CyberDefenders: Insider

After Karen started working for 'TAAUSAI,' she began to do some illegal activities inside the company. 'TAAUSAI' hired you to kick off an investigation on this case. You acquired a disk image and found that Karen uses Linux OS on her machine. Analyze the disk image of Karen's computer and answer the provided questions.

Information

Category Name: Insider
Files: c46-FirstHack.zip 83 MB
–> Contains FirstHack.ad1 87.7 MB

My Recommendations

This is my personal preference, I like being organized and deleting a folder when I’m done with it.

mkdir Documents/CyberDefenders/Insider && cd Documents/CyberDefenders/Insider

Download it from CyberDefenders and verify the file with sha1sum:

sha1sum /path/to/c46-FirstHack.zip

SHA1: d820264d825fdaeb2146bf7b4c4e03684e700007

Then extract it with the provided password.

Run FTK Imager through wine:

wine '.wine/drive_c/Program Files/AccessData/FTK Imager/FTK Imager.exe'

Select "Add Evidence Item" and choose FirstHack.ad1.

Then select "File" and "Export Files". Choose the working directory as the export destination.
Rename the folders for easier CLI navigation (the brackets are quoted so the shell does not treat [root] as a glob):

mv 'Horcrux.E01_Partition 5 [14304MB]_NONAME [ext4]' part5
mv 'part5/[root]' part5/root

Walkthrough

1. What distribution of Linux is being used on this machine?

There is no release file, so another option is to list the boot directory:

ls -la part5/root/boot/


Answer: kali

2. What is the MD5 hash of the apache access.log?

We can use this pretty one liner:

find . -name "access.log" -exec md5sum "{}" \;

Answer: d41d8cd98f00b204e9800998ecf8427e

3. It is believed that a credential dumping tool was downloaded. What is the file name of the download?

Going straight into the Downloads directory:

ls -la part5/root/root/Downloads

Answer: mimikatz_trunk.zip

4. There was a super-secret file created. What is the absolute path?

Using grep with options:

grep -r -l -i 'secret' *

Returns many files, but bash_history is the best option:

grep -i secret part5/root/root/.bash_history

Answer: /root/Desktop/SuperSecretFile.txt

5. What program used didyouthinkwedmakeiteasy.jpg during execution?

grep -r 'didyouthinkwedmakeiteasy.jpg' *

There is a match in .bash_history: the user ran binwalk on the jpg.

Answer: binwalk

6. What is the third goal from the checklist Karen created?

First, let’s find matches for checklist:

grep -r -i 'checklist' *

Apparently there is a Checklist file on the Desktop. Let’s print it:

cat part5/root/root/Desktop/Checklist

Answer: Profit

7. How many times was apache run?

We can find this information in the access.log file:

cat part5/root/var/log/apache2/access.log

It’s empty, so it was never run!

Answer: 0
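The hash from question 2 is worth recognising on sight: d41d8cd98f00b204e9800998ecf8427e is the MD5 of a zero-byte file, which is exactly why question 7 comes out as 0. The script below is an added example, not part of the original write-up or the challenge files. It hashes every file matching a name pattern under an exported image tree and flags the empty ones; in place of part5 it builds a small constructed directory tree so it runs on its own.

```shell
#!/bin/sh
# Added example, not from the original write-up: hash every file matching a
# name pattern under an image tree and flag zero-byte files, whose MD5 is
# always d41d8cd98f00b204e9800998ecf8427e.

EMPTY_MD5=d41d8cd98f00b204e9800998ecf8427e

# md5_of FILE -> prints only the hex digest
md5_of() {
    md5sum "$1" | cut -d' ' -f1
}

# hash_logs ROOT PATTERN -> one "hash  path  [EMPTY]" line per matching file
hash_logs() {
    find "$1" -type f -name "$2" -print | while IFS= read -r f; do
        h=$(md5_of "$f")
        if [ "$h" = "$EMPTY_MD5" ]; then
            printf '%s  %s  EMPTY\n' "$h" "$f"
        else
            printf '%s  %s\n' "$h" "$f"
        fi
    done
}

# count_empty ROOT PATTERN -> number of matching files that are zero bytes
count_empty() {
    hash_logs "$1" "$2" | grep -c 'EMPTY$'
}

# make_sample_tree -> prints the path of a constructed mini image tree
# (stands in for part5/root; the empty access.log mirrors Karen's image)
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/var/log/apache2" "$d/var/log/nginx"
    : > "$d/var/log/apache2/access.log"
    printf 'constructed sample line\n' > "$d/var/log/nginx/access.log"
    printf '%s\n' "$d"
}

# Usage: hash every access.log in the sample tree, then clean up.
root=$(make_sample_tree)
hash_logs "$root" access.log
rm -rf "$root"
```

Run it against the real export with hash_logs part5/root access.log; any line ending in EMPTY is a log that was never written to, so it cannot answer a "how many times" question.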

8. It is believed this machine was used to attack another. What file proves this?

Looking at the root user's home directory (the account that was actually used), there is a .msf4 directory, which belongs to Metasploit.

ls -la part5/root/root

If we look at its history file, there is evidence that it was being used to attack Bob:

cat part5/root/root/.msf4/history

There is also evidence in the bash history file:

cat part5/root/root/.bash_history

However, none of these answers are right. In the root directory there is a jpeg file, which is likely a screenshot of the victim's machine:

Answer: irZLAohL.jpeg

9. Within the Documents file path, it is believed that Karen was taunting a fellow computer expert through a bash script. Who was Karen taunting?

ls -la part5/root/root/Documents/
# returns one folder, myfirsthack; printing each file, firstscript_fixed matches:
cat part5/root/root/Documents/myfirsthack/firstscript_fixed

Looks like Karen is taunting “Young”.

Answer: Young

10. A user su'd to root at 11:26 multiple times. Who was it?

Authorizations are logged in auth.log. To find out whether the user managed to gain root access, we can grep for '11:26' and then for 'Successful':

grep '11:26' part5/root/var/log/auth.log | grep Successful

Answer: postgres
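A plain grep for '11:26' matches that string anywhere in the line, including inside a later timestamp such as 12:11:26, so on a busier log it can pull in unrelated users. The script below is an added example (mine, not part of the original write-up): it anchors the match on the syslog timestamp field instead and tallies successful su-to-root events per user. The auth.log lines it reads are constructed for illustration and follow the Debian/Kali su message format; the hostname and times are made up.

```shell
#!/bin/sh
# Added example, not from the original write-up: who su'd to root at a given
# HH:MM, matched on the timestamp field rather than anywhere in the line.

# make_sample_auth_log -> prints the path of a constructed auth.log
make_sample_auth_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Mar 14 11:25:58 kali su: pam_unix(su:auth): authentication failure; logname= uid=1000 euid=0 tty=/dev/pts/0 ruser=karen rhost=  user=root
Mar 14 11:26:02 kali su: Successful su for root by postgres
Mar 14 11:26:02 kali su: + /dev/pts/1 postgres:root
Mar 14 11:26:02 kali su: pam_unix(su:session): session opened for user root by postgres(uid=106)
Mar 14 11:26:41 kali su: Successful su for root by postgres
Mar 14 12:11:26 kali su: Successful su for root by karen
EOF
    printf '%s\n' "$f"
}

# su_to_root_at LOG HH:MM -> "count user" lines, most frequent first
su_to_root_at() {
    awk -v hm="$2" '
        # $3 is the syslog time; compare its HH:MM prefix instead of substring-grepping
        substr($3, 1, 5) == hm && /Successful su for root by/ { n[$NF]++ }
        END { for (u in n) printf "%d %s\n", n[u], u }
    ' "$1" | sort -rn
}

# top_su_user LOG HH:MM -> the single user with the most successful su's
top_su_user() {
    su_to_root_at "$1" "$2" | head -n 1 | cut -d' ' -f2
}

# naive_match_count LOG HH:MM -> how many lines a plain substring grep hits
naive_match_count() {
    grep -c "$2" "$1"
}

# Usage: tally the sample, then clean up.
log=$(make_sample_auth_log)
su_to_root_at "$log" 11:26
rm -f "$log"
```

On the sample, the timestamp-anchored tally reports only postgres (twice), while a substring grep for 11:26 also hits the 12:11:26 line for karen. Point it at part5/root/var/log/auth.log to reproduce the answer on the real image.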

11. Based on the bash history, what is the current working directory?

grep "cd" part5/root/root/.bash_history

The user cd'd to root/Documents/myfirsthack/ last.

Answer: /root/Documents/myfirsthack/
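Reading off the last cd line works only when that cd was absolute; relative steps, '..', '~' and 'cd -' have to be replayed from the start of the history to know where the shell ended up. The script below is an added example, not part of the original write-up: it replays every cd in a constructed .bash_history starting from an assumed home of /root and prints the resulting directory. It assumes each cd succeeded, since the history records only what was typed, not whether it worked.

```shell
#!/bin/sh
# Added example, not from the original write-up: derive the final working
# directory by replaying the cd commands in a .bash_history.

# norm_path ABSPATH -> collapses ".", ".." and empty components
# (runs in a subshell so the IFS and positional changes do not leak)
norm_path() (
    set -f                   # no globbing while splitting on "/"
    IFS='/'
    set -- $1
    out=""
    for comp in "$@"; do
        case "$comp" in
            ''|.) ;;
            ..)   out=${out%/*} ;;
            *)    out="$out/$comp" ;;
        esac
    done
    printf '%s\n' "${out:-/}"
)

# history_cwd HISTORY HOME -> directory after replaying every cd in HISTORY
history_cwd() {
    hist=$1
    home=$2
    cwd=$home
    prev=""
    while IFS= read -r line; do
        case "$line" in
            cd|'cd '*) ;;
            *) continue ;;       # only cd lines move the shell
        esac
        set -f
        set -- ${line#cd}        # split the arguments; $1 is the target
        set +f
        target=${1-}
        case "$target" in
            ''|'~') new=$home ;;
            -)      new=${prev:-$cwd} ;;
            '~/'*)  new=$(norm_path "$home/${target#??}") ;;
            /*)     new=$(norm_path "$target") ;;
            *)      new=$(norm_path "$cwd/$target") ;;
        esac
        prev=$cwd
        cwd=$new
    done < "$hist"
    printf '%s\n' "$cwd"
}

# make_sample_history -> prints the path of a constructed .bash_history
# (constructed to mirror the kind of commands seen on Karen's image)
make_sample_history() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
cd /var/log/apache2
cat access.log
cd
cd Downloads
unzip mimikatz_trunk.zip
cd ..
cd Desktop
cat Checklist
cd ~/Documents/myfirsthack/
nano firstscript_fixed
cd -
cd -
EOF
    printf '%s\n' "$f"
}

# Usage: replay the sample history for root, then clean up.
h=$(make_sample_history)
history_cwd "$h" /root
rm -f "$h"
```

For the real image run history_cwd part5/root/root/.bash_history /root; the trailing slash in the page's answer is dropped because paths are normalised.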


TLDR

– This is a rather easy Kali Linux forensics challenge which can be entirely solved with grep and cat.
