Challenge #1 - Web Server Case

    A company's web server has been breached through their website. Our team arrived just in time to take a forensic image of the running system and its memory for further analysis. All of the case files can be found here. The old uploads can be found below (I'm using them as an alternative now):

    1. System Image: here
    2. System Memory: here
    3. Hashes: here
    4. Passwords: here
    5. Other download URLs (from Archive.org) can be found here: here
    To successfully solve this challenge, a report with answers to the tasks below is required:

    1. What type of attacks have been performed on the box?
    2. How many users have the attacker(s) added to the box, and how were they added?
    3. What leftovers (files, tools, info, etc.) did the attacker(s) leave behind? (Assume our team arrived in time and the attacker(s) couldn't clean up and cover their tracks.)
    4. What software has been installed on the box, and was it installed by the attacker(s) or not?
    5. Using memory forensics, can you identify the type of shellcode used?
    6. What is the timeline analysis for all events that happened on the box?
    7. What is your hypothesis for the case, and what is your approach to solving it?
    8. Is there anything else you would like to add?

    Bonus Question: what are the directories and files that have been added by the attacker(s)? List them all with proof.

    Important Note: do not use commercial tools, for your own learning benefit.

    End of Case.