CyberDefenders: l337 S4uc3

Everyone has heard of targeted attacks. Detecting these can be challenging, responding to these can be even more challenging. This scenario will test your network and host-based analysis skills to figure out the who, what, where, when, and how of this incident. There is sure to be something for all skill levels and the only thing you need to solve the challenge is some l337 S4uc3!

Information

Category Name: l337 S4uc3

Files: c64-grrcon2013.zip 122.4 MB
– GrrCON.pcapng 4 MB
– IR-Alert.png 78 KB
– Ubuntu10-4/DFIRwebsvr.zip 597 KB
– Ubuntu10-4/webserver.vmss 518 MB

My Recommendations

This is my personal preference: I like being organized and deleting the folder when I'm done with it.

mkdir -p Documents/CyberDefenders/L337s4uc3 && cd Documents/CyberDefenders/L337s4uc3

Download it from CyberDefenders and verify the file with sha1sum:

sha1sum /path/to/c64-grrcon2013.zip

SHA1: 94ac99ef544086f0be9f5f6b00ae1a0834b0027b

Then extract it with the provided password.

Walkthrough

1. ...determine the Public IP Address of the webserver?

PCAP: Development.wse.local is a critical asset for the Wayne and Stark Enterprises, where the company stores new top-secret designs on weapons. Jon Smith has access to the website and we believe it may have been compromised, according to the IDS alert we received earlier today…

First, we can filter the pcap with http.host == "development.wse.local":

This helps us find the private IP address. Next, we filter for ip.addr == 172.16.0.108 && http.request. The request shows the Public IP address of the webserver:

Answer:  74.204.41.73

2. ...determine the arrival time of frame 1 in the "GrrCON.pcapng" evidence file.

PCAP: Alright, now we need you to determine a starting point for the timeline that will be useful in mapping out the incident. Please…

The arrival time of frame 1 is at 2013-09-10 22:51:08 UTC:

The answer doesn't require rounding: the fractional seconds are dropped rather than rounded up.

Answer: 22:51:07 UTC

3. What version number of PHP is the development.wse.local server running?

PCAP

Using the ‘Find’ feature for php, and filtering for ip.addr == 172.16.0.108, frame 3887 shows that the PHP version is 5.3.2:

Answer: 5.3.2

4. What version number of Apache is the development.wse.local web server using?

PCAP

In the same frame as the previous question, the webserver is running Apache 2.2.14:

Answer: 2.2.14

5. What is the common name of the malware reported by the IDS alert provided?

IR

At the top of the screenshot, the alert reports an ET TROJAN Zeus Request:


Answer: Zeus

6. Identify the Gateway IP address of the LAN...

PCAP: …because the infrastructure team reported a potential problem with the IDS server that could have corrupted the PCAP

An easy way to do that is to search for ARP requests. Filtering with arp:

The first packets are ARP broadcasts requesting an IP and asking the owner to tell 172.16.0.1. So 172.16.0.1 is the gateway IP address.

Answer: 172.16.0.1
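The same reasoning, as an added example that is not part of the write-up: given Wireshark-style ARP Info lines ("Who has A? Tell B"), the host that asks about the most distinct neighbours, and that the most neighbours ask for, is the best gateway candidate. The Info lines below are constructed samples modelled on the capture, not taken from it.

```python
"""Infer the LAN gateway from ARP request traffic (added example)."""
import re
from collections import Counter

# Matches the Info column Wireshark prints for an ARP request.
ARP_REQUEST_RE = re.compile(
    r"Who has (\d+\.\d+\.\d+\.\d+)\? +Tell (\d+\.\d+\.\d+\.\d+)")

# Constructed sample lines (not from the pcap); the gateway 172.16.0.1 and
# the webserver 172.16.0.108 are the addresses named in the write-up.
SAMPLE_INFO_LINES = [
    "Who has 172.16.0.108? Tell 172.16.0.1",
    "Who has 172.16.0.22? Tell 172.16.0.1",
    "Who has 172.16.0.1? Tell 172.16.0.108",
    "Who has 172.16.0.57? Tell 172.16.0.1",
    "Who has 172.16.0.1? Tell 172.16.0.22",
    "172.16.0.1 is at 00:11:22:33:44:55",   # an ARP reply; ignored here
]


def parse_arp_requests(lines):
    """Return (sender_ip, target_ip) pairs for every ARP request line."""
    pairs = []
    for line in lines:
        m = ARP_REQUEST_RE.search(line)
        if m:
            pairs.append((m.group(2), m.group(1)))
    return pairs


def infer_gateway(lines):
    """Pick the host that talks to the most neighbours and is asked for most."""
    pairs = parse_arp_requests(lines)
    if not pairs:
        return None
    targets_by_sender = {}
    for sender, target in pairs:
        targets_by_sender.setdefault(sender, set()).add(target)
    asked_for = Counter(target for _, target in pairs)

    def score(ip):
        # primary key: distinct hosts this IP ARPs for; secondary: how often
        # other hosts ARP for it (both are typical of a default gateway)
        return (len(targets_by_sender.get(ip, ())), asked_for[ip])

    candidates = set(targets_by_sender) | set(asked_for)
    return max(sorted(candidates), key=score)


if __name__ == "__main__":
    print("ARP requests parsed:", len(parse_arp_requests(SAMPLE_INFO_LINES)))
    print("Likely gateway:", infer_gateway(SAMPLE_INFO_LINES))
```

On a real capture, feed it the Info column exported from Wireshark (filter arp, then File > Export Packet Dissections) and the heuristic only needs the first few dozen requests.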

7. What was the IP address of the website pinged?

IR: According to the IDS alert, the Zeus bot attempted to ping an external website to verify connectivity…

The Zeus bot pinged Google, which has IP address 74.125.225.112.

Answer: 74.125.225.112 


8. ...provide the IP address?

PCAP: It’s critical to the infrastructure team to identify the Zeus Bot CNC server IP address so they can block communication in the firewall as soon as possible. Please…

We know that the Zeus bot pinged 74.125.225.112 , so we can look for packets corresponding to that address with filter ip.addr == 74.125.225.112.

There are two matching TCP streams. The Zeus bot requested webhp from Google, as seen in packet 3654. Following the TCP stream shows the following:

The first line shows that a third-party cookie is allowed, which in this case is a non-secure HTTP link to a Python file, most likely from the requests Python package. Moreover, the HTML shows a link to 'webhp'. If we now use the Find Bytes feature and look for webhp, the only other mention is in an executable downloaded from IP 88.198.6.20, in TCP stream 141:


We can filter for this IP address with ip.addr == 88.198.6.20. This particular conversation appears to be C2 traffic:

Answer:  88.198.6.20

9. ...provide the file name?

PCAP: The infrastructure team also requests that you identify the filename of the “.bin” configuration file that the Zeus bot downloaded right after the infection. Please…

We can quickly look for downloaded files via File > Export Objects > HTTP. Then, we can filter for '.bin':

Answer: cf.bin

10. ...provide the password they used to log in to the WordPress page around 6:59 PM EST?

PCAP: No other users accessed the development.wse.local WordPress site during the timeline of the incident and the reports indicate that an account successfully logged in from the external interface. Please…

By default, the timestamps are in the UTC timezone. We need to convert the 6:59 PM timestamp to UTC, which is 10:59 PM. Now, we can filter the pcap by time and protocol: frame.time >= "2013-09-10 22:59:00" && http.request:

Frame 5456 contains a POST whose body is www-form-urlencoded. The user that logged in was Jsmith, and the password used was wM812ugu.

Answer: wM812ugu

11. ...provide the time of the accessed Designs page

PCAP
After reporting that the WordPress page was indeed accessed from an external connection, your boss comes to you in a rage over the potential loss of confidential top-secret documents. He calms down enough to admit that the designs page has a separate access code to ensure the security of their information. Before storming off he provided the password to the designs page "1qBeJ2Az" and told you to find a timestamp of the access time or you will be fired. Please …

We can simply filter for http.request.method == POST. The last frame returned contains the post_password 1qBeJ2Az:

Answer: 23:04:04 UTC

12. What is the source port number in the shellcode exploit?

PCAP
Destination port was 31708; IDS signature: GPL SHELLCODE x86 inc ebx NOOP

Filtering for udp.dstport == 31708:

The Source Port is 39709.

Answer: 39709
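What that IDS signature is keyed on, as an added example that is not part of the write-up: "inc ebx" is the single byte 0x43, and a long run of it is a NOP sled, so a detector looks for runs of 0x43 in the UDP payload. The datagram below is constructed (the ports 39709 and 31708 are the ones from this question; the sled is followed by placeholder bytes, not a real payload), and the minimum run length of 16 is an assumption of this example.

```python
"""Flag an x86 'inc ebx' (0x43) NOP sled inside a UDP datagram (added example)."""
import struct

INC_EBX = 0x43   # x86 opcode for 'inc ebx', usable as a one-byte NOP
MIN_RUN = 16     # assumption: shortest run of 0x43 this example calls a sled


def build_datagram(payload, sport=39709, dport=31708):
    """UDP header (checksum left 0) + payload; ports default to the write-up's."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


# Constructed samples: a 40-byte inc-ebx sled followed by placeholder bytes,
# and a benign datagram for comparison.
SAMPLE_DATAGRAM = build_datagram(b"\x43" * 40 + b"<placeholder-bytes>")
BENIGN_DATAGRAM = build_datagram(b"GET / HTTP/1.0\r\n\r\n")


def parse_udp(datagram):
    """Split a UDP datagram into (src_port, dst_port, payload)."""
    if len(datagram) < 8:
        raise ValueError("short UDP datagram")
    sport, dport, length, _csum = struct.unpack("!HHHH", datagram[:8])
    return sport, dport, datagram[8:length]


def find_byte_runs(data, value, min_run):
    """Return (offset, length) for every run of `value` at least min_run long."""
    runs, i, n = [], 0, len(data)
    while i < n:
        if data[i] != value:
            i += 1
            continue
        j = i
        while j < n and data[j] == value:
            j += 1
        if j - i >= min_run:
            runs.append((i, j - i))
        i = j
    return runs


def inspect_datagram(datagram, min_run=MIN_RUN):
    """Report ports, any 0x43 sleds, and the offset just past the first sled."""
    sport, dport, payload = parse_udp(datagram)
    runs = find_byte_runs(payload, INC_EBX, min_run)
    return {
        "src_port": sport,
        "dst_port": dport,
        "sled_runs": runs,
        "payload_offset": (runs[0][0] + runs[0][1]) if runs else None,
    }


if __name__ == "__main__":
    for name, dgram in (("sample", SAMPLE_DATAGRAM), ("benign", BENIGN_DATAGRAM)):
        print(name, inspect_datagram(dgram))
```

The payload_offset is where an analyst would start disassembling, since everything before it is padding; on real traffic the run threshold has to be tuned, because short runs of 0x43 ('C') occur in ordinary text.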

13. What was the Linux kernel version returned from the meterpreter sysinfo command run by the attacker?

PCAP

Following tcp stream 155:

Answer: 2.6.32-38-server

14. What is the value of the token passed in frame 3897?

PCAP

Filtering with: frame.number == 3987:

Answer: b7aad621db97d56771d6316a6d0b71e9

15. What was the tool that was used to download a compressed file from the webserver?

PCAP

Filtering for http.request.method == GET:

Frame 5304 is the only one containing a compressed file extension (.tar.gz):

The user-agent for this request is Wget, so the file was downloaded with wget.

Answer: wget
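The two filtering steps above, the WordPress login in question 10 (convert the 6:59 PM local time to UTC, keep only form POSTs from then on, read the submitted fields) and the compressed-file download in this question (GETs for archive extensions and their User-Agent), as one added example that is not part of the write-up. The request records are constructed: the user name and password are the ones from question 10, but the hosts, paths, form field names (WordPress's log and pwd) and the Wget version string are sample values, and the UTC-4 offset is taken from the write-up's own 6:59 PM to 22:59 conversion.

```python
"""Pick login POSTs and archive downloads out of HTTP request records (added example)."""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs

# The write-up maps 6:59 PM to 22:59 UTC, i.e. a UTC-4 offset (EDT in September).
LOCAL_TZ = timezone(timedelta(hours=-4))
ARCHIVE_SUFFIXES = (".tar.gz", ".tgz", ".zip", ".gz", ".bz2", ".7z")

# Constructed records: (UTC timestamp, method, path, headers, body).
SAMPLE_REQUESTS = [
    ("2013-09-10 22:57:41", "GET", "/wp-login.php",
     {"Host": "development.wse.local", "User-Agent": "Mozilla/5.0"}, ""),
    ("2013-09-10 22:59:32", "POST", "/wp-login.php",
     {"Host": "development.wse.local", "User-Agent": "Mozilla/5.0",
      "Content-Type": "application/x-www-form-urlencoded"},
     "log=Jsmith&pwd=wM812ugu&wp-submit=Log+In"),
    ("2013-09-10 23:02:10", "GET", "/backup/designs.tar.gz",
     {"Host": "development.wse.local", "User-Agent": "Wget/1.12 (linux-gnu)"}, ""),
]


def parse_utc(ts):
    """'YYYY-MM-DD HH:MM:SS' in UTC -> aware datetime."""
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def local_to_utc(ts_local):
    """Same format in the local (UTC-4) zone -> aware UTC datetime."""
    local = datetime.strptime(ts_local, "%Y-%m-%d %H:%M:%S").replace(tzinfo=LOCAL_TZ)
    return local.astimezone(timezone.utc)


def form_posts_after(requests, start_utc):
    """Form-urlencoded POSTs at or after start_utc, with their fields parsed."""
    hits = []
    for ts, method, path, headers, body in requests:
        if method != "POST" or parse_utc(ts) < start_utc:
            continue
        if "x-www-form-urlencoded" not in headers.get("Content-Type", ""):
            continue
        fields = {k: v[0] for k, v in parse_qs(body).items()}
        hits.append((ts, path, fields))
    return hits


def archive_downloads(requests):
    """GETs for compressed files, with the User-Agent that fetched them."""
    return [(ts, path, headers.get("User-Agent", ""))
            for ts, method, path, headers, _ in requests
            if method == "GET" and path.lower().endswith(ARCHIVE_SUFFIXES)]


if __name__ == "__main__":
    start = local_to_utc("2013-09-10 18:59:00")
    print("window starts at", start.isoformat())
    for ts, path, fields in form_posts_after(SAMPLE_REQUESTS, start):
        print("login POST", ts, path, fields.get("log"), fields.get("pwd"))
    for ts, path, ua in archive_downloads(SAMPLE_REQUESTS):
        print("archive GET", ts, path, "via", ua.split("/")[0])
```

Keeping the timestamps in UTC and converting only the analyst-supplied local time avoids the classic timeline mistake of converting every packet; the User-Agent product name (the part before the slash) is what identifies the tool.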

16. What is the download file name the user launched the Zeus bot?

PCAP

As we previously saw, the only place where the string 'webhp' appeared, other than in the traffic to the IP address pinged by the Zeus bot, was TCP stream 141. That TCP stream contains the HTTP request GET bt.exe:

Unfortunately, the executable cannot be retrieved, as the TCP data is incomplete ([x bytes missing in capture file]).

Answer: bt.exe

17. What is the full file path of the system shell spawned through the attacker's meterpreter session?

MEMORY

Using the linux_psaux plugin:

vol.py -f Ubuntu10-4/webserver.vmss --profile=LinuxDFIRwebsvrx64 linux_psaux

PID 1274, which is also an sh process (see question 18), was started with the -c option, meaning the command is read from the argument string, which in this case is /bin/sh.

Answer: /bin/sh

18. What is the Parent Process ID of the two 'sh' sessions?

MEMORY
vol.py -f Ubuntu10-4/webserver.vmss --profile=LinuxDFIRwebsvrx64 linux_pslist

Both sh sessions ultimately have Parent Process Id 1042, which is apache2.

Answer: 1042
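The parent-chain walk behind this answer, as an added example that is not part of the write-up: parse a linux_pslist-style table and, for every sh process, climb the PPid column until the outermost apache2 is found. The listing is constructed: only PIDs 1042 (apache2) and 1274 (sh) and the apache2-to-sh relationship come from the write-up; the offsets, the worker PID 1101 and the second shell's PID 1300 are sample filler.

```python
"""Walk sh processes up to their apache2 ancestor in a pslist table (added example)."""

# Constructed listing modelled on volatility2 linux_pslist output.
SAMPLE_PSLIST = """\
Offset             Name                 Pid             PPid            Uid
------------------ -------------------- --------------- --------------- ----
0xffff88000a5c0000 init                 1               0               0
0xffff880006ab8000 apache2              1042            1               0
0xffff880006ab9000 apache2              1101            1042            33
0xffff880006dd8000 sh                   1274            1101            33
0xffff880006ab7000 sh                   1300            1042            33
"""


def parse_pslist(text):
    """Map pid -> {name, ppid, offset}, skipping the two header lines."""
    procs = {}
    for line in text.splitlines()[2:]:
        parts = line.split()
        if len(parts) < 5:
            continue
        offset, name, pid, ppid = parts[0], parts[1], int(parts[2]), int(parts[3])
        procs[pid] = {"name": name, "ppid": ppid, "offset": offset}
    return procs


def ancestry(procs, pid):
    """(pid, name) pairs from pid up to the root; guards against PPid cycles."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append((pid, procs[pid]["name"]))
        pid = procs[pid]["ppid"]
    return chain


def shell_origins(procs, service="apache2"):
    """For each 'sh', the outermost ancestor named `service` (None if absent)."""
    origins = {}
    for pid, p in procs.items():
        if p["name"] != "sh":
            continue
        hits = [apid for apid, name in ancestry(procs, p["ppid"]) if name == service]
        origins[pid] = hits[-1] if hits else None
    return origins


if __name__ == "__main__":
    procs = parse_pslist(SAMPLE_PSLIST)
    for pid, (chain) in ((pid, ancestry(procs, pid)) for pid in (1274, 1300)):
        print(pid, " -> ".join(f"{p}:{n}" for p, n in chain))
    print("shell origins:", shell_origins(procs))
```

Taking the outermost apache2 rather than the nearest one is what gives the answer 1042 when a worker process sits in between; a shell whose chain never reaches the web server would come back as None and deserve its own look.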

19. What is the latency_record_count for PID 1274?

MEMORY

I had to google for the answer, and found this write-up for the challenge. The solution by Wyatt Roersma is to use linux_volshell and get the dt for "task_struct":

vol.py -f Ubuntu10-4/webserver.vmss --profile=LinuxDFIRwebsvrx64 linux_volshell
# inside the shell
cc(pid=1274)
proc()
# returns [task_struct task_struct] @ 0xFFFF880006DD8000
dt("task_struct", 0xFFFF880006DD8000)

Answer: 0

20. For the PID 1274, what is the first mapped file path?

MEMORY

Using the linux_proc_maps plugin, which shows ‘details of process memory, including heaps, stacks, and shared libraries’:

vol.py -f Ubuntu10-4/webserver.vmss --profile=LinuxDFIRwebsvrx64 linux_proc_maps --pid 1274

The first file is /bin/dash:

Answer: /bin/dash

21. What is the md5hash of the receive.1105.3 file out of the per-process packet queue?

MEMORY

First, using the linux_pkt_queues plugin:

mkdir pkts
vol.py -f Ubuntu10-4/webserver.vmss --profile=LinuxDFIRwebsvrx64 linux_pkt_queues -D pkts
# prints: Wrote 32 bytes to receive.930.10
#         Wrote 32 bytes to receive.1105.3

# calculating the md5 hash
md5sum pkts/receive.1105.3
# returns 184c8748cfcfe8c0e24d7d80cac6e9bd

Answer: 184c8748cfcfe8c0e24d7d80cac6e9bd

TLDR

– This challenge is a nice mix between Network and Disk forensics. 
– Use Wireshark for parsing the pcap, and volatility2 for the memory dump.
