Wimdows 1-5
This was so fun. The challenges provided an .ova file of Windows 2008 Server R2 to open in VirtualBox and just kick around in. There were a lot of distractions as Desktop Goose Unofficial was installed by the hacker and there were other strange things on the server. Metasploitable3 was installed as one of the websites, the main website had been hacked previously, and there were remnants of a deck of cards all over the place.
I wish I had killed the goose sooner, as he was apparently shutting down the computer here and there, or crashing. I actually thought it was Windows shutting down as there was no activation key, which it seems like I remember it doing back in the day, when they were trying desperately to sell Windows.
The hacker made the date of their activity clear as they had installed the Goose as well as Sysmon.
Wimdows 1
Earlier this week, an attacker managed to get into one of our Windows servers… can you help us figure out what happened? The VM files for this challenge are located below (the credentials are vagrant/vagrant):
What CVE did the attacker exploit to get a shell on the machine? Wrap your answer in byuctf{}. E.g. byuctf{CVE-2021-38759}
Hint: Figure out what process the attacker exploited and look up vulnerabilities associated with it.
Wimdows 2
Once they got in, the attacker ran some commands on the machine, but it looks like they tried to hide what they were doing. See if you can find anything interesting there (your answer will be found already in byuctf{} format).
Wimdows 3
The attacker also created a new account- what group did they add this account to? Wrap your answer in byuctf{}. E.g. byuctf{CTF Players}.
Reminder - all answers are case-INsensitive for all of these problems
Wimdows 4 ❌
Using their access, the attacker also deployed a C2 binary on the machine - what C2 framework was it, and what IP address was the C2 attempting to connect to?
Format your answer like so: byuctf{
_ }. E.g. byuctf{evilosx_10.1.1.1}
I had the right file, update.exe in the System32 folder, and had narrowed it down to Sliver, but could not determine the IP.
I needed to run it and then use Netstat to see what IP it was connecting to. Also I had the hash of the exe and put it in VirusTotal, but it didn’t work for some reason.
Wimdows 5 ✅
Last but not least, the attacker put another backdoor in the machine to give themself SYSTEM privileges… what was it? (your answer will be found directly in byuctf{} format)
The hacker had installed Sysmon and this flag just kind of fell out of the logs.
The backdoor is in the sticky keys feature. In Sysmon logs, there’s a registry modification event where you can see that the sticky keys registry key is modified to spawn cmd.exe with a comment at the end containing the flag.”