2018-10-01: TWO PCAPS I PROVIDED FOR UISGCON CTF

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

THE TWO PCAP FILES:

• 2018-10-01-UISGCON-CTF-pcap-1-of-2.pcap.zip   1.6 MB (1,591,839 bytes)
• 2018-10-01-UISGCON-CTF-pcap-2-of-2.pcap.zip   14.1 MB (14,120,524 bytes)

 

BACKGROUND

Earlier this year, I provided two pcaps as part of a Capture The Flag (CTF) competition for UISGCON14 in October 2018.  UISGCON is an annual cyber security conference in the Ukraine (link), and this was the 14th UISGCON.

Shown above: Screenshot from the UISGCON website in early October 2018 before the conference.

 

According to the website, "UISGCON is the oldest and well-known Ukrainian conference on Information Security, driven by community and organized under the aegis of the NGO 'Ukrainian Information Security Group' (UISG)..."  From what I understand, these two pcap files were part of 25 tasks used in the conference's CTF.

I'm told this material can go public now.  These pcaps contain activity I routinely post about here at malware-traffic-analysis.net, so it shouldn't be a big challenge for anyone who follows this blog.

 

DETAILS

FIRST PCAP:  2018-10-01-UISGCON-CTF-pcap-1-of-2.pcap.zip

LAN SEGMENT PROPERTIES:

• IP range:  172.16.1[.]0/24 (172.16.1[.]0 through 172.16.1[.]255)
• Gateway IP:  172.16.1[.]1
• Broadcast IP:  172.16.1[.]255
• Domain Controller (DC):  Maricheika-DC at 172.16.1[.]3
• Domain:  maricheika[.]net

TASKS I SUGGESTED:

• State the time and date of this infection.
• Determine the IP address of the infected Windows client.
• Determine the host name of the infected Windows client.
• Determine the MAC address of the infected Windows client.
• Determine the Windows user account name used on the infected Windows client.
• Determine the SHA256 hash of the Word document downloaded by the victim.
• Determine the type of malware used in the initial infection.
• Determine the public IP address of the infected Windows client.

 

SECOND PCAP:  2018-10-01-UISGCON-CTF-pcap-2-of-2.pcap.zip

LAN SEGMENT PROPERTIES:

• IP range:  10.1.75[.]0/24 (10.1.75[.]0 through 10.1.75[.]255)
• Gateway IP:  10.1.75[.]1
• Broadcast IP:  10.1.75[.]255
• Domain Controller (DC):  PixelShine-DC at 10.1.75[.]4
• Domain:  pixelshine[.]net

TASKS I SUGGESTED:

• State the time and date of this infection.
• Determine the IP address of the infected Windows client.
• Determine the host name of the infected Windows client.
• Determine the MAC address of the infected Windows client.
• Determine the Windows user account name used on the infected Windows client.
• Determine the SHA256 hash of the Word document downloaded by the victim.
• Determine the SHA256 hash of the first malware binary sent to the infected Windows client.
• Determine the time the Domain Controller (DC) at 10.1.75[.]4 became infected.
• Determine the SHA256 hash of the second malware binary sent to the infected Windows client (same file retrieved as radiance.png and table.png).
• What are the two file hashes for executables you can retrieve from the SMB traffic using Wireshark?
• Determine the two families of malware the Windows client was infected with.
• Determine the one family of malware the DC was infected with.
• Determine the public IP address of the infected Windows client.

 

ANSWERS

• Click here for the answers.

 

Click here to return to the main page.