
Remotely Exploitative - 1

Category: Celistic

Description

Celestic’s security operations center (SOC) detected a port scan from an external IP address to a machine located on one of their maintenance networks.

Machines on this maintenance network are all on subnet 10.111.10/24 and traffic from this network has been ingested into Malcolm. Celestic’s security team would like your help analyzing this port scan activity and correlating it with any additional malicious traffic.

Which open TCP ports was the port scan able to detect?

Flag format: TCP port numbers, in ascending order, comma delimited. Example: 22,23,8080

Write-up

  • To identify the devices in the maintenance network subnet 10.111.10/24, we refer to the Zeek Known Summary dashboard.
  • Among the devices in that subnet, we find a device named hr_workstation_f with the IP address 10.111.10.65.
  • To gather more information about this device, we apply a filter in our analysis using the following criteria: related.ip == 10.111.10.65.
  • Looking at the open ports on this device, we find that 139, 445, and 3389 stand out as suspicious: Malcolm could not identify the protocol spoken on them, so they appear with an unknown service.

Flag: 139,445,3389
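As an added example (not part of the original write-up, and not Malcolm's or Zeek's own code), the following Python script shows how the same determination can be made from raw Zeek conn.log records instead of from the dashboard. It reads constructed sample records for a SYN scan against 10.111.10.65, picks out the scanning source by the number of distinct destination ports it touched, and classifies each probed port as open, closed, or filtered from Zeek's history string (a responder SYN-ACK, lowercase h, means open; a responder RST, lowercase r, without a SYN-ACK means closed; no responder packet at all means filtered). The scanner address 203.0.113.7, the internal host 10.111.10.30 and every log line are constructed for this example, and the column set is a reduced subset of the real conn.log fields.

```python
"""Classify which TCP ports a scan found open, from Zeek conn.log records.

Added example. The log below is constructed: a SYN scan from 203.0.113.7
(a TEST-NET address standing in for the external scanner) against
10.111.10.65, plus one unrelated internal SMB session.
"""
from collections import defaultdict

# Constructed conn.log excerpt with a reduced field set. Real Zeek TSV logs
# carry more columns; the parser below reads names from the #fields line so
# it works unchanged on the full format.
SAMPLE_CONN_LOG = """\
#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tconn_state\thistory
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tstring\tstring
1700000000.100000\tCa1\t203.0.113.7\t40001\t10.111.10.65\t22\ttcp\t-\tREJ\tSr
1700000000.100500\tCa2\t203.0.113.7\t40002\t10.111.10.65\t80\ttcp\t-\tS0\tS
1700000000.101000\tCa3\t203.0.113.7\t40003\t10.111.10.65\t139\ttcp\t-\tRSTO\tShR
1700000000.101500\tCa4\t203.0.113.7\t40004\t10.111.10.65\t445\ttcp\t-\tRSTO\tShR
1700000000.102000\tCa5\t203.0.113.7\t40005\t10.111.10.65\t3389\ttcp\t-\tRSTO\tShR
1700000000.102500\tCa6\t203.0.113.7\t40006\t10.111.10.65\t8080\ttcp\t-\tREJ\tSr
1700000000.103000\tCa7\t203.0.113.7\t40007\t10.111.10.65\t443\ttcp\t-\tS0\tS
1700000000.200000\tCa8\t10.111.10.30\t51000\t10.111.10.65\t445\ttcp\tsmb\tSF\tShADadFf
"""


def parse_conn_log(text):
    """Yield one dict per record, naming columns from the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other header/metadata lines and blanks
        else:
            yield dict(zip(fields, line.split("\t")))


def classify_port(history):
    """Map a Zeek history string to the scanner's view of the port.

    Lowercase letters are responder-side events: 'h' is a SYN-ACK (port
    open), 'r' is a RST (port closed). No responder letter at all means
    the probe was dropped, i.e. the port looks filtered.
    """
    if "h" in history:
        return "open"
    if "r" in history:
        return "closed"
    return "filtered"


def find_scanners(text, min_ports=5):
    """Return sources that probed at least min_ports distinct TCP ports on one host.

    This is a deliberately simple scan heuristic: one originator touching
    many destination ports on a single responder in the log window.
    """
    ports_by_pair = defaultdict(set)
    for rec in parse_conn_log(text):
        if rec["proto"] == "tcp":
            ports_by_pair[(rec["id.orig_h"], rec["id.resp_h"])].add(rec["id.resp_p"])
    return sorted({orig for (orig, _), ports in ports_by_pair.items()
                   if len(ports) >= min_ports})


def scan_results(text, scanner_ip, target_ip):
    """Group the ports scanner_ip probed on target_ip by open/closed/filtered."""
    result = defaultdict(set)
    for rec in parse_conn_log(text):
        if rec["proto"] != "tcp":
            continue
        if rec["id.orig_h"] != scanner_ip or rec["id.resp_h"] != target_ip:
            continue
        result[classify_port(rec["history"])].add(int(rec["id.resp_p"]))
    return {state: sorted(ports) for state, ports in result.items()}


def open_ports_flag(text, scanner_ip, target_ip):
    """Render the open ports in the challenge's flag format (ascending, comma delimited)."""
    return ",".join(str(p) for p in scan_results(text, scanner_ip, target_ip).get("open", []))


if __name__ == "__main__":
    scanners = find_scanners(SAMPLE_CONN_LOG)
    print("scanning sources:", scanners)
    for src in scanners:
        print(src, "->", scan_results(SAMPLE_CONN_LOG, src, "10.111.10.65"))
        print("flag:", open_ports_flag(SAMPLE_CONN_LOG, src, "10.111.10.65"))
```

On the constructed log this reports 203.0.113.7 as the only scanning source and yields open ports 139, 445 and 3389, closed ports 22 and 8080, and filtered ports 80 and 443; the internal SMB session from 10.111.10.30 is ignored because it is not from the scanner. Relying on the history string rather than only on conn_state is the useful part: a scanner that answers the SYN-ACK with a RST produces RSTO (as here) or similar states, all of which still carry the responder's h.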