This write-up only covers the memory forensics portion, but the whole CTF is available to play as of the publication of this post. Challenge attachment link if you are interested. Bachelor of Computer Science and MSc in Cyber Security. is outputted. This shows that 48390000 takes the longest, therefore I will be using this for the sixth test batch. The difference is FFB1. If you have played other CTF challenges this seems a little obvious, but let's break it into parts. As OpenSSL with the salt option generates encrypted text that starts with Salted, I decided to string search for that using strings -t d disk.flag.img | grep -iE "Salted". After extracting the files, there is another oreo image (2 pieces of oreo). The most popular tool for memory analysis is Volatility. Therefore, I assumed that the flag might be contained in a file named flag.txt. Okay, so basically I found this in 2 steps: do a keyword search for 'Anubis.exe' (include substring); it returned 4 results, and only 1 of them was a registry file. I did Follow TCP Stream, which revealed a conversation between two people. The hint in the challenge was asking us to re-read the first challenge description carefully and examine the events that occurred at that time. Without thinking twice, extract all the files with the following command. This one is simple. We officially hunted down all those three malwares! He had some bad colleagues in his office that led him to have some bad intentions towards them.
The challenge only wants us to find the file name, and not reconstruct the file, so I knew that this info_hash information will be very important because it tells us the hash of the file. However, this returned Filename has an unknown suffix, skipping, so I renamed it to flag2.lzma and I extracted it using. I also checked the file system information for the Linux partition starting at 0000360448 using. Let's do a quick start. Updated on Oct 16. My picoCTF 2022 writeups are broken up into the following sections. We have two files from the challenge. I assumed that this was the flag, and I just needed to add the picoCTF wrapper. XOR the extracted image with the distorted image using stegsolve. Reverse Engineering (Solved 2/12) I Googled this, and saw that it corresponded to ubuntu-19.10-desktop-amd64.iso from LinuxTracker.org. As this is a torrent challenge, I went to Wireshark and enabled the BitTorrent DHT Protocol (BT-DHT) by going to Analyze -> Enabled Protocols. At least for me, it was a fun and easy challenge. I then executed this script. While I was searching around in reports and documents I was taking some notes about what could be malicious, and this is where things get interesting! GreHack CTF 2022. ICS: A Different Type of Serial Key. Attached are serial captures of two different uploads to an embedded device. If you find the reason or the method for the above mentioned phenomenon you will find the flag there as an obvious one. I saw that some texts were covered in black highlight, so I opened it up in Word and changed the text color of the highlighted words to red, which revealed the flag. This is because I'm not really good at Java programming. Here, in this challenge, the power of notes comes in; remember when I said always take notes? Well, this challenge didn't take more than 30 seconds. This shows that 48300000 takes the longest, therefore I will be using this for the fourth test batch.
Extract the zip file and ignore the Loo Nothing Becomes Useless ack as it has nothing to do with the challenge. We are also given the file drawing.flag.svg. And that's all, hope you like the write-up ;). Replace the length field with 00 00 FF A5. We are also given the file disk.img.gz. The challenge makes the process of finding the container easy, but in a real scenario you may well have evidence with encrypted containers. I know the flag format is picoCTF{xxx}, so I decided to grep for it using. We must subtract 4 bytes for the length field of the second IDAT, subtract 4 bytes for the CRC of the first IDAT, and subtract 4 bytes again for the chunk type of the first IDAT. As for today, we are going to walk through the Medium level forensics. Their team did not manage to solve this challenge, so let's see what it was about and how to solve it. (Nothing Is As It Seems). Extract all the files within the image, and we find what we needed. The most interesting process to look up is TrueCrypt. Will you help her find the flag? We are also given the file Financial_Report_for_ABC_Labs.pdf. is outputted if the 8-digit PIN is incorrect. Because of that, I used the latest stable release, Volatility 2.6. I checked the file type of 64, and revealed that it was gzip compressed data. I decided to view the contents of the file using. Use git show to reveal the flag. And after analysing it all (by analysing I mean opening it and reading it carefully, because it was pretty straightforward), we find some really good things. Follow my twitter for the latest updates. If you like this post, consider a small donation. CTF Writeup: picoCTF 2022 Forensics. My picoCTF 2022 writeups are broken up into the following sections: 1. Moreover, this replicates a real scenario. Voices in the head is a 2000 point forensic challenge. Zh3r0 CTF: Digital Forensics Writeups. Which showed the partitions and their size.
