Downgrade
4 minutes to read
We are given a lot of Windows Event logs (.evtx
files):
$ tree Logs
Logs
βββ Application.evtx
βββ HardwareEvents.evtx
βββ Internet Explorer.evtx
βββ Key Management Service.evtx
βββ Microsoft-Windows-AppModel-Runtime%4Admin.evtx
βββ Microsoft-Windows-AppReadiness%4Admin.evtx
βββ Microsoft-Windows-AppReadiness%4Operational.evtx
βββ Microsoft-Windows-AppXDeployment%4Operational.evtx
βββ Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
βββ Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx
βββ Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx
βββ Microsoft-Windows-Bits-Client%4Operational.evtx
βββ Microsoft-Windows-CodeIntegrity%4Operational.evtx
βββ Microsoft-Windows-Compat-Appraiser%4Operational.evtx
βββ Microsoft-Windows-CoreApplication%4Operational.evtx
βββ Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx
βββ Microsoft-Windows-Crypto-DPAPI%4Operational.evtx
βββ Microsoft-Windows-DSC%4Admin.evtx
βββ Microsoft-Windows-DSC%4Operational.evtx
βββ Microsoft-Windows-DataIntegrityScan%4Admin.evtx
βββ Microsoft-Windows-DataIntegrityScan%4CrashRecovery.evtx
βββ Microsoft-Windows-DeviceSetupManager%4Admin.evtx
βββ Microsoft-Windows-DeviceSetupManager%4Operational.evtx
βββ Microsoft-Windows-Dhcp-Client%4Admin.evtx
βββ Microsoft-Windows-Dhcpv6-Client%4Admin.evtx
βββ Microsoft-Windows-Diagnosis-DPS%4Operational.evtx
βββ Microsoft-Windows-Forwarding%4Operational.evtx
βββ Microsoft-Windows-GroupPolicy%4Operational.evtx
βββ Microsoft-Windows-HomeGroup Control Panel%4Operational.evtx
βββ Microsoft-Windows-International%4Operational.evtx
βββ Microsoft-Windows-Iphlpsvc%4Operational.evtx
βββ Microsoft-Windows-Kernel-ApphelpCache%4Operational.evtx
βββ Microsoft-Windows-Kernel-Boot%4Operational.evtx
βββ Microsoft-Windows-Kernel-EventTracing%4Admin.evtx
βββ Microsoft-Windows-Kernel-PnP%4Configuration.evtx
βββ Microsoft-Windows-Kernel-PnPConfig%4Configuration.evtx
βββ Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx
βββ Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx
βββ Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx
βββ Microsoft-Windows-Kernel-WDI%4Operational.evtx
βββ Microsoft-Windows-Kernel-WHEA%4Errors.evtx
βββ Microsoft-Windows-Kernel-WHEA%4Operational.evtx
βββ Microsoft-Windows-Known Folders API Service.evtx
βββ Microsoft-Windows-LanguagePackSetup%4Operational.evtx
βββ Microsoft-Windows-MUI%4Admin.evtx
βββ Microsoft-Windows-MUI%4Operational.evtx
βββ Microsoft-Windows-MiStreamProvider%4Operational.evtx
βββ Microsoft-Windows-NCSI%4Operational.evtx
βββ Microsoft-Windows-NetworkAccessProtection%4WHC.evtx
βββ Microsoft-Windows-NetworkProfile%4Operational.evtx
βββ Microsoft-Windows-NetworkProvider%4Operational.evtx
βββ Microsoft-Windows-Ntfs%4Operational.evtx
βββ Microsoft-Windows-Ntfs%4WHC.evtx
βββ Microsoft-Windows-PowerShell%4Admin.evtx
βββ Microsoft-Windows-PowerShell%4Operational.evtx
βββ Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager%4Operational.evtx
βββ Microsoft-Windows-Powershell-DesiredStateConfiguration-PullServer%4Operational.evtx
βββ Microsoft-Windows-PrintService%4Admin.evtx
βββ Microsoft-Windows-RemoteDesktopServices-RdpCoreTS%4Admin.evtx
βββ Microsoft-Windows-RemoteDesktopServices-RdpCoreTS%4Operational.evtx
βββ Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx
βββ Microsoft-Windows-RestartManager%4Operational.evtx
βββ Microsoft-Windows-SMBClient%4Operational.evtx
βββ Microsoft-Windows-SMBServer%4Audit.evtx
βββ Microsoft-Windows-SMBServer%4Connectivity.evtx
βββ Microsoft-Windows-SMBServer%4Operational.evtx
βββ Microsoft-Windows-SMBServer%4Security.evtx
βββ Microsoft-Windows-Security-SPP-UX-Notifications%4ActionCenter.evtx
βββ Microsoft-Windows-ServerManager-DeploymentProvider%4Operational.evtx
βββ Microsoft-Windows-ServerManager-MgmtProvider%4Operational.evtx
βββ Microsoft-Windows-ServerManager-MultiMachine%4Admin.evtx
βββ Microsoft-Windows-ServerManager-MultiMachine%4Operational.evtx
βββ Microsoft-Windows-Shell-ConnectedAccountState%4ActionCenter.evtx
βββ Microsoft-Windows-Shell-Core%4ActionCenter.evtx
βββ Microsoft-Windows-Shell-Core%4Operational.evtx
βββ Microsoft-Windows-SmartCard-DeviceEnum%4Operational.evtx
βββ Microsoft-Windows-SmbClient%4Connectivity.evtx
βββ Microsoft-Windows-SmbClient%4Security.evtx
βββ Microsoft-Windows-Storage-Tiering%4Admin.evtx
βββ Microsoft-Windows-StorageSpaces-Driver%4Diagnostic.evtx
βββ Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx
βββ Microsoft-Windows-StorageSpaces-ManagementAgent%4WHC.evtx
βββ Microsoft-Windows-TWinUI%4Operational.evtx
βββ Microsoft-Windows-TZSync%4Operational.evtx
βββ Microsoft-Windows-TaskScheduler%4Maintenance.evtx
