CyberDefender - CorporateSecrets (Part 2)
- Challenge: https://cyberdefenders.org/blueteam-ctf-challenges/33
- Part 1: https://hackmd.io/@SBK6401/r18z7VIm6
- Part 3: https://hackmd.io/@SBK6401/HyHp4NLQT
- Part 4: https://hackmd.io/@SBK6401/H1rAEV87p

:::spoiler TOC
[TOC]
:::
Tools:
- FTK Imager
- Registry Explorer
- RegRipper
- HxD
- DB Browser for SQLite
- HindSight
- Event Log Explorer
- MFTDump
==Q10==
What is the SID of the machine?
Exploit
Just look at SOFTWARE/Microsoft/Windows NT/CurrentVersion/ProfileList; the machine SID is the common prefix of the local user profile keys.

:::spoiler Flag
Flag: S-1-5-21-2446097003-76624807-2828106174
:::
==Q11==
How many web browsers are present?
Recon
Search every user's AppData plus program1 directly; five browsers turn up (Firefox / Internet Explorer / Chrome / Edge / Tor).

:::spoiler Flag
Flag: 5
:::
==Q12==
How many super secret CEO plans does Tim have? (Dr. Doofenshmirtz Type Beat)
Recon
This one is a bit like the Enlightened 2023 - Jack flag.
Exploit
- First look through Tim's Documents for any file that stands out
- secret.odt is the one: the last part of its content is hidden and only shows up after copying the text into another editor
```
Super secret CEO plans:
• Take over the world
• Destroy Google
• Release the new Fruit Phone
• Fire Jim Tomato
```
:::spoiler Flag
Flag: 4
:::
==Q13==
Which employee does Tim plan to fire? (He’s Dead, Tim. Enter the full name - two words - space separated)
Recon
Same as the previous question.
:::spoiler Flag
Flag: Jim Tomato
:::
==Q14==
What was the last used username? (I didn’t start this conversation, but I’m ending it!)
Recon
I don't think this question is well written; or rather, the wording is hard to understand (it may just be that my English is bad). Either way, what it asks for is the last account that used the machine, so the obvious approach is to export Security.evtx, convert it to CSV, and use Timeline Explorer to find the last successful logon.
Exploit
- Method 1: the Security.evtx timeline approach described above
- Method 2: it can also be found in SOFTWARE/Microsoft/Windows NT/CurrentVersion/Winlogon
:::spoiler Flag
Flag: jim.tomato
:::
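The Security.evtx route above, done as a small script instead of Timeline Explorer. This is an added example, not part of the original writeup: it reads a CSV export of the Security log and picks the most recent successful interactive logon (Event ID 4624) by a real user, skipping computer accounts and the built-in identities that log on at every boot. The column names (`TimeCreated`, `EventId`, `TargetUserName`, `LogonType`) and the sample rows are assumed/constructed; a real export from Event Log Explorer or EvtxECmd will need the names adjusted.

```python
import csv
import io

# Logon types that mean a person was at the console, unlocked a session,
# or came in over RDP. Type 3 (network) and 5 (service) are noise here.
INTERACTIVE_LOGON_TYPES = {"2", "7", "10", "11"}


def is_service_or_machine_account(name: str) -> bool:
    """Skip computer accounts (trailing '$') and the built-in identities
    (SYSTEM, DWM-*, UMFD-*, ...) that produce 4624 events on every session."""
    upper = name.upper()
    return (name.endswith("$")
            or upper in {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE", "ANONYMOUS LOGON"}
            or upper.startswith(("DWM-", "UMFD-")))


def successful_interactive_logons(csv_text: str):
    """Yield (timestamp, username, logon_type) for every 4624 row that is an
    interactive logon by a real user, in file order."""
    reader = csv.DictReader(io.StringIO(csv_text))
    for row in reader:
        if row["EventId"] != "4624":            # only successful logons
            continue
        if row["LogonType"] not in INTERACTIVE_LOGON_TYPES:
            continue
        if is_service_or_machine_account(row["TargetUserName"]):
            continue
        yield row["TimeCreated"], row["TargetUserName"], row["LogonType"]


def last_logged_on_user(csv_text: str):
    """Return (timestamp, username) of the most recent interactive logon, or None."""
    # Timestamps are ISO-8601, so plain string sorting is chronological.
    logons = sorted(successful_interactive_logons(csv_text))
    if not logons:
        return None
    ts, user, _ = logons[-1]
    return ts, user


# Constructed sample export (column layout and account names are assumptions).
SAMPLE_CSV = """TimeCreated,EventId,TargetUserName,LogonType
2023-01-10T08:00:00,4624,SYSTEM,5
2023-01-10T08:01:00,4624,tim.apple,2
2023-01-10T08:30:00,4625,jim.tomato,2
2023-01-10T09:00:00,4624,DESKTOP-CORP$,3
2023-01-10T09:15:00,4624,jim.tomato,2
2023-01-10T09:16:00,4624,DWM-1,2
2023-01-10T10:00:00,4624,jim.tomato,3
"""

if __name__ == "__main__":
    print(last_logged_on_user(SAMPLE_CSV))
```

The filter is the whole point: without dropping SYSTEM, `DWM-*`, computer accounts and network logons, the "last" 4624 row is almost always noise rather than the person who sat at the keyboard.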
==Q15==
What was the role of the employee Tim was flirting with?
Recon
I had no idea for this one, so the solution follows reference 1.
Exploit
Mainly, export the browser's history database file and read through the browsing history.

:::spoiler Flag
Flag: secretary
:::
==Q16==
What is the SID of the user “suzy.strawberry”?
Exploit
Same as question 10: suzy.strawberry's SID is S-1-5-21-2446097003-76624807-2828106174-1004, and the answer is the last component (the RID).
:::spoiler Flag
Flag: 1004
:::
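What questions 10 and 16 rely on, written out in code. This is an added example, not from the writeup: it decodes a binary SID (the layout Windows uses in registry security descriptors and in ProfileList's `Sid` value) into the familiar `S-1-5-21-...` string, splits an account SID into its machine/domain part and RID, and derives the machine SID from a list of ProfileList subkey names. The SIDs other than the one from the challenge are constructed.

```python
import struct


def decode_sid(blob: bytes) -> str:
    """Decode a binary SID into 'S-<revision>-<authority>-<sub>...'.
    Layout: 1 byte revision, 1 byte sub-authority count, 6 bytes identifier
    authority (big-endian), then N x 32-bit sub-authorities (little-endian)."""
    if len(blob) < 8:
        raise ValueError("SID blob too short")
    revision, sub_count = blob[0], blob[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if len(blob) != 8 + 4 * sub_count:
        raise ValueError("length does not match sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % sub_count, blob[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def encode_sid(sid: str) -> bytes:
    """Inverse of decode_sid, so a string from a writeup can be searched for
    as raw bytes in a hive or a disk image (HxD style)."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("too many sub-authorities")
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def split_sid(sid: str):
    """Return (machine_or_domain_sid, rid) for an account SID."""
    head, _, rid = sid.rpartition("-")
    return head, int(rid)


def machine_sid_from_profiles(profile_sids):
    """Given the subkey names under ProfileList, return the machine SID: the
    common prefix of the S-1-5-21-... entries. The well-known S-1-5-18/19/20
    service profiles carry no machine part and are ignored. On a domain-joined
    box both local and domain prefixes can appear, which is reported as ambiguous."""
    prefixes = {split_sid(s)[0] for s in profile_sids if s.startswith("S-1-5-21-")}
    if len(prefixes) != 1:
        raise ValueError(f"expected one machine/domain prefix, found {sorted(prefixes)}")
    return prefixes.pop()


if __name__ == "__main__":
    # Constructed ProfileList contents; only the ...-1004 entry comes from the challenge.
    profiles = ["S-1-5-18", "S-1-5-19", "S-1-5-20",
                "S-1-5-21-2446097003-76624807-2828106174-1003",
                "S-1-5-21-2446097003-76624807-2828106174-1004"]
    print(machine_sid_from_profiles(profiles))
    print(split_sid(profiles[-1]))
```

RIDs from 1000 upward are ordinary user accounts, while 500 and 501 are the built-in Administrator and Guest, which is why the ProfileList prefix trick works even when only one real user has logged on.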
==Q17==
List the file path for the install location of the Tor Browser.
Exploit
Same as question 11.
:::spoiler Flag
Flag: C:\Program1
:::
==Q18==
What was the URL for the Youtube video watched by Jim?
Recon
This is a new twist on an old idea. First check which browser Jim uses $\to$ Chrome, then look up where Chrome keeps its browsing history $\to$ root/Users/jim.tomato/AppData/Local/Google/Chrome/UserData/Default/ contains the History database file, and finally parse that file with DB Browser.
Exploit

:::spoiler Flag
Flag: https://www.youtube.com/watch?v=Y-CsIqTFEyY
:::
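The History parsing step from questions 15 and 18, scripted rather than clicked through in DB Browser. This is an added example, not part of the writeup: it converts Chrome's WebKit timestamps (microseconds since 1601-01-01 UTC) to readable datetimes and joins the `visits` and `urls` tables to list visits matching a URL pattern. The in-memory database is a constructed stand-in that uses only the column subset of the real tables the query needs; the staff-directory URL and the visit times are invented, and the YouTube URL is the one from the challenge.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome/Chromium store times as microseconds since 1601-01-01 00:00:00 UTC.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_datetime(us: int) -> datetime:
    """WebKit/Chrome timestamp -> timezone-aware UTC datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def datetime_to_webkit(dt: datetime) -> int:
    """Aware datetime -> WebKit/Chrome timestamp (exact integer arithmetic)."""
    delta = dt - WEBKIT_EPOCH
    return delta.days * 86_400_000_000 + delta.seconds * 1_000_000 + delta.microseconds


def build_sample_history() -> sqlite3.Connection:
    """Constructed stand-in for a Chrome History file (column subset of the real
    'urls' and 'visits' tables). In practice, copy History out of the image first:
    a running Chrome holds a lock on the live file."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                           visit_count INTEGER DEFAULT 0, last_visit_time INTEGER);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER,
                             visit_time INTEGER, transition INTEGER);
    """)
    t_video = datetime_to_webkit(datetime(2023, 1, 10, 9, 20, tzinfo=timezone.utc))
    t_dir1 = datetime_to_webkit(datetime(2023, 1, 10, 9, 30, tzinfo=timezone.utc))
    t_dir2 = datetime_to_webkit(datetime(2023, 1, 10, 9, 40, tzinfo=timezone.utc))
    conn.executemany("INSERT INTO urls VALUES (?,?,?,?,?)", [
        (1, "https://www.youtube.com/watch?v=Y-CsIqTFEyY", "YouTube video", 1, t_video),
        (2, "https://intranet.example/hr/staff-directory", "Staff directory", 2, t_dir2),
    ])
    conn.executemany("INSERT INTO visits VALUES (?,?,?,?)", [
        (1, 1, t_video, 0),
        (2, 2, t_dir1, 0),
        (3, 2, t_dir2, 0),
    ])
    return conn


def visits_matching(conn: sqlite3.Connection, like_pattern: str):
    """Every visit whose URL matches the SQL LIKE pattern, newest first, as
    (utc_datetime, url, title). Joining on visits rather than reading urls
    alone keeps repeat visits to the same page visible."""
    cur = conn.execute(
        "SELECT v.visit_time, u.url, u.title FROM visits v "
        "JOIN urls u ON u.id = v.url WHERE u.url LIKE ? ORDER BY v.visit_time DESC",
        (like_pattern,))
    return [(webkit_to_datetime(t), url, title) for t, url, title in cur]


if __name__ == "__main__":
    db = build_sample_history()
    for when, url, title in visits_matching(db, "%youtube.com/watch%"):
        print(when.isoformat(), url, title)
```

The same two functions work unchanged against the real file: replace `build_sample_history()` with `sqlite3.connect("file:History?mode=ro", uri=True)` on the exported copy, and the timestamp conversion is what turns the large integers DB Browser shows into dates you can line up with the Security log.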