l337 S4uc3

01. PCAP: Development.wse.local is a critical asset for the Wayne and Stark Enterprises, where the company stores new top-secret designs on weapons. Jon Smith has access to the website and we believe it may have been compromised, according to the IDS alert we received earlier today. First, determine the Public IP Address of the webserver?

02. PCAP: Alright, now we need you to determine a starting point for the timeline that will be useful in mapping out the incident. Please determine the arrival time of frame 1 in the "GrrCON.pcapng" evidence file.

Here is a link to convert your time https://www.epochconverter.com/
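As an added example (not part of the original writeup), the frame 1 arrival time can also be read straight from the libpcap record header instead of through an online converter. It parses the file after the editcap conversion to libpcap format, handles both byte orders and the nanosecond magic, and renders the epoch as fixed UTC-5 (EST, which is what the questions use); the sample bytes are constructed, not taken from GrrCON.pcapng.

```python
import struct
from datetime import datetime, timezone, timedelta

# libpcap magic numbers -> (struct byte-order prefix, fractional units per second)
MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", 1_000_000),      # little-endian, microseconds
    b"\xa1\xb2\xc3\xd4": (">", 1_000_000),      # big-endian, microseconds
    b"\x4d\x3c\xb2\xa1": ("<", 1_000_000_000),  # little-endian, nanoseconds
    b"\xa1\xb2\x3c\x4d": (">", 1_000_000_000),  # big-endian, nanoseconds
}

def frame1_arrival(data: bytes):
    """Return (epoch seconds as float, tz-aware datetime in EST) for record 1."""
    magic = data[:4]
    if magic not in MAGICS:
        # pcapng starts with 0x0A0D0D0A; convert with editcap -F libpcap first
        raise ValueError("not a libpcap file")
    endian, frac_per_sec = MAGICS[magic]
    # global header is 24 bytes; each record header is ts_sec, ts_frac, incl_len, orig_len
    if len(data) < 24 + 16:
        raise ValueError("file too short to contain a record header")
    ts_sec, ts_frac, incl_len, orig_len = struct.unpack(endian + "IIII", data[24:40])
    epoch = ts_sec + ts_frac / frac_per_sec
    utc = datetime.fromtimestamp(epoch, tz=timezone.utc)
    # fixed UTC-5 offset: no DST handling, matching the EST wording in the questions
    est = utc.astimezone(timezone(timedelta(hours=-5)))
    return epoch, est

# Constructed sample (assumption, not capture data): one zero-length record,
# little-endian microsecond pcap, timestamp 1470000000.123456 UTC
SAMPLE = (b"\xd4\xc3\xb2\xa1"
          + struct.pack("<HHiIII", 2, 4, 0, 0, 65535, 1)   # version 2.4, linktype 1 (Ethernet)
          + struct.pack("<IIII", 1470000000, 123456, 0, 0))

if __name__ == "__main__":
    epoch, est = frame1_arrival(SAMPLE)
    print(epoch, est.isoformat())
```

Run it against the converted capture by replacing SAMPLE with the bytes of the .pcap file; the printed EST value is the answer format the timeline question expects.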

03. PCAP: What version number of PHP is the development.wse.local server running?

04. PCAP: What version number of Apache is the development.wse.local web server using?

05. IR: What is the common name of the malware reported by the IDS alert provided?

06. PCAP: Please identify the Gateway IP address of the LAN because the infrastructure team reported a potential problem with the IDS server that could have corrupted the PCAP

172.16.0.1

07. IR: According to the IDS alert, the Zeus bot attempted to ping an external website to verify connectivity. What was the IP address of the website pinged?

08. PCAP: It’s critical to the infrastructure team to identify the Zeus Bot CNC server IP address so they can block communication in the firewall as soon as possible. Please provide the IP address?

09. PCAP: The infrastructure team also requests that you identify the filename of the “.bin” configuration file that the Zeus bot downloaded right after the infection. Please provide the file name?

10. PCAP: No other users accessed the development.wse.local WordPress site during the timeline of the incident and the reports indicate that an account successfully logged in from the external interface. Please provide the password they used to log in to the WordPress page around 6:59 PM EST?

11. PCAP: After reporting that the WordPress page was indeed accessed from an external connection, your boss comes to you in a rage over the potential loss of confidential top-secret documents. He calms down enough to admit that the design's page has a separate access code outside to ensure the security of their information. Before storming off he provided the password to the designs page “1qBeJ2Az” and told you to find a timestamp of the access time or you will be fired. Please provide the time of the accessed Designs page?

Change pcapng to pcap:

$ editcap -F libpcap file.pcapng file.pcap

12. PCAP: What is the source port number in the shellcode exploit? (Dest Port was 31708; IDS Signature: GPL SHELLCODE x86 inc ebx NOOP)

13. PCAP: What was the Linux kernel version returned from the meterpreter sysinfo command run by the attacker?

14. PCAP: What is the value of the token passed in frame 3897?

15. PCAP: What was the tool that was used to download a compressed file from the webserver?

16. PCAP: What is the name of the downloaded file the user launched to start the Zeus bot?

17. Memory: What is the full file path of the system shell spawned through the attacker's meterpreter session?

First, you need to import the Volatility profile from the given files. Create a .zip file containing the two files and copy it to /volatility/volatility/plugins/overlays/linux. Then check with python2 volatility/vol.py --info; the profile should be listed.

python volatility/vol.py -f Ubuntu10-4/webserver.vmss --profile=LinuxLinuxDFIRwebsvrx64x64 linux_pslist

..apache2            1040            33             
..apache2            1042            33             
...sh                1274            33             
....sh               1275            33             

18. Memory: What is the Parent Process ID of the two 'sh' sessions?

1042

19. Memory: What is the latency_record_count for PID 1274?

0

20. Memory: For the PID 1274, what is the first mapped file path?

python volatility/vol.py -f Ubuntu10-4/webserver.vmss --profile=LinuxLinuxDFIRwebsvrx64x64 linux_proc_maps -p 1274

21. Memory: What is the md5hash of the receive.1105.3 file out of the per-process packet queue?

python volatility/vol.py -f Ubuntu10-4/webserver.vmss --profile=LinuxLinuxDFIRwebsvrx64x64 linux_pkt_queues -D result
