Analyze
One of the categories in the Department of Energy’s CyberForce Program - Conquer the Hill: Adventurer Edition 2021
Table of Contents
- Analyze
- Analyze: Anomaly 1 (20pts)
- Analyze: Anomaly 15 (20pts)
- Analyze: Anomaly 28 (20pts)
- Analyze: Anomaly 29 (20pts)
- Analyze: Anomaly 73 (20pts)
- Analyze: Anomaly 87 (20pts)
- Analyze: Anomaly 91 (20pts)
- Analyze: Anomaly 94 (20pts)
- Analyze: Anomaly 72 (30pts)
- Analyze: Anomaly 9 (50pts)
- Analyze: Anomaly 21 (50pts)
- Analyze: Anomaly 70 (100pts)
Analyze: Anomaly 1 (20pts)
During your lunch break, you decide to investigate your team to ensure they are staying on task. Running a simple task over your network to obtain the .pcap file below, you see your employees have all been distracted by the same webpage. What website should you consider blocking in the future?
Syntax hint: answer is not case sensitive, no spaces; include ‘.com’ in your answer
Solution
To find the answer, I opened the included pcap file and filtered the traffic by DNS; the repeated lookups were for coolmathgames.com.
The remaining entries were ad servers, probably serving ads for coolmathgames.
Ans: coolmathgames.com
Analyze: Anomaly 15 (20pts)
As a member of the cyber team at your organization, you have been asked to analyze the attached piece of malware. Based on the vector through which this malware is captured, there is reason to believe the file contains something of a digital tag or signature of the malware author, and it is up to you to perform rudimentary hex analysis (or another tool) of the binary to find it.
syntax hint: no spaces
Solution
I ran the Snowman decompiler (https://derevenets.com/) over the binary to get the code below.
/* Weak import slot for __gmon_start__. Snowman models the GOT entry as a
   zero-initialised int64_t rather than as a function pointer. */
int64_t __gmon_start__ = 0;
/* Presumably the ELF .init routine: it invokes __gmon_start__ only when the
   slot is non-null. The indirect call "rax1()" is how snowman prints a call
   through a register; as written this is not compilable C++. */
void _init() {
int64_t rax1;
rax1 = __gmon_start__;
if (rax1) {
rax1();
}
return;
}
/* Import slot for __cxa_finalize (run a DSO's registered destructors). */
int64_t __cxa_finalize = 0;
/* Jump stub for the __cxa_finalize import. Snowman renders what looks like
   a PLT-style trampoline as "goto <import>"; rdi is passed through untouched. */
void fun_10b0(int64_t rdi) {
goto __cxa_finalize;
}
/* std::ios_base::Init::Init() */
/* Import slot for the iostream static-init constructor. 0x1086 is the stub
   address snowman assigned to the slot, not a callable value. */
int64_t _ZNSt8ios_base4InitC1Ev = 0x1086;
/* Jump stub: tail-jumps to ios_base::Init::Init() (demangled name above). */
void fun_1080(int64_t rdi) {
goto _ZNSt8ios_base4InitC1Ev;
}
/* Import slot for __cxa_atexit (registers a destructor to run at exit). */
int64_t __cxa_atexit = 0x1046;
/* Jump stub for __cxa_atexit. The three parameters mirror the real
   signature (function, object, DSO handle) but are only passed through. */
void fun_1040(int64_t rdi, int64_t rsi, int64_t rdx) {
goto __cxa_atexit;
}
/* Weak import slot for the transactional-memory runtime hook. */
int64_t _ITM_deregisterTMCloneTable = 0;
/* Toolchain-generated (crtbegin) clone-table deregistration stub. The
   condition "1 || ..." is constant-true, so the function always returns the
   fixed value 0x7070 and the "goto rax2" branch is dead code. */
int64_t deregister_tm_clones(int64_t rdi) {
int64_t rax2;
rax2 = 0x7070;
if (1 || (rax2 = _ITM_deregisterTMCloneTable, rax2 == 0)) {
return rax2;
} else {
goto rax2;
}
}
/* std::ios_base::Init::~Init() */
/* Import slot for the iostream static-init destructor. */
int64_t _ZNSt8ios_base4InitD1Ev = 0;
/* __static_initialization_and_destruction_0(int, int) */
/* Compiler-generated static-init routine for this translation unit. When
   called with (1, 0xffff) it constructs the std::ios_base::Init object at
   0x7191 (fun_1080 = Init::Init()) and registers its destructor through
   __cxa_atexit (fun_1040). The literal "`p" is almost certainly the bytes
   0x60 0x70 of the address 0x7060 — __dso_handle, defined later in this
   listing — misrendered by the decompiler as a string. */
void _Z41__static_initialization_and_destruction_0ii(int32_t edi, int32_t esi) {
int64_t rax3;
if (edi == 1 && esi == 0xffff) {
fun_1080(0x7191); /* ios_base::Init::Init() on the object at 0x7191 */
rax3 = _ZNSt8ios_base4InitD1Ev;
fun_1040(rax3, 0x7191, "`p"); /* __cxa_atexit(~Init, &obj, __dso_handle) */
