forensics ctf writeups

S0rry: We get a zip file protected with a password. I used zip2john to convert it to a hash, then cracked it with john using the rockyou.txt word-list. Typical values for deltaX and deltaY are one or two for slow movement, and perhaps 20 for very fast movement. Along with the challenge text and an audio file named forensic-challenge-2.wav. I decrypted it using what was mentioned in the conversation, openssl des3 -d -salt -in saltedfile.bin -out file.txt -k supersecretpassword123. Binary Exploitation (Solved 5/14) 4. Hi all, I participated in zh3r0 CTF with my team and we finished 7th in the CTF; there were really cool challenges. And we need answers to some questions that follow; this would be your first assignment! I know the flag format is picoCTF{xxx}, so I decided to grep for it using. You can find the flag at the right place when you look; it will be obvious when you look at it! which gave me this. On downloading the resources we get an image and a wav file. From the description it is clear that we need to do so using aperies.fr. I got the key, and on decoding the wave file, as it was Morse code, it was clear there was nothing in the audio, so I used the extracted key 42845193 to extract data with steghide (you can use any online tools also). I also confirmed using Autopsy, and saw that this private key file was in /root/.ssh/id_ed25519 in the Linux partition that starts at 0000206848. For example, in Spain, we have a real case where the suspect used Truecrypt and it is not possible to open these containers. The challenge says to use a key_file to ssh to the remote machine, so I assumed that I need to look for a file that contained the key. :) And that's all, hope you like the write-up ;).
Now the question is to find the most probable way the malware(s) could have got in; the flag would be the name of the source. Using binwalk did not extract it, so I extracted this using. This week we decided to go for HSCTF 6 organized by WW-P HSN CS Club. The above image was given; following the basic commands I got this by binwalk. As the results show, it has some RAR content; on unraring the content I got the flag. Starting with the classical command to check the file format, it was a .jpg file. Before I executed this script, I closed all programs that I wasn't using to reduce variations in time due to background processes. As hash is 68 61 73 68 in hex, I inputted this hex value into the Wireshark search to look for all packets that contained this hash information. I knew this was the file I was looking for, because OpenSSL with des3 salt will generate an encrypted file that starts with Salted. and divided 19644459 by the block size 1024 bytes using. In the last few rows, I saw { 3 n h 4 n and c 3 d _ 6 7 8 3 c c 4 6 }, which looked like the flag, so I concatenated this to form {3nh4nc3d_6783cc46}. I renamed it to flag4.xz and I extracted it using. Knowing the operating system we can start to extract useful information. This shows that 48300000 takes the longest, therefore I will be using this for the fourth test batch. I went to Steganography Online to decode the image, but decoding the image did not reveal anything. And also by how I solved it so fast, because it was written as a note; that's why notes are important! This created a file called flag2.out, and revealed that it was LZMA compressed data. Okay so basically I found this in 2 steps: Do a keyword search for 'Anubis.exe' (include substring). It returned 4 results, and only 1 of them was a registry file. The second file is a list of users and passwords in XML format. XOR the extracted image with the distorted image with stegsolve.
Updated on Oct 16. My picoCTF 2022 writeups are broken up into the following sections. We can discover running processes, dump files, secrets, connections and a lot of useful information. The difference is FFB1. This created a file called flag3.out, and revealed that it was XZ compressed data. So the first idea I got was to start looking in the emails and reports that Autopsy grabbed for us (man, I love that tool). Posted on Apr 3. The following shows the example execution, where Incorrect Length is outputted when a PIN that's not 8 digits is entered, Checking PIN is outputted if an 8-digit PIN is entered, and Access denied. Use a command like strings to read the flag. The flag is hidden in the second commit. Much appreciated. Now I know what file I am supposed to look for and what directory and partition it was in. But I have a friend who participated; he knows I love forensic challenges, so he sent me one of the challenges that were part of the competition. I assumed that this was the flag, and I just needed to add the picoCTF wrapper. Reaching this point, let me clarify that this is not a Truecrypt vulnerability. So I copied this file into a file with a .sh extension. This file corresponded to name: Zoo (2017) 720p WEB-DL x264 ESubs - MkvHub.Com. So I looked up 17d62de1495d4404f6fb385bdfd7ead5c897ea22 on Google, and saw that it corresponded to Awakened.2013.1080p.BluRay.X264-iNVANDRAREN. After unlocking we got an image which has the flag. While I was searching around in reports and documents I was taking some notes about what could be malicious, and this is where things get interesting on the side! Use git show to reveal the flag. I was expecting to find the flag at this point, but it is not much further away. So I went to the /root/my_folder directory, and I saw that flag.txt did not contain any relevant information because it was shredded.
