CyberDefenders - HoneyBot CTF
Intro
CyberDefenders.org hosted a fun 24-hour reversing CTF. For those who don't know about CyberDefenders, they host a platform dedicated to training blue-team skills (incident response, digital forensics, security analysis, etc.). If you are used to VulnHub and Hack The Box, those services are typically geared more towards red teaming and penetration testing. This is where CyberDefenders stands out!
Walkthrough
A simple pcap analysis is all that's needed for the first few questions…
1) What is the attacker’s IP address?
Answer:
98.114.205.102
2) What is the target’s IP address?
Answer:
192.150.11.111
3) Provide the country code for the attacker’s IP address (a.k.a geo-location).
Hint:
- OSINT
- whois
Answer:
US
4) How many TCP sessions are present in the captured traffic?
Wireshark - Statistics - Conversations - TCP tab (each row is one TCP session)
Answer:
5
5) How long did it take to perform the attack (in seconds)?
Hint:
- Capture is 24sec
- There are few seconds of legitimate traffic either side of the attack traffic
Answer:
16
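Wireshark's Conversations view is the quick way to get Q4 and Q5, but the same two numbers can be recovered from the raw pcap with nothing but the Python standard library. The block below is an added example, not part of the original write-up or of the CTF material: it builds a small constructed capture (two UDP packets of background traffic bracketing five attacker/victim TCP conversations that span 16 seconds; the addresses are the ones from Q1 and Q2, the ports are made up), parses the classic pcap format by hand, groups TCP packets into conversations keyed on the unordered endpoint pair exactly as Wireshark does, and measures the attacker's first-to-last packet window. `tcp_frame`, `build_pcap`, `parse_pcap`, `tcp_conversations` and `attack_duration` are helper names chosen for this example.

```python
"""Count TCP conversations and time an attack window in a pcap, standard library only."""
import struct

ATTACKER = "98.114.205.102"   # attacker and target from Q1/Q2 of the walkthrough
VICTIM = "192.150.11.111"


def _ip(addr):
    return bytes(int(o) for o in addr.split("."))


def ipv4_frame(src, dst, proto, l4):
    """Minimal Ethernet/IPv4 frame; checksums are left at zero (fine for offline parsing)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     _ip(src), _ip(dst))
    return eth + ip + l4


def tcp_frame(src, sport, dst, dport, flags=0x18):
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ipv4_frame(src, dst, 6, tcp)


def udp_frame(src, sport, dst, dport):
    return ipv4_frame(src, dst, 17, struct.pack("!HHHH", sport, dport, 8, 0))


def build_pcap(records):
    """records: [(timestamp_seconds, frame_bytes)] -> classic pcap bytes, linktype 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in records:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def parse_pcap(data):
    """Return [(timestamp, frame)] from a classic pcap; handles both byte orders."""
    magic, = struct.unpack("<I", data[:4])
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    linktype, = struct.unpack(endian + "I", data[20:24])
    if linktype != 1:
        raise ValueError("this example only handles Ethernet captures")
    off, packets = 24, []
    while off + 16 <= len(data):
        sec, usec, caplen, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        packets.append((sec + usec / 1e6, data[off:off + caplen]))
        off += caplen
    return packets


def tcp_endpoints(frame):
    """(src, sport, dst, dport) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    if ip[9] != 6:                       # IP protocol 6 = TCP
        return None
    ihl = (ip[0] & 0x0F) * 4
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return src, sport, dst, dport


def tcp_conversations(packets):
    """Map each unordered endpoint pair (a Wireshark 'conversation') to (first, last) timestamps."""
    convs = {}
    for ts, frame in packets:
        ep = tcp_endpoints(frame)
        if ep is None:
            continue
        key = frozenset([(ep[0], ep[1]), (ep[2], ep[3])])
        first, last = convs.get(key, (ts, ts))
        convs[key] = (min(first, ts), max(last, ts))
    return convs


def attack_duration(packets, attacker):
    """Seconds between the attacker's first and last TCP packet."""
    times = [ts for ts, f in packets
             if (ep := tcp_endpoints(f)) and attacker in (ep[0], ep[2])]
    return max(times) - min(times)


# Constructed sample capture (not the HoneyBot pcap): background UDP at t=0 and t=24
# bracket five attacker<->victim TCP conversations running from t=4 to t=20.
_CONVS = [((ATTACKER, 1821), (VICTIM, 445)), ((ATTACKER, 1828), (VICTIM, 445)),
          ((ATTACKER, 1924), (VICTIM, 1957)), ((VICTIM, 1035), (ATTACKER, 8884)),
          ((VICTIM, 1036), (ATTACKER, 8884))]
_RECORDS = [(0.0, udp_frame("10.0.0.5", 137, VICTIM, 137))]
for _i, ((_a, _ap), (_b, _bp)) in enumerate(_CONVS):
    _t = 4.0 + _i * 3.0
    _RECORDS += [(_t, tcp_frame(_a, _ap, _b, _bp, 0x02)),          # SYN
                 (_t + 0.5, tcp_frame(_b, _bp, _a, _ap, 0x12)),    # SYN/ACK
                 (_t + 4.0, tcp_frame(_a, _ap, _b, _bp, 0x11))]    # FIN/ACK
_RECORDS.append((24.0, udp_frame(VICTIM, 137, "10.0.0.5", 137)))
SAMPLE_PCAP = build_pcap(sorted(_RECORDS))

if __name__ == "__main__":
    pkts = parse_pcap(SAMPLE_PCAP)
    print("TCP conversations:", len(tcp_conversations(pkts)))
    print("attack duration:", attack_duration(pkts, ATTACKER), "s")
```

Point `parse_pcap` at the bytes of a real capture (`open("honeybot.pcap", "rb").read()`) to apply the same logic; pcapng files use a different container and would need a different parser or a `tshark -F pcap` conversion first.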
7) Provide the CVE number of the exploited vulnerability.
Hint:
- Packet 38
- the description field shows a ‘DsROLEUpgradeDownLevelServer’ request
Answer:
CVE-2003-0533
8) Which protocol was used to carry over the exploit?
Answer:
SMB
9) Which protocol did the attacker use to download additional malicious files to the target system?
Answer:
ftp
10) What is the name of the downloaded malware?
Answer:
ssms.exe
11) The attacker’s server was listening on a specific port. Provide the port number.
Answer:
8884
12) When was the involved malware first submitted to VirusTotal for analysis? Format: YYYY-MM-DD
Hint:
- Extract the sample
- get hash
- VirusTotal - Details - History Link
Answer:
2007-06-27
13) What is the key used to encode the shellcode?
Hint:
- The source code for the exploit can be found here: Exploit-DB 293
- CyberChef XOR with the key from the exploit source will decode the shellcode
Answer:
0x99
14) What is the port number the shellcode binds to?
Hint:
- reverse the shellcode?
- use scdbg
Answer:
1957
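For Q13 and Q14 the shortcut is to read the key out of the exploit source and let scdbg emulate the bind, but both answers can also be pulled from the bytes themselves. The block below is an added example, not code from this write-up, from the Exploit-DB source, or from CyberDefenders: it scans for the `xor byte ptr [mem], imm8` instruction of a jmp/call/pop decoder stub to recover the key, falls back to brute-forcing the 256 single-byte keys against known strings when no stub is visible, XOR-decodes the payload, and reads the bind port out of the `push` that builds the `sockaddr_in` (the port sits in the structure in network byte order, which is why the two bytes are read big-endian). The sample blob is constructed for this example with key 0x99 and port 1957 so the numbers line up with the answers; it is not the shellcode from the capture, and the byte patterns searched for are heuristics to confirm in a disassembler or scdbg.

```python
"""Recover a single-byte XOR key from an x86 decoder stub, decode the payload, and find the bind port."""
import struct

# x86 opcode 0x80 /6 = xor r/m8, imm8.  ModRM 0x30-0x33, 0x36, 0x37 address a bare
# register ([eax], [ecx], [edx], [ebx], [esi], [edi]); ModRM 0x34 means a SIB byte follows.
BARE_REG_MODRM = {0x30, 0x31, 0x32, 0x33, 0x36, 0x37}


def key_from_decoder_stub(blob):
    """Find the first `xor byte ptr [mem], imm8` and return (key, offset_after_it), else None."""
    for i in range(len(blob) - 3):
        if blob[i] != 0x80:
            continue
        modrm = blob[i + 1]
        if modrm in BARE_REG_MODRM:       # 80 3x <imm8>
            return blob[i + 2], i + 3
        if modrm == 0x34:                 # 80 34 <sib> <imm8>
            return blob[i + 3], i + 4
    return None


def payload_start(blob, xor_end):
    """Classic stubs end with `call` (E8 rel32) back to a `pop`; the encoded payload
    begins right after that call.  Heuristic: first E8 after the xor instruction."""
    idx = blob.find(b"\xE8", xor_end)
    return idx + 5 if idx != -1 else xor_end


def xor_decode(data, key):
    return bytes(b ^ key for b in data)


def brute_force_key(encoded, markers=(b"cmd", b"ws2_")):
    """Fallback when no stub is visible: score every key by known strings, then by printable bytes."""
    def score(dec):
        return 100 * sum(m in dec for m in markers) + sum(32 <= b < 127 for b in dec)
    return max(range(256), key=lambda k: score(xor_decode(encoded, k)))


def find_bind_port(code):
    """sockaddr_in is pushed onto the stack as immediates; sin_port is in network byte
    order, so the two bytes after the push are read big-endian.
      68 02 00 HH LL  push dword  (sin_family = AF_INET and the port in one dword)
      66 68 HH LL     push word   (the port on its own)"""
    i = code.find(b"\x68\x02\x00")
    if i != -1 and i + 5 <= len(code):
        return struct.unpack("!H", code[i + 3:i + 5])[0]
    i = code.find(b"\x66\x68")
    if i != -1 and i + 4 <= len(code):
        return struct.unpack("!H", code[i + 2:i + 4])[0]
    return None


def analyse(blob):
    """Return (key, decoded_payload, bind_port) for a stub+payload blob."""
    hit = key_from_decoder_stub(blob)
    if hit:
        key, xor_end = hit
        start = payload_start(blob, xor_end)
    else:
        key, start = brute_force_key(blob), 0   # stub bytes, if any, will be garbled
    decoded = xor_decode(blob[start:], key)
    return key, decoded, find_bind_port(decoded)


# Constructed sample, not the bytes from the HoneyBot capture: a plaintext fragment that
# pushes "cmd", "ws2_32" and a sockaddr_in for port 1957 (0x07A5), XOR-encoded with 0x99
# and prefixed by a jmp/call/pop decoder loop whose body is `xor byte [edx+ecx], 0x99`.
PLAIN = (b"\x31\xc0\x50\x68cmd\x00\x89\xe3\x50\x68ws2_\x6832\x00\x00"
         b"\x66\x68\x07\xa5\x66\x6a\x02\x89\xe1\x6a\x10\x51\x53\xff\xd6\xc3")
STUB = (b"\xEB\x10\x5A\x4A\x33\xC9\x66\xB9" + struct.pack("<H", len(PLAIN))
        + b"\x80\x34\x0A\x99\xE2\xFA\xEB\x05\xE8\xEB\xFF\xFF\xFF")
SAMPLE = STUB + xor_decode(PLAIN, 0x99)

if __name__ == "__main__":
    key, decoded, port = analyse(SAMPLE)
    print(f"key=0x{key:02x} port={port}")
    print(decoded)
```

With a real capture, feed `analyse` the shellcode bytes carved from the exploit request (Wireshark: follow the TCP stream, export the payload as raw); if the stub search misfires on a byte that merely looks like `80 34`, `brute_force_key` on the tail of the blob is the cross-check, and scdbg on the decoded bytes confirms the `bind` port dynamically.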
15) The shellcode used a specific technique to determine its location in memory. What is the OS file being queried during this process?
Answer:
Kernel32.dll