Windows_Bootkit_Remediate Challenges Setup Guide

Table of Contents

  Pre-Challenge Prep
    On Admin-Station via Mobaterm and Terra
    On Op Station via in-class Ubuntu workstation
    On in-class Ubuntu workstation
  Manual setup on Admin-Station via Mobaterm and Terra
  Troubleshooting
    1. "Win_Bootkit.vdi is corrupted or the file doesn't work."
    2. "There is no Win_Bootkit.vdi.7z on my system."
    3. "I tried to qemu and got the following error" (cannot allocate memory)
    4. "I tried to qemu and got the following error." (failed to get "write" lock)
    5. "When I run qemu, it says it doesn't have video functions."
    6. "The Mobaterm download instructions didn't work for me."

The purpose of these instructions is to give students clear, consistent, and repeatable steps for working with the Win_Bootkit.vdi file while completing the Windows_bootkit_remediate challenges. In every variant below the VM is started with -net none, which gives the guest no network interface at all; keep that switch, since the image is infected and must not be able to reach the classroom network.


Pre-Challenge Prep

On Admin-Station via Mobaterm and Terra

1. Open Mobaterm and ssh into 10.xx.0.6. Mobaterm forwards graphics (X11) from Linux machines to the Windows desktop, which is what the qemu window needs.

2. In the ssh session to 10.xx.0.6, extract Win_Bootkit.vdi.7z (this takes about 15 minutes). The -k switch keeps the .7z after extraction, so a damaged .vdi can be re-extracted later without downloading the archive again:

    p7zip -d -k Win_Bootkit.vdi.7z

   The result is Win_Bootkit.vdi in the same directory.

3. Start the virtual machine:

    qemu-system-x86_64 -device usb-ehci -m 2G -net none Win_Bootkit.vdi


On Op Station via in-class Ubuntu workstation

1. Find your IP address from your project space in vta.cybbh.space: left side nav bar → Project → Compute → Instances → linux_opstation_xxxx - 10.50.x.x. If you do not have a set of Op Stations, refer to https://cctc.cybbh.io/students/students/latest/Day_0_Setup.html#_vta_stack_build_for_opstations

2. SSH into your personal Linux Op Station, using -X to forward graphics. Example:

    ssh -X student@10.50.x.x

3. Download Win_Bootkit.vdi.7z (takes a couple of minutes):

    wget http://10.50.0.1:8080/class/linux_stu_img/Win_Bootkit.vdi.7z

4. Install the prerequisites (qemu, its disk-image tools, and 7-Zip):

    sudo apt-get update
    sudo apt install qemu-utils qemu-system-x86 p7zip-full -y

5. Extract the Virtual Disk Image (vdi) (this takes about 15 minutes). -k keeps the archive for re-extraction:

    p7zip -d -k Win_Bootkit.vdi.7z

   The result is Win_Bootkit.vdi.

6. Start the virtual machine:

    qemu-system-x86_64 -device usb-ehci -smp 2 -m 2G -net none Win_Bootkit.vdi

   The -smp switch allocates two CPU cores; memory is specified with -m. If the host cannot give qemu 2G of RAM, see Troubleshooting #3.


On in-class Ubuntu workstation

1. Open a terminal on the classroom workstation.

2. Download Win_Bootkit.vdi.7z (takes a couple of minutes):

    wget http://10.50.0.1:8080/class/linux_stu_img/Win_Bootkit.vdi.7z

3. Extract the Virtual Disk Image (vdi). file-roller -h means "extract here"; this may take a while:

    file-roller -h Win_Bootkit.vdi.7z

4. Start the virtual machine:

    qemu-system-x86_64 -device usb-ehci -smp 2 -m 2G -net none Win_Bootkit.vdi

5. Remove the files from the workstation when the challenge is complete. You must delete your files when done with them; the workstation is shared and the image is malicious:

    rm Win_Bootkit.vdi*


Manual setup on Admin-Station via Mobaterm and Terra

1. Download Mobaterm from a PowerShell prompt using the command below. If this fails, see Troubleshooting #6.

    $webclient=New-Object System.Net.WebClient; $webclient.DownloadFile("https://download.mobatek.net/2152021112100754/MobaXterm_Portable_v21.5.zip", "C:\Users\andy.dwyer\Desktop\mobaterm.zip")

2. Extract Mobaterm onto andy.dwyer's Desktop:

    Expand-Archive C:\Users\andy.dwyer\Desktop\mobaterm.zip -DestinationPath C:\Users\andy.dwyer\Desktop\mobaterm

3. Install Mobaterm:

    C:\Users\andy.dwyer\Desktop\mobaterm\MobaXterm_Personal_21.5.exe /passive

4. Open Mobaterm and ssh into 10.xx.0.6.

5. In the ssh session to 10.xx.0.6, download Win_Bootkit.vdi.7z:

    wget http://10.50.0.1:8080/class/linux_stu_img/Win_Bootkit.vdi.7z

6. Extract Win_Bootkit.vdi.7z (this takes about 15 minutes); -k keeps the archive:

    p7zip -d -k Win_Bootkit.vdi.7z

7. Start the virtual machine:

    qemu-system-x86_64 -device usb-ehci -m 2G -net none Win_Bootkit.vdi


Troubleshooting

1. "Win_Bootkit.vdi is corrupted or the file doesn't work."

   Remove the old .vdi and re-extract it from the archive (7z x leaves the .7z in place):

    rm Win_Bootkit.vdi
    7z x /root/Win_Bootkit.vdi.7z

   Once you have a working Win_Bootkit.vdi, make a backup copy of it so you do not have to re-extract if you break something during remediation.

2. "There is no Win_Bootkit.vdi.7z on my system."

   If wget is not working, have a classmate push you a copy of their file with scp. They run this from their machine, substituting the IP of your Linux Op Station (the account is the same "student" user used for ssh above):

    scp /root/Win_Bootkit.vdi.7z student@<Your Linux Opstation IP>:Win_Bootkit.vdi.7z

3. "I tried to qemu and got the following error"

    qemu-system-x86_64: cannot set up guest memory 'pc.ram': Cannot allocate memory

   The host does not have 2G of free RAM to hand to the guest. Most likely a previous qemu instance of the bootkit VM did not close properly and is still holding its memory. While ssh'd into the Linux Op Station, run reboot in the terminal. Let it boot back up and ssh back into the Linux Op Station. If you find another fix, let your instructor know and we will document it.

4. "I tried to qemu and got the following error."

    qemu-system-x86_64: -show-cursor: Failed to get "write" lock
    Is another process using the image?

   qemu takes an exclusive write lock on the disk image while it runs, so a qemu process left over from an earlier attempt (for example after a dropped ssh session) still holds the lock. Find the Process ID (PID) of that qemu process:

    ps -elf | grep qemu

   Then terminate it and run qemu again:

    kill -9 <qemu pid>

   A plain kill <qemu pid> (no -9) first gives qemu the chance to release the lock cleanly; use -9 only if the process does not exit.

5. "When I run qemu, it says it doesn't have video functions."

   Did you ssh -X into the Linux machine? Make sure it is a capital X (X11 forwarding), not a lowercase x. Without forwarding qemu has no display to draw the guest's screen on.

6. "The Mobaterm download instructions didn't work for me."

   Navigate to https://mobaxterm.mobatek.net/download-home-edition.html in a browser. Download the Portable Edition (of the Home Edition). Unzip the archive. Run the executable.
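The Op Station procedure above (download, extract, start qemu) and Troubleshooting items 1, 3 and 4 can be combined into one wrapper script that checks for the known failure modes before spending 15 minutes on an extraction or hitting a qemu error. The script below is an added example, not part of the original guide; it assumes the same image URL and qemu settings as the guide, that the files live in the current directory, and that 7z, p7zip, pgrep and wget are installed (the helper names such as archive_ok and qemu_pids_using are this example's own).

```shell
#!/bin/sh
# Added example wrapper for the Win_Bootkit setup steps (not from the guide).
# Assumptions: image URL and qemu switches as in the guide; files in the
# current directory; 7z, p7zip, pgrep and wget available on the Op Station.
set -eu

IMAGE_URL="http://10.50.0.1:8080/class/linux_stu_img/Win_Bootkit.vdi.7z"
ARCHIVE="Win_Bootkit.vdi.7z"
IMAGE="Win_Bootkit.vdi"
RAM_MB=2048
CPUS=2

# MemAvailable in MiB, read from a meminfo file (default /proc/meminfo).
# Troubleshooting #3: qemu reports "Cannot allocate memory" when this is short.
mem_available_mb() {
    awk '/^MemAvailable:/ { print int($2 / 1024) }' "${1:-/proc/meminfo}"
}

# Succeeds when at least $1 MiB is available according to meminfo file $2.
enough_ram() {
    avail=$(mem_available_mb "${2:-/proc/meminfo}")
    [ -n "$avail" ] && [ "$avail" -ge "$1" ]
}

# Troubleshooting #4: prints PIDs of qemu processes whose command line names
# image $1 (they hold its write lock); succeeds only if at least one exists.
qemu_pids_using() {
    pgrep -f "qemu-system.*$1" 2>/dev/null
}

# Troubleshooting #1: test the archive before extracting it ("7z t" verifies
# the CRCs of every member without writing anything to disk).
archive_ok() {
    7z t "$1" >/dev/null 2>&1
}

fetch_and_extract() {
    [ -f "$ARCHIVE" ] || wget -O "$ARCHIVE" "$IMAGE_URL"
    archive_ok "$ARCHIVE" || {
        echo "$ARCHIVE fails integrity test: delete it and download again" >&2
        return 1
    }
    # -k keeps the .7z so a broken .vdi can be re-extracted without re-downloading.
    [ -f "$IMAGE" ] || p7zip -d -k "$ARCHIVE"
}

start_vm() {
    if pids=$(qemu_pids_using "$IMAGE"); then
        echo "$IMAGE is already open by qemu pid(s): $pids; kill them first" >&2
        return 1
    fi
    enough_ram "$RAM_MB" || {
        echo "less than ${RAM_MB} MiB available; reboot the Op Station (see Troubleshooting #3)" >&2
        return 1
    }
    # -net none: the infected guest gets no network interface. Set
    # QEMU_EXTRA=-snapshot to keep Win_Bootkit.vdi pristine (guest writes go to
    # a temporary file); leave it empty when remediation changes must persist.
    exec qemu-system-x86_64 -device usb-ehci -smp "$CPUS" -m "${RAM_MB}M" \
        -net none ${QEMU_EXTRA:-} "$IMAGE"
}

# Only perform the real steps when invoked as "sh bootkit_vm.sh run", so the
# helper functions can be sourced and exercised without network or qemu.
if [ "${1:-}" = "run" ]; then
    fetch_and_extract
    start_vm
fi
```

Run it with `sh bootkit_vm.sh run` inside an `ssh -X` session; the memory and lock checks turn the two qemu errors from Troubleshooting #3 and #4 into plain messages before qemu is launched, and the integrity test catches a truncated download before the 15-minute extraction.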