However, this returned Filename has an unknown suffix, skipping, so I renamed it to flag2.lzma and I extracted it using. If you have played other CTF challenges this seems a little obvious, but let it break into parts. This is because I'm not really good at Java programming. We hosted our first CTF successfully. So let's open the container; using Veracrypt we can open it. However, there were too many entries with the string flag, so I decided to narrow the string search down. And noticing the exe file makes it clear; for more, you can google the name of the exe: it's not a known process or a Microsoft one, so that makes it clearly a thing. We wrap it into the flag format and rock! I also decided to find the full contents of the file that contained Salted using, $ ifind -f ext4 -o 411648 -d 10238 disk.flag.img, $ icat -f ext4 -o 411648 disk.flag.img 1782. I double checked with Autopsy, and saw that the commands used were contained in .ash_history. I executed this script again to confirm. Here, in this challenge, the power of notes comes in. Remember when I said always take notes? Well, this chall didn't take more than 30 seconds. Running imageinfo will give us the suggested operating system profiles. I tried to find the partition information using. By just opening the first report, I think we can determine, after some analysis, that we found the flag: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders LastWrite Time Sun Jun 14 10:03:02 2020 (UTC). One is a distorted image and the other is a normal weird image. The flag is located at the bottom-right corner. Since the flag format is picoCTF{xxx}, I decided to search for the string pico using. By scrolling down we read an ahaha thing in one of the files, so we open it and start digging around.
To view some basic info about the type of memdump, we run volatility -f memdump.raw imageinfo to view the profile. I also checked the file system information for the Linux partition starting at 0000360448 using. I hope you liked the CTF event. After that, find the passHash in the dump. $ strings -t d disk.flag.img | grep -iE "pico". This created a new folder called _flag.extracted, and inside was a file called 64. We solved all the digital forensics. We officially hunted down all those three malwares! The first thing to do is download the memory image (OtterCTF.vmem). I tried to open this up in my PDF reader, but it said that it cannot be opened. I saw that a directory called my_folder was created, the shell moved into the my_folder directory, flag was written into flag.txt, flag.txt was copied into flag.uni.txt, and the original flag.txt was deleted securely using shred, which would make it extremely difficult to recover. $ strings -t d disk.flag.img | grep -iE "flag". No binwalk or steghide for this task, just a normal stereogram. The first packet that contained info_hash was packet 332 with a hash value of 17c1e42e811a83f12c697c21bed9c72b5cb3000d. Now running the command in the terminal.
