Sunday, May 10, 2020

Searching for Specific Processes in Windows Event Logs - Cal Poly FAST CTF Challenge 15

Question: How many times did VMware tools change the system time?
Points: 110
Download File from: https://github.com/mfput/CTF-Questions/raw/master/Security
Hint: A change in time is a change in the security state.
Answer: 19

Sunday, December 1, 2019

Finding the Last Logon - Cal Poly FAST CTF Challenge 14



Question: What was the timestamp when Patrick last logged off? FORMAT: M/DD/YYYY H:MM:SS
Points: 70
Download File from: https://github.com/mfput/CTF-Questions/raw/master/Security
Hint: No Hint
Answer: 4/10/2017 6:32:00

Like my work? Donate here: https://buymeacoffee.com/forensicnoobsecurity

Finding Interactive Logons - Windows Event Logs - Cal Poly FAST Challenge 13

Forensic Challenge 13:

Question: How many interactive logons were there on this machine?
Points: 100
Download File from: https://github.com/mfput/CTF-Questions/raw/master/Security
Hint: There are multiple types of logons.
Answer: 23

This is the first of three questions centered around the Windows Security event log. The file is an EVTX Windows event log from a Windows 7 machine. The extension has been removed, so you'll have to add the .evtx extension; the file command will tell you it is an event log file. I will show how to solve these three Windows event log questions with the native Event Viewer. Of course, you could also ingest the .evtx file into a supported program with better query functionality.
You can open this file natively with the Event Viewer. Once opened, it can be quite overwhelming to see all these logs. Of course, we are looking for something in particular: the number of interactive logons. Each event is grouped by a Windows event ID. The standard Windows event ID for account logons is 4624, "An Account was successfully logged on". We can filter the Windows event log by clicking "Filter Current Log" in the right-hand pane and entering the 4624 event ID.



Once we have the log filtered, we can see that there are 279 events with ID 4624. However, not all of them were actual interactive logons. When we select an individual event, we can see its details, including a field called "Logon Type":



There are multiple types of logons, of which we are interested in only one. In the above log we see a Logon Type of 5, which is a Service logon. We want to filter by type 2, interactive logons. Below is a list of the different logon types:




Logon Type  Description
2           Interactive (logon at keyboard and screen of system)
3           Network (i.e. connection to shared folder on this computer from elsewhere on network)
4           Batch (i.e. scheduled task)
5           Service (Service startup)
7           Unlock (i.e. unattended workstation with password protected screen saver)
8           NetworkCleartext (Logon with credentials sent in the clear text. Most often indicates a logon to IIS with "basic authentication") See this article for more information.
9           NewCredentials such as with RunAs or mapping a network drive with alternate credentials. This logon type does not seem to show up in any events. If you want to track users attempting to logon with alternate credentials see 4648. MS says "A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections."
10          RemoteInteractive (Terminal Services, Remote Desktop or Remote Assistance)
11          CachedInteractive (logon with cached domain credentials such as when logging on to a laptop when away from the network)

Source: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4624

NOTE: Interactive logins can come from other Event IDs as well, but are not present in this event log.
We want to filter by the interactive logon type of 2. Alas, this isn't possible with the simple click of a button in the Event Viewer, but it is possible using XPath. All Windows event logs are stored as XML, and each field is an XML element that we can query. From a selected event, choose "Details -> XML View". There we can see the Data Name we will use in the query, "LogonType".


Go to "Filter Current Log" in the right-hand pane, switch to the XML tab, and tick "Edit query manually". This lets us write custom XPath queries to gather more specific data. Because this is a saved log, the Path will be different from mine. After the Select Path asterisk, replace

[System[(EventID=4624)]]  NOTE: This queries the System element for an Event ID of 4624.

with:

[EventData[Data[@Name='LogonType']='2']]  NOTE: This queries the EventData element for a logon type of 2. EventData is independent of the System element, so if any other event IDs carry this data item, they will also appear.



With this, we can see that there were only 23 actual interactive logons in this event file.
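The two predicates above behave differently because they look at different parts of the event: System/EventID identifies the event, while EventData/Data[@Name='LogonType'] is a payload field that other event IDs (a failed logon, 4625, for instance) also carry. The following Python is an added example, not code from the write-up or from the Event Viewer: it parses a constructed set of events in the same shape as the Event Viewer's XML View and counts them three ways, by EventID alone, by LogonType alone, and by both together. The sample events, user names and counts are constructed for the demonstration; the namespace URI is the one every Windows event carries in XML View.

```python
import xml.etree.ElementTree as ET

# Every Windows event in XML view lives in this default namespace.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample in the shape of Event Viewer's "XML View" (only the
# fields this filter needs; real 4624 events carry many more <Data> items).
# One 4625 (failed logon) is included because it also carries a LogonType.
SAMPLE_EVENTS = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID></System>
  <EventData><Data Name="TargetUserName">alice</Data><Data Name="LogonType">2</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID></System>
  <EventData><Data Name="TargetUserName">SYSTEM</Data><Data Name="LogonType">5</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID></System>
  <EventData><Data Name="TargetUserName">bob</Data><Data Name="LogonType">2</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID></System>
  <EventData><Data Name="TargetUserName">bob</Data><Data Name="LogonType">3</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID></System>
  <EventData><Data Name="TargetUserName">alice</Data><Data Name="LogonType">2</Data></EventData>
</Event>
</Events>"""


def event_id(event):
    """Text of System/EventID, as a string."""
    return event.findtext("e:System/e:EventID", namespaces=NS)


def logon_type(event):
    """Value of the EventData <Data Name="LogonType"> item, or None if absent."""
    for data in event.findall("e:EventData/e:Data", NS):
        if data.get("Name") == "LogonType":
            return data.text
    return None


def count_matching(xml_text, event_id_filter=None, logon_type_filter=None):
    """Count events passing the given filters; None means 'do not filter'.
    Mirrors *[System[(EventID=...)]] and *[EventData[Data[@Name='LogonType']=...]]."""
    count = 0
    for event in ET.fromstring(xml_text).findall("e:Event", NS):
        if event_id_filter is not None and event_id(event) != str(event_id_filter):
            continue
        if logon_type_filter is not None and logon_type(event) != str(logon_type_filter):
            continue
        count += 1
    return count


def event_viewer_xpath(event_id_value, logon_type_value):
    """The equivalent Event Viewer XPath, with both predicates on the same event."""
    return ("*[System[(EventID=%d)] and EventData[Data[@Name='LogonType']='%s']]"
            % (event_id_value, logon_type_value))


if __name__ == "__main__":
    print("EventID 4624 only:", count_matching(SAMPLE_EVENTS, event_id_filter=4624))
    print("LogonType 2 only: ", count_matching(SAMPLE_EVENTS, logon_type_filter=2))
    print("Both predicates:  ", count_matching(SAMPLE_EVENTS, 4624, 2))
    print(event_viewer_xpath(4624, 2))
```

On the constructed sample the EventID filter returns four events (including the service and network logons), the LogonType filter returns three (including the failed 4625 logon), and only the combined filter returns the two real interactive logons. When the saved log contains only 4624 events, as the write-up notes for this file, the LogonType filter alone gives the right answer; the combined form is the safer habit on a live Security log.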

Sunday, March 31, 2019

Recycle Bin Forensics: Cal Poly FAST CTF Challenge 12


File: https://raw.githubusercontent.com/mfput/CTF-Questions/master/file12.zip
Question: When was the flag deleted? Format: "YYYY-MM-DD HH:MM:SS"
Hint: Utilizzare uno strumento chiamato rifiuti.
Answer: 2018-11-04 02:43:31

Here we have a zipped folder. Upon unzipping it, the folder looks empty. Of course it is not, as the zipped folder is over a kilobyte in size. If you have Windows Explorer set to show hidden files, you can actually see the files inside it while it is still zipped.



Now we don’t have a forensic image, so there won’t be any NTFS artifacts to help you here. There are files inside this folder, and as we learned earlier, some files have attributes that make them hidden to Explorer. We can use the command “dir /a” to view all files in the directory. Inside the folder there is a directory with the name of a user SID (Security Identifier). We can use the “attrib filename” command to view the attributes of that file.



Here we can see that the S-1-5 directory has the “S” and “H” attributes. These attributes denote “System” and “Hidden”. We can remove these attributes with a minus sign to make this directory appear normally in Windows Explorer: “attrib -s -h filename”.



Now the directory is visible to us once again. If we wanted to add those attributes back, we would use “attrib +s +h filename” and the folder would become hidden again. To see a full list of attributes, use “attrib /?”. Now the S-1-5 directory is empty. Or is it really? Upon further inspection there are two files hidden in the directory: “desktop.ini” and “INFO2”. The desktop.ini file is not relevant to finding the flag. Using the attrib command we can see that INFO2 has the “A”, “S”, and “H” attributes (A is for archive). As before, we make this file visible to Explorer with the attrib command “attrib -s -h INFO2”.



When opening the INFO2 file in a text editor, we can see the flag, but the data isn’t being parsed right. We can’t tell when it was actually deleted with this method.




This is where our hint comes in handy. “Utilizzare uno strumento chiamato rifiuti” is Italian and roughly translates to “Use the tool called trash”. Trash is not a tool that can help you, but rifiuti can. Rifiuti is a Windows forensic tool used for Recycle Bin forensics. An INFO2 file is actually a log of pointers to the files that were sent to the Recycle Bin. You can download Rifiuti2 (an improved version of the original tool) here: https://abelcheung.github.io/rifiuti2/. Use the normal rifiuti.exe, not rifiuti-vista.exe, against the INFO2 file: “rifiuti.exe INFO2”.



With the data now parsed correctly, the flag.rtf file was deleted with a timestamp of “2018-11-04 02:43:31”. Rifiuti2 tells us the name of the deleted files, if they were emptied or not, the size on disk and the path.

INFO2 files are located at “C:\Recycled\INFO2” on Windows 95/98/ME and at “C:\Recycler\SID*\INFO2” on Windows NT/2000/XP. Initially there was a single INFO2 file on the machine. With NT, 2000, and XP there is an INFO2 file for each user, located in the SID folder belonging to that user, so it is possible to tell which user sent a file to the Recycle Bin.

Starting with Windows Vista, INFO2 files were replaced by $I files located at “C:\$Recycle.Bin\SID*\$I*”. You can use “rifiuti-vista.exe” to parse $I files. EnCase and FTK supposedly also support parsing INFO2 files.
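Rifiuti gets the deletion time from a fixed-layout record inside INFO2, which is why the text editor showed the file name but not a readable timestamp. The following Python is an added example, not the write-up's or rifiuti's code: it parses a constructed INFO2 image using the documented Windows 2000/XP record layout (260-byte ANSI path, record index, drive number, 64-bit FILETIME deletion time, physical size, then a 520-byte UTF-16LE path; Windows 95/98/ME records are 280 bytes and stop before the UTF-16LE path) and prints the same fields rifiuti reports. The sample records, their paths and sizes are constructed; the first record reuses the challenge's deletion time, taken as UTC, so the output lines up with the answer above.

```python
import struct
from datetime import datetime, timedelta, timezone

# Layout assumed here (the documented INFO2 format, not taken from the post):
# header, 20 bytes: version u32, two unknown u32, record size u32, total size u32.
# Windows 2000/XP record, 800 bytes: 0x000 ANSI original path (260 bytes),
#   0x104 record index u32, 0x108 drive number u32 (0=A:, 2=C:),
#   0x10C deletion time as FILETIME u64, 0x114 physical size u32,
#   0x118 UTF-16LE original path (520 bytes).
# Windows 95/98/ME records are 280 bytes and stop before the UTF-16LE path.
# An entry emptied from (or restored out of) the bin has the first ANSI byte zeroed.
HEADER_LEN = 20
ANSI_PATH_LEN = 260
FIXED_FIELDS = "<IIQI"                                   # index, drive, FILETIME, size
UNICODE_PATH_OFFSET = ANSI_PATH_LEN + struct.calcsize(FIXED_FIELDS)   # 280
XP_RECORD_SIZE = 800
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime):
    """FILETIME counts 100 ns intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(moment):
    return ((moment - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_info2(data):
    """Return one dict per record, in file order."""
    version, _, _, record_size, _ = struct.unpack_from("<5I", data, 0)
    if record_size < UNICODE_PATH_OFFSET:
        raise ValueError("unsupported INFO2 record size %d" % record_size)
    records = []
    for offset in range(HEADER_LEN, len(data) - record_size + 1, record_size):
        rec = data[offset:offset + record_size]
        ansi_path = rec[:ANSI_PATH_LEN].split(b"\x00", 1)[0].decode("latin-1")
        index, drive, filetime, size = struct.unpack_from(FIXED_FIELDS, rec, ANSI_PATH_LEN)
        path = ansi_path
        if record_size >= UNICODE_PATH_OFFSET + 2:       # Windows 2000/XP layout
            raw = rec[UNICODE_PATH_OFFSET:].decode("utf-16-le", errors="replace")
            path = raw.split("\x00", 1)[0]
        records.append({
            "version": version,
            "index": index,
            "drive": chr(ord("A") + drive),
            "deleted": filetime_to_datetime(filetime).strftime("%Y-%m-%d %H:%M:%S"),
            "size": size,
            "path": path,
            "emptied": rec[0] == 0,
        })
    return records


def build_record(path, index, drive, deleted_at, size, emptied=False):
    """Constructed Windows 2000/XP record for the demo."""
    ansi = path.encode("latin-1").ljust(ANSI_PATH_LEN, b"\x00")
    if emptied:
        ansi = b"\x00" + ansi[1:]
    fixed = struct.pack(FIXED_FIELDS, index, drive, datetime_to_filetime(deleted_at), size)
    unicode_path = path.encode("utf-16-le").ljust(XP_RECORD_SIZE - UNICODE_PATH_OFFSET, b"\x00")
    return ansi + fixed + unicode_path


# Constructed INFO2 image with two entries; the first reuses the challenge's
# deletion time (taken as UTC), the second shows an emptied entry.
SAMPLE_INFO2 = struct.pack("<5I", 5, 0, 0, XP_RECORD_SIZE, 2 * XP_RECORD_SIZE) + build_record(
    r"C:\Documents and Settings\user\Desktop\flag.rtf", 1, 2,
    datetime(2018, 11, 4, 2, 43, 31, tzinfo=timezone.utc), 4096,
) + build_record(
    r"C:\Documents and Settings\user\notes.txt", 2, 2,
    datetime(2018, 11, 3, 23, 5, 0, tzinfo=timezone.utc), 8192, emptied=True,
)

if __name__ == "__main__":
    for rec in parse_info2(SAMPLE_INFO2):
        print(rec["deleted"], rec["drive"] + ":", rec["path"], rec["size"],
              "(emptied)" if rec["emptied"] else "")
```

Because the deletion time is stored as a FILETIME, it has no time zone of its own; rifiuti and this parser report it as UTC, and a real case needs the machine's time zone applied before comparing it with other artifacts. The emptied flag matters for the same reason it does in rifiuti's output: the record survives after the bin is emptied, so the path and time can still be recovered even though the ANSI name has lost its first character.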




That concludes the 12 questions for the FAST CTF! I am sure you learned something new and the skills you learned will help your endeavors into the future.

Bit Shifting: Cal Poly FAST CTF Challenge 11


File: https://raw.githubusercontent.com/mfput/CTF-Questions/master/file11.txt
Question: Find the flag in this text document!
Hint: If you are having trouble with this bit, shift your focus.
Answer: fastctf{a_bit_tricky}
In this challenge we are given a text file with some scrambled data.



The file is definitely a text file. However we can’t make any sense of it looking at it in a text editor. We need to use a hex editor to look for more clues.



Even in a hex editor it still looks like gobbledygook. Without any hints, this was a hard challenge. The hint states “If you are having trouble with this bit, shift your focus.” I use far too many puns with my hints; at least I have fun with them. Bit shifting involves shifting every bit in the file. We can do this with a hex editor called WinHex from X-Ways Forensics (http://www.winhex.com/winhex/).
By shifting the bits to the left once, the file is displayed normally.
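The same operation can be scripted, which also makes it possible to try every shift when the right one is not known. The following Python is an added example, not code from the write-up or from WinHex: it treats the whole file as one bit stream (bits carry across byte boundaries, the length in bytes is preserved, bits shifted off the end are lost), and a small search scores each candidate shift by how many printable bytes it produces. The scrambled input is constructed here by right-shifting the flag text by one bit, so the left shift the write-up describes recovers it; the trailing newline is deliberate, since the right shift drops the last bit and a newline's last bit is zero.

```python
import string

PRINTABLE = set(string.printable.encode())


def shift_bits(data: bytes, n: int, left: bool = True) -> bytes:
    """Shift the entire byte string as one bit stream, carrying bits across
    byte boundaries. Length is preserved; bits shifted past either end are lost."""
    if not data:
        return data
    width = len(data) * 8
    value = int.from_bytes(data, "big")
    value = (value << n) & ((1 << width) - 1) if left else value >> n
    return value.to_bytes(len(data), "big")


def printable_ratio(data: bytes) -> float:
    """Share of bytes that are printable ASCII (including whitespace)."""
    return sum(b in PRINTABLE for b in data) / len(data) if data else 0.0


def recover_text(data: bytes, max_shift: int = 7):
    """Try 1..max_shift bit shifts in both directions and return
    (direction, shift, result) for the most printable candidate."""
    best = ("none", 0, data, printable_ratio(data))
    for n in range(1, max_shift + 1):
        for left in (True, False):
            candidate = shift_bits(data, n, left)
            score = printable_ratio(candidate)
            if score > best[3]:
                best = ("left" if left else "right", n, candidate, score)
    return best[:3]


# Constructed sample: the challenge flag, scrambled by a one-bit right shift.
FLAG_TEXT = b"fastctf{a_bit_tricky}\n"
SCRAMBLED = shift_bits(FLAG_TEXT, 1, left=False)

if __name__ == "__main__":
    print("scrambled:", SCRAMBLED.hex())
    direction, n, result = recover_text(SCRAMBLED)
    print("best shift: %s by %d bit(s)" % (direction, n))
    print(result.decode("ascii", errors="replace"))
```

The printable-ratio heuristic is only a guide for text payloads; for a shifted binary (an executable or an image) you would score candidates against known file signatures instead. WinHex also offers the per-byte variant of the shift, where each byte is shifted independently and no bits carry between neighbours; on 7-bit ASCII the two agree for a left shift by one, which is why either reading of the hint leads to the flag.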




Please Don't Double Click Batch Files: Cal Poly FAST CTF Challenge 10


Question: The flag is inside this Windows Batch file.
Hint: Strings is faster than restarting your computer.
Answer: fastctf{editnotopen}

This challenge was very easy. All you had to do was read the batch file. Had the batch file been executed, it would have shut down your computer in 5 seconds and shown a pop-up saying “You’re in CIS and you execute random batch scripts?”.


Obviously this is quite malicious and hilarious. Don’t execute batch scripts without inspecting them first! Using any text editor will show the flag fastctf{editnotopen}. You could have also used strings on the file. The “::” represents a comment and is not shown when executed.

I found it hilarious when people just double-clicked the file and shut down their computer. One person who turned off their computer thought it was their computer glitching out, so they asked a team member to try it. Hahaha~


MD5 collisions: Cal Poly FAST CTF Challenge 9


Question: What is the name of the executable with the MD5 hash of cdc47d670159eef60916ca03a9d4a007 that performs a malicious task? (Don't worry none of these will actually harm your computer).
No Hint.
Answer: 15832-3645-24173.exe

This question sounded easy but turned out to be a bit trickier. You are given the MD5 hash of a file and then asked to give the name of the file. No hints are given since it is so straight forward. Or is it really?
Inside the zipped archive is a large collection of randomly named files of equal size.




In Linux you can find the MD5 hash of every file in the directory with “md5sum *”. md5sum is a handy tool that calculates MD5 hashes. You can also get it for Windows from the win-bash project (https://sourceforge.net/projects/win-bash/).




After running the command, you may notice something peculiar: every file in the directory has the same MD5 hash. Are they all the same file? No. One of these files is different, and this phenomenon is known as an MD5 hash collision. So how can we figure out which file is the one we need? If you ran the files from the command prompt, you would eventually figure it out, but that method is impractical.




One of these files is supposed to be harmful to our computer. If we know that many of these files are identical, then calculating a hash will tell us which file is different. This time, we will calculate each file’s SHA1 hash. It is very, very unlikely that the odd file will have both an identical MD5 and an identical SHA1 hash value to the other files. In Linux, we can calculate the SHA1 hashes with “sha1sum *”.



15832-3645-24173.exe sticks out like a sore thumb with its different SHA1 sum. Running it from the command prompt, it pretends to erase your hard drive.



You could have also used strings on all the files in the directory and eventually found which was different.
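The procedure above generalizes to a single pass: hash every file under more than one algorithm, then look for files that agree under the weak algorithm but split under a stronger one. The following Python is an added example, not code from the write-up: hash_directory digests real files, odd_ones_out finds the file whose digest is shared with no other, and collision_groups reports MD5 groups that SHA-256 splits apart. Because genuine MD5 collisions cannot be produced here, the collision check is demonstrated on a constructed digest table whose values are labelled placeholders (only the odd file's name comes from the challenge); the temp-directory demo hashes real files and so uses a plain content difference instead.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

ALGORITHMS = ("md5", "sha1", "sha256")


def hash_file(path, algorithms=ALGORITHMS):
    """Digest one file under several algorithms in a single read."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            for hasher in hashers.values():
                hasher.update(chunk)
    return {name: hasher.hexdigest() for name, hasher in hashers.items()}


def hash_directory(directory, algorithms=ALGORITHMS):
    """{filename: {algorithm: hexdigest}} for every regular file in directory."""
    result = {}
    for name in sorted(os.listdir(directory)):
        full = os.path.join(directory, name)
        if os.path.isfile(full):
            result[name] = hash_file(full, algorithms)
    return result


def odd_ones_out(digests, algorithm):
    """Files whose digest under `algorithm` is shared with no other file."""
    by_digest = defaultdict(list)
    for name, per_algo in digests.items():
        by_digest[per_algo[algorithm]].append(name)
    return sorted(name for names in by_digest.values() if len(names) == 1 for name in names)


def collision_groups(digests, weak="md5", strong="sha256"):
    """{weak_digest: {strong_digest: [files]}} for every weak digest shared by
    files whose strong digest differs, i.e. a collision under `weak`."""
    groups = defaultdict(lambda: defaultdict(list))
    for name, per_algo in digests.items():
        groups[per_algo[weak]][per_algo[strong]].append(name)
    return {w: {s: sorted(n) for s, n in split.items()}
            for w, split in groups.items() if len(split) > 1}


# Constructed stand-in for the challenge directory: the digest strings are
# placeholders (real colliding binaries cannot be generated here), shaped like
# the md5sum/sha1sum output in the write-up: identical MD5, one differing SHA.
SAMPLE_DIGESTS = {
    "10294-4812-33201.exe": {"md5": "MD5_SHARED", "sha256": "SHA256_BENIGN"},
    "11873-2290-19044.exe": {"md5": "MD5_SHARED", "sha256": "SHA256_BENIGN"},
    "15832-3645-24173.exe": {"md5": "MD5_SHARED", "sha256": "SHA256_ODD"},
    "17761-1004-90213.exe": {"md5": "MD5_SHARED", "sha256": "SHA256_BENIGN"},
}


def demo_on_temp_directory():
    """Hash real files: three identical and one different. With no collision
    in play, MD5 and SHA-1 single out the same file."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("a.exe", "b.exe", "c.exe"):
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(b"echo benign\n" * 100)
        with open(os.path.join(tmp, "d.exe"), "wb") as fh:
            fh.write(b"echo different\n" * 100)
        digests = hash_directory(tmp)
    return odd_ones_out(digests, "sha1"), odd_ones_out(digests, "md5")


if __name__ == "__main__":
    print("odd file by SHA-256:", odd_ones_out(SAMPLE_DIGESTS, "sha256"))
    print("MD5 groups that SHA-256 splits:", collision_groups(SAMPLE_DIGESTS))
    print("temp-directory demo:", demo_on_temp_directory())
```

The practical lesson is the one the write-up draws: an MD5 match alone does not prove two files are identical, so allow-lists, IoC matching and evidence verification should carry a SHA-256 alongside any legacy MD5 value.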

These files were created with a tool called Evilize, which generates MD5 hash collisions between similar C programs. To understand more about why this happens and to download Evilize, check out https://www.mscs.dal.ca/~selinger/md5collision/.