CyberDefenders: BlueTeam CTF Challenges

Exfiltrated

SHA1SUM	1f190082a122f74baa19f1b8189bbb0172301c66
Published	Nov. 2, 2021
Author	CyberDefenders
Size	3.3 GB
Tags	Linux Incident Response FTK RedHat

Instructions	Uncompress the challenge (pass: cyberdefenders.org)

Your progress

0% Completed0/15 Questions

Your score

0/1600

Linux Disk Image Forensics

Last solve

4 days ago by Paradoxxs

Scenario

The enterprise EDR alerted for possible exfiltration attempts originating from a developer RedHat Linux machine. A fellow SOC member captured a disk image for the suspected machine and sent it for you to analyze and identify the attacker's footprints.

Tools

#	Question	Weight	Solved
#1	What is the RHEL version installed on the machine?	50	210
Hint Report an issue

#2	How many users have a login shell?	50	207
Hint Report an issue

#3	How many users are allowed to run the sudo command on the system?	100	197
Hint Report an issue

#4	What is the 'rossatron' user password?	50	180
Hint Report an issue

#5	What is the Victim's IP address?	50	177
Hint Report an issue

#6	What service did the attacker use to gain access to the system?	100	184
Hint Report an issue

#7	What is the attacker's IP address?	50	184
Hint Report an issue

#8	What authentication attack did the attacker use to gain access o the system?	100	176
Hint Report an issue

#9	How many users the attacker was able to bruteforce their password?	100	177
Hint Report an issue

#10	When did the attack start? (DD/MM/YYYY)	50	170
Hint Report an issue

#11	What is the user used by the attacker to gain initial access to system?	150	167
Hint Report an issue

#12	What is the MITRE ID of the technique used by the attacker to achieve persistence?	150	157
Hint Report an issue

#13	What is the CVE number used by the attacker to escalate his Privilege?	150	154
Hint Report an issue

#14	After gaining more privilege the attacker dropped a backdoor to gain more persistence which receives commands from Gmail account. What is the email used to send commands?	200	159
Hint Report an issue

#15	The attacker downloaded a keylogger to capture users' keystrokes. What is the secret word the attacker was able to exfiltrate?	250	137
Hint Report an issue

Submit Writeup