MY BLOG
Here I write about my experiences as I work my way into digital forensics!
Hello everyone! I am going to show you how I completed this challenge!

Question 1, the attacker's address: I went into the Conversations window in Wireshark (Statistics > Conversations) and selected the IPv4 tab. One endpoint, Address A, accounts for the large majority of the packets and bytes, which is typical of an attacking host. Therefore the attacker's IP is 98.114.205.102.

Question 2: the victim is the other endpoint of that same conversation, 192.150.11.111.

Question 3: I looked up the attacker's IP and it is located in the United States. Any IP geolocation tool will give you this; just keep in mind that geolocation databases are approximate and that the answer reflects where the address was registered at the time, which can change.

Question 4: the number of TCP sessions is also in the Conversations window. The answer is right in front of you, because the TCP tab label shows the count: there are 5 TCP sessions in the capture.

Question 5: how long the attack lasted. I did this by noting the time of the first packet and the time of the last packet. The first packet was sent at 03:28:28 and the last at 03:28:44. 44 - 28 = 16, so the attack lasted about 16 seconds. (Wireshark can also show this directly: set View > Time Display Format to "Seconds Since Beginning of Capture" and read the time of the last packet.)

Questions 6 and 7: highlighted in green is a DsRoleUpgradeDownlevelServer request, which is what starts the attack. A Google search for that term together with the term CVE brought me to this page - https://nvd.nist.gov/vuln/detail/CVE-2003-0533. The CVE identifier is listed at the top.

Question 8: looking in more detail at which protocol carries the attack, a lot of the packets use SMB. Therefore the answer is SMB.

The next screenshot covers questions 9 through 11. Select Analyze > Follow > TCP Stream. On the bottom right of the Follow window there is a little box with up and down arrows, labelled "Stream". Click the up arrow twice, or type 2, to get to stream 2. Here we see that FTP was used (question 9). The next question asks what malware was downloaded, and the stream shows that it is ssms.exe (question 10). For question 11, the port number is also visible in this stream: it is port 8884.

Now head to stream 4. Select the "Save As" option at the bottom, choose the raw format and save it with a .bin extension. I called my file honey.bin.
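The Conversations numbers and the Follow TCP Stream extraction above can also be reproduced without the GUI. The Python below is an added example, not part of the original write-up or of the challenge materials: it builds a small constructed pcap (the attacker and victim addresses are the ones from the write-up, but the ports, timestamps and payloads are made up), parses the pcap record headers and the Ethernet/IPv4/TCP headers by hand, and derives the top talker, the TCP session count, the capture duration and the reassembled payload of a numbered stream, the same way the Conversations window and Follow TCP Stream do.

```python
import struct
from collections import Counter, defaultdict

PCAP_MAGIC = 0xA1B2C3D4


def ip_to_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def build_frame(src, dst, sport, dport, seq, payload, flags=0x18):
    """Ethernet + IPv4 + TCP frame. Checksums are left at zero; the parser below
    ignores them, which is good enough for a constructed sample."""
    eth = b"\x00" * 12 + b"\x08\x00"                                    # EtherType 0x0800 = IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ip_to_bytes(src), ip_to_bytes(dst))                # protocol 6 = TCP
    return eth + ip + tcp


def build_pcap(packets):
    """Serialise (timestamp, frame) pairs as a classic pcap: 24-byte global header,
    then a 16-byte record header per packet. Link type 1 = Ethernet."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for ts, frame in packets:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def parse_pcap(data):
    """Yield (timestamp, frame); the byte order is taken from the magic number."""
    endian = "<" if struct.unpack("<I", data[:4])[0] == PCAP_MAGIC else ">"
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        yield sec + usec / 1_000_000, data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len


def decode_tcp(frame):
    """Return (src, dst, sport, dport, seq, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    tcp = frame[14 + ihl:14 + total_len]
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    data_off = (tcp[12] >> 4) * 4
    return src, dst, sport, dport, seq, tcp[data_off:]


def analyse(pcap_bytes):
    """Reproduce the Conversations tab (bytes per address, TCP session count),
    the capture duration, and Follow TCP Stream's per-stream payload."""
    pkts = list(parse_pcap(pcap_bytes))
    bytes_sent = Counter()            # bytes originated by each IPv4 address
    stream_order = []                 # sessions numbered in order of first appearance, like tcp.stream
    stream_data = defaultdict(dict)   # stream index -> {(sender, seq): payload}; dedups retransmissions
    for _ts, frame in pkts:
        decoded = decode_tcp(frame)
        if decoded is None:
            continue
        src, dst, sport, dport, seq, payload = decoded
        bytes_sent[src] += len(frame)
        key = frozenset([(src, sport), (dst, dport)])   # direction-independent session key
        if key not in stream_order:
            stream_order.append(key)
        if payload:
            stream_data[stream_order.index(key)][(src, seq)] = payload
    return {
        "top_talker": bytes_sent.most_common(1)[0][0],
        "tcp_sessions": len(stream_order),
        "duration_s": round(pkts[-1][0] - pkts[0][0], 6),
        "streams": {i: b"".join(d.values()) for i, d in stream_data.items()},
    }


# Constructed sample capture: the two addresses are from the write-up; ports, timing
# and payloads are made up (hypothetical) and only mimic the shape of the real attack.
ATTACKER, VICTIM = "98.114.205.102", "192.150.11.111"
T0 = 1_000_000_000.0
SAMPLE_PCAP = build_pcap([
    (T0 + 0.0, build_frame(ATTACKER, VICTIM, 1821, 445, 1000, b"\x90" * 16 + b"<encoded shellcode>")),
    (T0 + 0.4, build_frame(VICTIM, ATTACKER, 445, 1821, 5000, b"<DsRoleUpgradeDownlevelServer response>")),
    (T0 + 3.0, build_frame(ATTACKER, VICTIM, 2217, 1957, 1, b"cmd.exe /c dir\r\n")),   # bind shell
    (T0 + 5.0, build_frame(VICTIM, ATTACKER, 1030, 8884, 7000, b"USER 1\r\n")),        # FTP download
    (T0 + 5.5, build_frame(ATTACKER, VICTIM, 8884, 1030, 9000, b"331 Password required\r\n")),
    (T0 + 6.0, build_frame(VICTIM, ATTACKER, 1030, 8884, 7008, b"RETR ssms.exe\r\n")),
    (T0 + 16.0, build_frame(ATTACKER, VICTIM, 8884, 1030, 9023, b"226 Transfer complete\r\n")),
])

if __name__ == "__main__":
    result = analyse(SAMPLE_PCAP)
    print("attacker (top talker):", result["top_talker"])
    print("TCP sessions:", result["tcp_sessions"], "duration:", result["duration_s"], "s")
    print("stream 2:", result["streams"][2].decode(errors="replace"))
```

To run it against a real capture, replace SAMPLE_PCAP with the bytes of the file (`open("attack-trace.pcap", "rb").read()`); only the classic pcap format is handled, so convert pcapng first. Stream numbering follows order of first appearance, which is how Wireshark assigns tcp.stream, so the index you pass to Follow TCP Stream maps onto the "streams" dictionary.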
Head over to VirusTotal.com and select the option to upload a file. Select the "Details" tab; at the bottom you will see the date it was first submitted (2007? I'm getting nostalgic!).

For the shellcode questions you first have to find the packets that come shortly before the highlighted green packets, as shown here, and inspect them. I found this helpful because the shellcode was sent in a packet just before the DsRoleUpgradeDownlevelServer request and response. Head over to packet 29: it contains what looks like shellcode.

Again, select Analyze > Follow > TCP Stream and go to the first stream (stream 0). Save it in raw format with an .sc extension so it can be used with scdbg. Run the scdbg GUI, open the file you saved from Wireshark, make sure the boxes shown here are checked, press "Launch" and select option 1.

As shown here, the last two rows of the output show the value 99. In Wireshark the same payload shows a long run of repeated 0x90 bytes. Those are not the key: 0x90 is the x86 NOP instruction, and the run is the NOP sled placed in front of the encoded shellcode. The key itself comes from scdbg's trace of the decoder, which XORs each byte with 0x99. So the key used to encode the shellcode is 0x99. In the same output you can also find the port the shellcode binds to: 1957.

To find the technique the shellcode uses to locate the OS functions it needs in memory: it finds kernel32.dll and resolves the exports it needs through GetProcAddress. A Google search for GetProcAddress, as shown in the screenshot above, led me to this Microsoft documentation, from which the screenshot below was pulled - https://learn.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-getprocaddress. GetProcAddress retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
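As an added example (not part of this write-up and not the challenge's actual shellcode), the Python below shows the two checks the scdbg step relies on: telling the NOP sled apart from the encoded body, and confirming a single-byte XOR key by brute force when the decoded output is expected to contain DLL and API names such as kernel32 and GetProcAddress. The payload bytes are constructed for the example and encoded with 0x99, the key found above; the decoder stub that a real payload carries between the sled and the encoded body is left out.

```python
NOP = 0x90   # x86 single-byte NOP; a long run of these is the sled in front of the shellcode


def longest_run(data, byte=NOP):
    """Return (offset, length) of the longest run of `byte` in `data`."""
    best_off, best_len, run_start = 0, 0, None
    for i in range(len(data) + 1):
        if i < len(data) and data[i] == byte:
            if run_start is None:
                run_start = i
        elif run_start is not None:
            if i - run_start > best_len:
                best_off, best_len = run_start, i - run_start
            run_start = None
    return best_off, best_len


def xor_decode(blob, key):
    """Single-byte XOR is its own inverse, so this both encodes and decodes."""
    return bytes(b ^ key for b in blob)


def recover_xor_key(blob, markers=(b"kernel32", b"GetProcAddress")):
    """Brute-force the 256 possible single-byte keys and rank those under which the
    decoded bytes contain a marker string. This only works when the decoded shellcode
    carries plaintext DLL/API names (match the case your sample uses, e.g. KERNEL32);
    shellcode that resolves APIs by hash has no such strings, and an emulator such as
    scdbg is the right tool for it."""
    hits = []
    for key in range(256):
        decoded = xor_decode(blob, key)
        score = sum(decoded.count(m) for m in markers)
        if score:
            hits.append((score, key))
    return [key for _score, key in sorted(hits, reverse=True)]


def analyse_payload(payload):
    """Locate the sled, treat what follows it as the encoded body, recover the key."""
    sled_off, sled_len = longest_run(payload)
    body = payload[sled_off + sled_len:]
    keys = recover_xor_key(body)
    return {
        "sled": (sled_off, sled_len),
        "key": keys[0] if keys else None,
        "decoded": xor_decode(body, keys[0]) if keys else None,
    }


# Constructed sample (hypothetical): a few plausible x86 bytes plus the strings a
# name-resolving payload would carry, encoded with 0x99 and prefixed with a NOP sled.
PLAIN = (b"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5"
         b"kernel32.dll\x00GetProcAddress\x00LoadLibraryA\x00")
ENCODED = xor_decode(PLAIN, 0x99)
PAYLOAD = b"\x90" * 32 + ENCODED

if __name__ == "__main__":
    r = analyse_payload(PAYLOAD)
    print("NOP sled at offset %d, %d bytes" % r["sled"])
    print("recovered XOR key: 0x%02x" % r["key"])
    print("decoded:", r["decoded"])
```

On a real sample, feed `analyse_payload` the raw bytes saved from Follow TCP Stream; if `recover_xor_key` returns nothing, the payload is either not single-byte XOR or resolves its imports without plaintext names, which is exactly the case where you let scdbg run the decoder instead of guessing.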