THM — Disk Analysis & Autopsy

My notes on the TryHackMe (THM) room Disk Analysis & Autopsy.

What is the MD5 hash of the E01 image?

What is the computer account name?

List all the user accounts. (alphabetical order)

Who was the last user to log into the computer?

What was the IP address of the computer?

To find the IP address, browse Program Files for the installed network tool's folder and open its irunin.ini; the installer recorded the host's network settings there.

What was the MAC address of the computer? (XX-XX-XX-XX-XX-XX)

It is in the same irunin.ini shown in the screenshot above, next to the IP address.
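As an added example (not part of the original notes), the following Python pulls IP and MAC addresses out of an INI file such as irunin.ini without relying on its exact key names, and renders the MAC in the XX-XX-XX-XX-XX-XX form the question asks for. The sample file contents and its %LANIP%-style keys are constructed assumptions, not the contents of the room's image.

```python
import re
from ipaddress import IPv4Address, AddressValueError

# Constructed stand-in for the irunin.ini found under the network tool's
# Program Files folder. The key names are an assumption; the parser does not
# depend on them, it scans every value for IPv4 and MAC patterns instead.
SAMPLE_IRUNIN_INI = """\
[Install]
%LANIP%=10.0.2.15
%LANNIC%=08:00:27:2c:c8:4f
%LANDOMAIN%=WORKGROUP
%LANGATEWAY%=10.0.2.2
%VERSION%=2.50
"""

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
MAC_RE = re.compile(r"\b([0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})\b")


def parse_ini(text):
    """Return {section: {key: value}}; keeps odd keys like %LANIP% verbatim."""
    result, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            result.setdefault(section, {})
            continue
        if "=" in line:
            key, _, value = line.partition("=")
            result.setdefault(section, {})[key.strip()] = value.strip()
    return result


def normalise_mac(mac):
    """Render a MAC as XX-XX-XX-XX-XX-XX, the format the question asks for."""
    return "-".join(part.upper() for part in re.split(r"[:-]", mac))


def extract_addresses(text):
    """Collect (key, value) pairs for every valid IPv4 and MAC found in the file.

    "2.50" (the version) is rejected because an IPv4 needs four octets, and
    each candidate IP is validated with ipaddress so 999.1.1.1 cannot slip in.
    """
    ips, macs = [], []
    for keys in parse_ini(text).values():
        for key, value in keys.items():
            for candidate in IPV4_RE.findall(value):
                try:
                    IPv4Address(candidate)
                except AddressValueError:
                    continue
                ips.append((key, candidate))
            for candidate in MAC_RE.findall(value):
                macs.append((key, normalise_mac(candidate)))
    return {"ips": ips, "macs": macs}


if __name__ == "__main__":
    found = extract_addresses(SAMPLE_IRUNIN_INI)
    for key, ip in found["ips"]:
        print(f"IP   {ip:<18} from {key}")
    for key, mac in found["macs"]:
        print(f"MAC  {mac:<18} from {key}")
```

Run it against the irunin.ini exported from Autopsy by reading the file into `extract_addresses`; the gateway shows up as a second IP, so the key name tells you which one is the host's own address.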

Name the network cards on this computer.

Intel(R) PRO/1000 MT Desktop Adapter

What is the name of the network monitoring tool?

Check Autopsy's Installed Programs listing; the tool whose folder held irunin.ini is the network monitoring tool.

A user bookmarked a Google Maps location. What are the coordinates of the location?

Search the Web History and Web Bookmarks results for Google Maps URLs; the bookmarked location's coordinates are embedded in the URL itself.
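As an added example (not from the original notes), here is Python that scans a list of URLs, as exported from Autopsy's web artefacts, and extracts latitude/longitude pairs from the common Google Maps URL shapes (`/@lat,lon,zoom`, `?q=lat,lon`, and `/dir/` waypoints). The sample URLs and coordinates are constructed and are not the room's answer.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote

# Constructed sample of a Web History / Web Bookmarks URL column.
# None of these coordinates come from the room's image.
SAMPLE_HISTORY_URLS = [
    "https://www.google.com/search?q=autopsy+forensics",
    "https://www.google.com/maps/place/Example+Place/@12.345678,-98.765432,17z/data=!3m1",
    "https://www.google.com/maps?q=51.5007,-0.1246&z=15",
    "https://maps.google.com/maps/@?api=1&map_action=map",
    "https://www.google.com/maps/dir/48.8584,2.2945/48.8606,2.3376/",
]

AT_RE = re.compile(r"/@(-?\d+\.\d+),(-?\d+\.\d+)")
PAIR_RE = re.compile(r"(-?\d+\.\d+),(-?\d+\.\d+)")


def _valid(lat, lon):
    return -90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0


def coords_from_maps_url(url):
    """Return [(lat, lon), ...] found in a Google Maps URL, or [] if none."""
    parsed = urlparse(url)
    if "google." not in parsed.netloc or not parsed.path.startswith("/maps"):
        return []
    found = []
    # /maps/place/<name>/@lat,lon,zoom : the viewport centre of a place view
    m = AT_RE.search(parsed.path)
    if m:
        found.append((float(m.group(1)), float(m.group(2))))
    # /maps?q=lat,lon : an explicit coordinate query
    for q in parse_qs(parsed.query).get("q", []):
        m = PAIR_RE.fullmatch(unquote(q).strip())
        if m:
            found.append((float(m.group(1)), float(m.group(2))))
    # /maps/dir/lat,lon/lat,lon : directions waypoints
    if "/dir/" in parsed.path:
        for lat, lon in PAIR_RE.findall(parsed.path.split("/dir/", 1)[1]):
            found.append((float(lat), float(lon)))
    return [c for c in found if _valid(*c)]


def scan_history(urls):
    """Map each URL that carries coordinates to the coordinates it contains."""
    hits = {}
    for url in urls:
        coords = coords_from_maps_url(url)
        if coords:
            hits[url] = coords
    return hits


if __name__ == "__main__":
    for url, coords in scan_history(SAMPLE_HISTORY_URLS).items():
        print(coords, "<-", url)
```

Only URLs on a google.* host with a /maps path are considered, and every pair is range-checked, so a stray decimal in an unrelated URL is not reported as a location.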

A user has his full name printed on his desktop wallpaper. What is the user’s full name?

Switch to the Images/Videos view and look through the users' directories. Extracting the wallpaper image from user joshwa's profile shows the full name.

A user had a file on her desktop. It had a flag but she changed the flag using PowerShell. What was the first flag?

Search each user's profile for PowerShell artefacts. In Shreya's profile they are under AppData/Roaming/Microsoft/Windows/PowerShell; PSReadLine's ConsoleHost_history.txt there records the commands typed into the console, including the one that changed the flag.
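As an added example (not from the original notes), the following Python reconstructs the sequence of file writes from a PSReadLine ConsoleHost_history.txt so you can see what a file contained before it was overwritten. It recognises Set-Content/Add-Content, a quoted string piped to Out-File, and echo/Write-Output redirection. The history lines and flag values are constructed, not the contents of the room's image.

```python
import re
from collections import defaultdict

# Constructed stand-in for ConsoleHost_history.txt; the flags are made up.
SAMPLE_HISTORY = r'''
cd C:\Users\shreya\Desktop
Set-Content -Path .\flag.txt -Value "THM{first_made_up_flag}"
Get-Content .\flag.txt
"THM{second_made_up_flag}" | Out-File -FilePath .\flag.txt
Set-Content flag.txt 'THM{third_made_up_flag}'
echo "not a flag" > .\notes.txt
'''

QUOTED = r"(?P<value>\"[^\"]*\"|'[^']*')"
WRITE_RES = [
    # Set-Content/Add-Content [-Path|-LiteralPath] <path> [-Value] <quoted>
    re.compile(r"(?:Set|Add)-Content\s+(?:-(?:Literal)?Path\s+)?(?P<path>\S+)\s+(?:-Value\s+)?" + QUOTED, re.I),
    # <quoted> | Out-File [-FilePath] <path>
    re.compile(QUOTED + r"\s*\|\s*Out-File\s+(?:-FilePath\s+)?(?P<path>\S+)", re.I),
    # echo/Write-Output <quoted> > <path>   (also >>)
    re.compile(r"(?:echo|Write-Output)\s+" + QUOTED + r"\s*>{1,2}\s*(?P<path>\S+)", re.I),
]


def _norm_path(path):
    """Drop a leading .\ and lower-case so .\flag.txt and flag.txt collapse together."""
    return re.sub(r"^\.\\", "", path).lower()


def file_writes(history):
    """Return {path: [(history_line_no, value_written), ...]} in command order."""
    writes = defaultdict(list)
    for lineno, line in enumerate(history.splitlines(), 1):
        for rx in WRITE_RES:
            m = rx.search(line)
            if m:
                writes[_norm_path(m.group("path"))].append((lineno, m.group("value")[1:-1]))
                break
    return dict(writes)


def first_value(history, filename):
    """The first value ever written to filename, or None if it was never written."""
    w = file_writes(history).get(filename.lower(), [])
    return w[0][1] if w else None


if __name__ == "__main__":
    for path, events in file_writes(SAMPLE_HISTORY).items():
        print(path)
        for lineno, value in events:
            print(f"  line {lineno}: {value}")
```

Only literal quoted values are captured; a value passed through a variable or built with string operators would need the preceding lines read by hand, which is the usual caveat with shell-history reconstruction.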

The same user found an exploit to escalate privileges on the computer. What was the message to the device owner?

Searching Shreya's files, the message is in a file on her Desktop.

2 hack tools focused on passwords were found in the system. What are the names of these tools? (alphabetical order)

Windows Defender is our friend for this task. Its scan and detection history (kept under ProgramData\Microsoft\Windows Defender\Scans\History) names the two detected .exe files.

There is a YARA file on the computer. Inspect the file. What is the name of the author?

A keyword search for .yar turns up a kiwi_passwords.yar.lnk shortcut in user H4S4N's profile; the .yar file it points to is in that user's Downloads, and the author is given in the rule's meta section.

One of the users wanted to exploit a domain controller with an MS-NRPC based exploit. What is the filename of the archive that you found? (include the spaces in your answer)

Checking Recent Documents turns up a file named with the keyword Zerologon, which is the MS-NRPC (Netlogon) exploit, CVE-2020-1472.
