CyberDefenders - Insider

Author: Emma

Case Overview: After Karen started working for 'TAAUSAI,' she began to do some illegal activities inside the company. 'TAAUSAI' hired you to kick off an investigation on this case. You acquired a disk image and found that Karen uses Linux OS on her machine. Analyze the disk image of Karen's computer and answer the provided questions.


Tools Used:


Verify the hash of the download.

Image file name: FirstHack.ad1

Computed Hash:

  • SHA1 checksum: d820264d825fdaeb2146bf7b4c4e03684e700007

#1: What distribution of Linux is being used on this machine?

A Linux distribution, often called a "distro", is a particular packaged version of the Linux operating system. Each distribution has its own features and strengths, but they all share the same basic components of the Linux operating system.

The distribution of Linux being used can be found in the lsb-release file in root/var/log/installer; hints of the distribution name can also be found in the boot folder.


#2: What is the MD5 hash of the apache access.log?

For Apache web servers, the "access.log" file is typically found in the "logs" directory within the Apache installation directory. The location of the Apache installation directory may vary depending on the operating system and the method of installation.

Location for this machine is: /var/log/apache2/access.log

Once we find the access.log file, highlight it, click View on the menu bar of FTK Imager, then select Properties. The Properties window will open and show us both the MD5 and SHA1 hash values for the file.

Note: if you would like the Properties window to stay open so you can view the properties of each file as you go, select VIEW (on the top menu bar) > RESET DOCKED WINDOWS. This will pin the Properties window under the evidence tree.


#3: It is believed that a credential dumping tool was downloaded. What is the file name of the download?

Located in the Downloads folder, we see one .zip file which is our answer.


#4: There was a super-secret file created. What is the absolute path?

An absolute path is a complete path that specifies the location of a file or directory starting from the root directory of the file system.

The contents of the bash_history file, located in /root/bash_history (the home directory of the user), show us the secret file that was created.

Additional resources on bash_history:


#5: What program used didyouthinkwedmakeiteasy.jpg during execution?

bash_history shows us what program used didyouthinkwedmakeiteasy.jpg.


#6: What is the third goal from the checklist Karen created?

Users often keep documents they create on their Desktop. Located on the Desktop of this machine we find a folder titled mimikatz, and the file named "Checklist".


#7: How many times was apache run?

One way to figure out how many times Apache was run on a system is by analyzing the Apache access log file.

The Apache access log file is located in /var/log/apache2/access.log

#8: It is believed this machine was used to attack another. What file proves this?

Within the root folder there is a screenshot from a Windows machine. This screenshot shows a command prompt open as an Administrator under the "Bob" user account.


#9: Within the Documents file path, it is believed that Karen was taunting a fellow computer expert through a bash script. Who was Karen taunting?

Located in the Documents folder we can see several files. The answer is located in the firstscript_fixed file.

Location: /Documents/myfirsthack/firstscript_fixed


#10: A user su'd to root at 11:26 multiple times. Who was it?

"su", which stands for "switch user" is a command used in the Linux command line interface to switch between different users on the operating system.

An example of how to use su:

emma@computer:~$ su anotheruser
password:
anotheruser@computer:~$ pwd
/home/anotheruser

The auth.log file, located in /var/log/auth.log is a system log file in Linux that contains records of authentication-related events on the system, such as login attempts, successful and failed authentication attempts, and user authentication changes.

It is within the auth.log file that we will find the answer. Searching for "su" makes the relevant entries easier to find.
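Rather than eyeballing every "su" line, the same search can be scripted. The following is an added example, not part of the original writeup: it parses constructed auth.log lines in the Debian/Ubuntu syslog format for su ("Successful su for root by karen") and counts, per source user, the su-to-root events in a given minute. The hostname and usernames in the sample are assumptions.

```python
import re
from collections import Counter

# Constructed sample auth.log lines (not taken from the challenge image); the
# layout follows the Debian/Ubuntu syslog format written by su and PAM.
SAMPLE_AUTH_LOG = """\
Mar  3 11:25:40 taausai sshd[1001]: Accepted password for karen from 10.0.0.5 port 50022 ssh2
Mar  3 11:26:02 taausai su[1102]: Successful su for root by karen
Mar  3 11:26:02 taausai su[1102]: + /dev/pts/0 karen:root
Mar  3 11:26:02 taausai su[1102]: pam_unix(su:session): session opened for user root by karen(uid=1000)
Mar  3 11:26:15 taausai su[1110]: FAILED su for root by bob
Mar  3 11:26:40 taausai su[1115]: Successful su for root by karen
Mar  3 11:27:05 taausai su[1120]: Successful su for root by bob
Mar  3 11:26:50 taausai sudo:    karen : TTY=pts/0 ; PWD=/home/karen ; USER=root ; COMMAND=/bin/ls
"""

# Matches only the su result line; the "+ /dev/pts/0" and pam_unix lines for
# the same PID are ignored so each su attempt is counted once.
SU_RE = re.compile(
    r"^(?P<month>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}):\d{2} \S+ su\[\d+\]: "
    r"(?P<status>Successful|FAILED) su for (?P<target>\S+) by (?P<source>\S+)$"
)


def su_events(log_text):
    """Yield (HH:MM, status, source_user, target_user) for every su result line."""
    for line in log_text.splitlines():
        m = SU_RE.match(line)
        if m:
            yield m["time"], m["status"], m["source"], m["target"]


def who_su_to_root_at(log_text, hhmm, successful_only=True):
    """Count, per source user, the su-to-root events whose timestamp falls in minute hhmm."""
    counts = Counter()
    for time, status, source, target in su_events(log_text):
        if time != hhmm or target != "root":
            continue
        if successful_only and status != "Successful":
            continue
        counts[source] += 1
    return counts


if __name__ == "__main__":
    print(who_su_to_root_at(SAMPLE_AUTH_LOG, "11:26"))  # Counter({'karen': 2})
```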


#11: Based on the bash history, what is the current working directory?

To change directories in Linux, the cd command is used, which stands for "change directory". In the bash_history file, we see this command used several times. Locate the last time it was used to find the answer.

Resources / learning material: