Investigating Follina and Unquoted service path vulnerability
Walkthrough of FIN DRILL 2022
The scenario is given below. Please read it: it tells you what happened and what you need to do to solve the questions (the "injections"). I will give the answer to each injection, and I will also explain what happened and how you can work it out yourself, to tease your brain a little.
Injection 0: 25
Our organization is called FIN, and we are a prominent financial organization in Bangladesh. Our IT domain name is FIN.LOCAL, and our Active Directory Domain Services (AD DS) domain controller runs on Windows Server 2019.
Very recently one of our employees received an email with an attachment. When he opened the attachment he found that the file had no content. Later, the IT security team observed suspicious activity on our organization's network.
During the investigation, the IT security team found a threatening text file on the Desktop of one of the domain controller administrator accounts.
Threatening text file location in DC : C:\Users\itadmin1\Desktop\Compromized.txt
For further investigation we are providing the Active Directory (domain controller) server and one Windows 10 workstation, which the IT support team uses as a shared workstation.
For this injection, read the scenario and submit FIN2022{UNDERSTOOD} to confirm that you have understood it.
Ans: FIN2022{Understood}
Injection 1: 50
Identify the CVE of the vulnerability which was initially exploited by the attacker. The format for this flag is FIN2022{CVE-XXXX-XXXXX}
You will be provided with one employee's email inbox, in which you will see a phishing email with a malicious attachment. Download the attachment. Once it is downloaded, run the command below against it. You do not need to execute the attachment; if you do execute it, make sure you are in an isolated environment.
Get-FileHash <filename> -Algorithm SHA256 | Format-List
You will get the SHA256 hash. Paste it into the VirusTotal search box: the detection names returned by several engines contain the CVE ID. A little googling shows that the vulnerability is known as Follina. See the link below:
https://www.cirt.gov.bd/follina-cve-2022-30190-new-microsoft-office-zero-day/
Ans: FIN2022{CVE-2022-30190}
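As an added example (my script, not part of the original walkthrough or the CIRT team's material), here is how the attachment can be checked for the Follina delivery mechanism without opening it in Word. A .docx is a ZIP archive; Follina documents carry an OLE object relationship whose target is an external URL, and the page fetched from that URL invokes msdt.exe through the ms-msdt: protocol handler. The function names and the file paths in the usage lines are placeholders of mine.

```powershell
# Added example (not from the original walkthrough): static triage of an Office
# attachment for the Follina (CVE-2022-30190) delivery pattern, without opening
# it in Word. The .docx is read as a ZIP, its relationship files are parsed, and
# any OLE object relationship whose target is external (an attacker URL) is
# reported. A second check scans a saved copy of that remote page for ms-msdt:.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Test-FollinaDocx {
    param([Parameter(Mandatory)][string]$Path)   # the downloaded attachment

    $findings = @()
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        foreach ($entry in $zip.Entries) {
            # Only .rels parts carry relationships, so only they can hold an external link.
            if ($entry.FullName -notlike '*.rels') { continue }

            $reader = [System.IO.StreamReader]::new($entry.Open())
            try { $xml = [xml]$reader.ReadToEnd() } finally { $reader.Dispose() }

            foreach ($rel in $xml.Relationships.Relationship) {
                $isOleObject = $rel.Type -like '*/relationships/oleObject'
                $isExternal  = $rel.TargetMode -eq 'External'
                if ($isOleObject -and $isExternal) {
                    $findings += [pscustomobject]@{
                        Part   = $entry.FullName
                        Target = $rel.Target        # the URL Word will fetch when the document opens
                        Reason = 'External OLE object relationship (Follina delivery pattern)'
                    }
                }
            }
        }
    } finally { $zip.Dispose() }
    $findings
}

# Stage two: the fetched HTML launches msdt.exe through the ms-msdt: protocol handler.
function Test-MsdtPayload {
    param([Parameter(Mandatory)][string]$Path)   # a saved copy of the remote HTML
    $text        = Get-Content -LiteralPath $Path -Raw
    $usesHandler = $text -match 'ms-msdt:'
    # The diagnostic pack id follows "/id" in the handler URL (PCWDiagnostic in the public samples).
    $pack        = if ($text -match 'ms-msdt:/id\s+(\S+)') { $Matches[1] } else { $null }
    [pscustomobject]@{
        File            = $Path
        UsesMsdtHandler = $usesHandler
        DiagnosticPack  = $pack
    }
}

# Usage (paths are placeholders):
# Test-FollinaDocx -Path .\attachment.docx | Format-List
# Test-MsdtPayload -Path .\stage2.html
```

Run Test-FollinaDocx on the attachment in the same isolated environment you use for Get-FileHash; an external OLE object target is enough to flag the file even before VirusTotal returns a verdict, and the target URL is an indicator you can search the proxy logs for.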
Injection 2: 50
Refer to injection 01, which program was abused by the vulnerability? The format for this flag is FIN2022{filename with extension}
The link above tells us that Follina abuses the Microsoft Support Diagnostic Tool, msdt.exe, which a crafted document can launch through the ms-msdt: URL protocol handler.
Ans: FIN2022{msdt.exe}
Injection 3: 100
After initial access to the victim machine, the attacker enumerated the system and found a service where user privileges were not properly configured. This makes the service vulnerable to exploitation. What is the name of that service? The format for this flag is FIN2022{flag}
This part is a bit tricky. After gaining access, an attacker looks for further vulnerabilities that allow privilege escalation or persistence. The attacker may have used a tool that reports whether any local privilege escalation vulnerability is present: a vulnerability scanner, a PowerShell script or an executable such as winpeas.exe.
You can search the Security event log with the Find feature (see the right pane in Event Viewer), for example for process names ending in .exe or .ps1; process creation events (ID 4688) carry the process name when process creation auditing is enabled. A SIEM makes finding these executables much easier.
As the question suggests, the attacker found a service where user privileges were not configured properly. From my Red Team study I already know that there is a vulnerability called unquoted service path execution. This vulnerability lets an attacker execute a malicious executable, and once it runs the attacker gets a reverse shell with the service account's privileges, usually NT AUTHORITY\SYSTEM, on the local system. So we fire up Autoruns and go to the Services tab. Here we can clearly see that there is only one entry without a verified publisher, which should immediately raise your suspicion. I will explain this further, but let's answer this injection first.
Ans: FIN2022{DataBackupSvc}
Injection 4: 200
Which file was used by the attacker to gain persistent access to support-pc? Give the file name with extension and the full (absolute) directory path. The format for this flag is FIN2022{E:\Fin\Drill\2022\ctf.txt}
To understand which file the attacker used for persistence, I need to explain this vulnerability further. Each service has an executable (its image path); when the service starts, the Service Control Manager runs that executable.
Here we can see that this service's executable path is quoted, so the path itself is not the problem. But when the path to the executable is unquoted and contains spaces, an attack surface opens up that an attacker can exploit.
When the path is not quoted, Windows cannot tell where the executable name ends and the arguments begin, so it tries each space-delimited prefix of the path in turn, appending .exe. Assume the service path is C:\program files\app\testservice.exe: Windows first tries C:\program.exe, and only if that does not exist does it fall back to C:\program files\app\testservice.exe. So if an attacker renames a malicious executable to program.exe and can place it in C:\, that file runs as soon as the service starts, under the service's account, which in turn gives the attacker a reverse shell. Windows only appends .exe to each candidate; it does not try other extensions. The case here is a close relative of this: the path is quoted, but, as shown next, the folder the path points into is writable.
Here our service name is DataBackupSvc and path to executable is C:\Program Files (x86)\Windows Resources Kits\Kits\Tools\Data Backup App\Backup.exe
Now notice that the Data Backup App folder also has inappropriate permissions: the attacker had write permission on this folder, which is why they could place Backup.exe there. Because the service's image path points at this Backup.exe, whatever file sits at that path is what gets run when the service starts, so the attacker named the malicious executable Backup.exe and dropped it there. The Backup Agent subfolder inside Data Backup App plays no part in this: with a quoted path, Windows does not split the path at spaces. If you check Backup.exe on VirusTotal, you will see that many vendors flag this executable as malicious.
Ans: FIN2022{C:\Program Files (x86)\Windows Resources Kits\Kits\Tools\Data Backup App\Backup.exe}
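To make the mechanism behind injections 3 and 4 concrete, here is an added example, written for this walkthrough rather than taken from the drill, that audits the services on a workstation for both weaknesses: an unquoted image path with spaces (it lists the candidate files Windows would try) and a service binary or folder that low-privileged users can write to, which is the DataBackupSvc case. Function names are mine; the principal list and the rights mask are the usual choices and can be tuned.

```powershell
# Added example (not from the original walkthrough): audit installed services for
# an unquoted image path with spaces and for a binary/directory that low-privileged
# users can write to. Run in an elevated PowerShell on the workstation under investigation.

# The paths Windows tries, in order, when a service path is unquoted: each
# space-delimited prefix with .exe appended, then the full path. For
# "C:\Program Files\app\svc.exe" that is C:\Program.exe, then the real binary.
function Get-UnquotedPathCandidates {
    param([Parameter(Mandatory)][string]$ExePath)
    $tokens = $ExePath -split ' '
    for ($i = 1; $i -lt $tokens.Count; $i++) {
        ($tokens[0..($i - 1)] -join ' ') + '.exe'
    }
    $ExePath
}

# True if Everyone/Users/Authenticated Users can create or replace files at $Path.
function Test-LowPrivWritable {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $lowPriv = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
    # CreateFiles | ChangePermissions | TakeOwnership | GENERIC_WRITE | GENERIC_ALL
    $danger      = 0x2 -bor 0x40000 -bor 0x80000 -bor 0x40000000 -bor 0x10000000
    $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # An inherit-only ACE applies to children, not to this object itself.
        if (([int]$ace.PropagationFlags -band $inheritOnly) -ne 0) { continue }
        if ($lowPriv -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $danger) -ne 0) { return $true }
    }
    $false
}

function Find-HijackableServices {
    foreach ($svc in Get-CimInstance Win32_Service) {
        $pathName = $svc.PathName
        if (-not $pathName) { continue }
        # Split the executable from its arguments: quoted path, or text up to the first .exe.
        if ($pathName -match '^"(?<exe>[^"]+)"')      { $exe = $Matches.exe; $quoted = $true }
        elseif ($pathName -match '^(?<exe>.+?\.exe)') { $exe = $Matches.exe; $quoted = $false }
        else { continue }
        $unquoted   = (-not $quoted) -and ($exe -match '\s')
        $candidates = if ($unquoted) { @(Get-UnquotedPathCandidates $exe) } else { @($exe) }

        $writable = @()
        foreach ($c in $candidates) {
            # A hijack needs write access to the candidate file or to its parent directory.
            if (Test-LowPrivWritable $c) { $writable += $c }
            $parent = Split-Path -Path $c -Parent
            if ($parent -and (Test-LowPrivWritable $parent)) { $writable += $parent }
        }

        if ($unquoted -or $writable.Count -gt 0) {
            [pscustomobject]@{
                Service    = $svc.Name
                RunsAs     = $svc.StartName          # the privilege a planted binary inherits
                Unquoted   = $unquoted
                ImagePath  = $pathName
                Candidates = $candidates -join '; '
                Writable   = ($writable | Select-Object -Unique) -join '; '
            }
        }
    }
}

# Usage:
# Find-HijackableServices | Format-Table -AutoSize
```

On the drill image this should list DataBackupSvc with Unquoted false but its Data Backup App folder in the Writable column, and RunsAs tells you straight away which account the planted Backup.exe runs as, which is the answer to the next injection.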
Injection 5: 150
Referring to injections 3 & 4, which account's privileges did the attacker gain after exploiting the misconfigured program? The format for this flag is FIN2022{AccountDomain\AccountName}
Now you need to investigate the Windows Security event log to answer this. Generally, when an attacker exploits this kind of vulnerability they get NT AUTHORITY\SYSTEM level access, which is the highest level of privilege on the system.
Note: if the service runs under a normal user account, the attacker gets that user's privileges after exploitation; likewise, if the service runs as NT AUTHORITY\SYSTEM, the attacker gets SYSTEM privileges. The service's account is shown in the Log On As column of services.msc.
You can filter on event ID 4672 (special privileges assigned to new logon) to find the events.
Ans: FIN2022{NT AUTHORITY\SYSTEM}
Injection 6: 50
Find out the IP address of the attacker that was used to control support-pc.
The format for this flag is FIN2022{IP ADDRESS}
Since the question says the attacker controlled support-pc, the attacker connected to the victim system successfully. In that case you need to investigate the RDP / Terminal Services events or the Windows Security logon success events (ID 4624): for an RDP session the logon type is 10 and the Source Network Address field holds the client's IP.
On support-pc you can install NirSoft's FullEventLogView to view the Terminal Services events. As the attacker had the highest level of access on the system, they may have created a user, here called webadmins, and used that user to get into the system. The attacker created user accounts and put them in the Administrators group to maintain persistence.
Ans: FIN2022{192.168.187.135}
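An added example for injections 5 and 6 (my script, not part of the drill): given an exported Security.evtx from support-pc, build a logon timeline that joins each 4624 logon to its 4672 event through the logon ID, so you can see which logons were RDP (type 10), from which source IP, and which received special privileges, plus the 4720/4732 events that record the accounts the attacker created and added to a local group. The file paths in the usage lines are placeholders.

```powershell
# Added example (not from the original walkthrough): logon timeline and account
# persistence from an exported Security.evtx. 4672 carries the logon ID of the
# session it applies to (SubjectLogonId), which matches TargetLogonId on the 4624.
function ConvertTo-EventData {
    param([Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $h = @{ TimeCreated = $Event.TimeCreated; Id = $Event.Id }
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { if ($d.Name) { $h[$d.Name] = $d.'#text' } }
    [pscustomobject]$h
}

$LogonTypes = @{ '2' = 'Interactive'; '3' = 'Network'; '4' = 'Batch'; '5' = 'Service'
                 '7' = 'Unlock'; '9' = 'NewCredentials'; '10' = 'RemoteInteractive (RDP)'; '11' = 'CachedInteractive' }

function Get-LogonTimeline {
    param([Parameter(Mandatory)][string]$EvtxPath)
    $events = Get-WinEvent -FilterHashtable @{ Path = $EvtxPath; Id = 4624, 4672 } -ErrorAction SilentlyContinue |
              ForEach-Object { ConvertTo-EventData $_ }

    $privByLogon = @{}
    foreach ($e in ($events | Where-Object { $_.Id -eq 4672 })) { $privByLogon[$e.SubjectLogonId] = $e.PrivilegeList }

    foreach ($e in ($events | Where-Object { $_.Id -eq 4624 } | Sort-Object TimeCreated)) {
        [pscustomobject]@{
            Time       = $e.TimeCreated
            Account    = "$($e.TargetDomainName)\$($e.TargetUserName)"
            LogonType  = $LogonTypes[$e.LogonType]
            SourceIP   = $e.IpAddress                    # the remote client for type 3/10 logons
            Privileged = $privByLogon.ContainsKey($e.TargetLogonId)
            Privileges = $privByLogon[$e.TargetLogonId]
        }
    }
}

function Get-AccountPersistence {
    param([Parameter(Mandatory)][string]$EvtxPath)
    Get-WinEvent -FilterHashtable @{ Path = $EvtxPath; Id = 4720, 4732 } -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertTo-EventData $_ } |
        ForEach-Object {
            $created = $_.Id -eq 4720        # 4720: user created; 4732: member added to a local group
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Action = $(if ($created) { 'User created' } else { 'Member added to local group' })
                Actor  = "$($_.SubjectDomainName)\$($_.SubjectUserName)"
                Target = $(if ($created) { $_.TargetUserName } else { "$($_.MemberName) -> $($_.TargetUserName)" })
            }
        }
}

# Usage (exported log path is a placeholder):
# Get-LogonTimeline -EvtxPath C:\case\support-pc\Security.evtx |
#     Where-Object { $_.LogonType -like 'RemoteInteractive*' -or $_.Privileged } | Format-Table -AutoSize
# Get-AccountPersistence -EvtxPath C:\case\support-pc\Security.evtx | Format-Table -AutoSize
```

The RDP rows give you the attacker's address for injection 6, the Privileged rows show the NT AUTHORITY\SYSTEM session for injection 5, and Get-AccountPersistence shows who created webadmins and when it was added to Administrators. The same functions work against the live log if you replace the Path key with LogName = 'Security'.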
Injection 7: 100
What was the IP address of support-pc when it was compromised?
The format for this flag is FIN2022{IP Address}
This is the IP address set by the CIRT team when they built the drill; it is not the attacker's IP, which we have already found. For the attacker to connect to this PC, it presumably had an address on the same 192.168.187.0/24 subnet. So if we search with the Event Viewer Find feature for 192.168.187, we get the following event.
Ans: FIN2022{192.168.187.149}
Injection 8: 100
An application was executed by the attacker to collect domain object information from the DC. What is the application name?
The format for this flag is FIN2022{filename with extension}
SharpHound, the collector for BloodHound, is the application attackers use to gather further juicy information about AD so that they can plan the next steps of the attack.
You can filter on event ID 4799 (a security-enabled local group membership was enumerated), which records the caller process name, or use the Find feature of Event Viewer to search for SharpHound, BloodHound, .exe or .ps1.
Ans: FIN2022{SharpHound.exe}
Injection 9: 150
During the post-exploitation phase, which attack method did the attacker use to get user details from the DC?
The format for this flag is FIN2022{FLAG}
From the BloodHound data the attacker may already know that a DCSync attack is possible. In this attack the attacker impersonates a domain controller: using the Directory Replication Service (DRS) protocol it asks the real DC to replicate directory data, including account password hashes, the way a peer DC would. DCSync requires a compromised account with the Replicating Directory Changes and Replicating Directory Changes All rights, which the attacker already had. The attacker sent the replication request and pulled the password hashes from the DC's response.
Ans: FIN2022{dcsync}
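An added example for injections 8 and 9 (mine, not from the drill): two queries over the DC's exported Security.evtx. The first groups 4799 events by caller process, which is where SharpHound.exe appears; the second filters 4662 directory-access events for the replication extended rights a DCSync request exercises, using the well-known GUIDs of those rights. Paths are placeholders, and 4662 events only exist if Audit Directory Service Access is enabled on the DC.

```powershell
# Added example (not from the original walkthrough): SharpHound and DCSync traces
# in an exported DC Security.evtx.
function ConvertTo-EventData {
    param([Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $h = @{ TimeCreated = $Event.TimeCreated; Id = $Event.Id }
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { if ($d.Name) { $h[$d.Name] = $d.'#text' } }
    [pscustomobject]$h
}

# 4799 records which process enumerated a security-enabled local group's members.
function Get-GroupEnumerationProcesses {
    param([Parameter(Mandatory)][string]$EvtxPath)
    Get-WinEvent -FilterHashtable @{ Path = $EvtxPath; Id = 4799 } -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertTo-EventData $_ } |
        Group-Object CallerProcessName, SubjectUserName |
        ForEach-Object {
            $first = $_.Group | Sort-Object TimeCreated | Select-Object -First 1
            [pscustomobject]@{
                Process          = $first.CallerProcessName
                Account          = "$($first.SubjectDomainName)\$($first.SubjectUserName)"
                GroupsEnumerated = $_.Count
                FirstSeen        = $first.TimeCreated
            }
        } | Sort-Object GroupsEnumerated -Descending
}

# Extended rights a replication (DCSync) request needs; 4662 lists them in Properties.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

function Get-DcSyncActivity {
    param([Parameter(Mandatory)][string]$EvtxPath)
    Get-WinEvent -FilterHashtable @{ Path = $EvtxPath; Id = 4662 } -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertTo-EventData $_ } |
        ForEach-Object {
            $props  = $_.Properties
            $rights = @($ReplicationRights.Keys | Where-Object { $props -match $_ } | ForEach-Object { $ReplicationRights[$_] })
            if ($rights.Count -eq 0) { return }
            [pscustomobject]@{
                Time           = $_.TimeCreated
                Account        = "$($_.SubjectDomainName)\$($_.SubjectUserName)"
                Object         = $_.ObjectName            # the naming context being replicated
                Rights         = $rights -join ', '
                # Real DCs replicate legitimately under their machine account ($ suffix);
                # a user account exercising these rights is the DCSync signal.
                MachineAccount = $_.SubjectUserName -like '*$'
            }
        }
}

# Usage (paths are placeholders):
# Get-GroupEnumerationProcesses -EvtxPath C:\case\dc\Security.evtx | Format-Table -AutoSize
# Get-DcSyncActivity -EvtxPath C:\case\dc\Security.evtx | Where-Object { -not $_.MachineAccount } | Format-Table -AutoSize
```

The 4662 filter is the same logic most SIEM rules for DCSync use: replication rights requested by a non-machine account. If the drill DC has no 4662 events at all, the audit subcategory was off and you will have to fall back on the attacker's tooling traces (4688 process creation, or the 4624 network logon that carried the request).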
I hope you like the walkthrough. Thanks.
Please subscribe to the following.
LinkedIn:
https://www.linkedin.com/in/md-mahimbin-firoj-7b8a5a113/
YouTube:
https://www.youtube.com/@mahimfiroj1802/videos
Next, I will try to get the logs into a SIEM and investigate them with various tools so that we can find the IOCs more efficiently. I will post that on my YouTube channel.