Try Hack Me: Conti

This room was released on 1/7/2021 and it is rated Medium in difficulty. Shou-out to the room creator, @heavenraiza who also recognized Bohan Zhang for the challenge. You can access the room at https://tryhackme.com/room/contiransomwarehgh.

This is a blueteam challenge. The skills/tools to be tested and needed to complete this challenge are Splunk and Googling. I liked this room because my Splunking skills need brushing up.

I intentionally masked parts of the answers so you will have to perform some hands-on work to find the entirety of the answers. This was a great room to practice SIEM skills using Splunk.

  • Can you identify the location of the ransomware?
    • C:\*****\*************\*********\***.**e
  • What is the Sysmon event ID for the related file creation event?
    • **
  • Can you find the MD5 hash of the ransomware?
    • 2********************C
  • What file was saved to multiple folder locations?
    • r*****.**t
  • What was the command the attacker used to add a ner user to the compromised system?
    • n** **** /*** ************* *************$
The query I used was host=”WIN-AOQKG2AS2Q7″ net user /add
  • The attacker migrated the process for better persistence. What is the migrated process image (executable), and what is the original process image (executable) when the attacker got on the system?
    • C:\*******\********\*****************\**.*\**********.***,*:\*******\********\****\********.**e
The query I used was host=”WIN-AOQKG2AS2Q7″ sourcetype=”WinEventLog:Microsoft-Windows-Sysmon/Operational” EventCode=”8″
  • The attacker also retreieved the system hashes. What is the process image used for getting the system hashes?
    • C:\*******\********\*****.**e
The query I used was host=”WIN-AOQKG2AS2Q7″ sourcetype=”WinEventLog:Microsoft-Windows-Sysmon/Operational” EventCode=”8″
  • What is the web shell the exploit deployed to the system?
    • i***********.***x
The query I used was host=”WIN-AOQKG2AS2Q7″ sourcetype=”iis” cs_method=POST c_ip=”10.10.10.2″
The query I used was index=* i**********.***x
  • What three CVEs did this exploit leverage?
    • CVE-****-****,CVE-****-*****,CVE-****-*****

I spent way more time researching for the answer to the last question than answering the first 9 questions. So, to help you with the last question. I found the answers in an article published by https://www.cyfirma.com. Don’t waste your time trying to enter the CVEs from the three latest Microsoft Exchange ProxyShell: CVE-2021-34473, CVE-2021-34523, CVE-2021-31207 that were all discovered by Orange Tsai during the Pwn2Own 2021 hacking contest.

Published by lightkunyagami

https://tryhackme.com/badge/18276

Join the Conversation

3 Comments

  1. I always look forward to your posts and write-ups. How long did it take you? I thought it humorous you were like “don’t waste your time”. ha

    Liked by 1 person

Leave a comment

Leave a Reply to jdmorto Cancel reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: