Retired
Jul 11, 2024 03:04 PM
Khalid has just logged onto a host that he and his team use as a testing host for many different purposes. It's off their corporate network but has access to lots of resources on the network. The host is used as a dumping ground for a lot of people at the company, but it's very useful, so no one has raised any issues. Little does Khalid know, the machine has been compromised and company information that should not have been on there has now been stolen – it's up to you to figure out what has happened and what data has been taken.
Notes from the capture:
- 224.0.0.251 is the mDNS multicast group (link-local name resolution), not an external DNS server
- 192.168.157.2 is the internal DNS server
- The host uses Office 365
Task 1
At a glance, what protocol seems to be suspect in this attack?
DNS
Task 2
There seems to be a lot of traffic between our host and another, what is the IP address of the suspect host?
Ans: 192.168.157.145
Task 3
What is the first command the attacker sends to the client?
Ans: whoami
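The three answers above come from the same workflow: spot the protocol that carries odd-looking data (long, hex-only labels), find the peer the host talks to most, then join the hex labels and decode them to read the tunnel. The script below is an added example for this writeup, not the author's code or the tool's own implementation. Its records are constructed to resemble the capture: hex-encoded data in DNS names between the host and 192.168.157.145, beside ordinary Office 365 lookups to the internal resolver 192.168.157.2 and mDNS traffic to 224.0.0.251. The tunnel zone (t.evil.example), the victim address (192.168.157.130), the 9-byte per-packet header and the command output are assumptions; the "whoami" command and the addresses 192.168.157.145 and 192.168.157.2 are from the writeup.

```python
"""Triage helpers for a DNS-tunnelling capture like the one in this writeup.

Added example, not the author's code. In a real capture the three fields would
come from:  tshark -r litter.pcap -Y dns -T fields -e ip.src -e ip.dst -e dns.qry.name -e dns.cname
"""
from binascii import unhexlify
from collections import Counter
import re
from typing import Dict, List, Optional, Tuple

HEX_LABEL = re.compile(r"^[0-9a-f]+$")
TUNNEL_ZONE = "t.evil.example"   # assumed zone; read it off the query names in a real capture
HEADER_LEN = 9                   # assumed framing: id(2) type(1) session(2) seq(2) ack(2)

VICTIM, ATTACKER = "192.168.157.130", "192.168.157.145"   # victim address is assumed
RESOLVER, MDNS = "192.168.157.2", "224.0.0.251"


def _encode(data: bytes, packet_id: int, seq: int, ack: int, session: int = 0xABCD) -> str:
    """Build a constructed tunnel name: hex(header + data) split into <=60-char labels."""
    header = (packet_id.to_bytes(2, "big") + b"\x01" + session.to_bytes(2, "big")
              + seq.to_bytes(2, "big") + ack.to_bytes(2, "big"))
    h = (header + data).hex()
    return ".".join(h[i:i + 60] for i in range(0, len(h), 60)) + "." + TUNNEL_ZONE


# Constructed records in capture order. "name" is dns.qry.name for a query and the
# CNAME answer for a response: data flowing attacker -> host rides in the answer.
RECORDS: List[Dict[str, str]] = [
    {"src": VICTIM, "dst": RESOLVER, "name": "outlook.office365.com"},
    {"src": VICTIM, "dst": MDNS, "name": "_companion-link._tcp.local"},
    {"src": VICTIM, "dst": ATTACKER, "name": _encode(b"", 1, 0, 0)},                 # poll
    {"src": ATTACKER, "dst": VICTIM, "name": _encode(b"whoami\n", 1, 0, 0)},         # command
    {"src": VICTIM, "dst": ATTACKER, "name": _encode(b"host\\test\r\n", 2, 7, 0)},   # constructed output
    {"src": VICTIM, "dst": ATTACKER, "name": _encode(b"", 3, 7, 7)},                 # poll
    {"src": VICTIM, "dst": RESOLVER, "name": "login.microsoftonline.com"},
    {"src": VICTIM, "dst": ATTACKER, "name": _encode(b"", 4, 7, 7)},                 # poll
]


def looks_tunnelled(name: str, zone: str = TUNNEL_ZONE) -> bool:
    """Task 1 heuristic: every label under the zone is pure hex, unlike a real hostname."""
    if not name.endswith("." + zone):
        return False
    labels = name[: -len(zone) - 1].split(".")
    return bool(labels) and all(HEX_LABEL.match(lbl) for lbl in labels)


def suspect_peer(records: List[Dict[str, str]]) -> str:
    """Task 2: the destination of the busiest (src, dst) pair in the DNS traffic."""
    (_, dst), _ = Counter((r["src"], r["dst"]) for r in records).most_common(1)[0]
    return dst


def tunnel_data(name: str, zone: str = TUNNEL_ZONE, header_len: int = HEADER_LEN) -> Optional[bytes]:
    """Strip the zone, join the hex labels, unhex, and drop the assumed packet header."""
    if not looks_tunnelled(name, zone):
        return None
    h = "".join(name[: -len(zone) - 1].split("."))
    if len(h) % 2:
        return None
    raw = unhexlify(h)
    return raw[header_len:] if len(raw) >= header_len else None


def first_command(records: List[Dict[str, str]], attacker: str) -> Optional[str]:
    """Task 3: first non-empty payload sent by the attacker (polls carry no data)."""
    for r in records:
        if r["src"] != attacker:
            continue
        data = tunnel_data(r["name"])
        if data:
            return data.decode("latin-1").strip()
    return None


def session_transcript(records: List[Dict[str, str]], attacker: str) -> List[Tuple[str, str]]:
    """Reassemble both directions in capture order, tagged by who sent the data."""
    out = []
    for r in records:
        data = tunnel_data(r["name"])
        if data:
            tag = "srv>cli" if r["src"] == attacker else "cli>srv"
            out.append((tag, data.decode("latin-1")))
    return out


if __name__ == "__main__":
    peer = suspect_peer(RECORDS)
    print("suspect peer:", peer)
    print("first command:", first_command(RECORDS, peer))
    for tag, text in session_transcript(RECORDS, peer):
        print(tag, repr(text))
```

The same filtering is quick to reproduce in Wireshark with `dns && ip.addr == 192.168.157.145`; the hex-only labels stand out next to the Office 365 names once the traffic is narrowed to that peer. Polls that carry only the header decode to an empty payload and are skipped, which is why the first non-empty server-to-client record is the command rather than a keepalive.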
Task 4
What is the version of the DNS tunneling tool the attacker is using?
Ans: 0.07
Task 5
The attacker attempts to rename the tool they accidentally left on the client's host. What do they name it to?
Ans: win_installer.exe
Task 6
The attacker attempts to enumerate the user's cloud storage. How many files do they locate in their cloud storage directory?
Ans: 0
Task 7
What is the full location of the PII file that was stolen?
Ans: C:\users\test\documents\client data optimisation\user details.csv
Task 8
Exactly how many customer PII records were stolen?
Ans: 721
Reference
- DNS Tunneling
- Wireshark display filter cheat sheet
- Author: ji3g4gp
- Link: https://gpblog.vercel.app//article/HTB-Sharklocks-Litter
- Copyright: This article is licensed under CC BY-NC-SA 4.0; please credit the source when reposting.