Write-up author: jon-brandy
During recent auditing, we noticed that network authentication is not forced upon remote connections to our Windows 2012 server. That led us to investigate our system for suspicious logins further. Provided the server's event logs, can you find any suspicious successful login? To get the flag, connect to the docker service and answer the questions.
- NONE
- First, unzip the `.zip` file provided.
RESULT
- Hmm.. Let's connect to the given host using netcat.
RESULT
- It seems we need to enumerate the log file to find the correct answer, so let's open the event log file using Event Viewer.
- Based on the question asked, let's open the event log related to it. I found the `security` event log.
RESULT
- Yep, got it right. Let's answer `security`.
RESULT
- Notice that we can move on to the next question:
- Since it's about successful logons, we need to search for successful logon events.
RESULT
- This should be the correct one, because the example answer is an ID. Let's enter the event ID.
RESULT
- To answer this question, scroll down and you'll find this:
RESULT
- Let's look for an authentication package that stands out as different from the rest.
RESULT
- When I traversed the events again, I found this one:
- Let's enter `2022-09-28T13:10:57`. The reason the hour differs from what Event Viewer shows is that I'm in Indonesia, where local time is 7 hours ahead of UTC, so I needed to subtract 7 hours from the displayed timestamp.
- Got the flag!
HTB{34sy_t0_d0_4nd_34asy_t0_d3t3ct}
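Added example (my own script, not part of the original write-up or the challenge files): the same hunt done in PowerShell instead of by scrolling through Event Viewer. It pulls every successful logon (Event ID 4624) from the exported log, groups the events by `AuthenticationPackageName` so the odd package stands out, and prints the timestamps in UTC, which is what the challenge expects and what the `.evtx` file actually stores. The path `.\Security.evtx` is an assumption; the EventData field names used are the standard ones for 4624.

```powershell
# Added example, not from the write-up. Assumes the exported Security log is at .\Security.evtx.
param([string]$Path = ".\Security.evtx")

# Pull a named EventData field out of the event's XML; safer than relying on Properties[] indexes,
# which differ between Windows versions.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# Only successful logons (4624). The XPath filter is applied while reading, so the whole log
# is not loaded into memory first.
$logons = Get-WinEvent -Path $Path -FilterXPath "*[System[EventID=4624]]" -ErrorAction Stop |
    ForEach-Object {
        [pscustomobject]@{
            # TimeCreated is returned in local time; the challenge wants UTC.
            TimeUtc     = $_.TimeCreated.ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss")
            User        = Get-EventField $_ 'TargetUserName'
            LogonType   = Get-EventField $_ 'LogonType'
            AuthPackage = Get-EventField $_ 'AuthenticationPackageName'
            SourceIp    = Get-EventField $_ 'IpAddress'
        }
    }

# Count logons per authentication package; the package with the fewest hits is the lead.
$byPackage = $logons | Group-Object AuthPackage | Sort-Object Count
$byPackage | Format-Table Name, Count -AutoSize

# Show only the logons that used the least common package, already converted to UTC.
$rare = ($byPackage | Select-Object -First 1).Name
$logons |
    Where-Object { $_.AuthPackage -eq $rare } |
    Format-Table TimeUtc, User, LogonType, AuthPackage, SourceIp -AutoSize
```

Run it from the directory holding the unzipped `Security.evtx`. Because the timestamp is converted with `ToUniversalTime()`, the output is the same no matter which time zone the analysis machine is in, which removes the manual "subtract 7 hours" step and the chance of getting it wrong. The grouping only highlights an outlier; you still confirm it by looking at the logon type and source address of the events it returns.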