IEEE Victoris 2.0 CTF Forensics Challenges Writeup
Hello and welcome,
I’m Mohamed Adel and this is my writeup for forensics challenges at IEEE Victoris 2.0 CTF organized by IEEE ManSB and powered by EGCERT.
Let’s start with the first one.
VulnPass:
Category: Memory Forensics
Download the challenge from here and try to solve it.
It’s a memory dump, so I will use my lovely tool Volatility3.
First, list the processes that were running with the pslist plugin (Volatility3 takes the image with -f); the last program the user opened is KeePass.
python3 vol.py -f MEMDUMP.mem windows.pslist.PsList
Next, the cmdline plugin shows the command line each process was started with, and the KeePass entry points at the file it was opened with.
python3 vol.py -f MEMDUMP.mem windows.cmdline.CmdLine
We need to dump that file, so run the filescan plugin and grep its output for the file name to get the virtual address (Virtaddr) of the file object.
python3 vol.py -f MEMDUMP.mem windows.filescan.FileScan
Now dump the second hit with the dumpfiles plugin, passing its virtual address 0xc60007b1b820, and rename the resulting file.
python3 vol.py -f MEMDUMP.mem windows.dumpfiles.DumpFiles --virtaddr 0xc60007b1b820
Move the file to a Windows machine and try to open it; it asks for a password.
Note:
You need to download and install the KeePass program to open the Database file.
Going back to the memory dump and searching for the password turns up nothing.
After more searching I found this blog post about the KeePass plugin for Volatility3, so I downloaded the plugin from here and moved it to volatility3/plugins/windows/.
Now run it against the pid of the KeePass process, 8528, and we get the password.
python3 vol.py -f MEMDUMP.mem windows.keepass --pid 8528
But when I tried to open the database with it, the password was wrong.
Keep calm and read the password carefully: it is “ecretpass123”, which at first glance looks like “secretpass123” with the leading letter missing. That is expected with the KeePass 2.x memory leak this plugin relies on (CVE-2023-32784): the first character typed never ends up in the leftover strings, so it has to be guessed, and we don’t know whether it is upper or lower case. Trying both possibilities, the capital letter is the correct one, giving the final password “S3cr3tP4ss123”; now the database opens.
Right-click the password of the C2 entry, copy it, and paste it into any text editor to get the flag.
Flag: EGCERT{10_P0ints_t0_Gryff1nd0r}
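To show where the missing first character comes from, here is an added example (my code, not the Volatility plugin’s and not the challenge data) that scans a constructed memory buffer for the strings the KeePass 2.x masked password box leaves behind, votes per position on the character that follows each run of bullets, and expands the unrecoverable first character into guesses. The shape of the leftover strings (N bullets followed by the N+1-th character) is my assumption about the leak used to build the sample; the password “S3cr3tP4ss123” is the one from the post.

```python
"""Reconstruct a KeePass master password from the leftover strings its masked
password box leaves in memory, and enumerate guesses for the unrecoverable
first character. Added example; not the plugin's code and not the challenge data."""
import re
import string
from collections import Counter, defaultdict

MASK = "\u25cf"  # the bullet drawn in place of each typed character (UTF-16LE: CF 25)


def build_sample_memory(password: str) -> bytes:
    """CONSTRUCTED sample: emulate what the KeePass 2.x leak (CVE-2023-32784) leaves
    behind. For the N-th keystroke (N >= 2) a UTF-16LE string of N-1 bullets followed
    by the new character survives; the first keystroke leaves no such string, which is
    why the first character is never recoverable. This is an assumption about the
    leak's shape used to build test data, not a real memory image."""
    chunks = [b"MZ" + b"\x00" * 64 + b"Unrelated ASCII heap content\x00\x00"]
    for i in range(1, len(password)):
        leftover = (MASK * i + password[i]).encode("utf-16-le") + b"\x00\x00"
        chunks.append(leftover)
        chunks.append(b"\x00" * (5 + i))  # arbitrary gap between allocations
    return b"".join(chunks)


# one or more UTF-16LE bullets (CF 25) followed by one printable ASCII code unit
LEAK_RE = re.compile(rb"((?:\xcf\x25)+)([\x20-\x7e]\x00)")


def recover_from_leak(mem: bytes) -> str:
    """Vote per position on the character that follows each run of bullets.
    Position 0 never appears in the leak, so it is reported as '?'."""
    votes = defaultdict(Counter)
    for m in LEAK_RE.finditer(mem):
        position = len(m.group(1)) // 2            # bullet count == index of the char
        votes[position][m.group(2).decode("utf-16-le")] += 1
    if not votes:
        return ""
    recovered = ["?"] * (max(votes) + 1)
    for pos, counter in votes.items():             # if the user backspaced, several
        recovered[pos] = counter.most_common(1)[0][0]  # chars compete; keep the majority
    return "".join(recovered)


def first_char_candidates(recovered: str,
                          alphabet: str = string.ascii_letters + string.digits) -> list:
    """Expand the unknown first character into concrete passwords to try."""
    return [c + recovered[1:] for c in alphabet]


if __name__ == "__main__":
    mem = build_sample_memory("S3cr3tP4ss123")
    leaked = recover_from_leak(mem)
    print("leaked:", leaked)                       # ?3cr3tP4ss123
    print("guesses to try:", len(first_char_candidates(leaked)))
```

Against a real dump you would feed the process memory (or the whole image) to recover_from_leak and then try the candidates in order of likelihood, which is exactly the “lower or upper case s?” step above, done for the whole alphabet.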
Another Method:
You can also solve this challenge with strings:
strings MEMDUMP.mem | grep -i -A 1 egcert
Just remove the 0 from the end of the first line.
I hate challenges where the flag is simply stored in the image; I prefer challenges with questions.
Notepade:
Category: Memory Forensics
It’s a .dmp file, so I will open it in WinDbg.
If you don’t know the Windows Debugger (WinDbg), it is a Microsoft-provided tool that lets developers and researchers debug drivers and analyze crashes. While it is typically used to debug code, it can also be used for memory forensics.
Download the challenge from here and try to solve it.
Open WinDbg and choose File > Start debugging > Open dump file, then browse to the challenge file.
Once the file is loaded, the dump opens like this:
Start the analysis with !analyze -v. If you then type !peb, it displays a formatted view of the information in the process environment block.
Now we need to search this dump for the flag. Type this command, which runs a Unicode string search (s -u) over every heap region that !address enumerates (%1 is the region base address and %3 its size):
!address /f:heap /c:"s -u %1 L?%3 \"EGCERT\""
If you don’t know this command and its flags, type !address -?
We can see the first part of the flag. To dump the memory contents at that address, use the db command, which displays individual bytes along with an ASCII dump, then the du command, which displays the memory as a Unicode string; this gives the first part of the flag.
Now return to !address and search for the second part of the flag with this command:
!address /f:heap /c:"s -u %1 L?%3 \"3v3er_\""
Then db and du again, and we have the full flag.
Flag: EGCERT{heap_40r_3v3er_no_strings_anymore}
Another Method:
You can also solve this challenge with strings; -e l extracts 16-bit little-endian (UTF-16LE) strings, which is how Notepad keeps its text in memory, so a plain strings run would miss it:
strings -e l notepad.DMP | grep -i -B 1 egcert
Again, I hate this type of challenge.
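As an added example (my code, run on a constructed buffer, not the challenge’s notepad.DMP), here is what strings -e l does under the hood: extract UTF-16LE strings, show that ASCII-only extraction misses them, and grep with context the way -B 1 does. The sample places the tail of the flag before its head, matching the grep -B 1 output above; the layout and filler are my assumptions.

```python
"""Pull UTF-16LE strings out of a raw dump the way `strings -e l` does, and show why
plain ASCII extraction misses Notepad's text. Added example with constructed data;
not the challenge file."""
import re
from typing import List

MIN_LEN = 4
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)             # what `strings` does
UTF16LE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)   # what `strings -e l` does


def ascii_strings(buf: bytes) -> List[str]:
    return [m.group().decode("ascii") for m in ASCII_RE.finditer(buf)]


def utf16le_strings(buf: bytes) -> List[str]:
    return [m.group().decode("utf-16-le") for m in UTF16LE_RE.finditer(buf)]


def grep_context(lines: List[str], needle: str, before: int = 1, after: int = 0) -> List[str]:
    """Case-insensitive match plus surrounding lines, like grep -i -B/-A."""
    needle = needle.lower()
    hits = [i for i, s in enumerate(lines) if needle in s.lower()]
    keep = sorted({j for i in hits
                   for j in range(max(0, i - before), min(len(lines), i + after + 1))})
    return [lines[j] for j in keep]


def build_sample_dump() -> bytes:
    """CONSTRUCTED stand-in for the Notepad heap: both halves of the flag are stored as
    UTF-16LE, and the tail sits before the head, as the grep -B 1 output shows."""
    def u16(s: str) -> bytes:
        return s.encode("utf-16-le") + b"\x00\x00"
    return (b"ASCII heap filler text\x00\x00" + b"\x00" * 32
            + u16("3v3er_no_strings_anymore}") + b"\x00" * 16
            + u16("EGCERT{heap_40r_") + b"\x00" * 8
            + b"trailing ascii\x00")


def reassemble_flag(buf: bytes) -> str:
    """Find the EGCERT{ fragment among the UTF-16LE strings and join it with the
    neighbouring fragment that closes the brace."""
    lines = grep_context(utf16le_strings(buf), "EGCERT", before=1)
    head = next(s for s in lines if "EGCERT{" in s)
    tail = next(s for s in lines if s.endswith("}"))
    return head + tail


if __name__ == "__main__":
    dump = build_sample_dump()
    print("ascii  :", ascii_strings(dump))      # no trace of the flag
    print("utf16le:", utf16le_strings(dump))    # both fragments
    print("flag   :", reassemble_flag(dump))
```

The same two regexes applied to a real dump reproduce the two strings commands in this writeup; the difference between them is only which code-unit width you expect, which is why the flag says “no_strings_anymore”.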
Note:
If you want to learn more about WinDbg, you can read the 4th book of SANS FOR532 (formerly called FOR526) or watch this YouTube video.
Encrypted Disk:
Category: Disk Forensics
Download the challenge from here and try to solve it.
I didn’t take a screenshot of the description, but I think it was:
My PC was Hacked, Can you help me know what happened?
It’s an .ad1 file, so I will open it in FTK Imager.
In FTK Imager choose File > Add Evidence Item > Image File and browse to the challenge file; you will see these files.
The second one, interesting.txt, contains one word: Hacked.
Now export challenge1.img by right-clicking it and choosing Export Files.
Then, if you click on interesting.txt, you will see these numbers next to a file named eff_Dice.
So far we don’t know what those numbers are.
Return to the first file and look at it: it is an encrypted disk image, and if we try to open it with the cryptsetup utility it asks for a password.
Trying the numbers from the eff_Dice file as the password does not work. After some searching I found this wordlist with the same name: the EFF Diceware list, in which each five-digit roll of a six-sided die maps to one word.
So look up each number in the wordlist and write the word next to its number, like this:
35644 legacy
15515 childhood
13663 bottom
11123 abnormal
35125 jazz
I tried each word on its own as the password without success. In the end, after many attempts, the password turned out to be all of the words in order, separated by spaces.
Password: "legacy childhood bottom abnormal jazz"
Now open the image again with cryptsetup (for a LUKS image that is cryptsetup open challenge1.img <name>, which creates /dev/mapper/<name> for mounting) and enter the password; this icon appears on your desktop.
Open it with your administrator password and you get the flag.
Flag: EGCERT{r0ll_7h3_d1c3_0n3_m0r3_71m3}
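The numbers-to-passphrase step above is easy to automate once you know the format of the EFF list, and a small script also lets you try the usual Diceware join conventions without retyping. The following is an added example (my code, not the author’s); the wordlist excerpt and the roll list are constructed from the five pairs in the writeup, and the cryptsetup check assumes the image is LUKS (it is skipped when cryptsetup is not installed and may need root).

```python
"""Resolve Diceware rolls against the EFF wordlist, generate passphrase candidates and
optionally test them against a LUKS image with cryptsetup. Added example; the wordlist
excerpt and rolls are constructed from the pairs in the writeup."""
import re
import shutil
import subprocess
from typing import Dict, List, Optional

# CONSTRUCTED excerpt in the EFF large-wordlist format ("<five dice>\t<word>").
# The real file has 7776 entries; only the five the writeup resolved are included.
SAMPLE_WORDLIST = (
    "11123\tabnormal\n"
    "13663\tbottom\n"
    "15515\tchildhood\n"
    "35125\tjazz\n"
    "35644\tlegacy\n"
)
# CONSTRUCTED stand-in for the numbers shown in the eff_Dice file, in file order.
SAMPLE_ROLLS = "35644 15515 13663 11123 35125"

ROLL_RE = re.compile(r"^[1-6]{5}$")   # five throws of a six-sided die


def parse_wordlist(text: str) -> Dict[str, str]:
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and ROLL_RE.match(parts[0]):
            table[parts[0]] = parts[1]
    return table


def parse_rolls(text: str) -> List[str]:
    """Every token must be five digits in 1..6, otherwise it is not a Diceware roll
    and the wordlist is the wrong decoder for it."""
    rolls = re.findall(r"\d+", text)
    bad = [r for r in rolls if not ROLL_RE.match(r)]
    if bad:
        raise ValueError(f"not five-dice rolls: {bad}")
    return rolls


def rolls_to_words(rolls: List[str], table: Dict[str, str]) -> List[str]:
    missing = [r for r in rolls if r not in table]
    if missing:
        raise KeyError(f"rolls not in wordlist: {missing}")
    return [table[r] for r in rolls]


def passphrase_candidates(words: List[str]) -> List[str]:
    """Words kept in roll order. The writeup found the space-separated form was the
    real passphrase; the other separators are common Diceware conventions worth
    trying before anything more exotic."""
    return [sep.join(words) for sep in (" ", "", "-", "_")]


def luks_passphrase_works(image: str, passphrase: str) -> Optional[bool]:
    """ASSUMPTION: the image is LUKS. --test-passphrase verifies the key without
    mapping the device; the passphrase is fed via --key-file - (stdin, no newline).
    Returns None when cryptsetup is absent so the example still runs offline."""
    if shutil.which("cryptsetup") is None:
        return None
    proc = subprocess.run(
        ["cryptsetup", "open", "--test-passphrase", "--key-file", "-", image],
        input=passphrase.encode(), capture_output=True)
    return proc.returncode == 0


if __name__ == "__main__":
    words = rolls_to_words(parse_rolls(SAMPLE_ROLLS), parse_wordlist(SAMPLE_WORDLIST))
    for candidate in passphrase_candidates(words):
        print(repr(candidate), luks_passphrase_works("challenge1.img", candidate))
```

With the full eff_large_wordlist.txt in place of the excerpt, parse_wordlist handles any roll list, and the ValueError from parse_rolls is the quick check that the numbers really are dice rolls before you spend time on them.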
Timestomp:
When I downloaded the challenge file and unzipped it, I saw these files.
Opening Details.txt, it contains the flag and a walkthrough for solving the challenge, and there is also a gif that shows how to solve it. I think the author included these by mistake, but you can download the challenge from here and see how to solve it.
Thanks for your time and effort in reading this; I hope you liked it and enjoyed it.
If you have any comments, corrections, or another way to solve them, don’t hesitate to contact me:
https://www.linkedin.com/in/0x4de1