
Remotely Exploitative - 2

Category: Celistic

Description

After this port scan occurred, it appears that the attackers utilized a known vulnerability to gain unauthorized access to the machine.

Which vulnerability did the attackers exploit after performing the port scan?

Flag format: full CVE number of exploited vulnerability. Example: if the exploited vulnerability was Log4Shell, the flag would be CVE-2021-44228

Write-up

  • To investigate potential unauthorized access to the machine, we can analyze the Suricata Alerts dashboard.
  • Suricata is a widely used open-source network intrusion detection and prevention system (IDS/IPS) that inspects traffic against signature rules and raises an alert whenever a packet or flow matches a known attack pattern.
  • We start by filtering the alerts based on the IP address of hr_workstation_f, which was obtained in the Remotely Exploitative - 1 task and corresponds to 10.111.10.65.
  • Upon examining the Alerts - Name table, we observed occurrences of the MS17-010 alert.
  • An MS17-010 alert does not prove the host is vulnerable; it fires when traffic to the host matches an exploitation attempt against the Microsoft SMBv1 server flaws patched by security bulletin MS17-010, which allow unauthenticated remote code execution (RCE) over TCP port 445. The alert timestamps should be compared with the port-scan window from the previous task to confirm the ordering the question assumes.
  • MS17-010 is a bulletin that covers several SMBv1 CVEs (CVE-2017-0143 through CVE-2017-0148); the one exploited by EternalBlue, and the one an MS17-010 RCE alert points to, is CVE-2017-0144.
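
The same triage can be done outside Kibana against Suricata's eve.json output. The script below is an added example, not part of the original write-up or the task's dataset: it parses alert records, keeps only those involving the hr_workstation_f address, counts the alert signatures, and pulls any Microsoft bulletin IDs out of the signature names. The eve.json lines (and their signature text) are constructed for the example and are not copied from the task's dashboard.

```python
import json
import re
from collections import Counter

TARGET_IP = "10.111.10.65"  # hr_workstation_f, from Remotely Exploitative - 1

# Constructed sample Suricata eve.json records (one JSON object per line).
# Signature names are illustrative and not taken from the task's dashboard.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2023-05-01T10:00:01.000000+0000","event_type":"flow","src_ip":"10.111.10.200","dest_ip":"10.111.10.65","dest_port":445,"proto":"TCP"}',
    '{"timestamp":"2023-05-01T10:00:02.000000+0000","event_type":"alert","src_ip":"10.111.10.200","dest_ip":"10.111.10.65","dest_port":445,"proto":"TCP","alert":{"signature":"ET SCAN Possible Nmap TCP scan","category":"Attempted Information Leak","severity":2}}',
    '{"timestamp":"2023-05-01T10:01:10.000000+0000","event_type":"alert","src_ip":"10.111.10.200","dest_ip":"10.111.10.65","dest_port":445,"proto":"TCP","alert":{"signature":"ET EXPLOIT Possible MS17-010 SMB RCE Attempt","category":"Attempted Administrator Privilege Gain","severity":1}}',
    '{"timestamp":"2023-05-01T10:01:11.000000+0000","event_type":"alert","src_ip":"10.111.10.200","dest_ip":"10.111.10.65","dest_port":445,"proto":"TCP","alert":{"signature":"ET EXPLOIT Possible MS17-010 SMB RCE Attempt","category":"Attempted Administrator Privilege Gain","severity":1}}',
    '{"timestamp":"2023-05-01T10:02:00.000000+0000","event_type":"alert","src_ip":"10.111.10.200","dest_ip":"10.111.10.77","dest_port":80,"proto":"TCP","alert":{"signature":"ET WEB_SERVER Suspicious User-Agent","category":"Web Application Attack","severity":2}}',
    'this line is not valid json',
]

# Microsoft security bulletin IDs look like MS17-010.
BULLETIN_RE = re.compile(r"\bMS\d{2}-\d{3}\b")


def parse_alerts(lines):
    """Return alert events from eve.json lines, skipping non-alert and malformed records."""
    alerts = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # a truncated or corrupt line should not abort the whole run
        if event.get("event_type") == "alert" and "alert" in event:
            alerts.append(event)
    return alerts


def alerts_for_host(alerts, ip):
    """Keep alerts where the host is either the source or the destination."""
    return [a for a in alerts if ip in (a.get("src_ip"), a.get("dest_ip"))]


def signature_counts(alerts):
    """Equivalent of the dashboard's 'Alerts - Name' table: signature -> hit count."""
    return Counter(a["alert"]["signature"] for a in alerts)


def bulletins_seen(alerts):
    """Set of Microsoft bulletin IDs mentioned in the matched signatures."""
    found = set()
    for a in alerts:
        found.update(BULLETIN_RE.findall(a["alert"]["signature"]))
    return found


if __name__ == "__main__":
    host_alerts = alerts_for_host(parse_alerts(SAMPLE_EVE_LINES), TARGET_IP)
    for sig, n in signature_counts(host_alerts).most_common():
        print(f"{n:3d}  {sig}")
    print("bulletins referenced:", sorted(bulletins_seen(host_alerts)))
```

Against a real eve.json, read the file line by line into `parse_alerts` and compare the alert timestamps with the scan window from the previous task; the bulletin ID still has to be mapped to the specific CVE by hand, since MS17-010 covers more than one.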

Flag: CVE-2017-0144