CyberDefenders.org hosted a fun 24-hr reversing CTF. For those that don't know about CyberDefenders, they host a platform dedicated to training blue-team skills (incident response, digital forensics, security analysis, etc.). If you are used to VulnHub and Hack-the-box, those services are typically geared more towards red teaming and penetration testing. This is where CyberDefenders stands out!
A simple pcap analysis is all that's needed for the first few questions…
1) What is the attacker’s IP address?
2) What is the target’s IP address?
3) Provide the country code for the attacker’s IP address (a.k.a geo-location).
4) How many TCP sessions are present in the captured traffic?
Wireshark - Statistics - Destinations & Ports
5) How long did it take to perform the attack (in seconds)?
- The capture is 24 sec long
- There are a few seconds of legitimate traffic on either side of the attack traffic
7) Provide the CVE number of the exploited vulnerability.
- Packet 38
- The description field shows ‘DsROLEUpgradeDownLevelServer’
8) Which protocol was used to carry over the exploit?
9) Which protocol did the attacker use to download additional malicious files to the target system?
10) What is the name of the downloaded malware?
11) The attacker’s server was listening on a specific port. Provide the port number.
12) When was the involved malware first submitted to VirusTotal for analysis? Format: YYYY-MM-DD
- Extract the sample from the pcap
- Get its hash
- VirusTotal - Details - History
13) What is the key used to encode the shellcode?
14) What is the port number the shellcode binds to?
- Reverse the shellcode?
- Use scdbg
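For questions 13 and 14, an added static alternative to running the shellcode in scdbg: brute-force a single-byte XOR key against known plaintext, then read the bind port out of the decoded sockaddr_in. This is example code written for this writeup, not the CTF's shellcode; the key, port and blob below are constructed, and the assumption is that the encoder is a one-byte XOR (the decoder stub would show the actual scheme).

```python
import hashlib
import struct
from typing import Optional

# Constructed sample (not the real payload): what a decoded bind shell typically
# carries, a sockaddr_in (AF_INET, port in network byte order) and a command
# string, XOR-encoded with the single byte KEY.
KEY = 0x5A
BIND_PORT = 4444
PLAINTEXT = (
    b"\x90" * 8                    # NOP padding (constructed)
    + struct.pack("<H", 2)         # sin_family = AF_INET, little-endian word
    + struct.pack(">H", BIND_PORT) # sin_port, network byte order
    + b"\x00\x00\x00\x00"          # INADDR_ANY
    + b"cmd.exe\x00"               # command spawned by the bind shell
)
ENCODED = bytes(b ^ KEY for b in PLAINTEXT)


def xor_decode(data: bytes, key: int) -> bytes:
    """Undo a single-byte XOR encoding."""
    return bytes(b ^ key for b in data)


def recover_xor_key(data: bytes, markers=(b"cmd", b"\x90\x90")) -> Optional[int]:
    """Try all 256 keys; the one that reveals every known-plaintext marker wins."""
    for key in range(256):
        candidate = xor_decode(data, key)
        if all(m in candidate for m in markers):
            return key
    return None


def find_bind_port(decoded: bytes) -> Optional[int]:
    """Find an AF_INET prefix (0x0002 little-endian) and read the port after it."""
    idx = decoded.find(b"\x02\x00")
    while idx != -1 and idx + 4 <= len(decoded):
        port = struct.unpack(">H", decoded[idx + 2:idx + 4])[0]
        if port:  # a zero port is a false positive, keep scanning
            return port
        idx = decoded.find(b"\x02\x00", idx + 1)
    return None


def sha256_hex(data: bytes) -> str:
    """Hash of the extracted sample, the value to look up on VirusTotal."""
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    key = recover_xor_key(ENCODED)
    print(f"recovered key: {key:#04x}")
    print(f"bind port: {find_bind_port(xor_decode(ENCODED, key))}")
    print(f"sha256: {sha256_hex(ENCODED)}")
```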
15) The shellcode used a specific technique to determine its location in memory. What is the OS file being queried during this process?