CyberDefender - Hunter (Part 2)

Challenge: https://cyberdefenders.org/blueteam-ctf-challenges/32
Part 1: https://hackmd.io/@SBK6401/By1BpZIf6
Part 3: https://hackmd.io/@SBK6401/HylP8ixQp

:::spoiler TOC
[TOC]
:::

Tools

==Q11==

How many ports were scanned?

Exploit

Continuing from the previous question.

:::spoiler Flag
Flag: 1000
:::

==Q12==

What ports were found "open"? (comma-separated, ascending)

Exploit

Continuing from the previous question.

:::spoiler Flag
Flag: 22,80,9929,31337
:::

==Q13==

What was the version of the network scanner running on this computer?

Exploit

Continuing from the previous question.

:::spoiler Flag
Flag: 7.12
:::

==Q14==

The employee engaged in a Skype conversation with someone. What is the skype username of the other party?

Recon

Intuitively the first step is to find where the Skype-related files live. Only after reading the explanation in [1] did I learn they are under \root\Users\Hunter\AppData\Roaming\Skype\hunterehpt, and that all the conversation, account and other data is stored in the main.db file.

Exploit

Time for a new tool again (DB Browser for SQLite). Open the Messages table directly; the very first messages already mention two names $\to$ linux-rul3z and hunterehpt.

:::spoiler Flag
Flag: linux-rul3z
:::

==Q15==

What is the name of the application both parties agreed to use to exfiltrate data and provide remote access for the external attacker in their Skype conversation?

Exploit

Continuing from the previous question: reading the conversation between the two parties shows that it is teamviewer.

:::spoiler Flag
Flag: teamviewer
:::

==Q16==

What is the Gmail email address of the suspect employee?

Exploit

Continuing from the previous question: the natural move is to pull data from the other tables. I found a Contacts table, which contains hunter's own Gmail address.

:::spoiler Flag
Flag: ehptmsgs@gmail.com
:::
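For Q14 to Q16 the same triage can be scripted instead of clicking through DB Browser. This is an added example, not part of the original writeup: it builds a constructed in-memory stand-in for main.db (assumption: the column names match Skype's Messages and Contacts tables) and queries it for the other party, keyword hits such as the remote-access tool, the time the chat ended, and contact email addresses.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed stand-in for Skype's main.db (assumption: the real Messages and
# Contacts tables carry at least these columns; timestamps are Unix seconds).
def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Contacts (skypename TEXT, fullname TEXT, emails TEXT);
        CREATE TABLE Messages (author TEXT, dialog_partner TEXT,
                               timestamp INTEGER, body_xml TEXT);
    """)
    conn.executemany("INSERT INTO Contacts VALUES (?, ?, ?)", [
        ("owner-acct", "Owner", "owner@example.invalid"),
        ("outsider-1", "Outsider", "outsider@example.invalid"),
        ("echo123", "Echo / Sound Test Service", ""),
    ])
    conn.executemany("INSERT INTO Messages VALUES (?, ?, ?, ?)", [
        ("outsider-1", "owner-acct", 1466498800, "did you get the diagram?"),
        ("owner-acct", "outsider-1", 1466498870, "use teamviewer, details by mail"),
        ("outsider-1", "owner-acct", 1466498936, "ok, bye"),
    ])
    return conn

def _fmt(ts):
    return datetime.fromtimestamp(ts, timezone.utc).strftime("%Y/%m/%d %H:%M:%S")

def conversation_partners(conn, owner):
    """Every skypename seen as author or dialog partner, except the owner."""
    rows = conn.execute(
        "SELECT author FROM Messages WHERE author != ? "
        "UNION SELECT dialog_partner FROM Messages WHERE dialog_partner != ?",
        (owner, owner))
    return sorted(r[0] for r in rows)

def messages_mentioning(conn, keyword):
    # (time, author, body) for messages containing keyword, case-insensitive
    rows = conn.execute(
        "SELECT timestamp, author, body_xml FROM Messages "
        "WHERE lower(body_xml) LIKE ? ORDER BY timestamp", ("%" + keyword.lower() + "%",))
    return [(_fmt(ts), author, body) for ts, author, body in rows]

def last_message_time(conn):
    """When the chat ended: the pivot for checking other channels (email) afterwards."""
    (ts,) = conn.execute("SELECT MAX(timestamp) FROM Messages").fetchone()
    return _fmt(ts)

def contact_emails(conn):
    # skypename -> email for every contact with an address on record
    rows = conn.execute("SELECT skypename, emails FROM Contacts WHERE emails != ''")
    return dict(rows)
```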

==Q17==

It looks like the suspect user deleted an important diagram after his conversation with the external attacker. What is the file name of the deleted diagram?

Recon

I had no idea at all on this one; again I learned it from [1]. They first found the Outlook backup file: there is a .pst file under \root\Users\Hunter\Documents\Outlook Files, which can be parsed with an online tool, and then the email correspondence can be read.

Exploit

In the Important folder there is a network architecture diagram, which should be the answer to this question. Tracing back to the Skype timeline, the two said goodbye at 2016/06/21 08:48:56 and then switched to communicating by email, which includes attaching the network design and planning how to leak the file out.

:::spoiler Flag
Flag: home-network-design-networking-for-a-single-family-home-case-house-arkko-1433-x-792.jpg
:::

==Q18==

The user Documents’ directory contained a PDF file discussing data exfiltration techniques. What is the name of the file?

Recon

Exploit

Looking carefully at the PDFs inside Documents, one named Ryan_VanAntwerp_thesis.pdf is the answer.

:::spoiler Flag
Flag: Ryan_VanAntwerp_thesis.pdf
:::

==Q19==

What was the name of the Disk Encryption application Installed on the victim system? (two words space separated)

Recon

The question asks for the name of the disk encryption software. My first instinct was to find out which programs the attacker had installed on the victim's computer. The first one I noticed is BCWipe; according to the description on Softking (軟體王):

This software offers several security levels to choose from for the files you want to erase. Don't assume that emptying the Windows Recycle Bin means the files are gone and rest easy: most of those files still exist on your hard disk and could be taken by someone with bad intentions at any time. This tool wipes the disk completely clean without leaving a trace. For computers holding important and sensitive documents, it is a powerful file-erasure tool.

Inside that folder there is an odd log (==UnInstall.log==); at a glance it seems to hold the basic record of the uninstall.

:::spoiler UnInstall.log
```
C 0 6/21/2016 4:44 AM
8 0 AdmPrivRequired
C 0 6/21/2016 4:44 AM
12 0 C:\Program Files (x86)\Jetico
C 0 6/21/2016 4:44 AM
0 0 C:\Program Files (x86)\Jetico\BCWipe
C 0 6/21/2016 4:44 AM
6 0 BCWipe 6.0
C 0 6/21/2016 4:44 AM
80000001 0 C:\Windows\system32\drivers\bcswap.sys
C 0 6/21/2016 4:44 AM
80000001 0 C:\Windows\system32\drivers\fsh.sys
C 0 6/21/2016 4:44 AM
80000001 0 C:\Windows\system32\drivers\MftWipeFilter.sys
C 0 6/21/2016 4:44 AM
B 0 "C:\Program Files (x86)\Jetico\BCWipe\BCWipeTM.exe" uninstall
C 0 6/21/2016 4:44 AM
12 0 C:\Program Files (x86)\Jetico\Shared\
C 0 6/21/2016 4:44 AM
1 0 C:\Program Files (x86)\Jetico\Shared\BCShExt.dll
C 0 6/21/2016 4:44 AM
1 0 C:\Program Files (x86)\Jetico\Shared\BCWipe.dll
C 0 6/21/2016 4:44 AM
1 0 C:\Program Files (x86)\Jetico\Shared\BCWipeLib2.dll
C 0 6/21/2016 4:44 AM
12 0 C:\Program Files (x86)\Jetico\Shared64\
C 0 6/21/2016 4:44 AM
80000001 0 C:\Program Files (x86)\Jetico\Shared64\BCShExt.dll
C 0 6/21/2016 4:44 AM
80000001 0 C:\Program Files (x86)\Jetico\Shared64\langfile2.dll
C 0 6/21/2016 4:44 AM
1 0 C:\Windows\BCUnInstall.exe
C 0 6/21/2016 4:44 AM
5 2 SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\BCWipe.exe
C 0 6/21/2016 4:44 AM
5 2 SOFTWARE\Jetico
C 0 6/21/2016 4:44 AM
5 1 SOFTWARE\Jetico
C 0 6/21/2016 4:44 AM
5 2 SOFTWARE\Jetico\BCWipe
C 0 6/21/2016 4:44 AM
5 1 SOFTWARE\Jetico\BCWipe
C 0 6/21/2016 4:44 AM
5 0 CLSID\{7850a720-705f-11d0-a9eb-0080488625e5}
C 0 6/21/2016 4:44 AM
5 0 *\shellex\ContextMenuHandlers\BCShellMenu
C 0 6/21/2016 4:44 AM
5 0 Drive\shellex\ContextMenuHandlers\BCShellMenu
C 0 6/21/2016 4:44 AM
5 0 Drive\shellex\PropertySheetHandlers\BCShellPage
C 0 6/21/2016 4:44 AM
5 0 Drive\shellex\DragDropHandlers\BCShellMenu
C 0 6/21/2016 4:44 AM
5 0 Folder\shellex\ContextMenuHandlers\BCShellMenu
C 0 6/21/2016 4:44 AM
5 0 Directory\shellex\DragDropHandlers\BCShellMenu
C 0 6/21/2016 4:44 AM
5 0 CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\Shell\YBCWipe
C 0 6/21/2016 4:44 AM
5 0 CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\Shell\YBCWipe\command
C 0 6/21/2016 4:44 AM
80000005 0 CLSID\{7850a720-705f-11d0-a9eb-0080488625e5}
C 0 6/21/2016 4:44 AM
80000005 0 CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\Shell\YBCWipe
C 0 6/21/2016 4:44 AM
80000005 0 CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\Shell\YBCWipe\command
C 0 6/21/2016 4:44 AM
5 2 SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BCWipe
C 0 6/21/2016 4:44 AM
10 2 SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BCWipeTM Startup
C 0 6/21/2016 4:44 AM
8000000A 0 BCSWAP
C 0 6/21/2016 4:44 AM
5 2 SOFTWARE\Jetico\BCWipe\Service\LogOff
C 0 6/21/2016 4:44 AM
5 2 SOFTWARE\Jetico\BCWipe\Service\Startup
C 0 6/21/2016 4:44 AM
5 2 SOFTWARE\Jetico\BCWipe\Service\Terminate
C 0 6/21/2016 4:44 AM
5 2 SOFTWARE\Jetico\BCWipe\Service\Startup1
C 0 6/21/2016 4:44 AM
A 0 BCWipeSvc
C 0 6/21/2016 4:44 AM
B 0 "C:\Program Files (x86)\Jetico\BCWipe\BCWipeSvc.exe" -remove
C 0 6/21/2016 4:44 AM
19 0 C:\Program Files (x86)\Jetico\BCWipe\bcgpupdt.dll$Remove$C:\Program Files (x86)\Jetico\BCWipe\BCWipeTM.exe
C 0 6/21/2016 4:44 AM
8000000A 0 fsh
C 0 6/21/2016 4:44 AM
8000000A 0 MftWipeFilter
C 0 6/21/2016 4:44 AM
7 0 C:\ProgramData\Microsoft\Windows\Start Menu\Programs\BCWipe
C 0 6/21/2016 4:44 AM
4 0 C:\ProgramData\Microsoft\Windows\Start Menu\Programs\BCWipe\
C 0 6/21/2016 4:44 AM
3 0 C:\ProgramData\Microsoft\Windows\Start Menu\Programs\BCWipe\BCWipe Help.lnk
C 0 6/21/2016 4:44 AM
3 0 C:\ProgramData\Microsoft\Windows\Start Menu\Programs\BCWipe\ReadMe.lnk
C 0 6/21/2016 4:44 AM
3 0 C:\ProgramData\Microsoft\Windows\Start Menu\Programs\BCWipe\About BCWipe.lnk
C 0 6/21/2016 4:44 AM
3 0 C:\ProgramData\Microsoft\Windows\Start Menu\Programs\BCWipe\BCWipe.lnk
C 0 6/21/2016 4:44 AM
3 0 C:\ProgramData\Microsoft\Windows\Start Menu\Programs\BCWipe\Crypto Swap.lnk
C 0 6/21/2016 4:44 AM
3 0 C:\ProgramData\Microsoft\Windows\Start Menu\Programs\BCWipe\BCWipe Task Manager.lnk
C 0 6/21/2016 4:44 AM
3 0 C:\ProgramData\Microsoft\Windows\Start Menu\Programs\BCWipe\Automatic Update.lnk
C 0 6/21/2016 4:53 AM
C 1 DisableReboot
```
:::

From this file we can see a piece of software called Crypto Swap, which is the target we are looking for.

:::spoiler Flag
Flag: Crypto Swap
:::
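The log above has a regular shape: every record line is preceded by a "C 0 <date>" header line. The parser below is an added example, not part of the writeup or of BCWipe itself; it pairs headers with records on a constructed excerpt of the log and lists the Start Menu shortcuts, which is where Crypto Swap shows up. The meaning of the numeric record codes is not documented on the page, so they are kept raw.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed excerpt of the BCWipe UnInstall.log quoted above: each "C 0 <date>"
# header line is followed by one record line "<hex code> <flag> <value>".
SAMPLE_LOG = r"""C 0 6/21/2016 4:44 AM
6 0 BCWipe 6.0
C 0 6/21/2016 4:44 AM
80000001 0 C:\Windows\system32\drivers\bcswap.sys
C 0 6/21/2016 4:44 AM
5 2 SOFTWARE\Jetico\BCWipe
C 0 6/21/2016 4:44 AM
3 0 C:\ProgramData\Microsoft\Windows\Start Menu\Programs\BCWipe\Crypto Swap.lnk
C 0 6/21/2016 4:53 AM
C 1 DisableReboot
"""
HEADER_RE = re.compile(r"^C 0 (\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2} [AP]M)$")
RECORD_RE = re.compile(r"^([0-9A-Fa-f]+) (\d+) (.*)$")

@dataclass
class Entry:
    when: datetime  # taken from the preceding header line
    code: int       # record type; its meaning is not documented on the page, kept raw
    flag: int
    value: str      # file, driver, registry key, service or option name

def parse_uninstall_log(text):
    """Pair each header line with the record line that follows it."""
    entries, when = [], None
    for line in (l.strip() for l in text.splitlines()):
        m = HEADER_RE.match(line)
        if m:  # "C 1 DisableReboot" is a record, not a header: flag 1 and no date
            when = datetime.strptime(m.group(1), "%m/%d/%Y %I:%M %p")
            continue
        m = RECORD_RE.match(line)
        if m and when is not None:
            entries.append(Entry(when, int(m.group(1), 16), int(m.group(2)), m.group(3)))
    return entries

def names_with_suffix(entries, suffix):
    """Basenames of values ending in suffix, e.g. '.lnk' shortcuts or '.sys' drivers."""
    return [e.value.rsplit("\\", 1)[-1] for e in entries if e.value.lower().endswith(suffix)]

def shortcuts(entries):
    """Start Menu shortcut names: the quickest inventory of a product's components."""
    return [name[:-4] for name in names_with_suffix(entries, ".lnk")]
```

Run it on the full log from the spoiler above and `shortcuts()` returns all seven Start Menu entries, Crypto Swap among them.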

==Q20==

What are the serial numbers of the two identified USB storage?

Recon

This question too I only solved after consulting [2]: the information has to be pulled from the registry.

Exploit

SYSTEM\ControlSet001\Enum\USBSTOR\ holds the complete record of the USB storage devices.

Comparing with my own computer, I have no idea why there is no USBSTOR key there at all.

:::spoiler Flag
Flag: 07B20C03C80830A9,AAI6UXDKZDV8E9OU (the serial number does not include the trailing two characters &0)
:::

Reference