THM Hacking Diary 56 - Advent of Cyber 2024: Day 20

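The machine is suspected to have been compromised, so filter the traffic by the victim machine's IP.

A few things stand out as unusual:

Following the stream shows:

As well as: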

What was the first message the payload sent to Mayor Malware’s C2?
I am in Mayor!

What was the IP address of the C2 server?
10.10.123.224

What was the command sent by the C2 server to the target machine?
whoami

What was the filename of the critical file exfiltrated by the C2 server?
credentials.txt

What secret message was sent back to the C2 in an encrypted format through beacons?
THM_Secret_101