True unfreedom is building a cage inside your own heart.

HTB Sherlocks: CrownJewel-1 notes

image

Forela's domain controller has been attacked. The domain administrator account is suspected to have been compromised, and the attacker is believed to have dumped the NTDS.dit database on the DC. We just received an alert from vssadmin on the DC, which is not part of any routine check plan. We have good reason to believe that the attacker abused this LOLBIN utility to reach the crown jewels of the domain environment. Analyze the provided artifacts to triage quickly and kick out the attacker as soon as possible.

Task 1: Attackers may use the vssadmin utility to create shadow copy snapshots and extract sensitive files, such as the NTDS.dit file, to bypass security measures. We need to determine when the Volume Shadow Copy service started running.

Open the SYSTEM log, filter for event ID 7036, and look for the record where the Volume Shadow Copy service entered the running state.

image

The viewer shows local time (UTC+8); subtract 8 hours to get the UTC value 2024-05-14 03:42:16.

Task 2: While creating a shadow copy snapshot, the Volume Shadow Copy service uses the computer account to verify permissions and enumerates user groups. We need to identify the user groups enumerated by the service, the name of the account it ran under, and the process identifier (PID) of the Volume Shadow Copy service process, in decimal.

Filter for event ID 4799 and search the entries for VSSVC.exe.

image

image

There are two user groups and one account name.

Administrators, Backup Operators, DC01$

Note: Add the spaces when submitting the answer. I was stuck on the format for a long time.

Task 3: Identify the process ID (in decimal) of the Volume Shadow Copy service process.

image

Convert 0x1190 to decimal.

image
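The filtering in Tasks 1 to 3 can be scripted once the candidate events are exported as XML (Event Viewer's "Save Selected Events" or a python-evtx dump). The script below is an added example, not code from the original writeup or from HTB: it parses the XML, picks out the 7036 record where Volume Shadow Copy entered the running state, collects the 4799 records raised by VSSVC.exe (group names, subject account, caller PID converted from hex), and does the UTC+8 to UTC conversion the writeup does by hand. The embedded records are constructed; only the 0x1190 PID, the group and account names and the 03:42:16 timestamp reuse values the writeup reports, while the computer name, SIDs and the third event are invented.

```python
"""Triage exported Windows event XML for Volume Shadow Copy activity (Tasks 1-3).

Assumed workflow: select the candidate events in Event Viewer and save them as
XML (or dump the .evtx with python-evtx); this script does the filtering."""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample export: one SCM 7036 record, two 4799 records raised by
# VSSVC.exe and one 4799 from another process that the filter must drop.
# Timestamps, computer name, SIDs and the third event are invented.
SAMPLE_XML = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
 <Provider Name="Service Control Manager"/><EventID Qualifiers="16384">7036</EventID>
 <TimeCreated SystemTime="2024-05-14T03:42:16.4210000Z"/><Computer>DC01.forela.local</Computer>
 </System><EventData><Data Name="param1">Volume Shadow Copy</Data>
 <Data Name="param2">running</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
 <Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4799</EventID>
 <TimeCreated SystemTime="2024-05-14T03:42:17.0000000Z"/><Computer>DC01.forela.local</Computer>
 </System><EventData><Data Name="TargetUserName">Administrators</Data>
 <Data Name="TargetDomainName">Builtin</Data><Data Name="TargetSid">S-1-5-32-544</Data>
 <Data Name="SubjectUserName">DC01$</Data><Data Name="SubjectDomainName">FORELA</Data>
 <Data Name="CallerProcessId">0x1190</Data>
 <Data Name="CallerProcessName">C:\Windows\System32\VSSVC.exe</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
 <Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4799</EventID>
 <TimeCreated SystemTime="2024-05-14T03:42:17.0000000Z"/><Computer>DC01.forela.local</Computer>
 </System><EventData><Data Name="TargetUserName">Backup Operators</Data>
 <Data Name="TargetDomainName">Builtin</Data><Data Name="TargetSid">S-1-5-32-551</Data>
 <Data Name="SubjectUserName">DC01$</Data><Data Name="SubjectDomainName">FORELA</Data>
 <Data Name="CallerProcessId">0x1190</Data>
 <Data Name="CallerProcessName">C:\Windows\System32\VSSVC.exe</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
 <Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4799</EventID>
 <TimeCreated SystemTime="2024-05-14T03:50:01.0000000Z"/><Computer>DC01.forela.local</Computer>
 </System><EventData><Data Name="TargetUserName">Remote Desktop Users</Data>
 <Data Name="TargetDomainName">Builtin</Data><Data Name="TargetSid">S-1-5-32-555</Data>
 <Data Name="SubjectUserName">DC01$</Data><Data Name="SubjectDomainName">FORELA</Data>
 <Data Name="CallerProcessId">0x2d4</Data>
 <Data Name="CallerProcessName">C:\Windows\System32\svchost.exe</Data></EventData></Event>
</Events>"""


def parse_events(xml_text):
    """Flatten each <Event> into its ID, UTC timestamp and EventData name/value pairs."""
    events = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        stamp = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        stamp = re.sub(r"\.\d+", "", stamp).rstrip("Z")   # drop the sub-second part
        events.append({
            "id": int(ev.findtext("e:System/e:EventID", namespaces=NS)),
            "time": datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc),
            "data": {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)},
        })
    return events


def vss_service_started(events):
    """Task 1: SCM 7036 records where the Volume Shadow Copy service entered 'running'."""
    return [ev["time"] for ev in events
            if ev["id"] == 7036
            and ev["data"].get("param1") == "Volume Shadow Copy"
            and ev["data"].get("param2", "").lower() == "running"]


def vss_group_enumeration(events):
    """Tasks 2-3: groups enumerated by VSSVC.exe, the subject account and the caller PID."""
    groups, account, pid = [], None, None
    for ev in events:
        if ev["id"] != 4799:
            continue
        if not ev["data"].get("CallerProcessName", "").lower().endswith("\\vssvc.exe"):
            continue
        groups.append(ev["data"]["TargetUserName"])
        account = ev["data"]["SubjectUserName"]
        pid = int(ev["data"]["CallerProcessId"], 16)   # 4799 logs the PID as hex text
    return {"groups": groups, "account": account, "pid": pid}


def viewer_local_to_utc(shown, offset_hours=8):
    """Event Viewer displays local time; the answers want UTC.  A value shown on a
    UTC+8 analyst box is pushed back by eight hours."""
    local = datetime.strptime(shown, "%Y-%m-%d %H:%M:%S").replace(
        tzinfo=timezone(timedelta(hours=offset_hours)))
    return local.astimezone(timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


if __name__ == "__main__":
    events = parse_events(SAMPLE_XML)
    for t in vss_service_started(events):
        print("VSS running since", t.strftime("%Y-%m-%d %H:%M:%S"), "UTC")
    print(vss_group_enumeration(events))
```

The XML export already carries `SystemTime` in UTC, so the hour subtraction is only needed for values read off the Event Viewer grid; the script keeps both paths so the two can be cross-checked.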

Task 4: Find the volume ID/GUID value assigned to the mounted shadow copy snapshot.

Open the NTFS log file and filter for event ID 9.

image

{06c4a997-cca8-11ed-a90f-000c295644f9}

Task 5: Determine the full path of the dumped NTDS database on the disk.

Use MFTExplorer to open the $MFT file and locate the ntds.dit entry.

image

C:\Users\Administrator\Documents\backup_sync_dc\ntds.dit

Task 6: When was the newly dumped ntds.dit created on the disk?

Same $MFT entry as above; read its creation timestamp.

2024-05-14 03:44:22

Task 7: The registry hive was also dumped along with the NTDS database. Which registry hive was dumped, and what is its file size in bytes?

Same $MFT view as above; the hive sits next to ntds.dit.

SYSTEM, 17563648

image

Note: Again, mind the spaces when submitting the answer.
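MFTExplorer reads the name, creation time and size for Tasks 5 to 7 out of the $FILE_NAME and $DATA attributes of each $MFT FILE record. The script below is an added example, not code from the writeup or from MFTExplorer: it parses one FILE record by hand, applying the update-sequence fixups first (a mismatch there is the usual sign of a torn or corrupt record), and recovers the file name, parent entry, creation timestamp and logical size. The record it parses is built in memory, so the entry number, parent entry and size are invented; only the name ntds.dit and the creation time 2024-05-14 03:44:22 reuse values from the writeup. Reconstructing the full path would need the parent directory records, which this sample does not include.

```python
"""Parse one NTFS $MFT FILE record for the facts used in Tasks 5-7:
file name and parent entry, creation time and logical size (added example)."""
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
ATTR_STANDARD_INFO, ATTR_FILE_NAME, ATTR_DATA, ATTR_END = 0x10, 0x30, 0x80, 0xFFFFFFFF
SECTOR = 512


def filetime_to_dt(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    td = dt - EPOCH_1601   # integer arithmetic; a float division would lose microseconds
    return ((td.days * 86400 + td.seconds) * 10**6 + td.microseconds) * 10


def apply_fixups(rec):
    """Restore the last two bytes of each sector from the update sequence array;
    a mismatch means the record was torn mid-write or is corrupt."""
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn, rec = rec[usa_off:usa_off + 2], bytearray(rec)
    for i in range(1, usa_count):
        end = i * SECTOR
        if rec[end - 2:end] != usn:
            raise ValueError("fixup mismatch in sector %d" % i)
        rec[end - 2:end] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)


def record_is_consistent(rec):
    """True when the signature and every sector fixup check out."""
    if rec[:4] != b"FILE":
        return False
    try:
        apply_fixups(rec)
        return True
    except ValueError:
        return False


def parse_record(rec):
    """Walk the attributes and collect $STANDARD_INFORMATION, $FILE_NAME and $DATA facts."""
    if rec[:4] != b"FILE":
        raise ValueError("not a FILE record")
    rec = apply_fixups(rec)
    off, flags = struct.unpack_from("<HH", rec, 0x14)   # first attribute offset, flags
    info = {"entry": struct.unpack_from("<I", rec, 0x2C)[0],
            "in_use": bool(flags & 1), "is_dir": bool(flags & 2)}
    while struct.unpack_from("<I", rec, off)[0] != ATTR_END:
        atype, alen, nonres = struct.unpack_from("<IIB", rec, off)
        if nonres:
            if atype == ATTR_DATA:   # non-resident $DATA: real (logical) size at +0x30
                info["size"] = struct.unpack_from("<Q", rec, off + 0x30)[0]
        else:
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            body = rec[off + coff:off + coff + clen]
            if atype == ATTR_STANDARD_INFO:
                info["created_si"] = filetime_to_dt(struct.unpack_from("<Q", body, 0)[0])
            elif atype == ATTR_FILE_NAME:
                parent_ref, created = struct.unpack_from("<QQ", body, 0)
                info["parent_entry"] = parent_ref & 0xFFFFFFFFFFFF   # low 48 bits
                info["created_fn"] = filetime_to_dt(created)
                info["name"] = body[66:66 + 2 * body[64]].decode("utf-16-le")
            elif atype == ATTR_DATA:   # resident $DATA: the content length is the size
                info["size"] = clen
        off += alen
    return info


def build_record(entry, name, parent_entry, created, size):
    """Construct a minimal in-use FILE record (sample only): resident
    $STANDARD_INFORMATION and $FILE_NAME plus a non-resident $DATA header."""
    ft = dt_to_filetime(created)

    def resident(atype, body):
        total = (24 + len(body) + 7) & ~7
        hdr = struct.pack("<IIBBHHHIHBB", atype, total, 0, 0, 0x18, 0, 0, len(body), 0x18, 0, 0)
        return (hdr + body).ljust(total, b"\x00")

    si = resident(ATTR_STANDARD_INFO, struct.pack("<QQQQIIII", ft, ft, ft, ft, 0x20, 0, 0, 0))
    fn = resident(ATTR_FILE_NAME, struct.pack("<QQQQQQQIIBB", parent_entry | (1 << 48),
                  ft, ft, ft, ft, size, size, 0x20, 0, len(name), 1) + name.encode("utf-16-le"))
    data = struct.pack("<IIBBHHHQQHHIQQQ", ATTR_DATA, 0x48, 1, 0, 0x40, 0, 0, 0, 0, 0x40, 0, 0,
                       size, size, size) + b"\x00" * 8
    attrs = si + fn + data + struct.pack("<I", ATTR_END) + b"\x00" * 4
    used = 0x38 + len(attrs)
    rec = bytearray(1024)
    rec[:0x30] = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, 1, 1, 0x38, 1,
                             used, 1024, 0, 4, 0, entry)
    rec[0x38:used] = attrs
    usn = b"\x07\x00"   # update sequence array: USN, then each sector's original tail bytes
    rec[0x30:0x36] = usn + rec[SECTOR - 2:SECTOR] + rec[2 * SECTOR - 2:2 * SECTOR]
    rec[SECTOR - 2:SECTOR] = usn
    rec[2 * SECTOR - 2:2 * SECTOR] = usn
    return bytes(rec)


# Constructed sample: name and creation time reuse the writeup's values; the rest is invented.
SAMPLE_CREATED = datetime(2024, 5, 14, 3, 44, 22, tzinfo=timezone.utc)
SAMPLE_RECORD = build_record(entry=41203, name="ntds.dit", parent_entry=40987,
                             created=SAMPLE_CREATED, size=50331648)

if __name__ == "__main__":
    i = parse_record(SAMPLE_RECORD)
    print("%s (entry %d, parent %d) created %s UTC, %d bytes" % (
        i["name"], i["entry"], i["parent_entry"], i["created_fn"].strftime("%Y-%m-%d %H:%M:%S"), i["size"]))
```

On a real $MFT the same `parse_record` is applied to each 1024-byte slice of the file; the SYSTEM hive in Task 7 would be read from its own record in exactly the same way, with the non-resident $DATA real-size field giving the byte count.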