HTB x UNI CTF Quals Forensics Writeup. Reverse Engineering (Solved 2/12) I will find the intended solution and update the post soon. The third byte is "delta Y", with down (toward the user) being negative. But after taking some time searching around, I found out that I'm in a rabbit hole (that I made myself). GG anyway guys ^_^ TOP15 will qualify for the finals if their writeups are approved by the organizers. I assumed that the PIN is checked from left to right, where Access denied. I downloaded the file and extracted it. So, I made the 4 challenges in zh3r0 CTF. This challenge is oriented to students; for that reason I could not participate. Secrets in live memory have always been a problem. The following shows the example execution, where the Time taken is outputted in seconds. Extract the zip file and ignore the Loo Nothing Becomes Useless ack as it has nothing to do with the challenge. First off, open up the dumpster with visualvm. So I looked closely and saw that so many numbers weren't 8 bytes. So I went into the webshell, put the private key into key_file, and tried to ssh to the remote server using. Forensics (Solved 13/13) 2. And this revealed that it was a shell archive text. Like last time, it gave unknown suffix, so I renamed it to flag2.lzop, and I extracted it using. We must subtract 4 bytes for the length field of the second IDAT, subtract 4 bytes for the CRC of the first IDAT, and subtract 4 bytes again for the chunk type of the first IDAT. Web Exploitation (Solved 2/12) All my writeups can also be found in my GitHub's CTFwriteups repository. I viewed the contents of the file, which contained a very long text. Thanks for reading. This is crucial because if the container was not mounted we weren't able to retrieve the keys for opening it. Hello Everyone, I am a member of the zh3r0 CTF team. Again, converting the output from binary to ASCII doesn't give the flag.
Info: NTUSER.DAT files are created for every system user and contain some personal files and data. The information we have is that MR.Zh3r0's music folder isn't really a music folder, (i.e.), his music folder seems to trigger the virus software somehow whenever he clicks it! Then I used binwalk to extract the ar archive. Now he can't even open his default music folder to hear some good music! So I exported the packet as saltedfile.bin using File > Export Packet Bytes. By thinking about phishing, we found that the most common phishing techniques are either sending a file or a malicious URL. Because of that, I used the latest stable release, Volatility 2.6. Given this memory dump, we will use Volatility to proceed. We were fortunately able to get his PC's image and some of the files in it. I looked through the packets, and found the file that started with Salted in packet 57. ./volatility_2.6 -f evidencias/snap.vmem imageinfo, ./volatility_2.6 -f evidencias/snap.vmem --profile WinXPSP2x86 pstree, ./volatility_2.6 -f evidencias/snap.vmem --profile WinXPSP2x86 truecryptsummary, ./volatility_2.6 -f evidencias/snap.vmem --profile WinXPSP2x86 truecryptpassphrase, ./volatility_2.6 -f evidencias/snap.vmem --profile WinXPSP2x86 truecryptmaster. There are several attack vectors by which a malware could get into the system, which you will need to find. So in this first chall we're asked to give the name of the author that the malware has changed in the TimeZone information.
The first thing we need to do is to identify the operating system in order to properly analyze the live memory acquisition. By visiting the MEGA URL, you will get a ZIP file. This shows that 48390510 takes the longest, therefore I will be using this for the eighth test batch. If you have found all the other flags then this one will be easy for you; this is a test of how much you know about forensics and where to look properly! So I decided, why don't we take a look back at those 2 reports! Therefore, I assumed that the flag might be contained in a file named flag.txt. I opened up Autopsy and searched for the directory that contained flag.txt and flag.uni.txt in the fourth partition of the disk, which is Linux (0x83) 360448-614399. and the rest with 0, which will give a binary and hence the flag. I wrote a python file which will convert \t or 0x09 to 1. Use the strings command to locate the flag. Will you help her to find the flag? However, it had the permissions 0664, which were too open, so the private key was unusable. CTF challenges are usually focused on Web and Reversing, but what about forensics? The overall packet capture looks like the following. Just looking for the IP will give us the password, V8M0VH. I wanted to check if there were any strings that could hint at a flag file, so I checked for the string flag using. On extracting the zip file we get two panda images. At first I tried a lot of tools, but it was much easier: the flag was in the difference of the strings of the two images. By using binwalk on the normal image, you will come across the following. As this is a torrent challenge, I went to Wireshark and enabled the BitTorrent DHT Protocol (BT-DHT) by going to Analyze -> Enabled Protocols. To automate this process, I made the following shell script auto.sh. Keep pushing the image to the left (press the right key); you should get the flag at offset 102.
