A Linux server was possibly compromised and a forensic analysis is required in order to understand what really happened. Hard disk dumps and memory snapshots of the machine are provided in order to solve the challenge.
Challenge Files:
- victoria-v8.kcore.img: memory dump done by dd’ing /proc/kcore.
- victoria-v8.memdump.img: memory dump done with memdump.
- Debian5_26.zip: volatility custom Linux profile.
Supportive Tools:
# | Question | Weight | Solved
---|---|---|---
1 | The attacker was performing a Brute Force attack. What account triggered the alert? | 50 | 54
2 | How many failed attempts were there? | 50 | 42
3 | What kind of system runs on the targeted server? | 50 | 46
4 | What is the victim's IP address? | 100 | 55
5 | What are the attacker's two IP addresses? (comma separated without spaces) | 100 | 54
6 | What is the "nc" service PID number that was running on the server? | 150 | 52
7 | What service was exploited to gain access to the system? | 150 | 50
8 | What is the CVE number of the exploited vulnerability? | 150 | 48
9 | During this attack, the attacker downloaded two files to the server. What are they? | 100 | 45
10 | What are the two port numbers involved in the process of data exfiltration? (comma separated without spaces) | 100 | 51
11 | Which port did the attacker try to open on the firewall? | 100 | 35