Cyber Defenders - Escaperoom CTF
Intro
CyberDefenders.org has a fun challenge where you have to dissect a PCAP file. The objective is to answer a series of questions while investigating an incident where a user has been hacked and malware was executed on their system.
You are provided with the following files to aid in your analysis:
- PCAP
Walkthrough
1) What service did the attacker use to gain access to the system?
- wireshark - observe ssh traffic
Answer:
ssh
2) What attack type was used to gain access to the system? (one word)
- There's a lot of ssh traffic, so assuming a bruteforce is happening!
- confirmed from log files
Answer:
bruteforce
3) What was the tool the attacker possibly used to perform this attack?
Hint:
- common linux bruteforce tool
Answer:
hydra
4) How many failed attempts were there?
Hint:
- wireshark: count the ssh streams (54); 2 of them are successful, so 54-2
Answer:
52
5) What credentials (username:password) were used to gain access? Refer to shadow.log and sudoers.log.
Hint:
- use john and rockyou
Answer:
manager:forgot
6) What other credentials (username:password) could also have been used to gain access and have SUDO privileges? Refer to shadow.log and sudoers.log.
Answer:
sean:spectre
7) What is the tool used to download malicious files on the system?
Hint:
- wireshark filter: http
Answer:
wget
8) How many files did the attacker download to perform the malware installation?
Hint:
- wireshark filter: http, then count the GET requests
Answer:
3
9) What is the main malware MD5 hash?
Hints:
- wireshark stream 54
- cyberchef convert
- md5
Answer:
772b620736b760c1d736b1e6ba2f885b
10) What file has the script modified so the malware will start upon reboot?
Hint:
- wireshark stream 56
Answer:
/etc/rc.local
11) Where did the malware keep local files?
Answer:
/var/mail/
12) What is missing from ps.log?
Answer:
/var/mail/mail
13) What is the main file that was used to remove this information from ps.log?
Hint:
- wireshark stream 56
Answer:
sysmod.ko
14) Inside the Main function, what is the function that causes requests to those servers?
Hint:
- upx (unpack the exe)
- strings
Answer:
requestFile
15) One of the IPs the malware contacted starts with 17. Provide the full IP.
Hints:
- wireshark statistics
- or unpack the malware
Answer:
174.129.57.253
16) How many files did the malware request from external servers?
Answer:
9
17) What are the commands that the malware was receiving from attacker servers? Format: comma-separated in alphabetical order.
- Extract the object
- Unpack it as UPX compressed (you should have already done this for q14.)
- We used Ghidra
- Look up the main function
- Then look at either the decrypttmessage or processmessage functions
Notice these hex-encoded strings, which are just ASCII bytes packed into integer constants:
- 0x52554e3a decodes to "RUN:"
- 0x4e4f500 decodes to "NOP"
Answer:
nop,run
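To check that decoding without a hex table, here is an added Python helper (not part of the original walkthrough or the challenge files) that turns integer literals shown by a decompiler back into the ASCII they encode, trying both byte orders since an x86 compare folded by the compiler can appear byte-reversed; the constants in it are constructed sample values for "RUN:" and "NOP" followed by a null terminator.

```python
def readings(value: int) -> dict:
    """Return the big- and little-endian ASCII readings of an integer constant.

    Ghidra folds short string compares (memcmp/strncmp against a 3- or 4-byte
    literal) into an integer compare, so main() shows 0x52554e3a rather than
    "RUN:". A reading is None when it is not printable ASCII.
    """
    n = max(1, (value.bit_length() + 7) // 8)
    raw = value.to_bytes(n, "big")
    out = {}
    for order, b in (("big", raw), ("little", raw[::-1])):
        b = b.rstrip(b"\x00")  # drop a packed null terminator
        try:
            text = b.decode("ascii")
        except UnicodeDecodeError:
            text = ""
        out[order] = text if text and text.isprintable() else None
    return out


def decode_command_constants(consts, order: str = "big") -> list:
    """Map decompiler constants to command names, comma-list style as in q17.

    Strips the ':' separator that follows RUN and returns the unique names
    lower-cased and sorted, matching the challenge's answer format. Pass
    order="little" if the decompiler printed the constants byte-reversed.
    """
    names = set()
    for value in consts:
        text = readings(value)[order]
        if text is None:
            continue  # not a packed string, e.g. an ordinary length or flag
        names.add(text.rstrip(":").strip().lower())
    return sorted(names)


# Constructed sample constants: "RUN:" and "NOP\0" packed big-endian, plus a
# plain integer (0x10) that must be ignored rather than decoded.
SAMPLE_CONSTANTS = [0x52554E3A, 0x4E4F5000, 0x10]

if __name__ == "__main__":
    print(",".join(decode_command_constants(SAMPLE_CONSTANTS)))  # nop,run
```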