The misterious case of the "Cocido Balls" recipe

Intro

The owners of CenaEnCasa, an hyperdimensionally famous recipe website call desperately at your door pleading for help. Some nefarious intruder has breached into their network, stealing their cookbook for next quarter! In this cookbook is the extremely secret "Bolas de Cocido" recipe (based on the world known spanish dish "Cocido MadrileƱo"), the favourite recipe in next year's "Royal Glutton" awards.

All they can show you in this email sent by the presumed attacker:

From: hacked@cenaencasa.es
To: info@cenaencasa.es
Subject: All your recipes belong to us

Hey yo CenaEnCasa!!

Your infosec sucks, yo! I've pwned all of your servers and got all your tasty recipes, including the "Bolas de Cocido" recipe.

Evidence for you to take me seriously, morons:

  • Our main file server is called RabanoSRV
  • The "Bolas de Cocido" ... don't have any bechamel in it !

As I'm such a nice guy I'm gonna give you a chance to recover all your data. If you get to find my REAL email (not this sneaky fake one) and tell me what I have done with your network I'll consider as satisfied and keep our secrets safe.

Otherwise I'll give your recipes to ComeEnCasa and DesayunaEnCasa. And to Wikileaks. And to Kimmie. Your call.

Signed:

Nice infosec cook ("in da kitcha, cookin' malware to steal your secrat")

CenaEnCasa owners can verify the information given by the attacker, and ask you for help on their knees. Could you find the intruder and protect the "Cocido Balls" secret ?


Basic info

Interviewing CenaEnCasa owners give you this basic info:

  • CenaEnCasa computers use more or less modern Windows versions. All the network was installed some time ago by a consultant (the owners are cooks, not geeks). There is at least a server, and maybe a "Complain Controller" or something like that.
  • There are no antivirus deployed on the computers. Default Security is as it was when the computers were setup (totally unknown to the owners)
  • Last summer a owners' nephew (a Computer Science student) did an internship on CenaEnCasa and kind of made a security audit, delivering a 90 pages report. The owners read the executive summary, turned it upside down, read it again and didn't understand a thing, leaving in it deep down in the landry. The report was involved in a messy incident with a rebellious tiramisu that damaged it almost irreparably. Only these words can be salvaged: "Monitoring", "...id 5140"... "WMF 5.0" and "ysmon".

You descend on CenaEnCasa computers like a hungry fox-terrier and quickly recover evidence on several computers. Here you have what you think should be enough to crack the case:


[Note: Any IP address from the 10.x.x.x range (just for this CTF) should be considered to be located in Kazakhstan]

Memory dumps have been obtained using Dumpit (save the server that is a copy of the snapshot). Triage info has been collected using Brimor Lab Bambirraptor.

Happy hunting!