Enterprise customers running Windows Defender for Endpoint have a lot of capability at their fingertips. This includes the Live Response console, a limited command shell to interact with any managed Defender assets that are online. Besides its native commands you can also use the console to push scripts and executables to endpoints.
Note: there is a specific security setting in the Defender console if you want to allow unsigned scripts.
Microsoft has its own triage package capability, but you can also push your own tools like Magnet RESPONSE or KAPE. With a little bit of PowerShell mojo you can use your favorite collection utilities using the Defender Live Response console as your entry point into the remote asset.
The console enables you to pull back files from the remote endpoint, even when itโs been quarantined. One limitation of this console function is that youโre limited to retrieving files of 3GB or less.
For many triage collections this could be under the limit, but depending on the artifacts youโre collecting you might exceed that. So what do you do when you have an isolated endpoint but you need to pull back files over 3GB? Thatโs where Ginsu comes in.
Ginsu is a PowerShell script that you can upload to your Defender console along with the command line version of 7zip. You configure the script with the directory with the contents you want to transfer. The script acts as a wrapper for 7zip and will create a multipart archive, splitting the files into 3GB segments.
Once you pull the archives back to your workstation, you can use 7zip to extract the files back into their original properties.
In testing, the file transfer capabilities were a bit buggy, whether it was transferring 3GB Ginsu files or other smaller files from the asset. Iโm hoping this improves as the Defender console matures. If youโre able to text Ginsu in your environment, Iโd love to hear how it performs.
I’ve frequently used exiftool to inspect the metadata of pictures, including GPS coordinates.
The file does contain GPS metadata but before we even get there, looks like something out of the ordinary for the Image Description…
Instead of the usual CyberChef, this time we’ll do the conversion using PowerShell.
The converted string is our flag.
Operation Not Found
First off, lets adjust the positioning of the image and see if we can get better view of our location.
That’s better.
Actually when I ran this challenge, I started on my mobile device.
I took a screenshot of the building and then used the Google Lens function to identify the building.
Georgia Tech Library. That’s consistent with the description in the challenge. I bring up the location in Google Maps.
Zooming and scrolling and zooming and scrolling to get the Google Maps location and the mini-map on the challenge to the same areas. The mini-map is a PAIN to navigate. Even knowing where I was going to it took me several minutes to manipulate my positioning on the map.
But once I’m finally there, I mark my location and submit for the flag and…
Under the Bridge
Pretty much the same methodology as above.
Pivot the screen for a clearer landmark.
Grab a screenshot and send it to Google Lens
Rickroll Tunnel. LOL.
Once again back and forth with Google Maps and the mini-map and getting familiar with all the London highways, and finally….
Use the tag #HuntressCTF on BakerStreetForensics.com to see all related posts and solutions for the 2023 Huntress CTF.
To start with let’s see what kind of file this is.
“UHARC is a compression/archiving system for PC platforms, which appears to be neglected since around 2005. It achieves better compression than most other archivers, at the expense of being much slower.”
I scoured the internet looking for a copy of UHARC to download. I’m not going to link any here as many if not all may contain malware. Since this is a Windows only tool, (or Wine under Linux), we’ll open this one in a sandboxed Windows system.
When the file extracts we are presented with hot_off_the_press.ps1.
OMG that’s a lot of obfuscation! Let’s see if we can clean this up and make it more readable. First let’s remove all the ”+”
That’s a little bit better. There’s another obfuscation method going on where specific numbers are used to represent different letters. Originally, I tried to determine the substitution by completing terms I knew. Early ahead I saw (”Sc{2}i’pt{1}loc{0}Logging”) which to me reads like ScriptBlockLogging. So all 2’s are i’s, 1’s are B’s, and 0’s are k. I do a find/replace through the script with replacements on {0},{1}, and {2}. Now it looks like a block of Base64 in the middle block. I copy it over to CyberChef and … NADA. Something’s not right.
If you look closer at the code, you’ll see that each one of the strings that had a {#} substitution in it ends with “-f” followed by other letters in quotations. The first character after -f is substituted for {0}, the next for {1}, etc. So I run the same substitution pattern on the script using the correct letters for this string this time.
Replace the {0} with L.
