CSAW 2009 Prelims


7/27/2019 CSAW 2009 Prelims

CSAW 2009 High School Forensics Challenge

Qualifying Round Solutions

Efstratios [email protected]

Storyline

The NYU-Poly Police (NPP) needs your help to solve a murder. After responding to reports of screaming in the area, the NPP discovered Johnny Muzic dead in his office. Johnny Muzic was the executive at the newly-founded NYU-Poly ISIS Records, and has been seen hanging out with known criminals.

Our investigation revealed that the company was about to release a new album by rock star Taylor Shift. During questioning, Taylor told the NPP that Johnny had the latest cut of her new album, but we did not find the album anywhere in the office. Additionally, she told the NPP she believes Johnny and his business partner, Vikram Rekorder, had been arguing over her new role in the company.

Vikram cannot be found and is wanted for questioning. Vikram's aide, Efstratios Gavas, was questioned, but only produced some network data.

He knew nothing else. The network data was taken from two separate machines. Therefore, the two times are not synchronized and the relative time between the two is off. However, both datasets are from October 14.

Additional Evidence

The NPP has discovered a Twitter account which is associated with Mr. Muzic (http://twitter.com/jmuzic09). The NPP believes this is important new evidence and should be considered in your final report.

Executive Summary of Challenge

Through the course of the investigation, the team should have discovered that Vikram was not the killer, but actually had been kidnapped. This was discovered by uncovering the following message steganographically hidden in an online image:

This is Vikram. I have been abducted by some NYU Poly CSAW thugs.

Please contact the authorities. I dont know if I will be able to

communicate again.


Related Links

http://www.poly.edu/csaw-forensics

http://www.poly.edu/csaw-forensics#faq

Challenge Solutions

1. Acquire jmuzic account password

Description: Use a password-cracking tool to recover the jmuzic account password. The password is muzic.

Difficulty: Medium

2. Gain access to the jmuzic account

Description: Reset the password to gain access to the jmuzic account.

Difficulty: Easy

3. Identify msf.pdf as exploited pdf

Description: Identify the msf.pdf file as an exploit PDF that opens a listener port when viewed.

Difficulty: Medium
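A document that does something the moment it is opened normally announces itself in its own structure: an /OpenAction or /AA entry that fires on open, pointing at /JavaScript, /Launch or an embedded file, often with the name hex-escaped (/J#53 for /JS) or the payload hidden inside a FlateDecode stream. The triage script below is an added example, not part of the CSAW solutions or any real tool; it inflates every stream it can, resolves name escapes, counts those indicator names and returns a verdict. The two PDFs it scans are constructed inline (the "malicious" one only pops an alert), and msf.pdf itself is not reproduced here.

```python
import re
import zlib

# PDF name objects of interest: the first two fire automatically when the
# document is opened, the rest name the kind of active content they point at.
TRIGGER_NAMES = (b"/OpenAction", b"/AA")
PAYLOAD_NAMES = (b"/JavaScript", b"/JS", b"/Launch", b"/EmbeddedFile", b"/RichMedia")


def _unescape_names(chunk: bytes) -> bytes:
    """Resolve #XX hex escapes so an obfuscated /J#53 is seen as /JS."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), chunk)


def _inflated_streams(data: bytes):
    """Yield the decompressed body of every stream that inflates cleanly."""
    for m in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", data, re.S):
        try:
            yield zlib.decompress(m.group(1))
        except zlib.error:
            continue  # not FlateDecode (or damaged); the raw file is scanned anyway


def scan_pdf(data: bytes) -> dict:
    """Count indicator names in the raw file and inside inflated streams."""
    hits = {}
    for chunk in [data, *_inflated_streams(data)]:
        chunk = _unescape_names(chunk)
        for name in TRIGGER_NAMES + PAYLOAD_NAMES:
            # the lookahead keeps /JS from matching a longer name such as /JSX
            n = len(re.findall(re.escape(name) + rb"(?![A-Za-z0-9])", chunk))
            if n:
                hits[name.decode()] = hits.get(name.decode(), 0) + n
    return hits


def verdict(hits: dict) -> str:
    """Summarise the hit table the way a first-pass triage note would."""
    triggers = {n.decode() for n in TRIGGER_NAMES} & hits.keys()
    payloads = {n.decode() for n in PAYLOAD_NAMES} & hits.keys()
    if triggers and payloads:
        return "auto-executing"      # runs active content as soon as it is opened
    if payloads:
        return "active content"      # needs a click or an event to run
    if triggers:
        return "auto-action only"    # e.g. jumps to a page on open
    return "no indicators"


# --- constructed sample documents (not msf.pdf) ---------------------------
def _pdf(objects, root="1 0 R") -> bytes:
    parts = [b"%PDF-1.4\n"]
    for i, body in enumerate(objects, 1):
        parts.append(b"%d 0 obj\n" % i + body + b"\nendobj\n")
    parts.append(b"trailer\n<< /Root " + root.encode() + b" >>\n%%EOF\n")
    return b"".join(parts)


def _stream(dict_entries: bytes, payload: bytes) -> bytes:
    z = zlib.compress(payload)
    head = b"<< /Length %d /Filter /FlateDecode %s >>\nstream\n" % (len(z), dict_entries)
    return head + z + b"\nendstream"


MALICIOUS_PDF = _pdf([
    b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>",
    b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
    b"<< /Type /Page /Parent 2 0 R >>",
    b"<< /S /JavaScript /J#53 5 0 R >>",   # /J#53 is an escaped /JS
    _stream(b"", b"app.alert('constructed sample, harmless');"),
])
BENIGN_PDF = _pdf([
    b"<< /Type /Catalog /Pages 2 0 R >>",
    b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
    b"<< /Type /Page /Parent 2 0 R /Contents 4 0 R >>",
    _stream(b"", b"BT /F1 12 Tf (Hello) Tj ET"),
])

if __name__ == "__main__":
    for label, doc in (("malicious", MALICIOUS_PDF), ("benign", BENIGN_PDF)):
        h = scan_pdf(doc)
        print(label, h, "->", verdict(h))
```

A hit on /OpenAction together with /JavaScript or /JS is the combination that matters for item 3: the document does not wait for the user. Absence of hits is not proof of safety (other filters, object streams and encrypted documents all hide names from this kind of scan), so treat "no indicators" as "nothing obvious".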

4. Discover isis.poly.edu/~vrekorder

Description: Using jmuzic's history file, observe the download of enlight.tgz and discover vrekorder's public website at isis.poly.edu/~vrekorder.

Difficulty: Medium

5. Discover isis.poly.edu/~vrekorder

Description: Using jmuzic's history file, observe the download of enlight.tgz and discover vrekorder's public website at isis.poly.edu/~vrekorder.

Difficulty: Medium

6. Discover Facebook pages, and parkinglot image

Description: Using jmuzic's history file, observe the download of enlight.tgz and discover vrekorder's public website at isis.poly.edu/~vrekorder. Discover the Facebook pages and the parkinglot image.

Difficulty: Medium

7. Find added ssh authorized key for jmuzic account

Description: Find the authorized key that allows remote access to the jmuzic account without a password.

Difficulty: Medium

8. Extract enlight.tgz file

Description: Extract the enlight.tgz archive.

Difficulty: Easy


9. Identify run null exploit.sh used in privilege escalation

Description: Identify the exploit code in the enlight.tgz archive that allows local root privilege escalation.

Difficulty: Medium

10. Find added ssh authorized key for root account

Description: Find the authorized key that allows remote access to the root account without a password.

Difficulty: Medium
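Items 7 and 10 are the same check applied to two files: an authorized_keys entry that the account owner never installed gives password-less login, and in /root/.ssh it gives password-less root. The script below is an added example, not part of the CSAW solutions or of OpenSSH; it parses the format sshd accepts (optional options, key type, base64 blob, comment), computes the SHA256 fingerprint in the form ssh-keygen -lf prints, and reports every key missing from a baseline allowlist, rating anything in root's file as high severity. The file contents, the key blobs and the allowlist are constructed for the example; the blobs have the ed25519 wire layout but are not real keys.

```python
import base64
import hashlib
import struct
from dataclasses import dataclass

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ssh-dss",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
             "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com")


def fingerprint_of(key_b64: str) -> str:
    """SHA256 fingerprint of a base64 key blob, as ssh-keygen -lf prints it."""
    try:
        blob = base64.b64decode(key_b64, validate=True)
    except ValueError:
        return ""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


@dataclass
class AuthorizedKey:
    path: str
    lineno: int
    options: str     # e.g. from="10.0.0.0/8",no-pty ; empty when absent
    key_type: str    # "INVALID" for lines sshd would not accept
    key_b64: str
    comment: str

    def fingerprint(self) -> str:
        return "" if self.key_type == "INVALID" else fingerprint_of(self.key_b64)


def _split_options(line: str):
    """Split leading options from the key; commas/spaces inside quotes belong to the option."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            return line[:i], line[i:].lstrip()
    return line, ""


def parse_authorized_keys(path: str, text: str) -> list:
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                                   # sshd ignores blank and comment lines
        options = ""
        if not line.startswith(KEY_TYPES):
            options, line = _split_options(line)       # options precede the key type
        parts = line.split(None, 2)
        if len(parts) < 2 or parts[0] not in KEY_TYPES:
            entries.append(AuthorizedKey(path, lineno, options, "INVALID", "", raw))
            continue
        comment = parts[2] if len(parts) == 3 else ""
        entries.append(AuthorizedKey(path, lineno, options, parts[0], parts[1], comment))
    return entries


def audit(files: dict, allowed_fingerprints: set) -> list:
    """Report every key that is not in the baseline; root's file is high severity."""
    findings = []
    for path, text in files.items():
        for entry in parse_authorized_keys(path, text):
            fp = entry.fingerprint()
            if fp and fp in allowed_fingerprints:
                continue
            findings.append({
                "path": path, "line": entry.lineno, "fingerprint": fp,
                "severity": "high" if path.startswith("/root/") else "medium",
                "reason": ("unparseable entry" if entry.key_type == "INVALID"
                           else "key not in baseline; grants password-less login"),
            })
    return findings


# --- constructed sample data (not the challenge image) --------------------
def _fake_key_blob(seed: bytes) -> str:
    """Blob with the ssh-ed25519 wire layout (string type, string key); not a real key."""
    pub = hashlib.sha256(seed).digest()               # 32 bytes standing in for a public key
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + pub
    return base64.b64encode(blob).decode()


KEY_JMUZIC = _fake_key_blob(b"jmuzic-laptop")
KEY_UNKNOWN = _fake_key_blob(b"not-in-baseline")
SAMPLE_FILES = {
    "/home/jmuzic/.ssh/authorized_keys":
        "# keys jmuzic installed himself\n"
        "ssh-ed25519 " + KEY_JMUZIC + " jmuzic@laptop\n"
        'from="10.0.0.0/8",no-pty ssh-ed25519 ' + KEY_UNKNOWN + " unknown\n",
    "/root/.ssh/authorized_keys":
        "ssh-ed25519 " + KEY_UNKNOWN + " unknown\n",
}
ALLOWED = {fingerprint_of(KEY_JMUZIC)}               # baseline: the one key jmuzic is known to use

if __name__ == "__main__":
    for f in audit(SAMPLE_FILES, ALLOWED):
        print(f"{f['severity']:6} {f['path']}:{f['line']} {f['fingerprint']} {f['reason']}")
```

On a live system the baseline would come from the user's own key inventory or configuration management, and the same key turning up in both a user's file and root's (as in the sample) is exactly the pattern items 7 and 10 describe: one foothold, then the same key re-used after privilege escalation.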

11. Find .lkl directory

Description: Using root's history file, find the .lkl directory in the /root directory.

Difficulty: Easy

12. Identify lkl keylogger

Description: Identify the contents of the /root/.lkl directory as a keylogger.

Difficulty: Medium

13. Decrypt taylor.tc, discover contract and songs

Description: Decrypt /home/jmuzic/taylor.tc using TrueCrypt and the password from the Twitter message. The password is TAYLOR. Discover the contract and songs.

Difficulty: Medium

14. Decrypt jmuzic.tc, discover gambling spreadsheets

Description: Decrypt /home/jmuzic/taylor.tc using TrueCrypt and the password from the Twitter message. The password is thisisagoodpassword. Discover the gambling spreadsheets, including account information on sheet2 of Game2.ods.

Difficulty: Medium

15. Discover isis.poly.edu/~vrekorder/picture/ directory

Description: From packet #1223 in the pcap.evening evidence file, discover the hidden directory isis.poly.edu/~vrekorder/picture/.

Difficulty: Medium

16. Discover isis.poly.edu/~vrekorder/picture/ directory

Description: From packet #1223 in the pcap.evening evidence file, discover the hidden directory isis.poly.edu/~vrekorder/picture/.

Difficulty: Medium

17. Observe successful brute force on vrekorder account

Description: From the pcap.morning evidence file, discover the successful brute-force attack on the vrekorder account.

Difficulty: Medium
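In a capture, a password-guessing run against a login service looks like a long series of short connections from one source to one port, and the guess that worked is the one connection that stays open and carries far more data than the rest. The code below is an added example, not part of the CSAW solutions; it reads the classic libpcap file format with only the standard library, reconstructs TCP flows by 4-tuple, and flags a source with many short flows to port 22 plus one outlier flow. The heuristic (an outlier carrying more than `ratio` times the median bytes of the other flows) is my assumption, not the method the solutions used, and the capture it reads is constructed in memory with only the client side of each connection; pcap.morning is not reproduced here.

```python
import socket
import statistics
import struct
from collections import defaultdict


def tcp_flows(pcap_bytes: bytes) -> dict:
    """Return {(src, dst, sport, dport): [first_ts, last_ts, payload_bytes]} from a pcap."""
    flows = {}
    off = 24                                             # skip the pcap global header
    while off + 16 <= len(pcap_bytes):
        sec, usec, caplen, _ = struct.unpack_from("<IIII", pcap_bytes, off)
        off += 16
        pkt = pcap_bytes[off:off + caplen]
        off += caplen
        if len(pkt) < 14 + 20 + 20 or pkt[12:14] != b"\x08\x00":
            continue                                     # not IPv4 over Ethernet
        ihl = (pkt[14] & 0x0F) * 4
        if pkt[14 + 9] != 6:
            continue                                     # not TCP
        total_len = struct.unpack_from(">H", pkt, 16)[0]
        src, dst = socket.inet_ntoa(pkt[26:30]), socket.inet_ntoa(pkt[30:34])
        t = 14 + ihl
        sport, dport = struct.unpack_from(">HH", pkt, t)
        doff = (pkt[t + 12] >> 4) * 4
        ts = sec + usec / 1e6
        f = flows.setdefault((src, dst, sport, dport), [ts, ts, 0])
        f[1] = ts
        f[2] += max(total_len - ihl - doff, 0)           # TCP payload bytes in this segment
    return flows


def find_bruteforce(flows: dict, port: int = 22, min_flows: int = 10, ratio: float = 5.0) -> list:
    """Flag (src, dst) pairs with many flows to `port`; an outlier flow is the likely success."""
    by_pair = defaultdict(list)
    for (src, dst, sport, dport), (t0, t1, nbytes) in flows.items():
        if dport == port:
            by_pair[(src, dst)].append((t0, t1 - t0, nbytes))
    findings = []
    for (src, dst), sessions in by_pair.items():
        if len(sessions) < min_flows:
            continue
        sizes = sorted(n for _, _, n in sessions)
        baseline = statistics.median(sizes[:-1])         # typical size of a rejected attempt
        outliers = [s for s in sessions if s[2] > ratio * baseline]
        findings.append({
            "src": src, "dst": dst, "flows": len(sessions),
            "success_start": min(outliers)[0] if outliers else None,
            "success_bytes": max(s[2] for s in outliers) if outliers else 0,
        })
    return findings


# --- constructed capture: 20 short attempts, then one long session --------
def _packet(src: bytes, dst: bytes, sport: int, dport: int, flags: int, payload: bytes = b"") -> bytes:
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0, src, dst)
    tcp = struct.pack(">HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return eth + ip + tcp + payload                      # checksums left zero; not validated


def _pcap(records) -> bytes:
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]   # link type 1 = Ethernet
    for ts, pkt in records:
        sec, usec = int(ts), int((ts - int(ts)) * 1e6)
        out.append(struct.pack("<IIII", sec, usec, len(pkt), len(pkt)) + pkt)
    return b"".join(out)


def build_sample_pcap() -> bytes:
    atk, srv = socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.5")
    recs = []
    for i in range(20):                                  # one failed-looking attempt per second
        t, sp = 100.0 + i, 40000 + i
        recs += [(t, _packet(atk, srv, sp, 22, 0x02)),                  # SYN
                 (t + 0.2, _packet(atk, srv, sp, 22, 0x18, b"A" * 200)),  # PSH/ACK, auth exchange
                 (t + 0.4, _packet(atk, srv, sp, 22, 0x11))]            # FIN/ACK, rejected
    for k in range(3):                                   # the session that stays up and moves data
        recs.append((130.0 + 30 * k, _packet(atk, srv, 40100, 22, 0x18, b"B" * 2000)))
    return _pcap(recs)


SAMPLE_PCAP = build_sample_pcap()

if __name__ == "__main__":
    for f in find_bruteforce(tcp_flows(SAMPLE_PCAP)):
        print(f)
```

The flow that starts at the reported `success_start` is where to look for the account name and what was done next; on real traffic, pair this with the server's auth log, since a long flow can also be a legitimate session that happens to follow a burst of failures.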


18. Gain access to isis.poly.edu/~vrekorder/picture/ directory

Description: Gain access to the isis.poly.edu/~vrekorder/picture/ directory using information gathered from the Facebook pages. UID:vrekorder PWD:parkinglot

Difficulty: Hard

19. Extract hidden message from isis.poly.edu/~vrekorder/picture/2009-10-1415.21.22.jpg

Description: Extract the hidden message from the isis.poly.edu/~vrekorder/picture/2009-10-1415.21.22.jpg file using information previously gathered. PWD:parkinglot

The message is as follows:

This is Vikram. I have been abducted by some NYU Poly CSAW thugs.

Please contact the authorities. I dont know if I will be able to

communicate again.

VR

Difficulty: Hard
