Tryhackme Secret Recipe Walkthrough Guide

Task 1: Introduction

Storyline

Jasmine owns a famous New York coffee shop Coffely which is famous city-wide for its unique taste. Only Jasmine keeps the original copy of the recipe, and she only keeps it on her work laptop. Last week, James from the IT department was consulted to fix Jasmine's laptop. But it is suspected he may have copied the secret recipes from Jasmine's machine and is keeping them on his machine.

His machine has been confiscated and examined, but no traces could be found. The security department has pulled some important registry artifacts from his device and has tasked you to examine these artifacts and determine the presence of secret files on his machine.

On the Desktop, there is a folder named Artifacts, which contains the registry Hives to examine and another folder named EZ tools, which includes all the required tools to analyze the artifacts.

Task 2: Windows Registry Forensics

Registry Recap
Windows Registry is like a database that contains a lot of juicy information about the system, user, user activities, processes executed, the files accessed or deleted, etc.

Following Registry Hives have been pulled from the suspect Host and placed in the C:\Users\Administrator\Desktop\Artifacts folder. All required tools are also placed on the path. C:\Users\Administrator\Desktop\EZ Tools.

Your challenge is to examine the registry hives using the tools provided, observe the user's activities and answer the questions.

Registry Hives

SYSTEM
SECURITY
SOFTWARE
SAM
NTUSER.DAT
UsrClass.dat

Answer the questions below

“Open Registry Explorer and load all provided registry hive files (artifacts) for analysis.

1) What is the computer name of the machine found in the registry?

Ans: JAMES

SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName

2) When was the Administrator account created on this machine? (Format: yyyy-mm-dd hh:mm:ss)

Ans: 2021-03-17 14:58:48

SAM\Domains\Account\Users

3) What is the RID associated with the Administrator account?

Ans: 500

4) How many user accounts were observed on this machine?

Ans: 7

5) There seems to be a suspicious account created as a backdoor with RID 1013. What is the account name?

Ans: bdoor

6) What is the VPN connection this host connected to?

Ans: ProtonVPN

Look for NetworkList in Software Hive

7) When was the first VPN connection observed? (Format: YYYY-MM-DD HH:MM:SS)

Ans: 2022-10-12 19:52:36

8) There were three shared folders observed on his machine. What is the path of the third share?

Ans: C:\RESTRICTED FILES

search “share”

9) What is the last DHCP IP assigned to this host?

Ans: 172.31.2.197

SYSTEM\CurrentControlSet(001/002)\Services\Tcpip\Parameters\Interfaces

10) The suspect seems to have accessed a file containing the secret coffee recipe. What is the name of the file?

Ans: secret-recipe.pdf

11) The suspect executed multiple commands using the Run window. What command was used to enumerate the network interfaces?

Ans: pnputil /enum-interfaces

12) The user searched for a network utility tool to transfer files using the file explorer. What is the name of that tool?

Ans: netcat

13) What is the recent text file opened by the suspect?

Ans: secret-code.txt

“Perform the same procedure as in Question 10, or navigate to the ‘RecentDocs’ registry key under the ‘.txt’ extension to identify the most recently accessed text file.”

14) How many times was PowerShell executed on this host?

Ans: 3

UserAssist: These keys contain information about the programs launched, the time of their launch, and the number of times they were executed

NTUSER.DAT\Software\Microsoft\Windows\Currentversion\Explorer\UserAssist\{GUID}\Count