Tolkien Ring - Windows Event Logs walkthrough

-

"Investigate the Windows event log mystery in the terminal or offline. Get hints for this challenge by typing hint in the upper panel of the Windows Event Logs terminal."

Difficulty Rating: 2/5

Advancing to the next stage of the challenge after wireshark practice challenge, we talk to Dusty Giftwrap and we access a terminal called “Windows Event Logs”, We are provided with powershell.evtx.log file that contains all the logs captured between 13-12-2022 23:12:29.956579 till 24-12-2022 18:44:53.874228, within which claims to be an attack happened and we will analyse. For ease of analysis, have personally converted the log file into xml 


1. What is the date of when the attack took place ? 24/12/2022



PowerShell strict mode has been turned off as a first activity and more activities are seen on the 24th, which can be identified as your perform a visual grep through the logs or even a head command on the powershell.evtx.log file, given windows logs are in reverse chronological order.

2. What is the original filename where the attacker took the secret?  Recipe
 
Based on the visual grep on the file, the word recipe keeps getting repeated. Grepping for the word Recipe were able to identify as per below screenshot and based on the story context, that recipe.txt is the file where the attack took the secrets from.
Note: Recipe & Recipe.txt are 2 different files.


3. Submit the last full PowerShell line where the attacker used a variable to manipulate the file?
 
$foo = Get-Content .\Recipe| % {$_ -replace ‘honey’, ‘fish oil’} $foo | Add-Content -Path ‘recipe_updated.txt’

Where the attacker is replacing the word honey with fish oil within the recipe_updated file.


4. Show the last command that was run to send the variable’s value to a new file?  

$foo | Add-Content -Path ‘Recipe’
 
Last command that involves the variable can be found by filtering for the variable foo with grep. And windows logs are in reverse chronological order, hence it’s the first command in the output


5. What is the name of the file which the attacker used the previous command on multiple times? Recipe.txt
Based on the above screenshot, we can see that the Add-Content command is being used multiple times on the file Recipe.txt
 
6. Were any files deleted?  Yes
If we grep for the keyword del, we can see two entries in the logs for deletion attempts. 


7. Was the original file deleted ? No
Since we can only see logs for deletion for Recipe.txt and recipe_updated.txt, not for Recipe which is the original file.
 
8. EventID of the log entry where the file was deleted ? 4104
When we search for “del” keyword within the PowerShell logs, we can see the EventID is 4104


9. Was the secret ingredient compromised ?  Yes
Since the attacker was able to read the file and also modify honey with fish oil
 
10. What is the secret ingredient?  Honey
Based on the reference to the command seen in Question 3, we can see the secret ingredient attempted to replace was Honey
 
Extra Mile
To see the full command history behind this whole activity, we can filter for the field “ScriptBlockText” which should give us a nice summary like a command history. “cat PowerShell | grep ScriptBlockText > commands.xml”. Near the end of the output you should the activity for the 24th which lists the recipe related commands.


Troubleshoots
  • Software packages - https://softwarerecs.stackexchange.com/questions/17590/how-to-view-evtx-files-on-linux-windows-event-log
  • https://github.com/williballenthin/python-evtx
  • pip3 install python-evtx
  • For Mac Users (python3 /opt/homebrew/bin/evtx_dump.py powershell.evtx > powershell.xml)

Comments

Post a Comment

Popular posts from this blog

SANS Kringlecon 2022 Introduction

-
Image
What Challenges Should You Expect?   This year, the infamously precious 5 Golden Rings have been stolen, and Santa needs your help to recover them. Each ring represents a different quest to defeat cybersecurity obstacles to change the course of the future and defeat holiday treachery:   1. Tolkien Ring (Network Security) - Analyse a PCAP to identify malware, and then analyse logs and create IDS rules to detect such attacks. 2. Elfen Ring (SecDevOps and Supply Chain Attacks) – Identify malicious packages and then attack CI/CD processes to escape a container. 3. Web Ring (Web Application Vulnerabilities and Exploitation) - Identify XML External Entity (XXE) attack and leverage such vulnerabilities to gain access. 4. Cloud Ring (Cloud Security) - Analyse cloud configurations via the command line, identifying possible vulnerabilities and information leakage. 5. Burning Ring of Fire (Cryptocurrency, NFT, and Smart Contract Attacks) - Acquire and spend cryptocurrency, then analyse a
Read more

Tolkien Ring - Wireshark Practice walkthrough

-
Image
By now we should be ready to start out first challenge as part of the Tolkien Ring, which is in relation to Wireshark Difficulty Rating: 1/5 Hints Just have to follow thorough the questions asked in terminal, by analysing the suspicious.pcap file in Wireshark   Solutions 1. What kinds of objects can be exported in the pcap file ?  HTTP Open up suspicious.pcap file in Wireshark, using the export objects option available in Wireshark. Now we can export different types of objects depending on what’s been captured in this pcap. When you choose to export HTTP objects you get to see 3 files, while the export options will be empty.   2. Name of the biggest file you can export ?  app.php (808kB) Within Wireshark in the object export tab for HTTP, you get to see 3 files, among which the biggest file by size 808kb is app.php     3. Packet number where app.php starts ?   687 In the object export tab within Wireshark, first column indicated the starting packet number of the conversation for tha
Read more

Elfen Ring - Prison Escape Walkthrough

-
Image
Prison Escape Challenge Difficulty 3/5 Clone a code repository. Get hints for this challenge from Bow Ninecandle in the Elfen Ring. After completing the Clone with a difference challenge , Getting back on the boat and progressing further through the game, we meet Tinsel Upatree with a terminal named “Prison Escape”, once we click on the terminal we are presented with the following screen that details the challenge and Based on the question, we need to find a hex string that contains the flag that needs to be submitted Seems like we need to find a way to privilege escalate or escape from the limited sandbox to be able to complete the challenge. given we can get linpeas transferred to this system, we will have to manually perform initial enumeration. Based on the above screenshot, Seems like some sort of docker container and now ill have to narrow down the enumeration to docker container escape .  Using the following docker container escape reference cheatsheet, while attempting enumerat
Read more