Replace the {1} with E.
Now we’ve got a nice clean block of Base64.
Bring that over to CyberChef for decoding and:
We’ve got a script within the script.
If you scroll down in the output, you’ll see that there’s something else encoded as well.
We’ll run that through CyberChef.
Interesting we have an encoded_flag. Let’s add URL decode to the recipe.
HumanTwo
There were 1,000 files in the zip container. Easy comparison options like file size, modification date etc. don’t help as they are the same for all the files. It’s something in the content that has to be different. How the ‘f’ am I going to find the outlier in 1,000 files?! Meld and diff are two options coming up in the Discord. I install Meld, which is really a gui for diff, and start getting a feel for it. You can compare files or directories. If doing files you could do a 3 way comparison between 3 files. But not 1000. As I was looking through the files with Meld it struck me that all of the file contents we also the same with the exception of one line.
Let’s run through all the files with the_silver_searcher and isolate on String.Equals
Scrolling down through the output we see that one is a definite outlier, or as we like to say around here, an Irregular.
Once more to CyberChef, this time from Hex.
PHP Stager
Heavily obfuscated PHP. This is going to be fun.
Let’s see if ChatGPT can give some insight into what’s going on here.
After several hours of back and forth from PHP to Python to PowerShell, online IDE’s, more ChatGPT, googling, and back again I was able to roughly reproduce the PHP in a Python and get it to execute.
Looks like we’re not done yet. In the middle of the output we can see another block of Base64. What happens if we toss that into CyberChef.
Great! Now we have a Perl script. How far down does this challenge go? It’s like those Matryoshka dolls from Russia. One inside another inside another. But wait… there’s something interesting in the Perl script.
There’s a reference to UU encoding and a string. We’ll copy the string and bring it over to another of my favorite decoding sites, dcode.fr.
Sure enough it handles the decoding and we have our flag.
Zerion
Yay (said no one), another crazy PHP file.
Looks to be using Base64 encoding, Rot13, and some other options to obfuscate the code. Back to school (ChatGPT) to see what’s going on.
Let’s copy the large encoded text block to CyberChef. We’ll apply Rot13, then Reverse the text by Character, and finally – decrypt using Base64.
And that’s our flag!
Use the tag #HuntressCTF on BakerStreetForensics.com to see all related posts and solutions for the 2023 Huntress CTF.
So we’ve got a url and a specific port. Firefox web browser yields…
So we need an Authorization header. ๐ค
Time to look at the provided files. It looks to be the export of a Splunk application.
Time to download an eval copy of Splunk and… pause. There’s probably a simpler way to attack this.
The Silver Searcher is a command line tool I picked up during the CTF and I love it. It’s like Grep on PCP.
Once installed, the base command is ag, followed by what you’re searching for, and where. So let’s do a quick search for Authorization on all the contents of this directory.
That looks interesting. A clue? One of the PowerShell scripts has Authorization and what looks to be Base64 code.
We also see a comment about the $PORT being dynamic based on the Start button. Decoding the string in CyberChef…
At this point we have all the pieces, we just need to put them together. I started to look at different ways to pass an Authorization header to a web server. There’s proxy tools galore. And then there’s the basic’s like curl. After a bit of brushing up on my syntax I had:
Yay what looks like more Base64. Once more with our Chef’s hat and…
Traffic
rita was a tool I hadn’t used before but it was very easy to use. I installed it on my REMnux box and then ran it against the dataset.
I then used the command to generate an html report.
Looking through the DNS requests there’s something sketchy indeed.
Let’s go take a look at that.
Dumpster Fire
Let’s start with the_silver_searcher again and see if we have any luck with “Password”.
There’s a number of hits including references to an encryptedUsername and encryptedPassword in the logins.json file. So we’ve got some encrypted Firefox user passwords. If only there were a utility that could decrypt those. Enter firepwd.py, an open source tool to decrypt Mozilla protected passwords.
Run the script in Python and point it to the directory for the user profile (where the logins.json file is).
That’s a pretty LEET password ๐
Use the tag #HuntressCTF on BakerStreetForensics.com to see all related posts and solutions for the 2023 Huntress CTF.
Baker Street Forensics 