CyberDefenders - Spotlight

Scenario

Spotlight is a macOS image forensics challenge where you can evaluate your DFIR skills against an OS you usually encounter in today's case investigations as a security blue team member.

Category: Endpoint Forensics

Tools:
- Autopsy
- mac_apt
- SQLite
- steghide


Questions

Q1: What version of macOS is running on this image?


Let's start by looking for clues about this image in the text file generated by FTK Imager, which shows the macOS version name, Catalina.


According to Apple support, this major version is 10.15.


Another way to find this answer is to read the SystemVersion.plist file (credit to https://www.cyberciti.biz/faq/mac-osx-find-tell-operating-system-version-from-bash-prompt/).


Open the evidence file in FTK Imager, then go to the CoreServices directory and export the plist file.


Open this file with your preferred text editor (preferably a plist editor).

10.15
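The same lookup done programmatically, as an added example that is not part of the original walkthrough: parse a SystemVersion.plist with Python's plistlib and reduce ProductVersion to the major release. The plist bytes are a constructed sample in the file's real layout, and the example generalises beyond this image by also handling the Big Sur and later numbering (11.x, 12.x).

```python
import plistlib

# Constructed SystemVersion.plist (/System/Library/CoreServices/SystemVersion.plist) with
# the values a macOS Catalina install reports; sample data, not the file from the image.
SYSTEM_VERSION_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>ProductBuildVersion</key>
    <string>19A583</string>
    <key>ProductCopyright</key>
    <string>1983-2019 Apple Inc.</string>
    <key>ProductName</key>
    <string>Mac OS X</string>
    <key>ProductUserVisibleVersion</key>
    <string>10.15</string>
    <key>ProductVersion</key>
    <string>10.15</string>
</dict>
</plist>"""


def major_version(product_version: str) -> str:
    """Reduce ProductVersion to the major release: '10.15.7' -> '10.15', '11.2.3' -> '11'.

    Releases up to Catalina are numbered 10.x, so the second component is part of the
    major version; from Big Sur on, the first component alone identifies the release."""
    parts = product_version.split(".")
    return ".".join(parts[:2]) if parts[0] == "10" else parts[0]


def parse_system_version(plist_bytes: bytes) -> dict:
    """Extract the fields an examiner wants from SystemVersion.plist."""
    info = plistlib.loads(plist_bytes)
    version = info["ProductVersion"]
    return {
        "name": info.get("ProductName"),
        "version": version,
        "major": major_version(version),
        "build": info.get("ProductBuildVersion"),
    }


if __name__ == "__main__":
    print(parse_system_version(SYSTEM_VERSION_PLIST))
```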

Q2: What "competitive advantage" did Hansel lie about in the file AnotherExample.jpg? (two words)


You can see that there are 2 users on this machine: hansel.apricot and sneaky.


But AnotherExample.jpg can be found in the Shared directory.


Export the image and run strings on it to find the secret, which turns out to be "flip phone".


Another way to obtain this answer is to go to sneaky's home directory and read the terminal history.

flip phone

Q3: How many bookmarks are registered in safari?


A tool that can help us in this lab is mac_apt, which has plugins for many different artifacts. The SAFARI plugin is implemented in safari.py, where you can see the location of the artifacts we need to grab in order to use this plugin.


We're interested in bookmarks, so we will grab Bookmarks.plist.


Filtering the parsed output for "http" shows that 13 bookmarks were saved.

13
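Counting the bookmarks without mac_apt, as an added example that is not part of the original walkthrough: Safari's Bookmarks.plist is a tree of WebBookmarkTypeList folders containing WebBookmarkTypeLeaf entries (plus WebBookmarkTypeProxy nodes for History and Reading List, which are not user bookmarks), so a recursive walk is needed rather than a flat lookup. The plist below is a constructed sample with three leaves, one of them a file:// URL, to show what the "http" filter used above would include and exclude.

```python
import plistlib

# Constructed Safari Bookmarks.plist (~/Library/Safari/Bookmarks.plist): a History proxy,
# the BookmarksBar folder with a nested "Work" folder, three leaf bookmarks in total.
BOOKMARKS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>WebBookmarkType</key><string>WebBookmarkTypeList</string>
  <key>Title</key><string></string>
  <key>Children</key><array>
    <dict><key>WebBookmarkType</key><string>WebBookmarkTypeProxy</string>
          <key>Title</key><string>History</string></dict>
    <dict><key>WebBookmarkType</key><string>WebBookmarkTypeList</string>
          <key>Title</key><string>BookmarksBar</string>
          <key>Children</key><array>
      <dict><key>WebBookmarkType</key><string>WebBookmarkTypeLeaf</string>
            <key>URLString</key><string>https://example.org/</string>
            <key>URIDictionary</key><dict><key>title</key><string>Example</string></dict></dict>
      <dict><key>WebBookmarkType</key><string>WebBookmarkTypeList</string>
            <key>Title</key><string>Work</string>
            <key>Children</key><array>
        <dict><key>WebBookmarkType</key><string>WebBookmarkTypeLeaf</string>
              <key>URLString</key><string>http://intranet.example/</string>
              <key>URIDictionary</key><dict><key>title</key><string>Intranet</string></dict></dict>
        <dict><key>WebBookmarkType</key><string>WebBookmarkTypeLeaf</string>
              <key>URLString</key><string>file:///Users/Shared/notes.html</string>
              <key>URIDictionary</key><dict><key>title</key><string>Local notes</string></dict></dict>
      </array></dict>
    </array></dict>
  </array>
</dict></plist>"""


def iter_bookmarks(node, path=()):
    """Yield (folder path, title, URL) for every leaf bookmark below a Bookmarks.plist node."""
    kind = node.get("WebBookmarkType")
    if kind == "WebBookmarkTypeLeaf":
        title = node.get("URIDictionary", {}).get("title", "")
        yield path, title, node.get("URLString", "")
    elif kind == "WebBookmarkTypeList":
        folder = path + (node["Title"],) if node.get("Title") else path
        for child in node.get("Children", []):
            yield from iter_bookmarks(child, folder)
    # WebBookmarkTypeProxy nodes (History, Reading List) are not user bookmarks: skipped.


def count_bookmarks(plist_bytes, scheme_prefix=None):
    """Count leaf bookmarks; scheme_prefix='http' reproduces the walkthrough's filter."""
    urls = [url for _, _, url in iter_bookmarks(plistlib.loads(plist_bytes))]
    if scheme_prefix:
        urls = [u for u in urls if u.startswith(scheme_prefix)]
    return len(urls)
```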

Q4: What's the content of the note titled "Passwords"?


mac_apt also has a NOTES plugin, implemented in notes.py.


Grab NoteStore.sqlite.


Use mac_apt_artifact_only with the NOTES plugin to parse this SQLite file: mac_apt_artifact_only.exe -i NoteStore.sqlite -o . NOTES -c


There it is.

Passwords

Q5: Provide the MAC address of the ethernet adapter for this machine.


I couldn't find any useful information while researching, so I clicked for a hint, which pointed to daily.out. I continued my research after this and found a blog that explained this file.


That explains why the MAC address is also logged in this file.

00:0c:29:c4:65:77

Q6: Name the data URL of the quarantined item.


mac_apt also has a plugin for this, called QUARANTINE.


You can grab the artifact and open it with DB Browser for SQLite; in the LSQuarantineEvent table you will find the URL we're looking for.


This is a script that encodes secret information into an image, which gives us a clue about how to solve a later question related to steganography.

https://futureboy.us/stegano/encode.pl
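The same query scripted, as an added example that is not part of the original walkthrough: the LSQuarantineEvent table stores LSQuarantineTimeStamp as seconds since the Cocoa epoch (2001-01-01 UTC), not Unix time, so a viewer that shows the raw REAL value gives no usable date. The rows are constructed sample data in the shape of the QuarantineEventsV2 table (a subset of its columns); only the data URL matches the one recovered above, the identifiers, timestamps and origin URLs are made up.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# LSQuarantineTimeStamp is seconds since the Cocoa epoch (2001-01-01 UTC), not Unix time.
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

# Constructed rows in the shape of LSQuarantineEvent; the second data URL is the one the
# walkthrough recovered, everything else (identifiers, timestamps, origins) is sample data.
SAMPLE_ROWS = [
    ("00000000-0000-0000-0000-000000000002", 600000000.0, "com.google.Chrome",
     "Chrome", "https://example.org/files/tool.dmg", "https://example.org/downloads"),
    ("00000000-0000-0000-0000-000000000001", 609033600.0, "com.apple.Safari",
     "Safari", "https://futureboy.us/stegano/encode.pl", "https://example.org/links"),
]


def load_sample_db() -> sqlite3.Connection:
    """Build an in-memory copy of the QuarantineEventsV2 table (subset of its columns)."""
    con = sqlite3.connect(":memory:")
    con.execute("""CREATE TABLE LSQuarantineEvent (
        LSQuarantineEventIdentifier TEXT PRIMARY KEY NOT NULL,
        LSQuarantineTimeStamp REAL,
        LSQuarantineAgentBundleIdentifier TEXT,
        LSQuarantineAgentName TEXT,
        LSQuarantineDataURLString TEXT,
        LSQuarantineOriginURLString TEXT)""")
    con.executemany("INSERT INTO LSQuarantineEvent VALUES (?,?,?,?,?,?)", SAMPLE_ROWS)
    return con


def cocoa_to_utc(seconds):
    """Convert a Cocoa timestamp to an aware UTC datetime (None stays None)."""
    return None if seconds is None else COCOA_EPOCH + timedelta(seconds=seconds)


def quarantine_events(con):
    """Return quarantine events newest first, with timestamps rendered as ISO-8601 UTC."""
    rows = con.execute("""SELECT LSQuarantineTimeStamp, LSQuarantineAgentName,
                                 LSQuarantineDataURLString, LSQuarantineOriginURLString
                          FROM LSQuarantineEvent
                          ORDER BY LSQuarantineTimeStamp DESC""")
    return [{"time": (cocoa_to_utc(ts).isoformat() if ts is not None else None),
             "agent": agent, "data_url": data_url, "origin_url": origin_url}
            for ts, agent, data_url, origin_url in rows]


if __name__ == "__main__":
    for event in quarantine_events(load_sample_db()):
        print(event["time"], event["agent"], event["data_url"])
```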

Q7: What app did the user "sneaky" try to install via a .dmg file? (one word)


Back in the terminal history, you can see that SilentEye was installed.


This is another steganography tool.

SilentEye

Q8: What was the file 'Examplesteg.jpg' renamed to?


All file system events that happen on a Mac are stored inside .fseventsd.


Luckily, mac_apt also has a plugin for this.

Export the whole directory.

Parse those events: mac_apt_artifact_only.exe -i .fseventsd -o . -c FSEVENTS


Search for 'Examplesteg.jpg' and you can see that it was renamed to GoodExample.jpg.

GoodExample.jpg

Q9: How much time was spent on mail.zoho.com on 4/20/2020?


mac_apt has a SCREENTIME plugin.


Export the artifact from ScreenTimeAgent.

Parse the artifact with mac_apt: mac_apt_artifact_only.exe -i RMAdminStore-Local.sqlite -o . -c SCREENTIME


Search for "mail.zoho.com" on 4/20/2020: there are 2 events, so let's sum them up: 04:34 + 16:24 = 20:58.

20:58

Q10: What's hansel.apricot's password hint? (two words)


Most user information on a system is stored in username.plist under /private/var/db/dslocal/nodes/Default/users.

I used this PList Editor to open the plist file.


After scrolling for a while (or filtering for "hint"), you will find this user's password hint.

Family Opinion

Q11: The main file that stores Hansel's iMessages had a few permissions changes. How many times did the permissions change?


I went to mac_apt's imessage.py to find where to get the artifact for this question.


It was not available here, but we still have the file system events that we just parsed using mac_apt.


Search for the directory that stores the iMessage artifact; you can see the pattern to filter on.


Using this filter, it narrows down to 7 permission changes on this file.

7

Q12: What's the UID of the user who is responsible for connecting mobile devices?

I did some research because I had never used a Mac or an iPhone before, and I found a blog explaining what happens when a Mac and an Apple mobile device connect to each other.


The artifact that is needed is _usbmuxd.plist.


213

Q13: Find the flag in the GoodExample.jpg image. It's hidden with better tools.


From the file system events, we know that this image was renamed and is located in the Shared directory.


Using the website from the quarantine record, we can upload this image and have it reveal the secret for us.


There it is.


Another way to solve this question is to use steghide: steghide.exe extract -sf GoodExample.jpg

helicopter

Q14: What was exactly typed in the Spotlight search bar on 4/20/2020 02:09:48

Spotlight is the Mac equivalent of Windows Search.


Our best friend mac_apt has 2 plugins for this feature.


I didn't find any artifact from spotlight.py, so I went to spotlightshortcuts.py to find more artifacts.


Luckily, it is still there, and without exporting we can already see the answer.

term

Q15: What is hansel.apricot's Open Directory user UUID?


Back in hansel.apricot.plist, search for generateduid.

5BB00259-4F58-4FDE-BC67-C2659BA0A5A4
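Both lookups in the dslocal user record (the password hint from Q10 and the generateduid from Q15) scripted together, as an added example that is not part of the original walkthrough. The plist below is a constructed sample in the layout of /private/var/db/dslocal/nodes/Default/users/<name>.plist, where every attribute is wrapped in an array; the user name, UUID, hint and other values are made up.

```python
import plistlib

# Constructed user record in the shape of /private/var/db/dslocal/nodes/Default/users/<name>.plist.
# Every attribute is stored as an array of strings; all values here are sample data.
USER_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>name</key><array><string>sample.user</string></array>
  <key>realname</key><array><string>Sample User</string></array>
  <key>uid</key><array><string>501</string></array>
  <key>gid</key><array><string>20</string></array>
  <key>home</key><array><string>/Users/sample.user</string></array>
  <key>shell</key><array><string>/bin/zsh</string></array>
  <key>hint</key><array><string>first pet</string></array>
  <key>generateduid</key><array><string>00000000-1111-2222-3333-444444444444</string></array>
  <key>authentication_authority</key><array>
    <string>;ShadowHash;HASHLIST:&lt;SALTED-SHA512-PBKDF2,SRP-RFC5054-4096-SHA512-PBKDF2&gt;</string>
    <string>;Kerberosv5;;sample.user@LKDC:SHA1.0;LKDC:SHA1.0</string>
  </array>
</dict>
</plist>"""


def first(record: dict, key: str, default=None):
    """Return the first value of a dslocal attribute, which is always wrapped in an array."""
    values = record.get(key)
    return values[0] if values else default


def parse_user_record(plist_bytes: bytes) -> dict:
    """Pull the fields asked for in Q10 (hint) and Q15 (generateduid), plus context."""
    rec = plistlib.loads(plist_bytes)
    return {
        "name": first(rec, "name"),
        "uid": int(first(rec, "uid", "-1")),
        "home": first(rec, "home"),
        "shell": first(rec, "shell"),
        "hint": first(rec, "hint"),                   # password hint shown at login
        "generateduid": first(rec, "generateduid"),   # Open Directory user UUID
        # Local accounts with a password carry a ;ShadowHash; authority entry.
        "local_password": any(a.startswith(";ShadowHash;")
                              for a in rec.get("authentication_authority", [])),
    }


if __name__ == "__main__":
    print(parse_user_record(USER_PLIST))
```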

https://cyberdefenders.org/blueteam-ctf-challenges/achievements/Chicken_0248/spotlight/