USCG Admin was H@cked

Description

One of the US Cyber Games administrators had their system hacked. There is a malicious startup Application set to run when a user logs in. Can you help find it?

Download: registry.7z

Author: JesseV

Solution

I knew nothing; after a quick Google search this came up: [Blue Team-System Live Analysis Part 11]- Windows: User Account Forensics- NTUSER.DAT Rules, Tools, Structure, and Dirty Hives!

Download Registry Explorer and open Users/uscgadmin/NTUSER.DAT from the extracted registry.7z.

Then look up one of these common locations for per-user startup applications:

  • NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run

  • NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\RunOnce

  • NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
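Once the three keys above have been read out of the hive (with Registry Explorer, or by loading the offline NTUSER.DAT under a temporary HKEY_USERS subkey and running `reg query <key> /s`), the remaining work is deciding which entry is the malicious one. The script below is an added example, not part of this writeup or of the challenge: it parses `reg query`-style text for those keys and scores each autorun with a handful of defender heuristics (script hosts, encoded or hidden-window switches, script files, user-writable paths, the rarely-used Policies\Explorer\Run key). The sample text, the HKEY_USERS\uscg mount name, every value name and every command in it are constructed for illustration; none comes from the challenge hive, and the weights are a triage heuristic chosen here, not an established standard.

```python
import re
from dataclasses import dataclass

# Constructed sample, not from the challenge hive: this is the shape of
# `reg query <key> /s` output after an offline NTUSER.DAT has been loaded
# under HKEY_USERS\uscg (mount name, value names and commands are all invented).
SAMPLE_REG_QUERY = r"""
HKEY_USERS\uscg\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\uscgadmin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    VendorTray    REG_SZ    "C:\Program Files\ExampleVendor\Tray.exe" /minimized
    WinUpdate    REG_SZ    powershell.exe -w hidden -nop -enc QUJD

HKEY_USERS\uscg\Software\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_USERS\uscg\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    1    REG_SZ    wscript.exe //B "C:\Users\uscgadmin\AppData\Roaming\svc\update.vbs"
"""

# Each indicator is (weight, reason, pattern). The weights are a triage
# heuristic picked for this example; tune them against your own baseline.
INDICATORS = [
    (3, "encoded command line",
     re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\b", re.I)),
    (2, "script host or LOLBin launcher",
     re.compile(r"\b(powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|cmd|certutil|bitsadmin)(\.exe)?\b", re.I)),
    (2, "hidden window / no-profile switches",
     re.compile(r"(^|\s)(-w(indowstyle)?\s+hidden|//B|-nop|-noprofile)\b", re.I)),
    (2, "launches a script file",
     re.compile(r"\.(vbs|vbe|js|jse|wsf|ps1|bat|cmd|hta)\b", re.I)),
    (1, "binary in a user-writable directory",
     re.compile(r"\\(AppData|Temp|Tmp|Downloads|Public|ProgramData)\\", re.I)),
]


def parse_reg_query(text):
    """Turn `reg query` text into (key, value_name, value_type, data) tuples."""
    entries, current_key = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        # key lines are flush-left and start with the HKEY_ root
        if not raw.startswith(" ") and line.upper().startswith("HK"):
            current_key = line.strip()
            continue
        if current_key is None:
            continue
        # reg query separates name, type and data with runs of four spaces
        parts = re.split(r"\s{4,}", line.strip(), maxsplit=2)
        if len(parts) == 3:
            entries.append((current_key, parts[0], parts[1], parts[2]))
    return entries


def score_command(key, command):
    """Return (score, reasons) for one autorun command under the given key."""
    score, reasons = 0, []
    for weight, reason, pattern in INDICATORS:
        if pattern.search(command):
            score += weight
            reasons.append(reason)
    if key.lower().endswith(r"\policies\explorer\run"):
        score += 1
        reasons.append("Policies\\Explorer\\Run is rarely populated by ordinary installers")
    return score, reasons


@dataclass
class Finding:
    key: str
    name: str
    command: str
    score: int
    reasons: list


def triage(text):
    """Parse reg query output and return findings, highest score first."""
    findings = []
    for key, name, _vtype, data in parse_reg_query(text):
        score, reasons = score_command(key, data)
        findings.append(Finding(key, name, data, score, reasons))
    # sorted() is stable, so ties keep hive order
    return sorted(findings, key=lambda f: -f.score)


if __name__ == "__main__":
    for f in triage(SAMPLE_REG_QUERY):
        print(f"[{f.score}] {f.key} :: {f.name} = {f.command}")
        for r in f.reasons:
            print("      -", r)
```

The point of scoring rather than flagging is visible in the sample: a legitimate OneDrive entry also lives under AppData and picks up one point, so "user-writable path" alone is noise, while an encoded, hidden-window script host or a VBS file launched from Roaming stands out at the top of the list. Review the top entries by hand in Registry Explorer, and treat anything under Policies\Explorer\Run with extra suspicion since normal software almost never writes there.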

[Image: USCG_Admin_was_H@cked.png]
