CyberDefender - CorporateSecrets (Part 4)

• Challenge: https://cyberdefenders.org/blueteam-ctf-challenges/33
• Part 1
• Part 2
• Part 3

Tools:

• FTK Imager
• Registry Explorer
• RegRipper
• HxD
• DB Browser for SQLite
• HindSight
• Event Log Explorer
• MFTDump

Q28

What cloud service was a Startup item for the user admin?

Recon

直接看admin的NTUSER.DAT中的./Software/Microsoft/Windows/CurrentVersion/Run就可以了

Exploit

Flag: OneDrive

Q29

Which Firefox prefetch file has the most runtimes? (Flag format is )

Exploit

直接export出和firefox有關的prefetch file，再用PECmd去parse他就可以看到各個執行檔執行的次數

1 2 3 4 5 6 7 8 9 10

$ ./PECmd.exe -f FIREFOX\ INSTALLER.EXE-71BB164E.pf | grep "Run count" Run count: 1 $ ./PECmd.exe -f FIREFOX.EXE-20153F0F.pf | grep "Run count" Run count: 10 $ ./PECmd.exe -f FIREFOX.EXE-A606B53C.pf | grep "Run count" Run count: 21 $ ./PECmd.exe -f FIREFOX.EXE-B4420372.pf | grep "Run count" Run count: 4 $ ./PECmd.exe -f FIRSTLOGONANIM.EXE-674CDAB9.pf | grep "Run count" Run count: 1

Flag: FIREFOX.EXE-A606B53C.pf/21

Q30

What was the last IP address the machine was connected to?

Exploit

直接看SYSTEM/ControlSet001/Services/Tcpip/Parameters/Interfaces/

Flag: 192.168.2.242

Q31

Which user had the most items pinned to their taskbar?

Recon

這一題也是新的觀念，taskbar items會在C:\Users\USERNAME\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar

Exploit

• admin
• jim.tomato
• hansel.apricot
• miriam.grapes
• suzy.strawberry

Flag: admin

Q32

What was the last run date of the executable with an MFT record number of 164885? (Format: MM/DD/YYYY HH:MM:SS (UTC).)

Recon

直覺會看第26題用mftdump的結果，然後去看164885的offset address，再去看 $MFT 的 timestamp

不過後來想想，$MFT的timestamp所記錄的是Creat Time + Modified Time + $MFT Modified Time + Access Time，並不是最後執行的timestamp，所以應該是去看是哪一個檔案，然後去看他的prefetch file

Exploit

1. Record No. 164885 → 0x0a105400
2. 7zG.exe
3. Export Prefetch
4. Parse Prefetch File

   1 2	$ ./PECmd.exe -f 7ZG.EXE-0F8C4081.pf | grep "Last run" Last run: 2020-04-12 02:32:09

Flag: 04/12/2020 02:32:09

Q33

What is the log file sequence number for the file “fruit_Assortment.jpg”?

Recon

這也是一個新觀念，log file sequence number就是在$MFT的magic header(FILE0)的後面(SO=8, LE=8)，並且倒著看再轉換成十進制就可以了，當然也可以直接用像MFTEcmd這樣的parser

Exploit

1 2 3

>>> num = '60 BA 1A 4C 00 00 00 00' >>> int("".join(num.split(' ')[::-1]), 16) 1276820064

Flag: 1276820064

Q34

Jim has some dirt on the company stored in a docx file. Find it, the flag is the fourth secret, in the format of <”The flag is a sentence you put in quotes”>. (Secrets, secrets are no fun)

Recon

這一題很複雜，一開始想說是類似docx forensics的這種CTF類型，所以找了一下其他的.docx files

Exploit

1. Search .docx Files 從recycle bin中可以看到Jim的SID(1003)有丟棄一些docx file的痕跡，直接把這些file export出來
2. 一番操作之後都沒有甚麼結果，所以就參考¹的作法，和之前的經驗，先把extension改成zip，然後解壓縮他
3. 再把./Document1/Content.xml用Microsoft Word開啟，就可以看到主要的內容了，這神奇的操作也是第一次看到

Flag: Customer data is not stored securely

Q35

In the company Slack, what is threatened to be deactivated if the user gets their email deactivated?

Exploit

我覺得¹解法比較有效率，不然慢慢找真的會瘋掉

1. 先找到有誰使用slack這套軟體，因為之前在寫前面的東西的時候就翻到了，所以可以參考就好

   1 2	$ find . -type d -name 'Slack' ./Users/hansel.apricot/AppData/Roaming/Slack

2. 接著看有沒有和題目相關的字眼

   1	$ grep -r -i 'deactivate' ./Users/hansel.apricot/AppData/Roaming/Slack > grep_deactivate.txt

3. 看哪一個file有和deactivate有關係，前面一大段是Cache就不用理他 可以看到應該是./Users/hansel.apricot/AppData/Roaming/Slack/IndexedDB/https_app.slack.com_0.indexeddb.leveldb/000003.log matches比較符合
4. 直接strings search

   1	$ strings ./Users/hansel.apricot/AppData/Roaming/Slack/IndexedDB/https_app.slack.com_0.indexeddb.leveldb/000003.log | grep text > log_dump.txt

5. 仔細看其中的內容，看來看去kneecaps應該就是答案，但我不確定這一題到底在幹嘛，或者說出題意義不明

   1	text"5And so do your kneecaps, well, as much as they do now{

Flag: kneecaps

Reference

1. CyberDefenders: CorporateSecrets ↩ ↩²