The RIT Security Club

RITSEC Spring 2019 CTF — Week 9

The ninth week of RITSEC’s Spring 2019 CTF has concluded. Although the official challenge write-ups for the semester CTF will be posted on RITSEC’s GitHub for those interested, I have more detailed write-ups here each week for the challenges I am able to solve. I do this because as a freshman, when I read the challenge write-ups they often went step-by-step but never elaborated on why a certain command was run or the strategy the user followed when solving the challenges. This is my effort to elaborate on the reasoning behind the process.

Topic: Windows Blue Team

This week, participants were given a Windows Server 2016 virtual machine with several different types of hidden persistence mechanisms. Points were earned by discovering and analyzing these programs for the flags. To begin, ensure that Sysinternals is downloaded on the VM and that the options for viewing hidden files and protected operating system files are enabled in Windows Explorer Folder Options.

Easy 1: There’s some persistence from the evil red team that gets run on login!
I wonder how I can find this?

I have mentioned this time and time again, but I still never start a Windows-centered CTF without Sysinternals. The important part of the challenge hint is “on login”, which for an easy challenge will almost certainly mean a scheduled task. While it is possible to scan through the Task Scheduler to find the persistence binary, the features of Sysinternals’ Autoruns application are much more intuitive and powerful.

Open Autoruns from the downloaded Sysinternals folder and click the Scheduled Tasks tab. The outlier, letmein, is easily identified by its pink shading, which indicates either that there is no publisher information for the binary or that the publisher’s digital signature doesn’t match what is expected. For this challenge, it’s the former, as can be seen from the blank “Publisher” field in the entry details. Based on the entry name and path, this is probably a backdoor that gives an attacker shell access.

The Scheduled Tasks tab of the Sysinternals Autoruns utility.

Right-click on the \letmein task and select Jump to Entry in the menu. This opens the Task Scheduler to view more details about the task (alternatively, Jump to Image opens the file location). As the hint says, this persistence mechanism runs on each login, ensuring that the red team can consistently access the box even after a restart.

The Task Scheduler entry for the `letmein` binary

Finally, check the properties of the scheduled task. Here, the author, scheduling options, and privilege settings can be seen. Users should always be selective about what programs automatically start on their PCs, and the Task Scheduler or other autorun utilities should always be a target of consistent auditing during a competition. The flag is seen in the description.


The flag is RS{cl0s3_th3_d00r}.

Easy 2: Set up firewall rules to allow IIS, SMB, and RPC. Also, enable firewall logging.
Signoff-based: Show your rules to the Tech Lead to get credit for this challenge.

Windows Firewall rules are easily written from the command line, either with netsh or with the PowerShell NetSecurity cmdlets. Here are some resources for using firewall commands in Windows.

# netsh does not accept spaces around "=" or the curly quotes Medium inserts; run elevated.
netsh advfirewall firewall add rule name="Allow IIS in" dir=in action=allow protocol=TCP localport=80
netsh advfirewall firewall add rule name="Allow IIS out" dir=out action=allow protocol=TCP localport=80
netsh advfirewall firewall add rule name="Allow SMB in" dir=in action=allow protocol=TCP localport=445
netsh advfirewall firewall add rule name="Allow SMB out" dir=out action=allow protocol=TCP localport=445
netsh advfirewall firewall add rule name="Allow RPC EPM in" dir=in action=allow protocol=TCP localport=135
netsh advfirewall firewall add rule name="Allow RPC EPM out" dir=out action=allow protocol=TCP localport=135
netsh advfirewall firewall add rule name="Allow RPC HTTPS in" dir=in action=allow protocol=TCP localport=593
netsh advfirewall firewall add rule name="Allow RPC HTTPS out" dir=out action=allow protocol=TCP localport=593
# Point the Domain profile's log at a file (the directory must exist) and log both allowed and blocked connections.
Set-NetFirewallProfile -Name Domain -LogFileName "D:\FWLOG\domain.log"
Set-NetFirewallProfile -Name Domain -LogAllowed True -LogBlocked True
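The same rule set written with the NetSecurity cmdlets instead of netsh, as an added example that is not part of the original post: it makes the script safe to re-run, enables logging on all three profiles rather than only Domain, and verifies the result. The log directory D:\FWLOG is taken from the post; applying the rules to every profile is this example's own choice.

```powershell
# Added example (not the post's commands): same rules via the NetSecurity module.
# Run from an elevated PowerShell prompt on Windows Server 2016.
$services = @(
    @{ Name = 'IIS';       Port = 80  },
    @{ Name = 'SMB';       Port = 445 },
    @{ Name = 'RPC EPM';   Port = 135 },
    @{ Name = 'RPC HTTPS'; Port = 593 }
)

foreach ($svc in $services) {
    foreach ($dir in 'Inbound', 'Outbound') {
        $name = "Allow $($svc.Name) $dir"
        # Skip rules that already exist so the script can be pasted in twice without duplicates.
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Direction $dir -Action Allow `
                -Protocol TCP -LocalPort $svc.Port -Profile Any | Out-Null
        }
    }
}

# Log allowed and blocked connections on every profile, so a box that falls off
# the domain keeps logging. $logDir is an assumption (the post used D:\FWLOG).
$logDir = 'D:\FWLOG'
if (-not (Test-Path $logDir)) { New-Item -ItemType Directory -Path $logDir | Out-Null }
foreach ($fwProfile in 'Domain', 'Private', 'Public') {
    Set-NetFirewallProfile -Name $fwProfile -LogFileName (Join-Path $logDir "$fwProfile.log") `
        -LogAllowed True -LogBlocked True -LogMaxSizeKilobytes 32767
}

# Verify: the rules just created with their ports, then the per-profile logging state.
Get-NetFirewallRule -DisplayName 'Allow *' | Get-NetFirewallPortFilter |
    Select-Object InstanceID, Protocol, LocalPort | Format-Table -AutoSize
Get-NetFirewallProfile | Select-Object Name, LogFileName, LogAllowed, LogBlocked
```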

Medium 1: Active Directory allows for such great security with its policies! This will 100% keep out the red team, nothing bad could ever happen in here! Right? …right?
Wrap the malicious thing in RS{}. If you believe you have the right thing, talk to the Tech Lead.

Active Directory auditing is one of the many challenges for Windows-based businesses. Due to its expansive nature, adding, removing, or troubleshooting Active Directory policies in the event of a problem can be difficult. This makes the service a perfect target for the red team and other nefarious users.

Sysinternals Active Directory Explorer

Fortunately, Sysinternals includes a tool to simplify the process of detecting and auditing anomalous Active Directory objects, including group policies. Active Directory Explorer has the ability to search through classes and attributes based on many different criteria. To find any recent changes made to Active Directory policies, use the search function to find any objects modified after March 21st, 2019 (when the challenges were created).

Search settings set to “Common classes modified after March 21st, 2019”

Unfortunately, there are too many results for these search criteria to make inspecting them for the flag feasible. However, finding maliciously-modified Active Directory entries is made somewhat easier because they will often have a later modification date than the other entries in the same container. While scrolling through the list, observe that most results have a modification date of March 21st, 2019 at 9:04:08 PM. Modify the search criteria to a later date than that, such as 9:05:00 PM. When searching after this date, one entry at the top appears suspicious because its modification date differs from that of the rest of the entries.

Search settings set to “Common classes modified after March 21st, 2019 9:05 PM”
The entry from previous search results

Active Directory group policies are stored in C:\Windows\SYSVOL\domain\Policies. Further inspecting this directory, there is only one file with the same modification date as the Active Directory entry:

C:\Windows\SYSVOL\domain\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\USER\Preferences\Files\Files.xml

This is an XML file, so it can be easily opened with a web browser, among other applications.

Left: The location “C:\Windows\SYSVOL\domain\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\USER\Preferences\Files” as indicated in Active Directory Explorer; Right: the contents of the Files.xml file

According to the file, there is a hidden file located at C:\Windows\beacon.dll! The flag is then RS{C:\Windows\beacon.dll}.

The location “C:\Windows\beacon.dll”
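The three pivots of this challenge (directory objects changed after the cutoff, SYSVOL files changed after it, and what a Group Policy Preferences Files.xml deploys) scripted in PowerShell, as an added example that is not part of the original post. It assumes the AD DS RSAT module is available on the box and that the cutoff of 9:05:00 PM is the one the post settled on; the attribute names come from the GPP Files.xml schema (targetPath, fromPath, hidden).

```powershell
# Added example (not the post's own steps): the AD Explorer / SYSVOL pivots in PowerShell.
Import-Module ActiveDirectory   # RSAT AD DS tools; assumed present (DC or admin workstation)

$cutoff = Get-Date '2019-03-21 21:05:00'   # cutoff the post arrived at

# 1) Objects changed after the 9:04:08 PM batch that everything else belongs to.
$changed = Get-ADObject -Filter 'whenChanged -gt $cutoff' -Properties whenChanged |
    Sort-Object whenChanged -Descending
$changed | Select-Object whenChanged, ObjectClass, DistinguishedName | Format-Table -AutoSize

# 2) Files in the policy share written after the same cutoff.
$sysvol = 'C:\Windows\SYSVOL\domain\Policies'
$recent = Get-ChildItem -Path $sysvol -Recurse -File |
    Where-Object { $_.LastWriteTime -gt $cutoff }
$recent | Select-Object LastWriteTime, FullName | Format-Table -AutoSize

# 3) For each Files.xml preference item, show what is copied, to where, and whether it
#    is marked hidden (the property that hid beacon.dll in this challenge).
function Get-GppFileItem {
    param([string]$Path)
    [xml]$doc = Get-Content -Path $Path -Raw
    foreach ($item in $doc.Files.File) {
        [pscustomobject]@{
            Policy     = (Split-Path $Path) -replace '.*(\{[0-9A-F-]+\}).*', '$1'
            Name       = $item.name
            Action     = $item.Properties.action      # C=create, R=replace, U=update, D=delete
            FromPath   = $item.Properties.fromPath
            TargetPath = $item.Properties.targetPath
            Hidden     = $item.Properties.hidden -eq '1'
            Changed    = $item.changed
        }
    }
}

$recent | Where-Object Name -eq 'Files.xml' |
    ForEach-Object { Get-GppFileItem $_.FullName } | Format-List
```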

Medium 2: They found our original backdoor that was run on login! Luckily, we’ve hidden another binary to keep persistence! They’ll never see it coming!
I hope they don’t download Sysinternals though… 😱

Persistence mechanisms don’t necessarily need to be Scheduled Tasks to start automatically in Windows. The registry and the Services MMC are also excellent locations to search for automatically-starting services and service hosts (svchost processes that load and run several service DLLs together). Fortunately, Sysinternals Autoruns also lists these files.

The Services tab of the Sysinternals Autoruns utility.

As can be seen from the screenshot, there is an unsigned service host running on startup from HKLM\System\CurrentControlSet\Services\svchost. By jumping to the entry, the flag can be seen in the description of the svchost.


The flag is RS{h1dd3n-serv1c3-bo111}.
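One way to get the Autoruns "no publisher" view without the GUI, covering both the logon-triggered scheduled tasks of Easy 1 and the auto-start services of this challenge: an added example, not the post's or Sysinternals' code. It assumes an elevated prompt on the Server 2016 VM; Get-AuthenticodeSignature does not check catalog signatures, so a NotSigned result is a lead to inspect by hand, not proof of a backdoor.

```powershell
# Added example (not from the post): autostart entries whose image has no verified
# publisher, the condition Autoruns shades pink. Logon tasks = Easy 1, services = Medium 2.

function Get-ImagePath {
    # Extract the executable from a command line such as  "C:\a\b.exe" -k netsvcs
    param([string]$CommandLine)
    if (-not $CommandLine) { return $null }
    $exe = if ($CommandLine -match '^\s*"([^"]+)"') { $Matches[1] }
           elseif ($CommandLine -match '^\s*(\S+)') { $Matches[1] }
    if (-not $exe) { return $null }
    [Environment]::ExpandEnvironmentVariables($exe)
}

function Test-Publisher {
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return 'Missing' }
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -eq 'Valid') { return $sig.SignerCertificate.Subject }
    return $sig.Status.ToString()   # NotSigned, HashMismatch, UnknownError ...
}

# Scheduled tasks with at least one logon trigger (the "on login" hint).
$tasks = Get-ScheduledTask | Where-Object {
    $_.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' }
} | ForEach-Object {
    $exe = Get-ImagePath ($_.Actions | Select-Object -First 1).Execute
    [pscustomobject]@{ Kind = 'Task'; Name = "$($_.TaskPath)$($_.TaskName)"
        RunAs = $_.Principal.UserId; Image = $exe
        Publisher = Test-Publisher $exe; Description = $_.Description }
}

# Auto-start services as the Service Control Manager sees them, i.e. the same
# entries that live under HKLM\System\CurrentControlSet\Services.
$services = Get-CimInstance Win32_Service -Filter "StartMode='Auto'" | ForEach-Object {
    $exe = Get-ImagePath $_.PathName
    [pscustomobject]@{ Kind = 'Service'; Name = $_.Name
        RunAs = $_.StartName; Image = $exe
        Publisher = Test-Publisher $exe; Description = $_.Description }
}

# Entries without a verified signer sort first; Description is where both flags sat.
@($tasks) + @($services) | Sort-Object { $_.Publisher -match '^CN=' } | Format-Table -AutoSize
```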

Hard: Make a 5 minute plan for Windows! This will be extremely beneficial for any competitions, especially IRSeC coming up on April 20th! Message the Tech Lead with any questions you have!

Requirements:

  • Change passwords
  • Set up firewall rules
  • Audit scheduled tasks/cron jobs
  • List of running services (system and network)
  • Audit users
  • 3 more custom things
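The "audit users" and "running services (system and network)" items of that plan as a paste-in snippet, an added example that is not the post's or RITSEC's plan; firewall rules and the task/service signature check are covered in the earlier sections, and password changes are left to the reader. It assumes a domain-joined member server (Get-LocalUser does not work on a domain controller, which has no local SAM).

```powershell
# Added example (not from the post): first-five-minutes user and listener audit.

# Local accounts: enabled state, Administrators membership, password age, last logon.
$admins = (Get-LocalGroupMember -Group 'Administrators').Name
Get-LocalUser | Select-Object Name, Enabled,
    @{ n = 'IsAdmin'; e = { $admins -contains "$env:COMPUTERNAME\$($_.Name)" } },
    @{ n = 'PwdAgeDays'; e = { if ($_.PasswordLastSet) { (New-TimeSpan $_.PasswordLastSet).Days } } },
    LastLogon | Sort-Object IsAdmin -Descending | Format-Table -AutoSize

# On a domain controller review the domain side instead (assumes RSAT is present):
# Get-ADGroupMember 'Domain Admins' -Recursive | Select-Object Name, SamAccountName

# Network-facing services: every listening TCP port mapped to its owning process
# and binary, so an unexpected listener stands out at a glance.
Get-NetTCPConnection -State Listen | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Port    = $_.LocalPort
        Address = $_.LocalAddress
        PID     = $_.OwningProcess
        Process = $proc.ProcessName
        Image   = $proc.Path
    }
} | Sort-Object Port | Format-Table -AutoSize

# Running services, to compare against the listener list above.
Get-Service | Where-Object Status -eq 'Running' |
    Select-Object Name, DisplayName, StartType | Format-Table -AutoSize
```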

Wow, this seems really familiar…

Conclusion

While defending several Windows boxes in a competition such as RITSEC’s upcoming Incident Response and Security Competition (IRSeC) can be challenging, knowing which tools to come prepared with can save an incredible amount of time and make your defenses more effective. Here are a few of my favorites:

Do you know of any tools or strategies to solve these challenges that I missed? Please let me know! I am always improving on my techniques for red/blue team competitions as well.

There will be 6 more weeks of challenges coming from RITSEC this semester! If you want to know more about RITSEC check out their website or attend a meeting if you’re on RIT’s campus — 12–4 PM in GOL-1400 for the CTF and presentations. Until next week!

Written by

DFIR, CTFs, disinformation, STEM education, and pretty much anything else that comes to mind. RIT Computing Security ’22. wyatttauber.com
