Open in app

Sign in

Write

Sign in

l337 S4uc3 Blue Team Challenge Write-Up

BY : AHMED NASSER

أحمد ناصر
7 min readNov 24, 2023

Category : Threat Hunting

LEVEL : Medium

Challenge Download Link : https://cyberdefenders.org/blueteam-ctf-challenges/enroll/83

Scenario

Everyone has heard of targeted attacks. Detecting these can be challenging, responding to these can be even more challenging. This scenario will test your network and host-based analysis skills as a soc analyst to figure out the who, what, where, when, and how of this incident. There is sure to be something for all skill levels and the only thing you need to solve the challenge is some l337 S4uc3!

Tools

  1. Volatility
  2. Wireshark
  3. Networkminer
  4. Brimsecurity

Q1-PCAP: Development.wse.local is a critical asset for the Wayne and Stark Enterprises, where the company stores new top-secret designs on weapons. Jon Smith has access to the website and we believe it may have been compromised, according to the IDS alert we received earlier today. First, determine the Public IP Address of the webserver?

  • Open The pcapng whit wireshark file and save it with extension pcap
  • open the pcap with NetworkMiner , once opened you will see the Public IP-addr :
development.wse.local
THE Answer : 74.204.41.73

Q2-PCAP: Alright, now we need you to determine a starting point for the timeline that will be useful in mapping out the incident. Please determine the arrival time of frame 1 in the “GrrCON.pcapng” evidence file.

  • Open The PCAP with wireshark and look to the first packet
 22:51:07 utc

Q3-PCAP: What version number of PHP is the development.wse.local server running?

  • I Filtered the pcap with http host in wireshartk and go to any post method (ex : packet 4282) and flow HTTP stream :
THE Filter : http.host=="development.wse.local"
tcp stream eq 159
THE Answer : 5.3.2

Q4-PCAP: What version number of Apache is the development.wse.local web server using?

  • From the screenshot above and look at the server :
THE Answer : 2.2.14

Q5-IR: What is the common name of the malware reported by the IDS alert provided?

  • look at IR-Alert image in the task files , so we cans Easily we name of the malware :
IR-Alert
THE Answer : zeus

Q6-PCAP: Please identify the Gateway IP address of the LAN because the infrastructure team reported a potential problem with the IDS server that could have corrupted the PCAP

  • An easy way to do that is to search for ARP requests. Filtering with arp:
arp protocol
  • from the image above we see that , the first 5 packets are arp request (Broadcast) from 172.16.0.108 to 172.16.0.1 ( which is the gateway)
THE Answer : 172.16.0.1

Q7-IR: According to the IDS alert, the Zeus bot attempted to ping an external website to verify connectivity. What was the IP address of the website pinged?

  • back to IR-Alert we can easy see the destination IP-add :
THE Answer : 74.125.225.112

Q8-PCAP: It’s critical to the infrastructure team to identify the Zeus Bot CNC server IP address so they can block communication in the firewall as soon as possible. Please provide the IP address?

there are more than one solutions , but I take the easy one :

  • open the pcap with Networkminer , and since we know the soure IP of the alert form IR-Alert ( which is 172.16.0.109) and go to :
  • Host 172.16.0.109 > incoming sessions > server , we can see the Zeus Bot CNC server
THE Answer : 88.198.6.20

Q9-PCAP: The infrastructure team also requests that you identify the filename of the “.bin” configuration file that the Zeus bot downloaded right after the infection. Please provide the file name?

  • Go to NetworkMiner > file , and search for bin file :
THE Answer : cf.bin

Q10-PCAP: No other users accessed the development.wse.local WordPress site during the timeline of the incident and the reports indicate that an account successfully logged in from the external interface. Please provide the password they used to log in to the WordPress page around 6:59 PM EST?

  • I used networkminer to extract the password easily and search the password used around 6:59 PM :
THE Answer : wM812ugu

Q11-PCAP: After reporting that the WordPress page was indeed accessed from an external connection, your boss comes to you in a rage over the potential loss of confidential top-secret documents. He calms down enough to admit that the design’s page has a separate access code outside to ensure the security of their information. Before storming off he provided the password to the designs page “1qBeJ2Az” and told you to find a timestamp of the access time or you will be fired. Please
provide the time of the accessed Designs page?

  • Same as the previous question , go credentials tap in NetworkMiner and search form the given password “1qBeJ2Az” :
THE Answer : 23:04:04 utc

Q12-PCAP: What is the source port number in the shellcode exploit? Dest Port was 31708 IDS Signature GPL
SHELLCODE x86 inc ebx NOOP

  • Easy one just filter the PCAP with dest port and you will see the source port :
THE Answer : 39709

Q13-PCAP: What was the Linux kernel version returned from the meterpreter sysinfo command run by the attacker?

  • To answer this question i used this filter , and go to packet 4040 and flow TCP stream , you will get the answer
tcp stream eq 155
THE Answer : 2.6.32-38-server

Q14-PCAP: What is the value of the token passed in frame 3897?

  • Easy go packet 3897 and flow HTTP stream :
tcp stram eq 151
THE Answer : b7aad621db97d56771d6316a6d0b71e9

Q15-PCAP: What was the tool that was used to download a compressed file from the webserver?

  • Open the pcap with Brim tool and use this filter to see the user agent by count :
THE Filter : _path=="http" | count() by user_agent 
THE Answer : Wget

Q16-PCAP: What is the download file name the user launched the Zeus bot?

  • To answer i filtered the PCAP with HTTP GET Method and search for any exe file :
THE Answer : bt.exe

Q17-Memory: What is the full file path of the system shell spawned through the attacker’s meterpreter session?

  • When using volatility to analysis Linux memory Dump first we need to generate a profile for this Dump , For more information about generate a Linux profile read this article Read here .
  • the challenge files already provided the zip file containing module.dwarf and System.map , so we can skip the above step .
  • We need To move the zip file into the volatility plugins , and to find where volatility plugins we can use this commend :
locate volatility/plugins/overlays/linux
1- the path in my machine is  :
/usr/local/lib/python2.7/dist-packages/volatility/plugins/overlays/linux
2-to move the zip file use this commend :
sudo mv DFIRwebsvr.zip /usr/local/lib/python2.7/dist-packages/volatility/plugins/overlays/linux

Now every thing is ready :

He asks about the path of shell , so we can use linux_psaux plugin

vol.py -f webserver.vmss --profile=LinuxDFIRwebsvrx64 linux_psaux 
THE Answer : /bin/sh

Q18-Memory: What is the Parent Process ID of the two ‘sh’ sessions?

  • we can use linux_pstree plugin to display process parent/child relationship .
vol.py -f webserver.vmss --profile=LinuxDFIRwebsvrx64 linux_pstree 
THE Answer : 1042

THE END

BY : Ahmed Nasser

--

--

أحمد ناصر
أحمد ناصر

Written by أحمد ناصر

76 Followers
25 Following

CyberSecurity Analyst || DFIR || CTF player

No responses yet

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams