DNS codified (50pts)
The challenge description, "Una captura un tanto sospechosa ...", translates to "a somewhat suspicious capture":
Analyzing the file with Wireshark I found this line:
63 96.986931 188.8.131.52 184.108.40.206 HTTP 163 GET /secure-atom128c-online HTTP/1.1
Something or somebody used the site http://crypo.bz.ms/secure-atom128c-online (an online ATOM-128 encoder) to encrypt something.
For example, the subdomain name of
Decrypting it using the same page we get:
FLAGISHAVENODNSWHATMDOING = A5r1AJ6fDGhiAguUAGufHJX1HGkGfJ6eAqCC
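ATOM-128 is not encryption at all: it is Base64 with a shuffled 65-symbol alphabet, where the 65th symbol ('C') plays the role of the '=' pad. The decoder below is an added example and not part of the original write-up; the alphabet is the one used by the crypo.bz.ms page, and the DNS query name is constructed for the example (the capture itself is not reproduced here), so you can see how a query name carrying the flag would be decoded offline instead of pasting it into a web page.

```python
import base64

# Standard Base64 alphabet plus its '=' pad, and the ATOM-128 alphabet in the
# same order (index 64, 'C', is ATOM-128's pad character).
STD64 = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
ATOM128 = b"/128GhIoPQROSTeUbADfgHijKLM+n0pFWXY456xyzB7=39VaqrstJklmNuZvwcdEC"

ATOM_TO_STD = bytes.maketrans(ATOM128, STD64)
STD_TO_ATOM = bytes.maketrans(STD64, ATOM128)


def atom128_decode(text: str) -> bytes:
    """Map ATOM-128 symbols back onto the Base64 alphabet, then Base64-decode."""
    data = text.encode("ascii")
    if any(c not in ATOM128 for c in data):
        raise ValueError("not an ATOM-128 string")
    return base64.b64decode(data.translate(ATOM_TO_STD), validate=True)


def atom128_encode(raw: bytes) -> str:
    """Inverse of atom128_decode; a round trip confirms the alphabet is right."""
    return base64.b64encode(raw).translate(STD_TO_ATOM).decode("ascii")


def decode_dns_label(qname: str) -> bytes:
    """Decode the leftmost label of a DNS query name.

    Caveat: '/', '+' and '=' from the ATOM-128 alphabet are not legal in a
    hostname label, so a payload containing them could not travel this way
    unchanged; the CTF string happens to be purely alphanumeric.
    """
    return atom128_decode(qname.split(".", 1)[0])


# Constructed example query name: the encoded flag from the write-up in front
# of a placeholder domain (assumption, the real pcap is not reproduced here).
SAMPLE_QNAME = "A5r1AJ6fDGhiAguUAGufHJX1HGkGfJ6eAqCC.example.com"

if __name__ == "__main__":
    print(decode_dns_label(SAMPLE_QNAME).decode())
```

Because the scheme is a pure alphabet substitution on top of Base64, `bytes.maketrans` plus the standard library does the whole job; the `validate=True` flag rejects anything that is not a clean ATOM-128 string rather than silently skipping bytes.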
This is Scada (100pts)
Operators of a water treatment plant have detected malfunctions in several PLCs and HMIs. Because of previous security incidents, monitoring equipment has been attached to a switch configured to mirror all traffic inside the treatment plant so that it can be analyzed.
A pcap file is provided to the investigators, along with a map of the PLC variables and a screenshot of the HMI to visualize the industrial control process.
Download pcap: euskalhack_industrial_forensics_challenge.rar
- Find the IP of the HMI
- Find the IP of the PLC
- Which protocol do they use to communicate with each other?
The HMI is 172.16.136.134 and the PLC is 172.16.136.133, as seen in NetworkMiner:
They communicate using Modbus/TCP. The Modbus server (normally the PLC) listens on TCP port 502 and the client (normally the HMI) connects to it, which is a quick way to tell the two sides apart in a capture. Example Modbus/TCP traffic in Wireshark:
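To answer the three questions without clicking through Wireshark, a small Modbus/TCP parser is enough: the MBAP header gives the unit id, the function code tells reads from writes, and whoever is addressed on TCP/502 is the Modbus server. The code below is an added example, not part of the original write-up or the challenge files; the frames are constructed for the example (the real pcap is not reproduced here) and only the two IP addresses come from the write-up. It also decodes exception responses, which is what you would look for when a PLC starts rejecting or receiving unexpected writes.

```python
import struct
from dataclasses import dataclass

MODBUS_PORT = 502

FUNCTION_NAMES = {
    0x01: "Read Coils", 0x02: "Read Discrete Inputs",
    0x03: "Read Holding Registers", 0x04: "Read Input Registers",
    0x05: "Write Single Coil", 0x06: "Write Single Register",
    0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers",
}
WRITE_FUNCTIONS = {0x05, 0x06, 0x0F, 0x10}


@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function: int        # function code with the exception bit (0x80) cleared
    is_exception: bool
    data: bytes          # PDU bytes after the function code


def parse_mbap(payload: bytes) -> ModbusFrame:
    """Parse one Modbus/TCP ADU: 7-byte MBAP header, then the PDU."""
    if len(payload) < 8:
        raise ValueError("too short for MBAP header + function code")
    tid, proto, length, uid = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus/TCP")
    if length != len(payload) - 6:      # length counts unit id + PDU
        raise ValueError(f"MBAP length {length} != {len(payload) - 6}")
    fc = payload[7]
    return ModbusFrame(tid, uid, fc & 0x7F, bool(fc & 0x80), payload[8:])


def describe(frame: ModbusFrame, is_request: bool) -> str:
    """One-line summary of the PDU; reads and writes are decoded, the rest labelled."""
    name = FUNCTION_NAMES.get(frame.function, f"function 0x{frame.function:02x}")
    if frame.is_exception:
        return f"{name} EXCEPTION code {frame.data[0]}"
    if is_request and frame.function in (0x05, 0x06):
        addr, value = struct.unpack(">HH", frame.data[:4])
        return f"{name} addr={addr} value={value}"
    if is_request and frame.function == 0x10:
        start, qty, nbytes = struct.unpack(">HHB", frame.data[:5])
        regs = struct.unpack(f">{qty}H", frame.data[5:5 + nbytes])
        return f"{name} start={start} values={list(regs)}"
    if is_request and frame.function in (0x01, 0x02, 0x03, 0x04):
        start, qty = struct.unpack(">HH", frame.data[:4])
        return f"{name} start={start} qty={qty}"
    if not is_request and frame.function in (0x03, 0x04):
        nbytes = frame.data[0]
        regs = struct.unpack(f">{nbytes // 2}H", frame.data[1:1 + nbytes])
        return f"{name} values={list(regs)}"
    return f"{name} response ({len(frame.data)} bytes)"


def summarize(packets):
    """packets: (src_ip, src_port, dst_ip, dst_port, tcp_payload) tuples.
    The Modbus server (normally the PLC) is whoever is addressed on TCP/502,
    its clients (normally the HMI) are the other side. Every write request is
    listed, because writes are what change the process."""
    servers = {dst for _, _, dst, dport, _ in packets if dport == MODBUS_PORT}
    clients = {src for src, _, _, dport, _ in packets if dport == MODBUS_PORT}
    writes = []
    for src, _, dst, dport, payload in packets:
        is_request = dport == MODBUS_PORT
        frame = parse_mbap(payload)
        if is_request and frame.function in WRITE_FUNCTIONS:
            writes.append(f"{src} -> {dst} unit {frame.unit_id}: {describe(frame, True)}")
    return {"plc": sorted(servers), "hmi": sorted(clients), "writes": writes}


# Constructed sample exchange (not from the challenge pcap): a register read,
# a register write and its echo, then a write rejected with exception 02
# (illegal data address). The IP addresses are the ones found in the write-up.
HMI, PLC = "172.16.136.134", "172.16.136.133"
SAMPLE_PACKETS = [
    (HMI, 49152, PLC, 502, bytes.fromhex("000100000006010300000002")),
    (PLC, 502, HMI, 49152, bytes.fromhex("000100000007010304006401f4")),
    (HMI, 49152, PLC, 502, bytes.fromhex("0002000000060106000103e8")),
    (PLC, 502, HMI, 49152, bytes.fromhex("0002000000060106000103e8")),
    (HMI, 49152, PLC, 502, bytes.fromhex("000300000006010600ff03e8")),
    (PLC, 502, HMI, 49152, bytes.fromhex("000300000003018602")),
]

if __name__ == "__main__":
    for src, _, dst, dport, payload in SAMPLE_PACKETS:
        print(f"{src} -> {dst}: {describe(parse_mbap(payload), dport == MODBUS_PORT)}")
    print(summarize(SAMPLE_PACKETS))
```

The role assignment by port is a heuristic: it holds for the usual HMI-as-client, PLC-as-server layout, but a PLC can also act as a Modbus client towards another PLC, so cross-check against the variable map the challenge supplies. Feeding real traffic in means reassembling each TCP stream's payload first (for example with a pcap library), since a single segment may carry several ADUs.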
Don’t stop me now (300pts)
Find the secrets of user alpacino. Download the VirtualBox VM.
A first look at the VM shows a logged-in user (alpacino) running two tasks:
Trying default passwords reveals nothing, and neither does a scan with nmap, but there are snapshots in the VM folder, which gives me the idea to dump the VM's memory:
VBoxManage.exe debugvm "WinXP" dumpvmcore --filename=memory.raw
We now have a memory dump and can inspect it using the Volatility framework. First of all we need to determine the profile:
$ volatility imageinfo -f memory.raw
The suggested VM profile is WinXPSP2x86 which we can use to get a list of all running processes:
$ volatility --profile=WinXPSP2x86 -f memory.raw pslist
So alpacino is running TrueCrypt and the KeePass password manager. It comes to mind that, with a password manager in use, there may be a password sitting in the Windows clipboard, which Volatility can recover from the image. And indeed there is something…
las rosas son Rojas y el mar es Violeta 123.. (Spanish for "the roses are red and the sea is violet") as a password doesn't get me any further. So TrueCrypt is next, and fortunately Volatility comes with a plugin called truecryptsummary:
$ volatility --profile=WinXPSP2x86 -f memory.raw truecryptsummary
Now you can go either way:
- Boot the XP machine with Kon-Boot (grab an old/free version) and bypass the admin password
- or (if you want to leave the machine untouched) extract the container. The method is described in this presentation: Mastering TrueCrypt - Windows 8 and Server 2012 Memory Forensics (page 19)
I'll take the fastest way, which is bypassing the admin login:
Memory extraction of TrueCrypt keys is a known weakness and has been discussed in detail:
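The reason key extraction from memory works is that a mounted volume's decrypted header, and with it the master key material, has to exist in plaintext somewhere in the driver's memory. The example below is added here and is not part of the write-up, and it is not how Volatility's truecryptsummary plugin works internally; it is a generic scan that uses the published TrueCrypt volume header layout (offsets assumed from the format specification) to tell a genuine decrypted header apart from stray "TRUE" strings, using the two CRC-32 fields the format carries. The memory image is constructed for the example; nothing here comes from the challenge VM.

```python
import struct
import zlib

# Decrypted TrueCrypt volume header layout (offsets into the 512-byte header,
# all integers big-endian), assumed from the published volume format:
#   64..67   ASCII magic "TRUE"
#   68..69   header version
#   70..71   minimum program version
#   72..75   CRC-32 of the key area (bytes 256..511)
#  100..107  volume size
#  252..255  CRC-32 of bytes 64..251
#  256..511  master key material
HEADER_SIZE = 512
MAGIC_OFF, MAGIC = 64, b"TRUE"
KEY_CRC_OFF, HDR_CRC_OFF, KEY_AREA_OFF = 72, 252, 256


def scan_truecrypt_headers(image: bytes):
    """Return (offset, header_version, key_area) for every 512-byte window that
    has the magic at +64 and whose two CRC-32 fields both verify. The double
    CRC check is what separates a real decrypted header from a stray "TRUE"
    (e.g. "TRUECRYPT" in the boot loader or in a UI string)."""
    hits = []
    pos = image.find(MAGIC)
    while pos != -1:
        start = pos - MAGIC_OFF
        if start >= 0 and start + HEADER_SIZE <= len(image):
            hdr = image[start:start + HEADER_SIZE]
            (key_crc,) = struct.unpack_from(">I", hdr, KEY_CRC_OFF)
            (hdr_crc,) = struct.unpack_from(">I", hdr, HDR_CRC_OFF)
            if (zlib.crc32(hdr[KEY_AREA_OFF:]) == key_crc
                    and zlib.crc32(hdr[MAGIC_OFF:HDR_CRC_OFF]) == hdr_crc):
                (version,) = struct.unpack_from(">H", hdr, 68)
                hits.append((start, version, hdr[KEY_AREA_OFF:]))
        pos = image.find(MAGIC, pos + 1)
    return hits


def build_decrypted_header(master_keys: bytes, version: int = 5) -> bytes:
    """Build a synthetic decrypted header to exercise the scanner. Constructed
    data: the salt, sizes and key bytes are placeholders, not from any volume."""
    if len(master_keys) != HEADER_SIZE - KEY_AREA_OFF:
        raise ValueError("key area must be 256 bytes")
    hdr = bytearray(HEADER_SIZE)
    hdr[0:64] = bytes(range(64))                        # salt placeholder
    hdr[MAGIC_OFF:MAGIC_OFF + 4] = MAGIC
    struct.pack_into(">HH", hdr, 68, version, 0x0700)   # header v5, min program 7.0
    struct.pack_into(">I", hdr, KEY_CRC_OFF, zlib.crc32(master_keys))
    struct.pack_into(">Q", hdr, 100, 50 * 1024 * 1024)  # volume size: 50 MiB
    hdr[KEY_AREA_OFF:] = master_keys
    struct.pack_into(">I", hdr, HDR_CRC_OFF, zlib.crc32(bytes(hdr[MAGIC_OFF:HDR_CRC_OFF])))
    return bytes(hdr)


# Constructed "memory image": filler, a decoy string containing "TRUE" that
# must NOT be reported, more filler, then one genuine header.
DECOY = b"TRUECRYPT Boot Loader"
SAMPLE_KEYS = bytes(range(256))
SAMPLE_HEADER_OFFSET = 1000 + len(DECOY) + 500
SAMPLE_IMAGE = (b"\x00" * 1000 + DECOY + b"\xaa" * 500
                + build_decrypted_header(SAMPLE_KEYS) + b"\x00" * 300)

if __name__ == "__main__":
    for off, ver, keys in scan_truecrypt_headers(SAMPLE_IMAGE):
        print(f"header at 0x{off:x}, version {ver}, key area starts {keys[:8].hex()}...")
```

On a real dump you would run this over the raw image (or over the dumped address space of the truecrypt.sys driver) and hand the 256-byte key area to a tool that can mount a volume from master keys directly; a hit that passes both CRCs is about as unambiguous as carved evidence gets, while a bare string match on "TRUE" is not.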