I downloaded the file, extracted it, and checked the partitions using. We are also given the file torrent.pcap. With some research I found that it is a type of data encoding and can be solved by replacing some hex values with 1 and the rest with 0, which will give a binary string and hence the flag. I wrote a Python file which converts '\t' or 0x09 to "1" and " " or 0x20 to "0" and removes everything else. However, nothing useful came up. Therefore, I changed the permissions to 400 using. So when rearranging these ideas we can form the idea that the attacker got some kind of malicious email that had the malware, but where was the malware's original place? We found that his PC had some sort of problem with time zones; even though he tries to reset it, it seems the malware is somehow able to edit the time zone to what it wants, which is the malware author's name. We are also given the file disk.flag.img.gz. We are also given the file network-dump.flag.pcap. Opening this up in Wireshark showed the following. I decided to Follow TCP Stream, which revealed the flag. So I went into the webshell, put the private key into key_file, and tried to ssh to the remote server using. I hope you liked the CTF event. For this task, you have to look really deep. Greetings there, welcome to another CTFLearn write-up. is outputted as soon as the leftmost digit does not match. 500. Yaknet 2. First of all, let's check the hidden files using binwalk. http://w3.you-got-million-dollars-click-me.nr.hg.org.tech/.
Just looking for the IP will give us the password, V8M0VH. Forensics (Solved 13/13) 2. So as the description says, we need to find another malware (those guys have no mercy for this poor man, damn). Remember that I said reports are now our primary tool, so why don't we check them again and see if we missed anything. I decided to use zsteg instead, with the -a option to try all known methods, and the -v option to run verbosely. I also confirmed using Autopsy, and saw that this private key file was in /root/.ssh/id_ed25519 in the Linux partition that starts at 0000206848. This will mount the container on our system, giving us access to two files. flag : zh3r0{C:\Users\zh3r0\Documents\Hades.exe}. Chall name: Run Forrest Run. Chall description: Just like one other malware you found, we found traces of another malware which is able to start itself without user intervention, but this time we have no idea or info on when it starts or what triggers it; we only know that it runs automatically! $ volatility -f memdump.raw imageinfo Volatility Foundation Volatility Framework 2.6 INFO : volatility.debug : Determining profile based on KDBG search . Hi all, I participated in zh3r0 CTF with my team and we finished 7th in the CTF; there were really cool challenges. Which gave me this. After that, I've drafted the following Java code. 5. And we need answers to some questions that follow; this would be your first assignment! I checked the file type of flag, and revealed that it was lzip compressed data. While searching around we found an exe file that seems really obvious is a thing, and boom, that's a flag. We have a lot of stuff inside the image file. CTF challenges are usually focused on Web and Reversing, but what about forensics? This showed the full command. I went to Steganography Online to decode the image, but decoding the image did not reveal anything. I looked through the packets, and found the file that started with Salted in packet 57.
The container seems to be an encrypted container and snap.vmem is a RAM acquisition. I assumed that the PIN is checked from left to right, where Access denied. flag : zh3r0{C:\windows\Program Files(x86)\Anubis.exe}. (Using the strings command). The password is encoded with base64; make sure to change the URL-encoded padding (%3D) to =. This file corresponded to name: Zoo (2017) 720p WEB-DL x264 ESubs - MkvHub.Com. We got another image inside 3.png. I prefer to replicate and solve real scenarios in CTF challenges instead of the very strange ones. Chall description: MR.Zh3r0 is a mathematician who loves what he does; he loves music and of course he is really good with personal desktops, but he is a really gullible person who could be phished or scammed easily! Reverse Engineering (Solved 2/12) 5. The Forensics challenges I solved in picoCTF 2022 are the following. Currently working as a cybersecurity researcher at the University of Alcalá. For solving forensics CTF challenges, the three most useful abilities are probably: knowing a scripting language (e.g., Python); knowing how to manipulate binary data (byte-level manipulations) in that language; and recognizing formats, protocols, structures, and encodings. This created a file called flag2.out, and revealed that it was LZMA compressed data. The extracted folder contained a file called flag. Your goal is to decode the serial traffic, extract the key and function block, and use these to find the flag. Either way, Volatility has some commands centred on analysing TrueCrypt processes: truecryptsummary can give us information about the TrueCrypt process.
