Download the target environment ([hvv Training] Incident Response Target Machine Training - Close-range Penetration OS-1) and set it up. On your own computer run the command mstsc to open Remote Desktop Connection, enter the target machine's IP address and the account credentials (Administrator / zgsf@2024), and log in.
1. Attacker's External IP Address
Running the command netstat -nao showed no network connection to an external IP address.
Run compmgmt.msc to open Computer Management. Under System Tools -> Event Viewer -> Windows Logs -> Security, filter the current log by Event ID 4624 (successful logon); no logon record involving an external IP address was found.
Run compmgmt.msc again and open Computer Management's System Tools -> Task Scheduler -> Task Scheduler Library; no scheduled-task backdoor referencing an external IP address was found.
Run msinfo32 to open System Information. Under Software Environment -> Startup Programs, no startup program associated with an external IP address was found, and under Software Environment -> Services, no service related to an external IP address was found either.
Examine the desktop files and open the documents "Anti-Fraud.doc", "School Holiday Notice - Practice.doc" and "My Father - Typing Practice.doc". Run netstat -nao again: a network connection is now established to the external IP address 8.219.200.130.
In Word, open Tools -> Macro -> Visual Basic Editor to view the macro; the document contains macro code.
Uploading the file to the Micro-Step (ThreatBook) sandbox for analysis identifies a macro virus that downloads a malicious program from http://8.219.200.130:80/hhW. Report: https://s.threatbook.com/report/file/334d2c38dadfe9ef6b73d645776f9bd4305a3b541b9c6d79cc1de976116d9c75
Therefore, the answer to the first question, "Attacker's External IP Address", is: 8.219.200.130.
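The checks above (netstat, Security log 4624 events, scheduled tasks, startup entries and services) can be collected in one pass instead of clicking through each console. The following PowerShell triage script is an added example, not part of the original writeup; it uses only built-in cmdlets (Get-NetTCPConnection, Get-WinEvent, Get-ScheduledTask, Get-ItemProperty, Get-CimInstance) and flags any artefact that references a non-private IPv4 address, which is how a public C2 address such as the one found later in this section would surface. The Test-PublicIPv4 helper is an assumption of this example.

```powershell
# Added triage helper (not from the original writeup). Run in an elevated PowerShell
# on the target; each section mirrors one of the manual checks in the walkthrough.

# Helper (example-specific): true for a routable IPv4 address, false for RFC 1918,
# loopback, link-local and unparseable values.
function Test-PublicIPv4 {
    param([string]$Address)
    if ($Address -notmatch '^\d{1,3}(\.\d{1,3}){3}$') { return $false }
    $o = $Address.Split('.') | ForEach-Object { [int]$_ }
    if ($o[0] -in 0, 10, 127) { return $false }
    if ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) { return $false }
    if ($o[0] -eq 192 -and $o[1] -eq 168) { return $false }
    if ($o[0] -eq 169 -and $o[1] -eq 254) { return $false }
    return $true
}

$ipRegex = '(\d{1,3}\.){3}\d{1,3}'

# 1. Live TCP connections (what netstat -nao shows), resolved to the owning process.
"== Established connections to public addresses =="
Get-NetTCPConnection -State Established |
    Where-Object { Test-PublicIPv4 $_.RemoteAddress } |
    ForEach-Object {
        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Remote  = $_.RemoteAddress
            Port    = $_.RemotePort
            PID     = $_.OwningProcess
            Process = $p.ProcessName
        }
    } | Format-Table -AutoSize

# 2. Successful logons (Event ID 4624) whose source address is public.
"== 4624 logons from public addresses =="
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = $d['TargetUserName']
            LogonType = $d['LogonType']
            Source    = $d['IpAddress']
        }
    } | Where-Object { Test-PublicIPv4 $_.Source } | Format-Table -AutoSize

# 3. Scheduled tasks whose action line embeds a public IP.
"== Scheduled tasks referencing public addresses =="
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ($cmd -match $ipRegex -and (Test-PublicIPv4 $Matches[0])) {
            [pscustomobject]@{ Task = $task.TaskName; Path = $task.TaskPath; Command = $cmd }
        }
    }
} | Format-Table -AutoSize

# 4. Startup programs from the Run keys (the entries msinfo32 lists under Startup Programs).
"== Run-key startup entries referencing public addresses =="
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($k in $runKeys) {
    $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    $props.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -match $ipRegex -and (Test-PublicIPv4 $Matches[0]) } |
        ForEach-Object { [pscustomobject]@{ Key = $k; Name = $_.Name; Command = $_.Value } }
}

# 5. Services whose binary path embeds a public IP.
"== Services referencing public addresses =="
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -match $ipRegex -and (Test-PublicIPv4 $Matches[0]) } |
    Select-Object Name, State, StartMode, PathName | Format-Table -AutoSize
```

Run it once before and once after opening suspect documents, as the walkthrough does: the first pass establishes that no persistence mechanism references a public address, and the second pass catches the connection that only appears once the macro executes. The process name attached to each connection is what tells a responder that WINWORD.EXE, not a service, is the source.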
2. Attacker's Internal Pivot IP Address
Continue examining the desktop files. After opening the "phpStudy - Repair" file, run netstat -nao and you will find a connection to the internal IP address 192.168.20.129.
Right-click the file and choose "Edit": it is a BAT script that downloads a malicious program from http://192.168.20.129:801/a.
Therefore, the answer to the second question, "Attacker's Internal Pivot IP Address", is: 192.168.20.129.
3. MD5 of Throttling Software Used by Attacker (Uppercase)
Continue investigating the desktop files and you will find the "P2P Terminator" software, which can limit the bandwidth of LAN users. More information is available in this article: https://blog.csdn.net/weixin_73636162/article/details/127162089.
Right-click it and select "Open File Location" to enter the program directory.
Run certutil -hashfile p2pover.exe MD5 to calculate the MD5 value; this does not yield the answer.
The answer might be the MD5 value of the installation package instead. Search for "p2pover" in the file browser to find the installer, open its file location, and run certutil -hashfile p2pover4.34.exe MD5 to calculate the MD5 value that gives the answer.
Therefore, the answer to the third question, "MD5 of Throttling Software Used by Attacker (Uppercase)", is: 2A 5D 88 38 BD B4 D4 04 EC 63 23 18 C9 4A DC 96.
4. MD5 of the Attacker's Backdoor (Uppercase)
While working on the first question, several backdoor locations were checked without result. Finally, a Sticky Keys backdoor was found. Relevant information can be found here: https://www.cnblogs.com/MoZiYa/p/16690229.html.
The Sticky Keys program is located at C:\Windows\System32\sethc.exe. Open that file location and run certutil -hashfile sethc.exe MD5 to calculate the MD5 value, which is the answer.
Therefore, the answer to the fourth question, "MD5 of the Attacker's Backdoor (Uppercase)", is: 58 A3 FF 82 A1 AF F9 27 80 9C 52 9E B1 38 5D A1.
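Questions 3 and 4 both come down to hashing a file and deciding whether a system binary is genuine. The PowerShell below is an added example, not part of the original writeup: Get-Md5Upper reproduces the certutil -hashfile output format (uppercase hex, optionally byte-spaced as older certutil prints it) using Get-FileHash, and Test-StickyKeysBackdoor checks sethc.exe the way a responder would rather than by eyeballing a hash: it compares its MD5 with cmd.exe, verifies the Authenticode signature and the OriginalFilename version resource, and looks for the Image File Execution Options "Debugger" value, which is the other common way to hijack sethc.exe without touching the file. Both function names are assumptions of this example.

```powershell
# Added verification helpers (not from the original writeup). Requires an elevated
# PowerShell on the Windows host being examined.

# Equivalent of "certutil -hashfile <file> MD5": Get-FileHash returns uppercase hex,
# and the Spaced form matches the byte-separated output of older certutil builds.
function Get-Md5Upper {
    param([Parameter(Mandatory)][string]$Path)
    $hex = (Get-FileHash -Path $Path -Algorithm MD5).Hash
    [pscustomobject]@{
        Path   = $Path
        MD5    = $hex
        Spaced = ($hex -replace '(..)(?!$)', '$1 ')
    }
}

# Checks whether the Sticky Keys binary has been replaced or redirected.
function Test-StickyKeysBackdoor {
    $sethc = Join-Path $env:SystemRoot 'System32\sethc.exe'
    $cmd   = Join-Path $env:SystemRoot 'System32\cmd.exe'
    $findings = @()

    # Variant 1: sethc.exe overwritten with another executable (classically cmd.exe).
    $hSethc = Get-Md5Upper $sethc
    $hCmd   = Get-Md5Upper $cmd
    if ($hSethc.MD5 -eq $hCmd.MD5) { $findings += 'sethc.exe is byte-identical to cmd.exe' }

    # A genuine sethc.exe carries a valid Microsoft signature and names itself in its
    # version resource; a copied cmd.exe fails both tests even after being renamed.
    $sig = Get-AuthenticodeSignature -FilePath $sethc
    if ($sig.Status -ne 'Valid') { $findings += "signature status is $($sig.Status)" }
    $ver = (Get-Item $sethc).VersionInfo
    if ($ver.OriginalFilename -ne 'sethc.exe') {
        $findings += "OriginalFilename is '$($ver.OriginalFilename)'"
    }

    # Variant 2: an IFEO "Debugger" value makes Windows launch another program in
    # place of sethc.exe, leaving the file itself untouched.
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe'
    $dbg = (Get-ItemProperty -Path $ifeo -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) { $findings += "IFEO Debugger for sethc.exe points to $dbg" }

    [pscustomobject]@{
        SethcMD5   = $hSethc.Spaced
        CmdMD5     = $hCmd.Spaced
        Suspicious = ($findings.Count -gt 0)
        Findings   = $findings
    }
}

# Usage: hash the installer from question 3, then assess sethc.exe for question 4.
Get-Md5Upper -Path 'C:\path\to\p2pover4.34.exe' | Format-List   # placeholder path
Test-StickyKeysBackdoor | Format-List
```

The signature and OriginalFilename checks are what make this reusable beyond the training box: a hash comparison only catches the cmd.exe-copy variant, whereas a replaced sethc.exe built from any other binary still fails Authenticode validation, and the IFEO check covers the variant that leaves the file's hash unchanged.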
5. Flag Left by the Attacker
The Sticky Keys backdoor is triggered by pressing the Shift key five times, which reveals the flag.
Therefore, the answer to the fifth question, "Flag Left by the Attacker", is: flag{zgsf@shift666}.