TryHackMe Velociraptor Walk-Through

First task that has any questions is…

Task 2

Question 1: Using the documentation, how would you launch an Instant Velociraptor on Windows?

It’s in the documentation. Scroll to “Instant Velociraptor” and you will find…

Answer: Velociraptor.exe gui

Task 3

Question 1: What is the hostname for the client?

Open the Ubuntu terminal and run:

./velociraptor-v0.5.8-linux-amd64 --config velociraptor.config.yaml frontend -v

Let that run for a while….

Then launch Chrome and click on the short cut under the search bar called Velociraptor

If you get the warning about your connection not being private, click the advanced button, then proceed to 127.0.0.1

Enter the sign-in information given in task 3 instructions.

Once it comes up click on the magnifying glass next to the search bar:

Then this loads…

Boom! Hostname.

Answer:

thm-velociraptor.eu-west-1.compute.internal

Question 2: What is listed as the agent version?

From our last step go ahead and click on that Client ID link. It opens up a page with Agent Version on it.

Answer:

2021-04-11T22:11:10Z

Question 3: In the Collected tab, what was the VQL command to query the client user accounts?

Click the collected button at the top of the page. Then click on the requests tab in the bottom frame. The VQL statement we are looking for is the fourth one down:

Answer:

LET Generic_Client_Info_Users_0_0=SELECT Name, Description, Mtime AS LastLogin FROM Artifact.Windows.Sys.Users()

Question 4: In the Collected tab, check the results for the PowerShell whoami command you executed previously. What is the column header that shows the output of the command?

If you didn’t run the whoami command while running through the instructions, do that now. Click on magnifying glass then the Client ID and then on the right upper of the screen you will see the “>_ Shell” button click that run whoami. Then you will see this in the results tab here:

In the screenshot above you can see the column header name is Stdout.

Answer: Stdout

Question 5: In the Shell, run the following PowerShell command Get-Date. What was the PowerShell command executed with VQL to retrieve the result?

This is not the same as pulling the VQL from the previous answer. For this one we have to go to the Log tab after we run the command. There we find the VQL command that was run in the second line. Copy that out starting at the [powershell…

Answer:

[powershell -ExecutionPolicy Unrestricted -encodedCommand RwBlAHQALQBEAGEAdABlAA==]

Task 4

Question 1: Earlier you created a new artifact collection for Windows.KapeFiles.Targets. You configured the parameters to include Ubuntu artifacts. Review the parameter description for this setting. What is this parameter specifically looking for?

The answer for this is in the screenshots for the instructions:

Answer: Ubuntu on Windows Subsystem for Linux

Question 2: Review the output. How many files were uploaded?

I hope you did the exercise otherwise, you won’t find the answer. Take the time go back and do the exercise, then you can find the answer after the process completes:

I’m pretty sure I didn’t do anything wrong here. I see 19 files uploaded and saw other walk-through’s getting the same answer. But the answer TryHackMe wants is 20.

Answer: 20

Task 5

Question 1: Which accessor can access hidden NTFS files and Alternate Data Streams? (format: xyz accessor)

The answer to this is in the documentation. Read the paragraph under VFS accessors.

Answer: ntfs accessor

Question 2: Which accessor provides file-like access to the registry? (format: xyz accessor)

This answer is also in the documentation same section.

Answer: registry accessor

Question 3: What is the name of the file in $Recycle.Bin?

Ok, time to get real. Dive back into Velociraptor and click the little file folder on the left navigation, it’s called virtual file system in the nav. Click File > C: > $Recycle.Bin ? S-1….. file folder under recyclebin. There is your file.

Answer: desktop.ini

Question 4: There is hidden text in a file located in the Admin’s Documents folder. What is the flag?

Alright, Click C: again followed by Users > Administrator > Documents.

The file we want is called flag.txt and we will need to collect it from the host, in order to get the Textview tab to be clickable.

Answer: THM{VkVMT0NJUkFQVE9S}

Task 6

Question 1: What is followed after the SELECT keyword in a standard VQL query?

The answer to this question is found in the documentation. Read the Whitespace section.

Answer: Column Selectors

Question 2: What goes after the FROM keyword?

Keep reading same sentence to get the next anwser.

Answer: VQL Plugin

Question 3: What is followed by the WHERE keyword?

Just keep reading.. Just keep reading… next sentence has the next answer.

Answer: filter expression

Question marked by a “?”. This is also in the documentation, but you will need to navigate to notebooks. Look in number 5 for…

After clicking the Edit Cell button, you can type VQL directory into the cell. As you type, the GUI offers context sensitive suggestions about what possible completions can appear at the cursor. Typing “?” will show all suggestions possible.

Answer: ?

Question: What plugin would you use to run PowerShell code from Velociraptor?

Back to the documentation. Read the section about “Extending Artifacts – PowerShell” to find…

Answer: execve()

Task 7

Question 1: What are the arguments for parse_mft()?

It’s in the documentation. Look under time analysis for…

Answer: parse_mft(filename=”C:/$MFT”, accessor=”ntfs”)

Question 2: What filter expression will ensure that no directories are returned in the results?

Once again answer in the documentation. Filesystem doc under Glob Results.

Answer: IsDir

Task 8

Start the new machine.

Question 1: What is the name in the Artifact Exchange to detect Printnightmare?

Start up Velociraptor by opening a DOS shell and typing…

cd desktop
Velociraptor.exe gui

Let’s check the documentation. Using search I found. https://docs.velociraptor.app/exchange/artifacts/pages/printnightmare/

Answer is in the documentation! Again!

Answer: Windows.Detection.PrintNightmare

Question 2: Per the above instructions, what is your Select clause? (no spaces after commas)

Replace the **** per the instructions.

Answer:

SELECT “C:/” + FullPath AS Full_Path,FileName AS File_Name,parse_pe(file=”C:/” + FullPath) AS PE

Question 3: What is the name of the DLL that was  placed by the attacker?

We have to create a notebook and plugin some VQL that we build using the previous answer as a template:

SELECT "C:/" + FullPath AS Full_Path,FileName AS File_Name,parse_pe(file="C:/" + FullPath) AS PE
FROM parse_mft(filename="C:/$MFT", accessor="ntfs")
WHERE NOT IsDir AND FullPath =~ "Windows/System32/spool/drivers" AND PE

29 rows later, we see a oddly named DLL as the last row…

Answer: nightmare.dll

Question 4: What is the PDB entry?

Once you have the above, just look at the PDB line.

Answer: C:\Users\caleb\source\repos\nightmare\x64\Release\nightmare.pdb