Tomcat shells
Web shells memory write up
WIN-CEKM08E74HR-20150611-222930.raw
All I know is that this dump is from a machine running a web server which has been compromised. I don't know how it was compromised, nor do I have any other details about the server itself.
Identify the OS profile
Set the environment variable 'mem' to the image path, /mnt/volatility/DF/WIN-CEKM08E74HR-20150611-222930.raw, so the commands below stay short.
$ cd /root/volatility
$ mem=/mnt/volatility/DF/WIN-CEKM08E74HR-20150611-222930.raw
$ python vol.py -f $mem imageinfo
Volatility results
Volatility Foundation Volatility Framework 2.6.1
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : VistaSP1x86, Win2008SP1x86, Win2008SP2x86, VistaSP2x86
AS Layer1 : IA32PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (/mnt/volatility/DF/WIN-CEKM08E74HR-20150611-222930.raw)
PAE type : No PAE
DTB : 0x122000L
KDBG : 0x8190ac98L
Number of Processors : 1
Image Type (Service Pack) : 2
KPCR for CPU 0 : 0x8190b800L
KUSER_SHARED_DATA : 0xffdf0000L
Image date and time : 2015-06-11 22:29:32 UTC+0000
Image local date and time : 2015-06-11 18:29:32 -0400
It is reasonable to assume Win2008 from the 'web server' hint in the challenge. Note that imageinfo reports Service Pack 2, so Win2008SP2x86 is the closer match among the suggestions; Win2008SP1x86 is used below and the plugins behave, but if a plugin returns nothing or garbage, switch profile before doubting the data.
$ python vol.py -f $mem --profile=Win2008SP1x86 pslist
Processes of interest:
0x831f3d90 cmd.exe 3248 1728 0 -------- 0 0 2015-06-11 22:21:49 UTC+0000 2015-06-11 22:21:49 UTC+0000
0x8363c7f0 tasklist.exe 3256 3248 0 -------- 0 0 2015-06-11 22:21:49 UTC+0000 2015-06-11 22:21:49 UTC+0000
0x835f5718 cmd.exe 3520 1728 0 -------- 0 0 2015-06-11 22:24:04 UTC+0000 2015-06-11 22:24:04 UTC+0000
0x830e9d90 cmd.exe 3572 2032 1 17 0 0 2015-06-11 22:25:00 UTC+0000
0x8362fca0 bg.jpg 3580 3572 1 61 0 0 2015-06-11 22:25:00 UTC+0000
0x835eba10 cmd.exe 3604 1728 0 -------- 0 0 2015-06-11 22:25:15 UTC+0000 2015-06-11 22:25:15 UTC+0000
0x836407b0 cmd.exe 3612 1728 0 -------- 0 0 2015-06-11 22:25:24 UTC+0000 2015-06-11 22:25:24 UTC+0000
0x830e2d90 tasklist.exe 3620 3612 0 -------- 0 0 2015-06-11 22:25:24 UTC+0000 2015-06-11 22:25:24 UTC+0000
0x83693bc0 TrustedInstalle 2364 596 3 104 0 0 2015-06-11 22:26:34 UTC+0000
0x832e7020 csrss.exe 2664 2684 8 188 2 0 2015-06-11 22:26:55 UTC+0000
0x83125cd8 winlogon.exe 2732 2684 3 114 2 0 2015-06-11 22:26:55 UTC+0000
0x82a3f530 taskeng.exe 2448 1012 9 226 2 0 2015-06-11 22:27:17 UTC+0000
0x83681610 dwm.exe 2860 1160 3 70 2 0 2015-06-11 22:27:17 UTC+0000
0x837241d8 explorer.exe 2428 2856 17 425 2 0 2015-06-11 22:27:18 UTC+0000
0x83117020 jusched.exe 3056 2428 1 50 2 0 2015-06-11 22:27:18 UTC+0000
0x83632d08 VBoxTray.exe 3060 2428 9 228 2 0 2015-06-11 22:27:18 UTC+0000
0x83201b90 Tomcat7w.exe 2816 2428 2 50 2 0 2015-06-11 22:27:18 UTC+0000
0x83116ad8 wuauclt.exe 3360 1012 2 142 2 0 2015-06-11 22:27:32 UTC+0000
0x8311ec10 cmd.exe 4032 2428 1 19 2 0 2015-06-11 22:29:10 UTC+0000
The server appears to be a Windows 2008 box running Tomcat 7. Pull the network information.
$ python vol.py -f $mem --profile=Win2008SP1x86 netscan
0x1eda4db0 TCPv4 -:8080 58.64.141.245:1057 CLOSED 1728 Tomcat7.exe
The server's own address is 192.168.56.30 (it appears as the Host header in the recovered requests further down). netscan shows a TCP connection to port 8080 from 58.64.141.245, now CLOSED, owned by PID 1728 / Tomcat7.exe, and that PID is the parent of several of the cmd.exe processes above: the web server is spawning shells.
Let's run pstree to see the family (could also run pstree -v)
$ python vol.py -f $mem --profile=Win2008SP1x86 pstree
0x837241d8:explorer.exe 2428 2856 17 425 2015-06-11 22:27:18 UTC+0000
. 0x83201b90:Tomcat7w.exe 2816 2428 2 50 2015-06-11 22:27:18 UTC+0000
. 0x83117020:jusched.exe 3056 2428 1 50 2015-06-11 22:27:18 UTC+0000
. 0x8311ec10:cmd.exe 4032 2428 1 19 2015-06-11 22:29:10 UTC+0000
. 0x83139650:services.exe 596 520 6 234 2015-06-11 22:05:29 UTC+0000
.. 0x832dc560:Tomcat7.exe 1728 596 28 360 2015-06-11 22:05:56 UTC+0000
... 0x835eba10:cmd.exe 3604 1728 0 ------ 2015-06-11 22:25:15 UTC+0000
... 0x836407b0:cmd.exe 3612 1728 0 ------ 2015-06-11 22:25:24 UTC+0000
.... 0x830e2d90:tasklist.exe 3620 3612 0 ------ 2015-06-11 22:25:24 UTC+0000
... 0x831f3d90:cmd.exe 3248 1728 0 ------ 2015-06-11 22:21:49 UTC+0000
.... 0x8363c7f0:tasklist.exe 3256 3248 0 ------ 2015-06-11 22:21:49 UTC+0000
... 0x835f5718:cmd.exe 3520 1728 0 ------ 2015-06-11 22:24:04 UTC+0000
Dump the memory of the Tomcat process (PID 1728)
$ python vol.py -f $mem --profile=Win2008SP1x86 memdump -p 1728 -D /mnt/volatility/DF/tomcat-dump/
Run strings over 1728.dmp to get a greppable text file. The process environment block is among the first things to surface: USERNAME=WIN-CEKM08E74HR$ (the machine account) and USERPROFILE=C:\Windows\system32\config\systemprofile mean the Tomcat service runs as LocalSystem, so anything executed through the web application runs as SYSTEM.
$ strings -a /mnt/volatility/DF/tomcat-dump/1728.dmp > /mnt/volatility/DF/tomcat-dump/1728strings.txt
COMPUTERNAME=WIN-CEKM08E74HR
ComSpec=C:\Windows\system32\cmd.exe
DFSTRACINGON=FALSE
FP_NO_HOST_CHECK=NO
LOCALAPPDATA=C:
2\config\systemprofile\AppData\Local
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\ProgramData\Oracle\Java\javapath;C:\Wi
:\Windows;C:\Windows\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE=
ENTIFIER=x86 Family 6 Model 42 Stepping 7, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=2a07
ProgramData=C:\Program
UvDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Windows\TEMP
TMP=C:\Windows\TEMP
Format
USERDOMAIN=WORKGROUP
USERNAME=WIN-CEKM08E74HR$
USERPROFILE=C:\Windows\system32\config\systemprofile
windir=C:\Windows
"C:\Program Files\Apache Software Foundation\Tomcat 7.0\bin\Tomcat7.exe" //RS//Tomcat7
Looking for shells
$ grep -i 'post' /mnt/volatility/DF/tomcat-dump/1728strings.txt | more
58.64.141.245 - tomcat [11/Jun/2015:18:07:04 -0400] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=262D313C4A6E085593AF3CAD4F4E7A99 HTTP/1.1" 200 158
58.64.141.245 - - [11/Jun/2015:18:07:27 -0400] "POST /webfiles/ HTTP/1.1" 200 2367
58.64.141.245 - - [11/Jun/2015:18:07:37 -0400] "POST /webfiles/ HTTP/1.1" 200 2460
58.64.141.245 - - [11/Jun/2015:18:07:51 -0400] "POST /webfiles/ HTTP/1.1" 200 2388
58.64.141.245 - - [11/Jun/2015:18:09:26 -0400] "POST /webfiles/ HTTP/1.1" 200 8973
58.64.141.245 - - [11/Jun/2015:18:12:16 -0400] "POST /webfiles/ HTTP/1.1" 200 48896
58.64.141.245 - - [11/Jun/2015:18:12:42 -0400] "POST /webfiles/ HTTP/1.1" 200 2245
58.64.141.245 - - [11/Jun/2015:18:13:16 -0400] "POST /webfiles/ HTTP/1.1" 200 2278
58.64.141.245 - - [11/Jun/2015:18:15:24 -0400] "POST /webfiles/ HTTP/1.1" 200 2261
58.64.141.245 - - [11/Jun/2015:18:15:34 -0400] "POST /webfiles/ HTTP/1.1" 200 5149
58.64.141.245 - - [11/Jun/2015:18:16:31 -0400] "POST /webfiles/ HTTP/1.1" 200 5227
58.64.141.245 - - [11/Jun/2015:18:19:52 -0400] "POST /webfiles/ HTTP/1.1" 200 5149
58.64.141.245 - - [11/Jun/2015:18:21:49 -0400] "POST /webfiles/ HTTP/1.1" 200 5227
58.64.141.245 - - [11/Jun/2015:18:24:04 -0400] "POST /webfiles/ HTTP/1.1" 200 2271
58.64.141.245 - - [11/Jun/2015:18:25:15 -0400] "POST /webfiles/ HTTP/1.1" 200 2271
58.64.141.245 - - [11/Jun/2015:18:25:25 -0400] "POST /webfiles/ HTTP/1.1" 200 5305
The first POST, at 18:07:04 and authenticated as user tomcat, is a WAR deploy through the Manager application's upload form (the CSRF_NONCE in the query string is the Manager's own anti-CSRF token, echoed back by the browser). Twenty-three seconds later the same address starts POSTing to /webfiles/, the context that upload deployed; every one of those POSTs is a request to the deployed web shell, and their times line up with the cmd.exe children of Tomcat7.exe in pslist (18:21:49, 18:24:04, 18:25:15, 18:25:24 local).
Let's see when 58.64.141.245 first accessed the web server.
$ grep -C10 "58\.64\.141\.245" /mnt/volatility/DF/tomcat-dump/1728strings.txt
58.64.141.245 - - [08/Jun/2015:19:38:44 -0400] "GET /manager/html HTTP/1.1" 401 2538
58.64.141.245 - - [11/Jun/2015:18:27:51 -0400] "GET /webfiles/?sort=1&downfile=C%3A%5Cinetpub%5Cwwwroot%5Csm.gif HTTP/1.1" 200 975 - - [11/Jun/2015:18:27:37 -0400] "GET /webfiles/?Javascript HTTP/1.1" 200 3714
58.64.141.245 - - [11/Jun/2015:18:27:44 -0400] "GET /webfiles/?sort=1&file=C%3A%5Cinetpub%5Cwwwroot%5Csm.gif HTTP/1.1" 200 972 7:34 -0400] "GET /webfiles/?Javascript HTTP/1.1" 200 3714/1.1" 200 3714 - [11/Jun/2015:18:13:43 -0400] "GET /webfiles/?sort=1&dir=C%3A%5Cinetpub%5Cwwwroot HTTP/1.1" 200 8863
58.64.141.245 - - [11/Jun/2015:18:13:43 -0400] "GET /webfiles/?Javascript HTTP/1.1" 200 3714
The earliest record is from 8 June: a GET /manager/html answered with 401, the Manager's Basic-auth challenge, three days before the deploy. Several of the recovered lines are two log records overlapping in one buffer; that is normal for strings run over process memory, so take fields only from the intact record at the start of a line. The downfile= request at 18:27:51 is the file browser handing out C:\inetpub\wwwroot\sm.gif, which matters later.
Let's focus on the activity around 'GET /webfiles'
$ grep -C10 "GET \/webfiles" /mnt/volatility/DF/tomcat-dump/1728strings.txt
GET /webfiles/?sort=1&file=C%3A%5Cinetpub%5Cwwwroot%5Csm.gif HTTP/1.1
accept:*/**
referer:http://192.168.56.30:8080/webfiles/?sort=1&dir=C%3A%5Cinetpub%5Cwwwroott
accept-language:en-uss
user-agent:Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0))
accept-encoding:gzip, deflatee
host:192.168.56.30:80800
connection:Keep-Alivee
cookie:JSESSIONID=D4BB0A17D08FE321DF87835231D798244
cookie:JSESSIONID=D4BB0A17D08FE321DF87835231D798244
0A17D08FE321DF87835231D798244
--
Accept-Encoding: gzip, deflate
Host: 192.168.56.30:8080
Connection: Keep-Alive
Cookie: JSESSIONID=983D1DF88F7A229E9D2C5DD76804F120
Authorization: Basic dG9tY2F0OnRvbWNhdA==
The Authorization header is HTTP Basic, so the credential is only base64-encoded. Decode it:
$ echo dG9tY2F0OnRvbWNhdA== | base64 -d
tomcat:tomcat
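To make the log triage above repeatable, here is an added example (not from the original writeup) that parses Tomcat access-log records out of a strings dump, reports the first time an address was seen, decodes any HTTP Basic Authorization headers, lists the contexts requested after a successful Manager upload, and pulls the file browser's uplMonitor/downfile parameters out of the query strings. The sample input is constructed from the lines recovered above, including one of the overlapping records; the function names are this example's own.

```python
import base64
import re
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Constructed sample: access-log records and one request header as recovered
# from Tomcat7.exe memory above. The last line is an overlapping fragment
# (two records sharing a buffer), which strings output commonly produces.
SAMPLE_STRINGS = '''
58.64.141.245 - - [08/Jun/2015:19:38:44 -0400] "GET /manager/html HTTP/1.1" 401 2538
58.64.141.245 - tomcat [11/Jun/2015:18:07:04 -0400] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=262D313C4A6E085593AF3CAD4F4E7A99 HTTP/1.1" 200 158
58.64.141.245 - - [11/Jun/2015:18:07:27 -0400] "POST /webfiles/ HTTP/1.1" 200 2367
58.64.141.245 - - [11/Jun/2015:18:12:16 -0400] "GET /webfiles/?first&uplMonitor=C%3A%5Cfakepath%5C12.bat HTTP/1.1" 200 865
58.64.141.245 - - [11/Jun/2015:18:13:43 -0400] "GET /webfiles/?sort=1&dir=C%3A%5Cinetpub%5Cwwwroot HTTP/1.1" 200 8863
Authorization: Basic dG9tY2F0OnRvbWNhdA==
58.64.141.245 - - [11/Jun/2015:18:27:51 -0400] "GET /webfiles/?sort=1&downfile=C%3A%5Cinetpub%5Cwwwroot%5Csm.gif HTTP/1.1" 200 975 - - [11/Jun/2015:18:27:37 -0400] "GET /webfiles/?Javascript HTTP/1.1" 200 3714
'''.strip().splitlines()

# Tomcat's "common" access-log pattern. No '$' anchor: a record that has a
# second record's tail glued onto it still parses from its intact head.
LOG_RE = re.compile(
    r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def parse_access_log(lines):
    """Return log records (dicts) sorted by time; non-record lines are skipped."""
    entries = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # headers, HTML, binary: not an access-log record
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        e["status"] = int(e["status"])
        entries.append(e)
    entries.sort(key=lambda e: e["ts"])
    return entries

def first_seen(entries, ip):
    """Earliest timestamp at which `ip` appears, or None."""
    return min((e["ts"] for e in entries if e["ip"] == ip), default=None)

def decode_basic_auth(lines):
    """(user, password) pairs from any 'Authorization: Basic' header fragments."""
    creds = []
    for line in lines:
        m = re.search(r"authorization:\s*basic\s+([A-Za-z0-9+/=]+)", line, re.I)
        if not m:
            continue
        try:
            user, _, password = base64.b64decode(m.group(1), validate=True).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            continue  # token cut short or corrupted in memory
        creds.append((user, password))
    return creds

def contexts_after_manager_deploy(entries):
    """Contexts (other than /manager) requested after a successful Manager upload."""
    deployed, contexts = False, []
    for e in entries:
        path = urlsplit(e["target"]).path
        if e["method"] == "POST" and path == "/manager/html/upload" and e["status"] == 200:
            deployed = True
            continue
        if not deployed:
            continue
        context = "/" + path.split("/")[1]
        if context != "/manager" and context not in contexts:
            contexts.append(context)
    return contexts

# jsp File Browser query parameters: upload progress, download, launch command
SHELL_PARAMS = ("uplMonitor", "downfile", "command")

def file_browser_activity(entries):
    """(iso timestamp, parameter, decoded value) for each file-browser action seen."""
    found = []
    for e in entries:
        query = parse_qs(urlsplit(e["target"]).query)
        for key in SHELL_PARAMS:
            for value in query.get(key, []):
                found.append((e["ts"].isoformat(), key, value))
    return found

if __name__ == "__main__":
    entries = parse_access_log(SAMPLE_STRINGS)
    print("first seen:", first_seen(entries, "58.64.141.245"))
    print("basic auth:", decode_basic_auth(SAMPLE_STRINGS))
    print("contexts after deploy:", contexts_after_manager_deploy(entries))
    for ts, key, value in file_browser_activity(entries):
        print(ts, key, value)
```

Run it against the real 1728strings.txt by replacing SAMPLE_STRINGS with the file's lines; the regex deliberately ignores everything that is not a complete record head, so HTML, headers and binary noise fall through without tripping the parser.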
Found an interesting string in 1728strings.txt (the prefix is the line number from grep -n):
178956:Created by jsp File Browser v.
Let's focus on that.
179973:" <small>jsp File Browser version
179974-C by <a href="http://www.vonloesch.de">www.vonloesch.de</a></small>
179975- </center>
179976-</html>
179977-java/util/zip/ZipFile
246416- <div class="formular">
246417- <form class="formular2" action="/webfiles/" enctype="multipart/form-data" method="POST">
246418- <input type="hidden" name="dir" value="C:\inetpub\wwwroot">
246419- <input type="hidden" name="sort" value="1">
246420- <input type="file" class="textfield" onKeypress="event.cancelBubble=true;" name="myFile">
246421- <input title="Upload selected file to the current working directory
246422-" type="Submit" class="button" name="Submit" value="Upload"
246423- onClick="javascript:popUp('/webfiles/')">
246424- </form>
246425- <form class="formular2" action="/webfiles/" method="POST">
246426- <input type="hidden" name="dir" value="C:\inetpub\wwwroot">
246427- <input type="hidden" name="sort" value="1">
246428- <input type="hidden" name="command" value="">
246429- <input title="Launch command in current directory" type="Submit" class="button" id="but_Lau" name="Submit" value="(L)aunch external program">
246430- </form>
246431- </div>
246432-
246433- <hr>
246434- <center>
246435: <small>jsp File Browser version 1.2 by <a href="http://www.vonloesch.de">www.vonloesch.de</a></small>
246436- </center>
246437-</bo
246438-H7
246439- H7
246440- H7
246441- Wp<
246442-/manager/images/asf-logo.gif
246443-org.apache.catalina.filters.CSRF_NONCE
246444-multipart/form-data; boundary=---------------------------7df134640124
246445-/manager/images/tomcat.gif
246446-org.apache.catalina.filters.CSRF_NONCE=262D313C4A6E085593AF3CAD4F4E7A99
246447-en-us
246448-262D313C4A6E085593AF3CAD4F4E7A99
246449-W/"2066-1431019026000"
246450-36791
246451-Thu, 07 May 2015 17:17:06 GMT
246452-W/"7279-1431019026000"
246453-/manager/html/upload
246454-/manager/html
248751-/webfiles/tml/uploadlogo.gif
248752-sort=1&file=C:\inetpub\wwwroot\sm.gif5Csm.gif3C4A6E085593AF3CAD4F4E7A99
248753-HTTP/1.1 200 OK
248754-Server: Apache-Coyote/1.1
248755-Content-Disposition: inline;filename="sm.gif"
248756-Content-Type: image/gif;charset=ISO-8859-1
248757-Content-Length: 97
248758-Date: Thu, 11 Jun 2015 22:27:44 GMT
248759-Administrator:WIN-CEKM08E74HR:A15153D335C2751F17306D272A9441BB:835FD21AAC32076DF24DC75E0C77144F
248760-pe="hidden" name="dir" value="C:\inetpub\wwwroot">
248761- <input type="hidden" name="sort" value="1">
248762- <input type="hidden" name="command" value="">
248763- <input title="Launch command in current directory" type="Submit" class="button" id="but_Lau" name="Submit" value="(L)aunch external program">
248764- </form>
248765- </div>
248766-
248767- <hr>
248768- <center>
248769: <small>jsp File Browser version 1.2 by <a href="http://www.vonloesch.de">www.vonloesch.de</a></small>
38887- out.write("\t\t<input type=\"hidden\" name=\"command\" value=\"\">\n");
38888- out.write("\t\t<input title=\"Launch command in current directory\" type=\"Submit\" class=\"button\" id=\"but_Lau\" name=\"Submit\" value=\"");
65343- out.write("\t\t<input type=\"hidden\" name=\"command\" value=\"\">\n");
65344- out.write("\t\t<input title=\"Launch command in current directory\" type=\"Submit\" class=\"button\" id=\"but_Lau\" name=\"Submit\" value=\"");
The out.write() fragments are the same page as Java: Tomcat's Jasper compiler translates a JSP into a servlet and keeps the generated source and class under the work directory, so a JSP web shell shows up in memory both as rendered HTML and as compiled servlet code. Let's find what the attacker pushed through this shell.
$ grep -i '\.bat' /mnt/volatility/DF/tomcat-dump/1728strings.txt
58.64.141.245 - - [11/Jun/2015:18:12:18 -0400] "GET /webfiles/?uplMonitor=C%3A%5Cfakepath%5C12.bat HTTP/1.1" 200 574
<snip>
at 18:25 c:\windows\12.bat
first&uplMonitor=C%3A%5Cfakepath%5C12.bat
Javascriptonitor=C:\fakepath\12.bat12.bat
C:\fakepath\12.bat
Content-Disposition: form-data; name="myFile"; filename="12.bat"
uplMonitor=C%3A%5Cfakepath%5C12.bat
Javascript=C:\inetpub\wwwrootwwroot12.bat
uplMonitor=C%3A%5Cfakepath%5C12.bat
at 18:25 c:\windows\12.bat
first&uplMonitor=C%3A%5Cfakepath%5C12.bat
C:\fakepath\12.bat
<snip>
GET /webfiles/?first&uplMonitor=C%3A%5Cfakepath%5C12.bat HTTP/1.1
Content-Disposition: form-data; name="myFile"; filename="12.bat"
<snip>
58.64.141.245 - - [11/Jun/2015:18:12:16 -0400] "GET /webfiles/?first&uplMonitor=C%3A%5Cfakepath%5C12.bat HTTP/1.1" 200 865
58.64.141.245 - - [11/Jun/2015:18:12:18 -0400] "GET /webfiles/?uplMonitor=C%3A%5Cfakepath%5C12.bat HTTP/1.1" 200 574
Right: 12.bat. The C:\fakepath\ prefix is not a real path; it is what browsers substitute for the client-side directory in a file input, so uplMonitor only echoes the upload's original name. Where the file ended up is a different question, and the string 'at 18:25 c:\windows\12.bat' sitting in Tomcat's memory answers it: that is an at.exe command line, most plausibly submitted through the file browser's 'launch external program' function, scheduling the script from C:\Windows. Let's dump the batch script.
$ python vol.py -f $mem --profile=Win2008SP1x86 filescan | grep -i "12\.bat"
Volatility Foundation Volatility Framework 2.6.1
0x000000001ee373f8 8 0 -W-rw- \Device\HarddiskVolume1\Windows\12.bat
$ python vol.py -f $mem --profile=Win2008SP1x86 dumpfiles -Q 0x000000001ee373f8 -D /mnt/volatility/DF/tomcat-dump/
Volatility Foundation Volatility Framework 2.6.1
DataSectionObject 0x1ee373f8 None \Device\HarddiskVolume1\Windows\12.bat
Examine 12.bat
$ cat /mnt/volatility/DF/tomcat-dump/file.None.0x8362e730.dat
@echo off
c:\inetpub\wwwroot\bg.jpg -e -o c:\inetpub\wwwroot\sm.gif
pstree -v confirms the script ran: bg.jpg (PID 3580) under cmd.exe 3572, with the exact command line from 12.bat.
$ python vol.py -f $mem --profile=Win2008SP1x86 pstree -v
..... 0x8362fca0:bg.jpg 3580 3572 1 61 2015-06-11 22:25:00 UTC+0000
audit: \Device\HarddiskVolume1\inetpub\wwwroot\bg.jpg
cmd: c:\inetpub\wwwroot\bg.jpg -e -o c:\inetpub\wwwroot\sm.gif
path: c:\inetpub\wwwroot\bg.jpg
Let's determine what bg.jpg actually is. Dump it with dumpfiles -Q on the filescan offsets as before (dumpfiles names the DataSectionObject copy .dat and the ImageSectionObject copy .img; an .img exists only because the file was mapped for execution, which a real JPEG never is), then hash and string the result.
$ python vol.py -f $mem --profile=Win2008SP1x86 filescan | grep -i 'bg\.jpg'
Volatility Foundation Volatility Framework 2.6.1
0x000000001ede1ba0 8 0 -W-rw- \Device\HarddiskVolume1\inetpub\wwwroot\bg.jpg
0x000000001f2dc170 7 0 R--r-d \Device\HarddiskVolume1\inetpub\wwwroot\bg.jpg
$ sha1sum /mnt/volatility/DF/tomcat-dump/file.*
c0d7899cc49bf2cb4f3abe663dc6a62ed69c06ff /mnt/volatility/DF/tomcat-dump/file.None.0x832c0680.dat
26019082706f9898a716d8803f57cc70365c821b /mnt/volatility/DF/tomcat-dump/file.None.0x8362fb20.img
$ strings file.None.0x8362fb20.img
WCE %s (Windows Credentials Editor) - (c) 2010,2011,2012 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
Use -h for help.
Options:
-l List logon sessions and NTLM credentials (default).
Optional: -r<refresh interval>.
-s Changes NTLM credentials of current logon session.
Parameters: <UserName>:<DomainName>:<LMHash>:<NTHash>.
-o saves all output to a file.
-r Lists logon sessions and NTLM credentials indefinitely.
Refreshes every 5 seconds if new sessions are found.
-c Run <cmd> in a new session with the specified NTLM credentials.
Parameters: <cmd>.
-e Lists logon sessions NTLM credentials indefinitely.
Refreshes every time a logon event occurs.
Parameters: <filename>.
-i Specify LUID instead of use current logon session.
Parameters: <luid>.
-d Delete NTLM credentials from logon session.
Parameters: <luid>.
-a Use Addresses.
Parameters: <addresses>
-f Force 'safe mode'.
-g Generate LM & NT Hash.
Parameters: <password>.
-K Dump Kerberos tickets to file (unix & 'windows wce' format)
Error in cmdline!. Bye!.
-k Read Kerberos tickets from file and insert into Windows cache
username wrong format!.
-w Dump cleartext passwords stored by the digest authentication package
-v verbose output.
So it's Windows Credential Editor (WCE), renamed to pass as an image. From its own usage text: -e lists logon sessions and their NTLM credentials, refreshing every time a logon event occurs (the process keeps running, which is why bg.jpg is still alive in pslist with one thread), and -o writes everything to a file. Here that file is sm.gif in the web root, where the file browser can serve it. Review sm.gif:
$ python vol.py -f $mem --profile=Win2008SP1x86 filescan | grep -i 'sm\.gif'
Volatility Foundation Volatility Framework 2.6.1
0x000000001edf6640 1 0 R--rw- \Device\HarddiskVolume1\inetpub\wwwroot\sm.gif
$ python vol.py -f $mem --profile=Win2008SP1x86 dumpfiles -Q 0x000000001edf6640 -D /mnt/volatility/DF/tomcat-dump/wce
Volatility Foundation Volatility Framework 2.6.1
DataSectionObject
0x1edf6640 None \Device\HarddiskVolume1\inetpub\wwwroot\sm.gif
$ strings /mnt/volatility/DF/tomcat-dump/wce/file.None.0x830f1448.dat
Administrator:WIN-CEKM08E74HR:A15153D335C2751F17306D272A9441BB:835FD21AAC32076DF24DC75E0C77144F
The WCE record is user:domain:LM hash:NT hash. With the NT hash of Administrator the attacker can authenticate to this host, and to any host where the same password is set, without cracking anything.
Identifying tasks
$ python vol.py -f $mem --profile=Win2008SP1x86 filescan | grep -i 'tasks'
Volatility Foundation Volatility Framework 2.6.1
0x000000001ee03280 1 0 R--r-d \Device\HarddiskVolume1\Windows\System32\Tasks\Microsoft\Windows\NetworkAccessProtection\NAPStatus UI
0x000000001ee49ba8 1 0 R--r-d \Device\HarddiskVolume1\Windows\System32\Tasks\Microsoft\Windows\CertificateServicesClient\UserTask
0x000000001f122450 1 0 R--r-d \Device\HarddiskVolume1\Windows\System32\Tasks\Microsoft\Windows\TextServicesFramework\MsCtfMonitor
0x000000001f127f80 1 0 R--r-d \Device\HarddiskVolume1\Windows\System32\Tasks\Microsoft\Windows\Multimedia\SystemSoundsService
0x000000001f1e8bd8 17 1 RW-r-- \Device\HarddiskVolume1\Windows\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational.evtx
0x000000001f1eb750 8 0 -W-r-- \Device\HarddiskVolume1\Windows\System32\Tasks\At1
0x000000001f22da78 10 1 RW-r-- \Device\HarddiskVolume1\Windows\Tasks\SCHEDLGU.TXT
0x000000001f22e9c8 6 1 R--rw- \Device\HarddiskVolume1\Windows\Tasks
0x000000001f231b18 2 0 R--r-d \Device\HarddiskVolume1\Windows\System32\taskschd.dll
0x000000001f2638d0 1 0 R--r-d \Device\HarddiskVolume1\Windows\System32\Tasks\Microsoft\Windows\PLA\System\ConvertLogEntries
*0x000000001f297ad8 8 0 -W-r-d \Device\HarddiskVolume1\Windows\Tasks\At1.job*
0x000000001f2e7ed0 1 0 R--r-d \Device\HarddiskVolume1\Windows\System32\Tasks\Microsoft\Windows\Server Manager\ServerManager
$ python vol.py -f $mem --profile=Win2008SP1x86 dumpfiles -Q 0x000000001f297ad8 -D /mnt/volatility/DF/tomcat-dump/tasks
$ strings -el /mnt/volatility/DF/tomcat-dump/tasks/file.None.0x8363fd10.dat
c:\windows\12.bat
SYSTEM
Created by NetScheduleJobAdd.
$ xxd /mnt/volatility/DF/tomcat-dump/tasks/file.None.0x8363fd10.dat
00000000: 0006 0100 7cbf 6c48 bcaa 564e 928f 06eb ....|.lH..VN....
00000010: 7057 4ccb 4600 ca00 0000 0000 3c00 0a00 pWL.F.......<...
00000020: 2000 0000 0014 730f 0000 0000 0113 0400 .....s.........
00000030: 0200 e021 df07 0600 0400 0b00 1200 1900 ...!............
00000040: 0000 1c00 0100 1200 6300 3a00 5c00 7700 ........c.:.\.w.
00000050: 6900 6e00 6400 6f00 7700 7300 5c00 3100 i.n.d.o.w.s.\.1.
00000060: 3200 2e00 6200 6100 7400 0000 0000 0000 2...b.a.t.......
00000070: 0700 5300 5900 5300 5400 4500 4d00 0000 ..S.Y.S.T.E.M...
00000080: 1e00 4300 7200 6500 6100 7400 6500 6400 ..C.r.e.a.t.e.d.
00000090: 2000 6200 7900 2000 4e00 6500 7400 5300 .b.y. .N.e.t.S.
000000a0: 6300 6800 6500 6400 7500 6c00 6500 4a00 c.h.e.d.u.l.e.J.
000000b0: 6f00 6200 4100 6400 6400 2e00 0000 0000 o.b.A.d.d.......
000000c0: 0800 0000 0000 0000 0000 0100 3000 0000 ............0...
000000d0: df07 0600 0b00 0000 0000 0000 1200 1900 ................
000000e0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
000000f0: 0000 0000 0000 0000 0000 0000 0100 0100 ................
00000100: 3c56 fcbd fe46 561b 1843 6c37 2c42 d847 <V...FV..Cl7,B.G
00000110: 8146 13f0 4dc0 8ca1 6385 9699 3525 f122 .F..M...c...5%."
00000120: a49a 20ed 4b99 5850 df79 17f8 0f16 4777 .. .K.XP.y....Gw
00000130: b394 0b70 a307 7bd4 993b a5d4 71a0 0a19 ...p..{..;..q...
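The hex above is a complete MS-TSCH .JOB file, and its fields are worth decoding rather than eyeballing. What follows is an added example (not from the original writeup) that parses the fixed-length header and the variable-length section, with the bytes transcribed from the xxd output. Status and trigger-type names are the constants from the Task Scheduler 1.0 interface; is_at_job() is this example's own heuristic.

```python
import struct
import uuid
from datetime import datetime

# \Windows\Tasks\At1.job as dumped from the image above, transcribed from the
# xxd output (0x140 bytes). Layout per MS-TSCH (.JOB file format).
AT1_JOB = bytes.fromhex("""
0006 0100 7cbf 6c48 bcaa 564e 928f 06eb 7057 4ccb 4600 ca00 0000 0000 3c00 0a00
2000 0000 0014 730f 0000 0000 0113 0400 0200 e021 df07 0600 0400 0b00 1200 1900
0000 1c00 0100 1200 6300 3a00 5c00 7700 6900 6e00 6400 6f00 7700 7300 5c00 3100
3200 2e00 6200 6100 7400 0000 0000 0000 0700 5300 5900 5300 5400 4500 4d00 0000
1e00 4300 7200 6500 6100 7400 6500 6400 2000 6200 7900 2000 4e00 6500 7400 5300
6300 6800 6500 6400 7500 6c00 6500 4a00 6f00 6200 4100 6400 6400 2e00 0000 0000
0800 0000 0000 0000 0000 0100 3000 0000 df07 0600 0b00 0000 0000 0000 1200 1900
0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0100 0100
3c56 fcbd fe46 561b 1843 6c37 2c42 d847 8146 13f0 4dc0 8ca1 6385 9699 3525 f122
a49a 20ed 4b99 5850 df79 17f8 0f16 4777 b394 0b70 a307 7bd4 993b a5d4 71a0 0a19
""")

STATUS = {  # HRESULTs returned by the Task Scheduler 1.0 interface
    0x00041300: "SCHED_S_TASK_READY",
    0x00041301: "SCHED_S_TASK_RUNNING",
    0x00041302: "SCHED_S_TASK_DISABLED",
    0x00041303: "SCHED_S_TASK_HAS_NOT_RUN",
    0x00041304: "SCHED_S_TASK_NO_MORE_RUNS",
    0x00041305: "SCHED_S_TASK_NOT_SCHEDULED",
    0x00041306: "SCHED_S_TASK_TERMINATED",
}
TRIGGER_TYPES = {0: "ONCE", 1: "DAILY", 2: "WEEKLY", 3: "MONTHLYDATE", 4: "MONTHLYDOW",
                 5: "EVENT_ON_IDLE", 6: "EVENT_AT_SYSTEMSTART", 7: "EVENT_AT_LOGON"}

def _wstr(buf, off):
    """Length-prefixed UTF-16LE string; the count is in wchars and includes the NUL."""
    (n,) = struct.unpack_from("<H", buf, off)
    end = off + 2 + 2 * n
    return buf[off + 2:end].decode("utf-16-le").rstrip("\x00"), end

def _blob(buf, off):
    """Length-prefixed byte blob (User Data, Reserved Data)."""
    (n,) = struct.unpack_from("<H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_job(buf):
    # FIXDLEN_DATA: 0x44 bytes, little-endian, ending in a SYSTEMTIME (local time).
    (_product, _filever, job_uuid, app_off, trig_off, _retry_count, _retry_interval,
     _idle_deadline, _idle_wait, priority, max_run_ms, exit_code, status, flags,
     *last_run) = struct.unpack_from("<HH16sHHHHHHIIIII8H", buf, 0)
    (instances,) = struct.unpack_from("<H", buf, 0x44)  # running instance count
    off = app_off
    app, off = _wstr(buf, off)
    params, off = _wstr(buf, off)
    workdir, off = _wstr(buf, off)
    author, off = _wstr(buf, off)
    comment, off = _wstr(buf, off)
    _user_data, off = _blob(buf, off)
    _reserved, off = _blob(buf, off)
    if off != trig_off:
        raise ValueError(f"trigger section expected at {trig_off:#x}, parsed to {off:#x}")
    (ntrig,) = struct.unpack_from("<H", buf, off)
    off += 2
    triggers = []
    for _ in range(ntrig):
        t = struct.unpack_from("<10H4I6H", buf, off)  # 48-byte TRIGGER
        size, _r1, by, bm, bd, _ey, _em, _ed, sh, sm, dur, interval, tflags, ttype = t[:14]
        triggers.append({"start": f"{by:04d}-{bm:02d}-{bd:02d} {sh:02d}:{sm:02d}",
                         "type": TRIGGER_TYPES.get(ttype, f"unknown({ttype})"),
                         "duration_min": dur, "interval_min": interval, "flags": tflags})
        off += size
    year, month, _dow, day, hour, minute, sec, ms = last_run
    return {
        "uuid": str(uuid.UUID(bytes_le=job_uuid)),
        "app_name": app, "parameters": params, "working_dir": workdir,
        "author": author, "comment": comment,
        "priority": priority, "max_run_ms": max_run_ms, "exit_code": exit_code,
        "status": status, "status_name": STATUS.get(status, f"{status:#010x}"),
        "flags": flags, "running_instances": instances,
        "last_run": datetime(year, month, day, hour, minute, sec, ms * 1000) if year else None,
        "triggers": triggers,
    }

def is_at_job(job):
    """Heuristic (this example's own): job written by the AT service on behalf of SYSTEM."""
    return job["author"] == "SYSTEM" and job["comment"] == "Created by NetScheduleJobAdd."

if __name__ == "__main__":
    for key, value in parse_job(AT1_JOB).items():
        print(f"{key:>18}: {value}")
```

The parse gives status SCHED_S_TASK_RUNNING with one running instance, a last run of 2015-06-11 18:25:00.028 local time (22:25 UTC, the start time of bg.jpg in pslist), a single ONCE trigger for 18:25, author SYSTEM and the comment the AT service writes for jobs submitted through NetScheduleJobAdd, i.e. at.exe or a direct call to that RPC interface. The 72-hour maximum run time is the at.exe default.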
Dump the Security event log to identify who created the scheduled task.
$ python vol.py -f $mem --profile=Win2008SP1x86 filescan | grep -i 'security'
Volatility Foundation Volatility Framework 2.6.1
0x000000001ee09960 3 1 RW---- \Device\HarddiskVolume1\Windows\System32\config\RegBack\SECURITY
0x000000001f091600 11 1 RW---- \Device\HarddiskVolume1\Windows\System32\config\SECURITY
0x000000001f1ed2c0 13 1 RW-r-- \Device\HarddiskVolume1\Windows\System32\winevt\Logs\Security.evtx
0x000000001fa06ed8 1 1 RW---- \Device\HarddiskVolume1\Windows\System32\config\SECURITY.LOG1
0x000000001fa31308 17 1 RWDr-d \Device\HarddiskVolume1\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl
0x000000001fa31b00 1 1 RW---- \Device\HarddiskVolume1\Windows\System32\config\SECURITY.LOG2
0x000000001fa37a60 1 1 RW-r-d \Device\HarddiskVolume1\Windows\System32\winevt\Logs\Microsoft-Windows-Security-Configuration-Wizard%4Operational.etl
0x000000001fa37b08 1 1 RW-r-d \Device\HarddiskVolume1\Windows\System32\winevt\Logs\Microsoft-Windows-Security-Configuration-Wizard%4Diagnostic.etl
$ python vol.py -f $mem --profile=Win2008SP1x86 dumpfiles -Q 0x000000001f1ed2c0 -D /mnt/volatility/DF/tomcat-dump/security-log/
Volatility Foundation Volatility Framework 2.6.1
DataSectionObject 0x1f1ed2c0 None \Device\HarddiskVolume1\Windows\System32\winevt\Logs\Security.evtx
SharedCacheMap 0x1f1ed2c0 None \Device\HarddiskVolume1\Windows\System32\winevt\Logs\Security.evtx
Rename file.None.0x831ef6a0.vacb to file.None.0x831ef6a0.vacb.evtx (dumpfiles wrote both the DataSectionObject and the SharedCacheMap copy; for a log that is being written to, the cache-manager copy is usually the fresher one, and either may be truncated since it is reconstructed from memory). Open it in Event Viewer and filter on Event ID 4698 (a scheduled task has been created):
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
    <EventID>4698</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12804</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-06-11T22:13:16.426336000Z" />
    <EventRecordID>7273</EventRecordID>
    <Correlation />
    <Execution ProcessID="608" ThreadID="2268" />
    <Channel>Security</Channel>
    <Computer>WIN-CEKM08E74HR</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">WIN-CEKM08E74HR$</Data>
    <Data Name="SubjectDomainName">WORKGROUP</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="TaskName">\At1</Data>
    <Data Name="TaskContent"><?xml version="1.0" encoding="UTF-16"?>
<Task version="1.0" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo />
  <Triggers>
    <TimeTrigger>
      <StartBoundary>2015-06-11T18:25:00</StartBoundary>
    </TimeTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>@AtServiceAccount</UserId>
      <LogonType>InteractiveTokenOrPassword</LogonType>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Actions Context="Author">
    <Exec>
      <Command>c:\windows\12.bat</Command>
    </Exec>
  </Actions>
</Task></Data>
  </EventData>
</Event>
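Pulling the fields out of that event programmatically takes a few lines, because the interesting part (the command) is XML nested inside the event's XML. The following is an added example, not from the original writeup: it parses a 4698 event as it appears in an XML export of the log (where TaskContent is escaped character data, unlike the Event Viewer rendering above), extracts the subject, task name, command, principal and trigger, and applies a simple triage rule. The event text is reconstructed from the one shown above; the function names and the rule are this example's own.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime
from xml.sax.saxutils import escape

EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Task definition carried by the 4698 event above (reconstructed for this example).
TASK_CONTENT = r'''<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.0" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"><RegistrationInfo /><Triggers><TimeTrigger><StartBoundary>2015-06-11T18:25:00</StartBoundary></TimeTrigger></Triggers><Principals><Principal id="Author"><UserId>@AtServiceAccount</UserId><LogonType>InteractiveTokenOrPassword</LogonType><RunLevel>HighestAvailable</RunLevel></Principal></Principals><Actions Context="Author"><Exec><Command>c:\windows\12.bat</Command></Exec></Actions></Task>'''

# The event as an XML export stores it: TaskContent is escaped character data.
EVENT_XML = '''<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
    <EventID>4698</EventID>
    <TimeCreated SystemTime="2015-06-11T22:13:16.426336000Z" />
    <EventRecordID>7273</EventRecordID>
    <Execution ProcessID="608" ThreadID="2268" />
    <Channel>Security</Channel>
    <Computer>WIN-CEKM08E74HR</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">WIN-CEKM08E74HR$</Data>
    <Data Name="SubjectDomainName">WORKGROUP</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="TaskName">\\At1</Data>
    <Data Name="TaskContent">__TASK_CONTENT__</Data>
  </EventData>
</Event>'''.replace("__TASK_CONTENT__", escape(TASK_CONTENT))

def _systemtime(ts):
    """'2015-06-11T22:13:16.426336000Z' (100 ns resolution) -> aware UTC datetime."""
    m = re.fullmatch(r"(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.(\d+))?Z", ts)
    if not m:
        raise ValueError(f"unexpected SystemTime {ts!r}")
    frac = (m.group(2) or "")[:6].ljust(6, "0")  # datetime stops at microseconds
    return datetime.fromisoformat(f"{m.group(1)}.{frac}+00:00")

def parse_4698(xml_text):
    """Flatten a 4698 event, including the task definition nested in TaskContent."""
    ev = ET.fromstring(xml_text)
    system = ev.find("e:System", EVT_NS)
    if system.find("e:EventID", EVT_NS).text != "4698":
        raise ValueError("not a 4698 (scheduled task created) event")
    data = {d.get("Name"): (d.text or "")
            for d in ev.find("e:EventData", EVT_NS).findall("e:Data", EVT_NS)}
    # TaskContent is a whole XML document; drop its declaration (it describes the
    # original UTF-16 buffer, not this str) and parse it on its own.
    task = ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", data["TaskContent"]).strip())

    def text(path):
        el = task.find(path, TASK_NS)
        return el.text if el is not None else None

    return {
        "created_utc": _systemtime(system.find("e:TimeCreated", EVT_NS).get("SystemTime")),
        "record_id": int(system.find("e:EventRecordID", EVT_NS).text),
        "subject_sid": data.get("SubjectUserSid"),
        "subject_user": data.get("SubjectUserName"),
        "subject_logon_id": data.get("SubjectLogonId"),
        "task_name": data.get("TaskName"),
        "command": text("t:Actions/t:Exec/t:Command"),
        "arguments": text("t:Actions/t:Exec/t:Arguments"),
        "run_as": text("t:Principals/t:Principal/t:UserId"),
        "run_level": text("t:Principals/t:Principal/t:RunLevel"),
        "start_boundary": text("t:Triggers/t:TimeTrigger/t:StartBoundary"),
    }

def triage_4698(event):
    """Reasons to look closer (this example's own rule set)."""
    reasons = []
    if event["subject_sid"] == "S-1-5-18":
        reasons.append("subject is LocalSystem (S-1-5-18)")  # created from a SYSTEM context, e.g. a service
    cmd = (event["command"] or "").lower()
    if not cmd.startswith(("c:\\windows\\system32\\", "%systemroot%\\system32\\")):
        reasons.append("command outside System32")
    if cmd.endswith((".bat", ".cmd", ".vbs", ".js", ".ps1")):
        reasons.append("command is a script")
    if event["run_as"] == "@AtServiceAccount":
        reasons.append("legacy at.exe job (runs as the AT service account, SYSTEM by default)")
    return reasons

if __name__ == "__main__":
    event = parse_4698(EVENT_XML)
    for key, value in event.items():
        print(f"{key:>16}: {value}")
    print("triage:", triage_4698(event))
```

The subject is the machine account under SID S-1-5-18 with logon ID 0x3e7, the LocalSystem session; that is the same identity shown in the Tomcat process environment, and the 22:13:16 UTC creation time is the 18:13:16 -0400 POST /webfiles/ in the access log, so the task was registered from the web shell.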
Executive Summary
We have a Tomcat 7 installation on a Windows Server 2008 box, with the service running as LocalSystem. The attacker at 58.64.141.245 first touched /manager/html on 8 June (answered 401) and on 11 June authenticated to the Manager application with the example credentials tomcat/tomcat, deployed a WAR containing jsp File Browser 1.2 as the /webfiles context, and used its upload and 'launch external program' functions with SYSTEM privileges. Through it they placed Windows Credential Editor in the web root disguised as bg.jpg, uploaded 12.bat (which runs WCE with -e -o to write the NTLM hashes of logged-on accounts to sm.gif in the web root), and scheduled it with at for 18:25 local; the resulting At1.job is authored by SYSTEM and the Security log's 4698 event is stamped 22:13:16 UTC, matching the POST /webfiles/ at 18:13:16 -0400, with the machine account (S-1-5-18) as subject. WCE ran at 18:25 and at 18:27 the attacker downloaded sm.gif through the file browser, obtaining the LM and NT hashes of the local Administrator account. All of the compromise activity took place on 11 June 2015 from 58.64.141.245.