reference parts of it:

PS /> $log
Objs
----
Objs
PS /> $log.Objs
Version xmlns                                           Obj
------- -----                                           ---
1.1.0.1 http://schemas.microsoft.com/powershell/2004/04 {Obj, Obj, Obj, Obj…}

After some playing around with the data format, I was able to get a histogram of the log ids:

PS /> $log.objs.obj.props.I32 | where N -eq 'Id' | Group-Object -Property '#text' -NoElement
Count Name
----- ----
    1 1
   39 2
  179 3
    2 4
  905 5
   98 6

But there’s a better way to read this particular file. The xmlns on the root (schemas.microsoft.com/powershell/2004/04) shows it is CLIXML, PowerShell’s own serialization format as written by Export-Clixml, so Import-Clixml rehydrates it into objects with the original property names:

PS /> $log = Import-Clixml /etc/systemd/system/timers.target.wants/EventLog.xml
PS /> $log[0]

Message              : Network connection detected:
                       RuleName: 
                       UtcTime: 2019-11-07 17:51:21.083
                       ProcessGuid: {BA5C6BBB-4C7A-5DC4-0000-0010F4540100}
                       ProcessId: 1068
                       Image: C:\Windows\System32\svchost.exe
                       User: NT AUTHORITY\LOCAL SERVICE
                       Protocol: udp
                       Initiated: true
                       SourceIsIpv6: false
                       SourceIp: 192.168.1.150
                       SourceHostname: elfuresearch.localdomain
                       SourcePort: 123
                       SourcePortName: ntp
                       DestinationIsIpv6: false
                       DestinationIp: 13.86.101.172
                       DestinationHostname: 
                       DestinationPort: 123
                       DestinationPortName: ntp
Id                   : 3
Version              : 5
Qualifiers           : 
Level                : 4
Task                 : 3
Opcode               : 0
Keywords             : -9223372036854775808
RecordId             : 2194
ProviderName         : Microsoft-Windows-Sysmon
ProviderId           : 5770385f-c22a-43e0-bf4c-06f5698ffbd9
LogName              : Microsoft-Windows-Sysmon/Operational
ProcessId            : 1960
ThreadId             : 6648
MachineName          : elfuresearch
UserId               : S-1-5-18
TimeCreated          : 11/7/19 5:51:22 PM
ActivityId           : 
RelatedActivityId    : 
ContainerLog         : microsoft-windows-sysmon/operational
MatchedQueryIds      : {}
Bookmark             : System.Diagnostics.Eventing.Reader.EventBookmark
LevelDisplayName     : Information
OpcodeDisplayName    : Info
TaskDisplayName      : Network connection detected (rule: NetworkConnect)
KeywordsDisplayNames : {}
Properties           : {System.Diagnostics.Eventing.Reader.EventProperty, 
                       System.Diagnostics.Eventing.Reader.EventProperty, 
                       System.Diagnostics.Eventing.Reader.EventProperty, 
                       System.Diagnostics.Eventing.Reader.EventProperty…}

I can get the same histogram:

PS /> $log | Group-Object -Property Id -NoElement
Count Name
----- ----
    1 1
   39 2
  179 3
    2 4
  905 5
   98 6

ID 1 has only one log. So now I can find the log I want:

PS /> $log | where {$_.id -eq 1} | select message | format-list
Message : Process Create:
          RuleName: 
          UtcTime: 2019-11-07 17:59:56.525
          ProcessGuid: {BA5C6BBB-5B9C-5DC4-0000-00107660A900}
          ProcessId: 3664
          FileVersion: 10.0.14393.206 (rs1_release.160915-0644)
          Description: Windows PowerShell
          Product: Microsoft® Windows® Operating System
          Company: Microsoft Corporation
          OriginalFileName: PowerShell.EXE
          CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -c 
          "`$correct_gases_postbody = @{`n    O=6`n    H=7`n    He=3`n    N=4`n    Ne=22`n   
           Ar=11`n    Xe=10`n    F=20`n    Kr=8`n    Rn=9`n}`n"
          CurrentDirectory: C:\
          User: ELFURESEARCH\allservices
          LogonGuid: {BA5C6BBB-5B9C-5DC4-0000-0020F55CA900}
          LogonId: 0xA95CF5
          TerminalSessionId: 0
          IntegrityLevel: High
          Hashes: MD5=097CE5761C89434367598B34FE32893B
          ParentProcessGuid: {BA5C6BBB-4C79-5DC4-0000-001029350100}
          ParentImage: C:\Windows\System32\svchost.exe
          ParentCommandLine: C:\Windows\system32\svchost.exe -k netsvcs

I see the answer in the form of a PowerShell command that creates a hashtable of gases and values. I can load that variable into my session by pasting the string into Invoke-Expression (iex). Since this is content pulled from a log, it is worth reading the command first: iex runs whatever is in the string, and here it is only a hashtable assignment:

PS /home/elf> iex "`$correct_gases_postbody = @{`n    O=6`n    H=7`n    He=3`n    N=4`n    Ne=22`n Ar=11`n    Xe=10`n    F=20`n    Kr=8`n    Rn=9`n}`n"
PS /> $correct_gases_postbody
Name                           Value
----                           -----
Kr                             8
Xe                             10
N                              4
He                             3
Ne                             22
Ar                             11
H                              7
O                              6
Rn                             9
F                              20
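The same histogram and lookup can be done without PowerShell. The following is an added example for this write-up, not code from the original page: it parses the CLIXML structure queried above with $log.objs.obj.props (Objs/Obj/Props with typed children such as I32 N="Id"), finds the event ID that occurs exactly once, and then extracts the name=value pairs from the @{ ... } literal by parsing instead of handing log content to iex. SAMPLE_CLIXML is a constructed, abbreviated dump in the same shape as the real file (which has far more events and properties per event); the _x000D__x000A_ sequences are how CLIXML escapes CR/LF inside strings.

```python
"""Parse an Export-Clixml dump of Sysmon events without PowerShell.

Added example for this write-up, not code from the original page. It walks the
CLIXML structure (Objs/Obj/Props with typed children such as <I32 N="Id">),
builds the event-ID histogram, picks out the ID that occurs exactly once, and
parses the @{ name=value } literal out of that event instead of feeding the
string to Invoke-Expression. SAMPLE_CLIXML is constructed and abbreviated.
"""
import re
import xml.etree.ElementTree as ET
from collections import Counter

NS = "http://schemas.microsoft.com/powershell/2004/04"

# Constructed sample: two Id 3, two Id 5, one Id 1 (the "lonely" one).
SAMPLE_CLIXML = r"""<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0"><Props>
    <S N="Message">Network connection detected:_x000D__x000A_Protocol: udp_x000D__x000A_DestinationPort: 123</S>
    <I32 N="Id">3</I32>
    <S N="ProviderName">Microsoft-Windows-Sysmon</S>
  </Props></Obj>
  <Obj RefId="1"><Props>
    <S N="Message">Process terminated:_x000D__x000A_ProcessId: 2140</S>
    <I32 N="Id">5</I32>
  </Props></Obj>
  <Obj RefId="2"><Props>
    <S N="Message">Network connection detected:_x000D__x000A_Protocol: tcp_x000D__x000A_DestinationPort: 443</S>
    <I32 N="Id">3</I32>
  </Props></Obj>
  <Obj RefId="3"><Props>
    <S N="Message">Process terminated:_x000D__x000A_ProcessId: 3664</S>
    <I32 N="Id">5</I32>
  </Props></Obj>
  <Obj RefId="4"><Props>
    <S N="Message">Process Create:_x000D__x000A_RuleName: _x000D__x000A_Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe_x000D__x000A_CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -c "`$correct_gases_postbody = @{`n    O=6`n    H=7`n    He=3`n    N=4`n    Ne=22`n    Ar=11`n    Xe=10`n    F=20`n    Kr=8`n    Rn=9`n}`n"_x000D__x000A_User: ELFURESEARCH\allservices</S>
    <I32 N="Id">1</I32>
    <Obj N="Properties" RefId="5"><LST>
      <Obj RefId="6"><Props><S N="Value">-</S></Props></Obj>
      <Obj RefId="7"><Props><S N="Value">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</S></Props></Obj>
      <Obj RefId="8"><Props><S N="Value">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -c "`$correct_gases_postbody = @{`n    O=6`n    H=7`n    He=3`n    N=4`n    Ne=22`n    Ar=11`n    Xe=10`n    F=20`n    Kr=8`n    Rn=9`n}`n"</S></Props></Obj>
    </LST></Obj>
  </Props></Obj>
</Objs>
"""


def _decode(s):
    """Undo CLIXML's _xHHHH_ escaping of characters that are illegal in XML text."""
    return re.sub(r"_x([0-9A-Fa-f]{4})_", lambda m: chr(int(m.group(1), 16)), s)


def load_events(xml_text):
    """Return one dict per <Obj> under <Objs>, keyed by each prop's N attribute."""
    root = ET.fromstring(xml_text)
    events = []
    for obj in root.findall(f"{{{NS}}}Obj"):
        event = {}
        for prop in obj.find(f"{{{NS}}}Props"):
            name, kind = prop.get("N"), prop.tag.rsplit("}", 1)[-1]
            if kind == "I32":
                event[name] = int(prop.text)
            elif kind == "S":
                event[name] = _decode(prop.text or "")
            elif kind == "Obj" and name == "Properties":
                # EventProperty objects serialize as a list of Obj, each with an S N="Value"
                event[name] = [_decode(s.text or "")
                               for s in prop.iter(f"{{{NS}}}S") if s.get("N") == "Value"]
        events.append(event)
    return events


def id_histogram(events):
    return Counter(e["Id"] for e in events)


def lonely_events(events):
    """Events whose Id occurs exactly once: the 'lonely unique event Id'."""
    hist = id_histogram(events)
    return [e for e in events if hist[e["Id"]] == 1]


def parse_ps_hashtable(text):
    """Pull name=number pairs out of the first @{ ... } literal in text.

    The command line was a double-quoted PowerShell string, so its newlines are
    the literal two characters `n. Parsing the literal is the safe alternative
    to iex, which executes whatever the log happens to contain.
    """
    m = re.search(r"@\{(.*?)\}", text, re.S)
    if not m:
        return {}
    body = m.group(1).replace("`n", "\n")
    pairs = re.findall(r"(\w+)\s*=\s*(-?\d+(?:\.\d+)?)", body)
    return {k: (float(v) if "." in v else int(v)) for k, v in pairs}


if __name__ == "__main__":
    evs = load_events(SAMPLE_CLIXML)
    print(id_histogram(evs))
    for ev in lonely_events(evs):
        print(ev["Id"], parse_ps_hashtable(ev["Message"]))
```

Run it directly to print the histogram and the parsed hashtable. For the real file, pass the contents of EventLog.xml to load_events; the Properties list holds the serialized EventProperty values the riddle points at, and the same command line also appears in Message.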

Now I have all the information I need to set the laser. I’ll check the output to start, and it comes up short:

PS /> (Invoke-WebRequest -Uri http://localhost:1225/api/output).Content                    
Failure - Only 2.49 Mega-Jollies of Laser Output Reached!

I’ll update the values:

PS /> (Invoke-WebRequest -Uri http://localhost:1225/api/refraction?val=1.867).Content      
Updated Lense Refraction Level - Check /api/output if 5 Mega-Jollies per liter reached.
PS /> (Invoke-WebRequest -Uri http://localhost:1225/api/temperature?val=-33.5).Content     
Updated Laser Temperature - Check /api/output if 5 Mega-Jollies per liter reached.
PS /> (Invoke-WebRequest -Uri http://localhost:1225/api/angle?val=65.5).Content            
Updated Mirror Angle - Check /api/output if 5 Mega-Jollies per liter reached. 
PS /> (Invoke-WebRequest -Uri http://localhost:1225/api/gas -Method POST -Body $correct_gas
es_postbody).Content
Updated Gas Measurements - Check /api/output if 5 Mega-Jollies per liter reached. 

Unfortunately, I still didn’t have 5 Mega-Jollies:

PS /> (Invoke-WebRequest -Uri http://localhost:1225/api/output).Content
Failure - Only 3.88 Mega-Jollies of Laser Output Reached! 

I was stumped for a couple minutes, but then I tried turning it off and back on again, and it worked, and the challenge was solved:

PS /> (Invoke-WebRequest -Uri http://localhost:1225/api/off).Content    
Christmas Cheer Laser Powered Off                                                          
PS /> (Invoke-WebRequest -Uri http://localhost:1225/api/on).Content                        
Christmas Cheer Laser Powered On                                                           
PS /> (Invoke-WebRequest -Uri http://localhost:1225/api/output).Content                    
Success! - 5.76 Mega-Jollies of Laser Output Reached!   

Hints

On solving, Sparkle gives me a hint to use Rita to look at the Zeek logs:

You got it - three cheers for cheer!

For objective 5, have you taken a look at our Zeek logs?

Something’s gone wrong. But I hear someone named Rita can help us.

Can you and she figure out what happened?

Objective Challenge

I’m given a link to a .zip file which contains a folder with almost 900 Zeek logs. Zeek (formerly Bro) is a framework for analyzing network traffic. It summarizes traffic into a series of tab-separated logs by protocol and activity (conn.log, ssl.log, dns.log, and so on) that can be analyzed.

Installing Rita

Rita (Real Intelligence Threat Analytics) is a tool from Active Countermeasures that ingests Zeek logs and runs a set of analytics (beaconing, exploded DNS, user agents, blacklisted peers) to look for patterns of known or potential badness.

The README.md on their GitHub page has detailed installation instructions via several different methods. The install script runs as root and sets up MongoDB and RITA system-wide (and offers to configure Bro), so it is worth reading through before running it. I pulled up my Security Onion VM and ran the commands to install Rita:

oxdf@seco:~$ wget https://raw.githubusercontent.com/activecm/rita/master/install.sh
--2019-12-29 17:09:18--  https://raw.githubusercontent.com/activecm/rita/master/install.sh
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.248.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.248.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 19239 (19K) [text/plain]
Saving to: ‘install.sh’

install.sh          100%[===================>]  18.79K  --.-KB/s    in 0.02s   

2019-12-29 17:09:18 (1.18 MB/s) - ‘install.sh’ saved [19239/19239]

oxdf@seco:~$ sudo bash ./install.sh 
[sudo] password for oxdf: 

 _ \ _ _| __ __|  \
   /   |     |   _ \
_|_\ ___|   _| _/  _\  v3.1.1

Brought to you by Active CounterMeasures

[-] In order to run the installer, several basic packages must be installed. 
	[-] Updating packages... SUCCESS
	[-] Ensuring curl is installed... SUCCESS
	[-] Ensuring coreutils is installed... SUCCESS
	[-] Ensuring lsb-release is installed... SUCCESS
	[-] Ensuring yum-utils is installed... SUCCESS
[-] This installer will: 
	[-] Install MongoDB 
	[-] Install RITA to /usr/local/bin/rita 
	[-] Create a runtime directory for RITA in /var/lib/rita 
	[-] Create a configuration directory for RITA in /etc/rita 
[-] Bro IDS is already installed 
If you need to check or change your network interfaces, please do so now
by switching to a different terminal and making any changes.  Please note
that any interfaces you would like to use for packet capture must be up
and configured before you continue.  When the interfaces are ready,
please return to this terminal.

Would you like to continue running the Bro configuration script? 
You might answer no if you know you have already created a working
node.cfg and do not wish to replace it.  Otherwise we recommend
continuing with this script.
(y/n)?y
Continuing, all requirements met
This system has 1 cores.
The potentially sniffable interface is: enp0s3 
Here are the stats for enp0s3
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
    link/ether 08:00:27:cc:ed:87 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast   
    106740     397      0       0       0       0       
    TX: bytes  packets  errors  dropped carrier collsns 
    35022      375      0       0       0       0       
Would you like to include it as a sniff interface (y/n)?n

This configuration has no sniff interfaces, so bro will not be able to run.  Exiting bro configuration script.
[!] Automatic Bro configuration failed. 
[!] Please edit /opt/bro/etc/node.cfg and run 
[!] 'sudo broctl deploy' to start Bro. 
[!] Pausing for 20 seconds before continuing. 
	[!] Adding Bro IDS to the path in /etc/profile.d/bro-path.sh 
[-] Installing MongoDB... SUCCESS
[!] Starting MongoDB and enabling on startup. 
Created symlink from /etc/systemd/system/multi-user.target.wants/mongod.service to /lib/systemd/system/mongod.service.
[!] Starting MongoDB process completed.
[!] You can access the MongoDB shell with 'mongo'. 
[!] If you need to stop MongoDB, 
[!] run 'sudo systemctl stop mongod'. 
[-] Installing RITA... SUCCESS
[!] To finish the installation, reload the system profile with 
[!] 'source /etc/profile'.

 _ \ _ _| __ __|  \
   /   |     |   _ \
_|_\ ___|   _| _/  _\  v3.1.1

Brought to you by Active CounterMeasures

Thank you for installing RITA! Happy hunting!

I edited /etc/rita/config.yaml to uncomment the existing example InternalSubnets, so Rita knows which side of each connection is local:

    InternalSubnets:
      - 10.0.0.0/8          # Private-Use Networks  RFC 1918
      - 172.16.0.0/12       # Private-Use Networks  RFC 1918
      - 192.168.0.0/16      # Private-Use Networks  RFC 1918

Running Rita

Now I can run the import command and point it at my logs:

root@seco:/mnt/hhc19/5# rita import elfu-zeeklogs/ hhc19

	[+] Importing [elfu-zeeklogs/]:
	[-] Verifying log files have not been previously parsed into the target dataset ... 
	[-] Parsing logs to: hhc19 ... 
	[-] Parsing elfu-zeeklogs/conn.log-00001_20190823120021.log -> hhc19
	[-] Parsing elfu-zeeklogs/conn.log-00002_20190823121227.log -> hhc19
	[-] Parsing elfu-zeeklogs/conn.log-00003_20190823122444.log -> hhc19
	[-] Parsing elfu-zeeklogs/conn.log-00004_20190823123904.log -> hhc19
...[snip]...
	[-] Parsing elfu-zeeklogs/ssl.log-00094_20190824085227.log -> hhc19
	[-] Parsing elfu-zeeklogs/ssl.log-00095_20190824090519.log -> hhc19
	[-] Parsing elfu-zeeklogs/ssl.log-00096_20190824091651.log -> hhc19
	[-] Host Analysis:            41993 / 41993  [==================] 100 %
	[-] Uconn Analysis:           115915 / 115915  [==================] 100 %
	[-] Exploded DNS Analysis:    47836 / 47836  [==================] 100 %
	[-] Hostname Analysis:        47836 / 47836  [==================] 100 %
	[-] Beacon Analysis:          115915 / 115915  [==================] 100 %
	[-] UserAgent Analysis:       6 / 6  [==================] 100 %
	[!] No certificate data to analyze
	[-] Updating blacklisted peers ...
	[-] Indexing log entries ... 
	[-] Updating metadatabase ... 
	[-] Done!

The simplest way to look at the data when you’re not exactly sure what you’re looking at is to run html-report:

root@seco:/mnt/hhc19/5# rita html-report
[-] Writing: /mnt/hhc19/5/hhc19/hhc19
[-] Wrote outputs, check /mnt/hhc19/5/hhc19 for files

Report Analysis

Now I can open the resulting index.html in Firefox. On the beacons tab, I see:

[screenshot: Rita html-report, Beacons tab]

The pair with the highest score shows 7660 connections at a near-constant interval of 10 seconds, which is the signature of an implant checking in with its command-and-control server. The infected host is 192.168.134.130. When I enter that, I complete the challenge.
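To show what the beacon score is measuring, here is an added example that is not part of the original write-up and not Rita’s code. It is a simplified, timing-only version of the idea behind Rita’s beacon analysis: parse Zeek’s tab-separated conn.log using its #fields header, group connections by source/destination pair, and score each pair on how regular its inter-connection intervals are (Bowley skew for symmetry, median absolute deviation relative to the median for spread). Rita’s real scoring also looks at data sizes and uses its own weighting, so the numbers here are not Rita’s. The sample log is constructed: 192.168.134.130 beaconing every 10 seconds to 203.0.113.5 (a documentation address chosen for the example, not the real destination), a second host with irregular traffic, and some one-off connections.

```python
"""Score source/destination pairs in a Zeek conn.log for beaconing.

Added example, not Rita's implementation. Timing-only, simplified scoring:
for each (src, dst) pair with enough connections, take the sorted
inter-connection intervals, measure symmetry with Bowley skew and spread
with the median absolute deviation relative to the median, and average
the two into a 0..1 score. build_sample_log() is constructed data.
"""
import random
from collections import defaultdict
from statistics import median

# Zeek writes a literal backslash-x09 in its #separator line.
ZEEK_HEADER = ("#separator \\x09\n"
               "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice")


def parse_conn_log(text):
    """Yield one dict per record; column names come from the #fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields is None:
            raise ValueError("conn.log record before #fields header")
        else:
            yield dict(zip(fields, line.split("\t")))


def _quartiles(sorted_vals):
    n = len(sorted_vals)

    def q(p):
        idx = (n - 1) * p
        lo, hi = int(idx), min(int(idx) + 1, n - 1)
        return sorted_vals[lo] + (sorted_vals[hi] - sorted_vals[lo]) * (idx - lo)

    return q(0.25), q(0.5), q(0.75)


def score_intervals(timestamps, min_connections=20):
    """Return {'connections', 'median_interval', 'score'} or None if too few connections."""
    ts = sorted(timestamps)
    if len(ts) < min_connections:
        return None
    intervals = sorted(b - a for a, b in zip(ts, ts[1:]))
    q1, q2, q3 = _quartiles(intervals)
    # Bowley skew: 0 for a symmetric interval distribution, up to 1 for a lopsided one.
    skew = 0.0 if q3 == q1 else abs((q3 + q1 - 2 * q2) / (q3 - q1))
    # Median absolute deviation relative to the median: 0 for a perfectly regular
    # beacon. Real implants usually add jitter, which keeps this term small, not zero.
    mad = median(abs(i - q2) for i in intervals)
    dispersion = 1.0 if q2 <= 0 else min(mad / q2, 1.0)
    score = ((1 - skew) + (1 - dispersion)) / 2
    return {"connections": len(ts), "median_interval": q2, "score": round(score, 3)}


def beacon_candidates(conn_log_text, min_connections=20):
    """Rank (src, dst) pairs by beacon score, highest first."""
    pairs = defaultdict(list)
    for rec in parse_conn_log(conn_log_text):
        pairs[(rec["id.orig_h"], rec["id.resp_h"])].append(float(rec["ts"]))
    ranked = []
    for (src, dst), stamps in pairs.items():
        result = score_intervals(stamps, min_connections)
        if result:
            ranked.append((src, dst, result))
    ranked.sort(key=lambda r: (r[2]["score"], r[2]["connections"]), reverse=True)
    return ranked


def build_sample_log():
    """Constructed conn.log: one 10-second beacon, one noisy host, some one-offs."""
    rng = random.Random(2019)
    start = 1566561621.0   # 2019-08-23 12:00:21 UTC, matching the first conn.log file name
    lines = [ZEEK_HEADER]
    for i in range(60):    # beacon: exact 10 s period to 203.0.113.5:443
        lines.append(f"{start + 10 * i:.6f}\tC{i:06d}\t192.168.134.130\t{40000 + i}\t203.0.113.5\t443\ttcp\tssl")
    for i in range(30):    # irregular traffic from another host to a single server
        lines.append(f"{start + rng.uniform(0, 600):.6f}\tD{i:06d}\t192.168.134.131\t{50000 + i}\t198.51.100.7\t443\ttcp\tssl")
    for i in range(15):    # scattered one-off connections, each pair below the count threshold
        lines.append(f"{start + rng.uniform(0, 600):.6f}\tE{i:06d}\t192.168.134.132\t{60000 + i}\t198.51.100.{rng.randint(10, 30)}\t443\ttcp\tssl")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for src, dst, r in beacon_candidates(build_sample_log()):
        print(f"{src} -> {dst}: {r}")
```

On real data, concatenate the conn.log files (keeping one #fields header) and pass the text to beacon_candidates; the min_connections threshold is what keeps ordinary browsing, which spreads a handful of connections over many destinations, out of the ranking.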

After solving this, I realized that there’s an HTML Rita report included in the zip, in the ELFU directory. Running firefox elfu-zeeklogs/ELFU/index.html will get the same report!