Crown Jewel 1
https://app.hackthebox.com/sherlocks/CrownJewel-1
In this challenge we have a couple of different log sources, including Windows event logs as well as a Master File Table (MFT).
Ref: https://learn.microsoft.com/en-us/windows/win32/fileio/master-file-table
As far as tools go, I am planning on using chainsaw as much as I can to get more familiar with it.
https://github.com/WithSecureLabs/chainsaw
We will also need a way to view the MFT. For this we will be using some more of Eric Zimmerman's tools, specifically MFTECmd and EZViewer.
https://ericzimmerman.github.io/#!index.md
Task 1
Attackers can abuse the vssadmin utility to create volume shadow snapshots and then extract sensitive files like NTDS.dit to bypass security mechanisms. Identify the time when the Volume Shadow Copy service entered a running state.
For this first task, we will search the event logs for "Volume Shadow Copy" using chainsaw.
This returns a single hit, which contains the timestamp we are looking for.
2024-05-14 03:42:16
Task 2
When a volume shadow snapshot is created, the Volume shadow copy service validates the privileges using the Machine account and enumerates User groups. Find the User groups it enumerates, the Subject Account name, and also identify the Process ID(in decimal) of the Volume shadow copy service process
For this next task we will be using chainsaw again, this time searching for vssvc (the Volume Shadow Copy service).
We get a couple of results back. Among these we can see the following:
SubjectUserName: DC01$ (This is the account running vssvc)
CallerProcessName: C:\Windows\System32\VSSVC.exe (The process we are searching for)
Groups:
Administrators
Backup Operators
PID: 828
This question is weird because it asks for User Groups, Subject account name, and the PID, but we don’t actually need the PID in our answer.
Task 3
Identify the Process ID (in Decimal) of the volume shadow copy service process.
This answer is already in the logs we are looking at; we just need to convert the hex value to decimal.
0x1190 = 4496 decimal
4496
Task 4
Find the assigned Volume ID/GUID value to the Shadow copy snapshot when it was mounted.
For this task, we will search for volumeshadowcopy (no spaces this time) and get a couple of results.
The part of this log that gives us our answer is the VolumeCorrelationID.
06C4A997-CCA8-11ED-A90F-000C295644F9
Task 5
Identify the full path of the dumped NTDS database on disk.
For this task, we need to move away from the logs and look at the MFT.
Grab MFTECmd from: https://ericzimmerman.github.io/#!index.md
Export the MFT as a CSV.
We then filter down to .dit files and look for one that was recently created.
Here we can see one under .\Users\Administrator\Documents\backup_sync_dc
C:\Users\Administrator\Documents\backup_sync_dc\ntds.dit
Task 6
When was newly dumped ntds.dit created on disk?
We can see this answer on the same CSV line as before.
My screenshot looks weird because I kept messing with the number/date formatting trying to figure out what I was missing. It turns out the answer is a second off for some reason?
2024-05-14 03:44:22
Task 7
A registry hive was also dumped alongside the NTDS database. Which registry hive was dumped and what is its file size in bytes?
We can find this by filtering the MFT CSV down to the parent path .\Users\Administrator\Documents\backup_sync_dc
We can see another file, SYSTEM, and its file size.
SYSTEM, 17563648
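As an added example (not part of this writeup, and not MFTECmd's or chainsaw's own code), the Python below automates the MFT triage from Tasks 5 to 7: it reads an MFTECmd-style CSV, picks the newest .dit created outside the live NTDS directory, builds its full path, and lists the files dumped alongside it in the same folder. The column names and the sample rows are assumptions constructed for the example.

```python
import csv
import io
from datetime import datetime

# Constructed sample in the column layout MFTECmd writes (ParentPath, FileName,
# Extension, FileSize and Created0x10 are assumed column names; a real export
# carries many more). The backup_sync_dc ntds.dit row mirrors the writeup; the
# other rows, sizes and timestamps are invented for this example.
SAMPLE_MFT_CSV = """ParentPath,FileName,Extension,FileSize,Created0x10
.\\Windows\\NTDS,ntds.dit,.dit,25165824,2023-01-10 08:00:00.0000000
.\\Windows\\System32\\config,SYSTEM,,17563648,2023-01-10 08:00:00.0000000
.\\Users\\Administrator\\Documents\\backup_sync_dc,ntds.dit,.dit,25165824,2024-05-14 03:44:22.0000000
.\\Users\\Administrator\\Documents\\backup_sync_dc,SYSTEM,,17563648,2024-05-14 03:44:23.0000000
.\\Users\\Administrator\\Documents\\backup_sync_dc,notes.txt,.txt,12,2024-05-14 03:50:00.0000000
"""

LIVE_NTDS_DIR = ".\\Windows\\NTDS"  # where the AD database legitimately lives

def parse_timestamp(value):
    """MFTECmd writes 7 fractional digits; strptime's %f accepts at most 6."""
    return datetime.strptime(value[:26], "%Y-%m-%d %H:%M:%S.%f")

def load_mft_rows(csv_text):
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["FileSize"] = int(row["FileSize"])
        row["Created"] = parse_timestamp(row["Created0x10"])
        rows.append(row)
    return rows

def full_path(row, drive="C:"):
    # ParentPath is relative to the volume root (".\Users\..."), so drop the dot
    return drive + row["ParentPath"].lstrip(".") + "\\" + row["FileName"]

def find_dumped_ntds(rows):
    """Newest .dit entry created anywhere other than the live NTDS directory."""
    candidates = [r for r in rows if r["Extension"].lower() == ".dit"
                  and r["ParentPath"].lower() != LIVE_NTDS_DIR.lower()]
    return max(candidates, key=lambda r: r["Created"]) if candidates else None

def files_dumped_alongside(rows, dit_row, window_seconds=60):
    """Other files in the same directory created within window_seconds of the .dit."""
    return [(r["FileName"], r["FileSize"]) for r in rows
            if r is not dit_row and r["ParentPath"] == dit_row["ParentPath"]
            and abs((r["Created"] - dit_row["Created"]).total_seconds()) <= window_seconds]

if __name__ == "__main__":
    rows = load_mft_rows(SAMPLE_MFT_CSV)
    dit = find_dumped_ntds(rows)
    print(full_path(dit), dit["Created"], files_dumped_alongside(rows, dit))
```

Run it against a real MFTECmd export by loading the CSV file's text in place of SAMPLE_MFT_CSV; the time window keeps unrelated files in the same folder out of the "dumped alongside" list.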
Overall, this was a good place to get more comfortable with Chainsaw and I learned a bit about the Master File Table.