Investigating Windows Write-up

Description

This CTF can be found on TryHackMe and is called “Investigating Windows”. A Windows machine has been hacked, and it's your job to investigate this Windows machine and find clues to what the hacker might have done.

Investigating Windows

What IP does the system connect to when it first starts?

After starting the machine we see the following output in the console:

Console Windows pops on connection

It seems like the compromised machine tries to connect to the IP 10.34.2.3.

What's the version and year of the Windows machine?

To get the Windows version, just press WIN + R, type in winver and press ENTER. After that the following window should open:

winver output

This reveals that “Windows Server 2016” is running.

Which user logged in last?

To get the last logged in user, we can inspect the registry. The registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI stores the last logged in user.

Registry revealing which user was logged in last

For this case, it was the “Administrator” user.

When did John log onto the system last?

To get the date and time when a specific user last logged in, you can use the following command:

net user john | findstr /B /C:"Last logon"

What two accounts had administrative privileges (other than the Administrator user)?

To get a list of local administrators, follow these steps:

1. Right-click on the Windows start menu and open “Computer Management”.

2. Go to Local Users and Groups > Groups > Administrators:

3. Double-click on Administrators. Now you should see the local administrators:

What's the name of the scheduled task that is malicious?

To display scheduled tasks, you can open the “Task Scheduler”. Just search for it and open it. After that click on “Task Scheduler Library”. Here you should see the scheduled tasks:

As you can see, the task “Clean file system” seems suspicious. You can also see which command is scheduled: nc.ps1. The command-line arguments specify to listen on port 1348.

When did Jenny last logon?

Running the command net user jenny | findstr /B /C:"Last logon" will reveal that “Jenny” has never logged into the machine:
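The account checks above (LogonUI registry key, net user for John and Jenny, and the Administrators group) can be done in one pass from PowerShell. This is an added example, not part of the write-up; it assumes an elevated PowerShell 5.1 session on the investigated host, where the LocalAccounts module is available.

```powershell
# Added example (not from the write-up): local account triage on the host,
# equivalent to the LogonUI registry check, "net user <name>" and the
# Computer Management > Groups > Administrators steps above.

# 1. Account last shown on the logon screen (LastLoggedOnUser under LogonUI).
$logonUi  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI'
$lastUser = (Get-ItemProperty -Path $logonUi -ErrorAction SilentlyContinue).LastLoggedOnUser
"Last logged-on user (LogonUI): $lastUser"

# 2. Every local account with its last logon time. A $null LastLogon means the
#    account has never logged on (the 'Jenny' case); we print it as 'Never'.
Get-LocalUser |
    Sort-Object LastLogon -Descending |
    Select-Object Name, Enabled,
        @{ Name = 'LastLogon'; Expression = { if ($_.LastLogon) { $_.LastLogon } else { 'Never' } } } |
    Format-Table -AutoSize

# 3. Members of the local Administrators group, excluding the built-in
#    Administrator account, to spot accounts that should not hold admin rights.
Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.Name -notmatch '\\Administrator$' } |
    Select-Object Name, ObjectClass, PrincipalSource |
    Format-Table -AutoSize
```

The LastLogon value comes from the local SAM, so it matches what net user reports as "Last logon"; domain logons recorded only on a domain controller will not appear here.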

At what date did the compromise take place?

We can assume that the scheduled task was created when the compromise happened. So if we look at when this task was first created, we can derive that the compromise happened on 03/02/2019:

At what time did Windows first assign special privileges to a new logon?

To investigate this question, we can use the Windows event logs. The event with the ID 4672 will show us when special privileges were assigned to a new logon. The type of this event is “Success Audit”, and it can be found in the “Security” log.

To investigate the logs open the “Computer Management” and go to System Tools > Event Viewer > Windows Logs > Security.

Finally apply a filter by clicking on Filter current log:

Then type in the Event ID and click on “OK”:

Now you can search for the Event:
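The same filter can be applied from PowerShell with Get-WinEvent, which also lets us pull the account and privilege list out of each 4672 event instead of reading the message text. Added example, not from the write-up; it assumes an elevated session, since reading the Security log requires administrator or Event Log Readers rights.

```powershell
# Added example (not from the write-up): find the earliest event 4672
# (Special privileges assigned to new logon) in the Security log and list
# the account and privileges each event carries.

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4672 } -ErrorAction Stop |
    Sort-Object TimeCreated

$first = $events | Select-Object -First 1
"First 4672 event: $($first.TimeCreated)"

# 4672 stores its fields in EventData (SubjectUserName, SubjectDomainName,
# SubjectLogonId, PrivilegeList); read them from the event XML.
$events |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [PSCustomObject]@{
            Time       = $_.TimeCreated
            Account    = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            LogonId    = $data['SubjectLogonId']
            Privileges = ($data['PrivilegeList'] -replace '\s+', ' ')
        }
    } |
    Select-Object -First 10 |
    Format-Table -AutoSize -Wrap
```

The LogonId can be joined against event 4624 (logon) to see which logon session the privileges belong to; that is not done here but is the usual next step.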

What tool was used to get Windows passwords?

In the Task Scheduler, we can see a task called “GameOver”. This one executes the following command:

mim.exe is Mimikatz and is used to steal Windows passwords.
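Instead of inspecting the Task Scheduler GUI task by task, the "Clean file system" (nc.ps1, port 1348) and "GameOver" (mim.exe) tasks and their creation dates can be listed in one go. Added example, not from the write-up; the pattern list in $suspicious is an assumption built from the tasks this write-up describes, not a complete signature set.

```powershell
# Added example (not from the write-up): enumerate non-Microsoft scheduled
# tasks with their action, arguments and creation date. The creation date
# is what the write-up uses to estimate the date of the compromise.

Get-ScheduledTask |
    Where-Object { $_.TaskPath -notlike '\Microsoft\*' } |   # skip built-in tasks
    ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            [PSCustomObject]@{
                TaskName  = $task.TaskName
                Path      = $task.TaskPath
                State     = $task.State
                Created   = $task.Date      # registration/creation date from the task XML
                Author    = $task.Author
                Execute   = $action.Execute
                Arguments = $action.Arguments
            }
        }
    } |
    Sort-Object Created |
    Format-Table -AutoSize -Wrap

# Flag tasks whose action references the tooling seen in this room (assumed
# pattern list; extend it for other environments).
$suspicious = 'nc\.ps1|netcat|nc\.exe|mim\.exe|mimikatz|-enc |downloadstring'
Get-ScheduledTask |
    Where-Object { $_.Actions | Where-Object { "$($_.Execute) $($_.Arguments)" -match $suspicious } } |
    Select-Object TaskName, TaskPath, Date, Author
```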

What was the extension name of the shell uploaded via the server's website?

To analyze uploaded files, we can go to C:\inetpub\wwwroot. These files are served by Microsoft IIS. As we can see, there are two files with the extension .jsp.

As we can see, “tests.jsp” looks like a web shell:

What was the last port the attacker opened?

Open the “Windows Firewall” and go to “Inbound Rules”. The rule at the top is the last rule that was added or modified:

When you scroll to the right you will see that this rule opens port 1337:

Check for DNS poisoning, what site was targeted?

To check for a DNS poisoning attack, we would first check the “hosts” file. On Windows this file is located at %SystemDrive%\Windows\System32\drivers\etc\hosts. You can open this file with Notepad. After that you should see that google.com is redirected to another machine:

The machine with the IP 76.32.97.132 is also a command and control server of the attacker.
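The last two checks (inbound firewall rules with their ports, and active hosts file entries) can be scripted as well. Added example, not from the write-up; it assumes the NetSecurity module that ships with Windows Server 2016 and reads the hosts file from %SystemRoot%.

```powershell
# Added example (not from the write-up): inbound allow rules that open a
# specific port (the 1337 rule in this room), and every active hosts entry
# (the poisoned google.com mapping).

# Join each inbound allow rule with its port filter and keep only rules
# bound to concrete ports rather than 'Any'.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        if ($port.LocalPort -ne 'Any') {
            [PSCustomObject]@{
                Name      = $_.DisplayName
                Profile   = $_.Profile
                Protocol  = $port.Protocol
                LocalPort = ($port.LocalPort -join ',')
            }
        }
    } |
    Format-Table -AutoSize

# hosts file: drop comments and blank lines, then split address from names.
# A well-known domain mapped to an unexpected address is the poisoning indicator.
$hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content $hosts |
    ForEach-Object { ($_ -replace '#.*$', '').Trim() } |
    Where-Object { $_ } |
    ForEach-Object {
        $parts = $_ -split '\s+', 2
        [PSCustomObject]@{ Address = $parts[0]; Hostnames = $parts[1] }
    } |
    Format-Table -AutoSize
```

Firewall rule objects carry no creation timestamp, so the GUI's top-of-list ordering is the only hint about which rule was added last; compare the list against a known-good baseline where one exists.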

Passionate about Cyber Security. I am publishing CTF writeups and Cybersecurity content!

Rabbit