Boss Of The SOC v1 Writeup

Leylaliyeva
11 min read · Feb 3, 2023


https://cyberdefenders.org/blueteam-ctf-challenges/15

Today I will walk you through solving the Boss of the SOC v1 challenge from the Splunk team, hosted at Cyberdefenders.org, in the easiest way I know.

Let’s go.

Questions and Solutions

1. This is a simple question to get you familiar with submitting answers. What is the name of the company that makes the software that you are using for this competition? Just a six-letter word with no punctuation.

Given that Splunk is the originator of the challenge, this one is pretty simple. The answer is Splunk.

Answer: Splunk

2. What is the likely IP address of someone from the Po1s0n1vy group scanning imreallynotbatman.com for web application vulnerabilities?

Let’s start by focusing our search on events connected to “imreallynotbatman.com” by using the below query.

Query: imreallynotbatman.com

First method: Scanners are usually easy to catch. Since the target is “imreallynotbatman.com”, we need to check the source IPs of the potential attackers. Here we see three source IPs.

Knowing that 192.168.x.x addresses are private IPs, we are left with 2 suspects.

Due to the high volume of requests to “imreallynotbatman.com”, 40.80.148.42 is the most likely suspect.

Second method: We can simply search for

Query: imreallynotbatman.com SCAN

This query returns only a handful of alerts, all from a single source IP in the incoming traffic.

Answer: 40.80.148.42

3. What company created the web vulnerability scanner used by Po1s0n1vy? Type the company name. (For example, “Microsoft” or “Oracle”)

Using the second method from question 2, let’s investigate the 7 events to confirm the origin of these requests.

Looking into the details of these events, we see that the Acunetix web scanner was used to scan the website for vulnerabilities.

Answer: Acunetix

4. What content management system is imreallynotbatman.com likely using? (Please do not include punctuation such as . , ! ? in your answer. We are looking for alpha characters only.)

A content management system, often abbreviated as CMS, is software that helps users create, manage, and modify content on a website without the need for specialized technical knowledge. Examples of content management systems: WordPress, Joomla, Drupal, Magento, Squarespace, Wix, Ghost.

Query: c_ip="192.168.250.70"

| stats count by url

Answer: Joomla

5. What is the name of the file that defaced the imreallynotbatman.com website? Please submit only the name of the file with the extension (For example, “notepad.exe” or “favicon.ico”).

Defacement has a different traffic flow from scanning. In this case the website “imreallynotbatman.com” has already been compromised, and the file that defaced the site was hosted on the attacker's infrastructure for download. The source IP therefore changes to the web server IP of imreallynotbatman.com, which pulls the defacement picture file from the attacker's website. Let’s first trace the IP of the imreallynotbatman.com web server, assuming the scanner IP is the one that defaced it.

Query: imreallynotbatman.com src_ip="40.80.148.42"

This gives us the target IP: 192.168.250.70.

Now that we know the web server is the one receiving the defacement picture, we use its address as the client IP in our query. Since the request’s URL is displayed, let’s run statistics on it.

Query: c_ip=192.168.250.70

| stats count by url

Here we need to identify the file that defaced the website. Finally, we find the defacement image:

Answer: poisonivy-is-coming-for-you-batman.jpeg

6. This attack used dynamic DNS to resolve to the malicious IP. What is the fully qualified domain name (FQDN) associated with this attack?

In the previous question we saw that the FQDN the defacement image was requested from is prankglassinebracket.jumpingcrab.com.

Answer: prankglassinebracket.jumpingcrab.com

7. What IP address has Po1s0n1vy tied to domains that are pre-staged to attack Wayne Enterprises?

Going deeper into the attack, let’s look at the events:

Query: c_ip="192.168.250.70" url=http://prankglassinebracket.jumpingcrab.com:1337:1337/poisonivy-is-coming-for-you-batman.jpeg

Here we have one destination IP associated with the malicious domain prankglassinebracket.jumpingcrab.com:

Answer: 23.22.63.114

8. Based on the data gathered from this attack and common open-source intelligence sources for domain names, what is the email address most likely associated with the Po1s0n1vy APT group?

First, we search for domain names resolving to 23.22.63.114 on VirusTotal.

po1s0n1vy.com is most likely associated with the Po1s0n1vy APT group.

Let’s check it out on whoxy.com.

I checked all these emails and lillian.rose@po1s0n1vy.com was valid.

Answer: lillian.rose@po1s0n1vy.com

9. What IP address is likely attempting a brute force password attack against imreallynotbatman.com?

A brute force attack is directed at the target, so the target IP is our local web server IP: 192.168.250.70.

In a brute force login attack the credentials are sent in the message body, so the HTTP method is mostly POST.

Query: dest_ip="192.168.250.70" imreallynotbatman.com http_method=POST

| stats count by src, form_data, status

Answer: 23.22.63.114

10. What is the name of the executable uploaded by Po1s0n1vy? Please include the file extension. (For example, “notepad.exe” or “favicon.ico”)

We already know the IP of the web server. To answer this question, I will search for *.exe file extensions with a POST request:

Query: dest_ip=192.168.250.70 sourcetype="stream:http" POST *.exe

Looking at the details, we can see a suspicious 3791.exe:

Answer: 3791.exe

11. What is the MD5 hash of the executable uploaded?

Searching for 3791.exe’s MD5 hash, we see that we have only 1 source:

In Event Descriptions we have 2 types of events. We will search for Process Create, since that is the event generated when the uploaded executable is run.

There is also a 3791.exe file on disk under the Joomla web root:

Going deeper:

Query: 3791.exe md5 source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventDescription="Process Create" app="C:\\inetpub\\wwwroot\\joomla\\3791.exe"

Answer: AAE3F5A29935E6ABCC2C2754D12A9AF0

12. GCPD reported that common TTP (Tactics, Techniques, Procedures) for the Po1s0n1vy APT group, if initial compromise fails, is to send a spear-phishing email with custom malware attached to their intended target. This malware is usually connected to Po1s0n1vy’s initial attack infrastructure. Using research techniques, provide the SHA256 hash of this malware.

If this malware connects to Po1s0n1vy’s initial attack infrastructure, then we already know its IP: 23.22.63.114

I’ll look it up on VirusTotal and check the details in the File Reference section:

Let’s check the suspicious MirandaTateScreensaver.scr.exe file in detail:

So it’s malicious; let’s take its hash value:

Answer: 9709473ab351387aab9e816eff3910b9f28a7a70202e250ed46dba8f820f34a8

13. What is the special hex code associated with the customized malware discussed in question 12? (Hint: It’s not in Splunk)

The answer to this question is written in the VirusTotal community section:

Answer: 53 74 65 76 65 20 42 72 61 6e 74 27 73 20 42 65 61 72 64 20 69 73 20 61 20 70 6f 77 65 72 66 75 6c 20 74 68 69 6e 67 2e 20 46 69 6e 64 20 74 68 69 73 20 6d 65 73 73 61 67 65 20 61 6e 64 20 61 73 6b 20 68 69 6d 20 74 6f 20 62 75 79 20 79 6f 75 20 61 20 62 65 65 72 21 21 21

14. One of Po1s0n1vy’s staged domains has some disjointed “unique” whois information. Concatenate the two codes together and submit them as a single answer.

Check these domains in https://www.whoxy.com/whois-history/demo_result.php:

Only waynecorinc.com returned a different response:

Answer: 31 73 74 32 66 69 6E 64 67 65 74 73 66 72 65 65 62 65 65 72 66 72 6F 6D 72 79 61 6E 66 69 6E 64 68 69 6D 74 6F 67 65 74

15. What was the first brute force password used?

Query: src="23.22.63.114" imreallynotbatman.com http_method=POST form_data=*username*passwd*

| table form_data, _time, status

| sort _time

Answer: 12345678

16. One of the passwords in the brute force attack is James Brodsky’s favorite Coldplay song. Hint: we are looking for a six-character word on this one. Which is it?

Search for a list of Coldplay songs and pick the six-character titles:

1) A L I E N S

2) Clocks

3) Fix You

4) Oceans

5) Shiver

6) Sparks

7) Yellow

Search for them one by one in Splunk:

Query: src="23.22.63.114" imreallynotbatman.com http_method=POST form_data="*username*passwd=<words>*"

| table form_data, _time, status

| sort _time

Finally, yellow is the one that matches:

Query: src="23.22.63.114" imreallynotbatman.com http_method=POST form_data="*username*passwd=yellow*"

| table form_data, _time, status

| sort _time

Answer: yellow

17. What was the correct password for admin access to the content management system running “imreallynotbatman.com”?

Start from the brute force query:

Query: imreallynotbatman.com http_method=POST form_data="*username*passwd*"

Here we see two connection types, close and keep-alive; select Keep-Alive:

Query: imreallynotbatman.com http_method=POST form_data="*username*passwd*" connection_type="Keep-Alive"

Find the passwd value in form_data:

Answer: batman

18. What was the average password length used in the password brute-forcing attempt? (Round to a closest whole integer. For example “5” not “5.23213”)

In this case we need a few SPL functions:

Query: src="23.22.63.114" imreallynotbatman.com http_method=POST form_data=*username*passwd*

| rex field="form_data" "passwd=(?<passwd>\w+)"

| eval passwd_len = len(passwd)

| stats avg(passwd_len) as avg_passwd_len

| eval avg_passwd_len = round(avg_passwd_len,3)

Answer: 6

19. How many seconds elapsed between the brute force password scan identified the correct password and the compromised login? Round to 2 decimal places.

Query: imreallynotbatman.com http_method=POST form_data="*username*passwd*"

| rex field="form_data" "passwd=(?<passwd>\w+)"

| search passwd="batman"

| transaction passwd

| table duration

Answer: 92.17

20. How many unique passwords were attempted in the brute force attempt?

dc stands for Distinct Count:

Query: imreallynotbatman.com http_method=POST form_data="*username*passwd*"

| rex field="form_data" "passwd=(?<passwd>\w+)"

| stats dc(passwd) as "Total Unique Password"

Answer: 412
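As an added example that is not part of the original writeup, the SPL pipeline from questions 15 and 18 to 20 (rex extraction of passwd, sort by _time, average length, transaction duration and distinct count) replicated in Python over a handful of constructed login events, so each command's logic can be checked offline. The events, their timestamps and the later login from 40.80.148.42 are constructed sample data, not records from the BOTS v1 dataset.

```python
import re
from datetime import datetime
from statistics import mean

# Constructed sample events (NOT from the BOTS v1 dataset), carrying the Splunk
# fields the writeup uses: _time, src, status, form_data. The last row models a
# later login with the recovered password coming from a different source IP.
EVENTS = [
    {"_time": t, "src": s, "status": st,
     "form_data": f"username=admin&passwd={p}&option=com_login&task=login"}
    for t, s, st, p in [
        ("2016-08-10T21:44:00.123", "23.22.63.114", 200, "12345678"),
        ("2016-08-10T21:44:01.456", "23.22.63.114", 200, "yellow"),
        ("2016-08-10T21:44:02.789", "23.22.63.114", 200, "batman"),
        ("2016-08-10T21:44:03.000", "23.22.63.114", 200, "12345678"),
        ("2016-08-10T21:45:32.170", "40.80.148.42", 303, "batman"),
    ]
]

# Same pattern as the writeup's rex command: passwd=(?<passwd>\w+)
PASSWD_RE = re.compile(r"passwd=(?P<passwd>\w+)")

def extract_passwords(events):
    """rex + sort _time: (timestamp, passwd) pairs in time order, dropping
    events whose form_data carries no passwd= parameter."""
    pairs = []
    for ev in events:
        m = PASSWD_RE.search(ev["form_data"])
        if m:
            pairs.append((datetime.fromisoformat(ev["_time"]), m.group("passwd")))
    return sorted(pairs, key=lambda tp: tp[0])

def first_password(events):
    """Q15: the earliest password attempted (head of the time-sorted table)."""
    return extract_passwords(events)[0][1]

def avg_passwd_len(events, digits=3):
    """Q18: eval passwd_len=len(passwd) | stats avg(passwd_len) | eval round(.., 3)"""
    return round(mean(len(p) for _, p in extract_passwords(events)), digits)

def seconds_between(events, passwd):
    """Q19: search passwd=<passwd> | transaction passwd | table duration.
    A transaction's duration is last event time minus first; one event gives 0."""
    times = [t for t, p in extract_passwords(events) if p == passwd]
    return round((max(times) - min(times)).total_seconds(), 2) if times else 0.0

def distinct_passwords(events):
    """Q20: stats dc(passwd), the number of unique passwords tried."""
    return len({p for _, p in extract_passwords(events)})
```

On the constructed events the average length is 6.8 (rounded to 7 as the question asks), three distinct passwords were tried, and 89.38 seconds separate the brute-force hit on batman from the later login with it.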

21. What was the most likely IP address of we8105desk in 24AUG2016?

Search source IP statistics for host=we8105desk on 24/08/2016:

Query: host=we8105desk src="we8105desk.waynecorpinc.local"

| stats count by src_ip

Answer: 192.168.250.100

22. Amongst the Suricata signatures that detected the Cerber malware, which one alerted the fewest number of times? Submit ONLY the signature ID value as the answer. (No punctuation, just 7 integers.)

Query: Cerber host="suricata-ids.waynecorpinc.local"

Answer: 2816763

23. What fully qualified domain name (FQDN) makes the Cerber ransomware attempt to direct the user to at the end of its encryption phase?

Query: source="stream:dns" src_ip="192.168.250.100"

Answer: cerberhhyed5frqa.xmfir0.win

24. What was the first suspicious domain visited by we8105desk in 24AUG2016?

From question 21 we know we8105desk’s IP is 192.168.250.100.

Answer: solidaritedeproximite.org

25. During the initial Cerber infection a VB script is run. The entire script from this execution, pre-pended by the name of the launching .exe, can be found in a field in Splunk. What is the length in characters of the value of this field?

First, search for *VBS:

Then click on the app field and look at the two entries whose count is just 1 (since the script probably ran only once to start the encryption process).

After finding the correct one, e.g. C:\Windows\SysWOW64\wscript.exe, we can get the script from the field ParentCommandLine (and its length):

Query: *VBS app="C:\\Windows\\SysWOW64\\wscript.exe"

| eval length=len(ParentCommandLine)

| table length

Answer: 4490

26. What is the name of the USB key inserted by Bob Smith?

A friendly name is a term used to refer to a device, application, file, certificate or other IT asset instead of its technical identifier. Friendly names complement unique identifiers (UIDs), which are numeric or alphanumeric strings assigned to entities by default.

Standard query: sourcetype=WinRegistry friendlyname

| stats count by registry_value_data

Answer: MIRANDA_PRI

27. Bob Smith’s workstation (we8105desk) was connected to a file server during the ransomware outbreak. What is the IP address of the file server?

Query: src_ip="192.168.250.100" sourcetype="stream:smb"

| stats count by path

Answer: 192.168.250.20

28. How many distinct PDFs did the ransomware encrypt on the remote file server?

Remote file server might be we9041srv.waynecorpinc.local.

Query: *.pdf dvc="we9041srv.waynecorpinc.local"

| stats dc(Relative_Target_Name)

Answer: 257

29. The VBScript found in question 25 launches 121214.tmp. What is the ParentProcessId of this initial launch?

If you are familiar with VBScript, you will know that it can be launched with either wscript (the most common) or cscript. Let’s use this to narrow our search so that it includes the relevant file.

Query: 121214.tmp wscript

Answer: 3968

30. The Cerber ransomware encrypts files located in Bob Smith’s Windows profile. How many .txt files does it encrypt?

Query: host=we8105desk sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" TargetFilename="C:\\Users\\bob.smith.WAYNECORPINC\\*.txt"

| stats dc(TargetFilename)

Answer: 406

31. The malware downloads a file that contains the Cerber ransomware crypto code. What is the name of that file?

In question 24 we found the suspicious domain: solidaritedeproximite.org

Query: src_ip="192.168.250.100" "solidaritedeproximite.org" http_method="GET"

Look at http.url in the event details:

Answer: mhtr.jpg

32. Now that you know the name of the ransomware’s encryptor file, what obfuscation technique does it likely use?

Answer: steganography
