HoneyBOT Blue Team Challenge
This is a traffic-analysis challenge combined with shellcode; the later questions require analyzing the shellcode with scDbg. The overall difficulty is moderate.
The practice challenges on this site are all of high quality, and I recommend giving them a try.
Practice address:
blueteam-ctf-challenges
Q1
What is the attacker’s IP address?
98.114.205.102
The traffic carrying the commands goes from 98.114.205.102 to 192.150.11.111, so the attacker can be confirmed as 98.114.205.102.
Q2
What is the target’s IP address?
192.150.11.111
The controlled host is 192.150.11.111.
Q3
Provide the country code for the attacker’s IP address (a.k.a geo-location).
US
Looking the IP up online shows it is a US IP.
Q4
How many TCP sessions are present in the captured traffic?
5
Streams are numbered 0 through 4, five in total.
Q5
How long did it take to perform the attack (in seconds)?
6
Compare the timestamps of the first packet and the last packet.
Q7
Provide the CVE number of the exploited vulnerability.
CVE-2003-0533
There is a DsRoleUpgradeDownlevelServer call in the traffic; searching for it online gives the related vulnerability information.
Q8
Which protocol was used to carry over the exploit?
SMB
An SMB attack, as mentioned in the vulnerability information above.
Q9
Which protocol did the attacker use to download additional malicious files to the target system?
ftp
From the later traffic it can be seen that the attacker delivered the trojan over FTP.
Q10
What is the name of the downloaded malware?
ssms.exe
An ssms.exe was downloaded.
Q11
The attacker’s server was listening on a specific port. Provide the port number.
8884
open 8884
Q12
When was the involved malware first submitted to VirusTotal for analysis? Format: YYYY-MM-DD
2007-06-27
Q13
What is the key used to encode the shellcode?
0x99
Looking at the SMB data, there is a rather suspicious segment.
Extract the suspicious data with WinHex; it is preceded and followed by runs of 9090, which are removed.
Examine it with the scDbg tool.
After consulting references, the key is obtained; XOR every byte with the key to decode the shellcode.
Reference:
https://www.cnblogs.com/dsli/p/7222807.html
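As an added example (not code from the original write-up), the Q13 step in Python: strip the 0x90 NOP padding around the payload, XOR every byte with 0x99, and, for the case where the key is unknown, brute-force the 256 single-byte keys until a known marker such as the "kernel32" string appears. The sample bytes and the marker are constructed for the demonstration.

```python
from typing import Optional

NOP = 0x90   # padding byte observed before and after the payload
KEY = 0x99   # single-byte XOR key recovered in Q13


def strip_nop_sled(data: bytes, nop: int = NOP) -> bytes:
    """Remove leading/trailing 0x90 bytes around the encoded payload.

    Caveat: a real payload whose first or last encoded byte happens to be
    0x90 would lose that byte; check the boundaries by hand in that case.
    """
    return data.strip(bytes([nop]))


def xor_decode(data: bytes, key: int) -> bytes:
    """XOR every byte with the single-byte key (XOR is its own inverse)."""
    return bytes(b ^ key for b in data)


def decode_shellcode(raw: bytes, key: int = KEY) -> bytes:
    """Trim the NOP sled, then decode with the known key."""
    return xor_decode(strip_nop_sled(raw), key)


def guess_key(data: bytes, marker: bytes = b"kernel32") -> Optional[int]:
    """Try all 256 single-byte keys; return the first whose output contains marker."""
    for key in range(256):
        if marker in xor_decode(data, key).lower():
            return key
    return None


# Constructed sample: a short plaintext stub ending in a kernel32.dll string,
# encoded with 0x99 and wrapped in a four-byte NOP sled on each side.
SAMPLE_PLAIN = b"\xe8\x00\x00\x00\x00kernel32.dll\x00"
SAMPLE_RAW = b"\x90" * 4 + xor_decode(SAMPLE_PLAIN, KEY) + b"\x90" * 4


if __name__ == "__main__":
    trimmed = strip_nop_sled(SAMPLE_RAW)
    print("guessed key:", hex(guess_key(trimmed)))
    print("decoded:", decode_shellcode(SAMPLE_RAW))
```

The decoded bytes can then be loaded into scDbg, as the write-up does, to recover the bind port and the API calls.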
Q14
What is the port number the shellcode binds to?
1957
Same as above.
Q15
The shellcode used a specific technique to determine its location in memory. What is the OS file being queried during this process?
Kernel32.dll
The shellcode can be seen calling the following function repeatedly:
https://baike.baidu.com/item/GetProcAddress/1633633?fr=ge_ala
It is exported from Kernel32.dll.
Tracing the vulnerability and analyzing the shellcode afterwards taught me quite a few new things. Comments and discussion are welcome.