TryHackMe || Advent of Cyber 2023 Day 8: Have a Holly, Jolly Byte! || WalkThrough
Today’s task covers ‘Digital Forensics’. The backdrop: McGreedy, a grumpy regional manager, secretly plans sabotage together with her sidekick, using USB drives loaded with malware. An employee finds one of them in the parking lot and plugs it into her office laptop, inadvertently unleashing the digital disaster crafted by the vengeful McGreedy.
But McGreedy’s sidekick felt guilty and emailed McSkidy about it. Now we will find evidence to prove McGreedy guilty.
We will use the FTK Imager tool to find evidence of this cybercrime against McGreedy.
We will start the machine by clicking Start Machine. When the machine boots up, click on ‘FTK Imager’ and wait a few seconds. When FTK Imager opens, click File > Add Evidence Item > Physical Drive and then select ‘\\PHYSICALDRIVE2 — Microsoft Virtual Disk [1GB SCSI]’ from the dropdown box. To verify the drive, click File > Verify Drive/Image, and the app will start verifying the USB drive.
What is the malware C2 server?
Hint: Double-click the ‘DO_NOT_OPEN’ folder, then double-click the ‘secretchat.txt’ file. The bottom-right pane shows the file’s contents, and that is where you will find the answer.
Answer: mcgreedysecretc2.thm
What is the file inside the deleted zip archive?
Hint: Double-click the ‘DO_NOT_OPEN’ folder, then double-click the ‘JuicyTomaTOY.zip’ file. The bottom-left pane lists the file inside the archive.
Answer: JuicyTomaTOY.exe
What flag is hidden in one of the deleted PNG files?
Hint: Select the physical drive and switch to Hex preview mode (bottom right). Click inside the Hex preview, press Ctrl + F, and search for ‘THM{’; the match gives you the answer.
Answer: THM{byt3-L3vel_@n4Lys15}
What is the SHA1 hash of the physical drive and forensic image?
Hint: To verify the drive, click File > Verify Drive/Image; the app will start verifying the USB drive. A dialog box then appears containing the SHA1 value for the image.
Answer: 39f2dea6ffb43bf80d80f19d122076b3682773c2
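The two checks above (hashing the image and searching raw bytes for a flag inside a deleted PNG) can also be scripted. The following is an added example and not part of the TryHackMe room or FTK Imager; it builds a constructed 64 KiB sample image containing a PNG with no directory entry, then hashes it, carves the PNG by its signature and searches it for a ‘THM{’ flag the same way the Ctrl + F hex search does.

```python
import hashlib
import re
import struct
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

def sha1_of_image(data: bytes, chunk: int = 1 << 20) -> str:
    """Hash a raw image in chunks; this is the value Verify Drive/Image reports."""
    h = hashlib.sha1()
    for off in range(0, len(data), chunk):
        h.update(data[off:off + chunk])
    return h.hexdigest()

def find_flags(data: bytes, pattern: bytes = rb"THM\{[^}\x00]{1,80}\}") -> list:
    """Byte-level search for flag strings anywhere on the image, allocated or not."""
    return [(m.start(), m.group().decode("ascii")) for m in re.finditer(pattern, data)]

def carve_pngs(data: bytes) -> list:
    """Return (offset, bytes) of every PNG whose signature and IEND chunk survive."""
    found, pos = [], 0
    while (start := data.find(PNG_MAGIC, pos)) >= 0:
        end = data.find(b"IEND", start)
        if end < 0:
            break
        end += 8          # 'IEND' tag plus its 4-byte CRC
        found.append((start, data[start:end]))
        pos = end
    return found

def _chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def build_sample_image(flag: str = "THM{constructed_sample_flag}") -> bytes:
    """Constructed 64 KiB image: a 1x1 PNG (flag in a tEXt chunk) at 0x3000, no directory entry."""
    png = (PNG_MAGIC
           + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
           + _chunk(b"tEXt", b"Comment\x00" + flag.encode())
           + _chunk(b"IDAT", zlib.compress(b"\x00\x00"))
           + _chunk(b"IEND", b""))
    img = bytearray(64 * 1024)
    img[0x3000:0x3000 + len(png)] = png
    return bytes(img)

if __name__ == "__main__":
    image = build_sample_image()
    print("SHA1:", sha1_of_image(image))
    for off, png in carve_pngs(image):
        print(f"PNG at 0x{off:x}, {len(png)} bytes, flags: {find_flags(png)}")
```

To run it against a real acquisition, replace `build_sample_image()` with the bytes of an exported raw (dd) image; the SHA1 should match the value FTK Imager shows in its verification dialog.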
If you find this blog helpful, follow me on LinkedIn: https://www.linkedin.com/in/-prashantkumar07/
Happy Learning