Baker Street Forensics

Huntress CTF: Week 3 – Forensics: Rogue Inbox, Texas Chainsaw Massacre: Tokyo Drift

CTF, DFIR, Forensics

Rogue Inbox

Originally I was looking at this in Timeline Explorer, but decided to switch to Excel.

Swimming and scanning through a sea of log entries, an anomaly showed itself.

For this one I just copied the values out by hand.

Huntress CTF: Week 3 – Forensics: Rogue Inbox, Texas Chainsaw Massacre: Tokyo Drift

The download is Application Logs.evtx

If you open the log with Event Viewer, you may see there’s an entry for a (non-actual) event ID of 1337.

The error content isn’t very helpful.

Let’s take a hint from the title and run the event log through Chainsaw.

Nothing significant when using the stock rules. What if we poke specifically at Event ID 1337.

That looks interesting.

Copy the binary data and bring it over to CyberChef

From unintelligible binary to unintelligible PowerShell.

Copy the output and save it is a .ps1 file. We can run the script through PowerDecode.

PowerCode works down through the obfuscation layers, finally revealing the plain text of the command.

Now that the code has been deobfuscated, time to figure out what it does. I copied the code into PowerShell ISE and start isolating the different command sections.

One of the commands does a DNS lookup and directs the output into a string.

If we run the command on its own we can see the output. The last part of the script checks to see if the output matches the pattern of a Base64 encoded string, and if so, decodes it.

Now what was that about Tokyo?

Use the tag #HuntressCTF on BakerStreetForensics.com to see all related posts and solutions for the 2023 Huntress CTF.

Huntress CTF: Week 3 – M Three Sixty Five

CTF, DFIR, M365

This is a multipart challenge. All the flags can be found within the live Microsoft 365 instance that we’ll ssh into.

The clue is street address. I’m not too fluent in the capabilities of AADInternals, so the first thing I do is head over to the documentation.

If I do a search on ‘street’ I see that it’s part of an Output example for Get-AADintTenantDetails

Ok, let’s give that command a go.

And there’s the flag under the street value.

For the next one, It not so subtly says that Conditional Access Policies will be part of this, so again we reference the docs. Get-AADIntConditionalAccessPolicies seems like a good candidate.

Two for two.

Microsoft Teams will be our focus on the third one. There’s dozens of Teams commands available within AADInternals. If we focus on message, that will get us to Get-AADIntTeamsMessages.

Having the documentation for the syntax really helped on this one.

And for the last one, no there isn’t a Get-AADIntPresident command. That would be too easy. How about a command that will show us all the users?

Scrolling up through the output, we find that the President (PattiF), has a flag in the telephone number field.

4 out of 4.

Use the tag #HuntressCTF on BakerStreetForensics.com to see all related posts and solutions for the 2023 Huntress CTF.

Huntress CTF: Week 2 – Miscellaneous: Rock, Paper, Psychic

CTF, DFIR, Miscellaneous

Rock, Paper, Psychic

Do you want to play a game?

You can see the basic flow of the game above. You put in your choice, then after some calculation the game chooses, and what do you know – the game always makes the winning choice.

How about a nice game of Chess?

Having played the game a couple times to get familiar with the flow, I ran the program using x64dbg.

Hit F9 a few times until it the program gets to your input choice.

Once you’ve typed in your selection in the command window, back to x64dbg. From here we will step over (F8) the instructions 1 by one.

Continue to hit F8, observing as the rest of the game text appears.

Global Thermonuclear War

In x64dbg, we see that the program tests 2 values and then does a JNE (Jump if not Equal) command to another function 416C6A.

If we use the debugger and change this to JE (Jump if equal to):

Who you calling cheater?

Use the tag #HuntressCTF on BakerStreetForensics.com to see all related posts and solutions for the 2023 Huntress CTF.

Huntress CTF: Week 2 – Forensics: Wimble, Opposable Thumbs, Tragedy_Redux

CTF, DFIR, Forensics

Wimble

Once the file was downloaded and extracted from the zip I ran the file command on it.

OK so we’ll be doing the analysis for this one on a Windows box to start.

Move the file to windows and rename to Fetch.wim

Open the .wim with 7zip explorer

Within the zip file we see a plethora of Prefetch (.pf) files, but among them we there is a fetch.zip

When we extract the contents of the zip file we have another directory of Prefetch files.

I extracted the .pf files to a folder.

I used Magnet AXIOM to process the prefetch files. Based on our scenario, I have keywords set for Huntress, ctf, and flag.

That was easy.

Opposable Thumbs

I know for a fact that Axiom can process thumbnail caches.

And BAM! there’s the flag.

Tragedy Redux

First things first, let’s get an idea of what kind of file we’re dealing with. Hmm. It shows as a zip archive. When the file is unzipped we see the structure below.

Looking at the structure, as seasoned analyst may identify that the tragedy_redux file is in fact a word document. Which will bring up another method in a minute. But before that let’s take a look at the vbaProject.bin file with olevba.

There’s a macro file with some curious fruit and vegetable related functions.

If you realized at the beginning this was a word doc file, you could append the file extension .docm to the file.

When opening the file in Word, there is a prompt to enable macros.

Once the document is open you see a document containing the definition of Tragedy.

From there we can go to Tools > Macros > Edit… we can get to the same vbs content we did with olevba.

The next step was to convert the vbs into something actionable. I struggled on this one, but one of my teammates was successful in converting the vbs to Python.

This code interprets the numeric values in longstring (Apples), as decimal representations of ASCII values, subtracts 17 from each value, and prints the corresponding characters. The characters are printed one by one without newlines, forming a string of characters as the output.

When we run the Python script we get back:

powershell -enc JGZsYWc9ImZsYWd7NjNkY2M4MmMzMDE5Nzc2OGY0ZDQ1OGRhMTJmNjE4YmN9Ig==

Now we can echo the value to base64 decrypt and get our final flag value.

Use the tag #HuntressCTF on BakerStreetForensics.com to see all related posts and solutions for the 2023 Huntress CTF.