The fifth week of RITSEC’s Spring 2019 CTF has concluded. Although the official challenge write-ups for the semester CTF will be posted on RITSEC’s GitHub for those interested, I post more detailed write-ups here each week for the challenges I am able to solve. I do this because as a freshman, when I read challenge write-ups they often went step-by-step but never elaborated on why a certain command was run or the strategy the author followed when solving the challenge. This is my effort to elaborate on the reasoning behind the process.
Topic — Advanced Windows
This week, participants were given a Windows Server 2008 R2 virtual machine with flags hidden in files and services. Points were earned this week by understanding Windows security and user verification processes, showing proficiency with the Sysinternals suite, and knowing various exploits for common processes such as logging in and Kerberos ticketing.
Easy 1: Help! I can’t login and I am locked out :( Can you help me?
Something sticky is going on here…
A common method to bypass the Windows logon screen in older versions (such as the demo box) is to replace one of the accessibility tool binaries, which can be launched without logging in to the operating system, with a command prompt. This can be done by booting into an alternative operating system such as Kali Linux and using it to rename or move files on the main PC’s storage device, provided the device is not using full disk encryption. A full walkthrough of this technique is found here.
From the hint, the On-Screen Keyboard has been replaced with the command prompt. First, click the Ease of Access button in the bottom left corner. A menu with the many accessibility options that a disabled user may need to access the computer, such as a screen reader or a narrator, will appear.
Check the box for On-Screen Keyboard and click OK. A command prompt will appear, because the osk.exe binary has been renamed and replaced with a copy of the command prompt (cmd.exe) under the name osk.exe. Running the whoami command shows that the command prompt is open as the system user.
The net user command can be used to reset the Administrator password with the command
net user Administrator Rits3c!
where Rits3c! is the new password for the account. Log in with the new password. However, it looks like someone removed the Desktop…
The registry key that controls the shell to launch upon login is at the following location in the registry:
Open regedit.msc from the command prompt that is available and check the value of the key.
Change the value of the key from
cmd.exe /c "echo I forgot to give you a desktop. Sorry :<" & pause to
logoff and log back in using the password set earlier.
Much better. The flag is on the desktop.
The flag is
Side note: the IPv4 configuration has been modified; set it back to DHCP if internet access is desired.
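The two tamperings in this challenge (an accessibility binary swapped for cmd.exe and a hijacked Winlogon Shell value) are easy to audit for; the script below is an added example written for this write-up, not part of the original post. It assumes PowerShell 4 or later, the standard System32 accessibility binary names, and the standard default shell value of explorer.exe.

```powershell
# Added example: audit the logon-screen accessibility binaries and the
# Winlogon Shell value for the tampering described in Easy 1.
$system32 = Join-Path $env:SystemRoot 'System32'
$cmdHash  = (Get-FileHash (Join-Path $system32 'cmd.exe') -Algorithm SHA256).Hash
$findings = @()

foreach ($name in 'sethc.exe', 'osk.exe', 'utilman.exe', 'narrator.exe', 'magnify.exe') {
    $path = Join-Path $system32 $name
    if (-not (Test-Path $path)) { continue }
    $hash = (Get-FileHash $path -Algorithm SHA256).Hash
    $orig = (Get-Item $path).VersionInfo.OriginalFilename
    # A copied cmd.exe keeps cmd.exe's content hash and its embedded
    # OriginalFilename ("Cmd.Exe") even after it is renamed to osk.exe.
    if ($hash -eq $cmdHash) {
        $findings += "$name is a byte-for-byte copy of cmd.exe"
    } elseif ($orig -and $orig -ne $name) {
        # PowerShell string comparison is case-insensitive, so only a real
        # mismatch (e.g. Cmd.Exe vs osk.exe) is reported.
        $findings += "$name reports OriginalFilename '$orig'"
    }
}

# The shell launched at logon: anything other than explorer.exe (such as the
# cmd.exe /c "echo ..." & pause value in the challenge) replaces the desktop.
# The per-user HKCU value can override the machine-wide one, so check both.
foreach ($hive in 'HKLM:', 'HKCU:') {
    $key   = "$hive\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    $shell = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($shell -and $shell -ne 'explorer.exe') {
        $findings += "$hive Winlogon Shell is '$shell'"
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'No accessibility-binary or Winlogon Shell tampering found.' }
```

Both checks read files and registry values that a standard user can access, so the script does not need an elevated session.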
Easy 2 — Who is the most trusted SID of them all?
Remember, there is an account that also holds system privileges.
The key word for this challenge is trusted. Windows contains a number of system accounts, and while system might be the most obvious, the hint is clearly pointing to TrustedInstaller, the service that manages many important tasks in Windows.
The demo machine actually isn’t necessary for this challenge, as the SID is based on the hash of the account name and would be the same across all systems. The Microsoft docs state that the TrustedInstaller SID is
so the flag must be
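Why the SID is the same on every machine can be shown by deriving it: a service SID is S-1-5-80 followed by the SHA-1 of the upper-cased service name encoded as UTF-16LE, read as five little-endian 32-bit sub-authorities. The function below is an added example for this write-up, not code from the original post, and the service name is its only input.

```powershell
# Added example: derive a Windows service SID (NT SERVICE\<name>) from the
# service name alone, the same way the OS computes it.
function Get-ServiceSid {
    param([Parameter(Mandatory)][string]$ServiceName)
    $sha1 = [System.Security.Cryptography.SHA1]::Create()
    try {
        # Upper-cased name in UTF-16LE ("Unicode" in .NET) is what gets hashed.
        $bytes = [System.Text.Encoding]::Unicode.GetBytes($ServiceName.ToUpperInvariant())
        $hash  = $sha1.ComputeHash($bytes)
    } finally { $sha1.Dispose() }
    # The 20-byte digest becomes five little-endian DWORD sub-authorities.
    $subAuthorities = 0..4 | ForEach-Object { [BitConverter]::ToUInt32($hash, $_ * 4) }
    return 'S-1-5-80-' + ($subAuthorities -join '-')
}

$sid = Get-ServiceSid -ServiceName 'TrustedInstaller'
$sid
# Cross-check against the operating system's own answer (sc.exe, not the
# PowerShell alias sc) and against Microsoft's well-known SIDs documentation.
sc.exe showsid TrustedInstaller
```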
Medium 1 — I think there is some malware running in the background, do you think you could find it?
Scheduled tasks is not the only “cron like” service on Windows.
cron is Linux’s task scheduler. While the common Windows alternative, Scheduled Tasks, and the startup list in System Configuration could be checked, the service name is unknown, and if it really is “malware” it is unlikely to be visible to a normal user in those views anyway, so these utilities won’t be of much use.
Windows Sysinternals includes the Autoruns utility that is excellent at identifying background processes, as well as processes that load on startup, and would be much better to use in this situation. Filtering by any entries that are unsigned (highlighted in red) is a good place to start. An interesting result will appear:
This file is also flagged by 8 antivirus engines on VirusTotal, as the number in the far-right column shows. It is worth a closer look. Double click on the file to open its location, and click on the VirusTotal rating to view the scan results. The path is
This binary is Meterpreter, a Metasploit payload for Windows used as a reverse shell. As this is a medium challenge and not a hard challenge, try running strings on the binary. strings is provided with Sysinternals.
The command to run is
C:\Users\Administrator\Desktop\SysinternalsSuite>strings C:\Users\Administrator\AppData\Roaming\Microsoft\Things\backdoor.exe > C:\Users\Administrator\Desktop\report.txt
where the first part invokes the strings command, the second is the file to run strings on, and the third part, the > redirection, sends the output to a file on the desktop called report.txt for easy reading and searching.
Open the file on the desktop and search for a flag, keeping in mind that the data could be encoded or encrypted. Anything that is five characters or less is unlikely to be the flag. Scroll through the sections of the file until near the bottom, where a socket and connection would be created.
Q1R7aDMxMTAtZnIwbS10aDMtMHRoM3Itc2lkZX0= is base64-encoded. Convert it to text.
The flag is
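The manual step above (scrolling a strings report for something that looks like base64 and decoding it) can be automated; the function below is an added example for this write-up, not part of the original post. The sample lines are constructed here to resemble the bottom of a strings dump and include the write-up’s own base64 string; the minimum-length filter extends the “five characters or less” rule to the encoded form.

```powershell
# Added example: sift strings.exe output for base64 tokens that decode to
# readable text, discarding binary noise that merely looks like base64.
function Find-Base64Strings {
    param([string[]]$Lines, [int]$MinDecodedLength = 6)
    # Whole tokens only: runs of 4-char groups with optional = / == padding,
    # not preceded or followed by another base64 character.
    $pattern = '(?<![A-Za-z0-9+/=])(?:[A-Za-z0-9+/]{4})+(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?(?![A-Za-z0-9+/=])'
    foreach ($line in $Lines) {
        foreach ($m in [regex]::Matches($line, $pattern)) {
            $token = $m.Value
            # base64 expands 3 bytes to 4 chars, so scale the minimum length up.
            if ($token.Length -lt [math]::Ceiling($MinDecodedLength * 4 / 3)) { continue }
            try { $bytes = [Convert]::FromBase64String($token) } catch { continue }
            $text = [System.Text.Encoding]::ASCII.GetString($bytes)
            # Keep only decodes that are entirely printable ASCII; PE sections
            # are full of 8-char runs like KERNEL32 that decode to garbage.
            if ($text -match '^[\x20-\x7E]+$') {
                [pscustomobject]@{ Line = $line; Token = $token; Decoded = $text }
            }
        }
    }
}

# Constructed sample (not the real report.txt) imitating the import table and
# socket setup near the bottom of a strings dump.
$sample = @(
    'ws2_32.dll', 'WSAStartup', 'socket', 'connect',
    'MSVCRT.dll', 'AAAAAAAA',
    'Q1R7aDMxMTAtZnIwbS10aDMtMHRoM3Itc2lkZX0=',
    'KERNEL32.dll'
)
Find-Base64Strings -Lines $sample | Format-Table -AutoSize
```

To run it on the real output, replace $sample with Get-Content of report.txt; only the write-up’s base64 string survives the filters in the sample, since AAAAAAAA decodes to null bytes and KERNEL32 decodes to non-printable bytes.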
Medium 2 — Can you find the hidden service?
Remember, services have permissions too!
Going back to Autoruns, there’s a second interesting result that was passed over earlier, this time in the registry and called
Double click on the result to open the registry location.
The flag is clearly visible in the registry key,
Windows is a very old operating system with many hidden tools, features, and workarounds that are often invisible to the end user. If you struggled with the challenges this week, here are some resources to help get you started with some of Windows’ system administration tools. All of these topics will also be addressed in later courses at RIT.
- 20 Top Windows SysAdmin Tools You Should Know
- A Beginner’s Introduction to Windows PowerShell
- What Are the SysInternals Tools and How Do You Use Them?
There will be 10 more weeks of challenges coming from RITSEC this semester! If you want to know more about RITSEC check out their website or attend a meeting if you’re on RIT’s campus — 12–4 PM in GOL-1400 for the CTF and presentations. Until next week!