The given data is a VMware VM image.
We started up the image and found a “flag” file on the Desktop. The task is to find the password of the flag file.
Why do they give a live VM? Is it impossible to solve this task without a Windows environment (e.g. a keylogger)?
We analyzed the MFT, evtx, and tasks, and found the following facts.
\Users\M\Hello.rar exists
flag.7z and Hello.rar were transferred using VMware’s drag-and-drop function
there is no reason to use a keylogger, because flag.7z was encrypted from the start
suspicious description in \Windows\System32\Tasks\Microsoft\Windows\Sharing\UpdateLibary
cmd /c "vssadmin > %userprofile%\m"
according to the UsnJrnl, \Users\M\m was created at some point
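The UpdateLibary task above was found by reading task definitions by hand. As an added example (not from the original write-up), the PowerShell below does that pass over the task XML files offline: it pulls out each task’s author, description and Exec action, and flags cmd wrappers, output redirection, writes under a user profile, and common LOLBins. $TasksRoot is an assumed path to the mounted image’s Tasks folder; the flag heuristics are constructed for this page.

```powershell
# Added example (not from the original write-up): offline triage of
# scheduled-task definitions. Task files are UTF-16 XML without an
# extension; $TasksRoot is an assumption (point it at the mounted image).
param(
    [string]$TasksRoot = 'C:\Windows\System32\Tasks'
)

function Get-TaskTriage {
    param([string]$Root)

    Get-ChildItem -Path $Root -Recurse -File | ForEach-Object {
        try {
            # Task files carry a UTF-16 BOM, which Get-Content honours.
            [xml]$task = Get-Content -Path $_.FullName -Raw -ErrorAction Stop
        } catch {
            return   # not a parseable task XML; skip it
        }

        # PowerShell dot navigation ignores the task-schema namespace.
        $desc   = [string]$task.Task.RegistrationInfo.Description
        $author = [string]$task.Task.RegistrationInfo.Author

        foreach ($exec in @($task.Task.Actions.Exec)) {
            if (-not $exec) { continue }          # ComHandler-only tasks
            $cmd       = [string]$exec.Command
            $arguments = [string]$exec.Arguments
            $line      = "$cmd $arguments".Trim()

            # Constructed heuristics; the task on this page trips all four.
            $flags = @()
            if ($cmd -match '(?i)\bcmd(\.exe)?$' -and $arguments -match '/c') { $flags += 'cmd /c wrapper' }
            if ($line -match '[>|]')                                          { $flags += 'redirection/pipe' }
            if ($line -match '(?i)%userprofile%|\\Users\\')                    { $flags += 'writes under user profile' }
            if ($line -match '(?i)vssadmin|wmic|powershell|certutil|bitsadmin') { $flags += 'LOLBin' }

            [pscustomobject]@{
                TaskPath    = $_.FullName.Replace($Root, '')
                Author      = $author
                Description = $desc
                Action      = $line
                Flags       = ($flags -join '; ')
            }
        }
    }
}

Get-TaskTriage -Root $TasksRoot |
    Where-Object { $_.Flags } |
    Sort-Object TaskPath |
    Format-Table -AutoSize -Wrap
```

Run it against the copied Tasks tree rather than the live system to avoid touching timestamps; a Microsoft-looking path whose description or author does not match the surrounding tasks is worth a second look even when no flag fires.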
We got lost and wasted about a day.
Dumping Hello.rar with xxd after a while,
Zone.Identifer!!! We suspected that there was an ADS (Alternate Data Stream).
Extracting Hello.rar, we found Hello.txt:Zone.Identifer:$DATA.
This data seems to be a RAR file.
ADS have to be extracted on NTFS; we used ADSManager.
There are more ADS.
We got a Word file from Zone.Identifer:Zone.Identifer:$DATA.
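The nested streams above were located with ADSManager. As an added example (not from the original write-up, and not ADSManager’s code), the PowerShell below enumerates every alternate data stream under a directory on an NTFS volume, fingerprints each by its first bytes (RAR, ZIP/OOXML, 7z, OLE2, PE, or a benign [ZoneTransfer] text), and dumps the streams to regular files so a nested archive can be unpacked and rescanned. It assumes Windows PowerShell 5.1 (the -Encoding Byte form); $ScanRoot and $OutDir are placeholder paths and the magic table is constructed.

```powershell
# Added example (not from the original write-up): enumerate, fingerprint and
# dump alternate data streams. Assumes Windows PowerShell 5.1 on NTFS;
# $ScanRoot and $OutDir are placeholders.
param(
    [string]$ScanRoot = 'C:\Users\M',
    [string]$OutDir   = 'C:\ads-dump'
)

# Constructed magic-byte table; extend as needed.
$Magic = @(
    @{ Name = 'RAR';  Bytes = 0x52,0x61,0x72,0x21 }   # "Rar!"
    @{ Name = 'ZIP';  Bytes = 0x50,0x4B,0x03,0x04 }   # "PK" (also .docx/.xlsx)
    @{ Name = '7z';   Bytes = 0x37,0x7A,0xBC,0xAF }   # "7z"
    @{ Name = 'OLE2'; Bytes = 0xD0,0xCF,0x11,0xE0 }   # legacy .doc/.xls
    @{ Name = 'PE';   Bytes = 0x4D,0x5A }             # "MZ"
)

function Get-MagicName {
    param([byte[]]$Head)
    foreach ($m in $Magic) {
        $sig = [byte[]]$m.Bytes
        if ($Head.Length -ge $sig.Length) {
            $same = $true
            for ($i = 0; $i -lt $sig.Length; $i++) {
                if ($Head[$i] -ne $sig[$i]) { $same = $false; break }
            }
            if ($same) { return $m.Name }
        }
    }
    # A genuine Zone.Identifier stream is plain text beginning "[ZoneTransfer]".
    $text = [System.Text.Encoding]::ASCII.GetString($Head)
    if ($text -like '[[]ZoneTransfer]*') { return 'ZoneTransfer text' }
    return 'unknown'
}

function Get-AdsReport {
    param([string]$Root, [string]$Dump)

    New-Item -ItemType Directory -Path $Dump -Force | Out-Null
    Get-ChildItem -Path $Root -Recurse -File -Force | ForEach-Object {
        $file = $_.FullName
        # ':$DATA' is the primary stream; anything else is an ADS.
        Get-Item -Path $file -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                $stream = $_.Stream
                $head = [byte[]](Get-Content -Path $file -Stream $stream -Encoding Byte -TotalCount 16 -ErrorAction SilentlyContinue)
                $kind = if ($head) { Get-MagicName -Head $head } else { 'empty' }

                # Copy the stream out to a normal file for further analysis.
                $safe = ($file.Substring($Root.Length) + '_' + $stream) -replace '[\\/:*?"<>|]', '_'
                $out  = Join-Path $Dump $safe
                if ($_.Length -gt 0) {
                    Get-Content -Path $file -Stream $stream -Encoding Byte -Raw |
                        Set-Content -Path $out -Encoding Byte
                }

                [pscustomobject]@{
                    File   = $file
                    Stream = $stream
                    Bytes  = $_.Length
                    Type   = $kind
                    Dumped = $out
                }
            }
    }
}

Get-AdsReport -Root $ScanRoot -Dump $OutDir |
    Sort-Object Type, File |
    Format-Table -AutoSize -Wrap
```

Anything typed as an archive or document inside a stream named like a browser zone marker is the case from this write-up; unpack the dumped file into a fresh directory and run the report again, since the archive can carry its own streams.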
Opening this file with MS Word, we found a VBA macro! But the macro cannot be edited because it is encrypted with a password.
We took install.log from the VM (\Users\M\install.log); executing this script, it says “No such file or directory ‘M’”. So we recovered ‘M’ using the description of the task.
Executing the script, we got 0zillaFirefoxInstallationStarted:2015-09-0715:18:16vssadmin.
We decrypted flag.7z using the password and got the flag.