CyberDefenders: BlueTeam CTF Challenges

Exfiltrated

SHA1SUM	1f190082a122f74baa19f1b8189bbb0172301c66
Published	Nov. 2, 2021
Author	CyberDefenders
Size	3.3 GB
Tags	Linux RedHat Disk Keylogger

Instructions	Uncompress the challenge (pass: cyberdefenders.org)

Your progress

0% Completed0/15 Questions

Your score

0/1600

Digital Forensics

Last solve

today by dsplice

Scenario

The enterprise EDR alerted for possible exfiltration attempts originating from a developer RedHat Linux machine. A fellow SOC member captured a disk image for the suspected machine and sent it for you to analyze and identify the attacker's footprints.

Tools

#	Question	Weight	Solved
#1	What is the RHEL version installed on the machine?	50	276
Hint Report an issue

#2	How many users have a login shell?	50	274
Hint Report an issue

#3	How many users are allowed to run the sudo command on the system?	100	262
Hint Report an issue

#4	What is the 'rossatron' user password?	50	231
Hint Report an issue

#5	What is the Victim's IP address?	50	238
Hint Report an issue

#6	What service did the attacker use to gain access to the system?	100	245
Hint Report an issue

#7	What is the attacker's IP address?	50	245
Hint Report an issue

#8	What authentication attack did the attacker use to gain access o the system?	100	236
Hint Report an issue

#9	How many users the attacker was able to bruteforce their password?	100	236
Hint Report an issue

#10	When did the attack start? (DD/MM/YYYY)	50	227
Hint Report an issue

#11	What is the user used by the attacker to gain initial access to system?	150	225
Hint Report an issue

#12	What is the MITRE ID of the technique used by the attacker to achieve persistence?	150	207
Hint Report an issue

#13	What is the CVE number used by the attacker to escalate his Privilege?	150	202
Hint Report an issue

#14	After gaining more privilege the attacker dropped a backdoor to gain more persistence which receives commands from Gmail account. What is the email used to send commands?	200	210
Hint Report an issue

#15	The attacker downloaded a keylogger to capture users' keystrokes. What is the secret word the attacker was able to exfiltrate?	250	175
Hint Report an issue

Submit Writeup