I know it's one of the challenge labs but I'm fairly sure I'm missing something extremely straight forward, it's 100 point difficulty 4.... Someone help me please! I'm banging my head against a wall with this one!If anyone can point me in the right direction of the specific persistence mechanism I think that would be a startQ8. Use the service account to delete the spirit's persistence mechanism. The methods you employ to gain access to this account are up to you.

Hey Yammmy, could you share what you've tried and I'll try to give you a hint from there on? The credentials are hidden in a file on the haunted host :)

Thanks Yammmy and clowdier!, super hint I was totally lost trying to use meterpreter and those stuffs hahah.I finally complete the labs from this week!

This wasn't anything too suprising. A recusive search of the word svc (full name will be faster) will get you the creds you desire.

DG seems to be some sort of god-level challenge exterminator. I assume they can help you.

LewisMutton The answer to Q6 will clue you into the persistence mechanism you need to delete :)

Trick or Treat on Specter Street: Ghost of the SOC

37 Replies

steven
Ambassador
4 months ago
maybe I was too radical, i've deleted everything which was not by windows :)
Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object { try { Disable-ScheduledTask -TaskName $_.TaskName -TaskPath $_.TaskPath -ErrorAction Stop | Out-Null Unregister-ScheduledTask -TaskName $_.TaskName -TaskPath $_.TaskPath -Confirm:$false -ErrorAction Stop Write-Host "Removed: $($_.TaskPath)$($_.TaskName)" } catch { Write-Warning "Failed: $($_.TaskPath)$($_.TaskName) — $($_.Exception.Message)" } }
solved the lab and removed some services too much, but hey, .. to be on the safe side :)
- jitu
  Bronze I
  4 months ago
  How do you run this with the service account credential? I schedule a task and chose to run it with the svc credential, but it does not delete the persistence. I just removes some local tasks for the normal user.
  - PRABAKARANRAMAMURTHY
    Advocate
    4 months ago
    Have you got the credentials? jitu
- SamDickison
  Community Manager
  4 months ago
  Purge the services!
CyberSharpe
Ambassador
4 months ago
This wasn't anything too suprising. A recusive search of the word svc (full name will be faster) will get you the creds you desire.
- ClaudiaBusuioc
  Alumni
  4 months ago
  Precisely!
Yammmy
Bronze II
4 months ago
Same here. How do I get access to the service account? Been trying for hours!
- ClaudiaBusuioc
  Alumni
  4 months ago
  Hey Yammmy, could you share what you've tried and I'll try to give you a hint from there on? The credentials are hidden in a file on the haunted host :)
  - edgarloredo
    Advocate
    4 months ago
    Hello clowdier, I think I am kind of lost after a few hours here, is the file part of the SyncEngine or should I change my mind and look for something different? I have tried a lot of things hahaha, maybe right now I am overlooking a lot of stuff.
- SamDickison
  Community Manager
  4 months ago
  ClaudiaBusuioc got any more hints?
ClaudiaBusuioc
Alumni
4 months ago
LewisMutton The answer to Q6 will clue you into the persistence mechanism you need to delete :)
- LewisMutton
  Ambassador
  4 months ago
  Yeah, I got that, but I can't identify the specific instance of said persistence mechanism 😅
  - ClaudiaBusuioc
    Alumni
    4 months ago
    I see! If you've already brought up a list of all instances of that specific persistence type, and then reviewed the details for each one, one of them will look suspicious!
SamDickison
Community Manager
4 months ago
DG seems to be some sort of god-level challenge exterminator. I assume they can help you.