Trident Lab
Last updated
Q1) The attacker conducted a port scan on the victim machine. How many open ports did the attacker find?
The attacker's IP address is 192.168.112.128. When the attacker's SYN reaches an open port, the victim replies with a packet carrying both the SYN and ACK flags; a closed port answers with RST/ACK instead. Filter for SYN/ACK packets sent to the attacker and count the distinct source ports, since a retransmitted reply would otherwise be counted twice.
Or using NetworkMiner.
Answer: 7
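The same check done programmatically, as an added example that is not part of the original writeup: a minimal pcap parser that pulls the TCP flags out of each segment and collects the distinct victim ports that replied SYN/ACK to the scanner. The capture is constructed inline (the victim address 192.168.112.139, the port numbers and the retransmitted reply are assumptions for the sample, not values from the lab's pcap); the attacker address is the one the lab gives. Point `iter_tcp` at the real capture's bytes to get the lab's count.

```python
import struct

ATTACKER = "192.168.112.128"   # scanner address given in the lab
VICTIM = "192.168.112.139"     # ASSUMPTION: constructed victim address for the sample capture

SYN, RST, ACK = 0x02, 0x04, 0x10


def _ipv4(addr):
    return bytes(int(octet) for octet in addr.split("."))


def tcp_frame(src, dst, sport, dport, flags):
    """Build an Ethernet/IPv4/TCP frame with no payload (checksums left zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"                       # dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0,    # ports, seq, ack
                      5 << 4, flags, 8192, 0, 0)           # data offset, flags, window, csum, urg
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0,
                     64, 6, 0, _ipv4(src), _ipv4(dst))     # ttl, proto=TCP, csum, addresses
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap frames in a classic little-endian pcap (linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in enumerate(frames):
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out


def iter_tcp(pcap):
    """Yield (src, dst, sport, dport, flags) for every TCP segment in a pcap."""
    if struct.unpack_from("<I", pcap, 0)[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian pcap")
    pos = 24
    while pos < len(pcap):
        _, _, caplen, _ = struct.unpack_from("<IIII", pcap, pos)
        pos += 16
        frame = pcap[pos:pos + caplen]
        pos += caplen
        if frame[12:14] != b"\x08\x00" or frame[14 + 9] != 6:   # IPv4 carrying TCP only
            continue
        ihl = (frame[14] & 0x0F) * 4
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        tcp = frame[14 + ihl:]
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        yield src, dst, sport, dport, tcp[13]


def open_ports(pcap, attacker):
    """Distinct ports that answered the scanner with SYN/ACK (RST/ACK means closed)."""
    ports = set()
    for src, dst, sport, dport, flags in iter_tcp(pcap):
        if dst == attacker and (flags & (SYN | ACK)) == (SYN | ACK) and not flags & RST:
            ports.add(sport)
    return sorted(ports)


# Constructed capture: two open ports (445 answered twice, a retransmission), one closed.
SAMPLE_PCAP = build_pcap([
    tcp_frame(ATTACKER, VICTIM, 40001, 80, SYN),
    tcp_frame(VICTIM, ATTACKER, 80, 40001, SYN | ACK),
    tcp_frame(ATTACKER, VICTIM, 40002, 445, SYN),
    tcp_frame(VICTIM, ATTACKER, 445, 40002, SYN | ACK),
    tcp_frame(VICTIM, ATTACKER, 445, 40002, SYN | ACK),      # retransmitted reply
    tcp_frame(ATTACKER, VICTIM, 40003, 8080, SYN),
    tcp_frame(VICTIM, ATTACKER, 8080, 40003, RST | ACK),     # closed port
])

if __name__ == "__main__":
    print(open_ports(SAMPLE_PCAP, ATTACKER))   # [80, 445]
```

The equivalent Wireshark display filter is `ip.dst == 192.168.112.128 && tcp.flags.syn == 1 && tcp.flags.ack == 1`; the set-based dedup in `open_ports` is what keeps a retransmitted SYN/ACK from inflating the count.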
Q2) What is the victim's email address?
Or using NetworkMiner.
Answer: joshua@cyberdefenders.org
Q3) The malicious document file contains a URL to a malicious HTML file. Provide the URL for this file.
Answer: http://192.168.112.128/word.html
Q4) What is the Microsoft Office version installed on the victim machine?
Answer: 15.0.4517
Q5) The malicious HTML contains JavaScript code that points to a malicious CAB file. Provide the URL of the CAB file.
Alternatively, we can download the file and perform a search within it.
Answer: http://192.168.112.128/word.cab
Q6) The exploit takes advantage of a CAB vulnerability. Provide the vulnerability name.
From https://github.com/klezVirus/CVE-2021-40444
Answer: zipslip
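What "Zip Slip" means for a CAB file, as an added example that is neither the lab's material nor code from the linked repository: a minimal parser for the CFHEADER/CFFILE tables that lists every entry name and flags the ones that would escape the extraction directory (a `..` path component, a leading slash, or a drive prefix). The sample cabinet and its entry names (`readme.txt`, `../payload.inf`) are constructed here for illustration; the real `word.cab` from the lab can be passed to `traversal_entries` as bytes.

```python
import struct

CFHEADER = "<IIIIIBBHHHHH"   # fields after the "MSCF" signature (32 bytes)
CFFOLDER = "<IHH"            # coffCabStart, cCFData, typeCompress
CFFILE = "<IIHHHH"           # cbFile, uoffFolderStart, iFolder, date, time, attribs
UTF_NAME = 0x80              # attribs bit: szName is UTF-8


def build_sample_cab(names, payload=b"\x00" * 8):
    """Constructed single-folder, uncompressed CAB holding one entry per name."""
    cffile, offset = b"", 0
    for name in names:
        cffile += struct.pack(CFFILE, len(payload), offset, 0, 0x5321, 0x0000, 0x20)
        cffile += name.encode() + b"\x00"
        offset += len(payload)
    block = payload * len(names)
    cfdata = struct.pack("<IHH", 0, len(block), len(block)) + block   # checksum left zero
    coff_files = 36 + 8                                                # after CFHEADER + one CFFOLDER
    coff_cabstart = coff_files + len(cffile)
    header = b"MSCF" + struct.pack(CFHEADER, 0, coff_cabstart + len(cfdata), 0,
                                   coff_files, 0, 3, 1, 1, len(names), 0, 0x1234, 0)
    return header + struct.pack(CFFOLDER, coff_cabstart, 1, 0) + cffile + cfdata


def list_cab_entries(data):
    """Walk the CFFILE table and return (name, size, folder) per entry."""
    if data[:4] != b"MSCF":
        raise ValueError("not a CAB file")
    fields = struct.unpack_from(CFHEADER, data, 4)
    coff_files, c_files = fields[3], fields[8]   # header tells us where CFFILEs start
    entries, pos = [], coff_files
    for _ in range(c_files):
        cb_file, _, i_folder, _, _, attribs = struct.unpack_from(CFFILE, data, pos)
        pos += struct.calcsize(CFFILE)
        end = data.index(b"\x00", pos)
        name = data[pos:end].decode("utf-8" if attribs & UTF_NAME else "latin-1")
        pos = end + 1
        entries.append((name, cb_file, i_folder))
    return entries


def traversal_entries(data):
    """Names that would escape the extraction directory (Zip Slip style)."""
    flagged = []
    for name, _, _ in list_cab_entries(data):
        parts = name.replace("\\", "/").split("/")
        absolute = name.startswith(("/", "\\")) or (len(parts[0]) == 2 and parts[0][1] == ":")
        if absolute or ".." in parts:
            flagged.append(name)
    return flagged


# Constructed sample: one benign entry and one with a "../" prefix (names are illustrative).
SAMPLE_CAB = build_sample_cab(["readme.txt", "../payload.inf"])

if __name__ == "__main__":
    print(traversal_entries(SAMPLE_CAB))   # ['../payload.inf']
```

Reading `coffFiles` from the header rather than assuming a fixed layout keeps the walk correct when the optional reserve fields or previous/next cabinet names are present; only the name check itself is what an extractor has to get right before joining the entry name onto its output directory.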
Q7) Analyzing the DLL file, what is the API used to write the shellcode into the process memory?
Answer: WriteProcessMemory