CyberDefenders: Injector

Ross Andrews
7 min read, Aug 2, 2023


If you struggle with analyzing registry information from a memory dump using Volatility, this is a fantastic challenge for practice and for building your cheat sheet. The rest of the challenge involves extracting the access.log file from an Apache server, finding previously run commands, and grabbing the hash of a file uploaded by the attacker.

Challenge:

“A company’s web server has been breached through their website. Our team arrived just in time to take a forensic image of the running system and its memory for further analysis. As a SOC analyst, you are tasked with mounting the image to determine how the system was compromised and the actions/commands the attacker executed.”

What is the computer’s name:

Typically, this information is stored in the registry under HKEY_LOCAL_MACHINE\SYSTEM\ControlSet00X\Control\ComputerName\ComputerName.

NOTE: the X in ControlSet00X is an integer. You may also see “CurrentControlSet,” which is essentially an alias for one of the numbered ControlSets (the Current value under HKLM\SYSTEM\Select records which one is in use).

To find this information we need to list the hives from the dump and locate the HKLM\SYSTEM hive. If you are unsure of the path to the computer name, you can list the subkeys with the printkey plugin, passing the hive's offset address.

When we list the subkeys and drill down into the ControlSets, we see two of them, so let's start with the first.

NOTE: you can list the subkeys one level at a time to navigate the registry by adding the key argument. For example, vol printkey -o 0x86226008 -K "ControlSet001" will list all the subkeys under ControlSet001.

Eventually we reach ControlSet001\Control\ComputerName\ComputerName and obtain the computer name.

What is the Timezone of the compromised machine:

To determine the Timezone, we need to read HKLM\SYSTEM\ControlSet003\Control\TimeZoneInformation.

What is the OS build number:

To retrieve the build number, we stay in the registry and look for Microsoft\Windows NT\CurrentVersion (in the SOFTWARE hive).

NOTE: the number you need is the first four digits of the BuildLab value.

How many users are on the compromised machine:

There are three ways to get this information: two through the registry and one by dumping password hashes. First, we can retrieve the ProfileList from the registry:

NOTE: you will not see usernames here, only the user SIDs.

Second, to get the usernames we can look in the registry under SAM\DOMAINS\Account\Users\Names.

Third, we can run the hashdump plugin and see how many user password hashes are stored on the system:

When did the attacker create the first user:

Staying in the SAM hive (Windows\System32\config\SAM), we can find the creation date of the first user the attacker made.

What is the webserver package installed on the machine:

Staying in the registry, if we list the contents of the SOFTWARE hive (Windows\System32\config\SOFTWARE), we will see the answer as one of the subkeys.

We can confirm this in two ways: list the process tree, or use the cmdline plugin.

What is the vulnerable web app installed on the webserver:

For this we can extract access.log from the memory dump using the filescan and dumpfiles plugins.

Once we have collected the log data, we can cat its contents to determine what the application is:

If you run a Google search on the abbreviation, you'll be able to confirm that the first few entries show connections to the login page of the vulnerable app.

What is the user agent used in the HTTP request sent by the SQL injection attack tool:

If you've never attacked a website on a platform like HTB or OWASP Juice Shop, you might not know many of the common tools for enumerating and exploiting web servers. One such tool is sqlmap, which automatically enumerates and exploits SQLi vulnerabilities. So let's use grep to see if we can find a User-Agent header containing sqlmap.

The attacker used command injection to add user “hacker” to the “Remote Desktop Users” Group. Provide the IP address that was part of the executed command:

Let's list the process tree, dump one of the cmd.exe processes, and see if our answer is there.

NOTE: I chose to dump PID 1972 because it is close to the date/time at which the attacker created the first user.

Now we can grep “Remote+Desktop” to get the answer.

For this question we can confirm the IP in access.log: the IP address behind the webshell is the same IP that added the user to the Remote Desktop Users group.

NOTE: if we grep for dir, we should be able to see the URL parameter they used to run commands.

Provide the name of the URL parameter used to execute commands:

See the note above.

The attacker read multiple files through LFI vulnerability. One of them is related to network configuration. What is the file name:

First off, Local File Inclusion (LFI) is a vulnerability that lets an attacker make the web application read files from the server's file system. So we can grep for anything that looks like directory traversal (../, possibly URL-encoded).

We not only see significant evidence of the attacker looking around the filesystem, we also see our answer in the first line.
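The grep steps above (the scanner User-Agent, the command-injection parameter with its source IP, and ../ traversal) as one Python triage pass over constructed access.log lines. This is added example code, not part of the original write-up or the challenge files; the address, the webshell path and the cmd parameter are invented, and decoding the query string is what makes "net+user" and "net%20user" both readable as "net user".

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-format lines standing in for the dumped access.log;
# the RFC 5737 address, the webshell path and the "cmd" parameter are made up.
SAMPLE_LOG = r'''
203.0.113.7 - - [15/Jun/2023:10:01:02 +0000] "GET /DVWA/login.php HTTP/1.1" 200 1337 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Jun/2023:10:02:10 +0000] "GET /DVWA/vulnerabilities/sqli/?id=1%27%20AND%201=1&Submit=Submit HTTP/1.1" 200 4210 "-" "sqlmap/1.7.2#stable (https://sqlmap.org)"
203.0.113.7 - - [15/Jun/2023:10:05:33 +0000] "GET /DVWA/vulnerabilities/fi/?page=..%2F..%2F..%2F..%2Fwindows%2Fsystem32%2Fdrivers%2Fetc%2Fhosts HTTP/1.1" 200 980 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Jun/2023:10:07:45 +0000] "GET /DVWA/shell.php?cmd=net+user+hacker+P%40ss+%2Fadd HTTP/1.1" 200 120 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Jun/2023:10:08:01 +0000] "GET /DVWA/shell.php?cmd=net+localgroup+%22Remote+Desktop+Users%22+hacker+%2Fadd HTTP/1.1" 200 120 "-" "Mozilla/5.0"
'''

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
                    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')

# Commands the write-up hunts for in the dumped cmd.exe memory: net user/localgroup, dir, netsh.
CMD_RE = re.compile(r"\b(net (?:user|localgroup)|dir|whoami|netsh)\b", re.I)

def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are dropped."""
    return [m.groupdict() for m in map(LOG_RE.match, text.strip().splitlines()) if m]

def decoded_params(entry):
    """Query parameters with %xx escapes and '+' turned back into real characters,
    which is why a raw grep for "net user" misses requests that carry "net+user"."""
    return parse_qs(urlsplit(entry["target"]).query, keep_blank_values=True)

def tool_user_agents(entries, needle="sqlmap"):
    """Equivalent of grep -i sqlmap on the User-Agent column."""
    return sorted({e["ua"] for e in entries if needle.lower() in e["ua"].lower()})

def command_injection(entries):
    """(source ip, parameter, decoded command) for query values that look like OS commands."""
    return [(e["ip"], name, v) for e in entries for name, vals in decoded_params(e).items()
            for v in vals if CMD_RE.search(v)]

def lfi_attempts(entries):
    """(source ip, parameter, file reached for) for query values carrying ../ traversal."""
    return [(e["ip"], name, v.replace("\\", "/").rsplit("/", 1)[-1]) for e in entries
            for name, vals in decoded_params(e).items() for v in vals if "../" in v or "..\\" in v]

if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("scanner user agents:", tool_user_agents(entries))
    for ip, param, cmd in command_injection(entries):
        print(f"command injection from {ip} via ?{param}= -> {cmd}")
    for ip, param, fname in lfi_attempts(entries):
        print(f"LFI from {ip} via ?{param}= reaching {fname}")
```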

The attacker tried to update some firewall rules using netsh command. Provide the value of the type parameter in the executed command:

Here we can use the consoles plugin and grep for netsh firewall to get our answer:

How many users were added by the attacker:

Still using consoles, let's grep "net user" to see if we get our answer.

It looks like we have a partial answer, so let's check the file we made when we dumped PID 1972.

NOTE: I first tried grep "net user" but it returned no results. Because the attacker was exploiting a web app, I then tried URL encoding with grep "net%20user", and that failed too. Finally, I got a result with grep "net+user".

What is the first vulnerability the attacker was able to exploit:

My first answer was actually wrong: because a previous question referenced sqlmap, I assumed the answer was SQL. However, if we use the cmd.dmp file we made and search for <script>, we'll find the correct answer.

The URL path names the vulnerability, as does the alert message inside the <script></script> tags.

We can also check access.log to confirm that this vulnerability was exploited first.

The attacker dropped a shellcode through SQLi vulnerability. The shellcode was checking for a specific version of PHP. Provide the PHP version number:

Because we saw that sqlmap was using the /?id= parameter, we can search access.log for that parameter to find the shellcode.

Ignoring the opening SQL statement and the URL encoding, the remaining content appears to be hex. We can decode it with xxd to see whether it holds our answer.
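The decoding step above as an added Python example (not from the original post): it URL-decodes the request, pulls the 0x hex literal out of the injected SQL, turns it back into bytes the way xxd -r -p would, and reads off the version the stager compares against. The stager bytes and the request are constructed for this example; the xampp\htdocs\DVWA path is the one the write-up names.

```python
import re
from urllib.parse import unquote_plus

# Constructed PHP stager (the page's "shellcode") that gates on the PHP version.
# It is made up for this example; the 0x... form below is how a hex literal written
# with INTO OUTFILE shows up inside the logged request.
PHP_STAGER = b"<?php if (version_compare(PHP_VERSION, '5.3.0', '>=')) { echo 'ready'; } ?>"

# Constructed request target as it would appear in access.log: URL-encoded SQL carrying
# the stager as a MySQL hex literal, dropped under the XAMPP web root named in the write-up.
SAMPLE_TARGET = ("/DVWA/vulnerabilities/sqli/?id=1%27%20LIMIT%200,1%20INTO%20OUTFILE%20"
                 "%27C:/xampp/htdocs/DVWA/tmpstager.php%27%20LINES%20TERMINATED%20BY%20"
                 f"0x{PHP_STAGER.hex()}--%20-&Submit=Submit")

HEX_LITERAL = re.compile(r"0x([0-9a-fA-F]{8,})")  # MySQL hex string of at least 4 bytes
VERSION_CHECK = re.compile(rb"(?:PHP_VERSION|phpversion\(\))\D*(\d+\.\d+(?:\.\d+)?)")

def extract_hex_payloads(target):
    """URL-decode the target once, then turn every long 0x... literal back into bytes
    (what xxd -r -p does for one run). Odd-length runs are malformed and skipped."""
    return [bytes.fromhex(h) for h in HEX_LITERAL.findall(unquote_plus(target)) if len(h) % 2 == 0]

def php_version_checked(payload):
    """Version string the stager compares the PHP version against, or None if it has none."""
    m = VERSION_CHECK.search(payload)
    return m.group(1).decode() if m else None

if __name__ == "__main__":
    for blob in extract_hex_payloads(SAMPLE_TARGET):
        print(blob.decode(errors="replace"))
        print("checks for PHP version:", php_version_checked(blob))
```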

One of the files uploaded by the attacker has an MD5 hash that starts with “559411”. Provide the full hash:

I tried as many ways as I could to get this to work solely using Volatility, but I couldn’t get it to work.

So to get this answer, I mounted the disk image provided by the challenge and used the find command to get the MD5 hash of all files in xampp\htdocs\DVWA.

NOTE: I chose xampp\htdocs\DVWA because that's where the PHP shell appeared to have been placed when we were looking for the PHP version in the previous question.

What is the MITRE ID corresponding to the technique used to keep persistence:

For this, just Google which MITRE ID is associated with local account creation.

YouTube Walkthrough: