Forensic - l337 S4uc3
đź“śScenario
Everyone has heard of targeted attacks. Detecting these can be challenging, responding to these can be even more challenging. This scenario will test your network and host-based analysis skills to figure out the who, what, where, when, and how of this incident. There is sure to be something for all skill levels and the only thing you need to solve the challenge is some l337 S4uc3 !
Q1 - PCAP : Development.wse.local is a critical asset for the Wayne and Stark Enterprises, where the company stores new top-secret designs on weapons. Jon Smith has access to the website and we believe it may have been compromised, according to the IDS alert we received earlier today. First, determine the Public IP Address of the webserver ?
We are looking for a DNS named "Development.wse.local"
We save the .pcapng file into .pcap file with wireshark and use NetworkMiner to extract the public IP that interests us.
Answer : 74.204.41.73
Q2 - PCAP : Alright, now we need you to determine a starting point for the timeline that will be useful in mapping out the incident. Please determine the arrival time of frame 1 in the "GrrCON.pcapng" evidence file.
On the .pcapng with Wireshark we get the "2013-09-11 00:51:07 CEST" converted in UTC timestamp : "2013-09-11 22:51:07 UTC"
Answer : 22:51:07 UTC
Q3 - PCAP : What version number of PHP is the development.wse.local server running ?
Find a HTTP request, Follow the HTTP Stream check the response given by the Apache Server to find the version of PHP on the X-Powered-By field.
Answer : 5.3.2
Q4 - PCAP : What version number of Apache is the development.wse.local web server using ?
Same as the Q3 check the Stream and read the version on the response on the Server field.
Answer : 2.2.14
Q5 - IR : What is the common name of the malware reported by the IDS alert provided ?
Check the IR-Alert.png file given with the PCAPNG file, you can read this :
Answer : Zeus
Q6 - PCAP : Please identify the Gateway IP address of the LAN because the infrastructure team reported a potential problem with the IDS server that could have corrupted the PCAP
As we can see in the first 5 packages the IP Gateway is 172.16.0.1
Answer : 172.16.0.1
Q7 - IR : According to the IDS alert, the Zeus bot attempted to ping an external website to verify connectivity. What was the IP address of the website pinged ?
According to IR-Alert.png file the external IP that Zeus bot try to ping is 74.125.225.112
Answer : 74.125.225.112
Q8 - PCAP : It’s critical to the infrastructure team to identify the Zeus Bot CNC server IP address so they can block communication in the firewall as soon as possible. Please provide the IP address ?
Using the Brim Security we can find the Zeus Bot CNC server IP
We use the following request :
event_type=="alert" alert.signature=="ET MALWARE Zbot POST Request to C2"
Answer : 88.198.6.20
Q9 - PCAP : The infrastructure team also requests that you identify the filename of the “.bin” configuration file that the Zeus bot downloaded right after the infection. Please provide the file name ?
We can go on File -> Export Objects -> HTTP then filter with the .bin extention and find cf.bin
We can also retrieve the file on NetworkMiner in Files section
Answer : cf.bin
Q10 - PCAP : No other users accessed the development.wse.local WordPress site during the timeline of the incident and the reports indicate that an account successfully logged in from the external interface. Please provide the password they used to log in to the WordPress page around 6:59 PM EST ?
First convert 6:59 PM EST to UTC give 22:59 on UTC
Now go in Credentials page on NetworkMiner
Answer : wM812ugu
Q11 - PCAP : After reporting that the WordPress page was indeed accessed from an external connection, your boss comes to you in a rage over the potential loss of confidential top-secret documents. He calms down enough to admit that the design's page has a separate access code outside to ensure the security of their information. Before storming off he provided the password to the designs page “1qBeJ2Az” and told you to find a timestamp of the access time or you will be fired. Please provide the time of the accessed Designs page ?
