Staging in 1…2…3

Challenge:

The Incident Response (IR) team identified evidence that a Threat Actor accessed a system that contains sensitive company information. The Chief Information Security Officer (CISO) wants to know if any data was accessed or taken.

There was a suspicious file created during the timeframe of Threat Actor activity: C:\123.tmp. Can you check it out?

Solution:

I used the file command to identify the type of the provided file from its magic bytes. Despite the .tmp extension, it was identified as a RAR (v5) archive, a classic sign of data being staged for exfiltration:

$ file 123.tmp

123.tmp: RAR archive data, v5
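The same magic-byte check can be applied across a whole filesystem image to find other staged archives hiding under innocuous extensions. The script below is an added example written for this writeup, not part of the original challenge or of file(1)/unrar; it matches the RAR 1.5-4.x and RAR 5 signatures (the "Rar!" marker followed by 1A 07 00 or 1A 07 01 00) along with a few other common archive magics, reports files whose extension does not already say "archive", and records a SHA-256 for each hit so the artifact can be tracked before anything is extracted. The directory layout and file contents in demo() are constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Magic-byte signatures for common archive formats. RAR4 and RAR5 share the
# ASCII "Rar!" marker and differ in the trailing bytes, so the longer RAR5
# signature is listed first to avoid a false RAR4 match.
ARCHIVE_SIGNATURES = [
    (b"Rar!\x1a\x07\x01\x00", "RAR archive data, v5"),
    (b"Rar!\x1a\x07\x00", "RAR archive data, v1.5-4.x"),
    (b"7z\xbc\xaf\x27\x1c", "7-zip archive data"),
    (b"PK\x03\x04", "Zip archive data"),
    (b"\x1f\x8b", "gzip compressed data"),
]

# Extensions that honestly declare an archive; those are not "disguised".
ARCHIVE_EXTS = {".rar", ".zip", ".7z", ".gz", ".tgz"}


def identify_archive(header: bytes):
    """Return a description if the leading bytes match a known archive magic."""
    for magic, description in ARCHIVE_SIGNATURES:
        if header.startswith(magic):
            return description
    return None


def sha256_of(path: Path) -> str:
    """Hash the file in chunks so large staging archives do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_disguised_archives(root):
    """Walk root and return (path, description, sha256) for every file whose
    extension does not claim to be an archive but whose magic bytes do."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if path.suffix.lower() in ARCHIVE_EXTS:
                continue
            try:
                with path.open("rb") as fh:
                    header = fh.read(8)  # longest signature above is 8 bytes
            except OSError:
                continue  # unreadable file; skip rather than abort the sweep
            description = identify_archive(header)
            if description:
                hits.append((str(path), description, sha256_of(path)))
    return sorted(hits)


def demo():
    """Constructed sample (not a real image): a RAR5 header under a .tmp name,
    a plain-text .tmp decoy, and an honestly named .rar that should be skipped."""
    root = Path(tempfile.mkdtemp())
    (root / "123.tmp").write_bytes(b"Rar!\x1a\x07\x01\x00" + b"\x00" * 32)
    (root / "notes.tmp").write_bytes(b"just some text\n")
    (root / "report.rar").write_bytes(b"Rar!\x1a\x07\x00" + b"\x00" * 32)
    return find_disguised_archives(root)


if __name__ == "__main__":
    for path, description, digest in demo():
        print(f"{path}: {description} sha256={digest}")
```

On a real case, point find_disguised_archives at a mounted evidence image and hash each hit before extracting; listing the contents first (unrar l) also tells you what was staged without writing anything else to disk.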

Using unrar to extract the contents of the archive revealed the flag as the top-level directory name within the archive:

$ unrar x 123.tmp

UNRAR 5.61 beta 1 freeware      Copyright (c) 1993-2018 Alexander Roshal

Extracting from 123.tmp

Creating    MetaCTF{definitely_n0t_all_0f_y0ur_sensitive_data}        OK
Creating    MetaCTF{definitely_n0t_all_0f_y0ur_sensitive_data}/Company Secret Notes  OK
Extracting  MetaCTF{definitely_n0t_all_0f_y0ur_sensitive_data}/Company Secret Notes/priv&conf - ongoing internal investigation.txt  OK
Creating    MetaCTF{definitely_n0t_all_0f_y0ur_sensitive_data}/Emails  OK
Extracting  MetaCTF{definitely_n0t_all_0f_y0ur_sensitive_data}/Emails/IMG_3302.PNG  OK
Creating    MetaCTF{definitely_n0t_all_0f_y0ur_sensitive_data}/Super Secret Research on Moving Everything to the Cloud  OK
Extracting  MetaCTF{definitely_n0t_all_0f_y0ur_sensitive_data}/Super Secret Research on Moving Everything to the Cloud/IMG_0130.PN  OK
All OK

The accepted flag was MetaCTF{definitely_n0t_all_0f_y0ur_sensitive_data}.
