3f08c518adb3b5c1359849657a9b2079
This is found by clicking on HASAN2.E01 under data sources and navigating to the Summary > Container tab
DESKTOP-0R59DJ3
Navigate to Operating System Information under Results > Extracted Content.
H4S4N, joshwa, keshav, sandhya, shreya, sivapriya, srini, suba
This is found under Operating System User Account. Look at the path of each account: the ones whose path is under C:\Users\ are your answer.
sivapriya
Same place as the last question
192.168.130.216
We have seen that Look@Lan has been installed on the computer (the installer is in H4S4N's Downloads). As this is a network monitoring tool, it may provide us with some IP information, and checking the registry where IP addresses are stored resulted in nothing. We can look at irunin.ini, which is a configuration file, and see if there is anything in there.
08-00-27-2c-c4-b9
We can find the MAC address in the same file under LANNIC. Checking the registry where the NIC MAC address would be also resulted in nothing for this instance.
Intel(R) PRO/1000 MT Desktop Adapter
This can be found in the registry at C:\WINDOWS\system32\config\software\Microsoft\Windows NT\CurrentVersion\NetworkCards\
To find this we need to navigate to C:\Windows\System32\Config. Once we are in there we can find the registry hive files. As ours is Software, we click on that one, which will populate the Application tab. Afterwards we just continue to the registry key path pasted above.
look@lan
I stumbled upon this one by accident. It is found under H4S4N's Downloads folder. There is an executable called lalsetup250.exe so I looked it up and found out it was a network monitoring tool.
12°52'23.0"N 80°13'25.0"E
Found under the web bookmarks tab
anto joshwa
I went into recent documents and looked through who had accessed an image file, then went to that directory and loaded the image.
flag{HarleyQuinnForQueen}
Because we know she changed it using PowerShell, we can check whether the PowerShell history file exists. This is located at %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
As we can see, this file provides us with exactly what we needed.
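The same check can be run over every profile at once when the Users folder has been exported from the image. The Python below is an added example, not part of the original write-up; the command patterns, the function names and the sample history content are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Per-profile location of the PSReadLine history, as given in the write-up.
HISTORY_REL = "AppData/Roaming/Microsoft/Windows/PowerShell/PSReadline/ConsoleHost_history.txt"
# Assumed triage patterns for account or password changes; extend as needed.
ACCOUNT_CHANGE = re.compile(
    r"\bnet1?(\.exe)?\s+user\b|\b(Set|New)-LocalUser\b|\bSet-ADAccountPassword\b", re.I)

def find_histories(users_root):
    """Yield (user, path) per history file. Matching is case-insensitive because an
    export onto a case-sensitive filesystem may keep 'PSReadLine' or 'PSReadline'."""
    for profile in sorted(p for p in Path(users_root).iterdir() if p.is_dir()):
        for f in profile.rglob("*"):
            rel = f.relative_to(profile).as_posix().lower()
            if f.is_file() and rel == HISTORY_REL.lower():
                yield profile.name, f

def read_commands(path):
    """Return the commands in one history file. PSReadLine stores a multi-line
    command with a backtick before each embedded newline, so those are rejoined."""
    text = path.read_bytes().decode("utf-8-sig", errors="replace").replace("\r\n", "\n")
    entries = re.split(r"(?<!`)\n", text)  # newline after a backtick continues the entry
    return [e.replace("`\n", "\n") for e in entries if e.strip()]

def account_changes(users_root):
    """Return (user, command_number, command) for commands that touch accounts."""
    return [(user, i, cmd)
            for user, path in find_histories(users_root)
            for i, cmd in enumerate(read_commands(path), 1)
            if ACCOUNT_CHANGE.search(cmd)]

def demo():
    """Build a constructed Users tree (not data from the image) and triage it."""
    samples = [
        ("userA", "PSReadline", 'whoami\nnet user userA "Constructed-Pass1"\n'),
        ("userB", "PSReadLine",
         "Get-Process |`\n  Sort-Object CPU\nSet-LocalUser -Name userB `\n  -Password $p\n"),
    ]
    with tempfile.TemporaryDirectory() as tmp:
        for user, folder, body in samples:
            d = Path(tmp, user, "AppData/Roaming/Microsoft/Windows/PowerShell", folder)
            d.mkdir(parents=True)
            (d / "ConsoleHost_history.txt").write_text(body, encoding="utf-8")
        return account_changes(tmp)

if __name__ == "__main__":
    print(demo())
```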
flag{i-hacked-you}
Because we know that same user has found an exploit, we can start looking around on their computer. If we navigate to their desktop we can find a suspicious file called exploit.ps1. Upon opening the script we can find the message.
lazagne, mimikatz
To find this we need to navigate to /img_HASAN2.E01/vol_vol3/ProgramData/Microsoft/Windows/Windows Defender/Scans/History/Service/DetectionHistory/
We can start looking through the files. Multiple malicious files have been detected, so we will need to do some searching on what those files are.
benjamin delpy gentilkiwi
As we know mimikatz is on H4S4N's Desktop, we can navigate there and look at the contents of the zip file. Here we can find the kiwi_password.yar file. Look at the text in the document and we can get the answer.
2.2.0 20200918 Zerologon encrypted.zip
Upon searching what an MS-NRPC based exploit is I found out that it is called ZeroLogon. I remember seeing this file through my searches so I went back to Recent Documents and found it in there.