{"id":174,"date":"2019-01-17T04:02:14","date_gmt":"2019-01-17T04:02:14","guid":{"rendered":"https:\/\/mrjsec.co.uk\/blog\/?p=174"},"modified":"2019-01-17T04:02:20","modified_gmt":"2019-01-17T04:02:20","slug":"tangle-coalbox-lethal-forensicelfication-cranberry-pi-terminal","status":"publish","type":"post","link":"https:\/\/mrjsec.co.uk\/blog\/tangle-coalbox-lethal-forensicelfication-cranberry-pi-terminal\/","title":{"rendered":"
Tangle Coalbox – Lethal ForensicELFication Cranberry Pi terminal<\/center>"},"content":{"rendered":"\n

As we speak to Tangle Coalbox, they ask if we can help them with an investigation.
“Elf Resources assigned me to look into a case, but it seems to require digital forensic skills.
Do you know anything about Linux terminal editors and digital traces they leave behind?
Editors can leave traces of data behind, but where and how escapes me!”<\/p>\n\n\n\n

Were given a hint to check out this website<\/a> and to be honest, that’s the only hint we need.<\/p>\n\n\n\n

When we start the terminal, we see this.<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

So the task here is too “Find the first name of the elf of whom a love poem was written. Complete this challenge by submitting that name to run to answer.”<\/p>\n\n\n\n

First thing I did, as I checked the .bash_history, and we can see there was a folder created called .secrets\/her\/<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

Also, if we cd to .secrets\/her\/ we find a file called “poem.txt”<\/a> which is the love poem we need to find out who created it.<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

“How sweet\u2026\u2026\u2026\u2026” Let’s get back to the challenge here. Using the hint URL given if we use the command “cat .viminfo”, we get tons of information, but one thing that stands out is this.<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

“# Command Line History (newest to oldest):
:wq
|2,0,1536607231,,”wq”
:%s\/Elinore\/NEVERMORE\/g
|2,0,1536607217,,”%s\/Elinore\/NEVERMORE\/g”
:r .secrets\/her\/poem.txt
|2,0,1536607201,,”r .secrets\/her\/poem.txt”
:q”<\/p>\n\n\n\n

Which shows Elinore created the poem.txt. So, the answer is “Elinore” and if we use Elinore with the run to answer\u2026 We get the congratulations!<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

Thank you for solving this mystery, Slick.
\nReading the .viminfo sure did the trick.
\nLeave it to me; I will handle the rest.
\nThank you for giving this challenge your best.
\n-Tangle Coalbox
\n-ER Investigator
\nCongratulations!<\/p>\n","protected":false},"excerpt":{"rendered":"

As we speak to Tangle Coalbox, they ask if we can help them with an investigation. “Elf Resources assigned me to look into a case, but it seems to require digital forensic skills. Do you…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[10],"tags":[13,14,12],"class_list":["post-174","post","type-post","status-publish","format-standard","hentry","category-kringlecon-2018","tag-13","tag-ctf","tag-kringlecon"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/paD3U6-2O","_links":{"self":[{"href":"https:\/\/mrjsec.co.uk\/blog\/wp-json\/wp\/v2\/posts\/174","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mrjsec.co.uk\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mrjsec.co.uk\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mrjsec.co.uk\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mrjsec.co.uk\/blog\/wp-json\/wp\/v2\/comments?post=174"}],"version-history":[{"count":1,"href":"https:\/\/mrjsec.co.uk\/blog\/wp-json\/wp\/v2\/posts\/174\/revisions"}],"predecessor-version":[{"id":180,"href":"https:\/\/mrjsec.co.uk\/blog\/wp-json\/wp\/v2\/posts\/174\/revisions\/180"}],"wp:attachment":[{"href":"https:\/\/mrjsec.co.uk\/blog\/wp-json\/wp\/v2\/media?parent=174"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mrjsec.co.uk\/blog\/wp-json\/wp\/v2\/categories?post=174"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mrjsec.co.uk\/blog\/wp-json\/wp\/v2\/tags?post=174"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}