CTF WALKTHROUGHS

HackTheBox: signup

The aliens attacked our territory and stole our necessary supplies and kept them in a secure manner. We can get them back, but it requires a lot of data samples. Fortunately, we have some stuff to get back what we need. But, are we lucky enough?!

HackTheBox: ElElgamal

After some minor warnings from IDS, you decide to check the logs to see if anything suspicious is happening. Surprised by what you see, you realise that one of your honeypots has been compromised with a cryptominer. As you look at the processes, you discover a backdoor attached to one of them. The backdoor retrieves the private key from the /key route of a C2. It establishes a session by sending an encrypted initialization sequence. After the session is established, it waits for commands. The commands are encrypted and executed by the source code you found. Unfortunately, the IDS could not detect the request to /key and the machine was rebooted after the compromise, so the key cannot be found on the stack. Can you find out if any data was exfiltrated from the honeypot to mitigate future attacks?

CyberDefenders: NintendoHunt

You have been hired as a digital forensics investigator to investigate a potential security breach at a company. The company has recently noticed unusual network activity and suspects that there may be a malicious process running on one of their computers. Your task is to identify the malicious process and gather information about its activity.

CyberDefenders: Hafinum-APT

Windows Event Logs Analysis Challenge, and I am happy to introduce my rebrand of my old script to make a SQLite database out of Windows Event Logs!!!

HackTheBox: Seized

Miyuki is now after a newly formed ransomware division which works for Longhir. This division’s goal is to target any critical infrastructure and cause financial losses to their opponents. They never restore the encrypted files, even if the victim pays the ransom. This case is the number one priority for the team at the moment. Miyuki has seized the hard drive of one of the members, and it is believed that inside it there may be credentials for the ransomware’s dashboard. Given the AppData folder, can you retrieve the wanted credentials?

RomHack 2022: You Got Mail

Our CEO’s computer was compromised in a phishing attack. The attackers took care to clear the PowerShell logs, so we don’t know what they executed. Can you help us?

HackTheBox: Free Services

The Intergalactic Federation stated that it managed to prevent a large-scale phishing campaign that targeted all space personnel across the galaxy. The enemy’s goal was to add as many spaceships to their space-botnet as possible so they could conduct distributed destruction of intergalactic services (DDOIS) using their fleet. Since such a campaign can be easily detected and prevented, the malicious actors have changed their tactics. As stated by officials, a new spear phishing campaign is underway, aiming at high-value targets. Now Klaus asks your opinion about a mail it received from “sales@unlockyourmind.gal”, claiming that in their galaxy it is possible to recover its memory by following the steps contained in the attached file.

HackTheBox: Lure

The finance team received an important looking email containing an attached Word document. Can you take a look and confirm if it’s malicious?

HackTheBox: No Place To Hide

We found evidence of a password spray attack against the Domain Controller, and identified a suspicious RDP session. We’ll provide you with our RDP logs and other files. Can you see what they were up to?

HackTheBox: Rogue

SecCorp has reached out to us about a recent cyber security incident. They are confident that a malicious entity has managed to access a shared folder that stores confidential files. Our threat intel informed us about an active dark web forum where disgruntled employees offer to give access to their employer’s internal network for a financial reward. In this forum, one of SecCorp’s employees offers to provide access to a low-privileged domain-joined user for 10K in cryptocurrency. Your task is to find out how they managed to gain access to the folder and what corporate secrets they stole.

HackTheBox: Insider

A potential insider threat has been reported, and we need to find out what they accessed. Can you help?

HackTheBox: Export

We spotted a suspicious connection to one of our servers, and immediately took a memory dump. Can you figure out what the attackers were up to?

HackTheBox: Event Horizon

Our CEO’s computer was compromised in a phishing attack. The attackers took care to clear the PowerShell logs, so we don’t know what they executed. Can you help us?

HackTheBox: Chase

One of our web servers triggered an AV alert, but none of the sysadmins say they were logged onto it. We’ve taken a network capture before shutting the server down to take a clone of the disk. Can you take a look at the PCAP and see if anything is up?

HackTheBox: MarketDump

We have been informed that a hacker managed to get into our internal network after pivoting through the web platform that runs on the public internet. He managed to bypass our small product stock logging platform and then obtained our customer database file. We believe that only one of our customers was targeted. Can you find out who the customer was?

