Cyberdefenders Hacked Challenge EWF Mounts
Jul 25, 2021
4 minute read

CyberDefenders is a training platform focused on the defensive side of cybersecurity, aiming to provide a place for blue teams to practice, validate the skills they have, and acquire the ones they need.

CyberDefenders provides a bunch of hands on practice challenges for people to test out their forensics chops. Each challenge has a downloadable disk image that you’ll need to mount locally in order to snoop aroud and answer the challenge questions. From what I could tell, the tools that were recommended were for Windows. It took me a while to figure out how to get the filesystem all setup on my Mint Linux machine. Hopefully this helps others out there.

I ended up scoring 1430/1850. Used a few hints to get on the right track with some of the harder questions, which took some points away.

Download the challenge

Link to the Hacked challenge https://cyberdefenders.org/labs/71

Download the compressed zip file from the challenge site and use the password cyberdefenders.org. This will extract Webserver.E01 which is an expert witness format. This image will need to be mounted to your filesystem.

Install Command line tools

  • ewf-tools provides tools to work with the EWF file formats
  • sleuthkit provides tools to work with the filesystme images
  • kpartx reads partition tables on specified device and create device maps over partitions segments detected.
$ apt-get install ewf-tools sleuthkit kpartx

You might need additional tools to solve some of the challenge questions, those aren’t listed here ;)

Mount the Image

Initially I didn’t use root with ewfmount which worked fine, but wasn’t compatible with mount later on. Use root to make your life easier.

$ mkdir mnt

$ sudo ewfmount Webserver.E01 mnt
ewfmount 20140807

$ ll mnt
total 0
-r--r--r-- 1 root root 32G Jul 25 00:36 ewf1

Mount the Partitions

View Partition Layout

$ mmls ewf1
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0000499711   0000497664   Linux (0x83)
003:  -------   0000499712   0000501759   0000002048   Unallocated
004:  Meta      0000501758   0066064383   0065562626   DOS Extended (0x05)
005:  Meta      0000501758   0000501758   0000000001   Extended Table (#1)
006:  001:000   0000501760   0066064383   0065562624   Linux Logical Volume Manager (0x8e)
007:  -------   0066064384   0066064607   0000000224   Unallocated

You can see it mentions Units are in 512-byte sectors, take that and multiply by the value in the Start column to find the byte offset for the filesystems we’re going to mount.

Linux Boot Partition

$ sudo mount -o offset=$((2048*512)) -v mnt/img/ewf1 mnt/boot

Linux LVM Partition

Note the Linux Logical Volume Manager type in the partition layout. Use kpartx to read partition tables on specified device and create devices on your machine.

$ sudo kpartx -a -v mnt/img/ewf1
add map loop0p1 (253:0): 0 497664 linear 7:0 2048
add map loop0p2 (253:1): 0 2 linear 7:0 501758
add map loop0p5 (253:2): 0 65562624 linear 7:0 501760

# checkout the lvm volumes and get their paths
$ sudo lvscan
/dev/sda: open failed: No medium found
WARNING: PV /dev/mapper/loop0p5 in VG VulnOSv2-vg is using an old PV header, modify the VG to update.
ACTIVE            '/dev/VulnOSv2-vg/root' [30.51 GiB] inherit
ACTIVE            '/dev/VulnOSv2-vg/swap_1' [768.00 MiB] inherit

# mount those volumes to your filesystem
$ sudo mount -o ro,noload /dev/VulnOSv2-vg/root mnt/linux
$ ls -l mnt/linux
total 104K
drwxr-xr-x  21 root       root       4.0K Apr  3  2016 .
drwxrwxr-x   4 bwigginton bwigginton 4.0K Jul 25 01:01 ..
drwxr-xr-x   2 root       root       4.0K Apr 16  2016 bin
drwxr-xr-x   2 root       root       4.0K Apr  3  2016 boot
drwxr-xr-x   4 root       root       4.0K Apr  3  2016 dev
drwxr-xr-x 102 root       root       4.0K Oct  5  2019 etc
drwxr-xr-x   4 root       root       4.0K Apr 16  2016 home
lrwxrwxrwx   1 root       root         33 Apr  3  2016 initrd.img -> boot/initrd.img-3.13.0-24-generic
drwxr-xr-x  21 root       root       4.0K Apr  3  2016 lib
drwx------   2 root       root        16K Apr  3  2016 lost+found
drwxr-xr-x   3 root       root       4.0K Apr  3  2016 media
drwxr-xr-x   2 root       root       4.0K Apr 10  2014 mnt
drwxr-xr-x   2 root       root       4.0K Apr 16  2014 opt
drwxr-xr-x   2 root       root       4.0K Apr 10  2014 proc
drwx------   3 root       root       4.0K Oct  5  2019 root
drwxr-xr-x   2 root       root       4.0K Apr  3  2016 run
drwxr-xr-x   2 root       root        12K Apr  3  2016 sbin
drwxr-xr-x   2 root       root       4.0K Apr 16  2014 srv
drwxr-xr-x   2 root       root       4.0K Mar 12  2014 sys
drwxrwxrwx   2 root       root       4.0K Oct  5  2019 tmp
drwxr-xr-x  11 root       root       4.0K Oct  5  2019 usr
drwxr-xr-x  13 root       root       4.0K Apr  3  2016 var
lrwxrwxrwx   1 root       root         30 Apr  3  2016 vmlinuz -> boot/vmlinuz-3.13.0-24-generic

Now you’re all set! Happy sleuthing!



comments powered by Disqus