The hint in the challenge was asking us to re-read the first chall description carefully and examine the events that occurred at that time. Since it was password protected, I used fcrackzip and everyone's favorite rockyou.txt to crack it. ICS A Different Type of Serial Key: Attached are serial captures of two different uploads to an embedded device. I downloaded the file, extracted it, and checked the partitions using. We are also given the file capture.flag.pcap. Yaknet 3. flag : zh3r0{C:\windows\Program Files(x86)\Anubis.exe}. $ volatility -f memdump.raw imageinfo Volatility Foundation Volatility Framework 2.6 INFO : volatility.debug : Determining profile based on KDBG search . Hello there, another welcome to another CTFlearn write-up. I went ahead to CyberChef and converted this from hex, picoCTF{f1len@m3_m@n1pul@t10n_f0r_0b2cur17y_347eae65}. I checked the file type of flag, and revealed that it was lzip compressed data. So as the description says we need to find another malware (those guys have no mercy for this poor man, damn). Remember I said that reports are now our primary tool; why don't we check them again and see if we missed anything. I double checked with Autopsy, and confirmed that the Salted file was there. In this question we were given a password protected zip file, so let's crack it using fcrackzip. Chall name : Soundless. Chall description : Good job in finding the flag! Enjoy! Their team did not manage to solve this challenge, so let's see what it was about and how to solve it. This write-up only covers the memory forensics portion, but the whole CTF is available to play as of the publication of this post. From this, I assumed that the flag is contained in flag.uni.txt in the my_folder directory, so I decided to search for that using. At least for me, it was a fun and easy challenge.
Well, looking in all these files will take so long, so why don't we find if there is something that clues us in about the file. This CTF ran from July 7, 2017 to July 8, 2017. For the first test batch, I decided to use 00000000, 10000000, 20000000, 30000000, 40000000, 50000000, 60000000, 70000000, 80000000, 90000000 for the PINs. 2. Then I used that result, 19184, to find the inode number of the file containing the string file.txt using, $ ifind -f ext4 -o 360448 -d 19184 disk.flag.img. Challenge attachment link if you are interested. I checked the file type of 64, and revealed that it was gzip compressed data. CTF Writeup: picoCTF 2022 Forensics. My picoCTF 2022 writeups are broken up into the following sections, 1. This created a file called flag3, and revealed that it was LZIP compressed data. First of all, let's check the hidden files using binwalk. As you would expect, this backfired. The password is encoded with base64, and make sure to change the URL encoded padding (%3D) to =. How could a malware edit the TimeZone information if it had Administrator Privilege to the system!? Of these, 3 were in the forensics category and 1 was in the web category. After renaming it .jpg I ran some tools, and steghide worked perfectly and I got a flag.zip file. Some people thought that Truecrypt had hidden vulnerabilities, but long story short, nothing was found. So here basically the author tells us that the PC has another malware, so we need to find it. So I extracted it using. While reading the writeups published by CTF team bi0s, I came across the GitHub profile of Abhiram. 1) 07601 Link: https://ctflearn.com/challenge/97 This one is simple. Maximum possible values are +255 to -256 (they are 9-bit quantities, two's complement). Using this password we should be able to open the container, but we can retrieve more info and a master key using truecryptmaster. So, I'm going to do more bundle walkthroughs on CTFLearn. There is the flag shown in the screenshot below.
