HireMe Blue Team Lab
====================
Category: Endpoint Forensics
https://cyberdefenders.org/blueteam-ctf-challenges/hireme/#nav-questions
> Tools:
- [FTK Imager](https://accessdata.com/product-download/ftk-imager-version-4-5)
- [Autopsy](https://www.autopsy.com/download/)
- [RegistryExplorer](https://f001.backblazeb2.com/file/EricZimmermanTools/RegistryExplorer_RECmd.zip)
- [LEcmd](https://f001.backblazeb2.com/file/EricZimmermanTools/LECmd.zip)
- [Regripper](https://github.com/keydet89/RegRipper3.0)
- [OST Viewer](https://www.sysinfotools.com/recovery/ost-file-viewer.php)
- (...)
First I dump the files with FTK Imager, then load a few important hives into Registry Explorer:
- SAM

- SECURITY

- SOFTWARE

- SYSTEM

`/root/Windows/System32/config`

# Q1: What is the administrator's username?
- SAM > Domains > Account > Users :

- Or under root/Users:

=> Karen
Alternatively, Windows usernames can also be found under `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList`
# Q2: What is the OS's build number?
- SOFTWARE > Microsoft > Windows NT > CurrentVersion

=> 16299
# Q3: What is the hostname of the computer?
- SYSTEM > ControlSet001 > Control > ComputerName

=> TOTALLYNOTAHACK
# Q4: A messaging application was used to communicate with a fellow Alpaca enthusiast. What is the name of the software?
Look for the messaging app:
- Software > Microsoft > Windows > CurrentVersion > App Paths

=> Skype
# Q5 - What is the zip code of the administrator's post?
In FTK Imager: root > Users > Karen > AppData > Local > Google > Chrome > User Data > Default > Web Data

=> 19709
# Q6 - What are the initials of the person who contacted the admin user from TAAUSAI?


=> MS
# Q7 - How much money was TAAUSAI willing to pay upfront


=> 150000
# Q8 - What country is the admin user meeting the hacker group in?
`27°22'50.10"N, 33°37'54.62"E`
=> Egypt
# Q9 - What is the machine’s timezone? (Use the three-letter abbreviation)
SYSTEM > ControlSet001 > Control > TimeZoneInformation

=> UTC
# Q10 - When was AlpacaCare.docx last accessed?
root > AlpacaCare.docx

=> 03/17/2019 09:52 PM
# Q11 - There was a second partition on the drive. What is the letter assigned to it?
SYSTEM > MountedDevices

=> A
# Q12 - What is the answer to the question Company’s manager asked Karen?

=> TheCardCriesNoMore
# Q13 - What is the job position offered to Karen? (3 words, 2 spaces in between)

=> Cyber Security Analyst
# Q14 - When was the admin user password last changed?


=> 03/21/2019 19:13:09
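As an added illustration (not part of the original write-up), the following Python decodes the binary `F` value stored under `SAM\Domains\Account\Users\<RID>`, which is where the "password last changed" timestamp shown above comes from. The field offsets follow the layout RegRipper's samparse plugin reads; the sample bytes are constructed here and are not taken from the challenge image.

```python
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100 ns ticks since 1601-01-01 UTC; a zero field means "never".
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """Convert a 64-bit FILETIME to an aware UTC datetime (None when the field is zero)."""
    return None if ft == 0 else _FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    """Inverse conversion; used only to build the constructed sample below."""
    return ((dt - _FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def parse_sam_f_value(f):
    """Decode the fixed-layout 'F' value of a SAM user key.
    Offsets (as read by RegRipper's samparse plugin):
      8  last logon (FILETIME)        24 password last set (FILETIME)
      32 account expires (FILETIME)   40 last failed logon (FILETIME)
      48 RID (DWORD)                  56 account-control flags (WORD)
      64 failed logon count (WORD)    66 logon count (WORD)
    """
    if len(f) < 68:
        raise ValueError("F value too short: %d bytes" % len(f))
    last_logon, = struct.unpack_from("<Q", f, 8)
    pwd_last_set, = struct.unpack_from("<Q", f, 24)
    acct_expires, = struct.unpack_from("<Q", f, 32)
    last_failed, = struct.unpack_from("<Q", f, 40)
    rid, = struct.unpack_from("<I", f, 48)
    acb_flags, = struct.unpack_from("<H", f, 56)
    fail_count, logon_count = struct.unpack_from("<HH", f, 64)
    return {
        "rid": rid,
        "last_logon": filetime_to_datetime(last_logon),
        "pwd_last_set": filetime_to_datetime(pwd_last_set),
        "acct_expires": filetime_to_datetime(acct_expires),
        "last_failed_logon": filetime_to_datetime(last_failed),
        "disabled": bool(acb_flags & 0x0001),  # ACB_DISABLED bit
        "failed_logon_count": fail_count,
        "logon_count": logon_count,
    }

def build_sample_f():
    """Constructed 80-byte F value (not from the image): RID 1001, normal account, no logons."""
    f = bytearray(80)
    when = datetime(2019, 3, 21, 19, 13, 9, tzinfo=timezone.utc)  # the Q14 timestamp
    struct.pack_into("<Q", f, 24, datetime_to_filetime(when))
    struct.pack_into("<I", f, 48, 1001)
    struct.pack_into("<H", f, 56, 0x0010)  # ACB_NORMAL: normal user account
    return bytes(f)
```

Call `parse_sam_f_value(build_sample_f())` to see the decoded fields; pass the raw `F` bytes exported from the real hive to decode an actual account.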
# Q15 - What version of Chrome is installed on the machine?
`SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome`

=> 72.0.3626.121
# Q16 - What is the HostUrl of Skype?
Go to root > SkypeXXX > Zone.Identifier (the alternate data stream attached to the downloaded installer)

=> https://download.skype.com/s4l/download/win/Skype-8.41.0.54.exe
# Q17 - What is the domain name of the website Karen browsed on Alpaca care that the file AlpacaCare.docx is based on?


=> palominoalpacafarm.com
# Further Readings
https://ahmed-naser.medium.com/hireme-blue-team-challenge-write-up-95345d52965f
https://0xmedhat.gitbook.io/whoami/hireme-cyberdefenders
https://medium.com/@sshekhar01/cyberdefenders-hireme-bcccd052d905