Digital Forensics & Incident Response
Tomcat shells

Web shells memory write up

Memory image: WIN-CEKM08E74HR-20150611-222930.raw

All I know is that this dump is from a machine running a web server which has been compromised. I don't know how it was compromised, nor do I have any other details about the server itself.

Identify the OS profile. Set the environment variable 'mem' to the image path so the commands below stay short:

$ cd /root/volatility
$ mem=/mnt/volatility/DF/WIN-CEKM08E74HR-20150611-222930.raw
$ python vol.py -f $mem imageinfo

Volatility results

Volatility Foundation Volatility Framework 2.6.1
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : VistaSP1x86, Win2008SP1x86, Win2008SP2x86, VistaSP2x86
                     AS Layer1 : IA32PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/mnt/volatility/DF/WIN-CEKM08E74HR-20150611-222930.raw)
                      PAE type : No PAE
                           DTB : 0x122000L
                          KDBG : 0x8190ac98L
          Number of Processors : 1
     Image Type (Service Pack) : 2
                KPCR for CPU 0 : 0x8190b800L
             KUSER_SHARED_DATA : 0xffdf0000L
           Image date and time : 2015-06-11 22:29:32 UTC+0000
     Image local date and time : 2015-06-11 18:29:32 -0400

It is reasonable to assume Windows Server 2008 given the 'web server' hint (Vista SP1/SP2 and Server 2008 share kernel builds, which is why imageinfo suggests both families). Note that imageinfo reports Image Type (Service Pack) 2, so Win2008SP2x86 would be the closer match; Win2008SP1x86 is used below and the plugins run cleanly with it, but if a plugin returns nothing or garbage, switch profiles before trusting the result.

$ python vol.py -f $mem --profile=Win2008SP1x86 pslist

Processes of interest (pslist columns: Offset(V), Name, PID, PPID, Thds, Hnds, Sess, Wow64, Start, Exit):

0x831f3d90 cmd.exe                3248   1728      0 --------      0      0 2015-06-11 22:21:49 UTC+0000   2015-06-11 22:21:49 UTC+0000
0x8363c7f0 tasklist.exe           3256   3248      0 --------      0      0 2015-06-11 22:21:49 UTC+0000   2015-06-11 22:21:49 UTC+0000
0x835f5718 cmd.exe                3520   1728      0 --------      0      0 2015-06-11 22:24:04 UTC+0000   2015-06-11 22:24:04 UTC+0000
0x830e9d90 cmd.exe                3572   2032      1       17      0      0 2015-06-11 22:25:00 UTC+0000
0x8362fca0 bg.jpg                 3580   3572      1       61      0      0 2015-06-11 22:25:00 UTC+0000
0x835eba10 cmd.exe                3604   1728      0 --------      0      0 2015-06-11 22:25:15 UTC+0000   2015-06-11 22:25:15 UTC+0000
0x836407b0 cmd.exe                3612   1728      0 --------      0      0 2015-06-11 22:25:24 UTC+0000   2015-06-11 22:25:24 UTC+0000
0x830e2d90 tasklist.exe           3620   3612      0 --------      0      0 2015-06-11 22:25:24 UTC+0000   2015-06-11 22:25:24 UTC+0000
0x83693bc0 TrustedInstalle        2364    596      3      104      0      0 2015-06-11 22:26:34 UTC+0000
0x832e7020 csrss.exe              2664   2684      8      188      2      0 2015-06-11 22:26:55 UTC+0000
0x83125cd8 winlogon.exe           2732   2684      3      114      2      0 2015-06-11 22:26:55 UTC+0000
0x82a3f530 taskeng.exe            2448   1012      9      226      2      0 2015-06-11 22:27:17 UTC+0000
0x83681610 dwm.exe                2860   1160      3       70      2      0 2015-06-11 22:27:17 UTC+0000
0x837241d8 explorer.exe           2428   2856     17      425      2      0 2015-06-11 22:27:18 UTC+0000
0x83117020 jusched.exe            3056   2428      1       50      2      0 2015-06-11 22:27:18 UTC+0000
0x83632d08 VBoxTray.exe           3060   2428      9      228      2      0 2015-06-11 22:27:18 UTC+0000
0x83201b90 Tomcat7w.exe           2816   2428      2       50      2      0 2015-06-11 22:27:18 UTC+0000
0x83116ad8 wuauclt.exe            3360   1012      2      142      2      0 2015-06-11 22:27:32 UTC+0000
0x8311ec10 cmd.exe                4032   2428      1       19      2      0 2015-06-11 22:29:10 UTC+0000

The server is a Windows 2008 box running Tomcat 7. Tomcat7.exe (PID 1728) is a child of services.exe in the pstree output below, so Tomcat runs as a Windows service. Pull the network information:

$ python vol.py -f $mem --profile=Win2008SP1x86 netscan

0x1eda4db0         TCPv4    -:8080                         58.64.141.245:1057   CLOSED           1728     Tomcat7.exe

The netscan line shows Tomcat7.exe (PID 1728) bound to TCP 8080 with a now-closed connection from 58.64.141.245:1057; the server's own address, 192.168.56.30, appears later in the Host and Referer headers recovered from the process. PID 1728 is also the parent of several short-lived cmd.exe processes, which is exactly what command execution through a web application looks like in pslist.

Run pstree to see the lineage (pstree -v additionally prints each process's command line and image path):

$ python vol.py -f $mem --profile=Win2008SP1x86 pstree

0x837241d8:explorer.exe                             2428   2856     17    425 2015-06-11 22:27:18 UTC+0000
. 0x83201b90:Tomcat7w.exe                            2816   2428      2     50 2015-06-11 22:27:18 UTC+0000
. 0x83117020:jusched.exe                             3056   2428      1     50 2015-06-11 22:27:18 UTC+0000
. 0x8311ec10:cmd.exe                                 4032   2428      1     19 2015-06-11 22:29:10 UTC+0000

. 0x83139650:services.exe                             596    520      6    234 2015-06-11 22:05:29 UTC+0000
.. 0x832dc560:Tomcat7.exe                            1728    596     28    360 2015-06-11 22:05:56 UTC+0000
... 0x835eba10:cmd.exe                               3604   1728      0 ------ 2015-06-11 22:25:15 UTC+0000
... 0x836407b0:cmd.exe                               3612   1728      0 ------ 2015-06-11 22:25:24 UTC+0000
.... 0x830e2d90:tasklist.exe                         3620   3612      0 ------ 2015-06-11 22:25:24 UTC+0000
... 0x831f3d90:cmd.exe                               3248   1728      0 ------ 2015-06-11 22:21:49 UTC+0000
.... 0x8363c7f0:tasklist.exe                         3256   3248      0 ------ 2015-06-11 22:21:49 UTC+0000
... 0x835f5718:cmd.exe                               3520   1728      0 ------ 2015-06-11 22:24:04 UTC+0000

Dump the addressable memory of the Tomcat process (PID 1728):

$ python vol.py -f $mem --profile=Win2008SP1x86 memdump -p 1728 -D /mnt/volatility/DF/tomcat-dump/

Extract the printable strings from 1728.dmp (-a scans the whole file; running strings again with -el and appending the result catches the UTF-16LE strings that hold most Windows paths and registry data):

$ strings -a /mnt/volatility/DF/tomcat-dump/1728.dmp > /mnt/volatility/DF/tomcat-dump/1728strings.txt

The process environment block shows the service running as LocalSystem (USERNAME is the machine account WIN-CEKM08E74HR$ and USERPROFILE is the systemprofile directory), so whatever the web application executes runs as SYSTEM:

COMPUTERNAME=WIN-CEKM08E74HR
ComSpec=C:\Windows\system32\cmd.exe
DFSTRACINGON=FALSE
FP_NO_HOST_CHECK=NO
LOCALAPPDATA=C:
2\config\systemprofile\AppData\Local
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\ProgramData\Oracle\Java\javapath;C:\Wi
:\Windows;C:\Windows\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE=
ENTIFIER=x86 Family 6 Model 42 Stepping 7, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=2a07
ProgramData=C:\Program
UvDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Windows\TEMP
TMP=C:\Windows\TEMP
Format
USERDOMAIN=WORKGROUP
USERNAME=WIN-CEKM08E74HR$
USERPROFILE=C:\Windows\system32\config\systemprofile
windir=C:\Windows

The Tomcat service command line (Tomcat7.exe is the Apache Commons Daemon service wrapper; //RS// means "run as service"):

       "C:\Program Files\Apache Software Foundation\Tomcat 7.0\bin\Tomcat7.exe" //RS//Tomcat7

Tomcat access-log lines recovered from the dump. The first is an authenticated request by the remote user "tomcat" to POST /manager/html/upload, the Manager application's deploy-WAR form, at 18:07:04 local; from 18:07:27 the same address is POSTing to the freshly deployed /webfiles/ application:

58.64.141.245 - tomcat [11/Jun/2015:18:07:04 -0400] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=262D313C4A6E085593AF3CAD4F4E7A99 HTTP/1.1" 200 158

58.64.141.245 - - [11/Jun/2015:18:07:27 -0400] "POST /webfiles/ HTTP/1.1" 200 2367
58.64.141.245 - - [11/Jun/2015:18:07:37 -0400] "POST /webfiles/ HTTP/1.1" 200 2460
58.64.141.245 - - [11/Jun/2015:18:07:51 -0400] "POST /webfiles/ HTTP/1.1" 200 2388
58.64.141.245 - - [11/Jun/2015:18:09:26 -0400] "POST /webfiles/ HTTP/1.1" 200 8973
58.64.141.245 - - [11/Jun/2015:18:12:16 -0400] "POST /webfiles/ HTTP/1.1" 200 48896
58.64.141.245 - - [11/Jun/2015:18:12:42 -0400] "POST /webfiles/ HTTP/1.1" 200 2245
58.64.141.245 - - [11/Jun/2015:18:13:16 -0400] "POST /webfiles/ HTTP/1.1" 200 2278
58.64.141.245 - - [11/Jun/2015:18:15:24 -0400] "POST /webfiles/ HTTP/1.1" 200 2261
58.64.141.245 - - [11/Jun/2015:18:15:34 -0400] "POST /webfiles/ HTTP/1.1" 200 5149
58.64.141.245 - - [11/Jun/2015:18:16:31 -0400] "POST /webfiles/ HTTP/1.1" 200 5227
58.64.141.245 - - [11/Jun/2015:18:19:52 -0400] "POST /webfiles/ HTTP/1.1" 200 5149
58.64.141.245 - - [11/Jun/2015:18:21:49 -0400] "POST /webfiles/ HTTP/1.1" 200 5227
58.64.141.245 - - [11/Jun/2015:18:24:04 -0400] "POST /webfiles/ HTTP/1.1" 200 2271
58.64.141.245 - - [11/Jun/2015:18:25:15 -0400] "POST /webfiles/ HTTP/1.1" 200 2271
58.64.141.245 - - [11/Jun/2015:18:25:25 -0400] "POST /webfiles/ HTTP/1.1" 200 5305

The last four POST /webfiles/ timestamps (18:21:49, 18:24:04, 18:25:15, 18:25:25 local, UTC-4) line up with the cmd.exe children of Tomcat7.exe in the pslist output (22:21:49, 22:24:04, 22:25:15, 22:25:24 UTC; PIDs 3248, 3520, 3604, 3612). Each of those POSTs is a command being executed through the web application.

Looking for shells: pull every request line out of the strings dump and read through it.

$ grep -i 'post' /mnt/volatility/DF/tomcat-dump/1728strings.txt | less
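
The request-to-process correlation above can be done mechanically rather than by eye. The following Python is an added example and not part of the original write-up: it parses a handful of the access-log lines and pslist rows reproduced from this page (sample input constructed from the output shown above), normalises the -0400 log stamps to UTC, and pairs each cmd.exe child of PID 1728 with the POST that arrived within two seconds of its creation. The two-second tolerance is an assumption chosen for this data.

```python
import re
from datetime import datetime, timedelta, timezone

# Sample input, constructed from the output on this page: Tomcat access-log lines
# carved from 1728.dmp (local time, -0400) and pslist rows for cmd.exe (UTC).
ACCESS_LOG = """\
58.64.141.245 - - [11/Jun/2015:18:13:16 -0400] "POST /webfiles/ HTTP/1.1" 200 2278
58.64.141.245 - - [11/Jun/2015:18:21:49 -0400] "POST /webfiles/ HTTP/1.1" 200 5227
58.64.141.245 - - [11/Jun/2015:18:24:04 -0400] "POST /webfiles/ HTTP/1.1" 200 2271
58.64.141.245 - - [11/Jun/2015:18:25:15 -0400] "POST /webfiles/ HTTP/1.1" 200 2271
58.64.141.245 - - [11/Jun/2015:18:25:25 -0400] "POST /webfiles/ HTTP/1.1" 200 5305
58.64.141.245 - - [11/Jun/2015:18:27:44 -0400] "GET /webfiles/?sort=1&file=C%3A%5Cinetpub%5Cwwwroot%5Csm.gif HTTP/1.1" 200 972
"""

PSLIST = """\
0x831f3d90 cmd.exe                3248   1728      0 --------      0      0 2015-06-11 22:21:49 UTC+0000   2015-06-11 22:21:49 UTC+0000
0x835f5718 cmd.exe                3520   1728      0 --------      0      0 2015-06-11 22:24:04 UTC+0000   2015-06-11 22:24:04 UTC+0000
0x830e9d90 cmd.exe                3572   2032      1       17      0      0 2015-06-11 22:25:00 UTC+0000
0x835eba10 cmd.exe                3604   1728      0 --------      0      0 2015-06-11 22:25:15 UTC+0000   2015-06-11 22:25:15 UTC+0000
0x836407b0 cmd.exe                3612   1728      0 --------      0      0 2015-06-11 22:25:24 UTC+0000   2015-06-11 22:25:24 UTC+0000
0x8311ec10 cmd.exe                4032   2428      1       19      2      0 2015-06-11 22:29:10 UTC+0000
"""

# Common Log Format: ip ident user [ts] "method path proto" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
# Volatility 2 pslist: Offset Name PID PPID Thds Hnds Sess Wow64 Start [Exit]
PS_RE = re.compile(r'^0x[0-9a-fA-F]+\s+(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)'
                   r'(?:\s+\S+){4}\s+(?P<start>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC\+0000')


def parse_access_log(text):
    """Return one dict per log line with the timestamp kept both local and in UTC."""
    rows = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        local = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")  # %z parses -0400
        rows.append({"ip": m["ip"], "method": m["method"], "path": m["path"],
                     "status": int(m["status"]), "local": local,
                     "utc": local.astimezone(timezone.utc)})
    return rows


def parse_pslist(text):
    """Return one dict per pslist row; start times are made timezone-aware UTC."""
    rows = []
    for line in text.splitlines():
        m = PS_RE.match(line)
        if not m:
            continue
        start = datetime.strptime(m["start"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        rows.append({"name": m["name"], "pid": int(m["pid"]),
                     "ppid": int(m["ppid"]), "start": start})
    return rows


def correlate(access_log, pslist, parent_pid=1728, tolerance=timedelta(seconds=2)):
    """Pair each child process of the web server with the POST that spawned it."""
    requests = [r for r in parse_access_log(access_log) if r["method"] == "POST"]
    procs = [p for p in parse_pslist(pslist) if p["ppid"] == parent_pid]
    matches = []
    for p in sorted(procs, key=lambda p: p["start"]):
        for r in requests:
            if abs(p["start"] - r["utc"]) <= tolerance:
                matches.append({"pid": p["pid"], "name": p["name"], "ip": r["ip"],
                                "request": f'{r["method"]} {r["path"]}',
                                "request_local": r["local"].isoformat(),
                                "process_start_utc": p["start"].isoformat()})
    return matches


if __name__ == "__main__":
    for m in correlate(ACCESS_LOG, PSLIST):
        print(f'{m["process_start_utc"]}  PID {m["pid"]:<5} {m["name"]:<8} <- '
              f'{m["request"]} from {m["ip"]} at {m["request_local"]}')
```

Four of the five POSTs pair with a cmd.exe child of 1728. The 18:13:16 POST has no surviving process, which is a prompt to look elsewhere for what it did; it matches the creation time of the scheduled task in the Security log later in this write-up.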

When did 58.64.141.245 first touch the web server? grep for the address with some context:

$ grep -C10 "58\.64\.141\.245" /mnt/volatility/DF/tomcat-dump/1728strings.txt

The earliest entry is an unauthenticated probe of the Manager application three days before the intrusion:

58.64.141.245 - - [08/Jun/2015:19:38:44 -0400] "GET /manager/html HTTP/1.1" 401 2538

Later hits include directory listings of C:\inetpub\wwwroot and the download of sm.gif through the web application. Some lines are interleaved fragments of overwritten log buffers, which is normal for strings carved out of process memory:

58.64.141.245 - - [11/Jun/2015:18:27:51 -0400] "GET /webfiles/?sort=1&downfile=C%3A%5Cinetpub%5Cwwwroot%5Csm.gif HTTP/1.1" 200 975 - - [11/Jun/2015:18:27:37 -0400] "GET /webfiles/?Javascript HTTP/1.1" 200 3714
58.64.141.245 - - [11/Jun/2015:18:27:44 -0400] "GET /webfiles/?sort=1&file=C%3A%5Cinetpub%5Cwwwroot%5Csm.gif HTTP/1.1" 200 972 7:34 -0400] "GET /webfiles/?Javascript HTTP/1.1" 200 3714/1.1" 200 3714 - [11/Jun/2015:18:13:43 -0400] "GET /webfiles/?sort=1&dir=C%3A%5Cinetpub%5Cwwwroot HTTP/1.1" 200 8863
58.64.141.245 - - [11/Jun/2015:18:13:43 -0400] "GET /webfiles/?Javascript HTTP/1.1" 200 3714

Let's focus on the activity around 'GET /webfiles'

$ grep -C10 "GET \/webfiles" /mnt/volatility/DF/tomcat-dump/1728strings.txt

GET /webfiles/?sort=1&file=C%3A%5Cinetpub%5Cwwwroot%5Csm.gif HTTP/1.1
accept:*/**
referer:http://192.168.56.30:8080/webfiles/?sort=1&dir=C%3A%5Cinetpub%5Cwwwroott
accept-language:en-uss
user-agent:Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0))
accept-encoding:gzip, deflatee
host:192.168.56.30:80800
connection:Keep-Alivee
cookie:JSESSIONID=D4BB0A17D08FE321DF87835231D798244
cookie:JSESSIONID=D4BB0A17D08FE321DF87835231D798244
0A17D08FE321DF87835231D798244
--
Accept-Encoding: gzip, deflate
Host: 192.168.56.30:8080
Connection: Keep-Alive
Cookie: JSESSIONID=983D1DF88F7A229E9D2C5DD76804F120
Authorization: Basic dG9tY2F0OnRvbWNhdA==

The Authorization header is HTTP Basic, i.e. user:password in base64, not encryption. Decode it:

$ echo dG9tY2F0OnRvbWNhdA== | base64 -d
tomcat:tomcat

Searching the strings for the web application's banner turns up (the numeric prefixes are grep -n line numbers; ':' marks a matching line, '-' a context line):

178956:Created by jsp File Browser v.

Focus on that. The context below identifies it as jsp File Browser 1.2 from vonloesch.de, a single-JSP file manager that can upload files and, via the hidden "command" form field and the "(L)aunch external program" button, run arbitrary commands in the working directory. The out.write(...) lines further down are from the servlet source Tomcat generates when it compiles a JSP, so the page was actually compiled and served, not merely present on disk.

179973:"                <small>jsp File Browser version
179974-C by <a href="http://www.vonloesch.de">www.vonloesch.de</a></small>
179975- </center>
179976-</html>
179977-java/util/zip/ZipFile

246416- <div class="formular">
246417- <form class="formular2" action="/webfiles/" enctype="multipart/form-data" method="POST">
246418-         <input type="hidden" name="dir" value="C:\inetpub\wwwroot">
246419-         <input type="hidden" name="sort" value="1">
246420-         <input type="file" class="textfield" onKeypress="event.cancelBubble=true;" name="myFile">
246421-         <input title="Upload selected file to the current working directory
246422-" type="Submit" class="button" name="Submit" value="Upload"
246423-         onClick="javascript:popUp('/webfiles/')">
246424- </form>
246425-    <form class="formular2" action="/webfiles/" method="POST">
246426-         <input type="hidden" name="dir" value="C:\inetpub\wwwroot">
246427-         <input type="hidden" name="sort" value="1">
246428-         <input type="hidden" name="command" value="">
246429-         <input title="Launch command in current directory" type="Submit" class="button" id="but_Lau" name="Submit" value="(L)aunch external program">
246430- </form>
246431-    </div>
246432-
246433- <hr>
246434- <center>
246435:         <small>jsp File Browser version 1.2 by <a href="http://www.vonloesch.de">www.vonloesch.de</a></small>
246436- </center>
246437-</bo
246438-H7
246439- H7
246440- H7
246441- Wp<
246442-/manager/images/asf-logo.gif
246443-org.apache.catalina.filters.CSRF_NONCE
246444-multipart/form-data; boundary=---------------------------7df134640124
246445-/manager/images/tomcat.gif
246446-org.apache.catalina.filters.CSRF_NONCE=262D313C4A6E085593AF3CAD4F4E7A99
246447-en-us
246448-262D313C4A6E085593AF3CAD4F4E7A99
246449-W/"2066-1431019026000"
246450-36791
246451-Thu, 07 May 2015 17:17:06 GMT
246452-W/"7279-1431019026000"
246453-/manager/html/upload
246454-/manager/html

248751-/webfiles/tml/uploadlogo.gif
248752-sort=1&file=C:\inetpub\wwwroot\sm.gif5Csm.gif3C4A6E085593AF3CAD4F4E7A99
248753-HTTP/1.1 200 OK
248754-Server: Apache-Coyote/1.1
248755-Content-Disposition: inline;filename="sm.gif"
248756-Content-Type: image/gif;charset=ISO-8859-1
248757-Content-Length: 97
248758-Date: Thu, 11 Jun 2015 22:27:44 GMT
248759-Administrator:WIN-CEKM08E74HR:A15153D335C2751F17306D272A9441BB:835FD21AAC32076DF24DC75E0C77144F
248760-pe="hidden" name="dir" value="C:\inetpub\wwwroot">
248761-         <input type="hidden" name="sort" value="1">
248762-         <input type="hidden" name="command" value="">
248763-         <input title="Launch command in current directory" type="Submit" class="button" id="but_Lau" name="Submit" value="(L)aunch external program">
248764- </form>
248765-    </div>
248766-
248767- <hr>
248768- <center>
248769:         <small>jsp File Browser version 1.2 by <a href="http://www.vonloesch.de">www.vonloesch.de</a></small>

38887-      out.write("\t\t<input type=\"hidden\" name=\"command\" value=\"\">\n");
38888-      out.write("\t\t<input title=\"Launch command in current directory\" type=\"Submit\" class=\"button\" id=\"but_Lau\" name=\"Submit\" value=\"");
65343-      out.write("\t\t<input type=\"hidden\" name=\"command\" value=\"\">\n");
65344-      out.write("\t\t<input title=\"Launch command in current directory\" type=\"Submit\" class=\"button\" id=\"but_Lau\" name=\"Submit\" value=\"");

Now find what was uploaded through it. The uplMonitor (upload monitor) requests reference a file called 12.bat:

58.64.141.245 - - [11/Jun/2015:18:12:18 -0400] "GET /webfiles/?uplMonitor=C%3A%5Cfakepath%5C12.bat HTTP/1.1" 200 574

$ grep -i '\.bat' /mnt/volatility/DF/tomcat-dump/1728strings.txt

<snip>
at 18:25 c:\windows\12.bat
first&uplMonitor=C%3A%5Cfakepath%5C12.bat
Javascriptonitor=C:\fakepath\12.bat12.bat
C:\fakepath\12.bat
Content-Disposition: form-data; name="myFile"; filename="12.bat"
uplMonitor=C%3A%5Cfakepath%5C12.bat
Javascript=C:\inetpub\wwwrootwwroot12.bat
uplMonitor=C%3A%5Cfakepath%5C12.bat
at 18:25 c:\windows\12.bat
first&uplMonitor=C%3A%5Cfakepath%5C12.bat
C:\fakepath\12.bat
<snip>
GET /webfiles/?first&uplMonitor=C%3A%5Cfakepath%5C12.bat HTTP/1.1
Content-Disposition: form-data; name="myFile"; filename="12.bat"
<snip>
58.64.141.245 - - [11/Jun/2015:18:12:16 -0400] "GET /webfiles/?first&uplMonitor=C%3A%5Cfakepath%5C12.bat HTTP/1.1" 200 865
58.64.141.245 - - [11/Jun/2015:18:12:18 -0400] "GET /webfiles/?uplMonitor=C%3A%5Cfakepath%5C12.bat HTTP/1.1" 200 574

Note that C:\fakepath\12.bat is not a server-side path: browsers substitute C:\fakepath\ for the real client-side directory of a file chosen in an <input type="file">, so it only tells us the attacker's browser submitted a file named 12.bat. The string "at 18:25 c:\windows\12.bat" is the attacker's own command, run through the web shell's command launcher: schedule c:\windows\12.bat with the legacy at.exe scheduler for 18:25 local time. Dump the batch file from memory; filescan gives the FILE_OBJECT offset and dumpfiles -Q extracts its cached contents:

$ python vol.py -f $mem --profile=Win2008SP1x86 filescan | grep -i "12\.bat"

Volatility Foundation Volatility Framework 2.6.1
0x000000001ee373f8      8      0 -W-rw- \Device\HarddiskVolume1\Windows\12.bat

$ python vol.py -f $mem --profile=Win2008SP1x86 dumpfiles -Q 0x000000001ee373f8 -D /mnt/volatility/DF/tomcat-dump/
Volatility Foundation Volatility Framework 2.6.1
DataSectionObject 0x1ee373f8   None   \Device\HarddiskVolume1\Windows\12.bat

Examine 12.bat. dumpfiles names its output after the in-memory section object (file.None.0x8362e730.dat here), not the FILE_OBJECT offset passed to -Q; add -n to include the original file name in the output path when dumping many files.

$ cat /mnt/volatility/DF/tomcat-dump/file.None.0x8362e730.dat

@echo off
c:\inetpub\wwwroot\bg.jpg -e -o c:\inetpub\wwwroot\sm.gif

pstree -v confirms the command line of the bg.jpg process (PID 3580, child of cmd.exe 3572, started 22:25:00 UTC, i.e. exactly the scheduled 18:25 local):

$ python vol.py -f $mem --profile=Win2008SP1x86 pstree -v
..... 0x8362fca0:bg.jpg                              3580   3572      1     61 2015-06-11 22:25:00 UTC+0000
         audit: \Device\HarddiskVolume1\inetpub\wwwroot\bg.jpg
         cmd: c:\inetpub\wwwroot\bg.jpg  -e -o c:\inetpub\wwwroot\sm.gif
         path: c:\inetpub\wwwroot\bg.jpg

Determine what bg.jpg actually is. filescan shows two FILE_OBJECTs for it; the R--r-d entry is the one with the file mapped as an executable image. Dump both with dumpfiles -Q as above (the DataSectionObject copy gets a .dat suffix, the ImageSectionObject copy .img) and hash the results:

$ python vol.py -f $mem --profile=Win2008SP1x86 filescan | grep -i 'bg\.jpg'

Volatility Foundation Volatility Framework 2.6.1
0x000000001ede1ba0      8      0 -W-rw- \Device\HarddiskVolume1\inetpub\wwwroot\bg.jpg
0x000000001f2dc170      7      0 R--r-d \Device\HarddiskVolume1\inetpub\wwwroot\bg.jpg

$ sha1sum /mnt/volatility/DF/tomcat-dump/file.*
c0d7899cc49bf2cb4f3abe663dc6a62ed69c06ff  /mnt/volatility/DF/tomcat-dump/file.None.0x832c0680.dat
26019082706f9898a716d8803f57cc70365c821b  /mnt/volatility/DF/tomcat-dump/file.None.0x8362fb20.img

$ strings file.None.0x8362fb20.img

WCE %s (Windows Credentials Editor) - (c) 2010,2011,2012 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
Use -h for help.
Options:
        -l              List logon sessions and NTLM credentials (default).
                        Optional: -r<refresh interval>.
        -s              Changes NTLM credentials of current logon session.
                        Parameters: <UserName>:<DomainName>:<LMHash>:<NTHash>.
        -o              saves all output to a file.
        -r              Lists logon sessions and NTLM credentials indefinitely.
                        Refreshes every 5 seconds if new sessions are found.
        -c              Run <cmd> in a new session with the specified NTLM credentials.
                        Parameters: <cmd>.
        -e              Lists logon sessions NTLM credentials indefinitely.
                        Refreshes every time a logon event occurs.
                        Parameters: <filename>.
        -i              Specify LUID instead of use current logon session.
                        Parameters: <luid>.
        -d              Delete NTLM credentials from logon session.
                        Parameters: <luid>.
        -a              Use Addresses.
                        Parameters: <addresses>
        -f              Force 'safe mode'.
        -g              Generate LM & NT Hash.
                        Parameters: <password>.
        -K              Dump Kerberos tickets to file (unix & 'windows wce' format)
Error in cmdline!. Bye!.
        -k              Read Kerberos tickets from file and insert into Windows cache
username wrong format!.
        -w              Dump cleartext passwords stored by the digest authentication package
        -v              verbose output.

So bg.jpg is Windows Credentials Editor (WCE) renamed to look like an image. Per its own usage text, -e lists logon sessions and their NTLM credentials continuously, refreshing on every logon event (which is why the process is still alive in pslist with no exit time), and -o writes the output to a file, here sm.gif. Review sm.gif:

$ python vol.py -f $mem --profile=Win2008SP1x86 filescan | grep -i 'sm\.gif'

Volatility Foundation Volatility Framework 2.6.1
0x000000001edf6640      1      0 R--rw- \Device\HarddiskVolume1\inetpub\wwwroot\sm.gif

$ python vol.py -f $mem --profile=Win2008SP1x86 dumpfiles -Q 0x000000001edf6640 -D /mnt/volatility/DF/tomcat-dump/wce

Volatility Foundation Volatility Framework 2.6.1
DataSectionObject 0x1edf6640   None   \Device\HarddiskVolume1\inetpub\wwwroot\sm.gif


$ strings /mnt/volatility/DF/tomcat-dump/wce/file.None.0x830f1448.dat
Administrator:WIN-CEKM08E74HR:A15153D335C2751F17306D272A9441BB:835FD21AAC32076DF24DC75E0C77144F

This is WCE's user:domain:LMhash:NThash output for the local Administrator account. The same line was already visible in the Tomcat process strings above, next to the HTTP response for GET /webfiles/?sort=1&file=...sm.gif (Content-Length: 97, 18:27:44 local): that is the attacker downloading the hashes.

Identify how 12.bat was scheduled. The "at 18:25" string points at the legacy AT scheduler, so look for task artifacts:

$ python vol.py -f $mem --profile=Win2008SP1x86 filescan | grep -i 'tasks'

Volatility Foundation Volatility Framework 2.6.1
0x000000001ee03280      1      0 R--r-d \Device\HarddiskVolume1\Windows\System32\Tasks\Microsoft\Windows\NetworkAccessProtection\NAPStatus UI
0x000000001ee49ba8      1      0 R--r-d \Device\HarddiskVolume1\Windows\System32\Tasks\Microsoft\Windows\CertificateServicesClient\UserTask
0x000000001f122450      1      0 R--r-d \Device\HarddiskVolume1\Windows\System32\Tasks\Microsoft\Windows\TextServicesFramework\MsCtfMonitor
0x000000001f127f80      1      0 R--r-d \Device\HarddiskVolume1\Windows\System32\Tasks\Microsoft\Windows\Multimedia\SystemSoundsService
0x000000001f1e8bd8     17      1 RW-r-- \Device\HarddiskVolume1\Windows\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational.evtx
0x000000001f1eb750      8      0 -W-r-- \Device\HarddiskVolume1\Windows\System32\Tasks\At1
0x000000001f22da78     10      1 RW-r-- \Device\HarddiskVolume1\Windows\Tasks\SCHEDLGU.TXT
0x000000001f22e9c8      6      1 R--rw- \Device\HarddiskVolume1\Windows\Tasks
0x000000001f231b18      2      0 R--r-d \Device\HarddiskVolume1\Windows\System32\taskschd.dll
0x000000001f2638d0      1      0 R--r-d \Device\HarddiskVolume1\Windows\System32\Tasks\Microsoft\Windows\PLA\System\ConvertLogEntries
*0x000000001f297ad8      8      0 -W-r-d \Device\HarddiskVolume1\Windows\Tasks\At1.job*
0x000000001f2e7ed0      1      0 R--r-d \Device\HarddiskVolume1\Windows\System32\Tasks\Microsoft\Windows\Server Manager\ServerManager


$ python vol.py -f $mem --profile=Win2008SP1x86 dumpfiles -Q 0x000000001f297ad8 -D /mnt/volatility/DF/tomcat-dump/tasks
$ strings -el /mnt/volatility/DF/tomcat-dump/tasks/file.None.0x8363fd10.dat

c:\windows\12.bat
SYSTEM
Created by NetScheduleJobAdd.

The .job file under \Windows\Tasks is the legacy task format that at.exe still writes, and "Created by NetScheduleJobAdd." is the comment given to every job created through that API, which is what at.exe calls; this confirms at.exe rather than schtasks. The strings are UTF-16LE, hence -el. The raw structure:

$ xxd /mnt/volatility/DF/tomcat-dump/tasks/file.None.0x8363fd10.dat

00000000: 0006 0100 7cbf 6c48 bcaa 564e 928f 06eb  ....|.lH..VN....
00000010: 7057 4ccb 4600 ca00 0000 0000 3c00 0a00  pWL.F.......<...
00000020: 2000 0000 0014 730f 0000 0000 0113 0400   .....s.........
00000030: 0200 e021 df07 0600 0400 0b00 1200 1900  ...!............
00000040: 0000 1c00 0100 1200 6300 3a00 5c00 7700  ........c.:.\.w.
00000050: 6900 6e00 6400 6f00 7700 7300 5c00 3100  i.n.d.o.w.s.\.1.
00000060: 3200 2e00 6200 6100 7400 0000 0000 0000  2...b.a.t.......
00000070: 0700 5300 5900 5300 5400 4500 4d00 0000  ..S.Y.S.T.E.M...
00000080: 1e00 4300 7200 6500 6100 7400 6500 6400  ..C.r.e.a.t.e.d.
00000090: 2000 6200 7900 2000 4e00 6500 7400 5300   .b.y. .N.e.t.S.
000000a0: 6300 6800 6500 6400 7500 6c00 6500 4a00  c.h.e.d.u.l.e.J.
000000b0: 6f00 6200 4100 6400 6400 2e00 0000 0000  o.b.A.d.d.......
000000c0: 0800 0000 0000 0000 0000 0100 3000 0000  ............0...
000000d0: df07 0600 0b00 0000 0000 0000 1200 1900  ................
000000e0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000000f0: 0000 0000 0000 0000 0000 0000 0100 0100  ................
00000100: 3c56 fcbd fe46 561b 1843 6c37 2c42 d847  <V...FV..Cl7,B.G
00000110: 8146 13f0 4dc0 8ca1 6385 9699 3525 f122  .F..M...c...5%."
00000120: a49a 20ed 4b99 5850 df79 17f8 0f16 4777  .. .K.XP.y....Gw
00000130: b394 0b70 a307 7bd4 993b a5d4 71a0 0a19  ...p..{..;..q...
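
The hex above can be decoded with a small parser for the legacy .job format: a fixed 68-byte FIXDLEN_DATA header followed by the variable-length strings (application, parameters, working directory, author, comment) and the trigger records, as documented in MS-TSCH. This Python is an added example rather than anything from the original write-up; its input is the first 0x100 bytes of the xxd dump re-entered from this page (the trailing 64-byte job signature is dropped), and the status and trigger-type name tables are the documented values from winerror.h and MS-TSCH.

```python
import struct
import uuid
from datetime import datetime

# Sample input: the first 0x100 bytes of \Windows\Tasks\At1.job, re-entered from
# the xxd output above (the job signature block that follows is omitted).
AT1_JOB = bytes.fromhex("""
0006 0100 7cbf 6c48 bcaa 564e 928f 06eb 7057 4ccb 4600 ca00 0000 0000 3c00 0a00
2000 0000 0014 730f 0000 0000 0113 0400 0200 e021 df07 0600 0400 0b00 1200 1900
0000 1c00 0100 1200 6300 3a00 5c00 7700 6900 6e00 6400 6f00 7700 7300 5c00 3100
3200 2e00 6200 6100 7400 0000 0000 0000 0700 5300 5900 5300 5400 4500 4d00 0000
1e00 4300 7200 6500 6100 7400 6500 6400 2000 6200 7900 2000 4e00 6500 7400 5300
6300 6800 6500 6400 7500 6c00 6500 4a00 6f00 6200 4100 6400 6400 2e00 0000 0000
0800 0000 0000 0000 0000 0100 3000 0000 df07 0600 0b00 0000 0000 0000 1200 1900
0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0100 0100
""")

# Task status HRESULTs (winerror.h) and trigger types (MS-TSCH 2.4.2.11).
STATUS = {
    0x00041300: "SCHED_S_TASK_READY", 0x00041301: "SCHED_S_TASK_RUNNING",
    0x00041302: "SCHED_S_TASK_DISABLED", 0x00041303: "SCHED_S_TASK_HAS_NOT_RUN",
    0x00041304: "SCHED_S_TASK_NO_MORE_RUNS", 0x00041305: "SCHED_S_TASK_NOT_SCHEDULED",
}
TRIGGER_TYPE = {0: "ONCE", 1: "DAILY", 2: "WEEKLY", 3: "MONTHLYDATE", 4: "MONTHLYDOW",
                5: "EVENT_ON_IDLE", 6: "EVENT_AT_SYSTEMSTART", 7: "EVENT_AT_LOGON"}


def _unicode_string(buf, off):
    """Length-prefixed UTF-16LE string; the 16-bit length counts characters including the NUL."""
    (n,) = struct.unpack_from("<H", buf, off)
    off += 2
    return buf[off:off + 2 * n].decode("utf-16-le").rstrip("\x00"), off + 2 * n


def _sized_blob(buf, off):
    """16-bit byte count followed by that many bytes (User Data and Reserved Data)."""
    (n,) = struct.unpack_from("<H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def _systemtime(buf, off):
    """Windows SYSTEMTIME (year, month, weekday, day, hour, min, sec, ms); all-zero means never."""
    y, mo, _dow, d, h, mi, s, ms = struct.unpack_from("<8H", buf, off)
    return datetime(y, mo, d, h, mi, s, ms * 1000) if y else None


def _trigger(buf, off):
    """One 48-byte TRIGGER record; returns the decoded trigger and the offset after it."""
    f = struct.unpack_from("<10H4I6H", buf, off)
    size, _r1, by, bm, bd, ey, em, ed, sh, smin = f[:10]
    duration, interval, flags, ttype = f[10:14]
    return {"start": datetime(by, bm, bd, sh, smin),
            "end": datetime(ey, em, ed) if ey else None,
            "duration_min": duration, "interval_min": interval, "flags": flags,
            "type": TRIGGER_TYPE.get(ttype, hex(ttype))}, off + size


def parse_job(buf):
    """Decode the FIXDLEN_DATA header and the variable-length section of a .job file."""
    (product_version, file_version, job_uuid, app_name_off, trigger_off,
     _err_retry_count, _err_retry_interval, _idle_deadline, _idle_wait,
     priority, max_run_time, exit_code, status, flags) = struct.unpack_from("<HH16s6H5I", buf, 0)
    last_run = _systemtime(buf, 0x34)
    (running,) = struct.unpack_from("<H", buf, 0x44)   # Running Instance Count
    off = app_name_off
    app_name, off = _unicode_string(buf, off)
    parameters, off = _unicode_string(buf, off)
    working_dir, off = _unicode_string(buf, off)
    author, off = _unicode_string(buf, off)
    comment, off = _unicode_string(buf, off)
    user_data, off = _sized_blob(buf, off)
    _reserved, off = _sized_blob(buf, off)
    if off != trigger_off:   # header offset must agree with what we walked
        raise ValueError(f"trigger section expected at {trigger_off:#x}, got {off:#x}")
    (n_triggers,) = struct.unpack_from("<H", buf, off)
    off += 2
    triggers = []
    for _ in range(n_triggers):
        t, off = _trigger(buf, off)
        triggers.append(t)
    return {"product_version": product_version, "file_version": file_version,
            "uuid": str(uuid.UUID(bytes_le=job_uuid)), "app_name": app_name,
            "parameters": parameters, "working_dir": working_dir, "author": author,
            "comment": comment, "user_data": user_data, "priority": priority,
            "max_run_time_ms": max_run_time, "exit_code": exit_code,
            "status": STATUS.get(status, hex(status)), "flags": flags,
            "last_run": last_run, "running_instances": running, "triggers": triggers}


if __name__ == "__main__":
    for k, v in parse_job(AT1_JOB).items():
        print(f"{k:>18}: {v}")
```

For At1.job this yields the application c:\windows\12.bat, author SYSTEM, a single ONCE trigger for 2015-06-11 18:25, a last-run time of 18:25:00.028 (the .job stores local time, so this is the 22:25:00 UTC start of cmd.exe 3572 in pslist) and status SCHED_S_TASK_RUNNING with one running instance, consistent with bg.jpg (WCE -e) still being alive in the process list.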

Dump the Security event log to identify who created the scheduled task. filescan for 'security' (the hits include both the Security.evtx log and the SECURITY registry hive; the .evtx is what we want):

$ python vol.py -f $mem --profile=Win2008SP1x86 filescan | grep -i 'security'

Volatility Foundation Volatility Framework 2.6.1
0x000000001ee09960      3      1 RW---- \Device\HarddiskVolume1\Windows\System32\config\RegBack\SECURITY
0x000000001f091600     11      1 RW---- \Device\HarddiskVolume1\Windows\System32\config\SECURITY
0x000000001f1ed2c0     13      1 RW-r-- \Device\HarddiskVolume1\Windows\System32\winevt\Logs\Security.evtx
0x000000001fa06ed8      1      1 RW---- \Device\HarddiskVolume1\Windows\System32\config\SECURITY.LOG1
0x000000001fa31308     17      1 RWDr-d \Device\HarddiskVolume1\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl
0x000000001fa31b00      1      1 RW---- \Device\HarddiskVolume1\Windows\System32\config\SECURITY.LOG2
0x000000001fa37a60      1      1 RW-r-d \Device\HarddiskVolume1\Windows\System32\winevt\Logs\Microsoft-Windows-Security-Configuration-Wizard%4Operational.etl
0x000000001fa37b08      1      1 RW-r-d \Device\HarddiskVolume1\Windows\System32\winevt\Logs\Microsoft-Windows-Security-Configuration-Wizard%4Diagnostic.etl

$ python vol.py -f $mem --profile=Win2008SP1x86 dumpfiles -Q 0x000000001f1ed2c0 -D /mnt/volatility/DF/tomcat-dump/security-log/

Volatility Foundation Volatility Framework 2.6.1
DataSectionObject 0x1f1ed2c0   None   \Device\HarddiskVolume1\Windows\System32\winevt\Logs\Security.evtx
SharedCacheMap 0x1f1ed2c0   None   \Device\HarddiskVolume1\Windows\System32\winevt\Logs\Security.evtx

dumpfiles wrote both a DataSectionObject (.dat) and a SharedCacheMap (.vacb) copy. Renamed file.None.0x831ef6a0.vacb to file.None.0x831ef6a0.vacb.evtx, opened it in Event Viewer and filtered on Event ID 4698 (a scheduled task has been created):

- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
  <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" /> 
  <EventID>4698</EventID> 
  <Version>0</Version> 
  <Level>0</Level> 
  <Task>12804</Task> 
  <Opcode>0</Opcode> 
  <Keywords>0x8020000000000000</Keywords> 
  <TimeCreated SystemTime="2015-06-11T22:13:16.426336000Z" /> 
  <EventRecordID>7273</EventRecordID> 
  <Correlation /> 
  <Execution ProcessID="608" ThreadID="2268" /> 
  <Channel>Security</Channel> 
  <Computer>WIN-CEKM08E74HR</Computer> 
  <Security /> 
  </System>
- <EventData>
  <Data Name="SubjectUserSid">S-1-5-18</Data> 
  <Data Name="SubjectUserName">WIN-CEKM08E74HR$</Data> 
  <Data Name="SubjectDomainName">WORKGROUP</Data> 
  <Data Name="SubjectLogonId">0x3e7</Data> 
  <Data Name="TaskName">\At1</Data> 
  <Data Name="TaskContent"><?xml version="1.0" encoding="UTF-16"?>
  <Task version="1.0" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo /> <Triggers> <TimeTrigger> <StartBoundary>2015-06-11T18:25:00</StartBoundary> </TimeTrigger> </Triggers> <Principals> <Principal id="Author"> <UserId>@AtServiceAccount</UserId> <LogonType>InteractiveTokenOrPassword</LogonType> <RunLevel>HighestAvailable</RunLevel> </Principal> </Principals> <Actions Context="Author"> <Exec> <Command>c:\windows\12.bat</Command> </Exec> </Actions> </Task></Data> 
  </EventData>
  </Event>

The subject is S-1-5-18 (SYSTEM, logon ID 0x3e7), the account Tomcat7.exe runs under, not an interactive user: the task was created from the web shell. TimeCreated 22:13:16Z is 18:13:16 local, matching the POST /webfiles/ at 18:13:16 in the access log, and the trigger (StartBoundary 18:25:00, run as @AtServiceAccount at highest privileges) matches both the "at 18:25 c:\windows\12.bat" string and the 22:25:00 UTC start of cmd.exe 3572 / bg.jpg 3580.

Executive Summary

A Tomcat 7 installation on Windows Server 2008 (x86) was running as LocalSystem. The attacker at 58.64.141.245 first probed the Manager application on 8 June 2015 (unauthenticated GET /manager/html, 401) and returned on 11 June, authenticating with the default credentials tomcat/tomcat (recovered from the Basic Authorization header) and uploading a WAR through the Manager's deploy form at 18:07:04 local. This deployed jsp File Browser 1.2 as /webfiles/, whose command launcher gave command execution as SYSTEM. Through it Windows Credential Editor was uploaded as bg.jpg, a batch file was staged as c:\windows\12.bat, and an AT job (At1, created 18:13:16, scheduled for 18:25) executed it; WCE dumped the logon-session credentials to sm.gif, which the attacker downloaded at 18:27:44, obtaining the local Administrator LM/NT hashes. All post-exploitation activity took place on 11 June 2015 from the IP 58.64.141.245.


https://www.virustotal.com/gui/file/b1f233d1eccf366af43ebd62e8f276ba3794c353c3f179b8989798870d07e00b/detection