HireMe CyberDefenders

Karen is a security professional looking for a new job. A company called "TAAUSAI" offered her a position and asked her to complete a couple of tasks to prove her technical competency.

Analyze the provided disk image and answer the questions based on your understanding of the cases she was assigned to investigate.

Link : https://cyberdefenders.org/blueteam-ctf-challenges/62

1. What is the administrator's username?

The fastest way is to list the Users directory of the Second Partition

you can also check Registry hives which are located under "\Windows\System32\config"

and Check the "SAM\Domains\Account\Users"

Ans : Karen

2. What is the OS's build number?

Registry hives are located under "\Windows\System32\config"

Export Software hive

Then Check "Microsoft\Windows NT\CurrentVersion" .

click export files

Then import it at registry editor

Check "Microsoft\Windows NT\CurrentVersion"

Ans : 16299

3. What is the hostname of the computer?

we have to export the System registry from FTK Imager & upload it in the Registry editor just like the Software registry

then Check "ControlSet001\Control\ComputerName\ComputerName"

Ans : TOTALLYNOTAHACK

4. A messaging application was used to communicate with a fellow Alpaca enthusiest. What is the name of the software?

in FTK Imager we find out that the messaging application

another way to find it we can Analyze SOFTWARE registry by loading it in registory editor .

لإhen Check keys listed under the "Microsoft\Windows\CurrentVersion\App Paths" which stores informations about all the installed applications.

Ans : skype

5. What is the zip code of the administrator's post?

To get this informations we have to check the file which stores Browser data and history .

The location of this file is “[root]\Users\Karen\AppData\Local\Google\Chrome\User Data\Default\Web Data”.

Ans : 19709

6. What are the initials of the person who contacted the admin user from TAAUSAI?

To get it we can Check outlook artifacts.

in "[root]\Users\Karen\AppData\Local\Microsoft\Outlook\klovespizza@outlook.com.ost"

Export & and open it in Ost veiwer

Micheal Scotch

Ans : MS

7. How much money was TAAUSAI willing to pay upfront?

check more mails

Ans : 150000

8. What country is the admin user meeting the hacker group in?

After check more mails

I found that

The location is “27°22'50.10″N, 33°37'54.62″E ”

I searched for it

Ans : Egypt

9. What is the machine's timezone? (Use the three-letter abbreviation)

We can check System hive again in registry editor

which store in store in the "ControlSet001\Control\TimeZoneInfor

Ans : UTC

10. When was AlpacaCare.docx last accessed?

go to the docx file in FTK Imager then From File access properties

Check the accessed date

Ans : 03/17/2019 09:52 PM

11. There was a second partition on the drive. What is the letter assigned to it?

we find out that the second partition of the drive is store in the “SYSTEM\MountedDevices” registry.

Ans : A

12. What is the answer to the question Company's manager asked Karen?

we can back to mails list

by investigate the mails i found it

Ans : TheCardCriesNoMore

13. What is the job position offered to Karen? (3 words, 2 spaces in between)

check the next mail

Ans : cyber security analyst

14. When was the admin user password last changed?

That's stored in the SAM registry

so we have to analyze the “SAM” registry. that

by saved it ,

and export the SAM registry file in regripper

Ans : 03/21/2019 19:13:09

15. What version of Chrome is installed on the machine?

here we use Software hive

infoormations about last google chrome version is stored in "SOFTWARE\WOW6432Node\Microsoft\Windows \CurrentVersion\Uninstall\Google Chrome".

Ans : 72.0.3626.121

16 : What is the HostUrl of Skype?

location which store download URL is “History”. So, we extract History from the FTK imager

Location of History is: "[root]\Users\Karen\AppData\Local\Google\Chrome\User Data\Default\History"

Then open it using SQLite3.

Ans : https://download.skype.com/s4l/download/win/Skype-8.41.0.54.exe

17. What is the domain name of the website Karen browsed on Alpaca care that the file AlpacaCare.docx is based on?

we can export the AlpacaCare.docx file then analyze it.

Then We can view the file with Libreoffice

The hyperlink used in website is "palominoalapacafarm.com".

Ans: palominoalpacafarm.com

Thaaaaaannnnnkkkk UUUUUUU for reading 🥰

PreviousHacked Cyberdefenders NextSysinternals cyberdefenders

Last updated 1 year ago

hashtag 1. What is the administrator's username?

hashtag2. What is the OS's build number?

hashtag3. What is the hostname of the computer?

hashtag4. A messaging application was used to communicate with a fellow Alpaca enthusiest. What is the name of the software?

hashtag5. What is the zip code of the administrator's post?

hashtag6. What are the initials of the person who contacted the admin user from TAAUSAI?

hashtag7. How much money was TAAUSAI willing to pay upfront?

hashtag8. What country is the admin user meeting the hacker group in?

hashtag9. What is the machine's timezone? (Use the three-letter abbreviation)

hashtag10. When was AlpacaCare.docx last accessed?

hashtag11. There was a second partition on the drive. What is the letter assigned to it?

hashtag12. What is the answer to the question Company's manager asked Karen?

hashtag13. What is the job position offered to Karen? (3 words, 2 spaces in between)

hashtag14. When was the admin user password last changed?

hashtag15. What version of Chrome is installed on the machine?

hashtag 16 : What is the HostUrl of Skype?

hashtag17. What is the domain name of the website Karen browsed on Alpaca care that the file AlpacaCare.docx is based on?