Bouncing Buffalo 4/22/2021

The IT Nation Secure CTF had 65 attendees spread over 36 teams. Over 24 hours, seven teams completed all the challenges, working until the very last minute. Through the Perch console, the teams investigated a simulated buffalo jump, in which the adversary compromises the MSP and then uses its privileged accounts against the MSP's clients.

In this buffalo jump scenario, the attacker first used WPScan against evilecorp.com to enumerate the username evilecorpadmin, then brute-forced that account's password. Next, the attacker brute-forced the password for the same username on the MSP's Automate server over RDP. After some reconnaissance of the server, an Empire stager was dropped into the environment and given persistence through a Windows Task Scheduler task. Automate was then used to push stagers to each client's machines. Once persistence was configured on all machines, the attacker ran the Dearcrypt ransomware.
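The three noisiest steps of that chain (the WordPress login brute force, the RDP brute force that finally succeeds, and the scheduled task used for persistence) are exactly the kind of thing the teams had to dig out of the logs. As an added example, not code from the original post and not Perch's own detection logic, here is a small Python detector that flags those three steps over constructed log lines. The simplified web-log and Windows-event formats, the IP addresses, the task name and the command are all assumptions made for the demo; only the username evilecorpadmin and the Windows event IDs (4625 failed logon, 4624 successful logon, logon type 10 for RDP, 4698 scheduled task created) come from the scenario or from Windows itself.

```python
"""Detection logic for the buffalo-jump chain: WordPress brute force,
RDP brute force ending in success, and scheduled-task persistence.

Added example; the sample log lines below are constructed, not CTF data.
"""
from collections import defaultdict
import re

# Simplified combined-log-style web line: "<ip> - - \"POST /wp-login.php ...\" <status>"
WP_LOGIN_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ "POST /wp-login\.php')
# Simplified Windows event line: space-separated key=value pairs.
WIN_KV_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample events as (source, line). Addresses are RFC 5737 test ranges.
SAMPLE_LOGS = (
    [("web", '203.0.113.7 - - "POST /wp-login.php HTTP/1.1" 200') for _ in range(8)]
    + [("web", '198.51.100.9 - - "GET /index.php HTTP/1.1" 200')]
    + [("win", "EventID=4625 TargetUserName=evilecorpadmin LogonType=10 IpAddress=203.0.113.7")
       for _ in range(6)]
    # Network (type 3) failure from another host: unrelated noise the RDP rule must ignore.
    + [("win", "EventID=4625 TargetUserName=svc_backup LogonType=3 IpAddress=10.0.0.5")]
    + [("win", "EventID=4624 TargetUserName=evilecorpadmin LogonType=10 IpAddress=203.0.113.7")]
    # Hypothetical task name and command standing in for the stager's persistence.
    + [("win", "EventID=4698 SubjectUserName=evilecorpadmin TaskName=\\Updater Command=powershell.exe")]
)


def parse_windows_event(line):
    """Turn 'EventID=4625 TargetUserName=bob ...' into a dict of fields."""
    return dict(WIN_KV_RE.findall(line))


def detect_wp_bruteforce(web_lines, threshold=5):
    """Count POSTs to wp-login.php per source IP; return IPs at or above threshold."""
    posts = defaultdict(int)
    for line in web_lines:
        m = WP_LOGIN_RE.match(line)
        if m:
            posts[m.group("ip")] += 1
    return {ip: n for ip, n in posts.items() if n >= threshold}


def detect_rdp_bruteforce(win_lines, threshold=5):
    """Flag (user, ip, failures) when at least `threshold` RDP (logon type 10)
    failures for a user/IP pair are followed by a successful RDP logon from
    the same pair, i.e. the brute force worked."""
    failures = defaultdict(int)
    alerts = []
    for line in win_lines:
        ev = parse_windows_event(line)
        if ev.get("LogonType") != "10":
            continue
        key = (ev.get("TargetUserName"), ev.get("IpAddress"))
        if ev.get("EventID") == "4625":
            failures[key] += 1
        elif ev.get("EventID") == "4624" and failures[key] >= threshold:
            alerts.append((key[0], key[1], failures[key]))
    return alerts


def detect_scheduled_tasks(win_lines):
    """Return (creator, task name, command) for every scheduled-task creation (4698)."""
    found = []
    for line in win_lines:
        ev = parse_windows_event(line)
        if ev.get("EventID") == "4698":
            found.append((ev.get("SubjectUserName"), ev.get("TaskName"), ev.get("Command")))
    return found


def run_detections(logs):
    """Split the combined feed by source and run all three rules."""
    web = [line for src, line in logs if src == "web"]
    win = [line for src, line in logs if src == "win"]
    return {
        "wp_bruteforce": detect_wp_bruteforce(web),
        "rdp_bruteforce": detect_rdp_bruteforce(win),
        "scheduled_tasks": detect_scheduled_tasks(win),
    }


if __name__ == "__main__":
    for rule, hits in run_detections(SAMPLE_LOGS).items():
        print(rule, hits)
```

Two caveats a practitioner would want: the RDP rule deliberately keys on logon type 10 so that ordinary network (type 3) failures from service accounts do not inflate the count, and event 4698 only appears at all if the "Audit Other Object Access Events" subcategory is enabled on the host, so on a default install the scheduled-task step would have to be found from the Task Scheduler operational log or the task XML on disk instead.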

The CTF participants followed this four-hour attack from start to finish through the logs and packets captured in Perch. Some of the flags were easy for most teams to find, such as the plaintext password passed to evilecorp.com. Others were much more complicated, with only seven teams solving them. Everyone who participated enjoyed learning Perch while competing for the grand prize. As the competition came to an end, many participants said they would like to see more events like the IT Nation Secure CTF.
