# 2024 HITCON Cyber Range Student Track Write-up

I had never touched blue-team work before coming here, but I showed up in the spirit of **I'm here to learn** (X
Just a happy student who didn't take part in the qualifier. AIS3 rocks!

From the moment they started explaining the rules I was completely lost.
I stared blankly at the challenges until after noon before I roughly figured out what to do, and only then started solving like crazy.
~~But later on I found you can make good use of elimination, the answer constraints, and brute-forcing the answers~~

## Environment

It looks roughly like this, but I didn't really get it (~~retaking the networking course~~

![image](https://hackmd.io/_uploads/rkNvtikWJl.png)

Then there are challenges like this where you fill in the answers you found

![image](https://hackmd.io/_uploads/HkyFtsJZyl.png)

You only score when everything is correct; a wrong submission gets you a lockout penalty (up to 3 minutes), but it tells you which field was wrong

![image](https://hackmd.io/_uploads/SkDbqiybJl.png)

So you can fill in the likely answers and maybe guess right (X

![image](https://hackmd.io/_uploads/BJfiqjJZ1e.png)

The Log Viewer looks like this; you have to learn how to use it. It's Splunk.

## Digital Storm (+50 pts)

> Our intrusion detection system has flagged unusual network activity indicative of automated scanning tools. The scans appear to be systematically probing our network for vulnerabilities.
> Investigate this incident and determine the nature and extent of the scanning activity.

Someone is doing naughty scanning.
Open the Apache log and it's right there

![image](https://hackmd.io/_uploads/Hytr7vyW1l.png)

So

![image](https://hackmd.io/_uploads/H1v8QDk-kg.png)

## Web Intrusion (+100 pts)

> After automated scanning, a targeted attack was detected.
> An attacker exploited a vulnerability in our web server to gain unauthorized access to the system.

After that bad guy finished scanning, he got up to mischief on the web server.
Filter on status 200 to find the requests he accessed successfully.
On page 6 I noticed that after the scan he started doing something big, so this looks like the spot

![image](https://hackmd.io/_uploads/BJ9GVDJZkg.png)

Combined with the version information seen on the first page of the Apache log

![image](https://hackmd.io/_uploads/S1y84vkW1l.png)

The question is which CVE it is. 2.4.58 is actually a pretty recent version, ||plus some outside help from a senior,|| plus this is HITCON 2024 Cyber Range, so [it can only be Orange](https://blog.orange.tw/posts/2024-08-confusion-attacks-en/)

![image](https://hackmd.io/_uploads/rkZRVP1-1g.png)

## Config Raid (+50 pts)

> Our security monitoring system flagged suspicious activity on a critical server, including unexpected account usage followed by unusual file access.
> Sensitive configuration files appear to have been accessed and downloaded. Investigate this incident and provide details about the timing and destination of the data movement.

After the web shell, he started stealing things!
Combined with the **unexpected account usage** mentioned in the challenge

![image](https://hackmd.io/_uploads/rJUwBvyWJg.png)

I tried this one and it worked

![image](https://hackmd.io/_uploads/SkaAHwkWkg.png)

## VPN interfusion (+50 pts)

> Following the web server breach, the attacker discovered VPN credentials in the stolen configuration files.
> These credentials were then used to establish an unauthorized VPN connection.

My teammate wrote this one

![image](https://hackmd.io/_uploads/BkVeLvJ-ke.png)

## Internal Recon (+75 pts)

> After gaining unauthorized VPN access, the attacker initiated an internal network scan.
> Detect and analyze this scanning activity to understand the attacker's reconnaissance efforts within our network.

Also by my amazing teammate

![image](https://hackmd.io/_uploads/BkE-8v1ZJl.png)

## Credential Spread (+50 pts)

> Using the credentials obtained from the network sniffing attack, the attacker successfully logged into a new machine on the network.

In the AD log, after 09:10, the earliest login by this rlee user is at

![image](https://hackmd.io/_uploads/ry-svDyWJg.png)

And you can also find the earliest login time

![image](https://hackmd.io/_uploads/rkvM_PkZke.png)

He had been hammering port 22 and then 443, but suddenly 445 showed up, and after that he could log in. So I figured I'd give it a try, and it hit

![image](https://hackmd.io/_uploads/HyrI8v1bJg.png)

## Conclusion

I thought I had plenty of disk space; turns out I didn't

![image](https://hackmd.io/_uploads/SJrvTPJZJe.png)

I couldn't even get the VM the organizers provided to boot; I was a total mess 🥲
But thanks anyway to AIS3 and to my teammates, whom I met for the first time on competition day
Toward the end it was genuinely fun and I wanted to keep going, but time was limited
Even though I'm really a noob, **I bravely claimed last place**

![image](https://hackmd.io/_uploads/r1C_OikZye.png)

But I got to see friends I hadn't seen in a while, happy happy 🥰

:::spoiler
||I hesitated about whether to make this public, but it's written so badly nobody's going to read it anyway, hehe||
:::
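Added appendix for the Digital Storm and Web Intrusion sections (example code written for this write-up, not part of the original post or of the competition's logs): it does in a script what was done by hand in the Log Viewer, parse Apache combined-format access logs, single out the IP whose burst of requests is mostly 4xx probes, and then list only that IP's status-200 requests to see what actually worked after the scan. The log lines, IPs, paths and the 5-request / 60% error thresholds are all constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" access-log format; the SAMPLE_LOG lines below are constructed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse_log(lines):
    entries = []  # lines that do not match the format are skipped
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            e = m.groupdict()
            e["status"] = int(e["status"])
            e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
            entries.append(e)
    return entries

def find_scanners(entries, min_requests=5, min_error_ratio=0.6):
    """Digital Storm: a scanner shows up as one IP sending many requests, mostly 4xx."""
    total, errors = defaultdict(int), defaultdict(int)
    for e in entries:
        total[e["ip"]] += 1
        if 400 <= e["status"] < 500:
            errors[e["ip"]] += 1
    return sorted(ip for ip in total
                  if total[ip] >= min_requests and errors[ip] / total[ip] >= min_error_ratio)

def successful_requests(entries, ip):
    """Web Intrusion: keep only the scanner's status-200 requests, the ones that worked."""
    return [(e["ts"].strftime("%H:%M:%S"), e["method"], e["path"])
            for e in entries if e["ip"] == ip and e["status"] == 200]

def triage(lines):
    entries = parse_log(lines)  # scanner IP -> its successful requests, in log order
    return {ip: successful_requests(entries, ip) for ip in find_scanners(entries)}

# Constructed sample: one normal visitor (10.0.0.5) and one scanner (10.0.0.66)
# whose burst of 404 probes is followed by a single 200.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Oct/2024:10:29:58 +0800] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.66 - - [12/Oct/2024:10:30:01 +0800] "GET /admin HTTP/1.1" 404 196 "-" "scanner/1.0"',
    '10.0.0.66 - - [12/Oct/2024:10:30:01 +0800] "GET /.env HTTP/1.1" 404 196 "-" "scanner/1.0"',
    '10.0.0.66 - - [12/Oct/2024:10:30:02 +0800] "GET /backup.zip HTTP/1.1" 404 196 "-" "scanner/1.0"',
    '10.0.0.66 - - [12/Oct/2024:10:30:02 +0800] "GET /phpmyadmin/ HTTP/1.1" 404 196 "-" "scanner/1.0"',
    '10.0.0.66 - - [12/Oct/2024:10:31:07 +0800] "GET /app/diag HTTP/1.1" 200 2048 "-" "scanner/1.0"',
]
```

`triage(SAMPLE_LOG)` returns the scanner IP mapped to its one successful request; on a real log the thresholds need tuning to the site's normal 404 rate.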