Forum Discussion
Trick or Treat on Specter Street: Ghost of the SOC
I succeeded in practically all steps except the last one.
I found the ghost's first communication, the human account, the scripts folder, and the service account.
I can connect with the human account (for which I know the password), but I don't know how to use the service account, for which I don't have the credentials, so I can't do much.
I found a simple way to avoid the annoying messages using the human account, but I can't really eliminate the presence.
Did I miss something?
Any good advice?
It's tricky. The svc account password is stored in plain text in a file somewhere.
Try looking for something on the machine which looks a little out of place, then go deeper.
- ThreatWhisperer (Bronze II), 2 months ago
Ah, that was easy, thx!
Now I've got the password, and I can e.g. use it to disable that account, but it doesn't seem to be enough to remove the persistence :-(
Edit: Never mind, I found another thread here discussing the same lab with the right hint to proceed!