7/27/2019 CSAW 2009 Prelims
CSAW 2009 High School Forensics Challenge
Qualifying Round Solutions
Efstratios [email protected]
Storyline
The NYU-Poly Police (NPP) needs your help to solve a murder. After responding to reports of screaming in the area, the NPP discovered Johnny Muzic dead in his office. Johnny Muzic was the executive at the newly-founded NYU-Poly ISIS Records, and had been seen hanging out with known criminals.
Our investigation revealed that the company was about to release a new album by rock star Taylor Shift. During questioning, Taylor told the NPP that Johnny had the latest cut of her new album, but we did not find the album anywhere in the office. Additionally, she told the NPP she believes Johnny and his business partner, Vikram Rekorder, had been arguing over her new role in the company.
Vikram cannot be found, and is wanted for questioning. Vikram's aide, Efstratios Gavas, was questioned, but only produced some network data.
He knew nothing else. The network data was taken from two separate machines. Therefore, the two clocks are not synchronized and the relative time between the two captures is off. However, both datasets are from October 14.
Additional Evidence
The NPP has discovered a Twitter account which is associated with Mr. Muzic (http://twitter.com/jmuzic09). The NPP believes this is important new evidence and should be considered in your final report.
Executive Summary of Challenge
Through the course of the investigation, the team should have discovered that Vikram was not the killer, but had actually been kidnapped. This was discovered by uncovering the following message steganographically hidden in an online image:
This is Vikram. I have been abducted by some NYU Poly CSAW thugs.
Please contact the authorities. I dont know if I will be able to
communicate again.
Related Links
http://www.poly.edu/csaw-forensics
http://www.poly.edu/csaw-forensics#faq
Challenge Solutions
1. Acquire jmuzic account password
Description: Use a password cracking tool to recover the jmuzic account password. The password is muzic.
Difficulty: Medium
2. Gain access to the jmuzic account
Description: Reset password to gain access to the jmuzic account.
Difficulty: Easy
3. Identify msf.pdf as exploited pdf
Description: Identify the msf.pdf file as an exploited PDF that opens a listener port when viewed.
Difficulty: Medium
4. Discover isis.poly.edu/~vrekorder
Description: Using jmuzic's history file, observe the download of enlight.tgz to discover vrekorder's public website at isis.poly.edu/~vrekorder.
Difficulty: Medium
5. Discover isis.poly.edu/~vrekorder
Description: Using jmuzic's history file, observe the download of enlight.tgz to discover vrekorder's public website at isis.poly.edu/~vrekorder.
Difficulty: Medium
6. Discover Facebook pages, and parkinglot image
Description: Using jmuzic's history file, observe the download of enlight.tgz to discover vrekorder's public website at isis.poly.edu/~vrekorder. Discover the Facebook pages and the parkinglot image.
Difficulty: Medium
7. Find added ssh authorized key for jmuzic account
Description: Find the authorized key that allows remote access to the jmuzic account without a password.
Difficulty: Medium
8. Extract enlight.tgz file
Description: Extract the enlight.tgz.
Difficulty: Easy
9. Identify run null exploit.sh used in privilege escalation
Description: Identify the exploit code from the enlight.tgz file which allows local root privilege escalation.
Difficulty: Medium
10. Find added ssh authorized key for root account
Description: Find the authorized key that allows remote access to the root account without a password.
Difficulty: Medium
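Steps 7 and 10 both come down to spotting a key that does not belong in an authorized_keys file. As an added example that is not part of the original write-up, the Python below parses authorized_keys lines (including any leading options), computes the OpenSSH-style SHA256 fingerprint of each key, and reports every key absent from a baseline of known fingerprints; the sample file contents, the key blobs and the baseline are all constructed.

```python
import base64
import hashlib
import struct
from typing import NamedTuple

KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

Entry = NamedTuple("Entry", [("options", str), ("key_type", str),
                             ("fingerprint", str), ("comment", str)])


def sha256_fingerprint(blob_b64: str) -> str:
    # Same form OpenSSH prints: SHA256:<base64 digest with '=' padding stripped>
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str) -> list:
    entries = []
    for raw in text.splitlines():
        tokens = raw.strip().split()
        if not tokens or tokens[0].startswith("#"):
            continue
        # Options (if any) precede the key type; locate the first key-type token.
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            continue  # malformed line, nothing to fingerprint
        entries.append(Entry(" ".join(tokens[:idx]), tokens[idx],
                             sha256_fingerprint(tokens[idx + 1]),
                             " ".join(tokens[idx + 2:])))
    return entries


def audit(text: str, baseline: set) -> list:
    """Return entries whose fingerprint is absent from the baseline allowlist."""
    return [e for e in parse_authorized_keys(text) if e.fingerprint not in baseline]


def _ed25519_blob(raw32: bytes) -> str:
    # Constructed ssh-ed25519 wire blob: two length-prefixed strings (not a real key).
    pack = lambda s: struct.pack(">I", len(s)) + s
    return base64.b64encode(pack(b"ssh-ed25519") + pack(raw32)).decode()


# Constructed sample standing in for /root/.ssh/authorized_keys after an
# unexpected key was appended; the baseline holds only the admin key.
KNOWN_KEY = _ed25519_blob(bytes(range(32)))
ADDED_KEY = _ed25519_blob(bytes(range(32, 64)))
SAMPLE = (f"# admin key\nssh-ed25519 {KNOWN_KEY} admin@workstation\n"
          f'no-pty,command="/bin/sh" ssh-ed25519 {ADDED_KEY} unknown@remote\n')
BASELINE = {sha256_fingerprint(KNOWN_KEY)}
```

On a live system the same audit would be run over /root/.ssh/authorized_keys and every /home/*/.ssh/authorized_keys, with the baseline taken from a known-good image.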
11. Find .lkl directory
Description: Using root's history file, find the .lkl directory in the /root directory.
Difficulty: Easy
12. Identify lkl keylogger
Description: Identify the contents of the /root/.lkl directory as a keylogger.
Difficulty: Medium
13. Decrypt taylor.tc, discover contract and songs
Description: Decrypt /home/jmuzic/taylor.tc using TrueCrypt and the password from the Twitter message. The password is TAYLOR. Discover the contract and songs.
Difficulty: Medium
14. Decrypt jmuzic.tc, discover gambling spreadsheets
Description: Decrypt /home/jmuzic/taylor.tc using TrueCrypt and the password from the Twitter message. The password is thisisagoodpassword. Discover the gambling spreadsheets, including account information on sheet2 of Game2.ods.
Difficulty: Medium
15. Discover isis.poly.edu~vrekorder/picture/ directory
Description: From packet #1223 in the pcap.evening evidence file, discover the hidden directory isis.poly.edu~vrekorder/picture/.
Difficulty: Medium
16. Discover isis.poly.edu~vrekorder/picture/ directory
Description: From packet #1223 in the pcap.evening evidence file, discover the hidden directory isis.poly.edu~vrekorder/picture/.
Difficulty: Medium
17. Observe successful brute force on vrekorder account
Description: From the pcap.morning evidence file, discover the successful brute force attack on the vrekorder account.
Difficulty: Medium
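The finding in step 17, a run of failed logins for one account followed by a success, is a pattern a detector can pick out once the authentication attempts have been pulled out of the capture. Added example, not part of the original solutions: the attempt records below are constructed stand-ins for what one would extract from pcap.morning (for instance with tshark), and the protocol is left unspecified because the write-up does not name it.

```python
from collections import defaultdict, deque
from typing import NamedTuple


class Attempt(NamedTuple):
    packet: int      # frame number in the capture
    time: float      # seconds since the start of the capture
    user: str
    success: bool


class Finding(NamedTuple):
    user: str
    failures: int
    first_packet: int
    success_packet: int


def detect_brute_force(attempts, max_failures=5, window=60.0):
    """Flag each account where at least max_failures failed logins inside
    `window` seconds are followed by a success: the guess-until-it-works
    pattern that step 17 asks the investigator to recognise."""
    recent = defaultdict(deque)   # user -> failed attempts still in the window
    findings = []
    for a in sorted(attempts, key=lambda x: x.time):
        q = recent[a.user]
        while q and a.time - q[0].time > window:
            q.popleft()           # expire failures older than the window
        if a.success:
            if len(q) >= max_failures:
                findings.append(Finding(a.user, len(q), q[0].packet, a.packet))
            q.clear()             # a success resets the streak either way
        else:
            q.append(a)
    return findings


# Constructed sample standing in for attempts extracted from pcap.morning
# (e.g. with tshark); these are not the challenge's real capture contents.
SAMPLE = [Attempt(100, 0.0, "jmuzic", True)]
SAMPLE += [Attempt(200 + 2 * i, 10.0 + 0.5 * i, "vrekorder", False) for i in range(8)]
SAMPLE.append(Attempt(220, 14.5, "vrekorder", True))
SAMPLE.append(Attempt(300, 120.0, "jmuzic", False))   # a lone typo, not an attack

if __name__ == "__main__":
    for f in detect_brute_force(SAMPLE):
        print(f"{f.user}: {f.failures} failures (frames {f.first_packet}..{f.success_packet})")
```

The frame numbers in each finding point straight back into the capture, which is what a report like step 17 needs to cite.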
18. Gain access to isis.poly.edu~vrekorder/picture/ directory
Description: Gain access to the isis.poly.edu~vrekorder/picture/ directory by using information gathered from the Facebook pages. UID:vrekorder PWD:parkinglot
Difficulty: Hard
19. Extract hidden message from isis.poly.edu~vrekorder/picture/2009-10-1415.21.22.jpg
Description: Extract hidden message from isis.poly.edu~vrekorder/picture/2009-10-1415.21.22.jpg file by using information previously gathered. PWD:parkinglot
The message is as follows:
This is Vikram. I have been abducted by some NYU Poly CSAW thugs.
Please contact the authorities. I dont know if I will be able to
communicate again.
VR
Difficulty: Hard