New DFIR challenge post

Here’s a challenge I created for the Lansing ISSA chapter annual Netwars event back in April. I’ve been meaning to post it for a while now and am finally getting around to it. This is different then most of the challenges I have done as this is based off a linux server compromise. Some may find it far more easier then previous ones, but never the less, here it is.

Once you download the .iso image you will be able to boot it in VMWare or Virtual Box (both have been tested). The challenge evidence files should be found on the desktop.

Login information:
Username: analyst
Password: issa2013

You can download the iso here:

As always, if you have any suggestions on how I can make these better, please let me know.

I will post the answers in a few weeks, but here are the questions.

1. What time did the attack begin?

2. What was the initial indicator?

3. What tool was used to scan the webserver?

4. What application was exploited to compromise the webserver?

5. What was the ip address of the attacker that compromised the webserver?

6. Were there any additional ip addresses used in the attack? If so, what are they?

7. What file was initially placed on the machine by the attacker

8. What directory was it located in?

9. What allowed the upload of that file?

10. What was the first operating system command executed by the attacker?

11. How did the attacker attempt to escalate privileges?

12. What was the timestamp that privilege escalation was attempted?

13. Is the machine still at risk for this method of privilege escalation? Why?

14. What files were placed on the webserver by the attacker?

15. How was the attacker able to place each file on the machine?

16. What additional tool was placed on the machine that gave the attacker direct access?

17. How did the attacker access this tool?

18. What did the attacker take from the webserver?

19: What are the md5 hashes of all the files taken?

20. What directory was created by the attacker?

21. What are the contents of this directory?

22. Was the attacker able to successfully execute the tool in this directory? How do you know?

23. What was the exact netstat command that was executed at Fri Feb 08 2013 18:53:37? What ports were listening based on the output from that command?

24. How was the attacker able to gain access to the database credentials?

25. List the points of remediation that need to occur as a result of the analysis performed.


One thought on “New DFIR challenge post

  1. Pingback: DFIR Challenge – ISSA 2013 – My Answers |

Comments are closed.