Bsides Jeddah CTF Part 1

Scenario: As a security consultant, a phishing attack attributed to a popular APT group targeted one of your customers. Given the provided PCAP trace, analyze the attack and answer the challenge questions.

Q1 What is the victim's MAC address?

From the statistics, IP 192.168.112.139 takes part in 100% of the conversations, so it is the victim.

The answer is therefore its MAC address.

Answer: 00:0C:29:B7:CA:91

Q2 What is the address of the company associated with the victim's machine MAC address?

Search Google for a MAC address lookup service and enter the victim's MAC address to find the vendor.

Answer: 3401 Hillview Avenue Palo Alto CA 94304 US

Q3 What is the attacker's IP address?

We already know the victim's IP is 192.168.112.139, so we can filter on the traffic to and from that address.

One peer shows many connection attempts answered with RST flags, which indicates that this IP was port scanning the victim.

Answer: 192.168.112.128

Q4 What is the IPv4 address of the DNS server used by the victim machine?

Filter on the DNS protocol and look for the DNS queries sent from 192.168.112.139.

Answer: 192.168.112.2

Q5 What domain is the victim looking up in packet 5648?

Answer: omextemplates.content.office.net

Q6 What is the server certificate public key that was used in TLS session: 731300002437c17bdfa2593dd0e0b28d391e680f764b5db3c4059f7abadbb28e

Filter on the TLS protocol and search the packet details for the given session ID.

Then look for the server's public key in the certificate details.

Answer: 64089e29f386356f1ffbd64d7056ca0f1d489a09cd7ebda630f2b7394e319406

Q7 What domain is the victim connected to in packet 4085?

Go to packet 4085 and follow the TCP stream

Answer: v10.vortex-win.data.microsoft.com

Q8 The attacker conducted a port scan on the victim's machine. How many open ports did the attacker find?

We can find it with the following filter:

(tcp.flags.ack == 1) && (tcp.flags.syn == 1) && (ip.src == 192.168.112.139 )

The ports that replied with SYN/ACK are:

587, 135, 139, 143, 25, 445, 110

Answer: 7
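The same logic as an added example (not part of the original writeup): the Q8 SYN/ACK filter and the Q3 "many RST flags" observation applied to constructed packet summaries. The records, the closed ports and the benign peer 203.0.113.10 are made up to mimic the challenge; only the seven open ports follow the writeup.

```python
"""Port-scan triage over TCP flag records, mirroring the writeup's Q8 filter
(tcp.flags.ack == 1) && (tcp.flags.syn == 1) && (ip.src == 192.168.112.139)
and the Q3 observation that one peer generates many RST flags."""
from collections import Counter

SYN, RST, ACK = 0x02, 0x04, 0x10   # TCP flag bits
VICTIM = "192.168.112.139"
SCANNER = "192.168.112.128"
PEER = "203.0.113.10"              # constructed benign peer (TEST-NET-3)

def scan_probe(attacker, victim, port, is_open):
    """One SYN probe plus the victim's reply: SYN/ACK if open, RST/ACK if closed."""
    sport = 40000 + port
    pkts = [(attacker, victim, sport, port, SYN)]
    if is_open:
        pkts.append((victim, attacker, port, sport, SYN | ACK))
        pkts.append((attacker, victim, sport, port, RST))  # scanner tears down
    else:
        pkts.append((victim, attacker, port, sport, RST | ACK))
    return pkts

# Constructed traffic as (src, dst, sport, dport, flags); not from the real PCAP.
PACKETS = []
for p in (25, 110, 135, 139, 143, 445, 587):   # open on the victim (Q8 list)
    PACKETS += scan_probe(SCANNER, VICTIM, p, True)
for p in (21, 22, 80, 3389, 8080):             # closed on the victim
    PACKETS += scan_probe(SCANNER, VICTIM, p, False)
PACKETS += [(VICTIM, PEER, 51000, 443, SYN),    # ordinary outbound HTTPS
            (PEER, VICTIM, 443, 51000, SYN | ACK),
            (VICTIM, PEER, 51000, 443, ACK)]

def open_ports(packets, victim):
    """Ports the victim answered with SYN/ACK: the Q8 filter as code."""
    return sorted({sport for src, _, sport, _, fl in packets
                   if src == victim and (fl & (SYN | ACK)) == (SYN | ACK)})

def rst_count_by_peer(packets, victim):
    """RST packets exchanged with each peer; a port scanner stands out (Q3)."""
    counts = Counter()
    for src, dst, _, _, fl in packets:
        if fl & RST and victim in (src, dst):
            counts[dst if src == victim else src] += 1
    return counts

def likely_scanner(packets, victim, min_rst=5):
    """Peer with the most RST traffic, if it clears the threshold; else None."""
    counts = rst_count_by_peer(packets, victim)
    if not counts:
        return None
    peer, n = counts.most_common(1)[0]
    return peer if n >= min_rst else None
```

On a real capture the same five fields can be exported with tshark -T fields and fed to these functions unchanged.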

Q9 Analyze the pcap using the provided rules. What is the CVE number falsely alerted by Suricata?

Unfortunately, I didn't have Brim to examine it, so I found the answer from the hints.

Answer: CVE-2020-11899

Q10 What is the command parameter sent by the attacker in packet number 2650?

Answer: kali

Q11 What is the stream number which contains email traffic?

Let us make a filter for the DNS protocol

Answer: 1183

Q12 What is the victim's email address?

Follow the TCP stream and look for the "To" header.

Answer: joshua@cyberdefenders.org

Q13 What was the time the attacker sent the email?

From the "Date" header in the previous screen

Answer: 12:31:54

Q14 What is the version of the program used to send the email?

From the "X-Mailer" header in the previous screen

Answer: 1.56

Q15 What is the MD5 hash of the email attachment?

Save the email by exporting the IMF object.

Then open the email in Outlook and save the attachment.

Finally, examine the attachment on the VirusTotal website.

Answer: 55e7660d9b21ba07fc34630d49445030

Q16 What is the CVE number the attacker tried to exploit using the malicious document?

From the VirusTotal results in the previous screen

Answer: cve-2021-40444

Q17 The malicious document file contains a URL to a malicious HTML file. Provide the URL for this file.

From the VirusTotal Community tab, or by examining the sample on Triage

Answer: http://192.168.112.128/word.html

Q19 What is the Microsoft Office version installed on the victim machine?

Look for the User-Agent header in the victim's HTTP requests.

Answer: 15.0.4517

Q20 The malicious HTML contains a js code that points to a malicious CAB file. Provide the URL to the CAB file?

Look for any file with a .cab extension.

Answer: http://192.168.112.128/word.cab

Q21 The exploit takes advantage of a CAB vulnerability. Provide the vulnerability name?

Export the file and examine it on the VirusTotal website.

Then search for the CVE-2021-40444 vulnerability.

Answer: ZipSlip

Q22 The CAB file contains a malicious dll file. What is the tool used to generate the dll?

From the previous VirusTotal examination, the file is word.dll and the payload is Meterpreter, so the tool is Metasploit.

Answer: Metasploit

Q23 What is the path of the dropped malicious dll file? Replace your username with IEUser

Use the Triage website to find the path.

Answer: C:\Users\Admin\AppData\Local\Temp\msword.inf, with Admin replaced by IEUser

Q24 Analyzing the dll file what is the API used to write the shellcode in the process memory?

From the previous Triage screen

Answer: WriteProcessMemory

Q26 Which port was configured to receive the reverse shell?

Filter for all HTTP requests, scroll down, and follow the TCP stream.

Answer: 443