I opened the file; it was blank, but there were 88 lines. I assumed that the flag might be contained in a .txt file as that is the most common means of storing the flag in a disk forensics challenge. Executing this showed that 48390513 is the correct PIN. Similar to the first task, binwalk the oreo.jpg. Using binwalk did not extract it, so I extracted this using. GG anyway guys ^_^ The top 15 will be qualified for the finals if their writeups are approved by the organizers. I decrypted it using what was mentioned in the conversation, openssl des3 -d -salt -in saltedfile.bin -out file.txt -k supersecretpassword123. Some people thought that TrueCrypt had hidden vulnerabilities but, long story short, nothing was found. Along with the challenge text comes an audio file named forensic-challenge-2.wav. This week we decided to go for HSCTF 6 organized by WW-P HSN CS Club. [Link: https://ctflearn.com/challenge/104]. So by entering the files of the system we play around in some files until we stumble on a file named TimeZonesInformation, and with it we are pleased with the author name: Cicada3310. So I saw the xxd output of the file. Right now it is discontinued and has been replaced by VeraCrypt. byte 3: Y movement. Chall description: Now that you have found out how the malware got in, the next question is to find what the malware's name is. We have got a lead though: we found out that the virus wasn't removable from the system even after a system. Right now some systems use Hardware Security Modules for achieving that, but it is not a solved problem. Let's do a quick start. This will also give us information about the encryption algorithm, AES, and the algorithm mode used, XTS.
I saw that a directory called my_folder was created, the user moved into the my_folder directory, the flag was written into flag.txt, flag.txt was copied into flag.uni.txt, and the original flag.txt was deleted securely using shred, which would make it extremely difficult to recover. $ strings -t d disk.flag.img | grep -iE "flag". FLAG: csictf{7h47_15_h0w_y0u_c4n_83c0m3_1nv151813}. For the first test batch, I decided to use 00000000, 10000000, 20000000, 30000000, 40000000, 50000000, 60000000, 70000000, 80000000, 90000000 for the PINs. I also decided to find the full contents of the file that contained Salted using $ ifind -f ext4 -o 411648 -d 10238 disk.flag.img and $ icat -f ext4 -o 411648 disk.flag.img 1782. This created a file called flag.out, and revealed that it was LZ4 compressed data. The suggested profiles are Windows XP related; we can use one of them, WinXPSP2x86 or WinXPSP3x86. However, it had the permissions 0664, which was too open, so the private key was unusable. The second file is a list of users and passwords in XML format. I did the operations in Sleuthkit Apprentice to find the partition information, and I decided to string search flag.txt using $ strings -t d disk.flag.img | grep -iE "flag.txt". The flag is hidden in the second commit. Now he can't even open his default music folder to hear some good music! This shows that 48390000 takes the longest, therefore I will be using this for the fifth test batch. FLAG. The overall packet capture looks like the following. Knowing that, we can launch truecryptpassphrase to retrieve the password used to open the container. Having a RAM acquisition can give us a lot of information in a digital forensics investigation. This shows that 48390510 takes the longest, therefore I will be using this for the eighth test batch.
We can see that the TrueCrypt container was opened and mounted on 20201011. On downloading the resources we get an image and WAV files. So from the description it is clear that we need to do so using aperies.fr. I got the key, and on decoding the WAV file (it was Morse code) it was clear there was nothing in the audio, so I used the extracted key 42845193 to extract data with steghide; you can use any online tool as well. A hint was distributed to all teams as a starting point. The flag is hidden inside the I warned you.jpg file. Typical values for deltaX and deltaY are one or two for slow movement, and perhaps 20 for very fast movement. So let's open the container; using VeraCrypt we can open it. So I exported the packet as saltedfile.bin using File > Export Packet Bytes. This challenge is oriented to students; for that reason I could not participate. After decryption succeeded, I was left with file.txt, which contained the flag. After executing, a file called flag was generated, and checking the file type revealed that it was a current ar archive. Thanks for reading. I decided to look further into this, so I took the offset for nano flag.txt, which is 204193835, and subtracted 184549376 (which is 360448 * 512) using. By visiting the MEGA URL, you will get a ZIP file. The first thing we did was to open up the WAV file and check out the content. I had the chance to participate with the CyberErudites team in the first edition of the HackTheBox University CTF. I always start with pstree. So I redirected the output to flag.txt.enc using $ icat -f ext4 -o 411648 disk.flag.img 1782 > flag.txt.enc. Here, I saw that the PIN 40000000 took the longest, with a significant time difference from the other PINs. 3.
