CyberDefenders HoneyBOT Write-up

Mohab Salah
4 min read · Oct 17, 2023


The challenge on the CyberDefenders platform: https://cyberdefenders.org/blueteam-ctf-challenges/45

This write-up is based on the CyberDefenders HoneyBOT challenge.

Q1- What is the attacker’s IP address?

Looking at the packets in Zui, I checked the “Alert” label that appeared.

I was able to obtain the attacker’s IP and the target’s IP.

Q2- What is the target’s IP address?

Q3- Provide the country code for the attacker’s IP address (a.k.a geo-location).

By searching for the attacker’s IP address, I was able to find a connection that contained some of the attacker’s data.

Q4- How many TCP sessions are present in the captured traffic?

I got the answer by looking at Statistics > Conversations,

and the number of sessions is shown in the TCP tab.

Q5- How long did it take to perform the attack (in seconds)?

I got the answer by looking at Statistics > Capture File Properties.
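The two Wireshark figures used for Q4 and Q5 (the count in Conversations > TCP and the elapsed time in Capture File Properties) can also be computed from the pcap directly. The script below is an added example, not part of the write-up or the challenge; it uses only the Python standard library, reads the classic pcap format with Ethernet framing (not pcapng), and runs against a small capture constructed inline rather than the challenge file.

```python
import struct

def _frame(src, sport, dst, dport):
    """Constructed minimal Ethernet/IPv4/TCP SYN frame (no payload, zero checksums)."""
    eth = b"\x00" * 12 + b"\x08\x00"                       # dummy MACs, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    return eth + ip + tcp

def build_pcap(records):
    """records: iterable of (timestamp_seconds, frame) -> little-endian pcap bytes."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # LINKTYPE_ETHERNET
    for ts, frame in records:
        sec, usec = int(ts), int(round((ts - int(ts)) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out

def iter_packets(pcap):
    """Yield (timestamp, frame_bytes) for each record; handles either byte order."""
    e = "<" if struct.unpack("<I", pcap[:4])[0] == 0xA1B2C3D4 else ">"
    off = 24                                                # skip the global header
    while off + 16 <= len(pcap):
        sec, usec, incl, _ = struct.unpack(e + "IIII", pcap[off:off + 16])
        yield sec + usec / 1e6, pcap[off + 16:off + 16 + incl]
        off += 16 + incl

def tcp_conversations(pcap):
    """Unique TCP endpoint pairs, the unit Wireshark's Conversations > TCP tab counts."""
    convs = set()
    for _, f in iter_packets(pcap):
        if len(f) < 34 or f[12:14] != b"\x08\x00" or f[23] != 6:
            continue                                        # skip non-IPv4 / non-TCP
        ihl = (f[14] & 0x0F) * 4
        src, dst = f[26:30], f[30:34]
        sport, dport = struct.unpack("!HH", f[14 + ihl:18 + ihl])
        convs.add(frozenset({(src, sport), (dst, dport)}))  # direction-independent key
    return len(convs)

def capture_duration(pcap):
    """Seconds between first and last packet, as shown in Capture File Properties."""
    times = [ts for ts, _ in iter_packets(pcap)]
    return round(max(times) - min(times), 6) if times else 0.0

# Constructed sample: two sessions from 10.0.0.5 to port 445 on 10.0.0.9, one reply.
SAMPLE_PCAP = build_pcap([
    (1000.0, _frame("10.0.0.5", 40001, "10.0.0.9", 445)),
    (1000.5, _frame("10.0.0.9", 445, "10.0.0.5", 40001)),
    (1002.25, _frame("10.0.0.5", 40002, "10.0.0.9", 445)),
])
```

Replace `SAMPLE_PCAP` with `open("capture.pcap", "rb").read()` to run it over a real classic-format capture; Wireshark may additionally split a reused 4-tuple into separate conversations, so treat the count as an approximation of the GUI figure.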

Q7- Provide the CVE number of the exploited vulnerability.

When you look at Protocol Hierarchy Statistics,

what happens in the SMB protocol caught my attention.

Searching for the DCE/RPC protocol, I found this:

The DCE/RPC protocol is a protocol for remote procedure calls. It is widely used on the modern Internet.

Then I filtered by “dcerpc”

and searched using this string: DsRoleUpgradeDownlevelServer.

Q8- Which protocol was used to carry over the exploit?

Q9- Which protocol did the attacker use to download additional malicious files to the target system?

Looking in Zui, I found that there was a protocol for files, and then a file was transferred. I concluded that this protocol was used to transfer a malicious file.

Q10- What is the name of the downloaded malware?

Look in Zui under the “File” label and search by hash in VirusTotal.

I found the name of the malicious file.

Q11- The attacker’s server was listening on a specific port. Provide the port number.

Look in Zui under the “Alert” label.

Q12- When was the involved malware first submitted to VirusTotal for analysis? Format: YYYY-MM-DD

Q13- What is the key used to encode the shellcode?

Q14- What is the port number the shellcode binds to?

These two questions relate to analyzing the malicious file. Download the malicious file and you will find the answers in it if you are experienced in malware analysis.

Q15- The shellcode used a specific technique to determine its location in memory. What is the OS file being queried during this process?

Via VirusTotal.

If you have any comments on this write-up, do not hesitate to contact me on LinkedIn: https://www.linkedin.com/in/mohab-salah/
