HireMe CyberDefenders
Karen is a security professional looking for a new job. A company called "TAAUSAI" offered her a position and asked her to complete a couple of tasks to prove her technical competency.
Analyze the provided disk image and answer the questions based on your understanding of the cases she was assigned to investigate.

Link : https://cyberdefenders.org/blueteam-ctf-challenges/62
1. What is the administrator's username?
The fastest way is to list the Users directory on the second partition.

You can also check the registry hives, which are located under "\Windows\System32\config",
and look at "SAM\Domains\Account\Users".
Ans : Karen
2. What is the OS's build number?
Registry hives are located under "\Windows\System32\config".
Export the SOFTWARE hive: select it in FTK Imager and click "Export Files".

Then import it into the registry editor

and check "Microsoft\Windows NT\CurrentVersion".

Ans : 16299
3. What is the hostname of the computer?
We have to export the SYSTEM hive from FTK Imager and load it in the registry editor, just like the SOFTWARE hive.


Then check "ControlSet001\Control\ComputerName\ComputerName".

Ans : TOTALLYNOTAHACK
4. A messaging application was used to communicate with a fellow Alpaca enthusiast. What is the name of the software?
Browsing the image in FTK Imager shows the messaging application that was installed.

Another way to find it is to analyze the SOFTWARE hive by loading it in the registry editor,
then check the keys listed under "Microsoft\Windows\CurrentVersion\App Paths", which stores information about all the installed applications.

Ans : skype
5. What is the zip code of the administrator's post?
To get this information we have to check the file that stores Chrome's browser data and history.
The location of this file is "[root]\Users\Karen\AppData\Local\Google\Chrome\User Data\Default\Web Data".

Ans : 19709
6. What are the initials of the person who contacted the admin user from TAAUSAI?
To get it we can check the Outlook artifacts
in "[root]\Users\Karen\AppData\Local\Microsoft\Outlook\klovespizza@outlook.com.ost".

Export it and open it in an OST viewer.

Micheal Scotch
Ans : MS
7. How much money was TAAUSAI willing to pay upfront?
Check more mails.

Ans : 150000
8. What country is the admin user meeting the hacker group in?
After checking more mails,
I found that

the location is "27°22'50.10″N, 33°37'54.62″E".
I searched for it.

Ans : Egypt
9. What is the machine's timezone? (Use the three-letter abbreviation)
We can check the SYSTEM hive again in the registry editor;
the time zone is stored under "ControlSet001\Control\TimeZoneInfor".

Ans : UTC
10. When was AlpacaCare.docx last accessed?
Go to the docx file in FTK Imager, then open the file's properties
and check the accessed date.

Ans : 03/17/2019 09:52 PM
11. There was a second partition on the drive. What is the letter assigned to it?
The drive letter of the second partition is stored in the "SYSTEM\MountedDevices" registry key.

Ans : A
12. What is the answer to the question Company's manager asked Karen?
We can go back to the mail list,

and by investigating the mails I found it.
Ans : TheCardCriesNoMore
13. What is the job position offered to Karen? (3 words, 2 spaces in between)
Check the next mail.

Ans : cyber security analyst
14. When was the admin user password last changed?
That's stored in the SAM hive,
so we have to analyze the SAM registry file:
save it by exporting it from FTK Imager,

then parse the exported SAM file with RegRipper.


Ans : 03/21/2019 19:13:09
15. What version of Chrome is installed on the machine?
Here we use the SOFTWARE hive.
Information about the installed Google Chrome version is stored in "SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome".

Ans : 72.0.3626.121
16. What is the HostUrl of Skype?
The download URL is stored in Chrome's "History" database, so we extract History from FTK Imager.
The location of History is "[root]\Users\Karen\AppData\Local\Google\Chrome\User Data\Default\History".

Then open it using SQLite3.

Ans : https://download.skype.com/s4l/download/win/Skype-8.41.0.54.exe
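As an added example (not part of the original writeup), this Python script does the step above programmatically: it joins Chrome's `downloads` table with `downloads_url_chains` so the final URL of each download is recovered even when the request was redirected, and converts Chrome's WebKit timestamps to UTC. The in-memory database is a constructed stand-in with only the columns the query needs; the redirect hop and the second download are invented sample rows.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome's History file stores times as microseconds since 1601-01-01 UTC.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_utc(us: int) -> datetime:
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def utc_to_webkit(dt: datetime) -> int:
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)


def list_downloads(conn: sqlite3.Connection) -> list:
    """Join each download with its redirect chain; the last chain entry is the final URL."""
    rows = conn.execute(
        "SELECT d.id, d.target_path, d.start_time, d.tab_url, c.url "
        "FROM downloads d JOIN downloads_url_chains c ON c.id = d.id "
        "ORDER BY d.id, c.chain_index"
    ).fetchall()
    found = {}
    for did, target, start, tab_url, url in rows:
        entry = found.setdefault(did, {"target_path": target, "tab_url": tab_url,
                                       "start_time": webkit_to_utc(start), "chain": []})
        entry["chain"].append(url)
    return list(found.values())


def find_download_url(conn: sqlite3.Connection, name_fragment: str):
    """Final URL of the first download whose target path contains name_fragment, else None."""
    for entry in list_downloads(conn):
        if name_fragment.lower() in entry["target_path"].lower():
            return entry["chain"][-1]
    return None


def build_sample_history() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the real History file (subset of Chrome's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE downloads(id INTEGER PRIMARY KEY, target_path TEXT, start_time INTEGER, tab_url TEXT);"
        "CREATE TABLE downloads_url_chains(id INTEGER, chain_index INTEGER, url TEXT);")
    t = utc_to_webkit(datetime(2019, 3, 17, 21, 0, tzinfo=timezone.utc))  # constructed time
    conn.executemany("INSERT INTO downloads VALUES (?,?,?,?)", [
        (1, r"C:\Users\Karen\Downloads\Skype-8.41.0.54.exe", t, "https://www.skype.com/"),
        (2, r"C:\Users\Karen\Downloads\notes.pdf", t + 60_000_000, "https://example.invalid/")])
    conn.executemany("INSERT INTO downloads_url_chains VALUES (?,?,?)", [
        (1, 0, "https://www.skype.com/go/download"),  # constructed redirect hop, not a real URL
        (1, 1, "https://download.skype.com/s4l/download/win/Skype-8.41.0.54.exe"),
        (2, 0, "https://example.invalid/notes.pdf")])
    conn.commit()
    return conn
```

Against the exported file, open it read-only so the evidence is not modified: `sqlite3.connect("file:History?mode=ro", uri=True)`.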
17. What is the domain name of the website Karen browsed on Alpaca care that the file AlpacaCare.docx is based on?
We can export the AlpacaCare.docx file and then analyze it.

Then we can view the file with LibreOffice.

The hyperlink in the document points to "palominoalpacafarm.com".
Ans: palominoalpacafarm.com
Thaaaaaannnnnkkkk UUUUUUU for reading 🥰