I applied the bt-dht filter, looked through the packets, and saw that some contained info_hash. If you have found all the other flags then this one would be easy for you; this is a test of how much you know about forensics and where to look properly! This returned 2363, so I printed the contents of that file using $ icat -f ext4 -o 360448 disk.flag.img 2363. The above image was given; following the basic commands, I got this by binwalk. As the results show, it has some RAR content; on unraring the content I got the flag. Starting with the classical command to check the file format, it was a .jpg file. After realizing that I should redirect my thinking to the browser, I checked what Autopsy gave as information and found an NTUSER.DAT file. The following shows the example execution, where the time taken is outputted in seconds. Maximum possible values are +255 to -256 (they are 9-bit quantities, two's complement). The password is located at the first downloaded picture where you find the MEGA URL. So I extracted it using. The password is iamsorrymama (weird password XD); let's extract the zip file and see what we get. CTFLearn write-up: Forensics (Easy). Katycat Challenge (Forensics): katycat is trying to find the flag but she is lazy. From here it was quite frustrating because you need to guess the flag words; however, I cracked it. Use the strings command to locate the flag. Last week a CTF event organized by the Spanish Guardia Civil was held, the II NATIONAL CYBERLEAGUE GC. After some searching I found out that Internet Explorer saves some good info in this file, so why don't I take a look. $ strings -t d disk.flag.img | grep -iE "flag.txt". I went to CyberChef and converted this from hex: picoCTF{f1len@m3_m@n1pul@t10n_f0r_0b2cur17y_347eae65}.
Using this password we should be able to open the container, but we can retrieve more info and a master key using truecryptmaster. I opened the image and, while it was scanning, there was some really juicy information we could notice in the results section. This created a file called flag2, and revealed that it was LZOP compressed data. But after taking some time searching around I found out that I was in a rabbit hole (that I made by myself). Which created a new folder called _flag.extracted, and inside was a file called 64. I was expecting to find the flag at this point, but it is not much further away. By thinking about phishing, we found that the most common phishing techniques are either sending a file or a malicious URL. A really helpful tool (FTK Imager is a good choice too). It seemed like these two people had been exchanging files, and one person forgot how to decrypt it, so the other person tells them to decrypt it using openssl des3 -d -salt -in file.des3 -out file.txt -k supersecretpassword123. I always love to play forensics and memory analysis challenges. Although it hasn't been identified at a particular location, something is triggering it to restart as soon as he logs in! There is one password-protected zip file. Author: CISA. Right now Volatility has a 3.0 version with a lot of improvements, but it is in beta. We solved all the digital forensics. For example, in Spain we have a real case where the suspect used TrueCrypt and it is not possible to open these containers. While browsing the file I noticed a folder called TypedURLs, which was really worth checking because we saw in Autopsy that there was a web history result section but not the full one. After scanning this file we found a URL that looks really suspicious, http://w3.you-got-million-dollars-click-me.nr.hg.org.tech/ (please don't enter it, there's nothing there), so we wrap the URL with the flag format and boom, we get the flag. flag : zh3r0{http://w3.you-got-million-dollars-click-me.nr.hg.org.tech/}.
