+++ INITIATING LITURGICAL BROADCAST +++

By the Will of the Omnissiah, and the Authority vested in me as Magos Dominus, I transmit this holy data-burst unto the noosphere.


TODO

Hints for later

  • CTRL + F search for the strings coinbase and mystery
  • http.request.whatever == 200
  • copy as plain text
  • For the IP and MAC addresses, be careful with the commas.
  • For the user agent it is WindowsPowerShell

LAB

Objective: Use network analysis techniques to identify and capture the following flags related to the infection and attack:

  • Flag 1: What is the domain name(abcd.site) accessed by the infected user that returned a 200 OK response code?
  • Flag 2: What is the IP address, MAC address of the infected Windows client?
  • Flag 3: Which Wireshark filter can you use to determine the victim’s hostname from NetBIOS Name Service traffic, and what is the detected hostname for this malware infection?
  • Flag 4: Which user got infected and ran the mystery_file.ps1 PowerShell script?
  • Flag 5: What User-Agent string indicates the traffic generated by a PowerShell script?
  • Flag 6: Which wallet extension ID is associated with the Coinbase wallet?

Tools Used

Wireshark

Flag 1

Filter by: http.response.code == 200

Answer

623start.site

Flag 2

In the very same packet we can observe both the MAC address of the destination (the client) and its IP.

Answer

10.7.10.47,80:86:5b:ab:1e:c4

Flag 3

For this one we have to use the nbns filter.

Answer

nbns,DESKTOP-9PEA63H

Flag 4

For this we will be using Wireshark's string search (Find Packet, searching by string).

There is a packet with the required occurrence; if we copy its content as printable text we can get the user who executed this.

C:\Users\rwalters\Documents\mystery_file.ps1'"F-QID: 5956, Name: conhost.exe, CommandLine: \??\C:\W

Answer

rwalters

Flag 5

This is easy: the User-Agent header of the HTTP requests gives it away.

Answer

Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.3031

Flag 6

We search for “Coinbase” with the string search too.

Copy the content once again as printable text:

ibnejdfjmmkpcnlpebklmnkoeoihofec|Tronlink
jbdaocneiiinmjbjlgalhcelgbejmnid|NiftyWallet
nkbihfbeogaeaoehlefnkodbefgpgknn|Metamask
afbcbjpbpfadlkmhmclhkeeodmamcflc|MathWallet
hnfanknocfeofbddgcijnmhnfnkdnaad|Coinbase
fhbohimaelbohpjbbldcngcnapndodjp|BinanceChain
odbfpeeihdkbihmopkbjmoonfanlbfcl|BraveWallet
hpglfhgfnhbgpjdenjgmdgoeiappafln|GuardaWallet
blnieiiffboillknjnepogjhkgnoapac|EqualWallet
cjelfplplebdjjenllpjcblmjkfcffne|JaxxxLiberty
fihkakfo

Answer

hnfanknocfeofbddgcijnmhnfnkdnaad
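As an added example (my own code, not part of the original broadcast or of Wireshark), the following Python script applies the three string-based checks from Flags 4, 5 and 6 to constructed sample input: it pulls PowerShell User-Agent values out of HTTP header blocks, extracts the account name from a C:\Users\<name>\ path, and parses an extension list of the form ID|Name, skipping truncated entries such as the cut-off "fihkakfo" line above. The HTTP blocks and command line are made up for this example and the Host value is a placeholder; the wallet list reproduces the one copied above. It generalises beyond the lab: any account name, any PowerShell build number and any extension list in that format will be handled.

```python
import re

# Constructed sample input, modelled on the strings this lab copies out of Wireshark.
# None of it comes from the lab capture; "example.invalid" is a placeholder host.
SAMPLE_HTTP_BLOCKS = [
    "GET /x HTTP/1.1\r\nHost: example.invalid\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) "
    "WindowsPowerShell/5.1.19041.3031\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: example.invalid\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0\r\n\r\n",
]
SAMPLE_COMMAND_LINE = r"powershell.exe -File C:\Users\rwalters\Documents\mystery_file.ps1"
SAMPLE_WALLET_BLOB = "\n".join([
    "ibnejdfjmmkpcnlpebklmnkoeoihofec|Tronlink",
    "jbdaocneiiinmjbjlgalhcelgbejmnid|NiftyWallet",
    "nkbihfbeogaeaoehlefnkodbefgpgknn|Metamask",
    "afbcbjpbpfadlkmhmclhkeeodmamcflc|MathWallet",
    "hnfanknocfeofbddgcijnmhnfnkdnaad|Coinbase",
    "fhbohimaelbohpjbbldcngcnapndodjp|BinanceChain",
    "odbfpeeihdkbihmopkbjmoonfanlbfcl|BraveWallet",
    "hpglfhgfnhbgpjdenjgmdgoeiappafln|GuardaWallet",
    "blnieiiffboillknjnepogjhkgnoapac|EqualWallet",
    "cjelfplplebdjjenllpjcblmjkfcffne|JaxxxLiberty",
    "fihkakfo",  # truncated entry, as in the copied packet text; must be skipped
])

# One User-Agent header per line; the lazy group stops before an optional \r.
USER_AGENT_RE = re.compile(r"^User-Agent:\s*(.+?)\r?$", re.MULTILINE | re.IGNORECASE)
# PowerShell's web cmdlets identify themselves with this token in the User-Agent.
POWERSHELL_UA_MARKER = "WindowsPowerShell/"
# Account name is the path component directly under <drive>:\Users\.
USERS_PATH_RE = re.compile(r"[A-Za-z]:\\Users\\([^\\]+)\\")
# Chrome extension IDs are exactly 32 characters from the range a-p.
EXTENSION_LINE_RE = re.compile(r"^([a-p]{32})\|(\S+)$", re.MULTILINE)


def powershell_user_agents(http_blocks):
    """Return every User-Agent value in the blocks that was sent by PowerShell."""
    found = []
    for block in http_blocks:
        for user_agent in USER_AGENT_RE.findall(block):
            if POWERSHELL_UA_MARKER in user_agent:
                found.append(user_agent)
    return found


def user_from_windows_path(text):
    r"""Return the account name from the first C:\Users\<name>\ path in text, or None."""
    match = USERS_PATH_RE.search(text)
    return match.group(1) if match else None


def parse_wallet_extensions(blob):
    """Map wallet name -> extension ID, ignoring lines that are not a full ID|Name pair."""
    return {name: ext_id for ext_id, name in EXTENSION_LINE_RE.findall(blob)}


def analyze(http_blocks, command_line, wallet_blob):
    """Bundle the three lab checks into one summary dictionary."""
    wallets = parse_wallet_extensions(wallet_blob)
    return {
        "powershell_user_agents": powershell_user_agents(http_blocks),
        "infected_user": user_from_windows_path(command_line),
        "coinbase_extension_id": wallets.get("Coinbase"),
        "wallets_targeted": sorted(wallets),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_HTTP_BLOCKS, SAMPLE_COMMAND_LINE, SAMPLE_WALLET_BLOB).items():
        print(f"{key}: {value}")
```

The same functions can be fed text copied from Wireshark's "Show Packet Bytes" or "Follow TCP Stream" dialogs; the regexes do not depend on the lab's particular values, only on the header, path and ID|Name shapes.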


GLORY TO THE OMNISSIAH. PRAISE THE BINARY DIVINE.

+++ LITURGICAL BROADCAST COMPLETE +++