EscapeRoom blue team ctf

Category : Digital Forensics

1525 Players

4.5 (212)

Medium

What service did the attacker use to gain access to the system?

Weight : 50 | Solved : 1147

What attack type was used to gain access to the system?(one word)

Weight : 50 | Solved : 1059

What was the tool the attacker possibly used to perform this attack?

Weight : 50 | Solved : 1026

How many failed attempts were there?

Weight : 50 | Solved : 914

What credentials (username:password) were used to gain access? Refer to shadow.log and sudoers.log.

Weight : 100 | Solved : 691

What other credentials (username:password) could have been used to gain access also have SUDO privileges? Refer to shadow.log and sudoers.log.

Weight : 100 | Solved : 661

What is the tool used to download malicious files on the system?

Weight : 50 | Solved : 845

How many files the attacker download to perform malware installation?

Weight : 50 | Solved : 835

What is the main malware MD5 hash?

Weight : 100 | Solved : 743

Q10

What file has the script modified so the malware will start upon reboot?

Weight : 150 | Solved : 713

Q11

Where did the malware keep local files?

Weight : 150 | Solved : 691

Q12

What is missing from ps.log?

Weight : 150 | Solved : 673

Q13

What is the main file that used to remove this information from ps.log?

Weight : 200 | Solved : 653

Q14

Inside the Main function, what is the function that causes requests to those servers?

Weight : 200 | Solved : 567

Q15

One of the IP's the malware contacted starts with 17. Provide the full IP.

Weight : 200 | Solved : 703

Q16

How many files the malware requested from external servers?

Weight : 100 | Solved : 692

Q17

What are the commands that the malware was receiving from attacker servers? Format: comma-separated in alphabetical order

Weight : 200 | Solved : 478

Instructions:

Unzip the challenge (pass: cyberdefenders.org) and use your analysis tools to examine provided PCAPs and log files.

Scenario:

You as a soc analyst belong to a company specializing in hosting web applications through KVM-based Virtual Machines. Over the weekend, one VM went down, and the site administrators fear this might be the result of malicious activity. They extracted a few logs from the environment in hopes that you might be able to determine what happened.

This challenge is a combination of several entry to intermediate-level tasks of increasing difficulty focusing on authentication, information hiding, and cryptography. Participants will benefit from entry-level knowledge in these fields, as well as knowledge of general Linux operations, kernel modules, a scripting language, and reverse engineering. Not everything may be as it seems. Innocuous files may turn out to be malicious so take precautions when dealing with any files from this challenge.

Helpful Tools:

WriteUps

Submit Writeup

Need Help?

Join our Discord server, connect with fellow defenders, and get help while solving challenges.

SHA1SUM:

4dd5e257c4bef0f950a37bb1e401f3dd990929bf
Password:

cyberdefenders.org
Size:

15M
Published:

Aug. 18, 2020, midnight

First blood

Limbo

961 days ago

Last solve

EmilienL

1 day ago

Authors

EscapeRoom blue team ctf

Category : Digital Forensics

PCAP

Wireshark

Linux