BlackHat MEA Qualification CTF 2023 Hard Forensics Challenge Write-up

Mohamed Adel
Oct 9, 2023

Hello and welcome,
I’m Mohamed Adel, and this is my write-up for the hard forensics challenge at BlackHat MEA Qualification CTF 2023.

Let’s get started!

Extend:

Points: 300

Download the challenge from here and try to solve it.
Password: flagyard

It’s a JPG file, so let’s start with the usual steganography tools.

What about looking at the image’s metadata?

exiftool chall.jpg

You will see this comment; open the link.

If you look at the source code of this site, you won’t see anything there, so we need some OSINT skills. Let’s search for the username justuser-tmpusage on GitHub; you will find this repo.

Now, click on BHatCtf.github.io and you will find 2 files. Click on the first one, fulldata.md, then click on “more data here”; it will redirect you to a Pastebin page, where you will see a Mega link and its decryption password, which is HxzUmwVKEdQqUmWSkm3kptBbv6aYUn6TKD9ViXW6XiQ.

When you open the Mega link, you will find a file named Google.7z. Download it, then extract it.

Now we have part of the user data of a Chrome browser. The first idea is to search the user’s History, Cache, and Cookies, but there is nothing there.

After more searching, and re-reading the challenge name, Extend: did they mean Extension? What about investigating the extensions folder?

You will find it at Google/Chrome/User Data/Default/Extensions/. If you open it, you will see these folders.

When you open the one highlighted in the previous screenshot, it contains 2 files.

Open the first one and you will see these suspicious words.

Now, open the JavaScript file; it contains the following:

Then, going to this site to deobfuscate it, you will see that this function contains strings that look like base64 encoding.

function connect(_0x5a2fad = "WYwIjYzMTM2sXWHFETGhkQ", _0x58999f = "1QjY0YGNxEDM1cTMxQ2YjV", _0x10e396 = 'Qf2MjYwAzNyIDOjVTZkJTY') 

Using CyberChef to decode them from base64 does not work.

Then, since we know the flag format, I encoded it to base64 and found that the encoded strings in the JavaScript function were reversed.

Now, reverse each string first, then decode it with base64, and you will get the flag.
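To show the decoding step in code, here is an added Python example (not part of the original write-up or the challenge files). It assumes the function header quoted above, embedded as a constructed string, pulls the three default-parameter strings out of it with a regex, shows that they do not decode to anything sensible as-is, and then reverses, joins and base64-decodes them; the flag-format regex is my assumption based on the flag shown below.

```python
import base64
import re
from typing import List, Optional

# Constructed stand-in for the deobfuscated function header shown in the write-up;
# the three default strings are copied from the extension's JavaScript.
OBFUSCATED_SIGNATURE = (
    'function connect(_0x5a2fad = "WYwIjYzMTM2sXWHFETGhkQ", '
    '_0x58999f = "1QjY0YGNxEDM1cTMxQ2YjV", '
    "_0x10e396 = 'Qf2MjYwAzNyIDOjVTZkJTY')"
)

# Assumed flag format: BHFLAGY{<40 hex chars>} (matches the flag in this write-up).
FLAG_RE = re.compile(r"^BHFLAGY\{[0-9a-f]{40}\}$")


def extract_default_strings(js_signature: str) -> List[str]:
    """Pull the quoted default-parameter values out of the function header."""
    return re.findall(r"""=\s*["']([A-Za-z0-9+/=]+)["']""", js_signature)


def b64_decode_lenient(s: str) -> Optional[bytes]:
    """Base64-decode after restoring stripped '=' padding; None if not valid base64."""
    padded = s + "=" * (-len(s) % 4)
    try:
        return base64.b64decode(padded, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def decodes_as_is(js_signature: str) -> bool:
    """True only if the fragments already decode to a flag without reversing them."""
    raw = b64_decode_lenient("".join(extract_default_strings(js_signature)))
    if raw is None:
        return False
    return bool(FLAG_RE.match(raw.decode("ascii", errors="replace")))


def recover_flag(js_signature: str) -> Optional[str]:
    """Undo the obfuscation: reverse each fragment, join them, then base64-decode."""
    parts = extract_default_strings(js_signature)
    raw = b64_decode_lenient("".join(part[::-1] for part in parts))
    if raw is None:
        return None
    text = raw.decode("ascii", errors="replace")
    return text if FLAG_RE.match(text) else None


if __name__ == "__main__":
    print("decodes without reversal:", decodes_as_is(OBFUSCATED_SIGNATURE))
    print("flag:", recover_flag(OBFUSCATED_SIGNATURE))
```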

Flag: BHFLAGY{6133b20aeccd11750114f4b45a2de5c822700b36}

Thanks for your time and effort to read this. I hope you liked it and enjoyed reading it.

If you have any comments, edits, or another way to solve this challenge, don’t hesitate to contact me:
https://www.linkedin.com/in/0x4de1
