CyberDefenders: HireMe

Karen is a security professional looking for a new job. A company called "TAAUSAI" offered her a position and asked her to complete a couple of tasks to prove her technical competency. Analyze the provided disk image and answer the questions based on your understanding of the cases she was assigned to investigate.

Information

Category Name: HireMe
Files: c44-Hire-ME.zip (327 MB), which contains Horcrux.ad1 (893 MB)


My Recommendations

This is my personal preference: I like to keep things organized and delete the working folder when I'm done with it.

mkdir Documents/CyberDefenders/HireMe && cd Documents/CyberDefenders/HireMe

Download the archive from CyberDefenders and verify it with sha1sum:

sha1sum /path/to/c44-Hire-ME.zip

SHA1: 7f3f175eefdb74110b19ffce7a14398f1ffac0d8

Then extract it with the provided password.

Run FTK Imager (installed under Wine) with:

wine '.wine/drive_c/Program Files/AccessData/FTK Imager/FTK Imager.exe'

Select "Add Evidence Item" and pick Horcrux.ad1. Then expand the tree, right-click "[root]", select "Export Files" and choose the working directory (WD) as the export destination.

I recommend renaming the folders to make them more CLI-friendly. The exported "[root]" directories must be quoted, because an unquoted [root] is a shell glob that matches a single character rather than the literal name:

mv 'Horcrux.E01_Partition 2 [32216MB]_NONAME [NTFS]' Part2
mv 'Horcrux.E01_Partition 3 [3122MB]_PacaLady [NTFS]' Part3_PacaLady
mv 'Part2/[root]' Part2/root
mv 'Part3_PacaLady/[root]' Part3_PacaLady/root

Walkthrough

1. What is the administrator's username?

The fastest way is to list the Users directory of the second partition (Part2):

ls -la Part2/root/Users

Answer: Karen

2. What is the OS's build number?

Using RegRipper:

rip.pl -p winver -r Part2/root/Windows/System32/config/SOFTWARE

Answer: 10

3. What is the hostname of the computer?

Using RegRipper:

rip.pl -p compname -r Part2/root/Windows/System32/config/SYSTEM

Answer: TotallyNotAHacker

4. A messaging application was used to communicate with a fellow Alpaca enthusiast. What is the name of the software?

If we list Karen's AppData to see what software she may have installed:

ls -la Part2/root/Users/Karen/AppData/*

There is nothing of interest. The other partition, however, contains an executable for Skype:

ls -la Part3_PacaLady/root

Answer: Skype

5. What is the zip code of the administrator's post?

There are regular expressions that match ZIP codes, but I prefer to grep for 'zip' first to get an idea of where the information could be found:

grep -r -i -w 'zip' Part2/root/Users/Karen

This returns a great many Chrome artifacts, so I simply copy the History database (working on a copy keeps the exported evidence untouched) and open it in DB Browser for SQLite:

cp 'Part2/root/Users/Karen/AppData/Local/Google/Chrome/User Data/Default/History' History.db
sqlitebrowser History.db

In the urls table, filtering the title column on 'post' shows that the question probably refers to a Craigslist post. Filtering the url column on 'craigslist', the last record (id 74) contains a ZIP code:

Answer: 19709

6. What are the initials of the person who contacted the admin user from TAAUSAI?

My toxic trait is that I use grep for *everything*.

grep -r -i 'TAAUSAI' *

This returns one match in the Outlook directory. Now let's find out whether there is an .ost or .pst file in there (the two -name tests are grouped so that -type f applies to both):

find Part2/root/Users/Karen/ -type f \( -name "*.ost" -o -name "*.pst" \)
## returns one match: klovespizza@outlook.com.ost
cp Part2/root/Users/Karen/AppData/Local/Microsoft/Outlook/klovespizza@outlook.com.ost klovespizza.ost
pffexport klovespizza.ost

To print all the exported messages as text, we can use html2text:

cd 'klovespizza.ost.export/Root - Mailbox'
html2text IPM_SUBTREE/Inbox/*/*.html

The message in Message00007 is an email from M.S., who works for TAAUSAI and is offering Karen a job!

Answer: MS

7. How much money was TAAUSAI willing to pay upfront?

In the email above, M.S. is offering $150,000 USD upfront.

Answer: 150000

8. What country is the admin user meeting the hacker group in?

html2text IPM_SUBTREE/Inbox/*/*.html | grep "Meet"

To double-check, I grep the entire directory for the coordinates, and the email containing them is indeed from TAAUSAI.

The coordinates are: 27°22'50.10"N, 33°37'54.62"E

Answer: Egypt
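Coordinates pulled out of an email rarely arrive in a tidy form: word processors and blogs turn the minute and second marks into typographic ’ and ″, and a map service wants decimal degrees. The following Python is an added example, not part of the original write-up, that finds DMS coordinates in arbitrary text (accepting both ASCII and typographic quote marks), converts them to signed decimal degrees and pairs each latitude with the longitude that follows it. The sample strings are constructed; the only real value is the coordinate pair quoted above.

```python
import re

# Degrees, minutes, seconds and a hemisphere letter. The character classes also
# accept the typographic marks (’ ′ ″) that blogs and Word substitute for ' and ".
DMS_RE = re.compile(r"""(\d{1,3})\s*°\s*(\d{1,2})\s*['’′]\s*(\d{1,2}(?:\.\d+)?)\s*["″]\s*([NSEW])""")


def dms_to_decimal(degrees, minutes, seconds, hemisphere):
    """Signed decimal degrees; south and west are negative."""
    value = int(degrees) + int(minutes) / 60 + float(seconds) / 3600
    return -value if hemisphere in "SW" else value


def extract_coordinates(text):
    """Return (latitude, longitude) pairs for every lat/lon DMS pair found in text.

    A latitude (N/S) is paired with the longitude (E/W) that follows it; a stray
    component without a partner is dropped rather than silently mis-paired."""
    pairs, pending_lat = [], None
    for match in DMS_RE.finditer(text):
        value = dms_to_decimal(*match.groups())
        if match.group(4) in "NS":
            pending_lat = value
        elif pending_lat is not None:
            pairs.append((round(pending_lat, 6), round(value, 6)))
            pending_lat = None
    return pairs


def maps_query(lat, lon):
    """'lat,lon' in the decimal form that map services accept for a lookup."""
    return f"{lat:.6f},{lon:.6f}"


if __name__ == "__main__":
    # Constructed line in the shape the html2text output had, typographic quotes included.
    line = "Meet us at 27°22’50.10″N, 33°37’54.62″E next week."
    for lat, lon in extract_coordinates(line):
        print(maps_query(lat, lon))
```

The decimal pair can then be pasted into any map service to confirm the country; the script deliberately stops short of geocoding, which needs a network lookup or an offline boundary dataset.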


9. What is the machine's timezone? (Use the three-letter abbreviation)

Using RegRipper:

rip.pl -p timezone -r Part2/root/Windows/System32/config/SYSTEM

Answer: UTC

10. When was AlpacaCare.docx last accessed?

The $MFT is the best source for filesystem metadata. analyzeMFT.py parses it into a CSV, which we can then grep for the file name:

python2 analyzeMFT.py -f '/home/remnux/Documents/CyberDefenders/HireMe/Part3_PacaLady/root/$MFT' -o /home/remnux/Documents/CyberDefenders/HireMe/output.csv
grep 'AlpacaCare' output.csv

In the matching CSV row, the 15th field is the FN Info Access date (the last-access time stored in the $FILE_NAME attribute), which is 2019-03-17 21:52:20.

Answer: 03/17/2019 21:52:20
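analyzeMFT.py hides what it actually does with each 1024-byte FILE record, and the "FN Info" versus "SI Info" distinction in its output matters for this question. The following Python is an added example, not code from the write-up or from analyzeMFT, that applies the NTFS fixup array and decodes the four timestamps from both the $STANDARD_INFORMATION and $FILE_NAME attributes of a single record. The record it parses is constructed in-line with struct (sample bytes, not from the challenge image); only the $FILE_NAME access time is set to the value reported above, and $STANDARD_INFORMATION is given a different access time to make the two sets visible.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
STANDARD_INFORMATION, FILE_NAME, END_MARKER = 0x10, 0x30, 0xFFFFFFFF
TIME_KEYS = ("created", "modified", "mft_modified", "accessed")


def filetime(ticks):
    """NTFS timestamps are 100-nanosecond ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def apply_fixups(record):
    """Undo the update sequence array: on disk, the last two bytes of every 512-byte
    sector hold the update sequence number and the real bytes are kept in the USA."""
    rec = bytearray(record)
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, usa_count):
        pos = i * 512 - 2
        if rec[pos:pos + 2] != usn:
            raise ValueError("fixup mismatch: torn write or corrupt record")
        rec[pos:pos + 2] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)


def parse_record(record):
    """Name plus the four timestamps of the resident $STANDARD_INFORMATION ('si')
    and $FILE_NAME ('fn') attributes of one FILE record."""
    if record[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    rec = apply_fixups(record)
    off = struct.unpack_from("<H", rec, 0x14)[0]          # offset of the first attribute
    out = {"name": None, "si": None, "fn": None}
    while True:
        atype = struct.unpack_from("<I", rec, off)[0]
        if atype == END_MARKER:
            break
        alen, nonresident = struct.unpack_from("<IB", rec, off + 4)
        if not nonresident and atype in (STANDARD_INFORMATION, FILE_NAME):
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)   # resident content
            body = rec[off + coff:off + coff + clen]
            if atype == STANDARD_INFORMATION:                        # times start at 0x00
                out["si"] = dict(zip(TIME_KEYS, map(filetime, struct.unpack_from("<4Q", body, 0))))
            else:                                                    # parent ref first, times at 0x08
                out["fn"] = dict(zip(TIME_KEYS, map(filetime, struct.unpack_from("<4Q", body, 8))))
                out["name"] = body[0x42:0x42 + 2 * body[0x40]].decode("utf-16-le")
        off += alen
    return out


def build_sample_record():
    """Constructed 1024-byte FILE record for AlpacaCare.docx (sample bytes, not from
    the image). $SI and $FN are deliberately given different access times."""
    t = lambda *a: to_filetime(datetime(*a, tzinfo=timezone.utc))
    common = (t(2019, 3, 17, 21, 50, 0), t(2019, 3, 17, 21, 51, 0), t(2019, 3, 17, 21, 51, 0))
    si_body = struct.pack("<4QIIII", *common, t(2019, 3, 20, 8, 0, 0), 0x20, 0, 0, 0)
    name = "AlpacaCare.docx".encode("utf-16-le")
    fn_body = struct.pack("<Q4QQQIIBB", 5, *common, t(2019, 3, 17, 21, 52, 20),
                          4096, 3000, 0x20, 0, len(name) // 2, 1) + name

    def attr(atype, body):          # resident attribute header (24 bytes) + 8-byte aligned body
        padded = body + b"\0" * (-len(body) % 8)
        return struct.pack("<IIBBHHHIHBB", atype, 24 + len(padded), 0, 0, 24, 0, 0,
                           len(body), 24, 0, 0) + padded

    attrs = attr(STANDARD_INFORMATION, si_body) + attr(FILE_NAME, fn_body) + struct.pack("<II", END_MARKER, 0)
    header = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, 1, 1, 0x38, 1,
                         0x38 + len(attrs), 1024, 0, 3, 0, 42)
    usn = b"\x07\x00"
    rec = bytearray(header + usn + b"\0\0" + b"\0\0" + b"\0\0" + attrs)  # USA: usn, 2 saved words, pad
    rec += b"\0" * (1024 - len(rec))
    rec[510:512] = usn            # what the end of each sector looks like on disk
    rec[1022:1024] = usn
    return bytes(rec)


if __name__ == "__main__":
    info = parse_record(build_sample_record())
    for which in ("si", "fn"):
        print(which, info["name"], {k: v.strftime("%Y-%m-%d %H:%M:%S") for k, v in info[which].items()})
```

Two caveats worth keeping in mind when reading either set of times: NTFS last-access updates are frequently disabled (the NtfsDisableLastAccessUpdate setting), so an access time can lag real use considerably; and $FILE_NAME timestamps are maintained by the kernel rather than through the user-mode API that timestamp-altering tools use, so a $SI time earlier than its $FN counterpart is a standard indicator that $SI was tampered with.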

11. There was a second partition on the drive. What is the letter assigned to it?

Using RegRipper:

rip.pl -p mountdev2 -r Part2/root/Windows/System32/config/SYSTEM

The DosDevices\C: entry is the main partition; the other partition is assigned the drive letter A.
Answer: A

12. What is the answer to the question Company's manager asked Karen?

Back to the emails: searching for 'question' gives no meaningful results, but 'answer' does!

cd 'klovespizza.ost.export/Root - Mailbox'
html2text IPM_SUBTREE/Inbox/*/*.html | grep "question"
html2text IPM_SUBTREE/Inbox/*/*.html | grep "answer"

Answer: TheCardCriesNoMore

13. What is the job position offered to Karen? (3 words, 2 spaces in between)

We can look for the word 'job' in the exported emails:

html2text IPM_SUBTREE/Inbox/*/*.html | grep "job"

There is a match, but grep prints only the line the phrase starts on and the sentence continues on the next line, so it's best to search for the fragment directly and print the line that follows it:

html2text IPM_SUBTREE/Inbox/*/*.html | grep 'job position we think' -A 1

The job offered is entry level cyber security analyst:

Answer: Cyber Security Analyst
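The grep -A 1 workaround in questions 6, 12 and 13 is needed because html2text wraps long paragraphs, so a phrase that straddles a line break is never on one line. The Python below is an added example, not part of the write-up, that converts each exported message body to text with the standard library's HTMLParser, collapses all whitespace so wrapped sentences match as a whole, and reports which message matched with surrounding context. The messages are constructed stand-ins for the pffexport Message000NN/*.html files; their text is invented.

```python
import re
from html.parser import HTMLParser


class TextExtractor(HTMLParser):
    """Collect the visible text of an HTML message body, skipping script/style."""

    BLOCK_TAGS = {"p", "br", "div", "li", "tr", "h1", "h2", "h3"}

    def __init__(self):
        super().__init__()
        self.parts = []
        self._skip = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
        elif tag in self.BLOCK_TAGS:
            self.parts.append(" ")       # keep words of adjacent blocks apart

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)


def html_to_text(html):
    """Flatten HTML to a single whitespace-normalised line.

    Collapsing every run of whitespace (newlines inside a paragraph included) is
    what lets a phrase that was wrapped across two lines still match whole."""
    parser = TextExtractor()
    parser.feed(html)
    parser.close()
    return re.sub(r"\s+", " ", "".join(parser.parts)).strip()


def find_phrase(text, phrase, context=60):
    """All case-insensitive matches of phrase, each with context characters either side."""
    hits = []
    for m in re.finditer(re.escape(phrase), text, re.IGNORECASE):
        start, end = max(0, m.start() - context), min(len(text), m.end() + context)
        hits.append(text[start:end])
    return hits


def search_messages(messages, phrase):
    """Map each message name to its matches; messages without a match are omitted."""
    result = {}
    for name, html in messages.items():
        hits = find_phrase(html_to_text(html), phrase)
        if hits:
            result[name] = hits
    return result


# Constructed messages standing in for the pffexport output tree; invented text.
SAMPLE_MESSAGES = {
    "Message00001": """<html><body><p>Hi Karen,</p>
<p>Thanks for sending the documents over.</p><p>Regards,<br>A.B.</p></body></html>""",
    "Message00002": """<html><body><p>Hi Karen,</p>
<p>The job position we think
would suit you is <b>Example Role Title</b>. Before we proceed, please
answer one question: what was the name of your first alpaca?</p>
<p>Regards,<br>C.D.<br>EXAMPLECORP</p></body></html>""",
}

if __name__ == "__main__":
    for name, hits in search_messages(SAMPLE_MESSAGES, "job position we think").items():
        print(name, "->", hits)
```

Because the search runs on the normalised text rather than on html2text's wrapped lines, the whole sentence is returned in one hit and no -A context guessing is needed.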

14. When was the admin user password last changed?

Using RegRipper:

rip.pl -p samparse -r Part2/root/Windows/System32/config/SAM | grep 'Karen' -A 20

Answer: 03/21/2019 19:13:09 

15. What version of Chrome is installed on the machine?

Using RegRipper:

rip.pl -p uninstall -r Part2/root/Windows/System32/config/SOFTWARE | grep -i chrome

Answer: 72.0.3626.121

16. What is the HostUrl of Skype?

If we grep for Skype, we can see that a lot of the matches are from Chrome. We can first check the History database:

sqlitebrowser History.db

In the Downloads Table, it is confirmed that Skype was downloaded from Chrome.

To get the HostUrl, we need to find the URL that actually served 'skype.exe'. In the downloads_url_chains table, filter the url column on 'skype':

The third URL in the chain is the HostUrl.

Answer: https://download.skype.com/s4l/download/win/Skype-8.41.0.54.exe
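Questions 5 and 16 both come down to querying Chrome's History database, and two details are easy to get wrong when doing it by hand: Chrome's timestamps count microseconds from 1601-01-01 rather than the Unix epoch, and the HostUrl is the last entry of the download's redirect chain, not the page the user clicked on. The Python below is an added example (not from the write-up) that builds a constructed, trimmed-down copy of the relevant tables in memory with placeholder hosts, then queries it the way one would query the real History.db; it converts the timestamps and pulls the full chain for a given downloaded file.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome stores times as microseconds since 1601-01-01 UTC (the WebKit epoch),
# not the Unix epoch, so every value must be shifted before display.
CHROME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def chrome_time(microseconds):
    """Convert a Chrome/WebKit timestamp to an aware UTC datetime."""
    return CHROME_EPOCH + timedelta(microseconds=microseconds)


def build_sample_history():
    """Constructed stand-in for Chrome's History database: schema trimmed to the
    columns used here, every row invented (placeholder hosts, not image data)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                           visit_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE downloads (id INTEGER PRIMARY KEY, target_path TEXT,
                                start_time INTEGER, tab_url TEXT);
        CREATE TABLE downloads_url_chains (id INTEGER, chain_index INTEGER,
                                           url TEXT, PRIMARY KEY (id, chain_index));
    """)
    db.executemany("INSERT INTO urls VALUES (?, ?, ?, ?, ?)", [
        (1, "https://search.example/", "Search", 5, 13197000000000000),
        (2, "https://classifieds.example/post/1234",
            "for sale: alpaca feed - zip 00000 (post)", 1, 13197000300000000),
        (3, "https://vendor.example/get", "Get the messenger", 2, 13197000600000000),
    ])
    db.execute("INSERT INTO downloads VALUES (?, ?, ?, ?)",
               (1, r"C:\Users\Karen\Downloads\Messenger-Setup.exe",
                13197000660000000, "https://vendor.example/get"))
    db.executemany("INSERT INTO downloads_url_chains VALUES (?, ?, ?)", [
        (1, 0, "https://vendor.example/get/download"),              # link the user clicked
        (1, 1, "https://go.vendor.example/redirect"),                # HTTP redirect
        (1, 2, "https://cdn.vendor.example/Messenger-Setup.exe"),    # host that served the bytes
    ])
    return db


def visits_matching(db, keyword):
    """urls rows whose url or title contains keyword (case-insensitive), oldest first."""
    rows = db.execute(
        "SELECT id, url, title, last_visit_time FROM urls "
        "WHERE url LIKE ? OR title LIKE ? ORDER BY last_visit_time",
        (f"%{keyword}%", f"%{keyword}%")).fetchall()
    return [(i, url, title, chrome_time(t).isoformat()) for i, url, title, t in rows]


def download_chain(db, filename):
    """Full redirect chain, in order, for the download whose target_path ends with filename."""
    rows = db.execute(
        "SELECT c.url FROM downloads d JOIN downloads_url_chains c ON c.id = d.id "
        "WHERE d.target_path LIKE ? ORDER BY c.chain_index",
        (f"%{filename}",)).fetchall()
    return [r[0] for r in rows]


def host_url(db, filename):
    """Last URL of the chain: the host that actually served the file (Chrome's HostUrl)."""
    chain = download_chain(db, filename)
    return chain[-1] if chain else None


if __name__ == "__main__":
    db = build_sample_history()
    for row in visits_matching(db, "post"):
        print(row)
    print(download_chain(db, "Messenger-Setup.exe"))
    print(host_url(db, "Messenger-Setup.exe"))
```

A useful cross-check on a Windows image: Chrome also writes the HostUrl and ReferrerUrl into the Zone.Identifier alternate data stream of the downloaded file, so the value recovered from History.db can be compared against the stream attached to the installer itself.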

17. What is the domain name of the website Karen browsed on Alpaca care that the file AlpacaCare.docx is based on?

We can view the file with LibreOffice:

find . -name 'AlpacaCare.docx' -exec cp "{}" . \;
libreoffice AlpacaCare.docx

If you copy/paste the first paragraph into Google, it returns the domain name "alpacasofoklahoma.com". However, if you scroll down the document, you will see the attribution at the bottom:

The text was reproduced with permission, and the copyright notice at the bottom shows that Karen copied it from Palomino Alpaca Farm. The site doesn't exist anymore, but the domain name used to be "palominoalapacafarm.com".

Answer: palominoalapacafarm.com

TLDR

This challenge required good knowledge of Windows filesystem and registry artifacts. A variety of tools can be used to solve it, such as RegRipper, analyzeMFT.py, pffexport and LibreOffice.
