EscapeRoom Blue Team Challenge Write-Up
Category : Network Forensics
LEVEL : Medium
Challenge Download Link : https://cyberdefenders.org/blueteam-ctf-challenges/enroll/18
Scenario:
- You, as a SOC analyst, belong to a company specializing in hosting web applications on KVM-based virtual machines. Over the weekend, one VM went down, and the site administrators fear this might be the result of malicious activity. They extracted a few logs from the environment in the hope that you can determine what happened.
This challenge is a combination of several entry- to intermediate-level tasks of increasing difficulty focusing on authentication, information hiding, and cryptography. Participants will benefit from entry-level knowledge in these fields, as well as knowledge of general Linux operations, kernel modules, a scripting language, and reverse engineering. Not everything may be as it seems. Innocuous files may turn out to be malicious, so take precautions when dealing with any files from this challenge.
Helpful Tools: Brim, Wireshark, hashcat, strings
Q1-What service did the attacker use to gain access to the system?
I loaded the PCAP in Brim and used this query to summarize the activity per protocol log:
count() by _path | sort -r
There are 54 SSH connections, so the service the attacker used to get in is SSH.
THE Answer : SSH
Q2-What attack type was used to gain access to the system?(one word)
Since there are 54 SSH login attempts against the host in a short period, the access was gained by brute force.
THE Answer : bruteforce
Q3-What was the tool the attacker possibly used to perform this attack?
Once I read this question, the first tool that came to mind was hydra (https://www.kali.org/tools/hydra/), the usual choice for online SSH password guessing.
THE Answer : hydra
Q4-How many failed attempts were there?
To answer this question I need the SSH details, so I used this filter:
_path=="ssh"
From the image above there are 2 successful logins (auth_success is true), so the failed attempts = 54 - 2 = 52.
THE Answer : 52
Q5-What credentials (username:password) were used to gain access? Refer to shadow.log and sudoers.log?
- Look in sudoers.log for the users with sudo rights; manager is one of them, so I guessed the attacker used that account.
- To get the password we need to crack manager's hash from shadow.log using hashcat.
manager:$6$SaltVal2$ybuPu7Nmo9LKn0p0ozhFhFw2SS2cqkLsx8c5OEAWFkIJjtXBEJqxUQzLh900QMgFTGiw6YuFDueNAapfLKt0f1:15549:0:99999:7:::
STEPS To Crack the hash :
1- echo '$6$SaltVal2$ybuPu7Nmo9LKn0p0ozhFhFw2SS2cqkLsx8c5OEAWFkIJjtXBEJqxUQzLh900QMgFTGiw6YuFDueNAapfLKt0f1' > hash.txt
2- hashcat -a 0 -m 1800 hash.txt rockyou.txt   (mode 1800 is sha512crypt, the $6$ format used in shadow.log; -a 0 is a straight dictionary attack)
3- wait for hashcat to finish; it prints the hash with the recovered password appended, and hashcat --show hash.txt displays it again later.
THE Answer : manager:forgot
Q6-What other credentials (username:password) could have been used to gain access also have SUDO privileges? Refer to shadow.log and sudoers.log.
- Same method as the previous question: sean is the other sudo-capable user in sudoers.log, so crack his hash from shadow.log the same way. I won't repeat the steps; try it yourself.
THE Answer : sean:spectre
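Q5 and Q6 are the same procedure: cross-reference the accounts that sudoers.log grants sudo to against the password fields in shadow.log, drop the locked accounts, and feed the rest to hashcat. The script below automates that triage. It is an added example, not part of the original write-up or the challenge files: manager's shadow line is the one quoted above, while every other shadow and sudoers line is constructed (sean's hash is a placeholder of the right shape, not a real digest), and the HASHCAT_MODES table maps crypt(3) prefixes to hashcat's mode numbers.

```python
"""Cross-reference shadow.log and sudoers.log to list sudo-capable accounts
whose password field is an actual hash, in the user:hash form that
`hashcat --username` accepts. Added example; sample data is constructed
except for manager's line, which is quoted from the write-up."""
from typing import Dict, List, Set, Tuple

SHADOW_LOG = "\n".join([
    "root:!:15549:0:99999:7:::",                 # locked: '!' is not a hash
    "daemon:*:15549:0:99999:7:::",               # locked: '*' is not a hash
    "manager:$6$SaltVal2$ybuPu7Nmo9LKn0p0ozhFhFw2SS2cqkLsx8c5OEAWFkIJjtXBEJqxUQzLh900QMgFTGiw6YuFDueNAapfLKt0f1:15549:0:99999:7:::",
    # constructed placeholder hash for sean, not a real digest
    "sean:$6$c0nstruct$0000000000000000000000000000000000000000000000000000000000000000000000000000000000000:15549:0:99999:7:::",
    "www-data:*:15549:0:99999:7:::",
])

SUDOERS_LOG = "\n".join([
    "Defaults env_reset",
    "# User privilege specification",
    "root ALL=(ALL:ALL) ALL",
    "manager ALL=(ALL) ALL",
    "sean ALL=(ALL) ALL",
    "www-data ALL=(ALL) NOPASSWD: /usr/sbin/service",
    "%sudo ALL=(ALL:ALL) ALL",
])

# hashcat mode per crypt(3) prefix (500 md5crypt, 7400 sha256crypt,
# 1800 sha512crypt, 3200 bcrypt). Anything else is left for manual triage.
HASHCAT_MODES = {"$1$": 500, "$5$": 7400, "$6$": 1800,
                 "$2a$": 3200, "$2b$": 3200, "$2y$": 3200}

ALIAS_KEYWORDS = ("User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")


def parse_shadow(text: str) -> Dict[str, str]:
    """Map user -> password field (second colon-separated column)."""
    users: Dict[str, str] = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) >= 2:
            users[parts[0]] = parts[1]
    return users


def is_crackable(pw_field: str) -> bool:
    """Real crypt(3) hashes start with '$'; '!', '*', '!!' and '' are locked."""
    return pw_field.startswith("$")


def parse_sudoers(text: str) -> Tuple[Set[str], Set[str]]:
    """Return (users, groups) named in sudoers user specifications. Group
    specs (%name) need /etc/group to resolve, which the challenge data does
    not include, so they are reported separately rather than expanded."""
    users: Set[str] = set()
    groups: Set[str] = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        first = line.split()[0]
        if first in ALIAS_KEYWORDS:
            continue
        if first.startswith("%"):
            groups.add(first[1:])
        else:
            users.add(first)
    return users, groups


def sudo_candidates(shadow_text: str, sudoers_text: str) -> List[Tuple[str, str, int]]:
    """(user, hash, hashcat_mode) for each sudo-capable user whose shadow
    entry is a hash in a format hashcat knows; locked accounts drop out."""
    shadow = parse_shadow(shadow_text)
    users, _groups = parse_sudoers(sudoers_text)
    out: List[Tuple[str, str, int]] = []
    for user in sorted(users):
        pw = shadow.get(user, "")
        if not is_crackable(pw):
            continue
        mode = next((m for prefix, m in HASHCAT_MODES.items() if pw.startswith(prefix)), None)
        if mode is not None:
            out.append((user, pw, mode))
    return out


def hashcat_lines(candidates: List[Tuple[str, str, int]]) -> List[str]:
    """Lines for: hashcat -a 0 -m 1800 --username hashes.txt rockyou.txt"""
    return [f"{user}:{pw}" for user, pw, _mode in candidates]


if __name__ == "__main__":
    cands = sudo_candidates(SHADOW_LOG, SUDOERS_LOG)
    for user, pw, mode in cands:
        print(f"{user}: mode {mode}, hash {pw[:20]}...")
    print("\n".join(hashcat_lines(cands)))
    print("group specs needing /etc/group:", parse_sudoers(SUDOERS_LOG)[1])
```

With --username, hashcat keeps the account name next to each cracked hash in its output and in --show, which avoids re-pairing hashes to users by hand when several accounts are cracked at once.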
Q7-What is the tool used to download malicious files on the system?
- Easy one: open the PCAP in Wireshark and filter on the HTTP User-Agent header; the downloads carry the tool's name in it.
Filter : http.user_agent
THE Answer : wget
Q8-How many files the attacker download to perform malware installation?
- I filtered the PCAP on HTTP GET requests: there are 12 downloaded files and 9 of them are images, so the number of malware files is 12 - 9 = 3.
Filter : http.request.method==GET
THE Answer : 3
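The Brim queries in Q1 to Q4 and the Wireshark filters in Q7 and Q8 are counts over Zeek's ssh.log and http.log, which is what Brim builds from the PCAP. The script below does the same tallies offline so the arithmetic is reproducible. It is an added example, not from the original write-up: the two log excerpts are constructed in Zeek's tab-separated format, and the hosts, counts, User-Agent strings and file names in them are illustrative rather than the challenge's real data.

```python
"""Tally SSH brute-force evidence and HTTP downloads from Zeek logs.
Added example with constructed ssh.log / http.log excerpts."""
from collections import Counter
from typing import Dict, List

# Constructed ssh.log: one source hammering port 22, three connections that
# are not confirmed successes, one success. Zeek writes '-' for fields it
# could not determine (here: an auth_success it never saw).
SSH_LOG = """#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tauth_success\tauth_attempts\tclient\tserver
1.0\tC1\t10.0.0.5\t40001\t192.168.1.10\t22\tF\t3\tSSH-2.0-libssh-0.4.8\tSSH-2.0-OpenSSH_5.3
2.0\tC2\t10.0.0.5\t40002\t192.168.1.10\t22\tF\t3\tSSH-2.0-libssh-0.4.8\tSSH-2.0-OpenSSH_5.3
3.0\tC3\t10.0.0.5\t40003\t192.168.1.10\t22\t-\t2\tSSH-2.0-libssh-0.4.8\tSSH-2.0-OpenSSH_5.3
4.0\tC4\t10.0.0.5\t40004\t192.168.1.10\t22\tT\t1\tSSH-2.0-libssh-0.4.8\tSSH-2.0-OpenSSH_5.3
#close\t2024-01-01-00-00-00
"""

# Constructed http.log: two wget fetches of the malware pieces and three
# image fetches from the implant with a different User-Agent. The last
# row has no MIME type, so the URI extension has to decide.
HTTP_LOG = """#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tmethod\thost\turi\tuser_agent\tresp_mime_types
10.0\tC5\t192.168.1.10\t50001\t203.0.113.7\t80\tGET\tfiles.example\t/mail\tWget/1.12 (linux-gnu)\tapplication/x-executable
11.0\tC6\t192.168.1.10\t50002\t203.0.113.7\t80\tGET\tfiles.example\t/sysmod.ko\tWget/1.12 (linux-gnu)\tapplication/x-object
12.0\tC7\t192.168.1.10\t50003\t198.51.100.9\t80\tGET\timg.example\t/a.jpg\tMozilla/4.0\timage/jpeg
13.0\tC8\t192.168.1.10\t50004\t198.51.100.9\t80\tGET\timg.example\t/b.jpg\tMozilla/4.0\timage/jpeg
14.0\tC9\t192.168.1.10\t50005\t198.51.100.9\t80\tGET\timg.example\t/c.png\tMozilla/4.0\t-
"""

IMAGE_EXTENSIONS = (".jpg", ".jpeg", ".png", ".gif", ".bmp")


def parse_zeek(text: str) -> List[Dict[str, str]]:
    """Turn a Zeek TSV log into dicts keyed by the names in the #fields line."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line:
            continue  # #separator, #types, #close and blank lines
        else:
            records.append(dict(zip(fields, line.split("\t"))))
    return records


def ssh_summary(records: List[Dict[str, str]]) -> Dict[str, object]:
    """Count connections, successes and failures the way the write-up does:
    anything that is not a confirmed success (auth_success == 'T') is
    treated as a failed attempt, which also covers the '-' rows."""
    successes = sum(1 for r in records if r.get("auth_success") == "T")
    return {
        "connections": len(records),
        "successes": successes,
        "failures": len(records) - successes,
        "by_source": Counter(r["id.orig_h"] for r in records),
        # The client banner hints at the tool: hydra's SSH module is built on libssh.
        "clients": Counter(r["client"] for r in records),
    }


def is_image(record: Dict[str, str]) -> bool:
    """Prefer the server-reported MIME type, fall back to the URI extension."""
    mime = record.get("resp_mime_types", "-")
    return mime.startswith("image/") or record["uri"].lower().endswith(IMAGE_EXTENSIONS)


def http_summary(records: List[Dict[str, str]]) -> Dict[str, object]:
    """Split GET requests into image fetches and everything else (the
    candidate malware downloads), and tally them per User-Agent."""
    gets = [r for r in records if r.get("method") == "GET"]
    payloads = [r for r in gets if not is_image(r)]
    return {
        "gets": len(gets),
        "user_agents": Counter(r["user_agent"] for r in gets),
        "images": len(gets) - len(payloads),
        "payloads": [r["uri"] for r in payloads],
    }


if __name__ == "__main__":
    ssh = ssh_summary(parse_zeek(SSH_LOG))
    print("ssh:", ssh["connections"], "connections,", ssh["failures"], "failed,",
          ssh["successes"], "successful; clients:", dict(ssh["clients"]))
    http = http_summary(parse_zeek(HTTP_LOG))
    print("http:", http["gets"], "GETs,", http["images"], "images,",
          "payloads:", http["payloads"], "agents:", dict(http["user_agents"]))
```

Against the real logs the numbers should come out as 54 connections with 2 successes, and 12 GETs of which 9 are images; the `clients` counter is also worth a look, since a libssh banner on every connection is consistent with hydra (which links against libssh) rather than an interactive OpenSSH client.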
Q9-What is the main malware MD5 hash?
- Back to Brim: filter on the files log, scroll to the mime_type column to find the executable,
and double-click it to see the details (including the md5 field).
Filter : _path=="files"
THE Answer : 772b620736b760c1d736b1e6ba2f885b
Q10-What file has the script modified so the malware will start upon reboot?
- I extracted the 3 files with Wireshark (File > Export Objects > HTTP) and ran the strings command on them,
hoping to find anything useful, and I did!
THE Answer : /etc/rc.local
Q11-Where did the malware keep local files?
Easy, from the image above:
THE Answer : /var/mail/
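What strings does for Q10 and Q11 is pull printable runs out of the extracted files; the useful hits are the absolute paths, and among those the ones pointing at boot-time locations. The script below reproduces that sweep with a path filter, plus the MD5 asked for in Q9. It is an added example, not part of the original write-up: SAMPLE_FILE is a constructed byte string shaped like an installer script with binary padding, and the paths in it mirror the write-up's findings rather than being the challenge's file; PERSISTENCE_HINTS is my own list of common Linux autostart locations.

```python
"""strings-style extraction with a filter for filesystem paths and known
persistence locations, plus the MD5 of the file. Added example over a
constructed sample file."""
import hashlib
import re
from typing import List

SAMPLE_FILE = (
    b"#!/bin/sh\n"
    b"\x00\x00\x7f\xff\x01\x02"                  # binary noise, not printable
    b"mkdir -p /var/mail/\n"
    b"cp ./mail /var/mail/mail\n"
    b"echo '/var/mail/mail &' >> /etc/rc.local\n"
    b"insmod /var/mail/sysmod.ko\n"
    b"ab"                                         # too short to count as a string
    b"\xde\xad\xbe\xef"
)

# An absolute path: a '/' not glued to a word or '.' (so ./mail is skipped),
# followed by slash-separated components.
PATH_RE = re.compile(r"(?<![\w.])/(?:[\w.-]+/)*[\w.-]*")

# Locations an installer touches to survive a reboot (assumed list).
PERSISTENCE_HINTS = ("/etc/rc.local", "/etc/init.d/", "/etc/cron", "/etc/systemd/",
                     "/etc/profile", "/etc/ld.so.preload", ".bashrc")


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Equivalent of `strings -n min_len`: runs of printable ASCII."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def find_paths(strings: List[str]) -> List[str]:
    """Unique absolute paths in first-seen order, ignoring a bare '/'."""
    found: List[str] = []
    for s in strings:
        for path in PATH_RE.findall(s):
            if len(path) > 1 and path not in found:
                found.append(path)
    return found


def persistence_paths(paths: List[str]) -> List[str]:
    """Paths that touch a known autostart location."""
    return [p for p in paths if any(hint in p for hint in PERSISTENCE_HINTS)]


def file_md5(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


if __name__ == "__main__":
    strs = extract_strings(SAMPLE_FILE)
    paths = find_paths(strs)
    print("md5:", file_md5(SAMPLE_FILE))
    print("paths:", paths)
    print("persistence:", persistence_paths(paths))
```

The same functions apply to the three carved files from Q8 by replacing SAMPLE_FILE with `open(name, "rb").read()`; for an ELF binary rather than a script, raise min_len to cut down on false positives.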
Q12-What is missing from ps.log?
Open ps.log and look at it; you will notice that the malware process (/var/mail/mail) is not listed, even though it is running.
THE Answer : /var/mail/mail
Q13-What is the main file that used to remove this information from ps.log?
- Back to the same image: the file used to hide the malware process from ps.log is the kernel module the installer loads.
THE Answer : sysmod.ko
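The gap in ps.log (Q12) is only visible if you have a second, independent list of processes to compare against; that is the general check for a module like sysmod.ko that filters what ps sees. The script below parses a ps listing and diffs its PIDs against PIDs obtained another way. It is an added example, not from the original write-up: PS_LOG and LIVE_PIDS are constructed, and the live probe in main() uses kill(pid, 0), which asks the kernel whether a PID exists without reading /proc.

```python
"""Find processes hidden from ps by comparing its PID set with PIDs seen
another way. Added example over constructed data; the live probe at the
bottom only runs on a Linux host."""
import os
from typing import Dict, Set

PS_LOG = """USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1  24336  2240 ?        Ss   10:00   0:01 /sbin/init
root         2  0.0  0.0      0     0 ?        S    10:00   0:00 [kthreadd]
root       612  0.0  0.2  49952  4160 ?        Ss   10:00   0:00 /usr/sbin/sshd -D
www-data   815  0.0  0.3  71560  6124 ?        S    10:01   0:00 /usr/sbin/apache2 -k start
manager   1290  0.0  0.1  21304  3040 pts/0    Ss   10:05   0:00 -bash
"""

# Constructed set of PIDs "seen another way" (a kill(pid, 0) sweep, or the
# PID column of a connection log); 1337 stands for the implant the rootkit
# removed from ps output.
LIVE_PIDS = {1, 2, 612, 815, 1290, 1337}


def parse_ps_log(text: str) -> Dict[int, str]:
    """PID -> COMMAND from `ps aux`-style output. COMMAND is the last column,
    so the line is split at most that many times and arguments survive."""
    lines = text.splitlines()
    header = lines[0].split()
    pid_col, cmd_col = header.index("PID"), header.index("COMMAND")
    procs: Dict[int, str] = {}
    for line in lines[1:]:
        parts = line.split(None, cmd_col)
        if len(parts) <= cmd_col:
            continue
        procs[int(parts[pid_col])] = parts[cmd_col]
    return procs


def command_present(procs: Dict[int, str], needle: str) -> bool:
    return any(needle in cmd for cmd in procs.values())


def hidden_pids(visible: Set[int], live: Set[int]) -> Set[int]:
    """PIDs that exist but do not appear in the ps listing."""
    return live - visible


def probe_live_pids(max_pid: int) -> Set[int]:
    """PIDs the kernel admits exist, via kill(pid, 0): ESRCH means no such
    process, EPERM means it exists but belongs to another user."""
    live: Set[int] = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        live.add(pid)
    return live


if __name__ == "__main__":
    procs = parse_ps_log(PS_LOG)
    print("ps.log mentions /var/mail/mail:", command_present(procs, "/var/mail/mail"))
    print("PIDs alive but absent from ps.log:", sorted(hidden_pids(set(procs), LIVE_PIDS)))
    if os.path.isdir("/proc"):  # live check on this host, not on the challenge data
        in_proc = {int(n) for n in os.listdir("/proc") if n.isdigit()}
        pid_max = int(open("/proc/sys/kernel/pid_max").read())
        print("live PIDs missing from /proc:", sorted(probe_live_pids(pid_max) - in_proc))
```

A module that only filters /proc directory listings (the usual way to hide from ps) does not affect the signal path, so a PID that kill(pid, 0) confirms but /proc omits is strong evidence of hiding; a more thorough rootkit can hook kill as well, so agreement between the two lists is only weak evidence of a clean host.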
Q15-One of the IP's the malware contacted starts with 17. Provide the full IP.
- Go to Wireshark > Statistics > Endpoints.
There are 5 IP addresses, but only one matches the answer format (17x.xxx.xxx.xxx).
THE Answer : 174.129.57.253
Q16-How many files the malware requested from external servers?
- Easy: from Q8 we know 12 files were downloaded and 3 of them are the malware, so the files the malware requested = 12 - 3 = 9 (the images).
THE Answer : 9
Q17-What are the commands that the malware was receiving from attacker servers? Format: comma-separated in alphabetical order.
- This needs some reverse-engineering knowledge, which I am a novice at,
so I consulted another write-up.
THE Answer : NOP,RUN