
Information
Category Name: Linux Forensics
Files: Laptop-Deadbox.zip 5.0 GB
My Recommendations
Download it from the CTF and verify the file with md5:
md5 /path/to/Laptop-Deadbox.zip
MD5: 5e35e01cfb14bd3762e7e3e5228cbb37
After verification, extract the zip archive and share the folder with your VM.
This is my cheatsheet to mount Linux E01 images in Linux.
This is my personal preference: I like being organized and deleting a folder when I'm done with it.
mkdir Documents/defcon19/linux && cd Documents/defcon19/linux
Walkthrough
1. red star - 10 pts
What distribution of Linux is being used on this machine?
We can find this by displaying the release file:
cat /mnt/Linux/etc/*release
Answer: flag<kali>
2. abc123 - 10 pts
What is the MD5 hash of the apache access.log?
First, find the file, then execute md5sum:
sudo find /mnt/Linux -type f -name "access.log"
md5sum /mnt/Linux/var/log/apache2/access.log
Answer: flag<d41d8cd98f00b204e9800998ecf8427e>
3. Radiohead - No Surprises - 10 pts
It is believed that a credential dumping tool was downloaded? What is the file name of the download?
Going straight into the Downloads directory:
ls -la /mnt/Linux/root/Downloads
Answer: flag<mimikatz_trunk.zip>
4. super duper secret - 15 pts
There was a super secret file created, what is the absolute path?
In the Bash History, Karen appended “snky snky” to /root/Desktop/SuperSecretFile.txt
The file doesn't exist in the partition anymore, so this must be its "absolute path".
Answer: flag</root/Desktop/SuperSecretFile.txt>
5. this is a hard one - 15 pts
What program used didyouthinkwedmakeiteasy.jpg during execution?
Looking at the bash_history:
sudo cat /mnt/Linux/root/.bash_history | grep "didyouthinkwedmakeiteasy.jpg"
The only time a program used didyouthinkwedmakeiteasy.jpg is binwalk:
Answer: flag<binwalk>
6. overachiever - 15 pts
What is the third goal from the checklist Karen created?
The checklist is on the Desktop:
sudo cat /mnt/Linux/root/Desktop/Checklist
Answer: flag<Profit>
7. attack helicopter - 20 pts
How many times was apache run?
sudo cat /mnt/Linux/var/log/apache2/access.log
It’s empty, so it was never run!
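Questions 2 and 7 turn on the same artifact. The hash found in question 2, d41d8cd98f00b204e9800998ecf8427e, is the MD5 of zero bytes, so the hash alone already tells you the access.log is empty before you ever open it. The script below is an added example, not part of the original walkthrough: it finds a file by name under an image root the way the `find` + `md5sum` step does, prints the hash and size, and flags the empty-file hash. It builds a small constructed directory tree standing in for /mnt/Linux rather than touching the real mount.

```sh
#!/bin/sh
# Added example (not from the original walkthrough): locate a file by name
# under a mounted image root, print its MD5, and recognise the one hash
# every analyst should know on sight.

EMPTY_MD5=d41d8cd98f00b204e9800998ecf8427e   # MD5 of zero bytes

# Portable MD5: GNU coreutils md5sum on Linux, BSD md5 on macOS.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# hash_by_name ROOT NAME: for every regular file called NAME below ROOT
# print "<md5>  <path>  <size> bytes", plus a note when the hash is the
# empty-file hash (a 0-byte access.log means apache never logged a request).
hash_by_name() {
    root=$1; name=$2
    find "$root" -type f -name "$name" | while IFS= read -r f; do
        h=$(md5_of "$f")
        size=$(wc -c < "$f" | tr -d ' ')
        note=
        [ "$h" = "$EMPTY_MD5" ] && note="  (empty file: MD5 of zero bytes)"
        printf '%s  %s  %s bytes%s\n' "$h" "$f" "$size" "$note"
    done
}

# Constructed demo tree standing in for /mnt/Linux: an empty apache
# access.log (as on the evidence image) and a non-empty error.log.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/var/log/apache2"
: > "$demo_root/var/log/apache2/access.log"
printf '[error] constructed sample line\n' > "$demo_root/var/log/apache2/error.log"

# demo_access_md5: just the hash of the constructed, empty access.log
demo_access_md5() {
    hash_by_name "$demo_root" access.log | cut -d' ' -f1
}

hash_by_name "$demo_root" access.log
hash_by_name "$demo_root" error.log
```

On the real image, call `hash_by_name /mnt/Linux access.log` (with sudo if the mount is root-only); the size column makes the "was it ever run?" question of question 7 answerable at a glance.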
8. oh no some1 call ic3 - 25 pts
It is believed this machine was used to attack another, what file proves this?
Looking at the root user's home directory (the account that was used), there is a .msf4 directory, which belongs to Metasploit.
ls -la /mnt/Linux/root
If we look at its history file, there is evidence that it was being used to attack Bob:
cat /mnt/Linux/root/.msf4/history
There is also evidence in the bash history file:
sudo cat /mnt/Linux/root/.bash_history
Answer: flag<.bash_history>
9. scripters prevail - 25 pts
Within the Documents file path, it is believed that Karen was taunting a fellow computer expert through a bash script. Who was Karen taunting?
cat /mnt/Linux/root/Documents/myfirsthack/firstscript
cat /mnt/Linux/root/Documents/myfirsthack/firstscript_fixed
cat /mnt/Linux/root/Documents/myfirsthack/hellworld.sh
Answer: flag<Young>
10. the who - 30 pts
A user su’d to root at 11:26 multiple times. Who was it?
cat /mnt/Linux/var/log/auth.log | grep '11:26'
Piping the output to grep for the time shows that postgres is the culprit:
Answer: flag<postgres>
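Grepping for "11:26" returns every auth.log line in that minute, including sudo and PAM session lines. The script below is an added example, not from the original walkthrough: it keeps only the `su` "(to root)" lines whose timestamp field falls in the requested minute and counts them per originating user, so repeated escalations by one account stand out. The auth.log lines are constructed for the demo and only imitate Debian's syslog format; they are not from the evidence image.

```sh
#!/bin/sh
# Added example (not from the original walkthrough): count "su to root"
# events per originating user within one HH:MM minute of an auth.log.

# su_to_root_at LOG HH:MM
# Matches syslog-style lines such as
#   Jun  9 11:26:04 kali su[2201]: (to root) postgres on pts/0
# where field 3 is the time and the word after "(to root)" is the account
# that invoked su. Prints "<user> <count>", most frequent first.
su_to_root_at() {
    awk -v t="$2" '
        $3 ~ ("^" t ":") && /su(\[[0-9]+\])?: \(to root\)/ {
            for (i = 1; i < NF; i++)
                if ($i == "root)") { users[$(i + 1)]++; break }
        }
        END { for (u in users) print u, users[u] }
    ' "$1" | sort -k2,2nr -k1,1
}

# Constructed auth.log excerpt (not from the evidence image): three su's
# by postgres inside 11:26, one by karen just before and one just after,
# plus sudo and PAM session lines that a plain grep for "11:26" would hit.
demo_log=$(mktemp)
cat > "$demo_log" <<'EOF'
Jun  9 11:25:40 kali su[2190]: (to root) karen on pts/1
Jun  9 11:26:04 kali su[2201]: (to root) postgres on pts/0
Jun  9 11:26:04 kali su[2201]: pam_unix(su:session): session opened for user root by postgres(uid=119)
Jun  9 11:26:31 kali sudo:    karen : TTY=pts/1 ; PWD=/home/karen ; USER=root ; COMMAND=/bin/ls
Jun  9 11:26:51 kali su[2215]: (to root) postgres on pts/0
Jun  9 11:26:59 kali su[2219]: (to root) postgres on pts/0
Jun  9 11:27:10 kali su[2230]: (to root) karen on pts/1
EOF

# demo_top_su_user: the busiest su-to-root account during 11:26
demo_top_su_user() {
    su_to_root_at "$demo_log" 11:26 | head -n 1
}

su_to_root_at "$demo_log" 11:26
```

Against the image, run `su_to_root_at /mnt/Linux/var/log/auth.log 11:26`; the PAM "session opened for user root by ..." lines carry the same information and are a useful cross-check when the "(to root)" lines are missing.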
11. / - 30 pts
Based on the bash history, what is the current working directory?
sudo cat /mnt/Linux/root/.bash_history | grep "cd"
The user cd’d to root/Documents/myfirsthack/ last:
Answer: flag< root/Documents/myfirsthack/>
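A grep for "cd" shows the directory changes but not where each one was run from: .bash_history stores commands, not the directory they executed in, so the working directory has to be reconstructed by replaying every cd from a known starting point (root's home, since this is root's history). The script below is an added example, not from the original walkthrough, and it goes beyond the single chain on the page: it handles bare `cd`, `cd ~`, `cd -`, `..` segments, absolute and relative targets, and ignores anything after the first argument. The history it replays is constructed for the demo.

```sh
#!/bin/sh
# Added example (not from the original walkthrough): reconstruct the
# working directory implied by a .bash_history by replaying its cd lines.

# normalize_path PATH: collapse "." and ".." segments of an absolute path.
normalize_path() {
    old_ifs=$IFS; IFS=/; set -f; set -- $1; set +f; IFS=$old_ifs
    out=
    for seg in "$@"; do
        case $seg in
            ''|.) ;;
            ..)   out=${out%/*} ;;
            *)    out=$out/$seg ;;
        esac
    done
    printf '%s\n' "${out:-/}"
}

# replay_cd HISTORY START HOME: print the logical cwd after every cd line
# in HISTORY has been applied. pushd/popd, subshells and aliases are not
# modelled, so treat the result as the best estimate the history allows.
replay_cd() {
    hist=$1; cwd=$2; home=$3; prev=$2
    while IFS= read -r line; do
        case $line in
            cd|"cd "*)
                set -f; set -- $line; set +f     # $2 = first argument to cd
                target=$2
                case $target in
                    ''|'~')  new=$home ;;
                    '~/'*)   new=$home/${target#"~/"} ;;
                    -)       new=$prev ;;
                    /*)      new=$target ;;
                    *)       new=$cwd/$target ;;
                esac
                prev=$cwd
                cwd=$(normalize_path "$new")
                ;;
        esac
    done < "$hist"
    printf '%s\n' "$cwd"
}

# Constructed history (not the evidence image's .bash_history).
demo_hist=$(mktemp)
cat > "$demo_hist" <<'EOF'
ls -la
cd Documents
mkdir myfirsthack
cd myfirsthack
nano firstscript
cd ..
cd /root/Desktop
cat Checklist
cd -
cd myfirsthack/ && ls
EOF

# demo_final_cwd: where the constructed session ended up, starting in /root
demo_final_cwd() {
    replay_cd "$demo_hist" /root /root
}

demo_final_cwd
```

For the image, run `sudo sh -c 'replay_cd /mnt/Linux/root/.bash_history /root /root'` after sourcing the functions; the result is absolute, so the page's answer of root/Documents/myfirsthack/ corresponds to /root/Documents/myfirsthack here.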