O7 Bypass the EDR
Last updated
You cashed in your creds and now have initial access to a host in The Lucky Lion's internal network - one step closer to payday!! You better make sure you've got more than one way into this environment in case someone kicks you out - perhaps it would be prudent to download and install some remote management software for future use.
That might be easier said than done, though... you expect The Lucky Lion's security tools might give you trouble. Fortunately, another member of The Mound has written an EDR killer ("f4c3st4b") specific to the EDR you identified earlier. The only issue might be getting it on the host.
Objectives
Download AnyDesk on the
It's not as easy as it sounds!
Flag Format Flag will be wrapped: wicys2024{flag_goes_here}
In this example
flag_goes_here
wicys2024{flag_goes_here}
{flag_goes_here}
would all be accepted as valid flags.
Required Tools
Web Browser
AnyDesk SIMULATED LINK:
"f4c3st4b" EDR Killer SIMULATED LINK:
Additional Resources
Solution: Target created a fake bash shell that they call NARSH ("Not A Real SHell"), fake links, and a fake program ("f4c3st4b" based off of "") with fake commands. The shell is a buggy web app that needs restarts, because it'll suddenly stop processing commands. "help" is a command in bash (but not in Kali Linux). So if you try "help", they programmed it to give a list of available commands: cat, cd, clear, echo, ls, mkdir, pwd, chmod, curl, and ps. But these commands have a lot of their functionality removed. For example, ps limits you to just "ps" and "ps -A". Without "-A", you won't see the PID for the EDR, which is "10". But I'm getting ahead of myself. The first step is always to enumerate your target. Looking through the shell, I noticed the /tmp directory gives me execute permissions, so I go in. I also notice that /usr/bin/cguard has root permissions and can run scripts, which means I can use it to bypass the EDR and download things.
For Aukill to work, the steps are:
gain access to the machine
download Aukill (in our case, we had a script service that allowed us to download facestab)
run Aukill so that it adds a vulnerable driver to the kernel and lets you kill processes
kill the EDR process using Aukill
Using facestab to kill the EDR was infuriating though, because they said to attack like Aukill, but facestab doesn't behave like Aukill! And they said facestab is like backstab, but facestab doesn't even have all of backstab's commands! And the help page for facestab is supposed to list all available commands, but they purposely left one out! What help page leaves out its own commands?!
When you run "help" on facestab, it only shows two options: -h and -p. The hidden one is -k. And they expected you to look up backstab to figure this part out.
Finally, they expect you to run facestab by using the same URL that you used to 'download' it with cguard. Which makes no sense when you already downloaded facestab into /tmp! But this will 'kill' the EDR. After that, you can curl for the AnyDesk link and get the flag.
Flag: wicys2024{anydeskanytime}
Special Thanks to Nicci Colby: After confirming I had 99.9% of the problem figured out by myself, Nicci nudged me towards the hidden option.
At first, I tried to run curl with cguard, which wasted hours of my life, because it only needed a URL. When it works, it automatically 'downloads' facestab into /tmp. (The reality, though, is that the fake shell gave you more access because you submitted the right 'script'.) But cguard won't let me download AnyDesk too! This is because the challenge is about simulating the act of getting a malicious driver onto a target. That's why it recommended an .