I hope this finds you well.
This is Ali Alaa, and this is my writeup for the Insider challenge on the CyberDefenders platform.
This is a Linux forensics challenge, and if you want to learn more about this topic, Insider is a good one to try.
But before you get your hands dirty: without some knowledge of Linux forensics you won't be able to solve it, so please try the Linux Forensics room (paid) first; if you can't access it, any walkthrough of that room will do. Learn, then play. It will give you a good foundation.
So, let's start...
First Question : What distribution of Linux is being used on this machine?
After navigating to /root/boot I found a file called config-4.13 with kali in its name, so this is the kernel config file for Kali.
Here we go, the answer is : kali
Second Question : What is the MD5 hash of the apache access.log?
I found this log file under /var/log/apache2. I then selected the file and exported the hash of access.log.
Here we go, the answer is : d41d8cd98f00b204e9800998ecf8427e
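Hashing the evidence is the first thing to do before opening anything, and the value above is worth a second look: it is the MD5 of zero bytes, so the access.log in the image is empty, which is itself a finding. The following script is an added example of mine, not part of the original writeup or of any CyberDefenders tooling; it hashes files in chunks the way a forensic tool would and flags the empty-file digest. The two sample log files it creates are constructed stand-ins for /var/log/apache2/access.log and error.log.

```python
import hashlib
import os
import tempfile

# MD5 of zero bytes. A match means the file is empty: either nothing was
# ever logged or the log was cleared, and both matter to the investigator.
EMPTY_MD5 = "d41d8cd98f00b204e9800998ecf8427e"


def md5_file(path, chunk_size=1 << 20):
    """Hash a file in fixed-size chunks so large logs never have to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_report(paths):
    """Return {path: (md5_hex, note)} where note flags empty files."""
    report = {}
    for p in paths:
        digest = md5_file(p)
        note = "EMPTY FILE" if digest == EMPTY_MD5 else ""
        report[p] = (digest, note)
    return report


def demo():
    """Build two constructed sample files and hash them (stand-ins for the apache2 logs)."""
    d = tempfile.mkdtemp()
    access = os.path.join(d, "access.log")
    error = os.path.join(d, "error.log")
    open(access, "wb").close()  # empty, like the access.log in the image
    with open(error, "wb") as f:
        f.write(b"[Mon Jan 01 00:00:00 2018] [notice] constructed sample line\n")
    return hash_report([access, error])


if __name__ == "__main__":
    for path, (digest, note) in demo().items():
        print(f"{digest}  {path}  {note}")
```

Run it on a mounted image with a list of real paths instead of the demo files; keep the output with the case notes so any later claim about a file can be checked against the hash taken before it was touched.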
Third Question : It is believed that a credential dumping tool was downloaded? What is the file name of the download?
My attention went to Downloads, the default location for downloaded files, so I went directly to it under the root directory, and here is what I found.
Here we go, the answer is : mimikatz_trunk.zip
Fourth Question : There was a super-secret file created. What is the absolute path?
My attention was drawn to an image named didyouthinkwedmakeiteasy.png in /documents/myfirsthack/. I exported it and tried to open it, but it is not an image, so I explored it in a hex editor, and here is what I found.
At the end of the file I noticed he had exported all of the history to history.txt.
So the insider may have altered the history after exporting it, and made this image to distract the investigator's attention. Let's look for the real bash history file at ~/.bash_history: here we have the home directory of the root user, and the file is there.
After I opened this file I found all of the commands.
Here I found two commands that are not in the altered file, and I could see the secret file with its absolute path.
Here we go, the answer is : /root/Desktop/SuperSecretFile.txt
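The step above, spotting what was removed from the exported copy, is a set difference between two command lists. The script below is an added example of mine, not from the original writeup or the challenge files; the two history samples are constructed, and the only real names in them are the ones already on this page. It strips the index numbers that the history command prints, treats the lists as multisets so repeated commands are not lost, and pulls any absolute path that mentions "secret" out of the missing commands.

```python
from collections import Counter

# Constructed sample of the real ~/.bash_history (not the challenge's data).
REAL_HISTORY = """\
cd Documents/myfirsthack
ls -la
touch /root/Desktop/SuperSecretFile.txt
binwalk didyouthinkwedmakeiteasy.jpg
history > history.txt
"""

# Constructed sample of the exported history.txt left behind by the insider,
# in the numbered format the history command prints, with two lines removed.
EXPORTED_HISTORY = """\
    1  cd Documents/myfirsthack
    2  ls -la
    3  history > history.txt
"""


def parse_history(text):
    """Normalise history lines: drop the leading index numbers and surrounding whitespace."""
    cmds = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split(None, 1)
        # output of the history command prefixes each entry with its number
        if len(parts) == 2 and parts[0].isdigit():
            line = parts[1]
        cmds.append(line)
    return cmds


def missing_commands(real_text, exported_text):
    """Commands present in the real history but absent from the exported copy."""
    real = Counter(parse_history(real_text))
    exported = Counter(parse_history(exported_text))
    diff = real - exported  # multiset difference keeps repeated commands
    # Counter subtraction preserves insertion order, so results follow the real history
    return list(diff.elements())


def secret_paths(commands, keyword="secret"):
    """Absolute paths in the given commands whose name contains keyword (case-insensitive)."""
    paths = []
    for cmd in commands:
        for tok in cmd.split():
            if tok.startswith("/") and keyword in tok.lower():
                paths.append(tok)
    return paths


if __name__ == "__main__":
    missing = missing_commands(REAL_HISTORY, EXPORTED_HISTORY)
    for cmd in missing:
        print("removed from export:", cmd)
    print("secret paths:", secret_paths(missing))
```

On a real image, read ~/.bash_history and history.txt from the mounted filesystem and pass their contents to missing_commands. Remember that .bash_history is only written when a shell exits cleanly, so a history file can be incomplete even when nobody tampered with it.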
Fifth Question : What program used didyouthinkwedmakeiteasy.jpg during execution?
We have the real bash history file, and while browsing it I found the command that references didyouthinkwedmakeiteasy.jpg.
So the command is binwalk didyouthinkwedmakeiteasy.jpg
Here we go, the answer is : binwalk
Sixth Question : What is the third goal from the checklist Karen created?
While investigating all of the default directories (Desktop, Documents, and so on),
I found a file called Checklist under the Desktop directory.
Here we go, the answer is : profit
Seventh Question : How many times was apache run?
Apache2 is started from the command line, but when I looked at the bash history I found no command related to apache2, only postgresql.
Here we go, the answer is : 0
Eighth Question : It is believed this machine was used to attack another. What file proves this?
Under the home directory of root I found this image. It proves that this machine was used to attack another: as you can see, the victim is Windows based.
Here we go, the answer is : irZLAohL.jpeg
Ninth Question : Within the Documents file path, it is believed that Karen was taunting a fellow computer expert through a bash script. Who was Karen taunting?
Following the question, I went directly to the Documents directory, where I found another directory called myfirsthack.
The question says a bash script was used, so I had to investigate all of the bash files,
and I found this bash script called firstscript_fixed
Here we go, the answer is : Young
Tenth Question : A user su’d to root at 11:26 multiple times. Who was it?
For this question you must be aware of a log file called “auth.log”, which records all authentication events: the mechanisms that prompt users for passwords, the sudo command, and remote logins over ssh.
Here the user needs to switch to root, so they must enter a password, and this is recorded in auth.log.
Here we go, the answer is : postgres
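Reading auth.log by eye works for a small image, but the same question is easy to ask programmatically, and a script is less likely to miss a line. The example below is mine, added for this writeup and not part of the original post or the challenge; the auth.log excerpt is constructed, using the syslog layout Debian-based systems write and the "Successful su for root by user" message that the older su binary logs. Newer util-linux su writes "(to root) user on pts/1" instead, so on a real image check the format first and adjust the regular expression; the hostname, PIDs and times here are placeholders.

```python
import re
from collections import Counter

# Constructed auth.log excerpt (placeholder host, PIDs and timestamps).
AUTH_LOG = """\
Mar 28 11:25:59 kali sshd[1001]: Accepted password for karen from 10.0.0.5 port 5555 ssh2
Mar 28 11:26:03 kali su[1010]: Successful su for root by postgres
Mar 28 11:26:03 kali su[1010]: + /dev/pts/1 postgres:root
Mar 28 11:26:14 kali su[1022]: Successful su for root by postgres
Mar 28 11:26:40 kali su[1031]: Successful su for root by postgres
Mar 28 11:26:50 kali sudo:    karen : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/id
Mar 28 11:27:02 kali su[1040]: Successful su for root by karen
"""

# Matches the "Successful su for <target> by <user>" message; the seconds are
# dropped from the captured time because the question is asked per minute.
SU_RE = re.compile(
    r"^(?P<month>\w{3})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d):\d\d\s+\S+\s+"
    r"su\[\d+\]:\s+Successful su for (?P<target>\S+) by (?P<user>\S+)$"
)


def su_events(log_text):
    """Return (HH:MM, source_user, target_user) for every successful su line."""
    events = []
    for line in log_text.splitlines():
        m = SU_RE.match(line)
        if m:
            events.append((m.group("time"), m.group("user"), m.group("target")))
    return events


def who_su_to_root_at(log_text, hhmm):
    """Count successful su-to-root events per source user within the given minute."""
    return Counter(
        user for t, user, target in su_events(log_text)
        if target == "root" and t == hhmm
    )


def most_frequent(counts):
    """The source user with the most events, or None if there were none."""
    return counts.most_common(1)[0][0] if counts else None


if __name__ == "__main__":
    counts = who_su_to_root_at(AUTH_LOG, "11:26")
    for user, n in counts.most_common():
        print(f"{user}: {n} su to root at 11:26")
    print("answer:", most_frequent(counts))
```

The sudo line and the "+ /dev/pts/1" session line are deliberately in the sample so you can see that the pattern ignores them; sudo is logged separately and does not count as su. For a full investigation, run the same pattern over the rotated auth.log.1 and auth.log.*.gz files as well, since the event you want may not be in the current file.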
Eleventh Question : Based on the bash history, what is the current working directory?
This is the last directory the user visited, and they are still there.
Here we go, the answer is : /root/Documents/myfirsthack/
Finally,
I hope you enjoyed this writeup ❤️.