
[TryHackMe] Continuing Advent of Cyber 3 (2021): Day 8

Posted at 2021-12-10

Welcome to Advent of Cyber 2021

For the 25 days leading up to Christmas, you can get started with cyber security by learning fundamental knowledge and doing a new beginner-friendly security exercise every day.

Day 8

This day's challenge is about Windows.

Connect with RDP.

┌──(kali㉿kali)-[~]
└─$ xfreerdp /u:Administrator  /p:grinch123! /w:1366 /h:768 +fonts +clipboard /v:10.10.71.252


Check the OS name in SantasLaptopLogs.

C:\Users\Administrator\Desktop\SantasLaptopLogs

Next, open PowerShell_transcript.LAPTOP.k_dg27us.20211128153538 and look at the log: a user named s4nta has been added.

Next, open PowerShell_transcript.LAPTOP.Zw6PA+c4.20211128153734 and look at the log: UsrClass.dat is copied to the Desktop with the copy command.

From this log we can confirm that the file is being encoded.

Decode the part enclosed between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- as base64.
I use CyberChef for the decoding.
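As an added example (not part of the original write-up), here is a small Python helper for the decoding step above: it pulls the certutil-style BEGIN/END CERTIFICATE block out of a PowerShell transcript, strips certutil's 64-column line breaks, base64-decodes it and checks for the regf registry-hive signature, and it also lists the certutil -encode/-decode command lines a defender would want to alert on. The transcript text, the user path and the payload bytes are constructed for this example and are not taken from the challenge logs.

```python
import base64
import re
import textwrap

# Constructed sample payload standing in for the copied UsrClass.dat; it is
# not real registry-hive content, only the "regf" signature is realistic.
PAYLOAD = b"regf placeholder bytes for the copied UsrClass.dat hive"

# Constructed PowerShell transcript fragment: certutil encodes the file, then
# the output file is viewed with "type" (certutil wraps base64 at 64 columns).
SAMPLE_TRANSCRIPT = (
    "PS C:\\Users\\s4nta\\Desktop> certutil -encode UsrClass.dat download.dat\n"
    "CertUtil: -encode command completed successfully.\n"
    "PS C:\\Users\\s4nta\\Desktop> type download.dat\n"
    "-----BEGIN CERTIFICATE-----\n"
    + "\n".join(textwrap.wrap(base64.b64encode(PAYLOAD).decode(), 64))
    + "\n-----END CERTIFICATE-----\n"
)

CERTUTIL_CMD = re.compile(r"certutil(\.exe)?\s+-(encode|decode)\b", re.IGNORECASE)
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.DOTALL
)


def find_certutil_commands(transcript: str) -> list[str]:
    """Return transcript lines where certutil is used to encode or decode a file."""
    return [ln.strip() for ln in transcript.splitlines() if CERTUTIL_CMD.search(ln)]


def recover_encoded_files(transcript: str) -> list[bytes]:
    """Decode every certutil-style base64 block found in the transcript text."""
    recovered = []
    for match in PEM_BLOCK.finditer(transcript):
        body = "".join(match.group(1).split())  # drop the 64-column line breaks
        recovered.append(base64.b64decode(body, validate=True))
    return recovered


def is_registry_hive(data: bytes) -> bool:
    """Windows registry hives such as UsrClass.dat start with the 'regf' signature."""
    return data[:4] == b"regf"


if __name__ == "__main__":
    for cmd in find_certutil_commands(SAMPLE_TRANSCRIPT):
        print("LOLbin usage:", cmd)
    for blob in recover_encoded_files(SAMPLE_TRANSCRIPT):
        print(len(blob), "bytes recovered, registry hive:", is_registry_hive(blob))
```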

Starting from this download.dat, explore the Shellbags.

I found a suspicious folder called SantaRat. I cannot check the details of this dat file, but since .github is listed, it may be published externally.

In addition, there is a unique folder named "BagofToys" on the Desktop.

Go to GitHub and search for "SantaRat".
https://github.com/Grinchiest/SantaRat
There were several other repositories as well.

Open PowerShell_transcript.LAPTOP.b+XfnW7t.20211128154858 and look at the log: an executable is being installed.

According to PowerShell_transcript.LAPTOP.myCoN9lB.20211128155453, each of the files contains GRINCHMAS.

From the commits, guess the password of the original bag_of_toys.uha archive.

Try entering the password that was shown on GitHub.

There were 228 files in total.

Answer

What operating system is Santa's laptop running ("OS Name")?
Microsoft Windows 11 Pro
What was the password set for the new "backdoor" account?
grinchstolechristmas
In one of the transcription logs, the bad actor interacts with the target under the new backdoor user account, and copies a unique file to the Desktop. Before it is copied to the Desktop, what is the full path of the original file?
C:\Users\santa\AppData\Local\Microsoft\Windows\UsrClass.dat
The actor uses a Living Off The Land binary (LOLbin) to encode this file, and then verifies it succeeded by viewing the output file. What is the name of this LOLbin?
certutil.exe
Drill down into the folders and see if you can find anything that might indicate how we could better track down what this SantaRat really is. What specific folder name clues us in that this might be publicly accessible software hosted on a code-sharing platform?
.github
Additionally, there is a unique folder named "Bag of Toys" on the Desktop! This must be where Santa prepares his collection of toys, and this is certainly sensitive data that the actor could have compromised. What is the name of the file found in this folder?
bag_of_toys.zip
What is the name of the user that owns the SantaRat repository?
Grinchiest
Explore the other repositories that this user owns. What is the name of the repository that seems especially pertinent to our investigation?
operation-bag-of-toys
Read the information presented in this repository. It seems as if the actor has, in fact, compromised and tampered with Santa's bag of toys! You can review the activity in the transcription logs. It looks as if the actor installed a special utility to collect and eventually exfiltrate the bag of toys. What is the name of the executable that installed a unique utility the actor used to collect the bag of toys?
uharc-cmd-install.exe
Following this, the actor looks to have removed everything from the bag of toys, and added in new things like coal, mold, worms, and more! What are the contents of these "malicious" files (coal, mold, and all the others)?
GRINCHMAS
What is the password to the original bag_of_toys.uha archive? (You do not need to perform any password-cracking or bruteforce attempts)
TheGrinchiestGrinchmasOfAll
How many original files were present in Santa's Bag of Toys?
228
