#Pooptoria

Overview:

The notorious threat actor Fancy Poodle has done it again! This time striking at Strikdaspoort Wastewater Treatment Plant in Pretoria, South Africa...

Do you have what it takes to solve the investigation while only using limited triage data? All before the license-dongle-wielding forensic analysts have checked their write blockers out of storage?

How It Works:

If you haven't previously, signed up for an account via the following Google form: SIGN UP
Once registered, you’ll receive instructions on how to access the CTF system via email. When you sign up, you’ll get 500 points as a gift. No questions asked.
For this investigation, you will be presented with 30 questions relating to the incident together with a set of triage data from a host you are required to investigate.
Each question is worth 100 points. This means, there are 3,000 points up for grabs in the Pooptoria investigation.
Getting stuck? Each question has a hint that will help you to the correct answer. But, use it wisely as a hint will deduct 50 points.
Like guessing answers? Each wrong answer will result in a penalty of 10 points.

Triage Evidence:

In Question 1, you will get a download link for your evidence.
The download is for a 101MB zip archive named PooptoriaTriage.zip (MD5: 865a739641a33fa9439e88cff9ad4833)
This archive contains the following two archives:

  • Windows.zip (60MB)
  • Psorted.zip (40MB)

  • Windows.zip
    This archive contains the contents of the following paths on the “Poop Controller” host:
  • C:\Windows\system32\config\
  • C:\Windows\system32\winevt\
  • This data can be processed by any tool of your choosing, or even manually reviewed.

    Psorted.zip
    A Log2Timeline Plaso (CSV) timeline has been created of the contents of the Windows.zip archived.
    The following commands were used to generate the timeline:
    # log2timeline /data/evidence.plaso /data/system32/
    # psort -o l2tcsv -w /data/psorted.csv /data/evidence.plaso

    This resulted in a 1GB csv file named psorted.csv. Zipped, it is around 40MB.

    Note: A 1GB csv file is cumbersome to work with. If you don’t already have a process or favourite tool to deal with such big files, you could try Eric Zimmerman’s EZViewer tool, available here: https://ericzimmerman.github.io/#!index.md

    It took a few moments to load the file, but seemed to do the job (Initial warning about filesize and all).

    Scenario Backstory:

    Strikdaspoort Wastewater Treatment Plant
    On Friday, March 12th 2021, the engineers on shift at Strikdaspoort Wastewater Treatment Plant in Pretoria, South Africa, were having an awkward socially distanced braai in their parking lot. The occasion? Jan Mahlangu’s 30th work anniversary. He started working at the Strikdaspoort plant in March 1991 as a cleaner, and has worked himself up to Assistant Operations Manager over his 30 year tenure.

    The facility was built during a 7 year stretch from 1913 through 1920, adjacent to the then Pretoria central business district and bordering the Apies river to its north. During the past few months, research students from the University of Jacaranda’s Computer Engineering department worked on an automation and integration project with the aim of modernising the plant’s manual control and monitoring systems.

    Being on a budget, the researchers managed to modify the plant’s simulation software (Simba) to hook into the main management system. This allowed them to monitor key indicators as well as make adjustments to certain plant operations. This was all done with a Windows desktop computer aptly named “Poop Controller”, located in the plant’s main control room. Due to recent Covid-19 social distancing regulations, students weren’t allowed to be on site during office hours. As such, they resorted to remote management of “Poop Controller”.

    Shortly after 14:30, just as Jan Mahlangu’s 30 year anniversary braai was drawing to a close, a red VW Golf pulled up to the front gate at the plant. The door swung open and out jumped the City’s mayoral committee member for Utility Services, Counselor Pieter Malherbe. An equally overweight security guard attempted to locate his infrared thermometer to screen Malherbe, but he was already through the pedestrian gate, striding like an anxious giraffe.

    A few minutes before, Malherbe climbed into his car following a fundraiser luncheon organised by the ‘Save the White-Shouldered House Moth Foundation’ at the Pretoria Zoo. As he switched on the radio, he heard the distressed voice of a concerned citizen phoning in to the Afternoon Drive radio show. Apparently, raw sewage was flowing down the Apies river from the Strikdaspoort Wastewater Treatment Plant. Malherbe, having his hopes set on becoming mayor in a few election cycles, thought he’d better drive the 2km to the plant to see for himself what was going on. To his shock, instead of seeing technicians attempting to resolve one of the biggest environmental disasters the Apies river has ever seen, the entire plant team was lounging on camping chairs in the parking lot. All of them blissfully unaware of the raw sewage being flushed into the river at the back of the plant.

    What transpired in the next few minutes at the plant was a blur. Technicians running, politicians swearing, switches flipping and sewage flowing. The plant had somehow gone into ‘backwash’ mode: instead of pumping clean water in from the adjacent river, it was spitting untreated sewage out. After a few minutes of pure chaos, a group of out of breath plant workers and one politician stood in the main control room, having managed to manually override and shut down the plant.

    Something like this has never happened before. What immediately became apparent to the team was that the emergency ‘Backwash’ lever was still in the “OFF” position. You also needed two keys to be able to switch it to the “ON” position. Like one man, they knew who, or rather what, was likely to blame: The “Poop Controller” desktop.

    Due to the massive public repercussions this event will likely create, together with the already continuous news coverage of human feces floating down the Apies River towards the Bon Accord dam, management made the decision to pull the desktop in question offline and submit it for full forensic analysis. Shortly before an army of pinstripe suit clad audit and risk type analysts descended on the Daspoort Wasterwater Treatment plant to secure the desktop in question, you phoned in a favour with one of the IT admins.

    Your goal? Understand what happened and how to prevent the same disaster at the other plants. Waiting 3 months for a final sanitised forensic report might be too late.

    Your contact agreed to help. You speedily sent him a list of file locations you’d like him to extract from the host. Unfortunately, the pinstripe suits arrived quite quickly, and your contact was only able to get the contents of the following two paths, before he had to shut it down:

  • C:\Windows\system32\config\
  • C:\Windows\system32\winevt\

  • There are some good news though: Some smart incident responder (possibly you) had the foresight to install Sysmon on the host a while back. The logs for Sysmon should be included in the triage package.

    [TOP]