SANS 2022 Holiday Hack Challenge & KringleCon | by K O M A L | Jan, 2023

SANS 2022 Holiday Hack Challenge & KringleCon | by K O M A L | Jan, 2023

Let’s dive straight into these suspicious file investigation challenge and answer their questions.

A suspicious pcap file was provided to investigate a malicious network traffic. For anyone who doesn’t have wireshark can use this free online pcap file analyzer for investigation (although having wireshark is best!) –

Below is the wireshark Terminal found inside the Tolkien Ring Cave that I also used for analysing suspicious.pcap file and to answer the questions for this challenge.

Q 1. There are objects in the pcap file that can be exported by the wireshark and/or tshark. What type of objects can be exported from this pcap?

Ans. HTTP – one of the objects(protocols) that can be exported from this pcap is HTTP.

Q 2. What is the file name of the largest file we can export?

Ans. app.php – This was the only largest file found under the HTTP communication

Q 3. What packet number starts the app.php?

Ans. 687 – The server from the IP responded with ‘HTTP/1.1 200 OK’ This is when the app.php was started.

mv ‘pcap challege.pcap’ pcap.pcap

tshark -r ‘pcap.pcap’ | grep -w “(text/html)”

Q 4. What is the IP of the Apache Server?

Ans. – we can see below that this IP is sending out the HTTP 200 OK response to

Q 5. What file is saved to the infected host?

Ans. Ref_Sept24– – Looking at one of the http files, I noticed an incomplete script messsage (missing </script> tag). Upon downloading this http file, it was downloaded as a zip file in my folder named ‘Ref_Sept24–2020’.

Q 6. Attackers used bad TLS certificates in this traffic. Which coutries were they registered to? Submit the names of the countries in alphabetical order separated by commas (Ex: Norway, South Korea).

Ans. Ireland, Israel, South Sudan, United states – Here we looked for the bad certificate(s).

tshark -nr ‘pcap challenge.pcap’ -2 -R “ssl.handshake.certificate” -V | less

Q 7. Is the Host Infected?

Ans. Yes

Solve the mystery around the given powershell event logs and answer some questions. This challenge was solved using the Windows event viewer app.

Q. 1 What Month/Day/Year did the attack take place?

Ans. 12/24/2022 – This is when the highest number of activity took place which deemed suspicious.

Q 2. An attacker got a secret from a file. What was the orginal file’s name?

Ans. Recipe.txt – This was the orginal file found when traced back in the event log viewer app.

Q 3. The content of the previous file were retrieved, changed and stored to a variable by the attacker. This was done multiple times. Submit the last full powershell line that performed only these actions.

Ans. $foo = Get-Content .\Recipe| % {$_ -replace ‘honey’, ‘fish oil’}

Q 4. Afte storing the altered file contents into the variable, the attacker used the variable to run a separate command that wrote the modified data to a file. This was done multiple times. Submit th last full powershell line that performed only this action.

Ans. $foo | Add-Content -Path ‘Recipe’

Q 5. The attacker ran the previous command against one file multiple times. What is the name of the file?

Ans. Recipe.txt

Q 6. Were any files deleted?

Yes – Two files were found to have been deleted. Recipe.txt and receipe_updated.txt

Q 7. Was the original file (from question 2) deleted?

Ans. No – The original file is Recipe (without the extension) and the one we saw was deleted was recipe.txt – Hence, the original file was never deleted.

Q 8. What is the event ID of the logs that shows the actual command lines the attacker typed and ran?

Ans. 4104 – Looking at these two logs, at event ID 40962 we can see the attacker has started the powershell console and at event ID 4104 the attacker executed a remote command.

Q 9. Is the secret ingredient compromised?

Yes. Honey was replaced with fish Oil.

10. What is the secret ingredient?


That’s all Folks! Thanks for reading.


Leave a Reply

Your email address will not be published. Required fields are marked *

fb logo
recover dogecoin from a scam
recover ethereum from a scammer
hire a hacker to hack iphone
hire a hacker to hack snapchat
hire a hacker to hack a windows computer
error: Content is protected !!