
Hackers of the Lost Ark Winning Answers

By: Kenneth Mazie

Questions:

1) What was the purpose of the attacker's "dir" and "find" commands?
2) What was the purpose of the attacker's "strings" command?
3) What was the purpose of the attacker's "lads" command?
4) What was the purpose of the attacker's "dd" command?
5) Where else might the file be hidden on the system, and how would the attacker (as well as New Jersey Jones) find it? Be creative!

Answers:

1-a) The DIR command pulls up a directory listing of the C: drive. It lists file and directory names but leaves out those tagged as read-only, hidden, or system files. It displays all files and folders meeting the criteria, starting in the C:\ folder and including all subfolders, and then pipes the output to a file named "file.txt" in the current folder (C:\).

1-b) The find command searches "file.txt" for any occurrence of "LostArk" and outputs the line number where it is located within the file.

2) The strings command is from SysInternals. It starts at C:\, scans all files in all folders, and pipes the output to a find command that looks for the existence of the ASCII string "9906753".

3) The lads utility is from Frank Heyne. As typed, the command starts at C:\ and searches all files for an alternate data stream named "LostArk".

4) The DD command is a win32 port of a Unix command. The command is typed incorrectly. No output file is specified. As typed it will read the system RAM and pad unreadable areas with zeros. The result has nowhere to go. The attacker attempted to copy the system RAM to a file but failed.

5) There are a number of hidden folders where the file may reside, the system startup script folders for example. Also, once the access permissions have been adjusted, the file could be stored in the "System Volume Information" folder. Simple cipher encryption could be used to mask the file name and/or file contents. Probably the best place to put the file would be to use a steganography utility to add the file as the payload for one of the default Windows system bitmaps. Another alternative is to uuencode the file, create a custom registry key, and then add the encoded file as the key value.

Some of these techniques would be extremely hard or impossible to find. I would use steganography detection utilities to scan the files. I would use batch file sorting to reverse the names of all files and search for identifiable strings. I'd also try using the same techniques the attackers used, but I'd correct their commands so they functioned properly.
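As an added example (not part of the original answer), here is a corrected, working version of the "strings | find" search from question 2, written in Python so it runs anywhere: it walks a directory tree, extracts printable-ASCII runs of at least three bytes (the Sysinternals strings default), and reports which file and offset contain the marker "9906753". The sample tree it scans is constructed inline; the file names and contents are assumptions for the demonstration.

```python
import os
import re
import tempfile

MIN_LEN = 3  # Sysinternals strings default minimum string length


def extract_strings(data: bytes, min_len: int = MIN_LEN):
    """Return (offset, text) for each run of printable ASCII at least min_len bytes long."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pat.finditer(data)]


def scan_tree(root: str, needle: str, min_len: int = MIN_LEN):
    """Walk root recursively and report every file whose ASCII strings contain needle.

    Returns {relative_path: [(offset, matching_string), ...]}, i.e. what
    'strings -s C:\\ | find "needle"' gives, but keeping file path and offset.
    """
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # locked or unreadable file: skip it, as strings would
            found = [(off, s) for off, s in extract_strings(data, min_len) if needle in s]
            if found:
                hits[os.path.relpath(path, root).replace(os.sep, "/")] = found
    return hits


def build_sample_tree():
    """Constructed sample data: a binary blob with the marker embedded, a text file, and noise."""
    root = tempfile.mkdtemp(prefix="lostark_")
    os.makedirs(os.path.join(root, "sub"))
    with open(os.path.join(root, "sub", "ark.bin"), "wb") as fh:
        fh.write(b"\x00\x01\x02key=9906753\xff\xfe\x00")
    with open(os.path.join(root, "readme.txt"), "wb") as fh:
        fh.write(b"nothing to see here\n")
    with open(os.path.join(root, "sub", "noise.dat"), "wb") as fh:
        fh.write(b"\x00\xff" * 8)
    return root


if __name__ == "__main__":
    for path, found in scan_tree(build_sample_tree(), "9906753").items():
        for off, s in found:
            print(f"{path} @0x{off:x}: {s}")
```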

Thanks for the hunt.

Ken Mazie