Secureworks® Counter Threat Unit™ (CTU) researchers created a capture-the-flag (CTF) cyber competition for the 2020 Secureworks Threat Intelligence Summit. Three forensics and open-source intelligence (OSINT) challenges revealed the story of a threat actor compromising a fictitious 1980s rock promotion company named 8Es_Rock. Solving the technical puzzles required beginner to intermediate analysis skills.
Challenge #1: Find the high-value coupon code
“A threat actor compromised an important server at a company called 8Es_Rock. They were after a high-value coupon code. Using the following proxy logs, can you determine what that coupon code was?”
CTU™ researchers provided challenge participants with a file named access.log, which includes proxy logs from the fictitious 8Es_Rock breach. The competitors needed to analyze the web server logs to determine what actions the threat actor took and identify the high-value ‘coupon code’ the actor sought. The proxy logs contain not only the forensic data necessary for this challenge but also data that is useful for solving the other challenges in this series.
The logs show a sequence of sixteen HTTP GET events to the webserver hosted at l00t . tazerup . tk. The URIs end with an encoded string. The last log event in the sequence finishes with a character that signifies the end of Base64-encoded text (see Figure 1).
Figure 1. Challenge #1 logs contained a series of encoded text chunks. (Source: Secureworks)
Concatenating and Base64-decoding the strings reveals a message from 8Es_Rock management to their staff. The note contained coupon codes for an upcoming tour by the band Wang Chung (see Figure 2).
Figure 2. The Base64-decoded text reveals a note and the flag for Challenge ..