I had the chance to participate with the CyberErudites Team in the first edition of the HackTheBox University CTF. After realizing that I should redirect my thinking to the browser, I checked what Autopsy gave as information and found an NTUSER.DAT file. Volatility is an Open Source project with a great and active community behind it; there are alternatives like Rekall, but I personally prefer Volatility. I assumed that the flag might be contained in a .txt file as that is the most common means of storing the flag in a disk forensics challenge. So I extracted it using. First of all, let's check the hidden files using binwalk. $ strings -t d disk.flag.img | grep -iE "flag.uni.txt". We found that his PC had some sort of problem with Time Zones; even though he tries to reset it, it seems the malware is somehow able to edit the TimeZone to what it wants, which is the malware author's name. After executing, a file called flag was generated, and checking the file type revealed that it was a current ar archive. There I saw the Forensics-Workshop repo; it contains 10 challenges and I managed to solve all of them. Every operating system handles memory in a different way. Just select the container, specify the password, and remember to check TrueCrypt Mode, because it is a Truecrypt container. We are also given the file disk.flag.img.gz. We have a certain idea that somehow the virus might be redirecting the clicks to a different location where the virus resides, or the location of the music folder could be completely different! From here it was quite frustrating because you need to guess the flag words; however, I cracked it. Let's do a quick start. Solution. I downloaded the file, extracted it, and used the following command. The suggested profiles are Windows XP related; we can use one of them, WinXPSP2x86 or WinXPSP3x86.
This created a file called flag4, and revealed that it was ASCII text and contained the following. OtterCTF dates from December 2018 and includes reverse engineering, steganography, network traffic, and more traditional forensics challenges. As for this kind of challenge, I like to discover the OS version and some information about it, so I played around with the files and found this under the Operating System Information section: Windows XP service pack 1. We have an idea about what system is being used, so we can google some paths that may be useful in our challenges. Right now some systems use Hardware Security Modules for achieving that, but it is not a solved problem. As OpenSSL with the salt option generates encrypted text that starts with Salted, I decided to string search for that using, strings -t d disk.flag.img | grep -iE "Salted". So this time we try to search what the reports can give us! Download the PDF file. We have a lot of stuff inside the image file. Opening this up in Wireshark showed the following. Therefore, the PIN with the correct leftmost digit should take the longest time because it will move on to the next digit comparison. I used the stegsolve tool to complete this challenge. Using the same in this challenge, we are being asked to search for several vectors that the malware could have got in from! The password is iamsorrymama (weird password XD); let's extract the zip file and see what we get. $ strings -t d disk.flag.img | grep -iE "flag.txt". I opened the file; it was blank, but there were 88 lines which 4. After some searching I found out that Internet Explorer saves some good info in this file, so why don't I take a look.
flag : zh3r0{C:\Users\zh3r0\Documents\Hades.exe}, Chall name : Run Forrest Run. Chall description : Just like one other malware you found, we found traces of another malware which is able to start itself without user intervention, but this time we have no idea or info on when it starts or what triggers it; we only know that it runs automatically! This created a file called flag.out, and revealed that it was LZ4 compressed data. Without thinking twice, extract all the files with the following command. I decided to view the contents of the file using. He had some bad colleagues in his office that led him to have some bad intentions towards them. We have two files from the challenge. We are also given the file torrent.pcap. 3. We have found traces of yet another malware! I decided to look further into this, so I took the offset for nano flag.txt, which is 204193835, and subtracted 184549376 (which is 360448 * 512) using. is outputted as soon as the leftmost digit does not match. As for today, we are going to walk through the Medium level forensics. byte 3: Y movement. I logged into the master server using this PIN, which gave me the flag. Our first task is to find one of the pictures and XOR it to find another image. The password is located at the first downloaded picture where you find the MEGA URL. Well, it has been a while since my last walkthrough on binary and cryptography. Well, for the previous challs we just used 2 reports that have such juicy data, and we didn't have the chance to complete them because we were stumbled by a flag! Name of the God, huh, that's big, bro x). There were files that contained OPENSSH PRIVATE KEY, so now I have to find the actual contents of the private key file. Cybertalents Digital Forensics CTF All Challenges Write-up. This shows that 48390000 takes the longest, therefore I will be using this for the sixth test batch. We are also given the file anthem.flag.txt.
