forensics challs
This commit is contained in:
39
2026/insomnihack/forensics/usb_exfiltration/main.py
Normal file
39
2026/insomnihack/forensics/usb_exfiltration/main.py
Normal file
@@ -0,0 +1,39 @@
|
||||
import LnkParse3
|
||||
from hashlib import sha1
|
||||
from evtx import PyEvtxParser
|
||||
import json
|
||||
import glob
|
||||
import os
|
||||
|
||||
# Look at strange LNK files (USB Exfiltration screams at opened file)
|
||||
def parse_link():
|
||||
base = "Kape_Acquisition/C/Users/intern/AppData/Roaming/Microsoft/Windows/Recent/"
|
||||
for f in glob.glob(base + '*.lnk'):
|
||||
with open(f, 'rb') as fp:
|
||||
lnk = LnkParse3.lnk_file(fp)
|
||||
print(f'=== {os.path.basename(f)} ===')
|
||||
print(lnk.get_json())
|
||||
|
||||
# Get login time
|
||||
def get_login_events():
|
||||
parser = PyEvtxParser("Kape_Acquisition/C/Windows/System32/winevt/logs/Security.evtx")
|
||||
for record in parser.records_json():
|
||||
data = json.loads(record['data'])
|
||||
event = data.get('Event', {})
|
||||
eid = event.get('System', {}).get('EventID')
|
||||
if str(eid) == '4624':
|
||||
ed = event.get('EventData', {})
|
||||
user = ed.get('TargetUserName', '')
|
||||
logon_type = ed.get('LogonType')
|
||||
time = event.get('System', {}).get('TimeCreated', {}).get('#attributes', {}).get('SystemTime')
|
||||
if 'intern' in user.lower():
|
||||
print(f"Time: {time} | User: {user} | LogonType: {logon_type}")
|
||||
|
||||
def get_flag():
|
||||
logon_time = "2026-03-08T11:33"
|
||||
filename = "Budgets_2025.txt"
|
||||
usb_label = "MyUSBKey2"
|
||||
format = f"{filename};{usb_label};{logon_time}".encode()
|
||||
print(f"INS{{{sha1(format).hexdigest()}}}")
|
||||
|
||||
get_flag()
|
||||
Reference in New Issue
Block a user