the card

A great introductory challenge into forensics. All you need is a browser, a text editor and ability to read. (I mean...that is pretty important)

  • Difficulty: Easy

  • Narrative:

Holmes receives a breadcrumb from Dr. Nicole Vale - fragments from a string of cyber incidents across Cogwork-1. Each lead ends the same way: a digital calling card signed JM.

tldr;

| # | question | flag | tldr |
|---|---|---|---|
| 1 | Analyze the provided logs and identify what is the first User-Agent used by the attacker against Nicole Vale's honeypot. (string) | Lilnunc/4A4D - SpecterEye | First line of access.log - initial recon user-agent |
| 2 | It appears the threat actor deployed a web shell after bypassing the WAF. What is the file name? (filename.ext) | temp_4A4D.php | Found in application.log and waf.log - web shell deployment logs |
| 3 | The threat actor also managed to exfiltrate some data. What is the name of the database that was exfiltrated? (filename.ext) | database_dump_4A4D.sql | Found in waf.log and access.log - large file download with database pattern |
| 4 | During the attack, a seemingly meaningless string seems to be recurring. Which one is it? (string) | 4A4D | Appears in user-agents, filenames, beacon IDs - threat actor's signature |
| 5 | OmniYard-3 (formerly Scotland Yard) has granted you access to its CTI platform. Browse to the first IP:port address and count how many campaigns appear to be linked to the honeypot attack. | 5 | CTI Graph portal - search honeypot indicators, count connected campaign nodes |
| 6 | How many tools and malware in total are linked to the previously identified campaigns? (number) | 9 | CTI Graph - count tools + malware across all 5 campaigns (2+1+2+2+2) |
| 7 | It appears that the threat actor has always used the same malware in their campaigns. What is its SHA-256 hash? (sha-256 hash) | 7477c4f5e6d7c8b9a0f1e2d3c4b5a6f7e8d9c0b1a2f3e4d5c6b7a8f9e0d17477 | CTI Graph - most frequent malware hash across campaigns |
| 8 | Browse to the second IP:port address and use the CogWork Security Platform to look for the hash and locate the IP address to which the malware connects. (Credentials: nvale/CogworkBurning!) | 74.77.74.77 | Security Platform - search hash, check Network section for C2 IP |
| 9 | What is the full path of the file that the malware created to ensure its persistence on systems? (/path/filename.ext) | /opt/lilnunc/implant/4a4d_persistence.sh | Security Platform - same malware page, check persistence details |
| 10 | Finally, browse to the third IP:port address and use the CogNet Scanner Platform to discover additional details about the TA's infrastructure. How many open ports does the server have? | 11 | CogNet Scanner - search C2 IP, count open services in device card |
| 11 | Which organization does the previously identified IP belong to? (string) | SenseShield MSP | CogNet Scanner - same device page, check WHOIS/ownership info |
| 12 | One of the exposed services displays a banner containing a cryptic message. What is it? (string) | He's a ghost I carry, not to haunt me, but to hold me together - NULLINC REVENGE | CogNet Scanner - check service banners for cryptic message |

what do we have?

We were given 3 portals for investigation.

Portals

CTI Graph

  • Features: Graph analysis of threat campaigns, indicators, tools, and malware

  • Used for: Mapping attack campaigns and counting linked threats (Flags 5-7)

Okay, let's see what we are provided with before reading the questions.

Logs

access.log

  • User-Agent strings (identifies the client making the request to the server)

  • GET/POST requests

  • File downloads (like database_dump_4A4D.sql)

  • Response codes and file sizes

  • Timestamps and source IPs

  • e.g.,

2025-05-01 08:23:12 121.36.37.224 - - [01/May/2025:08:23:12 +0000] "GET /robots.txt HTTP/1.1" 200 847 "-" "Lilnunc/4A4D - SpecterEye"
2025-05-01 08:23:45 121.36.37.224 - - [01/May/2025:08:23:45 +0000] "GET /sitemap.xml HTTP/1.1" 200 2341 "-" "Lilnunc/4A4D - SpecterEye"
...

waf.log

Contains: Web Application Firewall (WAF) detection and bypass logs

  • Web shell deployment detection

  • Database download attempts

  • Beacon callback activity

  • Rule bypasses by the attacker

  • e.g.,

2025-05-01 08:23:12 [INFO] waf.scanner - IP 121.36.37.224 - Rule: RECONNAISSANCE_DETECTION - Action: MONITOR - Sequential resource enumeration pattern detected
2025-05-01 08:24:12 [WARN] waf.scanner - IP 121.36.37.224 - Rule: ADMIN_PATH_ACCESS - Action: BLOCK - Attempt to access administrative endpoints
...

application.log

Contains: Application-level security events and critical alerts

  • Web shell deployment commands

  • Backdoor creation events

  • Cron job installations

  • Debug endpoint abuse

  • Critical security violations

  • e.g.,

2025-05-01 08:23:12 [INFO] webapp.security.scanner - Potential reconnaissance detected from 121.36.37.224 - sequential resource enumeration
2025-05-01 08:24:12 [WARN] webapp.auth.handler - Failed login attempt from 121.36.37.224 - invalid endpoint access
...

Now that we know the basics of those log files, let's go through each question.

solulu

flag 1

Analyze the provided logs and identify what is the first User-Agent used by the attacker against Nicole Vale’s honeypot. (string)

  • If you read the log definitions above (hehe), our focus should be on access.log to find the User-Agent, and we quickly confirm the answer is on the very first line.

Flag: Lilnunc/4A4D - SpecterEye

flag 2

It appears the threat actor deployed a web shell after bypassing the WAF. What is the file name? (filename.ext)

As mentioned, this time we will be reading the web application firewall log (waf.log), since we need to look for a web shell event. And voila, it indeed detected that a web shell was created, and the file name was recorded too (how did our system detect it? magic, idk).

  • In the application.log

  • In the waf.log

Flag: temp_4A4D.php

flag 3

The threat actor also managed to exfiltrate some data. What is the name of the database that was exfiltrated? (filename.ext)

After staging data through the shell, large downloads follow. The WAF and access logs call out the loot:

  • In the waf.log

  • In the access.log

Flag: database_dump_4A4D.sql

Alternative: grep those log files for anything related to "database".

flag 4

During the attack, a seemingly meaningless string seems to be recurring. Which one is it? (string)

We see the string 4A4D repeated over and over again across flags 1 - 3. This is what makes it interesting; I love the reference in this question. The answer is simply hex --> ASCII of JM (yea...him). I absolutely choked when I realized the reference.

Convert each hex pair to decimal:

  • 4A hex = (4 × 16) + (10) = 64 + 10 = 74 (J)

  • 4D hex = (4 × 16) + (13) = 64 + 13 = 77 (M)

Flag: 4A4D
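As an added example (not part of the original write-up), here is a small Python parser for the access.log format quoted above that automates the flag 1, 3 and 4 lookups instead of eyeballing or grepping. The log text is constructed from the two recon lines quoted above plus one made-up download record; the attacker IP 121.36.37.224 is the one shown in the samples, and the size threshold and extension list are assumptions.

```python
import re
from collections import Counter

# Matches the access.log format quoted in this write-up: an ISO-style timestamp followed by a
# Combined Log Format record (client IP, bracketed date, request line, status, size, referer, UA).
ACCESS_RE = re.compile(
    r'^(?P<ts>\S+ \S+) (?P<ip>\S+) \S+ \S+ \[(?P<date>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: the two recon lines quoted above plus a made-up download record.
SAMPLE_ACCESS_LOG = """\
2025-05-01 08:23:12 121.36.37.224 - - [01/May/2025:08:23:12 +0000] "GET /robots.txt HTTP/1.1" 200 847 "-" "Lilnunc/4A4D - SpecterEye"
2025-05-01 08:23:45 121.36.37.224 - - [01/May/2025:08:23:45 +0000] "GET /sitemap.xml HTTP/1.1" 200 2341 "-" "Lilnunc/4A4D - SpecterEye"
2025-05-01 09:10:02 121.36.37.224 - - [01/May/2025:09:10:02 +0000] "GET /uploads/database_dump_4A4D.sql HTTP/1.1" 200 5242880 "-" "Mozilla/5.0"
"""

def parse_access_log(text):
    """Return one dict per well-formed line; malformed lines are skipped rather than fatal."""
    records = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
            records.append(rec)
    return records

def first_user_agent(records, attacker_ip):
    """Flag 1: earliest User-Agent seen from the attacker IP (the log is in time order)."""
    for rec in records:
        if rec["ip"] == attacker_ip:
            return rec["ua"]
    return None

def suspicious_downloads(records, min_bytes=1_000_000, exts=(".sql", ".db", ".zip", ".tar", ".gz")):
    """Flag 3: successful responses for dump-like files above an (assumed) size threshold."""
    return [rec["path"] for rec in records
            if rec["status"] == "200" and rec["size"] >= min_bytes
            and rec["path"].lower().endswith(exts)]

def recurring_token(records, min_len=4):
    """Flag 4: most frequent mixed letter/digit token in user-agents and paths (skips plain words and numbers)."""
    counts = Counter()
    for rec in records:
        for field in (rec["ua"], rec["path"]):
            for tok in re.findall(r"[A-Za-z0-9]+", field):
                if len(tok) >= min_len and not tok.isalpha() and not tok.isdigit():
                    counts[tok] += 1
    return counts.most_common(1)[0][0] if counts else None
```

Point the same functions at the real access.log to confirm the three flags, and compare the token counter's runner-up list to make sure 4A4D is not just an artifact of the sample.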

flag 5

OmniYard-3 (formerly Scotland Yard) has granted you access to its CTI platform. Browse to the first IP:port address and count how many campaigns appear to be linked to the honeypot attack.

Go to the portal that matches CTI Graph (see portals above). In Graph Analysis, search for temp_4A4D.php and 4A4D, then open the honeypot indicator node.

  • Count connected Campaign nodes.

Flag: 5

flag 6

How many tools and malware in total are linked to the previously identified campaigns? (number)

So, 5 campaigns, right? We have to check what links them. From the campaigns found in Flag 5, enable the Types filter for Tool and Malware and tally them. They have a distinct icon.

  • quantum heist: 1 malware (quantumcoin stealer), 1 tool (quantumkeyx)

  • transport chaos: 1 malware (vehicle chaos engine)

  • civil disruption: 1 tool (1citymap infiltrator), 1 malware (city wide disruption)

  • bio breach: 1 tool (medsys probe), 1 malware (biometric falsier)

  • operation neutral storm: 1 tool (neuro scan pro), 1 malware (neuro storm implant)

Flag: 9

flag 7

It appears that the threat actor has always used the same malware in their campaigns. What is its SHA-256 hash? (sha-256 hash)

I wasn't clicking through each node, so I simply exported the JSON of everything from the shared malware node across campaigns. This SHA appears the most frequently.

  • We will use this hash in Flag 8.

Flag: 7477c4f5e6d7c8b9a0f1e2d3c4b5a6f7e8d9c0b1a2f3e4d5c6b7a8f9e0d17477

Flag 8

Browse to the second IP:port address and use the CogWork Security Platform to look for the hash and locate the IP address to which the malware connects. (Credentials: nvale/CogworkBurning!)

  • Open the portal that shows the CogWork Security (the 2nd one)

  • Log in with nvale / CogworkBurning!.

  • Paste the hash from flag 7 into the search; open the malware page; under Network Communication, note the IP.

Flag: 74.77.74.77

flag 9

What is the full path of the file that the malware created to ensure its persistence on systems? (/path/filename.ext)

In the same malware page, click to see details.

We found a section on File Operations, well that is pretty much our flag. I mean have you read the name of the shell script lol.

Flag: /opt/lilnunc/implant/4a4d_persistence.sh

flag 10

Finally, browse to the third IP:port address and use the CogNet Scanner Platform to discover additional details about the TA's infrastructure. How many open ports does the server have?

Open the portal CogNet Scanner (the 3rd also the last one we were provided). Use the IP from Flag 8 for investigation. Open "Details" to view the "Open Ports", and count them.

Flag: 11 (open ports)

flag 11

Which organization does the previously identified IP belong to? (string)

In the device detail, read ownership/WHOIS section.

Flag: SenseShield MSP

flag 12

One of the exposed services displays a banner containing a cryptic message. What is it? (string)

In the service list, click each service and read the banner; copy the exact text. Make sure you clicked on the Services tab.

Flag (banner): He's a ghost I carry, not to haunt me, but to hold me together - NULLINC REVENGE

case closed.
