Div0 Playground — Incident Response Challenges
I've been playing the 5 challenges in the 'Incident Response' zone at the Div0 playground.
Here are some notes and pointers for each of the challenges in case some of you are stuck:
1. Needle in Haystack
This involved using a Kibana interface to answer questions about an incident. This challenge isn't too complicated and provides a chance to experience searching through and manipulating data with Kibana.
I found that some of the challenges were best solved using the 'Visualize' pane, which allows us to aggregate the data in ways that are commonly useful in investigations, such as:
Terms (get the count of each unique value)
Some resources on creating visualisations in Kibana:
2. Forensics I
This challenge involved obtaining a PDF from a disk image and getting the flag from within the PDF.
Some people have reached out to me about difficulties mounting the image, which left them unable to see the file within a filesystem. A small tip: think about an alternative way to obtain a file of a particular type from within a larger file, and about how other tools decide that a file is of a particular type.
Once you obtain the file of the target file type, it should be smooth sailing from there.
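The hint above points at two ideas: file types are recognised by their leading bytes (the same check the `file` utility makes), and a file can be carved out of a larger blob by scanning for that signature and its end marker without ever mounting a filesystem. The following is an added example written for this post, not the challenge's own material; the signature table, the constructed sample "image" and the PDF end-marker heuristic are my assumptions.

```python
import re
from dataclasses import dataclass

# A few magic-number signatures, the same kind of check `file` uses to name a type.
MAGIC = {
    b"%PDF-": "pdf",
    b"\x89PNG\r\n\x1a\n": "png",
    b"PK\x03\x04": "zip",
}

def identify(data: bytes) -> str:
    """Name a file type from its leading bytes, or 'unknown'."""
    for sig, name in MAGIC.items():
        if data.startswith(sig):
            return name
    return "unknown"

@dataclass
class Carved:
    offset: int
    data: bytes

HEADER_RE = re.compile(rb"%PDF-\d\.\d")
TRAILER = b"%%EOF"

def carve_pdfs(blob: bytes) -> list[Carved]:
    """Carve every PDF out of an arbitrary blob (e.g. a raw disk image).

    Each hit runs from a '%PDF-x.y' header to the *last* '%%EOF' found before
    the next header. PDFs with incremental updates carry several %%EOF markers,
    so stopping at the first one would return a truncated (older) revision.
    """
    headers = [m.start() for m in HEADER_RE.finditer(blob)]
    results = []
    for i, start in enumerate(headers):
        limit = headers[i + 1] if i + 1 < len(headers) else len(blob)
        end = blob.rfind(TRAILER, start, limit)
        if end == -1:
            continue  # header with no trailer: truncated file or false positive
        results.append(Carved(start, blob[start:end + len(TRAILER)]))
    return results

# Constructed sample "image": filler bytes, a PNG header, then a tiny two-revision PDF.
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj<</Type/Catalog>>endobj\n"
              b"trailer<</Root 1 0 R>>\n%%EOF\n"
              b"2 0 obj<</Type/Catalog>>endobj\n%%EOF\n")  # incremental update
SAMPLE_IMAGE = b"\x00" * 512 + b"\x89PNG\r\n\x1a\n" + b"\xaa" * 64 + SAMPLE_PDF + b"\xff" * 128

if __name__ == "__main__":
    for hit in carve_pdfs(SAMPLE_IMAGE):
        print(f"pdf at offset {hit.offset}, {len(hit.data)} bytes, type={identify(hit.data)}")
```

On a real image, read the file with `open(path, "rb").read()` (or in chunks for large images) and write each `Carved.data` to its own file before opening it in a PDF reader.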
3. Forensics II
This challenge required using the Volatility memory analysis tool to analyse a Windows memory dump.
For this challenge, I only used Volatility to answer the first question and used Linux utilities for questions 2 and 3. I'm not sure whether this was the intended way to solve them, but reach out if you managed to solve them using Volatility!
4. Forensics III
This challenge was about analysing Firefox artefacts using tools such as firefox_decrypt.py, which has a feature to guess the password for a user's Firefox profile and view saved login information.
I used a little bash scripting to help with the brute-forcing; you might want to read up on basic bash loops as well.
5. Forensics IV
Here we have access to a machine with a running Docker container that has been compromised and had a backdoor added to it.
Once you get a shell on the system, you should notice something peculiar quite soon. Analyse the anomaly with GDB to see what the program needs and what it tries to do. If you are unfamiliar with GDB, you could try analysing the program with a decompiler such as Ghidra to get a better sense of how the program operates.
For the second question, my hint would be to focus on time and try to find the flag based on when it might have appeared.
That's all I have now, happy hacking!
Alternatively, you can find me online: