CyCtf Finals 2023 Forensics Writeups

a1l4m
7 min read · Nov 23, 2023

Hi, this is Khaled Allam, known as “a1l4m”. Recently, we secured 3rd place at the finals of the CyCtf Competition, hosted by Cyshield, and I was able to solve all the forensics challenges presented there, with two first bloods.

background

I’ve decided to write this up step by step, starting with the simpler challenges and gradually moving toward the harder ones.

Challenge Name: partially
Link: Download

partially

We got a PDF file, but it’s corrupted. From the description, we can tell that the intended solution is just fixing the headers with any hex editor tool like Hexedit, but there is also a quick solution: run binwalk (or foremost, for a nicer output format) to carve out anything inside this PDF that is not corrupted.

binwalk -e partially.pdf
foremost partially.pdf
output of binwalk

We get multiple JPEG files; going through them, you will find that one of them contains the flag.
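To show what binwalk and foremost are doing under the hood on that corrupted PDF, here is an added example (my own code, not from the challenge or from either tool): a minimal signature carver that walks a blob for the JPEG start-of-image marker (FF D8 FF) and the matching end-of-image marker (FF D9) and cuts out every run in between. The sample input is a constructed stand-in for the challenge file, with the image data replaced by readable ASCII payloads; only the markers matter to the carver.

```python
"""Minimal signature carver for JPEG images embedded in an arbitrary blob.

This is the idea behind `binwalk -e` / `foremost` on a corrupted PDF: the PDF
structure is damaged, but the image streams still start with the JPEG SOI marker
(FF D8 FF) and end with EOI (FF D9), so they can be cut out by signature alone.
"""
from pathlib import Path

SOI = b"\xff\xd8\xff"   # start of image (plus the first byte of the next marker)
EOI = b"\xff\xd9"       # end of image

# Constructed stand-in for the challenge file: a wrecked PDF header followed by two
# JPEG-shaped blobs. Real image data is replaced by ASCII payloads so the bytes are
# easy to read; the markers are the only thing the carver relies on.
SAMPLE_PDF = (
    b"\x00\x00\x00\x00CORRUPT-HEADER\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
    + b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"first-image-payload" + b"\xff\xd9"
    + b"\n2 0 obj\nstream\n"
    + b"\xff\xd8\xff\xe1\x00\x16Exif\x00\x00" + b"second-image-with-flag" + b"\xff\xd9"
    + b"\nendstream\n%%EOF\n"
)


def carve_jpegs(data: bytes) -> list[bytes]:
    """Return every SOI...EOI run in data, in file order. A trailing SOI with no EOI
    (a truncated image) is skipped rather than emitted as garbage."""
    images = []
    pos = 0
    while (start := data.find(SOI, pos)) != -1:
        end = data.find(EOI, start + len(SOI))
        if end == -1:
            break            # SOI without EOI: the tail is truncated, nothing more to carve
        images.append(data[start:end + len(EOI)])
        pos = end + len(EOI)
    return images


def carve_file(src: Path, out_dir: Path) -> list[Path]:
    """Carve src into out_dir/<n>.jpg files and return the written paths."""
    out_dir.mkdir(parents=True, exist_ok=True)
    written = []
    for n, blob in enumerate(carve_jpegs(src.read_bytes())):
        dest = out_dir / f"{n}.jpg"
        dest.write_bytes(blob)
        written.append(dest)
    return written


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "partially.pdf"
        src.write_bytes(SAMPLE_PDF)          # write the constructed sample to disk
        for p in carve_file(src, Path(tmp) / "carved"):
            print(p.name, p.stat().st_size, "bytes")
```

One caveat worth knowing before trusting a carver like this on real evidence: a JPEG with EXIF data usually embeds a thumbnail that has its own FF D9, so cutting at the first EOI truncates the outer image. foremost and binwalk avoid that by parsing the marker segments and their lengths instead of stopping at the first end marker.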

flag

Challenge Name: cache conquest
Link: Download

cache conquest

Well, here we have an image file, but it contains only the AmCache hive.

“Known as the Windows file protection cache, it is a hive that is used by the OS to store information about the files that are installed on the system.”

Since we don’t have any other artifacts, let’s just extract this folder, parse the hive with AmcacheParser, and see what programs are installed on the system.

output

Parsing it gives us a CSV file as the result; let’s check the programs listed there.

csv file

When you open the file, this entry is going to be right in front of your eyes. Even without any further investigation it looks pretty suspicious, and the description also says that the file was executed from an external drive: this is the only entry whose drive differs from all the others.
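The same “which entry ran from a different volume” check can be automated instead of eyeballed. The following is an added example written for this writeup, not part of the challenge or of AmcacheParser: it reads a constructed excerpt in the shape of AmcacheParser’s file-entry CSV (the column names FullPath, FileKeyLastWriteTimestamp and SHA1 are assumed to match the tool’s output), counts how many entries live on each volume, and returns the ones on minority volumes such as a removable drive or a UNC share.

```python
"""Flag AmCache file entries that executed from an unusual volume.

AmcacheParser (Eric Zimmerman) writes one CSV row per file entry. The rows below
are constructed to mirror that layout; the column names are assumed to match the
tool's output and the SHA1 values are dummies.
"""
import csv
import io
from collections import Counter

SAMPLE_AMCACHE_CSV = "\n".join([
    "FullPath,FileKeyLastWriteTimestamp,SHA1",
    r"c:\windows\system32\notepad.exe,2023-10-01 10:00:00,0000000000000000000000000000000000000001",
    r"c:\program files\7-zip\7z.exe,2023-10-01 10:02:00,0000000000000000000000000000000000000002",
    r"c:\users\bob\appdata\local\temp\setup.exe,2023-10-02 08:15:00,0000000000000000000000000000000000000003",
    r"e:\tools\updater.exe,2023-10-02 09:41:00,0000000000000000000000000000000000000004",
])


def drive_of(full_path: str) -> str:
    """Return the volume a path lives on: 'c:' style drive letters, or
    '\\\\server\\share' for UNC paths, lower-cased. Unknown shapes give '?'."""
    p = full_path.strip().lower()
    if p.startswith("\\\\"):                 # UNC path: \\server\share\...
        parts = p.split("\\")
        return "\\\\" + "\\".join(parts[2:4])
    if len(p) >= 2 and p[1] == ":":
        return p[:2]
    return "?"


def outlier_drive_entries(csv_text: str, max_share: float = 0.5) -> list[dict]:
    """Return entries whose volume holds fewer than max_share of all entries.

    With the usual system drive holding nearly everything, anything that ran from
    another volume stands out; max_share=0.5 simply means 'any minority volume'.
    """
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    if not rows:
        return []
    counts = Counter(drive_of(r["FullPath"]) for r in rows)
    hits = []
    for r in rows:
        drive = drive_of(r["FullPath"])
        if counts[drive] / len(rows) < max_share:
            hits.append({
                "path": r["FullPath"],
                "drive": drive,
                "last_write": r["FileKeyLastWriteTimestamp"],
                # AmCache's SHA1 is worth pivoting on, but note it covers only the
                # first ~31 MB of a file, so large binaries may not match a full-file hash.
                "sha1": r["SHA1"],
            })
    return hits


if __name__ == "__main__":
    for hit in outlier_drive_entries(SAMPLE_AMCACHE_CSV):
        print(f"{hit['drive']}  {hit['last_write']}  {hit['path']}")
```

Replace SAMPLE_AMCACHE_CSV with the text of the real AmcacheParser export and the function does the filtering that the writeup did by hand; the drive letter alone is the signal here, exactly as in the challenge.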

Challenge Name: artistic helium
Category: forensics

artistic helium

In this challenge too, we got an image file of a Windows machine; let’s see what is inside.

file tree

Local and Roaming data, so it’s probably an application forensics challenge. Let's read the description again.

The challenge name is artistic helium, and the description talks about DaVinci, hmmm. So maybe we have to search for an application related to photos or something like that. Looking around, I can’t see any applications “related to photos” except the Windows apps, which are located under Local\Packages.

packages tree

Going through the files under Microsoft Paint, we see a Helium directory that contains local registry hives.

Helium

Opening any of them with Registry Explorer and going to the recent file list, we are going to find this file name, which looks like base64-encoded characters.

Decoding that gets us the flag :”

Challenge Name: RCA
Link: Download

rca

Exploring the image file, we only have the SOFTWARE and SYSTEM registry hives.

The description talks about an application that is vulnerable to privilege escalation, which the attacker took advantage of. So I guess we have to check the services on the system, but there are too many of them.

What I did first was discover the applications installed on the system by checking this registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

uninstall key

We find that there are only two applications, WinRAR and OpenVPN Connect. I then searched for public exploits matching the versions of WinRAR and OpenVPN Connect.

exploit db

Opening this report

exploit

We find that this exploit is actually related to services, and the vulnerable service name is agent_ovpnconnect_1559309046710.exe. After that, I opened the services under the key HKLM\System\CurrentControlSet\Services and filtered for part of the service name to see whether it is actually there or not.

output

And yes, it was there. Double-clicking on it, we see the exact same service that is vulnerable to privilege escalation.

Now we just need to construct the flag with all the information that we have.

Challenge Name: Imposter
Link: Download

Now the big boy. We managed to get first blood on this one, and there were only two solves in total, which I guess is because of some obstacles you are going to face along the way.

Simply put, the description says that the attacker changed the timestamp of the malicious file so that it looks legitimate among the normal processes.

Let’s open the image file using FTK Imager. In this challenge there are NTFS logs: $LogFile, $MFT and $UsnJrnl.

files tree

First problem: how are you going to extract these files? FTK Imager just doesn’t work when it comes to these attributes, and you can’t open the image in Autopsy because Autopsy doesn’t support AD1 files.

We can either convert the AD1 to a file format that Autopsy understands, or use the trick that my teammate (Fathi) found: a 7-Zip plugin called Forensic7z (you can find the documentation here).

So after extracting $LogFile and $MFT, we can start the real work.

Parse $LogFile with NTFS Log Tracker and $MFT with MFTECmd by Eric Zimmerman, then open both CSV files.

NOTE: “NTFS uses $LogFile to monitor changes to files/folders, but unlike $UsnJrnl it stores detailed low-level changes, which provides more resilience for the file system.”

Let’s start with $LogFile. Filtering for .exe to see all the executables that were operated on, we get 92 hits.

Going through them, I have found this.

wow

Hmmm, why would someone rename a txt file to an executable, and not just any executable: spoolsvc.exe looks like spoolsv.exe, a legitimate process that you are going to find on any Windows machine. Unless he wants to evade detection :”

I couldn’t get any more data from $LogFile, so it was time for $MFT. We now have a pretty suspicious executable, spoolsvc.exe, so let’s check the MFT for the MACB timestamps of that executable.

spoolsvc

Filtering for spoolsvc.exe gives us only one hit. Checking it, we see that this file has two different creation times, which is what the attacker did to hide among all the other legitimate processes.

Checking the normal processes to see at what time they were operating, it was something like 2023-10-05 ….

legitimate processes timestamp

spoolsvc has one creation time that sits among the legitimate processes, 2023-10-05 14:51:56, and another creation time of 2022-05-07 05:19:49.

From here you can tell that the actual creation time of the file is the later one, 2023, and the stomped one is the old 2022 timestamp: the $STANDARD_INFORMATION timestamps can be set from user mode, while the $FILE_NAME timestamps are only written by the kernel, so when the two disagree the $FILE_NAME one is the trustworthy copy.
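That “two creation times” comparison is easy to script over a whole MFTECmd export rather than one filtered row. Below is an added example written for this writeup (not the challenge’s material and not part of MFTECmd): it reads constructed rows in the shape of MFTECmd’s $MFT CSV (the Created0x10 and Created0x30 column names are assumed to match the tool, 0x10 being $STANDARD_INFORMATION and 0x30 being $FILE_NAME), flags every file whose 0x10 creation time is earlier than its 0x30 creation time, and records a zero sub-second part as corroborating evidence, since timestamp-setting tools usually write whole seconds. The timestamps in the sample echo the ones from the challenge.

```python
"""Flag NTFS timestamp stomping from an MFTECmd-style CSV export.

$STANDARD_INFORMATION (0x10) timestamps are writable from user mode (SetFileTime and
friends); $FILE_NAME (0x30) timestamps are only updated by the kernel. A file whose
0x10 creation time is earlier than its 0x30 creation time is a stomping candidate;
a 0x10 time with an all-zero fraction of a second strengthens the suspicion.
"""
import csv
import io
from datetime import datetime

# Constructed rows in the shape of MFTECmd's $MFT CSV; the column names Created0x10 /
# Created0x30 are assumed to match that tool. Times use its 100 ns (7-digit) fraction.
SAMPLE_MFT_CSV = "\n".join([
    "FileName,ParentPath,Created0x10,Created0x30",
    r"spoolsv.exe,.\Windows\System32,2023-10-05 14:51:10.1234567,2023-10-05 14:51:10.1234567",
    r"svchost.exe,.\Windows\System32,2023-10-05 14:51:12.7654321,2023-10-05 14:51:12.7654321",
    r"spoolsvc.exe,.\Windows\System32,2022-05-07 05:19:49.0000000,2023-10-05 14:51:56.2345678",
    r"notes.txt,.\Users\bob\Documents,2023-10-04 09:00:00.0000000,2023-10-04 09:00:00.0000000",
])

TS_FMT = "%Y-%m-%d %H:%M:%S"


def parse_ts(value: str) -> tuple[datetime, bool]:
    """Parse 'YYYY-MM-DD HH:MM:SS.fffffff' and report whether the fraction is all zeros.

    datetime only keeps microseconds, so the 7-digit NTFS fraction is truncated to 6
    digits; the zero check is done on the original text so nothing is lost there.
    """
    whole, _, frac = value.strip().partition(".")
    ts = datetime.strptime(whole, TS_FMT)
    if frac:
        ts = ts.replace(microsecond=int(frac[:6].ljust(6, "0")))
    return ts, frac.strip("0") == ""


def find_stomped(csv_text: str) -> list[dict]:
    """Return one finding per file whose SI creation time predates its FN creation time."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        si, si_whole_second = parse_ts(row["Created0x10"])
        fn, _ = parse_ts(row["Created0x30"])
        if si >= fn:
            continue                       # SI at or after FN is the normal case
        reasons = ["SI created earlier than FN created"]
        if si_whole_second:
            reasons.append("SI creation time has a zero sub-second part")
        findings.append({
            "file": row["FileName"],
            "path": row["ParentPath"],
            "si_created": si.strftime(TS_FMT),   # the stomped (fake) value
            "fn_created": fn.strftime(TS_FMT),   # the kernel-written (real) value
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in find_stomped(SAMPLE_MFT_CSV):
        print(f"{f['path']}\\{f['file']}: SI {f['si_created']} vs FN {f['fn_created']}")
        for r in f["reasons"]:
            print("   -", r)
```

Only the SI-before-FN condition triggers a finding; the zero-fraction heuristic is attached as a supporting reason rather than used on its own, because legitimate files copied from FAT volumes or old archives also carry whole-second timestamps (notes.txt in the sample is such a false-positive candidate and is correctly left alone). Note that a rename moves the file into a new $FILE_NAME record, so the FN creation time reflects the rename, which is exactly the time the writeup pairs with spoolsvc.exe.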

Now you just need to put together what you have, and that is the flag :”
cyctf{dolphin.txt_2023-10-05_14:51:56_spoolsvc.exe_2022-05-07_05:19:49}

Playing CTFs is fun innit :”
That’s it for now.
Cya geeks
