Skills Assessment - Zeek

Hi, little hint for the:
There is a file named neutrinogootkit.pcap in the /home/htb-student/pcaps directory, which contains network traffic related to the Neutrino exploit kit sending Gootkit malware. Enter the x509.log field name that includes the “MyCompany Ltd.” trace as your answer.

The question is not about something exact again, so after triggering a Zeek query (based on the previous section), a set of .log files will be created in the directory.

One of these would be the mentioned log, the output is not clearly the answer, and it doesn’t contain the proper answer phrase. Once again students have to discover what the lab’s creator had in mind. So CN=, OU= and so on are related to a certain SSL field or part.

Answer format is “xxxxxxxxxxx.xxxxxxx” without quotation marks, separated by dot.

Most likely if someone is familiar with SSL certs he will know how to answer, otherwise it’s not too obvious.

1 Like

I am lost.

I found the 1467993481.526112 value, but it’s wrong.

Can you help me?

The thing here is not about the values, it’s related to the certificate and its section, so it’s rather word.word; you won’t find the answer in the file.

2 Likes

Thanks, this was helpful.

For those still stuck, try matching up the fields and their corresponding values. Note that fields and values are both separated by spaces. Hint: The first field is ts and corresponds to value 1467993481.526112.

1 Like

Better to vim or nano the x509.log and match the subject that coincides with the "MyCompany Ltd." data. Here is the file:

#separator \x09
#set_separator  ,
#empty_field    (empty)
#unset_field    -
#path   x509
#open   2024-11-09-01-21-04
#fields ts      fingerprint     certificate.version     certificate.serial      certificate.subject     certificate.issuer      certificate.not_valid_before    certificate.not_valid_after     certificate.key_alg     certificate.sig_alg     certificate.key_type    certificate.key_length  certificate.exponent    certificate.curve       san.dns san.uri san.email       san.ip  basic_constraints.ca    basic_constraints.path_len      host_cert       client_cert
#types  time    string  count   string  string  string  time    time    string  string  string  count   string  string  vector[string]  vector[string]  vector[string]  vector[addr]    bool    count   bool    bool
1467993481.526112       1d43976111c0431412f082a311fcc0a42127553a1d3d570a41191ad6678a0207        1       8DA0C3CDC8F770AA        CN=localhost,OU=IT,O=MyCompany Ltd.,L=York,ST=Yorks,C=GB        CN=localhost,OU=IT,O=MyCompany Ltd.,L=York,ST=Yorks,C=GB        1465891530.000000       1497427530.000000       rsaEncryption   sha1WithRSAEncryption   rsa     2048    65537   -       -       -       -       -       -       -       T       F
#close  2024-11-09-01-21-04

It will be under “#fields
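As an added example (not from the thread and not Zeek's own code), here is a small parser that reads the header directives of a Zeek ASCII log (#separator, #set_separator, #unset_field, #empty_field, #fields, #types) and reports which #fields column carries a given string, so the column name comes from the header rather than from guessing at a value. The sample log is constructed from the x509.log quoted above.

```python
# Constructed sample: the x509.log from the thread, re-typed with real tab separators.
SAMPLE_X509_LOG = "\n".join([
    "#separator \\x09", "#set_separator\t,", "#empty_field\t(empty)", "#unset_field\t-", "#path\tx509",
    "#fields\tts\tfingerprint\tcertificate.version\tcertificate.serial\tcertificate.subject"
    "\tcertificate.issuer\tcertificate.not_valid_before\tcertificate.not_valid_after"
    "\tcertificate.key_alg\tcertificate.sig_alg\tcertificate.key_type\tcertificate.key_length"
    "\tcertificate.exponent\tcertificate.curve\tsan.dns\tsan.uri\tsan.email\tsan.ip"
    "\tbasic_constraints.ca\tbasic_constraints.path_len\thost_cert\tclient_cert",
    "#types\ttime\tstring\tcount\tstring\tstring\tstring\ttime\ttime\tstring\tstring\tstring"
    "\tcount\tstring\tstring\tvector[string]\tvector[string]\tvector[string]\tvector[addr]"
    "\tbool\tcount\tbool\tbool",
    "1467993481.526112\t1d43976111c0431412f082a311fcc0a42127553a1d3d570a41191ad6678a0207\t1"
    "\t8DA0C3CDC8F770AA\tCN=localhost,OU=IT,O=MyCompany Ltd.,L=York,ST=Yorks,C=GB"
    "\tCN=localhost,OU=IT,O=MyCompany Ltd.,L=York,ST=Yorks,C=GB\t1465891530.000000"
    "\t1497427530.000000\trsaEncryption\tsha1WithRSAEncryption\trsa\t2048\t65537"
    "\t-\t-\t-\t-\t-\t-\t-\tT\tF", "#close\t2024-11-09-01-21-04",
])


def parse_zeek_log(text):
    """Parse a Zeek ASCII (TSV) log into (field_names, records): dicts keyed by #fields
    name; unset columns become None, vector/set columns become lists."""
    sep, hdr, records = "\t", {}, []
    for line in text.splitlines():
        if line.startswith("#separator "):  # written escaped (\x09): no separator known yet
            sep = line[len("#separator "):].encode().decode("unicode_escape")
        elif line.startswith("#"):  # #set_separator, #unset_field, #fields, #types, #close, ...
            key, _, value = line[1:].partition(sep)
            hdr[key] = value
        elif line:  # a record: one value per #fields column, in header order
            fields, types, values = hdr["fields"].split(sep), hdr["types"].split(sep), line.split(sep)
            if len(values) != len(fields):
                raise ValueError(f"expected {len(fields)} columns, got {len(values)}")
            unset, empty = hdr.get("unset_field", "-"), hdr.get("empty_field", "(empty)")
            rec, set_sep = {}, hdr.get("set_separator", ",")
            for name, typ, raw in zip(fields, types, values):
                is_vec = typ.startswith(("vector[", "set["))
                if raw == unset:
                    rec[name] = None
                elif is_vec:
                    rec[name] = [] if raw == empty else raw.split(set_sep)
                else:
                    rec[name] = "" if raw == empty else raw
            records.append(rec)
    return hdr["fields"].split(sep), records


def fields_containing(records, needle):
    """Names (in #fields order) of every column whose value contains `needle`."""
    return list(dict.fromkeys(
        name for rec in records for name, value in rec.items()
        if needle in (",".join(value) if isinstance(value, list) else value or "")))
```

Running `fields_containing(parse_zeek_log(SAMPLE_X509_LOG)[1], "MyCompany Ltd.")` names the two certificate columns whose distinguished names carry that organisation, which is the form the question asks for.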