Protect and Defend

One of the categories in the Department of Energy’s CyberForce Program - Conquer the Hill: Adventurer Edition 2021

CyberForce 2021 Writeup

Table of Contents

  1. Protect and Defend
    1. Protect and Defend: Anomaly 54 (20pts)
    2. Protect and Defend: Anomaly 55 (20pts)
      1. Solution
    3. Protect and Defend: Anomaly 58 (20pts)
    4. Protect and Defend: Anomaly 69 (20pts)
      1. Solution
    5. Protect and Defend: Anomaly 95 (20pts)
      1. Solution
    6. Protect and Defend: Anomaly 26 (50pts)
      1. Solution
    7. Protect and Defend: Anomaly 46 (50pts)
    8. Protect and Defend: Anomaly 56 (50pts)
      1. Solution
    9. Protect and Defend: Anomaly 57 (50pts)
    10. Protect and Defend: Anomaly 65 (50pts)
    11. Protect and Defend: Anomaly 66 (50pts)
    12. Protect and Defend: Anomaly 68 (50pts)
    13. Protect and Defend: Anomaly 13 (100pts)
    14. Protect and Defend: Anomaly 19 (100pts)
    15. Protect and Defend: Anomaly 44 (100pts)
    16. Protect and Defend: Anomaly 64 (100pts)
      1. Solution

Protect and Defend: Anomaly 54 (20pts)

The PCAP file Malware-Dec2018.pcap was sampled from one of the exploits used in the Dec 2018 CyberForce competition. Analyze the PCAP file and determine the Microsoft Security Bulletin number describing this vulnerability.

Answer format: MS##-###

Protect and Defend: Anomaly 55 (20pts)

Question: The chart shown in Splunk-PortScanningTraffic.png was generated by a SOC. It shows a sharp uptick in port scanning activity on a specific port about a third of the way across the graph. This corresponds to the release of a new Metasploit Module.
a. What is the name of the Metasploit Module? b. What port number is being scanned?

Answer format: a,b

Syntax hint: Apples, ####

Solution

The highest peak on the graph takes place on 2019-09-07, which aligns with the release of the BlueKeep exploit. https://www.welivesecurity.com/2019/12/17/bluekeep-time-disconnect-rdp-internet/ recommends "1. Disallow external connections to local machines on port 3389 (TCP/UDP) at the perimeter firewall." That makes 3389 the port being scanned.

Ans: BlueKeep, 3389

Protect and Defend: Anomaly 58 (20pts)

Given PCAPNG file, analyze and assess which CVE was targeted with the exploit used in the traffic.

Syntax hint: Answer format: CVE-XXXX-XXXX

Protect and Defend: Anomaly 69 (20pts)

A user at your company was recently seen to be browsing a potentially malicious website. A packet capture was saved from this website visit, and you have been tasked with determining what image the user opened from the website. Analyze this packet capture file (anomaly_packets.cap) with an appropriate tool and provide the answer of what animals (plural noun) are displayed in the file “DSC07858.JPG”.

Syntax hint: answer is not case sensitive, no spaces

Solution

Opened the pcap file and used File > Export Objects > HTTP.

Checked the files marked DSC07858.JPG and saw dolphins jumping out of the water. Note: there is another photo marked DSC07858.JPG, but that one doesn't have any animals in it.

Ans: dolphins

Protect and Defend: Anomaly 95 (20pts)

What are the three categories of controls for a defense in depth approach? (Please submit your answer with commas in alphabetical order. For example: Apples, bananas, oranges)

Solution

Ans: Administrative, Physical, Technical

Protect and Defend: Anomaly 26 (50pts)

Part of your responsibilities as a security engineer is to perform code reviews for certain projects in your organization. A developer recently pushed new code for a public facing web application. Review the provided code and identify if there are any potential security issues.

For this anomaly, you do not need to run the actual code, just visually review it. The security issue in this project maps directly to the OWASP Top 10. For your answer, you will provide the codified OWASP category. So for example, if you believe there is an Injection vulnerability, your answer would be: A1:2017-Injection

The OWASP Top 10 can be found here: https://owasp.org/www-project-top-ten/2017/

The codified categories are found in the table of contents of that page

A PDF version of the OWASP Top 10 is also provided with this anomaly. The codified categories can also be found in the table of contents, or page 2, of the PDF.

