# First Shift CTF
This guide contains the answers, and the steps necessary to get to them, for the First Shift CTF room.
## Table of contents
- Meet ProbablyFine
- Probably Just Fine
- Phishing Books
- Portal Drop
- Zero Tolerance
- The Crown Jewel
- Promotion Night
## Meet ProbablyFine
- Let's go! Your flag is: THM{first_shift_check_in!}
<details><summary>Click for answer</summary>THM{first_shift_check_in!}</details>
## Probably Just Fine
- What is the ASN number related to the IP?
<details><summary>Click for answer</summary>212238</details>
- Which service is offered from this IP?
<details><summary>Click for answer</summary>vpn</details>
- What is the filename of the file related to the hash?
<details><summary>Click for answer</summary>zY9sqWs.exe</details>
- What is the threat signature that Microsoft assigned to the file?
<details><summary>Click for answer</summary>Trojan:Win32/LummaStealer.PM!MTB</details>
- One of the contacted domains is part of a large malicious infrastructure cluster. Based on its HTTPS certificate, how many domains are linked to the same campaign?
<details><summary>Click for answer</summary>151</details>
- The file matches one of the YARA rules made by "kevoreilly". What line is present in the rule's "condition" field?
<details><summary>Click for answer</summary>uint16(0) == 0x5a4d and any of them</details>
- The file is also mentioned in one of the TI reports. What is the title of the report mentioning this hash?
<details><summary>Click for answer</summary>Behind the Curtain: How Lumma Affiliates Operate</details>
- Which team did the author of the malware start collaborating with in early 2024?
<details><summary>Click for answer</summary>GhostSocks</details>
- A Mexican-based affiliate related to the malware family also uses other infostealers. Which mentioned infostealer targets Android systems?
<details><summary>Click for answer</summary>CraxsRAT</details>
- The report states that the affiliates behind the malware use the services of AnonRDP. Which MITRE ATT&CK sub-technique does this align with?
<details><summary>Click for answer</summary>T1583.003</details>
## Phishing Books
- Which specific check within the headers explains the bypass of email filters? Answer Example: "CHECK=value"
After opening the email analysis report, we can see which checks are not active in the "arc-authentication-results" section.
<details><summary>Click for answer</summary>DMARC=none</details>
- What technique did the attacker use to make the message seem legitimate?
<details><summary>Click for answer</summary></details>
- Which MITRE technique and sub-technique ID best fit this sender address trick?
<details><summary>Click for answer</summary></details>
- What is the file extension of the attached file?
If we open the email in the mail client, we can see the attached file.
<details><summary>Click for answer</summary>.HTML</details>
- What is the MD5 hash of the .HTML file?
We can find this by downloading the attachment and running `md5sum library-invoice.pdf.html`.
<details><summary>Click for answer</summary>442f2965cb6e9147da7908bb4eb73a72</details>
- What is the landing page of the phishing attack?
Since it is an HTML file, we can open it in a browser. Here we see the landing page.
<details><summary>Click for answer</summary>http://lib-service.com:8083</details>
- Which MITRE technique ID was used inside the attached file?
When opening the attachment, we can see that some kind of obfuscation is used. Looking for techniques related to this under "Defense Evasion" gives us the answer.
<details><summary>Click for answer</summary>T1027</details>
- What is the hidden message the attacker left in the file?
We can backtrack the JavaScript commands used to build the message. First it joins the entire array, then it splits the characters, reverses them and joins them again.
<details><summary>Click for answer</summary>I love to phish books from libraries ^^</details>
- Which line in the attached file is responsible for decoding the URL redirect?
This is the line that uses "xanthium".
<details><summary>Click for answer</summary>var src = reversed.split("").reverse().join("");</details>
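As an added example (not code from this write-up or from the CTF room), the following Node.js helper recovers the string that an attachment assembles with the join, split, reverse, join chain described in the two questions above, statically and without opening the attachment in a browser. The sample attachment, the assumption that "xanthium" is the name of the string array, and every URL in it are constructed for the example.

```javascript
// Added example: statically undo the join -> split -> reverse -> join obfuscation
// seen in the phishing attachment, so the decoded text and any URL in it can be
// read (and blocklisted) without executing the attachment's script.

// Pull the string-array literal assigned to `varName` out of the HTML source.
// Assumes a plain identifier and a JSON-compatible array of double-quoted strings.
function extractStringArray(html, varName) {
  const re = new RegExp("var\\s+" + varName + "\\s*=\\s*(\\[[^\\]]*\\])\\s*;");
  const m = html.match(re);
  if (!m) return null;
  try {
    return JSON.parse(m[1]);
  } catch (e) {
    return null; // not a clean string array: treat as undecodable, not as an error
  }
}

// The script joins all chunks and then reverses the whole string character by
// character; doing the same here yields the original text.
function decodeReversedArray(parts) {
  return parts.join("").split("").reverse().join("");
}

// Extract http(s) URLs from the decoded text for the analyst's indicator list.
function extractUrls(text) {
  return text.match(/https?:\/\/[^\s"'<>]+/g) || [];
}

// Analyse one attachment: decoded text plus the URLs it references.
function analyseAttachment(html, varName) {
  const parts = extractStringArray(html, varName);
  if (!parts) return { decoded: null, urls: [] };
  const decoded = decodeReversedArray(parts);
  return { decoded, urls: extractUrls(decoded) };
}

// Constructed sample attachment mimicking the structure the write-up describes
// (array chunks are the reversed target string, split at arbitrary points).
const SAMPLE_ATTACHMENT = `<html><script>
var xanthium = ["3808:moc.elpmaxe.gnidnal//:ptth", " :egap ", "gnidnaL"];
var reversed = xanthium.join("");
var src = reversed.split("").reverse().join("");
</script></html>`;

const result = analyseAttachment(SAMPLE_ATTACHMENT, "xanthium");
console.log(result.decoded); // Landing page: http://landing.example.com:8083
console.log(result.urls);    // [ 'http://landing.example.com:8083' ]
```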
- What is the first URL in the redirect chain?
The decoded URL redirects us through several other URLs. To find the first one, we can navigate to the URL in Firefox and enable persistent logs in the network tab. The first entry we see is the first URL in the redirect chain.
<details><summary>Click for answer</summary>http://xn--librarytlu-13cwe32432-kwr.com:8082</details>
- What is the Threat Actor associated with this malicious file and/or URL?
We can look up the landing page URL in "trydetectme". Be sure to remove the port number and the protocol (lib-service.com).
<details><summary>Click for answer</summary>Cobalt Dickens | Silent Librarian</details>
- What is the main target of this Threat Actor according to MITRE?
We can look for this adversary on the MITRE website to find their primary target.
<details><summary>Click for answer</summary>research and proprietary data</details>
## Portal Drop
- What is the IP address that initiated the brute force on the CRM web portal?
<details><summary>Click for answer</summary></details>
- How many successful and failed logins are seen in the logs? Answer Example: 42, 56
<details><summary>Click for answer</summary></details>
- Following the brute force, which user-agent was used for the file upload?
<details><summary>Click for answer</summary></details>
- What was the name of the suspicious file uploaded by the attacker?
<details><summary>Click for answer</summary></details>
- At what time did the attacker first invoke the uploaded script? Answer Example: 2025-10-24 15:35:50
<details><summary>Click for answer</summary></details>
- What is the first decoded command the attacker ran on the CRM?
<details><summary>Click for answer</summary></details>
- Based on the attacker’s activity on the CRM, which MITRE ATT&CK Persistence sub-technique ID is most applicable?
<details><summary>Click for answer</summary></details>
- Which process image executes attacker commands received from the web?
<details><summary>Click for answer</summary></details>
- What command allowed the attacker to open a bash reverse shell?
<details><summary>Click for answer</summary></details>
- Which Linux user executes the entered malicious commands?
<details><summary>Click for answer</summary></details>
- What sensitive CRM configuration file did the attacker access?
<details><summary>Click for answer</summary></details>
- Which domain was used to exfiltrate the CRM portal database?
<details><summary>Click for answer</summary></details>
- What flag do you get after completing all 12 EDR response actions?
<details><summary>Click for answer</summary></details>
## Zero Tolerance
- What is the hostname where the Initial Access occurred?
<details><summary>Click for answer</summary></details>
- What MITRE sub-technique ID describes the initial code execution on the beachhead?
<details><summary>Click for answer</summary></details>
- What is the full path of the malicious file that led to Initial Access?
<details><summary>Click for answer</summary></details>
- What is the full path to the LOLBin abused by the attacker for Initial Access?
<details><summary>Click for answer</summary></details>
- What is the IP address of the attacker's Command & Control server?
<details><summary>Click for answer</summary></details>
- What is the full path of the process responsible for the C2 beaconing?
<details><summary>Click for answer</summary></details>
- What is the full path that was modified for Persistence on the beachhead host?
<details><summary>Click for answer</summary></details>
- What tool and parameter did the threat actor use for credential dumping?
<details><summary>Click for answer</summary></details>
- The threat actor executed a command to evade defenses. What security parameter did they attempt to change?
<details><summary>Click for answer</summary></details>
- The threat actor used a tool to execute remote commands on other machines. What is the process ID (PID) that executed the remote command?
<details><summary>Click for answer</summary></details>
- At what time did the threat actor pivot from the beachhead to another system? Answer format: YYYY-MM-DD HH:MM:SS
<details><summary>Click for answer</summary></details>
- What is the full path of the PowerShell script used by the threat actor to collect data?
<details><summary>Click for answer</summary></details>
- What are the first 4 file extensions targeted by this script for exfiltration? Answer format: Chronological, comma-separated
<details><summary>Click for answer</summary></details>
- What is the full path to the staged file containing collected files?
<details><summary>Click for answer</summary></details>
## The Crown Jewel
- From which internal IP did the suspicious connection originate?
<details><summary>Click for answer</summary></details>
- What outbound connection was detected as a C2 channel? (Answer example: 1.2.3.4:9996)
<details><summary>Click for answer</summary></details>
- Which MAC address is impersonating the gateway 10.10.10.1?
<details><summary>Click for answer</summary></details>
- What is the non-standard User-Agent hitting the Jira instance?
<details><summary>Click for answer</summary></details>
- How many ARP spoofing attacks were observed in the PCAP?
<details><summary>Click for answer</summary></details>
- What's the payload containing the plaintext creds found in the POST request?
<details><summary>Click for answer</summary></details>
- What domain, owned by the attacker, was used for data exfiltration?
<details><summary>Click for answer</summary></details>
- After examining the logs, which protocol was used for data exfiltration?
<details><summary>Click for answer</summary></details>
## Promotion Night
- What was the network share path where ransomware was placed?
<details><summary>Click for answer</summary></details>
- What is the value the ransomware created to persist on reboot?
<details><summary>Click for answer</summary></details>
- What was the most likely extension of the encrypted files?
<details><summary>Click for answer</summary></details>
- Which MITRE technique ID was used to deploy ransomware?
<details><summary>Click for answer</summary></details>
- What ports of SRV-ITFS did the adversary successfully scan?
<details><summary>Click for answer</summary></details>
- What is the full path to the malware that performed the Discovery?
<details><summary>Click for answer</summary></details>
- Which artifact did the adversary create to persist on the beachhead?
<details><summary>Click for answer</summary></details>
- What is the MD5 hash of the embedded initial shellcode?
<details><summary>Click for answer</summary></details>
- Which C2 framework was used by the adversary in the intrusion?
<details><summary>Click for answer</summary></details>
- What hostname did the adversary log in from on the beachhead?
<details><summary>Click for answer</summary></details>
- What was the UNC path that likely contained AWS credentials?
<details><summary>Click for answer</summary></details>
- From which IP address did the adversary access AWS?
<details><summary>Click for answer</summary></details>
- Which two sensitive files did the adversary exfiltrate from AWS?
<details><summary>Click for answer</summary></details>
- What file did the adversary upload to S3 in place of the wiped ones?
<details><summary>Click for answer</summary></details>