}
return;
}
/* Import slot for _Unwind_Resume (continues exception unwinding after a
   cleanup landing pad has run). */
int64_t _Unwind_Resume = 0x1096;
/* Jump stub for _Unwind_Resume; the declared return type is a decompiler
   artifact — the real routine never returns to its caller. */
int64_t fun_1090(int64_t rdi) {
goto _Unwind_Resume;
}
/* std::basic_ostream<char, std::char_traits<char> >& std::operator<< <std::char_traits<char> >(std::basic_ostream<char, std::char_traits<char> >&, char const*) */
/* Import slot for operator<<(ostream&, const char*). */
int64_t _ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_PKc = 0x1056;
/* Jump stub for operator<<(ostream&, const char*). Only rdi (the stream)
   and rsi (the C string) matter; the third parameter is register noise
   snowman carried over from the caller. */
void fun_1050(int64_t rdi, int64_t rsi, void* rdx) {
goto _ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_PKc;
}
/* std::allocator<char>::allocator() */
/* Import slot for the std::allocator<char> constructor. */
int64_t _ZNSaIcEC1Ev = 0x10a6;
/* Jump stub for std::allocator<char>::allocator(). The real constructor
   takes only "this" (rdi); rsi/rdx are pass-through register noise, which
   is why main() appears to hand it a string literal. */
void fun_10a0(void* rdi, int64_t rsi, void* rdx) {
goto _ZNSaIcEC1Ev;
}
/* std::allocator<char>::~allocator() */
/* Import slot for the std::allocator<char> destructor. */
int64_t _ZNSaIcED1Ev = 0x1066;
/* Jump stub for std::allocator<char>::~allocator(); only rdi ("this") is
   meaningful, the other two parameters are pass-through register noise. */
void fun_1060(void* rdi, int64_t rsi, void* rdx) {
goto _ZNSaIcED1Ev;
}
/* std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::basic_string(char const*, std::allocator<char> const&) */
/* Import slot for the std::string(const char*, const allocator&) constructor. */
int64_t _ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEC1EPKcRKS3_ = 0x1076;
/* Jump stub for the std::string constructor from a C string:
   rdi = this, rsi = source literal, rdx = allocator. This is the call that
   carries each literal (including the flag) into a std::string in main(). */
void fun_1070(void* rdi, int64_t rsi, void* rdx) {
goto _ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEC1EPKcRKS3_;
}
/* std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::~basic_string() */
/* Import slot for the std::string destructor; 0x1036 is the address of the
   fun_1036 stub below, which jumps on through the GOT slot g7010. */
int64_t _ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEED1Ev = 0x1036;
/* Jump stub for std::string::~basic_string(); only rdi ("this") matters. */
void fun_1030(void* rdi, int64_t rsi, void* rdx) {
goto _ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEED1Ev;
}
/* Import slot for __libc_start_main plus forward declarations of the
   routines _start hands to it. */
int64_t __libc_start_main = 0;
int64_t main();
void __libc_csu_init(int32_t edi, int64_t rsi, int64_t rdx);
void __libc_csu_fini();
/* Process entry point. Passes main, __libc_csu_init and __libc_csu_fini to
   __libc_start_main and halts if it ever returns. rdx2 and rax3 are never
   assigned because snowman could not resolve the incoming register state;
   __zero_stack_offset() and __return_address() are snowman intrinsics that
   stand for the initial stack pointer and return slot, not real functions.
   The masked expression realigns the stack to 16 bytes. */
void _start() {
void* rsp1;
int64_t rdx2;
int64_t rax3;
rsp1 = reinterpret_cast<void*>(reinterpret_cast<int64_t>(__zero_stack_offset()) + 8);
__libc_start_main(main, __return_address(), rsp1, __libc_csu_init, __libc_csu_fini, rdx2, (reinterpret_cast<uint64_t>(rsp1) & 0xfffffffffffffff0) - 8 - 8, rax3);
__asm__("hlt ");
}
/* No-op stubs: _fini (presumably the ELF .fini routine), fun_1152 and
   __libc_csu_fini each contain only a return. */
void _fini() {
return;
}
void fun_1152() {
return;
}
void __libc_csu_fini() {
return;
}
/* Data slot at 0x7010 (snowman's name for an unlabelled global). Given that
   the std::string destructor slot above holds 0x1036, this is presumably the
   GOT entry that fun_1036 jumps through for ~basic_string(). */
int64_t g7010 = 0;
/* Jump stub through the g7010 slot (PLT entry at 0x1036, see above). */
void fun_1036() {
goto g7010;
}
/* Weak import slot for the transactional-memory registration hook. */
int64_t _ITM_registerTMCloneTable = 0;
/* Presumably register_tm_clones (the counterpart of deregister_tm_clones).
