NorthSec 2021 CTF: Port Skan

Hello there! This weekend I competed in the NorthSec CTF, it was awesome! I decided to write up the challenge “Port Skan” because it was in my wheelhouse, so to speak and I really liked it.

This challenge is an incident response challenge, involving investigating a security breach. Below is the challenge description:

You are given an ElasticSearch log archive, a docker file, and a questionaire. To score points you must complete the questions in the questionnaire using the log data. It mimics the steps of a real-life investigation, finding the source of the breach, and identifying potential data exfilitration, and persistence methods.

The way I did it probably not the most efficient, but I tried to follow a logically workflow.

We begin by setting up and starting the docker instance, they gave you the choice of greylog or kibana, I picked kibana. Once that was done we head on over to the dashboard and begin.

Questions:

All the answers had to submitted in a specific format as an md5 hash. For example:

• Flag format: <Name of the event>|<Year>
• The flag is computed like so: echo -n "NSEC|2021" | tr '[:upper:]' '[:lower:]' | md5sum

Flag 1:

The sysadmin discovers a suspicious new domain account, captainhook, which is also part of the Domain Admins group. When does this account was created and by who?

The flag format is:

<Account creation TIMESTAMP>|<ACCOUNT NAME who created the captainhook>

Since this event will take place on a Windows machine, we can use the following Windows event code:

Windows	4720 	A user account was created

In kibana this is done like so:

Here is is, we can see the user Administrator creates the account captainhook.

From the event we also get the timestamp, so we now have the info to answer the question and get the flag:

User: Administrator
Timestamp: Apr 27, 2021 @ 15:14:56.869

So the flag is: 2021-04-27 15:14:56.869|Administrator

We convert it to the flag format, and we are done:

echo -n "2021-04-27 15:14:56.869|Administrator" | tr '[:upper:]' '[:lower:]' | md5sum
85104309c7305de0675455a7af1d1358  -

Submit the flag:

askgod submit 85104309c7305de0675455a7af1d1358
Congratulations, you score your team 1 points!

Flag 2

What is the password of the captainhook account?

The flag format is <Password>

This method might be a bit hacky, you could also use event codes again here maybe? To find the password I looked for commands that are used to set a password:

net user <username> <password> /domain
Set-ADAccountPassword <username> -NewPassword $pwd –Reset

We do it like this:

We find

So the command was:

net  user captainhook 58yJCpmxipdVDSFDzCK5neFqu4i229u. /ADD /DOMAIN /Y

We also make note of the timestamp, and the actor that performed the action, to build a timeline later:

Timestamp: Apr 27, 2021 @ 15:14:56.833
User: PortSkan\Administrator

We can now build the flag. Format it, and submit it:

crazyeights@es-base:~$ echo -n "58yJCpmxipdVDSFDzCK5neFqu4i229u." | tr '[:upper:]' '[:lower:]' | md5sum
96a2cec744eba1847b43601bcec0742b  -

crazyeights@es-base:~$ askgod submit 96a2cec744eba1847b43601bcec0742b
Congratulations, you score your team 1 points!
crazyeights@es-base:~$

Flag 4 (Yes 4, not 3):

Question: The attacker might be using a Command-n-Control server on the Internet. Can you find it?

The flag format is <IP Address>|<Port>

The timeline makes more sense if we find flag 4, before flag 3.

I looked for connection events occurring before the password was reset. This filter is a bit hacky too, but the important thing here is we are looking for connection events before the password was reset.

A better way to do this would be to create a filter like event_action is NetworkConnection

I found this one from aws which was suspicious:

Again to build our timeline we record the user, hostname, and timestamp:

User: PortSkan\Administrator
Host: CentenialHawk.portskan.ctf
Timestamp: Apr 27, 2021 @ 15:08:59.717

Formatting it into the flag:

35.183.121.63|80

Get the hash:

crazyeights@es-base:~$ echo -n "35.183.121.63|80" | tr '[:upper:]' '[:lower:]' | md5sum
8f0911b91b0f75d27a33ae37de05460c  -

If I can recall correctly I think this part of the challenge was worth 1 point.

Flag 3 (Yes 3, not 4):

The previous actions were done remotely from another internal machine. Where does it come from?

The flag format is <Remote machine FQDN>|<Process ID which initiated the network connection>|<Full executable path>

It makes more sense if you do flag 4 before flag 3, because the attacker connects from the command and control, after they connect from the other internal machine.

We found flag 4, then we clicked to “View surronding documents” view to context of the event, the event immediately before, also “Network connection detected” is the event caused by the attacker connecting from another internal machine.

Below the blue-highlighted event is the one from flag 4:

I didn’t show this in the image below (oops) but the parent of the process from flag 3 is 3650, which corresponds to this event, which seems a bit suspicious itself:

Machine: ThomasSkerritt.portskan.ctf
Process ID: 3560
Full Executable: C:\Users\saltyseamare\AppData\Local\Temp\OutlookUpdate.exe
Timestamp:	Apr 27, 2021 @ 15:08:59.746

We now have all the info we need to create the flag:

ThomasSkerritt.portskan.ctf|3560|C:\Users\saltyseamare\AppData\Local\Temp\OutlookUpdate.exe

Compute and submit the flag for a cool 2 points:

crazyeights@es-base:~$ echo -n "ThomasSkerritt.portskan.ctf|3560|C:\Users\saltyseamare\AppData\Local\Temp\OutlookUpdate.exe" | tr '[:upper:]' '[:lower:]' | md5sum
ffb9fa4634c81840fa431cd39ad7056c

crazyeights@es-base:~$ askgod submit ffb9fa4634c81840fa431cd39ad7056c
Congratulations, you score your team 2 points!

