A Windows machine has been hacked; it's your job to investigate it and find clues to what the attacker might have done.
Task 01: Investigating Windows
Look in the Event Viewer Security log for Event ID 4624 (successful logon).
Open CMD and run: net user John
Look at the Last Logon field in the output.
While the machine boots up, the IP address is shown in CMD.
Run: net localgroup administrators (lists the members of the local Administrators group).
Open Task Scheduler and look for task names that stick out.
dig more with
clean file system
Check the file creation date of Flag7.
Look 10 minutes before and after that time for any special logon.
PS: use Get-EventLog with a date range and an XPath filter.
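The window search described above, as an added example that is not part of the original walkthrough. It uses Get-WinEvent, the cmdlet that accepts -FilterXPath (Get-EventLog has no XPath parameter), and the same XPath string can be pasted into Event Viewer's "Filter Current Log > XML" tab. The user name and pivot time are placeholders to be filled from what you found with net user and the Security log.

```powershell
# Added example (not part of the original walkthrough). Pulls logon events in a
# window around a pivot time and prints who logged on, how, and from where.
# $User and $Pivot are placeholders: fill them from net user and the Security log.
$User   = 'John'                              # account under investigation (placeholder)
$Pivot  = Get-Date '2019-03-02 16:00:00'      # logon time you already found (placeholder)
$Window = New-TimeSpan -Minutes 10

$fmt   = 'yyyy-MM-ddTHH:mm:ss.000Z'           # SystemTime in the event XML is UTC
$Start = ($Pivot - $Window).ToUniversalTime().ToString($fmt)
$End   = ($Pivot + $Window).ToUniversalTime().ToString($fmt)

# 4624 = successful logon, 4672 = special privileges assigned to a new logon.
$xpath = "*[System[(EventID=4624 or EventID=4672) and " +
         "TimeCreated[@SystemTime>='$Start' and @SystemTime<='$End']]]"

function Get-LogonEvents {
    param([string]$XPath, [string]$TargetUser)
    Get-WinEvent -LogName Security -FilterXPath $XPath -ErrorAction SilentlyContinue |
        ForEach-Object {
            # EventData is a list of <Data Name="..."> nodes; turn it into a hashtable
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Id        = $_.Id
                User      = if ($_.Id -eq 4624) { $d['TargetUserName'] } else { $d['SubjectUserName'] }
                LogonType = $d['LogonType']      # 2 interactive, 3 network, 10 RDP; empty for 4672
                Source    = $d['IpAddress']      # empty for 4672
            }
        } |
        Where-Object { -not $TargetUser -or $_.User -eq $TargetUser } |
        Sort-Object Time
}

Get-LogonEvents -XPath $xpath -TargetUser $User | Format-Table -AutoSize
```

Pass an empty -TargetUser to see every account in the window; a 4672 event immediately following a 4624 for the same account is what "special logon" refers to, and the Source column on the 4624 tells you where that session came from.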
GameOver is another scheduled task. Upon investigation / running it like an idiot, you'll see the banner that tells you the name of the tool.
This machine does not have Sysmon, and it took me 40 min to figure out where to look; long story short there is
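A way to read what a task like GameOver does without executing it, as an added example that is not from the original walkthrough. It dumps every scheduled task together with the command and arguments it runs, then applies a triage filter; all task names and paths come from the machine itself.

```powershell
# Added example (not from the walkthrough). Dumps every scheduled task with the
# command it runs so a task can be judged from its action instead of by running it.
function Get-TaskActions {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        $info = $task | Get-ScheduledTaskInfo
        foreach ($a in $task.Actions) {
            [pscustomobject]@{
                TaskPath  = $task.TaskPath
                TaskName  = $task.TaskName
                State     = $task.State
                Author    = $task.Author
                RunAs     = $task.Principal.UserId
                Created   = $task.Date
                LastRun   = $info.LastRunTime
                NextRun   = $info.NextRunTime
                Execute   = $a.Execute          # empty for COM-handler actions
                Arguments = $a.Arguments
            }
        }
    }
}

# Triage filter: anything not registered under \Microsoft\, or whose binary sits
# outside %SystemRoot%. Paths written as %SystemRoot%\... or bare names such as
# cmd.exe also land here, so read Execute/Arguments rather than trusting the filter.
Get-TaskActions |
    Where-Object { $_.TaskPath -notlike '\Microsoft\*' -or
                   ($_.Execute -and $_.Execute -notlike "$env:SystemRoot\*") } |
    Sort-Object LastRun -Descending |
    Format-Table TaskPath, TaskName, State, Author, RunAs, LastRun, Execute, Arguments -AutoSize
```

Export-ScheduledTask -TaskName <name> -TaskPath <path> gives the full task XML (triggers, principal, hidden flag) when the one-line action is not enough.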
google.com is hardcoded to 184.108.40.206; that's suspicious.
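A check for that kind of hardcoding, as an added example that is not from the original walkthrough. It assumes the mapping lives in the hosts file, parses every active entry, and flags well-known domains that point somewhere other than loopback; the watch list is constructed and should be extended for the environment.

```powershell
# Added example (not from the walkthrough). Parses the hosts file and flags any
# active entry that pins a well-known domain to a non-loopback address.
$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
# Constructed watch list: domains worth redirecting for an attacker; extend it.
$Watch = @('google.com', 'microsoft.com', 'windowsupdate.com', 'update.microsoft.com')

function Get-HostsEntries {
    param([string]$Path = $HostsPath, [string[]]$WatchList = $Watch)
    Get-Content -Path $Path | ForEach-Object {
        $line = ($_ -split '#', 2)[0].Trim()          # strip trailing comments
        if (-not $line) { return }
        $parts = $line -split '\s+'
        if ($parts.Count -lt 2) { return }            # an IP with no names is not a mapping
        $ip = $parts[0]
        foreach ($name in $parts[1..($parts.Count - 1)]) {
            $loopback = ($ip -like '127.*') -or ($ip -eq '::1')
            $watched  = $WatchList | Where-Object { $name -eq $_ -or $name -like "*.$_" }
            [pscustomobject]@{
                IP         = $ip
                Name       = $name
                Suspicious = (-not $loopback) -and [bool]$watched
            }
        }
    }
}

# The modification time of the file is evidence in itself: compare it with the
# logon window built from the Security log.
(Get-Item $HostsPath).LastWriteTime
Get-HostsEntries | Format-Table -AutoSize
```

Any row with Suspicious = True is a name the box will resolve to the attacker's address without ever asking DNS, which is why a "known domain" can show up against an unexpected IP.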
The default web directory on Windows is c:\inetpub\wwwroot; the file was found there.
Backdoors there (jsp is the answer).
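A file timeline for the web root, as an added example that is not from the original walkthrough; it serves both the "check the file create date" step above and the wwwroot hunt here. It lists files with creation and modification times and hashes, flagging server-side script extensions; the extension list is constructed.

```powershell
# Added example (not from the walkthrough). Lists files under a web root with
# creation/modification times and hashes, flagging server-side script
# extensions, so a dropped web shell can be dated and tied to the logon window.
$WebRoot   = 'C:\inetpub\wwwroot'
$ScriptExt = @('.jsp', '.asp', '.aspx', '.php', '.ashx', '.asmx')   # constructed list

function Get-WebRootTimeline {
    param([string]$Root = $WebRoot, [datetime]$Since = (Get-Date).AddYears(-1))
    Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $Since -or $_.LastWriteTime -ge $Since } |
        ForEach-Object {
            [pscustomobject]@{
                Created  = $_.CreationTime
                Modified = $_.LastWriteTime
                Script   = $ScriptExt -contains $_.Extension.ToLower()
                SHA256   = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                Path     = $_.FullName
            }
        } | Sort-Object Created
}

Get-WebRootTimeline | Format-Table Created, Modified, Script, Path -AutoSize
# The same routine dates a single artifact such as the Flag7 file: point -Root at its folder.
```

CreationTime and LastWriteTime are the $STANDARD_INFORMATION timestamps and can be backdated by tooling; when a date looks too clean, cross-check it against the Security log window rather than trusting it alone.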
0x1337 Hax0r mistake of using port
PS: in Windows, ports can be opened/closed manually using the built-in Windows Firewall rules.
The answer comes from Flag-13: the hardcoded, known domain name.
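A way to tie an unexpected open port back to both the firewall rule that admits it and the process behind it, as an added example that is not from the original walkthrough. Run it in an elevated PowerShell; no rule or port numbers are assumed, everything comes from the machine.

```powershell
# Added example (not from the walkthrough). Joins enabled inbound allow rules to
# their ports/programs, then lists live TCP listeners with the owning process.
function Get-InboundAllowRules {
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $app  = $_ | Get-NetFirewallApplicationFilter
        [pscustomobject]@{
            Rule      = $_.DisplayName
            Profile   = $_.Profile
            Protocol  = $port.Protocol
            LocalPort = ($port.LocalPort -join ',')
            Program   = $app.Program
        }
    }
}

function Get-TcpListeners {
    Get-NetTCPConnection -State Listen | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalPort = $_.LocalPort
            ProcessId = $_.OwningProcess
            Process   = $proc.ProcessName
            Path      = $proc.Path            # null for protected/system processes
        }
    } | Sort-Object LocalPort -Unique
}

# Rules that name a specific port are the interesting ones; 'Any' is the noise.
Get-InboundAllowRules | Where-Object { $_.LocalPort -ne 'Any' } | Sort-Object Rule | Format-Table -AutoSize
Get-TcpListeners | Format-Table -AutoSize
```

A listener whose Path sits under a web root or a user profile, with a matching hand-made allow rule, is the combination this step is looking for; a port allowed by rule but with no listener may mean the backdoor is not running right now.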