My feedback when I took the exam
First, found out the Router (victim) and Attacker IPs.
a. http.request.method==GET (source IP in GET request is Victim's IP)
In my case: Victim: 10.1.1.2, Attacker: 10.1.1.1
Q1: Select 4 options:
Selected these options:
1. TCP connection from router to 10.1.1.1
2. TCP connection from remote host to router's IP 10.1.1.2 on port 1337.
3. Download of script in memory via HTTP
4. Installment of ransomware via backdoor.
Q2. Select the command which can cause system meltdown:
In my case the answer was the letter "r" (not sudo poweroff)
Method to check the command:
1. In the packet capture, use filter tcp.port==1337
2. Select the first SYN packet and select the 'follow stream' option in the analysis tab in the top right corner in CloudShark (not using the right-click option like in Wireshark)
3. In the stream, select the flow from 10.1.1.1 to 10.1.1.2 --> multiple commands were seen (c, r, q). Note these keywords.
4. Now changed the filter in the capture again to http.request.method==GET and followed the TCP stream like in step 2.
5. In the GET response from 10.1.1.1 to 10.1.1.2, there was a script having the above keywords with a description (or banner message) next to each keyword.
6. In this script, the r keyword had some description like this (don't remember the exact description): Your router is compromised. You had your chance to pay 100 bitcoins to get back your access, now you face meltdown, hope you saved your config
7. Hence selected the "r" keyword/command for the second question.
Q3. Command used by attacker to run the script?
--> tclsh [Hidden Content]
Note: the name of the script is bd2.tcl, which can be seen in the GET request packet.
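The stream-following procedure from the post, as an added example that is not part of the original post or the exam: it takes decoded packet records, reassembles each direction of the port 1337 and HTTP conversations by sequence number, pulls the script name from the GET line and matches the attacker's commands against the banner text in the script body. The packet payloads and the script body are constructed; only the addresses, the port and the script name come from the post.

```python
# Added example, not from the original post or the exam: reassemble two TCP
# conversations from decoded packet records and map the attacker's backdoor
# commands to the banner text in the downloaded script. Payloads are constructed.
import re
from collections import defaultdict

ATTACKER, VICTIM, BACKDOOR_PORT = "10.1.1.1", "10.1.1.2", 1337
# Constructed records: (src, sport, dst, dport, seq, payload). Segments are
# deliberately out of order and one is retransmitted to exercise reassembly.
PACKETS = [
    (ATTACKER, 40001, VICTIM, BACKDOOR_PORT, 1001, b"c\n"),
    (ATTACKER, 40001, VICTIM, BACKDOOR_PORT, 1005, b"q\n"),
    (ATTACKER, 40001, VICTIM, BACKDOOR_PORT, 1003, b"r\n"),
    (ATTACKER, 40001, VICTIM, BACKDOOR_PORT, 1003, b"r\n"),  # retransmission
    (VICTIM, 50002, ATTACKER, 80, 1, b"GET /bd2.tcl HTTP/1.1\r\nHost: 10.1.1.1\r\n\r\n"),
    (ATTACKER, 80, VICTIM, 50002, 20, b"# c: show running config\n# r: meltdown, "
                                      b"hope you saved your config\n# q: quit\n"),
    (ATTACKER, 80, VICTIM, 50002, 1, b"HTTP/1.1 200 OK\r\n\r\n"),
]

def streams(packets):
    """One direction of 'follow stream': payloads per 4-tuple, ordered by seq."""
    seen, by_flow = set(), defaultdict(list)
    for s, sp, d, dp, seq, data in packets:
        if (s, sp, d, dp, seq) not in seen:  # drop exact retransmissions
            seen.add((s, sp, d, dp, seq))
            by_flow[(s, sp, d, dp)].append((seq, data))
    return {k: b"".join(d for _, d in sorted(v)) for k, v in by_flow.items()}

def backdoor_commands(packets):
    """Steps 1-3: what the attacker sent to the router on port 1337."""
    return [c for (s, _, d, dp), data in streams(packets).items()
            if (s, d, dp) == (ATTACKER, VICTIM, BACKDOOR_PORT)
            for c in data.decode().split()]

def downloaded_script(packets):
    """Steps 4-5: script name from the GET line, body from the reverse flow."""
    flows = streams(packets)
    for (s, sp, d, dp), data in flows.items():
        m = re.match(rb"GET /(\S+) HTTP", data)
        if m and s == VICTIM:
            body = flows.get((d, dp, s, sp), b"").split(b"\r\n\r\n", 1)[-1]
            return m.group(1).decode(), body.decode()
    return None, ""

def meltdown_command(packets):
    """Steps 6-7: the command whose banner text in the script mentions meltdown."""
    banners = dict(re.findall(r"^# (\w): (.*)$", downloaded_script(packets)[1], re.M))
    return next((c for c in backdoor_commands(packets)
                 if "meltdown" in banners.get(c, "").lower()), None)
```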