HackTheBox: Persistence

We’re noticing some strange connections from a critical PC that can’t be replaced. We’ve run an AV scan to delete the malicious files and rebooted the box, but the connections get re-established. We’ve taken a backup of some critical system files, can you help us figure out what’s going on?

HackTheBox: Marshal in the Middle

The security team was alerted to suspicious network activity from a production web server.
Can you determine if any data was stolen and what it was?

CyberDefenders: l337 S4uc3

Everyone has heard of targeted attacks. Detecting these can be challenging, responding to these can be even more challenging. This scenario will test your network and host-based analysis skills to figure out the who, what, where, when, and how of this incident. There is sure to be something for all skill levels and the only thing you need to solve the challenge is some l337 S4uc3!

CyberDefenders: Emprisa Maldoc

As a SOC analyst, you were asked to inspect a suspicious document a user received in his inbox. One of your colleagues told you that he could not find anything suspicious. However, throwing the document into the sandboxing solution triggered some alerts.
Your job is to investigate the document further and confirm whether it’s malicious or not.

CyberDefenders: MalDoc101

It is common for threat actors to utilize living off the land (LOTL) techniques, such as the execution of PowerShell, to further their attacks and transition away from macro code. This challenge is intended to show how you can oftentimes perform quick analysis to extract important IOCs. The focus of this exercise is on static analysis techniques.

CyberDefenders: Pwned-DC

An Active Directory compromise case: adversaries were able to take over the corporate domain controller. Investigate the case and reveal the Who, When, What, Where, Why, and How.

TryHackMe: Investigating Windows

This is a challenge that is exactly what it says on the tin: there are a few challenges around investigating a Windows machine that has been previously compromised.

Connect to the machine using RDP. The credentials for the machine are as follows:

TryHackMe: Startup

We are Spice Hut, a new startup company that just made it big! We offer a variety of spices and club sandwiches (in case you get hungry), but that is not why you are here. To be truthful, we aren’t sure if our developers know what they are doing and our security concerns are rising. We ask that you perform a thorough penetration test and try to own root. Good luck!

TryHackMe: h4cked

Find out what happened by analysing a .pcap file and hack your way back into the machine. It seems like our machine got hacked by an anonymous threat actor. However, we are lucky to have a .pcap file from the attack. Can you determine what happened? Download the .pcap file and use Wireshark to view it.

CyberDefenders: HawkEye

An accountant at your organization received an email regarding an invoice with a download link. Suspicious network traffic was observed shortly after opening the email. As a SOC analyst, investigate the network trace and analyze exfiltration attempts.

CyberDefenders: XLM Macros

Recently, we have seen a resurgence of Excel-based malicious Office documents. However, instead of using VBA-style macros, they are using older-style Excel 4 macros. This changes our approach to analyzing these documents, requiring a slightly different set of tools. In this challenge, you’ll get hands-on with two documents that use Excel 4.0 macros to perform anti-analysis and download the next stage of the attack.

CyberDefenders: Obfuscated

During your shift as a SOC analyst, the enterprise EDR alerted on suspicious behavior from an end-user machine. The user indicated that he had recently received an email with a DOC file from an unknown sender and passed the document to you to analyze.

CyberDefenders: GetPDF

The PDF format is the de facto standard for exchanging documents online. Such popularity, however, has also attracted cyber criminals to spread malware to unsuspecting users. The ability to generate malicious PDF files to distribute malware is functionality that has been built into many exploit kits. As users are less cautious about opening PDF files, the malicious PDF file has become quite a successful attack vector. The network traffic captured in lala.pcap contains traffic related to a typical malicious PDF file attack, in which an unsuspecting user opens a compromised web page, which redirects the user’s web browser to the URL of a malicious PDF file. As the PDF plug-in of the browser opens the PDF, the unpatched version of Adobe Acrobat Reader is exploited and, as a result, downloads and silently installs malware on the user’s machine.

CyberDefenders: DetectLog4j

For the last week, the log4shell vulnerability has been gaining much attention, not only for its ability to execute arbitrary commands on the vulnerable system but for the wide range of products that depend on the log4j library. Many of them are not known till now. We created a challenge to test your ability to detect, analyze, mitigate and patch products vulnerable to log4shell.