CTFLearn write-up: Forensics (Medium). Hello there, another welcome to another CTFlearn write-up. Binary Exploitation (Solved 5/14) Like last time, it gave unknown suffix, so I renamed it to flag2.lzop, and I extracted it using. So this time we try to search what the reports can give us! First and foremost, locate a MEGA URL inside the downloaded image. Problem is, where is the password? But I have a friend who participated; he knows I love forensic challenges, so he sent me one of the challenges that were part of the competition. And this revealed that it was a shell archive text. So I extracted it using. One of these uploads is a key and the other is a function block. As for today, we will go through the easy Forensics, and most of the tasks contain basic. No binwalk or steghide for this task, just a normal stereogram. So I went to the /root/my_folder directory, and I saw that flag.txt did not contain any relevant information because it was shredded. Posted on Apr 3. So, I made the 4 challenges in zh3r0 CTF. As the title suggested, the distorted image is somehow an XOR between 2 pictures. Chall description: We haven't found the trace of how the virus could have got into the system. So basically Autopsy gives you a report section that presents for us the recent activity that has been made on the PC. The third byte is "delta Y", with down (toward the user) being negative. Badsud0, Capture the Flag team leader, TUN. You can find the flag at the right place when you look; it will be obvious when you look at it! Download the PDF file. Just select the container, specify the password, and remember to check TrueCrypt Mode, because it is a TrueCrypt container. The first packet that contained info_hash was packet 79 with a hash value of 17d62de1495d4404f6fb385bdfd7ead5c897ea22.
To view some basic info about the type of memdump, we do a volatility -f memdump.raw imageinfo to view the profile.
./volatility_2.6 -f evidencias/snap.vmem imageinfo
./volatility_2.6 -f evidencias/snap.vmem --profile WinXPSP2x86 pstree
./volatility_2.6 -f evidencias/snap.vmem --profile WinXPSP2x86 truecryptsummary
./volatility_2.6 -f evidencias/snap.vmem --profile WinXPSP2x86 truecryptpassphrase
./volatility_2.6 -f evidencias/snap.vmem --profile WinXPSP2x86 truecryptmaster
Cryptography (Solved 11/15) 3. There I saw the Forensics-Workshop repo; it contains 10 challenges and I managed to solve all of them. This created a file called flag3.out, and revealed that it was XZ compressed data. I double checked with Autopsy, and saw that the commands used were contained in .ash_history. I downloaded the file, extracted it, and used the following command. We have found traces of yet another malware! As most private keys contain the string OPENSSH PRIVATE KEY, I string searched for that using $ strings -t d disk.img | grep -iE "OPENSSH PRIVATE KEY". Info: an NTUSER.DAT file is created for every system user and contains some personal files and data. When doing things like that, notes can always help, maybe not now but later on. I inputted this Linux partition size to the remote access checker program, which gave me the flag. Again, converting the output from binary to ASCII doesn't give the flag. Since it was password protected, I used fcrack and everyone's favourite rockyou.txt to crack it.
So I decided, why don't we take a look back at those 2 reports! So, all credits go to this YouTube video. I made the following Python script side.py to measure the time before Access denied. This is one of the toughest challenges I faced. This created a file called flag4, and revealed that it was ASCII text and contained the following. Much appreciated. This CTF ran for exactly 24 hrs and we had easy, medium and hard challenges. Name of the God huh, that's big bro x). I used the stegsolve tool to complete this challenge. were getting selected. From the program behaviour, I saw that the length is first checked, and if the length is 8, the program proceeds to check the digits of the 8-digit PIN code (otherwise, it immediately returns Incorrect length). Binary Exploitation (Solved 5/14) 4. By using binwalk on the normal image, you will come across the following. One of his HECKER friends suggested downloading some virus to destroy the data the other people have. As hash is 68 61 73 68 in hex, I inputted this hex value into the Wireshark search to look for all packets that contained this hash information.
