swiss hacking challenge 2024 - give-me-logs
Difficulty: medium
Category: forensics
Author: tttttx2
Steve was very lucky indeed. He recently got a call from a security vendor, claiming he needs to buy a fancy SIEM solution. No idea what that is, but Steve managed to cobble something together, and now he has a shiny new Elastic SIEM. Surely, this must protect him from all the bad things, so on he went to download some new AI tools that claim to do all his work for him. Within a few minutes though everything went dark. And his fancy new SIEM is completely offline too, but luckily, he managed to recover a backup of some of the logs that were generated during the attack. Being completely overwhelmed by this, it's now your turn to figure out what happened. Find the answers to the following questions:
Note: Get started by extracting the backup, starting a local elastic instance, and import the backup.
Hint: Password is in the .env file. If it doesn't start (which takes a long while!), look at the Elastic system requirements; you probably need to set the virtual memory count in sysctl. Create a backup repo and restore the snapshot by importing only the logs-* indexes (in case you get a failure due to existing indexes), create this as a new data view, and off you go. Figuring out how to access the data is half of the fun ;)
The flag is composed of all your answers. Every question has a format; replace the number of the question in the flag format with the answer. Flag format is: shc2024{1-2-3-4-5}
Example question 1: What is the localhost IP (format: IPv4), question 2: what is the color of the sky (format: keyword) –> shc2024{127.0.0.1-blue…
Question 1: What was the name of the downloaded File? (format: filename.extension)
Question 2: What was the file renamed to? (format: filename.extension)
Question 3: To which IP did the malicious file connect to when executed? (format: IPv4 address)
Question 4: During the first open session with the attacker, they dumped registry keys and saved them to files each. List the filenames in alphabetical order per registry key. (format: file1,file2)
Question 5: After dumping the files, they were base64 encoded for easier exfiltration. List all those files in alphabetical order (format: file1,file2)
Hint: If you have issues getting the instance running, run sysctl -w vm.max_map_count=262144 and your instance should be reachable on http://127.0.0.1:5601
Files
We get a compose file for an Elastic stack and a backup folder that is mounted under /mnt/backup.
Exploitation
This was 90% figuring out how to restore Elastic backups.
Restoring the backup
$ sudo sysctl -w vm.max_map_count=262144
$ docker compose up -d
$ curl -k -X PUT "https://localhost:9200/_snapshot/backup" \
    -u elastic:adminadmin \
    -H 'Content-Type: application/json' \
    -d '
{
  "type": "fs",
  "settings": {
    "location": "/mnt/backup"
  }
}
'
$ curl -X POST \
    "https://localhost:9200/_snapshot/backup/now-kiscxdkisdspj2drxcl9dw/_restore" \
    -u elastic:adminadmin -k \
    -H "Content-Type: application/json" \
    -d '{"indices": "*logs-*"}'
Finding the logs
I used the Observability > Explorer (Beta) feature of Elastic to search through the logs.
First, I searched for files created in the user's Downloads directory:
file.path:C\:\\Users\\*\\Downloads* and event.action: "creation"
This leads to C:\Users\Steve\Downloads\report_generator.ps, created by msedge.exe.
We can find the new filename after renaming by searching for file.Ext.original.name: "report_generator.ps", which shows us that it has been renamed to report_generator.ps1.
As it is likely that the script was run with PowerShell, we can look for PowerShell network events:
message: "Endpoint network event" and process.name: "powershell.exe"
This leads us to three entries connecting to 192.168.1.101.
Now, let's check what files were dumped from the registry:
message: "Endpoint file event" and process.name: "reg.exe"
There were two files created under C:\Users\Steve\Documents\:
system
sam
Let's hope that the "encrypted" versions of the files were also created in the Documents folder:
message: "Endpoint file event" and file.path:C\:\\Users\\Steve\\Documents* and event.action: "creation"
And sure enough, we can see that system.base64 and sam.base64 have been created by certutil.exe (which can base64-encode files).
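The same chain of pivots, written out as an added example that is not part of the original writeup: a handful of constructed, ECS-shaped endpoint events stand in for the restored logs-* indices, and a small KQL-like filter reproduces each query from the section above (Downloads creations, the rename via file.Ext.original.name, powershell.exe network events, files written by reg.exe and certutil.exe). Field names follow the writeup's queries; destination.ip and the event.action value for network events are assumptions, and the sample events and their noise entries are constructed.

```python
"""Replay the give-me-logs pivots over constructed ECS-shaped endpoint events."""
from fnmatch import fnmatchcase
import ntpath

# Constructed sample events modelled on what the writeup's KQL queries matched.
EVENTS = [
    # 1. The browser writes the downloaded file.
    {"message": "Endpoint file event", "event": {"action": "creation"},
     "file": {"path": "C:\\Users\\Steve\\Downloads\\report_generator.ps"},
     "process": {"name": "msedge.exe"}},
    # 2. The file is renamed; Endpoint keeps the old name in file.Ext.original.name.
    {"message": "Endpoint file event", "event": {"action": "rename"},
     "file": {"path": "C:\\Users\\Steve\\Downloads\\report_generator.ps1",
              "Ext": {"original": {"name": "report_generator.ps"}}},
     "process": {"name": "explorer.exe"}},
    # 3. Three outbound connections from powershell.exe (destination.ip is assumed).
    *[{"message": "Endpoint network event", "event": {"action": "connection_attempted"},
       "process": {"name": "powershell.exe"},
       "destination": {"ip": "192.168.1.101"}} for _ in range(3)],
    # 4. reg.exe writes the hive dumps into Documents.
    {"message": "Endpoint file event", "event": {"action": "creation"},
     "file": {"path": "C:\\Users\\Steve\\Documents\\system"},
     "process": {"name": "reg.exe"}},
    {"message": "Endpoint file event", "event": {"action": "creation"},
     "file": {"path": "C:\\Users\\Steve\\Documents\\sam"},
     "process": {"name": "reg.exe"}},
    # 5. certutil.exe writes the base64-encoded copies.
    {"message": "Endpoint file event", "event": {"action": "creation"},
     "file": {"path": "C:\\Users\\Steve\\Documents\\system.base64"},
     "process": {"name": "certutil.exe"}},
    {"message": "Endpoint file event", "event": {"action": "creation"},
     "file": {"path": "C:\\Users\\Steve\\Documents\\sam.base64"},
     "process": {"name": "certutil.exe"}},
    # Noise that the filters must ignore: a creation outside Downloads, a benign connection.
    {"message": "Endpoint file event", "event": {"action": "creation"},
     "file": {"path": "C:\\Windows\\Temp\\cache.tmp"}, "process": {"name": "svchost.exe"}},
    {"message": "Endpoint network event", "event": {"action": "connection_attempted"},
     "process": {"name": "msedge.exe"}, "destination": {"ip": "10.0.0.5"}},
]


def get(event, dotted, default=None):
    """Resolve an ECS dotted field name such as 'file.Ext.original.name' in a nested dict."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return default
        cur = cur[part]
    return cur


def search(events, conditions):
    """KQL-style AND filter: values containing '*' are wildcards, others are exact matches."""
    def matches(ev):
        for field, want in conditions.items():
            have = get(ev, field)
            if have is None:
                return False
            if "*" in str(want):
                if not fnmatchcase(str(have), want):
                    return False
            elif have != want:
                return False
        return True
    return [ev for ev in events if matches(ev)]


def downloaded_files(events):
    """Q1: files created under any user's Downloads folder, with the writing process."""
    hits = search(events, {"event.action": "creation", "file.path": "C:\\Users\\*\\Downloads*"})
    return [(ntpath.basename(get(h, "file.path")), get(h, "process.name")) for h in hits]


def renamed_to(events, original_name):
    """Q2: new names of files whose recorded original name matches."""
    hits = search(events, {"file.Ext.original.name": original_name})
    return [ntpath.basename(get(h, "file.path")) for h in hits]


def network_destinations(events, process_name):
    """Q3: distinct destination IPs contacted by a process."""
    hits = search(events, {"message": "Endpoint network event", "process.name": process_name})
    return sorted({get(h, "destination.ip") for h in hits})


def files_created_by(events, process_name, under=None):
    """Q4/Q5: file names a process created, optionally under a directory, in alphabetical order."""
    cond = {"message": "Endpoint file event", "event.action": "creation", "process.name": process_name}
    if under:
        cond["file.path"] = under + "*"
    return sorted(ntpath.basename(get(h, "file.path")) for h in search(events, cond))


def assemble_flag(events):
    """Put the five answers into the challenge's stated format shc2024{1-2-3-4-5}."""
    (original, _writer), = downloaded_files(events)
    (renamed,) = renamed_to(events, original)
    (ip,) = network_destinations(events, "powershell.exe")
    docs = "C:\\Users\\Steve\\Documents\\"
    dumps = ",".join(files_created_by(events, "reg.exe", under=docs))
    encoded = ",".join(files_created_by(events, "certutil.exe", under=docs))
    return f"shc2024{{{original}-{renamed}-{ip}-{dumps}-{encoded}}}"


if __name__ == "__main__":
    print(assemble_flag(EVENTS))
```

Against real data the same functions work on the `_source` documents returned by an Elasticsearch search; the wildcard-on-backslash handling in `search` is the part that usually bites when translating a KQL `file.path:C\:\\Users\\*` filter into code.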
We can now put all of these pieces together to get the flag:
Flag
Conclusion
Elastic is a pain to get running. But once you're past that part, it's actually pretty cool.