ICMTC CTF 2024 Qualifications Forensics Challenges Writeup
Welcome back with a new writeup.
This year we have a lot of amazing challenges covering Windows, Network, and Linux forensics: 27 challenges in total, but they come from only 7 challenge files, and the rest are questions about those files. Take a long, deep breath, and without any further ado, let's get into it.
First Category: [Windows Forensics]
Triage_Q1:
Download the challenge from here and try to solve it.
We are dealing with part of the C:\ partition, a Pcapng capture, and some text log files.
Ok, we need the name and PID of the malicious executable, so let's look at the log files under C:\Windows\System32\winevt\logs.
There you will see the Sysmon log file, named Microsoft-Windows-Sysmon%4Operational.evtx.
The first idea is to open the Sysmon log and filter on Event ID 1 (Process Creation), where you will spot the malicious process.
However, I prefer to use tools to be fast, so I will use Chainsaw.
./chainsaw/chainsaw search . --json | gron | grep -E '\.ProcessId|\.CommandLine'
You will see the process Firefox.exe (highlighted in the screenshot) executed from a suspicious path; there are other suspicious entries too, which we will investigate later.
Flag: EGCERT{Firefox.exe:6172}
Triage_Q2:
We know that the malicious executable was Firefox.exe, so let's get its parent process.
./chainsaw/chainsaw search Firefox.exe --json | gron | grep -E '\.ParentCommandLine'
Flag: EGCERT{explorer.exe}
Triage_Q3:
We can investigate with Sysmon Event ID 11, which is for file creation.
./chainsaw/chainsaw search Firefox.exe --json | gron | grep -E '\.EventID = 11|\.CommandLine'
We will see that the process Firefox.exe dropped Autopatch.exe. The question asks for two files, so search for the first dropped file in case it dropped files of its own.
Flag: EGCERT{Autopatch.exe:xJX.exe}
Triage_Q4:
Search for one of the two dropped files, as the question says, and you will get the command.
./chainsaw/chainsaw search xJX.exe --json | gron | grep -E '\.CommandLine'
Flag: EGCERT{C:\Windows\system32\cmd.exe /c "C:\Users\memsh\AppData\Local\Temp\3a5e6da9.bat"}
Triage_Q5:
We can answer this from Triage_Q4, but to be sure it is the right path we will search for cmd.exe and see what its parent is.
./chainsaw/chainsaw search cmd.exe . --json | gron | grep -E '\.ParentImage'
Flag: EGCERT{C:\Users\memsh\AppData\Local\Temp\xJX.exe}
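The five Triage questions are one walk over the same Sysmon data: Event ID 1 gives each process its PID and parent, Event ID 11 ties a process to the file it wrote, and the chain is followed until the cmd.exe stage. As an added example, not from the writeup, here is that walk in Python over constructed records; it assumes the Event.System.EventID / Event.EventData layout that the gron paths above suggest, and every PID except 6172, as well as the Firefox.exe path, is made up.

```python
import ntpath
from collections import defaultdict

def ev(eid, **data):
    # one record in the Event.System / Event.EventData layout (assumed to match chainsaw --json)
    return {"Event": {"System": {"EventID": eid}, "EventData": data}}

# Constructed Sysmon records mirroring the Triage findings. Only PID 6172, the file names and
# the cmd.exe command line come from the writeup; other PIDs and the Firefox.exe path are made up.
TMP = r"C:\Users\memsh\AppData\Local\Temp"
SAMPLE = [
    ev(1, Image=r"C:\Windows\explorer.exe", ProcessId="4120", ParentProcessId="3900"),
    ev(1, Image=r"C:\Users\memsh\Downloads\Firefox.exe", ProcessId="6172", ParentProcessId="4120"),
    ev(11, ProcessId="6172", TargetFilename=TMP + r"\Autopatch.exe"),
    ev(1, Image=TMP + r"\Autopatch.exe", ProcessId="7004", ParentProcessId="6172"),
    ev(11, ProcessId="7004", TargetFilename=TMP + r"\xJX.exe"),
    ev(1, Image=TMP + r"\xJX.exe", ProcessId="7120", ParentProcessId="7004"),
    ev(1, Image=r"C:\Windows\System32\cmd.exe", ProcessId="7188", ParentProcessId="7120",
       CommandLine=r'C:\Windows\system32\cmd.exe /c "' + TMP + r'\3a5e6da9.bat"'),
]

def index_events(events):
    """Map PID -> process-creation data (Event ID 1) and PID -> files it created (Event ID 11)."""
    procs, drops = {}, defaultdict(list)
    for rec in events:
        eid, data = rec["Event"]["System"]["EventID"], rec["Event"]["EventData"]
        if eid == 1:
            procs[data["ProcessId"]] = data
        elif eid == 11:
            drops[data["ProcessId"]].append(data["TargetFilename"])
    return procs, drops

def parent_chain(procs, pid):
    """Walk ParentProcessId upwards (Triage_Q2): [(image, pid), (parent image, parent pid), ...]."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:       # stop at the root or on a PID-reuse loop
        seen.add(pid)
        chain.append((ntpath.basename(procs[pid]["Image"]), pid))
        pid = procs[pid]["ParentProcessId"]
    return chain

def drop_chain(procs, drops, pid):
    """Follow 'process writes a file, that file later runs' hops (Triage_Q3) and name each drop."""
    names = []
    while pid in drops:
        target = drops[pid][0]                    # first file created; extend for multi-drop stages
        names.append(ntpath.basename(target))
        pid = next((p for p, d in procs.items() if d["Image"] == target), None)
    return names

def child_commands(procs, pid):
    """Command lines spawned directly by pid (Triage_Q4/Q5: the cmd.exe /c ... stage)."""
    return [d.get("CommandLine", d["Image"]) for d in procs.values() if d["ParentProcessId"] == pid]
```

On real data, load the chainsaw output with json.load() and pass the resulting list to index_events.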
Triage_Q6:
Now we move on to the Pcapng file. Open it in Wireshark; you will see that the capture contains 443 packets. Going to Statistics > Conversations > IPv4 you will see many IPs, so I went to View > Coloring Rules, then applied the filter tcp.flags.reset eq 1 and saw the IP 51.222.173.101 using the Reset flag.
Searching for that IP on AbuseIPDB, it was in their database, with a report about it.
Return to Wireshark to get the port.
Flag: EGCERT{51.222.173.101:50256}
Decoy_Q1:
Download the challenge from here and try to solve it.
In this challenge we also have the Sysmon logs, so we can go to Microsoft-Windows-Sysmon%4Operational.evtx and use the same tool as before.
./chainsaw/chainsaw search . --json | gron | grep -E '\.EventID = 1|\.CommandLine' | grep '\.exe'
We will see the malicious process.
Flag: EGCERT{mimikatz.exe}
Decoy_Q2:
This question asks for the command the attacker used. Any command is run through CMD or PowerShell, so we can search for cmd.exe.
./chainsaw/chainsaw search cmd.exe . --json | gron | grep -E '\.CommandLine'
Flag: EGCERT{reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t reg_dword /d 0}
Decoy_Q3:
On MITRE ATT&CK there are 20 techniques for persistence, but which one did the attacker use to launch the attack?
In C:\Windows\System32 there is the Tasks folder, which holds scheduled tasks. Displaying the content of the file Microsoft_Update shows this suspicious PowerShell script, so we now know a scheduled task persistence technique was used; get the ID from MITRE.
Flag: EGCERT{T1053}
Decoy_Q4:
From Decoy_Q3 we know the script name, but to be sure we can check the Recent folder to see which files were used recently; it is at C:\Users\The_Lab\AppData\Roaming\Microsoft\Windows\Recent. I opened it in FTK Imager, and we see the same script file.
Flag: EGCERT{totheroots.ps1}
Decoy_Q5:
While browsing files in FTK Imager, there is an interesting file in the Recycle Bin that contains base64-encoded text. Just decode it in CyberChef.
Flag: EGCERT{craaaack.zip}
Decoy_Q6:
For this question I used the MFT Browser tool to inspect the content of the $MFT file. Once it was open, I searched for the file the question mentions, All_Is_Fine.txt, which was located on the Desktop; its Last Accessed time was 30-May-2024 11:37:37.8912856 and its $MFT record number was 101270, so I compared these with the files in the Recent folder.
I saw that the file Hacked_Lab.txt has resident data content and its path was the Desktop; its File Created time was 30-May-2024 11:38:15.8448207 and its $MFT record number was 101273. The times and record numbers of the two files are close to each other, so I submitted it as the flag, and it was correct.
Flag: EGCERT{Hacked_Lab.txt}
Decoy_Q7:
We know from Q6 that the file name was Hacked_Lab.txt, and we saw it in Q4 in the Recent folder, so the other file the question asks for is:
Flag: EGCERT{violent.txt}
3xpl0t_Q1:
Download the challenge from here and try to solve it.
In this challenge we deal with two text log files.
We need to get the IP, so we can grep for it, but the first IP we find is not the one we want; search for another word such as from, and yes, we can see the attacker's IP because of its many wrong attempts.
Flag: EGCERT{37.53.132.10}
3xpl0t_Q2:
We know it from 3xpl0t_Q1.
Flag: EGCERT{madoushi}
3xpl0t_Q3:
Now we need to search for the flag. In CTFs the flag is usually several words joined by '_', so let's search for that, and we will see this base64-encoded string.
cat * | grep '_'
Just decode it, and we will get the flag.
echo NmYgNzAgNjUgNmUgNzMgNzMgNjggNWYgNDMgNTYgNDUgMmQgMzIgMzAgMzIgMzM= | base64 -d | xxd -r -p
Flag: EGCERT{openssh_CVE-2023}
3xpl0t_Q4:
From 3xpl0t_Q3 we saw the Python code named exploit.py stored in the tmp directory.
Flag: EGCERT{/tmp/exploit.py}
3xpl0t_Q5:
From 3xpl0t_Q3, you can search for it on Google and you will get the CVE.
Flag: EGCERT{CVE-2023-38408}
3xpl0t_Q6:
Likewise, a Google search for that gives you the MITRE ID.
Flag: EGCERT{T1059.006}
3xpl0t_Q7:
For this question I searched for success, but there are many log lines, so among them I saw the word session_open, searched for it, and got that.
That username successfully logged in, so I tried 1 as the flag, but it was wrong; I tried 2 and it was correct. I don't know why; if you know, tell me.
Flag: EGCERT{2}
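3xpl0t Q1, Q2 and Q7 are all the same auth-log routine: count failed logins per source, then see which of those sources later got an Accepted line or an opened session. Added Python example, not part of the writeup: the log lines are constructed in OpenSSH/PAM syslog format (the challenge's log may differ), and only the IP and the username come from the writeup.

```python
import re
from collections import Counter

# Constructed auth.log excerpt in OpenSSH/PAM syslog format. Only the IP 37.53.132.10 and the
# user madoushi come from the writeup; timestamps, ports, PIDs and the other host are made up.
SAMPLE_LOG = """\
Jun  1 10:02:11 web sshd[2210]: Failed password for invalid user admin from 37.53.132.10 port 51002 ssh2
Jun  1 10:02:13 web sshd[2210]: Failed password for invalid user admin from 37.53.132.10 port 51004 ssh2
Jun  1 10:02:15 web sshd[2214]: Failed password for root from 37.53.132.10 port 51006 ssh2
Jun  1 10:02:20 web sshd[2218]: Failed password for madoushi from 37.53.132.10 port 51010 ssh2
Jun  1 10:03:41 web sshd[2230]: Accepted password for madoushi from 37.53.132.10 port 51030 ssh2
Jun  1 10:03:41 web sshd[2230]: pam_unix(sshd:session): session opened for user madoushi(uid=1000) by (uid=0)
Jun  1 10:05:02 web sshd[2300]: Failed password for alice from 192.168.1.20 port 40022 ssh2
Jun  1 10:05:09 web sshd[2300]: Accepted password for alice from 192.168.1.20 port 40022 ssh2
Jun  1 10:05:09 web sshd[2300]: pam_unix(sshd:session): session opened for user alice(uid=1001) by (uid=0)
Jun  1 10:20:17 web sshd[2410]: Accepted publickey for madoushi from 37.53.132.10 port 51300 ssh2
Jun  1 10:20:17 web sshd[2410]: pam_unix(sshd:session): session opened for user madoushi(uid=1000) by (uid=0)
"""

FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\d+(?:\.\d+){3})")
ACCEPTED = re.compile(r"Accepted \w+ for (\S+) from (\d+(?:\.\d+){3})")
SESSION = re.compile(r"session opened for user ([^\s(]+)")

def brute_force_triage(log, min_failures=3):
    """Count failed logins per source IP, flag sources at or above min_failures, and list every
    accepted login from a flagged source (the 'many wrong attempts, then success' pattern)."""
    failures, accepted, sessions = Counter(), [], Counter()
    for line in log.splitlines():
        if m := FAILED.search(line):
            failures[m.group(2)] += 1
        elif m := ACCEPTED.search(line):
            accepted.append((m.group(2), m.group(1)))      # (ip, user)
        elif m := SESSION.search(line):
            sessions[m.group(1)] += 1
    suspects = sorted(ip for ip, n in failures.items() if n >= min_failures)
    compromised = [(ip, user) for ip, user in accepted if ip in suspects]
    return {"failures": dict(failures), "suspects": suspects,
            "compromised": compromised, "sessions": dict(sessions)}
```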
Second Category: [Network Forensics]
Prodigal
Download the challenge from here and try to solve it.
It's a Pcapng file, so we will open it in Wireshark. The file contains 514 packets, and when looking at Statistics > Protocol Hierarchy there is HTTP traffic, so we can export all objects transferred over HTTP from File > Export Objects > HTTP.
You will see this text file named Write_.txt. There is a '_' in the name, like in a flag, but we don't know yet, so save it for now and continue.
When you open the text file, it contains base64-encoded text; once decoded, it gives a OneDrive link, which downloads a PDF file named Your_.txt. It also contains '_'. Ok, let's continue.
When you open the PDF file, you will see this.
Now search on Facebook for that profile and you will get another OneDrive link.
It contains a ZIP file; when you download and unzip it, it contains 3 pictures. Using the steghide tool to extract any hidden files from them, without any password, 1.jpg and 3.jpg yield two text files. When displaying their content, you get 2 parts of the flag and a Pastebin link that contains the 3rd part.
steghide extract -sf 1.jpg
There was a hint that the flag has more than three parts, and yes, the 2 parts we saw along the way were parts of the flag; then concatenate them all together.
Flag: EGCERT{Write_Your_Long_Lost_Idea}
A needle in a haystack:
Download the challenge from here and try to solve it.
It's a Pcapng file, so we will open it in Wireshark; the file contains 5218 packets, and when looking at Statistics > Protocol Hierarchy there is FTP traffic.
Apply ftp-data as the display filter, then from the first packet Right-click > Follow > TCP Stream and step through the streams; when you reach stream No. 10 you will see this header, which is for a JPG picture. Then, in the Show data as box (the green rectangle), switch from ASCII to Raw and save it with any name.
Then, from the description we need to get the camera model, so we will use ExifTool to show the metadata of the image.
Flag: EGCERT{ip13}
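The steps above (spot the JPEG header in the ftp-data stream, save the raw bytes, read the camera model) can also be scripted. This is an added example, not from the writeup: it carves the first JPEG out of a raw byte buffer by its SOI/EOI markers and reads the EXIF Model tag straight from the APP1 segment; the input is a constructed buffer holding a minimal JPEG, not the challenge's picture, so for real use feed it the bytes saved from Follow TCP Stream with Show data as Raw.

```python
import struct

def carve_jpeg(stream):
    """Return the first JPEG in a raw byte stream (SOI FF D8 FF ... EOI FF D9), or None."""
    start = stream.find(b"\xff\xd8\xff")
    if start < 0:
        return None
    end = stream.find(b"\xff\xd9", start)
    return stream[start:end + 2] if end > 0 else None

def exif_model(jpeg):
    """Read the EXIF Model tag (0x0110) out of the APP1 segment; None if there is none."""
    pos = 2                                              # skip the SOI marker
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        seglen = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        if marker == 0xE1 and jpeg[pos + 4:pos + 10] == b"Exif\x00\x00":
            tiff = jpeg[pos + 10:pos + 2 + seglen]       # TIFF block; offsets are relative to it
            bo = "<" if tiff[:2] == b"II" else ">"       # byte order: II = little, MM = big
            ifd = struct.unpack(bo + "I", tiff[4:8])[0]
            count = struct.unpack(bo + "H", tiff[ifd:ifd + 2])[0]
            for i in range(count):
                entry = ifd + 2 + 12 * i
                tag, typ, n, off = struct.unpack(bo + "HHII", tiff[entry:entry + 12])
                if tag == 0x0110 and typ == 2:           # Model, ASCII type
                    raw = tiff[entry + 8:entry + 12] if n <= 4 else tiff[off:off + n]
                    return raw.split(b"\x00")[0].decode("ascii", "replace")
            return None
        if marker == 0xDA:                               # start of scan: no more metadata
            break
        pos += 2 + seglen
    return None

def build_sample(model=b"ip13"):
    """Constructed byte stream: some leading bytes, then a minimal JPEG whose EXIF holds only Model."""
    val = model + b"\x00"
    # TIFF header (little endian, IFD0 at offset 8), IFD0 with one entry, next-IFD = 0, value at 26
    tiff = b"II*\x00" + struct.pack("<I", 8) + struct.pack("<H", 1)
    tiff += struct.pack("<HHII", 0x0110, 2, len(val), 26) + struct.pack("<I", 0) + val
    app1 = b"Exif\x00\x00" + tiff
    seg = b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1
    scan = b"\xff\xda\x00\x02" + b"\x00" * 8              # placeholder scan data, not real pixels
    return b"noise before the image\r\n" + b"\xff\xd8" + seg + scan + b"\xff\xd9"
```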
Syring_Q1:
Download the challenge from here and try to solve it.
It's a Pcapng file, so we will open it in Wireshark, and this time we can also use NetworkMiner for more details. In Wireshark the file contains a huge number of packets (88862), and when looking at Statistics > Protocol Hierarchy there is a lot of HTTP traffic.
For the first question we need to go to Statistics > Conversations > IPv4; we will see that there are 2 external connections to the online bookstore, and one of the two external IPs has a large number of packets compared with the other.
In NetworkMiner you will see the host details and find that the attacker used malicious tools that appear in the User-Agent, such as gobuster and sqlmap.
Flag: EGCERT{165.1.1.2}
Syring_Q2:
Return again to Wireshark and go to Statistics > HTTP > Requests. You will see that the attacker tried an SQL injection attack, and the vulnerable script is:
Flag: EGCERT{search.php}
Syring_Q3:
We know that from Syring_Q1.
Flag: EGCERT{sqlmap}
Syring_Q4:
Ok, to get the table name you can use strings, or go back to NetworkMiner, search for the vulnerable script search.php, then check the Requests and you will find the name.
Flag: EGCERT{customers}
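Syring Q1 to Q4 reduce to one pass over the HTTP requests: who sent the most, which tool names their User-Agent announces, which script receives injection-looking queries, and which table names those queries mention. Added Python example, not part of the writeup: it parses constructed lines in the shape that `tshark -Y http.request -T fields -e ip.src -e http.user_agent -e http.request.uri` prints; only 165.1.1.2, search.php, the tool names and the table name come from the writeup.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus, urlsplit

# Constructed lines in the shape of
#   tshark -r bookstore.pcapng -Y http.request -T fields -e ip.src -e http.user_agent -e http.request.uri
# Only 165.1.1.2, search.php, the tool names and the table 'customers' come from the writeup;
# the other IP, paths, versions and payloads are made up.
SAMPLE = """\
10.0.0.5\tMozilla/5.0 (Windows NT 10.0) Firefox/126.0\t/index.php
10.0.0.5\tMozilla/5.0 (Windows NT 10.0) Firefox/126.0\t/search.php?q=python
165.1.1.2\tgobuster/3.6\t/admin/
165.1.1.2\tgobuster/3.6\t/backup/
165.1.1.2\tsqlmap/1.8#stable (https://sqlmap.org)\t/search.php?q=a%27%20AND%201%3D1--%20
165.1.1.2\tsqlmap/1.8#stable (https://sqlmap.org)\t/search.php?q=a%27%20UNION%20SELECT%20name%2Cemail%20FROM%20customers--%20
"""

SCANNER_UA = re.compile(r"sqlmap|gobuster|nikto|dirbuster|nmap", re.I)
SQLI_HINT = re.compile(r"'|\bunion\b|\bselect\b|\bsleep\s*\(|--", re.I)

def parse_requests(text):
    """Parse tab-separated (src, user_agent, uri) lines; URL-decode the URI, skip malformed lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) == 3:
            rows.append({"src": parts[0], "ua": parts[1], "uri": unquote_plus(parts[2])})
    return rows

def triage(rows):
    """Syring Q1-Q4 in one pass: noisiest source, the tools it announced, scripts hit with
    SQL-injection-looking queries, and table names referenced in those queries."""
    per_ip = Counter(r["src"] for r in rows)
    top_ip = per_ip.most_common(1)[0][0]
    tools, sqli_scripts, tables = set(), Counter(), set()
    for r in rows:
        if r["src"] == top_ip and (m := SCANNER_UA.search(r["ua"])):
            tools.add(m.group(0).lower())
        url = urlsplit(r["uri"])
        if SQLI_HINT.search(url.query):
            sqli_scripts[url.path.rsplit("/", 1)[-1]] += 1
            tables.update(t.lower() for t in re.findall(r"\bfrom\s+([A-Za-z_]\w*)", url.query, re.I))
    return {"top_ip": top_ip, "requests": per_ip[top_ip], "tools": sorted(tools),
            "sqli_scripts": dict(sqli_scripts), "tables": sorted(tables)}
```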
Third Category: [Linux Forensics]
Hydra:
Download the challenge from here and try to solve it.
Actually, I didn't solve this challenge, but my teammate Omakmoh was faster and solved it; a big shout-out to him.
I haven't looked at it yet, but after my graduation discussion I will edit this writeup and solve it, God willing.
If you reached here after reading all of this, you are a Legend ^_^
Contact me if you want to discuss anything:
https://www.linkedin.com/in/0x4de1