CRM Snatch Tryhackme
CRM Snatch - a TryHackMe DFIR lab: analyze a Windows disk snapshot, investigate ransomware, data exfiltration, forensic artifacts, and restore evidence. Hands-on incident response & forensic challenge
Jawstar
11/7/2025 · 1 min read


Task 2: The Challenge
Which domain account was used to initiate the remote session onto the host?
matthew.collins
For how many seconds did the attacker maintain their PowerShell session active?
3455
What was the attacker’s C2 IP address used for staging and exfiltration?
167.172.41.141
Which well-known tool was used to exfiltrate the collected data?
Rclone
What is the obscured password to the attacker-controlled Mega?
yWKgVA7Rv1iIoG-VWAr7NAFbwKHNiMZGNybJ4QybJHtiFg
What is Lucas’s email address found in the exfiltrated data?
lucas.rivera@deceptitech.thm
If this story was helpful and you wish to show a little support, please subscribe to my website.
