Prerequisites
- Data file (password: infected)
- Zui (formerly Brim)
Walkthrough
Q1. Looking through the alerts in Brim, what is the vulnerability name and its corresponding CVE?
- Check the contents of the suricata.rules file
Answer
PrintNightmare, CVE-2021-34527
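Zui loads the Suricata alerts as EVE JSON records, so the vulnerability name and CVE can also be pulled out programmatically instead of by reading suricata.rules by hand. The following is an added example, not part of the original writeup or the challenge files: it parses a constructed set of EVE JSON lines (the signature text, rule ids and the 10.10.10.20 destination address are made up; only the CVE and the 10.10.10.4 source address come from the writeup) and reports which alerts reference a CVE, taking the id either from the signature text or from the rule's `metadata.cve` field.

```python
import json
import re

# Constructed sample of Suricata EVE JSON lines (not taken from the challenge data).
# Signatures and ids are invented; the CVE and source IP mirror the writeup's answers.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2021-08-16T19:30:02.000000+0000","event_type":"alert",'
    '"src_ip":"10.10.10.4","dest_ip":"10.10.10.20","alert":{"signature":'
    '"CONSTRUCTED EXPLOIT Print Spooler driver install (PrintNightmare) CVE-2021-34527",'
    '"signature_id":9000001,"severity":1,"metadata":{"cve":["CVE_2021_34527"]}}}',
    '{"timestamp":"2021-08-16T19:30:05.000000+0000","event_type":"dns",'
    '"src_ip":"10.10.10.20","dest_ip":"10.10.10.4","dns":{"rrname":"example.test"}}',
    '{"timestamp":"2021-08-16T19:30:09.000000+0000","event_type":"alert",'
    '"src_ip":"10.10.10.4","dest_ip":"10.10.10.20","alert":{"signature":'
    '"CONSTRUCTED POLICY SMB share access","signature_id":9000002,"severity":3}}',
]

# Matches CVE-2021-34527 as well as the CVE_2021_34527 spelling used in rule metadata.
CVE_RE = re.compile(r"CVE[-_](\d{4})[-_](\d{4,})", re.IGNORECASE)


def extract_cves(alert):
    """Return the CVE ids an alert references, normalised to CVE-YYYY-NNNN and sorted."""
    found = set()
    texts = [alert.get("signature", "")]
    metadata = alert.get("metadata") or {}
    texts.extend(metadata.get("cve", []))
    for text in texts:
        for match in CVE_RE.finditer(text):
            found.add(f"CVE-{match.group(1)}-{match.group(2)}")
    return sorted(found)


def summarise_alerts(lines):
    """Parse EVE JSON lines and return one summary dict per alert event.

    Non-alert records and malformed lines are skipped rather than aborting the run.
    """
    summaries = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        if record.get("event_type") != "alert":
            continue
        alert = record.get("alert", {})
        summaries.append({
            "timestamp": record.get("timestamp"),
            "src_ip": record.get("src_ip"),
            "dest_ip": record.get("dest_ip"),
            "signature": alert.get("signature"),
            "severity": alert.get("severity"),
            "cves": extract_cves(alert),
        })
    return summaries


def alerts_with_cves(lines):
    """Only the alerts that reference at least one CVE, in file order."""
    return [a for a in summarise_alerts(lines) if a["cves"]]


if __name__ == "__main__":
    for alert in alerts_with_cves(SAMPLE_EVE_LINES):
        print(alert["timestamp"], alert["src_ip"], "->", alert["dest_ip"],
              ", ".join(alert["cves"]), "|", alert["signature"])
```

To run it against real data, replace `SAMPLE_EVE_LINES` with the lines of the eve.json that Zui imported; the regex handles both the hyphenated and the underscored CVE spellings because rule metadata commonly uses the latter.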
Q2. What is Attacker's IP?
- Check the IP in the Ports tab list
Answer
10.10.10.4
Q3. What is Attacker's share path?
- Check the contents of the challenge-v1.pcapng file
Answer
\\10.10.10.2\share
Q4. What is the name of the malicious DLL file hosted by the attacker?
- Check the contents of the challenge-v1.pcapng file
Answer
notsostealthy.dll
Q5. What is the sha256 hash of the DLL file?
- Search for the notsostealthy.dll file, then check its MD5 hash value
- Obtain the sha256 from VirusTotal
Answer
fa1ee835869ea97559359568043aea3a52508b360cfc5195a3d7fbb60cef55a5
Q6. What is the email address used for the self-signed SSL Certificate in the traffic?
- Check the contents of the challenge-v1.pcapng file
Answer
override@shields.mertz.net
Q7. What is the domain user used by the attacker to exploit the vulnerability?
- Check the Users tab
Answer
BELLYBEAR\Jesse.Harmon
Q8. What is the exploit server's hostname?
- Check the Users tab
Answer
WIN-FLO4EU2VMSM
Q9. What is the username created by the attacker for persistence?
- Check the Users tab
Answer
hacker
Q10. What is the event ID for user creation in Windows, and when was the user being created?
- Search by the Event ID for user creation
Answer
4720, 2021-08-16 19:31:46Z
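Searching the Security log for Event ID 4720 is the manual version of a check a defender would normally script. The following is an added example, not part of the original writeup or the challenge files: it parses a constructed Event Viewer XML export (the host name, the creating account and the 4624/4722 noise events are invented; the `hacker` account name and the 2021-08-16 19:31:46Z timestamp mirror the writeup's answers) and builds a timeline of account creations, reporting who created which account, when, and on which host.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

# Namespace used by Windows Event Viewer XML exports.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
USER_CREATED = 4720  # Security log: "A user account was created"

# Constructed sample events (not the challenge's log data). The 4720 entry mirrors the
# writeup's Q9/Q10 answers; the host and the creating account are invented placeholders.
SAMPLE_EVENTS_XML = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID>
    <TimeCreated SystemTime="2021-08-16T19:29:10.123456Z"/>
    <Computer>constructed-host</Computer></System>
  <EventData><Data Name="TargetUserName">someone</Data><Data Name="LogonType">3</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4720</EventID>
    <TimeCreated SystemTime="2021-08-16T19:31:46.000000Z"/>
    <Computer>constructed-host</Computer></System>
  <EventData><Data Name="TargetUserName">hacker</Data>
    <Data Name="SubjectUserName">constructed-admin</Data>
    <Data Name="SubjectDomainName">CONSTRUCTED</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4722</EventID>
    <TimeCreated SystemTime="2021-08-16T19:31:47Z"/>
    <Computer>constructed-host</Computer></System>
  <EventData><Data Name="TargetUserName">hacker</Data></EventData>
</Event>
</Events>"""


def _parse_systemtime(value):
    """Parse a SystemTime attribute (UTC, fractional seconds optional) into a datetime."""
    value = value.rstrip("Z")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in value else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(value, fmt)


def parse_events(xml_text):
    """Turn an Event Viewer XML export into dicts of event_id, time, computer and EventData."""
    root = ET.fromstring(xml_text)
    events = []
    for ev in root.findall("e:Event", NS):
        system = ev.find("e:System", NS)
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        events.append({
            "event_id": int(system.find("e:EventID", NS).text),
            "time": _parse_systemtime(system.find("e:TimeCreated", NS).get("SystemTime")),
            "computer": system.findtext("e:Computer", default="", namespaces=NS),
            "data": data,
        })
    return events


def user_creation_timeline(events):
    """Return the 4720 events, oldest first, as (when, new account, created by, host)."""
    rows = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["event_id"] != USER_CREATED:
            continue
        d = ev["data"]
        rows.append({
            "created_at": ev["time"].strftime("%Y-%m-%d %H:%M:%SZ"),
            "target_user": d.get("TargetUserName", ""),
            "created_by": f'{d.get("SubjectDomainName", "")}\\{d.get("SubjectUserName", "")}',
            "computer": ev["computer"],
        })
    return rows


if __name__ == "__main__":
    for row in user_creation_timeline(parse_events(SAMPLE_EVENTS_XML)):
        print(row["created_at"], row["target_user"], "created by", row["created_by"],
              "on", row["computer"])
```

The timestamp is formatted the same way the writeup's answer is written, so the script's output can be compared directly; on a real export, the `SubjectUserName` field is the account that performed the creation, which is the detail to pivot on next.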
Q11. What process name is used to establish the shell connection between the attacker's machine and the Windows server? and what is the listening port on the attacker's machine?
- Find the process that makes the network connection
Answer
rundll32.exe, 443
Q12. The attacker used a famous post-exploitation framework to create the DLL file and establish the shell connection to the Windows server, what is the payload the attacker used?
- Check the attack name on VirusTotal
- Search for the payload of that attack
Answer
windows/meterpreter/reverse_https
Q13. The attacker left a text file for the user Administrator, can you find what the filename is?
- Check the file in the FileSystem
Answer
This-Is-Really-A-Nightmare.txt