The Puzzle
Ann Dercover is after SaucyCorp’s Secret Sauce recipe. She’s been trailing the lead developer, Vick Timmes, to figure out how she can remotely access SaucyCorp’s servers. One night, while conducting reconnaissance, she sees him log into his laptop (10.10.10.70) and VPN into SaucyCorp’s headquarters.
Leveraging her connections with international hacking organizations, Ann obtains a 0-day exploit for Internet Explorer and launches a client-side spear phishing attack against Vick Timmes. Ann carefully crafts an email to Vick containing tips on how to improve secret sauce recipes and sends it. Seeing an opportunity that could get him that Vice President of Product Development title (and corner office) that he’s been coveting, Vick clicks on the link. Ann is ready to strike…
You are the forensic investigator. Your mission is to analyze the packet capture containing Ann’s exploit, build a timeline, and submit your evidence including…
1. What was the full URI of Vick Timmes’ original web request? (Please include the port in your URI.)
Filtering on the http protocol shows that it was http://10.10.10.10:8080/index.php.

2. In response, the malicious web server sent back obfuscated JavaScript. Near the beginning of this code, the attacker created an array with 1300 elements labeled “COMMENT”, then filled their data element with a string. What was the value of this string?
Following the HTTP stream shows that it is vEI.

3. Vick’s computer made a second HTTP request for an object.
a. What was the filename of the object that was requested? index.phpmfKSxSANkeTeNrah.gif

b. What is the MD5sum of the object that was returned? df3e567d6f16d040326c7a0ea29a4f41

4. When was the TCP session on port 4444 opened? (Provide the number of seconds since the beginning of the packet capture, rounded to tenths of a second. ie, 49.5 seconds)
The Time field of the session's first packet is 1.265851, but since rounding to one decimal place is required, the answer is 1.3 seconds.

5. When was the TCP session on port 4444 closed? (Provide the number of seconds since the beginning of the packet capture, rounded to tenths of a second. ie, 49.5 seconds)
The Time field of the [FIN, ACK] packet is 87.58714, but since rounding to one decimal place is required, the answer is 87.6 seconds.

6. In packet 17, the malicious server sent a file to the client.
Select packet 17.

Using Follow TCP Stream, the "MZ" string and the string "This program cannot be run in DOS mode" show that it is a Windows executable.

a. What type of file was it? Choose one:
- Windows executable
- GIF image
- PHP script
- Zip file
- Encrypted data
b. What was the MD5sum of the file? b062cb8344cd3e296d8868fbef289c7c
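The Follow TCP Stream check above can be done programmatically on the reassembled bytes. The following is an added example (not part of the original write-up, and not the contest's sample): it picks the answer-list label from the object's magic bytes rather than its filename, confirms a real PE by following the `e_lfanew` pointer to the `PE\0\0` signature, looks for the DOS-stub text, and hashes the object. `make_fake_pe` builds a constructed stand-in with the same markers; the signature table is a small hand-written heuristic for the five options listed.

```python
import hashlib

DOS_STUB = b"This program cannot be run in DOS mode"

# Leading-byte signatures for the file types offered in question 6 (constructed table).
SIGNATURES = [
    (b"MZ", "Windows executable"),
    (b"GIF87a", "GIF image"),
    (b"GIF89a", "GIF image"),
    (b"PK\x03\x04", "Zip file"),
    (b"<?php", "PHP script"),
]

def classify(data: bytes) -> str:
    """Pick the answer-list label from the object's leading bytes, ignoring any filename
    extension; with no recognised signature, fall back to the puzzle's catch-all option."""
    head = data.lstrip()[:8]
    for magic, label in SIGNATURES:
        if head.startswith(magic):
            return label
    return "Encrypted data"

def is_pe(data: bytes) -> bool:
    """Confirm a PE file rather than a stray 'MZ': e_lfanew at 0x3C must point at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def has_dos_stub(data: bytes) -> bool:
    """The human-readable marker seen in Follow TCP Stream lives in the first few hundred bytes."""
    return DOS_STUB in data[:0x200]

def md5_hex(data: bytes) -> str:
    """Hash of the reassembled object, to compare with the value recorded in the write-up."""
    return hashlib.md5(data).hexdigest()

def make_fake_pe() -> bytes:
    """Constructed stand-in for the transferred file: MZ header, DOS stub text, PE signature
    at offset 0x80. It is not a working program and not the puzzle's sample."""
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = (0x80).to_bytes(4, "little")
    stub = b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21" + DOS_STUB + b".\r\r\n$"
    hdr[0x40:0x40 + len(stub)] = stub
    return bytes(hdr) + b"PE\x00\x00" + b"\x4c\x01" + b"\x00" * 18

if __name__ == "__main__":
    # A .gif name says nothing about the content: the first object classifies as a PE.
    for name, blob in [("payload.gif", make_fake_pe()), ("logo.gif", b"GIF89a\x01\x00\x01\x00")]:
        print(name, "->", classify(blob), "| PE:", is_pe(blob),
              "| DOS stub:", has_dos_stub(blob), "| md5:", md5_hex(blob))
```

Run `classify`/`is_pe` over the bytes exported from Wireshark (File > Export Objects, or a saved TCP stream in raw mode) rather than trusting the `.gif` name the object was served under.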

7. Vick’s computer repeatedly tried to connect back to the malicious server on port 4445, even after the original connection on port 4444 was closed. With respect to these repeated failed connection attempts:
As the two figures show, the value changes periodically from 0 to 1 every three packets. Therefore the answer to this question is every third packet.

a. How often does the TCP initial sequence number (ISN) change? (Choose one.)
- Every packet
- Every third packet
- Every 10-15 seconds
- Every 30-35 seconds
- Every 60 seconds
b. How often does the IP ID change? (Choose one.)
- Every packet
- Every third packet
- Every 10-15 seconds
- Every 30-35 seconds
- Every 60 seconds
c. How often does the source port change? (Choose one.)
- Every packet
- Every third packet
- Every 10-15 seconds
- Every 30-35 seconds
- Every 60 seconds
8. Eventually, the malicious server responded and opened a new connection. When was the TCP connection on port 4445 first successfully completed? (Provide the number of seconds since the beginning of the packet capture, rounded to tenths of a second. ie, 49.5 seconds)
The first packet where the background changes from red-on-black (packets indicating failed connection attempts) to blue (packets indicating a successful connection) has a time of 123.674296, which is approximately 123.7 seconds.

9. Subsequently, the malicious server sent an executable file to the client on port 4445. What was the MD5 sum of this executable file?
b062cb8344cd3e296d8868fbef289c7c

10. When was the TCP connection on port 4445 closed? (Provide the number of seconds since the beginning of the packet capture, rounded to tenths of a second. ie, 49.5 seconds)
198.4 seconds
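The timing answers in questions 4, 5, 8 and 10 and the retry pattern in question 7 can all be derived from the raw packet headers. The following is an added example, not code from the write-up or the contest: a minimal parser for classic pcap files over Ethernet, plus helpers that report session open, handshake completion and close times as seconds since the first frame rounded to tenths, and measure how many consecutive SYNs keep the same ISN, IP ID and source port. `build_sample_capture` assembles a constructed capture that mirrors the timeline in this write-up (the 10.10.10.70 and 10.10.10.10 addresses and the timestamps come from the page; every other value, including the IP IDs, sequence numbers and retry spacing, is invented for the example).

```python
import itertools
import struct
from typing import List, NamedTuple, Optional

SYN, FIN, ACK = 0x02, 0x01, 0x10
CLIENT, SERVER = "10.10.10.70", "10.10.10.10"   # addresses from the puzzle
BASE = 1262304000.0                             # arbitrary epoch for frame 1 (constructed)
Pkt = NamedTuple("Pkt", [("ts", float), ("ip_id", int), ("sport", int),
                         ("dport", int), ("seq", int), ("flags", int)])

def tcp_record(ts, ip_id, src, dst, sport, dport, seq, flags) -> bytes:
    """One pcap record: Ethernet/IPv4/TCP header, no payload, checksums left zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ip_id, 0, 128, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp
    sec, usec = int(ts), int(round((ts - int(ts)) * 1_000_000))
    return struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame

def build_sample_capture() -> bytes:
    """Constructed capture mirroring the write-up's timeline; it is not the contest pcap."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    recs, cids, sids = [], itertools.count(1), itertools.count(40000)
    def c2s(off, sport, dport, seq, flags):   # client -> server, IP ID incremented each time
        recs.append(tcp_record(BASE + off, next(cids), CLIENT, SERVER, sport, dport, seq, flags))
    def s2c(off, sport, dport, seq, flags):   # server -> client
        recs.append(tcp_record(BASE + off, next(sids), SERVER, CLIENT, sport, dport, seq, flags))
    c2s(0.0, 1036, 8080, 1, SYN)                  # frame 1: the original web request
    c2s(1.265851, 1041, 4444, 1000, SYN)          # port 4444 session opens ...
    s2c(1.27, 4444, 1041, 9000, SYN | ACK)
    c2s(1.28, 1041, 4444, 1001, ACK)
    c2s(87.58714, 1041, 4444, 1500, FIN | ACK)    # ... and is torn down
    for attempt in range(3):                      # unanswered SYNs: ISN and source port are
        for retry in range(3):                    # reused for three tries, then a fresh pair
            c2s(90.0 + attempt * 12 + retry * 3, 1042 + attempt, 4445, 5000 + attempt * 1000, SYN)
    s2c(123.60, 4445, 1044, 9500, SYN | ACK)      # the server finally answers
    c2s(123.674296, 1044, 4445, 7001, ACK)        # handshake on 4445 completed here
    s2c(198.41, 4445, 1044, 9600, FIN | ACK)      # 4445 closed
    return header + b"".join(recs)

def parse_pcap(blob: bytes) -> List[Pkt]:
    """Minimal reader for classic little-endian pcap over Ethernet; keeps TCP packets only."""
    if struct.unpack_from("<I", blob, 0)[0] != 0xA1B2C3D4:
        raise ValueError("expected classic little-endian pcap magic")
    pkts, off = [], 24
    while off + 16 <= len(blob):
        sec, usec, incl, _orig = struct.unpack_from("<IIII", blob, off)
        frame = blob[off + 16:off + 16 + incl]
        off += 16 + incl
        if frame[12:14] != b"\x08\x00" or frame[14 + 9] != 6:   # not IPv4 / not TCP
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        sport, dport, seq = struct.unpack_from("!HHI", ip, ihl)
        pkts.append(Pkt(sec + usec / 1e6, struct.unpack_from("!H", ip, 4)[0],
                        sport, dport, seq, ip[ihl + 13]))
    return pkts

def rel(pkts: List[Pkt], p: Pkt) -> float:
    """Seconds since the first frame of the capture, rounded to tenths as the questions ask."""
    return round(p.ts - pkts[0].ts, 1)

def session_open(pkts, port) -> Optional[float]:
    """Time of the first bare SYN sent to `port`."""
    p = next((p for p in pkts if p.dport == port and (p.flags & (SYN | ACK)) == SYN), None)
    return rel(pkts, p) if p is not None else None

def handshake_completed(pkts, port) -> Optional[float]:
    """Time of the client ACK that completes the first three-way handshake with `port`."""
    seen_synack = False
    for p in pkts:
        if p.sport == port and (p.flags & (SYN | ACK)) == SYN | ACK:
            seen_synack = True
        elif seen_synack and p.dport == port and (p.flags & (SYN | ACK)) == ACK:
            return rel(pkts, p)
    return None

def session_close(pkts, port) -> Optional[float]:
    """Time of the last FIN seen on `port` in either direction."""
    fins = [p for p in pkts if port in (p.sport, p.dport) and p.flags & FIN]
    return rel(pkts, fins[-1]) if fins else None

def change_period(values) -> Optional[int]:
    """Run length of identical consecutive values (1 = changes every packet); None if uneven."""
    lengths = {sum(1 for _ in run) for _, run in itertools.groupby(values)}
    return lengths.pop() if len(lengths) == 1 else None

def failed_syn_pattern(pkts, port) -> dict:
    """Question 7: across the retried SYNs toward `port`, how often ISN, IP ID and source port change."""
    syns = [p for p in pkts if p.dport == port and (p.flags & (SYN | ACK)) == SYN]
    fields = {"isn": "seq", "ip_id": "ip_id", "sport": "sport"}
    return {k: change_period([getattr(p, f) for p in syns]) for k, f in fields.items()}

if __name__ == "__main__":
    pk = parse_pcap(build_sample_capture())
    print("4444 opened", session_open(pk, 4444), "closed", session_close(pk, 4444))
    print("4445 completed", handshake_completed(pk, 4445), "closed", session_close(pk, 4445))
    print("4445 retry pattern", failed_syn_pattern(pk, 4445))
```

On the constructed capture the helpers return 1.3 and 87.6 for port 4444, 123.7 and 198.4 for port 4445, and a retry pattern of 3 / 1 / 3 for ISN / IP ID / source port (a run length of 3 corresponds to the "every third packet" option, 1 to "every packet"). To apply it to a real capture, replace `build_sample_capture()` with `open("evidence.pcap", "rb").read()`; pcapng files and non-Ethernet link types are outside what this reader handles.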
