\chapter{Question 5 - Network Forensics}
\section{Preparation}
It wasn't clear what was going to be required for the network forensics part
of the competition, so not much preparation could be done. For the most part,
preparation consisted of getting familiar with using the tools that would
likely be required, such as Wireshark.
\section{Given Information}
All teams were given a file: network-forensics.zip\\
The file contained a network capture file (PCAP).
\section{Question 5.1}
\textbf{a) What is the CVE of the vulnerability used to exploit the mail server?
\\b) What was the operating system that was targeted?
\\\\
Example answer format: [CVE-1234-1234] [msdos]}
\subsection{Approach}
The network capture was of a telnet session between a client and a server. At
a point in the connection sequence, the server identifies itself as FreeBSD.
This was the operating system that was targeted by the attack.
Inspection of the capture showed some unusual packets in the key exchange,
and searching vulnerability databases for issues in the FreeBSD telnet
daemon involving the key exchange revealed just one CVE, which fit the
capture exactly. This CVE was CVE-2011-4862 \cite{CVE-2011-4862}.
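The indicator described above, an oversized key ID in the telnet ENCRYPT suboption negotiation, can be checked mechanically. The following Python is an added defensive example, not code from the original write-up: it walks one direction of a telnet byte stream, parses \texttt{IAC SB ENCRYPT ENC\_KEYID/DEC\_KEYID ... IAC SE} suboptions (handling the \texttt{IAC IAC} escape) and flags any key ID longer than a threshold, which is what a detection rule for CVE-2011-4862, a fixed-size key-ID buffer overflow in telnetd, would look for. The 64-byte threshold, the \texttt{build\_suboption} helper and the sample stream are this example's own constructions.

```python
from dataclasses import dataclass
from typing import List

IAC, SB, SE = 255, 250, 240    # telnet command bytes: Interpret As Command, Subnegotiation Begin/End
TELOPT_ENCRYPT = 38            # ENCRYPT option (RFC 2946)
ENC_KEYID, DEC_KEYID = 7, 8    # ENCRYPT suboption commands that carry a key ID
KEYID_THRESHOLD = 64           # assumption of this example: key IDs longer than this are flagged

@dataclass
class KeyIdEvent:
    offset: int       # byte offset of the IAC SB that opened the suboption
    command: int      # ENC_KEYID or DEC_KEYID
    length: int       # key-ID length after removing IAC IAC escapes
    suspicious: bool  # True when length exceeds the threshold

def find_encrypt_keyids(stream: bytes, threshold: int = KEYID_THRESHOLD) -> List[KeyIdEvent]:
    events, i, n = [], 0, len(stream)
    while i < n - 1:
        if stream[i] != IAC or stream[i + 1] != SB:
            i += 1
            continue
        body, j = bytearray(), i + 2
        while j < n:                                   # collect suboption bytes up to IAC SE
            if stream[j] == IAC and j + 1 < n and stream[j + 1] == IAC:
                body.append(IAC)                       # escaped literal 0xFF inside the suboption
                j += 2
            elif stream[j] == IAC and j + 1 < n and stream[j + 1] == SE:
                j += 2                                 # end of suboption
                break
            else:
                body.append(stream[j])
                j += 1
        else:
            break                                      # truncated suboption: nothing more to parse
        if len(body) >= 2 and body[0] == TELOPT_ENCRYPT and body[1] in (ENC_KEYID, DEC_KEYID):
            key_len = len(body) - 2                    # strip option byte and suboption command
            events.append(KeyIdEvent(i, body[1], key_len, key_len > threshold))
        i = j
    return events

def build_suboption(option: int, *payload: int) -> bytes:
    # Constructed helper: frame one suboption, escaping 0xFF in the payload as IAC IAC.
    return bytes([IAC, SB, option]) + bytes(payload).replace(b"\xff", b"\xff\xff") + bytes([IAC, SE])

# Constructed sample stream: a FreeBSD-style banner, a benign 2-byte key ID, then a 200-byte one.
SAMPLE_STREAM = (b"FreeBSD/amd64 (host) (pts/0)\r\n"
                 + build_suboption(TELOPT_ENCRYPT, ENC_KEYID, 0x01, 0x02)
                 + build_suboption(TELOPT_ENCRYPT, ENC_KEYID, *([0x41] * 200)))
```

Run `find_encrypt_keyids(SAMPLE_STREAM)` to see the second suboption reported as suspicious; on a real capture, feed it the reassembled TCP payload of the client-to-server direction.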
\section{Question 5.2}
\textbf{The first payload contains shellcode that invokes system calls, i.e.
``int80''. The first system call is ``socket''. What are the next two system calls
(remember the target OS)?
\\\\
Example answer format: [syscall1] [syscall2]}
\subsection{Approach}
The approach required to answer this question was not found by the team.
Several different methods were tried, including various ways of
disassembling the payload, but the assembly code to launch system calls
was not found in the payloads. This meant that they must have been
obfuscated in some way, but it was not apparent how to decode them.
\section{Question 5.3}
\textbf{Deobfuscate the second payload to reveal the triple DES key. The key is
the flag}
\subsection{Approach}
The same problem as in Question 5.2 prevented the team from being able to answer
this question.
\section{Question 5.4}
\textbf{Once the third payload is decrypted with the above key, it drops out a
binary. Deobfuscate the key hidden in the binary. The key is the flag}
\subsection{Approach}
As the key in Question 5.3 was not found, this question could not be attempted.
\section{Question 5.5}
\textbf{Decode the communication and retrieve the flag}
\subsection{Approach}
As the key in Question 5.3 was not found, this question could not be attempted.