search

Forensics Challenges

hashtag
Thread

Tom had always been curious about programming, and one day he stumbled upon a new coding language that he had never heard of before. Excited to learn more, he asked ChatGPT for some resources to get started. ChatGPT provided a link to a website that had some useful tutorials and code samples. But when Tom tried to download one of the files, his computer started behaving strangely. After running the commands md5sum tutorial.pdf > result.txt and cat result.txt, the following output is received: d0ee6ffc8ce0e7f21cdcbd5e98c2dd4174a5d1b0266ec7f69075a0d9bea14757

Flag Format: aupCTF{popular threat label}

hashtag
Solution

Since computer started behaving strangely, we may be dealing with a virus, to check this hypothesis we can go to VirusTotalarrow-up-right and search with hash.

https://www.virustotal.com/gui/file/d0ee6ffc8ce0e7f21cdcbd5e98c2dd4174a5d1b0266ec7f69075a0d9bea14757arrow-up-right thread-1

circle-check

Flag:aupCTF{trojan.nanocore/msil}

hashtag
I Love Math

Challenge: matharrow-up-right

hashtag
Solution

The challenge file is a pdf, with password.

Crack the password with john

└─$ pdf2john math.pdf > math.hash

└─$ john --wordlist=$rockyou math.hash
Using default input encoding: UTF-8
Loaded 1 password hash (PDF [MD5 SHA2 RC4/AES 32/64])
Cost 1 (revision) is 6 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
naruto           (math.pdf)     
1g 0:00:00:00 DONE (2023-06-26 15:38) 4.347g/s 556.5p/s 556.5c/s 556.5C/s 123456..diamond
Use the "--show --format=PDF" options to display all of the cracked passwords reliably
Session completed.

We open the document, but its empty! I can't see anything here. I tried selecting all text (Ctrl+A) to reveal potentially invisible text.i-love-math-1

Let's remember some math from school D:

2x + 4y = 16 | 3 | 6x + 12y = 48 3x + 7y = 25 | -2 | -6x - 14y = -50

If we add equasions we get: -2y = -2 => y = 1 2x + 4y = 16 => 2x + 4 = 16 => 2x = 12 => x = 6

circle-check

Flag:aupCTF{I_Love_Math_6_1}

hashtag
Password Recovery

We stumble upon a lost smartphone that holds crucial data for an ongoing investigation. Unfortunately, the owner seems to have forgotten the screen lock password, but there is a glimmer of hope. The victim, in an attempt to remember the password, left a clue on the phone's lock screen. use your forensics skills to find the password.

filearrow-up-right

Flag format: aupCTF{password}

Hint: In android lock screen info is saved in a database

hashtag
Solution

Unarchiving can take some time, file inside is ~5.51GB

Unarchiving gives us a DD filearrow-up-right which is a disk image file and replica of a hard disk drive. To view the information on file first list partitions.

The most interesting would be dd3, so let's mount it and explore the filesystem.

circle-info

Multiplyingthe starting sector by the sector size gives you the total number of bytes to skip to reach the beginning of the partition.

password-recovery-1

Looks like Base64...

circle-check

Flag:aupCTF{p4$sw000rdCLU3}

circle-info

Notice'=' (padding) at the end, Base64 encoding always produces a string with a length that is a multiple of 4.

circle-exclamation

Don'tforget to unmount the device sudo umount tmpmount.

hashtag
Kingsman

Welcome to Kingsman, the world's most elite intelligence agency where we pride ourselves on our cutting-edge technology. However, it appears that our highly sophisticated security system has been breached by an unknown hacker. Even our state-of-the-art AI, Merlin, has failed to protect our system against this intrusion. Your mission, if you choose to accept it, is to use your advanced decryption skills to bypass our highly flawed password policy and uncover the secrets that lie within. Get ready for the ultimate test of your intelligence as you embark on this daring mission to decrypt the hidden message that awaits. Only by cracking the code will you be able to claim your victory and prove yourself worthy of becoming a Kingsman agent. So, are you ready to accept this challenge?

The password requirements are as follows:

Remember, Your objective is to crack the encryption and reveal the hidden message. -- John

Challenge file: encrypted.7zarrow-up-right

chevron-rightHint:hashtag

Don't tell anyone that i gave you names of the petsarrow-up-right

hashtag
Solution

First lets get hash to crack and start cracking.

I'll be using hashcat to crack the hash so I'll delete the name portion (text till $7z$) and only leave hash.

Now let's create a wordlist

circle-check

Flag:aupCTF{j0hncr4ck5pa55w0rd5}

circle-info

ZipPassword: 9 + " + roxy + F + k -> 9"roxyFk

hashtag
MemDump

You are investigating a potential security incident within your organization. Malicious activity has been detected on one of the company's servers. To gather more information, you need to analyze a memory image of the affected server. You are provided with a memory image of the infected host.

you need to download the memory image from this link: download filearrow-up-right

Your goal is to find the flag, which consists of the process name of the malicious activity.

Flag format: aupCTF{processname.exe}

hashtag
Solution

I was having trouble opening the file, huge thank you to the author of aupCTFarrow-up-right for recommending Volatilityarrow-up-right

I found a great post demonstrating how to use tool at https://www.varonis.com/blog/how-to-use-volatilityarrow-up-right

windows.malfind displays a list of processes that Volatility suspects may contain injected code based on the header.

DLL injection is a technique that allows code to be inserted into a running process. From pstree we see that first notepad.exe is opened, followed up with cmd.exe. It's unclear whether injection happened via cmd or powershell. I found a postarrow-up-right demonstrating this technique and it's highly likely that powershell was used.

circle-check

Flag:aupCTF{notepad.exe}

PreviousMisc ChallengesNextOSINT Challenges

Last updated