Boss Of The SOC v1
I. Challenge Overview & Environment
SHA1SUM 89719952101ffdf7ee577aaed9a5f6c98934b812
Published Aug. 3, 2020
Author Splunk Team
Size 1.9 GiB
Instructions
Virtualbox: unzip the VM (pass: cyberdefenders.org), start VM, and access Splunk from host machine via http://127.0.0.1:8000
VMware: login to the VM using vagrant/vagrant and grab the IP address of the VM using "IP address" command. Access Splunk from the host machine using the IP address assigned to the VM via http://x.x.x.x:8000
Challenge Files:
bots1.ova (Memory: 4 GB, CPU: 2 Cores, Disk: 5.5 GB)
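Download the OVA and import it into VMware. The credentials are vagrant/vagrant. Look up the VM's IP address, then browse to http://ip:8000
II. Solutions (steps for the web attack part; the ransomware part is to be updated)
First, check which indexes exist:
* | stats count by index
Only one index, botsv1, is present.
Next, break the events down by source: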
* index=botsv1
| stats count by source
| sort -count
| head 10
1、This is a simple question to get you familiar with submitting answers. What is the name of the company that makes the software that you are using for this competition? Just a six-letter word with no punctuation.
Answer: splunk
2、What is the likely IP address of someone from the Po1s0n1vy group scanning imreallynotbatman.com for web application vulnerabilities?
Answer: Because this is a scan, there will be many log entries with the same source and destination hosts. Rank the IP pairs with this query:
index="botsv1" sourcetype=stream:http
| stats count by src_ip, dest_ip
| sort -count
The source IP 40.80.148.42 accounts for the most entries, and a look at that IP's events confirms that it is the AWVS scanner.
Alternatively, rank by source IP count directly:
index=botsv1 sourcetype=stream:http
| stats count by src_ip
| sort -count
Then rank the destination IPs for that source to identify the server IP, 192.168.250.70:
index=botsv1 sourcetype=stream:http src_ip="40.80.148.42"
| stats count by dest_ip
| sort -count
3、What company created the web vulnerability scanner used by Po1s0n1vy? Type the company name. (For example, "Microsoft" or "Oracle")
Answer: acunetix
4、What content management system is imreallynotbatman.com likely using? (Please do not include punctuation such as . , ! ? in your answer. We are looking for alpha characters only.)
To identify the CMS the server runs, look at the URL structure:
index=botsv1 imreallynotbatman.com sourcetype=stream:http src_ip="40.80.148.42"
| stats count by uri
| sort -count
| head 10
Answer: joomla
9、What IP address is likely attempting a brute force password attack against imreallynotbatman.com?
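In a brute-force attack, if the attacker has not set up a proxy pool for the source IP, a single source IP will generate a large number of HTTP requests. So query for events whose destination IP is the web server and rank the source IPs.
This yields two external IPs with many requests: the scanner IP seen earlier, 40.80.148.42, and 23.22.63.114. First look at the ranking of HTTP request methods from the scanner IP: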
index=botsv1 imreallynotbatman.com sourcetype=stream:http src_ip="40.80.148.42"
| stats count by http_method
| sort -count
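Then filter for the login-related request format, which here is in dest_content. Search it for the username field and show the first ten results. This locates the login form, which contains the username and passwd fields: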
index=botsv1 imreallynotbatman.com sourcetype=stream:http src_ip="40.80.148.42" http_method="POST" username
| table dest_content
| head 10
Or:
index=botsv1 imreallynotbatman.com sourcetype="stream:http" src_ip="23.22.63.114" dest_ip="192.168.250.70" http_method="POST" username passwd
| top limit=20 form_data
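With the login form and its fields identified, a brute-force attack would hit this form many times, so count requests to the login form by source IP. This reveals the brute-force IP, 23.22.63.114: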
index=botsv1 imreallynotbatman.com sourcetype=stream:http http_method="POST" form_data=*username*passwd*
| stats count by src_ip
15、What was the first brute force password used?
Answer: 12345678
1) First approach: to find the first password tried in the attack, extract the username and password with a regex and sort by time:
index=botsv1 imreallynotbatman.com sourcetype=stream:http http_method="POST" form_data=*username*passwd*
| rex field=form_data "username=(?<u>\w+)"
| rex field=form_data "passwd=(?<p>\w+)"
| table _time, u, p
| sort _time
| head 5
2) Second approach: use the tail command:
index=botsv1 imreallynotbatman.com sourcetype="stream:http" src_ip="23.22.63.114" dest_ip="192.168.250.70" http_method="POST" username passwd
| tail 1
17、What was the correct password for admin access to the content management system running imreallynotbatman.com?
A wrong password is normally tried only once, so filter for passwords that appear more than once in the login requests (typically twice).
index=botsv1 imreallynotbatman.com sourcetype=stream:http http_method="POST" form_data=*username*passwd*
| rex field=form_data "passwd=(?<p>\w+)"
| stats count by p
| sort -count
| table p,count
| head 10
Or use where directly:
index=botsv1 imreallynotbatman.com sourcetype="stream:http" dest_ip="192.168.250.70" http_method="POST" username passwd
| rex field=form_data "passwd=(?<passwd>\w+)"
| stats count by passwd
| where count>1
18、What was the average password length used in the password brute forcing attempt rounded to closest whole integer?
index=botsv1 imreallynotbatman.com sourcetype=stream:http http_method="POST" form_data=*username*passwd*
| rex field=form_data "passwd=(?<p>\w+)"
| eval pl=len(p)
| stats avg(pl) as av
| eval avg_count=round(av,0)
| table avg_count
19、How many seconds elapsed between the time the brute force password scan identified the correct password and the compromised login rounded to 2 decimal places?
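In other words: how many seconds passed between the brute force finding the correct password and the start of the scan (the scanner configured with the correct password), to two decimal places.
Answer: 92.17
index=botsv1 sourcetype=stream:http form_data=*username*passwd*
| rex field=form_data "passwd=(?<p>\w+)"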
| search p="batman"
| transaction p
| eval dur=round(duration,2)
| table dur
Note:
A transaction is a group of conceptually related events that fall within a given time range.
20、How many unique passwords were attempted in the brute force attempt?
Answer: 412
index=botsv1 imreallynotbatman.com sourcetype=stream:http http_method="POST" form_data=*username*passwd*
| rex field=form_data "passwd=(?<p>\w+)"
| dedup p
| stats count
Note: dedup removes events that have duplicate values in the specified field.
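Questions 15 and 17 to 20 above all work on the same set of login POSTs. The Python below is an added example (not part of the original write-up and not run against the BOTS dataset) that reproduces those calculations over constructed events. It goes slightly beyond the SPL by URL-decoding form_data rather than matching \w+, which would cut a password such as p%40ss-word down to p. All IPs, timestamps and passwords in it are made up.

```python
from collections import Counter
from urllib.parse import parse_qs

# Constructed sample events (epoch seconds, src_ip, form_data); not from botsv1.
EVENTS = [
    (1000.00, "198.51.100.7", "username=admin&passwd=12345678&task=login"),
    (1000.40, "198.51.100.7", "username=admin&passwd=letmein&task=login"),
    (1000.90, "198.51.100.7", "username=admin&passwd=p%40ss-word&task=login"),
    (1001.30, "198.51.100.7", "username=admin&passwd=s3cret&task=login"),
    (1001.80, "198.51.100.7", "username=admin&passwd=qwerty&task=login"),
    (1062.55, "203.0.113.9", "username=admin&passwd=s3cret&task=login"),
    (1070.00, "203.0.113.9", "task=search&q=batman"),  # not a login POST
]

def login_attempts(events):
    """Yield (time, src_ip, password) for forms carrying username and passwd."""
    for ts, src, form in events:
        fields = parse_qs(form, keep_blank_values=True)  # URL-decodes values
        if "username" in fields and "passwd" in fields:
            yield ts, src, fields["passwd"][0]

def summarize(events):
    attempts = sorted(login_attempts(events))           # like `sort _time`
    passwords = [p for _, _, p in attempts]
    counts = Counter(passwords)                         # like `stats count by p`
    reused = [p for p, n in counts.items() if n > 1]    # like `where count>1`
    per_ip = Counter(src for _, src, _ in attempts)     # like `stats count by src_ip`
    gaps = {}
    for p in reused:                                    # like `transaction p` duration
        times = [ts for ts, _, q in attempts if q == p]
        gaps[p] = round(max(times) - min(times), 2)
    return {
        "first_password": passwords[0],
        "unique_passwords": len(counts),                # like `dedup p | stats count`
        "avg_length": round(sum(map(len, passwords)) / len(passwords)),
        "reused": reused,
        "reuse_gap_seconds": gaps,
        "top_source": per_ip.most_common(1)[0][0],
    }

if __name__ == "__main__":
    for key, value in summarize(EVENTS).items():
        print(f"{key}: {value}")
```

In the constructed data, the reused password is the one that a second source IP submits after the guessing run, which is the same pattern the write-up uses to pick out the successful credential.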
21、What was the most likely IP address of we8105desk in 24AUG2016?
First check the sourcetypes:
index=botsv1 we8105desk
| stats count by sourcetype
| sort -count
Then count by IP:
index=botsv1 we8105desk sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
| stats count by src_ip
| sort -count
Answer: 192.168.250.100
10、What is the name of the executable uploaded by Po1s0n1vy? Please include the file extension. (For example, "notepad.exe" or "favicon.ico")
index=botsv1 sourcetype="stream:http" dest_ip="192.168.250.70" "multipart/form-data"
| head 1
index=botsv1 sourcetype="stream:http" dest_ip="192.168.250.70" "multipart/form-data"
| stats count by part_filename{}
5、What is the name of the file that defaced the imreallynotbatman.com website? Please submit only the name of the file with the extension (For example, "notepad.exe" or "favicon.ico").
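There are only two ways the malicious file can end up on the server hosting the target website. Either the attacker uploads it, in which case the source IP is the attacker's IP, or the attacker already has a webshell on the web server and downloads the file from their own server (C2) onto the web server, in which case the destination IP is the attacker's IP.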
index=botsv1 sourcetype="suricata" src_ip="23.22.63.114" dest_ip="192.168.250.70"
| stats count by http_method,http.hostname,http.url
| sort -count
index=botsv1 sourcetype="suricata" src_ip="192.168.250.70" dest_ip="23.22.63.114"
| stats count by http_method,http.hostname,http.url
| sort -count
Answer: poisonivy-is-coming-for-you-batman.jpeg
6、This attack used dynamic DNS to resolve to the malicious IP. What is the fully qualified domain name (FQDN) associated with this attack?
index=botsv1 sourcetype="suricata" src_ip="192.168.250.70" dest_ip="23.22.63.114"
| stats count by http_method,http.hostname,http.url
| sort -count
Answer: prankglassinebracket.jumpingcrab.com
7、What IP address has Po1s0n1vy tied to domains that are pre-staged to attack Wayne Enterprises?
Answer: 23.22.63.114
8、Based on the data gathered from this attack and common open-source intelligence sources for domain names, what is the email address most likely associated with the Po1s0n1vy APT group?
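Look up the historical DNS resolution records for this IP, find the historical domains, and look up the registrant email address.
Answer: lillian.rose@po1s0n1vy.com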
11、What is the MD5 hash of the executable uploaded?
First check which sourcetypes contain data on the uploaded file 3791.exe:
index=botsv1 3791.exe md5 | stats count by sourcetype
Then extract the MD5 value from those events:
index=botsv1 3791.exe sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" CommandLine="3791.exe"
| rex field=_raw "MD5=(?<md5sum>\w+)"
| table md5sum
Answer: AAE3F5A29935E6ABCC2C2754D12A9AF0
III. References
https://samsclass.info/50/proj/botsv1.htm
https://andickinson.github.io/blog/splunk-boss-of-the-soc-v1/
https://darkwing.moe/2020/07/30/BP-Splunk-TryHackMe/#