THM : Secret Recipe
Difficulty : Medium
Room link : https://tryhackme.com/room/registry4n6
- Introduction
- Question 1
- Question 2
- Question 3
- Question 4
- Question 5
- Question 6
- Question 7
- Question 8
- Question 9
- Question 10
- Question 11
- Question 12
- Question 13
- Question 14
- Question 15
- Question 16
- Question 17
- Question 18
Jasmine owns a famous New York coffee shop, Coffely, which is famous city-wide for its unique taste. Only Jasmine keeps the original copy of the recipe, and she only keeps it on her work laptop. Last week, James from the IT department was consulted to fix Jasmine's laptop. But it is suspected he may have copied the secret recipes from Jasmine's machine and is keeping them on his machine. His machine has been confiscated and examined, but no traces could be found. The security department has pulled some important registry artifacts from his device and has tasked you to examine these artifacts and determine the presence of secret files on his machine.
How many files are available in the Artifacts folder on the Desktop ?
Answer : 6
What is the Computer Name of the Machine found in the registry ?
Answer in SYSTEM\ControlSet001\Control\ComputerName\ComputerName
Answer : JAMES
When was the Administrator account created on this machine ? (Format: yyyy-mm-dd hh:mm:ss)
Answer in SAM\SAM\Domains\Account\Users
Answer : 2021-03-17 14:58:48
What is the RID associated with the Administrator account ?
Answer in SAM\SAM\Domains\Account\Users
Answer : 500
How many User accounts were observed on this machine ?
Answer in SAM\SAM\Domains\Account\Users\Names
Answer : 7
There seems to be a suspicious account created as a backdoor with RID 1013. What is the Account Name ?
Answer in SAM\SAM\Domains\Account\Users
Answer : bdoor
What is the VPN connection this host connected to ?
Answer in SYSTEM\ControlSet001\Services\bam\State\UserSettings\S-1-5-21-1966530601-318510712-10604624-500
Answer : ProtonVPN
When was the first VPN connection observed ? (Format: YYYY-MM-DD HH:MM:SS)
Answer in SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList
Answer : 2022-10-12 19:52:36
There were three shared folders observed on his machine. What is the path of the third share ?
Answer in SYSTEM\ControlSet001\Services\LanmanServer\Shares
Answer : C:\RESTRICTED FILES
What is the Last DHCP IP assigned to this host ?
Answer in SYSTEM\ControlSet002\Services\Tcpip\Interfaces
Answer : 172.31.2.197
The suspect seems to have accessed a file containing the secret coffee recipe. What is the name of the file ?
Answer in NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\pdf
Answer : secret-recipe.pdf
The suspect ran multiple commands in the run windows. What command was run to enumerate the network interfaces ?
Answer in NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
Answer : pnputil /enum-interfaces
In the file explorer, the user searched for a network utility to transfer files. What is the name of that tool ?
Answer in NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery
Answer : netcat
What is the recent text file opened by the suspect ?
Answer in NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
Answer : secret-code.txt
How many times was PowerShell executed on this host ?
Answer in NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
Answer : 3
The suspect also executed a network monitoring tool. What is the name of the tool ?
Answer in SYSTEM\ControlSet001\Services\bam\State\UserSettings\S-1-5-21-1966530601-3185510712-10604624-500
Answer : wireshark
Registry hives also record the amount of time a process is in focus. Examine the hives. For how many seconds was ProtonVPN executed ?
Answer in NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
Answer : 343 (5 minutes x 60 + 43)
Everything.exe is a utility used to search for files in a Windows machine. What is the full path from which everything.exe was executed ?
Answer in NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
Answer : C:\Users\Administrator\Downloads\tools\Everything\Everything.exe
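The last three questions (PowerShell run count, ProtonVPN focus time, Everything.exe path) all come out of the same UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count key. Registry viewers decode this for you, but it helps to know what the raw data looks like: the value name is the executable path ROT13-encoded, and the 72-byte value holds the run count at offset 4, the focus time in milliseconds at offset 12, and the last-execution FILETIME at offset 60 (Windows 7 and later layout). The parser below is an added example, not part of the room or this writeup; the value name and bytes it parses are constructed test data, not taken from James's hive, and the 343-second focus time is only reused to show how a registry tool arrives at such a figure.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Windows 7+ UserAssist value layout (72 bytes, little-endian):
#   0   uint32   session id
#   4   uint32   run count
#   8   uint32   focus count
#   12  uint32   focus time in milliseconds
#   16  10 x f32 unused here
#   56  uint32   unknown
#   60  uint64   FILETIME of last execution (100 ns ticks since 1601-01-01 UTC)
#   68  uint32   unknown
USERASSIST_STRUCT = struct.Struct("<IIII10fIQI")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Convert a 64-bit FILETIME to an aware UTC datetime (None for 0)."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def decode_name(rot13_name):
    """UserAssist value names are ROT13-encoded executable paths."""
    return codecs.decode(rot13_name, "rot_13")


def parse_userassist(rot13_name, data):
    """Return the forensic fields of one UserAssist\\Count value."""
    if len(data) < USERASSIST_STRUCT.size:
        raise ValueError(f"expected {USERASSIST_STRUCT.size} bytes, got {len(data)}")
    fields = USERASSIST_STRUCT.unpack_from(data)
    _session, run_count, focus_count, focus_ms = fields[:4]
    last_ft = fields[15]
    return {
        "name": decode_name(rot13_name),
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_seconds": focus_ms // 1000,   # what a viewer shows as "5 min 43 s"
        "last_run": filetime_to_datetime(last_ft),
    }


def build_sample_value(run_count, focus_ms, last_ft):
    """Constructed test data in the on-disk layout (not from a real hive)."""
    return USERASSIST_STRUCT.pack(1, run_count, 0, focus_ms, *([0.0] * 10), 0, last_ft, 0)


# Constructed sample: "ProtonVPN.exe" ROT13-encoded, run 3 times, 343 s in focus,
# last executed 2022-01-01 00:00:00 UTC (FILETIME for that instant).
SAMPLE_NAME = "CebgbaICA.rkr"
SAMPLE_LAST_RUN_FT = 132854688000000000
SAMPLE_DATA = build_sample_value(run_count=3, focus_ms=343_000, last_ft=SAMPLE_LAST_RUN_FT)


def parse_sample():
    return parse_userassist(SAMPLE_NAME, SAMPLE_DATA)


if __name__ == "__main__":
    for key, value in parse_sample().items():
        print(f"{key:14} {value}")
```

To use it on a real case, export the Count key with a hive parser (python-registry, or `reg export` on a mounted hive) and feed each value name and its REG_BINARY data to `parse_userassist`; the focus time is cumulative across runs, which is why the question asks for seconds "executed" rather than a single session length.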