{"id":199,"date":"2019-01-17T04:27:48","date_gmt":"2019-01-17T04:27:48","guid":{"rendered":"https:\/\/mrjsec.co.uk\/blog\/?p=199"},"modified":"2019-01-17T04:27:57","modified_gmt":"2019-01-17T04:27:57","slug":"pepper-minstix-yule-log-analysis","status":"publish","type":"post","link":"https:\/\/mrjsec.co.uk\/blog\/pepper-minstix-yule-log-analysis\/","title":{"rendered":"
Pepper Minstix – Yule Log Analysis<\/center>"},"content":{"rendered":"\n

We speak to Pepper Minstix, who has been a victim of password spraying!
“We fear that they were successful in accessing one of our Elf Web Access accounts,
but we don’t know which one.
Parsing through .evtx files can be tricky, but there’s a Python script that can help you convert it into XML for easier grep’ing.”<\/p>\n\n\n\n

We are given this URL <\/a>for a hint.<\/p>\n\n\n\n

When we open the terminal for Yule Log Analysis were greeted with this.<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

“I am Pepper Minstix, and I’m looking for your help.
Bad guys have us tangled up in pepperminty kelp!
“Password spraying” is to blame for this our grinchy fate.
Should we blame our password policies which users hate?

Here you’ll find a weblog filled with failure and success.
One successful login there requires your redress.
Can you help us figure out which user attacked?
Tell us who fell victim, and please handle this with tact.

Submit the compromised webmail username to
“run to answer” to complete this challenge.”<\/p>\n\n\n\n

So, check the logs. Find the one who fell victim and use run to answer to submit the compromised webmail username.<\/p>\n\n\n\n

We have three files “evtx_dump. Py<\/a>“, “ho-ho-no.evtx” and “runtoanswer” evtx_dump.py is a python script to “Dump a binary EVTX file into XML” which is for ho-ho-no.evt which is the weblog filled with failure and success and run to answer where we submit our answer.<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

I am using the command python evtx_dump. Py ho-ho-no.evtx, where given a whole butch of logs.<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

I could spend hours going through each event and finding who’s user was attacked. However, the challenge is to figure out which user was attacked and “Submit the
compromised webmail username to run to answer to complete this challenge.”
Password Spraying: “Password spraying refers to the attack method that takes a large number of usernames and loops them with a single password.”<\/p>\n\n\n\n

So, we need to find which username has logged in more than once. I have an idea!
First let’s run python evtx_dump.py ho-ho-no.evtx > log.text this will dump all of ho
ho-no.evtx into log.text.<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

Now let’s look at some of the log’s and find the username prefix, which is “TargetUserName”.<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

Now we have the prefix; we use grep to find only the TargetUserName parts.
grep -r “TargetUserName” log.text.<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

Ok! Now have the Usernames we needed, so let’s copy them. So in this case, use this website<\/a> to paste them in, and this website makes the following “Count Duplicates in a List Online Tool.<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

So the answer is “minty. candycane”, why? We’ll see because of minty candy cane duplicates itself six times! Which means the password spraying looped this username.<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

Thinking outside the box here!<\/p>\n\n\n\n

References:
\nhttps:\/\/www.somacon.com\/p568.php
\nhttps:\/\/www.howtoforge.com\/tutorial\/linux-grep-command\/
\nhttps:\/\/resources.infosecinstitute.com\/password-spraying\/<\/p>\n","protected":false},"excerpt":{"rendered":"

We speak to Pepper Minstix, who has been a victim of password spraying!“We fear that they were successful in accessing one of our Elf Web Access accounts,but we don’t know which one.Parsing through .evtx files…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[10],"tags":[13,14,12],"class_list":["post-199","post","type-post","status-publish","format-standard","hentry","category-kringlecon-2018","tag-13","tag-ctf","tag-kringlecon"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/paD3U6-3d","_links":{"self":[{"href":"https:\/\/mrjsec.co.uk\/blog\/wp-json\/wp\/v2\/posts\/199","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mrjsec.co.uk\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mrjsec.co.uk\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mrjsec.co.uk\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mrjsec.co.uk\/blog\/wp-json\/wp\/v2\/comments?post=199"}],"version-history":[{"count":1,"href":"https:\/\/mrjsec.co.uk\/blog\/wp-json\/wp\/v2\/posts\/199\/revisions"}],"predecessor-version":[{"id":208,"href":"https:\/\/mrjsec.co.uk\/blog\/wp-json\/wp\/v2\/posts\/199\/revisions\/208"}],"wp:attachment":[{"href":"https:\/\/mrjsec.co.uk\/blog\/wp-json\/wp\/v2\/media?parent=199"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mrjsec.co.uk\/blog\/wp-json\/wp\/v2\/categories?post=199"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mrjsec.co.uk\/blog\/wp-json\/wp\/v2\/tags?post=199"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}