Tolkien Ring - Suricatta Regatta Walkthrough

-

"Help detect this kind of malicious activity in the future by writing some Suricata rules. Work with Dusty Giftwrap in the Tolkien Ring to get some hints."

Challenge Difficulty: 3/5 

Progressing further with the challenge after completing Windows Event Logs, we speak to Fitzy shortstacks and we are being asked to write sruicatta rules which will alert on specific traffic. If this is your first introduction to suricatta rules, below is a quick primer before we get to the solutions. Based on the learning from the suricatta site, below is the rule schema


<action>

alert, pass, reject…… - defines the action you would like the system to take when you rule hits the condition

<protocol>

dns, snmp…… - defines on which protocol you would like this rule to be active on

<source>

can be a specific source IP or any

<port>

can be a specific source Port or any

<direction>

 -> -< <>    -defines the direction of the traffic

<destination>

can be a specific source IP or any

<port>

can be a specific source Port or any

<Rule Options>

( msg:"blah", Allows you to define the alert msg

<query object> content:"app.php", allows you to match a specific content in the traffic

Sid – allows to give a signature id to the rule written 

nocase – allows us to not differentiate between uppercase lowercase characters

) 


Now lets answer the questions asked in the terminal.

Red box highlights on the question, where the rest of the note help us with on how to add Suricata rules by using any file editor on suricatta.rules files and after adding validate by running ./rule_checker to see if the added rule is accepted.

 

Terminal question has given us the first rule’s requirements where we can pick DNS traffic towards adv.epostoday.uk, Alert msg “known bad DNS lookup, possible Dridex infection” and there is not specific IP or port numbers given. Using our data schema for suricatta rules, below is the rule for this question.

 

alert dns any any -> any any (msg:”Known bad DNS lookup, possible Dridex infection”; dns.query; content:”adv.epostoday.uk”; nocase; sid:1000;)

 

Question2: 


Highlighted red box contains question 2, where this time we have been asked to write an alert rule for HTTP traffic from specific IP address 192.185.57.242 with a custom msg as indicated in red font. Based on the requirements given, below is the rule for question 2

 

alert http 192.185.57.242 any <> any any (msg:”Investigate suspicious connections, possible Dridex infection”;sid:1001;)

 

Question 3: 


Now the 3rd rule is to match and alert on SSL certificate “heardbellith[.]Icanwepeh[.]nagoya” and provide the msg given as per red font in above screenshot for the TLS protocol. And based on the requirement there is no specific port or IP address that needs to be matched. Based on the given requirements, below is the rule for question 3

 

alert tls any any -> any any (msg:”Investigate bad certificates, possible Dridex infection”; tls.cert_subject; content:”heardbellith.Icanwepeh.nagoya”; nocase;sid:1002;)

 

Question 4:


4th rule request being to Match and alert on HTTP traffic, looking for one line from Javascript “let byteCharacters = atob”, alert with a custom msg as indicated by the red font. Again, no specific IP or ports numbers given. Following is the rule for question 4

 

alert http any any -> any any (msg:”Suspicious JavaScript function, possible Dridex infection”; http.response_body;content:”let byteCharacters = atob”;sid:1003;)


Reference

  • https://suricata.readthedocs.io/en/suricata-6.0.0/rules/intro.html
  • https://suricata.readthedocs.io/en/suricata-6.0.0/rules/http-keywords.html#rules-http-uri-normalization

Tolkien Ring Level Full map



Ring Unlocked !


Tolkien Ring – since this part of the challenge was network based, guess where the names came from – Token ring ;)



Comments

Post a Comment

Popular posts from this blog

SANS Kringlecon 2022 Introduction

-
Image
What Challenges Should You Expect?   This year, the infamously precious 5 Golden Rings have been stolen, and Santa needs your help to recover them. Each ring represents a different quest to defeat cybersecurity obstacles to change the course of the future and defeat holiday treachery:   1. Tolkien Ring (Network Security) - Analyse a PCAP to identify malware, and then analyse logs and create IDS rules to detect such attacks. 2. Elfen Ring (SecDevOps and Supply Chain Attacks) – Identify malicious packages and then attack CI/CD processes to escape a container. 3. Web Ring (Web Application Vulnerabilities and Exploitation) - Identify XML External Entity (XXE) attack and leverage such vulnerabilities to gain access. 4. Cloud Ring (Cloud Security) - Analyse cloud configurations via the command line, identifying possible vulnerabilities and information leakage. 5. Burning Ring of Fire (Cryptocurrency, NFT, and Smart Contract Attacks) - Acquire and spend cryptocurrency, then analyse a
Read more

Tolkien Ring - Wireshark Practice walkthrough

-
Image
By now we should be ready to start out first challenge as part of the Tolkien Ring, which is in relation to Wireshark Difficulty Rating: 1/5 Hints Just have to follow thorough the questions asked in terminal, by analysing the suspicious.pcap file in Wireshark   Solutions 1. What kinds of objects can be exported in the pcap file ?  HTTP Open up suspicious.pcap file in Wireshark, using the export objects option available in Wireshark. Now we can export different types of objects depending on what’s been captured in this pcap. When you choose to export HTTP objects you get to see 3 files, while the export options will be empty.   2. Name of the biggest file you can export ?  app.php (808kB) Within Wireshark in the object export tab for HTTP, you get to see 3 files, among which the biggest file by size 808kb is app.php     3. Packet number where app.php starts ?   687 In the object export tab within Wireshark, first column indicated the starting packet number of the conversation for tha
Read more

Elfen Ring - Prison Escape Walkthrough

-
Image
Prison Escape Challenge Difficulty 3/5 Clone a code repository. Get hints for this challenge from Bow Ninecandle in the Elfen Ring. After completing the Clone with a difference challenge , Getting back on the boat and progressing further through the game, we meet Tinsel Upatree with a terminal named “Prison Escape”, once we click on the terminal we are presented with the following screen that details the challenge and Based on the question, we need to find a hex string that contains the flag that needs to be submitted Seems like we need to find a way to privilege escalate or escape from the limited sandbox to be able to complete the challenge. given we can get linpeas transferred to this system, we will have to manually perform initial enumeration. Based on the above screenshot, Seems like some sort of docker container and now ill have to narrow down the enumeration to docker container escape .  Using the following docker container escape reference cheatsheet, while attempting enumerat
Read more