AzurePot
Link : https://cyberdefenders.org/blueteam-ctf-challenges/azurepot/
Last updated
Q1 File => sdb.vhd There is a script that runs every minute to do cleanup. What is the name of the file?
Answer : .remove.sh
Q2 File => sdb.vhd The script in Q#1 terminates processes associated with two Bitcoin miner malware files. What is the name of the 1st malware file?
Answer : kinsing
Q3 File => sdb.vhd The script in Q#1 changes the permissions for some files. What is their new permission?
Answer : 444
Q4 File => sdb.vhd What is the SHA256 of the botnet agent file?
Answer : 0e574fd30e806fe4298b3cbccb8d1089454f42f52892f87554325cb352646049
Q5 File => sdb.vhd What is the name of the botnet in Q#4?
Description : https://malpedia.caad.fkie.fraunhofer.de/details/elf.tsunami
Answer : tsunami
Q6 File => sdb.vhd What IP address matches the creation timestamp of the botnet agent file in Q#4?
Note : creation time of the file dk86
Q7 File => sdb.vhd What URL did the attacker use to download the botnet agent?
Answer : http://138.197.206.223:80/wp-content/themes/twentysixteen/dk86
Q8 File => sdb.vhd What is the name of the file that the attacker downloaded to execute the malicious script and subsequently remove itself?
Answer : .install
Q9 File => sdb.vhd The attacker downloaded sh scripts. What are the names of these files?
Answer : 0_cron.sh, 0_linux.sh, ap.sh
Q10 File => UAC Two suspicious processes were running from a deleted directory. What are their PIDs?
Answer : 6388, 20645
Q11 File => UAC What is the suspicious command line associated with the 2nd PID in Q#10?
Answer : sh .src.sh
Q12 File => UAC UAC gathered some data from the second process in Q#10. What are the remote IP address and remote port that were used in the attack?
Answer : 116.202.187.77:56590
Q13 File => UAC Which user was responsible for executing the command in Q#11?
Answer : daemon
Q14 File => UAC Two suspicious shell processes were running from the tmp folder. What are their PIDs?
Answer : 15853, 21785
Q15 File => ubuntu.20211208.mem What is the MAC address of the captured memory?
Answer : 00:22:48:26:3b:16
Q16 File => ubuntu.20211208.mem From the Bash history, the attacker downloaded an sh script. What is the name of the file?
Answer : unk.sh