ITI CTF 2023 — Round 1 Forensics Challenges Writeup

Mohamed Adel
5 min readSep 10, 2023

Hello and welcome,
I’m Mohamed Adel, My team secured 1st place at ITI CTF 2023 — Round 1 powered by Cyber Talents.

This is my writeup for the forensics challenges.

Let’s start with the first one.

F1sher:

Category: Network Forensics
Level: Easy
Points: 50

Description:
It seems missey inside. find the correct one :D.

It’s a pcapng file, let’s open it in Wireshark.

the file contains 4043 packets, when checking Statistics > Protocol Hierarchy you will see that HTTP statistics.

filtering the HTTP traffic to see the packets and those are interesting.

Now we need to extract all the HTTP requests in the GET URIs, so we will use the Tshark tool to do this easily and quickly in one command line.

tshark -r Fisher.pcapng -e "http.request.uri" -Y "ip.src==192.168.245.128" -Tfields | grep -o "?f.." | cut -d "=" -f 2 | xxd -ps -r
Flag: Flag{F1Lt3R_TH3_P4rAmE7er$}

C010R:

Category: Steganography
Level: medium
Points: 100

Description:
Find the flag inside this wierd red image.

It’s a png file, so we need to check if any files are hidden in it and see those files.

now, extract them.

binwalk -e C010R.png

move into the folder and unzip the zip file, it needs a password, I tried to crack it with John the Ripper tool but not working, so let’s check if the password is hidden in the image, Back to the description he said that the flag inside the wired red and the image is just a red line, so let’s check RGB Values.

This python script written by Eng. Ahmed Elessaway and will get the data hidden in the pixels values:

import numpy as np
from PIL import Image

img = Image.open('C010R.png')
pix = img.load()
w, h = img.size
flag = ''

for i in range(w):
for c in range(h):
r,g,b,a = img.getpixel((i,c))
if r == 255 and g == 255 and b == 255:
pass
else:
if flag.endswith("}"):
break
else:
flag += chr(r)
print(flag)

This script opens the image, processes its pixels, and extracts data from non-white pixels into the flag variable, which is then printed at the end. The specific data extraction logic appears to depend on the red channel values of the non-white pixels.

And we got the password.

Back to the zip file and unzip it, when cat the txt file we got the flag.

Flag: Flag{H3L1O_R_G_B_CH4NNELS_ARE_GO0D_FOR_DATA_H1D3}

Mallaw:

Category: Memory Forensics
Level: Hard
Points: 200

Description:
You have been tasked with investigating a suspected ransomware attack. The scenario involves a harmful operation that initiated the execution of a ransomware program on a target's computer system. Our objective is to gather evidence pertaining to the incident.



Question 1: Could you provide the MD5 hash value of the malicious file?

Question 2: Which external domain is associated with the malicious files?

Question 3: Is it possible for you to locate the additional file that was dropped by the malicious file?



Flag Format:Flag{md5_xxx://xxxxxxxxxxx.xx/xxx/_xxxx.xxx}

It’s a memory raw dump file, so I will use volatility3.

Q1: To get the MD5 hash value of the malicious file, we need to determine and dump it.

First, need to list all the processes to know what is suspicious.

python3 vol.py -f Mallaw.raw windows.pslist.PsList

The last program the user was opened Microsoft Word, so what about the file he opened? let’s check the user files on the Desktop, Download, Documents, …etc.

python3 vol.py -f Mallaw.raw windows.filescan.FileScan | grep '\Desktop'

Now, need to dump the doc file using the dumpfiles plugin and the virtaddr is 0x990291e69cb0.

python3 vol.py -f Mallaw.raw windows.dumpfiles.DumpFiles --virtaddr 0x990291e69cb0

then rename the file and run the md5sum:

Q2: To get the domain will upload the malware file on VirusTotal to see it’s relations, and we got the second question.

You can check the report here.

Q3: Now, we need to locate the additional file that was dropped by the malicious file, let’s try to check the Temp files with the filescan plugin and grep about it.

python3 vol.py -f Mallaw.raw windows.filescan.FileScan | grep -i '\Temp'

And finally, we got the file.

Flag: Flag{32b2cd58d760959799a9b02246dcd97d_http://dumnissus20.de/KrB_15590.exe} 

Thanks for your time and effort to read this. I hope you liked it and enjoyed reading it.

If you have any comments, edits, or another way to solve them, don’t hesitate to contact me:
https://www.linkedin.com/in/0x4de1

--

--