This is my recap of my part in the preparation of the competition, including setting up NGINX as a reverse proxy and generating self-signed certificates for our website to be deployed via HTTPS.
In addition to hardening our infrastructure in advance and defending it against hackers in real time, the competition also provided 50 anomalies to analyze, which are basically CTF challenges. Here are write-ups for some of the challenges!
Anomaly 23: A Picture Paints a Thousand Bytes
A host on the corporate IT network has been compromised and is using DNS to phone home. This activity has been noticed and the DNS logs have been dumped. Analyze the DNS logs (Anomaly 23.log) and identify what information has been transferred. Hint: binwalk is your friend.
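As an added example (my own illustration, not the competition's files or solution), this is the kind of first-pass script worth running over a DNS log like Anomaly 23.log before reaching for binwalk: it pulls hex-looking labels out of the query names, reassembles them per zone in sequence order, flags missing chunks, and checks the result for common file signatures. The log line format, the `<seq>.<hex>.<zone>` label layout and the sample lines are constructed assumptions, not taken from the real log.

```python
import re
from collections import defaultdict

# Constructed DNS log lines, not the competition's Anomaly 23.log. The
# assumed layout is <seq>.<hex chunk>.<zone>; chunk 0 carries the PNG
# signature so the magic check below has something to find.
SAMPLE_LOG = """\
10:00:01 10.10.1.23 query: 0.89504e470d0a1a0a.exfil.example IN A
10:00:01 10.10.1.23 query: www.example.com IN A
10:00:02 10.10.1.23 query: 2.0000001000000010.exfil.example IN A
10:00:02 10.10.1.23 query: 1.0000000d49484452.exfil.example IN A
10:00:03 10.10.1.23 query: mail.example.com IN A
"""
# A few signatures of the sort binwalk would report on the reassembled bytes.
MAGIC = {b"\x89PNG\r\n\x1a\n": "PNG image", b"\xff\xd8\xff": "JPEG image",
         b"GIF8": "GIF image", b"PK\x03\x04": "ZIP archive"}

QUERY_RE = re.compile(r"query: (?P<qname>\S+) IN")
CHUNK_RE = re.compile(r"^(\d+)\.([0-9a-f]+)\.([^.]+\.[^.]+)$")


def extract_chunks(log_text):
    """Collect hex-looking labels per zone, keyed by their sequence number."""
    chunks = defaultdict(dict)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        c = CHUNK_RE.match(m.group("qname")) if m else None
        if c:
            seq, hexpart, zone = c.groups()
            chunks[zone][int(seq)] = hexpart
    return chunks


def reassemble(chunks):
    """Return {zone: (bytes, missing_seqs)}; out-of-order queries are sorted."""
    out = {}
    for zone, parts in chunks.items():
        missing = [i for i in range(min(parts), max(parts) + 1) if i not in parts]
        data = bytes.fromhex("".join(parts[i] for i in sorted(parts)))
        out[zone] = (data, missing)
    return out


def identify(data):
    """Name the file type whose magic sits at offset 0, or None."""
    return next((name for sig, name in MAGIC.items() if data.startswith(sig)), None)


if __name__ == "__main__":
    for zone, (data, missing) in reassemble(extract_chunks(SAMPLE_LOG)).items():
        print(zone, len(data), "bytes", identify(data), "missing:", missing)
```

On a real log the reassembled bytes would then be written to a file and handed to binwalk, which is where the hint points.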
Anomaly 49
Our wily hacker doesn’t want the snooping admins to see the data content that is being stolen and has used a few tricks to mix things up. From the pcap file, find the original data content that the hacker exfiltrated. Flag is in the “cfc{}” format. Submit the flag including the cfc tag.
Anomaly 6
An automated alert notified your security team to a potentially malicious script being executed on a user's machine. Your job is to analyze the script to determine what it is doing. Note: During your analysis, the script should lead you to a sentence in English; this will be the answer you submit.
Anomaly 21: Shimo La Kumwagilia
Your IDS system generated an alert for a known malicious IP, 40.122.151.219, that appears to be part of a watering hole attack. Examine the accompanying packet capture file (Anomaly 21.pcap) from the affected subnet to determine the cause of the suspicious activity. If this is a true positive, examine the associated traffic to determine whether the compromise was successful. To solve, look for the flag{<string>} value. To answer, submit only the <string> portion of the flag. For example, if I were to uncover the flag with value: flag{d41d8cd98f00b204e9800998ecf8427e} I would submit d41d8cd98f00b204e9800998ecf8427e for the answer.
Anomaly 45
This is a simple “login” program for the Nuclear Power Plant. This program was created with no intention of security, so it was designed to have a single user and a single password. What is the flag? Answer format: flag {hidden_flag}