What is the Volatility profile for this image?
vol.py -f 0day.bin kdbgscan or imageinfo
Answer is Win2012R2x64
What was the startup time for this system?
Start up time of the system should be ties to the start time of PID 4, in Volatility we can use the pslist or pstree module
vol.py -f 0day.bin --profile=Win2012R2x64 pslist
Answer: 2019-10-17 21:36:43
What is the System's Hostname?
One good place to look at for this information would be located in the Widows Registry at the key located at: HKLM:\System\CurrentControlSet\Control\Computername\ActiveComputerName
In volatility in order to find the location of the Windows Registry we need to first find the hive locations.
vol.py -f 0day.bin --profile=Win2012R2x64_18340 hivelist
We needed a more specific profile for the hivelist module to populate the list
Now we will use the virtual offset of registry\machine\system to get to the list we need: 0xffffc001cb428000
vol.py -f 0day.bin --profile=Win2012R2x64_18340 printkey -o 0xffffc001cb428000
vol.py -f 0day.bin --profile=Win2012R2x64_18340 printkey -o 0xffffc001cb428000 -K CurrentControlset
Since Current Control Set does not have anything inside other than a pointer, we will try to controlset001 location.
We will run the following command to get the host name (“ “ around the -K parameter is required).
vol.py -f 0day.bin --profile=Win2012R2x64_18340 printkey -o 0xffffc001cb428000 -K “ControlSet001\Control\ComputerName\ActiveComputerName"
Answer: WEB-SERVER-DMZ
What is the name of the Active Directory Domain?
We can piggyback off of 0day 3 with the Registry Keys as we can find the domain in the current location: hklm:\ SYSTEM\ControlSet001\Services\Tcpip\Parameters
vol.py -f 0day.bin --profile=Win2012R2x64_18340 printkey -o 0xffffc001cb428000 -K "ControlSet001\Services\Tcpip\Parameters"
Answer: area116.mil
What is the system IP address?
For this one we will use the netscan plugin to answer this question, but there are to many local results s owe should grep those results out of the output.
vol.py -f 0day.bin --profile=Win2012R2x64_18340 netscan | grep -v :::0 | grep -v 0.0.0.0
Answer: 172.116.5.105
What SID proves session 4 is granted Domain Admin rights?
We will choose the getsids plugin to get this info:
vol.py -f 0day.bin --profile=Win2012R2x64_18340 getsids | grep -i domain
The S-1-5-21 -*-512 is the Sid used by domain admins where * is the specific domain
Answer: S-1-5-21-4092088994-1057394591-2624646455-512
This system has been exploited. Wat is the PID of the exploited process?
A good place to start on this would be to look at the malfind plugin to see if there are any injected code blocks.
I ran the following command to get the Pids of all possible injections:
vol.py -f 0day.bin --profile=Win2012R2x64_18340 malfind | grep Pid
Doing a quick google search on this one: Winsw.exe
Answer: 1884
What PID proves the attacker has the ability to remotely copy files to/from this system?
For this challenge we are looking for a way to send/receive data, we will look as the pstree again.
vol.py -f 0day.bin --profile=Win2012R2x64_18340 pstree
We might first look at the 1884 PID for program, but none of those are the answer, but if we move up to the parent process of 1884, we are at Pid 492. Inside of Pid 492 we have an RDP session and in order to move files between the client and server rdpclip.exe is spawned. Pid 2784 gives the ability to copy to/from the server in the RDP client.
The answer is: 2784