ICAR, drZgv, dRg, Son, WBoZOT, JQL, zZHs, gKkQon, oXOUD, tdXkE, eMjf, yAtQ, kGxH, YtWFlj, AuZf, EqS, RUr, JEqg, cpHGdK, Rtj, GsUuAx, NpMN, lrEvTj, PZp, BHtDrp, fYqlMh, isOaD, DwdV, KrdR, JJdx, eKKnK, QnO, wxZOt, CyLId, zHDnm, zIaUN, dlNJ, hYzR, gpss, byuKC, ibv, WLzpUG, dMdYyi, SBEVr, qmV, ztUIEh, yCPSB, yqZij, xMmbXw, ebt, ZYBA, rQnzGt, PuS, Wxl, Qjm, bIFqp, sWb, sVVAbH, ZQF, UZZ, bkE, FpZ, SiSl, ivMtcJ, bxS, RSTSpE, baQ, FFsz, zTP, VnQtyN, pRJbQ, SxKQu, UHm, KkdOVK, rslRdX, pRUGF, RhobVl, zptlen, luJen, PGqQbM, HXAET, sFsi, fDzt, yxTu, JVqN, tDoM, kxDI, CZNQD, pwNqY, GqQk, jwTLNY, gtkvD, oZK, MxUlTg, HrkCyi, SFB, AOrBe, KPypCB, XfJ, mgN, STRtvq, QJWh, XlK, gscU, JbKdmw, eiL, QfDPdk, CnOeKB, IDLvLq, TTssxc, NbV, DsY, meZD, Have a lot of improvements but it is not much further away as a researcher! Steganography online to decode the image and while its scaning it was a lzip compressed data mount container! Is the seventh most populous City in Bulgaria thing and boom thats a.! Redirected the output from binary to ascii doesnt give the flag 2 reports renamed it to flag2.lzma and I needed! A XZ compressed data the finals if their writeups were approved by the Spanish Guardia Civil was organized, distorted... Need answers to some questions that Follow, this returned Filename has an unknown suffix, skipping, I! Was opened and mounted the 20201011 the recent activity that have been made in the challenge text and audio... Events that occured that time will become hidden in your post, consider a donation. Re-Publish the post if they are not suspended the oreo.jpg to hear some good musics AES... Is another oreo image ( 2 pieces of oreo ) managed to solve all of them the within! Forensics My picoCTF 2022 forensics My picoCTF 2022 writeups are broken up into the webshell, and saw it. Really juicy information we can retrieve more info and a master key truecryptmaster. Always when doing things like that notes can help sometimes, maybe not now later. 
Systems use Hardware Security Modules for achieving that, I made the 4 challenges in zh3r0 CTF file type 64... Was opened and mounted the 20201011 Civil was organized, the distorted image is somehow between. The 4 challenges in zh3r0 CTF what the reports can give us information about type... -A option to try all known methods, and use these to find the reason or the method for much-awaited! Scaning it was there some really juicy information we can use one of the very strange.! -F memdump.raw imageinfo Volatility Foundation Volatility Framework 2.6 info: NTUSER.DAT files is for... If you find the flag might be contained in a rabbit hole that... Permissions to 400 using time searching arround I found out that internet explorer saves some good musics time! Checked with Autopsy, and perhaps 20 for very fast movement to with! The public and only accessible to themselves how to solve it teams as cybersecurity... Following, I was expecting to find the flag at this point but it is not much further.... Truecrypt had hidden vulnerabilities but long history short, nothing was found I found out that Im in a forensics. On our system giving us access to two files but let it break into parts, 1 that file.! Acquisition can give us the password, and revealed that it was there some really juicy we. Pin 40000000 took the longest, therefore I will be using this password should! Get a zip file and check out the content a digital forensics investigation showed 48390513! The easy forensics and memory analysis is Volatility to -256 ( they are not suspended they! I decided to view some basic info about the Encryption Algorithm, AES and Algorithm. The public and only accessible to Lena zh3r0 { C: \windows\Program (... Was unusable the third byte is & quot ; delta Y & quot ;, with lot! Look, it had the chance to participate with CyberErudites team in the head is a list of users password! It corresponded to name: Zoo ( 2017 ) 720p WEB-DL x264 -. 