βββ Microsoft-Windows-TaskScheduler%4Operational.evtx
βββ Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx
βββ Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx
βββ Microsoft-Windows-TerminalServices-Printers%4Admin.evtx
βββ Microsoft-Windows-TerminalServices-Printers%4Operational.evtx
βββ Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx
βββ Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx
βββ Microsoft-Windows-UAC%4Operational.evtx
βββ Microsoft-Windows-User Profile Service%4Operational.evtx
βββ Microsoft-Windows-User-Loader%4Operational.evtx
βββ Microsoft-Windows-UserPnp%4ActionCenter.evtx
βββ Microsoft-Windows-UserPnp%4DeviceInstall.evtx
βββ Microsoft-Windows-WER-Diag%4Operational.evtx
βββ Microsoft-Windows-WMI-Activity%4Operational.evtx
βββ Microsoft-Windows-Wcmsvc%4Operational.evtx
βββ Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx
βββ Microsoft-Windows-WinRM%4Operational.evtx
βββ Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx
βββ Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx
βββ Microsoft-Windows-WindowsUpdateClient%4Operational.evtx
βββ Microsoft-Windows-Winlogon%4Operational.evtx
βββ OpenSSH%4Admin.evtx
βββ OpenSSH%4Operational.evtx
βββ Security.evtx
βββ Setup.evtx
βββ System.evtx
βββ Windows PowerShell.evtx
βββ WitnessClientAdmin.evtx
0 directories, 113 files
We also have a remote instance to connect to and answer some questions.
Basic log information in Windows
$ nc 178.62.85.130 31120
+-----------+---------------------------------------------------------+
| Title | Description |
+-----------+---------------------------------------------------------+
| Downgrade | During recent auditing, we noticed that |
| | network authentication is not forced upon remote |
| | connections to our Windows 2012 server. That |
| | led us to investigate our system for |
| | suspicious logins further. Provided the server's event |
| | logs, can you find any suspicious successful |
| | login? |
+-----------+---------------------------------------------------------+
Which event log contains information about logon and logoff events? (for example: Setup)
>
There are five main logs in Windows:
- Application
- System
- Security
- Setup
- Forwarded events
The one that informs about logon and logoff events is Security:
Which event log contains information about logon and logoff events? (for example: Setup)
> security
[+] Correct!
What is the event id for logs for a successful logon to a local computer? (for example: 1337)
>
If we search for this event identifier, we will see that it is 4624 (more information here):
What is the event id for logs for a successful logon to a local computer? (for example: 1337)
> 4624
[+] Correct!
Which is the default Active Directory authentication protocol? (for example: http)
>
This question is well-known for people who solve Windows machines on Hack The Box…
Which is the default Active Directory authentication protocol? (for example: http)
> kerberos
[+] Correct!
Looking at all the logon events, what is the AuthPackage that stands out as different from all the rest? (for example: http)
>
Inspecting events
At this point, we can open the Event Viewer in Windows and inspect the events of Security.evtx
:
We have a lot of events (18789). Let’s apply a filter and show only successful logon events (ID 4624):
We still have a lot of events. Let’s use XML to filter by AuthenticationPackageName
(the attribute that is referred by the question). There are a lot of events that have Negotiate
as value, so let’s suppress these events:
Now we have only 52 events, but some of them have a blank value for AuthenticationPackageName
(-
), let’s filter a bit more:
Alright, 43 events. Yet another normal AuthenticationPackageName
is Kerberos
, let’s add it to the filter:
Great, now we only have NTLM as AuthenticationPackageName
, and this is the answer to the question:
Looking at all the logon events, what is the AuthPackage that stands out as different from all the rest? (for example: http)
> ntlm
[+] Correct!
What is the timestamp of the suspicious login (yyyy-MM-ddTHH:mm:ss) UTC? (for example, 2021-10-10T08:23:12)
>
Finally, we can suppress those events where the user authenticating is vagrant
(as shown in the previous image):
And we have only 3 events. Two of them are ANONYMOUS LOGON
, and the last one is authenticating as Administrator
, so it is suspicious.
Flag
We can take the timestamp of the suspicious event and answer the question to get the flag:
What is the timestamp of the suspicious login (yyyy-MM-ddTHH:mm:ss) UTC? (for example, 2021-10-10T08:23:12)
> 2022-09-28T13:10:57
[+] Correct!
[+] Here is the flag: HTB{4n0th3r_d4y_4n0th3r_d0wngr4d3...}