CyberDefender - CorporateSecrets (Part 1)

Challenge: https://cyberdefenders.org/blueteam-ctf-challenges/33
Part 2: https://hackmd.io/@SBK6401/ByFhEE8X6
Part 3: https://hackmd.io/@SBK6401/HyHp4NLQT
Part 4: https://hackmd.io/@SBK6401/H1rAEV87p

Tools:

  • FTK Imager
  • Registry Explorer
  • RegRipper
  • HxD
  • DB Browser for SQLite
  • HindSight
  • Event Log Explorer
  • MFTDump

==Q1==

What is the current build number on the system?

Exploit

Export the Software hive from root/Windows/System32/config/ directly, then look under Microsoft/Windows NT/CurrentVersion, where the CurrentBuild value records the build number.

:::spoiler Flag Flag: 16299 :::

==Q2==

How many users are there?

Exploit

Just look at Microsoft/Windows NT/CurrentVersion/ProfileList in the Software hive and count the SIDs listed there (one subkey per profile).

:::spoiler Flag Flag: 6 :::

==Q3==

What is the CRC64 hash of the file “fruit_apricot.jpg”?

Exploit

The file can be found under root/Users/hansel.apricot/Pictures/Saved Pictures. Export it and compute the hash with an online tool, but remember to pick the CRC-64-ECMA algorithm, otherwise the result will not match.
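Added example (my own code, not part of the original write-up or the challenge): a small parameterised CRC-64 in Python that shows why the algorithm choice matters. The two parameter sets are the published CRC-64/ECMA-182 and CRC-64/XZ definitions; the same bytes give different checksums under each, which is exactly the mismatch you get when an online tool defaults to the wrong variant.

```python
from typing import NamedTuple

MASK64 = (1 << 64) - 1


class Crc64Params(NamedTuple):
    poly: int
    init: int
    refin: bool
    refout: bool
    xorout: int


# CRC-64/ECMA-182: non-reflected, zero init, zero xorout.
CRC64_ECMA182 = Crc64Params(0x42F0E1EBA9EA3693, 0, False, False, 0)
# CRC-64/XZ: same polynomial, but reflected with all-ones init and xorout.
CRC64_XZ = Crc64Params(0x42F0E1EBA9EA3693, MASK64, True, True, MASK64)


def reflect(value: int, width: int) -> int:
    """Reverse the low `width` bits of `value`."""
    out = 0
    for i in range(width):
        if value & (1 << i):
            out |= 1 << (width - 1 - i)
    return out


def crc64(data: bytes, p: Crc64Params) -> int:
    """Bitwise CRC-64 following the Rocksoft parameter model."""
    crc = p.init
    for byte in data:
        if p.refin:
            byte = reflect(byte, 8)
        crc ^= byte << 56
        for _ in range(8):
            if crc & (1 << 63):
                crc = ((crc << 1) ^ p.poly) & MASK64
            else:
                crc = (crc << 1) & MASK64
    if p.refout:
        crc = reflect(crc, 64)
    return crc ^ p.xorout


def crc64_file(path: str, p: Crc64Params = CRC64_ECMA182) -> str:
    """Hash an exported file (e.g. fruit_apricot.jpg) and return uppercase hex."""
    with open(path, "rb") as fh:
        return f"{crc64(fh.read(), p):016X}"
```

The constructed input `b"123456789"` is the standard CRC check string; compare the two variants on it before trusting any tool's default.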

:::spoiler Flag Flag: ED865AA6DFD756BF :::

==Q4==

What is the logical size of the file “strawberry.jpg” in bytes?

Recon

The file is under root/Users/suzy.strawberry/Pictures/; right-click it and view its properties to read the logical size.

:::spoiler Flag Flag: 72448 :::

==Q5==

What is the processor architecture of the system? (one word)

Exploit

This was new to me: the processor architecture is stored in the SYSTEM hive under ControlSet001/Control/Session Manager/Environment/ (the PROCESSOR_ARCHITECTURE value).

:::spoiler Flag Flag: amd64 :::

==Q6==

Which user has a photo of a dog in their recycling bin?

Recon

First open the Recycle Bin and check which SID discarded the image; it turns out to be S-1-5-21-2446097003-76624807-2828106174-1005. Then go back to the registry (ProfileList) and look up which username that SID belongs to.

Exploit


:::spoiler Flag Flag: hansel.apricot :::

==Q7==

What type of file is “vegetable”? Provide the extension without a dot.

Recon

The file vegetable can be found under root/Users/miriam.grapes/Pictures/; looking at the file signature at the start of the file (7z archives begin with the bytes 37 7A BC AF 27 1C) shows it is a 7z archive.

Exploit


:::spoiler Flag Flag: 7z :::

==Q8==

What type of girls does Miriam Grapes design phones for (Target audience)?

Recon

I came back to this question after solving everything else, because at first I had no idea at all. Looking more carefully at Miriam Grapes' folder, I noticed she uses Firefox as her browser, so when you are stuck, check the browsing history (the Firefox artifact is at ./Users/miriam.grapes/AppData/Roaming/Mozilla/Firefox/Profiles/9far2v52.default-release/places.sqlite).

Exploit

Sure enough, something turned up: the phone she designs is aimed at the VSCO girl demographic.

What is VSCO?

One meaning of VSCO is a photo-editing (filter) app, the full name being Visual Supply Company; the other refers to a style of dress and lifestyle for girls, and "VSCO girl" is almost always used as a single phrase. The look is simple: a T-shirt with shorts, or a plain shirt with jeans; anything that looks relaxed and simple fits VSCO.

:::spoiler Flag Flag: VSCO :::

==Q9==

What is the name of the device?

Exploit

Look directly at SYSTEM/ControlSet001/Control/ComputerName/ComputerName (the ComputerName value).

:::spoiler Flag Flag: DESKTOP-3A4NLVQ :::

Reference