Lab introduction:
Simon, a developer working at Forela, notified the CERT team about a note that appeared on his desktop. The note claimed that his system had been compromised and that sensitive data from Simon's workstation had been collected. The perpetrators performed data extortion on his workstation and are now threatening to release the data on the dark web unless their demands are met. Simon's workstation contained multiple sensitive files, including planned software projects, internal development plans, and application codebases. The threat intelligence team believes that the threat actor made some mistakes, but they have not found any way to contact the threat actors. The company's stakeholders are insisting that this incident be resolved and all sensitive data be recovered. They demand that under no circumstances should the data be leaked. As our junior security analyst, you have been assigned a specific type of DFIR (Digital Forensics and Incident Response) investigation in this case. The CERT lead, after triaging the workstation, has provided you with only the Notepad++ artifacts, suspecting that the attacker created the extortion note and conducted other activities with hands-on keyboard access. Your duty is to determine how the attack occurred and find a way to contact the threat actors, as they accidentally locked out their own contact information.
task1: What is the full path of the script used by Simon for AWS operations?

Open config.xml and find the line related to AWS.
task1 answer:"C:\Users\Simon.stark\Documents\Dev_Ops\AWS_objects migration.pl"
task2: The attacker duplicated some program code and compiled it on the system, knowing that the victim was a software engineer and had all the necessary utilities. They did this to blend into the environment and didn't bring any of their tools. This code gathered sensitive data and prepared it for exfiltration. What is the full path of the program's source file?

Open session.xml and find the entry filename="C:\Users\Simon.stark\Desktop\LootAndPurge.java"; that is the answer.
task2 answer:C:\Users\simon.stark\Desktop\LootAndPurge.java
task3: What's the name of the final archive file containing all the data to be exfiltrated?

Look through the LootAndPurge.java@2023-07-24_145332 backup file; the answer is in the createZipArchive function.
task3 answer:Forela-Dev-Data.zip
task4: What's the timestamp in UTC when attacker last modified the program source file?

Look through session.xml and find the line originalFileLastModifTimestamp="-1354503710" originalFileLastModifTimestampHigh="31047188", then hand it to an AI to work out the result.

No matter what I tried, DeepSeek kept producing 2023-07-24 14:53:23, which was always wrong. After reading other people's write-ups I found the answer is 2023-07-24 09:53:23. Frustrating.

The code below is borrowed from a blogger on a foreign site.
```python
import datetime

# Provided Variables
originalFileLastModifTimestamp = -1354503710
originalFileLastModifTimestampHigh = 31047188

# Combine The Two Parts to Get The Full Timestamp
full_timestamp = (originalFileLastModifTimestampHigh << 32) | (originalFileLastModifTimestamp & 0xFFFFFFFF)

# Convert The Timestamp to Seconds
timestamp_seconds = full_timestamp / 10**7

# Convert to a DateTime Object
timestamp = datetime.datetime(1601, 1, 1) + datetime.timedelta(seconds=timestamp_seconds)
print(timestamp)
```
I gave this code to DeepSeek and asked why the results differ; its answer was that HTB's time has a five-hour offset. Speechless.
task4 answer:2023-07-24 09:53:23
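As an added example (not the write-up's or the borrowed blogger's code), the same FILETIME reconstruction generalised to every <File> entry in a Notepad++ session.xml, using the attribute names quoted above; the XML excerpt is constructed for the demo, and the real file carries many more attributes per node.

```python
import datetime
import xml.etree.ElementTree as ET

# Windows FILETIME counts 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime.datetime(1601, 1, 1, tzinfo=datetime.timezone.utc)


def filetime_to_utc(low: int, high: int) -> datetime.datetime:
    """Rebuild the 64-bit FILETIME from the two signed 32-bit halves that
    Notepad++ writes to session.xml and return it as a UTC datetime.
    Integer arithmetic keeps the sub-second part exact."""
    full = ((high & 0xFFFFFFFF) << 32) | (low & 0xFFFFFFFF)
    # 100 ns ticks -> microseconds (floor division drops the last digit).
    return FILETIME_EPOCH + datetime.timedelta(microseconds=full // 10)


def session_file_mtimes(session_xml: str) -> dict:
    """Map each <File filename=...> in a session.xml document to the UTC
    last-modified time of the original file on disk. Entries without the
    timestamp attributes (e.g. unsaved "new 1" tabs) are skipped."""
    root = ET.fromstring(session_xml)
    result = {}
    for node in root.iter("File"):
        low = node.get("originalFileLastModifTimestamp")
        high = node.get("originalFileLastModifTimestampHigh")
        if low is None or high is None:
            continue
        result[node.get("filename")] = filetime_to_utc(int(low), int(high))
    return result


# Constructed excerpt modelled on the values quoted in this write-up.
SAMPLE_SESSION = """<NotepadPlus>
  <Session activeView="0">
    <mainView activeIndex="0">
      <File lang="Java" filename="C:\\Users\\Simon.stark\\Desktop\\LootAndPurge.java"
            originalFileLastModifTimestamp="-1354503710"
            originalFileLastModifTimestampHigh="31047188" />
      <File lang="None" filename="new 1" />
    </mainView>
  </Session>
</NotepadPlus>"""

if __name__ == "__main__":
    for path, mtime in session_file_mtimes(SAMPLE_SESSION).items():
        print(path, mtime.strftime("%Y-%m-%d %H:%M:%S UTC"))
```

The "@2023-07-24_145332" suffix on the backup file names is a separate stamp taken from the workstation's local clock, so it is not expected to match the FILETIME-derived UTC value.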
task5: The attacker wrote a data extortion note after exfiltrating data. What is the crypto wallet address to which attackers demanded payment?

Open the YOU HAVE BEEN HACKED.txt@2023-07-24_150548 file and go to any one of the sites listed at the bottom of the file.

It asks for a password; the password can be seen in the main function of the LootAndPurge.java@2023-07-24_145332 file.

After logging in, the wallet address needed for the answer is visible.
task5 answer:0xca8fa8f0b631ecdb18cda619c4fc9d197c8affca
task6: What's the email address of the person to contact for support?

Same as task5: the email address is right below the wallet address.
task6 answer:CyberJunkie@mail2torjgmxgexntbrmhvgluavhj7ouul5yar6ylbvjkxwqf6ixkwyd.onion