Arab Regional Cybersecurity CTF 2023 Hard Forensics Challenge Writeup

Mohamed Adel
Oct 21, 2023


Hello and welcome,
I’m Mohamed Adel, and this is my write-up for the hard forensics challenge at Arab Regional Cybersecurity CTF 2023.

Let’s get started!

Stolen:

Category: Memory Forensics
Points: 200

Download the challenge from here and try to solve it.

Description:
An attacker attacked someone important, but luckily the attacker couldn't find the password of his accounts. So can you?

It’s a vmem file, so as usual I will use my lovely tool Volatility3.

First, we need to know which processes were running, so we use the PsList plugin. The output shows that the user opened CMD and the Microsoft Edge browser.

python3 vol.py -f Stolen.vmem windows.pslist.PsList

Now, start with the first one, the cmd.exe process. Run the CmdLine plugin and you will see a base64-encoded string in its command line.

python3 vol.py -f Stolen.vmem windows.cmdline.CmdLine

Then, decode it from base64.

echo "UmVnYXJkcyBmcm9tIHhlbGVzc2F3YXkgdXNlIHRoZSBiYXNlIGFzIHBhc3N3b3Jk" | base64 -d

Ok, the decoded message tells us that this base64 string is used as a password for something.

Let’s go to the second process which was Microsoft Edge, what about seeing the history that the user was browsing?

We need to find the History file, which is located at Users\%USERNAME%\AppData\Local\Microsoft\Edge\User Data\Default\History.

So, we use the FileScan plugin and grep for the History file to get its virtual address (virtaddr), which we need in order to dump it.

python3 vol.py -f Stolen.vmem windows.filescan.FileScan | grep History

Dump the file with the DumpFiles plugin using that virtaddr, 0xa68243fc3cc0, then rename the dumped file to History.

python3 vol.py -f Stolen.vmem windows.dumpfiles.DumpFiles --virtaddr 0xa68243fc3cc0

Now, move it to your Windows machine and open it with the SQLite Database program.

Note:
You need to download and install the SQLite Database program to open the History file.

When you open SQLite DB, choose File > Open Database, select All Files (*) and browse to the History file.

Then right-click the urls table and choose Browse Table; you will see the Pastebin and MEGA links.
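As an added example (not part of the original write-up), the same lookup done without a GUI: a small Python script that opens the dumped History file read-only, lists the urls table and converts Edge's WebKit timestamps (microseconds since 1601-01-01 UTC) into readable dates. The sample database it builds uses constructed placeholder URLs and times, not the challenge's real history.

```python
import os
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone
from typing import Optional

# Chromium-based browsers (Edge included) store times as microseconds since 1601-01-01 UTC,
# not as Unix time, so raw last_visit_time values look like 13340000000000000.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def webkit_to_datetime(us: int) -> Optional[datetime]:
    """Convert a WebKit/Chromium timestamp to an aware UTC datetime (0 means 'never visited')."""
    if not us:
        return None
    return WEBKIT_EPOCH + timedelta(microseconds=us)

def list_history(db_path: str) -> list:
    """Return the urls table as dicts, oldest visit first, with readable timestamps."""
    # Open read-only so the dumped evidence file is never modified by the analysis.
    con = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)
    try:
        rows = con.execute(
            "SELECT url, title, visit_count, last_visit_time FROM urls ORDER BY last_visit_time"
        ).fetchall()
    finally:
        con.close()
    return [{"url": u, "title": t, "visit_count": c, "last_visit": webkit_to_datetime(ts)}
            for u, t, c, ts in rows]

def build_sample_history() -> str:
    """Create a throwaway History database with the urls table columns Edge uses.
    The rows are constructed sample data (placeholder URLs), not the challenge's real history."""
    db_path = os.path.join(tempfile.mkdtemp(), "History")
    con = sqlite3.connect(db_path)
    con.execute("CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, "
                "visit_count INTEGER, typed_count INTEGER, last_visit_time INTEGER, hidden INTEGER)")
    con.executemany("INSERT INTO urls VALUES (?,?,?,?,?,?,?)", [
        (1, "https://mega.nz/file/PLACEHOLDER", "MEGA", 1, 0, 13340000600000000, 0),
        (2, "https://pastebin.com/PLACEHOLDER", "Pastebin", 2, 0, 13340000000000000, 0),
    ])
    con.commit()
    con.close()
    return db_path

if __name__ == "__main__":
    for row in list_history(build_sample_history()):
        print(row["last_visit"], row["visit_count"], row["url"], row["title"])
```

To run it against the real dump, call list_history with the path of the renamed History file instead of build_sample_history().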

Open the Pastebin link first, it needs a password.

Try the password found with the CmdLine plugin, which was UmVnYXJkcyBmcm9tIHhlbGVzc2F3YXkgdXNlIHRoZSBiYXNlIGFzIHBhc3N3b3Jk

We will see that the paste is a list of passwords.

Save it as wordlist.txt, then move to the second link from the history urls, which is a MEGA link, and download the file.

After unzipping it, you will see that it is a file with the .kdbx extension, which is the KeePass database format.

Note:
You need to download and install the KeePass program to open the Database file.

After downloading and opening the file, it needs a password.

Now we have a wordlist and a password-protected file. In your opinion, what can we do with them?

Yes, brute force it.

I searched for how to brute force it and found this blog.

Using John the Ripper with the wordlist we found on the Pastebin link,

we get the password, which is icanfindthishiddenpasswordforcrack

Finally, the last step: open the kdbx file with that password.

The value stored inside is base64-encoded; decode it with CyberChef and you will get the flag.

Flag: Flag{Bru73_F0RC3_TH3_KDBX_P45$W0RD}

Thanks for your time and effort to read this. I hope you liked and enjoyed reading it.

If you have any comments, edits, or another way to solve them, don’t hesitate to contact me:
https://www.linkedin.com/in/0x4de1
