Home Disk Analysis & Autopsy
Post
Cancel

Disk Analysis & Autopsy

Ready for a challenge? Use Autopsy to investigate artifacts from a disk image.

THM Room https://tryhackme.com/room/autopsy2ze0

TASK 1 : Windows 10 Disk Image

What is the MD5 hash of the E01 image?

MD5 Hash MD5 Hash

Answer : 3f08c518adb3b5c1359849657a9b2079

What is the computer account name?

Computer account name Computer account name

Answer : DESKTOP-0R59DJ3

List all the user accounts. (alphabetical order)

User accounts User accounts

You can ethier just rewrite all or export to csv and delete all irrelevelant informations before copy the names :

Answer : H4S4N,joshwa,keshav,sandhya,shreya,sivapriya,srini,suba

Who was the last user to log into the computer?

From above capture, ordered by “date accessed”.

Answer : sivapriya

What was the IP address of the computer?

Found Look@lan program installed so i look inside his .ini file :

Computer IP Computer IP

Answer : 192.168.130.216

What was the MAC address of the computer? (XX-XX-XX-XX-XX-XX)

From above capture and adding “-“ after all 2 char from %LANNIC%

Answer : 08-00-27-2c-c4-b9

Name the network cards on this computer.

Searched for keyword “ethernet” :

Network cards Network cards

Answer : Intel(R) PRO/1000 MT Desktop Adapter

What is the name of the network monitoring tool?

From previous investigations.

Answer : look@lan

A user bookmarked a Google Maps location. What are the coordinates of the location?

Google Maps location Google Maps location

Answer : 12°52’23.0”N 80°13’25.0”E

A user has his full name printed on his desktop wallpaper. What is the user’s full name?

Looking around the %AppData%\Microsoft\Windows\Themes directory for all users. Found the answer in Joshwa’s folder :

Desktop wallpaper Desktop wallpaper

Extracted this files then opened it :

Desktop wallpaper Extracted Desktop wallpaper Extracted

Answer : Anto Joshwa

A user had a file on her desktop. It had a flag but she changed the flag using PowerShell. What was the first flag?

Checked the powershell history for users :

Flag 1 Flag 1

Answer : flag{HarleyQuinnForQueen}

The same user found an exploit to escalate privileges on the computer. What was the message to the device owner?

Found the exploit.ps1 on Shreya’s Desktop :

exploit.ps1 exploit.ps1

Flag 2 Flag 2

Answer : Flag{I-hacked-you}

2 hack tools focused on passwords were found in the system. What are the names of these tools? (alphabetical order)

I used the keyword search to solve this one. Searching for common used tools like wdigest, mimikatz, lazagne etc…

Lazagne and mimikatz was found on the machine :

Lazagne Lazagne

Mimikatz Mimikatz

Answer : lazagne,mimikatz

There is a YARA file on the computer. Inspect the file. What is the name of the author?

Searched for “.yar” keyword and found a shortcut to a file on H4S4N desktop.

Yara file Yara file

So i moved there and found a zip mimikatz_trunk. Extracted this one and unzipped it then it contain a yara file :

Author Author

Answer : Benjamin DELPY (gentilkiwi)

One of the users wanted to exploit a domain controller with an MS-NRPC based exploit. What is the filename of the archive that you found? (include the spaces in your answer)

When i checked the “recent document” from extracted content i found a interesting “zerologon” name :

zerologon zerologon

Answer : 2.2.0 20200918 Zerologon encrypted.zip

This post is licensed under CC BY 4.0 by the author.