
Solving CorporateSecrets Challenge with ArtiFast Windows

27/10/2021 Wednesday

In this blog post, we will be solving a challenge designed by Cyber Defenders. Below is the solution to the challenge, solved using ArtiFast Windows.

Artifacts Covered in this Challenge:


Q&As:

- What is the current build number on the system?


The answer can be found in the System Information artifact under the Registry category. The OS's build number is 16299.


- How many users are there?


The answer can be found in the User Accounts artifact under the Registry category. The total number of users is 6.


- What is the CRC64 hash of the file "fruit_apricot.jpg"?


To find "fruit_apricot.jpg", navigate to Known Files, Graphic Files and select jpg. After that, you can search for "fruit_apricot.jpg" within the displayed entries by typing into the search bar above the workspace or, for a more detailed search, by clicking the Timeline Filtering Panel button to the left of the search bar. After filtering the results, right click on the image and select View Source.



Then, right click on the source file and select Export Checked File(s)(Zipped).



To get the CRC64 hash of the file, upload the extracted image to Toolkit Bay or any similar website. As seen in the figure below, the hash of the file is ED865AA6DFD756BF.


- What is the logical size of the file "strawberry.jpg" in bytes?


Similar to the previous question, navigate to Known Files, Graphic Files and select jpg. Then, use the search bar or the Timeline Filtering Panel button to find “strawberry.jpg”. As seen in the figure below, the logical size of the file is 72448 bytes.


- Which user has a photo of a dog in their recycling bin?


The answer can be found in the Windows Recycle Bin artifact under the OS category. The user is hansel.paricot.


- What is the name of the device?


The answer can be found in the Computer Name artifact under the Registry category. The device name is DESKTOP-3A4NLVQ.


- How many web browsers are present?


There are 5 web browsers. As seen in the figure below, ArtiFast parsed artifacts from Chrome, Edge, Firefox and Internet Explorer. In addition, as indicated by the UserAssist artifact, the user has used Tor Browser as well.


- What was the role of the employee Tim was flirting with?


The answer can be found in the Firefox History artifact under the Web Activity category. As seen in the figure below, the user searched “Is it ok to flirt with my secretary”.


- What is the SID of the user "suzy.strawberry"?


The answer can be found in the Profiles List artifact under the Registry category. The SID of the user "suzy.strawberry" is 1004.


- List the file path for the install location of the Tor Browser.


The answer can be found in the AmCache Application Files artifact under the Registry category. The path is C:\Program1.


- What was the URL for the Youtube video watched by Jim?


The answer can be found in the Chrome History artifact under the OS category. The URL of the Youtube video is https://www.youtube.com/watch?v=Y-CsIqTFEyY.


- Which user installed LibreCAD on the system?


The answer can be found in the AmCache Application Files artifact. The user miriam.grapes installed LibreCAD on the system.


- How many times "admin" logged into the system?


The answer can be found in the User Accounts artifact. As can be seen in the figure below, the admin logged into the system 10 times.


- What is the name of the DHCP domain the device was connected to?


The answer can be found in the Wireless Networks artifact under the Registry category. The name of the DHCP domain is fruitin.xyz.


- How many times did Jim launch the Tor Browser?


The answer can be found in the UserAssist artifact under the Registry category. Jim launched the Tor Browser 2 times.
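To show what sits behind the run count that the UserAssist artifact reports, here is an added example (not part of the original post and not ArtiFast's code) that decodes one UserAssist value as stored on Windows 7 and later: the value name is ROT13-encoded, and the 72-byte data holds the run count at offset 4 and the last-run FILETIME at offset 60. The path, counts and timestamp are constructed sample data, and `parse_userassist` and `build_sample` are hypothetical helper names.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

ENTRY_SIZE = 72  # size of a UserAssist value on Windows 7 and later
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(filetime):
    """Convert a FILETIME (100 ns ticks since 1601-01-01 UTC) to datetime."""
    if filetime == 0:
        return None  # entry carries no last-run timestamp
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def parse_userassist(value_name, data):
    """Decode one UserAssist Count value (ROT13 name + 72-byte record)."""
    if len(data) != ENTRY_SIZE:
        raise ValueError(f"expected {ENTRY_SIZE} bytes, got {len(data)}")
    # Offsets 4, 8, 12: run count, focus count, focus time in milliseconds.
    run_count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
    # Offset 60: last execution time as a 64-bit FILETIME.
    (last_run,) = struct.unpack_from("<Q", data, 60)
    return {
        "name": codecs.decode(value_name, "rot_13"),
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_seconds": focus_ms / 1000,
        "last_run_utc": filetime_to_utc(last_run),
    }


def build_sample():
    """Constructed sample entry (not taken from the challenge image)."""
    name = codecs.encode(r"C:\Tools\ExampleBrowser\browser.exe", "rot_13")
    when = datetime(2021, 1, 2, 3, 4, 5, tzinfo=timezone.utc)
    ticks = int((when - FILETIME_EPOCH).total_seconds()) * 10**7
    data = bytearray(ENTRY_SIZE)
    struct.pack_into("<III", data, 4, 2, 3, 45000)
    struct.pack_into("<Q", data, 60, ticks)
    return name, bytes(data)


if __name__ == "__main__":
    print(parse_userassist(*build_sample()))
```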


- When was the last time a docx file was opened on the device?


The answer can be found in the RecentDocs MRU artifact under the Registry category. The last time a docx file was opened was 2020-04-11 23:23:36.


- Tim wanted to fire an employee because they were ......?(Be careful what you wish for)


The answer can be found in the Chrome History artifact under the Web Activity category. As seen in the figure below, Tim searched “how do I nicely fire my stinky employee”.


- Which Firefox prefetch file has the most runtimes?


The answer can be found in the Prefetch artifact under the OS category. FIREFOX.EXE-A606B53C.pf has the most runtimes.