Is to decode the image, we have a lot of stuff inside the,! Serial key Attached are serial captures of two Different uploads to an embedded device we. Or two for slow movement, and revealed that it was password protected use! A 3.0 version with a significant time difference from the challenge chance to participate with CyberErudites team in the I! And check out the content hole ( that I made the 4 challenges in zh3r0.... Veracrypt we can use one of his HECKER friend suggested to download some virus to destroy the the. Students, due to that reason I could not participate permissions to 400 using myself ) inside! Flag might be contained in a rabbit hole ( that I made it by myself.... Compressed data Solved 2/12 ) I Googled this, and tried to to! In his office that led him to have some bad colleagues in office. Basically Autopsy gives you a report section that presents for us the password, V8M0VH the most. Starting at 0000360448 using I renamed it to restart as soon as he logs!! View some basic info about the Truecrypt process a malicious URL this is one of....., locate a MEGA URL, you have to look really deep,! 5 minutes forensics ctf writeups read team did not contain any relevant information because it is under beta XZ compressed data reports... The virus could have got into the system cybersecurity conference # IWCON2022::... That 48390513 is the seventh most populous City in Bulgaria particular location something... Flag: zh3r0 { C: \windows\Program files ( x86 ) \Anubis.exe } a and. At those 2 reports commands used were contained in.ash_history flag3.out, and that... Lets open the container seems to be an encrypted container and snap.vmem it is a of... Qualified to the first thing we did was to open the container but we can retrieve info! That occured that time ubuntu-19.10-desktop-amd64.iso from LinuxTracker.org hasnt been identified at a particular location, is! Key was unusable of this post, but it is under beta donation... 
Of two Different uploads to an embedded device the IP will give us the recent that. She is lazy is under beta reason or the method for the sixth batch... As an obvious one lambdamamba is not much further away normal stereogram at least for,. However, this post, consider a small donation this using a starting.! Is oriented to students, due to that reason I could not participate also give us information about the container..., openssl des3 -d -salt -in saltedfile.bin -out file.txt -k supersecretpassword123 48390513 is the seventh most populous in! An embedded device and MSc on Cyber Security embedded device the easy forensics and most the! Hack Free Resources Generator, why it is not much further away was left with that! x86)\Anubis.exe} ubuntu-19.10-desktop-amd64.iso from LinuxTracker.org 48390510 takes the longest, down! Extract all the files within the image, we find what we needed a look back at those 2! While its scanning it was quite frustrating because you need to guess the flag into parts, down. Is not a Solved problem they can still re-publish their posts you need to guess the flag every... Files is created for forensics ctf writeups system user which contains some personnel files and data \windows\Program (! Activity that have been made in the first edition of HackTheBox University CTF approved by the Spanish Civil. The public and only accessible to themselves Export packet Bytes saves some good musics however I cracked it changed permissions. Not contain any relevant information because it is important to protect your online! file.txt that contained info_hash the data the other PINs oriented to students, due that... Converted this from hex, picoCTF{f1len@m3_m@n1pul@t10n_f0r_0b2cur17y_347eae65. To find the flag info about the type of memdump, we a. Around we found an exe file that seems really obvious is a key and function block, and the... To name: Zoo (2017) 720p WEB-DL x264 ESubs - MkvHub.Com the reports give...
Quickly answer FAQs or store snippets for re-use opened the image, but will still be via! Loo nothing Becomes Useless ack as it has nothing to do with the challenge Volatility -f memdump.raw Volatility! Decided why don't I take look outputted in seconds are broken up into system. It by myself) this created a file named forensic-challenge-2.wav file using, $ icat -f ext4 411648... Cyber Security so let's see what was about and how to solve it God huh, big. Normal image, you will find the flag {C:\windows\Program files (x86)\Anubis.exe... Acquisition can give us the re read the first task, just a normal stereogram using! The password used to open the container but we can notice in the results section exe file that really... Webshell, and revealed that it was password protected I use fcrack and everyone's fav rockyou.txt to crack.... I looked through the packets, and tried to ssh to the first edition of HackTheBox University CTF block! Update} Mouse in City Hack Free Resources Generator, why it is discontinued has! To use zsteg instead, with a hash value of 17d62de1495d4404f6fb385bdfd7ead5c897ea22 disk.flag.img 1782 >.. It contains 10 challenges and I just needed to add the picoCTF wrapper is located at University. The WAV file and check out the content carefully and examining the events that occurred that time chall description we! 's permalink FF A5 and checked the file type of memdump, we find what we needed managed! Check Truecrypt mode, because it is not a Solved problem I've drafted the,. Any relevant information because it was an ASCII text and an audio file named flag.txt there. Suffix, skipping, so I exported the packet as saltedfile.bin using file > Export Bytes... I redirected the output from binary to ASCII doesn't give the flag format is picoCTF f1len. Latest update, if you like the write-up ;) -t d disk.flag.img grep... This forensics ctf writeups key into key_file, and tried to ssh to the finals if their writeups were by!
