BlackHatMea 2023 qualifications CTF

Hello there, this is Caesar3, and this is my writeup for all the forensics challenges.

1. USB100 [Easy]:

So first we read the description, also there is a file to download.

After downloading the file and extracting it using (flagyard) password, we find that it is .pcapng file, so we open it with Wireshark to analyze the captured packets.

While analyzing the packets we will figure out that there is a (JFIF) header, which indicates to JPG photo.

So we extract all the files inside the .pcapng file using (binwalk) tool. Afterward, by using the basics forensics tools on the images, we find that all those images are normal images, except for an odd one, (the Microsoft executable portable (AC723)) file.

We can analyze it using Reverse Engineering tools but not recommended we will run it to see the output first, so we run the executable file using a tool called (wine) which allows us to run Windows applications on Linux, and we get our flag.

2. Not supported [Medium]:

Also the same way we read the description, it says notepad process so maybe it refers to memory dump and to use (volatility) tool, and there is a file to download.

After extracting the .zip, we find a url.txt

It is a Windows 11 memory dump, so we download that .zip file and then extract it.

We can use (volatility3) to dump the notepad process and read what is inside of it, but simply we employ (strings & grep) to potentially find the flag. Sometimes, this approach works. And here is our second flag (we remove the spaces).

3. Extend [Hard]:

Is it a normal image?, we download the file and unzip it.

player folder contains an image inside of it will be extracted.

If we use (strings or exiftool) on it, we will find that there is a URL to GitHub.

We open it in a browser, the last line says there is more data somewhere here.

So we try to search for that user in the URL link or using the word BHatCtf on GitHub, and we will find a repository.

Which will has the index.md that we saw previously and fulldata.md.

After opening the fulldata.md file we have (more data here) link to Pastebin website.

It has those links and the user (Jacksmp) and passwords. the odd one was the mega that it is a website to upload things on it, so maybe there is a file to download again.

If we open that URL, it asks for a password to decrypt and be able to download the files, so we try the one beside the link in the Pastebin website (HxzUmwVKEdQqUmWSkm3kptBbv6aYUn6TKD9ViXW6XiQ) and it worked.

Then we download that file.

And extract it.

It appears to be Google Chrome data, so we start searching for something weird or unusual, maybe the flag is also somewhere here.

We find this extension which has service-worker.js file.

Which contains this obfuscated JavaScript.

We deobfuscate it using any website, and after analyzing the code we find a strange strings:

_0x5a2fad = ‘WYwIjYzMTM2sXWHFETGhkQ’,
_0x58999f = ‘1QjY0YGNxEDM1cTMxQ2YjV’,
_0x10e396 = ‘Qf2MjYwAzNyIDOjVTZkJTY’

Trying to combine it and decode it using Cyberchef.

First, we need to reverse it and then decode it from Base64, and finally, here is our flag.

I hope you enjoyed it and found it beneficial.