We need you 3/5
Category: Forensics
80 points
We know for sure that this server allowed to connect to infected machines. Can you check if a connection was instantiated?
Author: Worty
Format: Hero{IP:Port}
Solution
This is continuation of We need you 2/5 challenge.
~/git/volatility3/vol.py -f capture.mem windows.netstat
Volatility 3 Framework 1.0.1
Progress: 100.00 PDB scanning finished
Offset Proto LocalAddr LocalPort ForeignAddr ForeignPort State PID Owner Created
0x85441538 TCPv4 10.0.2.15 49159 146.59.156.82 4444 ESTABLISHED 3296 nc.exe -
0x85fbf1f0 TCPv4 0.0.0.0 135 0.0.0.0 0 LISTENING 748 svchost.exe N/A
0x85fbf1f0 TCPv6 :: 135 :: 0 LISTENING 748 svchost.exe N/A
0x85fbfce8 TCPv4 0.0.0.0 135 0.0.0.0 0 LISTENING 748 svchost.exe N/A
0x860173b0 TCPv4 10.0.2.15 139 0.0.0.0 0 LISTENING 4 System N/A
0x861acc28 TCPv4 0.0.0.0 445 0.0.0.0 0 LISTENING 4 System N/A
0x861acc28 TCPv6 :: 445 :: 0 LISTENING 4 System N/A
0x861d6db8 TCPv4 0.0.0.0 5357 0.0.0.0 0 LISTENING 4 System N/A
0x861d6db8 TCPv6 :: 5357 :: 0 LISTENING 4 System N/A
0x85fcdd90 TCPv4 0.0.0.0 49152 0.0.0.0 0 LISTENING 408 wininit.exe N/A
0x85fcdd90 TCPv6 :: 49152 :: 0 LISTENING 408 wininit.exe N/A
0x85fcd9a0 TCPv4 0.0.0.0 49152 0.0.0.0 0 LISTENING 408 wininit.exe N/A
0x86007aa0 TCPv4 0.0.0.0 49153 0.0.0.0 0 LISTENING 800 svchost.exe N/A
0x86007aa0 TCPv6 :: 49153 :: 0 LISTENING 800 svchost.exe N/A
0x85fff4c0 TCPv4 0.0.0.0 49153 0.0.0.0 0 LISTENING 800 svchost.exe N/A
0x860b59c8 TCPv4 0.0.0.0 49154 0.0.0.0 0 LISTENING 976 svchost.exe N/A
0x860b59c8 TCPv6 :: 49154 :: 0 LISTENING 976 svchost.exe N/A
0x860b5008 TCPv4 0.0.0.0 49154 0.0.0.0 0 LISTENING 976 svchost.exe N/A
0x86121500 TCPv4 0.0.0.0 49155 0.0.0.0 0 LISTENING 492 services.exe N/A
0x86121500 TCPv6 :: 49155 :: 0 LISTENING 492 services.exe N/A
0x861217d0 TCPv4 0.0.0.0 49155 0.0.0.0 0 LISTENING 492 services.exe N/A
0x862c9b38 TCPv4 0.0.0.0 49156 0.0.0.0 0 LISTENING 500 lsass.exe N/A
0x862c9b38 TCPv6 :: 49156 :: 0 LISTENING 500 lsass.exe N/A
0x862c9910 TCPv4 0.0.0.0 49156 0.0.0.0 0 LISTENING 500 lsass.exe N/A
0x862e72d0 TCPv4 0.0.0.0 49159 0.0.0.0 0 LISTENING - - N/A
0x861e8598 UDPv4 10.0.2.15 137 * 0 4 System 2021-04-19 17:17:38.000000
0x86213298 UDPv4 10.0.2.15 138 * 0 4 System 2021-04-19 17:17:38.000000
0x86021230 UDPv6 fe80::61b0:3a44:7ba4:e7df 1900 * 0 1456 svchost.exe 2021-04-19 17:19:34.000000
0x8627cb10 UDPv6 ::1 1900 * 0 1456 svchost.exe 2021-04-19 17:19:34.000000
0x87d07240 UDPv4 10.0.2.15 1900 * 0 1456 svchost.exe 2021-04-19 17:19:34.000000
0x86294aa0 UDPv4 127.0.0.1 1900 * 0 1456 svchost.exe 2021-04-19 17:19:34.000000
0x862c9c68 UDPv4 0.0.0.0 3702 * 0 1456 svchost.exe 2021-04-19 17:17:44.000000
0x862c9c68 UDPv6 :: 3702 * 0 1456 svchost.exe 2021-04-19 17:17:44.000000
0x8625a660 UDPv4 0.0.0.0 3702 * 0 1456 svchost.exe 2021-04-19 17:17:44.000000
0x8625a660 UDPv6 :: 3702 * 0 1456 svchost.exe 2021-04-19 17:17:44.000000
0x8628bd10 UDPv4 0.0.0.0 3702 * 0 1456 svchost.exe 2021-04-19 17:17:44.000000
0x8615b008 UDPv4 0.0.0.0 3702 * 0 1456 svchost.exe 2021-04-19 17:17:44.000000
0x86095d78 UDPv4 0.0.0.0 5355 * 0 1188 svchost.exe 2021-04-19 17:17:42.000000
0x86095d78 UDPv6 :: 5355 * 0 1188 svchost.exe 2021-04-19 17:17:42.000000
0x862be550 UDPv4 0.0.0.0 5355 * 0 1188 svchost.exe 2021-04-19 17:17:42.000000
0x919fff50 UDPv6 ::1 51920 * 0 1456 svchost.exe 2021-04-19 17:19:34.000000
0x86078008 UDPv4 127.0.0.1 51921 * 0 1456 svchost.exe 2021-04-19 17:19:34.000000
0x861d2a00 UDPv4 0.0.0.0 56556 * 0 1456 svchost.exe 2021-04-19 17:17:35.000000
0x861d23e8 UDPv4 0.0.0.0 56557 * 0 1456 svchost.exe 2021-04-19 17:17:35.000000
0x861d23e8 UDPv6 :: 56557 * 0 1456 svchost.exe 2021-04-19 17:17:35.000000
0x8658d5a0 UDPv4 127.0.0.1 61225 * 0 3504 iexplore.exe 2021-04-19 17:23:25.000000
0x852277f0 UDPv4 127.0.0.1 62647 * 0 3404 iexplore.exe 2021-04-19 17:23:26.000000
The most suspicious tcp connection was made by netcat to 146.59.156.82:4444.
Flag
Hero{146.59.156.82:4444}