Post Fri Aug 24, 2007 11:33 pm

Skillz June 07 Winning Entry - Creative

Andrew Laman

Thanks Matt for the great challenge.  I really appreciate you taking the time to put it together (I'm a big Firefly/Serenity fan).

Don - thanks for hosting and good luck with ChicagoCon.

-Andy

---------------------------------------------------------------------------------

"No power in the 'verse can stop me!" exclaims Kaylee as she begins typing on the keyboard.

E:\sysinternals>tcpvcon.exe -a -n

TCPView v2.34 - TCP/UDP endpoint lister
Copyright (C) 1998-2003 Mark Russinovich Sysinternals - www.sysinternals.com

[TCP] C:\niskabot.exe
     PID:     404
     State:   ESTABLISHED
     Local:   172.16.30.129:1080
     Remote:  172.16.30.1:6667

Rubbing grease on the monitor, Kaylee says "There's that little bugger.  All nicely labeled niskabot and running on port 6667 for me, Shiny!"  She continues to type.

E:\sysinternals>procexp.exe

Watching Process Explorer in the background, she keeps typing.

E:\sysinternals>pskill niskabot.exe

PsKill v1.12 - Terminates processes on local or remote systems
Copyright (C) 1999-2005 Mark Russinovich Sysinternals - www.sysinternals.com

Process niskabot.exe killed.

"Now, that there should do it...Huh!??!" Kaylee gasps as she sees a new process pop up in the Process Explorer window.

Stepping out from the shadows, her bare feet barely making a sound, River grabs the keyboard.  "It's broken.  Contradictions, false logistics - doesn't make sense."

C:\>netstat -nao

Active Connections

Proto  Local Address          Foreign Address        State           PID
TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       924
TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
TCP    127.0.0.1:1035         0.0.0.0:0              LISTENING       1164
TCP    172.16.30.129:139      0.0.0.0:0              LISTENING       4
TCP    172.16.30.129:1081     172.16.30.1:6667       ESTABLISHED     1111
UDP    0.0.0.0:445            *:*                                    4
UDP    0.0.0.0:500            *:*                                    704
UDP    127.0.0.1:123          *:*                                    1020
UDP    172.16.30.129:123      *:*                                    1020
UDP    172.16.30.129:137      *:*                                    4
UDP    172.16.30.129:138      *:*                                    4

"River, no no.  What are you doing?" shouts Kaylee.

"Sysinternals is not a natural part of Windows.  It doesn't belong, you can't use it." continues River as she types on the keyboard.

C:\>wmic process list brief
HandleCount  Name                 Priority  ProcessId  ThreadCount  WorkingSetSize
0            System Idle Process  0         0          1            28672
427          System               8         4          50           258048
21           smss.exe             11        560        3            409600
455          csrss.exe            13        624        12           2596864
524          winlogon.exe         13        648        18           4128768
277          services.exe         9         692        15           3346432
344          lsass.exe            9         704        18           1458176
213          svchost.exe          8         856        16           5099520
284          svchost.exe          8         924        10           4247552
1319         svchost.exe          8         1020       60           22945792
191          ccSetMgr.exe         8         1236       6            4018176
294          ccEvtMgr.exe         8         1264       16           2998272
56           VMwareService.exe    13        388        3            3022848
104          alg.exe              8         1164       5            3579904
36           wscntfy.exe          8         1708       1            2330624
435          explorer.exe         8         1720       13           7733248
32           VMwareTray.exe       8         516        1            3096576
79           VMwareUser.exe       8         1780       3            4730880
242          ccApp.exe            8         1788       8            8585216
99           ctfmon.exe           8         1812       1            3551232
32           cmd.exe              8         3164       1            2813952
239          procexp.exe          13        3804       4            16363520
28           niskabot.exe         8         1111       1            1888256
139          wmic.exe             8         2200       3            5853184
141          wmiprvse.exe         8         2256       6            5722112

"River, Sysinternals was bought by Microsoft like a million centuries ago." says Kaylee.

"So, we'll integrate non-progressional evolution theory with Microsoft's acquisition of Sysinternals.  Niskabot is running with the process id of two elevens.  Eleven.  Important number.  Prime number.
One goes into the house of eleven eleven times, but always comes out one.  This recovery after failure is a problem."  River continues to type.

C:\>sc delete niskabot
C:\>regedit

Navigating to the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
keys, River deletes Microsoft Update=niskabot.exe.

C:\>wmic process 1111 delete

"River, you can't go use'n the system tools on a compromised system.
What if them system tools were modified?" says Kaylee as she tries to tug the keyboard out of River's hands.

Mal interrupts the keyboard tug-of-war "Are we going to get my boat fixed to-DAY!?"

"Day is a vestigial mode of time measurement based on solar cycles.
It's not applicable..." states River as she lets go of the keyboard.

"Come on Mal.  Let me introduce her to Vera." Jayne begs staring at River.

River glances up at Jayne, "I can kill you with my brain."

Simon grabs River's arm and starts walking her off the bridge as River mumbles, "Liou coe shway duh biao-tze huh hoe-tze duh bun ur-tze."

Mal ignores them, "You tell me right now, little Kaylee, you really think you can fix this?"

"Sure. Yeah. I think so. 'Sides, if I mess up, not like you'll be able to yell at me." says Kaylee with a smile. "You see Capt'n, if I just move the source over to one of my Linux boxes, and grep for 'RegisterCommand'...there, now let's see what we can be doin' with this list of commands.  Oh uh, a password."  but Mal has turned his attention back to Wash.

Kaylee continues anyways, "See this assembl'r code, Zoey.  Well, it appears they're try'n to obfuscate the password."  Kaylee puts the password in order and MalloryWasHot! shows up on the grease covered screen.

"Hey y'all, look." shouts Kaylee.  "Someone must've seen Mal in the wagon on Triumph all fancy'd up in that purty floral bonnet and dress."

Confused, Jayne looks over Kaylee's shoulder at the monitor.  "Oh crap, Justine Bateman is attacking us!" he screams as he jumps back from the screen.

"Jayne, it is common knowledge that Lucy Mallory was one of the passengers on Stagecoach." inserts Book.  "As a 1939 Western Classic, Stagecoach..."

Zoey interrupts "Alice and Bob are always defend'n themselves against attacks from Eve and Mallory.  This must be some of their code."

Everyone looks over to Mal.
...

Mal:  "Uh.. ok.  Great then.  Wash!  How are we doin'?"


Posted by Don.
Last edited by don on Fri Aug 24, 2007 11:42 pm, edited 1 time in total.
CISSP, MCSE, CSTA, Security+ SME
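The triage Kaylee and River walk through above (find the process behind the connection to port 6667, map its PID to an image name, kill it, notice the same image is back under a new PID) as an added example; this is not code from the original post or the challenge. It parses the text of `netstat -nao` and `wmic process list brief` rather than querying a live host, which is the point Kaylee makes about not trusting tools on a compromised box: copy the output off and analyse it elsewhere. The two snapshots are constructed from the output shown in the post (PID 404 before `pskill`, PID 1111 after); `SUSPECT_PORTS`, the function names and the regexes are assumptions of this example.

```python
"""Correlate netstat -nao with wmic process list brief, and spot a respawn."""
import re

SUSPECT_PORTS = {6667}  # IRC, the port niskabot phones home to in the post

# Constructed snapshots, trimmed from the output in the post.
# "before": first look at the box (niskabot is PID 404).
# "after":  pskill has run and the bot has come back (PID 1111, new source port).
NETSTAT_BEFORE = """\
Active Connections

Proto  Local Address          Foreign Address        State           PID
TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       924
TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
TCP    172.16.30.129:1080     172.16.30.1:6667       ESTABLISHED     404
UDP    172.16.30.129:137      *:*                                    4
"""

NETSTAT_AFTER = """\
Active Connections

Proto  Local Address          Foreign Address        State           PID
TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       924
TCP    172.16.30.129:1081     172.16.30.1:6667       ESTABLISHED     1111
UDP    172.16.30.129:137      *:*                                    4
"""

WMIC_BEFORE = """\
HandleCount  Name                 Priority  ProcessId  ThreadCount  WorkingSetSize
0            System Idle Process  0         0          1            28672
427          System               8         4          50           258048
284          svchost.exe          8         924        10           4247552
28           niskabot.exe         8         404        1            1888256
"""

WMIC_AFTER = """\
HandleCount  Name                 Priority  ProcessId  ThreadCount  WorkingSetSize
0            System Idle Process  0         0          1            28672
427          System               8         4          50           258048
284          svchost.exe          8         924        10           4247552
435          explorer.exe         8         1720       13           7733248
28           niskabot.exe         8         1111       1            1888256
"""

# netstat -nao rows: proto, local, foreign, optional state (UDP has none), PID.
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")
# wmic brief rows: handle count, a name that may contain spaces, then four numbers.
# The header line (and the wrapped "WorkingSetSize" line wmic prints) never matches.
WMIC_RE = re.compile(r"^\s*(\d+)\s+(.+?)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def remote_port(endpoint):
    """Port of 'host:port'; None for wildcard endpoints such as '*:*'."""
    _, _, port = endpoint.rpartition(":")
    return int(port) if port.isdigit() else None


def parse_netstat(text):
    conns = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            conns.append({"proto": proto, "local": local, "remote": remote,
                          "state": state or "", "pid": int(pid)})
    return conns


def parse_wmic(text):
    """Map ProcessId -> image name from `wmic process list brief` output."""
    procs = {}
    for line in text.splitlines():
        m = WMIC_RE.match(line)
        if m:
            _handles, name, _prio, pid, _threads, _wss = m.groups()
            procs[int(pid)] = name.strip()
    return procs


def suspicious_endpoints(netstat_text, wmic_text, ports=SUSPECT_PORTS):
    """Established connections to a suspect remote port, joined to the owning image."""
    procs = parse_wmic(wmic_text)
    hits = []
    for c in parse_netstat(netstat_text):
        if c["state"] == "ESTABLISHED" and remote_port(c["remote"]) in ports:
            hits.append((c["pid"], procs.get(c["pid"], "<unknown>"), c["local"], c["remote"]))
    return hits


def detect_respawn(wmic_before, wmic_after, killed_pid):
    """If the image that was killed at killed_pid is back under other PIDs, report it."""
    before, after = parse_wmic(wmic_before), parse_wmic(wmic_after)
    name = before.get(killed_pid)
    if name is None or killed_pid in after:
        return None  # PID unknown in the first snapshot, or the kill did not take
    new_pids = sorted(pid for pid, n in after.items() if n.lower() == name.lower())
    if not new_pids:
        return None
    return {"name": name, "old_pid": killed_pid, "new_pids": new_pids}


if __name__ == "__main__":
    for pid, name, local, remote in suspicious_endpoints(NETSTAT_BEFORE, WMIC_BEFORE):
        print(f"suspect: pid={pid} image={name} {local} -> {remote}")
    print("respawn:", detect_respawn(WMIC_BEFORE, WMIC_AFTER, 404))
```

A process that returns under a new PID after `pskill` is the signal that the problem is persistence, not the running image, which is why the story moves on to `sc delete` and the Run/RunServices keys; a respawn hit from `detect_respawn` is the cue to go looking for the service or autorun entry before killing anything again.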