First Shift CTF

This guide contains the answers for the First Shift CTF room and the steps needed to reach them.


Meet ProbablyFine

  1. Let's go! Your flag is: THM{first_shift_check_in!}

    Answer: THM{first_shift_check_in!}

Probably Just Fine

  1. What is the ASN number related to the IP?

    Answer: 212238

  2. Which service is offered from this IP?

    Answer: vpn

  3. What is the filename of the file related to the hash?

    Answer: zY9sqWs.exe

  4. What is the threat signature that Microsoft assigned to the file?

    Answer: Trojan:Win32/LummaStealer.PM!MTB

  5. One of the contacted domains is part of a large malicious infrastructure cluster. Based on its HTTPS certificate, how many domains are linked to the same campaign?

    Answer: 151

  6. The file matches one of the YARA rules made by "kevoreilly". What line is present in the rule's "condition" field?

    Answer: uint16(0) == 0x5a4d and any of them

  7. The file is also mentioned in one of the TI reports. What is the title of the report mentioning this hash?

    Answer: Behind the Curtain: How Lumma Affiliates Operate

  8. Which team did the author of the malware start collaborating with in early 2024?

    Answer: GhostSocks

  9. A Mexican-based affiliate related to the malware family also uses other infostealers. Which mentioned infostealer targets Android systems?

    Answer: CraxsRAT

  10. The report states that the affiliates behind the malware use the services of AnonRDP. Which MITRE ATT&CK sub-technique does this align with?

    Answer: T1583.003

Phishing Books

  1. Which specific check within the headers explains the bypass of email filters? Answer Example: "CHECK=value"

    After opening the email analysis report, we can see in the "arc-authentication-results" header which authentication checks are reported as not active.

    (Screenshot: HEADER)

    Answer: DMARC=none

  2. What technique did the attacker use to make the message seem legitimate?


  3. Which MITRE technique and sub-technique ID best fit this sender address trick?


  4. What is the file extension of the attached file?

    If we open the email in the mail client, we can see the attached file.

    (Screenshot: EXTENSIONS)

    Answer: .HTML

  5. What is the MD5 hash of the .HTML file?

    We can find this by downloading the attachment and running md5sum library-invoice.pdf.html.

    (Screenshot: MD5)

    Answer: 442f2965cb6e9147da7908bb4eb73a72

  6. What is the landing page of the phishing attack?

    Since it is an HTML file, we can open it in a browser, which shows us the landing page.

    (Screenshot: LANDING)

    Answer: http://lib-service.com:8083

  7. Which MITRE technique ID was used inside the attached file?

    When opening the attachment, we can see that some kind of obfuscation is used. Looking for techniques related to this under "Defense Evasion" yields the answer.

    (Screenshot: OBFUSCATION)

    Answer: T1027

  8. What is the hidden message the attacker left in the file?

    We can trace back the JavaScript statements used to build the message. The script first joins the entire array into one string, then splits that string into characters, reverses them and joins them again.

    (Screenshot: MESSAGE)

    Answer: I love to phish books from libraries ^^

  9. Which line in the attached file is responsible for decoding the URL redirect?

    This is the line that uses the "xanthium".

    Answer: var src = reversed.split("").reverse().join("");

  10. What is the first URL in the redirect chain?

    The decoded URL redirects us through several other URLs. To find the first one, we can navigate to the URL in Firefox and enable persistent logs in the Network tab.

    The first entry we see is the first URL in the redirect chain.

    (Screenshot: REDIRECT)

    Answer: http://xn--librarytlu-13cwe32432-kwr.com:8082

  11. What is the Threat Actor associated with this malicious file and/or URL?

    We can look up the landing page URL in "trydetectme". Be sure to remove the port number and the protocol (lib-service.com).

    (Screenshot: ADVERSARY)

    Answer: Cobalt Dickens | Silent Librarian

  12. What is the main target of this Threat Actor according to MITRE?

    We can look for this adversary on the MITRE website to find their primary target.

    Answer: research and proprietary data
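As an added example, not code from the room or from the phishing attachment, the following JavaScript reproduces the join / split / reverse / join pattern described in questions 8 and 9 on a constructed chunk array, and then derives the bare hostname (no scheme, no port) used for the threat-intel lookup in question 11. The sample chunks, the example.invalid URL and the function names are assumptions for illustration only; the recovered value is treated as an indicator to record and block, never as something to open.

```javascript
// Added example (not code from the attachment or the room): recover a string
// that a phishing HTML file hides as reversed chunks, using the same
// join -> split -> reverse -> join pattern the walkthrough describes.
// Defensive use: the recovered value is logged as an indicator, never executed.

// Constructed sample data: the string "http://example.invalid:8080/landing"
// stored reversed and cut into chunks. This is NOT the real attachment's array.
const sampleChunks = ["gnid", "nal/0", "808:d", "ilavn", "i.elp", "maxe/", "/:ptth"];

// Step 1: join the array into one (still reversed) string.
// Step 2: split into characters, reverse their order and join them back.
function decodeReversedChunks(chunks) {
  const reversed = chunks.join("");
  return reversed.split("").reverse().join("");
}

// Turn a decoded value into the pieces an analyst needs for triage:
// the full URL for the incident record and the bare hostname (no scheme,
// no port) for threat-intel lookups, as the walkthrough does for question 11.
// Returns null when the decoded text is not a URL at all (e.g. a plain message).
function describeIndicator(decoded) {
  let url;
  try {
    url = new URL(decoded);
  } catch (e) {
    return null;
  }
  return {
    fullUrl: url.href,
    scheme: url.protocol.replace(":", ""),
    lookupKey: url.hostname,          // what to paste into a TI lookup
    port: url.port || "(default)",
    // "xn--" labels mark an internationalised domain, a common look-alike trick
    isIdn: url.hostname.split(".").some((label) => label.startsWith("xn--")),
  };
}

// Example run on the constructed sample.
const decoded = decodeReversedChunks(sampleChunks);
console.log("decoded:", decoded);
console.log("indicator:", describeIndicator(decoded));
```

When the decoded text is a sentence rather than a URL (as with the hidden message in question 8), describeIndicator returns null, so the two cases can be told apart without guessing.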

Portal Drop

  1. What is the IP address that initiated the brute force on the CRM web portal?

  2. How many successful and failed logins are seen in the logs? Answer Example: 42, 56

  3. Following the brute force, which user-agent was used for the file upload?

  4. What was the name of the suspicious file uploaded by the attacker?

  5. At what time did the attacker first invoke the uploaded script? Answer Example: 2025-10-24 15:35:50

  6. What is the first decoded command the attacker ran on the CRM?

  7. Based on the attacker’s activity on the CRM, which MITRE ATT&CK Persistence sub-technique ID is most applicable?

  8. Which process image executes attacker commands received from the web?

  9. What command allowed the attacker to open a bash reverse shell?

  10. Which Linux user executes the entered malicious commands?

  11. What sensitive CRM configuration file did the attacker access?

  12. Which domain was used to exfiltrate the CRM portal database?

  13. What flag do you get after completing all 12 EDR response actions?

Zero Tolerance

  1. What is the hostname where the Initial Access occurred?

  2. What MITRE subtechnique ID describes the initial code execution on the beachhead?

  3. What is the full path of the malicious file that led to Initial Access?

  4. What is the full path to the LOLBin abused by the attacker for Initial Access?

  5. What is the IP address of the attacker's Command & Control server?

  6. What is the full path of the process responsible for the C2 beaconing?

  7. What is the full path, modified for Persistence on the beachhead host?

  8. What tool and parameter did the threat actor use for credential dumping?

  9. The threat actor executed a command to evade defenses. What security parameter did they attempt to change?

  10. The threat actor used a tool to execute remote commands on other machines. What is the process ID (PID) that executed the remote command?

  11. At what time did the threat actor pivot from the beachhead to another system? Answer format: YYYY-MM-DD HH:MM:SS

  12. What is the full path of the PowerShell script used by the threat actor to collect data?

  13. What are the first 4 file extensions targeted by this script for exfiltration? Answer format: Chronological, comma-separated

  14. What is the full path to the staged file containing collected files?

The Crown Jewel

  1. From which internal IP did the suspicious connection originate?

  2. What outbound connection was detected as a C2 channel? (Answer example: 1.2.3.4:9996)

  3. Which MAC address is impersonating the gateway 10.10.10.1?

  4. What is the non-standard User-Agent hitting the Jira instance?

  5. How many ARP spoofing attacks were observed in the PCAP?

  6. What's the payload containing the plaintext creds found in the POST request?

  7. What domain, owned by the attacker, was used for data exfiltration?

  8. After examining the logs, which protocol was used for data exfiltration?

Promotion Night

  1. What was the network share path where ransomware was placed?

  2. What is the value ransomware created to persist on reboot?

  3. What was the most likely extension of the encrypted files?

  4. Which MITRE technique ID was used to deploy ransomware?

  5. What ports of SRV-ITFS did the adversary successfully scan?

  6. What is the full path to the malware that performed the Discovery?

  7. Which artifact did the adversary create to persist on the beachhead?

  8. What is the MD5 hash of the embedded initial shellcode?

  9. Which C2 framework was used by the adversary in the intrusion?

  10. What hostname did the adversary log in from on the beachhead?

  11. What was the UNC path that likely contained AWS credentials?

  12. From which IP address did the adversary access AWS?

  13. Which two sensitive files did the adversary exfiltrate from AWS?

  14. What file did the adversary upload to S3 in place of the wiped ones?