Day 1: Baby APT
This is the most wonderful time of the year, but not for Santa's incident response team.
Since Santa went digital, everyone can write a letter to him using his brand new website.
Apparently an APT group hacked their way into Santa's server and destroyed his present list.
Could you investigate what happened?
We are presented with a pcap file to download called
There are a lot of TCP and HTTP packets. We can simply follow the TCP streams. Most of them show an exploitation attempt and the evidence it left behind.
We can see that the attacker managed to perform some form of command injection into the Drupal application.
Scrolling through the various streams, only the last one stands out.
Hmm. Some fun commands from the attacker!
Let's base64-decode it to find out what was sent.
echo SFRCezBrX24wd18zdjNyeTBuM19oNHNfdDBfZHIwcF8wZmZfdGgzaXJfbDN0dDNyc180dF90aDNfcDBzdF8wZmYxYzNfNGc0MW59 | base64 -d
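As an added example (not part of the original writeup), here is a small Python helper that does the same decoding step over a whole followed TCP stream instead of one pasted token: it finds base64-looking runs, decodes the ones that yield printable text, and picks out anything shaped like an HTB flag. The HTTP request it scans is a constructed sample built around the token quoted above; the host, path and parameter name are assumptions.

```python
import base64
import binascii
import re
import string

# Base64 runs of at least 20 chars; shorter runs are mostly noise (cookies, ids).
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")

# The token quoted in the writeup, reused inside the constructed stream below.
FLAG_TOKEN = "SFRCezBrX24wd18zdjNyeTBuM19oNHNfdDBfZHIwcF8wZmZfdGgzaXJfbDN0dDNyc180dF90aDNfcDBzdF8wZmYxYzNfNGc0MW59"

# Constructed sample of a followed TCP stream: a request that pipes a base64
# blob into "base64 -d", the pattern seen in the last stream of the pcap.
SAMPLE_STREAM = (
    "POST /index.php HTTP/1.1\r\n"
    "Host: santa.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Cookie: PHPSESSID=abc123\r\n\r\n"
    f"cmd=echo {FLAG_TOKEN} | base64 -d\r\n"
)


def decode_base64_tokens(stream: str) -> list[tuple[str, str]]:
    """Return (token, decoded_text) for every base64 run that decodes to printable ASCII."""
    findings = []
    for match in B64_TOKEN.finditer(stream):
        token = match.group(0)
        # Tolerate stripped padding, since the trailing '=' is often dropped in payloads.
        padded = token + "=" * (-len(token) % 4)
        try:
            raw = base64.b64decode(padded, validate=True)
        except (binascii.Error, ValueError):
            continue  # looked like base64 but is not valid
        try:
            text = raw.decode("ascii")
        except UnicodeDecodeError:
            continue  # binary payload, needs separate handling
        if all(ch in string.printable for ch in text):
            findings.append((token, text))
    return findings


def find_flags(stream: str) -> list[str]:
    """Decoded strings shaped like an HTB flag, the artifact this challenge is after."""
    return [text for _, text in decode_base64_tokens(stream)
            if re.fullmatch(r"HTB\{[^}]*\}", text)]


if __name__ == "__main__":
    for token, text in decode_base64_tokens(SAMPLE_STREAM):
        print(f"{token[:24]}... -> {text}")
```

Feeding it the text of each stream from "Follow TCP Stream" lets you triage every stream in one pass rather than decoding tokens by hand.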