NoVA CTF November 2011 Challenge

After taking a few months off, the folks over at NoVA CTF just released a new challenge to the NoVA Hackers list. They gave me permission to republish the challenge here for the rest of the community to enjoy.

A terrible “cyber” attack has taken place but fortunately network sensors captured a pcap of all network activity during this time. Your job, should you choose to accept it, is to examine the pcap and answer the following questions.

  1. Who was the attacker and victim?
  2. What went on before/during/after the attack?
  3. How was the machine exploited?

Here is the pcap file to examine. No prizes or anything but feel free to post your answers in the comments below.



2 comments for “NoVA CTF November 2011 Challenge”

  1. November 18, 2011 at 11:49 pm

    Who was the attacker and victim?

    attacker ==
    victim ==

    What went on before/during/after the attack?

    Before the attack the attacking IP address of tried connecting to the victim IP address on TCP port 4444, the attacker received a TCP reset packet, meaning the victim was not listening on this port thus the port was not open. During the attack the attacker exploited an SMB vulnerability that the victim was vulnerable to, gaining a bind shell to the victim system on over TCP port 4444. The victim stored passwords to webmail and other web services he used in a text file the attacker was able to view. The attacker was also able to view the source code of a rootkit stored on the victim's drive as well as an encryption key of some sorts. After the attacker gained the information from the victim's system he exited the bind shell and disconnected from the victim's system.

    How was the machine exploited?

    The victim’s system was exploited by an SMB/DCERPC vulnerability in the browser service I believe. I can be wrong and I have had 7 beers so my vision is a bit fuzzy lol =) Did my best for a Friday night =) Now to have another beer and relax.

  2. November 19, 2011 at 2:05 pm

    Very nice! Anyone else?
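
The pattern described in the first comment, a TCP port that answers with a reset and later accepts a connection, can be checked mechanically when triaging a capture. The following is an added example, not part of the original post or its comments; the packet record layout, the function name, and the 192.0.2.x addresses are assumptions constructed for illustration.

```python
# Added example: flag listeners that refuse a SYN (RST) and later accept one.
# Records are assumed to be one tuple per TCP packet, e.g. exported from a pcap.
from collections import namedtuple

Pkt = namedtuple("Pkt", "ts src sport dst dport flags")  # flags: set of flag names

def find_newly_opened_ports(packets):
    """Return one finding per (server, port) that first answered a SYN with RST
    and afterwards answered a SYN with SYN/ACK."""
    pending = {}    # (client, cport, server, port) -> time of unanswered SYN
    refused = {}    # (server, port) -> time of first RST reply
    reported = set()
    findings = []
    for p in sorted(packets, key=lambda p: p.ts):
        flags = set(p.flags)
        if flags == {"SYN"}:
            pending[(p.src, p.sport, p.dst, p.dport)] = p.ts
            continue
        key = (p.dst, p.dport, p.src, p.sport)  # reply matched to the SYN it answers
        if key not in pending:
            continue  # not a reply to a tracked connection attempt
        listener = (p.src, p.sport)
        if "RST" in flags:
            del pending[key]
            refused.setdefault(listener, p.ts)
        elif flags == {"SYN", "ACK"}:
            del pending[key]
            if listener in refused and listener not in reported:
                reported.add(listener)
                findings.append({"server": p.src, "port": p.sport, "client": p.dst,
                                 "refused_at": refused[listener], "accepted_at": p.ts})
    return findings

A, V = "192.0.2.10", "192.0.2.20"  # constructed documentation addresses
SAMPLE = [  # constructed packets: refused 4444, SMB session on 445, then 4444 accepts
    Pkt(1.0, A, 40001, V, 4444, {"SYN"}),
    Pkt(1.1, V, 4444, A, 40001, {"RST", "ACK"}),
    Pkt(2.0, A, 40002, V, 445, {"SYN"}),
    Pkt(2.1, V, 445, A, 40002, {"SYN", "ACK"}),
    Pkt(2.2, A, 40002, V, 445, {"ACK"}),
    Pkt(9.0, A, 40003, V, 4444, {"SYN"}),
    Pkt(9.1, V, 4444, A, 40003, {"SYN", "ACK"}),
    Pkt(9.2, A, 40003, V, 4444, {"ACK"}),
]

if __name__ == "__main__":
    for finding in find_newly_opened_ports(SAMPLE):
        print(finding)
```

A port that was always open, such as 445 in the constructed sample, is not reported; only the closed-then-open transition is.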
