mirror of https://github.com/dirtbags/moth.git
Modify wording of puzzle pages; fix ircd service bug
This commit is contained in:
parent
563aef3205
commit
8744a4b2f6
|
@ -43,7 +43,7 @@ EOF
|
||||||
<form action="/puzzler.cgi" method="post" accept-charset="utf-8">
|
<form action="/puzzler.cgi" method="post" accept-charset="utf-8">
|
||||||
<input type="hidden" name="c" value="$cat">
|
<input type="hidden" name="c" value="$cat">
|
||||||
<input type="hidden" name="p" value="$points">
|
<input type="hidden" name="p" value="$points">
|
||||||
Team:<input name="t" size="8">
|
Team hash:<input name="t" size="8">
|
||||||
Answer:<input name="a" size="20">
|
Answer:<input name="a" size="20">
|
||||||
<input type="submit" value="submit">
|
<input type="submit" value="submit">
|
||||||
</form>
|
</form>
|
||||||
|
|
|
@ -1,13 +0,0 @@
|
||||||
|
|
||||||
You have suspicions that a certain windows box has been infected by a Trojan. You have been given access to a memory image from this box.<A href="http://10.1.1.2/10/xp-laptop-2005-06-25.img">xp-laptop-2005-06-25.img</A> Use the memory image to determine if the machine has been infected.
|
|
||||||
</BR>
|
|
||||||
In order to answer the questions:
|
|
||||||
</BR>
|
|
||||||
- Determine if the machine has been infected.
|
|
||||||
</BR>
|
|
||||||
- If it has not been infected, list "no" as your answer.
|
|
||||||
</BR>
|
|
||||||
- If it has been infected, list the process name of the Trojan
|
|
||||||
</BR>
|
|
||||||
HINT: You know from googling that the Trojan uses the passWD.log file.
|
|
||||||
|
|
|
@ -1 +0,0 @@
|
||||||
lsass.exe
|
|
|
@ -1,2 +0,0 @@
|
||||||
What is the method of attack?
|
|
||||||
<A href="http://10.1.1.2/100/evilUser.dmp">image file</A>
|
|
|
@ -1 +0,0 @@
|
||||||
dll injection
|
|
|
@ -1,15 +0,0 @@
|
||||||
|
|
||||||
|
|
||||||
You are currently employed as a SW engineer at KELCY INC. One of your clients has informed you that $10,000 has been deducted from their accounts from an authorized user. They have delivered a software image for you to investigate. Determine if the machine has been compromised.
|
|
||||||
</BR>
|
|
||||||
In order to answer the questions:
|
|
||||||
</BR>
|
|
||||||
- Determine if the machine has been compromised.
|
|
||||||
</BR>
|
|
||||||
- If it has not been compromised, list "no" as your answer.
|
|
||||||
</BR>
|
|
||||||
- If it has been compromised, list the file name (with its extension) being used by the malicious software
|
|
||||||
</BR>
|
|
||||||
<A href="http://10.1.1.2/20/winxppro.vmem">winxppro.vmem</A>
|
|
||||||
|
|
||||||
|
|
|
@ -1 +0,0 @@
|
||||||
klog.txt
|
|
|
@ -1,2 +0,0 @@
|
||||||
What is the name of what was injected?
|
|
||||||
<A href="http://10.1.1.2/100/evilUser.dmp">image file</A>
|
|
|
@ -1 +0,0 @@
|
||||||
winsecur.dll
|
|
|
@ -1,10 +0,0 @@
|
||||||
SA Dumas from the Albuquerque FBI Cyber Squad has alerted you that Antoniette Balls (Iranian postdoc with a username of "aballs@tipmeover.org") working at the lab has been in contact with Iranian Jihad organization. Find the code that she is transmitting to the Iranian Jihad Organization.
|
|
||||||
<A href="http://10.1.1.2/250/ntds.dit">AD database</A>
|
|
||||||
<BR>
|
|
||||||
<BR>
|
|
||||||
To: Help Desk,
|
|
||||||
Subject: Here is the .dit file for the domain controller as requested. Let me know if you need anything else.
|
|
||||||
|
|
||||||
Ask for Gary:
|
|
||||||
505.452.6718
|
|
||||||
505.280.8668
|
|
|
@ -1 +0,0 @@
|
||||||
Dirka Dirka
|
|
|
@ -1,12 +0,0 @@
|
||||||
|
|
||||||
Determine which file has been winrared in this archive.
|
|
||||||
</BR>
|
|
||||||
</BR>
|
|
||||||
In order to answer the questions:
|
|
||||||
</BR>
|
|
||||||
- List the file name (including extension) of the file that has been winrared
|
|
||||||
</BR>
|
|
||||||
<A href="http://10.1.1.2/400/Snapshot7_winrarChallenge.vmem">image file</A>
|
|
||||||
<A href="http://10.1.1.2/400/topSecret.rar">rar file</A>
|
|
||||||
|
|
||||||
|
|
|
@ -1 +0,0 @@
|
||||||
avatar.txt
|
|
|
@ -1,11 +0,0 @@
|
||||||
|
|
||||||
You know that a machine has been comprimised. There is a malicious piece of software that logs all key strokes from a computer's keyboard. Find the driver associated with the malicious piece of software.
|
|
||||||
</BR>
|
|
||||||
</BR>
|
|
||||||
In order to answer the questions:
|
|
||||||
</BR>
|
|
||||||
- List the driver name with its full path
|
|
||||||
</BR>
|
|
||||||
<A href="http://10.1.1.2/20/winxppro.vmem">winxppro.vmem</A>
|
|
||||||
|
|
||||||
|
|
|
@ -1 +0,0 @@
|
||||||
C:\WINDOWS\system32\klog.sys
|
|
|
@ -1 +0,0 @@
|
||||||
$(eval $(call STANDARD_PUZZLE, forensics))
|
|
|
@ -1,4 +1,4 @@
|
||||||
#! /bin/sh
|
#! /bin/sh
|
||||||
|
|
||||||
exec 2>&1
|
exec 2>&1
|
||||||
exec /opt/ngircd/bin/ngircd --config ./ngircd.conf --nodaemon
|
exec /opt/ircd/bin/ngircd --config ./ngircd.conf --nodaemon
|
||||||
|
|
Loading…
Reference in New Issue