   "if (1) goto 0x1158;" is constant-true, so control always leaves for
   0x1158 and the remaining lines are dead code. The "goto <address>"
   targets are snowman placeholders for code it did not inline here. */
void fun_1119() {
int64_t rax1;
if (1)
goto 0x1158;
rax1 = _ITM_registerTMCloneTable;
if (!rax1)
goto 0x1158;
goto rax1;
}
/* completed.7452 */
/* Run-once flag for __do_global_dtors_aux (the ".7452" suffix is the
   compiler's mangling of a function-local static). */
signed char completed_7452 = 0;
/* Handle identifying this object file to __cxa_finalize / __cxa_atexit. */
int64_t __dso_handle = 0x7060;
/* Toolchain-generated destructor driver. On the first call it runs
   __cxa_finalize(__dso_handle) if that import is present (fun_10b0), then
   deregister_tm_clones, and finally sets the run-once flag. Decompiler
   artifacts to be aware of: rax2 is returned unassigned on the
   already-completed path, and rdi4 is unassigned when __cxa_finalize is
   null — the real function's return value and that argument are not
   meaningful. */
int64_t __do_global_dtors_aux() {
int1_t zf1;
int64_t rax2;
int1_t zf3;
int64_t rdi4;
int64_t rax5;
zf1 = completed_7452 == 0;
if (!zf1) {
return rax2;
} else {
zf3 = __cxa_finalize == 0;
if (!zf3) {
rdi4 = __dso_handle;
fun_10b0(rdi4); /* __cxa_finalize(__dso_handle) */
}
rax5 = deregister_tm_clones(rdi4);
completed_7452 = 1;
return rax5;
}
}
/* Constructor entry for main's translation unit: calls the static-init
   routine with the (1, 0xffff) pair that routine checks for, which sets up
   the iostream Init object. */
void _GLOBAL__sub_I_main() {
_Z41__static_initialization_and_destruction_0ii(1, 0xffff);
return;
}
/* Second-half PLT stubs (addresses 0x1086 / 0x1046 match the slot values
   given for ios_base::Init::Init() and __cxa_atexit above). Both jump to
   0x1020, presumably PLT0 — the shared lazy-binding resolver entry. */
void fun_1086() {
goto 0x1020;
}
void fun_1046() {
goto 0x1020;
}
/* __libc_csu_init: calls _init(), then walks a two-entry function-pointer
   table at 0x6db8 (presumably .init_array), invoking each entry with the
   three arguments this routine received. If this follows the usual glibc
   shape those are argc/argv/envp, but the listing only shows them as
   edi/rsi/rdx. "if (!0)" is constant-true. The reinterpret_cast stores into
   rbx7 and rdi8 are snowman's rendering of 32-bit register moves, which
   zero the upper half of the 64-bit register. */
void __libc_csu_init(int32_t edi, int64_t rsi, int64_t rdx) {
int64_t r14_4;
int64_t r13_5;
int32_t r12d6;
int64_t rbx7;
int64_t rdi8;
r14_4 = rdx;
r13_5 = rsi;
r12d6 = edi;
_init();
if (!0) {
*reinterpret_cast<int32_t*>(&rbx7) = 0;
*reinterpret_cast<int32_t*>(reinterpret_cast<int64_t>(&rbx7) + 4) = 0;
do {
*reinterpret_cast<int32_t*>(&rdi8) = r12d6;
*reinterpret_cast<int32_t*>(reinterpret_cast<int64_t>(&rdi8) + 4) = 0;
*reinterpret_cast<int64_t*>(0x6db8 + rbx7 * 8)(rdi8, r13_5, r14_4); /* table[rbx7](edi, rsi, rdx) */
++rbx7;
} while (2 != rbx7);
}
return;
}
/* frame_dummy jumps to 0x1120, just past the entry of fun_1119; in the
   standard crtbegin layout this is a tail call into register_tm_clones.
   fun_1096 (_Unwind_Resume) and fun_1056 (operator<<) are further PLT
   second halves that fall through to 0x1020, presumably PLT0. */
void frame_dummy() {
goto 0x1120;
}
void fun_1096() {
goto 0x1020;
}
void fun_1056() {
goto 0x1020;
}
/* Program body. Builds four std::string locals from string literals, streams
   one further literal to the ostream object at 0x7080 (fun_1050 is
   operator<<(ostream&, const char*); 0x7080 is presumably std::cout), then
   destroys the four strings and returns 0. None of the four constructed
   strings is ever printed, so the "{fakelatin}" tag never reaches stdout —
   it exists only as a plain literal inside the binary, which is why a hex
   viewer or strings dump finds it as easily as a decompiler. Each
   construction has the same shape: allocator ctor (fun_10a0) into a
   one-byte slot, string ctor (fun_1070) from the literal, allocator dtor
   (fun_1060). The literal that appears as the second argument of
   fun_10a0/fun_1060 is a decompiler artifact — those calls take no string;
   rsi simply still holds the previous literal's address. rsi2/rdx3 are
   unresolved incoming register state, and the long literals look truncated
   by the decompiler's display limit. */
int64_t main() {
void* rbp1;
int64_t rsi2;
void* rdx3;
void* rdx4;
void* rdx5;
void* rdx6;
void* rdx7;
rbp1 = reinterpret_cast<void*>(reinterpret_cast<int64_t>(__zero_stack_offset()) - 8);
/* string #1 at rbp-64, from the first Lorem ipsum literal */
fun_10a0(reinterpret_cast<int64_t>(rbp1) - 20, rsi2, rdx3);
rdx4 = reinterpret_cast<void*>(reinterpret_cast<int64_t>(rbp1) - 20);
fun_1070(reinterpret_cast<int64_t>(rbp1) - 64, "Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Interdum velit euismod in pellentesque. Elementum eu facilisis sed odio morbi. Egestas fringilla phasellus faucibus scelerisque eleifend. Orci sagittis eu volutpat odio facilisis. Pretium aenean pharetra magna ac placerat vestibulum. Eleifend mi in nulla posuere sollicitudin aliquam ultrices sagittis. Vulputate ut pharetra sit amet aliquam. Amet dictum sit amet justo donec. Metus dictum at tempor commodo ullamcorper. Morbi blandit cursus risus at ultrices mi. Dolor sit amet consectetur adipiscing elit. Scelerisque fermentum dui faucibus in ornare quam. Consequat ac felis donec et odio. Ut porttitor leo a diam sollicitudin tempor id eu nisl. Risus quis varius quam quisque id.Sed risus pretium quam vulputate. Sem viverra aliquet eget sit amet. Lacinia quis vel eros donec ac odio. Sapien faucibus et molestie ac feugiat sed lectus. Ac tortor dignissim convallis aenean et. Et magnis dis partu", rdx4);
