Cyber Defenders - Nuke the Browser CTF
Intro
CyberDefenders.org has a fun challenge where you need to dissect a PCAP file. The objective is to answer a series of questions while investigating an incident in which a user was hacked and malware was executed on their system.
You are provided with the following files to aid in your analysis:
- PCAP
Walkthrough
1) Multiple systems were targeted. Provide the IP address of the highest one.
Hint:
- Wireshark - Statistics - Endpoints
Answer:
10.0.5.15
2) What protocol do you think the attack was carried over?
Answer:
http
3) What was the URL for the page used to serve malicious executables (don’t include URL parameters)?
Answer:
http://sploitme.com.cn/fg/load.php
4) What is the number of the packet that includes a redirect to the french version of Google and probably is an indicator for Geo-based targeting?
Hint:
- first redirect to Google.fr
Answer:
299
5) What was the CMS used to generate the page ‘shop.honeynet.sg/catalog/’? (Three words, space in between)
Answer:
osCommerce Online Merchant
6) What is the number of the packet that indicates that ‘show.php’ will not try to infect the same host twice?
Answer:
366
7) One of the exploits being served targets a vulnerability in “msdds.dll”. Provide the corresponding CVE number.
Hint:
- Google "msdds.dll cve"
Answer:
CVE-2005-2127
8) What is the name of the executable being served via ‘http://sploitme.com.cn/fg/load.php?e=8’ ?
Hint:
- Use Network Miner
Answer:
e.exe
9) One of the malicious files was first submitted for analysis on VirusTotal at 2010-02-17 11:02:35 and has an MD5 hash ending with ‘78873f791’. Provide the full MD5 hash.
Answer:
52312bb96ce72f230f0350e78873f791
10) What is the name of the function that hosted the shellcode relevant to ‘http://sploitme.com.cn/fg/load.php?e=3’?
Hint:
- Use Network Miner
Answer:
aolwinamp
11) Deobfuscate the JS at ‘shop.honeynet.sg/catalog/’ and provide the value of the ‘click’ parameter in the resulted URL.
Answer:
84c090bd86
12) Deobfuscate the JS at ‘rapidshare.com.eyu32.ru/login.php’ and provide the value of the ‘click’ parameter in the resulted URL.
Answer:
3feb5a6b2f
13) What was the version of ‘mingw-gcc’ that compiled the malware?
Hint:
- Wireshark tcp.stream==5
Answer:
3.4.5
14) The shellcode used a native function inside ‘urlmon.dll’ to download files from the internet to the compromised host. What is the name of the function?
Answer:
URLDownloadToFile
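Most of the answers above come from two Wireshark workflows: counting endpoints (Statistics > Endpoints) and reading HTTP payloads or following a TCP stream. The script below is an added example, not part of the CyberDefenders challenge or of this write-up's original material. It parses a libpcap file with only the Python standard library and reproduces those steps for questions 1, 3, 4 and 13 on a constructed sample capture embedded in the script: hostnames in the sample mirror the challenge, but the addresses, packet contents and the GCC banner are made up, and the names `SAMPLE`, `endpoint_counts`, `highest_in`, `http_request_urls` and `search_payloads` are mine. Packet numbers are 1-based, as in Wireshark, so `search_payloads` answers "which packet number" questions directly.

```python
"""Added example: minimal libpcap parser for the Wireshark steps used in the write-up."""
import ipaddress
import struct
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1


def ipv4_tcp_frame(src, dst, payload, sport=1025, dport=80):
    """Build an Ethernet + IPv4 + TCP frame (checksums left zero; the parser ignores them)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload


def pcap_bytes(frames):
    """Serialise frames into a little-endian libpcap file with an Ethernet link type."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1266000000 + i, 0, len(f), len(f)) + f
    return out


def read_pcap(data):
    """Yield (packet_number, frame) from a libpcap blob, handling both byte orders."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a libpcap file (pcapng is not supported here)")
    if struct.unpack(endian + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("unsupported link type")
    off, number = 24, 1  # Wireshark numbers packets from 1
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        off += 16
        yield number, data[off:off + incl_len]
        off += incl_len
        number += 1


def decode(frame):
    """Return (src, dst, proto, tcp_payload) for an IPv4 frame, or None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    src = str(ipaddress.ip_address(frame[26:30]))
    dst = str(ipaddress.ip_address(frame[30:34]))
    payload = b""
    if proto == 6:  # TCP: skip the header using its data-offset field
        tcp = 14 + ihl
        payload = frame[tcp + (frame[tcp + 12] >> 4) * 4:]
    return src, dst, proto, payload


def endpoint_counts(data):
    """Packets seen per IP address, the equivalent of Statistics > Endpoints > IPv4."""
    counts = Counter()
    for _, frame in read_pcap(data):
        d = decode(frame)
        if d:
            counts[d[0]] += 1
            counts[d[1]] += 1
    return counts


def highest_in(counts, cidr):
    """Numerically highest address inside cidr (e.g. the targeted client LAN), or None."""
    net = ipaddress.ip_network(cidr)
    best = max((ipaddress.ip_address(a) for a in counts if ipaddress.ip_address(a) in net),
               default=None)
    return None if best is None else str(best)


def http_request_urls(data):
    """scheme+host+path of every HTTP request packet, with the query string dropped."""
    urls = []
    for _, frame in read_pcap(data):
        d = decode(frame)
        if not d or not d[3].startswith((b"GET ", b"POST ")):
            continue
        head = d[3].split(b"\r\n\r\n", 1)[0].decode("latin-1")
        request_line, *headers = head.split("\r\n")
        path = request_line.split(" ")[1].split("?")[0]
        host = next((h.split(":", 1)[1].strip() for h in headers
                     if h.lower().startswith("host:")), d[1])
        urls.append(f"http://{host}{path}")
    return urls


def search_payloads(data, needle):
    """Packet numbers whose TCP payload contains needle (bytes); like a Wireshark 'contains' filter."""
    return [n for n, frame in read_pcap(data) if (d := decode(frame)) and needle in d[3]]


# Constructed sample capture: hostnames mirror the challenge, everything else is made up.
SAMPLE = pcap_bytes([
    ipv4_tcp_frame("10.0.2.15", "192.168.56.52", b"GET /catalog/ HTTP/1.1\r\nHost: shop.honeynet.sg\r\n\r\n"),
    ipv4_tcp_frame("192.168.56.52", "10.0.2.15", b"HTTP/1.1 302 Found\r\nLocation: http://www.google.fr/\r\n\r\n", 80, 1025),
    ipv4_tcp_frame("10.0.3.15", "192.168.56.52", b"GET /fg/load.php?e=8 HTTP/1.1\r\nHost: sploitme.com.cn\r\n\r\n"),
    ipv4_tcp_frame("192.168.56.52", "10.0.3.15", b"HTTP/1.1 200 OK\r\n\r\nMZ\x90\x00GCC: (GNU) 3.4.5\x00", 80, 1025),
    ipv4_tcp_frame("10.0.5.15", "192.168.56.52", b"GET /fg/show.php HTTP/1.1\r\nHost: sploitme.com.cn\r\n\r\n"),
    ipv4_tcp_frame("10.0.4.15", "192.168.56.52", b"GET /fg/show.php HTTP/1.1\r\nHost: sploitme.com.cn\r\n\r\n"),
])

if __name__ == "__main__":
    counts = endpoint_counts(SAMPLE)
    print("highest targeted host:", highest_in(counts, "10.0.0.0/8"))
    print("request URLs:", http_request_urls(SAMPLE))
    print("google.fr redirect in packets:", search_payloads(SAMPLE, b"google.fr"))
    print("GCC banner in packets:", search_payloads(SAMPLE, b"GCC: (GNU) 3.4.5"))
```

To run it against the real capture, replace `SAMPLE` with `open("file.pcap", "rb").read()`; the reader only handles classic libpcap, so convert a pcapng file first (for example with `editcap -F pcap`). Searching a raw payload for a banner is a shortcut for Follow TCP Stream and only works while the string does not straddle a segment boundary; reassembling the stream before searching is the robust version of question 13.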