By checking the file type, it is a data file instead of a jpeg. Chall description : Now that you have found out how the malware got in, the next question is to find what the malware's name is. We have got a lead though: we found out that the virus wasn't removable from the system even after a system. So by entering the files of the system we play around in some files until we stumble on a file named TimeZonesInformation, and with it we're pleased with the author name: Cicada3310. [Link: https://ctflearn.com/challenge/104]. Subtracting 12 in total, we get FFA5. The Forensics challenges I solved in picoCTF 2022 are the following. So by a little brainstorming analysis we have: he loves what he does (math) // how can this man live xD; he has some enemies in the company he works in. This created a file called flag2, and revealed that it was LZOP compressed data. CTFLearn write-up: Forensics (Medium). Hello there, another welcome to another CTFlearn write-up. Extract all the files within the image; we find what we needed. is outputted. Cryptography (Solved 11/15) 3. As most private keys contain the string OPENSSH PRIVATE KEY, I string searched for that using, $ strings -t d disk.img | grep -iE "OPENSSH PRIVATE KEY". This shows that 48000000 takes the longest, therefore I will be using this for the third test batch. I always start with pstree. After extracting the files, there is another oreo image (2 pieces of oreo). Therefore, I changed the permissions to 400 using. So when rearranging these ideas, we can have an idea that the attacker got some kind of malicious email that had the malware, but where was the malware's original place?
While searching around we found an exe file that seems really obviously a thing, and boom, that's a flag. Voices in the head is a 2000 point forensic challenge. Make sure you have selected the thread. Author: CISA. And we have a suspicion whether he only downloaded one malware or more than one. And after analysing it all (by saying analysing I mean opening it and reading it carefully, because it was pretty straightforward), we find some really good things. Based on the GameBoard, almost all the challenges were solved by at. Executing this showed that 48390513 is the correct PIN. I did Follow TCP stream, which revealed a conversation between two people. http://w3.you-got-million-dollars-click-me.nr.hg.org.tech/. How could this happen? I then executed this script. Badsud0, Capture the flag team leader, TUN. Greetings there, welcome to another CTFLearn write-up. GreHack CTF 2022. game reverse network proxy. Your goal is to decode the serial traffic, extract the key and function block, and use these to find the flag. The challenge makes the process of finding the container easy, but in a real scenario, you could be faced with evidence containing encrypted containers. Binary Exploitation (Solved 5/14) Zh3r0 CTF : Digital Forensics Writeups. This showed the full command. In this case, this is not necessary, but in a real scenario where we could not retrieve the master key or the password, this information is always useful. I opened the image, and while it was scanning there was some really juicy information we can notice in the results section. As for this kind of challenge I use Autopsy! Reverse Engineering (Solved 2/12) 5. Using this information we could start a brute force attack on the container. Opening this up in Wireshark showed the following. I decided to Follow TCP stream, which revealed the flag. Last week a CTF event organized by the Spanish Guardia Civil was held, the II NATIONAL CYBERLEAGUE GC. The extracted folder contained a file called flag.
I made the script so that the PIN could be inputted like the following. I saw that some text was covered in black highlight, so I opened it up in Word and changed the text color of the highlighted words to red, which revealed the flag. So we just have to spot where the timezones info would be. Although it hasn't been identified at a particular location, something is triggering it to restart as soon as he logs in! One of his HECKER friends suggested downloading some virus to destroy the data the other people have. This will also give us information about the Encryption Algorithm, AES, and the algorithm mode used, XTS. We're getting selected. A really helpful tool (FTK Imager is a good choice too). By reaching this point we have to admit that the reports section is the really useful tool in here; it's like monitoring some traffic in the network (not exactly). Save it as Decryptor.java and run it with the following command. Therefore, 40000000 is what I will be using for the second test batch, thus I used the following shell script. In the last 4 hours, we didn't manage our time well! First of all, extract the file and read the log. We are also given the file drawing.flag.svg. As the title suggested, the distorted image is somehow an XOR between 2 pictures. This shows that 48390500 takes the longest, therefore I will be using this for the seventh test batch. Well, with an execute order right there, the file name confirms our hint! I always love to play forensics and memory analysis challenges. Always, when doing things like that, notes can help sometimes; maybe not now, but later on. This showed that the Linux partition was using an Ext4 partition with a block size of 1024 bytes. Open the registry file and look one line up. HSCTF 6 CTF Writeups. One of these uploads is a key and the other is a function block. We are also given the file disk.flag.img.gz. The first thing we did was to open up the WAV file and check out the content.
