Cyber Defenders - LTE Fallen Wall CTF
Intro
CyberDefenders.org has a fun IR CTF on the topic of LTE/4G hacking. The objective is to answer a series of questions while investigating an incident in which a user's phone messages were intercepted over the Diameter signalling network.
You are provided with the following files to aid in your analysis:
- Virtualbox VM with Kibana Interface
Walkthrough
1) Which diameter interface did the EPC nodes use?
Hints:
- layers.diameter.diameter_3GPP_IDR_Flags: 0x00000010
- layers.diameter.diameter_diameter_applicationId
Answer:
S6a
2) Which diameter command did the attacker use to discover and establish a connection with EPC nodes? (hyphens in between).
Answer:
Capabilities-Exchange
3) What was the hostname of the rejected connection?
Answer:
mme.malicious.org
4) What was the error returned to the attacker? (Underscore in between)
Hints:
- pivot off the one-minute window in which the earlier events contained mme.malicious.org
- layers.diameter.diameter_diameter_cmd_code = 257 Capabilities-Exchange Answer
Answer:
DIAMETER_UNKNOWN_PEER
5) What was the hostname of the accepted connection?
Answer:
mme.operatorx.org
6) What is the value of the AVP used during traffic interception?
Hints:
- layers.diameter.diameter_avp-Subscription_Data-Service-Selection
Answer:
lte.tim.it
7) What was the spoofed hostname?
Answer:
mme.operatorx.org
8) Which node of the ‘cyberdefenders’ network communicated with the malicious peer?
Answer:
mme.cyberdefenders.org
9) What is the name of the node that accepted the attacker’s connection attempts?
Answer:
hss.cyberdefenders.org
10) What was the diameter command used to retrieve Alice’s location? (hyphens in between)
Answer:
3GPP-Insert-Subscriber-Data Request
11) What is the IMSI of Alice?
Hints:
- the IMSI that appears in the most traffic
Answer:
602050100000001
12) Which AVP is responsible for querying the location? (hyphens in between).
Answer:
IDR-FLAGs
13) Which flag was set in the tracking diameter command used to retrieve Alice’s location? (3 words, spaces in between)
Answer:
Current Location Request
14) Which AVP indicates that the attacker spoofed the origin hostname? (hyphens in between).
Answer:
host-ip-address
15) Peers autodiscovery caused an unexpected connection with a malicious peer. Provide the hostname of that malicious peer?
Answer:
mme2.cyberdefenders.org
16) Which AVP did the attacker use to intercept Alice’s data traffic? (hyphens in between).
Answer:
Service-Selection
17) Which diameter command did the attacker use to intercept Alice’s 2FA? (hyphens in between).
Answer:
3GPP-Update-Location Request
18) Which diameter command can the attacker use to intercept the radio air interface traffic? (hyphens in between).
Answer:
3GPP-Authentication-Information Request
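The questions above are answered by pivoting in Kibana: pairing each Capabilities-Exchange Request with its Answer to see which peer was rejected, listing Origin-Hosts that do not belong to the operator's own domain, decoding IDR-Flags to see whether a location was requested, and finding the IMSI and APN the attacker touched. As an added example (not part of the lab or of this write-up), the script below runs those same pivots over a handful of constructed Diameter events shaped like the exported Kibana fields. The field names from the hints (`diameter_diameter_cmd_code`, `diameter_3GPP_IDR_Flags`, `diameter_avp-Subscription_Data-Service-Selection`) are used as-is; the Origin-Host, Result-Code, request-flag, Hop-by-Hop Id and User-Name field names are assumptions about how the export flattens them, and the command codes and IDR-Flags bit names come from RFC 6733 and 3GPP TS 29.272.

```python
"""Defender-side triage of Diameter events exported from Kibana.

The sample events are constructed for this example; hostnames, the IMSI and
the APN reuse the values from the walkthrough's answers, everything else
(ids, ordering) is illustrative.
"""
from collections import Counter

# Diameter command codes (RFC 6733 base protocol and 3GPP TS 29.272 S6a).
CMD_CAPABILITIES_EXCHANGE = 257
CMD_UPDATE_LOCATION = 316
CMD_AUTHENTICATION_INFORMATION = 318
CMD_INSERT_SUBSCRIBER_DATA = 319

RESULT_CODES = {2001: "DIAMETER_SUCCESS", 3010: "DIAMETER_UNKNOWN_PEER"}

# IDR-Flags bits from 3GPP TS 29.272; the hint value 0x00000010 is bit 4.
IDR_FLAG_NAMES = {
    1 << 0: "UE Reachability Request",
    1 << 1: "T-ADS Data Request",
    1 << 2: "EPS User State Request",
    1 << 3: "EPS Location Information Request",
    1 << 4: "Current Location Request",
    1 << 5: "Local Time Zone Request",
}
LOCATION_BITS = (1 << 3) | (1 << 4)

# Field names taken from the walkthrough's hints.
F_CMD = "layers.diameter.diameter_diameter_cmd_code"
F_IDR_FLAGS = "layers.diameter.diameter_3GPP_IDR_Flags"
F_APN = "layers.diameter.diameter_avp-Subscription_Data-Service-Selection"
# Field names assumed for this example (not taken from the page).
F_ORIGIN = "layers.diameter.diameter_Origin_Host"
F_RESULT = "layers.diameter.diameter_Result_Code"
F_IS_REQ = "layers.diameter.diameter_flags_request"
F_HBH = "layers.diameter.diameter_hopbyhopid"
F_USER = "layers.diameter.diameter_User_Name"  # carries the IMSI on S6a

# Constructed sample: a rejected CER, an accepted CER, then an IDR, ULR and AIR
# for the same subscriber.
SAMPLE_EVENTS = [
    {F_CMD: 257, F_IS_REQ: True, F_HBH: 1, F_ORIGIN: "mme.malicious.org"},
    {F_CMD: 257, F_IS_REQ: False, F_HBH: 1, F_ORIGIN: "hss.cyberdefenders.org", F_RESULT: 3010},
    {F_CMD: 257, F_IS_REQ: True, F_HBH: 2, F_ORIGIN: "mme.operatorx.org"},
    {F_CMD: 257, F_IS_REQ: False, F_HBH: 2, F_ORIGIN: "hss.cyberdefenders.org", F_RESULT: 2001},
    {F_CMD: 319, F_IS_REQ: True, F_HBH: 3, F_ORIGIN: "mme.operatorx.org",
     F_USER: "602050100000001", F_IDR_FLAGS: "0x00000010"},
    {F_CMD: 316, F_IS_REQ: True, F_HBH: 4, F_ORIGIN: "mme.operatorx.org",
     F_USER: "602050100000001", F_APN: "lte.tim.it"},
    {F_CMD: 318, F_IS_REQ: True, F_HBH: 5, F_ORIGIN: "mme.cyberdefenders.org",
     F_USER: "602050100000001"},
]


def rejected_peers(events):
    """Pair each CER with its CEA by Hop-by-Hop Id; return {peer: result name}
    for every peer whose capabilities exchange did not succeed."""
    pending, rejected = {}, {}
    for e in events:
        if e.get(F_CMD) != CMD_CAPABILITIES_EXCHANGE:
            continue
        if e.get(F_IS_REQ):
            pending[e.get(F_HBH)] = e.get(F_ORIGIN)
            continue
        peer = pending.pop(e.get(F_HBH), None)
        code = e.get(F_RESULT)
        if peer and code is not None and code != 2001:
            rejected[peer] = RESULT_CODES.get(code, str(code))
    return rejected


def peers_outside_domain(events, trusted_suffix=".cyberdefenders.org"):
    """Origin-Hosts that are not part of the operator's own domain."""
    return sorted({e[F_ORIGIN] for e in events
                   if F_ORIGIN in e and not e[F_ORIGIN].endswith(trusted_suffix)})


def location_tracking_requests(events):
    """IDRs whose IDR-Flags ask the MME for the subscriber's location."""
    hits = []
    for e in events:
        if e.get(F_CMD) == CMD_INSERT_SUBSCRIBER_DATA and e.get(F_IS_REQ):
            flags = int(str(e.get(F_IDR_FLAGS, "0")), 16)
            if flags & LOCATION_BITS:
                names = [n for bit, n in IDR_FLAG_NAMES.items() if flags & bit]
                hits.append((e.get(F_ORIGIN), e.get(F_USER), names))
    return hits


def most_queried_imsi(events):
    """The IMSI that appears in the most events (the 'most traffic' hint)."""
    counts = Counter(e[F_USER] for e in events if F_USER in e)
    return counts.most_common(1)[0][0] if counts else None


def apn_overrides(events, trusted_suffix=".cyberdefenders.org"):
    """Service-Selection (APN) values pushed by peers outside the trusted domain."""
    return [(e[F_ORIGIN], e.get(F_USER), e[F_APN]) for e in events
            if F_APN in e and F_ORIGIN in e and not e[F_ORIGIN].endswith(trusted_suffix)]


if __name__ == "__main__":
    print("rejected peers:", rejected_peers(SAMPLE_EVENTS))
    print("foreign peers:", peers_outside_domain(SAMPLE_EVENTS))
    print("location requests:", location_tracking_requests(SAMPLE_EVENTS))
    print("busiest IMSI:", most_queried_imsi(SAMPLE_EVENTS))
    print("APN overrides:", apn_overrides(SAMPLE_EVENTS))
```

Pairing CER with CEA by Hop-by-Hop Id is what the "pivot off the one-minute window" hint does by hand; the answer's Origin-Host is the responding HSS, so the rejected peer can only be recovered from the matching request. The same functions apply unchanged to a real export once the assumed field names are adjusted to whatever the Kibana index actually uses.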