Hello and welcome,
I’m Mohamed Adel, and I’m honored to get 3rd place at the CyberTalents Blue Team Scholarship 2023 CTF Assessment.
This is my writeup to the hard forensics challenge in detail.
Let’s get started!
Category: Windows Forensics
Download the challenge from here and try to solve it.
It’s a file with a .001 extension, so we will open it in FTK Imager.
When you open FTK Imager, Choose File > Add Evidence Item > Image File and browse for the challenge .001 file.
Now, for part no.1: To get the MD5 hash of the malicious file, check the Downloads folder to see which files the user downloaded.
Move to [root] > Users > xElessaway > Downloads, and you will see a zip file that contains an exe.
Export the zip file by right-clicking it and choosing Export Files.
Move it to your Kali machine to extract it and run md5sum on it, or use the HashCalc program on Windows; both give the same result.
Now, for part no.2: We need to get the IP address of the site behind the ad. If you go back to the challenge name, it’s history, but history for what? We solved the first question from the Downloads folder. Is this browser history? And if so, which browser? There are many: Chrome, Firefox, Edge, etc.
After some searching in the user folders, we know that the user was using the Microsoft Edge browser, because of the Edge folder at the path xElessaway > AppData > Microsoft > Edge.
Then you need to get the history file. If you don’t know where it is, you can ask your friend Google, and you will locate it at the path:
[root] > Users > xElessaway > AppData > Local > Microsoft > Edge > User Data > Default > History.
You will see that it is in SQLite format.
Export the history file by right-clicking it and choosing Export Files.
Now we need to download a SQLite database browser to open the file.
When you open it, choose File > Open Database > choose All Files (*) and browse for the history file; it will open like this.
Right-click the urls table, choose Browse Table, then scroll down and you will find the IP.
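Instead of scrolling through the urls table by hand, the same lookup can be scripted. The following is an added example, not part of the original writeup: it builds an in-memory copy of the Edge/Chromium History urls table with constructed sample rows (hypothetical URLs and timestamps, not the challenge data), converts the WebKit timestamps to UTC, and returns every visited URL whose host is a bare IPv4 address.

```python
import re
import sqlite3
from datetime import datetime, timedelta, timezone

# Constructed sample rows (hypothetical values, not the challenge's real data),
# using a subset of the columns of the Chromium/Edge History "urls" table.
SAMPLE_ROWS = [
    (1, "https://www.bing.com/search?q=free+software", "Bing", 3, 13330000000000000),
    (2, "http://203.0.113.45:8080/ad/download.zip", "Download", 1, 13330000600000000),
    (3, "https://learn.microsoft.com/", "Microsoft Learn", 2, 13330001200000000),
]

# Match http(s) URLs whose host is a dotted-quad IPv4 address (optional port).
IP_RE = re.compile(r"^https?://(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?/")


def webkit_to_utc(ts):
    """Chromium stores times as microseconds since 1601-01-01 00:00:00 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ts)


def build_sample_history():
    """Create an in-memory database shaped like the History urls table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, "
        "visit_count INTEGER, last_visit_time INTEGER)"
    )
    conn.executemany("INSERT INTO urls VALUES (?,?,?,?,?)", SAMPLE_ROWS)
    return conn


def open_history(path):
    """Open a real exported History file read-only so the evidence is not modified."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def ip_visits(conn):
    """Return (ip, url, last_visit_utc_iso) for rows whose host is an IP address."""
    hits = []
    query = "SELECT url, last_visit_time FROM urls ORDER BY last_visit_time"
    for url, ts in conn.execute(query):
        m = IP_RE.match(url)
        if m:
            hits.append((m.group(1), url, webkit_to_utc(ts).isoformat()))
    return hits


if __name__ == "__main__":
    # Swap build_sample_history() for open_history("History") on a real export.
    for ip, url, when in ip_visits(build_sample_history()):
        print(ip, url, when)
```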
For part no.3: It requires some basic reverse engineering. After we extracted the malicious exe file, we will use IDA to analyze it.
When you open IDA Freeware, choose New > browse for the exe file, then OK, Yes.
Then click View > Open subviews > Strings, or press Shift+F12.
you will see those, now double click on
From this point, we know that there is a value named secr3t stored in the registry hive Software at the path
Then we need to go back to FTK Imager to export the hive.
If you don’t know the path of the registry hives, you can ask Google; they are at the path
C:\Windows\Windows32\Config, but if you go there, you won’t find anything. I didn’t know why, so I searched the folders and found the
SOFTWARE hive in
[root] > windows > Windows32 > winevt
Now export it. You can use RECmd.exe, a CLI tool that parses the data in the hive into a CSV file, or Registry Explorer, a GUI tool. Both tools are from Eric Zimmerman and give the same result; in this case, I used Registry Explorer.
Open it and choose File > Load hive > Browse for the
Then go to the path we learned from the basic reverse engineering,
SOFTWARE\Microsoft\Windows NT\CurrentVersion, and you will see this value.
Copy it and go to CyberChef, then use the Magic operation, which attempts to detect various properties of the input data and suggests which operations could help you make more sense of it.
Use intensive mode and scroll down; you will get part no.3 of the flag.
If you don’t know the Magic operation, how can you decode that? I asked the author, and he said that you can tell from the disassembler that it was encoded using XOR with the key 87.
If you want to learn more about Windows Forensics, you can study SANS FOR500.