HireMe

Published: 2026-04-23 11:52 | Last Updated: 2026-05-15 16:31


https://cyberdefenders.org/blueteam-ctf-challenges/hireme/

Scenario​

Karen is a security professional looking for a new job. A company called "TAAUSAI" offered her a position and asked her to complete a couple of tasks to prove her technical competency. As a SOC analyst, analyze the provided disk image and answer the questions based on your understanding of the cases she was assigned to investigate.

Questions​

Q1 What is the administrator's username?​

Initial inspection of the evidence image reveals only one user profile: Karen.

I also used RegRipper to check the SAM hive:

We can see here that Karen was added to the Administrators group. So the answer is:

karen

Q2 What is the OS's build number?​

The build number can be identified by navigating to the registry path: Microsoft\Windows NT\CurrentVersion

16299

Q3 What is the hostname of the computer?​

The hostname is located within the SYSTEM hive under: ControlSet001\Control\ComputerName\ComputerName

TOTALLYNOTAHACK

Q4 A messaging application was used to communicate with a fellow Alpaca enthusiast. What is the name of the software?

Inspecting the user’s Chrome history reveals that she installed Skype and also accessed Outlook.

Skype is a messaging app, so the answer is:

Skype

Q5 What is the zip code of the administrator's post?​

The Chrome browser's Autofill feature frequently stores user information, including names, addresses, phone numbers, and zip codes. Navigating to the Web Data file located in the same directory as the Chrome history database and browsing the autofill table via DB Browser for SQLite, we can see the saved zip code.

19709

Q6 What are the initials of the person who contacted the admin user from TAAUSAI?​

Following the prior findings, we already know that Karen also used Outlook. By heading to C:\Users\Karen\AppData\Local\Microsoft\Outlook, we can retrieve klovespizza@outlook.com.ost

I used an Outlook forensics tool to open the .ost file. In this case, I used Kernel OST Viewer and skimmed through the inbox.

MS

Q7 How much money was TAAUSAI willing to pay upfront?​

Returning to the email discovered in the .ost file, the offer terms are explicitly stated.

150000

Q8 What country is the admin user meeting the hacker group in?​

The coordinate is: 27°22'50.10"N, 33°37'54.62"E. I did a Google search and got the result: These coordinates point to the Desert Breath, a massive 1-million-square-foot land art installation located in the Red Sea Governorate of the Eastern Egyptian Desert, near Hurghada.

Desert Breath is a land art project created by the D.A.ST. Arteam. The team was founded in 1995 by Danae Stratou (installation artist), Alexandra Stratou (industrial designer & architect) and Stella Constantinides (architect) for the purpose of creating this specific project.

Egypt

Q9 What is the machine's timezone? (Use the three-letter abbreviation)​

The timezone configuration can be identified by inspecting the TimeZoneInformation key within the SYSTEM registry hive.

UTC

Q10 When was AlpacaCare.docx last accessed?​

I extracted the $MFT file and used MFTECmd.exe to parse it and retrieve the result:

2019-03-17 21:52

Q11 There was a second partition on the drive. What is the letter assigned to it?​

The evidence image is known to consist of 2 primary partitions:

  • Multi
  • PacaLady

I scoured through the drive and finally headed to C:\Users\Karen\AppData\Roaming\Microsoft\Office\Recent and found the answer:

Alternative method: navigating to SYSTEM\MountedDevices also reveals the answer:

A

Q12 What is the answer to the question Company's manager asked Karen?​

Back to Outlook we go:

TheCardCriesNoMore

Q13 What is the job position offered to Karen? (3 words, 2 spaces in between)​

The exact job title is explicitly stated within the recruiter's email confirming Karen's correct answer.

Cyber Security Analyst

Q14 When was the admin user password last changed?​

In Registry Explorer, navigate to SAM > Domains > Account > Users.

03/21/2019 19:13:09

Q15 What version of Chrome is installed on the machine?​

The version can be found by reviewing [root]\Users\Karen\AppData\Local\Google\Chrome\User Data\LastVersion

We can also get the answer by checking the Uninstall key within the SOFTWARE hive.

72.0.3626.121

Q16 What is the URL used to download Skype?​

When a file is downloaded from the internet, Windows generates an Alternate Data Stream (ADS) named Zone.Identifier to flag the file's origin. Examining the contents of the Zone.Identifier stream attached to the Skype installer exposes the direct download URL.

https://download.skype.com/s4l/download/win/Skype-8.41.0.54.exe
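The Zone.Identifier stream is a small INI-style text file, so once a forensic tool has exported it from the image it can be parsed directly. The following is an added example, not part of the original write-up: the function name and the `ReferrerUrl` value are constructed for illustration, and only the `HostUrl` value comes from this page.

```python
# Added example: parse a Zone.Identifier stream exported from a disk image.
# URLZONE values used by Windows for the ZoneId field.
ZONES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
         3: "Internet", 4: "Restricted Sites"}


def parse_zone_identifier(raw: bytes) -> dict:
    """Return the [ZoneTransfer] fields of a Zone.Identifier stream."""
    # Streams are normally ANSI/UTF-8; tolerate a BOM or a UTF-16 export.
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        text = raw.decode("utf-16")
    else:
        text = raw.decode("utf-8-sig", errors="replace")

    fields, in_section = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[zonetransfer]"
        elif in_section and "=" in line:
            key, value = line.split("=", 1)  # URLs may contain '=' themselves
            fields[key.strip()] = value.strip()

    if "ZoneId" not in fields:
        raise ValueError("no ZoneId in [ZoneTransfer] section")
    zone = int(fields["ZoneId"])
    return {
        "zone_id": zone,
        "zone_name": ZONES.get(zone, "Unknown"),
        # A stream may carry only ZoneId, so both URLs are optional.
        "host_url": fields.get("HostUrl"),
        "referrer_url": fields.get("ReferrerUrl"),
    }


# Constructed sample: HostUrl is the answer above, ReferrerUrl is a placeholder.
SAMPLE = (
    b"[ZoneTransfer]\r\n"
    b"ZoneId=3\r\n"
    b"ReferrerUrl=https://referrer.example/get?app=skype&os=win\r\n"
    b"HostUrl=https://download.skype.com/s4l/download/win/Skype-8.41.0.54.exe\r\n"
)

if __name__ == "__main__":
    info = parse_zone_identifier(SAMPLE)
    print(f"{info['zone_name']} (ZoneId={info['zone_id']}): {info['host_url']}")
```
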

Q17 What is the domain name of the website Karen browsed on Alpaca care that the file AlpacaCare.docx is based on?​

Modern Office documents (.docx, .xlsx, .pptx) are effectively ZIP archives containing structured XML and media files. Using a utility like 7-Zip to extract the document's contents allows for the inspection of its internal structure.

Scouring through the folder and finally heading to \word\_rels, I found the answer.

Or just hover over the header of the docx file and you’ll find the answer:

http://palominoalpacafarm.com/