CyberDefenders - Hawkeye CTF
Intro
CyberDefenders.org hosted a challenging HawkEye stealer challenge. You, the challenger / IR team, have to investigate the pcap and answer questions about the infected victim and about the location and domain ownership of the attacker's infrastructure. No reversing is needed in this one: it can be solved with Python (scapy), Wireshark and native OS tools, plus some OSINT with VirusTotal and whois.
For those that don't know about CyberDefenders, they host a platform dedicated to training blue-team skills (incident response, digital forensics, security analysis, etc.). If you are used to VulnHub and Hack The Box, those services are typically geared more towards red-teaming and penetration testing. This is where CyberDefenders stands out!
Walkthrough
1) How many packets does the capture have?
Python
from scapy.all import *
a=rdpcap('/Users/apdavies03/Downloads/stealer.pcap')
len(a)
4003
Answer:
4003
2) At what time was the first packet captured?
Wireshark:
- Apr 10, 2019 21:37:07.129730000 BST (Wireshark shows the analysis host's local time; View -> Time Display Format -> UTC Date and Time of Day switches it to UTC)
Python:
>>> a[0].time
Decimal('1554928627.129730')
>>> import time
>>> time.ctime(a[0].time)   # local time of the analysis host (BST = UTC+1), not UTC
'Wed Apr 10 21:37:07 2019'
The epoch value itself is timezone-independent; time.gmtime(float(a[0].time)) gives the UTC form the answer wants, one hour earlier than the BST display.
Answer:
2019-04-10 20:37:07 UTC
3) What is the duration of the capture?
Python:
>>> time.ctime(a[4002].time)   # last packet: index 4002 of the 4003 packets (a[-1] also works)
'Wed Apr 10 22:40:48 2019'
Wed Apr 10 22:40:48 2019 - Wed Apr 10 21:37:07 2019 = 1:03:41
Answer:
01:03:41
4) What is the most active computer at the link level?
Wireshark:
- Statistics -> Endpoints -> Ethernet tab (or Statistics -> Conversations), sort by Packets
Answer:
00:08:02:1c:47:ae
5) Manufacturer of the NIC of the most active system at the link level?
Hint:
- OUI lookup of the first three octets (00:08:02); Wireshark's MAC name resolution or the IEEE OUI registry both give the vendor
Answer:
Hewlett-Packard
6) Where is the headquarters of the company that manufactured the NIC of the most active computer at the link level?
Answer:
Palo Alto
7) The organization works with private addressing and netmask /24. How many computers in the organization are involved in the capture?
Hint:
- Filter on the organisation's private /24 (e.g. ip.addr == 10.4.10.0/24): 4 private addresses appear
- 1 of those private addresses is a network device, not a computer
- 4 IPs - 1 = 3
Answer:
3
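As an added, stand-alone example (not code from this write-up), here is a pure-Python libpcap reader that answers questions 1 to 4 and 7 without scapy: it parses the global header and the per-record headers, converts the first timestamp to UTC, computes the duration, counts frames per unicast MAC and lists the private hosts seen in the site's /24. It runs against a small capture constructed inline; only the victim MAC 00:08:02:1c:47:ae and the DNS server 10.4.10.4 are taken from the challenge, while the other MACs, the IPs 10.4.10.132 and 10.4.10.1 and the UDP payloads are assumed. The real stealer.pcap would be fed in with open(path, 'rb').read().

```python
import struct
from collections import Counter
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# libpcap magic numbers -> (struct byte order, multiplier turning the fraction field into ns)
_MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", 1000), b"\xa1\xb2\xc3\xd4": (">", 1000),   # microsecond
    b"\x4d\x3c\xb2\xa1": ("<", 1),    b"\xa1\xb2\x3c\x4d": (">", 1),      # nanosecond
}


def parse_pcap(data):
    """Yield (timestamp_ns, frame_bytes) for each record of a libpcap-format capture.

    Handles both byte orders and both timestamp resolutions; pcapng and
    non-Ethernet link types raise ValueError instead of silently mis-parsing.
    """
    if data[:4] not in _MAGICS:
        raise ValueError("not a libpcap capture (pcapng is not handled here)")
    endian, frac_to_ns = _MAGICS[data[:4]]
    # global header: magic, ver_major, ver_minor, thiszone, sigfigs, snaplen, linktype
    linktype = struct.unpack(endian + "IHHiIII", data[:24])[6]
    if linktype != 1:
        raise ValueError("only LINKTYPE_ETHERNET captures are handled")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated record at offset %d" % off)
        off += incl_len
        yield ts_sec * 10**9 + ts_frac * frac_to_ns, frame


def summarize(data, site_net="10.4.10.0/24"):
    """Packet count, first packet in UTC, duration, most active unicast MAC and
    the hosts of the site's private /24 that appear as IPv4 source or destination."""
    records = list(parse_pcap(data))
    mac_frames, hosts = Counter(), set()
    net = ip_network(site_net)
    for _, frame in records:
        dst, src = frame[0:6], frame[6:12]
        for mac in (src, dst):
            if not mac[0] & 1:                      # group bit clear: a real host, not bcast/mcast
                mac_frames[mac.hex(":")] += 1
        if frame[12:14] == b"\x08\x00" and len(frame) >= 34:   # EtherType IPv4, full header present
            for raw in (frame[26:30], frame[30:34]):
                ip = ip_address(raw)
                if ip in net:
                    hosts.add(ip)
    first_ns, last_ns = records[0][0], records[-1][0]
    secs = (last_ns - first_ns) // 10**9
    return {
        "packets": len(records),
        "first_utc": datetime.fromtimestamp(first_ns / 1e9, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
        "duration": "%02d:%02d:%02d" % (secs // 3600, secs % 3600 // 60, secs % 60),
        "most_active_mac": mac_frames.most_common(1)[0][0],
        "private_hosts": [str(h) for h in sorted(hosts)],
    }


# --- constructed sample capture (not the challenge pcap) ----------------------
# Assumed: the DNS/gateway MACs, the victim and gateway IPs and the UDP payloads.
VICTIM_MAC, DNS_MAC, GW_MAC = "00:08:02:1c:47:ae", "00:0c:29:aa:bb:cc", "00:50:56:11:22:33"
VICTIM_IP, DNS_IP, GW_IP = "10.4.10.132", "10.4.10.4", "10.4.10.1"


def _mac(s):
    return bytes.fromhex(s.replace(":", ""))


def _udp_frame(src_mac, dst_mac, src_ip, dst_ip, payload):
    eth = _mac(dst_mac) + _mac(src_mac) + b"\x08\x00"
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, 17, 0,
                       ip_address(src_ip).packed, ip_address(dst_ip).packed)
    udp = struct.pack("!HHHH", 49152, 53, 8 + len(payload), 0)   # checksums left at 0
    return eth + ipv4 + udp + payload


def build_pcap(frames):
    """frames: iterable of (ts_sec, ts_usec, frame_bytes) -> little-endian usec libpcap bytes."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts_sec, ts_usec, frame in frames:
        out += struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame
    return out


SAMPLE_PCAP = build_pcap([
    (1554928627, 129730, _udp_frame(VICTIM_MAC, DNS_MAC, VICTIM_IP, DNS_IP, b"query")),
    (1554928627, 140000, _udp_frame(DNS_MAC, VICTIM_MAC, DNS_IP, VICTIM_IP, b"answer")),
    (1554928630, 0, _mac("ff:ff:ff:ff:ff:ff") + _mac(VICTIM_MAC) + b"\x08\x06" + bytes(28)),  # ARP
    (1554932448, 129730, _udp_frame(VICTIM_MAC, GW_MAC, VICTIM_IP, GW_IP, b"bye")),
])

if __name__ == "__main__":
    # for the real capture: summarize(open("stealer.pcap", "rb").read())
    for key, value in summarize(SAMPLE_PCAP).items():
        print(f"{key}: {value}")
```

Wireshark's Endpoints view also lists broadcast and multicast addresses; the group-bit check above skips them so the "most active" entry is always a real host. The private-host list still contains the network device, so the subtraction for question 7 stays a manual step. pcapng captures should be converted first (editcap -F pcap in.pcapng out.pcap).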
8) What is the name of the most active computer at the network level?
Wireshark:
- Filter dhcp (bootp in older Wireshark versions) and read Option 12 (Host Name) in the DHCP Request
Answer:
Beijing-5cd1-PC
9) What is the IP of the organization’s DNS server?
Hint:
- Filter dns and look at the destination of the victim's queries
Answer:
10.4.10.4
10) What domain is the victim asking about in packet 204?
Python:
a[203].qd.qname   # Wireshark numbers packets from 1, the scapy list from 0
Answer:
proforma-invoices.com
11) What is the IP of the domain in the previous question?
Python:
a[205].an.rdata   # rdata of the first answer record in the DNS response
Answer:
217.182.138.150
12) Indicate the country to which the IP in the previous section belongs.
Hint:
- geoip / whois lookup of 217.182.138.150
Answer:
France
13) What operating system does the victim’s computer run?
strings ~/Downloads/stealer.pcap | grep -i windows | sort -u   # User-Agent strings of the victim's HTTP requests
Windows NT 6.1 is the kernel version that Windows 7 and Server 2008 R2 report.
Answer:
Windows NT 6.1
14) What is the name of the malicious file downloaded by the accountant?
Hint:
- Wireshark: File -> Export Objects -> HTTP lists every downloaded object with its filename
Answer:
tkraw_Protected99.exe
15) What is the md5 hash of the downloaded file?
Hint:
- Wireshark: File -> Export Objects -> HTTP, save tkraw_Protected99.exe
- Hash the saved file (md5 on macOS, md5sum on Linux)
md5 tkraw_Protected99.exe
MD5 (tkraw_Protected99.exe) = 71826ba081e303866ce2a2534491a2f7
Answer:
71826ba081e303866ce2a2534491a2f7
16) What is the name of the malware according to Malwarebytes?
Hint:
- Search the MD5 on VirusTotal and read the Malwarebytes row of the detections
Answer:
Spyware.HawkEyeKeyLogger
17) What software runs the webserver that hosts the malware?
Hint:
- Server header of the HTTP 200 response that delivered the file (follow the HTTP stream)
Answer:
LiteSpeed
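Questions 13 to 17 all come out of one HTTP exchange: the request's User-Agent carries the Windows NT version, the request path carries the file name, the Server header names the web server, and hashing the response body gives the sample's MD5 without the round trip through Export Objects. The following is an added example, not code from this write-up: it parses a request/response pair as Follow HTTP Stream shows it, checks the body against Content-Length so a truncated capture is not hashed as if it were the whole file, and maps the NT version to a product name. The exchange is constructed: the host, file name and server name are the ones from the challenge, the User-Agent string is assumed, and the body is a placeholder text rather than a PE, so the hash it prints is of the placeholder, not of the real sample.

```python
import hashlib
import re

# Windows NT kernel version (as reported in User-Agent strings) -> product name
WINDOWS_NT_VERSIONS = {
    "5.1": "Windows XP", "6.0": "Windows Vista / Server 2008",
    "6.1": "Windows 7 / Server 2008 R2", "6.2": "Windows 8 / Server 2012",
    "6.3": "Windows 8.1 / Server 2012 R2", "10.0": "Windows 10 / 11",
}


def _split_message(msg):
    """Split a raw HTTP message into (start line, {lowercased header: value}, body)."""
    head, _, body = msg.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")      # split at the first colon only
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def analyze_download(request, response):
    """Answer the download questions from one request/response pair."""
    req_line, req_hdrs, _ = _split_message(request)
    _status, resp_hdrs, body = _split_message(response)
    _method, path, _version = req_line.split(" ", 2)
    # Content-Length bounds the object; a body shorter than that means the
    # capture missed segments and the hash would be of a truncated file.
    length = int(resp_hdrs.get("content-length", len(body)))
    payload = body[:length]
    nt = re.search(r"Windows NT (\d+\.\d+)", req_hdrs.get("user-agent", ""))
    nt = nt.group(1) if nt else None
    # file name: Content-Disposition wins, otherwise the last path segment
    cd = re.search(r'filename="?([^";]+)"?', resp_hdrs.get("content-disposition", ""))
    filename = cd.group(1) if cd else path.rsplit("/", 1)[-1]
    return {
        "url": "http://%s%s" % (req_hdrs.get("host", ""), path),
        "filename": filename,
        "server": resp_hdrs.get("server"),
        "windows_nt": "Windows NT %s" % nt if nt else None,
        "windows_name": WINDOWS_NT_VERSIONS.get(nt),
        "complete": len(payload) == length,
        "md5": hashlib.md5(payload).hexdigest(),
        "sha256": hashlib.sha256(payload).hexdigest(),
    }


# --- constructed exchange (not the challenge traffic) ------------------------
# Assumed: the User-Agent string and the body, which is a placeholder text, not a PE.
_BODY = b"The quick brown fox jumps over the lazy dog"
SAMPLE_REQUEST = (
    b"GET /tkraw_Protected99.exe HTTP/1.1\r\n"
    b"Host: proforma-invoices.com\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:66.0) Gecko/20100101 Firefox/66.0\r\n"
    b"Connection: keep-alive\r\n\r\n"
)
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: LiteSpeed\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Length: " + str(len(_BODY)).encode() + b"\r\n\r\n" + _BODY
)

if __name__ == "__main__":
    for key, value in analyze_download(SAMPLE_REQUEST, SAMPLE_RESPONSE).items():
        print(f"{key}: {value}")
```

The "complete" flag is the check worth keeping: Export Objects will happily save a partial object when the capture lost segments, and a hash of a partial file never matches VirusTotal. Chunked transfer encoding is not handled here; for that case, or for gzip-compressed bodies, let Wireshark reassemble and export the object instead.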
18) What is the public IP of the victim’s computer?
Hint:
- Find the HTTP request to bot.whatismyipaddress.com; the response body is the victim's public address
Answer:
173.66.146.112
19) In which country is located the email server to which the stolen information is sent?
Hint:
- whois / geoip on 23.229.162.69, the SMTP server the malware connects to
Answer:
United States
20) What is the creation date of the domain to which the information is exfiltrated?
Hint:
- whois macwinlogistics.in (the domain of the drop mailbox) and read the Creation Date field
Answer:
2014-02-08
21) Analyzing the first extraction of information. What software runs the email server to which the stolen information is sent?
Hint:
- Follow the first SMTP stream; the server's 220 banner names the MTA and its version
Answer:
Exim 4.91
22) To which email account is the stolen information sent?
Hint:
- RCPT TO in the SMTP stream
Answer:
sales.del@macwinlogistics.in
23) What is the password used by the malware to send the email?
Hint:
- AUTH LOGIN sends the password base64-encoded after the server's 334 UGFzc3dvcmQ6 (Password:) prompt
- U2FsZXNAMjM= base64-decodes to Sales@23
Answer:
Sales@23
24) Which malware variant exfiltrates information?
Hint:
- HawkEye variant
- base64-decode the email Subject header
Answer:
Reborn v9
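Questions 21 to 24 are all answered from the SMTP session the malware opens: the 220 banner names the MTA, AUTH LOGIN sends username and password base64-encoded after the server's 334 prompts, RCPT TO names the drop mailbox, and the Subject is base64 (here as an RFC 2047 encoded-word). What follows is an added example, not code from this write-up: a small parser over a Follow TCP Stream transcript that decodes those fields in one pass. The transcript is constructed; the mailbox, password and Exim version are the ones reported above, while the server hostname, client IP, timestamps, message id and subject text are assumed.

```python
import base64
import re
from email.header import decode_header


def _b64_text(s):
    """Decode s as base64 UTF-8 text; return it unchanged if it is not valid base64."""
    try:
        return base64.b64decode(s, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):     # binascii.Error is a ValueError
        return s


def parse_smtp_session(stream):
    """Extract the exfiltration fields from a followed SMTP stream (both directions)."""
    info = {"software": None, "username": None, "password": None, "auth_ok": False,
            "mail_from": None, "rcpt_to": [], "subject": None}
    pending = None      # credential the next client line carries, after a 334 prompt
    in_data = False     # between DATA and the terminating "."
    for line in stream.splitlines():
        if in_data:
            if line == ".":
                in_data = False
            elif line.lower().startswith("subject:"):
                raw = line.split(":", 1)[1].strip()
                # RFC 2047 encoded-words (=?utf-8?B?...?=) are handled by the email
                # package; a bare base64 subject falls through to _b64_text.
                text = "".join(part.decode(cs or "utf-8", "replace") if isinstance(part, bytes) else part
                               for part, cs in decode_header(raw))
                info["subject"] = _b64_text(text)
            continue
        if pending:
            info[pending] = _b64_text(line.strip())
            pending = None
        elif line.startswith("220 ") and info["software"] is None:
            m = re.search(r"ESMTP\s+(\S+\s+[\d.]+)", line)      # e.g. "Exim 4.91"
            info["software"] = m.group(1) if m else line[4:]
        elif line.startswith("334 "):
            prompt = _b64_text(line[4:].strip()).lower()         # "Username:" / "Password:"
            pending = "username" if prompt.startswith("username") else "password"
        elif line.startswith("235 "):
            info["auth_ok"] = True
        elif line.upper().startswith("MAIL FROM:"):
            info["mail_from"] = line.split(":", 1)[1].strip().strip("<>")
        elif line.upper().startswith("RCPT TO:"):
            info["rcpt_to"].append(line.split(":", 1)[1].strip().strip("<>"))
        elif line.upper() == "DATA":
            in_data = True
    return info


# --- constructed session transcript (not the challenge's stream) --------------
# Assumed: server hostname, client IP, timestamps, message id and the subject text.
_USER_B64 = base64.b64encode(b"sales.del@macwinlogistics.in").decode()
_SUBJ_B64 = base64.b64encode(b"Reborn v9 - Passwords Logs - SAMPLE").decode()
SAMPLE_STREAM = f"""220 mail.example.invalid ESMTP Exim 4.91 Wed, 10 Apr 2019 21:40:12 +0100
EHLO BEIJING-5CD1-PC
250-mail.example.invalid Hello BEIJING-5CD1-PC [203.0.113.5]
250-AUTH PLAIN LOGIN
250 HELP
AUTH LOGIN
334 VXNlcm5hbWU6
{_USER_B64}
334 UGFzc3dvcmQ6
U2FsZXNAMjM=
235 Authentication succeeded
MAIL FROM:<sales.del@macwinlogistics.in>
250 OK
RCPT TO:<sales.del@macwinlogistics.in>
250 Accepted
DATA
354 Enter message, ending with "." on a line by itself
From: sales.del@macwinlogistics.in
To: sales.del@macwinlogistics.in
Subject: =?utf-8?B?{_SUBJ_B64}?=
Date: Wed, 10 Apr 2019 21:40:12 +0100

(stolen data would follow here)
.
250 OK id=1hEfoo-0001Xy-2b
QUIT
221 mail.example.invalid closing connection
"""

if __name__ == "__main__":
    for key, value in parse_smtp_session(SAMPLE_STREAM).items():
        print(f"{key}: {value}")
```

The prompts are matched by decoding them rather than by position, because some MTAs send the password prompt first or use AUTH PLAIN (a single base64 blob of NUL user NUL password), which this parser does not handle. The 235 line confirms the credentials were accepted, which matters when deciding whether the stolen data actually left the network.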
25) What are the bankofamerica access credentials? username:password
Hint:
- Follow tcp stream 24 (filter tcp.stream eq 24); the exfiltrated log lists the Bank of America credentials
Answer:
roman.mcguire:P@ssw0rd$
26) Every how many minutes is the information collected exfiltrated?
Hint:
- Compare the timestamps of successive SMTP sessions (e.g. the last two emails)
Answer:
10