Pwned-DC blue team ctf

Category : Digital Forensics, Malware Analysis

1383 Players

4.5 (48)

Difficult

What is the OS Product name of PC01?

Weight : 50 | Solved : 537

On 21st November, there was unplanned power off for PC01 machine. How long was PC01 powered on till this shutdown?

Weight : 50 | Solved : 358

Who was the last logged-in user on PC01?

Weight : 50 | Solved : 454

What is the IP address of PC01?

Weight : 50 | Solved : 415

Which port was assigned to man service on PC01?

Weight : 50 | Solved : 322

What is the "Business.xlsx" LogFile Sequence Number?

Weight : 100 | Solved : 315

What is the GUID of the C drive on PC01 machine?

Weight : 100 | Solved : 267

What link did the user visit on 2021-11-22 at 19:45:55 UTC?

Weight : 50 | Solved : 315

How many bytes were received by firefox?

Weight : 100 | Solved : 216

Q10

What is the folder name where note.txt resides?

Weight : 50 | Solved : 336

Q11

Which volatility 2 profile should be used to analyze the memory image?

Weight : 100 | Solved : 304

Q12

Analyzing the memory what is the physical address of the SOFTWARE registry hive?

Weight : 50 | Solved : 264

Q13

What is the master key of the user "0xMohammed"?

Weight : 150 | Solved : 124

Q14

Using the provided word list, what is the password of the user "0xMohammed"?

Weight : 150 | Solved : 142

Q15

What is the name of the first malware detected by Windows Defender?

Weight : 100 | Solved : 241

Q16

Provide the date and time when the attacker clicked send (submitted) the malicious email?

Weight : 150 | Solved : 164

Q17

What is the IP address and port on which the attacker received the reverse shell? IP:PORT

Weight : 150 | Solved : 124

Q18

Analyzing the reverse shell. What is the first argument given to InternetErrorDlg API?

Weight : 100 | Solved : 106

Q19

What is the MITRE ID of the technique used by the attacker to achieve persistence?

Weight : 100 | Solved : 128

Q20

What is the attacker's C2 domain name?

Weight : 50 | Solved : 133

Q21

what is the name of the tool used by the attacker to collect AD information?

Weight : 100 | Solved : 170

Q22

What is the PID of the malicious process?

Weight : 50 | Solved : 171

Q23

What is the family of ransomware?

Weight : 100 | Solved : 157

Q24

What is the command invoked by the attacker to download the ransomware?

Weight : 50 | Solved : 127

Q25

Provide the number of ransomware process' privileges that are enabled by default?

Weight : 150 | Solved : 122

Q26

What is the pool tag of the ransomware process?

Weight : 200 | Solved : 103

Q27

What is the address where the ransomware stored the 567-byte key under the malicious process' memory?

Weight : 200 | Solved : 94

Q28

What is the 8-byte word hidden in the ransomware process's memory?

Weight : 150 | Solved : 91

Q29

What is the virtual address of the device where the ransomware file where opened?

Weight : 150 | Solved : 90

Q30

What is the physical address where the ransomware file is stored in memory?

Weight : 150 | Solved : 87

Q31

What is the ransomware file's internal name?

Weight : 150 | Solved : 94

Q32

Analyzing the ransomware file. what is the API used to get the geographical location?

Weight : 100 | Solved : 89

Instructions:

Uncompress the challenge (pass: cyberdefenders.org)

Scenario:

An ActiveDirectory compromise case: adversaries were able to take over the corporate domain controller. As a soc analyst, Investigate the case and reveal the Who, When, What, Where, Why, and How.

Tools:

WriteUps

Submit Writeup

Need Help?

Join our Discord server, connect with fellow defenders, and get help while solving challenges.

SHA1SUM:

83252e85cd396125643cce6c180465c75d89f93e
Password:

cyberdefenders.org
Size:

3.5 GB
Published:

March 28, 2022, midnight

First blood

[email protected]

422 days ago

Last solve

ozer0x777

4 days ago

Authors

Pwned-DC blue team ctf

Category : Digital Forensics, Malware Analysis

Memory

Disk

WIndows