Insider CTF Writeup

Ali Alaa
Jun 2, 2023

Hello dudes,
I hope to find you well.

This is Ali Alaa, and this is a writeup of the Insider challenge on the CyberDefenders platform.

This is a Linux forensics challenge, and if you want to learn more about this topic you can try Insider.

But before you get your hands dirty: without knowledge of Linux forensics you can’t solve it, so please try the Linux forensics room first (paid), or find any walkthrough of that room, learn, then play. It will give you a good foundation.

So, let’s start…

First Question : What distribution of Linux is being used on this machine?

After I navigated to /root/boot, I found a file called config-4.13 in addition to kali, so this is the config file for Kali.

Kali config file

Here we go, the answer is : kali

Second Question : What is the MD5 hash of the apache access.log?

I found this log file under /var/log/apache2. After this, I selected the file and exported the hash for access.log.

access.log
MD5 hash

Here we go, the answer is : d41d8cd98f00b204e9800998ecf8427e

Third Question : It is believed that a credential dumping tool was downloaded? What is the file name of the download?

I turned my attention to Downloads, the default place for downloaded files, so I went directly to it under the root directory, and here is what I found:

Downloads

Here we go, the answer is : mimikatz_trunk.zip

Fourth Question : There was a super-secret file created. What is the absolute path?

I noticed a didyouthinkwedmakeiteasy.png image, by its name, in /documents/myfirsthack/. I exported it and tried to open it, but I found it’s not an image. I explored it in a hex editor, and here is what I found:

Bash history

At the end of the file I noticed he exported all the history to history.txt.

Last command

So, the insider may have altered the history after exporting it and made this image to distract the investigator’s attention. Let’s search for the real bash history file at ~/.bash_history. Here we have the home directory for the root user, and the file is here:

Real bash history

After I opened this file I found all the commands:

Commands

Here I found that there are 2 commands not found in the altered file, and I see secret files with their absolute paths.

Here we go, the answer is : /root/Desktop/SuperSecretFile.txt

Fifth Question : What program used didyouthinkwedmakeiteasy.jpg during execution?

We got the real bash history file; I browsed it and found this command, which involves didyouthinkwedmakeiteasy.jpg:

Bash history

So, the command is binwalk didyouthinkwedmakeiteasy.jpg

Here we go, the answer is : binwalk

Sixth Question : What is the third goal from the checklist Karen created?

While investigating all the default directories like Desktop, Documents, etc., I found a file called Checklist under the Desktop directory.

Checklist data

Here we go, the answer is : profit

Seventh Question : How many times was apache run?

We run apache2 from the command line, but when I looked at the bash history I didn’t find any command related to apache2, only postgresql.

Only postgresql

Here we go, the answer is : 0

Eighth Question : It is believed this machine was used to attack another. What file proves this?

Under the home directory for root I found this image. It proves that this machine was used to attack another; as you can see, it’s a Windows-based victim.

Clue about attacking

Here we go, the answer is : irZLAohL.jpeg

Ninth Question : Within the Documents file path, it is believed that Karen was taunting a fellow computer expert through a bash script. Who was Karen taunting?

From the question, I went directly to the Documents directory and found another directory called myfirsthack, where I found:

All files under myfirsthack

The question mentions a bash script, so I must investigate all the bash files, and I found this bash script called firstscript_fixed.

firstscript_fixed bash

Here we go, the answer is : Young

Tenth Question : A user su’d to root at 11:26 multiple times. Who was it?

For this question you must be aware of a log file called “auth.log”, which logs all authentication mechanisms, such as the mechanisms for authorizing users that prompt for user passwords, the sudo command, and remote logins over ssh.

Here the user needs to switch to root, so he must be prompted for a password, and this is logged in the auth.log file.

auth.log

Here we go, the answer is : postgres

Eleventh Question : Based on the bash history, what is the current working directory?

This is the last directory the user visited, and he is still there.

Bash history

Here we go, the answer is : /root/Documents/myfirsthack/
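
The two bash-history steps above (spotting commands that are missing from the exported history, and working out the final working directory) can also be scripted. This is an added example, not part of the original writeup or the challenge; the history lines are constructed samples and the function names are hypothetical.

```python
import posixpath
import shlex
from collections import Counter

# Constructed samples (not from the challenge image); the export lacks two commands.
REAL_HISTORY = """\
cd /root/Documents
mkdir myfirsthack
cd myfirsthack
touch /root/Desktop/SuperSecretFile.txt
binwalk didyouthinkwedmakeiteasy.jpg
cd ../../Desktop
cd /root/Documents/myfirsthack/
history > history.txt
""".splitlines()
EXPORTED_HISTORY = [c for c in REAL_HISTORY if not c.startswith(("touch ", "binwalk "))]


def missing_commands(real, exported):
    """Commands in `real` with no matching occurrence in `exported`, in order."""
    budget = Counter(exported)  # counts, so repeated commands are handled
    missing = []
    for cmd in real:
        if budget[cmd] > 0:
            budget[cmd] -= 1
        else:
            missing.append(cmd)
    return missing


def replay_cwd(history, start="/root", home="/root"):
    """Estimate the final working directory by following plain `cd` commands."""
    # Assumes one session, every cd succeeded, no pushd/popd, `cd -` or variables.
    cwd = start
    for cmd in history:
        try:
            parts = shlex.split(cmd)
        except ValueError:  # unbalanced quotes: skip the line
            continue
        if not parts or parts[0] != "cd":
            continue
        target = parts[1] if len(parts) > 1 else home
        if target == "~" or target.startswith("~/"):
            target = home + target[1:]
        cwd = posixpath.normpath(posixpath.join(cwd, target))
    return cwd  # normpath drops any trailing slash


if __name__ == "__main__":
    print(missing_commands(REAL_HISTORY, EXPORTED_HISTORY), replay_cwd(REAL_HISTORY))
```

On real evidence, read both files from the exported copies rather than the mounted image, and treat the replayed directory as an estimate, since history files from several sessions can interleave.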

At the end,
I hope you enjoyed this writeup ❤️.

Stay in touch

LinkedIn
