DFIR CTF

Nic Graham

Context

Training | Challenging | Learning

I designed this CTF for the British Army to train the next generation of DFIR specialists.


A wide range of experience was expected, from experienced threat hunters to sysadmins with no DFIR knowledge, therefore the questions were deliberately made to lead the competing teams through their investigation.

I also provided a one-day training package covering:

  • Fundamentals
    • Cyber kill chain, NTFS theory, process hierarchy
  • Tools
    • Autopsy, Volatility, Wireshark, HxD
  • Artefacts
    • MACB, processes, prefetch

Creation

Exploits | Intent | Scenario


I planned for two vulnerabilities providing escalated privileges on the victim machine, one web and one remote buffer overflow. The web attack was a simple RFI in a custom-made PHP site, and the overflow had a public proof-of-concept exploit released within the Metasploit framework.

These relatively simple attacks would leave good artefacts in the evidence, keeping the challenge accessible to less experienced competitors. Some artefacts were deliberately obfuscated to raise the difficulty: ports already in use by other processes were reused for the attacker's connections, and the attacker repeated the exploitation process after "accidentally" killing a reverse shell.
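The two obfuscations described above (a reused port number and a re-run of the exploit after the first shell died) both show up in a memory image's connection table. The following is an added triage helper, not part of the CTF package or its walkthrough. It parses constructed sample lines in the column layout of Volatility 2's netscan output (the process names, addresses and ports are assumptions for illustration, not values from the CTF evidence) and surfaces two candidates for analyst review: port numbers touched by more than one process image, and remote endpoints that several different PIDs connected out to.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of Volatility 2's netscan output
# (offset, proto, local, foreign, state, pid, owner). Not taken from the
# CTF evidence; names and addresses are assumptions for illustration.
SAMPLE_NETSCAN = """\
0x1e3a0b0 TCPv4 0.0.0.0:80        0.0.0.0:0        LISTENING   1240 httpd.exe
0x1e3c2d0 TCPv4 10.0.2.15:80      10.0.2.4:49812   ESTABLISHED 1240 httpd.exe
0x1e41f00 TCPv4 0.0.0.0:6667      0.0.0.0:0        LISTENING   1388 chatsrv.exe
0x1e44a10 TCPv4 10.0.2.15:6667    10.0.2.4:49850   ESTABLISHED 1388 chatsrv.exe
0x1e4c880 TCPv4 10.0.2.15:49999   10.0.2.4:6667    ESTABLISHED 2104 cmd.exe
0x1e4f330 TCPv4 10.0.2.15:50012   10.0.2.4:6667    CLOSED      2104 cmd.exe
0x1e52b70 TCPv4 10.0.2.15:50040   10.0.2.4:6667    ESTABLISHED 2240 cmd.exe
"""

LINE_RE = re.compile(
    r"^(?P<offset>0x[0-9a-f]+)\s+(?P<proto>\w+)\s+"
    r"(?P<laddr>\S+):(?P<lport>\d+|\*)\s+(?P<faddr>\S+):(?P<fport>\d+|\*)\s+"
    r"(?P<state>\S+)\s+(?P<pid>\d+)\s+(?P<owner>\S+)\s*$"
)

# Windows' default dynamic (ephemeral) port range starts at 49152; a local
# port in that range marks the connection as outbound from the victim.
EPHEMERAL_START = 49152


def parse_netscan(text):
    """Parse netscan-style lines into dicts; lines that do not match are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["pid"] = int(d["pid"])
        d["lport"] = None if d["lport"] == "*" else int(d["lport"])
        d["fport"] = None if d["fport"] == "*" else int(d["fport"])
        conns.append(d)
    return conns


def owners_by_port(conns):
    """Map every port number seen on either side to the sorted owning images."""
    owners = defaultdict(set)
    for c in conns:
        for port in (c["lport"], c["fport"]):
            if port:  # skip None ('*') and 0 (the unbound side of a listener)
                owners[port].add(c["owner"])
    return {p: sorted(o) for p, o in owners.items()}


def shared_ports(conns):
    """Ports touched by more than one image: a reused port number hides
    attacker traffic behind a legitimate service's port in a naive filter."""
    return {p: o for p, o in owners_by_port(conns).items() if len(o) > 1}


def repeated_outbound(conns):
    """Remote endpoints that more than one PID connected out to. Several
    PIDs behind one endpoint suggests the session was re-established, as
    when an exploit is re-run after the first reverse shell is killed."""
    by_peer = defaultdict(set)
    for c in conns:
        if c["state"] == "LISTENING" or c["faddr"] in ("0.0.0.0", "*", "::"):
            continue
        if c["lport"] and c["fport"] and c["lport"] >= EPHEMERAL_START:
            by_peer[(c["faddr"], c["fport"])].add(c["pid"])
    return {peer: sorted(p) for peer, p in by_peer.items() if len(p) > 1}


if __name__ == "__main__":
    conns = parse_netscan(SAMPLE_NETSCAN)
    print("ports shared by more than one image:")
    for port, owners in sorted(shared_ports(conns).items()):
        print(f"  {port}: {', '.join(owners)}")
    print("remote endpoints reached by several PIDs:")
    for (ip, port), pids in sorted(repeated_outbound(conns).items()):
        print(f"  {ip}:{port}: PIDs {pids}")
```

On the sample, port 6667 is reported as shared between chatsrv.exe and cmd.exe, and 10.0.2.4:6667 as reached by two different cmd.exe PIDs; both are leads for the analyst to pivot into process and timeline artefacts, not verdicts on their own.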


A scenario was then crafted around the exploited software. The vulnerable website and chat server were repurposed into an individual's CV website, with the attacker being an overzealous co-worker asked to give feedback on it.


Planning complete, a virtual machine was used to capture the evidence. The victim performed some normal administrative tasks to set up some extra challenges, and was then exploited.

Wireshark ran on the victim's machine during the attack to capture network traffic, while the disk and memory images were taken directly from the virtualisation suite.

Try it yourself

Identify | Hunt | Attribute


Click the button to download the training package, questions, evidence and walkthrough.

Some evidence files contain reverse shells; no other malware is present.

  • Size: 3.86 GB
  • MD5: 2b75e0869cf6a23c55b8c98a56015af0
  • SHA1: 90a2ef3960218c3be97f4e0e26f88429237b076e
  • SHA256: 703c97fa20e259cb638bf38830b68003916f525f89d39356d24b0951a70bc45b
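Before unpacking a multi-gigabyte evidence archive it is worth confirming that the download matches the published digests. The script below is an added example, not part of the CTF package: it streams the file once through MD5, SHA1 and SHA256 together and reports any algorithm whose digest disagrees with the values listed above (copied from this page). The file path is supplied on the command line; nothing else is assumed.

```python
import hashlib
import sys

# Published digests of the CTF package, copied from the page above.
EXPECTED = {
    "md5": "2b75e0869cf6a23c55b8c98a56015af0",
    "sha1": "90a2ef3960218c3be97f4e0e26f88429237b076e",
    "sha256": "703c97fa20e259cb638bf38830b68003916f525f89d39356d24b0951a70bc45b",
}


def digest_stream(chunks, algorithms=("md5", "sha1", "sha256")):
    """Feed an iterable of byte chunks through every hash in one pass,
    so a large archive is read from disk only once."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_bytes(data):
    """Digests of an in-memory byte string (handy for self-checks)."""
    return digest_stream([data])


def digest_file(path, chunk_size=1 << 20):
    """Digests of a file, read in 1 MiB chunks."""
    with open(path, "rb") as f:
        return digest_stream(iter(lambda: f.read(chunk_size), b""))


def compare_digests(actual, expected):
    """Names of the algorithms whose digests disagree; an empty list means
    every published digest matched. Comparison is case-insensitive."""
    return [name for name, value in expected.items()
            if actual.get(name, "").lower() != value.lower()]


def verify_package(path, expected=EXPECTED):
    """Hash the file at `path` and return the list of mismatching algorithms."""
    return compare_digests(digest_file(path), expected)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} <downloaded package>")
    actual = digest_file(sys.argv[1])
    mismatches = compare_digests(actual, EXPECTED)
    for name, value in actual.items():
        status = "MISMATCH" if name in mismatches else "ok"
        print(f"{name:7}{value}  {status}")
    sys.exit(1 if mismatches else 0)
```

A non-zero exit status on any mismatch makes the check usable from a script that fetches the package before a training session; a partial or corrupted download fails all three digests, while a single disagreeing algorithm would point at a typo in the recorded value rather than at the file.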