ECSM HackMe challenge
13 October 2014 | CERT Polska

PL_ECSM_logo_2014October is a month designated by the European Commision and ENISA as a European Cyber Security Month. NASK and CERT Polska are one of the partners in this endeavor. Third week of October is dedicated to students and application security. For this reason we have prepared a HackMe challenge that you can take part in. If you are a Polish resident, you can also win some prizes (see the Polish version of this post for details). Good luck and have fun! We will publish solution, with the results, by the end of the month.

Background story

You have become a computer incident response team member in a large governmental contractor working in the defense sector. Do not worry, it is only a job for a day and we do not require you to deal with a horrible ticketing system. At the beginning of October, 2014, one of the Data Loss Prevention systems detected an FTP connection. This connection was originating from one the employees private laptops. It was against the company security policy to bring private devices to the workplace or to even connect to the company VPN using them. However, because the project deadline was nearing, it was not an uncommon practice and was generally tolerated.

Tomek, the laptop owner, was an employee widely known in the IT Security department. His ability to click on every link that he received in the spam e-mail was simply astonishing. He regularly attended the security awareness trainings, but he saw them as a colossal waste of his valuable time. However, he was a rather technical user – he knew how to use popular applications as well as a proprietary software dedicated to his everyday work.

FTP connections were not something unusual for this workplace. Employees very often send their projects to the remote server using FTP protocol. However, it was always done trough a VPN or SSH tunnel. This connection was different – there was no secure tunnel and the destination server definitely was not located in the company infrastructure.

The challenge

Your task is to analyze infection of Tomek’s computer. Since Tomek was a known spam-lover, all of his network traffic was routinely recorded to the PCAP files. Unfortunately, Tomek is on a sick leave. Hence, you cannot either inquiry him or analyze his laptop. The Risk Assessment department puts a time pressure on you, so you have to act fast and cannot wait for him to get back to work. You only have a PCAP file (md5 fingerprint of the unpacked file:

<span class="text">dddee4a69dd4a7bdcd060a258098ecef</span>

) which was recorded somewhere around the time of infection and you must answer two questions concerning the odd FTP connection.

    1. What is the SHA256 of the file that was extracted from Tomek laptop? This fingerprint must be of the file as it was on Tomek’s laptop just before the infection.
    2. What is the name of the file extracted from Tomek’s laptop? Of course, this name must be of the file that was on the Tomek’s computer just before the infection.

    Zgłoszenia

    Odpowiedzi na zadane pytania należy zgłaszać przez ten formularz. Proszę pamiętać o podaniu prawdziwego adresu e-mail do komunikacji z nami. Można zgłaszać odpowiedzi wielokrotnie. Prosimy jednak nie zgłaszać odpowiedzi podanych poniżej, ponieważ nie są one poprawne.

    • Skrót SHA256: 04bdf3bf46f525f99a310758da007aac54cae189533f5aef76cfb4f5d41e6efa
    • Nazwa pliku: nothing_to_see_here.txt

    IP address of the Tomek’s laptop in the PCAP file is

    <span class="text">192.168.56.101</span>

    .

    The answers provided below are not correct.

    • SHA256:
      <span class="text">04bdf3bf46f525f99a310758da007aac54cae189533f5aef76cfb4f5d41e6efa</span>
    • Filename:
      <span class="text">nothing_to_see_here.txt</span>

    Good luck! If you have any questions, feel free to write us an e-mail: [email protected]. Remember to include tag

    <span class="text">[ECSM HackMe]</span>

    in the subject line.

    The contest has ended. You can find solution here.

Share: