Modify wording of puzzle pages; fix ircd service bug

This commit is contained in:
Neale Pickett 2011-01-06 08:43:40 -07:00
parent 563aef3205
commit 8744a4b2f6
17 changed files with 2 additions and 75 deletions

View File

@ -43,7 +43,7 @@ EOF
<form action="/puzzler.cgi" method="post" accept-charset="utf-8">
<input type="hidden" name="c" value="$cat">
<input type="hidden" name="p" value="$points">
Team:<input name="t" size="8">
Team hash:<input name="t" size="8">
Answer:<input name="a" size="20">
<input type="submit" value="submit">
</form>

View File

@ -1,13 +0,0 @@
You have suspicions that a certain windows box has been infected by a Trojan. You have been given access to a memory image from this box.<A href="http://10.1.1.2/10/xp-laptop-2005-06-25.img">xp-laptop-2005-06-25.img</A> Use the memory image to determine if the machine has been infected.
</BR>
In order to answer the questions:
</BR>
- Determine if the machine has been infected.
</BR>
- If it has not been infected, list "no" as your answer.
</BR>
- If it has been infected, list the process name of the Trojan
</BR>
HINT: You know from googling that the Trojan uses the passWD.log file.

View File

@ -1 +0,0 @@
lsass.exe

View File

@ -1,2 +0,0 @@
What is the method of attack?
<A href="http://10.1.1.2/100/evilUser.dmp">image file</A>

View File

@ -1 +0,0 @@
dll injection

View File

@ -1,15 +0,0 @@
You are currently employed as a SW engineer at KELCY INC. One of your clients has informed you that $10,000 has been deducted from their accounts from an authorized user. They have delivered a software image for you to investigate. Determine if the machine has been compromised.
</BR>
In order to answer the questions:
</BR>
- Determine if the machine has been compromised.
</BR>
- If it has not been compromised, list "no" as your answer.
</BR>
- If it has been compromised, list the file name (with its extension) being used by the malicious software
</BR>
<A href="http://10.1.1.2/20/winxppro.vmem">winxppro.vmem</A>

View File

@ -1 +0,0 @@
klog.txt

View File

@ -1,2 +0,0 @@
What is the name of what was injected?
<A href="http://10.1.1.2/100/evilUser.dmp">image file</A>

View File

@ -1 +0,0 @@
winsecur.dll

View File

@ -1,10 +0,0 @@
SA Dumas from the Albuquerque FBI Cyber Squad has alerted you that Antoniette Balls (Iranian postdoc with a username of "aballs@tipmeover.org") working at the lab has been in contact with Iranian Jihad organization. Find the code that she is transmitting to the Iranian Jihad Organization.
<A href="http://10.1.1.2/250/ntds.dit">AD database</A>
<BR>
<BR>
To: Help Desk,
Subject: Here is the .dit file for the domain controller as requested. Let me know if you need anything else.
Ask for Gary:
505.452.6718
505.280.8668

View File

@ -1 +0,0 @@
Dirka Dirka

View File

@ -1,12 +0,0 @@
Determine which file has been winrared in this archive.
</BR>
</BR>
In order to answer the questions:
</BR>
- List the file name (including extension) of the file that has been winrared
</BR>
<A href="http://10.1.1.2/400/Snapshot7_winrarChallenge.vmem">image file</A>
<A href="http://10.1.1.2/400/topSecret.rar">rar file</A>

View File

@ -1 +0,0 @@
avatar.txt

View File

@ -1,11 +0,0 @@
You know that a machine has been comprimised. There is a malicious piece of software that logs all key strokes from a computer's keyboard. Find the driver associated with the malicious piece of software.
</BR>
</BR>
In order to answer the questions:
</BR>
- List the driver name with its full path
</BR>
<A href="http://10.1.1.2/20/winxppro.vmem">winxppro.vmem</A>

View File

@ -1 +0,0 @@
C:\WINDOWS\system32\klog.sys

View File

@ -1 +0,0 @@
$(eval $(call STANDARD_PUZZLE, forensics))

View File

@ -1,4 +1,4 @@
#! /bin/sh
exec 2>&1
exec /opt/ngircd/bin/ngircd --config ./ngircd.conf --nodaemon
exec /opt/ircd/bin/ngircd --config ./ngircd.conf --nodaemon