English [Cybercamp 2015] [Forense 2.3] Write Up

Description

The company of Mr. Garcia has been robbed of 74,300€ from his bank account. The theft was committed without the knowledge of Mr. García or people in charge of IT.

Some of the money has been retrieved thanks to the speed of the bank to block the target account, but Mr. Garcia is determined to know how this unfortunate incident occurred, as he invested in forming security technicians and purchasing a perimeter antivirus solution for workstations.

After the incident, we have been asked to do a forensic analysis of the machine, but unfortunately these devices have been handled incorrectly and have no value for our review. Fortunately the system administrator, before the network failure, (do not know if caused by the incident) got a file with network traffic of the same day as the theft of bank accounts.

Download

Question: What is the name of the victim computer?

Resolution

As seen in Forense 2.1, there’s a dialog between a local host and the hacker.
Source: 172.16.65.129 (172.16.65.129)
Destination: 167.160.169.66 (167.160.169.66)

We just have to find a SMB/NetBIOS session from 172.16.65.129.
WIN-4L7NA3KIOJN

SHA256(WIN-4L7NA3KIOJN) : 80549f7634d1ed46934d69752d25aee7d8af31af9acb75ce54c358f7616f54e6

Flag is 80549f7634d1ed46934d69752d25aee7d8af31af9acb75ce54c358f7616f54e6

Leave a Reply

Your email address will not be published. Required fields are marked *