Write-Up: Global CyberLympics 2015 Round1 #310

@tijldeneut

By Photubias / Team Howest CCCP

Introduction:
Answers for all the first round questions (7 questions) should be found in these files:
gcl_round1.7z (https://www.dropbox.com/s/vbt9wwadgtgolcx/gcl_round1.7z?dl=1, password Sup3rS3cr3tP@$$w0rd4Y0u)
Users.7z (https://www.dropbox.com/s/em6mv37vd107unz/Users.7z?dl=1)


Greetings HOWEST CCCP,

One of our operatives was on a mission and a Government Organization that wishes to remain unnamed took him into custody. However, we have eyes and ears everywhere and deep within this organization we have an insider. The forensic group apparently took the laptop and a few other articles into possession and our insider is sending you a copy of the material.

Why would we send it to you? We are recruiting another team. We have to assume this one taken into custody is now compromised.

We need to know what the organization is going to find out about us and how we operate. A list of questions that are going to be asked has been provided to you as well. With that being said, we already know many of these answers, so we can tell you right away whether you are right or wrong. Those that measure up to the task will be invited to Round 2 of this recruiting effort.

~ warl0ck ~

Write-Up for the first level of the first round:

  • IDK
  • zfq...dszqup ujnf...eje zpv fyqfdu bozuijoh mftt? uif u0l3o zpv t33l gps uijt dibmmfohf jt: egJt!dszqu0
    Every letter is one position ahead in the alphabet (encoded with ROT1), so decoding is ROT25, a shift of one letter back; digits and punctuation are untouched:
    yep...crypto time...did you expect anything less? the t0k3n you s33k for this challenge is: dfIs!crypt0
    FLAG: dfIs!crypt0
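The decoding step above as a worked example, added here and not part of the original write-up: a Caesar-shift decoder that tries all 26 rotations, ranks them by how many common English words they contain, and pulls the token out of the winning line. The ciphertext is the one from the challenge; the small word list is constructed for scoring only and is an assumption of this example.

```python
# Ciphertext from the challenge; the write-up recovers it with a shift of 25
# (every letter had been advanced by one, ROT1, when it was encoded).
CIPHERTEXT = ("zfq...dszqup ujnf...eje zpv fyqfdu bozuijoh mftt? "
              "uif u0l3o zpv t33l gps uijt dibmmfohf jt: egJt!dszqu0")

# Constructed word list used only to rank candidate plaintexts; any modest
# English frequency list would do (assumption of this example, not the page's).
COMMON_WORDS = {"the", "and", "you", "for", "this", "that", "is", "are",
                "time", "did", "expect", "anything", "less", "yep", "crypto",
                "challenge", "with", "not", "have"}


def rot(text, shift):
    """Shift ASCII letters by `shift` positions (mod 26), preserving case.
    Digits and punctuation pass through, so leet-speak like t0k3n survives."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - 97 + shift) % 26 + 97))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - 65 + shift) % 26 + 65))
        else:
            out.append(ch)
    return "".join(out)


def english_score(text):
    """Number of alphabetic tokens that appear in COMMON_WORDS."""
    tokens = "".join(c.lower() if c.isalpha() else " " for c in text).split()
    return sum(1 for t in tokens if t in COMMON_WORDS)


def brute_force(ciphertext):
    """Try every shift 0..25; return (best_shift, best_plaintext, ranked),
    where ranked is the full candidate list, best first, for manual review."""
    ranked = sorted(((s, rot(ciphertext, s)) for s in range(26)),
                    key=lambda c: english_score(c[1]), reverse=True)
    best_shift, best_text = ranked[0]
    return best_shift, best_text, ranked


def extract_token(plaintext, marker="is: "):
    """Token that follows the last 'is: ' in the decoded message."""
    return plaintext.rsplit(marker, 1)[-1].strip()


if __name__ == "__main__":
    shift, plain, ranked = brute_force(CIPHERTEXT)
    print(f"shift {shift} (ROT{shift}): {plain}")
    print("token:", extract_token(plain))
```

The ranking is stable, so on a tie the lower shift wins; for a short message with few dictionary words it is worth eyeballing the top few entries of `ranked` rather than trusting the first one blindly.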

  • Guidelines:
  • A message was intercepted from the operations team regarding the deployment of exploits. What was the significance of this
    Users.7z: Users\tang0\Documents\tang0_Live_Labs_Emails.pst
    The PST is password-protected: recover the password (NKv3fH) with NirSoft PSTrecovery and open the file in Outlook (a PST password is only stored as a CRC-32 of the password and does not encrypt the data, which is why it is recovered instantly)
    Email "Guideline for Deployment of Exploits" from TeamOps on 2015-07-28 19:51 has this sentence at bottom:
    If you are looking for a -- t 0 k 3 n -- you found it here. Submit the following: 9696a6a68ac6b87
    FLAG: 9696a6a68ac6b87

  • Impossible
  • When we intercepted tang0 he was on a mission assigned by 'live labs' and we need to know what the name of that mission is
    Users.7z: Users\tang0\Documents\tang0_Live_Labs_Emails.pst
    recover the PST password (NKv3fH) with NirSoft PSTrecovery, as for the previous flag, and open the file in Outlook
    Email "RE: Your Live Labs System" from DarkLord on 2015-08-01 8:22 has this sentence:
    n1tr0n is getting your system ready. Operation Mark83a is coming soon make sure you get you ...
    FLAG: Mark83a

  • Find It
  • PPID 1744 has a process listening on what port number?
    gcl_round1.7z contains a memory dump (gcl_round1.dd)
    Get the profile first: python vol.py -f /root/gcl_round1.dd imageinfo (suggests Win7SP1x86, used for all commands below)
    "python vol.py -f /root/gcl_round1.dd --profile=Win7SP1x86 pslist" shows tor.exe with PID 1628 and PPID 1744 (a firefox.exe process; Tor Browser starts tor.exe as a child of its Firefox)
    "python vol.py -f /root/gcl_round1.dd --profile=Win7SP1x86 netscan" shows tor.exe with PID 1628 listening on port 9151 (the control port of the tor bundled with Tor Browser; its SOCKS port is 9150)
    FLAG: 9151

  • Easy
  • What was the IP address of the system?
    gcl_round1.7z: the same netscan command as for the previous flag shows the local IP
    "python vol.py -f /root/gcl_round1.dd --profile=Win7SP1x86 netscan" shows System listening on 192.168.1.5:138 (the NetBIOS datagram service binds to the interface address rather than to 0.0.0.0, so the host's own IP appears in the socket table)
    FLAG: 192.168.1.5
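To make the pslist/netscan correlation behind the last two flags reproducible, here is an added Python example (not from the original write-up and not Volatility code) that parses the text output of Volatility 2's pslist and netscan plugins, finds the ports bound by children of a given PPID, and lists the non-wildcard local addresses. The two sample outputs are constructed to mimic the Volatility 2 column layout; PIDs 1744 and 1628, port 9151 and 192.168.1.5 are the values the write-up reports, while the offsets, timestamps and the other processes and sockets are filler for the example.

```python
import re

# Constructed sample output, modelled on the column layout of Volatility 2's
# pslist and netscan plugins. PIDs 1744/1628, port 9151 and 192.168.1.5 are
# the values the write-up reports for gcl_round1.dd; offsets, timestamps and
# the other processes/sockets are filler for this example, not from the dump.
PSLIST = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
---------- -------------------- ------ ------ ------ -------- ------ ------ -------------------
0x84f2a020 System                    4      0     80      500 ------      0 2015-08-05 10:12:01
0x85c1d030 svchost.exe             688    468     10      300      0      0 2015-08-05 10:12:05
0x86a0b8f8 explorer.exe           1500   1472     30      900      1      0 2015-08-05 10:13:10
0x86b11d40 firefox.exe            1744   1500     40     1200      1      0 2015-08-05 10:20:44
0x86c0c6b0 tor.exe                1628   1744      6      150      1      0 2015-08-05 10:20:50
0x86d2e030 cmd.exe                2012   1500      1       25      1      0 2015-08-05 10:25:02
"""

NETSCAN = """\
Offset(P)  Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x3e1a2b08 TCPv4    0.0.0.0:135                    0.0.0.0:0            LISTENING        688      svchost.exe    2015-08-05 10:12:05
0x3e2f4c10 UDPv4    192.168.1.5:138                *:*                                   4        System         2015-08-05 10:12:09
0x3e3a1020 TCPv4    127.0.0.1:9151                 0.0.0.0:0            LISTENING        1628     tor.exe        2015-08-05 10:20:51
0x3e3a9d78 TCPv4    192.168.1.5:49201              104.16.12.5:443      ESTABLISHED      1744     firefox.exe    2015-08-05 10:21:00
0x3e3b2210 TCPv6    :::445                         :::0                 LISTENING        4        System         2015-08-05 10:12:09
"""


def parse_pslist(text):
    """Map PID -> (image name, PPID) from pslist output."""
    procs = {}
    for line in text.splitlines():
        m = re.match(r"^0x[0-9a-fA-F]+\s+(\S+)\s+(\d+)\s+(\d+)\s", line)
        if m:
            procs[int(m.group(2))] = (m.group(1), int(m.group(3)))
    return procs


def parse_netscan(text):
    """Parse netscan rows. UDP rows leave the State column blank, so the
    token after Foreign Address is classified by whether it is numeric."""
    rows = []
    for line in text.splitlines():
        if not line.startswith("0x"):
            continue                      # header / separator line
        f = line.split()
        proto, local, foreign = f[1], f[2], f[3]
        if f[4].isdigit():
            state, pid, owner = "", int(f[4]), f[5]
        else:
            state, pid, owner = f[4], int(f[5]), f[6]
        host, _, port = local.rpartition(":")
        rows.append({"proto": proto, "host": host,
                     "port": int(port) if port.isdigit() else None,
                     "foreign": foreign, "state": state,
                     "pid": pid, "owner": owner})
    return rows


def children(procs, ppid):
    """PIDs whose direct parent is ppid."""
    return {pid for pid, (_, parent) in procs.items() if parent == ppid}


def bound_ports_under(pslist_text, netscan_text, ppid):
    """(pid, name, port) for sockets bound by direct children of ppid:
    TCP sockets in LISTENING state plus every UDP socket (UDP has no state)."""
    procs = parse_pslist(pslist_text)
    kids = children(procs, ppid)
    hits = set()
    for r in parse_netscan(netscan_text):
        if r["pid"] not in kids or r["port"] is None:
            continue
        if r["proto"].startswith("TCP") and r["state"] != "LISTENING":
            continue
        hits.add((r["pid"], procs[r["pid"]][0], r["port"]))
    return sorted(hits)


def local_ips(netscan_text):
    """Distinct local addresses that are neither wildcard nor loopback: the
    host's own interface addresses as seen in the socket table."""
    skip = {"0.0.0.0", "::", "127.0.0.1", "::1"}
    return sorted({r["host"] for r in parse_netscan(netscan_text)
                   if r["host"] not in skip and not r["host"].startswith("fe80")})


if __name__ == "__main__":
    print("bound under PPID 1744:", bound_ports_under(PSLIST, NETSCAN, 1744))
    print("local IPs:", local_ips(NETSCAN))
```

The same parsing works on real plugin output saved with --output-file; the only assumption is the whitespace-separated column layout of Volatility 2 (Volatility 3's windows.pslist and windows.netscan use different column names and order, so the regex and the field indices would need adjusting).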

  • Sleeping?
  • tang0 left a ZZZ t0k3n on the system. Can you find it?
    gcl_round1.7z
    "python vol.py -f /root/gcl_round1.dd --profile=Win7SP1x86 clipboard" shows clipboard contents:
    th3 ZZZ t.0.k.3.n is: Aw3s0m3J0b!
    FLAG: Aw3s0m3J0b!

  • nuf said
  • There is an XXX t0k3n on the system for you to find (NOT that kind!)
    gcl_round1.7z: "python vol.py -f /root/gcl_round1.dd --profile=Win7SP1x86 pslist" shows a cmd.exe
    The console screen buffer (kept by conhost.exe) can be recovered, including whatever was typed at the prompt; the consoles plugin dumps the whole buffer, while cmdscan only recovers the command history:
    "python vol.py -f /root/gcl_round1.dd --profile=Win7SP1x86 consoles"
    shows C:\Users\tang0>th3 XXX t 0 k 3 n y0u s 3 3 k is: cmd$cAn-n!C3
    FLAG: cmd$cAn-n!C3