fun_1060(reinterpret_cast<int64_t>(rbp1) - 20, "Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Interdum velit euismod in pellentesque. Elementum eu facilisis sed odio morbi. Egestas fringilla phasellus faucibus scelerisque eleifend. Orci sagittis eu volutpat odio facilisis. Pretium aenean pharetra magna ac placerat vestibulum. Eleifend mi in nulla posuere sollicitudin aliquam ultrices sagittis. Vulputate ut pharetra sit amet aliquam. Amet dictum sit amet justo donec. Metus dictum at tempor commodo ullamcorper. Morbi blandit cursus risus at ultrices mi. Dolor sit amet consectetur adipiscing elit. Scelerisque fermentum dui faucibus in ornare quam. Consequat ac felis donec et odio. Ut porttitor leo a diam sollicitudin tempor id eu nisl. Risus quis varius quam quisque id.Sed risus pretium quam vulputate. Sem viverra aliquet eget sit amet. Lacinia quis vel eros donec ac odio. Sapien faucibus et molestie ac feugiat sed lectus. Ac tortor dignissim convallis aenean et. Et magnis dis partu", rdx4);
/* string #2 at rbp-96, from the repeated-alphabet literal */
fun_10a0(reinterpret_cast<int64_t>(rbp1) - 19, "Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Interdum velit euismod in pellentesque. Elementum eu facilisis sed odio morbi. Egestas fringilla phasellus faucibus scelerisque eleifend. Orci sagittis eu volutpat odio facilisis. Pretium aenean pharetra magna ac placerat vestibulum. Eleifend mi in nulla posuere sollicitudin aliquam ultrices sagittis. Vulputate ut pharetra sit amet aliquam. Amet dictum sit amet justo donec. Metus dictum at tempor commodo ullamcorper. Morbi blandit cursus risus at ultrices mi. Dolor sit amet consectetur adipiscing elit. Scelerisque fermentum dui faucibus in ornare quam. Consequat ac felis donec et odio. Ut porttitor leo a diam sollicitudin tempor id eu nisl. Risus quis varius quam quisque id.Sed risus pretium quam vulputate. Sem viverra aliquet eget sit amet. Lacinia quis vel eros donec ac odio. Sapien faucibus et molestie ac feugiat sed lectus. Ac tortor dignissim convallis aenean et. Et magnis dis partu", rdx4);
rdx5 = reinterpret_cast<void*>(reinterpret_cast<int64_t>(rbp1) - 19);
fun_1070(reinterpret_cast<int64_t>(rbp1) - 96, "abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghij", rdx5);
fun_1060(reinterpret_cast<int64_t>(rbp1) - 19, "abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghij", rdx5);
/* string #3 at rbp-0x80: the literal that carries the flag */
fun_10a0(reinterpret_cast<int64_t>(rbp1) - 18, "abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghij", rdx5);
rdx6 = reinterpret_cast<void*>(reinterpret_cast<int64_t>(rbp1) - 18);
fun_1070(reinterpret_cast<int64_t>(rbp1) - 0x80, "The flag you're looking for is here: {fakelatin}\n", rdx6);
fun_1060(reinterpret_cast<int64_t>(rbp1) - 18, "The flag you're looking for is here: {fakelatin}\n", rdx6);
/* string #4 at rbp-0xa0, from the second Lorem ipsum literal */
fun_10a0(reinterpret_cast<int64_t>(rbp1) - 17, "The flag you're looking for is here: {fakelatin}\n", rdx6);
rdx7 = reinterpret_cast<void*>(reinterpret_cast<int64_t>(rbp1) - 17);
fun_1070(reinterpret_cast<int64_t>(rbp1) - 0xa0, "Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. In vitae turpis massa sed elementum tempus egestas. Dignissim diam quis enim lobortis scelerisque fermentum dui faucibus in. Pellentesque dignissim enim sit amet. Sapien nec sagittis aliquam malesuada bibendum arcu. Euismod nisi porta lorem mollis. Eu ultrices vitae auctor eu. Nunc mi ipsum faucibus vitae aliquet nec. Turpis egestas maecenas pharetra convallis posuere morbi. Quisque egestas diam in arcu cursus euismod. Ultricies mi eget mauris pharetra et ultrices neque ornare. In hendrerit gravida rutrum quisque non tellus orci ac auctor. Quisque non tellus orci ac auctor augue mauris. Vitae elementum curabitur vitae nunc. Tellus elementum sagittis vitae et leo. Sit amet consectetur adipiscing elit pellentesque. Diam donec adipiscing tristique risus nec. Egestas purus viverra accumsan in nisl nisi scelerisque eu. Eget egestas purus viverra accumsan in.\nPhasellus vestibulum lorem sed ris", rdx7);
fun_1060(reinterpret_cast<int64_t>(rbp1) - 17, "Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. In vitae turpis massa sed elementum tempus egestas. Dignissim diam quis enim lobortis scelerisque fermentum dui faucibus in. Pellentesque dignissim enim sit amet. Sapien nec sagittis aliquam malesuada bibendum arcu. Euismod nisi porta lorem mollis. Eu ultrices vitae auctor eu. Nunc mi ipsum faucibus vitae aliquet nec. Turpis egestas maecenas pharetra convallis posuere morbi. Quisque egestas diam in arcu cursus euismod. Ultricies mi eget mauris pharetra et ultrices neque ornare. In hendrerit gravida rutrum quisque non tellus orci ac auctor. Quisque non tellus orci ac auctor augue mauris. Vitae elementum curabitur vitae nunc. Tellus elementum sagittis vitae et leo. Sit amet consectetur adipiscing elit pellentesque. Diam donec adipiscing tristique risus nec. Egestas purus viverra accumsan in nisl nisi scelerisque eu. Eget egestas purus viverra accumsan in.\nPhasellus vestibulum lorem sed ris", rdx7);