We are also given the file network-dump.flag.pcap. This outputted some interesting entries, and the following caught my eye. I applied the bt-dht filter, looked through the packets, and saw that some contained info_hash. As it was encrypted using openssl aes256 -salt -in flag.txt -out flag.txt.enc -k unbreakablepassword1234567, I decrypted it using, $ openssl aes256 -d -salt -in flag.txt.enc -out flag.txt -k unbreakablepassword1234567. I decided to use zsteg instead, with the -a option to try all known methods, and the -v option to run verbosely. I used the offset 114562048 and did the operations similar to Sleuthkit Apprentice to find the file contents using the commands, $ ifind -f ext4 -o 206848 -d 8453 disk.img. Here, I saw that the PIN 40000000 took the longest, with a significant time difference from the other PINs. With some research I found that it is a type of data encoding and can be solved by replacing some hex values with 1. We solved all the digital forensics challenges, so we're gonna make a little writeup trying to explain everything! Is your desk photo giving away important data? There is a noticeable time delay during Checking PIN and Access denied., so we can use a time-based side channel attack here. This is one of the toughest challenges I faced. 27-05-2019. Currently working as a cybersecurity researcher at the University of Alcalá. Another image is extracted from the zip. And we obtain the password: 13576479. Having a RAM acquisition can give us a lot of information in a digital forensics investigation. From this, I assumed that the flag was first written into flag.txt, encrypted and put into flag.txt.enc using OpenSSL aes256 with the salt option and the password unbreakablepassword1234567, and flag.txt was shredded.
The flag will be in format flag{}. While browsing the files I noticed a folder called typedurls, which was really worth checking because we saw in Autopsy that there was a web history result section, but not the full one; so after scanning this file we found a URL that looks really suspicious, http://w3.you-got-million-dollars-click-me.nr.hg.org.tech/ (please don't enter it, nothing there), so we wrap the URL in the flag format and boom, we get the flag: zh3r0{http://w3.you-got-million-dollars-click-me.nr.hg.org.tech/}. First and foremost, locate a MEGA URL inside the downloaded image. We are also given the file Flag.pdf. We can see that the TrueCrypt container was opened and mounted on 20201011. I prefer to replicate and solve real scenarios in CTF challenges instead of the very strange ones. byte 2: X movement. 500. Katycat Challenge (Forensics): katycat is trying to find the flag but she is lazy. This one is simple. If you find the reason or the method for the above mentioned phenomenon you will find the flag there as an obvious one. For this task, you have to look really deep. FLAG. Web Exploitation (Solved 2/12). All my writeups can also be found on my GitHub's CTFwriteups repository. This CTF ran for exactly 24 hrs and we had easy, medium and hard challenges. GreHack CTF 2022. programming proxy network. With some research I found that it is a type of data encoding and can be solved by replacing some hex values with 1 and the rest with 0, which will give a binary and hence the flag. I wrote a Python file which converts '\t' or 0x09 to "1" and " " or 0x20 to "0" and removes the remaining others. Forensics (Solved 13/13). Right now Volatility has a 3.0 version with a lot of improvements, but it is in beta. Either way, Volatility has some commands centred on analysing TrueCrypt processes: truecryptsummary can give us information about the TrueCrypt process. Managing secrets in live memory is a difficult and challenging process.
