
Network-Based Attacks CTF 1

Overview

Network and host-based penetration testing often involves analysing and uncovering details about services, vulnerabilities, and potential points of compromise. This lab focuses on post-exploitation activities such as analysing traffic to identify malicious activity, investigating infected hosts, and extracting critical information using forensic techniques.

In this scenario, a network has been compromised, and your objective is to analyze captured network traffic to extract key information about the attack. You will use tools like Wireshark to examine network activity and identify malicious actions, affected systems, and associated artifacts.

This lab emphasizes the importance of network forensics in identifying indicators of compromise and investigating incidents for effective incident response.

In this lab environment, you will have GUI access to a Kali machine with access to a captured network packet file test.pcap.

Objective: Use network analysis techniques to identify and capture the following flags related to the infection and attack:

Flag 1: What is the URL accessed by the infected user that returned a 200 OK response code?
Flag 2: What is the IP address, MAC address of the infected Windows client?
Flag 3: Which Wireshark filter can you use to determine the victim’s hostname from NetBIOS Name Service traffic, and what is the detected hostname for this malware infection?
Flag 4: Which user got infected and ran the mystery_file.ps1 PowerShell script?
Flag 5: What User-Agent string indicates the traffic generated by a PowerShell script?
Flag 6: Which wallet extension ID is associated with the Coinbase wallet?

Writeup

Flag 1

[Screenshot: Wireshark view for Flag 1]

Answer

623start.site

Flag 2

Answer

10.7.10.47, 80:86:5b:ab:1e:c4

Flag 3

[Screenshot: Wireshark view for Flag 3]

Answer

nbns, DESKTOP-9PEA63H
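The nbns filter works because every NetBIOS Name Service packet (UDP/137) carries the machine name in RFC 1002 "first-level" encoding: each byte of the 16-byte name (15 characters plus a one-byte service suffix) is split into two nibbles and each nibble is written as a letter from A to P. The script below is an added example, not part of this writeup or the lab pcap: it builds a constructed NBNS name-registration request for the hostname found above and decodes the name back out, which is exactly the field Wireshark shows under the nbns dissector. The packet layout (header, 0x20 label length, 32 encoded letters, terminator, QTYPE NB, QCLASS IN) and the flags value 0x2910 are taken from RFC 1002; the transaction id is an arbitrary constructed value.

```python
import struct

# Added example (not from the writeup or its pcap): encode and decode the
# hostname that a NetBIOS Name Service (NBNS, UDP/137) packet carries.
# Layout assumed from RFC 1002 section 4.2.1.

NIBBLE_BASE = 0x41  # 'A'; first-level encoding maps each nibble to 'A'..'P'


def encode_netbios_name(name: str, suffix: int = 0x00) -> bytes:
    """First-level encode a NetBIOS name: pad/truncate to 15 bytes, append the
    one-byte suffix (0x00 = workstation service), then emit two letters per byte."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    out = bytearray()
    for b in raw:
        out.append(NIBBLE_BASE + (b >> 4))
        out.append(NIBBLE_BASE + (b & 0x0F))
    return bytes(out)


def decode_netbios_name(encoded: bytes) -> tuple[str, int]:
    """Reverse of encode_netbios_name. Returns (hostname, suffix)."""
    if len(encoded) != 32:
        raise ValueError("first-level NetBIOS name must be 32 bytes")
    raw = bytearray()
    for hi, lo in zip(encoded[0::2], encoded[1::2]):
        if not (NIBBLE_BASE <= hi <= NIBBLE_BASE + 15 and NIBBLE_BASE <= lo <= NIBBLE_BASE + 15):
            raise ValueError("byte outside 'A'..'P' is not a valid NetBIOS nibble")
        raw.append(((hi - NIBBLE_BASE) << 4) | (lo - NIBBLE_BASE))
    # the name is space padded to 15 characters; byte 16 is the service suffix
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def build_nbns_registration(name: str, txid: int = 0xBEEF) -> bytes:
    """Constructed NBNS name-registration request: 12-byte header followed by one
    question (length 0x20, 32 encoded letters, terminator, QTYPE NB, QCLASS IN)."""
    # flags 0x2910: opcode 5 (registration) with RD and B (broadcast) set
    header = struct.pack(">HHHHHH", txid, 0x2910, 1, 0, 0, 1)
    question = (
        bytes([0x20])
        + encode_netbios_name(name)
        + b"\x00"
        + struct.pack(">HH", 0x0020, 0x0001)
    )
    return header + question


def parse_nbns_question(payload: bytes) -> tuple[str, int, int, int]:
    """Return (hostname, suffix, opcode, qtype) from the first question of an
    NBNS UDP payload, validating each field on the way."""
    if len(payload) < 12:
        raise ValueError("truncated NBNS header")
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack(">HHHHHH", payload[:12])
    if qdcount < 1:
        raise ValueError("no question section to read a name from")
    pos = 12
    if payload[pos] != 0x20:
        raise ValueError("expected a 32-byte first-level encoded label")
    pos += 1
    hostname, suffix = decode_netbios_name(payload[pos:pos + 32])
    pos += 32
    if payload[pos] != 0x00:
        raise ValueError("missing label terminator")
    pos += 1
    qtype, _qclass = struct.unpack(">HH", payload[pos:pos + 4])
    opcode = (flags >> 11) & 0x0F  # 0 query, 5 registration, 6 release, 7 WACK, 8 refresh
    return hostname, suffix, opcode, qtype


if __name__ == "__main__":
    # hostname from the writeup above; the packet itself is constructed here
    pkt = build_nbns_registration("DESKTOP-9PEA63H")
    print(parse_nbns_question(pkt))
```

Registration and refresh packets (opcode 5 and 8) are the ones a Windows client broadcasts at boot, so they appear early in the capture and identify the host even before any malicious traffic starts.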

Flag 4

Searching for the script name, I got this record:

32\RuntimeBroker.exe -EmbeddingF-·ID: 2864, Name: SearchApp.exe, CommandLine: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mcaF-`ID: 5252, Name: RuntimeBroker.exe, CommandLine: C:\Windows\System32\RuntimeBroker.exe -EmbeddingF-¤ID: 5532, Name: backgroundTaskHost.exe, CommandLine: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:MicrosoftEdge.AppXbnf56tvebb2bnpah2t4s0emv5ws4vxt1.mcaF-ID: 5608, Name: backgroundTaskHost.exe, CommandLine: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXfkd8mejksk4ancwf4vtyhmkvtzn1jcbs.mcaF-ÂID: 4636, Name: PhoneExperienceHost.exe, CommandLine: "C:\Program Files\WindowsApps\Microsoft.YourPhone_1.23052.121.0_x64__8wekyb3d8bbwe\PhoneExperienceHost.exe" -ComServer:Background -EmbeddingF-`ID: 2392, Name: RuntimeBroker.exe, CommandLine: C:\Windows\System32\RuntimeBroker.exe -EmbeddingF-`ID: 5724, Name: RuntimeBroker.exe, CommandLine: C:\Windows\System32\RuntimeBroker.exe -EmbeddingF-\ID: 5760, Name: smartscreen.exe, CommandLine: C:\Windows\System32\smartscreen.exe -EmbeddingF-ID: 3952, Name: powershell.exe, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-Command" "if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'C:\Users\rwalters\Documents\mystery_file.ps1'"F-QID: 5956, Name: conhost.exe, CommandLine: \??\C:\W

Answer

rwalters

Flag 5

[Screenshot: Wireshark view for Flag 5]

Answer

WindowsPowerShell
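Flags 1 and 5 both come down to reading reassembled HTTP conversations: pairing each request with its response to keep only the 200 OK ones, and reading the User-Agent header to spot requests issued by PowerShell's web cmdlets. The script below is an added example, not code from this writeup or the lab; it runs that logic over three constructed request/response pairs (hostnames under the reserved .invalid TLD, made up for the example). The PowerShell User-Agent string is constructed in the format Invoke-WebRequest emits. The matching Wireshark display filters are http.response.code == 200 and http.user_agent contains "WindowsPowerShell".

```python
import re

# Added example (not from the writeup or its pcap): parse reassembled HTTP/1.x
# request/response text, the kind of content Wireshark's "Follow TCP Stream"
# shows, then (a) list URLs whose response was 200 OK and (b) flag requests
# whose User-Agent identifies PowerShell.

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/1\.[01]$")
STATUS_LINE = re.compile(r"^HTTP/1\.[01] (?P<code>\d{3})")

# Constructed sample conversations: (request text, response text).
SAMPLE_STREAMS = [
    (
        "GET /update.php HTTP/1.1\r\n"
        "Host: host-a.invalid\r\n"
        "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0\r\n\r\n",
        "HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n",
    ),
    (
        "GET /files/report.txt HTTP/1.1\r\n"
        "Host: host-b.invalid\r\n"
        "User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1\r\n\r\n",
        "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\nhello\r\n",
    ),
    (
        "GET / HTTP/1.1\r\n"
        "Host: host-c.invalid\r\n"
        "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0\r\n\r\n",
        "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>\r\n",
    ),
]


def parse_request(raw: str) -> dict:
    """Extract method, full URL (Host + URI) and User-Agent from a request head."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        raise ValueError(f"not an HTTP/1.x request line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()  # header names are case-insensitive
    return {
        "method": m["method"],
        "url": f"http://{headers.get('host', '')}{m['uri']}",
        "user_agent": headers.get("user-agent", ""),
    }


def response_status(raw: str) -> int:
    """Numeric status code from the first line of a response."""
    m = STATUS_LINE.match(raw)
    if not m:
        raise ValueError("not an HTTP/1.x status line")
    return int(m["code"])


def successful_urls(streams) -> list:
    """URLs whose server reply was 200 OK (the Flag 1 question)."""
    return [parse_request(req)["url"] for req, resp in streams if response_status(resp) == 200]


def powershell_requests(streams) -> list:
    """(url, user_agent) for requests carrying a PowerShell User-Agent (the Flag 5 question)."""
    hits = []
    for req, _resp in streams:
        r = parse_request(req)
        if "WindowsPowerShell" in r["user_agent"]:
            hits.append((r["url"], r["user_agent"]))
    return hits


if __name__ == "__main__":
    print(successful_urls(SAMPLE_STREAMS))
    print(powershell_requests(SAMPLE_STREAMS))
```

Matching on the literal token rather than the full string is deliberate: the version part of the User-Agent changes between builds, while the WindowsPowerShell marker is stable, which is also why it makes a usable detection rule in a proxy or IDS log.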

Flag 6

Searching for the word coinbase, I found this packet:

erbirdF.%USERPROFILE%\AppData\Roaming\Comodo\IceDragonF3%USERPROFILE%\AppData\Roaming\8pecxstudios\CyberfoxF;%USERPROFILE%\AppData\Roaming\NETGATE Technologies\BlackHawF=%USERPROFILE%\AppData\Roaming\Moonchild Productions\Pale MoonEE!EArmoryE# %appdata%E%E'EArmoryE#*.walletE%…E!EAtomicE#    %appdata%E%E'EatomicE#*E%E!EBinanceE#   %appdata%E%E'EBinanceE#*app-store*E%…E!ECoinomiE#%localappdata%E%E'ECoinomi\Coinomi\CacheE#*E%E'ECoinomi\Coinomi\dbE#*E%E'ECoinomi\Coinomi\walletsE#*E%E!EElectrumE#   %appdata%E%E'EElectrum\walletsE#*E%…E!EEthereumE#   %appdata%E%E'EEthereum\walletsE#*E%…E!EExodusE# %appdata%E%E'EExodus\exodus.walletE#*E%…E'EExodusE#*.jsonE%…E!EGuardaE# %appdata%E%E'EGuardaE#*E%E!EJaxxE#  %appdata%E%E'Ecom.liberty.jaxxE#*E%E!EMoneroE#%userprofile%\DocumentsE%E'EMonero\walletsE#*E%…E)¥
ffnbelfdoeiohenkjibnmadjiehjhajb|YoroiWallet
ibnejdfjmmkpcnlpebklmnkoeoihofec|Tronlink
jbdaocneiiinmjbjlgalhcelgbejmnid|NiftyWallet
nkbihfbeogaeaoehlefnkodbefgpgknn|Metamask
afbcbjpbpfadlkmhmclhkeeodmamcflc|MathWallet
hnfanknocfeofbddgcijnmhnfnkdnaad|Coinbase
fhbohimaelbohpjbbldcngcnapndodjp|BinanceChain
odbfpeeihdkbihmopkbjmoonfanlbfcl|BraveWallet
hpglfhgfnhbgpjdenjgmdgoeiappafln|GuardaWallet
blnieiiffboillknjnepogjhkgnoapac|EqualWallet
cjelfplplebdjjenllpjcblmjkfcffne|JaxxxLiberty
fihkakfo

Answer

hnfanknocfeofbddgcijnmhnfnkdnaad