Solution

Provided code to look at:

from hashlib import md5
from typing import NamedTuple

from aiopg import Connection


class User(NamedTuple):
    id: int
    username: str
    email: str
    pwd_hash: str
    is_admin: bool

    @classmethod
    def from_raw(cls, raw: tuple):
        return cls(*raw) if raw else None

    @staticmethod
    async def get(conn: Connection, id_: int):
        async with conn.cursor() as cur:
            await cur.execute(
                'SELECT id, email, username, pwd_hash, is_admin '
                'FROM users WHERE id = %s',
                (id_,),
            )
            return User.from_raw(await cur.fetchone())

    @staticmethod
    async def get_by_username(conn: Connection, username: str):
        async with conn.cursor() as cur:
            await cur.execute(
                'SELECT id, email, username, pwd_hash, is_admin '
                'FROM users WHERE username = %s',
                (username,),
            )
            return User.from_raw(await cur.fetchone())

    def hash_password(self, password: str):
        return self.pwd_hash == md5(password.encode('utf-8')).hexdigest()

The password check compares pwd_hash against a plain, unsalted MD5 digest of the password (md5(password.encode('utf-8')).hexdigest()), so stored credentials are weakly protected. That is exposed sensitive data rather than an injection problem (the queries are parameterized).

Ans: A3:2017-Sensitive Data Exposure

Protect and Defend: Anomaly 46 (50pts)

Your boss emails you an image, claiming that it contains a key to one of your top rival’s databases. Can you find it?

syntax hint: answer is not case sensitive, no spaces

Protect and Defend: Anomaly 56 (50pts)

Given an nmap scan, analyze and assess which port has the most vulnerability and has the highest number of CVE vulns listed for the specific version running of the service.

Syntax hint: In your answer, just give the port number

Solution

Port 3306 is MySQL, which has the highest number of CVEs listed for the version running.

Ans: 3306

Protect and Defend: Anomaly 57 (50pts)

You have identified the target network is using wireless router DLink DIR-412 and downloaded the firmware. Search for hardcoded user:password in the firmware for connecting with telnet to conduct a penetration test.

Syntax hint: answer is not case sensitive, no spaces, include special characters

Protect and Defend: Anomaly 65 (50pts)

What is the path+filename of the misconfigured file?

Syntax hint: Submit answer as path/filename, example: /etc/apache2/hosts.deny

Protect and Defend: Anomaly 66 (50pts)

Given the following docker image, what potentially malicious host:port is the container calling out to?

syntax hint: Answer with host:port, for example: google.com:80

Protect and Defend: Anomaly 68 (50pts)

The security team at your company has recently produced a log of network traffic that is particularly troubling, as they believe it might have included the exchange of malware. Using an intrusion detection system such as Snort, analyze the packet capture they have provided to you (snort_anomaly_capture.pcap). Using the capabilities of this software, determine the name of the first incident of malware present (specifically look at traffic from 192.168.1.135:445 to 192.168.1.112:49759).

Syntax hint: Submit the name of the malware as your answer (exclude the MALWARE-CNC designation before the name).

Protect and Defend: Anomaly 13 (100pts)

One of your coworkers on the cybersecurity team identified malicious beaconing coming from three machines in your network. Examine the network traffic capture to see what data (if any) was exfiltrated.

syntax hint: not case sensitive, no spaces

Protect and Defend: Anomaly 19 (100pts)

An employee at your organization was recently terminated after they were suspected of performing malicious activities at work. Unfortunately, they were using a second system they had set up separately from the rest of the work domain, in addition to their workstation, as they had been afforded a high trust level. The cyber team recovered the /etc/passwd and /etc/shadow files from their system but are unable to access the second system. You have been asked to crack the files to retrieve the password for the user ‘eowyn’, in hopes that the same username and password were used on the other system.

Syntax hint: answer is not case sensitive, no spaces

Protect and Defend: Anomaly 44 (100pts)

Your IDS system generated an alert for a known malicious IP, 40.122.151.219, that appears to be part of a watering hole attack. Examine the packet capture file from the affected subnet to determine the cause of the suspicious activity. If this is a true positive, examine the associated traffic to determine whether the compromise was successful.

syntax hint: answer is not case sensitive, no spaces

Protect and Defend: Anomaly 64 (100pts)

Given the ciphertext, key, and code to create the ciphertext, can you find the plaintext?

syntax hint: include special characters, no spaces

Solution

I searched the files and found that string. For most of the competition this was marked wrong until they corrected it later, so I believed it was a red herring.

I found the string in the file marked enc.py:

class C(PULLY):
    def __new__(cls):
        return ZZTOP('KEY{congrats_you_found_me_:P}')

Ans: congrats_you_found_me_:P