Defcon 2019: Triage VM

Information

Category Name: Triage VM
Files: Triage-VM.7z 9.11 GB

My Recommendations

Download it from the CTF and verify the file with md5sum:

md5sum /path/to/Triage-VM.7z

MD5: bbe242e1ba3bb1dc9d67c087b3eb8517

After verification, extract the archive with 7z and share the folder containing Triage-VM with your VM.

This is my cheatsheet for mounting .vmdk files in Linux. If you follow that tutorial, note that I created the mountpoint /mnt/triage for this CTF.

This is my personal preference: I like being organized and deleting a folder when I’m done with it.

mkdir Documents/defcon19/triage && cd Documents/defcon19/triage

A question asks for an MD5 hash, so it’s best to create a hashset database in advance, as the process takes a long time. You can leave it running in the background and work through the questions while it runs.

sudo tsk_loaddb -h -d triage.db /mnt/vmdk/DFA_CTF_Triage.vmdk.raw

I prefer to copy files/directories that I will be working with a lot. That way, if I mess one up, I can delete it and copy it again.

cp /mnt/triage/Windows/System32/config .

These four tools are all you need to solve this challenge; make sure they are installed and running properly.

##sleuthkit test with:
mmls -h 
##regripper test with:
rip.pl -h
##pffexport
pffexport -h
##html2text
html2text -help

Walkthrough

1. Who's That User? - 1 pts

What is the name of the user?

Listing the Users directory:

ls -la /mnt/triage/Users

The only user is Bob!

Answer: flag<Bob>

2. Thee who logged in last - 5 pts

Which time was the most recent logon? Submit in UTC as MM/DD/YYYY HH:MM:SS in 24 format.

Using RegRipper:

rip.pl -p lastloggedon -r config/SOFTWARE

Bob was the last logged-on user!

Answer: flag<03/22/2019 20:50:51>

3. Down Time? More like Frown Time - 5 pts

When was the machine last turned off? Submit in UTC as MM/DD/YYYY HH:MM:SS in 24 format.

Using RegRipper:

rip.pl -p shutdown -r config/SYSTEM

Answer: flag<03/22/2019 21:11:14>

4. No one's ever really gone... *Palpatine Laugh* - 5 pts

A 7z archive was deleted, what is the CRC32 hash of the file inside?

Listing the contents of the Recycle Bin:

ls -la '/mnt/triage/$Recycle.Bin/S-1-5-21-1497316740-357279761-3945674337-1000'

Copying the file to my working directory and extracting it with 7z:

cp '/mnt/triage/$Recycle.Bin/S-1-5-21-1497316740-357279761-3945674337-1000/$RATGMO5.7z' archive.7z
7z x archive.7z

The file is a gif named ‘giphy.gif’; to calculate its CRC32 I use 7z again:

7z h -scrcCRC32 giphy.gif

Answer: flag<AD96120c>

5. Now, is no time at all - 7 pts

What is the current timezone on the machine? (Submit in UTC format)

Using RegRipper:

rip.pl -p timezone -r config/SYSTEM

Answer: flag<UTC-5>

6. IT'S OVER 1000 - 7 pts

How many users have an RID of 1000 or above on the machine?

Using RegRipper and piping the output to grep, so it only displays the RIDs:

rip.pl -p samparse -r config/SAM | grep "RID"

Answer: flag<1>

7. Go Go Gadget Google Extension - 7 pts

What is the ID of the chrome extension installed?

Listing the Extensions directory:

ls -la '/mnt/triage/Users/Bob/AppData/Local/Google/Chrome/User Data/Default/Extensions'

There are two Extensions that were potentially user installed.

 
To make sure, copy the History database to my WD and check for artifacts:

cp '/mnt/triage/Users/Bob/AppData/Local/Google/Chrome/User Data/Default/History' History.db && sqlitebrowser History.db

Answer: flag<hnbmfljfohghaepamnfokgggaejlmfol>

8. Run, Adobe, Run! - 7 pts

How many times was adobe reader run?

Using RegRipper:

rip.pl -p userassist -r NTUSER.DAT | grep "Adobe"

The actual .exe file of Adobe Reader, AcroRd32.exe, was executed 7 times.

Answer: flag<7>

9. Should I use my invisibility to fight crime or for evil? - 10 pts

A hidden executable is on the desktop. What is the name of the file (extension included)?

ls -l /mnt/triage/Users/Bob/Desktop

Since the partition is mounted, hidden files appear when listing the contents. With Sleuth-Kit, you can check which of the two executables is hidden:

sudo ifind -n /Users/Bob/Desktop/hfs.exe -o 206848 /mnt/vmdk/DFA_CTF_Triage.vmdk.raw
##Returns inode 16123
sudo istat -o 206848 /mnt/vmdk/DFA_CTF_Triage.vmdk.raw 16123

Next, we can check the other executable, howudoin.exe:

sudo ifind -n /Users/Bob/Desktop/howudoin.exe -o 206848 /mnt/vmdk/DFA_CTF_Triage.vmdk.raw
##Returns inode 57997
sudo istat -o 206848 /mnt/vmdk/DFA_CTF_Triage.vmdk.raw 57997

howudoin.exe’s metadata has the Hidden flag set.

Answer: flag<howudoin.exe>

10. It's all in the timing - 10 pts

What time did the user access content on placeholder.com? Submit answer in HH:MM format.

Opening History.db with SqliteBrowser:

sqlitebrowser History.db

Open the urls table and filter the url column with placeholder:

This timestamp is in WebKit format; an online converter turns it into a human-readable date:

Answer: flag<01:12>

11. The Hostess with the Mostest - 10 pts

What is the hostname of the Triage machine?

Using RegRipper:

rip.pl -p compname -r config/SYSTEM

Answer: flag<im-a-compoota>

12. These messages aren't gonna message themselves! - 10 pts

What messaging application was downloaded onto this machine?

ls -la /mnt/triage/Users/Bob/Downloads | grep ".exe"

Bob downloaded a lot of files and executables, but the only messaging one is Skype!

Answer: flag<Skype>

13. Dang it Bobby - 15 pts

How many times did Bob visit Outlook.com?

sqlitebrowser History.db

Open the urls table and filter the url column with outlook.com:

Answer: flag<3>

14. Damnit Bobby! - 15 pts

It appears that Bob may have been playing the role of HR. Can you find the Social Security Number for someone with the initials R.C.?

Looking at various directories, there is an “EmployeeDocuments” folder in Bob’s Documents directory:

ls -la /mnt/triage/Users/Bob/Documents

In the “EmployeeDocuments” folder there is a single Excel spreadsheet; to read it, I use “xlsx2csv”:

ls -la /mnt/triage/Users/Bob/Documents/EmployeeDocuments
xlsx2csv /mnt/triage/Users/Bob/Documents/EmployeeDocuments/EmployeeInformation.xlsx

Answer: flag<601-25-0735>

15. Get back to work Sponge Bob me boy - 18 pts

Bob was watching youtube videos at work. The network capture showed the video ID to be N9NCyGaxoDY. What is the title of the video?

sqlitebrowser History.db

Open the urls table, filter the url column with youtube.com, then scroll until you find that ID:

Answer: flag<Rowan Atkinson Toby the Devil – Welcome to Hell>
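Questions 10, 13 and 15 all come out of the urls table in Chrome's History.db, and question 10 additionally needs the WebKit timestamp converted. Below is an added Python version of those three lookups (my own example, not the writeup's method or tooling) run against a constructed in-memory table that uses Chrome's real column names; the URLs, titles and times are sample values, not the CTF data.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome (WebKit) timestamps count microseconds since 1601-01-01 00:00:00 UTC, not since
# the Unix epoch, so treating them as Unix microseconds puts the date 369 years out.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def webkit_to_utc(webkit_us):
    """WebKit microseconds -> timezone-aware UTC datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=webkit_us)

def utc_to_webkit(dt):
    """Inverse conversion; timedelta // timedelta is exact integer math (no float rounding)."""
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)

def build_sample_history():
    """Constructed in-memory stand-in for the urls table of Chrome's History.db (sample rows, not CTF data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,"
                 " visit_count INTEGER, last_visit_time INTEGER)")
    def ts(*ymdhms):  # helper: WebKit timestamp from UTC calendar fields
        return utc_to_webkit(datetime(*ymdhms, tzinfo=timezone.utc))
    rows = [
        ("https://placeholder.com/", "Placeholder", 1, ts(2019, 3, 22, 1, 12, 30)),
        ("https://outlook.com/", "Outlook", 2, ts(2019, 3, 22, 2, 0, 0)),
        ("https://outlook.com/mail/inbox", "Inbox", 1, ts(2019, 3, 22, 2, 5, 0)),
        ("https://www.youtube.com/watch?v=EXAMPLE1", "Example video title", 1, ts(2019, 3, 22, 3, 0, 0)),
    ]
    conn.executemany("INSERT INTO urls (url, title, visit_count, last_visit_time) VALUES (?, ?, ?, ?)", rows)
    return conn

def last_visit_hhmm(conn, needle):
    """Question 10: HH:MM (UTC) of the most recent visit to a URL containing needle, or None."""
    (ts,) = conn.execute("SELECT MAX(last_visit_time) FROM urls WHERE url LIKE ?", (f"%{needle}%",)).fetchone()
    return None if ts is None else webkit_to_utc(ts).strftime("%H:%M")

def visit_total(conn, needle):
    """Question 13: sum of visit_count over rows whose url contains needle (the writeup does not say
    whether it counted rows or visit_count; this is one reading)."""
    (total,) = conn.execute("SELECT COALESCE(SUM(visit_count), 0) FROM urls WHERE url LIKE ?",
                            (f"%{needle}%",)).fetchone()
    return total

def title_for_video(conn, video_id):
    """Question 15: stored page title for the youtube.com URL carrying v=<video_id>, or None."""
    row = conn.execute("SELECT title FROM urls WHERE url LIKE '%youtube.com%' AND url LIKE ?",
                       (f"%v={video_id}%",)).fetchone()
    return row[0] if row else None
```

To use it on the real artifact, replace the constructed connection with sqlite3.connect("History.db") on a copy of the file, as the writeup does.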

16. *Laughs in Hidden* - 25 pts

Bob has a hidden powerpoint presentation. What is the file’s CRC32 hash?

Bob’s Desktop has a lot of weird files, so I wouldn’t be surprised if it’s hidden in there.

binwalk /mnt/triage/Users/Bob/Desktop

This returns nothing. Maybe Bob deleted the file, or renamed it. The best approach is to look at the Desktop using Sleuth-Kit. First, we must find the inode number of the Desktop directory:

sudo ifind -n /Users/Bob/Desktop -o 206848 /mnt/vmdk/DFA_CTF_Triage.vmdk.raw

Then, we list the directory to see potential differences:

sudo fls -a -p -o 206848 /mnt/vmdk/DFA_CTF_Triage.vmdk.raw 466

kidgoatthing.jpg:howudoin does not appear in the mounted VM! Given its inode number, I’m assuming it was changed or renamed. To get more information about what’s in there, run istat:

sudo istat -o 206848 /mnt/vmdk/DFA_CTF_Triage.vmdk.raw 62143-128-9

The output shows a “Non-Resident” $DATA attribute named howudoin. To check whether this is the file, we can recover the attribute and look at the file header with xxd:

sudo icat -f ntfs -o 206848 /mnt/vmdk/DFA_CTF_Triage.vmdk.raw 62143-128-9 > recovered.bin
xxd recovered.bin | head -n 5

It’s a PowerPoint! Using 7z to calculate its hash and *praying for the best*:

7z h -scrcCRC32 recovered.bin

Answer: flag<076A3AF5>

17. Desktop Flag 1: Just the start of the fun - 25 pts

What is the flag in C:\Users\Bob\Desktop\WABBIT\1 ?

First, copy the folder to your WD in case you mess it up.

cp -r /mnt/triage/Users/Bob/Desktop/WABBIT wabbit
cd wabbit
strings 1 | grep "flag"

Answer: flag<program cannot be run in DOS>

18. Desktop Flag 2: Electric Boogaloo - 25 pts

What is the flag in C:\Users\Bob\Desktop\WABBIT\2 ?

strings 2

With strings, NETSCAPE.2.0 is the first line, meaning it’s a gif! Luckily, a gif was extracted for question 4. Open both giphy.gif (from question 4) and 2 in a hex viewer. Copy everything before NETSCAPE.2.0 in giphy.gif and paste it over everything before NETSCAPE.2.0 in 2. Save the output as 2.gif:

display 2.gif

Answer: flag<taco_bout>

19. Desktop Flag 3: Need for Speed - 25 pts

What is the flag in C:\Users\Bob\Desktop\WABBIT\3 ?

If you open the file in a hex viewer, it shows that the file was downloaded from the web.

To compare the files, open the link in a web browser and download the original into the WD:

firefox https://commons.wikimedia.org/wiki/File:DragonForce_-_Wacken_Open_Air_2016-AL8703.jpg

Open the downloaded file in the hex editor. The issue is with the headers. Copy/paste the contents of “3” into a new array. Then copy the header from the downloaded file (everything before https://). Go back to the new array you created and paste it over the incorrect header:

Save the file as “repaired3.jpg”, and open it:

Answer: flag<dragonforce>

20. Desktop Flag 4: Want some more? - 25 pts

What is the flag in C:\Users\Bob\Desktop\WABBIT\4 ?

Using strings, the header says it is a “JFIF” file, but it doesn’t open. Opening it in a hex viewer, the header is FFD9; for a JFIF file, it should be FFD8.

Change the 9 to 8, save as 4.jpg and open it to find the flag:

display 4.jpg

Answer: flag<wof_on_champ>

21. Now watch me youuuuuuuu - 25 pts

A device with the drive letter “U” was connected. What was the label of the volume?

Using RegRipper and piping the output to grep:

rip.pl -p volinfocache -r config/SOFTWARE | grep 'U:' -B 5 -A 5

Answer: flag<ZOOM>

22. Desktop Flag 5: No, you can't have more time - 30 pts

What is the flag in C:\Users\Bob\Desktop\WABBIT\5 ?

Although the file command recognizes it as a “jpeg”, that is most definitely not true! Using strings, it looks a lot more like a pdf. Open it in a hex editor and replace the first 4 bytes FF D8 FF E0 with 25 50 44 46. Save as 5.pdf and open it to view the flag:

xdg-open 5.pdf

Answer: flag<pdf_LOLZ>
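The WABBIT fixes in questions 18, 19, 20 and 22 are all byte-level header repairs, and questions 4 and 16 end with a CRC32. Here is an added Python version of those steps (my own example, not the writeup's tooling), working on constructed byte strings rather than the CTF files; the magic values are the standard JPEG, PDF and GIF signatures, and transplant_prefix generalizes the “copy everything before the marker from the good file” trick to any marker, NETSCAPE2.0 for the gif and the https:// URL string for the jpeg.

```python
import zlib

# Standard signatures behind the WABBIT fixes; all test inputs below are constructed, not CTF files.
JPEG_SOI = b"\xff\xd8\xff\xe0"   # start-of-image + APP0 marker: what a JFIF file should begin with
PDF_MAGIC = b"%PDF"              # bytes 25 50 44 46, the value written into file 5
GIF_APP_EXT = b"NETSCAPE2.0"     # application-extension id present in animated GIFs (file 2)

def crc32_hex(data):
    """Uppercase CRC32 of data, the checksum '7z h -scrcCRC32' prints (questions 4 and 16)."""
    return f"{zlib.crc32(data) & 0xFFFFFFFF:08X}"

def guess_real_type(data):
    """Decide what the file really is from content markers, like the 'strings' checks in the writeup."""
    if GIF_APP_EXT in data:
        return "gif"
    if b"endobj" in data or b"%%EOF" in data:
        return "pdf"
    if b"JFIF" in data[:64]:
        return "jpeg"
    return "unknown"

def repair_jpeg_soi(data):
    """Question 20: the file begins FF D9 (end-of-image) instead of FF D8 (start-of-image)."""
    if data.startswith(b"\xff\xd9") and guess_real_type(data) == "jpeg":
        return b"\xff\xd8" + data[2:]
    return data

def repair_pdf_magic(data):
    """Question 22: a PDF whose first four bytes were overwritten with a JPEG header."""
    if data.startswith(JPEG_SOI) and guess_real_type(data) == "pdf":
        return PDF_MAGIC + data[4:]
    return data

def transplant_prefix(broken, donor, marker):
    """Questions 18 and 19: replace everything before marker with the donor file's bytes before marker
    (marker = GIF_APP_EXT for the gif, b'https://' for the jpeg re-downloaded from Wikimedia)."""
    b_idx, d_idx = broken.find(marker), donor.find(marker)
    if b_idx < 0 or d_idx < 0:
        raise ValueError("marker must occur in both files")
    return donor[:d_idx] + broken[b_idx:]
```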

23. I will look for you, I will find you... and I will hash you - 30 pts

A file with MD5 981FACC75E052A981519ABB48E2144EC is on the box… somewhere. What is the name of the file? (with ext)

If you followed my recommendations, then you should have a database of the files and their hashes.

sqlitebrowser triage.db

Go to the tsk_files table and filter the md5 column with the value:

Answer: flag<sleepy.png>

24. Easy Peasy Lemon Squeezy - 40 pts

So DFA leadership got tired…what’s the flag ON the desktop?

There is nothing in the Desktop files, but given the phrasing of the question, it could be in the background image. The background image is located at /Users/Bob/AppData/Roaming/Microsoft/Windows/Themes.

display /mnt/triage/Users/Bob/AppData/Roaming/Microsoft/Windows/Themes/*.jpg

Answer: flag<Holla>

25. Can you like... not? - 50 pts

It looks like Bob was going a little crazy with hiding files within different files. Can you find a flag within a powerpoint about sales pitches? Copy flag exactly how it’s found (i.e. not in normal flag format).

Previously, I saw a file related to sales in Bob’s Documents. Copy it to the WD:

cp /mnt/triage/Users/Bob/Documents/salespitch.pptx salespitch.pptx

As with most Office documents in CTFs, it’s best to first unzip salespitch.pptx and grep for flag:

unzip salespitch.pptx -d sales
grep -r "flag" sales

Answer: flag<“welikeslidestoo”>
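An added Python equivalent of the unzip-then-grep step (example code, not from the writeup), run against a constructed minimal pptx-style package instead of salespitch.pptx; it scans every zip member in memory, binary parts included, so a string parked in speaker notes or an embedded image turns up as well as slide text.

```python
import io
import re
import zipfile

def build_sample_pptx():
    """Constructed minimal pptx-style package (sample data, not the CTF file) with a string in slide XML."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("ppt/slides/slide1.xml", "<p:sld><a:t>Quarterly sales pitch</a:t></p:sld>")
        zf.writestr("ppt/slides/slide2.xml", "<p:sld><a:t>flag{sample_only}</a:t></p:sld>")
        zf.writestr("ppt/notesSlides/notesSlide1.xml", "<p:notes><a:t>notes mention flag too</a:t></p:notes>")
        zf.writestr("ppt/media/image1.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
    return buf.getvalue()

def grep_office_package(package, pattern):
    """In-memory equivalent of 'unzip -d sales && grep -r pattern sales'.
    Every member is searched as raw bytes, so a string parked in an embedded image or an
    unusual part is found as well as slide text. Returns (member name, context) pairs."""
    rx = re.compile(pattern.encode())
    hits = []
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info.filename)
            for m in rx.finditer(data):
                # keep a short window around the match, decoded leniently for display
                lo, hi = max(0, m.start() - 20), min(len(data), m.end() + 20)
                hits.append((info.filename, data[lo:hi].decode("utf-8", "replace")))
    return hits
```

For the real file, pass open("salespitch.pptx", "rb").read() as the package.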

26. KA-CHOW - 100 pts

jerry was a racecar driver

There is a file named ‘jerry was a racecar driver’ on Bob’s Desktop; copy it to your WD. Then run strings on it and grep for flag:

cp '/mnt/triage/Users/Bob/Desktop/jerry was a race car driver' jerry
strings jerry | grep "flag"

Answer: flag<nascar_murica>
