CTF on a Budget - Magnet User Summit 2018 (Part 1)



Last year during the Magnet User Summit, I was able to participate in the excellent CTF from Dave and Matt of G-C Partners. I had so much fun and learned a lot from doing it but I wanted to revisit it before it gets shut down and see if I could answer the questions using only free tools instead of parsing it through AXIOM. The other benefit was to brush up on my knowledge for this year's upcoming challenge.

In this first segment we will take a look at the Miscellaneous category for the CTF.

The first thing I did was use the latest version of KAPE from Eric Zimmerman and fine folks over at Kroll to pull out a bunch of useful files.

Misc

1. Timezone: What is the system's timezone set to?

Using RegistryExplorer, drill down into the SYSTEM registry file and go to:
ControlSet001\Control\TimeZoneInformation\TimeZoneKeyName

Mountain Standard Time is the timezone.

2. File Sequence Number: What is the MFT file sequence number for the Python27\python.exe file? [This is not the MFT entry number]

Parsing the $MFT file with Eric Zimmerman's MFTECmd, and then dropping the output into TimelineExplorer, you can filter on the file name. This shows a sequence number of 1 for python.exe.

3. FileName Lookup: What is the name of the file that has MFT entry of 86280?

Parsing the $MFT file with Eric Zimmerman's MFTECmd, and then dropping the output into TimelineExplorer, you can filter on Entry Number to show the result, $USNJrnl.

4. FileTimestamp: What is the Standard Information Attribute's Access timestamp of the Windows\Prefetch\CMD.EXE-89305D47.pf file? [UTC in YYYY-MM-DD hh:mm:ss format]

With the MFT still loaded into TimelineExplorer you can filter on the file name and look at the LastAccessed field
So putting the date/time into the requested format you get: 2018-04-26 15:48:40.

5. VSN-C: What is the C: volumes' serial number?

You can look at the $Boot file and go to offset hex 0x48-51 (it will be listed in little endian). An easier way to find this is to load the E01 file into FTK Imager, click on the  C: volume and look at the Properties

6. YouTube Search: What term was searched in YouTube on 3/28/2018?

After loading the E01 into Autopsy you can parse for Internet history, sorting on date stamp and looking for YouTube. Parsed from the Firefox history:
img_MaxPowersCDrive.E01/vol_vol2/Users/maxpowers/AppData/Roaming
/Mozilla/Firefox/Profiles/dbwuvf2f.default/places.sqlite

The answer is "simpsons max power".

7. Sleuthkit + PowerShell: Max Powers was playing with ways he could extract files using Sleuthkit and PowerShell. What was the exact command he used in attempting to extract the SRUM database?

PowerShell command history can be found at the following link for user Max Powers:

img_MaxPowersCDrive.E01/vol_vol2/Users/maxpowers/AppData/Roaming
/Microsoft/Windows/PowerShell/PSReadline/ConsoleHost_history.txt

Searching for SRUM in the text document you see only one line pertaining to it:

$inode = ifind -n /Windows/System32/sru/SRUDB.dat \\.\C: ; icat \\.\C: $inode > SRUDB.dat

8. Administrator Logon Count: How many times did Administrator logon to the system?

We first want to pull out the SAM registry file and parse it with RegRipper. We can run the "samparse" plugin to pull out the information we want

You can see that the login count for Administrator was 14.

9. Install Q: What day was the Go programming language installed on? [Answer format: YYYY-MM-DD

Loading the SOFTWARE registry file into RegistryExplorer, a quick search for "Go programming" lists the install entry for the program. The key value InstallDate shows the date the program was installed.
Autopsy also automatically parses it out nicely too

The answer is 2018-04-11.

10. Who Installed Atom?: Which user installed Atom? [Answer is the complete SID not the username]

When doing a keyword search for Atom, we see hits for the executable downloaded by Max Powers profile. We also see that Atom.exe is loaded into the AppCompatCache found in the NTUSER.DAT file for Max Powers. You can get the SID's for each user parsed from the SOFTWARE registry file.


The answer is "S-1-5-21-2801897208-1878083585-4182000528-1002".

11. Deletion in LogFile: The $LogFile shows at LogFile Sequence Number [LSN] 4433927454 a file is deleted. What is the name of the file that was deleted?

For this, we exported the $LogFile from the root of C: and parsed it using LogFileParser. When looking at the CSV in TimelineExplorer, you can search for the LSN.


As you can see from the screenshot, the LSN previous listed for that entry has a file name of "7z.dll".

And that is all for Part 1, the Miscellaneous category. Look for more write-ups and answers later this week.