We are continuing our write-up. The second part will walk you through the solution of the second set of CTF problems – Misc.
Again, a very easy task, but it’s only the beginning. You can find the flag in the Timezone Information section of AXIOM, or by manually analysing the TimeZoneInformation registry key:
As you can see, the flag is Mountain.
VSN – C
Another easy task – finding the volume serial number. There are lots of tools capable of providing you with this info, but we will use AXIOM again – the flag is 6C19-1B65:
Not difficult at all either. It’s time to analyze browsing history. A good idea is to filter the data to 3/28/2018, the date we need. Once it’s filtered, you can search for “youtube”. Bingo! We got the flag – simpsons max power:
Sleuthkit + PowerShell
The system we are analyzing has great logging capabilities, so you can find PowerShell transcripts in the Documents folder. But that’s not all. If you search for “SRUDB.dat”, you’ll quickly find ConsoleHost_history.txt, where you can find the flag – $inode = ifind -n /Windows/System32/sru/SRUDB.dat \\.\C: ; icat \\.\C: $inode > SRUDB.dat:
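The command in the flag is the Sleuth Kit pair ifind (file name to MFT metadata address) and icat (metadata address to file contents), run against the raw volume device \\.\C: so that a file locked by the OS can still be copied out. When reviewing a PSReadLine history file during triage it helps to pull out exactly those lines: which raw device was opened, which path was looked up and where the bytes were written. The Python below is an added example and not part of the write-up; the history text is constructed for the example (the ifind/icat line is the one quoted above, the others are made up, including the icat call by address).

```python
import re
from typing import Dict, List, Optional

# Constructed sample in the shape of a PSReadLine ConsoleHost_history.txt
# (one command per line). Only the ifind/icat line comes from the write-up.
SAMPLE_HISTORY = r"""Get-ChildItem C:\Users\maxpowers\Documents
$inode = ifind -n /Windows/System32/sru/SRUDB.dat \\.\C: ; icat \\.\C: $inode > SRUDB.dat
Get-Date
icat \\.\C: 0-128-1 > MFT_copy.bin
"""

# A raw volume device path such as \\.\C:
RAW_DEVICE = re.compile(r"\\\\\.\\[A-Za-z]:")
# ifind -n <path> <device>: capture the path that was resolved to an inode
IFIND = re.compile(r"ifind\s+-n\s+(\S+)\s+(\\\\\.\\[A-Za-z]:)")
# The last shell redirection on the line is where the extracted bytes went
REDIRECT = re.compile(r">\s*(\S+)")


def raw_volume_commands(history_text: str) -> List[Dict[str, Optional[object]]]:
    """Return every history line that touches a raw volume device, with the
    source path (from ifind -n) and the output file (from >) when present."""
    hits: List[Dict[str, Optional[object]]] = []
    for lineno, line in enumerate(history_text.splitlines(), start=1):
        device = RAW_DEVICE.search(line)
        if not device:
            continue
        entry: Dict[str, Optional[object]] = {
            "line": lineno,
            "device": device.group(0),
            "command": line.strip(),
            "source_path": None,
            "output_file": None,
        }
        m = IFIND.search(line)
        if m:
            entry["source_path"] = m.group(1)
        redirects = REDIRECT.findall(line)
        if redirects:
            entry["output_file"] = redirects[-1]
        hits.append(entry)
    return hits


if __name__ == "__main__":
    for hit in raw_volume_commands(SAMPLE_HISTORY):
        print(f"line {hit['line']}: {hit['device']} "
              f"source={hit['source_path']} out={hit['output_file']}")
```

To run it over a real history file, read the file's text and pass it to raw_volume_commands(); the function only reports lines and never executes anything from them.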
Administrator Logon Count
Extremely easy with AXIOM – look at the User Accounts section. The flag is 14:
It’s time to look at the Installed Programs list; this flag is very easy to find – 2018-04-11:
File Sequence Number
This was the time to test a new tool by Eric Zimmerman – MFTECmd. First you should export the $MFT file and parse it with the tool. Next, search for “python.exe”. The flag is 1:
You can use the same CSV and search for “86280”. The flag is $UsnJrnl:
Again, the same CSV. Search for “CMD.EXE-89305D47.pf” and look at the LastAccess0x10 column. So the flag is 2018-04-26 15:48:40:
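The three MFTECmd questions above are the same lookup from three directions: name to sequence number, entry number to name, and name to a $STANDARD_INFORMATION timestamp. Rather than searching the CSV by hand each time, the Python below loads an MFTECmd export and answers all three. It is an added example, not code from the write-up or from MFTECmd; the column names follow MFTECmd's CSV output, and the sample rows are constructed for this example, carrying the three answers reported above and placeholder entry numbers, paths and sizes everywhere else.

```python
import csv
import io
from typing import Dict, List, Optional

Row = Dict[str, str]

# Constructed sample in the shape of MFTECmd's CSV export (a subset of its
# columns). The rows are made up; only the three answers match the write-up.
SAMPLE_MFT_CSV = """EntryNumber,SequenceNumber,InUse,ParentEntryNumber,ParentPath,FileName,Extension,FileSize,IsDirectory,Created0x10,LastModified0x10,LastAccess0x10
5,5,True,5,.,.,,0,True,2018-03-01 10:00:00.0000000,2018-03-01 10:00:00.0000000,2018-03-01 10:00:00.0000000
86280,1,True,5,.\\$Extend,$UsnJrnl,,0,False,2018-03-01 10:00:01.0000000,2018-04-26 16:00:00.0000000,2018-04-26 16:00:00.0000000
100001,1,True,100000,.\\Python27,python.exe,.exe,26624,False,2018-04-11 09:00:00.0000000,2018-04-11 09:00:00.0000000,2018-04-11 09:00:00.0000000
100002,7,True,100000,.\\Windows\\Prefetch,CMD.EXE-89305D47.pf,.pf,18144,False,2018-03-28 12:00:00.0000000,2018-04-26 15:48:40.0000000,2018-04-26 15:48:40.0000000
"""


def load_mft_rows(csv_text: str) -> List[Row]:
    """Parse MFTECmd CSV text into one dict per MFT record."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def find_by_name(rows: List[Row], file_name: str) -> List[Row]:
    """All records whose FileName matches; NTFS names are case-insensitive.
    A name can occur in several folders, so the caller should check
    ParentPath on the hits before trusting the first one."""
    wanted = file_name.lower()
    return [r for r in rows if r["FileName"].lower() == wanted]


def sequence_number(rows: List[Row], file_name: str) -> Optional[int]:
    """Sequence number of the first record named file_name, None if absent."""
    hits = find_by_name(rows, file_name)
    return int(hits[0]["SequenceNumber"]) if hits else None


def name_for_entry(rows: List[Row], entry_number: int) -> Optional[str]:
    """FileName of the record with the given MFT entry number."""
    for r in rows:
        if int(r["EntryNumber"]) == entry_number:
            return r["FileName"]
    return None


def last_access(rows: List[Row], file_name: str) -> Optional[str]:
    """$STANDARD_INFORMATION (0x10) last-access time, trimmed to whole seconds:
    MFTECmd writes seven fractional digits, the CTF wants YYYY-MM-DD HH:MM:SS."""
    hits = find_by_name(rows, file_name)
    if not hits:
        return None
    return hits[0]["LastAccess0x10"].split(".")[0]


def answer_mft_questions(rows: List[Row]) -> Dict[str, Optional[object]]:
    """The three lookups from the write-up, keyed by question."""
    return {
        "python.exe sequence number": sequence_number(rows, "python.exe"),
        "name of entry 86280": name_for_entry(rows, 86280),
        "CMD.EXE-89305D47.pf last access": last_access(rows, "CMD.EXE-89305D47.pf"),
    }


if __name__ == "__main__":
    for question, answer in answer_mft_questions(load_mft_rows(SAMPLE_MFT_CSV)).items():
        print(f"{question}: {answer}")
```

For a real export, read the CSV with open(path, newline="", encoding="utf-8-sig") so a byte-order mark, if the tool wrote one, does not end up glued to the EntryNumber header, and pass the text to load_mft_rows().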
Who Installed Atom?
Let’s look at the Installed Programs list again:
So now we know it was maxpowers who installed it. Let’s get the SID. Look at User Accounts:
As you can see, the flag is S-1-5-21-2801897208-1878083585-4182000528-1002.
Deletion in LogFile
AXIOM is capable of parsing $LogFile contents, so you can find the flag in the $LogFile Analysis section:
As you can see, the deleted file’s name is 7z.dll, and this is the flag.
That’s all for today!