{"componentChunkName":"component---src-templates-post-template-js","path":"/cor-ctf-2024-en","result":{"data":{"markdownRemark":{"id":"dea70179-13c7-5526-ae09-ddbced819699","html":"<blockquote>\n<p>This page has been machine-translated from the <a href=\"/cor-ctf-2024\">original page</a>.</p>\n</blockquote>\n<p>I participated in corCTF 2024, which started on July 27, 2024.</p>\n<p>This time the Rev challenges were far too difficult for me, and I did not feel like I could solve any of them, so I retired early after solving only two Forensics problems.</p>\n<p>I wrote brief writeups only for the challenges I solved, so I am collecting them here.</p>\n<!-- omit in toc -->\n<h2 id=\"table-of-contents\" style=\"position:relative;\"><a href=\"#table-of-contents\" aria-label=\"table of contents permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Table of Contents</h2>\n<ul>\n<li><a href=\"#the-conspiracyforensics\">the-conspiracy(Forensics)</a></li>\n<li>\n<p><a href=\"#infiltrationforensic\">infiltration(Forensic)</a></p>\n<ul>\n<li><a href=\"#q1\">Q1</a></li>\n<li><a href=\"#q2\">Q2</a></li>\n<li><a href=\"#q3\">Q3</a></li>\n<li><a href=\"#q4\">Q4</a></li>\n<li><a href=\"#q5\">Q5</a></li>\n<li><a href=\"#q6\">Q6</a></li>\n<li><a href=\"#analysis-notes\">Analysis Notes</a></li>\n</ul>\n</li>\n</ul>\n<h2 id=\"the-conspiracyforensics\" style=\"position:relative;\"><a href=\"#the-conspiracyforensics\" aria-label=\"the conspiracyforensics permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" 
focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>the-conspiracy(Forensics)</h2>\n<blockquote>\n<p>Our intelligence team created a chat app, and secretly distributed it to the lemonthinker gang. We’ve given you the application source and a capture taken by one of our agents - can you uncover their plans?</p>\n</blockquote>\n<p>Analyzing the pcap file provided with the challenge shows that meaningless-looking payloads were being sent and received as shown below.</p>\n<p><a class=\"gatsby-resp-image-link\" href=\"/static/49a06ea1ab09d73067b3f69188453fa8/a7a19/image-20240727150531143.png\" target=\"_blank\" rel=\"noopener\"><img class=\"gatsby-resp-image-image\" src=\"/static/49a06ea1ab09d73067b3f69188453fa8/d9199/image-20240727150531143.png\" alt=\"image-20240727150531143\" title=\"image-20240727150531143\" loading=\"lazy\"/></a></p>\n<p>After checking the script that was also provided with the challenge, I confirmed that, for each message, the ciphertext produced by the <code class=\"language-text\">encrypt</code> function (each character code multiplied by a random key between 10 and 100) and the list of per-character keys are sent as two consecutive TCP packets to port 80.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">import</span> random\n<span class=\"token keyword\">from</span> scapy<span class=\"token punctuation\">.</span><span class=\"token builtin\">all</span> <span class=\"token keyword\">import</span> <span class=\"token operator\">*</span>\n<span class=\"token keyword\">import</span> csv\n\nsources<span class=\"token punctuation\">,</span> destinations<span class=\"token punctuation\">,</span> messages <span class=\"token operator\">=</span> <span class=\"token punctuation\">[</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span> <span class=\"token punctuation\">[</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span> <span class=\"token punctuation\">[</span><span class=\"token punctuation\">]</span>\n\n<span class=\"token keyword\">with</span> <span class=\"token builtin\">open</span><span class=\"token punctuation\">(</span><span class=\"token string\">'chatlogs.csv'</span><span class=\"token punctuation\">,</span> mode<span class=\"token operator\">=</span><span class=\"token string\">'r'</span><span class=\"token punctuation\">)</span> <span
class=\"token keyword\">as</span> <span class=\"token builtin\">file</span><span class=\"token punctuation\">:</span>\n    csv_reader <span class=\"token operator\">=</span> csv<span class=\"token punctuation\">.</span>reader<span class=\"token punctuation\">(</span><span class=\"token builtin\">file</span><span class=\"token punctuation\">)</span>\n    <span class=\"token keyword\">for</span> row <span class=\"token keyword\">in</span> csv_reader<span class=\"token punctuation\">:</span>\n        sources<span class=\"token punctuation\">.</span>append<span class=\"token punctuation\">(</span>row<span class=\"token punctuation\">[</span><span class=\"token number\">0</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span>\n        destinations<span class=\"token punctuation\">.</span>append<span class=\"token punctuation\">(</span>row<span class=\"token punctuation\">[</span><span class=\"token number\">1</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span>\n        messages<span class=\"token punctuation\">.</span>append<span class=\"token punctuation\">(</span>row<span class=\"token punctuation\">[</span><span class=\"token number\">2</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token keyword\">def</span> <span class=\"token function\">encrypt</span><span class=\"token punctuation\">(</span>message<span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    messagenums <span class=\"token operator\">=</span> <span class=\"token punctuation\">[</span><span class=\"token punctuation\">]</span>\n    <span class=\"token keyword\">for</span> character <span class=\"token keyword\">in</span> message<span class=\"token punctuation\">:</span>\n        messagenums<span class=\"token punctuation\">.</span>append<span class=\"token punctuation\">(</span><span class=\"token builtin\">ord</span><span class=\"token 
punctuation\">(</span>character<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n    keys <span class=\"token operator\">=</span> <span class=\"token punctuation\">[</span><span class=\"token punctuation\">]</span>\n    <span class=\"token keyword\">for</span> i <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token punctuation\">(</span><span class=\"token builtin\">len</span><span class=\"token punctuation\">(</span>messagenums<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n        keys<span class=\"token punctuation\">.</span>append<span class=\"token punctuation\">(</span>random<span class=\"token punctuation\">.</span>randint<span class=\"token punctuation\">(</span><span class=\"token number\">10</span><span class=\"token punctuation\">,</span> <span class=\"token number\">100</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n\n    finalmessage <span class=\"token operator\">=</span> <span class=\"token punctuation\">[</span><span class=\"token punctuation\">]</span>\n    <span class=\"token keyword\">for</span> i <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token punctuation\">(</span><span class=\"token builtin\">len</span><span class=\"token punctuation\">(</span>messagenums<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n        finalmessage<span class=\"token punctuation\">.</span>append<span class=\"token punctuation\">(</span>messagenums<span class=\"token punctuation\">[</span>i<span class=\"token punctuation\">]</span> <span class=\"token operator\">*</span> keys<span class=\"token punctuation\">[</span>i<span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span>\n\n    <span class=\"token 
keyword\">return</span> keys<span class=\"token punctuation\">,</span> finalmessage\n\n<span class=\"token keyword\">for</span> i <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token punctuation\">(</span><span class=\"token builtin\">len</span><span class=\"token punctuation\">(</span>messages<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    finalmessage<span class=\"token punctuation\">,</span> keys <span class=\"token operator\">=</span> encrypt<span class=\"token punctuation\">(</span>messages<span class=\"token punctuation\">[</span>i<span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span>\n    <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span>finalmessage<span class=\"token punctuation\">,</span> keys<span class=\"token punctuation\">)</span>\n    packet1 <span class=\"token operator\">=</span> IP<span class=\"token punctuation\">(</span>src<span class=\"token operator\">=</span>sources<span class=\"token punctuation\">[</span>i<span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span> dst<span class=\"token operator\">=</span>destinations<span class=\"token punctuation\">[</span>i<span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span><span class=\"token operator\">/</span>TCP<span class=\"token punctuation\">(</span>dport<span class=\"token operator\">=</span><span class=\"token number\">80</span><span class=\"token punctuation\">)</span><span class=\"token operator\">/</span>Raw<span class=\"token punctuation\">(</span>load<span class=\"token operator\">=</span><span class=\"token builtin\">str</span><span class=\"token punctuation\">(</span>finalmessage<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n    send<span class=\"token punctuation\">(</span>packet1<span class=\"token 
punctuation\">)</span>\n    packet2 <span class=\"token operator\">=</span> IP<span class=\"token punctuation\">(</span>src<span class=\"token operator\">=</span>sources<span class=\"token punctuation\">[</span>i<span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span> dst<span class=\"token operator\">=</span>destinations<span class=\"token punctuation\">[</span>i<span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span><span class=\"token operator\">/</span>TCP<span class=\"token punctuation\">(</span>dport<span class=\"token operator\">=</span><span class=\"token number\">80</span><span class=\"token punctuation\">)</span><span class=\"token operator\">/</span>Raw<span class=\"token punctuation\">(</span>load<span class=\"token operator\">=</span><span class=\"token builtin\">str</span><span class=\"token punctuation\">(</span>keys<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n    send<span class=\"token punctuation\">(</span>packet2<span class=\"token punctuation\">)</span></code></pre></div>\n<p>So I wrote the following script to decrypt each message and obtained the flag.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">import</span> ast\n<span class=\"token keyword\">from</span> scapy<span class=\"token punctuation\">.</span><span class=\"token builtin\">all</span> <span class=\"token keyword\">import</span> <span class=\"token operator\">*</span>\n\n<span class=\"token keyword\">def</span> <span class=\"token function\">print_decrypted</span><span class=\"token punctuation\">(</span>p<span class=\"token punctuation\">,</span>k<span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    <span class=\"token keyword\">for</span> i <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token 
punctuation\">(</span><span class=\"token builtin\">len</span><span class=\"token punctuation\">(</span>p<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n        <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token builtin\">chr</span><span class=\"token punctuation\">(</span>p<span class=\"token punctuation\">[</span>i<span class=\"token punctuation\">]</span><span class=\"token operator\">//</span>k<span class=\"token punctuation\">[</span>i<span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> end<span class=\"token operator\">=</span><span class=\"token string\">\"\"</span><span class=\"token punctuation\">)</span>\n    <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n    <span class=\"token keyword\">return</span>\n\n\n<span class=\"token keyword\">def</span> <span class=\"token function\">extract_tcp_payload</span><span class=\"token punctuation\">(</span>pcap_file<span class=\"token punctuation\">,</span> src_ip<span class=\"token operator\">=</span><span class=\"token boolean\">None</span><span class=\"token punctuation\">,</span> dst_ip<span class=\"token operator\">=</span><span class=\"token boolean\">None</span><span class=\"token punctuation\">,</span> src_port<span class=\"token operator\">=</span><span class=\"token boolean\">None</span><span class=\"token punctuation\">,</span> dst_port<span class=\"token operator\">=</span><span class=\"token boolean\">None</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    packets <span class=\"token operator\">=</span> rdpcap<span class=\"token punctuation\">(</span>pcap_file<span class=\"token punctuation\">)</span>\n    payloads <span class=\"token operator\">=</span> <span class=\"token 
punctuation\">[</span><span class=\"token punctuation\">]</span>\n\n    <span class=\"token keyword\">for</span> packet <span class=\"token keyword\">in</span> packets<span class=\"token punctuation\">:</span>\n        <span class=\"token keyword\">if</span> packet<span class=\"token punctuation\">.</span>haslayer<span class=\"token punctuation\">(</span><span class=\"token string\">'TCP'</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n            <span class=\"token keyword\">if</span> src_ip <span class=\"token keyword\">and</span> packet<span class=\"token punctuation\">[</span><span class=\"token string\">'IP'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">.</span>src <span class=\"token operator\">!=</span> src_ip<span class=\"token punctuation\">:</span>\n                <span class=\"token keyword\">continue</span>\n            <span class=\"token keyword\">if</span> dst_ip <span class=\"token keyword\">and</span> packet<span class=\"token punctuation\">[</span><span class=\"token string\">'IP'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">.</span>dst <span class=\"token operator\">!=</span> dst_ip<span class=\"token punctuation\">:</span>\n                <span class=\"token keyword\">continue</span>\n            <span class=\"token comment\"># if src_port and packet['TCP'].sport != src_port:</span>\n            <span class=\"token comment\">#     continue</span>\n            <span class=\"token keyword\">if</span> dst_port <span class=\"token keyword\">and</span> packet<span class=\"token punctuation\">[</span><span class=\"token string\">'TCP'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">.</span>dport <span class=\"token operator\">!=</span> dst_port<span class=\"token punctuation\">:</span>\n                <span class=\"token keyword\">continue</span>\n            \n            tcp_payload <span 
class=\"token operator\">=</span> <span class=\"token builtin\">bytes</span><span class=\"token punctuation\">(</span>packet<span class=\"token punctuation\">[</span><span class=\"token string\">'TCP'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">.</span>payload<span class=\"token punctuation\">)</span>\n            <span class=\"token keyword\">if</span> tcp_payload<span class=\"token punctuation\">:</span>\n                payloads<span class=\"token punctuation\">.</span>append<span class=\"token punctuation\">(</span>tcp_payload<span class=\"token punctuation\">)</span>\n    \n    <span class=\"token keyword\">return</span> payloads\n\n\npcap_file <span class=\"token operator\">=</span> <span class=\"token string\">\"challenge.pcap\"</span>\nsrc_ip <span class=\"token operator\">=</span> <span class=\"token string\">\"192.168.134.8\"</span>\ndst_ip <span class=\"token operator\">=</span> <span class=\"token string\">\"192.168.87.251\"</span>\nsrc_port <span class=\"token operator\">=</span> <span class=\"token number\">0</span>\ndst_port <span class=\"token operator\">=</span> <span class=\"token number\">80</span>\n\npayloads <span class=\"token operator\">=</span> extract_tcp_payload<span class=\"token punctuation\">(</span>pcap_file<span class=\"token punctuation\">,</span> src_ip<span class=\"token punctuation\">,</span> dst_ip<span class=\"token punctuation\">,</span> src_port<span class=\"token punctuation\">,</span> dst_port<span class=\"token punctuation\">)</span>\n\n<span class=\"token keyword\">for</span> i<span class=\"token punctuation\">,</span> payload <span class=\"token keyword\">in</span> <span class=\"token builtin\">enumerate</span><span class=\"token punctuation\">(</span>payloads<span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    <span class=\"token keyword\">if</span> i <span class=\"token operator\">%</span> <span class=\"token number\">2</span> <span class=\"token 
operator\">==</span> <span class=\"token number\">0</span><span class=\"token punctuation\">:</span>\n        p <span class=\"token operator\">=</span> ast<span class=\"token punctuation\">.</span>literal_eval<span class=\"token punctuation\">(</span>payload<span class=\"token punctuation\">.</span>decode<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n    <span class=\"token keyword\">else</span><span class=\"token punctuation\">:</span>\n        k <span class=\"token operator\">=</span> ast<span class=\"token punctuation\">.</span>literal_eval<span class=\"token punctuation\">(</span>payload<span class=\"token punctuation\">.</span>decode<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n        print_decrypted<span class=\"token punctuation\">(</span>p<span class=\"token punctuation\">,</span>k<span class=\"token punctuation\">)</span></code></pre></div>\n<p><a class=\"gatsby-resp-image-link\" href=\"/static/2e2ae21c39f7866a5137b96083a0f88a/e5715/image-20240727150738333.png\" target=\"_blank\" rel=\"noopener\"><img class=\"gatsby-resp-image-image\" src=\"/static/2e2ae21c39f7866a5137b96083a0f88a/e5715/image-20240727150738333.png\" alt=\"image-20240727150738333\" title=\"image-20240727150738333\" loading=\"lazy\"/></a></p>\n<p>Being able to analyze pcap files with scapy was extremely convenient.
It seems easier than using tcpdump.</p>\n<h2 id=\"infiltrationforensic\" style=\"position:relative;\"><a href=\"#infiltrationforensic\" aria-label=\"infiltrationforensic permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>infiltration(Forensic)</h2>\n<blockquote>\n<p>After successfully infiltrating the lemonthinker gang, we’ve obtained their current location - the UK. We’ve attained some security logs from a gang member’s PC, but need some help in answering information relating to these.</p>\n</blockquote>\n<p>This challenge involved analyzing the Windows Security Event Log provided with the challenge and answering six questions.</p>\n<h3 id=\"q1\" style=\"position:relative;\"><a href=\"#q1\" aria-label=\"q1 permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Q1</h3>\n<blockquote>\n<p>Hello agent. Thanks for your hard work in the field researching. 
We’ll now ask you 6 questions on the information you’ve gathered.\nI’d like to take this opportunity to remind you that our targets are located in the United Kingdom, so their timezone is BST (UTC +1).\nWe’d like to confirm what the username of the main user on the target’s computer is. Can you provide this information?</p>\n</blockquote>\n<p>The administrator user that was added first looked like the likely one, and <code class=\"language-text\">slice1</code> was the correct answer.</p>\n<h3 id=\"q2\" style=\"position:relative;\"><a href=\"#q2\" aria-label=\"q2 permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Q2</h3>\n<blockquote>\n<p>Now, we’d like the name of the computer, after it was renamed. 
Ensure that it is entered in exactly how it is in the logs.</p>\n</blockquote>\n<p>The computer name was changed twice, and after the change made by what seemed to be the attacker, it was <code class=\"language-text\">lemon-squeezer</code>.</p>\n<h3 id=\"q3\" style=\"position:relative;\"><a href=\"#q3\" aria-label=\"q3 permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Q3</h3>\n<blockquote>\n<p>I wonder if they’ll make any lemonade with that lemon-squeezer…\nGreat work! In order to prevent their lemons from moulding, the lemonthinkers changed the maximum password age. What is this value? Please enter it as an integer number in days.</p>\n</blockquote>\n<p>From the password-policy change audit, you can tell that it was extended to 83 days.</p>\n<h3 id=\"q4\" style=\"position:relative;\"><a href=\"#q4\" aria-label=\"q4 permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Q4</h3>\n<blockquote>\n<p>It seems that our targets are incredibly smart, and turned off the antivirus. At what time did this happen? 
Give your answer as a UNIX timestamp.</p>\n</blockquote>\n<p>Converting the time when Defender was stopped into a UNIX timestamp gives <code class=\"language-text\">1721946160</code>.</p>\n<h3 id=\"q5\" style=\"position:relative;\"><a href=\"#q5\" aria-label=\"q5 permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Q5</h3>\n<blockquote>\n<p>The main lemonthinker, slice1, hasn’t learnt from the-conspiracy and has (again) downloaded some malware on the system. What is the name of the user created by this malware?</p>\n</blockquote>\n<p>The answer is the user <code class=\"language-text\">notabackdoor</code>, which was the last account created.</p>\n<h3 id=\"q6\" style=\"position:relative;\"><a href=\"#q6\" aria-label=\"q6 permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Q6</h3>\n<blockquote>\n<p>Finally, we’d like to know the name of the privilege level of the user created by the malware. 
What is this?</p>\n</blockquote>\n<p>The answer here was simply <code class=\"language-text\">Administrator</code>.</p>\n<p>The final answers were as follows.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">slice1\nlemon-squeezer\n<span class=\"token number\">83</span>\n<span class=\"token number\">1721946160</span>\nnotabackdoor\nAdministrator</code></pre></div>\n<p>Submitting these answers gives the flag.</p>\n<p><a class=\"gatsby-resp-image-link\" href=\"/static/f20bdeda76425c36b151d0277a63fc8d/26c3a/image-20240727154821481.png\" target=\"_blank\" rel=\"noopener\"><img class=\"gatsby-resp-image-image\" src=\"/static/f20bdeda76425c36b151d0277a63fc8d/d9199/image-20240727154821481.png\" alt=\"image-20240727154821481\" title=\"image-20240727154821481\" loading=\"lazy\"/></a></p>\n<h3 id=\"analysis-notes\" style=\"position:relative;\"><a href=\"#analysis-notes\" aria-label=\"analysis notes permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Analysis Notes</h3>\n<p>First, I analyzed the event log with Hayabusa.</p>\n<div class=\"gatsby-highlight\" data-language=\"powershell\"><pre class=\"language-powershell\"><code class=\"language-powershell\"><span class=\"token punctuation\">.</span>\\hayabusa-2<span class=\"token
punctuation\">.</span>5<span class=\"token punctuation\">.</span>1-win-x64<span class=\"token punctuation\">.</span>exe csv-timeline <span class=\"token operator\">-</span>d <span class=\"token string\">\"C:\\Users\\kash1064\\Downloads\"</span></code></pre></div>\n<p>At first, it looks like the user with SID <code class=\"language-text\">S-1-5-21-2883796447-3563202477-3898649884-1000</code> was added to the local Admin group.</p>\n<p>This username is <code class=\"language-text\">slice1</code>.</p>\n<div class=\"gatsby-highlight\" data-language=\"powershell\"><pre class=\"language-powershell\"><code class=\"language-powershell\">2024-07-25 22:03:56<span class=\"token punctuation\">.</span>012 <span class=\"token operator\">+</span>00:00 ‖ DESKTOP-MALD9OV ‖ Sec ‖ 4616 ‖ low ‖ 201 ‖ Unauthorized System Time Modification ‖ PrevTime: 2024-07-25T22:03:56<span class=\"token punctuation\">.</span>012867Z ¦ NewTime: 2024-07-25T22:03:56<span class=\"token punctuation\">.</span>012000Z ¦ User: WIN-MB9TIUK70HK$ ¦ Proc: C:\\Windows\\System32\\rundll32<span class=\"token punctuation\">.</span>exe ¦ PID: 0x4a0 ¦ LID: 0x3e7\n2024-07-25 22:03:56<span class=\"token punctuation\">.</span>016 <span class=\"token operator\">+</span>00:00 ‖ DESKTOP-MALD9OV ‖ Sec ‖ 4728 ‖ low ‖ 202 ‖ A Member Was Added to a Security-Enabled Global <span class=\"token function\">Group</span> ‖ SrcSID: S-1-5-21-2883796447-3563202477-3898649884-1000 ¦ TgtGrp: None ¦ LID: 0x3e7\n2024-07-25 22:03:56<span class=\"token punctuation\">.</span>020 <span class=\"token operator\">+</span>00:00 ‖ DESKTOP-MALD9OV ‖ Sec ‖ 4720 ‖ low ‖ 203 ‖ Local User Account Created ‖ TgtUser: slice1 ¦ TgtSID: S-1-5-21-2883796447-3563202477-3898649884-1000\n2024-07-25 22:03:56<span class=\"token punctuation\">.</span>049 <span class=\"token operator\">+</span>00:00 ‖ DESKTOP-MALD9OV ‖ Sec ‖ 4732 ‖ high ‖ 212 ‖ User Added To Local Admin Grp ‖ SrcSID: S-1-5-21-2883796447-3563202477-3898649884-1000 ¦ TgtGrp: Administrators ¦ LID: 
0x3e7\n2024-07-25 22:05:18<span class=\"token punctuation\">.</span>412 <span class=\"token operator\">+</span>00:00 ‖ DESKTOP-MALD9OV ‖ Sec ‖ 4648 ‖ info ‖ 414 ‖ Explicit Logon ‖ TgtUser: slice1 ¦ SrcUser: WIN-MB9TIUK70HK$ ¦ SrcIP: 127<span class=\"token punctuation\">.</span>0<span class=\"token punctuation\">.</span>0<span class=\"token punctuation\">.</span>1 ¦ Proc: C:\\Windows\\System32\\svchost<span class=\"token punctuation\">.</span>exe ¦ TgtSvr: localhost\n2024-07-25 22:05:18<span class=\"token punctuation\">.</span>412 <span class=\"token operator\">+</span>00:00 ‖ DESKTOP-MALD9OV ‖ Sec ‖ 4624 ‖ info ‖ 415 ‖ Logon <span class=\"token punctuation\">(</span>Interactive<span class=\"token punctuation\">)</span> <span class=\"token operator\">*</span>Creds in memory* ‖ <span class=\"token function\">Type</span>: 2 ¦ TgtUser: slice1 ¦ SrcComp: WIN-MB9TIUK70HK ¦ SrcIP: 127<span class=\"token punctuation\">.</span>0<span class=\"token punctuation\">.</span>0<span class=\"token punctuation\">.</span>1 ¦ LID: 0xb6b25\n2024-07-25 22:05:18<span class=\"token punctuation\">.</span>412 <span class=\"token operator\">+</span>00:00 ‖ DESKTOP-MALD9OV ‖ Sec ‖ 4624 ‖ info ‖ 416 ‖ Logon <span class=\"token punctuation\">(</span>Interactive<span class=\"token punctuation\">)</span> <span class=\"token operator\">*</span>Creds in memory* ‖ <span class=\"token function\">Type</span>: 2 ¦ TgtUser: slice1 ¦ SrcComp: WIN-MB9TIUK70HK ¦ SrcIP: 127<span class=\"token punctuation\">.</span>0<span class=\"token punctuation\">.</span>0<span class=\"token punctuation\">.</span>1 ¦ LID: 0xb6b55\n2024-07-25 22:05:18<span class=\"token punctuation\">.</span>412 <span class=\"token operator\">+</span>00:00 ‖ DESKTOP-MALD9OV ‖ Sec ‖ 4672 ‖ info ‖ 417 ‖ Admin Logon ‖ TgtUser: slice1 ¦ LID: 0xb6b25\n2024-07-25 22:05:19<span class=\"token punctuation\">.</span>785 <span class=\"token operator\">+</span>00:00 ‖ DESKTOP-MALD9OV ‖ Sec ‖ 5379 ‖ low ‖ 427 ‖ Credential Manager Accessed ‖ PID: 1484 ¦ 
SrcUser: slice1 ¦ Tgt: MicrosoftAccount:user=02yzspbvdvzrqxqh ¦ CredsReturned: 1 ¦ ReturnCode: 3221226021 ¦ LID: 0xb6b55 ¦ SrcSID: S-1-5-21-2883796447-3563202477-3898649884-1000</code></pre></div>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/9d6c5aa5c3a3e697aa45c6b368b72d1d/487ba/image-20240727151652663.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 7.916666666666666%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAACCAYAAABYBvyLAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAhklEQVQI1yXM3Q5DMABAYddKVn+lStERwya6WLL3f7Ezye5OvosTuG+N9RVmVbR7SX9qWl/SHuXlmu59tS9oT0Xtc6olRQ0pSSeJsgiRCEQmCGVIeAsJXp+NeZ9wc8+4OpZjZnrembYR9+hpBo1xmtpVVL1CmZzSFMhC/mdSEKcxjW2wzvID3/01LDdx4ekAAAAASUVORK5CYII='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/9d6c5aa5c3a3e697aa45c6b368b72d1d/8ac56/image-20240727151652663.webp 240w,\n/static/9d6c5aa5c3a3e697aa45c6b368b72d1d/d3be9/image-20240727151652663.webp 480w,\n/static/9d6c5aa5c3a3e697aa45c6b368b72d1d/e46b2/image-20240727151652663.webp 960w,\n/static/9d6c5aa5c3a3e697aa45c6b368b72d1d/f992d/image-20240727151652663.webp 1440w,\n/static/9d6c5aa5c3a3e697aa45c6b368b72d1d/882b9/image-20240727151652663.webp 1920w,\n/static/9d6c5aa5c3a3e697aa45c6b368b72d1d/1bb28/image-20240727151652663.webp 2367w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/9d6c5aa5c3a3e697aa45c6b368b72d1d/8ff5a/image-20240727151652663.png 240w,\n/static/9d6c5aa5c3a3e697aa45c6b368b72d1d/e85cb/image-20240727151652663.png 
480w,\n/static/9d6c5aa5c3a3e697aa45c6b368b72d1d/d9199/image-20240727151652663.png 960w,\n/static/9d6c5aa5c3a3e697aa45c6b368b72d1d/07a9c/image-20240727151652663.png 1440w,\n/static/9d6c5aa5c3a3e697aa45c6b368b72d1d/29114/image-20240727151652663.png 1920w,\n/static/9d6c5aa5c3a3e697aa45c6b368b72d1d/487ba/image-20240727151652663.png 2367w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/9d6c5aa5c3a3e697aa45c6b368b72d1d/d9199/image-20240727151652663.png\"\n            alt=\"image-20240727151652663\"\n            title=\"image-20240727151652663\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Looking at the computer-name column, you can see that the name was changed several times.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 139px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/26175bc1071b1f3aeefaf178edce2ca1/c2610/image-20240727152944708.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 594.2446043165467%; position: relative; bottom: 0; left: 0; background-image: 
url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAB3CAYAAAAD6WD5AAAACXBIWXMAAAsTAAALEwEAmpwYAAARi0lEQVRo3pWaeVsb2bHGbbR0tySzGbOafd83sQgBBiEECCQ2A8Y2GIw9cSZ37sR3MvdJPn2lfqepNl6SSf44qPusb9Wpek+dah7F43E5OjqSt2/fSrlclnfv3snExIR8/vxZrq6u5MOHD7K1tSXz8/Oyvb3t+tzd3cna2pr7vb29lY8fP8rS0pJ4niePUqmUdHZ2uknGx8fdc0NDg3R3d8vY2JgMDQ25uoGBAdent7dXenp6XDt1PFPa2toknU7Lo2QyKZubm3JycuIQHB8fu0k+ffrk6s7Pz109CNbX1x2yi4sL2djYkMvLSzk9PXXvMzMz4vu+POLP6OioLCwsuMqRkRFpbW2V4eFhJ+bs7Kx0dXU5NHNzc04KCghBbIU+SPsIuZlsd3dXXrx4IcVi0Yl4fX0te3t7TmdIsLi4KMvLy5LNZmV/f9/1PTw8lJ2dHdcP9QRBEE5IZzrwi2johIEmIuhQAxOyOL99fX3ud2VlRfL5vAwODoYT8mdkdERW11ZlaXlJsotZefbsmVSOKq6OklvJydz8nMzOzcro2GhUt1HYkKXckiyv6AL9fZIKVOREIiHbG9tytHckhdWC7Bf3ZWxkTCqFihzuHsrx3rHMjs/KxOiEFNYLUlgrSGW7IpPDk1IpVqRaqro+0+PT4aZkUhlJDiQluZYUP+9LbCYmXoMnNZUaV5fIJySxmpBgOZBgIRB/RPusaJ91T+IbcYkvxCW2EBO/zxfmepSJZcR/7Yv3kyf+iS/+B19SSynx/xTWeT97ktpISbAYhO2nWn7yJVjR94/hs/8Xfc8HkknqhOlUWtLP05KaT0kqm5J0X1oy6YykllOuLj2lbdP6PKfPM9q3V9/HwrbUrNYNa92Qlo5w3KNMTUYSbxMS+yUm8Vcqwi9x8RY9efyPxxL/37jU/F+N+IeK9oWK+DIuyQtVw2+qhpKO+RyT2K9afleRX/ghQnamua9ZOiY6pHOyU5q7muVZyzPpH+6X1pFW6Zrokrr6OmnsaJTOmU5p7G2U2pZaaetsk7b+NmkfbJfW3lZpaG0IEWKHq7lVuXl7I6VCSU6PTx1ZrOXXpFquyu3VrfOgUrEkd+/u5OL0QnJLOSnvleX9u/fy+uK1nL88l4X5hZAcsMOe3h4ZGx+TickJZ8C4EXWDQ4PSP9AvT548kebmZlfX1d3l7BbXxLhpx/CfNT8LXQ/bwTtevXrlHB5Xw5XwHNwKCpuamnLud3NzI9VqVSYnJ52LvnnzRl6+fOlcEJ93dghC3AYiQDQGgxLnhwQgDujs+fPnrh/kwWAmxX8p9Gtvbw9dj1lhEVZeXV11KB8WEDBJLpdzUhQKBScifg7VHRwcSKlUcowTTcgqiIjjMxAERhAUyBPU1Fsf6lEVv5AK/SM+ZHajKAbQCbS8Q2t0RhXol3Y2jTbQIgWMgzqiTUF3cBw0hLKhLDrwy0LQPuiQgvMFcVkQJqedidn1yGwQh5UZhILRGQhQPKvD4P39/W5B2jo6OhxiU8n09LRD7c4UEDKYswMElUrFmQtqAAEmwU6DiI2jGFLOEzaFwgKcTw4hBsoEILKTjA6IQR1mg1nwDBIQgpTCYkiIFA4hcrNrGDC6wBRAgShswuvXr51IIMKQz87OHFqk4CznndMRO44QgojV0B9oMWLQoTc2B9fjWOAddPSnns2ijjG0RwhRPKecIURvbAA7TyTBZqFPogQQmTnhihg7xo9EX8hBV8S40SMrc4yyOs8gMIT0ow30FENIoT2yQ45DogCMlB2zcxcUIDcdghBqY8NAjN6xDupw34gc2FnEYiAoebfYBiT19fVul+18xhHMXin0wz0jX2aHHKmqZ6BHcym8gLiFAeiUHQcZkyIBdohFIAkmFU1ohmsOj0joCzFA3tLS4
tBRTx0q4pf+9otEETnQER9mMiugZSD6xCyYGC+ijcH8Qlvolr6gjjYF3cHSGDjiYkYgQkyIgAnoY3zJBPShL+2Iz4SR2aBYEwNdoHAQ2CQoHBNiMPrEuGmjDzYJehaNEMI0GCcDEBHFMylqwIxYEES08Q4i0LGRuCcFIBFCIqfJqUlXBgYHnMFOz0zL8MiwTM1MSWNjo3Q873DP3T3d0t7R7k4+IjFOS/q1tj0gh/xyXm7e6Lm8UZKXR3qKHRzK8uyyVPYqcnVxJdNT01LcLMr1xbWcn57L+tq6lEsa4L9+J69OXsnZ8ZlkZ7MhOaSDtDQMNEjjVKM0zTZJ45BGBj21Lo5pHGmUzKQGU3W+pFs1fhlPS11XnbT3tMvTsadSO1wrdWN10jCsUUNLJkRIPOKVNG75W1wSJxqzfEhI8lZDu21fElf6/ntCUnmNxs70/f+17WeNbba1/jLh3hP/o+VTIoxtEgRLgc48mHaRFNEXkZWLsEbC59Sovj9RdC1p14+29IS2T6Zc1OXaR8L2MD5UhEExkORfk2GUda0x4ZXGivsa9136kvw9GcaCGhcm/54U74MXvivi5G9JFz+6urX7+DDjZ9wqRKgpCnGfoksP6O+Mlgl9rlcEnV9QB0uBixdBmZpKufjRxYcBE3qK8EUg3sd7VIok0OJVfBexer9oBJvVcLisz58V7YXvJkAa/8865r2WN0S9itC/Rxhoh0QpkPR6IAmdPK4T1CpCT0VLKGpPdzg+nJKYoo/l9L2gImsIHKNd3xP67PWlBHBqhxlZ1fD3+iyQPdVlZTuQg2JKKmX9LaXkp+tAplTMrbWUfLoNNOpPyYRuzr72vbkI5M1pIKcHgcyr6H5wP+Hikicvz2OyVfTkoBqXQjGunuBLcTsuO3s16kl621qMS7H0WPb2Y7Jb9rQtIft6U9jZi8leOaYe46lhZ3A9X311XJlmQ4l2Qaksq6w9r2SRV2ZeUP8uKVv3KJtMKtPsqo9nlRw6tS2rfTaVINaVVHLKnwNfyCGbndez9djRUrm8pxxXcKRbKGzq+65ONqiDl5Tidlw75ACNVasHytY7rkxMjH8hhwENa6EjCrzGKQaVMSm/T58+dacdz5At54udkhZ4UheRA1zIecEZAiVBU3AcpMupxiDaeOYcgeZga05KogbG0P+ryAE0rAgC0LAqrA0X1tbWunMF9JAr7SaJnd0E9T+MHFiRyMHOE+otciCKACVHBScd75yK30UOkCaEOa6KZTViG64LFMg3k8lI07MmJwkIqefKwTvtSEV7dKNfya3I1ZsrR6KH1UOpVqqysbYh++V9uX0XXnyK20W5e3/ndMjm7JZChK8uXsnpyak72yOEXf1dMjY1JkMzQzI8OuxWbuprkoERjRWHeqS+tl7aWtqkq69L+nv7wxhoTHU3qBIM9cng8KDTcZAKQnJIFBLy+M+P3R255qJG4udKtlW9HJ7FpOavenlcUKqqJCX2N70ovtVL5rzekU+07ZcaiX3Uumu9P+e80JfTftpRkL/ly5P8E/HXlFXmPKnrr3M0xWR+i9YNqWvNKlsv6mV8I3DX3+SycuiS7yYLeu/ZxnnKdFaOdo5kfXldtla2ZHNlUzbXNbrPF+S8ei4jg3qMZlfk8uRSiqtFGe4Zlg111ZPyiUsR7KpLTo48iG24NBaKBSWJRVld1xhnISu9fb2yuLzokhQcoRyZC4sLLnmxsrri+uZX87KcW5ZcPud22/fuwzmMGD/GliyswzbZOWzTDB1bpA2zoo0xhCtED5hORA4WzhF2YLC4GR4CARCc4zEMYkLeIQeKRRm4IQs+IIcvAScT2e2UToQphLvELjzTFyIgVDFC4RmDj1yPoMdCYtyOWIWOoMGtsDsQ8UxQzzPIcDskYwzGH5EDsYzREa7H5YZVQQpp1NXVuYsN6NGfBe60QxKg/kNyADU64nLD6iCiD+RAfwvojRy+cr0fXXyMliiQA3pEEnRFH9oZ9/DiE5HDw
6sZ6Ox2/+3F5/379xFVoV9HDnrxgTC+oi9WNjpHN+woq5t+uPjg/JYeRd9IBDraQYsOIzt8eL1FNxR2HPtChyzEO4iIYFENwTrHhl0topTptxdwGgwlqEFDBGs7yzsbwM3BEsEsiG4jX2YiVrao3yJ7fkHAROw6UoAUUe1Cjs0SizNxNCEvlsRgUhCgV1BTh2egM+qZGLOx7IjlZukfXXyY0NIsDILimZh3dtfER7e0IT67ClqkYGJQR5tityQmYSPsImNZYzob87AA9TANC7A5FDzqq6yIpapoQGegAxUiYhKIhGj0tfwDaO2yhDN8lRWx7LndLtlF0EIGxpc8QwaGnNs9/ZEOMvmKHGz7EQ+d8Qwa6rkvcz2zbwWWk6Dd6A7D/2FWBHJgVUTG9ciEsDqILAtiRGw3ekzrD7MiFruY6+H8tGHAlo/4t1kRQ2iE+aOsCOQAQvt28C+zIqZDdtVSpt9mRVzKVCWhDWmilOm9FF9lRb5NmVK+TZmC/kcpUxB/lzJlhYcpU5BZyhQ0D1OmIGMw0mCzlO9SpkxmpIpPP0yZgoBB6Bkp8Aq73f/blCkdzOFBir5YiMIBxSTUo3xLmeIQ/DLuq5QpOkFH6PJhypR3S5lii+z6w5QpaJHIPtB8lzJFLJTNZP8qZWqZEEuZWsLoq5QpL5bdsNw172zQf5IyBdB/nTJlsm9TpripJd/+MGWKzn6UMsWcHqZMLeH2XcoUx7eEJCgtZUrMY+k+TjncDN1aypR3kMKLEUJ3rRgJrxUEmgSY5GLc9eFhylTfydmAkmsFfd3V41tycN9Trm5ku7Adfk851PA4ty6V/YrcXt+6zSptl+Tu5k7Oz86dOZV3vvmekr3/nsIXn7a+NumZ6JHu6W7pHuqWtq42qR+ql86hTmkZbJHMk4w8bX4afhnq7JChYSWQ0S5p7293X3w6Bztdu7NDMhnJYlJqftXrxFHcXRHiV3HxDjyJX8bd96YgF0jyRK8Vf9e2u7jEV+Lu6hH7Ta8UP2v5oNeKtftrBVeB9JheLVZS4ZcyvpyNpiU9cJ/L0StHukHfu9JhPTmb3JcvaulpLbPhl7cwiUFWZD0Q784Tv6x3kuP7QlbkSO8gf/FcSsXf1edfPZevIb1Cu/cnT7wbz+V3+O4XZUXIzzCAdEtQCMK8zGDKffwj6ZNuD7/lMShY1bJ1/7sWhH30N9V/nxXhD18ag9OwY2pLxSnoe1mfi/r7NggTQHl9fhfWoQ436ZmWkyDsq6ijRFAyp5tyWSPJUlLix6rwHd2Ucd2U3bi7/3mD+pyLy+O9xxI71A3Y9ySxo/fDY70fHuh9r6p1k16YqnIXn2E9yBf14jOXlbmJOZkdm5WVpRWZm5qTrfyWdLcpew+Mu2vZ7OisPO94LnPTc7K+oKyzsCqLM4vS39X/hRzguLPzM0dL5f2ybJfClCnuVT2qOq/g+nV4dCj7lX3Xz7np6bHrf1A5cNlR/iMhoi+cHwri7OCEgwBwOYgBtyLo5HpBhGDfVOjHOPpQj0s6hDAMRICzc8pBDpAE/g3hQm0QAHWcMZzdnCPUETUwKaAgFIfQ8gysyEoUnmmzcNi+SFBPIdahn0kC5TGpQ8iD0REIIUxWhliNSJEAMoWuQGj/E0EbC8JKUFhIX/fXCFazYoQJGugJImUg4lnuhl+jfs4dVBQdoxw0rI6O0BtUbwcViNlV+oCSjJNFGbzbP1ZAcw4hq9nXL7vsgJi4kM4cDyicPnbR4ZeCukBoUkSfMu3rA7rkpEN3TMZBz6Fk30Ht44L97wiobdM4KhxCu/Jz+lE4FjmQ2EVWJbZmIiaxuNq+rTCO3BhoGRMhpNi/dtCA9zAhIjHQQj2eQUIfC00wITbFTWg6tBQehaiAc9jSApgIG8FmWRDFSWmJSTwFvTqRbZfRAQgskOQXV7MAHZEwE34t0KRgKvaJLtoUXkCG2VB4JkiysI3ogYJLWqTAZvBLwVbpG5kNCB4aLToBGadYU1NTZ
Pg800ahnxEK5mWBv0MIdIyUHAIFJOZ6Rg64mZEDbUjALxIxud3Gov8iYDV0xmooGVMAIb+IBBKSu9YOafDMLwe8ZQD+CY6mH3yarrvVAAAAAElFTkSuQmCC'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/26175bc1071b1f3aeefaf178edce2ca1/659ed/image-20240727152944708.webp 139w\"\n              sizes=\"(max-width: 139px) 100vw, 139px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/26175bc1071b1f3aeefaf178edce2ca1/c2610/image-20240727152944708.png 139w\"\n            sizes=\"(max-width: 139px) 100vw, 139px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/26175bc1071b1f3aeefaf178edce2ca1/c2610/image-20240727152944708.png\"\n            alt=\"image-20240727152944708\"\n            title=\"image-20240727152944708\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>After that, a computer account named <code class=\"language-text\">LEMON-SQUEEZER$</code> starts showing suspicious activity, so it looks like the attack began around the time of this rename.</p>\n<p>The password policy was changed, and <code class=\"language-text\">Max. 
Password Age</code> was set to 83.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 728px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/4779f3b9afd147480135ccfb873d77d8/cecac/image-20240727153707760.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 89.58333333333334%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAASCAYAAABb0P4QAAAACXBIWXMAAAsTAAALEwEAmpwYAAAC70lEQVQ4y41TSWsUYRRs8C+IJzXgQdGTJ0/qQa8eRVyOip4MiKLgQRAEjSvuS3QgJKNi1ERQgmgCMYmabRJNz/RMT6/pfZvFuGQz5etvSKJkEjNQvP7m8VVXvXrNfU2LUGQZURRhZmYGnutCFEXksjk49Bz4PhzHxfT0NKampuDYNnRdhyRJrMqSDJv+i/uTk5PgUiM5ZAUBQRAi/nmei5yYg5gTYTsOIxgdNeYuWJbFyEZ4HmJehJDJQNO0Sn9igghTw+jt60dayEKhBp/OIDU0hIH+AciyAsMw2IVCoYAwDNlZJkdCNsuIYzeqqrJ+RH3OtU14hgJdEhDaOoqeBZtUmKbJrHiex+DEagmzZ59GMYu/+5xoBEh06QwNnywke21odsBG4PoBg1cFQVAdXH/exdUOC/UfPVyieuuDgzcjAdr4AM0pH8MahfWrjMkfFUwRfo6VUSqVqoJrTzvYeV/C7S4H97odXGy3UPfewo1OG08GPDxPeXgxVKmtwz6eDXr4LIUYK5dQLBYXgGtNWeBO8Fh1Lo815yWsOJ0FdyyNmgsSzrRZSHxykVJDjOgRwxeC5hZQLs0T/qOwS3BwIKki2e+xtz/66OAhIbbbI1KqfpFZxngFv3+W59RVtfz2q41Nl3M4/NxAbYuBvU0a9jRqONoSn03Utppo7HPxlOw/ppe+SwdzZFUVdpLC/U0qDjYbOPbKYBcbe11S6eIlzU4ne6IVI2I1tvs34QKFLYM0w+M8VtPMNlyWaXZ5mmkG+x/rLIhvZO/Ht3nEdhcjY4Sv4lBO8qipk7Dxiox1VLfeUSgQE91iwAgLVdJcVCFL+WQam64p2HxdwZZbCnYlVLYqfrSQ5H+oWKa1WUuW41VZT7a5U1mWdpxqWFge0Rzh62EbK88K2H5Pw44HKrbdVbEvqaM942P8+792l0XYmXGwu0HBEVqbQ5T0TfpC+NEIXlhccviLEvKah2sdJhKfXfbp1fc4zG6e1mSpBV4MfwDOXPgcmWLUJwAAAABJRU5ErkJggg=='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/4779f3b9afd147480135ccfb873d77d8/8ac56/image-20240727153707760.webp 
240w,\n/static/4779f3b9afd147480135ccfb873d77d8/d3be9/image-20240727153707760.webp 480w,\n/static/4779f3b9afd147480135ccfb873d77d8/8cb3e/image-20240727153707760.webp 728w\"\n              sizes=\"(max-width: 728px) 100vw, 728px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/4779f3b9afd147480135ccfb873d77d8/8ff5a/image-20240727153707760.png 240w,\n/static/4779f3b9afd147480135ccfb873d77d8/e85cb/image-20240727153707760.png 480w,\n/static/4779f3b9afd147480135ccfb873d77d8/cecac/image-20240727153707760.png 728w\"\n            sizes=\"(max-width: 728px) 100vw, 728px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/4779f3b9afd147480135ccfb873d77d8/cecac/image-20240727153707760.png\"\n            alt=\"image-20240727153707760\"\n            title=\"image-20240727153707760\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Defender was also disabled.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 662px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/cf9d62566dffc7339e85decfe6c4c12e/be86f/image-20240727154125365.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 49.583333333333336%; position: relative; bottom: 0; left: 0; background-image: 
url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAKCAYAAAC0VX7mAAAACXBIWXMAAAsTAAALEwEAmpwYAAABUklEQVQoz52SS2/CMBCE/f9/UrkViWOTkhcJeUMShzcJHIDD1LMoHIoQVQ+f7Gzs2dn1KttPkKYJGq1xu91wPp8RRRGSJEEcJ9hut2ia2qBxvV4FrRuUZYk8z5Gac4vFApfLRVD2twvL+hKBvu+x2+3gug48z4PjuEaoQZalhlySkaLITdIQQRDAmU4xC0OcTidBBYEPy7bNZccIeSLEg1wJs1O0rusnGB8YYupeUiMOWRa/N5vNv1FUDY3le89i0x/9+MnyB9br9Z9QdVXJI1RmLYtCHHZdh1XbSpxkWYbj8YjD4fAWRVVu+BCf47H0kpeTeI6P0QiTyQSzWSgu9/v9WxT7V1VLzOeRKT0S2xTkyvL58nxZuhb67uGWAk8OeWm5XMC2LXHD0n3fl54yUWHmrTCtGODsVabvg9hvUSmZQR7kuGjdojD7V2NB2nb1UvAHsFPjuNiQcVsAAAAASUVORK5CYII='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/cf9d62566dffc7339e85decfe6c4c12e/8ac56/image-20240727154125365.webp 240w,\n/static/cf9d62566dffc7339e85decfe6c4c12e/d3be9/image-20240727154125365.webp 480w,\n/static/cf9d62566dffc7339e85decfe6c4c12e/90cc3/image-20240727154125365.webp 662w\"\n              sizes=\"(max-width: 662px) 100vw, 662px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/cf9d62566dffc7339e85decfe6c4c12e/8ff5a/image-20240727154125365.png 240w,\n/static/cf9d62566dffc7339e85decfe6c4c12e/e85cb/image-20240727154125365.png 480w,\n/static/cf9d62566dffc7339e85decfe6c4c12e/be86f/image-20240727154125365.png 662w\"\n            sizes=\"(max-width: 662px) 100vw, 662px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/cf9d62566dffc7339e85decfe6c4c12e/be86f/image-20240727154125365.png\"\n            alt=\"image-20240727154125365\"\n            title=\"image-20240727154125365\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>At the end, a user named <code class=\"language-text\">notabackdoor</code> was also added, and it seems 
to have been added to the local Admin group.</p>\n<div class=\"gatsby-highlight\" data-language=\"powershell\"><pre class=\"language-powershell\"><code class=\"language-powershell\">2024-07-25 22:31:26<span class=\"token punctuation\">.</span>470 <span class=\"token operator\">+</span>00:00 ‖ lemon-squeezer ‖ Sec ‖ 4728 ‖ low ‖ 4857 ‖ A Member Was Added to a Security-Enabled Global <span class=\"token function\">Group</span> ‖ SrcSID: S-1-5-21-2883796447-3563202477-3898649884-1001 ¦ TgtGrp: None ¦ LID: 0x44e1d\n2024-07-25 22:31:26<span class=\"token punctuation\">.</span>472 <span class=\"token operator\">+</span>00:00 ‖ lemon-squeezer ‖ Sec ‖ 4720 ‖ low ‖ 4858 ‖ Local User Account Created ‖ TgtUser: notabackdoor ¦ TgtSID: S-1-5-21-2883796447-3563202477-3898649884-1001\n2024-07-25 22:31:26<span class=\"token punctuation\">.</span>570 <span class=\"token operator\">+</span>00:00 ‖ lemon-squeezer ‖ Sec ‖ 4732 ‖ high ‖ 4871 ‖ User Added To Local Admin Grp ‖ SrcSID: S-1-5-21-2883796447-3563202477-3898649884-1001 ¦ TgtGrp: Administrators ¦ LID: 0x44e1d</code></pre></div>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/99bd504daa7f1d2ffb5be184ce4e1968/baa75/image-20240727151931748.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 4.583333333333334%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAABCAYAAADeko4lAAAACXBIWXMAAAsTAAALEwEAmpwYAAAATUlEQVQI1xWKywqAIADAuktEoGbaQ72WYSXR///YstvY1sy7JlyGeI/Mm2Y9DL9bUuVsmJLEn7UXR8hD7RpfFPGxxNfWTyFdS6cFohd8TAEbUxwHdsQAAAAASUVORK5CYII='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              
srcset=\"/static/99bd504daa7f1d2ffb5be184ce4e1968/8ac56/image-20240727151931748.webp 240w,\n/static/99bd504daa7f1d2ffb5be184ce4e1968/d3be9/image-20240727151931748.webp 480w,\n/static/99bd504daa7f1d2ffb5be184ce4e1968/e46b2/image-20240727151931748.webp 960w,\n/static/99bd504daa7f1d2ffb5be184ce4e1968/f992d/image-20240727151931748.webp 1440w,\n/static/99bd504daa7f1d2ffb5be184ce4e1968/ea6ef/image-20240727151931748.webp 1746w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/99bd504daa7f1d2ffb5be184ce4e1968/8ff5a/image-20240727151931748.png 240w,\n/static/99bd504daa7f1d2ffb5be184ce4e1968/e85cb/image-20240727151931748.png 480w,\n/static/99bd504daa7f1d2ffb5be184ce4e1968/d9199/image-20240727151931748.png 960w,\n/static/99bd504daa7f1d2ffb5be184ce4e1968/07a9c/image-20240727151931748.png 1440w,\n/static/99bd504daa7f1d2ffb5be184ce4e1968/baa75/image-20240727151931748.png 1746w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/99bd504daa7f1d2ffb5be184ce4e1968/d9199/image-20240727151931748.png\"\n            alt=\"image-20240727151931748\"\n            title=\"image-20240727151931748\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<h2 id=\"summary\" style=\"position:relative;\"><a href=\"#summary\" aria-label=\"summary permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 
2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Summary</h2>\n<p>I really enjoy this kind of log-analysis forensic challenge.</p>","fields":{"slug":"/cor-ctf-2024-en","tagSlugs":["/tag/forensic-en/","/tag/english/"]},"frontmatter":{"date":"2024-07-29","description":"corCTF 2024 Writeup","tags":["Forensic (en)","English"],"title":"corCTF 2024 Writeup","socialImage":{"publicURL":"/static/c48331e455d03f71c9c1a469a46ff38c/cor-ctf-2024.png"}}}},"pageContext":{"slug":"/cor-ctf-2024-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}
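The Analysis Notes above do the correlation by hand: pair a 4720 account-creation event with the later 4732 event that adds the same SID to Administrators, read the computer-name column for renames, and convert a timestamp to a UNIX epoch for Q4. The following is an added example, not code from the writeup or from Hayabusa, that performs the same steps in Python over a constructed subset of the timeline lines quoted above; the 22:22:40 timestamp it uses to check the epoch conversion is simply the writeup's Q4 answer 1721946160 converted back to UTC.

```python
"""Correlate Hayabusa csv-timeline lines the way the writeup does by hand.

Added example; not part of the original writeup and not Hayabusa's own code.
It assumes the default text layout quoted in the writeup:
  Timestamp ‖ Computer ‖ Channel ‖ EventID ‖ Level ‖ RecordID ‖ RuleTitle ‖ Details
where Details is a "Key: Value ¦ Key: Value" list.
"""
from datetime import datetime

FIELD_SEP = " ‖ "
DETAIL_SEP = " ¦ "
EID_ACCOUNT_CREATED = "4720"       # "Local User Account Created"
EID_ADDED_TO_LOCAL_GROUP = "4732"  # "User Added To Local Admin Grp" when TgtGrp is Administrators

# Constructed subset of the lines quoted in the writeup (not a full log).
SAMPLE_TIMELINE = [
    "2024-07-25 22:03:56.016 +00:00 ‖ DESKTOP-MALD9OV ‖ Sec ‖ 4728 ‖ low ‖ 202 ‖ A Member Was Added to a Security-Enabled Global Group ‖ SrcSID: S-1-5-21-2883796447-3563202477-3898649884-1000 ¦ TgtGrp: None ¦ LID: 0x3e7",
    "2024-07-25 22:03:56.020 +00:00 ‖ DESKTOP-MALD9OV ‖ Sec ‖ 4720 ‖ low ‖ 203 ‖ Local User Account Created ‖ TgtUser: slice1 ¦ TgtSID: S-1-5-21-2883796447-3563202477-3898649884-1000",
    "2024-07-25 22:03:56.049 +00:00 ‖ DESKTOP-MALD9OV ‖ Sec ‖ 4732 ‖ high ‖ 212 ‖ User Added To Local Admin Grp ‖ SrcSID: S-1-5-21-2883796447-3563202477-3898649884-1000 ¦ TgtGrp: Administrators ¦ LID: 0x3e7",
    "2024-07-25 22:05:18.412 +00:00 ‖ DESKTOP-MALD9OV ‖ Sec ‖ 4672 ‖ info ‖ 417 ‖ Admin Logon ‖ TgtUser: slice1 ¦ LID: 0xb6b25",
    "2024-07-25 22:31:26.470 +00:00 ‖ lemon-squeezer ‖ Sec ‖ 4728 ‖ low ‖ 4857 ‖ A Member Was Added to a Security-Enabled Global Group ‖ SrcSID: S-1-5-21-2883796447-3563202477-3898649884-1001 ¦ TgtGrp: None ¦ LID: 0x44e1d",
    "2024-07-25 22:31:26.472 +00:00 ‖ lemon-squeezer ‖ Sec ‖ 4720 ‖ low ‖ 4858 ‖ Local User Account Created ‖ TgtUser: notabackdoor ¦ TgtSID: S-1-5-21-2883796447-3563202477-3898649884-1001",
    "2024-07-25 22:31:26.570 +00:00 ‖ lemon-squeezer ‖ Sec ‖ 4732 ‖ high ‖ 4871 ‖ User Added To Local Admin Grp ‖ SrcSID: S-1-5-21-2883796447-3563202477-3898649884-1001 ¦ TgtGrp: Administrators ¦ LID: 0x44e1d",
]


def parse_line(line):
    """Split one timeline line into its eight columns plus a details dict."""
    cols = line.strip().split(FIELD_SEP)
    if len(cols) != 8:
        raise ValueError(f"expected 8 columns, got {len(cols)}: {line!r}")
    ts, computer, channel, eid, level, record_id, title, details = cols
    detail_map = {}
    for item in details.split(DETAIL_SEP):
        key, _, value = item.partition(": ")  # 'Tgt: a:b' keeps 'a:b' intact
        detail_map[key] = value
    return {"ts": ts, "computer": computer, "channel": channel, "eid": eid,
            "level": level, "record_id": record_id, "title": title,
            "details": detail_map}


def to_unix(ts):
    """'2024-07-25 22:03:56.020 +00:00' -> epoch seconds (the format Q4 asks for)."""
    return int(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f %z").timestamp())


def computer_name_history(events):
    """Distinct values of the Computer column in first-seen order (the Q2 rename trail)."""
    names = []
    for ev in events:
        if ev["computer"] not in names:
            names.append(ev["computer"])
    return names


def new_local_admins(events):
    """Pair each 4720 with a later 4732 that adds the same SID to Administrators.

    Events are taken in file order; Hayabusa's timeline is already chronological.
    """
    created = {}  # SID -> (TgtUser, creation timestamp)
    hits = []
    for ev in events:
        d = ev["details"]
        if ev["eid"] == EID_ACCOUNT_CREATED and "TgtSID" in d:
            created[d["TgtSID"]] = (d.get("TgtUser", "?"), ev["ts"])
        elif (ev["eid"] == EID_ADDED_TO_LOCAL_GROUP
              and d.get("TgtGrp") == "Administrators"
              and d.get("SrcSID") in created):
            user, created_ts = created[d["SrcSID"]]
            hits.append({"user": user, "sid": d["SrcSID"], "computer": ev["computer"],
                         "created": created_ts, "added": ev["ts"],
                         "created_unix": to_unix(created_ts)})
    return hits


if __name__ == "__main__":
    evs = [parse_line(line) for line in SAMPLE_TIMELINE]
    print("computer names:", " -> ".join(computer_name_history(evs)))
    for h in new_local_admins(evs):
        print(f"{h['user']} ({h['sid']}) created {h['created']} on {h['computer']}, "
              f"added to Administrators at {h['added']} [epoch {h['created_unix']}]")
```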