All posts by WtF

[Cybercamp 2015] [Forense 2.1] Write Up

Description

The company of Mr. Garcia has been robbed of 74,300€ from his bank account. The theft was committed without the knowledge of Mr. García or people in charge of IT.

Some of the money has been retrieved thanks to the speed of the bank to block the target account, but Mr. Garcia is determined to know how this unfortunate incident occurred, as he invested in forming security technicians and purchasing a perimeter antivirus solution for workstations.

After the incident, we have been asked to do a forensic analysis of the machine, but unfortunately these devices have been handled incorrectly and have no value for our review. Fortunately the system administrator, before the network failure, (do not know if caused by the incident) got a file with network traffic of the same day as the theft of bank accounts.

Download

Question: What IP is the attacker?

Continue reading [Cybercamp 2015] [Forense 2.1] Write Up

[HackingWeek 2015] [Forensic 4] Write Up

Introduction

The supplied memory image was captured on a compromised machine, analyze it to answer questions (this is the same image for the four forensic tests, useless to download several times).

When the machine was compromised, the attacker installed a Command & Control software that is currently inactive but must contact a server to receive his orders.
Find the server name and the port on which the malware should connect.
The validation key is servername:portnumber.

dump.gz (md5sum:1273931ce359f59bce95ce4507e1f4bf)

Continue reading [HackingWeek 2015] [Forensic 4] Write Up

[HackingWeek 2015] [Forensic 3] Write Up

Introduction

The supplied memory image was captured on a compromised machine, analyze it to answer questions (this is the same image for the four forensic tests, useless to download several times).

Find the password for the admin user that is located somewhere in memory.

dump.gz (md5sum:1273931ce359f59bce95ce4507e1f4bf)

Continue reading [HackingWeek 2015] [Forensic 3] Write Up

[HackingWeek 2015] [Crypto4] Write Up

Introduction

Session Start: Thu Feb 05 20:49:04 2015
Session Ident: #mastercsi
[20:49] * Now talking in #mastercsi
[20:49] * Topic is 'http://mastercsi.labri.fr/'
[20:49] * Set by admin!~admin on Sat Nov 22 00:06:50
[20:49] and I got an old RSA key that Alice used
[20:49] alice, alice's? you gotta be kidding me?
[20:49] haha no
[20:49] but there was just half, I had to complete with random values to make it work
[20:49] it seems to work anyway, if you have something to decipher...
[20:49] wait, I have her public key lying around somewhere, and even an encrypted file. I've always wondered what it was ...
[20:49] maybe it's the same key?
[20:50] I sent you the thing, take a look
[21:22] * Disconnected
Session Close: Thu Feb 05 21:22:11 2015

The validation key is the message encrypted with the private key of Alice, rebuild it using the following files:

alice.pub
mykey.pem (If you have some issues trying to download this file : right click -> save as …)
secret

Continue reading [HackingWeek 2015] [Crypto4] Write Up