Remotely Exploitative - 3

Category: Celistic

Description

Celestic’s security team believes that after the attackers used EternalBlue, they utilized a reverse TCP connection to gain control over the machine using a tool such as meterpreter.

Which port on the attacker’s machine did this reverse TCP connection call back to?

Flag format: port number used for the reverse TCP connection. Example: 4444

Write-up

  • To locate the network logs associated with the reverse TCP connection, we can modify our filter by swapping the source and destination IP addresses: destination.ip == 50.19.212.156 && source.ip == 10.111.10.65. The IP addresses were obtained from the information provided in the Remotely Exploitative - 2 scenario.
  • Applying this filter narrowed the network traffic down to two packets in the Suricata Alerts - Logs table of the Suricata Alerts dashboard.
  • By examining these packets, we identified the source ports used, namely 445 and 42871.
  • The high port number 42871, which appears random and is not a standard service port, suggests its association with the reverse TCP connection established during the attack.
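As an added example (not part of the original write-up), the same triage carried out over Suricata EVE JSON lines instead of the dashboard: filter alerts to the victim-to-attacker IP pair, collect the distinct source ports, and separate well-known service ports from high ports. The log records below are constructed for illustration; only the two IP addresses and the source ports 445 and 42871 come from the write-up, and the alert signatures and remaining port values are placeholders.

```python
import json
from typing import Dict, Iterable, List

WELL_KNOWN_MAX = 1023  # ports 0-1023 are assigned to standard services

# Constructed Suricata EVE JSON records, not the challenge's own data.
# Only the two IP addresses and the source ports 445 / 42871 come from the write-up.
SAMPLE_EVE_LINES = [
    json.dumps({"event_type": "alert", "proto": "TCP",
                "src_ip": "50.19.212.156", "src_port": 51233,
                "dest_ip": "10.111.10.65", "dest_port": 445,
                "alert": {"signature": "CONSTRUCTED inbound SMB alert"}}),
    json.dumps({"event_type": "alert", "proto": "TCP",
                "src_ip": "10.111.10.65", "src_port": 445,
                "dest_ip": "50.19.212.156", "dest_port": 51233,
                "alert": {"signature": "CONSTRUCTED SMB response alert"}}),
    json.dumps({"event_type": "alert", "proto": "TCP",
                "src_ip": "10.111.10.65", "src_port": 42871,
                "dest_ip": "50.19.212.156", "dest_port": 443,
                "alert": {"signature": "CONSTRUCTED outbound connection alert"}}),
    json.dumps({"event_type": "alert", "proto": "UDP",
                "src_ip": "10.111.10.65", "src_port": 40000,
                "dest_ip": "8.8.8.8", "dest_port": 53,
                "alert": {"signature": "CONSTRUCTED unrelated DNS alert"}}),
    # A non-alert flow record: the dashboard table only lists alerts, so drop it.
    json.dumps({"event_type": "flow", "proto": "TCP",
                "src_ip": "10.111.10.65", "src_port": 42871,
                "dest_ip": "50.19.212.156", "dest_port": 443}),
    "not json at all",  # malformed line the parser must tolerate
]


def parse_eve(lines: Iterable[str]) -> List[Dict]:
    """Parse EVE JSON lines, skipping blank or malformed ones."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def alerts_between(events: List[Dict], src_ip: str, dest_ip: str) -> List[Dict]:
    """Equivalent of the dashboard filter
    destination.ip == <dest_ip> && source.ip == <src_ip>, restricted to alerts."""
    return [e for e in events
            if e.get("event_type") == "alert"
            and e.get("src_ip") == src_ip
            and e.get("dest_ip") == dest_ip]


def source_ports(events: List[Dict]) -> List[int]:
    """Distinct source ports of the given events, sorted ascending."""
    return sorted({e["src_port"] for e in events if "src_port" in e})


def split_ports(ports: Iterable[int]) -> Dict[str, List[int]]:
    """Separate well-known service ports (0-1023) from high ports."""
    return {
        "well_known": [p for p in ports if p <= WELL_KNOWN_MAX],
        "high": [p for p in ports if p > WELL_KNOWN_MAX],
    }


def triage(lines: Iterable[str], victim_ip: str, attacker_ip: str) -> Dict[str, List[int]]:
    """Filter victim->attacker alerts and bucket their source ports."""
    events = parse_eve(lines)
    matching = alerts_between(events, victim_ip, attacker_ip)
    return split_ports(source_ports(matching))


if __name__ == "__main__":
    print(triage(SAMPLE_EVE_LINES, "10.111.10.65", "50.19.212.156"))
```

Running the block on the constructed records yields {'well_known': [445], 'high': [42871]}: the SMB response traffic shows up on 445, and the single remaining high source port is the one the write-up singles out. The same functions work on a real eve.json by passing `open("eve.json")` as the line source.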

Flag: 42871