Xpand CTF Forensics Writeups

5 min readOct 14, 2023

Hi, this is a1l4m, and that is all the forensics challenge writeups for Xpand CTF competition.


Challenge Name: MEM1
Category: forensics
Difficulty: easy

We got a memory file, and after looking around, I noticed an image named flag.png in the desktop folder.

0x0000000003a5a050      1      0 R--r-- \Device\HarddiskVolume1\Documents and Settings\Administrator\Desktop\flag.PNG

Trying this command to dump it. You will get an image, open it, and you will see the flag.

vol2 -f core.elf --profile=WinXPSP1x64 dumpfiles -Q 0x0000000003a5a050 -D .

Challenge Name: MEM 2
Category: forensics
Difficulty: idk :”

I didn’t take long while solving this; just do strings on the flag format you will get it..

strings -el core.elf | grep -i "xpand{"


If you want to solve it properly, you can see mspaint process running Just dump it, open it with Gimp, and try to change the offset until you get the flag.

Challenge Name: Image1
Category: forensics
Difficulty: hard "first blood"


So, we got a file of a Windows image. By doing normal things like checking the most common directories, we can see that the attacker encrypted a file called secret on the desktop folder.

encrypted secret

Searching with the extension and checking the downloads folder, we can figure that he used a tool called PSRansom that is published publicly on GitHub. Just reading the source code, you will notice that you have two conditions. Either the C2 server exist then exfiltrate the key to C2 server or if the script can’t reach the C2 server will just create a readme.txt that contains the key that we going to use for decryption.

ransomware code

But checking readme.txt the author deleted it :”


So we have to find the key somehow. Looking more around, in the documents folder, you will notice a Default.rdp file, which simply connects to a remote server and establishes an RDP connection with it.


So, i just got a theory, that the attacker after decrypting the file and got the key in readme.txt he just deleted it and made an rdp connection to the C2 server which is in our case is that, you can get either from powershell histroy which is located here C:\Users[USERNAME]\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine Or you just check the rdp file


Tracing the theory we need to check RDPChache file which is located here C:\Users\<USER>\AppData\Local\Microsoft\Terminal Server Client\Cache

rdp cache file

So this file is quite fun to play with as it contains an image of the desk when the rdp connection established but the thing is, you don’t get just one image but tons of bmp image file.

We have a tool to generate these images for us called BMC-tools and you can run it on the file using this command

python3 bmc-tools.py -s cache0000 -d /mnt/c/Users/AAA/Desktop/rdpcahe

it will generate like 211 bmp images inside that folder.

bmp images

Now you have to reconstruct the images to see the whole page I used a tool named RDPCacheStitcher for that after opening all the images, you have to rebuild the photo which will take a while (be patient buddy) to get both the flag and the key for the next challenge.

Image after reconstructing

This is the flag for the first Image 1 challenge.

Challenge name: Image 2
Category: forensics
Difficulty: hard

Challenge details

Well, we got the key from the previous one, all we need to do is follow the documentation of the PS Ransom tool to decrypt the secret.ps1 file.


We need to do this.

psransom command

And now you just did the attacker bad and got your files back, let’s take a look at this script.

powershell.exe -ep bypass -WindowStyle hidden -c (New-Object System.IO.StreamReader(New-Object System.IO.Compression.GZipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String((('H4sIAAAAAAA'+'E'+'AFMuKs3LTe{0}lCi5JLCrRDSjKT04tLlbIKCk{1}KLbS1y8v'+'L9erzC8tKU1K1UvOz'+'9UvTyxJzrAvs00JLDc{1}twxPj0gO5OWKK'+'EjMS6{3}m5QowKE8tMs1Izc'+'mJ{4}wsJV6wFACK{2}NRVbAAAA')-f 'X', 'p','a','n','d','{')))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()

this is the whole script, and don’t try to run you will get trolled by the author “Rick Rolled lmao”.

Trying to understand what is going on you will notice that we got base64 string and place holders that we should replace with what is after -f like for example {0} = X, {1] = p, {2} = a and so one after doing that we will get a base64 then script load what is after decoding as gzip file.

let’s fire cyberchef, and download the result.


we will get a gz file extracting the content. We will get the flag.

second flag

That’s it for now
Cya geeks.
You can reach me on discord, linkedin, telegram, anything with this username a1l4m