Forensics
SYSTEM CHECK
Description
My friend David, who is a manager at company XYX, handles all types of calculations and user data on his exceptionally fast computer. Due to its speed and the abundance of data it contains, his computer became a common target for Black hat hackers seeking to compromise high-performance systems with valuable information. As a result, hackers targeted David's computer. However, it wasn't just one hacker involved; there was another hacker aiming to gain physical access to the computer using a rubber ducky.
Both hackers managed to successfully breach the computer's security and install their own software as desired. Upon starting his computer, David noticed TWO unusual pop-ups and experienced a significant decrease in system performance. Worried about the situation, he checked the task manager and observed abnormal resource usage.
In response to David's concern, he informed me, and I conducted some forensic investigation. David provided me with the .ova file to analyze further. With this information, I will thoroughly research the Windows system, identify the extent of the compromise, and recommend appropriate remediation steps to alleviate the effects of the hacking incident. Rest assured, I will do my best to assist my friend David and help him restore his computer's security and normal functionality.
As a white hat hacker, can you please help me find out something?
Config Note: Uncheck the additional option "Import hard drives as VDI", and don't press any key when it asks to boot from CD or DVD.
Download Link: Link | Alternative Download Link: Link
When Last system audit policy was changed?
Flag Format: BDSEC{MM/DD/YEAR_Hour:Minute:Second_Am/PM}  Example: BDSEC{01/01/2001_01:01:01_PM}
Author : pmsiam0
Solution
After reading this really long backstory, the first thing we need to do is open the system in VirtualBox. Import the OVA file and let it boot up.

Ah.. Nostalgic D:
Anyway, we need to find when the system audit policy was last changed, so let's go to Event Viewer. The Security log should have events about audit policy changes.

Use Filter Current Log to filter for event ID 4719(S): System audit policy was changed.
Filter Current Log -> 4719 (inside <All Event IDs>)

Flag: BDSEC{07/20/2023_07:12:17_AM}
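As an added example (not from the original writeup), a Python script that does the same 4719 filtering over a Security log exported from Event Viewer as XML and renders the newest match in the flag format. The sample XML is constructed, and the utc_offset_hours parameter is an assumption: Event Viewer displays local time, while the exported SystemTime attribute is UTC, so the VM's offset must be supplied.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Namespace used by Event Viewer's "Save Selected Events... (XML)" export
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: two Security-log records; only the first is
# 4719 "System audit policy was changed", the other is a 4624 logon.
SAMPLE_XML = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4719</EventID>
    <TimeCreated SystemTime="2023-07-20T07:12:17.000000000Z"/>
    <Channel>Security</Channel></System>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID>
    <TimeCreated SystemTime="2023-07-20T07:13:00.000000000Z"/>
    <Channel>Security</Channel></System>
</Event>
</Events>"""


def parse_system_time(value):
    # SystemTime is UTC with up to 9 fractional digits; drop the fraction,
    # which datetime.fromisoformat cannot parse on older Python versions.
    head, _, _ = value.rstrip("Z").partition(".")
    return datetime.strptime(head, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def audit_policy_changes(xml_text, utc_offset_hours=0):
    """Return the local-time timestamps of every 4719 event, newest first."""
    local_tz = timezone(timedelta(hours=utc_offset_hours))  # assumed VM offset
    times = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4719":
            continue
        created = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        times.append(parse_system_time(created).astimezone(local_tz))
    return sorted(times, reverse=True)


def flag_for(when):
    # Challenge format: BDSEC{MM/DD/YEAR_Hour:Minute:Second_Am/PM}
    return "BDSEC{" + when.strftime("%m/%d/%Y_%I:%M:%S_%p") + "}"


if __name__ == "__main__":
    print(flag_for(audit_policy_changes(SAMPLE_XML)[0]))
```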
Maintain schedule
Description
My friend strictly maintains a schedule and takes regular actions. However, sometimes he forgets to do certain tasks. As a good friend, I want to help him by finding out about his work. Can you please assist me in finding his work for today?
Author: Siam
Solution
Since a schedule is mentioned, we should probably look into Task Scheduler.

After navigating to the tasks we see CTF-related tasks. The first task is disabled, so the other must be the "friend's today's work".
Go to task Properties -> Actions -> Edit to view the task details.

Flag: BDSEC{You_Are_L3g3nd_#proved}
Hacker destination file
Description
The second hacker, who accessed the machine physically, is quite smart but not too much. He set a destination path but the file is missing. But it must be noticed that CPU power is consumed constantly. You must find that file which is missing from the folder.
Author : pmsiam0
Solution
The malicious file must have been put in the startup programs. In Windows 7, open msconfig and navigate to the Startup tab.

For this challenge we need the second startup program, which is located at:

The .txt file contains a shell object which executes a command.

The executable being run is hidden, so I used cmd to list hidden files and directories.

Flag: BDSEC{Y3s#_y0U#_g0T#_F14G}
Hackers username and email
Description
The first hacker is much more intelligent, but he somehow made a mistake. When I investigated these things, I saw something juicy: the hacker's username and his email address. Can you also find them?
Flag Format: BDSEC{username_email}
Author: Siam
Solution
Going back to the previous challenge, there was a second program in the startup programs. By navigating to that directory we find XMRig Miner (a cryptocurrency miner). For it to run correctly there should be credentials stored somewhere.

Notepad showed terribly unformatted JSON, so I used the cmd command more config.json to get readable output. After scrolling down a bit we see the username and email.

Flag: BDSEC{comando1337_blbna@mail2tor.com}
Find Values
Description
Find the SHA1 value of the Windows 7 .ovf and .vmdk files.
Flag format: BDSEC{value1_value2}
Author: Siam
Solution
For this challenge we don't need the VM anymore, but we do need the OVA file. An OVA can actually be opened with archive software like 7-Zip.

I used PowerShell to get the file hashes.
PS C:\Users\...\Downloads\Windows 7> Get-FileHash -Algorithm SHA1 * | Format-List
Algorithm : SHA1
Hash : 2A3760CBF758C78BF5EC18A5C547B7DA31E44D35
Path : C:\Users\...\Downloads\Windows 7\Windows 7-disk001.vmdk
Algorithm : SHA1
Hash : 639DED7BA3889E627CEC08AEF95C609AF52C18BB
Path : C:\Users\...\Downloads\Windows 7\Windows 7.mf
Algorithm : SHA1
Hash : 11BC7CC41D7BA2FD92724500F4CBEC3F6D44108A
Path : C:\Users\...\Downloads\Windows 7\Windows 7.ovf
Flag: BDSEC{11BC7CC41D7BA2FD92724500F4CBEC3F6D44108A_2A3760CBF758C78BF5EC18A5C547B7DA31E44D35}
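An added example, not part of the original writeup: since an OVA is a plain tar archive whose .mf manifest records the SHA1 of the .ovf and .vmdk members, Python can compute the digests and check them against the manifest rather than only listing them, which also shows whether the image was altered after packaging. The in-memory OVA, its file names and contents below are constructed.

```python
import hashlib
import io
import tarfile

# OVA = tar archive holding <name>.ovf, <name>.mf and the disk .vmdk files.
# The .mf manifest lists one digest per file as "SHA1(file)= hexdigest".


def build_sample_ova():
    """Constructed sample OVA built in memory; not the challenge file."""
    files = {
        "Win7.ovf": b"<Envelope>constructed ovf descriptor</Envelope>",
        "Win7-disk001.vmdk": b"KDMV" + bytes(range(256)),
    }
    manifest = "".join(
        f"SHA1({name})= {hashlib.sha1(data).hexdigest()}\n" for name, data in files.items()
    ).encode()
    files["Win7.mf"] = manifest
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def parse_manifest(text):
    # "SHA1(Win7.ovf)= abc..." -> {"Win7.ovf": ("sha1", "abc...")}
    digests = {}
    for line in filter(str.strip, text.splitlines()):
        algo_name, _, digest = line.partition("=")
        algo, name = algo_name.rstrip(")").split("(", 1)
        digests[name] = (algo.strip().lower(), digest.strip().lower())
    return digests


def verify_ova(ova_bytes):
    """Return {member: (hexdigest, matches_manifest)} for every hashed member."""
    with tarfile.open(fileobj=io.BytesIO(ova_bytes), mode="r") as tar:
        # Whole members are read into memory; a real multi-GB vmdk should be hashed in chunks.
        members = {m.name: tar.extractfile(m).read() for m in tar if m.isfile()}
    mf_name = next(n for n in members if n.endswith(".mf"))
    results = {}
    for name, (algo, digest) in parse_manifest(members[mf_name].decode()).items():
        actual = hashlib.new(algo, members[name]).hexdigest()
        results[name] = (actual, actual == digest)
    return results


def flag_from_hashes(results, ovf, vmdk):
    return "BDSEC{%s_%s}" % (results[ovf][0].upper(), results[vmdk][0].upper())
```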