Seized Blue Team Challenge Walkthrough Write-Up
Category: Endpoint Forensics
Level: Medium
Challenge Download Link : https://cyberdefenders.org/blueteam-ctf-challenges/enroll/92
Instructions:
- Unzip the challenge (pass: cyberdefenders.org), investigate this case, and answer the provided questions.
- Use the latest version of Volatility, place the attached Volatility profile “Centos7.3.10.1062.zip” in the following path volatility/volatility/plugins/overlays/linux.
Scenario:
Using Volatility, utilize your memory analysis skills as a security blue team analyst to investigate the provided Linux memory snapshot and figure out the attack details.
Supportive Tools:
First of all:
- Move the profile ZIP "Centos7.3.10.1062.zip" into the Volatility Linux overlays directory (keep it zipped; Volatility 2 loads Linux profiles straight from the ZIP).
- To locate this directory, just use this command:
└─$ locate volatility/plugins/overlays/linux
- On my machine the directory is:
/usr/local/lib/python2.7/dist-packages/volatility/plugins/overlays/linux
└─$ sudo cp Centos7.3.10.1062.zip /usr/local/lib/python2.7/dist-packages/volatility/plugins/overlays/linux
To ensure everything is OK, confirm that the new profile now shows up in Volatility's profile list under the name LinuxCentos7_3_10_1062x64 (this is the --profile value used in every command below):
Now all is ready to go.
Q1-What is the CentOS version installed on the machine?
- We can use the grep command directly on the raw dump to get the answer (-a treats the binary image as text):
└─$ grep -a "Linux release" dump.mem
or search Google for the kernel build number from the profile name (3.10.0-1062) to map it to the CentOS release that ships it:
THE Answer : 7.7.1908
Q2-There is a command containing a strange message in the bash history. Will you be able to read it?
- Use the linux_bash plugin to list the bash history:
└─$ vol.py -f dump.mem --profile=LinuxCentos7_3_10_1062x64 linux_bash
- There is a Base64-encoded value in the bash history, so go to CyberChef (From Base64) to decode it:
THE Answer : shkCTF{l3ts_st4rt_th3_1nv3st_75cc55476f3dfe1629ac60}
Q3-What is the PID of the suspicious process?
- Use linux_psaux to gather the processes along with their full command line and start time:
└─$ vol.py -f dump.mem --profile=LinuxCentos7_3_10_1062x64 linux_psaux
From the output we see a netcat (nc) process listening on port 12345.
- Or use the linux_pslist plugin:
└─$ vol.py -f dump.mem --profile=LinuxCentos7_3_10_1062x64 linux_pslist
THE Answer : 2854
Q4-The attacker downloaded a backdoor to gain persistence. What is the hidden message in this backdoor?
- Back to the bash history again: we can see that the attacker downloaded a file from GitHub:
- From the output we now know the link to the backdoor.
- Now open the link and check the backdoor files:
- Go to snapshot.py and read the script; you will find this link:
- Now open that link; you will find a Base64-encoded value. Go to CyberChef to decode it:
THE Answer : shkCTF{th4t_w4s_4_dumb_b4ckd00r_86033c19e3f39315c00dca}
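As an added example (not part of the original write-up), the Python script below does what the CyberChef step does for both Q2 and Q4, but over a whole block of text at once: paste in the linux_bash output, or the text of a script such as snapshot.py, and it finds every Base64-looking token, decodes it, and keeps only decodings that are mostly printable text, so hex digests, random file names and URL paths (which also fit the Base64 alphabet) are dropped. The sample bash history is constructed to look like linux_bash output; its PID, timestamps, the hidden message and the sha1sum digest are made up, and the printable-ratio threshold is an assumption you can tune.

```python
import base64
import binascii
import re
import string

# A run of Base64 alphabet characters with optional '=' padding, not glued to
# other alphabet characters. 16 is the minimum length: shorter runs (PIDs,
# short words, "UTC+0000") would match far too often.
_B64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/=])")
_PRINTABLE = set(string.printable.encode("ascii"))


def decode_candidates(text, min_printable=0.9):
    """Return (token, decoded_text) for every Base64-looking token in text whose
    decoding succeeds and is at least min_printable printable ASCII.

    Hex digests and URL paths also match the Base64 alphabet, but they decode
    to binary junk, so the printable-ratio check drops them."""
    hits = []
    for match in _B64_TOKEN.finditer(text):
        token = match.group(0)
        # Normalise padding: strip whatever is there and re-add what b64decode needs
        # (authors often drop the '=' characters when pasting by hand).
        stripped = token.rstrip("=")
        padded = stripped + "=" * (-len(stripped) % 4)
        try:
            raw = base64.b64decode(padded, validate=True)
        except (binascii.Error, ValueError):
            continue  # wrong length or otherwise not valid Base64
        if not raw:
            continue
        ratio = sum(b in _PRINTABLE for b in raw) / len(raw)
        if ratio >= min_printable:
            hits.append((token, raw.decode("ascii", errors="replace")))
    return hits


# --- constructed sample, laid out like Volatility 2 linux_bash output ---------
SAMPLE_SECRET = b"constructed hidden message for the example"
SAMPLE_TOKEN = base64.b64encode(SAMPLE_SECRET).decode("ascii")
SAMPLE_BASH_HISTORY = (
    "Pid      Name                 Command Time                   Command\n"
    "-------- -------------------- ------------------------------ -------\n"
    "    1234 bash                 2020-05-02 22:36:01 UTC+0000   ls -la /tmp\n"
    "    1234 bash                 2020-05-02 22:36:05 UTC+0000   echo " + SAMPLE_TOKEN + " | base64 -d\n"
    "    1234 bash                 2020-05-02 22:36:20 UTC+0000   sha1sum 3a7bd3e2360a3d29eea436fcfb7e44c735d117c4\n"
)

if __name__ == "__main__":
    # Pipe real plugin output in: vol.py ... linux_bash | python3 b64hunt.py
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_BASH_HISTORY
    for token, decoded in decode_candidates(data):
        print(f"{token[:32]}... -> {decoded}")
```

The sha1sum line in the sample is the typical false positive: 40 hex characters are valid Base64, but they decode to bytes that are mostly non-printable, so the ratio check discards them while the real token survives.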
Q5-What are the attacker’s IP address and the local port on the targeted machine?
- Easy, just use the linux_netstat plugin:
└─$ vol.py -f dump.mem --profile=LinuxCentos7_3_10_1062x64 linux_netstat
From the output we see:
- an established netcat connection with 192.168.49.1 (the attacker) on local port 12345 of the targeted machine
THE Answer : 192.168.49.1:12345
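As an added example (not from the write-up), the Python below automates the Q3 and Q5 steps: it parses linux_netstat output into records, flags sockets owned by shell tools or listeners on unexpected ports, and for each established suspicious socket reports the remote address (the attacker), the local port and the owning PID, which is the same PID linux_psaux showed. The sample output is constructed to resemble linux_netstat lines: the attacker IP 192.168.49.1, local port 12345 and nc PID 2854 are the values from this write-up, while the victim address, the attacker's source port, the other sockets and the allowlists are made up for the example.

```python
import re
from collections import namedtuple

Conn = namedtuple("Conn", "proto laddr lport raddr rport state name pid")

# One TCP/UDP line of Volatility 2 linux_netstat output: each port follows its
# address after ':' with variable padding, the state is absent for UDP, and the
# line ends with process_name/pid. IPv4 only (IPv6 addresses contain ':').
_LINE = re.compile(
    r"^(TCP|UDP)\s+([0-9.]+)\s*:\s*(\d+)\s+([0-9.]+)\s*:\s*(\d+)"
    r"(?:\s+([A-Z_]+))?\s+(\S+)/(\d+)\s*$"
)

# Tools that should never own a network socket on a server. Assumed list for
# this example; tune it to the box you are investigating.
SHELL_TOOLS = {"nc", "ncat", "netcat", "socat", "bash", "sh", "dash",
               "python", "python2", "python3", "perl"}
# Listeners a stock CentOS 7 box is expected to have (sshd, local postfix,
# dhclient, rpcbind, chronyd). Assumed list for this example.
EXPECTED_LISTEN_PORTS = {22, 25, 68, 111, 323}


def parse_netstat(text):
    """Parse linux_netstat output into Conn records; UNIX-socket lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        proto, laddr, lport, raddr, rport, state, name, pid = m.groups()
        conns.append(Conn(proto, laddr, int(lport), raddr, int(rport),
                          state or "", name, int(pid)))
    return conns


def find_suspicious(conns):
    """Sockets owned by shell tools, plus listeners on ports we did not expect."""
    return [
        c for c in conns
        if c.name in SHELL_TOOLS
        or (c.state == "LISTEN" and c.lport not in EXPECTED_LISTEN_PORTS)
    ]


def attacker_endpoints(conns):
    """(remote_ip, local_port, pid) for every established suspicious socket:
    the remote side is the attacker, the local port is what the victim exposed."""
    return [(c.raddr, c.lport, c.pid)
            for c in find_suspicious(conns) if c.state == "ESTABLISHED"]


# --- constructed sample laid out like linux_netstat output --------------------
SAMPLE_NETSTAT = """\
TCP      0.0.0.0         :   22 0.0.0.0         :    0 LISTEN                       sshd/1070
TCP      127.0.0.1       :   25 0.0.0.0         :    0 LISTEN                     master/1412
TCP      192.168.49.135  :12345 192.168.49.1    :51234 ESTABLISHED                    nc/2854
UDP      0.0.0.0         :   68 0.0.0.0         :    0                           dhclient/1002
UNIX 14293              systemd/1     /run/systemd/journal/stdout
"""

if __name__ == "__main__":
    # Pipe real plugin output in: vol.py ... linux_netstat | python3 netcheck.py
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NETSTAT
    for raddr, lport, pid in attacker_endpoints(parse_netstat(data)):
        print(f"attacker {raddr} -> local port {lport} (pid {pid})")
```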
Q6-What is the first command that the attacker executed?
- Use the linux_psaux plugin to gather the processes along with their full command line and start time:
└─$ vol.py -f dump.mem --profile=LinuxCentos7_3_10_1062x64 linux_psaux
From the output, the first command the attacker executed (the answer) is the usual one-liner for upgrading a raw netcat shell to a full TTY; the single quotes around the -c argument were consumed by the shell, so they do not appear in the recorded command line:
python -c import pty; pty.spawn("/bin/bash")
Q8-What is the name of the rootkit that the attacker used?
- We can use the linux_check_syscall plugin, which checks the syscall table for hooked entries (a common rootkit tactic for hiding files, processes and connections), and grep for "hooked":
└─$ vol.py -f dump.mem --profile=LinuxCentos7_3_10_1062x64 linux_check_syscall | grep -i hooked
THE Answer: sysemptyrect
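As an added example (not from the write-up), the Python below goes one step past the grep: it parses linux_check_syscall output, keeps the HOOKED rows, maps each hooked index to its x86_64 syscall name (kill, getdents, getdents64 and friends are the usual rootkit targets) and groups the hooks by the module that owns them, which names the rootkit. The sample rows are constructed to resemble the plugin's output: the addresses and the hook_* symbol names are made up, and the exact "HOOKED: module/symbol" suffix layout is an assumption; the parser only depends on the HOOKED marker, and falls back to "<unknown>" when no module is printed.

```python
import re
from collections import namedtuple, defaultdict

Hook = namedtuple("Hook", "table index address module symbol")

# x86_64 syscall numbers Linux rootkits most commonly hook: kill (magic signals
# to hide/unhide), getdents/getdents64 (hide files and /proc entries),
# read/write/open/openat (sniffing and file hiding). Fixed by the x86_64 ABI.
SYSCALL_NAMES = {0: "read", 1: "write", 2: "open", 62: "kill",
                 78: "getdents", 217: "getdents64", 257: "openat"}

# One data line of linux_check_syscall: table, hex index, hex address, symbol field.
_ROW = re.compile(r"^(\S+)\s+(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s+(.*?)\s*$")
# Volatility marks a hijacked entry with "HOOKED"; the module/symbol suffix is
# parsed when present (assumed layout), otherwise the module stays unknown.
_HOOKED = re.compile(r"HOOKED(?:\s*:\s*([^\s/]+)/(\S+))?")


def parse_hooked(text):
    """Return a Hook record for every hooked syscall-table entry in the output."""
    hooks = []
    for line in text.splitlines():
        row = _ROW.match(line)
        if not row:
            continue  # header, separator or blank line
        table, index, address, symbol_field = row.groups()
        mark = _HOOKED.search(symbol_field)
        if not mark:
            continue  # legitimate kernel symbol
        hooks.append(Hook(table, int(index, 16), int(address, 16),
                          mark.group(1), mark.group(2)))
    return hooks


def hooks_by_module(hooks):
    """Map each hooking module to the syscalls it replaced, by name where the
    number is known and as sys_<n> otherwise."""
    out = defaultdict(list)
    for h in hooks:
        out[h.module or "<unknown>"].append(SYSCALL_NAMES.get(h.index, f"sys_{h.index}"))
    return dict(out)


def identify_rootkit(text):
    """Name of the module owning the most hooks, or None if nothing is hooked."""
    grouped = hooks_by_module(parse_hooked(text))
    if not grouped:
        return None
    return max(grouped, key=lambda m: len(grouped[m]))


# --- constructed sample laid out like linux_check_syscall output --------------
SAMPLE_CHECK_SYSCALL = """\
Table Name Index Address            Symbol
---------- ----- ------------------ ------------------------------
64bit      0x0   0xffffffff81217b80 sys_read
64bit      0x1   0xffffffff81217ce0 sys_write
64bit      0x3e  0xffffffffc0a5b120 HOOKED: sysemptyrect/hook_kill
64bit      0x4e  0xffffffffc0a5b3a0 HOOKED: sysemptyrect/hook_getdents
64bit      0xd9  0xffffffffc0a5b5c0 HOOKED: sysemptyrect/hook_getdents64
64bit      0x101 0xffffffff81221f40 sys_openat
"""

if __name__ == "__main__":
    # Pipe real plugin output in: vol.py ... linux_check_syscall | python3 hooks.py
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CHECK_SYSCALL
    for module, names in hooks_by_module(parse_hooked(data)).items():
        print(f"{module}: {', '.join(names)}")
```

Hooking exactly kill plus the two getdents variants is the classic Diamorphine-style pattern (process/file hiding toggled by a magic signal), so the set of hooked syscalls tells you what the rootkit hides even before you find its source.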
Q9-The rootkit uses crc65 encryption. What is the key?
- We can use the strings command and grep the memory dump for the rootkit name; the key shows up in the matching strings:
└─$ strings dump.mem|grep -i "sysemptyrect"
THE Answer : 1337tibbartibbar
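As an added example (not from the write-up), the Python below reimplements the two raw-dump searches of Q1 and Q9 in one pass: it streams the image in chunks (so a multi-GB dump is never loaded whole), extracts printable runs the way strings does while joining runs that straddle a chunk boundary (the thing a naive chunked grep gets wrong), pulls the CentOS release banner and the kernel banner out of them, and returns every string containing the rootkit name. The in-memory sample image is constructed: the release and kernel banners use the real CentOS 7.7 / 3.10.0-1062 values, but their layout, the padding and the placement of the key next to the module name are made up.

```python
import io
import re

# /etc/centos-release banner as it sits in memory (what grep -a "Linux release" hits).
RELEASE_RE = re.compile(rb"CentOS Linux release (\d+\.\d+\.\d+)")
# Kernel banner (what `uname -a` prints), a cross-check for the release.
KERNEL_RE = re.compile(rb"Linux version (\d+\.\d+\.\d+-\S+)")
_PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]+")


def iter_strings(fobj, min_len=4, chunk_size=1 << 20):
    """Streaming equivalent of `strings -n min_len`: yield every run of printable
    ASCII bytes, joining runs cut by a chunk boundary so nothing is lost."""
    carry = b""  # printable run that reached the end of the previous chunk
    while True:
        data = fobj.read(chunk_size)
        if not data:
            break
        if carry and not 0x20 <= data[0] <= 0x7E:
            # the run from the previous chunk ended exactly at the boundary
            if len(carry) >= min_len:
                yield carry
            carry = b""
        for m in _PRINTABLE_RUN.finditer(data):
            run = m.group(0)
            if m.start() == 0:
                run = carry + run  # continues the run from the previous chunk
                carry = b""
            if m.end() == len(data):
                carry = run        # may continue in the next chunk
            elif len(run) >= min_len:
                yield run
    if len(carry) >= min_len:
        yield carry


def scan_image(fobj, needle, **kw):
    """Collect CentOS release strings, kernel banners and every string containing
    needle (case-insensitive) in one pass over the image."""
    needle = needle.lower().encode("ascii")
    found = {"release": set(), "kernel": set(), "needle": []}
    for s in iter_strings(fobj, **kw):
        m = RELEASE_RE.search(s)
        if m:
            found["release"].add(m.group(1).decode("ascii"))
        m = KERNEL_RE.search(s)
        if m:
            found["kernel"].add(m.group(1).decode("ascii"))
        if needle in s.lower():
            found["needle"].append(s.decode("ascii"))
    found["release"] = sorted(found["release"])
    found["kernel"] = sorted(found["kernel"])
    return found


def scan_bytes(data, needle, **kw):
    """Same as scan_image but over an in-memory image (used for the sample)."""
    return scan_image(io.BytesIO(data), needle, **kw)


# --- constructed stand-in for dump.mem: a few strings padded with zero bytes ---
SAMPLE_IMAGE = (
    b"\x00" * 40
    + b"CentOS Linux release 7.7.1908 (Core)\n\x00"
    + b"\x00" * 20
    + b"Linux version 3.10.0-1062.el7.x86_64 (constructed@example) #1 SMP\n\x00"
    + b"\x00" * 20
    + b"sysemptyrect key=1337tibbartibbar\x00"  # made-up placement of the key
    + b"\x00" * 40
)

if __name__ == "__main__":
    # python3 memscan.py dump.mem sysemptyrect
    import sys
    needle = sys.argv[2] if len(sys.argv) > 2 else "sysemptyrect"
    with open(sys.argv[1], "rb") as f:
        print(scan_image(f, needle))
```

Running the sample with a tiny chunk size forces every string across several boundaries and still yields the same result, which is the property you want before trusting the scanner on a real dump.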
THE END
BY : Ahmed Nasser