Welcome to the Holiday Hack Challenge 2019 / KringleCon 2
This annual CTF is the lovechild of a SANS and CounterHack collaboration, along with partners like Splunk, Graylog, Google, and more! The main objectives, along with the side challenges, combine SOC and blue teaming efforts this year with traditional red team hack escapades.
GOAL:
Save Christmas of course! Santa needs our help to find various items and solve challenges around the campus of Elf University. Let’s get started (and I’ll tell you about a few pitfalls to avoid). Click on the ticket to get started and register/login.
Startup
The first step is to log in and go visit Santa. After disembarking from the train, Santa tells you about the Con, but the real Santa talk happens inside the Quad. Don’t worry about Bushy Evergreen; we’ll come back to him in the side challenges.
0x00. Talk to Santa in the Quad
Santa
This is a little embarrassing, but I need your help.
Our KringleCon turtle dove mascots are missing!
They probably just wandered off.
Can you please help find them?
To help you search for them and get acquainted with KringleCon, I’ve created some objectives for you. You can see them in your badge.
0x01. Find the Turtle Doves
This happens to be the next easiest task (aside from Objective 0). To find the doves, you must begin to look around the campus. After ducking into a few areas, the doves can be found in the North section of the Quad, in the Student Union cozying up to the fire to stay warm.
0x02. Unredact Threatening Document
This is another item found by just walking around the Quad looking for anything out of the norm. You may have seen this on the way into the Student Union, but the letter was dropped by a mischievous troublemaker in the Northwest corner of the Quad.
Clicking the document loads a separate PDF with heavily redacted sections (almost all of it!). By double-clicking in the text, you can see that the redaction is only an image overlay: the words still exist underneath it and get selected. The text was never removed from the PDF, so simply select all of the text and you have the plaintext readout.
Date: February 28, 2019
To the Administration, Faculty, and Staff of Elf University
17 Christmas Tree Lane
North Pole
From: A Concerned and Aggrieved Character
Subject: DEMAND: Spread Holiday Cheer to Other Holidays and Mythical Characters… OR ELSE!
Attention All Elf University Personnel,
It remains a constant source of frustration that Elf University and the entire operation at the North Pole focuses exclusively on Mr. S. Claus and his year-end holiday spree. We URGE you to consider lending your considerable resources and expertise in providing merriment, cheer, toys, candy, and much more to other holidays year-round, as well as to other mythical characters.
For centuries, we have expressed our frustration at your lack of willingness to spread your cheer beyond the inaptly-called “Holiday Season.” There are many other perfectly fine holidays and mythical characters that need your direct support year-round.
If you do not accede to our demands, we will be forced to take matters into our own hands. We do not make this threat lightly. You have less than six months to act demonstrably.
Sincerely,
--A Concerned and Aggrieved Character
The first all caps word in the Subject line is: DEMAND
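The overlay-redaction failure described above, as an added example that is not part of the original write-up: the first function constructs a tiny uncompressed PDF (a sample, not the challenge's document) that draws a line of text and then paints a black box over it; the second pulls every string drawn with the Tj operator back out of the content stream, which is exactly why select-all in a viewer still recovers the "redacted" words. The check helper name is my own.

```python
import re

def build_overlay_redacted_pdf(secret):
    """Construct a one-page PDF (constructed sample) whose page content draws
    the text and then paints a black rectangle over it: overlay 'redaction'.
    Keep `secret` free of parentheses, which would need escaping in PDF strings."""
    content = (f"BT /F1 12 Tf 72 700 Td ({secret}) Tj ET\n"
               "0 g 70 695 300 16 re f\n").encode()  # black box drawn after the text
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 4 0 R"
        b" /Resources << /Font << /F1 5 0 R >> >> >>",
        b"<< /Length %d >>\nstream\n" % len(content) + content + b"endstream",
        b"<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>",
    ]
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for num, body in enumerate(objs, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_at = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    out += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (
        len(objs) + 1, xref_at)
    return bytes(out)

def extract_shown_strings(pdf):
    """Return every literal string drawn with the Tj operator in the PDF's
    content streams. Assumes uncompressed streams; real PDFs usually
    Flate-compress them, so inflate with zlib first in that case."""
    strings = []
    for stream in re.findall(rb"stream\r?\n(.*?)endstream", pdf, re.S):
        strings += [s.decode("latin-1") for s in re.findall(rb"\((.*?)\)\s*Tj", stream)]
    return strings

def overlay_redaction_leaks(pdf, secret):
    """True if the supposedly redacted text is still present in the page content."""
    return any(secret in s for s in extract_shown_strings(pdf))
```

Proper redaction must rewrite the content stream (and any fonts, metadata and thumbnails) so the text is gone; a box painted on top hides nothing from this check.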
0x03. Evaluate Attack Outcome
This task requires us to narrow down the Windows event logs to identify the password spray. The link is provided and downloads a copy of the event files in a ZIP file. After extracting, I used my host Windows system and opened them in the standard Event Viewer for ease.
One of my favorite things to do at a SANS event is collecting up the posters. When you have down time it allows you to learn a little bit more to prep for NETWARS or just learn a new technique. The tips in the most recent DFIR poster really helped.
I narrowed my search down to the Security logs, specifically these Event IDs:
4648 - A logon was attempted using explicit credentials.
4624 - An account was successfully logged on.
Filtering on these lets defenders see the full list of attempted logins and pinpoint whether any account was successfully compromised. This video shows what the narrowed-down list showed me.
In this case, you can see it was user: Supatree
BONUS: When completing the Sysmon challenge (0x04), you can also isolate the password spraying by tracking the shared resources.
You can see that the net use command was used to try passwords until IPC$ was mapped using the Supatree account [Password = Passw0rd1]. The attacker had to delete the mapped drive before moving on to the next user.
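The same hunt expressed as code, as an added example that is not part of the original write-up: the records are a constructed sample in a simplified Event Viewer XML shape (namespaces dropped; TargetUserName and IpAddress are the real 4624/4648 data fields, but the values are made up and grouping by IpAddress as the "source" is an assumption). A source whose 4648 attempts touch many distinct accounts is the spray; a 4624 from that source names the compromised account.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

def _evt(eid, user, ip):
    """Build one constructed <Event> record in simplified Event Viewer XML."""
    return (f'<Event><System><EventID>{eid}</EventID></System><EventData>'
            f'<Data Name="TargetUserName">{user}</Data>'
            f'<Data Name="IpAddress">{ip}</Data></EventData></Event>')

# Constructed sample: one host tries six accounts, lands one; another host
# performs a single ordinary logon. Not taken from the challenge's evtx files.
SAMPLE_XML = "<Events>" + "".join(
    [_evt(4648, u, "10.0.0.5")
     for u in ("alabaster", "bushy", "minty", "pepper", "sugarplum", "supatree")]
    + [_evt(4624, "supatree", "10.0.0.5"),
       _evt(4648, "wunorse", "192.168.1.20"),
       _evt(4624, "wunorse", "192.168.1.20")]
) + "</Events>"

def parse_events(xml_text):
    """Yield (event_id, target_user, source_ip) for every <Event> in the blob."""
    for ev in ET.fromstring(xml_text).iter("Event"):
        eid = int(ev.find("System/EventID").text)
        data = {d.get("Name"): d.text for d in ev.iter("Data")}
        yield eid, data.get("TargetUserName"), data.get("IpAddress")

def spray_sources(events, min_accounts=5):
    """Source IPs whose 4648 explicit-credential attempts hit many distinct accounts."""
    tried = defaultdict(set)
    for eid, user, ip in events:
        if eid == 4648:
            tried[ip].add(user)
    return {ip: len(users) for ip, users in tried.items() if len(users) >= min_accounts}

def compromised_accounts(events, spray_ips):
    """Accounts with a successful logon (4624) originating from a spraying source."""
    return sorted({user for eid, user, ip in events if eid == 4624 and ip in spray_ips})

def hunt(xml_text=SAMPLE_XML):
    """Run the whole hunt: spraying sources, then the accounts they got into."""
    events = list(parse_events(xml_text))
    sprays = spray_sources(events)
    return sprays, compromised_accounts(events, sprays)
```

The min_accounts threshold is the knob that separates a spray from a user mistyping a few passwords; tune it to the environment.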
0x04. Determine Attacker Technique
Just as before in the last objective, we download the files and open them up. I attempted to open these in a few different applications before I narrowed down my favorite at the time: Notepad++. This enabled color coding by default and provided a search pane for when I just wanted to see lines with results.
Not being super ninja in JSON parsing or even sed, I relied on the Notepad++ functions. The first clue drives a simple search for the “lsass” process.
This isolated the traffic down to a single event.
Looking at the entry, you can see the parent process (lsass | PPID 632) spawned cmd.exe (PID 3440), which in turn spawned a new process. This process (ntdsutil | PID 3556) is the culprit. Let’s break down the command:
"ac i ntds" - activate instance ntds
ifm - creates installation media for writable (full) and read-only domain controllers (RODCs) and instances of AD LDS.
create full C:\hive - the ntdsutil help lists this as "create full %s": creates installation media for a writable Active Directory domain controller or an AD LDS instance in the %s folder, here C:\hive.
q q - quits twice, backing out of the ifm menu and then out of ntdsutil itself.
As you can see from the command, the tool used is: ntdsutil. NOTE: no .exe
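The parent-child chain above turned into detection logic, as an added example that is not part of the original write-up. The records are a constructed JSON-lines sample in a simplified Sysmon Event ID 1 (process create) shape: the field names are Sysmon's, but the values only mirror the PIDs quoted above and are not the challenge's exported log. The code rebuilds each process's ancestry from ParentProcessId links and flags ntdsutil runs that create IFM media (an offline copy of the AD database), noting when lsass.exe sits in the chain.

```python
import json

# Constructed sample (JSON lines, simplified Sysmon fields); not the challenge's log.
SAMPLE_LOG = r'''
{"EventID": 1, "ProcessId": 632, "ParentProcessId": 4, "Image": "C:\\Windows\\System32\\lsass.exe", "CommandLine": "lsass.exe"}
{"EventID": 1, "ProcessId": 3440, "ParentProcessId": 632, "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe"}
{"EventID": 1, "ProcessId": 3556, "ParentProcessId": 3440, "Image": "C:\\Windows\\System32\\ntdsutil.exe", "CommandLine": "ntdsutil.exe \"ac i ntds\" ifm \"create full C:\\hive\" q q"}
{"EventID": 1, "ProcessId": 4100, "ParentProcessId": 900, "Image": "C:\\Windows\\explorer.exe", "CommandLine": "explorer.exe"}
{"EventID": 3, "ProcessId": 4100, "Image": "C:\\Windows\\explorer.exe", "DestinationHostname": "example.invalid"}
'''

def load_process_creates(text):
    """Index Sysmon process-create events (EventID 1) by ProcessId."""
    procs = {}
    for line in text.strip().splitlines():
        ev = json.loads(line)
        if ev.get("EventID") == 1:
            procs[ev["ProcessId"]] = ev
    return procs

def ancestry(procs, pid):
    """Walk ParentProcessId links; return [image, parent image, grandparent, ...]."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:   # `seen` guards against PID reuse loops
        seen.add(pid)
        chain.append(procs[pid]["Image"].rsplit("\\", 1)[-1].lower())
        pid = procs[pid]["ParentProcessId"]
    return chain

def find_ntds_dumps(procs):
    """Flag ntdsutil invocations that write IFM media, with their full parent chain."""
    hits = []
    for pid, ev in procs.items():
        chain = ancestry(procs, pid)
        cmdline = ev.get("CommandLine", "").lower()
        if chain[0] == "ntdsutil.exe" and "ifm" in cmdline and "create full" in cmdline:
            hits.append({"pid": pid, "chain": chain, "under_lsass": "lsass.exe" in chain})
    return hits
```

The ancestry walk is what makes the alert explainable in a ticket: "ntdsutil under cmd.exe under lsass.exe" is far more convincing than a bare command-line match.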
0x05. Network Log Analysis: Determine Compromised System
Moving off Windows logs, Santa needs us to start tracking attackers across the network. Start by downloading the Zeek logs and opening them in RITA. As John Strand mentioned in the KCII Keynote, RITA is a great (and FREE) tool for hunting down anomalies in enterprise web traffic. This exercise begins with opening the index.html in the ELFU directory and then selecting ELFU.
Honestly, this is an easy challenge, but I constantly make things harder because READING IS HARD. I tried the first Destination IP, then the next, and on and on. It wasn’t until I read the initial question again that I realized they were looking for the infected system (the one beaconing out). Knowing this, I discovered the key to be the source IP: 192.168.134.130.
Get more Objectives
Now that the first 5 objectives are complete, it’s time to go back and revisit Santa in the Quad.
0x06. Splunk
This was the first “Offsite” link I encountered, directing you to login to the Splunk SOC and take direction from the team lead Alice Bluebird, along with Kent and other SOC team members. Much of this is following along with the tips, but remember, READING IS HARD. So I struck out on my own path.
1. What is the short host name of Professor Banas' computer?
By following the first few prompts in the window (the red dots), you find in the #ELFUSOC channel that they are already discussing a compromised system called sweetums that is Prof. Banas' main computer. That was easy!
2. What is the name of the sensitive file that was likely accessed and copied by the attacker? Please provide the fully qualified location of the file. (Example: C:\temp\report.pdf)
The end goal from the conversation with the SOC lead is to start searching for other sensitive terms as the attackers are after Santa’s data. So let’s just try “Santa”. Too many results. Returning to the previous search for “cbanas”, we added “Santa” and whittled it down to 10 records. Time to manually review; what do you know! First try:
... 15 lines omitted ...
CommandInvocation(Format-List): "Format-List"
CommandInvocation(Out-String): "Out-String"
ParameterBinding(Stop-AgentJob): name="JobName"; value="4VCUDA"
ParameterBinding(Format-List): name="InputObject"; value="C:\Users\cbanas\Documents\Naughty_and_Nice_2019_draft.txt:1:Carl, you know there's no one I trust more than you to help. Can you have a look at this draft Naughty and Nice list for 2019 and let me know your thoughts? -Santa"
The answer is: C:\Users\cbanas\Documents\Naughty_and_Nice_2019_draft.txt
3. What is the fully-qualified domain name (FQDN) of the command and control (C2) server? (Example: badguy.baddies.com)
Returning to the ELFU SOC chat, a ton of tips and premade Sysmon searches are provided. Using the last one in the chat with Alice, we now have a list of PowerShell processes and need to identify the FQDN. Using the large list of selected fields, I zeroed in on the “Destination Hostname”.
All events reached out to this destination: 144.202.46.214.vultr.com