I know it's one of the challenge labs but I'm fairly sure I'm missing something extremely straight forward, it's 100 point difficulty 4.... Someone help me please! I'm banging my head against a wall with this one!If anyone can point me in the right direction of the specific persistence mechanism I think that would be a startQ8. Use the service account to delete the spirit's persistence mechanism. The methods you employ to gain access to this account are up to you.

Hey Yammmy, could you share what you've tried and I'll try to give you a hint from there on? The credentials are hidden in a file on the haunted host :)

Thanks Yammmy and clowdier!, super hint I was totally lost trying to use meterpreter and those stuffs hahah.I finally complete the labs from this week!

This wasn't anything too suprising. A recusive search of the word svc (full name will be faster) will get you the creds you desire.

DG seems to be some sort of god-level challenge exterminator. I assume they can help you.

LewisMutton The answer to Q6 will clue you into the persistence mechanism you need to delete :)

Trick or Treat on Specter Street: Ghost of the SOC

29 Replies

steven

Silver II

4 days ago

maybe I was too radical, i've deleted everything which was not by windows :)

Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
  try {
    Disable-ScheduledTask -TaskName $_.TaskName -TaskPath $_.TaskPath -ErrorAction Stop | Out-Null
    Unregister-ScheduledTask -TaskName $_.TaskName -TaskPath $_.TaskPath -Confirm:$false -ErrorAction Stop
    Write-Host "Removed: $($_.TaskPath)$($_.TaskName)"
  } catch {
    Write-Warning "Failed: $($_.TaskPath)$($_.TaskName) — $($_.Exception.Message)"
  }
}

solved the lab and removed some services too much, but hey, .. to be on the safe side :)

SamDickison
Community Manager
3 days ago
Purge the services!

CyberSharpe
Silver I
8 days ago
This wasn't anything too suprising. A recusive search of the word svc (full name will be faster) will get you the creds you desire.
- clowdier
  Immerser
  5 days ago
  Precisely!
Yammmy
Bronze II
11 days ago
Same here. How do I get access to the service account? Been trying for hours!
- clowdier
  Immerser
  11 days ago
  Hey Yammmy, could you share what you've tried and I'll try to give you a hint from there on? The credentials are hidden in a file on the haunted host :)
  - edgarloredo
    Bronze II
    9 days ago
    Hello clowdier, I think I am kind of lost after a few hours here, is the file part of the SyncEngine or should I change my mind and look for something different? I have tried a lot of things hahaha, maybe right now I am overlooking a lot of stuff.
- SamDickison
  Community Manager
  11 days ago
  clowdier got any more hints?
clowdier
Immerser
12 days ago
LewisMutton The answer to Q6 will clue you into the persistence mechanism you need to delete :)
- LewisMutton
  Bronze III
  12 days ago
  Yeah, I got that, but I can't identify the specific instance of said persistence mechanism 😅
  - clowdier
    Immerser
    11 days ago
    I see! If you've already brought up a list of all instances of that specific persistence type, and then reviewed the details for each one, one of them will look suspicious!
SamDickison
Community Manager
12 days ago
DG seems to be some sort of god-level challenge exterminator. I assume they can help you.