Wednesday, June 17, 2020

#MVS2020CTF Write-Up (Windows)

Here we have the Windows questions and solutions that were part of the 2020 Magnet Virtual Summit CTF.  Again keeping with the theme of using #OpenSource or free software, I used Autopsy to process the forensic image, and also used UnFurl, IrfanView, StegHide, OpenStego, and CyberChef to help with other questions.  As you will see below I did not find all of the solutions, but I hope the information I provide is helpful to anyone who have never tried a CTF or is new to DFIR. 

  • Begin Exam Try 2
When did the windows image acquisition start?


So initially I believe this question asked who the examiner was, and after 10-15 minutes of digging around for the solution (Expecting to find it in the DFA_Windows.E01.txt), I reloaded my browser and saw the "Try 2".  So looking at the same text file, we find that the "Flag" is 2020-04-22 17:55:30.  This is documented under Image Information, as the Acquisition Started Time Stamp, which needed to be converted from Wed Apr 22 17:55:30 2020 to the Flag Format provided.

  • Call Me Maybe?
What is the user's phone number? (Format: 555-555-5555)

After processing the Windows Image using Autopsy, I looked in the Web Form Autofill results, where the flag of 802-265-5115 was located.

  • Feelin' Lucky?
How many people won Quarterly Drawing 31?


This was a multiple choice question, but I didn't find the solution. 

  • Update the Résumé
When did the user start working in their current position?

(Example: flag<July 1776>)

This was another question that I did not solve, despite going through User Documents, Keyword Searches, Filtering by File Type looking for a CV or Resume.  After reading over the write-up by @KevinPagano3 on, the solution required combining the Chrome Login artifact for a LinkedIn account along with some OSINT to find the flag of July 2014.

  • Another day, another dollar
How many times did Warren sign in to his machine?

This flag was found in the Autopsy Extracted Content, under Operating System User Account, then looking at the Username Warren.  When you scroll down the count with the most recent accessed date can be seen as 24.

  • Hash Crash
What is the earliest created file associated with the following MD5: 3d908e1b40140c1e0167603ffca07701

For this flag, I created a new Hashset within Autopsy and the files with the MD5 hash show up under Hashset Hits under the name of the name of the Hashset.  Flag is AccessMUISet.msi as the created date is the earliest.

  • Sticky Situation
How many dollars does the user CURRENTLY owe from gambling? Format 99,900

I did not find the flag for this question.

  • Money, money, money, Money!
How many dollars to directly buy in to the tournament on Sunday?

This flag was found using a keyword search in Autopsy for "tournament".  A link in the Chrome History shows a website URL for a Poker Tournament.  A quick copy/paste of the URL into a browser brings us to a website where the buy in for Sunday Tournaments is shown as $162.

  • Sorry, eh?
When was the image downloaded from viewed? Format MM/DD/YYYY HH:MM:SS (24 hour clock) ex 05/12/2020 17:45:00

Searching for the URL produced the the data associated with the download, but those times were not accepted as the flag.  I later found again from the write-up by @KevinPagano3 that the time of opening was from the LNK file associated with the downloaded file.  Half Credit doesn't get any points in a CTF.

  • Stay PAWsitive
What is the name of the movie written in the text file within a PNG?

I spent quite a bit of time on this question, as I was certain based on the "PAW" clue that the flag could be found within the /Users/Warren/Documents/Cats directory.  All three files were named with "motivational" phrases, and the actual images were motivational memes, which matched the clue in the question.  Only one of the files was a .PNG and it was also much larger than the other files.  After exporting the file I used Steghide, a steganography tool, but had no luck. I then imported the file into CyberChef and again had no luck.  I then tried Steghide again, using various passwords that were in the E01, which all yielded nothing.

I then started to discuss the CTF with @Evandrix who had completed all of the questions.  He then pointed me towards a tool called OpenStego, which immediately without a password extracted the text file, revealing the flag of Godzilla. 

  • What happens when you text and drive?
Name the bug check code in the most recent Windows crash (Blue Screen)

I did not find the Flag for this question.

  • You're GUIDing, right?
What is the GUID for the application that was last used to access C:\Users\Warren\Documents?

I did not find the Flag for this question.

  • Poker, I don't even...
How many total seconds did the user spend on the page when they searched for quick online poker? format:

At first I thought this would be a straight forward solution.  Using a keyword search in Autopsy for "quick online poker" yielded several results and I focused on the results that were an exact match and couldn't find anything related to the time spent on the page.  As the #MVS2020 sessions continued, I attended the "Ask Us Anything" Session, where there was a discussion about a tool called UnFurl.  I downloaded the tool and setup all of the requirements (there is also a online/web version available).  I continued to focus on the exact match of the term, but still was not able to find the correct flag.  Again I discussed the CTF with @Evandrix who suggested that I look at the other results for the search, which led me to the flag of 6.294. 

Overall a great experience, which tested my knowledge on particular artifacts, and allowed me to add to my toolbox of free and open-source tools. 

No comments:

Post a Comment

#MVS2020CTF Write-Up (iOS)

Here is the last Write-Up for the #MVS2020CTF.  During the live competition, I wasn't aware of any "free" tools to analyze iOS...