A walk outside the sandbox


[CTF] BoE 2 - "Go with the (net)flow"

Recently the Bank of England published a series of challenges on the CyberSecurityChallenge UK website. The first two are the more interesting and realistic ones. I’ll post the description and short answers below. Please avoid looking at the solutions: analyse the artefacts and find the clues yourself first!


A third party claims to have observed communication from your network to a known Command and Control server. Use your traffic analysis skills to determine if a web server on your network has been compromised.

You work in the security team for an Internet hosting company, offering colocation services for customers to install their own devices in your data centre.

You receive notification that, following an Interpol operation to take down a C2 server based in Eastern Europe, an IP address within a range allocated to one such customer has been observed in the C2 server’s log files.

The IP address in the logs ( is allocated to a single customer’s server in the data centre. It is not under your direct control, and as such system logs are not available. However, PCAP data from network taps is available.

The C2 server’s address was not disclosed, but the notification states that traffic is now being blackholed. The takedown occurred just before 1300 GMT on February 13th 2018.

Traffic capture:


Question 1

What evidence exists to confirm C2 communication took place?

  • There is no evidence of C2 communication.
  • Multiple inbound connections from a common source.
  • Multiple outbound sessions to a common destination.
  • Foreign IP addresses accessing the server


Multiple outbound sessions to a common destination

Question 2

How was the host initially compromised?

  • Default passwords were not changed.
  • A web root kit has been deployed.
  • Remote Desktop Services were exploited.
  • SSH service was bruteforced.


SSH service was bruteforced

Question 3

Once the attackers gain access, what happens next?

  • A well known web server exploit.
  • Unexpected outbound HTTP GET request.
  • DoS attack resulting in kernel panic.
  • Use of sudo -i command to escalate privilege.


Unexpected outbound HTTP GET request
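Flow-level triage of the kind Questions 1 to 3 rely on, as an added example that is not part of the original post or the challenge material. It runs over constructed flow records (the real PCAP is not reproduced here) with documentation-range placeholder addresses, and flags the three patterns the answers name: a burst of inbound SSH sessions from one source, the server's first outbound session afterwards, and repeated outbound sessions from the server to a common destination.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records (time, src, dst, dport) standing in for the challenge PCAP;
# addresses are documentation-range placeholders, SERVER is the customer's host.
SERVER = "192.0.2.10"
T0 = datetime(2018, 2, 13, 11, 0, 0)

def at(seconds):
    return T0 + timedelta(seconds=seconds)

FLOWS = (
    [(at(-10), "203.0.113.44", SERVER, 80)]                       # ordinary visitor
    + [(at(2 * i), "198.51.100.7", SERVER, 22) for i in range(6)]  # rapid SSH sessions
    + [(at(40), SERVER, "198.51.100.7", 80)]                       # server fetches a file
    + [(at(300 + 600 * i), SERVER, "198.51.100.200", 443) for i in range(6)]  # periodic callbacks
)

def inbound_bursts(flows, server, dport, min_count, window):
    """Sources with min_count+ sessions to server:dport within `window` seconds (Question 2 pattern)."""
    by_src = defaultdict(list)
    for t, src, dst, port in flows:
        if dst == server and port == dport:
            by_src[src].append(t)
    hits = {}
    for src, times in by_src.items():
        times.sort()
        for i in range(len(times) - min_count + 1):
            if (times[i + min_count - 1] - times[i]).total_seconds() <= window:
                hits[src] = len(times)
                break
    return hits

def outbound_repeats(flows, server, min_sessions):
    """Destinations the server itself keeps contacting: {(dst, port): (sessions, median gap s)} (Question 1)."""
    by_dst = defaultdict(list)
    for t, src, dst, port in flows:
        if src == server:
            by_dst[(dst, port)].append(t)
    result = {}
    for key, times in by_dst.items():
        if len(times) >= min_sessions:
            times.sort()
            gaps = sorted((b - a).total_seconds() for a, b in zip(times, times[1:]))
            result[key] = (len(times), gaps[len(gaps) // 2])
    return result

def first_outbound_after(flows, server, when):
    """Earliest session the server initiates after `when`, e.g. right after the brute force (Question 3)."""
    later = sorted(f for f in flows if f[1] == server and f[0] > when)
    return later[0] if later else None
```

Run against real data, the same three checks would be fed from flow records exported from the capture, with the server address and thresholds adjusted to the environment.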

Question 4

What can you determine about the file downloaded to the web server?

  • The filename is “svchostt.exe”.
  • The file is obfuscated to evade anti-virus.
  • The file is a 32-bit binary executable.
  • The filename is “”.


The filename is “”

Question 5

To what extent is the host compromised?

  • The host has vulnerable UDP interfaces.
  • The host can be accessed from the internet.
  • The host has been used to upload confidential data.
  • The host can be controlled by the attacker.


The host can be controlled by the attacker

Question 6

What is your recommended next step?

  • Restore configuration from backup.
  • Install a firewall at the network boundary.
  • Run an anti-virus scan.
  • Reset all administrator accounts.
  • Isolate the device.


Isolate the device