
Hireme

This lab was completed quite some time ago, but we have been so busy lately that we forgot all about it. The lab has since been retired, but new starters and experienced defenders alike can still learn something (and have some fun) working through how the Windows registry and user artifacts answer each question.

Walkthrough

1) What is the administrator’s username?

Answer:

 Karen

2) What is the OS’s build number?

Hint:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion

Answer:

 16299

3) What is the hostname of the computer?

Hint:

  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ComputerName

Answer:

 TOTALLYNOTAHACK

4) A messaging application was used to communicate with a fellow Alpaca enthusiast. What is the name of the software?

Hint:

From AccessData Imager we can see the installer and the app folder, or:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths

Answer:

 skype

5) What is the zip code of the administrator’s post?

Hint:

From AccessData:

  • [root]\Users\Karen\AppData\Local\Google\Chrome\User Data\Default\Web Data

Answer:

 19709

6) What are the initials of the person who contacted the admin user from TAAUSAI?

Hint:

From AccessData:

  • /[root]/Users/Karen/AppData/Local/Microsoft/Outlook/klovespizza@outlook.com.ost

Answer:

 MS

7) How much money was TAAUSAI willing to pay upfront?

  • From exporting the PST and reading the mail

Answer:

 150,000

8) What country is the admin user meeting the hacker group in?

Hint:

  • 27°22’50.10″N, 33°37’54.62″E (resolve the coordinates)

Answer:

 Egypt

9) What is the machine’s timezone? (Use the three-letter abbreviation)

Answer:

 UTC

10) When was AlpacaCare.docx last accessed?

  • From AccessData (2nd partition/[root]) look at the file properties

Answer:

 03/17/2019 09:52 PM

11) There was a second partition on the drive. What is the letter assigned to it?

Hint:

  • HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices

Answer:

 A

12) What is the answer to the question Company’s manager asked Karen?

  • Back to the exported PST

Answer:

 TheCardCriesNoMore

13) What is the job position offered to Karen? (3 words, 2 spaces in between)

Answer:

 cyber security analyst

14) When was the admin user password last changed?

Hint:

  • Use RegRipper against the exported SAM registry hive

Answer:

 03/21/2019 19:13:09

15) What version of Chrome is installed on the machine?

Either look at the Chrome logs in AccessData, or:

  • HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Answer:

 72.0.3626.121

16) What is the HostUrl of Skype?

Hint:

  • AccessData: [root]\Users\Karen\AppData\Local\Google\Chrome\User Data\Default\History

Answer:

 https://download.skype.com/s4l/download/win/Skype-8.41.0.54.exe

17) What is the domain name of the website Karen browsed on Alpaca care that the file AlpacaCare.docx is based on?

Hint:

  • AccessData: export and read the document

Answer:

 palominoalpacafarm.com
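As an added example (not part of the original walkthrough), the registry-based answers above (questions 2, 3, 9, 11 and 15) can be pulled from the exported SOFTWARE and SYSTEM hives in one go instead of clicking through a viewer. The hive paths are placeholders for wherever you exported them with AccessData Imager, and the shell must be elevated because reg.exe needs that to load a hive.

```powershell
# Added example: read the lab's registry answers from exported hives.
# Assumptions: SOFTWARE and SYSTEM were exported to the placeholder paths below,
# and we run elevated. Only Get-* cmdlets touch the loaded keys, so nothing is written.
$softwareHive = 'C:\evidence\hireme\SOFTWARE'   # placeholder path
$systemHive   = 'C:\evidence\hireme\SYSTEM'     # placeholder path

reg.exe load HKLM\EvSoft $softwareHive | Out-Null
reg.exe load HKLM\EvSys  $systemHive   | Out-Null
try {
    # Q2: build number lives in SOFTWARE\Microsoft\Windows NT\CurrentVersion
    $cv = Get-ItemProperty 'HKLM:\EvSoft\Microsoft\Windows NT\CurrentVersion'
    "Build: $($cv.CurrentBuild)  Product: $($cv.ProductName)"

    # Select\Current records which ControlSetNNN was active at shutdown,
    # so we resolve it rather than assuming ControlSet001.
    $current = (Get-ItemProperty 'HKLM:\EvSys\Select').Current
    $cs = 'HKLM:\EvSys\ControlSet{0:D3}' -f $current

    # Q3: hostname
    $name = (Get-ItemProperty "$cs\Control\ComputerName\ComputerName").ComputerName
    "Hostname: $name"

    # Q9: the registry stores the Windows zone name and bias, not a
    # three-letter abbreviation; map TimeZoneKeyName yourself for the answer.
    $tz = Get-ItemProperty "$cs\Control\TimeZoneInformation"
    "TimeZoneKeyName: $($tz.TimeZoneKeyName)  ActiveTimeBias: $($tz.ActiveTimeBias)"

    # Q11: MountedDevices value names carry the drive letters; the data is binary
    # (volume GUID or MBR signature + offset), so only the names are listed.
    (Get-Item 'HKLM:\EvSys\MountedDevices').Property |
        Where-Object { $_ -like '\DosDevices\*' } |
        ForEach-Object { "Drive letter: $_" }

    # Q15: installed Chrome version from the 32-bit Uninstall key
    $chrome = 'HKLM:\EvSoft\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome'
    if (Test-Path $chrome) {
        "Chrome: $((Get-ItemProperty $chrome).DisplayVersion)"
    }
}
finally {
    # Always unload, otherwise the hive files stay locked on the analysis box
    reg.exe unload HKLM\EvSoft | Out-Null
    reg.exe unload HKLM\EvSys  | Out-Null
}
```

If `reg unload` reports the key is in use, move the prompt out of the HKLM: drive (`Set-Location C:\`) and retry; hives taken from a live image may also be dirty, in which case check the matching .LOG1/.LOG2 transaction logs before trusting the values.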
