BYUCTF 2024 Forensic Write-Up
- Authors: Serikat Newbie Indonesia (k.eii)
- Archive: GitHub Repository
- 6/7 solved
Who am I
Right-click -> properties
Steak (The description is too long)
First I tried to find a way to read the corrupted image directly, but then I had the idea of searching the image's hex instead. The logic: take the header and the EOF chunk of the example file, find both in the corrupted image, and extract everything between them.
Header is: 13 37 BE EF F2 : 00E00000
EOF is: 4D 6F 6F 6F : 00E8F8A0
Search for both signatures in MadCow.001 and extract the span between them.
Decrypt the extracted file using the given script. Got the flag as a PNG.
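The carving step described above, as an added example that is not part of the original write-up: it scans a raw image for the header and EOF signatures quoted here and cuts out each header..EOF span. The image bytes in sample_image() are constructed so the script runs without MadCow.001; pass a path as the first argument to carve a real file.

```python
import sys

# Signatures quoted in the write-up: the header bytes and the "Mooo" EOF chunk.
HEADER = bytes.fromhex("1337BEEFF2")
EOF_MARKER = bytes.fromhex("4D6F6F6F")


def carve(image: bytes, header: bytes = HEADER, footer: bytes = EOF_MARKER):
    """Return [(offset, data), ...] for each header..footer span in image.

    data includes both the header and the footer. A header with no footer
    after it is reported as (offset, None) so a truncated file is not lost.
    """
    found = []
    pos = 0
    while (start := image.find(header, pos)) != -1:
        end = image.find(footer, start + len(header))
        if end == -1:
            found.append((start, None))
            break
        end += len(footer)
        found.append((start, image[start:end]))
        pos = end
    return found


def sample_image() -> bytes:
    """Constructed stand-in for MadCow.001: filler, one complete file, filler,
    then a second header that has no EOF chunk after it."""
    filler = b"\xff" * 32
    payload = b"encrypted png bytes go here"
    return filler + HEADER + payload + EOF_MARKER + filler + HEADER + b"cut off"


if __name__ == "__main__":
    # Usage: python carve.py MadCow.001   (falls back to the constructed sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_image()
    for n, (offset, blob) in enumerate(carve(data)):
        if blob is None:
            print(f"header at 0x{offset:08X} has no EOF chunk after it")
            continue
        out = f"carved_{n}.bin"
        with open(out, "wb") as fh:
            fh.write(blob)
        print(f"wrote {out}: 0x{offset:08X}..0x{offset + len(blob):08X} ({len(blob)} bytes)")
```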
Did Nobody See?
The challenge asked us to find the IP of the DNS server registered in the registry keys (see the screenshot).
Not Again! I've been BitLockered out of my own computer!
Given a memory dump, I tried Volatility3 and found nothing. The challenge mentioned FVEK, and I found a plugin for Volatility (old) to dump the FVEK (Source). However, I couldn't run it because the image profile was unknown (GitHub).
Used MemProcFS to mount the memory dump as files:
Found the image profile, tried again, but still got nothing. Copied memory.dmp, ran Volatility (old) on it, and got the FVEKs:
Not Sure I'll Recover From This
Because the challenge asked for the user's credentials, we check the SAM registry hive, which contains user account data (documentation: check here).
The Worst Challenge
Given a .txt file that seemed to contain only null bytes. It didn't: there were 01 bytes among them, so the flag was probably written out as bytes.