/* the only output: operator<<(ostream at 0x7080, third Lorem ipsum literal) */
fun_1050(0x7080, "Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.\nLorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.\nLorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ", rdx7);
/* destroy the four std::string locals in reverse construction order */
fun_1030(reinterpret_cast<int64_t>(rbp1) - 0xa0, "Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.\nLorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.\nLorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ", rdx7);
fun_1030(reinterpret_cast<int64_t>(rbp1) - 0x80, "Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.\nLorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.\nLorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ", rdx7);
fun_1030(reinterpret_cast<int64_t>(rbp1) - 96, "Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.\nLorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.\nLorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ", rdx7);
fun_1030(reinterpret_cast<int64_t>(rbp1) - 64, "Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.\nLorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.\nLorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ", rdx7);
return 0;
}
/* Looks like the exception-cleanup landing pads for main(): the stack
   offsets (rbp-20, rbp-19, rbp-64) match main's allocator and string
   locals. This is not a function that is ever called directly; control only
   arrives from the unwinder, which is why every rbp/rsi/rdx/rax local is
   left unassigned. The first pad destroys the allocator at rbp-20 and
   resumes unwinding (fun_1090 = _Unwind_Resume); the second destroys the
   allocator at rbp-19 and the std::string at rbp-64 before resuming. */
void fun_12c2() {
int64_t rbp1;
int64_t rsi2;
void* rdx3;
int64_t rax4;
int64_t rax5;
int64_t rbp6;
int64_t rsi7;
void* rdx8;
int64_t rbp9;
int64_t rsi10;
void* rdx11;
fun_1060(rbp1 - 20, rsi2, rdx3); /* ~allocator at rbp-20 */
rax5 = fun_1090(rax4); /* _Unwind_Resume (does not return) */
fun_1060(rbp6 - 19, rsi7, rdx8); /* ~allocator at rbp-19 */
fun_1030(rbp9 - 64, rsi10, rdx11); /* ~basic_string at rbp-64 */
fun_1090(rax5);
}
/* PLT second halves for the allocator ctor (0x10a6), allocator dtor
   (0x1066) and string ctor (0x1076); each falls through to 0x1020,
   presumably PLT0, for lazy symbol resolution. */
void fun_10a6() {
goto 0x1020;
}
void fun_1066() {
goto 0x1020;
}
void fun_1076() {
goto 0x1020;
}
/* Remaining cleanup landing pads, again matching main's stack layout:
   fun_12ed destroys the allocator at rbp-18 and the string at rbp-96,
   fun_12fe the allocator at rbp-17 and the string at rbp-0x80 (the one
   holding the flag), and fun_130f the string at rbp-0xa0. As with
   fun_12c2, the locals are unassigned because the pads are only reached
   from the unwinder. */
void fun_12ed() {
int64_t rbp1;
int64_t rsi2;
void* rdx3;
int64_t rbp4;
int64_t rsi5;
void* rdx6;
fun_1060(rbp1 - 18, rsi2, rdx3); /* ~allocator at rbp-18 */
fun_1030(rbp4 - 96, rsi5, rdx6); /* ~basic_string at rbp-96 */
}
void fun_12fe() {
int64_t rbp1;
int64_t rsi2;
void* rdx3;
int64_t rbp4;
int64_t rsi5;
void* rdx6;
fun_1060(rbp1 - 17, rsi2, rdx3); /* ~allocator at rbp-17 */
fun_1030(rbp4 - 0x80, rsi5, rdx6); /* ~basic_string at rbp-0x80 */
}
void fun_130f() {
int64_t rbp1;
int64_t rsi2;
void* rdx3;
fun_1030(rbp1 - 0xa0, rsi2, rdx3); /* ~basic_string at rbp-0xa0 */
}
This is the part you are looking for: the flag is passed as a plain string literal to the std::string constructor (fun_1070), so it sits unobfuscated in the binary and can also be spotted directly in a hex dump.
/* Excerpt from main() above. Only the first call matters: it constructs the
   std::string at rbp-0x80 from the literal carrying the tag. The same
   literal showing up in the allocator dtor/ctor calls is a decompiler
   artifact — rsi still holds its address, those calls do not use it. */
fun_1070(reinterpret_cast<int64_t>(rbp1) - 0x80, "The flag you're looking for is here: {fakelatin}\n", rdx6);
fun_1060(reinterpret_cast<int64_t>(rbp1) - 18, "The flag you're looking for is here: {fakelatin}\n", rdx6);
fun_10a0(reinterpret_cast<int64_t>(rbp1) - 17, "The flag you're looking for is here: {fakelatin}\n", rdx6);
Ans: fakelatin
Analyze: Anomaly 28 (20pts)
Assess the threat intelligence brief located in the folder attached with the question and identify the name of the encoded WIN API
syntax hint: answer is not case sensitive, no spaces
Solution
There’s a table on page 3 of the PDF that lists the encoded API name.
Ans: FervencyPoseuseChitchat
Analyze: Anomaly 29 (20pts)
Based off of the threat intel report from Anomaly 28, from which IP do the macros download the Sekur payload ?
For your answer, please only input the first 5 digits of the IP - ex: 111.11
Solution
The IP is given on page 6 of the PDF.
Ans: 154.16
Analyze: Anomaly 73 (20pts)
This voluntary Framework has five functions: Identify, Protect, Respond, Recover, and what?
Syntax hint: answer is not case sensitive, no spaces, one word answer
Solution
Ans: Detect
Analyze: Anomaly 87 (20pts)
Public key encryption uses how many keys?
Syntax hint: Give answer in numerical form
Solution
Ans: 2
Analyze: Anomaly 91 (20pts)
What is the name of an attack where a device is flooded with packets with all flags set?
