| SHA1SUM | 6556e7d46e89bf2ea68e05cf101920e2de071a22 |
| Published | Jan. 15, 2022 |
| Author | CyberDefenders |
| Size | 2.8 GB |
| Tags | Windows Disk ransomware log4shell |
| Instructions |
|
Your progress
Your score
0/2000
Category
Digital Forensics
Scenario
For the last week, log4shell vulnerability has been gaining much attention not for its ability to execute arbitrary commands on the vulnerable system but for the wide range of products that depend on the log4j library. Many of them are not known till now. We created a challenge to test your ability to detect, analyze, mitigate and patch products vulnerable to log4shell.
Tools:
| # | Question | Weight | Solved | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| #1 |
What is the computer hostname? |
50 | 405 | ||||||||||||
|
|
|||||||||||||||
| #2 |
What is the Timezone of the compromised machine? |
50 | 357 | ||||||||||||
|
|
|||||||||||||||
| #3 |
What is the current build number on the system? |
50 | 345 | ||||||||||||
|
|
|||||||||||||||
| #4 |
What is the computer IP? |
50 | 340 | ||||||||||||
|
|
|||||||||||||||
| #5 |
What is the domain computer was assigned to? |
50 | 339 | ||||||||||||
|
|
|||||||||||||||
| #6 |
When was myoussef user created? |
50 | 302 | ||||||||||||
|
|
|||||||||||||||
| #7 |
What is the user mhasan password hint? |
50 | 298 | ||||||||||||
|
|
|||||||||||||||
| #8 |
What is the version of the VMware product installed on the machine? |
50 | 313 | ||||||||||||
|
|
|||||||||||||||
| #9 |
What is the version of the log4j library used by the installed VMware product? |
100 | 299 | ||||||||||||
|
|
|||||||||||||||
| #10 |
What is the log4j library log level specified in the configuration file? |
100 | 288 | ||||||||||||
|
|
|||||||||||||||
| #11 |
The attacker exploited log4shell through an HTTP login request. What is the HTTP header used to inject payload? |
50 | 246 | ||||||||||||
|
|
|||||||||||||||
| #12 |
The attacker used the log4shell.huntress.com payload to detect if vcenter instance is vulnerable. What is the first link of the log4huntress payload? |
50 | 241 | ||||||||||||
|
|
|||||||||||||||
| #13 |
When was the first successful login to vsphere WebClient? |
100 | 229 | ||||||||||||
|
|
|||||||||||||||
| #14 |
What is the attacker's IP address? |
100 | 238 | ||||||||||||
|
|
|||||||||||||||
| #15 |
What is the port the attacker used to receive the cobalt strike reverse shell? |
200 | 206 | ||||||||||||
|
|
|||||||||||||||
| #16 |
What is the script name published by VMware to mitigate log4shell vulnerability? |
50 | 217 | ||||||||||||
|
|
|||||||||||||||
| #17 |
In some cases, you may not be able to update the products used in your network. What is the system property needed to set to 'true' to work around the log4shell vulnerability? |
50 | 212 | ||||||||||||
|
|
|||||||||||||||
| #18 |
What is the log4j version which contains a patch to CVE-2021-44228? |
50 | 214 | ||||||||||||
|
|
|||||||||||||||
| #19 |
Removing JNDIlookup.class may help in mitigating log4shell. What is the sha256 hash of the JNDILookup.class? |
100 | 190 | ||||||||||||
|
|
|||||||||||||||
| #20 |
Analyze JNDILookup.class. What is the value stored in the CONTAINER_JNDI_RESOURCE_PATH_PREFIX variable? |
150 | 193 | ||||||||||||
|
|
|||||||||||||||
| #21 |
What is the executable used by the attacker to gain persistence? |
150 | 182 | ||||||||||||
|
|
|||||||||||||||
| #22 |
When was the first submission of ransomware to virustotal? |
50 | 184 | ||||||||||||
|
|
|||||||||||||||
| #23 |
The ransomware downloads a text file from an external server. What is the key used to decrypt the URL? |
100 | 168 | ||||||||||||
|
|
|||||||||||||||
| #24 |
What is the ISP that owns that IP that serves the text file? |
100 | 175 | ||||||||||||
|
|
|||||||||||||||
| #25 |
The ransomware check for extensions to exclude them from the encryption process. What is the second extension the ransomware checks for? |
100 | 167 | ||||||||||||