CyberDefenders: Hunter

The SOC team got an alert regarding some illegal port scanning activity coming from an employee’s system. The employee was not authorized to do any port scanning or any offensive hacking activity within the network. The employee claimed that he had no idea about that, and that it is probably malware acting on his behalf. The IR team managed to respond immediately and take a full forensic image of the user’s system to perform some investigations.

There is a theory that the user intentionally installed illegal applications to do port scanning and maybe other things. He was probably planning something bigger, far beyond a port scan!

It all began when the user asked for a salary raise that was rejected. After that, his behavior was abnormal and different. The suspect is believed to have weak technical skills, and there might be an outsider helping him!

Your objective is to analyze the image and to either confirm or deny this theory.

CyberDefenders: DeepDive

You have been given a memory image of a compromised machine. Analyze the image and figure out the attack details.

CyberDefenders: BankingTroubles

Company X has contacted you to perform forensics work on a recent incident that occurred. One of their employees had received an e-mail from a co-worker that pointed to a PDF file. Upon opening, the employee did not notice anything; however, they recently had unusual activity in their bank account.

The initial theory is that a user received an e-mail containing a URL leading to a forged PDF document. Opening that document in Acrobat Reader triggers malicious JavaScript that initiates a sequence of actions to take over the victim’s system.

Company X was able to obtain a memory image of the employee’s virtual machine upon suspected infection and asked you to analyze the virtual memory and provide answers to the questions.

CyberDefenders: Insider

After Karen started working for ‘TAAUSAI,’ she began to do some illegal activities inside the company. ‘TAAUSAI’ hired you to kick off an investigation on this case.

You acquired a disk image and found that Karen uses Linux OS on her machine. Analyze the disk image of Karen’s computer and answer the provided questions.

CyberDefenders: HireMe

Karen is a security professional looking for a new job. A company called “TAAUSAI” offered her a position and asked her to complete a couple of tasks to prove her technical competency. Analyze the provided disk image and answer the questions based on your understanding of the cases she was assigned to investigate.

CyberDefenders: DumpMe

One of the SOC analysts took a memory dump from a machine infected with Meterpreter malware. As a digital forensicator, your job is to analyze the dump, extract the available indicators of compromise (IOCs) and answer the provided questions.

CyberDefenders: Spotlight

There is an amazing range of open-source tools for Mac Forensics. My favorite ever is mac_apt, and I solved all questions (except one which requires mounting the E01 image) with it. The most important filetypes in Mac Forensics are the Property Lists (.plist) and Sqlite databases. These usually hold the most precious artifacts and information. Mac_apt does the job automatically and gathers the best, crunchiest artifacts into a pretty, well organized sqlite database.

Spotlight is a macOS image forensics challenge where you can evaluate your DFIR skills against an OS you usually encounter in today’s case investigations.

CyberDefenders: LGDroid

Our IR team took a disk dump of the android phone. Analyze the dump and answer the provided questions.

DFA 2020: MISC

This category is a mix of JavaScript, crypto and zip file recovery. To repair the corrupted zip file, you will need a hex editor (if repairing manually). Otherwise, it’s not very time-consuming and you can easily score extra points.

CyberDefenders: L’espion

You have been tasked by a client whose network was compromised and brought offline to investigate the incident and determine the attacker’s identity.

Incident responders and digital forensic investigators are currently on the scene and have conducted a preliminary investigation. Their findings show that the attack originated from a single user account, probably an insider.

Investigate the incident, find the insider, and uncover the attack actions.

DFA 2020: OSINT

OSINT is short for Open-Source Intelligence. Whilst many open-source OSINT tools exist, often it’s best to start with different search engines. For deeper analyses, the OSINT Framework is my go-to. For this part of the challenge, you just need a combination of Google, Bing, Yandex and DuckDuckGo. Most is solvable with Google only!

CyberDefenders: Jailbroken

iOS forensics is similar to Mac forensics, but the images are usually either full filesystem (a filesystem copy of a jailbroken device) or logical (usually acquired with iTunes).
There are many open-source tools available for both. I used ios_apt, iLEAPP and walitean for this category.

Jailbroken is an iPad case investigation that exposes different aspects of iOS systems.
