Network Log Analysis - Determine Compromised System

Zeek them logs!

Instructions from the badge:

The attacks don’t stop! Can you help identify the IP address of the malware-infected system using these Zeek logs? For hints on achieving this objective, please visit the Laboratory and talk with Sparkle Redberry.

Link to Zeek logs which weigh around 300 MB (1.4 GB uncompressed).

Technical Challenge

Before attacking the Zeek logs, you can look for Sparkle Redberry in the Laboratory for some hints on the main objective. But as usual, you need to help him first with a laser device that normally generates Xmas Cheer but is now malfunctioning:

Sparkle Redberry

I’m Sparkle Redberry and Imma chargin’ my laser! Problem is: the settings are off. Do you know any PowerShell? It’d be GREAT if you could hop in and recalibrate this thing. It spreads holiday cheer across the Earth … … when it’s working!

So now it’s time to dive into the PowerShell terminal sitting on the table, which controls the laser hardware. When you open the terminal you see the below banner:

PowerShell 6.2.3
Copyright (c) Microsoft Corporation. All rights reserved.

https://aka.ms/pscore6-docs
Type 'help' to get help.

🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲
🗲                                                                                🗲
🗲 Elf University Student Research Terminal - Christmas Cheer Laser Project       🗲
🗲 ------------------------------------------------------------------------------ 🗲
🗲 The research department at Elf University is currently working on a top-secret 🗲
🗲 Laser which shoots laser beams of Christmas cheer at a range of hundreds of    🗲
🗲 miles. The student research team was successfully able to tweak the laser to   🗲
🗲 JUST the right settings to achieve 5 Mega-Jollies per liter of laser output.   🗲
🗲 Unfortunately, someone broke into the research terminal, changed the laser     🗲
🗲 settings through the Web API and left a note behind at /home/callingcard.txt.  🗲
🗲 Read the calling card and follow the clues to find the correct laser Settings. 🗲
🗲 Apply these correct settings to the laser using it's Web API to achieve laser  🗲
🗲 output of 5 Mega-Jollies per liter.                                            🗲
🗲                                                                                🗲
🗲 Use (Invoke-WebRequest -Uri http://localhost:1225/).RawContent for more info.  🗲
🗲                                                                                🗲
🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲🗲

You can see some really good hints straight away. Your main task is to calibrate the laser so that it emits at least 5 Mega-Jollies of Xmas Cheer. In order to calibrate it we can change its mirror angle, the temperature, the lens refraction and the mixture of gases inside. For the full instructions, execute the command from the banner:

PS /home/elf> (Invoke-WebRequest -Uri http://localhost:1225/).RawContent
HTTP/1.0 200 OK
Server: Werkzeug/0.16.0
Server: Python/3.6.9
Date: Sat, 28 Dec 2019 21:20:38 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 860

...
----------------------------------------------------
Christmas Cheer Laser Project Web API
----------------------------------------------------
Turn the laser on/off:
GET http://localhost:1225/api/on
GET http://localhost:1225/api/off
Check the current Mega-Jollies of laser output
GET http://localhost:1225/api/output
Change the lense refraction value (1.0 - 2.0):
GET http://localhost:1225/api/refraction?val=1.0
Change laser temperature in degrees Celsius:
GET http://localhost:1225/api/temperature?val=-10
Change the mirror angle value (0 - 359):
GET http://localhost:1225/api/angle?val=45.1
Change gaseous elements mixture:
POST http://localhost:1225/api/gas
POST BODY EXAMPLE (gas mixture percentages):
O=5&H=5&He=5&N=5&Ne=20&Ar=10&Xe=10&F=20&Kr=10&Rn=10
----------------------------------------------------
...

When I first tried to calibrate the laser, I naively thought I could just enter some random numbers and reach the desired amount of Mega-Jollies by trial and error. But after 10 minutes of messing with the laser parameters, I had to admit that this was not going to work. So I read the banner again and started following the hints.

PS /home/elf> get-content /home/callingcard.txt
What's become of your dear laser?
Fa la la la la, la la la la
Seems you can't now seem to raise her!
Fa la la la la, la la la la
Could commands hold riddles in hist'ry?
Fa la la la la, la la la la
Nay! You'll ever suffer myst'ry!
Fa la la la la, la la la la
PS /home/elf>

This clue is pointing to the command history, so next I Googled how to see PowerShell command history and queried the terminal:

PS /home/elf> Get-History
  Id CommandLine
  -- -----------
   1 Get-Help -Name Get-Process
   2 Get-Help -Name Get-*
   3 Set-ExecutionPolicy Unrestricted
   4 Get-Service | ConvertTo-HTML -Property Name, Status > C:\services.htm
   5 Get-Service | Export-CSV c:\service.csv
   6 Get-Service | Select-Object Name, Status | Export-CSV c:\service.csv
   7 (Invoke-WebRequest http://127.0.0.1:1225/api/angle?val=65.5).RawContent
   8 Get-EventLog -Log "Application"
   9 I have many name=value variables that I share to applications system wide. At a comma…
  10 (Invoke-WebRequest -Uri http://localhost:1225/).RawContent
  11 get-content /home/callingcard.txt

IDs #7 and #9 both seem interesting. For now we can assume that ID #7 holds the correct value for the angle. I then continued with ID #9, which appeared to be a truncated message. If only we could reveal the full version. Of course, after a few Google searches, I found just the command I needed:

PS /home/elf> Invoke-History -Id 9
I have many name=value variables that I share to applications system wide. At a command I will reveal my secrets once you Get my Child Items.

So hidden in the riddle was another riddle. The first sentence suggests we need to look at environment variables, while the second sentence suggests how to get to them (Get my Child Items). On to Google searching again, then back to the terminal:

PS /home/elf> Get-ChildItem Env:
Name                           Value
----                           -----
PWD                            /home/elf
riddle                         Squeezed and compressed I am hidden away. Expand me from my…
SHELL                          /home/elf/elf
...                            ...

Here we see an environment variable named riddle containing further clues. However, its value is truncated in the table view, so we need a way to display its full content. This can be done in numerous ways; one idea I got from my brother, who is a bigger PowerShell guru than I am, was to index the Env: listing directly and read the Value property:

PS /home/elf> (Get-ChildItem Env:)[-9].Value
Squeezed and compressed I am hidden away. Expand me from my prison and I will show you the way. Recurse through all /etc and Sort on my LastWriteTime to reveal i'm the newest of all.
PS /home/elf>

So the content of the riddle env variable was now revealed, and it suggested continuing in the /etc folder, where we should find the most recently modified file. Back to Google for some searching, which gave the below commands:

PS /home/elf> Get-ChildItem -Recurse -Path /etc | Sort LastWriteTime

[... lots of output omitted for brevity ...]

Directory: /etc/apt
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
--r---          12/28/19  9:46 PM        5662902 archive

PS /home/elf> Expand-Archive /etc/apt/archive -DestinationPath ./expanded
PS /home/elf> Get-ChildItem ./expanded/
    Directory: /home/elf/expanded
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----          12/28/19  9:53 PM                refraction
PS /home/elf> Get-ChildItem ./expanded/refraction/
    Directory: /home/elf/expanded/refraction
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
------           11/7/19 11:57 AM            134 riddle      << further clue for temperature
------           11/5/19  2:26 PM        5724384 runme.elf   << refraction is hidden here

This archive, when unpacked, revealed a folder named refraction, containing another hint plus the value for refraction. To get the value for refraction I had to somehow run the other file, runme.elf. I spent close to 2 hours trying to figure out how to call this file from PowerShell. When I had almost given up, I gave it a final try by issuing chmod +x and then running it as a binary executable. Quite surprisingly, this worked like a charm:

PS /home/elf/expanded/refraction> chmod +x ./runme.elf
PS /home/elf/expanded/refraction> ./runme.elf
refraction?val=1.867
PS /home/elf/expanded/refraction> Get-Content ./riddle
Very shallow am I in the depths of your elf home. You can find my entity by using my md5 identity:
25520151A320B5B0D21561F92C8F6224
PS /home/elf/expanded/refraction>

So there was the correct setting for the refraction of the laser. Next I turned to the other file in the folder, called riddle, and saw further clues. I noticed that it referred to depths, which was a reference to the depths directory under HOME, containing hundreds of text files in several levels of folder hierarchy. Somewhere in these depths was a file whose MD5 hash matched the one referenced in the riddle. To find it I issued the below command:

PS /home/elf> Get-ChildItem ./depths/*.txt -Recurse | Get-FileHash -Algorithm MD5 | Where-Object hash -eq 25520151A320B5B0D21561F92C8F6224 | Select path
Path
----
/home/elf/depths/produce/thhy5hll.txt

PS /home/elf> Get-Content /home/elf/depths/produce/thhy5hll.txt
temperature?val=-33.5
I am one of many thousand similar txt's contained within the deepest of /home/elf/depths. Finding me will give you the most strength but doing so will require Piping all the FullName's to Sort Length.

The last missing piece of the laser puzzle was the correct composition of gas compounds for the laser. There were no direct hints that I could find, however, I had the idea that perhaps the /home/elf/depths folder may be holding more than just the temperature. Next I did a search for the top 3 largest text files within this folder and found that the 2 largest text files are somewhat special. The largest was the one which contained the temperature, the second largest was another file with some further clues.

PS /home/elf> Get-ChildItem -Path ./depths/ -Recurse | Sort-Object Length -Descending | Select-Object length,name,directory -First 3 | Format-Table -AutoSize -Wrap

Length Name         Directory
------ ----         ---------
   224 thhy5hll.txt /home/elf/depths/produce
   209 0jhj5xz6.txt /home/elf/depths/larger/cloud/behavior/beauty/enemy/produce/age/chair/u
                    nknown/escape/vote/long/writer/behind/ahead/thin/occasionally/explore/t
                    ape/wherever/practical/therefore/cool/plate/ice/play/truth/potatoes/bea
                    uty/fourth/careful/dawn/adult/either/burn/end/accurate/rubbed/cake/main
                    /she/threw/eager/trip/to/soon/think/fall/is/greatest/become/accident/la
                    bor/sail/dropped/fox
   162 r9j67n1j.txt /home/elf/depths/larger/saddle/grown/correctly/allow/free/spoken/coffee
                    /sight/increase/steady/division/gas/available/pressure/wooden

As can be seen, the 3rd largest file was noticeably smaller. I still checked its content, but there was nothing useful in it, so it was safe to assume that no other files were of any interest within the depths folder. So then I checked the contents of 0jhj5xz6.txt, buried deep within the depths, and found that it contained a pretty useful hint:

PS /home/elf> Get-Content /home/elf/depths/larger/cloud/behavior/beauty/enemy/produce/age/chair/unknown/escape/vote/long/writer/behind/ahead/thin/occasionally/explore/tape/wherever/practical/therefore/cool/plate/ice/play/truth/potatoes/beauty/fourth/careful/dawn/adult/either/burn/end/accurate/rubbed/cake/main/she/threw/eager/trip/to/soon/think/fall/is/greatest/become/accident/labor/sail/dropped/fox/0jhj5xz6.txt

Get process information to include Username identification. Stop Process to show me you're skilled and in this order they must be killed:
  bushy
  alabaster
  minty
  holly
Do this for me and then you /shall/see.
PS /home/elf> Get-Process -IncludeUserName
     WS(M)   CPU(s)      Id UserName                       ProcessName
     -----   ------      -- --------                       -----------
     28.99     2.01       6 root                           CheerLaserServi
    191.95    16.86      31 elf                            elf
      3.57     0.02       1 root                           init
      0.72     0.00      24 bushy                          sleep
      0.75     0.00      26 alabaster                      sleep
      0.77     0.00      28 minty                          sleep
      0.82     0.00      29 holly                          sleep
      3.27     0.00      30 root                           su
PS /home/elf> Stop-Process 24 26 28 29
PS /home/elf> Get-Content /shall/see
Get the .xml children of /etc - an event log to be found. Group all .Id's and the last thing will be in the Properties of the lonely unique event Id.
PS /home/elf>

So it seemed the gas values were hidden somewhere in an .xml file in the /etc folder. To find this file I turned to another command of PowerShell:

PS /home/elf> Get-ChildItem -Recurse -Include *.xml -Path /etc/
    Directory: /etc/systemd/system/timers.target.wants
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
--r---          11/18/19  7:53 PM       10006962 EventLog.xml

It was a rather large XML file, so instead of displaying it, I just did a simple text-based search. I know the hint said I should parse the XML and do some fancy Group-By based on ID and whatnot, but I am fond of simpler shortcuts whenever possible, so I did a simple string search that quickly gave me the answer to the composition of gases:

PS /home/elf> Get-Content /etc/systemd/system/timers.target.wants/EventLog.xml | Select-String -pattern "gas"
<S N="Message">
  Process Create:    -
  RuleName:          -
  UtcTime:           2019-11-07 17:59:56.525
  ProcessGuid:       {BA5C6BBB-5B9C-5DC4-0000-00107660A900}
  ProcessId:         3664
  Image:             C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  FileVersion:       10.0.14393.206 (rs1_release.160915-0644)
  Description:       Windows PowerShell Product: Microsoft® Windows® Operating System
  Company:           Microsoft Corporation
  OriginalFileName:  PowerShell.EXE
  CommandLine:       C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -c "`$correct_gases_postbody = @{`n    O=6`n    H=7`n    He=3`n    N=4`n    Ne=22`n    Ar=11`n    Xe=10`n    F=20`n    Kr=8`n    Rn=9`n}`n"
  CurrentDirectory:  C:\
  User:              ELFURESEARCH\allservices
  LogonGuid:         {BA5C6BBB-5B9C-5DC4-0000-0020F55CA900}
  LogonId:           0xA95CF5
  TerminalSessionId: 0
  IntegrityLevel:    High
  Hashes:            MD5=097CE5761C89434367598B34FE32893B
  ParentProcessGuid: {BA5C6BBB-4C79-5DC4-0000-001029350100}
  ParentProcessId:   1008
  ParentImage:       C:\Windows\System32\svchost.exe
  ParentCommandLine: C:\Windows\system32\svchost.exe -k netsvcs</S>

I formatted the output a bit, but basically it is very easy to spot the composition of gases within the arguments of the PowerShell executable: O=6 H=7 He=3 N=4 Ne=22 Ar=11 Xe=10 F=20 Kr=8 Rn=9. With this final piece of the puzzle complete, I used the laser Web API to submit the correct values and reached 5 Mega-Jollies of Xmas Cheer in the laser output.

(Invoke-WebRequest http://127.0.0.1:1225/api/off).RawContent
(Invoke-WebRequest http://127.0.0.1:1225/api/angle?val=65.5).RawContent
(Invoke-WebRequest http://127.0.0.1:1225/api/temperature?val=-33.5).RawContent
(Invoke-WebRequest http://127.0.0.1:1225/api/refraction?val=1.867).RawContent
(Invoke-WebRequest -Uri http://127.0.0.1:1225/api/gas -Body "O=6&H=7&He=3&N=4&Ne=22&Ar=11&Xe=10&F=20&Kr=8&Rn=9" -Method POST).RawContent
(Invoke-WebRequest http://127.0.0.1:1225/api/on).RawContent
(Invoke-WebRequest http://127.0.0.1:1225/api/output).RawContent
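Returning to the EventLog.xml step: the /shall/see hint describes grouping the exported events by Id and reading the Properties of the one Id that occurs only once. The following is an added Python example of that approach (not code from the original post); the CLIXML sample is constructed, far smaller than the real 10 MB export, and its Ids, process details and command line are made up.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

# PowerShell CLIXML namespace used by Export-Clixml output.
NS = {"ps": "http://schemas.microsoft.com/powershell/2004/04"}

# Constructed sample in the shape of the EventLog.xml export: each <Obj> carries an
# <I32 N="Id"> (event Id) and an <S N="Message">. Ids and messages are made up;
# only one event Id (1, a Sysmon-style "Process Create") occurs exactly once.
SAMPLE_XML = """<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
<Obj RefId="0"><Props><I32 N="Id">3</I32><S N="Message">Network connection detected</S></Props></Obj>
<Obj RefId="1"><Props><I32 N="Id">3</I32><S N="Message">Network connection detected</S></Props></Obj>
<Obj RefId="2"><Props><I32 N="Id">1</I32><S N="Message">Process Create:
  Image:             C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
  CommandLine:       powershell.exe -c "$correct_gases_postbody = @{ O=6 H=7 }"
  User:              ELFURESEARCH\\allservices</S></Props></Obj>
<Obj RefId="3"><Props><I32 N="Id">5</I32><S N="Message">Process terminated</S></Props></Obj>
<Obj RefId="4"><Props><I32 N="Id">5</I32><S N="Message">Process terminated</S></Props></Obj>
</Objs>"""

def load_events(xml_text):
    """Return a list of (event_id, message) tuples from a CLIXML export."""
    root = ET.fromstring(xml_text)
    events = []
    for obj in root.findall("ps:Obj", NS):
        id_el = obj.find("ps:Props/ps:I32[@N='Id']", NS)
        msg_el = obj.find("ps:Props/ps:S[@N='Message']", NS)
        if id_el is None or msg_el is None:
            continue  # not an event record; skip it
        events.append((int(id_el.text), msg_el.text or ""))
    return events

def lonely_event_ids(events):
    """Group by Id (the hint's Group-Object step) and keep Ids seen exactly once."""
    counts = Counter(eid for eid, _ in events)
    return sorted(eid for eid, n in counts.items() if n == 1)

def message_field(message, name):
    """Pull one 'Name: value' line out of a Sysmon-style multi-line message."""
    m = re.search(r"^\s*%s:\s*(.*)$" % re.escape(name), message, re.M)
    return m.group(1).strip() if m else None

def find_unique_command_line(xml_text):
    """Locate the lonely event Id and return (id, CommandLine) for that event."""
    events = load_events(xml_text)
    unique = lonely_event_ids(events)
    if len(unique) != 1:
        raise ValueError("expected exactly one lonely event Id, got %r" % unique)
    (message,) = [m for eid, m in events if eid == unique[0]]
    return unique[0], message_field(message, "CommandLine")
```

On the real export the same grouping step separates the one-off process creation from the thousands of routine events, which is also why a command line carrying secrets stands out so clearly in Sysmon-style logs.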

Now that this terminal issue is solved, let’s check with Sparkle Redberry for the hints he promised:

You got it - three cheers for cheer! For objective 5, have you taken a look at our Zeek logs? Something’s gone wrong. But I hear someone named Rita can help us. Can you and she figure out what happened?

Main Objective

So the hint from Sparkle mentioned Rita, which is not a reference to another character on the ELFU campus but to a tool for solving the main objective: RITA (Real Intelligence Threat Analytics), available through a GitHub repository.

As a next step I unpacked the 300 MB zip and noticed that it already contained a folder ELFU with an index.html. I loaded it in my browser and saw that it contained statistics from presumably the same log files, so I did not have to install Rita after all. Instead I relied on the contents of this ELFU folder from the unpacked zip.

So next I opened the index.html and saw that one database with name ELFU was available. I clicked it and got a bunch of tabs with different kinds of information:

Rita Web UI

I first noticed the Beacons tab, and the very first item in the table had 7660 connections and a source IP of 192.168.134.130. That matched what I was looking for: the IP address of a system infected with malware. I also checked the Long Connections tab, where the same source IP showed up with the longest connection of 1000 (probably seconds). I tried this IP address as the answer and it was accepted!
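Both RITA tabs used above are derived from Zeek's conn.log: the Beacons view rewards source/destination pairs whose connections recur on a near-constant interval, and Long Connections simply sorts by duration. The following added Python example (not RITA's code and not from the original post) approximates both measures over a constructed conn.log excerpt; 192.168.134.130 is the IP from the page, while the destination 203.0.113.10, the other hosts and all timestamps and durations are made up.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed Zeek conn.log excerpt in Zeek's tab-separated ASCII format (only the
# columns this example needs). The 60-second cadence from 192.168.134.130 stands in
# for a beaconing host; the 192.168.134.10 traffic is ordinary bursty background.
# "-" is Zeek's unset marker, e.g. a connection whose duration could not be measured.
CONN_LOG = """#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration
1575000000.0\tC1\t192.168.134.130\t49152\t203.0.113.10\t80\ttcp\thttp\t0.5
1575000060.0\tC2\t192.168.134.130\t49153\t203.0.113.10\t80\ttcp\thttp\t0.4
1575000120.1\tC3\t192.168.134.130\t49154\t203.0.113.10\t80\ttcp\thttp\t1000.0
1575000180.0\tC4\t192.168.134.130\t49155\t203.0.113.10\t80\ttcp\thttp\t0.6
1575000240.0\tC5\t192.168.134.130\t49156\t203.0.113.10\t80\ttcp\thttp\t0.5
1575000007.0\tC6\t192.168.134.10\t50000\t10.0.0.5\t443\ttcp\tssl\t3.2
1575000091.0\tC7\t192.168.134.10\t50001\t10.0.0.5\t443\ttcp\tssl\t12.0
1575000310.0\tC8\t192.168.134.10\t50002\t10.0.0.5\t443\ttcp\tssl\t1.1
1575000500.0\tC9\t192.168.134.10\t50003\t10.0.0.5\t443\ttcp\tssl\t-
"""

def parse_conn_log(text):
    """Parse Zeek ASCII conn.log text into dicts keyed by the #fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows

def score_pairs(rows):
    """Per (orig_h, resp_h): connection count, gap regularity, longest duration."""
    by_pair = defaultdict(list)
    for r in rows:
        dur = None if r["duration"] == "-" else float(r["duration"])
        by_pair[(r["id.orig_h"], r["id.resp_h"])].append((float(r["ts"]), dur))
    scores = {}
    for pair, conns in by_pair.items():
        conns.sort()
        ts = [t for t, _ in conns]
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        # Beacons check in on a near-constant interval, so the coefficient of
        # variation of the gaps is close to 0; human-driven traffic is bursty.
        cv = pstdev(gaps) / mean(gaps) if len(gaps) > 1 and mean(gaps) > 0 else None
        longest = max((d for _, d in conns if d is not None), default=0.0)
        scores[pair] = {"count": len(conns), "interval_cv": cv, "longest": longest}
    return scores

def rank_beacons(rows, min_count=3):
    """Most beacon-like pairs first (lowest gap CV); pairs with few connections are ignored."""
    cands = [(p, s) for p, s in score_pairs(rows).items()
             if s["count"] >= min_count and s["interval_cv"] is not None]
    return sorted(cands, key=lambda ps: ps[1]["interval_cv"])
```

RITA's real scoring also weighs data-size consistency and connection counts, so treat this as the shape of the analysis rather than a drop-in replacement.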
