OpenWire Lab
CyberDefenders Network Forensics Lab

Introduction
During your shift as a tier-2 SOC analyst, you receive an escalation from a tier-1 analyst regarding a public-facing server. This server has been flagged for making outbound connections to multiple suspicious IPs. In response, you initiate the standard incident response protocol, which includes isolating the server from the network to prevent potential lateral movement or data exfiltration and obtaining a packet capture from the NSM utility for analysis. Your task is to analyze the pcap and assess for signs of malicious activity.
Question 1
By identifying the C2 IP, we can block traffic to and from this IP, helping to contain the breach and prevent further data exfiltration or command execution. Can you provide the IP of the C2 server that communicated with our server?
Answer 1
Using NetworkMiner, I was looking for an IP address that had a lot of sent and received packets, which is normally a sign of a C2 server sending commands back and forth.

Question 2
Initial entry points are critical to trace the attack vector back. What is the port number of the service the adversary exploited?
Answer 2
Knowing that I am looking for a port that OpenWire is running on, a quick search online led me to documentation that told me that port 61616 was what I was looking for. This was corroborated by a few conversations between the C2 server and the target machine over said port.

Question 3
Following up on the previous question, what is the name of the service found to be vulnerable?
Answer 3
This answer is in the brief and on the website from the answer above: Apache ActiveMQ.
Question 4
The attacker’s infrastructure often involves multiple components. What is the IP of the second C2 server?
Answer 4
There are 2 IP addresses listed when looking at NetworkMiner that don't have a corresponding operating system listed. 128.199.52.72.
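The "most sent and received packets" heuristic from Answer 1, the port check from Answer 2 and the second-host hunt from Answer 4 can all be reproduced without NetworkMiner by parsing the pcap directly. The following is an added example, not code from the lab or the original write-up: a minimal classic-pcap parser that ranks every remote host by packets exchanged with the flagged server and lists the local ports each one touched. The capture it reads is constructed in memory (RFC 5737 documentation addresses and a made-up server address stand in for the lab's real hosts; only port 61616 is taken from the write-up), so it runs offline.

```python
import socket
import struct
from collections import Counter, defaultdict

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1


def build_tcp_packet(src, dst, sport, dport, payload=b""):
    """Build a minimal Ethernet/IPv4/TCP frame. Checksums stay zero: we only
    need a parseable structure, not a wire-valid packet."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    eth = b"\x00" * 6 + b"\x00" * 6 + b"\x08\x00"  # dst MAC, src MAC, EtherType IPv4
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Wrap frames in a classic libpcap file (little-endian, Ethernet link type)."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for ts, frame in enumerate(frames):
        out.append(struct.pack("<IIII", ts, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def parse_pcap(data):
    """Yield (src_ip, dst_ip, sport, dport, payload) for each IPv4/TCP frame.
    Handles both byte orders of the classic pcap magic; pcapng is out of scope."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype, = struct.unpack_from(endian + "I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only the Ethernet link type is handled here")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] != 6:
            continue  # not TCP
        src = socket.inet_ntoa(frame[26:30])
        dst = socket.inet_ntoa(frame[30:34])
        tcp = frame[14 + ihl:]
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        doff = (tcp[12] >> 4) * 4
        yield src, dst, sport, dport, tcp[doff:]


def rank_remote_hosts(records, local_ip):
    """Count packets exchanged (both directions) with each remote IP and record
    which local ports that host talked to, i.e. the Answer 1 / Answer 2 heuristic."""
    packets = Counter()
    local_ports = defaultdict(set)
    for src, dst, sport, dport, _ in records:
        if src == local_ip:
            packets[dst] += 1
            local_ports[dst].add(sport)
        elif dst == local_ip:
            packets[src] += 1
            local_ports[src].add(dport)
    return [(ip, n, sorted(local_ports[ip])) for ip, n in packets.most_common()]


# Constructed sample capture (hypothetical addresses, not the lab's):
SERVER = "10.0.0.5"      # the flagged public-facing server
C2 = "192.0.2.10"        # stand-in for the C2 host
NOISE = "198.51.100.7"   # an unrelated client
_frames = []
for i in range(6):       # six OpenWire request/response pairs on 61616
    _frames.append(build_tcp_packet(C2, SERVER, 40000 + i, 61616, b"ActiveMQ"))
    _frames.append(build_tcp_packet(SERVER, C2, 61616, 40000 + i, b"ActiveMQ"))
_frames.append(build_tcp_packet(NOISE, SERVER, 50000, 80, b"GET / HTTP/1.1\r\n"))
_frames.append(build_tcp_packet(SERVER, NOISE, 80, 50000, b"HTTP/1.1 200 OK\r\n"))
SAMPLE_PCAP = build_pcap(_frames)


def ranking_for_sample():
    return rank_remote_hosts(parse_pcap(SAMPLE_PCAP), SERVER)


if __name__ == "__main__":
    for ip, n, ports in ranking_for_sample():
        print(f"{ip:16} {n:4} packets  local ports {ports}")
```

On a real capture, replace SAMPLE_PCAP with the file contents; the host at the top of the ranking that also hit 61616 is the candidate C2, and any further remote host with a two-way conversation but no obvious service role is the kind of "second C2" Answer 4 looks for. The parser deliberately skips non-TCP and non-IPv4 frames rather than guessing at them.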

Question 5
Attackers usually leave traces on the disk. What is the name of the reverse shell executable dropped on the server?
Answer 5
Browsing the files tab in NetworkMiner, I can see 3 files: 2 .xml files and one .elf file. docker.elf, being an executable, would happen to be the reverse shell that was left.

Question 6
What Java class was invoked by the XML file to run the exploit?
Answer 6
Looking through the code of invoice.xml, I can see that none of the code is obfuscated, so it's rather easy to read. Before it grabs the docker file and executes it, it uses the following class:
<bean id="pb" class="java.lang.ProcessBuilder" init-method="start">

Question 7
To better understand the specific security flaw exploited, can you identify the CVE identifier associated with this vulnerability?
Answer 7
Knowing I am looking for a 2023 vulnerability, a quick search online allowed me to find the following:
[Screenshot of the search result showing the CVE identifier]
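The invoice.xml bean from Answer 6 is a Spring bean definition whose class attribute names java.lang.ProcessBuilder with init-method="start", which is exactly the pattern a triage script can flag without reading the whole file by hand. The block below is an added example, not the lab's file or the original write-up's code: it walks a Spring beans XML document, reports any bean whose class is on a small watch list, and pulls out the constructor-arg values (the command line). The XML it checks is constructed here following the standard Spring beans layout; the command in it is a placeholder, not the lab's payload.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the Spring beans format (hypothetical content; the
# command line is a placeholder and not the lab's actual payload).
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
    <constructor-arg>
      <list>
        <value>bash</value>
        <value>-c</value>
        <value>echo placeholder-command</value>
      </list>
    </constructor-arg>
  </bean>
  <bean id="harmless" class="java.util.ArrayList"/>
</beans>
"""

# Classes that should never appear in a bean definition fetched by a message broker.
# Extend as needed; ProcessBuilder is the one seen in Answer 6.
SUSPICIOUS_CLASSES = {
    "java.lang.ProcessBuilder",
    "java.lang.Runtime",
}


def local_name(tag):
    """Strip the XML namespace so '{ns}bean' compares as 'bean'."""
    return tag.rsplit("}", 1)[-1]


def find_suspicious_beans(xml_text):
    """Return one dict per bean whose class is on the watch list, with its
    id, init-method and the <value> elements of its constructor arguments."""
    root = ET.fromstring(xml_text)
    hits = []
    for el in root.iter():
        if local_name(el.tag) != "bean":
            continue
        cls = el.get("class", "")
        if cls not in SUSPICIOUS_CLASSES:
            continue
        args = [v.text or "" for v in el.iter() if local_name(v.tag) == "value"]
        hits.append({
            "id": el.get("id"),
            "class": cls,
            "init_method": el.get("init-method"),
            "args": args,
        })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_beans(SAMPLE_XML):
        print(f"{hit['id']}: {hit['class']} init-method={hit['init_method']} "
              f"args={hit['args']}")
```

The extracted args are the command the broker would have executed, so they are the first thing to pivot on (the download URL and dropped filename in the lab's case). When the XML comes from an attacker, parse it with a hardened parser such as defusedxml rather than the stock ElementTree, since entity-expansion tricks are a real risk on untrusted input.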
Question 8
The vendor addressed the vulnerability by adding a validation step to ensure that only valid Throwable classes can be instantiated, preventing exploitation. In which Java class and method was this validation step added?
Answer 8
I tend to struggle a little when reading code. I needed a couple of hints for this one.
BaseDataStreamMarshaller.createThrowable