This was an engaging room for me. I've used Autopsy in the past, but never in a more structured format like the investigation in this TryHackMe room. It's closer to a real-life investigation and definitely a good way to practice Windows forensics.
Scenario
There wasn't a proper scenario introduction in this room, but the idea I got while answering the questions was that it was an investigation of a computer shared by several users/employees, one of whom was into hacking and tried to install tools to harvest credentials on the computer.
Investigation
The first few questions were about the affected computer itself, and the answers were quick to find because the Autopsy GUI surfaces this information (one caveat: the MD5 Autopsy reports for an E01 image is the acquisition hash stored inside the E01 container, i.e. the hash of the acquired data, so it will not match an md5sum run over the .E01 file on your examiner machine):
- What is the MD5 hash of the E01 image?
- What is the computer account name?
- List all the user accounts. (alphabetical order)
- Who was the last user to log into the computer?
- What was the IP address of the computer?
- What was the MAC address of the computer? (XX-XX-XX-XX-XX-XX)
- What is the name of the network card on this computer?
For this set of questions I expected the answers to be in the Windows Registry, in a key like SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces (on a disk image the SYSTEM, SOFTWARE, SAM and SECURITY hives are found under C:\Windows\System32\Config). One thing to keep in mind with an offline hive: CurrentControlSet is a link that only exists on a running system; in the extracted SYSTEM hive you read the Current value under SYSTEM\Select and then look in the matching ControlSet00N key.
But only the network card name was in the registry, specifically in SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\.
The IP and MAC address came instead from the configuration file of a program a naughty user had installed on the machine: Look@Lan, a network utility that is not malicious per se, but which, considering the rest of the findings about this user, seemed to have been installed for malicious purposes.
The next question was already answered above:
- What is the name of the network monitoring tool?
Then there was this question:
- A user bookmarked a Google Maps location. What are the coordinates of the location?
This one was answered quickly as well, using the Autopsy GUI and its built-in modules: Autopsy parses browser artifacts by default and lists them under Web Bookmarks in the extracted content, so the Google Maps URL containing the coordinates was a click away. The next question needed a bit more thought:
- A user has his full name printed on his desktop wallpaper. What is the user’s full name?
To answer this question one needs to know where in the Windows Registry the wallpaper set for a user is recorded: HKEY_CURRENT_USER\Control Panel\Desktop\Wallpaper, which on a disk image lives in each user's NTUSER.DAT hive (C:\Users\<name>\NTUSER.DAT). Windows also keeps a copy of the currently applied wallpaper at C:\Users\<name>\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper, which is handy when the original image file has been deleted.
From there one can see which wallpaper file each user had set, open the corresponding images and see which one had the name in it.
I saw that some people solved this challenge by browsing the pictures in Autopsy's Images/Videos section, but I don't think that is feasible in a real investigation, as a system can easily have numerous pictures, and you can't tell which one is actually used as a wallpaper just by looking at the images themselves.
- A user had a file on her desktop. It had a flag but she changed the flag using PowerShell. What was the first flag?
To find the answer to this question I needed the PowerShell history file, ConsoleHost_history.txt, for the affected user, and Autopsy's Keyword Search feature made that very quick. The file is written by the PSReadLine module and lives at C:\Users\<name>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt; it records commands typed in interactive console sessions, so commands run from a script or passed with -Command are not logged there.
Inside the file I found the PowerShell command used to change the file.
- The same user found an exploit to escalate privileges on the computer. What was the message to the device owner?
For this one it was simply a matter of opening the PowerShell script found on one of the users' Desktops and reading the message inside it.
- 2 hack tools focused on passwords were found in the system. What are the names of these tools? (alphabetical order)
This one was tougher than expected. The two tools were LaZagne and Mimikatz. I found Mimikatz very easily, because I already knew the tool (having used it in some previous challenges, when rooting the Ice box on TryHackMe), so I quickly recognised the name while going through one of the users' folders looking for one of the previous answers.
It took me a while to realise that one way a system records hacking tools is through the antivirus: Windows Defender keeps a history of everything it detected, even when the download was blocked or the file was later quarantined or deleted.
In this case the answer was in the Windows Defender detection history, located at C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\ (binary files, one per detection). Defender names detections as Category:Platform/Family, e.g. HackTool:Win32/Mimikatz, so the HackTool prefix is the thing to look for.
I didn't know LaZagne, so I had to look up the tool name (and the others in the detection history).
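The DetectionHistory files are a binary format, but the threat name and the path of the detected resource are stored inside them as UTF-16LE text, so carving strings is enough for a quick triage when you are working on an extracted copy of the folder rather than inside Autopsy. The script below is an added example written for this post, not code from the room or from Autopsy; it carves UTF-16LE strings, keeps those that follow Defender's Category:Platform/Family naming and those that look like Windows paths (with or without the file:_ prefix Defender puts in front of file resources, which is an assumption about the format here), and runs on a constructed byte sample that imitates such a file (the user name and file names in it are made up for the example).

```python
"""Triage Windows Defender DetectionHistory files by carving UTF-16LE strings."""
import re
from pathlib import Path

# A run of at least MIN_LEN printable ASCII characters encoded as UTF-16LE
# (each character followed by a NUL byte).
MIN_LEN = 6
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

# Defender names detections Category:Platform/Family[.Variant][!Suffix],
# e.g. HackTool:Win32/Mimikatz.
THREAT_NAME = re.compile(r"^[A-Za-z]+:[A-Za-z0-9_]+/[A-Za-z0-9_.!-]+$")

# Windows paths, optionally prefixed with "file:_" (assumed Defender resource prefix).
WIN_PATH = re.compile(r"^(?:file:_)?([A-Za-z]:\\[^\x00]+)$")


def utf16le_strings(data: bytes):
    """Return every printable UTF-16LE string of at least MIN_LEN chars in data."""
    return [m.group(0).decode("utf-16-le") for m in UTF16_RUN.finditer(data)]


def triage(data: bytes):
    """Return (threat_names, paths) carved from one DetectionHistory file's bytes,
    in order of first appearance and without duplicates."""
    threats, paths = [], []
    for s in utf16le_strings(data):
        if THREAT_NAME.match(s):
            if s not in threats:
                threats.append(s)
            continue
        m = WIN_PATH.match(s)
        if m and m.group(1) not in paths:
            paths.append(m.group(1))
    return threats, paths


def triage_directory(root):
    """Walk a DetectionHistory tree copied out of the image and aggregate results."""
    all_threats, all_paths = set(), set()
    for f in Path(root).rglob("*"):
        if f.is_file():
            t, p = triage(f.read_bytes())
            all_threats.update(t)
            all_paths.update(p)
    return sorted(all_threats), sorted(all_paths)


def u16(s: str) -> bytes:
    """Encode a string the way it appears inside the file (UTF-16LE, no BOM)."""
    return s.encode("utf-16-le")


# Constructed sample: binary junk around the kind of strings a real file carries.
SAMPLE = (
    b"\x01\x00\x00\x00\xde\xad\xbe\xef"
    + u16("HackTool:Win32/Mimikatz")
    + b"\x00\x00\x13\x37"
    + u16(r"file:_C:\Users\H4S4N\Desktop\mimikatz.exe")
    + b"\xff\xfe\x00\x00"
    + u16("HackTool:Win32/LaZagne")
    + b"\x00\x00"
    + u16(r"file:_C:\Users\H4S4N\Downloads\LaZagne.exe")
    + b"\x00\x00"
    + u16("Quarantined")
    + b"\x00"
)

if __name__ == "__main__":
    names, paths = triage(SAMPLE)
    print("Threats:", names)
    print("Paths:  ", paths)
```

Point triage_directory at the DetectionHistory folder exported from the image and the two HackTool names answer the question directly; the carved paths tell you which user profile the files were in, which is what ties the detections to H4S4N.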
- There is a YARA file on the computer. Inspect the file. What is the name of the author?
Again, Keyword Search quickly gives the answer when looking for the .yar extension; the author is in the rule's meta section.
- One of the users wanted to exploit a domain controller with an MS-NRPC based exploit. What is the filename of the archive that you found? (include the spaces in your answer)
For this one I searched online for vulnerabilities affecting MS-NRPC (the Netlogon Remote Protocol), found ZeroLogon (CVE-2020-1472), searched the image for that keyword and, after some digging, found the archive name in the system's logs.
Conclusion
The story, then, is that this user, H4S4N, downloaded (or tried to download, before Windows Defender blocked them) tools and scripts for password stealing, exploitation and privilege escalation, plus a network monitoring tool, and tried to use them. His wallpaper was also a Mr. Robot one (with the text "are you a 0 or a 1"), which was a big hint about who the malicious user on that machine might be.
This was fun, I like investigations and forensics, and I was looking for experiences with Autopsy so I enjoyed doing this challenge.