CyberDefenders: BSidesJeddah-Part2 blueteam challenge.

BSidesJeddah-Part2

SHA1SUM	ea5eafd18e01f9be152a7952b7b35e804f320583
Published	Dec. 14, 2021
Author	CyberDefenders
Size	1.5 GB
Tags	Volatility Autopsy DFIR Memory Forensics

Instructions	Unzip the challenge (pass: cyberdefenders.org), examine the image, and answer the provided questions.

Your progress

0% Completed0/21 Questions

Your score

0/2700

Memory Image Forensics

Last solve

today by Firewall

Scenario

The #NSM gear flagged suspicious traffic coming from one of the organization's web servers. Analyze the server's captured memory image and figure out what happened.

Tools

Volatility

#	Question	Weight	Solved
#1	What is the SHA256 hash value of the RAM image?	50	91
Hint Report an issue

#2	What time was the RAM image acquired according to the suspect system? (YYYY-MM-DD HH:MM:SS)	50	77
Hint Report an issue

#3	What volatility2 profile is the most appropriate for this machine. imageinfo will take a long try to figure another way to determine the profile? (ex: Win10x86_14393)	150	76
Hint Report an issue

#4	What is the computer's name?	50	75
Hint Report an issue

#5	What is the system IP address?	50	72
Hint Report an issue

#6	How many established network connections were at the time of acquisition?	50	72
Hint Report an issue

#7	What is the PID of explorer.exe?	50	72
Hint Report an issue

#8	What is the title of the webpage the admin visited using IE?	50	68
Hint Report an issue

#9	What company developed the program used for memory acquisition?	100	68
Hint Report an issue

#10	What is the administrator user password?	100	58
Hint Report an issue

#11	What is the version of the WebLogic server installed on the system?	150	58
Hint Report an issue

#12	The admin set a port forward rule to redirect the traffic from the public port to the WebLogic admin portal port. What is the public and WebLogic admin portal port number? Format PublicPort:WebLogicPort (22:1337)	200	52
Hint Report an issue

#13	The attacker gain access through WebLogic Server. What is the PID of the process responsible for the initial exploit?	150	60
Hint Report an issue

#14	what is the PID of the next entry to the previous process? (Hint: ActiveProcessLinks list)	200	52
Hint Report an issue

#15	How many threads does the process responsible for the initial exploit have?	150	50
Hint Report an issue

#16	The attacker gain access to the system through the webserver. What is the CVE number of the vulnerability exploited?	200	48
Hint Report an issue

#17	The attacker used the vulnerability he found in the webserver to execute a reverse shell command to his own server. Provide the IP and port of the attacker server? Format: IP:port	200	54
Hint Report an issue

#18	multiple files were downloaded from the attacker's web server. Provide the Command used to download the PowerShell script used for persistence?	200	42
Hint Report an issue

#19	What is the MITRE ID related to the persistence technique the attacker used?	200	42
Hint Report an issue

#20	After maintaining persistence, the attacker dropped a cobalt strike beacon. Try to analyze it and provide the Publickey_MD5.	200	39
Hint Report an issue

#21	What is the URL of the exfiltrated data?	150	42
Hint Report an issue