# Trident Lab

Q1) The attacker conducted a port scan on the victim machine. How many open ports did the attacker find?

```
tcp.flags.syn == 1 && tcp.flags.ack == 0
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FC5X2tELyFHyDBLsPORZI%2FScreenshot.png?alt=media&#x26;token=b6521336-65af-4944-a80b-c377a7c768a7" alt=""><figcaption></figcaption></figure>

The attacker's IP address is 192.168.112.128. If the victim responds to an open port, it will reply with packets containing the SYN and ACK flags. Let's filter for these responses.

```
tcp.flags.syn == 1 && tcp.flags.ack == 1 && ip.dst == 192.168.112.128
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FFxOloWE720fQWbdBaqQL%2FScreenshot(1).png?alt=media&#x26;token=1c6c1c32-8402-42f6-a87e-6c1570bd9476" alt=""><figcaption></figcaption></figure>

Or using NetworkMiner.

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FyYYTJeePONKVdDdftjF5%2FScreenshot(3).png?alt=media&#x26;token=655b717a-3f9a-4446-8519-9ebf0d8d5d5f" alt=""><figcaption></figcaption></figure>

Answer: 7
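The same two-filter logic in Python, as an added example that is not part of this writeup and does not read the lab's pcap: a SYN without ACK from the attacker is a probe, a SYN+ACK sent back to the attacker is an open port, and an RST+ACK back to the attacker is a closed one. The packet list is constructed sample data and the victim address is an assumption, so the counts differ from the lab's answer of 7.

```python
"""Count the open ports found by a SYN scan from a list of packet records.

Added example, not part of the original writeup or the lab's pcap. It applies
the two display filters from Q1 to TCP records: SYN without ACK from the
attacker marks a probe, SYN+ACK sent back to the attacker marks an open port,
RST+ACK back to the attacker marks a closed one. The packet list below is
constructed sample data; the victim address is an assumption.
"""
from dataclasses import dataclass

ATTACKER = "192.168.112.128"  # attacker IP from the writeup
VICTIM = "192.168.112.139"    # constructed, not from the lab


@dataclass(frozen=True)
class Tcp:
    """One TCP segment, reduced to the fields the filters need."""
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False
    rst: bool = False


def probes(pkts, attacker=ATTACKER):
    """tcp.flags.syn == 1 && tcp.flags.ack == 0 && ip.src == attacker"""
    return [p for p in pkts if p.syn and not p.ack and p.src == attacker]


def open_ports(pkts, attacker=ATTACKER):
    """tcp.flags.syn == 1 && tcp.flags.ack == 1 && ip.dst == attacker.

    Returns the distinct (host, port) pairs that answered with SYN+ACK; the
    set drops retransmitted replies so each open port is counted once.
    """
    return sorted({(p.src, p.sport) for p in pkts
                   if p.syn and p.ack and p.dst == attacker})


def closed_ports(pkts, attacker=ATTACKER):
    """RST+ACK back to the scanner: the port was probed but closed."""
    return sorted({(p.src, p.sport) for p in pkts
                   if p.rst and p.ack and p.dst == attacker})


def probe_summary(pkts, attacker=ATTACKER):
    """Counts a responder would report for the scan: probed, open, closed."""
    probed = {p.dport for p in probes(pkts, attacker)}
    return {
        "probed": len(probed),
        "open": len(open_ports(pkts, attacker)),
        "closed": len(closed_ports(pkts, attacker)),
    }


def _probe(port):
    return Tcp(ATTACKER, VICTIM, 40000 + port, port, syn=True)


def _synack(port):
    return Tcp(VICTIM, ATTACKER, port, 40000 + port, syn=True, ack=True)


def _rstack(port):
    return Tcp(VICTIM, ATTACKER, port, 40000 + port, ack=True, rst=True)


# Constructed capture: eight probes, three open ports (22, 80, 445), one
# retransmitted SYN+ACK on port 80, and an unrelated SYN from a third host
# that the ip.src / ip.dst conditions must exclude.
SAMPLE = (
    [_probe(p) for p in (21, 22, 80, 135, 443, 445, 3389, 8080)]
    + [_synack(22), _synack(80), _synack(80), _synack(445)]
    + [_rstack(p) for p in (21, 135, 443, 3389, 8080)]
    + [Tcp("192.168.112.1", ATTACKER, 51000, 22, syn=True)]
)

if __name__ == "__main__":
    print(probe_summary(SAMPLE))  # {'probed': 8, 'open': 3, 'closed': 5}
```

Counting SYN+ACK replies rather than SYN probes is what makes the number reliable: the probe list tells you what the scanner tried, while the reply set tells you what the victim actually exposed, and deduplicating on (host, port) keeps a retransmitted reply from inflating the count.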

Q2) What is the victim's email address?

```
smtp
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FJaRQbpLR1INRTpLCSfrQ%2FScreenshot(4).png?alt=media&#x26;token=cff54e97-8414-4585-b232-d5720c70460a" alt=""><figcaption></figcaption></figure>

Or using NetworkMiner.

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2F6QeXFXjSQ1dpD2wx2gxR%2FScreenshot(5).png?alt=media&#x26;token=341ab9e3-18d3-4037-a783-7d7541181dce" alt=""><figcaption></figcaption></figure>

Answer: <joshua@cyberdefenders.org>

Q3) The malicious document file contains a URL to a malicious HTML file. Provide the URL for this file.

```
http.request.method == GET and ip.dst == 192.168.112.128
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FKlR2gkj8LgRkwR9CfBpO%2FScreenshot(6).png?alt=media&#x26;token=12b89488-7e9e-4483-8d31-535b4d8bd93d" alt=""><figcaption></figcaption></figure>

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FiEjzSftsVWh5Ffi5MVv5%2FScreenshot(7).png?alt=media&#x26;token=b368ac44-66eb-4946-bddb-fac792b0ae6b" alt=""><figcaption></figcaption></figure>

Answer: <http://192.168.112.128/word.html>

Q4) What is the Microsoft Office version installed on the victim machine?

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FaHYt68etB7ZuN8PeY7C8%2FScreenshot(9).png?alt=media&#x26;token=50e74b72-bc14-4333-b28a-0bb6c3b4848c" alt=""><figcaption></figcaption></figure>

Answer: 15.0.4517

Q5) The malicious HTML contains JavaScript code that points to a malicious CAB file. Provide the URL to the CAB file.

```
http.request.method == GET and ip.dst == 192.168.112.128
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FFtpnVLx27fsLFRbV4omT%2FScreenshot(10).png?alt=media&#x26;token=a2a04399-0174-4554-a5d3-5aa1e63a1190" alt=""><figcaption></figcaption></figure>

Alternatively, we can download the file and perform a search within it.

```bash
grep -i ".cab" word.html
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2F7M382Z8jgpqGYxsNGsi5%2FScreenshot(12).png?alt=media&#x26;token=2e488eb4-082a-49d3-9b4a-d87091535d7d" alt=""><figcaption></figcaption></figure>

Answer: <http://192.168.112.128/word.cab>

Q6) The exploit takes advantage of a CAB vulnerability. Provide the vulnerability name.

From the CVE-2021-40444 proof-of-concept repository at <https://github.com/klezVirus/CVE-2021-40444>:

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FjuacxZrBCcEBcpAPXk4n%2FScreenshot(13).png?alt=media&#x26;token=9a75490d-d5df-4c9f-8e6e-13cdb01e895b" alt=""><figcaption></figcaption></figure>

Answer: zipslip
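The check that a safe extractor runs against archive member names before writing anything, as an added example that is not taken from this writeup or from the linked CVE-2021-40444 repository. It builds an archive in memory (zip rather than CAB, because the Python standard library can write one; the name check is the same for CAB members) with constructed traversal and absolute-path entries, then reports the members that would land outside the extraction directory. The extraction directory and member names are constructed sample values.

```python
"""Flag archive members whose names escape the extraction directory (zip slip).

Added example, not from the original writeup or the CVE-2021-40444 PoC. An
archive member name is just a string chosen by whoever built the archive; an
extractor that joins it to the target directory without checking the result
will write wherever '..' or an absolute path points. This check resolves each
name against the target and rejects anything that resolves outside it.
"""
import io
import os
import zipfile


def escapes_target(member_name, target_dir):
    """True if target_dir/member_name resolves outside target_dir."""
    target = os.path.realpath(target_dir)
    name = member_name.replace("\\", "/")
    # An absolute name or a drive-letter prefix escapes regardless of the join.
    if name.startswith("/") or ":" in name.split("/")[0]:
        return True
    candidate = os.path.realpath(os.path.join(target, *name.split("/")))
    return os.path.commonpath([target, candidate]) != target


def unsafe_members(zip_bytes, target_dir):
    """Member names that a plain extraction would write outside target_dir."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if escapes_target(n, target_dir)]


def build_sample_archive():
    """Constructed archive: two benign members, two that escape the target."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", b"<w:document/>")
        zf.writestr("../../../Users/Public/evil.inf", b"[Version]")   # traversal name
        zf.writestr("/etc/cron.d/evil", b"* * * * * root id")       # absolute name
        zf.writestr("sub/../ok.txt", b"stays inside after normalisation")
    return buf.getvalue()


TARGET = "/tmp/extract"  # constructed extraction directory, never created here

if __name__ == "__main__":
    for name in unsafe_members(build_sample_archive(), TARGET):
        print("unsafe member:", name)
```

Resolving with realpath on both sides matters: the target itself may be a symlink (on macOS /tmp is one), and comparing an unresolved target against a resolved candidate would flag every member. A member like `sub/../ok.txt` is allowed because it still lands inside the target after normalisation; only names whose resolved path leaves the directory are rejected.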

Q7) Analyzing the DLL file, what is the API used to write the shellcode into the process memory?

```bash
strings word.cab
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FNuO941FtZfZT3TR9fDwK%2FScreenshot(14).png?alt=media&#x26;token=0cb59a93-2343-4898-9598-376dcba77591" alt=""><figcaption></figcaption></figure>

Answer: WriteProcessMemory

