Cybertalents Digital Forensics CTF — All Challenges Write-up

Mutawkkel Abdulrhman
4 min readSep 3, 2021

--

S0rry :

We get a zip file protected with a password, I used zip2john to convert it to hash then cracked it with john using rockyou.txt word-list.

the password is iamsorrymama ( weird password XD ), let’s extract the zip file and see what we get.

we got an image named S0rry.jpg, I tried steghide but no result then tried binwalk and got a result.

i extracted the zip with binwalk — dd=’.*’ command

found 999 directories each directory contains a .txt file on of these .txt files contain our real flag but the rest contains the fake flag flag{Keep_searching}.

i used the command grep -r -v Keep to exclude all fake flags and only grab the True flag.

new account :

opening the challenge we get a .evtx file after a little bit of googling i found that it is a windows event viewer file, let’s open it in windows event viewer.

the description of the challenge says that this machine got compromised by an attacker and the attacker assigned admin privileges to a user and we must figure out who that user is.

if we filtered by the event number 4738 (User Account Management) and check the first log entry we will find the correct user (Sam).

Jam :

to be honest i couldn’t solve it XD, but this github repo contains a code that automates solving the challenge.

Little Story Boy :

the challenge is an image that contains the flag i tried steghide and binwalk but no result then tried this online steganography tool :

uploaded the image and got the flag.

Runecover :

the challenge is a packet capture file, I tried to open it with wireshark but it doesn’t work.

Then extracted the hidden content with binwalk and i got an image with the flag.

Attacker cmd history :

this is a memdump file, to analyze memdumps use volatility, lets run volatility against the file with the imageinfo plugin to know the profile.

now after we determined the profile, lets try different plugins and hope to have useful information, i tried consoles plugin and got a base64 encoded value

ZmxhZ3tjb25zb2xlc19Gb3JfSW5wdXRfQW5kX091dHB1dH0=

after decoding it you get the flag.

malicious file :

we have a file named Userclass.dat, it is an MS Windows Registry file.

to analyze windows registry files we have many tools one of them is SheelBags Explorer, I opened the file in ShellBag Explorer.

the description says that we have to find the MFT Entry number for a directory that contains a malicious file, that malicious file has some relation with windows crack or windows activation, i immediately thought of Windows Loader by DAZ folder, i googled the name and indeed i found that it is a windows cracking tool, i opened the folder and navigate to the last sub-directory and got the MFT Entry number for it, the flag is the MD5 hash.

--

--

No responses yet