Furious after learning that they were not on this holiday season's Nice List, a certain elf, heavily influenced by Krampus, turned rogue and set out for revenge. Driven by anger, the elf devised a malicious plan to sabotage Christmas by targeting Santa Claus's most critical asset: his S3 data archive! This repository holds sensitive information, including blueprints for new toys, holiday logistics, toy production schedules and, most importantly, the highly coveted gift list! With Christmas preparations under way, any disruption to this storage could cause chaos across the entire operation, threatening everyone's smooth holiday season. Will the holiday magic survive, or will Christmas end in disappointment?
Category: CLOUD || Level: MEDIUM
Task 1: The Victim Elf shared credentials that allowed the Rogue Elf to access the workstation. What was the Client ID that was shared?
Answer: 95192516
Task 2: What is the IP address of the Rogue Elf used during the attack?
Answer: 146.70.202.35
Task 3: What is the name of the executable the victim ran to enable remote access to their system?
Answer: AA_V3.EXE
Task 4: What time (UTC) did the Rogue Elf connect to the victim's workstation?
Answer: 2024-11-13 12:23:34
Task 5: The Rogue Elf compromised an AWS Access Key. What is the AWS Access Key ID obtained from the victim's workstation?
Answer: AKIA52GPOBQCBFYGAYHI
Task 6: Which S3 bucket did the Rogue Elf target during the incident?
Answer: arctic-archive-freezer
Task 7: Within the targeted S3 bucket, what is the name of the main directory where the files were stored?
Answer: Claus_Operation_Data
Task 8: What time (UTC) did the Rogue Elf disable versioning for the S3 bucket?
Answer: 2024-11-13 15:31:15
Task 9: What is the MITRE ATT&CK Technique ID associated with the method used in Question 8?
Answer: T1490
Task 10: What time (UTC) was the first restore operation successfully initiated for the S3 objects?
Answer: 2024-11-13 15:43:49
Task 11: Which retrieval option did the Rogue Elf use to restore the S3 objects?
Answer: Expedited
Task 12: What is the filename of the S3 object that the Rogue Elf attempted to delete?
Answer: GiftList_Worldwide.csv
Task 13: What is the size (MB) of the S3 object that the Rogue Elf targeted in Question 12?
Answer: 152 (19 ranged GetObject reads of 8388608 bytes, i.e. 8 MiB each; 19 * 8 = 152)
┌──(glmx㉿kali)-[~/Desktop/BlizzardBreakdown/AWS-CloudTrail]
└─$ zcat ./*/*/*/*/*|grep 'GiftList_Worldwide.csv' |jq '.Records.[]|select(.requestParameters.key=="Claus_Operation_Data/gift_lists/GiftList_Worldwide.csv")|{b: .requestParameters.key, a:.additionalEventData.bytesTransferredOut}'
{
"b": "Claus_Operation_Data/gift_lists/GiftList_Worldwide.csv",
"a": 0
}
{
"b": "Claus_Operation_Data/gift_lists/GiftList_Worldwide.csv",
"a": 8388608
}
{
"b": "Claus_Operation_Data/gift_lists/GiftList_Worldwide.csv",
"a": 8388608
}
{
"b": "Claus_Operation_Data/gift_lists/GiftList_Worldwide.csv",
"a": 0
}
{
"b": "Claus_Operation_Data/gift_lists/GiftList_Worldwide.csv",
"a": 8388608
}
{
"b": "Claus_Operation_Data/gift_lists/GiftList_Worldwide.csv",
"a": 8388608
}
{
"b": "Claus_Operation_Data/gift_lists/GiftList_Worldwide.csv",
"a": 8388608
}
{
"b": "Claus_Operation_Data/gift_lists/GiftList_Worldwide.csv",
"a": 8388608
}
{
"b": "Claus_Operation_Data/gift_lists/GiftList_Worldwide.csv",
"a": 8388608
}
{
"b": "Claus_Operation_Data/gift_lists/GiftList_Worldwide.csv",
"a": 8388608
}
{
"b": "Claus_Operation_Data/gift_lists/GiftList_Worldwide.csv",
"a": 8388608
}
{
"b": "Claus_Operation_Data/gift_lists/GiftList_Worldwide.csv",
"a": 8388608
}
{
"b": "Claus_Operation_Data/gift_lists/GiftList_Worldwide.csv",
"a": 8388608
}
{
"b": "Claus_Operation_Data/gift_lists/GiftList_Worldwide.csv",
"a": 8388608
}
{
"b": "Claus_Operation_Data/gift_lists/GiftList_Worldwide.csv",
"a": 8388608
}
{
"b": "Claus_Operation_Data/gift_lists/GiftList_Worldwide.csv",
"a": 8388608
}
{
"b": "Claus_Operation_Data/gift_lists/GiftList_Worldwide.csv",
"a": 8388608
}
{
"b": "Claus_Operation_Data/gift_lists/GiftList_Worldwide.csv",
"a": 8388608
}
{
"b": "Claus_Operation_Data/gift_lists/GiftList_Worldwide.csv",
"a": 8388608
}
{
"b": "Claus_Operation_Data/gift_lists/GiftList_Worldwide.csv",
"a": 8388608
}
{
"b": "Claus_Operation_Data/gift_lists/GiftList_Worldwide.csv",
"a": 8388608
}
{
"b": "Claus_Operation_Data/gift_lists/GiftList_Worldwide.csv",
"a": 505
}
{
"b": "Claus_Operation_Data/gift_lists/GiftList_Worldwide.csv",
"a": 0
}
┌──(glmx㉿kali)-[~/Desktop/BlizzardBreakdown/AWS-CloudTrail]
└─$ zcat ./*/*/*/*/*|grep 'GiftList_Worldwide.csv' |jq '.Records.[]|select(.requestParameters.key=="Claus_Operation_Data/gift_lists/GiftList_Worldwide.csv")|{b: .requestParameters.key, a:.additionalEventData.bytesTransferredOut}'|grep 83
"a": 8388608
"a": 8388608
"a": 8388608
"a": 8388608
"a": 8388608
"a": 8388608
"a": 8388608
"a": 8388608
"a": 8388608
"a": 8388608
"a": 8388608
"a": 8388608
"a": 8388608
"a": 8388608
"a": 8388608
"a": 8388608
"a": 8388608
"a": 8388608
"a": 8388608
┌──(glmx㉿kali)-[~/Desktop/BlizzardBreakdown/AWS-CloudTrail]
└─$ zcat ./*/*/*/*/*|grep 'GiftList_Worldwide.csv' |jq '.Records.[]|select(.requestParameters.key=="Claus_Operation_Data/gift_lists/GiftList_Worldwide.csv")|{b: .requestParameters.key, a:.additionalEventData.bytesTransferredOut}'|grep 83|wc
19 38 285
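Added example, not part of the original write-up: a small Python script that reads the same CloudTrail records the zcat/jq one-liner above does, flags PutBucketVersioning events that set Status=Suspended (the Task 8/9 action, T1490) and sums bytesTransferredOut per key to recover the Task 13 size. The record layout follows CloudTrail's S3 data events as I know them; the SAMPLE records are constructed, with only the bucket name, object key and versioning timestamp taken from the page.

```python
import glob, gzip, json

CHUNK = 8 * 1024 * 1024  # 8388608: the ranged GetObject reads seen in the write-up
KEY = "Claus_Operation_Data/gift_lists/GiftList_Worldwide.csv"

def load_records(pattern):
    """Read every gzipped CloudTrail file matched by a glob (the zcat ./*/*/*/*/* step)."""
    records = []
    for path in glob.glob(pattern, recursive=True):
        with gzip.open(path, "rt") as fh:
            records.extend(json.load(fh).get("Records", []))
    return records

def versioning_suspended(records):
    """(eventTime, bucket) for each PutBucketVersioning that set Status=Suspended (T1490)."""
    hits = []
    for r in records:
        rp = r.get("requestParameters", {})
        if (r.get("eventName") == "PutBucketVersioning"
                and rp.get("VersioningConfiguration", {}).get("Status") == "Suspended"):
            hits.append((r.get("eventTime"), rp.get("bucketName")))
    return hits

def object_size(records, key):
    """Sum bytesTransferredOut over GetObject events for one key -> (total_bytes, full_chunks).
    If each full 8 MiB chunk is a distinct range of one download, the object is
    full_chunks * 8 MiB plus the short tail: the page's 19 * 8 = 152."""
    total, chunks = 0, 0
    for r in records:
        if r.get("eventName") != "GetObject" or r.get("requestParameters", {}).get("key") != key:
            continue
        n = int(r.get("additionalEventData", {}).get("bytesTransferredOut", 0))
        total += n
        chunks += (n == CHUNK)
    return total, chunks

def _rec(name, when, rp=None, **fields):
    """Constructed CloudTrail-shaped record (sample data, not the page's real logs)."""
    r = {"eventName": name, "eventTime": when,
         "requestParameters": {"bucketName": "arctic-archive-freezer", **(rp or {})}}
    r.update(fields)
    return r

# Constructed sample: one versioning suspension, 19 full chunks, a 505-byte tail, a 0-byte read.
SAMPLE = [_rec("PutBucketVersioning", "2024-11-13T15:31:15Z",
               rp={"VersioningConfiguration": {"Status": "Suspended"}})]
SAMPLE += [_rec("GetObject", "2024-11-13T15:50:%02dZ" % i, rp={"key": KEY},
                additionalEventData={"bytesTransferredOut": CHUNK}) for i in range(19)]
SAMPLE += [_rec("GetObject", "2024-11-13T15:50:59Z", rp={"key": KEY},
                additionalEventData={"bytesTransferredOut": n}) for n in (505, 0)]
```

On a real export, replace SAMPLE with load_records("AWS-CloudTrail/**/*.json.gz") and the same two functions give the suspension time and the chunk count for any key.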
Task 14: The Rogue Elf uploaded corrupted files to the S3 bucket. What time (UTC) was the first object replaced during the attack?
Answer: 2024-11-13 16:10:03
Task 15: What storage class was used for the S3 objects to mimic the original settings and avoid suspicion?
Answer: GLACIER
"requestParameters": {
"bucketName": "arctic-archive-freezer",
"Host": "arctic-archive-freezer.s3.us-east-1.amazonaws.com",
"key": "Claus_Operation_Data/AI_HoHoHoliday_Helper_Link.txt",
"x-amz-storage-class": "GLACIER"
},
"responseElements": {
"x-amz-server-side-encryption": "AES256",
"x-amz-storage-class": "GLACIER"
},