Challenge 1. He has called the world's best forensics experts to come to his rescue! Open up the PCAP file with Wireshark and follow the TCP stream to frame 3. So I cut down all the numbers from the right to 8 bytes. Similar to the first task, binwalk the oreo.jpg. The container seems to be an encrypted container and snap.vmem is a RAM acquisition. The most interesting process to look up is TrueCrypt. Forensics Challenges. As for today, we will go through the easy Forensics and most of the tasks contain basic . So I extracted it using. After that, I've drafted the following Java code. Chall description: MR.Zh3r0 is a mathematician who loves what he does, he loves music and of course he is really good with personal desktops, but a really gullible person who could be phished or scammed easily! This will let us know what processes were running in the system. Note: please read every line because it's necessary to understand what's going on and how I thought through the challs! We got another image inside 3.png. In summary, we have a password, a master key, the encryption algorithm and a container. If we open Readme.txt we can see that they are looking for the password associated with the IP: 48.37.29.153. From the program behaviour, I saw that the length is first checked, and if the length is 8, the program proceeds to check the digits of the 8-digit PIN code (otherwise, it immediately returns "Incorrect length"). So basically Autopsy gives you a Reports section that presents for us the recent activity that has been made on the PC. The challenge only wants us to find the file name, and not reconstruct the file, so I knew that this info_hash information will be very important because it tells us the hash of the file. Yaknet 2.
TrueCrypt was a program that allowed us to create encrypted containers and partitions. Replace the length field with 00 00 FF A5. CTFLearn write-up: Forensics (Easy). So I looked into flag.uni.txt, which contained the flag. Problem is, where is the password? The challenge asks for the Linux partition size, which is 0000202752. A hint was distributed to all teams as a starting point. The flag is hidden inside the "I warned you.jpg" file. There is one password-protected zip file. Hint: in case you weren't able to note which is the malware name, it would be a name that is of the GOD. It seemed like these two people had been exchanging files, and one person forgot how to decrypt it, so the other person tells them to decrypt it using openssl des3 -d -salt -in file.des3 -out file.txt -k supersecretpassword123. 5. I did the operations in Sleuthkit Apprentice to find the partition information, and I decided to string search flag.txt using $ strings -t d disk.flag.img | grep -iE "flag.txt". I downloaded the file and extracted it. FLAG : csictf{7h47_15_h0w_y0u_c4n_83c0m3_1nv151813}. This returned 2363, so I printed the contents of that file using $ icat -f ext4 -o 360448 disk.flag.img 2363. I made the following Python script side.py to measure the time before "Access denied." I Googled this, and saw that it corresponded to ubuntu-19.10-desktop-amd64.iso from LinuxTracker.org. So I redirected the output to flag.txt.enc using $ icat -f ext4 -o 411648 disk.flag.img 1782 > flag.txt.enc. Save. I looked through a few more, and I was at packet 51080 which had a hash value of e2467cbf021192c241367b892230dc1e05c0580e.
Right now it is discontinued and has been replaced by VeraCrypt. So, all credits go to this YouTube video. (Nothing Is As It Seems). (Using the strings command). Let's do a quick start. The first packet that contained info_hash was packet 79 with a hash value of 17d62de1495d4404f6fb385bdfd7ead5c897ea22. 1. I salute the author of these challenges; it was a really nice experience being pleased with these challenges, and also the CTF organizer, really thank you! Knowing that, we can launch truecryptpassphrase to retrieve the password used to open the container. We are also given the file Financial_Report_for_ABC_Labs.pdf. The most popular tool for memory analysis is Volatility. Moreover, this replicates a real scenario. Which showed the partitions and their sizes. As for today, we are going to walk through the Medium level forensics. So I saw xxd of the file. KapKan (Forensics1 . It contained the encrypted file with the contents. is outputted if the 8-digit PIN is incorrect. So basically we're provided with some files that we got from the victim PC and we need to investigate a malware that is on the victim PC. This shows that 48390000 takes the longest, therefore I will be using this for the fifth test batch. After decryption succeeded, I was left with file.txt that contained the flag. This revealed the flag at b1,rgb,lsb,xy, where rgb means it uses the RGB channel, lsb means the least significant bit comes first, and xy means the pixel iteration order is from left to right.
