BYUCTF 2024 Forensic Write-Up

Author: Serikat Newbie Indonesia



Who am I

Right-click the file -> Properties.

Steak (The description is too long)

First of all I tried to find a way to read the corrupted image directly, but then I had an idea: why not search the image's hex instead? So the logic is: find the header and the EOF chunk in the example image, then find the same bytes in the corrupted image and extract everything between them.

Header: 13 37 BE EF F2 (found at 00E00000)
EOF: 4D 6F 6F 6F (found at 00E8F8A0)
Search for both in MadCow.001 and extract the range between them.
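The carving step described above as an added example (not the author's own script): it locates the header and the first EOF marker after it and returns that byte range. The header and EOF bytes are the ones reported in this write-up; MadCow.001 is not included here, so a small image with a decoy EOF marker is constructed inline.

```python
"""Carve a file out of a raw image by locating its header and EOF marker."""

HEADER = bytes.fromhex("1337BEEFF2")  # header bytes reported in the write-up
EOF = bytes.fromhex("4D6F6F6F")       # EOF chunk reported in the write-up ("Mooo")


def find_all(data: bytes, needle: bytes) -> list:
    """Return every offset at which needle occurs in data (overlaps included)."""
    hits, pos = [], data.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = data.find(needle, pos + 1)
    return hits


def carve(data: bytes, header: bytes = HEADER, eof: bytes = EOF) -> tuple:
    """Return (start, end, blob) for the first header and the first EOF after it.

    end is the offset just past the EOF marker, so blob = data[start:end]
    contains both markers. Raises ValueError when either marker is missing,
    and ignores any EOF marker that appears before the header (a decoy).
    """
    starts = find_all(data, header)
    if not starts:
        raise ValueError("header not found")
    start = starts[0]
    eof_pos = data.find(eof, start + len(header))
    if eof_pos == -1:
        raise ValueError("EOF marker not found after header")
    end = eof_pos + len(eof)
    return start, end, data[start:end]


def carve_file(path: str, out_path: str) -> tuple:
    """Carve from an image on disk (e.g. MadCow.001) and write the blob out."""
    with open(path, "rb") as fh:
        data = fh.read()
    start, end, blob = carve(data)
    with open(out_path, "wb") as out:
        out.write(blob)
    return start, end


# Constructed sample image: padding, a decoy EOF before the header,
# the embedded file (header + body + EOF), then trailing padding.
SAMPLE_IMAGE = (b"\x00" * 64 + EOF + b"\xff" * 32
                + HEADER + b"payload-bytes" + EOF + b"\x00" * 16)

if __name__ == "__main__":
    s, e, blob = carve(SAMPLE_IMAGE)
    print(f"header at {s:#010x}, EOF ends at {e:#010x}, {len(blob)} bytes carved")
```

On the real image the reported offsets would be the `start` and `end` values returned by `carve_file("MadCow.001", "carved.bin")`.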

Decrypt the extracted data using the given script. The result is the flag as a PNG.

Did Nobody See?

The challenge asked us to find the IP of the DNS server registered in the registry keys (see the screenshot).

Not Again! I've been BitLockered out of my own computer!

Given a memory dump, I tried Volatility3 and found nothing. The challenge mentioned the FVEK, and I found a plugin for the old Volatility (2.x) that dumps the FVEK from memory. However, I couldn't use it because the image profile was unknown.

Used MemProcFS to mount the memory dump as files. That revealed the image profile, so I tried again, but still got nothing. Then I copied memory.dmp from the MemProcFS mount, ran the old Volatility with the BitLocker plugin on it, and got the FVEKs.

Not Sure I'll Recover From This

Because the challenge asked for the user's credential, we check the SAM registry hive, which contains the user account data (see the SAM documentation).

The Worst Challenge

Given a .txt file that at first looks like it contains only null bytes. It doesn't: there are 01 bytes in it as well, so the flag was probably written out one bit per byte.

solv.py