Syntax hint: answer is not case sensitive, do not include “attack” in your answer
Analyze: Anomaly 94 (20pts)
What well-known computer virus exploited vulnerabilities present in Windows Explorer icon files?
Syntax: answer is not case sensitive
Solution
Ans: Stuxnet
Analyze: Anomaly 72 (30pts)
This main regulation was first enacted in 1996 and contains five titles, with the second title known as the Administrative Simplification. It required national standards for electronic health care transactions as well as national identifiers for the providers, insurance plans, and employers. Name this legislation in full.
Do not include the word “the” in your answer, and please include the year, e.g., ‘______ of 1901’
Solution
Ans: Health Insurance Portability and Accountability Act of 1996
Analyze: Anomaly 9 (50pts)
One of your company’s wind turbines has been failing intermittently. The engineer assigned to the ticket thinks the controller might have been compromised and has asked you to help investigate. She has taken an image of the filesystem from the main controller. Can you figure out what’s wrong?
syntax hint: answer is a string
Solution
I used Autopsy and found an unallocated-space file marked Unalloc_67_38912_10485760. Its contents, shown below, are a Vim swap file (the `b0VIM 8.0` header), apparently written by root on a host named ubuntu, covering edits to a log under /mnt/data and to /mnt/bin/generate_output.
b0VIM 8.0
root
ubuntu
/mnt/data/d1d9a1cf-671f-467b-88cd-82540ec2b82b.log
utf-8
U3210
#"!
flag{642e92efb79421734881b53e1e1b18b6}flag{642e92efb79421734881b53e1e1b18b6}#!/bin/bash#!/bin/bash
echo "flag{642e92efb79421734881b53e1e1b18b6}"
----._ |__| _ ` \\________`-.-`. | |
<==( (| < _>------[__| (_) ____(__)) |--| | |
`--.____`-. `-+---+----' | | ___, //________.-'-,' | |
`-----| |_____________| |_____/_|_|_|_|_|_\,' / |
| | `---\ \ / /
___.-----------------------------------. `. `-.__ __.-' .'
|__ (===========================) ) `._ `----' _.'
`------------------------------------' `-._ _.-'
`--------'
.-----.__________________________.------. ___.--.__________.--._
========================================= `\_ ____.------'-----`-----.____
`------------------------._____.--------' [================================
_____ _.-| |---.__ |=========| `-----'
.-||| `--'---|___|------`--------'----------|
'--------------------._ ------==== O> /
`-. /
\ __.-'
\____.-----'
.---. _.---._ .---.
__=====.----'-------`----.=====__
=================================
\\ |`--._.--'| //
`=====|---------|====='
| _ |
| (_) |
`._ _.'
b0VIM 8.0
root
ubuntu
/mnt/data/d1d9a1cf-671f-467b-88cd-82540ec2b82b.log
utf-8
U3210
#"!
echo "flag{642e92efb79421734881b53e1e1b18b6}"
#!/bin/bash#!/bin/bash
echo "flag{642e92efb79421734881b53e1e1b18b6}"
utf-8
U3210
#"!
EOF EOF `---' `._ _.' | (_) | | _ | `=====|---------|=====' \\ |`--._.--'| // ================================= __=====.----'-------`----.=====__ .---. _.---._ .---.
\____.-----' \ __.-' `-. / '--------------------._ ------==== O> / .-||| `--'---|___|------`--------'----------| _____ _.-| |---.__ |=========| `-----'`------------------------._____.--------' [========================================================================= `\_ ____.------'-----`-----.____.-----.__________________________.------. ___.--.__________.--._
`--------' `------------------------------------' `-._ _.-'|__ (===========================) ) `._ `----' _.' ___.-----------------------------------. `. `-.__ __.-' .' | | `---\ \ / / `-----| |_____________| |_____/_|_|_|_|_|_\,' / | `--.____`-. `-+---+----' | | ___, //________.-'-,' | | <==( (| < _>------[__| (_) ____(__)) |--| | | ,--' ,-' .-+---+----._ |__| _ ` \\________`-.-`. | | ____.-----| | | | ___ \ |_|_|_|_| /`. \ | | |_____________.---/_____/___________ \ \ `-----------------------------------' .' ,-' `-. `.|___ (===========================) ) .' __.----.__ `. __.------------------------------------. _.-' `-._ _.--------._echo#!/bin/bash#!/bin/bash
echo "
_.--------._
__.------------------------------------. _.-' `-._
|___ (===========================) ) .' __.----.__ `.
`-----------------------------------' .' ,-' `-. `.
| |_____________.---/_____/___________ \ \
____.-----| | | | ___ \ |_|_|_|_| /`. \ |
,--' ,-' .-+---+----._ |__| _ ` \\________`-.-`. | |
<==( (| < _>------[__| (_) ____(__)) |--| | |
`--.____`-. `-+---+----' | | ___, //________.-'-,' | |
`-----| |_____________| |_____/_|_|_|_|_|_\,' / |
| | `---\ \ / /
___.-----------------------------------. `. `-.__ __.-' .'
|__ (===========================) ) `._ `----' _.'
`------------------------------------' `-._ _.-'
`--------'
.-----.__________________________.------. ___.--.__________.--._
========================================= `\_ ____.------'-----`-----.____
`------------------------._____.--------' [================================
_____ _.-| |---.__ |=========| `-----'
.-||| `--'---|___|------`--------'----------|
'--------------------._ ------==== O> /
`-. /
\ __.-'
\____.-----'
.---. _.---._ .---.
__=====.----'-------`----.=====__
=================================
\\ |`--._.--'| //
`=====|---------|====='
| _ |
| (_) |
`._ _.'
`---'
b0VIM 8.0
#n_h
root
ubuntu
/mnt/bin/generate_output
utf-8
U3210
#"!
