Defense
There were 11 Defense challenges with four having two or more sub-challenges, for a total of 20 flags to find with 1720 points possible.
Time to start sleuthing! I'm definitely better at defense than offense, and was able to complete these within a few days without any hints. I kind of wish I knew what the hints said though.
D1 - Secure Your Perimeter
Prerequisites: Complete the tutorial.
The first Defense challenge tests your understanding of Common Vulnerabilities and Exposures, better known as CVEs. You're told to submit the CVE ID of the highest-priority vulnerability to remediate from the list. The flag is in CVE ID format.
Given:
What is vulnerability scanning and how does it work? by Digital Defense
PDF of a network diagram
json file containing the vulnerability scanner's results (over 700 lines, probably over 80 different results, screenshot below)

D2 - Look for Insider Threats
Prerequisites: Complete the tutorial.
One standard way to look for insider threats is to try to find sensitive data in places it shouldn't be.
For this one, you are required to use Regex to find Tax Identification Numbers (TINs) that have been encrypted by a script that they give you. You are also given a script file to run the Regex against. If you enter the successful Regex into the downloaded script, it'll give you the flag.
Below is the description of the script and the actual script that encrypts the TINs.
The "encryption" method, which they've taken to calling the Visionàry Algorithm Protecting IDs (VAPID), involves modifying each digit using its corresponding value in the passphrase LUCKYLION:
def vapid(tin, key="LUCKYLION") -> bytes:
    # Accept the key as str or bytes; work with its byte values.
    if isinstance(key, str):
        key = key.encode("ascii")
    # Accept the TIN as str or bytes; iterate over its characters.
    if isinstance(tin, bytes):
        tin = tin.decode("ascii")
    key_len = len(key)
    ciphertext = []
    for idx, character in enumerate(tin):
        # Each digit's numeric value is added to the key byte at the same position.
        ciphertext.append(int(character) + key[idx % key_len])
    return bytes(ciphertext)
For example:
000000000 becomes LUCKYLION
111111111 becomes MVDLZMJPO
They give an example of running the script with your regex as its argument:
python snort.py 'regex(_|\s+)goes_?here$'
In addition to the above, you are also given an additional resource to learn about Regex: RegExr, an online tool for learning Regular Expressions.
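To make the regex task concrete, here is an added example (my own code, not the challenge's snort.py) that re-implements the VAPID scheme, derives the per-position character classes from the key, and hunts for encoded TINs in a constructed text. The sample notes, the SAMPLE string and the function names are all assumptions for this example. Note that because some positions map into punctuation (for example 'U'+8 is ']' and 'Y'+5 is '^'), \b word boundaries are unreliable, so the search uses lookarounds on printable characters instead and then decodes each hit as a second check.

```python
import re

# Passphrase from the challenge description.
KEY = b"LUCKYLION"


def vapid(tin: str, key: bytes = KEY) -> bytes:
    """Encode a digit string the way the challenge's VAPID script does:
    each digit's numeric value is added to the key byte at the same position."""
    return bytes(int(ch) + key[i % len(key)] for i, ch in enumerate(tin))


def unvapid(token: bytes, key: bytes = KEY) -> str:
    """Reverse VAPID; raises ValueError if a byte cannot be a digit under the key."""
    digits = []
    for i, b in enumerate(token):
        d = b - key[i % len(key)]
        if not 0 <= d <= 9:
            raise ValueError(f"byte {b!r} at position {i} is not a VAPID digit")
        digits.append(str(d))
    return "".join(digits)


def vapid_pattern(key: bytes = KEY) -> str:
    """Build the regex: position i can only be one of the 10 bytes key[i]..key[i]+9.
    Hex escapes are used because some ranges cross non-letters such as ']' and '^'."""
    return "".join(f"[\\x{k:02x}-\\x{k + 9:02x}]" for k in key)


def find_encoded_tins(text: str, key: bytes = KEY) -> list[str]:
    """Return every 9-character VAPID token in text that is not glued to other
    printable characters, double-checking each hit by decoding it."""
    pattern = re.compile(rf"(?<![!-~]){vapid_pattern(key)}(?![!-~])")
    hits = []
    for m in pattern.finditer(text):
        unvapid(m.group(0).encode("ascii"), key)  # raises if not a real token
        hits.append(m.group(0))
    return hits


# Constructed sample input (not from the challenge files).
SAMPLE = (
    "note 1: customer TIN MVDLZMJPO archived\n"
    "note 2: LUCKYLIONS is the mascot, not a TIN\n"
    "note 3: exported U]JQ^PLQO to the share\n"
)

if __name__ == "__main__":
    print(vapid_pattern())
    for token in find_encoded_tins(SAMPLE):
        print(token, "->", unvapid(token.encode("ascii")))
```

The generated pattern is what you would paste into the challenge's script; the decoy LUCKYLIONS in note 2 shows why the trailing lookahead matters, since its first nine characters are a valid encoding of 000000000.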
D3 - Investigate a Suspicious Email
Prerequisites: Complete the tutorial.
Someone forwarded you a suspicious email. See if you can find evidence of phishing.

D4 - Write IOC detection
Prerequisites: Complete D3.
After determining information about a credential harvesting site, write a Suricata rule to alert on outgoing HTTP traffic to the phishing domain. The flag is the missing information.
You are given a partially complete Suricata rule to start with:
alert http $CORP_NET any -> $EXTERNAL_NET any (msg:"Detected traffic to wood-chewers.trees"; http.host; _____________; sid:1000001; rev:1;)
You are also given an additional resource to learn about Suricata: https://docs.suricata.io/en/latest/
D5.1 - Identify compromised user
Prerequisites: Complete D4.
Alright! You've got a Suricata rule set up to alert you on any traffic going there. Now you need to review the logs you've collected for any potential compromised users!
You are given another json file that is the output from the Suricata rule. From this, you need to identify how many users you'll need to review.
Given:
suricata_alert.json (screenshot below)

D5.2 - Identify compromised user
Prerequisites: Complete D5.1.
Continue reviewing the same json file to determine how we can actually tell whether a user may have sent credentials to the phishing site. The flag is the field name and value you can use to determine this. Here's a screenshot of another section of that file to help.

D5.3 - Identify compromised user
Prerequisites: Complete D5.2.
After determining how we can tell if information has been sent or not, use this to determine the IP address responsible for that traffic. The IP is the flag.
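The D5.1 to D5.3 sub-challenges are one triage pass over Suricata's eve.json output, so here is an added example (my code, not the challenge's file) that walks it end to end on constructed alert records. The records use the field names Suricata emits for HTTP alerts (src_ip, alert.signature_id, http.http_method, http.url), the signature name and domain come from the D4 rule on this page, and every IP, port and timestamp is made up. The assumption that a POST to the phishing host indicates a submitted form, while a GET only rendered the page, is mine for this example.

```python
import json
from collections import Counter

# Constructed eve.json records (one JSON object per line), not from the challenge.
# Four alerts from three internal hosts plus one unrelated flow record.
EVE_LINES = """\
{"timestamp":"2024-03-01T09:12:01.000000+0000","event_type":"alert","src_ip":"10.10.5.21","src_port":51002,"dest_ip":"203.0.113.9","dest_port":80,"proto":"TCP","alert":{"signature_id":1000001,"signature":"Detected traffic to wood-chewers.trees"},"http":{"hostname":"wood-chewers.trees","url":"/login","http_method":"GET","status":200,"length":2310}}
{"timestamp":"2024-03-01T09:12:09.000000+0000","event_type":"alert","src_ip":"10.10.5.37","src_port":49881,"dest_ip":"203.0.113.9","dest_port":80,"proto":"TCP","alert":{"signature_id":1000001,"signature":"Detected traffic to wood-chewers.trees"},"http":{"hostname":"wood-chewers.trees","url":"/login","http_method":"GET","status":200,"length":2310}}
{"timestamp":"2024-03-01T09:12:44.000000+0000","event_type":"alert","src_ip":"10.10.5.37","src_port":49882,"dest_ip":"203.0.113.9","dest_port":80,"proto":"TCP","alert":{"signature_id":1000001,"signature":"Detected traffic to wood-chewers.trees"},"http":{"hostname":"wood-chewers.trees","url":"/login.php","http_method":"POST","status":302,"length":0}}
{"timestamp":"2024-03-01T09:13:02.000000+0000","event_type":"flow","src_ip":"10.10.5.37","dest_ip":"203.0.113.9"}
{"timestamp":"2024-03-01T09:15:10.000000+0000","event_type":"alert","src_ip":"10.10.5.44","src_port":50110,"dest_ip":"203.0.113.9","dest_port":80,"proto":"TCP","alert":{"signature_id":1000001,"signature":"Detected traffic to wood-chewers.trees"},"http":{"hostname":"wood-chewers.trees","url":"/","http_method":"GET","status":200,"length":1800}}
"""


def load_alerts(text: str, sid: int = 1000001) -> list[dict]:
    """Parse line-delimited JSON and keep only alert events for our rule's sid."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("event_type") != "alert":
            continue
        if rec.get("alert", {}).get("signature_id") != sid:
            continue
        alerts.append(rec)
    return alerts


def hosts_to_review(alerts: list[dict]) -> list[str]:
    """D5.1: every distinct internal source that touched the phishing host."""
    return sorted({a["src_ip"] for a in alerts})


def methods_by_host(alerts: list[dict]) -> dict[str, Counter]:
    """D5.2: which HTTP methods each host used; a POST is the tell-tale field/value."""
    summary: dict[str, Counter] = {}
    for a in alerts:
        summary.setdefault(a["src_ip"], Counter())[a["http"]["http_method"]] += 1
    return summary


def submitted_credentials(alerts: list[dict]) -> list[tuple[str, str, str]]:
    """D5.3: (src_ip, timestamp, url) for each POST, i.e. a likely form submission."""
    return [
        (a["src_ip"], a["timestamp"], a["http"]["url"])
        for a in alerts
        if a["http"]["http_method"] == "POST"
    ]


if __name__ == "__main__":
    alerts = load_alerts(EVE_LINES)
    print("hosts to review:", hosts_to_review(alerts))
    for ip, methods in methods_by_host(alerts).items():
        print(ip, dict(methods))
    print("credential submissions:", submitted_credentials(alerts))
```

Against a real eve.json you would stream the file line by line instead of holding it in memory, but the filtering logic is the same: restrict to alert events for your sid first, then pivot on http.http_method.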
D5.4 - Identify compromised user
Prerequisites: Complete D5.3.
This time, we're given network logs in a CSV file. We're also given that the IP address belongs to host WDIGCVY2S with user bob_wctf24. The flag is the bash query command that will quickly let you identify data associated with the IP found in the previous sub-challenge.
Given:
networklogs.csv
D6 - PCAP Analysis
Prerequisites: Complete D5.4.
As you have probably guessed, this time we're given a PCAP to determine which tool was downloaded on the host and where it came from. The flag is the full request URI that the tool was downloaded from.
Given:
pcap.zip (which contains anydesk_hostonly.pcapng)
D7.1 - Review Connection Logs (Host A)
Prerequisites: Complete D6.
Now we know the user, host, and tool that was used to infiltrate our network! The next step is to determine what was done with AnyDesk. However, where do we even start? This time we're not given any files - the flag is the full path (beginning with C:) to the directory where AnyDesk's logs are stored.
D7.2 - Review Connection Logs (Host A)
Prerequisites: Complete D7.1.
Now that we have AnyDesk's logs, can we identify the fields in the logs that identify our attacker? The flag this time is the attacker's IP and exact timestamp of when the connection was opened in the following format: YYYY-MM-DD 00:00:00.000,IP.IP.IP.IP
Given:
ad_svc.trace (screenshot below)

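As an added example for pulling the D7.2 fields out of an AnyDesk service trace, the script below (my own code, not a challenge file) parses constructed trace lines and prints the first inbound connection in the flag format YYYY-MM-DD HH:MM:SS.mmm,IP. The line layout (level, timestamp, process tag, pid, tid, component, message) and the "Logged in from" wording are assumptions modelled on what such traces look like; the IPs, PIDs and times are invented.

```python
import re
from datetime import datetime

# Constructed lines imitating an ad_svc.trace; the layout is an assumption
# for this example and the values are made up.
TRACE = """\
    info 2024-03-01 09:20:11.415       gsvc   3120   4412                 app.session - Incoming session request (relay): 123456789
    info 2024-03-01 09:20:11.902       gsvc   3120   4412                 anynet.any_socket - Logged in from 203.0.113.77:46120 on relay.
    info 2024-03-01 09:20:12.004       gsvc   3120   4412                 app.backend_session - Accept request from 123456789 (relay)
   debug 2024-03-01 09:20:12.010       gsvc   3120   4412                 anynet.relay_conn - keepalive
    info 2024-03-01 09:41:55.230       gsvc   3120   4412                 anynet.any_socket - Logged in from 198.51.100.8:52311 on relay.
"""

# One trace line: level, millisecond timestamp, tag, pid, tid, "component - message".
LINE_RE = re.compile(
    r"^\s*(?P<level>\w+)\s+"
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"(?P<tag>\S+)\s+(?P<pid>\d+)\s+(?P<tid>\d+)\s+"
    r"(?P<component>\S+) - (?P<message>.*)$"
)
# The remote peer announcing itself: IPv4 followed by its source port.
LOGIN_RE = re.compile(r"Logged in from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)")


def parse_trace(text: str) -> list[dict]:
    """Split each well-formed line into its named fields; skip anything else."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def remote_logins(entries: list[dict]) -> list[tuple[str, str]]:
    """(timestamp, ip) for every inbound connection, sorted by time."""
    found = []
    for e in entries:
        m = LOGIN_RE.search(e["message"])
        if m:
            found.append((e["ts"], m.group("ip")))
    found.sort(key=lambda t: datetime.strptime(t[0], "%Y-%m-%d %H:%M:%S.%f"))
    return found


def flag_for(entries: list[dict]) -> str:
    """The earliest inbound connection in the challenge's answer format."""
    ts, ip = remote_logins(entries)[0]
    return f"{ts},{ip}"


if __name__ == "__main__":
    entries = parse_trace(TRACE)
    for ts, ip in remote_logins(entries):
        print(ts, ip)
    print("flag:", flag_for(entries))
```

Sorting by parsed time rather than file order matters on real traces, where the service log is appended by several threads and rotated, so the first "Logged in from" line in the file is not always the earliest session.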
D8 - YARA Analysis
Prerequisites: Complete D7.2.
This was one Defense challenge that gave most people trouble, including me! A json file is given to you that contains Strelka's analysis of the malicious file. You're asked to create a YARA rule that will detect the same file.
You are given:
curl -H "Content-Type: text/plain" <URL> -X POST -d 'rule test {condition: true}'
strelka.json (screenshots below)


D9.1 - Review Connection Logs (Host B)
Prerequisites: Complete D8.
Like before, we're given more logs to analyze. This time, though, they came from a host on which we detected the activity using the YARA rule we created in the previous challenge. We're asked to use the logs to determine three things and submit all three as the flag: 1) Upload or download to/from our internal host? 2) Directory name on the remote machine? 3) Port number on the internal machine that accepted the connection?
Given:
ad.trace

user.conf

ad_svc.trace (different file than D7.2)

D9.2 - Review Connection Logs (Host B)
Prerequisites: Complete D9.1.
Same scenario as D9.1, but this time the flag is the path (beginning with C:) of the directory that the threat actor dropped a file into on our host using the logs.
Given:
ad.trace (same file as D9.1)
user.conf (slightly different file than D9.1)
ad_svc.trace (same file as D9.1)
D10.1 - Strelka Analysis
Prerequisites: Complete D9.2.
We've identified another suspicious file on this host, so now we need to determine if it's malicious. This can be done using the automated Strelka sandbox. We have to submit the right command to Strelka in order to find the flag, which is the SHA256 hash of the file.
Given:
Path to Suspicious File: C:\Users\wctf24\AppData\Local\Temp\img_001.scr
The actual file was not given.
curl -H "Content-Type: application/json" <URL> -X POST -d '{"host": "", "path": ""}'
D10.2 - Strelka Analysis
Prerequisites: Complete D10.1.
Continuing the analysis from D10.1, what is the epoch timestamp of the Portable Executable (PE) file?
D10.3 - Strelka Analysis
Prerequisites: Complete D10.2.
Continuing the analysis from the previous sub-challenge, what is the PE checksum in hex?
D10.4 - Strelka Analysis
Prerequisites: Complete D10.3.
Continuing the analysis from the previous sub-challenge, what is the name of the malware?
D10.5 - Strelka Analysis
Prerequisites: Complete D10.4.
Continuing the analysis from the previous sub-challenge, what is the C2 identified in the DarkGate config?
D11 - Trace the handoff
Prerequisites: Complete D10.5.
Based on all of the prior investigation and analysis, we know the threat actor has access to our environment. Threat intelligence also tells us that threat actors often sell access to quickly and easily monetize their efforts, so now search for who bought the access. Their Tox ID is the flag.
All Defense Challenges complete!