CorelightOS CTF Writeup
This was a short two hour CTF hosted by Corelight over multiple sessions. Due to an extra space character while entering a flag, I got stuck at one problem for way too long and did not complete either PCAP 1 or 2.
You could either ssh and use the Linux command line to grep through log files or use an SIEM like Splunk.
I used both, so for now I'll only write the flag for each question then maybe one day revisit with the bash-fu.
PCAP 1
Resources
To access the dataset, use any of the following:
Splunk (no login required)
Elastic (credentials below)
SSH to <REDACTED>, and look in ~/tsv_logs/pcap1
Credentials:
Username: <REDACTED>
Password: <REDACTED>
Once you've logged to the tool of your choice, enter the flag "FreePointsPlease" below to unlock the questions for this scenario. You can always return to this question later
FreePointsPlease
Question 1
An HTTP request is made to a specific PHP page. What is the name of that page?
whoami
Question 2
What is one of the IP addresses where that PHP page was hosted?
66.228.32.31
Question 3
What is the IP address that mail.ventascintas.com resolved to?
142.4.4.112
Question 4
What was the IP address that w01099b7.kasserver.com resolved to?
85.13.157.226
Question 5
There is a fairly "generic" X.509 self-signed certificate from a company in London. Can you figure out the domain? (Format: domainname.com)
example.com
Question 6
There is a unique JA3 hash associated with this "generic" certificate. What is that hash?
35492f143de0f906215ea3aaf6ee0a74
Question 7
What was the most recent JA3S hash associated with the previous JA3?
f2e1706526fe0692ee36be58110ffc83
Question 8s
What specific encryption algorithm was used with the aforementioned certificate?
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Question 9
Let's pick apart that X.509 further; there is a unique City that only shows up with this suspicious certificate. What is that City?
London
Question 10
What department does that previous certificate allegedly correspond to?
IT Department
Question 11
What is the SHA1 of the previously-mentioned X.509 certificate?
answer not confirmed
Question 12
As part of this traffic, there were two executables downloaded from 104.168.98.206. What is the SHA1 of the most recently downloaded?
answer not confirmed
Question 13
An executable was downloaded from 124.158.6.218. What was the name of that executable?
i5pv72yr.exe
Question 14
There was a document downloaded in this PCAP that has some Spanish flair to it. What was that document's name?
answer not confirmed
Question 15
What IP address did mail.casaroyal.cl resolve to?
200.75.0.9
Question 16
There's an email address sending suspicious emails (that maybe, maybe looks like a FireEye competitor). What is that email address?
[email protected]
Question 17
An analyst was reading an introduction to threat hunting and came across a User-Agent string that looked familiar: "WinHTTP sender". What is the hostame of the infected host?
SKINNER-WIN-PC
Question 18
Let's pivot on some metadata. There are some weird user agents in this PCAP; which "WinHTTP" one only shows up once?
WinHTTP sender/1.0
Question 19
I did some JA3S hunting; there are some suspicious domains in there associated with some SMTP traffic. There's one JA3S that appears to be associated with port 80. What is the organization of the issuer, owned by GoDaddy?
Starfield Technologies\\, Inc.
Question 20
We've heard from intel that another suspicious document has been found. Email subjects included the word "dossier" - what was the name of the attachment?
INF 17844.doc
Question 21
Reverse engineering team came back; there was an odd executable in the PCAP. They've provided a SHA1 indicator of 026064006b987ed951ffce4f03c4394f557bf588. Can you determine what the downloaded file name was?
i5pv72yr.exe
PCAP 2
Resources
To access the dataset, use any of the following:
Splunk (no login required)
Elastic (credentials below)
SSH to <REDACTED>, and look in ~/tsv_logs/pcap2
Credentials:
Username: <REDACTED>
Password: <REDACTED>
Once you've logged to the tool of your choice, enter the flag "FreePointsPlease" below to unlock the questions for this scenario. You can always return to this question later
FreePointsPlease
Question 1
There are multiple site using Let's Encrypt - what is one of the Subject Names?
tile.openstreetmap.org
Question 2
Looking at all of the traffic, what is the unique JA3 hash that was observed?
bc6c386f480ee97b9d9e52d472b772d8
Question 3
Uh-oh, looks like we have some unencrypted traffic! There were some requests for /en/www/. What hostname was this to?
afroamericanec.bit
Question 4
There was a particular MIME type of which only two files were observed. What is that MIME type?
answer not confirmed
Question 5
What IP address was that MIME type downloaded from?
answer not confirmed
Question 6
A server response appears to be using stenography to hide something in a GIF image. Zeek data can be used to identify a mismatch in the MIME type and filename to help us find a find the suspicious URI that returns this image.
What was the full URI that corresponded to the newest "GIF"?
/pixel.gif
Question 7
There is one odd HTTP request that did not have a corresponding server response code. What was the server IP address of this HTTP request/response pair?
188.165.62.40
Question 8
What MIME type corresponded to this odd request?
image/png
Question 9
Let's go back and revisit one of those Let's Encrypt sites. What is the IP address for the JA3S hash of e35df3e00ca4ef31d42b34bebaa2f86e ?
93.95.100.178
Question 10
What is the two-letter country code where this IP is located?
RU
Question 11
Who is listed as one of the administrative contacts, indicated by FVV36-RIPE?
REDACTED for privacy