The RIT Security Club

RITSEC Spring 2019 CTF — Week 5

The fifth week of RITSEC’s Spring 2019 CTF has concluded. Although the official challenge write-ups for the semester CTF will be posted on RITSEC’s GitHub for those interested, I have more detailed write-ups here each week for the challenges I am able to solve. I do this because, as a freshman, when I read challenge write-ups they often went step by step but never elaborated on why a certain command was run or the strategy the solver followed. This is my effort to elaborate on the reasoning behind the process.

Topic — Advanced Windows

This week, participants were given a Windows Server 2008 R2 virtual machine with flags hidden in files and services. Points were earned this week by understanding Windows security and user verification processes, showing proficiency with the Sysinternals suite, and knowing various exploits for common processes such as logging in and Kerberos ticketing.

Easy 1: Help! I can’t login and I am locked out :( Can you help me?
Something sticky is going on here…

A common way to bypass the Windows logon screen on older versions (such as the demo box) is to replace one of the accessibility tool binaries that winlogon can launch from the logon screen, before anyone has authenticated, with a copy of the command prompt. Because winlogon starts those tools in the SYSTEM context, the swapped-in cmd.exe runs as SYSTEM too. The swap is done offline: boot the machine from another operating system such as a Kali Linux live image, mount the Windows volume, and rename or copy files on it. This works as long as the disk is not protected by full disk encryption. The hint alludes to Sticky Keys (sethc.exe), the best-known target of this trick, but any of the Ease of Access binaries in System32 (sethc.exe, utilman.exe, osk.exe, narrator.exe, magnify.exe, displayswitch.exe) can be swapped the same way. A full walkthrough of this technique is found here.

From the hint, the On-Screen Keyboard has been replaced with the command prompt. On the logon screen, click the Ease of Access button in the bottom-left corner. A menu appears listing the accessibility options a user might need in order to operate the computer, such as the Narrator screen reader or the Magnifier.

The Ease of Access menu with OSK checked

Check the box for On-Screen Keyboard and click OK. Instead of the keyboard, a command prompt appears, because osk.exe was renamed and a copy of cmd.exe was dropped in its place under the name osk.exe. Running whoami shows that this prompt is running as NT AUTHORITY\SYSTEM, since winlogon launches the accessibility tools with SYSTEM privileges before any user has logged in.

Results of the `whoami` command

With a SYSTEM shell, the net user command can reset the Administrator password:

net user Administrator Rits3c!

where Rits3c! is the new password for the account. Note that an administrative reset of a local account’s password (as opposed to the user changing it themselves) makes that account’s EFS-encrypted files and DPAPI-protected secrets unrecoverable, which is why Windows warns about irreversible loss of information when you do this through the GUI; on a CTF box that does not matter, on a real one it does. Log in with the new password. It looks like someone removed the Desktop, though…

Results of logging in to the system

The program that winlogon starts as the shell for an interactive user is set by the Shell value under the Winlogon key, which the Registry Editor displays as

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

(the Computer\ prefix is just regedit’s root node; HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon is the key and Shell is the value). Its default is explorer.exe. Open the Registry Editor (regedit.exe) from the command prompt that is still available and check the value. A per-user override at the same path under HKEY_CURRENT_USER is also honored, so when hunting for this kind of tampering check both hives.

The registry editor open to view the location of the Shell key

Change the Shell value from `cmd.exe /c "echo I forgot to give you a desktop. Sorry :<" & pause` back to `explorer.exe`. Then log off and log back in using the password set earlier.

The desktop

Much better. The flag is on the desktop.

Contents of flag.txt

The flag is CT{1-c@nt-th1nk-0f-@-good-flaggg-name}.

Side note: the box’s IPv4 configuration has been modified; set it back to DHCP if internet access is desired.
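The three things tampered with in this challenge (an accessibility binary swapped for cmd.exe, the Winlogon Shell value, and, in the same family, an Image File Execution Options debugger) are all cheap to audit on a live box. The script below is an added example, not code from the original write-up; it hashes the Ease of Access binaries against cmd.exe and powershell.exe, compares each file’s embedded OriginalFilename with its name on disk, and reports non-default Shell and Userinit values. It assumes Windows 7 / Server 2008 R2 or later with PowerShell 2.0 or newer (so no Get-FileHash) and must be run elevated.

```powershell
# Added example, not part of the original write-up: audit the logon-time persistence points
# abused in this challenge. Run in an elevated PowerShell prompt on the box being checked.
# Assumes Windows 7 / Server 2008 R2 or later with PowerShell 2.0+ (no Get-FileHash needed).

$System32 = Join-Path $env:SystemRoot 'System32'

# Ease of Access tools that winlogon will start from the logon screen as SYSTEM.
$AccessibilityTools = @('sethc.exe', 'utilman.exe', 'osk.exe', 'narrator.exe', 'magnify.exe', 'displayswitch.exe')

# Shells an attacker typically drops in place of those tools.
$ShellBinaries = @('cmd.exe', 'powershell.exe')

function Get-Sha256Hex {
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { ([BitConverter]::ToString($sha.ComputeHash($stream))) -replace '-', '' }
    finally { $stream.Close() }
}

function Test-AccessibilityBinaries {
    $findings = @()
    # Hashes of the real shells, so a byte-for-byte copy renamed to osk.exe is caught directly.
    $shellHashes = @{}
    foreach ($s in $ShellBinaries) {
        $p = Join-Path $System32 $s
        if (Test-Path $p) { $shellHashes[(Get-Sha256Hex $p)] = $s }
    }
    foreach ($name in $AccessibilityTools) {
        $path = Join-Path $System32 $name
        if (-not (Test-Path $path)) { $findings += "$name is missing from System32"; continue }
        $hash = Get-Sha256Hex $path
        if ($shellHashes.ContainsKey($hash)) {
            $findings += "$name is a copy of $($shellHashes[$hash])"
        }
        # A renamed binary keeps its own version resource: cmd.exe reports OriginalFilename 'Cmd.Exe'.
        $orig = (Get-Item $path).VersionInfo.OriginalFilename
        if ($orig -and ($orig.ToLower() -ne $name.ToLower())) {
            $findings += "$name has OriginalFilename '$orig' (expected $name)"
        }
        # Image File Execution Options: a Debugger value makes Windows run that program instead.
        $ifeo = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$name"
        if (Test-Path $ifeo) {
            $dbg = (Get-ItemProperty -Path $ifeo).Debugger
            if ($dbg) { $findings += "$name has an IFEO Debugger of '$dbg'" }
        }
    }
    return $findings
}

function Test-WinlogonShell {
    $findings = @()
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
        'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'   # per-user override (of the account running this)
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        if ($props.Shell -and ($props.Shell -ne 'explorer.exe')) {
            $findings += "$key Shell is '$($props.Shell)' (expected explorer.exe)"
        }
        # Default is '<SystemRoot>\system32\userinit.exe,' (trailing comma); anything appended runs at logon.
        if ($props.Userinit -and ($props.Userinit -notmatch '^[A-Za-z]:\\Windows\\system32\\userinit\.exe,?$')) {
            $findings += "$key Userinit is '$($props.Userinit)'"
        }
    }
    return $findings
}

$results = @(Test-AccessibilityBinaries) + @(Test-WinlogonShell)
if ($results.Count -eq 0) { 'No logon-screen persistence found.' } else { $results }
```

On the challenge box this reports osk.exe as a copy of cmd.exe (and its OriginalFilename as Cmd.Exe) together with the non-default Shell value; on a clean machine it prints the no-findings line. Signature checks were left out deliberately: on Windows 7-era systems most System32 binaries are catalog-signed rather than embedded-signed, so Get-AuthenticodeSignature reports NotSigned for legitimate files and would only add noise.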

Easy 2 — Who is the most trusted SID of them all?
Remember, there is an account that also holds system privileges.

The key word for this challenge is trusted. Windows has a number of built-in security principals, and while SYSTEM is the most obvious, the hint is clearly pointing at TrustedInstaller, the identity of the Windows Modules Installer service. TrustedInstaller owns most of the operating system’s files and registry keys; even Administrators cannot modify them without first taking ownership, which is what makes it a “system privilege” account in the sense of the hint.

The demo machine isn’t actually necessary for this challenge. TrustedInstaller is a service SID (the S-1-5-80 family), and service SIDs are not generated per machine: the five sub-authorities are derived from a SHA-1 hash of the upper-cased service name, so the value is identical on every Windows installation. The Microsoft docs state that the TrustedInstaller SID is

S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464

so the flag must be RS{S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464}.
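To see why the SID is the same everywhere, here is the derivation itself. This is an added example, not part of the original write-up: the service name is upper-cased, encoded as UTF-16LE, hashed with SHA-1, and the 20-byte digest is read as five little-endian 32-bit sub-authorities appended to S-1-5-80. It assumes PowerShell 2.0 or newer and, for the cross-check, that sc.exe is available (Windows 7 / Server 2008 R2 and later).

```powershell
# Added example, not part of the original write-up: derive a service SID from the
# service name the same way the service control manager does, then check it
# against what the OS reports. Assumes PowerShell 2.0+ and sc.exe on the path.

function Get-ServiceSid {
    param([Parameter(Mandatory = $true)][string]$ServiceName)
    # Service SIDs are S-1-5-80-<five 32-bit sub-authorities>. The sub-authorities are the
    # SHA-1 digest of the service name, upper-cased and encoded as UTF-16LE, read as
    # five little-endian DWORDs.
    $bytes  = [System.Text.Encoding]::Unicode.GetBytes($ServiceName.ToUpperInvariant())
    $sha1   = [System.Security.Cryptography.SHA1]::Create()
    $digest = $sha1.ComputeHash($bytes)
    $subAuthorities = @()
    for ($i = 0; $i -lt $digest.Length; $i += 4) {
        # BitConverter is little-endian on x86/x64, which is what the SID format expects here.
        $subAuthorities += [BitConverter]::ToUInt32($digest, $i)
    }
    return 'S-1-5-80-' + ($subAuthorities -join '-')
}

# Expected: S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464
Get-ServiceSid 'TrustedInstaller'

# Cross-check against the service control manager on the live box.
sc.exe showsid TrustedInstaller
```

Because the hash covers only the name, any service called TrustedInstaller on any machine gets this SID, and the same is true of every other service: Get-ServiceSid 'MSSQLSERVER' gives the SID you will find granted on SQL Server’s data directories. The principal shows up in ACLs as NT SERVICE\TrustedInstaller.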

Medium 1 — I think there is some malware running in the background, do you think you could find it?
Scheduled tasks is not the only “cron like” service on Windows.

cron is the Unix task scheduler. Its usual Windows counterparts are Scheduled Tasks (Task Scheduler, or schtasks from the command line) and the startup lists shown by System Configuration (msconfig), but neither covers everything that can start automatically. The service name is unknown, and if this is “malware”, it is unlikely to sit in the one list a normal user would think to check, so those utilities alone won’t get far.

The Windows Sysinternals Autoruns utility enumerates every auto-start location it knows about (Run keys, services, drivers, scheduled tasks, Winlogon entries, and so on), so it is a much better fit here. Enable Options > Scan Options > Verify code signatures and Check VirusTotal.com, and turn on Options > Hide Microsoft Entries to shrink the list. Entries that fail signature verification are highlighted (pink/red), and filtering on those is a good place to start. An interesting result appears:

Autoruns scan results

This file is also flagged by 8 antivirus engines on VirusTotal, as the number in the far-right column shows. It is worth a closer look. Double-click the entry to open its location, and click on the VirusTotal rating to view the scan results. The path is

C:\Users\Administrator\AppData\Roaming\Microsoft\Things\backdoor

VirusTotal scan results

This binary is Meterpreter, a Metasploit payload for Windows used as a reverse shell. As this is a medium challenge and not a hard challenge, try running strings on the binary. strings is provided with Sysinternals.

The command to run is

C:\Users\Administrator\Desktop\SysinternalsSuite>strings C:\Users\Administrator\AppData\Roaming\Microsoft\Things\backdoor.exe > C:\Users\Administrator\Desktop\report.txt

where strings is the command, the next argument is the file to extract strings from, and the redirection sends the output to a file on the desktop called report.txt for easy reading and searching. By default Sysinternals strings reports both ASCII and UTF-16 strings of three characters or more; -n 8 raises the minimum length and cuts most of the noise, and -o prefixes each string with its file offset, which is useful when you want to go back to the same spot in a hex editor.

Result of strings command

Open the file on the desktop and search for a flag, keeping in mind that it may be encoded rather than stored in the clear. Very short strings are mostly instruction bytes that happen to be printable, so anything of five characters or fewer can be skipped. Scroll through the sections of the file until near the bottom, around the point where the code creates its socket and connection, where a long string stands out from the import names and error messages:

The string Q1R7aDMxMTAtZnIwbS10aDMtMHRoM3Itc2lkZX0= is base64-encoded (the restricted alphabet and the trailing = padding give it away). Decode it to text.

The flag is CT{h3110-fr0m-th3-0th3r-side}.
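Scrolling through a report.txt by eye does not scale past one binary. The script below is an added example, not part of the original write-up: it extracts printable ASCII runs from a byte array (the same thing strings -a does), keeps the ones that look like base64, decodes them, and discards decodes that are not themselves printable, so an encoded flag surfaces on its own. It assumes PowerShell 2.0 or newer and runs on a constructed byte array; swap in [System.IO.File]::ReadAllBytes with the path of a real file to use it on a binary.

```powershell
# Added example, not part of the original write-up: a small strings-and-decode pass over a binary.
# Pulls printable ASCII runs out of a byte array, picks out the ones that look like base64,
# and decodes them. Assumes PowerShell 2.0+. The sample input below is constructed for the
# demo; use [System.IO.File]::ReadAllBytes('C:\path\to\file.exe') for a real binary.

function Get-PrintableStrings {
    param([byte[]]$Bytes, [int]$MinLength = 6)
    $results = @()
    $current = New-Object System.Text.StringBuilder
    foreach ($b in $Bytes) {
        if ($b -ge 0x20 -and $b -le 0x7e) {          # printable ASCII, like strings -a
            [void]$current.Append([char]$b)
        } else {
            if ($current.Length -ge $MinLength) { $results += $current.ToString() }
            $current.Length = 0
        }
    }
    if ($current.Length -ge $MinLength) { $results += $current.ToString() }
    return $results
}

function Find-Base64Candidates {
    param([string[]]$Strings)
    $hits = @()
    foreach ($s in $Strings) {
        # Base64 alphabet, length a multiple of 4, optional padding; short tokens are mostly noise.
        if ($s -notmatch '^[A-Za-z0-9+/]{16,}={0,2}$' -or ($s.Length % 4) -ne 0) { continue }
        try { $decoded = [System.Text.Encoding]::ASCII.GetString([Convert]::FromBase64String($s)) }
        catch { continue }
        # Keep only decodes that are printable; random bytes that happen to be valid base64 are dropped.
        if ($decoded -match '^[\x20-\x7e]+$') {
            $hits += New-Object PSObject -Property @{ Encoded = $s; Decoded = $decoded }
        }
    }
    return $hits
}

# Constructed sample: a PE-style header fragment, the DOS stub text found in every PE,
# the encoded flag from the write-up, and a run of 'A's that is valid base64 but decodes to nulls.
$ascii  = [System.Text.Encoding]::ASCII
$sample = [byte[]](0x4d, 0x5a, 0x90, 0x00) +
          $ascii.GetBytes('This program cannot be run in DOS mode.') + [byte[]](0x0d, 0x0a, 0x24, 0x00) +
          $ascii.GetBytes('Q1R7aDMxMTAtZnIwbS10aDMtMHRoM3Itc2lkZX0=') + [byte[]](0x00, 0xcc) +
          $ascii.GetBytes('AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA') + [byte[]](0x00)

Find-Base64Candidates (Get-PrintableStrings $sample) | Format-Table Encoded, Decoded -AutoSize
# Only the flag string survives: the DOS stub text is not base64 and the run of 'A's decodes to null bytes.
```

Two caveats when pointing this at real samples. Sysinternals strings also reports UTF-16 strings, which this pass does not; extend it (or run strings -u separately) if the binary is .NET or otherwise wide-string heavy. And base64 is only the easiest encoding: a payload that XORs or RC4s its strings will show nothing here, which is exactly the difference between this medium challenge and a hard one.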

Medium 2 — Can you find the hidden service?
Remember, services have permissions too!

Going back to Autoruns, there’s a second interesting result that was passed over earlier, this time in the registry and called FlagService.

Autoruns scan results

Double-click the result to open its registry location, Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FlagService. (ControlSet001 is the control set this box booted with; CurrentControlSet is a symbolic link to whichever control set is active, so the same key is normally reachable as HKLM\SYSTEM\CurrentControlSet\Services\FlagService.)

The FlagService registry key

The flag is clearly visible in the registry key, CT{LTDnuNtzkYvwILv1pzom}.
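The hint about permissions is the useful lesson here: a service key with a restrictive ACL, or a service object whose security descriptor denies enumeration, stays out of services.msc and sc query while its registry key is still there for anyone who can read HKLM\SYSTEM. The script below is an added example, not part of the original write-up; it compares the Services hive against what the service control manager reports through Get-Service and lists keys that are present but unreported, or whose values cannot be read at all. It assumes PowerShell 2.0 or newer and an elevated prompt, and reads CurrentControlSet rather than ControlSet001.

```powershell
# Added example, not part of the original write-up: compare the Services registry hive with what
# the service control manager reports, and flag keys that exist on disk but are not returned by
# Get-Service, plus keys whose values this account cannot read. Run elevated; PowerShell 2.0+.

$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Find-HiddenServices {
    $visible = @{}
    foreach ($svc in Get-Service) { $visible[$svc.Name.ToLower()] = $true }
    $findings = @()
    foreach ($key in Get-ChildItem -Path $ServicesKey -ErrorAction SilentlyContinue) {
        $name  = $key.PSChildName
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if ($props -eq $null) {
            # The key name is visible but its values are not: the key ACL is worth a look.
            $findings += New-Object PSObject -Property @{
                Service = $name; Reason = 'values not readable (check key ACL)'; ImagePath = '' }
            continue
        }
        # Type 0x10/0x20 are Win32 services (own/shared process); drivers (0x1, 0x2) never appear in Get-Service.
        if (-not $props.Type -or (($props.Type -band 0x30) -eq 0)) { continue }
        if (-not $visible.ContainsKey($name.ToLower())) {
            $findings += New-Object PSObject -Property @{
                Service = $name; Reason = 'in registry but not reported by SCM'; ImagePath = [string]$props.ImagePath }
        }
    }
    return $findings
}

function Get-ServiceKeyDenyAces {
    param([string]$Name)
    # Deny ACEs on a service key are unusual and are one way to make a service "disappear" from
    # tools run as a lower-privileged user. This reads the key's DACL, not the SCM object's.
    $acl = Get-Acl -Path (Join-Path $ServicesKey $Name)
    $acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' } |
        Select-Object IdentityReference, RegistryRights, AccessControlType
}

Find-HiddenServices | Format-Table Service, Reason, ImagePath -AutoSize
# For anything that shows up, inspect the key's permissions, e.g.:
# Get-ServiceKeyDenyAces 'FlagService'
```

The registry DACL is only one of the two permission sets involved. The SCM keeps its own security descriptor per service, which controls who can query, start, stop or even see it; sc.exe sdshow <name> prints it in SDDL, and a descriptor with no read-control or query rights for Everyone is the other common way to hide a service. Autoruns reads the registry directly, which is why it showed FlagService when the usual service lists might not.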

Conclusion

Windows is a mature operating system with many tools, features, and workarounds that stay invisible to the end user. If you struggled with the challenges this week, here are some resources to help get you started with Windows’ system administration tools. All of these topics will also be addressed in later courses at RIT.

There will be 10 more weeks of challenges coming from RITSEC this semester! If you want to know more about RITSEC check out their website or attend a meeting if you’re on RIT’s campus — 12–4 PM in GOL-1400 for the CTF and presentations. Until next week!

Written by

DFIR, CTFs, disinformation, STEM education, and pretty much anything else that comes to mind. RIT Computing Security ’22. wyatttauber.com