EOF `---' `._ _.' | (_) | | _ | `=====|---------|=====' \\ |`--._.--'| // ================================= __=====.----'-------`----.=====__ .---. _.---._ .---.
\____.-----' \ __.-' `-. / '--------------------._ ------==== O> / .-||| `--'---|___|------`--------'----------| _____ _.-| |---.__ |=========| `-----'`------------------------._____.--------' [========================================================================= `\_ ____.------'-----`-----.____.-----.__________________________.------. ___.--.__________.--._
`--------' `------------------------------------' `-._ _.-'|__ (===========================) ) `._ `----' _.' ___.-----------------------------------. `. `-.__ __.-' .' | | `---\ \ / / `-----| |_____________| |_____/_|_|_|_|_|_\,' / | `--.____`-. `-+---+----' | | ___, //________.-'-,' | | <==( (| < _>------[__| (_) ____(__)) |--| | | ,--' ,-' .-+---+----._ |__| _ ` \\________`-.-`. | | ____.-----| | | | ___ \ |_|_|_|_| /`. \ | | |_____________.---/_____/___________ \ \ `-----------------------------------' .' ,-' `-. `.|___ (===========================) ) .' __.----.__ `. __.------------------------------------. _.-' `-._ _.--------._cat << EOF#!/bin/bash#!/bin/bash
cat << EOF
_.--------._
__.------------------------------------. _.-' `-._
|___ (===========================) ) .' __.----.__ `.
`-----------------------------------' .' ,-' `-. `.
| |_____________.---/_____/___________ \ \
____.-----| | | | ___ \ |_|_|_|_| /`. \ |
,--' ,-' .-+---+----._ |__| _ ` \\________`-.-`. | |
<==( (| < _>------[__| (_) ____(__)) |--| | |
`--.____`-. `-+---+----' | | ___, //________.-'-,' | |
`-----| |_____________| |_____/_|_|_|_|_|_\,' / |
| | `---\ \ / /
___.-----------------------------------. `. `-.__ __.-' .'
|__ (===========================) ) `._ `----' _.'
`------------------------------------' `-._ _.-'
`--------'
.-----.__________________________.------. ___.--.__________.--._
========================================= `\_ ____.------'-----`-----.____
`------------------------._____.--------' [================================
_____ _.-| |---.__ |=========| `-----'
.-||| `--'---|___|------`--------'----------|
'--------------------._ ------==== O> /
`-. /
\ __.-'
\____.-----'
.---. _.---._ .---.
__=====.----'-------`----.=====__
=================================
\\ |`--._.--'| //
`=====|---------|====='
| _ |
| (_) |
`._ _.'
`---'
#!/bin/bash
cat << EOF
_.--------._
__.------------------------------------. _.-' `-._
|___ (===========================) ) .' __.----.__ `.
`-----------------------------------' .' ,-' `-. `.
| |_____________.---/_____/___________ \ \
____.-----| | | | ___ \ |_|_|_|_| /`. \ |
,--' ,-' .-+---+----._ |__| _ ` \\________`-.-`. | |
<==( (| < _>------[__| (_) ____(__)) |--| | |
`--.____`-. `-+---+----' | | ___, //________.-'-,' | |
`-----| |_____________| |_____/_|_|_|_|_|_\,' / |
| | `---\ \ / /
___.-----------------------------------. `. `-.__ __.-' .'
|__ (===========================) ) `._ `----' _.'
`------------------------------------' `-._ _.-'
`--------'
.-----.__________________________.------. ___.--.__________.--._
========================================= `\_ ____.------'-----`-----.____
`------------------------._____.--------' [================================
_____ _.-| |---.__ |=========| `-----'
.-||| `--'---|___|------`--------'----------|
'--------------------._ ------==== O> /
`-. /
\ __.-'
\____.-----'
.---. _.---._ .---.
__=====.----'-------`----.=====__
=================================
\\ |`--._.--'| //
`=====|---------|====='
| _ |
| (_) |
`._ _.'
`---'
{33e75ff09dd601bbe69f351039152189}
{6ea9ab1baa0efb9e19094440c317e21b}
#!/bin/bash
read -r -d '' VAR << EOF
_.--------._
__.------------------------------------. _.-' `-._
|___ (===========================) ) .' __.----.__ `.
`-----------------------------------' .' ,-' `-. `.
| |_____________.---/_____/___________ \ \
____.-----| | | | ___ \ |_|_|_|_| /`. \ |
,--' ,-' .-+---+----._ |__| _ ` \\________`-.-`. | |
<==( (| < _>------[__| (_) ____(__)) |--| | |
`--.____`-. `-+---+----' | | ___, //________.-'-,' | |
`-----| |_____________| |_____/_|_|_|_|_|_\,' / |
| | `---\ \ / /
___.-----------------------------------. `. `-.__ __.-' .'
|__ (===========================) ) `._ `----' _.'
`------------------------------------' `-._ _.-'
`--------'
.-----.__________________________.------. ___.--.__________.--._
========================================= `\_ ____.------'-----`-----.____
`------------------------._____.--------' [================================
_____ _.-| |---.__ |=========| `-----'
.-||| `--'---|___|------`--------'----------|
'--------------------._ ------==== O> /
`-. /
\ __.-'
\____.-----'
.---. _.---._ .---.
__=====.----'-------`----.=====__
=================================
\\ |`--._.--'| //
`=====|---------|====='
| _ |
| (_) |
`._ _.'
