Insider Lab – CyberDefenders

Disk Analysis

Scenario

After Karen started working for ‘TAAUSAI,’ she began doing illegal activities inside the company. ‘TAAUSAI’ hired you as a SOC analyst to kick off an investigation on this case.

You acquired a disk image and found that Karen uses Linux OS on her machine. Analyze the disk image of Karen’s computer and answer the provided questions.

Provided Files

FirstHack.ad1.txt content (the acquisition log FTK Imager writes next to the image). Note that FirstHack.ad1 is a custom content image, not a full disk: per the content sources listed below it holds only /boot, /var/log and /root from the ext4 partition of Horcrux.E01, so directories such as /home are not available for analysis.

Created By AccessData® FTK® Imager 4.5.0.3 

Case Information: 
Acquired using: ADI4.5.0.3
Case Number: 
Evidence Number: 
Unique Description: 
Examiner: 
Notes: 

--------------------------------------------------------------

Information for D:\Users\Mawso3a\Desktop\FirstHack.ad1:
[Custom Content Sources]
 Horcrux.E01:Partition 5 [14304MB]:NONAME [ext4]|[root]|boot|*(Wildcard,Consider Case,Include Subdirectories)
 Horcrux.E01:Partition 5 [14304MB]:NONAME [ext4]|[root]|var|log|*(Wildcard,Consider Case,Include Subdirectories)
 Horcrux.E01:Partition 5 [14304MB]:NONAME [ext4]|[root]|root|*(Wildcard,Consider Case,Include Subdirectories)
[Computed Hashes]
 MD5 checksum:    f7c4fab05c3a7473ed59b549eef5a509
 SHA1 checksum:   8875899aa4c6498b410250d48503f64e283528e9

Image information:
 Acquisition started:   Tue May 25 15:33:49 2021
 Acquisition finished:  Tue May 25 15:34:32 2021
 Segment list:
  D:\Users\0xMohammed\Desktop\FirstHack.ad1

Image Verification Results:
 Verification started:  Tue May 25 15:34:33 2021
 Verification finished: Tue May 25 15:34:39 2021
 MD5 checksum:    f7c4fab05c3a7473ed59b549eef5a509 : verified
 SHA1 checksum:   8875899aa4c6498b410250d48503f64e283528e9 : verified

Questions

1. Which Linux distribution is being used on this machine?

I opened the .ad1 file using FTK Imager. Looking inside boot, the kernel and initrd file names show that she was using Kali Linux.

2. What is the MD5 hash of the Apache access.log file?

access.log is in /var/log/apache2. Right-click the file and choose Export File Hash List; FTK Imager writes a CSV containing the MD5 and SHA1 of each selected file, and opening that CSV gives the MD5. One sanity check worth knowing: an empty file always hashes to MD5 d41d8cd98f00b204e9800998ecf8427e, so if that is the value you get, the log has no content at all, which also bears on question 7.
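To verify the tool's output independently, the script below recomputes the MD5/SHA-1 of an exported file, cross-checks it against the hash-list CSV, and flags a zero-byte file. This is an added example, not code from the lab or the writeup; it assumes the CSV has a header row with MD5, SHA1 and FileNames columns (FTK's layout as I know it; rename the columns if yours differs) and that the exported file keeps its original basename. The same file_hashes() also verifies the .ad1 segment against the hashes printed in the acquisition log above.

```python
"""Recompute MD5/SHA-1 of a file exported from the image and cross-check it
against the CSV that FTK Imager's "Export File Hash List" produces.
Added example; the CSV column names (MD5, SHA1, FileNames) are an assumption."""
import csv
import hashlib
import io
import os
import tempfile

EMPTY_MD5 = "d41d8cd98f00b204e9800998ecf8427e"            # MD5 of zero bytes
EMPTY_SHA1 = "da39a3ee5e6b4b0d3255bfef95601890afd80709"   # SHA-1 of zero bytes


def file_hashes(path, chunk=1 << 20):
    """Hash the file in chunks so large evidence files need not fit in RAM."""
    md5, sha1, size = hashlib.md5(), hashlib.sha1(), 0
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha1.update(block)
            size += len(block)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(), "size": size}


def load_hashlist(csv_text):
    """basename -> (md5, sha1) from the hash-list CSV. Header lookup is
    case-insensitive and the path separator may be / or backslash."""
    table = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        cols = {k.strip().lower(): (v or "").strip() for k, v in row.items() if k}
        name = cols.get("filenames") or cols.get("filename") or cols.get("path", "")
        base = name.replace("\\", "/").rsplit("/", 1)[-1]
        table[base] = (cols["md5"].lower(), cols["sha1"].lower())
    return table


def check_export(path, hashlist):
    """Compare recomputed digests with what the tool reported and flag a
    zero-byte file: an empty access.log means Apache never logged a request."""
    h = file_hashes(path)
    expected = hashlist.get(os.path.basename(path))
    return {
        "md5": h["md5"],
        "sha1": h["sha1"],
        "in_hashlist": expected is not None,
        "matches": expected == (h["md5"], h["sha1"]),
        "empty": h["size"] == 0,
    }


def demo():
    """Constructed demonstration: an empty access.log plus the hash-list row
    FTK would produce for it. Returns check_export()'s verdict."""
    workdir = tempfile.mkdtemp()
    log = os.path.join(workdir, "access.log")
    open(log, "wb").close()  # zero-byte log, constructed for the demo
    csv_text = (
        "MD5,SHA1,FileNames\n"
        f"{EMPTY_MD5},{EMPTY_SHA1},FirstHack.ad1/[root]/var/log/apache2/access.log\n"
    )
    return check_export(log, load_hashlist(csv_text))


if __name__ == "__main__":
    print(demo())
```

Run it against the real export with check_export("access.log", load_hashlist(open("hashes.csv").read())); a True "empty" verdict is the quickest way to see why the Apache directory looks empty later in this writeup.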

3. It is suspected that a credential dumping tool was downloaded. What is the name of the downloaded file?

In /root/Downloads we find Mimikatz, a Windows credential-dumping tool; the file name listed there is the answer.

4. A super-secret file was created. What is the absolute path to this file?

In /root there is .bash_history, which records the commands typed in her shell:

msfconsole
systemctl status postgresql
systemctl enable postgresql
systemctl start postgresql
msfconsole
msfdb init
msfconsole
shutdown now
touch snky snky > /root/Desktop/SuperSecretFile.txt
cat snky snky > /root/Desktop/SuperSecretFile.txt 
msfconsole 
clear
history
clear
history
whoami
hack
do hack
do hack please
i am a hacker
how to hack
pwd
ls
ls -la
touch delete-me.txt
rm delete-me.txt 
ls
cd Documents/
mkdir myfirsthack
cd myfirsthack/
touch hellworld.sh
vim hellworld.sh 
chmod +x hellworld.sh 
./hellworld.sh 
touch firstscript
vim firstscript 
chmod +x firstscript 
./firstscript 
vim firstscript 
cp firstscript firstscript_fixed
ls
vim firstscript
vim firstscript_fixed 
./firstscript_fixed 
flag<this is a flag>
ifconfig
cd ..
cd..
cd ..
cd /var/log/
ls
cd ..
cd ~
ls
pwf
pwd
top
wall -h
wall yolo
ls
pwd
cd ..
ls
cd home/
ls
cd /root
ls
cd ../root
cd ../root/Documents/myfirsthack/../../Desktop/
sl
ls
cd ../Documents/myfirsthack/
netstat
echo bob.txt
touch bob.txt 
echo "If you're still reading this file, scream cake."
echo "Seriously, we'll give you a hint to answer question if you scream cake."
sudo visudo
ls
sudo ifng
ifconfi
apt get moo
sudo apt get moo
sudo apt install moo
sudo apt-install moo
sudo apt-get install moo
lol Castro just failed at all these commands. Someone pat him on the back. 
I tried okay
history > history.txt
binwalk didyouthinkwedmakeiteasy.jpg 
clear
history
exit
touch keys.txt
pwd

Both the touch and the cat lines redirect their output with > to the same path, and it is the redirection that creates the file (touch itself only creates the two "snky" files). So the path of the super-secret file is:

/root/Desktop/SuperSecretFile.txt

5. What program used the file didyouthinkwedmakeiteasy.jpg during its execution?

Also in .bash_history we find the line below, so the program is binwalk:

binwalk didyouthinkwedmakeiteasy.jpg 

6. What is the third goal from the checklist Karen created?

In the Desktop folder there is a file called Checklist. Exporting and opening it lists her goals; the third entry is the answer.

7. How many times was Apache run?

The access.log in /var/log/apache2/ is empty, so Apache never logged a request on this machine; the answer is 0.

8. This machine was used to launch an attack on another. Which file contains the evidence for this?

There is a picture called irZLAohL.jpeg that shows the attack on the other machine; that file name is the answer.

9. It is believed that Karen was taunting a fellow computer expert through a bash script within the Documents directory. Who was the expert that Karen was taunting?

Looking inside firstscript_fixed in /root/Documents/myfirsthack (the history shows it was created there with cp firstscript firstscript_fixed):

The expert Karen was taunting is Young.

10. A user executed the su command to gain root access multiple times at 11:26. Who was the user?

Looking in /var/log/auth.log for su entries stamped 11:26 shows which user opened the root sessions:
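The same check can be scripted instead of eyeballed. The block below parses the pam_unix "session opened" lines that each successful su writes to auth.log and counts them per user per minute. This is an added example, not code from the lab or the writeup; the log lines are constructed to mimic what util-linux su and pam_unix write on Debian/Kali, and the host and user names (kali, alice, bob) are made up, not taken from the image.

```python
"""Who used su to become root, and how many times per minute, from auth.log.
Added example; SAMPLE_AUTH_LOG is constructed, not taken from the lab image."""
import re
from collections import Counter

SAMPLE_AUTH_LOG = """\
May 25 11:25:58 kali su: (to root) alice on pts/0
May 25 11:25:58 kali su: pam_unix(su:session): session opened for user root by alice(uid=1000)
May 25 11:26:01 kali su: pam_unix(su:session): session closed for user root
May 25 11:26:09 kali su: (to root) alice on pts/0
May 25 11:26:09 kali su: pam_unix(su:session): session opened for user root by alice(uid=1000)
May 25 11:26:20 kali su: FAILED SU (to root) bob on pts/1
May 25 11:26:31 kali su: (to root) alice on pts/0
May 25 11:26:31 kali su: pam_unix(su:session): session opened for user root by alice(uid=1000)
May 25 11:26:45 kali su: (to root) alice on pts/0
May 25 11:26:45 kali su: pam_unix(su:session): session opened for user root by alice(uid=1000)
May 25 11:27:15 kali sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/id
May 25 11:27:15 kali sudo: pam_unix(sudo:session): session opened for user root by bob(uid=1001)
May 25 11:30:02 kali su: pam_unix(su:session): session opened for user www-data by (uid=0)
"""

# pam_unix logs one "session opened" line per successful su. Newer PAM also
# prints "(uid=N)" after the target name, so that part is optional. The
# "(to root) user on tty" line from su itself is a cross-check, not counted.
SU_OPENED = re.compile(
    r"^(?P<minute>\w{3}\s+\d+ \d\d:\d\d):\d\d \S+ su(?:\[\d+\])?: "
    r"pam_unix\(su(?:-l)?:session\): session opened for user (?P<target>[\w-]+)"
    r"(?:\(uid=\d+\))? by (?P<user>[\w-]*)\(uid=(?P<uid>\d+)\)$"
)


def su_events(log_text, target="root"):
    """(minute, user) for each successful su session to target. When root
    itself switches user ('by (uid=0)') no name is logged; report the uid."""
    events = []
    for line in log_text.splitlines():
        m = SU_OPENED.match(line)
        if m and m.group("target") == target:
            events.append((m.group("minute"), m.group("user") or "uid=" + m.group("uid")))
    return events


def su_counts_by_minute(log_text, target="root"):
    """Counter keyed by (minute, user)."""
    return Counter(su_events(log_text, target))


def users_su_at(log_text, hhmm, min_count=2, target="root"):
    """Users who became target at least min_count times during HH:MM."""
    counts = su_counts_by_minute(log_text, target)
    return sorted(user for (minute, user), n in counts.items()
                  if minute.endswith(" " + hhmm) and n >= min_count)


if __name__ == "__main__":
    for (minute, user), n in sorted(su_counts_by_minute(SAMPLE_AUTH_LOG).items()):
        print(f"{minute}  {user:<10} su to root x{n}")
    print("repeated at 11:26:", users_su_at(SAMPLE_AUTH_LOG, "11:26"))
```

Feed it the exported auth.log with users_su_at(open("auth.log").read(), "11:26"). Note that sudo sessions are deliberately excluded (they log under "sudo:", not "su:"), and that "FAILED SU" lines never produce a pam "session opened" line, so only successful escalations are counted.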

11. Based on the bash history, what is the current working directory?

The last cd in the history is cd ../Documents/myfirsthack/, issued from /root/Desktop (where the previous cd landed), so the current working directory is /root/Documents/myfirsthack.
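Questions 4, 5 and 11 are all answered by reading .bash_history, and doing that by hand is error-prone once relative paths, ~ and typos like cd.. are involved. The script below replays the history: it tracks the working directory through every real cd, resolves touch targets and > redirections to absolute paths, and lists which program was run on a given file. This is an added example, not code from the lab or the writeup; it assumes the history belongs to root (so the shell starts in /root), and HISTORY is an excerpt of the lines quoted above, embedded so the script runs offline.

```python
"""Replay a Linux .bash_history: files created or written, programs run on a
given file, and the working directory set by the recorded cd commands.
Added example; assumes the history is root's (home /root)."""
import posixpath
import shlex

HOME = "/root"  # assumption: the file is /root/.bash_history

HISTORY = """\
msfconsole
touch snky snky > /root/Desktop/SuperSecretFile.txt
cat snky snky > /root/Desktop/SuperSecretFile.txt
touch delete-me.txt
rm delete-me.txt
cd Documents/
mkdir myfirsthack
cd myfirsthack/
touch hellworld.sh
cp firstscript firstscript_fixed
flag<this is a flag>
cd ..
cd..
cd ..
cd /var/log/
cd ..
cd ~
cd ..
cd home/
cd /root
cd ../root
cd ../root/Documents/myfirsthack/../../Desktop/
sl
cd ../Documents/myfirsthack/
touch bob.txt
echo "If you're still reading this file, scream cake."
history > history.txt
binwalk didyouthinkwedmakeiteasy.jpg
exit
touch keys.txt
pwd
"""


def tokenize(line):
    """Split like the shell; fall back to whitespace when quoting is
    unbalanced, which is common in histories full of typos."""
    try:
        return shlex.split(line)
    except ValueError:
        return line.split()


def resolve(path, cwd, home=HOME):
    """Absolute, normalised form of a path argument relative to cwd."""
    if path == "~" or path.startswith("~/"):
        path = home + path[1:]
    if not path.startswith("/"):
        path = posixpath.join(cwd, path)
    return posixpath.normpath(path)


def walk(history, home=HOME):
    """Yield (cwd_before, argv, cwd_after) per command, applying only real
    'cd' commands: 'cd..' is a typo bash rejects, so cwd does not change.
    'exit' is deliberately not treated as a session reset (see note)."""
    cwd = home
    for raw in history.splitlines():
        argv = tokenize(raw)
        if not argv:
            continue
        before = cwd
        if argv[0] == "cd":
            cwd = resolve(argv[1], cwd, home) if len(argv) > 1 else home
        yield before, argv, cwd


def final_cwd(history, home=HOME):
    """Working directory after the last recorded cd."""
    cwd = home
    for _, _, cwd in walk(history, home):
        pass
    return cwd


def written_files(history, home=HOME):
    """Absolute paths created by 'touch' or by a '>' redirection, in order."""
    found = []
    for cwd, argv, _ in walk(history, home):
        targets = []
        if ">" in argv:
            i = argv.index(">")
            targets += argv[i + 1:i + 2]   # redirection target, if any
            argv = argv[:i]
        if argv and argv[0] == "touch":
            targets.extend(argv[1:])
        found.extend(resolve(t, cwd, home) for t in targets)
    return list(dict.fromkeys(found))       # de-duplicate, keep first occurrence


def programs_using(history, filename):
    """Programs invoked with filename among their arguments."""
    return sorted({argv[0] for _, argv, _ in walk(history) if filename in argv[1:]})


if __name__ == "__main__":
    for p in written_files(HISTORY):
        print("created/written:", p)
    print("used the jpg:", programs_using(HISTORY, "didyouthinkwedmakeiteasy.jpg"))
    print("cwd after last cd:", final_cwd(HISTORY))
```

Two caveats on reading the result. The history ends with exit followed by touch keys.txt and pwd, which means those two commands were typed in a later shell that started in /root again; the replay ignores that on purpose because the question asks for the directory set by the last cd. And the replay tracks creation only: rm delete-me.txt is not applied, so a path appearing in written_files() does not prove the file still exists on the image.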