search

Bsides Jeddah CTF Part 1

Scenario:As a security consultant, a phishing attack attributed to a popular APT group targeted one of your customers. Given the provided PCAP trace, analyze the attack and answer challenge questions

LogoTrident | Blue team challenge.CyberDefenderschevron-right

hashtag
Q1 What is the victim's MAC address?

From the statistics, it seems that IP 192.168.112.139 has a 100% connection rate.

Then it is the victim

So the answer is its mac address

Answer: 00:0C:29:B7:CA:91

hashtag
Q2 What is the address of the company associated with the victim's machine MAC address?

Let us search for mac address lookup at google...

Answer: 3401 Hillview Avenue Palo Alto CA 94304 US

hashtag
Q3 What is the attacker's IP address?

We knew before that the victim's IP was 192.168.112.139

Then we can filter the communications done with this IP

There are many connections and RST flag so this ip make port scanning

Answer: 192.168.112.128

hashtag
Q4 What is the IPv4 address of the DNS server used by the victim machine?

Make a filter for DNS protocol and lookup for the DNS connection from 192.168.112.139

Answer:192.168.112.2

hashtag
Q5 What domain is the victim looking up in packet 5648?

Answer: omextemplates.content.office.net

hashtag
Q6 What is the server certificate public key that was used in TLS session: 731300002437c17bdfa2593dd0e0b28d391e680f764b5db3c4059f7abadbb28e

Let us make a filter for TLS protocol and search in packets details with the given session id

now search for the public key in the details

Answer: 64089e29f386356f1ffbd64d7056ca0f1d489a09cd7ebda630f2b7394e319406

hashtag
Q7 What domain is the victim connected to in packet 4085?

Go to packet 4085 and follow the TCP stream

Answer: v10.vortex-win.data.microsoft.com

hashtag
Q8 The attacker conducted a port scan on the victim's machine. How many open ports did the attacker find?

We could find it by making the following filter :

(tcp.flags.ack == 1) && (tcp.flags.syn == 1) && (ip.src == 192.168.112.139 )

And look at the ports it is :

587 – 135 - 139 – 143 – 25 – 445 – 110

Answer: 7

hashtag
Q9 Analyze the pcap using the provided rules. What is the CVE number falsely alerted by Suricata?

Unfortunately, I didn’t have brim to examine so I find the answer from the hinds

Answer: CVE-2020-11899

hashtag
Q10 What is the command parameter sent by the attacker in packet number 2650?

Answer: kali

hashtag
Q11 What is the stream number which contains email traffic?

Let us make a filter for the DNS protocol

Answer: 1183

hashtag
Q12 What is the victim's email address?

Let us make follow the TCP stream and look up for “to”

Answer: joshua@cyberdefenders.orgenvelope

hashtag
Q13 What was the time attacker sent the email?

From the previous screen “Date”

Answer: 12:31:54

hashtag
Q14 What is the version of the program used to send the email?

From the previous screen “X-Mailer”

Answer: 1.56

hashtag
Q15 What is the MD5 hash of the email attachment?

We have to save the email by exporting imf object

Now open the email by outlook then save the attachment,

Finally, examine the attachment at virustotal website

Answer: 55e7660d9b21ba07fc34630d49445030

hashtag
Q16 What is the CVE number the attacker tried to exploit using the malicious document?

From virustotal website Previous screen

Answer: cve-2021-40444

hashtag
Q17 The malicious document file contains a URL to a malicious HTML file. Provide the URL for this file.

From the community tab or by examining it at triage

Answer: http://192.168.112.128/word.htmlarrow-up-right

hashtag
Q19 What is the Microsoft Office version installed on the victim machine?

Go find user-agent

Answer: 15.0.4517

hashtag
Q20 The malicious HTML contains a js code that points to a malicious CAB file. Provide the URL to the CAB file?

Go find any file with CAB extension!

Answer: http://192.168.112.128/word.cabarrow-up-right

hashtag
Q21 The exploit takes advantage of a CAB vulnerability. Provide the vulnerability name?

Export the file then examine it at virustotal website

Then search for CVE-2021-40444 vulnerability

Answer: ZipSlip

hashtag
Q22 The CAB file contains a malicious dll file. What is the tool used to generate the dll?

From the previous virus total examination

The file is word.dll

And the payload is meterpreter so the tool is Metasploit

Answer: Metasploit

hashtag
Q23 What is the path of the dropped malicious dll file? Replace your username with IEUser

Using Triage website to find the path

Answer: C:\Users\Admin\AppData\Local\Temp\msword.inf with changing Admin to IEuser

hashtag
Q24 Analyzing the dll file what is the API used to write the shellcode in the process memory?

From the Previous Triage website screen

Answer: WriteProcessMemory

hashtag
Q26 Which port was configured to receive the reverse shell?

Let us make a filter to find all HTTP requests

Scroll down and follow the TCP stream

Answer: 443

PreviousWhoamiNextHireMe

Last updated