`---'
echo $VAR
{6364d3f0f495b6ab9dcf8d3b5c6e0b01}
{182be0c5cdcd5072bb1864cdee4d3d6e}
{e369853df766fa44e1ed0ff613f563bd}
{1c383cd30b7c298ab50293adfecb7b18}
b0VIM 8.0
$n_t
root
ubuntu
/mnt/bin/generate_output
utf-8
U3210
#"!
echoeecho $VAR `---' `---' `._ _.' `---' `._ _.' | `---' `._ _.' | `---' `._ _.' | (_ `---' `._ _.' | (_) `---' `._ _.' | (_) `---' `._ _.' | (_) `---' `._ _.' | (_) `---' `._ _.' | (_) `---' `._ _.' | (_) `---' `._ _.' | (_) `---' `._ _.' | (_ `---' `._ _.' | `---' `._ _.' | `---' `._ _.' `---' `._ _.' `---' `._ _.' | (_ `---' `._ _.' | (_) `---' `._ _.' `---' `._ _.' `---' `._ _.' `---' `._ _.' `---' `._ _.' `---' `._ `---' `---' `---' `---' `---' `---' `---' `---' `cat #!/bin/bashb0VIM 8.0
root
ubuntu
/mnt/config/viento.ini
utf-8
3210
#"!
ExecutionFile=vientoctrl.binExecutionDir=/bin[RunInfo]
MaxLogSize=32KBDataDir=/dataTimestampFormat=YYYMMDDHHMMSSSeed=ThewindisatwisterofangerandwarningThewindbringsthefragranceoffreshlymownhayThewindisaracerawildstallionrunningThesweettasteofloveonaslowsummersday[Initialization]
Gateway=10.2.22.1NetMask=255.255.255.0IPAddress=10.2.22.222ProtocolVersion=4[EthernetIPDriver]
Password=aerokinesisUsername=redtornadoHostname=vientoctrl[Security]b0VIM 8.0
root
ubuntu
/mnt/config/viento.ini
utf-8
U3210
#"!
ExecutionFile=%2E%2E%2Fdata%2Fd1d9a1cf%2D671f%2D467b%2D88cd%2D82540ec2b82b%2ElogExecutionDir=/bin[RunInfo]
MaxLogSize=32KBDataDir=/dataTimestampFormat=YYYMMDDHHMMSSSeed=ThewindisatwisterofangerandwarningThewindbringsthefragranceoffreshlymownhayThewindisaracerawildstallionrunningThesweettasteofloveonaslowsummersday[Initialization]
Gateway=10.2.22.1NetMask=255.255.255.0IPAddress=10.2.22.222ProtocolVersion=4[EthernetIPDriver]
Password=aerokinesisUsername=redtornadoHostname=vientoctrl[Security]{ad61ab143223efbc24c7d2583be69251}
{d09bf41544a3365a46c9077ebb5e35c3}
{fbd7939d674997cdb4692d34de8633c4}
{28dd2c7955ce926456240b2ff0100bde}
{35f4a8d465e6e1edc05f3d8ab658c551}
{d1fe173d08e959397adf34b1d77e88d7}
{f033ab37c30201f73f142449d037028d}
{43ec517d68b6edd3015b3edc9a11367b}
{9778d5d219c5080b9a6a17bef029331c}
{fe9fc289c3ff0af142b6d3bead98a923}
{68d30a9594728bc39aa24be94b319d21}
{3ef815416f775098fe977004015c6193}
{93db85ed909c13838ff95ccfa94cebd9}
{c7e1249ffc03eb9ded908c236bd1996d}
{2a38a4a9316c49e5a833517c45d31070}
{7647966b7343c29048673252e490f736}
{8613985ec49eb8f757ae6439e879bb2a}
{54229abfcfa5649e7003b83dd4755294}
{92cc227532d17e56e07902b254dfad10}
{98dce83da57b0395e163467c9dae521b}
{f4b9ec30ad9f68f89b29639786cb62ef}
{812b4ba287f5ee0bc9d43bbf5bbe87fb}
{26657d5ff9020d2abefe558796b99584}
{e2ef524fbf3d9fe611d5a8e90fefdc9c}
{ed3d2c21991e3bef5e069713af9fa6ca}
{ac627ab1ccbdb62ec96e702f07f6425b}
flag{642e92efb79421734881b53e1e1b18b6}
The string flag{642e92efb79421734881b53e1e1b18b6}
stood out among the many bare 32-character hashes in the strings output because it is the only one carrying the flag{} prefix, so I extracted it and submitted it.
Ans: 642e92efb79421734881b53e1e1b18b6
Analyze: Anomaly 21 (50pts)
You are a member of the network security team at a major healthcare provider in the northeast region of the United States. A joint cybersecurity advisory co-authored by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) was recently published detailing a ransomware campaign targeting the public health sector.
Your task is to see if there are any signs in your network of potential compromise related to this ransomware attack. You should review the threat intel report and see whether it provides any indicators of compromise that you could use in conjunction with the DNS request logs you have been provided.
Your answer should identify the number of unique computers in your network that show signs of being infected with the ransomware identified in the intelligence report.
Syntax hint: this answer is in number format
Analyze: Anomaly 70 (100pts)
Imagine you are a Target Network Analyst for your company. Your responsibilities include: Conducts advanced analysis of collection and open-source data to ensure target continuity; to profile targets and their activities; and develop techniques to gain more target information. Determines how targets communicate, move, operate and live based on knowledge of target technologies, digital networks, and the applications on them. [NIST Guidelines Target Network Analyst AN-TGT-002]
For this challenge you are given an exported MySQL database table from a target of interest that contains employee arrival and departure times recorded in UTC. Assuming a normal workday is 8:00am to 4:30pm, use these times to determine what time zone the company is located in.
Syntax hint: The answer is the three-character time zone.