Insider writeup using volatility3 - cyberdefenders
Instructions:
• Uncompress the lab (pass: cyberdefenders.org)
• Load the AD1 image in the latest Windows version of FTK Imager.
Scenario: After Karen started working for 'TAAUSAI', she began to carry out illegal activities inside the company. 'TAAUSAI' hired you as a SOC analyst to kick off an investigation into this case.
You acquired a disk image and found that Karen uses a Linux OS on her machine. Analyze the disk image of Karen's computer and answer the provided questions.
Tools: FTK Imager
Question 1/11 What distribution of Linux is being used on this machine?
After expanding the file-system tree in FTK Imager, several files in the root of the volume reveal the Linux distribution; on a Debian-derived system /etc/os-release and /etc/issue name it, and here the distribution ID is kali.
Answer - kali
Question 2/11 What is the MD5 hash of the apache access.log?
On Debian-based systems such as Kali the Apache access log is stored at /var/log/apache2/access.log (not /var/apache). Select the access.log file, then View >> Properties to see its metadata, including the MD5 hash. Note that d41d8cd98f00b204e9800998ecf8427e is the well-known MD5 of zero bytes: the log is empty, which already hints at the answer to Question 7.
Answer - d41d8cd98f00b204e9800998ecf8427e
Question 3/11 It is believed that a credential dumping tool was downloaded? What is the file name of the download?
Downloaded files are normally kept in the Downloads directory of the user's home. On this image the account in use is root, so the file is under /root/Downloads.
Answer - mimikatz_trunk.zip
Question 4/11 There was a super-secret file created. What is the absolute path?
A file was created, which means a command was executed, so the next stop is the shell history. Bash keeps it in the hidden file .bash_history in the user's home directory, here /root/.bash_history. Bash writes that file when the shell exits, so commands from a session that was still open or was killed may be missing.
Answer - /root/Desktop/SuperSecretFile.txt
Question 5/11 What program used didyouthinkwedmakeiteasy.jpg during execution?
The same history file shows the command line in which the .jpg was passed to a program.
Answer - binwalk
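binwalk finds a file hidden inside the image by scanning for known magic bytes rather than by trusting the .jpg extension. The following added example (not part of the original writeup or the lab) reproduces that idea for a handful of signatures and also carves whatever follows the first JPEG end-of-image marker; the sample bytes are constructed here, not taken from the lab image.

```python
import re
from typing import List, Tuple

# A small, constructed subset of the magic values binwalk reports.
SIGNATURES = {
    b"\xff\xd8\xff": "JPEG image data (SOI)",
    b"PK\x03\x04": "Zip archive data",
    b"\x1f\x8b\x08": "gzip compressed data",
    b"\x89PNG\r\n\x1a\n": "PNG image",
    b"%PDF-": "PDF document",
}
JPEG_EOI = b"\xff\xd9"  # end-of-image marker; anything after it is not part of the picture


def scan_signatures(data: bytes) -> List[Tuple[int, str]]:
    """Return (offset, description) for every known magic value found, sorted by offset."""
    hits = []
    for magic, desc in SIGNATURES.items():
        start = 0
        while (idx := data.find(magic, start)) != -1:
            hits.append((idx, desc))
            start = idx + 1
    return sorted(hits)


def trailing_payload(data: bytes) -> bytes:
    """Bytes appended after the first JPEG end-of-image marker; b'' if nothing follows."""
    end = data.find(JPEG_EOI)
    if end == -1:
        return b""
    return data[end + len(JPEG_EOI):]


# Constructed sample: a JPEG-like header and EOI, followed by a zip local-file header.
SAMPLE_JPEG = (
    b"\xff\xd8\xff\xe0" + b"\x00\x10JFIF\x00" + b"\x00" * 16 + JPEG_EOI
    + b"PK\x03\x04" + b"\x14\x00" + b"\x00" * 20 + b"flag.txt"
)

if __name__ == "__main__":
    for offset, desc in scan_signatures(SAMPLE_JPEG):
        print(f"{offset:>8}  0x{offset:X}  {desc}")
    print(f"{len(trailing_payload(SAMPLE_JPEG))} bytes appended after the JPEG EOI")
```

A real JPEG can contain an embedded thumbnail with its own FF D9 marker, so taking the first EOI is a simplification; binwalk parses the container properly and also scans for far more signatures.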
Question 6/11 What is the third goal from the checklist Karen created?
Browsing the root user's Desktop directory turns up a checklist file; its third item is the answer.
Answer - profit
Question 7/11 How many times was apache run?
Every log file in /var/log/apache2 is empty (0 bytes), which indicates the server was never started. Apache writes a startup notice to error.log each time it starts, so an empty error.log means no start was recorded, and the empty access.log from Question 2 is consistent with that.
Answer - 0
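Questions 2 and 7 rest on the same observation, so one added example (my code, not the writeup's) serves both: hash a file the way FTK Imager reports it, recognise the empty-file MD5, and count Apache starts from the "resuming normal operations" notice that apache2 writes to error.log on every start or graceful restart. The sample error.log lines are constructed for illustration and are not from the lab image.

```python
import hashlib
import re
from typing import Iterable

# MD5 of zero bytes. Seeing it for a log means the file is empty, not that the hash is "unusual".
EMPTY_MD5 = "d41d8cd98f00b204e9800998ecf8427e"


def md5_hex(data: bytes) -> str:
    """Hex MD5 of a byte string (used here as a file identifier, not as a security control)."""
    return hashlib.md5(data).hexdigest()


def md5_file(path: str, chunk: int = 1 << 20) -> str:
    """Hash an exported file in chunks so large logs need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def is_empty_hash(digest: str) -> bool:
    """True if the digest is the MD5 of an empty input."""
    return digest.lower() == EMPTY_MD5


# apache2 logs this notice once for each start or graceful restart of the main process.
_START_RE = re.compile(r"configured -- resuming normal operations")


def count_apache_starts(error_log_lines: Iterable[str]) -> int:
    """Count server starts recorded in an apache2 error.log; an empty log gives 0."""
    return sum(1 for line in error_log_lines if _START_RE.search(line))


# Constructed sample error.log for a server started twice (not from the lab).
SAMPLE_ERROR_LOG = [
    "[Tue Mar 03 10:01:12.123456 2020] [mpm_prefork:notice] [pid 1234] AH00163: "
    "Apache/2.4.41 (Debian) configured -- resuming normal operations",
    "[Tue Mar 03 10:01:12.123457 2020] [core:notice] [pid 1234] AH00094: Command line: '/usr/sbin/apache2'",
    "[Tue Mar 03 10:30:00.000000 2020] [mpm_prefork:notice] [pid 1234] AH00169: caught SIGTERM, shutting down",
    "[Tue Mar 03 11:00:00.000000 2020] [mpm_prefork:notice] [pid 2345] AH00163: "
    "Apache/2.4.41 (Debian) configured -- resuming normal operations",
]

if __name__ == "__main__":
    digest = md5_hex(b"")
    print(digest, "empty file" if is_empty_hash(digest) else "non-empty file")
    print("starts in empty log:", count_apache_starts([]))
    print("starts in sample log:", count_apache_starts(SAMPLE_ERROR_LOG))
```

Run md5_file() against the access.log exported from FTK Imager to confirm the hash shown in the Properties pane; a match with EMPTY_MD5 is the zero-byte case behind both answers.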
Question 8/11 It is believed this machine was used to attack another. What file proves this?
There is an unusual image in the home directory of root, which contains a screenshot of an infected computer.
Answer - irZLAohL.jpeg
Question 9/11 Within the Documents file path, it is believed that Karen was taunting a fellow computer expert through a bash script. Who was Karen taunting?
The question points to a script in the Documents directory; reading it shows who it taunts.
Answer - Young
Question 10/11 A user su'd to root at 11:26 multiple times. Who was it?
On Debian-based systems su activity is logged to /var/log/auth.log. Filtering the entries by the timestamp given in the question identifies the user who switched to root.
Answer - postgres
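The filter described above, as an added example that is not part of the original writeup: it parses the "su: (to root) USER on TTY" records that util-linux su writes to auth.log on success (failed attempts are logged as "FAILED SU" and do not match), and tallies the originating users for a given minute. The sample log lines are constructed; the www-data entries are invented for contrast and are not from the lab image.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Successful su records: "Mon DD HH:MM:SS host su[pid]: (to root) user on pts/N".
# The PAM line "session opened for user root by user(...)" follows each one, so it is
# deliberately not matched, to avoid counting every su twice.
_SU_TO_ROOT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d):\d\d \S+ su(?:\[\d+\])?: \(to root\) (?P<user>\S+) on "
)


def su_to_root_events(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (HH:MM, user) for each successful su-to-root in the lines."""
    events = []
    for line in lines:
        m = _SU_TO_ROOT.match(line)
        if m:
            events.append((m.group("ts")[-5:], m.group("user")))
    return events


def users_su_at(lines: Iterable[str], hhmm: str) -> Dict[str, int]:
    """Per-user count of su-to-root records whose timestamp minute equals hhmm."""
    counts: Dict[str, int] = {}
    for ts, user in su_to_root_events(lines):
        if ts == hhmm:
            counts[user] = counts.get(user, 0) + 1
    return counts


# Constructed auth.log excerpt (not from the lab image).
SAMPLE_AUTH_LOG = [
    "Mar  3 11:26:02 kali su: (to root) postgres on pts/1",
    "Mar  3 11:26:02 kali su: pam_unix(su:session): session opened for user root by postgres(uid=108)",
    "Mar  3 11:26:40 kali su: (to root) postgres on pts/1",
    "Mar  3 11:26:40 kali su: pam_unix(su:session): session opened for user root by postgres(uid=108)",
    "Mar  3 11:27:05 kali su: FAILED SU (to root) www-data on pts/2",
    "Mar  3 11:30:11 kali su[2211]: (to root) www-data on pts/2",
]

if __name__ == "__main__":
    print(users_su_at(SAMPLE_AUTH_LOG, "11:26"))
```

Older shadow-utils builds of su log "Successful su for root by USER" instead, so check which format the image's auth.log actually uses before trusting a zero count.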
Question 11/11 Based on the bash history, what is the current working directory?
In the bash history file, follow the cd commands in order from the beginning, resolving each relative path against the directory reached so far; the current working directory is wherever the last cd left it.
Answer - /root/Documents/myfirsthack/
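Replaying the cd commands by hand is error-prone once relative paths, "cd ..", "cd -" and chained commands appear, so here is an added example (my code, not from the writeup) that does it mechanically. It assumes the root user's home is /root and handles only cd (not pushd/popd or quoted paths); the sample history is constructed and is not the lab's .bash_history.

```python
import posixpath
import re
from typing import Iterable, Optional

# Split a history line on the shell operators that chain commands.
_SPLIT = re.compile(r"\s*(?:&&|\|\||;|\|)\s*")


def replay_cwd(history: Iterable[str], home: str = "/root", start: Optional[str] = None) -> str:
    """Replay the cd commands in a bash history and return the final working directory.

    Only cd is simulated: no pushd/popd, no quoted paths, no symlink resolution.
    posixpath.normpath collapses '.' and '..' the way bash's default logical cd does
    and drops any trailing slash.
    """
    cwd = start or home
    prev = cwd  # what 'cd -' would return to (bash's OLDPWD)
    for line in history:
        for seg in _SPLIT.split(line.strip()):
            parts = seg.split()
            if not parts or parts[0] != "cd":
                continue
            target = parts[1] if len(parts) > 1 else "~"
            if target == "-":
                cwd, prev = prev, cwd
                continue
            if target == "~" or target.startswith("~/"):
                target = home + target[1:]
            new = target if target.startswith("/") else posixpath.join(cwd, target)
            prev, cwd = cwd, posixpath.normpath(new)
    return cwd


# Constructed history (not the lab's .bash_history).
SAMPLE_HISTORY = [
    "cd /root/Downloads",
    "unzip mimikatz_trunk.zip",
    "cd ../Documents && mkdir myfirsthack",
    "cd myfirsthack",
    "ls -la",
]

if __name__ == "__main__":
    print(replay_cwd(SAMPLE_HISTORY))
```

The result carries no trailing slash, so compare it to the lab answer with that in mind. Because bash appends the whole session's history on exit, a history file written by two interleaved sessions can order commands differently from how they were typed; if the result looks wrong, check the last few lines by hand.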