Always on the same page on NetworkMiner we find a connexion with the password "1qBeJ2Az"
Answer : 23:04:04 UTC
Q12 - PCAP : What is the source port number in the shellcode exploit ? Dest Port was 31708 IDS Signature GPL SHELLCODE x86 inc ebx NOOP
On Wireshark we use the following filter : tcp.dstport == 31708 || udp.dstport == 31708 to cover and find the good one
Answer : 39709
Q13 - PCAP : What was the Linux kernel version returned from the meterpreter sysinfo command run by the attacker ?
We need to find some packet that contains sysinfo so we use the frame contains "sysinfo" filter.
We follow the TCP Stream and search the Linux keyword
Answer : 2.6.32-38-server
Q14 - PCAP : What is the value of the token passed in frame 3897 ?
On Wireshark we use the following filter : frame.number == 3897 to extract the token.
Answer : b7aad621db97d56771d6316a6d0b71e9
Q15 - PCAP : What was the tool that was used to download a compressed file from the webserver ?
We remember that the webserver IP is 74.204.41.73 so we filter on Brim with _path=="http" host=="74.204.41.73" after that we can scroll and find the compressed file that we want.
Answer : wget
Q16 - PCAP : What is the download file name the user launched the Zeus bot ?
We know that the CNC server IP address is 88.198.6.20 so we can therefore filter a first time with this information.
We can aslo aply the HTTP filter to get this
ip.addr == 88.198.6.20 && http.request.method == GET
We follow the first TCP Stream and notice that the request get a 404 Error
We follow the second stream and get our downloaded file
Answer : bt.exe
Q17 - Memory : What is the full file path of the system shell spawned through the attacker's meterpreter session ?
We use volatility to analyse the webserver.vmss file with the linux_pstree plugin
vol.py -f webserver.vmss --profile=LinuxDFIRwebsvrx64 linux_pstree
We notice two stange sh process spawned by apache2 that's not normal
We investigate on this two process with the following plugin
vol.py -f webserver.vmss --profile=LinuxDFIRwebsvrx64 linux_psaux | grep 127
Answer : /bin/sh
Q18 - Memory : What is the Parent Process ID of the two 'sh' sessions ?
We already find it in the previous question :)
Answer : 1042
Q19 - Memory : What is the latency_record_count for PID 1274 ?
First we need to get the Offset for PID 1274 with
vol.py -f webserver.vmss --profile=LinuxDFIRwebsvrx64 linux_pslist | grep 1274
To see the latency_record_count we need to analyse the offset 0xffff880006dd8000 structures, you can use the dt command.
vol.py -f webserver.vmss --profile=LinuxDFIRwebsvrx64 linux_volshell
dt("task_struct",0xffff880006dd8000)
Answer : 0
Q20 - Memory : For the PID 1274, what is the first mapped file path ?
We can use the linux_proc_maps plugin to prints the process map information.
vol.py -f webserver.vmss --profile=LinuxDFIRwebsvrx64 linux_proc_maps -p 1274
Answer : /bin/dash
Q21 - Memory : What is the md5hash of the receive.1105.3 file out of the per-process packet queue ?
First we need to extract the receive.1105.3 file with linux_pkt_queues plugin Â
vol.py -f webserver.vmss --profile=LinuxDFIRwebsvrx64 linux_pkt_queues -D /home/user/Documents
Then use md5sum tool to get the md5 hash
md5sum receive.1105.3
184c8748cfcfe8c0e24d7d80cac6e9bd  receive.1105.3
Answer : 184c8748cfcfe8c0e24d7d80cac6e9bd
Useful Infos to setup your memory analysis with volatility :
This article demonstrates how to generate a profile in Linux using Volatility 2
The author of this challenge already provided the zip file containing module.dwarf and System.map on the file DFIRWebsvr.zip.
The next step is to move the zip file into the volatility plugin. If you don’t know the path, use the following command :
locate volatility/plugins/overlays/linux
or
sudo find /home/ -type d -name volatility
Move the zip file into the volatility/plugins/overlays/linux path
Make sure that the profile is register by volatility 2 with this command :
vol.py --info | grep DFIRwebsvr
