AzurePot blue team ctf

Category : Digital Forensics

278 Players

4.4 (25)

Medium

File => sdb.vhd
There is a script that runs every minute to do cleanup. What is the name of the file?

Weight : 10 | Solved : 99

File => sdb.vhd
The script in the Q#1 terminates processes associated with two Bitcoin miner malware files. What is the name of 1st malware file?

Weight : 10 | Solved : 90

File => sdb.vhd
The script in Q#1 changes the permissions for some files. What is their new permission?

Weight : 10 | Solved : 91

File => sdb.vhd
What is the sha256 of the botnet agent file?

Weight : 20 | Solved : 76

File => sdb.vhd
What is the name of the botnet in Q#4?

Weight : 10 | Solved : 77

File => sdb.vhd
What IP address matches the creation timestamp of the botnet agent file in Q#4?

Weight : 25 | Solved : 72

File => sdb.vhd
What URL did the attacker use to download the botnet agent?

Weight : 25 | Solved : 65

File => sdb.vhd
What is the name of the file that the attacker downloaded to execute the malicious script and subsequently remove itself?

Weight : 30 | Solved : 54

File => sdb.vhd
The attacker downloaded sh scripts. What are the names of these files?

Weight : 30 | Solved : 57

Q10

File => UAC
Two suspicious processes were running from a deleted directory. What are their PIDs?

Weight : 20 | Solved : 57

Q11

File => UAC
What is the suspicious command line associated with the 2nd PID in Q#10?

Weight : 20 | Solved : 54

Q12

File => UAC
UAC gathered some data from the second process in Q#10. What is the remote IP address and remote port that was used in the attack?

Weight : 20 | Solved : 55

Q13

File => UAC
Which user was responsible for executing the command in Q#11?

Weight : 10 | Solved : 51

Q14

File => UAC
Two suspicious shell processes were running from the tmp folder. What are their PIDs?

Weight : 20 | Solved : 47

Q15

File => ubuntu.20211208.mem
What is the MAC address of the captured memory?

Weight : 10 | Solved : 45

Q16

File => ubuntu.20211208.mem
From Bash history. The attacker downloaded an sh script. What is the name of the file?

Weight : 20 | Solved : 46

Scenario:

This Ubuntu Linux honeypot was put online in Azure in early October to watch what happens with those exploiting CVE-2021-41773.

Initially, there was a large number of crypto miners that hit the system. You will see one cron script meant to remove files named kinsing in /tmp. This was a way of preventing these miners so more interesting things could occur.

There are three files:

– sdb.vhd.gz – VHD of the main drive obtained through an Azure disk snapshot
– ubuntu.20211208.mem.gz – Dump of memory using Lime
– uac.tgz – Results of UAC running on the system

Items were obtained in the order above – the drive was snapshotted, memory was grabbed, then UAC was run.

As a soc analyst, analyze the artifacts and answer the questions.

Helpful Tools:

FTK Imager
Notepad++
grep
awk

WriteUps

Submit Writeup

Need Help?

Join our Discord server, connect with fellow defenders, and get help while solving challenges.

SHA1SUM:

8204bf80b148b7b2ae1e0d3753da5d2511431ab6
Password:

cyberdefenders.org
Size:

3.2 GB
Published:

April 20, 2023, midnight

First blood

elmø

46 days ago

Last solve

thugonomist

2 days ago

Authors

AzurePot blue team ctf

Category : Digital Forensics

Memory

Disk

Linux