Flag 5

Question: The sysadmin suspects a phishing. What is the malicious file downloaded and opened by an employee?

The flag format is <SHA256 of the malicious file>

For this challenge we are looking for file downloads. We can use the event_action file stream created to find downloaded files as shown below:

We find the file C:\Users\saltyseamare\Downloads\Invoice-2021-B48f00.zip. This event is shown below, including the hash needed to compute the flag:

Again, we record the timestamp, user, and hostname to build our timeline:

Timestamp: Apr 27 @ 14:25:21.195
User: saltyseamare
Hostname: ThomasSkerritt

If we search a bit more around this time, we find that when this zip is decompressed it contains a vbs script, which is likely used for lateral movement, and PE.

Timestamp: Apr 27, 2021 @ 14:25:21.206
Image: C:\Windows\Explorer.exe
TargetFilename: C:\Users\saltyseamare\AppData\Local\Temp\Temp1_Invoice-2021-B48f00.zip\Invoice-BoatShipment.docx.vbs

Convert to the SHA256 hash of the malicious file to the flag format using md5sum and submit:

crazyeights@es-base:~$ askgod submit ffb9fa4634c81840fa431cd39ad7056c
Congratulations, you score your team 2 points!

Alright here’s where my notes get a bit spotty.

Flag 6:

Question: From which URL was this file downloaded?

The flag format is <Download URL>

Alright, to solve this one I took the FileCreateStreamHash filter I created for flag 5, and filtered further to find only the events that contained the string “Invoice”. There were several of these, each had a Contents field as well, which included details about the source of the file stream. This allowed us to find the HostUrl, which is the URL that the file was downloaded from:

This URL is:

https://doc-0s-8s-docs.googleusercontent.com/docs/securesc/t4rf2bigebikqtvb4794fkjsac525ft5/t27j55f1ok23qmr1e6g2pp20tr8m2dk9/1619547825000/13441235904916671278/07709468273378046147Z/1yQpA2t2RbiLn5hjGafiPqazCoTYI1Vx2?e=download&nonce=n0umgqb4e7702&user=07709468273378046147Z&hash=58qjdmg1ejfuj967m5s2tncmamstmdod

Convert this to md5sum and submit:

crazyeights@es-base:~$ askgod submit b2824077805d37192625473c7f7241b1
Congratulations, you score your team 2 points!

Flag 7

Question: Based on the information gathered so far, provide information on the persistence mechanism used.

The flag format is <Name given to the persistence by the attacker>|<Executable name (not the full path) launched by the persistence>

I got this one last because I was confused by the wording of the question, and the submission format. I found this one guessing more than anything. When trying to find the next flag (Flag 8), by searching for the string ssh in the event logs I found this event:

We can see that its parent is mupdate.exe. Searching some more I found when the mupdate.exe was created, likely by an attacker.

We can see it uses WMI:

We know that using Windows Management Instrumentation Event Subscription, which is commonly used for peristence. It is used to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system.

We can see that of other suspicious-looking events involve the mupdate.exe binary.

The fact that mupdate.exe is used to communicate with the command and control server supports the idea that this exe was placed by an attacker.

We can conclude that it is the executable launched by the persistence. So we can say the flag is: WMI|mupdate.exe

I make note of the flag submission for this one either, I think it was worth 2 points.

Flag 8

Question: The attacker seems to have accessed a Linux server. Where does he found the password or SSH key to access the server?

The flag format is <Full path of the file where the password or SSH key was found>

The way I found this was so incredibly lazy, but it worked, so hey… I searched for events that contained the string “ssh”, and I found this:

By combining the partial path in the ssh command with the current directory we get:

C:\Users\pequod\.ssh/id_ed25519

To continue our timeline we also record the username, hostname, and timestamp.

User: NT AUTHORITY\SYSTEM
Host: ahabceely.portskan.ctf
Timestamp: Apr 27, 2021 @ 19:54:54.612 (ish, there were multiple connections made)

Submitting the flag gets us one whole point, whoop:

crazyeights@es-base:~$ askgod submit 2e64cf882e53ed71fbf7a6095b2ab63c
Congratulations, you score your team 1 points!

Flag 9

Question: We are afraid that data exfiltration might have occured on the Linux server. Can you where the data was exfiltrated?

The flag format is <IP Address>|<Port>

When searching for SSH connections we find this particular event. We can see that the command nc is included.

When we search for other events containing the string nc, we find many suggesting that this was the data exfilitration method used. This IP address found corresponds to that of the command and control server, so it makes sense that it would be the destination of the data. The port 443 as seen below was used for the exfiltration:

The flag is:

35.183.121.63|443

I didn’t make note of the flag submission for this one either, I think it was worth 2 points.

Flag 10

Question: We are afraid that data exfiltration might have occured on the Linux server. Can you find the strategic information for the organization that was exfiltrated?

The flag format is <Full path of the exfiltrated file>

Searching that auditd logs for any commands that the attacker may have executed we find this:

I used the following filter: audit_type: EXECVE, NOT audit_a0: is one of /usr/bin/containerd, runc

Looking back to the challenge description (the theme is boats, and shipping), this is most likely what they took.

Checking the surronding documents (events) we find the full path.

We now have the final flag.

/home/appuser/app/database/boat_shipments.db

crazyeights@es-base:~$ askgod submit 40f5ff196a77afaa82eda3e8c0642ca1
Congratulations, you score your team 2 points!

Now that we have all the information we can now build a timeline.

If you made it to the end of this post, congrats! If you are looking for more challenges like this one check out find-the-bad on github, they have challenges in the same format.

Later 👋