During the investigation of a compromised machine, it was discovered that an impersonation tool had been executed. The Digital Forensics and Incident Response (DFIR) team provided a specific registry hive for analysis. Your objective is to identify the name of the executable associated with the impersonation tool and determine its earliest suspected execution time.
Flag format/example: BHFlagY{cmd.exe_29/12/1992 22:33:13}
The provided file, named execution, was identified as:
| # Send prefix | |
| set-option -g prefix C-d | |
| unbind-key C-b | |
| bind-key C-d send-prefix | |
| set -g default-terminal "xterm-256color" | |
| setw -g xterm-keys on | |
| set -s escape-time 10 # faster command sequences |
Follow the instructions to install WSA with Megisk and GooglePlay services. MagiskOnWSALocal
Download following modules for Magisk.
For Windows (Powershell)
aws sts get-session-token --duration-seconds (Read-Host -Prompt "Session Duration") --serial-number (Read-Host -Prompt "Serial Number") --token-code (Read-Host -Prompt "MFA code") | ConvertFrom-Json | %{$_.Credentials} | %{@{aws_access_key_id=$_.AccessKeyId;aws_secret_access_key=$_.SecretAccessKey;aws_session_token=$_.SessionToken}} | ConvertTo-Json -Compress | %{$_ -replace "{","`n`n[profile-name]`n"} | %{$_ -replace "}",""} | %{$_ -replace ":"," = "} | %{$_ -replace '"',""} | %{$_ -replace",","`n"} | %{$_ -replace "profile-name", (Read-Host -Prompt "Profile Name")} | tee -Variable _ | Add-Content $HOME\.aws\credentials
For Linux (bash)