Saturday 7 May 2022

Magnet Summit 2022 Virtual CTF - Windows

Magnet Forensics recently concluded their Virtual CTF for the Magnet Summit 2022. 

Participants were provided with the following three images to process prior to the start of the Capture-the-Flag (CTF) challenge, as well as a trial key for the newly launched AXIOM 6.

  1. Pixel image containing what appears to be a full file system extraction of a Pixel 3 running Android 9;
  2. HP Image containing a full disk image of a Windows 11 system; and
  3. Google Takeout image of the account used in the CTF, rafaelshell24@gmail.com.

The questions for the CTF are split into three sections, and the write-ups for each section are as follows: 

  1. Windows
  2. Android
  3. Egg Hunt

 

Windows

Processing

The heavy lifting for this section of the CTF was done using the trial copy of AXIOM provided. Other tools that were used include Exterro's FTK Imager for browsing and exporting from the E01 image, Eric Zimmerman's EvtxECmd for parsing the event logs, and ewf-tools package for mounting the E01 image in Linux.

For the purposes of this CTF, I used Ubuntu on WSL (Windows Subsystem for Linux) so as to avoid having to switch between machines but the Linux commands should work for most distributions, including the SANS SIFT Workstation which has a number of preconfigured incident response and forensic tools.

Surprisingly, a large number of questions for this CTF centered around the Minecraft game and its data. Along the way while attempting to solve the questions, I came across a number of programs and plugins for viewing Minecraft data stored in NBT (Named Binary Tag) format, such as the NBT Viewer plugin for Visual Studio Code and Universal Minecraft Editor, as well as Minecraft Overviewer for rendering interactive maps from Minecraft Region file format (.mcr) and Anvil file format (.mca) save files.


Questions

1. Never Gonna Give You Up

How many times did Patrick get rick rolled? (5 points)

To understand what the question was asking, I performed a quick Google search for 'rick roll' and found out that it was a bait-and-switch prank to redirect viewers to Rick Astley's 'Never Gonna Give You Up' music video.

The answer is found by performing a keyword search for 'never gonna' and counting the number of web visits to Rick's MV. Interestingly the web visits were all from Edge (Users\Patrick\AppData\Local\Microsoft\Edge\User Data\Default\History) and none from Chrome.

Answer: 9


2. Crater of Diamonds

When did n30forever "Mine" diamonds? YYYY-MM-DD HH:MM UTC (10 points)

My initial instinct was to search in the Minecraft application logs for this question, which defaults to the user's AppData\Roaming\.minecraft\logs. Unfortunately the logs in that folder only captured the chat message from n30forever and I wasted a bunch of tries trying to convert the timestamp of that message into UTC.

It pays to have a look at the image we are given outside of our processing tool as I subsequently realized that there was another Minecraft folder in Users\Patrick\Documents\Minecraft with far more details captured in the logs. Using zgrep -H n30forever *.gz | grep -i diamond to search through the compressed logs for n30forever and messages relating to diamonds showed when they issued a server command to get diamonds.

As each log file is dated and each message within time stamped, we can determine that the time the diamonds were "mined" was 2022-02-10 19:57:52. However, as the game logs were in local time, we need to check the SYSTEM\ControlSet001\Control\TimeZoneInformation registry key to determine what time zone the system was in, which was Eastern Standard Time (UTC-5). Adding 5 hours to 2022-02-10 19:57:52 will give us the answer in UTC.

Answer: 2022-02-11 00:57


3. Punching Wood

How many wood blocks has n30forever mined? (10 points)

Once again, this question required the data files from Users\Patrick\Documents\Minecraft rather than those in Users\Patrick\AppData\Roaming\.minecraft. In the Minecraft\world\stats folder, we see two JSON files containing player statistics named by player UUID. To determine which of the two files belonged to n30forever, I grepped for n30forever's UUID in the latest.log log file and then searched the relevant JSON file for the number of wood blocks.

Answer: 60


4. Version aversion

What was the version number of ZeroTier that was installed on the system? Format X.X.X (5 points)

A fairly easy question if using AXIOM as it can be found under the 'Installed Programs' category. Alternatively one can get the answer from the registry key SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ZeroTier One 1.8.4.

Answer: 1.8.4


5. r/hobbies

What subreddit did Patrick frequent the most? Format: r/subredditName (5 points)

Performing a keyword search for 'reddit' in AXIOM shows that the most frequented subreddit based on the user's Chrome and Edge browsing history was 'r/stamps'.

Answer: r/stamps


6. Nil Layer

What was the ZeroTier Network name? (10 points)

Since most applications save configuration details in the user's AppData\Local folder, that was my first port of call and I located the answer in Users\Patrick\AppData\Local\ZeroTier\saved_networks.json.

Answer: pensive_joybubbles


7. Insider Preview

What is the Build Number of the Windows Install (10 points)

I found this information under 'Operating System Information' in AXIOM. Alternatively one could use the 'winver' plugin from Harlan Carvey's RegRipper against the SOFTWARE registry file.

Answer: 22543


8. Default Skin

What is the SID of the account that was used to create the extra user? (25 points)

A search for user account creation event ID 4720 shows us that the account 'minecraftsteve' was created by 'S-1-5-18' on 2022-02-12 01:29:43 UTC.

Answer: S-1-5-18


9. Groundhog Day

Where did n30forever spawn on the most recent logon? Format: x,y,z (25 points)

A quick search for n30forever in the latest log file in Users\Patrick\Documents\Minecraft\logs provided the answer.

Answer: 226.5624306726793, 71.5625, 200.30000001192093


10. 1T5 H4CK1N6 T1M3

Patrick reports a suspicious console open on his screen. Can you find the full path to the script that caused this? (50 points)

I'm not sure if there was an easier way of locating the answer as I found it by chance while looking through the E01 image. I noticed a folder named 'lolololol' in the user's profile folder containing a suspicious batch file and tried that for the answer.

Answer: C:\Users\Patrick\lolololol\matrix.bat


11. Real 2020 Moment

Patrick reports seeing a couple of notifications saying malicious files were found and quarantined. What was the file name of the malicious file that was spawned with the process name starting with the letter S? (50 points)

I actually solved this question after solving 'Obfuscation Occasion' as the two questions are related. In hindsight, the question hinted at notifications that Patrick saw, which we can determine are Windows Defender related from the artifacts in the 'Windows Notification Center' category. Research on Windows Defender events led me to event IDs 1006, 1015, and 1116 for malware detection events in the Microsoft-Windows-Windows Defender%4Operational.evtx log. Once we filter for the relevant event IDs, we can determine the malicious file that was spawned from process 'sihost.exe'.

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Windows Defender" Guid="11cd958a-c507-4ef3-b3f2-5fd9dfbd2c78" />
<EventID>1116</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2022-02-12T01:47:55.9160525Z" />
<EventRecordID>256</EventRecordID>
<Correlation ActivityID="5507b298-0527-4c1f-a99d-0e3de41488b8" />
<Execution ProcessID="3136" ThreadID="14652" />
<Channel>Microsoft-Windows-Windows Defender/Operational</Channel>
<Computer>DESKTOP-SKPTDIO</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="Product Name">Microsoft Defender Antivirus</Data>
<Data Name="Product Version">4.18.2201.10</Data>
<Data Name="Detection ID">{818B2C3E-929A-4444-8FFB-5571A2CAA8E7}</Data>
<Data Name="Detection Time">2022-02-12T01:47:45.310Z</Data>
<Data Name="Unused"></Data>
<Data Name="Unused2"></Data>
<Data Name="Threat ID">2147724209</Data>
<Data Name="Threat Name">TrojanDropper:VBS/Ploty.A</Data>
<Data Name="Severity ID">5</Data>
<Data Name="Severity Name">Severe</Data>
<Data Name="Category ID">37</Data>
<Data Name="Category Name">Trojan Dropper</Data>
<Data Name="FWLink">https://go.microsoft.com/fwlink/?linkid=37020&name=TrojanDropper:VBS/Ploty.A&threatid=2147724209&enterprise=0</Data>
<Data Name="Status Code">1</Data>
<Data Name="Status Description"></Data>
<Data Name="State">1</Data>
<Data Name="Source ID">3</Data>
<Data Name="Source Name">Real-Time Protection</Data>
<Data Name="Process Name">C:\Windows\System32\sihost.exe</Data>
<Data Name="Detection User">DESKTOP-SKPTDIO\Patrick</Data>
<Data Name="Unused3"></Data>
<Data Name="Path">file:_C:\Users\Patrick\AppData\Local\Temp\xPSPLcEr.vbs</Data>
<Data Name="Origin ID">1</Data>
<Data Name="Origin Name">Local machine</Data>
<Data Name="Execution ID">1</Data>
<Data Name="Execution Name">Suspended</Data>
<Data Name="Type ID">0</Data>
<Data Name="Type Name">Concrete</Data>
<Data Name="Pre Execution Status">0</Data>
<Data Name="Action ID">9</Data>
<Data Name="Action Name">Not Applicable</Data>
<Data Name="Unused4"></Data>
<Data Name="Error Code">0x00000000</Data>
<Data Name="Error Description">The operation completed successfully. </Data>
<Data Name="Unused5"></Data>
<Data Name="Post Clean Status">0</Data>
<Data Name="Additional Actions ID">0</Data>
<Data Name="Additional Actions String">No additional actions required</Data>
<Data Name="Remediation User"></Data>
<Data Name="Unused6"></Data>
<Data Name="Security intelligence Version">AV: 1.359.53.0, AS: 1.359.53.0, NIS: 1.359.53.0</Data>
<Data Name="Engine Version">AM: 1.1.18900.3, NIS: 1.1.18900.3</Data>
</EventData>
</Event>

Answer: xPSPLcEr.vbs
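As an added illustration that is not part of the original write-up, the filtering described above applied to an XML export of the Defender Operational log (the form EvtxECmd or wevtutil can produce): keep only event IDs 1006, 1015 and 1116, pull the originating process and quarantined path out of EventData, and match on the process name prefix the question asks for. The sample XML is constructed, abridging record 256 from above and adding an unrelated event.

```python
import xml.etree.ElementTree as ET

# Every element in Windows event XML lives in this namespace.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Defender malware-detection event IDs identified in the write-up.
DETECTION_IDS = {1006, 1015, 1116}

# Constructed sample (not from the CTF image): an <Events> wrapper around an
# abridged copy of record 256 above plus an unrelated, made-up event 1150.
SAMPLE_XML = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>1116</EventID><EventRecordID>256</EventRecordID><TimeCreated SystemTime="2022-02-12T01:47:55.9160525Z" /></System>
<EventData><Data Name="Threat Name">TrojanDropper:VBS/Ploty.A</Data>
<Data Name="Process Name">C:\Windows\System32\sihost.exe</Data>
<Data Name="Path">file:_C:\Users\Patrick\AppData\Local\Temp\xPSPLcEr.vbs</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>1150</EventID><EventRecordID>257</EventRecordID><TimeCreated SystemTime="2022-02-12T01:50:00.0000000Z" /></System>
<EventData><Data Name="Product Name">Microsoft Defender Antivirus</Data></EventData>
</Event>
</Events>"""


def _basename(win_path):
    # Last path component, after dropping the "file:_" prefix Defender puts on Path.
    if win_path.startswith("file:_"):
        win_path = win_path[len("file:_"):]
    return win_path.rsplit("\\", 1)[-1]


def defender_detections(xml_text):
    """Return one dict per detection event (IDs 1006/1015/1116) found in the export."""
    hits = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        event_id = int(ev.findtext("e:System/e:EventID", namespaces=NS))
        if event_id not in DETECTION_IDS:
            continue
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        hits.append({
            "record": int(ev.findtext("e:System/e:EventRecordID", namespaces=NS)),
            "time": ev.find("e:System/e:TimeCreated", NS).get("SystemTime"),
            "threat": data.get("Threat Name", ""),
            "process": _basename(data.get("Process Name", "")),
            "file": _basename(data.get("Path", "")),
        })
    return hits


def files_spawned_by(hits, process_prefix):
    """File names of detections whose originating process name starts with the prefix (case-insensitive)."""
    return [h["file"] for h in hits if h["process"].lower().startswith(process_prefix.lower())]
```

On a real export, pass the whole file's text to defender_detections; records from other Defender event IDs (such as 1150) are skipped.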


12. Philatelists Club

Patrick put a sign outside of his house in his offline survival minecraft world. What did it say? (Combine all lines of sign into 1 flag) (50 points)

Ahhh... the most fun and infuriating question of the challenge, which took me the longest. I started by searching for the keywords 'stamp' and 'philate' in AXIOM but could not get any answers. Thinking that it could be an image-based answer, I reviewed the Pictures artifact category but could only find a red herring, Users\Patrick\AppData\Roaming\.minecraft\screenshots\2022-02-11_17.53.43.png from the networked game with n30forever.

I then tried looking through the Minecraft data in the survival world save at Users\Patrick\AppData\Roaming\.minecraft\saves\Survial-World7 and researched ways to view them. When I spied what appeared to be a signboard outside of a house in the Minecraft Overviewer rendered map, I became convinced that the answer we seek is contained within the Minecraft Anvil (.mca) data files.

Unfortunately none of the editors I found could parse the information successfully. Eventually in a final attempt, I installed the demo version of Minecraft: Java Edition (PC) and overwrote the local data files in AppData\Roaming\.minecraft\saves\Demo_World with the data files exported from Users\Patrick\AppData\Roaming\.minecraft\saves\Survial-World7 for a playthrough and found the answer. Both version 1.18.1 as used in the CTF image and the latest version 1.18.2 as of the challenge were tested to work with this method.

Answer: Stamp Lovers Only


13. Time 2 Block 0.0.0.0/0

What is the full address that the backdoor was downloaded into the system from? (75 points)

While reviewing the Windows Defender logs for malicious files in '1T5 H4CK1N6 T1M3', I noted some entries for PowerShell relating to 'Powercat'.

A search for 'powercat' in AXIOM revealed the download source in event ID 4100 from Microsoft-Windows-PowerShell%4Operational.evtx.

Answer: 192.168.191.253:8000/powercat.ps1


14. Obfuscation Occasion

Locate and extract the file identified in the above question. What is the first function name in the malware? Caution sample is REAL MALWARE (75 points)

While looking at the Defender logs in the previous question, I noted that the malicious VBA files were supposed to be located in C:\Users\Patrick\AppData\Local\Temp. However, browsing to that path did not reveal any sign of the file.

Since we know from 'Real 2020 Moment' that the malicious files were quarantined, I wondered if a copy of the file still exists on the system within Defender's vault, similar to how other antivirus software works. A Google search led me to Nikola's post on extracting quarantined files from Windows Defender and his defender-dump script, which I then used to extract the quarantined files from the mounted image. Note that dumping the two VBA files in Windows will cause Defender to quarantine them immediately, making analysis impossible, so it is recommended to do this in Linux or to turn off Defender on an isolated, sandboxed machine.

Luckily there was no lock out for this question so I tested the first function name from both files and identified the correct file as 'xPSPLcEr.vbs' when the answer was accepted.

Answer: qiZlDWBXp


15. Oh Boy Its Time to DCode

It looks like the vba file contains another encoded file. Decode this and provide the time/date stamp located inside the COFF header in UTC. yyyy/mm/dd:HH:MM:SS Caution sample is REAL MALWARE (100 points)

This wasn't a difficult question once we had the VBA file and understood what a COFF header was.

Reviewing the code for 'xPSPLcEr.vbs' shows that the encoded file in question was stored as variable 'qyfjzHuPbtHJp' in Base64. I used a combination of sed and base64 to dump and decode the payload, and obtained the required date/time stamp using readpe -h coff from the PE file analysis toolkit.

Answer: 2009/04/28 19:12:46
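An added example, not the author's own sed/base64/readpe pipeline, of the same three steps in Python: pull the Base64 literal assigned to the variable out of the script (also joining chunks appended with &, a common layout for droppers), decode it, and read the TimeDateStamp from the COFF header, which sits 8 bytes past the "PE\0\0" signature that e_lfanew (offset 0x3C of the DOS header) points at. The VBScript fragment and the embedded PE are constructed stand-ins, not the real sample, with the timestamp set to the answer's value.

```python
import base64
import re
import struct
from datetime import datetime, timezone


def build_fake_pe(timestamp):
    """Constructed stand-in for the dropped binary: a minimal MZ/PE image, not the real sample."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE signature directly after the DOS header
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 0, timestamp, 0, 0, 0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff


# Constructed VBScript fragment mimicking how the write-up says the payload was stored:
# Base64 in variable qyfjzHuPbtHJp, here split over two concatenated lines.
_B64 = base64.b64encode(build_fake_pe(1240945966)).decode()
SAMPLE_VBS = (
    'Dim qyfjzHuPbtHJp\r\n'
    'qyfjzHuPbtHJp = "' + _B64[:40] + '"\r\n'
    'qyfjzHuPbtHJp = qyfjzHuPbtHJp & "' + _B64[40:] + '"\r\n'
)


def extract_b64_variable(vbs_text, name):
    """Join every string literal assigned to, or appended (&) to, the named variable."""
    pattern = r'\b%s\s*=\s*(?:%s\s*&\s*)?"([A-Za-z0-9+/=]*)"' % (re.escape(name), re.escape(name))
    chunks = re.findall(pattern, vbs_text)
    if not chunks:
        raise ValueError("no Base64 literal assigned to %s" % name)
    return "".join(chunks)


def coff_timestamp(pe_bytes):
    """Return the COFF header TimeDateStamp as an aware UTC datetime."""
    if pe_bytes[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe_bytes, 0x3C)[0]
    if pe_bytes[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    # TimeDateStamp follows the 4-byte signature, Machine (2) and NumberOfSections (2)
    ts = struct.unpack_from("<I", pe_bytes, e_lfanew + 8)[0]
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def decode_and_stamp(vbs_text, name="qyfjzHuPbtHJp"):
    """Decode the embedded file and format its COFF timestamp as yyyy/mm/dd:HH:MM:SS."""
    pe = base64.b64decode(extract_b64_variable(vbs_text, name))
    return coff_timestamp(pe).strftime("%Y/%m/%d:%H:%M:%S")
```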

 

Quick thoughts on the virtual CTF

This was a lengthy CTF with a wealth of information spread across the Windows and Android domains. The use of actual malware in a forensics CTF image was also fairly refreshing and presented multiple learning opportunities for me, both during the challenge and while preparing the write-up.

It would have helped to look through the images and processed results beforehand, which could have saved some time in noticing the two Minecraft folders as well as the suspicious batch script file in a weirdly named folder. I also appreciated that the questions would be solvable with open source tools for those with limited resources or working on the solutions post-event, but the AXIOM trial key that was generously provided to participants made most of the questions a breeze.

Last but not least, my heartfelt thanks to the organizers at Magnet Forensics and the students from Champlain Digital Forensics Association for putting together this fun and interesting challenge. Now to play (mod) some Minecraft!
