Files
ctf/2026/insomnihack/forensics/usb_exfiltration/main.py
2026-03-22 21:54:20 +01:00

40 lines
1.4 KiB
Python

import LnkParse3
from hashlib import sha1
from evtx import PyEvtxParser
import json
import glob
import os
# Look at strange LNK files (USB Exfiltration screams at opened file)
def parse_link():
base = "Kape_Acquisition/C/Users/intern/AppData/Roaming/Microsoft/Windows/Recent/"
for f in glob.glob(base + '*.lnk'):
with open(f, 'rb') as fp:
lnk = LnkParse3.lnk_file(fp)
print(f'=== {os.path.basename(f)} ===')
print(lnk.get_json())
# Get login time
def get_login_events():
parser = PyEvtxParser("Kape_Acquisition/C/Windows/System32/winevt/logs/Security.evtx")
for record in parser.records_json():
data = json.loads(record['data'])
event = data.get('Event', {})
eid = event.get('System', {}).get('EventID')
if str(eid) == '4624':
ed = event.get('EventData', {})
user = ed.get('TargetUserName', '')
logon_type = ed.get('LogonType')
time = event.get('System', {}).get('TimeCreated', {}).get('#attributes', {}).get('SystemTime')
if 'intern' in user.lower():
print(f"Time: {time} | User: {user} | LogonType: {logon_type}")
def get_flag():
logon_time = "2026-03-08T11:33"
filename = "Budgets_2025.txt"
usb_label = "MyUSBKey2"
format = f"{filename};{usb_label};{logon_time}".encode()
print(f"INS{{{sha1(format).hexdigest()}}}")
get_flag()