🎯 Challenge Overview
Challenge: Echo Trail (OffSec CTF)
Objective: Map the adversary's infiltration, chart their movements, validate forensic evidence, and produce actionable remediation and incident-response guidance.
Artifacts Provided:
- Network capture (`network_capture.pcapng`)
- Email artifacts (`*.eml`)
- Azure sign-in logs (`InteractiveSignIns_2025-08-14_2025-08-15.xlsx`)
- Windows event logs (`*.evtx`, `sysmon.evtx`)
- Mail server logs (`hmailserver_2025-08-15.log`)
- Database dump (`db_dump.sql`)
- Cloud shell history (`cloudshell_session.log`)
- Browser cache (optional)
🔍 Initial Reconnaissance
This section documents the first-pass triage, how artifacts were prioritized, and why certain items were investigated first.
Triage rationale: Phishing is a common initial access vector. Email artifacts and network captures are therefore high priority. Correlating email timestamps to network traffic and authentication logs reduces false positives and helps build a reliable timeline.
Step 1: Analyzing the Phishing Campaign
Objective: Identify phishing indicators, attachments, and any embedded links or artifacts that could lead to credential capture.
Typical commands used:

```bash
# Enumerate email files
ls -la *.eml

# Examine email headers and attachments (one output directory per message;
# ripmime expects the target directory to exist)
for f in *.eml; do
  echo "==== $f ===="
  mkdir -p "/tmp/eml_extracted/$f"
  ripmime -i "$f" -d "/tmp/eml_extracted/$f"
  munpack -f "$f"
done

# Inspect suspicious attachments (they land in the per-message subdirectories)
file /tmp/eml_extracted/*/*.png
exiftool /tmp/eml_extracted/*/ngo_update.png
strings /tmp/eml_extracted/*/ngo_update.png | head -n 40
```
Observed evidence:
- Email subject: "Urgent: Updated Access Required"
- Sender: `[email protected]` (spoofed display name)
- Attachment: `ngo_update.png`, an image file with a suspicious embedded HTML/redirect in the body, or an image that carries a URL in its metadata.

Analyst reasoning: An image attachment alone is not always malicious — but when an email urges account updates and includes a link or encoded payload, treat it as high risk. A URL in the metadata or the email body pointing to a domain that resembles a trusted provider is a strong indicator of typosquatting. We then pivot to the network capture to find the actual HTTP requests.
Step 2: Network Traffic Analysis
Objective: Identify connections to external hosts that correlate with email receipt or user activity. Extract HTTP POSTs where credentials may be submitted.
Key commands and rationale:

```bash
# Capture summary (packet count, first/last timestamps) to confirm file integrity
# and the time span being analysed; tshark -q alone prints nothing without a -z stat
capinfos network_capture.pcapng

# List HTTP hostnames and URIs to find suspicious domains
tshark -r network_capture.pcapng -Y "http" -T fields \
  -e frame.time -e ip.src -e ip.dst -e http.host -e http.request.uri \
  | sort | uniq -c | sort -nr | head

# Focus on the typo-squatted domain pattern "mcrosoft" (missing 'i')
tshark -r network_capture.pcapng -Y 'http.host contains "mcrosoft"' -T fields \
  -e frame.time -e ip.src -e ip.dst -e http.request.method -e http.request.uri -e http.file_data
```
Findings:
- Domain observed: `login.mcrosoft.com` (typosquat — missing 'i')
- HTTP GET to `/login.html` followed by HTTP POST to `/login.php` with payloads (likely credential submission).
- POST payloads appear hex-encoded — a common obfuscation technique to avoid simple signature detection.

Technical reasoning: Typosquat domains commonly host credential harvesters. Plain HTTP (not HTTPS) suggests the attacker did not obtain a valid certificate for the lookalike domain, or deliberately served the page over HTTP because the victim environment allowed insecure redirects; either way the cleartext POST body is recoverable from the capture. Next step: extract the POST data and decode it.
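The "mcrosoft" filter above works because the analyst already knew which lookalike to search for. A more general triage check is to compare every observed `http.host` against a short list of trusted domains and flag near misses. The following is an added example written for this writeup, not part of the original challenge solution: the host list, the trusted-domain list and the naive two-label "registrable domain" rule are all constructed assumptions; a production version would use a public-suffix list.

```python
# Constructed http.host values in the shape of the tshark field output above;
# only login.mcrosoft.com comes from the writeup, the rest are made up for the demo.
SAMPLE_HOSTS = [
    "login.mcrosoft.com",
    "login.microsoftonline.com",
    "cdn.example.net",
    "micros0ft.com",
    "accounts.google.com",
]

# Assumed allow-list of registrable domains the organisation legitimately talks to.
TRUSTED = ["microsoft.com", "microsoftonline.com", "google.com"]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance with a rolling single row (O(len(b)) memory)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Naive eTLD+1: keep the last two labels (assumption: single-label suffixes only)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def flag_typosquats(hosts, trusted=TRUSTED, max_distance=2):
    """Return hosts whose registrable domain is a near miss of a trusted domain.

    Exact matches to a trusted domain are benign and skipped; a distance of
    1..max_distance is reported as a lookalike candidate for analyst review.
    """
    findings = []
    for host in hosts:
        base = registrable(host)
        if base in trusted:
            continue
        for t in trusted:
            d = edit_distance(base, t)
            if 0 < d <= max_distance:
                findings.append({"host": host, "lookalike_of": t, "distance": d})
                break
    return findings


if __name__ == "__main__":
    for f in flag_typosquats(SAMPLE_HOSTS):
        print(f"{f['host']} looks like {f['lookalike_of']} (distance {f['distance']})")
```

Run against the full `http.host` column from the tshark output rather than the constructed list; a distance threshold of 2 catches dropped, swapped and digit-for-letter characters while leaving unrelated domains alone.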
Step 3: Credential Extraction (Decoding & Validation)
Objective: Extract and decode credential material from captured HTTP POSTs and validate against authentication logs.
Commands used:

```bash
# Extract http.file_data for the credential POSTs and save to a tab-separated file
# (field order: frame.time, ip.src, ip.dst, http.request.uri, http.file_data)
tshark -r network_capture.pcapng \
  -Y 'http.request.method == "POST" and http.host contains "mcrosoft"' -T fields \
  -e frame.time -e ip.src -e ip.dst -e http.request.uri -e http.file_data > post_payloads.txt

# If the payload is hex, strip CRs and any 0x prefixes, then decode and print readable strings
cut -f5 -d$'\t' post_payloads.txt | tr -d '\r' | sed 's/0x//g' > hex_payload.txt
xxd -r -p hex_payload.txt | strings -n 4 | tee decoded_post.txt
```

Decoded output (excerpt):

```
loginfmt=Jopa373424&ps=...&password=Jopa373424...
```
Validation steps (recommended):
- Cross-check the extracted username against the Azure sign-in logs (user principal names / usernames) to confirm the identity.
- Check the mail client or browser cache for evidence of the victim clicking the link (User-Agent and Referer headers in the pcap).

Conclusion:
- Username: `Jopa373424`
- Password: `Jopa373424`

The password is identical to the username: a weak, likely self-chosen credential. This reduces the attacker's effort to authenticate successfully.
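The shell pipeline above decodes one payload by hand. The following Python is an added example (not from the writeup) that does the same job over the whole tab-separated tshark export: it decodes each hex `http.file_data` field, parses the form body, records the username, and redacts the password in the output while still flagging the username-equals-password weakness noted above. The sample TSV lines are constructed here; only the `Jopa373424` credential and the `/login.php` URI come from the page.

```python
import binascii
import urllib.parse

# Constructed sample: two tshark "-T fields" lines (frame.time, ip.src, ip.dst,
# http.request.uri, http.file_data) with the body hex-encoded as in the capture.
# The second line carries a 0x prefix to exercise the cleanup path.
SAMPLE_TSV = "\n".join([
    "Aug 15, 2025 08:01:12.000000000 UTC\t10.0.0.25\t198.51.100.7\t/login.php\t"
    + binascii.hexlify(b"loginfmt=Jopa373424&ps=2&password=Jopa373424").decode(),
    "Aug 15, 2025 08:01:40.000000000 UTC\t10.0.0.25\t198.51.100.7\t/login.php\t0x"
    + binascii.hexlify(b"loginfmt=alice&ps=2&password=S3cure!pass").decode(),
])


def decode_payload(field: str) -> bytes:
    """Decode a hex-encoded http.file_data value.

    Tolerates a 0x prefix, colon separators and stray CRs. If the field is not
    valid hex it is returned unchanged, so cleartext bodies still parse.
    """
    cleaned = field.strip().replace("\r", "").replace("0x", "").replace(":", "")
    if len(cleaned) % 2:
        cleaned = "0" + cleaned  # odd-length hex: assume a dropped leading nibble
    try:
        return binascii.unhexlify(cleaned)
    except binascii.Error:
        return field.encode()


def redact(secret: str) -> str:
    """Keep two leading characters for correlation, mask the rest."""
    return secret[:2] + "*" * max(len(secret) - 2, 0)


def parse_posts(tsv: str) -> list[dict]:
    """Turn tshark TSV lines into per-request records with a weak-credential flag."""
    records = []
    for line in tsv.splitlines():
        parts = line.split("\t")
        if len(parts) < 5:
            continue  # skip malformed or empty export lines
        body = decode_payload(parts[4]).decode("utf-8", errors="replace")
        form = urllib.parse.parse_qs(body)
        user = form.get("loginfmt", [""])[0]
        password = form.get("password", [""])[0]
        records.append({
            "time": parts[0],
            "src": parts[1],
            "dst": parts[2],
            "uri": parts[3],
            "username": user,
            "password_redacted": redact(password),
            "password_equals_username": bool(password) and password == user,
        })
    return records


if __name__ == "__main__":
    for rec in parse_posts(SAMPLE_TSV):
        print(rec)
```

Feed it the real `post_payloads.txt` with `parse_posts(open("post_payloads.txt").read())`; the `username` column is what gets cross-checked against the Azure sign-in export in the next step, and the redacted password is safe to paste into a report.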
🕵️ Attack Timeline Reconstruction
Goal: Build a consolidated timeline from email delivery → network activity → authentication attempts → successful login → post-compromise activity.
Step 4: Azure Sign-in Log Analysis
We parse the exported Azure interactive sign-in logs to identify events tied to the suspected IP and account.
Commands used:

```python
import pandas as pd

# Load the exported interactive sign-in log; exported column names carry stray whitespace
df = pd.read_excel('InteractiveSignIns_2025-08-14_2025-08-15.xlsx')
df.columns = [c.strip() for c in df.columns]

# IP address suspected to be the attacker's
attacker_ip = '203.0.113.10'

# All sign-in events from that IP, in chronological order
attacker_events = df[df['IP address'] == attacker_ip].sort_values('Date (UTC)')
print(attacker_events[['Date (UTC)', 'Status', 'User', 'Failure reason', 'IP address']])
```
Extracted timeline (UTC):

| Timestamp (UTC) | Event | Notes |
|---|---|---|
| 2025-08-15T08:02:59Z | Failed authentication attempt | Possibly incorrect password or blocked MFA |
| 2025-08-15T08:03:35Z | MFA interruption | Push approval not accepted |
| 2025-08-15T08:05:09Z | Multiple failed attempts | Repeated authentication failures |
| 2025-08-15T08:08:31Z | MFA interruption | Repeated push challenges |
| 2025-08-15T08:15:49Z | First successful login | Attacker achieved access |
| 2025-08-15T08:15:50Z–08:16:31Z | Additional successful logins | Rapid activity post-authentication |
Analyst inference: The pattern of repeated failures then success is consistent with credential stuffing or an attacker retrying with known credentials and waiting for MFA approval (or the user succumbing to push fatigue). Note the short time between successful logins — likely automation or scripted session establishment.
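The failures-then-success pattern described above can be turned into a repeatable detection over the sign-in export. The following is an added example for this writeup, not part of the original solution and not the pandas snippet above: it uses only the standard library, groups events by user and source IP, and raises an alert when several failed or MFA-interrupted attempts are followed by a success within a configurable window, also counting rapid follow-up logins. The rows are constructed to mirror the reconstructed timeline (the `Jopa373424` account and the `203.0.113.10` address come from the page); the status strings `Failure`, `Interrupted` and `Success` match the Azure export, while the failure-reason text and the benign `bob` rows are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def row(ts, user, ip, status, reason=""):
    """Build one record shaped like the Azure interactive sign-in export columns."""
    return {"Date (UTC)": ts, "User": user, "IP address": ip,
            "Status": status, "Failure reason": reason}


# Constructed sample rows mirroring the timeline table above, plus benign noise.
SAMPLE_SIGNINS = [
    row("2025-08-15T08:02:59Z", "Jopa373424", "203.0.113.10", "Failure", "Invalid username or password"),
    row("2025-08-15T08:03:35Z", "Jopa373424", "203.0.113.10", "Interrupted", "MFA push not approved"),
    row("2025-08-15T08:05:09Z", "Jopa373424", "203.0.113.10", "Failure", "Invalid username or password"),
    row("2025-08-15T08:08:31Z", "Jopa373424", "203.0.113.10", "Interrupted", "MFA push not approved"),
    row("2025-08-15T08:15:49Z", "Jopa373424", "203.0.113.10", "Success"),
    row("2025-08-15T08:15:50Z", "Jopa373424", "203.0.113.10", "Success"),
    row("2025-08-15T08:16:31Z", "Jopa373424", "203.0.113.10", "Success"),
    # A user who mistyped once and then signed in normally: must not alert.
    row("2025-08-15T09:10:00Z", "bob", "10.0.0.44", "Failure", "Invalid username or password"),
    row("2025-08-15T09:10:20Z", "bob", "10.0.0.44", "Success"),
]


def parse_ts(s: str) -> datetime:
    """Parse the export's ISO-8601 UTC timestamp into an aware datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_push_fatigue(rows, min_failures=3, window=timedelta(minutes=30),
                        burst=timedelta(minutes=2)):
    """Alert when >= min_failures non-success events precede a success within `window`.

    Returns one alert per (user, ip) success that closes such a run, with the
    number of MFA interruptions and of further successes inside `burst`.
    """
    by_key = defaultdict(list)
    for r in rows:
        by_key[(r["User"], r["IP address"])].append(r)

    alerts = []
    for (user, ip), events in by_key.items():
        events.sort(key=lambda r: parse_ts(r["Date (UTC)"]))
        pending = []  # non-success events not yet closed by a success
        for ev in events:
            ts = parse_ts(ev["Date (UTC)"])
            if ev["Status"] != "Success":
                pending.append(ev)
                continue
            recent = [p for p in pending if ts - parse_ts(p["Date (UTC)"]) <= window]
            if len(recent) >= min_failures:
                first = parse_ts(recent[0]["Date (UTC)"])
                followups = [e for e in events if e["Status"] == "Success"
                             and timedelta(0) < parse_ts(e["Date (UTC)"]) - ts <= burst]
                alerts.append({
                    "user": user,
                    "ip": ip,
                    "first_failure": recent[0]["Date (UTC)"],
                    "success": ev["Date (UTC)"],
                    "failures_before_success": len(recent),
                    "mfa_interruptions": sum(1 for p in recent if p["Status"] == "Interrupted"),
                    "seconds_to_success": int((ts - first).total_seconds()),
                    "rapid_followup_logins": len(followups),
                })
            pending = []  # a success closes the current run either way
    return alerts


if __name__ == "__main__":
    for a in detect_push_fatigue(SAMPLE_SIGNINS):
        print(a)
```

With a real export, build the row list from the `pandas` frame above with `df.to_dict("records")` after stripping the column names; the `mfa_interruptions` count is what separates a push-fatigue run from plain password guessing, and `rapid_followup_logins` captures the scripted session establishment the analyst inferred.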

