I know it's one of the challenge labs but I'm fairly sure I'm missing something extremely straight forward, it's 100 point difficulty 4.... Someone help me please! I'm banging my head against a wall with this one!If anyone can point me in the right direction of the specific persistence mechanism I think that would be a startQ8. Use the service account to delete the spirit's persistence mechanism. The methods you employ to gain access to this account are up to you.

Hey Yammmy, could you share what you've tried and I'll try to give you a hint from there on? The credentials are hidden in a file on the haunted host :)

Thanks Yammmy and clowdier!, super hint I was totally lost trying to use meterpreter and those stuffs hahah.I finally complete the labs from this week!

This wasn't anything too suprising. A recusive search of the word svc (full name will be faster) will get you the creds you desire.

DG seems to be some sort of god-level challenge exterminator. I assume they can help you.

LewisMutton The answer to Q6 will clue you into the persistence mechanism you need to delete :)

Trick or Treat on Specter Street: Ghost of the SOC

36 Replies

CyberSharpe
Silver I
28 days ago
This wasn't anything too suprising. A recusive search of the word svc (full name will be faster) will get you the creds you desire.
- ClaudiaBusuioc
  Immerser
  25 days ago
  Precisely!
SamDickison
Community Manager
2 months ago
DG seems to be some sort of god-level challenge exterminator. I assume they can help you.
ClaudiaBusuioc
Immerser
2 months ago
LewisMutton The answer to Q6 will clue you into the persistence mechanism you need to delete :)
- LewisMutton
  Bronze III
  2 months ago
  Yeah, I got that, but I can't identify the specific instance of said persistence mechanism 😅
  - ClaudiaBusuioc
    Immerser
    31 days ago
    I see! If you've already brought up a list of all instances of that specific persistence type, and then reviewed the details for each one, one of them will look suspicious!
Yammmy
Bronze II
31 days ago
Same here. How do I get access to the service account? Been trying for hours!
- ClaudiaBusuioc
  Immerser
  31 days ago
  Hey Yammmy, could you share what you've tried and I'll try to give you a hint from there on? The credentials are hidden in a file on the haunted host :)
  - Yammmy
    Bronze II
    31 days ago
    Thanks! I tried reading the logs / using hydra / did a search on the haunted machine but couldn’t find anything useful
- SamDickison
  Community Manager
  31 days ago
  ClaudiaBusuioc got any more hints?
steven
Silver II
24 days ago
maybe I was too radical, i've deleted everything which was not by windows :)
Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object { try { Disable-ScheduledTask -TaskName $_.TaskName -TaskPath $_.TaskPath -ErrorAction Stop | Out-Null Unregister-ScheduledTask -TaskName $_.TaskName -TaskPath $_.TaskPath -Confirm:$false -ErrorAction Stop Write-Host "Removed: $($_.TaskPath)$($_.TaskName)" } catch { Write-Warning "Failed: $($_.TaskPath)$($_.TaskName) — $($_.Exception.Message)" } }
solved the lab and removed some services too much, but hey, .. to be on the safe side :)
- SamDickison
  Community Manager
  23 days ago
  Purge the services!
- jitu
  Bronze I
  15 days ago
  How do you run this with the service account credential? I schedule a task and chose to run it with the svc credential, but it does not delete the persistence. I just removes some local tasks for the normal user.
  - edgarloredo
    Bronze III
    15 days ago
    If you already have svc credentials, try to open Schedule Task as svc user and you can easily find and delete the task