A PCAP analysis exercise highlighting attacker's interactions with honeypots and how automatic exploitation works.. (Note that the IP address of the victim has been changed to hide the true location.)
| # | Question | Weight | Solved | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | What is the attacker's IP address? | 50 | 93 | ||||||||||||
| 2 | What is the target's IP address? | 50 | 93 | ||||||||||||
| 3 | Provide the country code for the attacker's IP address (a.k.a geo-location). | 50 | 88 | ||||||||||||
| 4 | How many TCP sessions are present in the captured traffic? | 100 | 87 | ||||||||||||
| 5 | How long did it take to perform the attack (in seconds)? | 100 | 85 | ||||||||||||
| 6 | What is the operating system of the target host? | 100 | 86 | ||||||||||||
| 7 | Provide the CVE number of the exploited vulnerability. | 100 | 57 | ||||||||||||
| 8 | Which protocol was used to carry over the exploit? | 100 | 88 | ||||||||||||
| 9 | Which protocol did the attacker use to download additional malicious files to the target system? | 100 | 84 | ||||||||||||
| 10 | What is the name of the downloaded malware? | 100 | 80 | ||||||||||||
| 11 | The attacker's server was listening on a specific port. Provide the port number. | 100 | 80 | ||||||||||||
| 12 | When was the involved malware first submitted to VirusTotal for analysis? | 150 | 51 | ||||||||||||
| 13 | What is the key used to encode the shellcode? | 200 | 32 | ||||||||||||
| 14 | What is the port number the shellcode binds to? | 200 | 59 | ||||||||||||
| 15 | The shellcode used a specific technique to determine its location in memory. What is the OS file being queried during this process? | 300 | 50 | ||||||||||||