
ImaginaryCTF 2024 - Writeups

This is a writeup for some forensics challenges from ImaginaryCTF 2024. Sadly, I did not contribute much as the CTF started at 3AM in my timezone. However, my team L3ak still managed to achieve 3rd place!!

bom [Forensics]

Question: 楣瑦筴栴瑟楳渷彣桩渳獥

Flag: ictf{th4t_isn7_chin3se}

We are given a text file to investigate. The challenge prompt shows its content as a string of Chinese-looking characters, 楣瑦筴栴瑟楳渷彣桩渳獥, but the file is not Chinese at all: it begins with a UTF-16 big-endian byte order mark (the two bytes FE FF) followed by the flag as plain single-byte ASCII. An editor that honours the BOM decodes the rest of the file as UTF-16, pairing the ASCII bytes two at a time into 16-bit code units ("ic" becomes U+6963 楣, "tf" becomes U+7466 瑦, and so on), which is why eleven CJK characters stand in for twenty-two ASCII bytes; the closing brace has no partner byte and is dropped by the editor. A UTF-8 terminal makes no such assumption: cat prints the two BOM bytes as replacement characters and the remaining bytes verbatim, so the flag can be obtained just by displaying the file content on the terminal. More about the byte order mark can be found here.

└─$ cat chal.txt                                                         
��ictf{th4t_isn7_chin3se}
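To make the mechanism concrete, the following is an added example (not code from the original writeup) that rebuilds a file with the same layout and shows the three views of it: what a BOM-honouring editor renders, what a UTF-8 terminal prints, and how to recover the flag either from the raw bytes or from the CJK text alone. The byte layout (FE FF followed by ASCII) is an assumption drawn from the rendering the page shows, not from the real chal.txt.

```python
import codecs

# Constructed reproduction of chal.txt (assumption: the page shows only the
# rendering, not the raw bytes): a UTF-16 big-endian byte order mark, FE FF,
# followed by the flag as ordinary single-byte ASCII.
FLAG = "ictf{th4t_isn7_chin3se}"
CHAL_BYTES = codecs.BOM_UTF16_BE + FLAG.encode("ascii")
QUESTION = "楣瑦筴栴瑟楳渷彣桩渳獥"  # the text quoted in the challenge prompt

BOMS = (
    ("utf-8-sig", codecs.BOM_UTF8),
    ("utf-16-be", codecs.BOM_UTF16_BE),
    ("utf-16-le", codecs.BOM_UTF16_LE),
)


def detect_bom(data: bytes):
    """Return (codec name, BOM bytes) for a leading BOM, or (None, b"")."""
    for name, bom in BOMS:
        if data.startswith(bom):
            return name, bom
    return None, b""


def as_bom_aware_editor(data: bytes) -> str:
    """What an editor that honours the BOM displays: the BOM selects UTF-16,
    so every pair of ASCII bytes becomes one 16-bit code unit (CJK range).
    An odd trailing byte cannot form a code unit and is shown as U+FFFD."""
    return data.decode("utf-16", errors="replace")


def as_utf8_terminal(data: bytes) -> str:
    """What `cat` into a UTF-8 terminal displays: FE FF is not valid UTF-8, so
    each BOM byte becomes a replacement character and the ASCII is untouched."""
    return data.decode("utf-8", errors="replace")


def undo_utf16_misread(text: str) -> str:
    """Recover the flag from the CJK rendering alone: re-emit each character
    as its two big-endian bytes and read those bytes as ASCII."""
    return text.encode("utf-16-be").decode("ascii")


def flag_from_file(data: bytes) -> str:
    """Strip whatever BOM is present and read the payload as ASCII."""
    _, bom = detect_bom(data)
    return data[len(bom):].decode("ascii")


if __name__ == "__main__":
    print("editor view :", as_bom_aware_editor(CHAL_BYTES))
    print("terminal    :", as_utf8_terminal(CHAL_BYTES))
    print("from CJK    :", undo_utf16_misread(QUESTION))
    print("from bytes  :", flag_from_file(CHAL_BYTES))
```

The useful check when a file renders as unexpected CJK text is `xxd | head -1`: a leading `feff` or `fffe` tells you the editor was obeying a UTF-16 BOM, and `undo_utf16_misread` shows that the rendering itself is reversible without the file.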

crash [Forensics]

Question: I didn’t save my work…

Flag: ictf{aa0eb707a41b2ca6}

We are given a memory dump to investigate. Listing the processes with windows.pstree shows notepad.exe (PID 2216) running under explorer.exe at the time of the capture. The flag is most likely related to it, since the challenge hints that the user did not "save his work", which would leave the text only in memory.

└─$ python3 vol.py -f ~/Desktop/sharedfolder/dump.vmem windows.pstree 
Volatility 3 Framework 2.7.0
WARNING  volatility3.framework.layers.vmware: No metadata file found alongside VMEM file. A VMSS or VMSN file may be required to correctly process a VMEM file. These should be placed in the same directory with the same file name, e.g. dump.vmem and dump.vmss.
Progress:  100.00               PDB scanning finished                        
PID     PPID    ImageFileName   Offset(V)       Threads Handles SessionId       Wow64   CreateTime      ExitTime        Audit   Cmd     Path

---SNIP---

* 1672  1400    fontdrvhost.ex  0xc60c81f47300  5       -       2       False   2024-07-19 00:28:49.000000      N/A     \Device\HarddiskVolume3\Windows\System32\fontdrvhost.exe        -       -
* 4116  1400    dwm.exe 0xc60c81247340  16      -       2       False   2024-07-19 00:28:49.000000      N/A     \Device\HarddiskVolume3\Windows\System32\dwm.exe        "dwm.exe"       C:\Windows\system32\dwm.exe
* 4032  1400    userinit.exe    0xc60c811a8300  0       -       2       False   2024-07-19 00:28:50.000000      2024-07-19 00:29:27.000000      \Device\HarddiskVolume3\Windows\System32\userinit.exe   -       -
** 4736 4032    explorer.exe    0xc60c80f0d080  64      -       2       False   2024-07-19 00:28:50.000000      N/A     \Device\HarddiskVolume3\Windows\explorer.exe    C:\Windows\Explorer.EXE C:\Windows\Explorer.EXE
*** 6840        4736    SecurityHealth  0xc60c83a87340  3       -       2       False   2024-07-19 00:30:24.000000      N/A     \Device\HarddiskVolume3\Windows\System32\SecurityHealthSystray.exe      -       -
*** 6676        4736    msedge.exe      0xc60c808a2080  0       -       2       False   2024-07-19 02:01:09.000000      2024-07-19 02:01:48.000000      \Device\HarddiskVolume3\Program Files (x86)\Microsoft\Edge\Application\msedge.exe --
**** 5368       6676    msedge.exe      0xc60c80832080  0       -       2       False   2024-07-19 02:01:10.000000      2024-07-19 02:01:48.000000      \Device\HarddiskVolume3\Program Files (x86)\Microsoft\Edge\Application\msedge.exe --
**** 3740       6676    msedge.exe      0xc60c831b1080  0       -       2       False   2024-07-19 02:01:29.000000      2024-07-19 02:01:48.000000      \Device\HarddiskVolume3\Program Files (x86)\Microsoft\Edge\Application\msedge.exe --
**** 6468       6676    msedge.exe      0xc60c83a04080  0       -       2       False   2024-07-19 02:01:26.000000      2024-07-19 02:01:48.000000      \Device\HarddiskVolume3\Program Files (x86)\Microsoft\Edge\Application\msedge.exe --
*** 2216        4736    notepad.exe     0xc60c81b87080  12      -       2       False   2024-07-19 01:58:24.000000      N/A     \Device\HarddiskVolume3\Windows\System32\notepad.exe    "C:\Windows\system32\notepad.exe"       C:\Windows\system32\notepad.exe
4756    4252    msedge.exe      0xc60c8254f080  0       -       2       False   2024-07-19 00:28:54.000000      2024-07-19 00:30:32.000000      \Device\HarddiskVolume3\Program Files (x86)\Microsoft\Edge\Application\msedge.exe       - -
4904    3376    OneDrive.exe    0xc60c831dd080  26      -       2       True    2024-07-19 00:31:15.000000      N/A     \Device\HarddiskVolume3\Users\imaginarypc\AppData\Local\Microsoft\OneDrive\OneDrive.exe  /updateInstalled /background      C:\Users\imaginarypc\AppData\Local\Microsoft\OneDrive\OneDrive.exe

Before going after process memory, it is cheaper to check whether the text ever touched disk. Filtering windows.filescan for the common user locations (Documents, Desktop, Downloads) shows a cached file object for \Users\imaginarypc\Documents\flag.txt at virtual address 0xc60c81c70ce0.

└─$ python3 vol.py -f ~/Desktop/sharedfolder/dump.vmem windows.filescan | egrep 'Documents|Desktop|Downloads'
WARNING  volatility3.framework.layers.vmware: No metadata file found alongside VMEM file. A VMSS or VMSN file may be required to correctly process a VMEM file. These should be placed in the same directory with the same file name, e.g. dump.vmem and dump.vmss.
0xc60c810947a0  \Windows\System32\DispBroker.Desktop.dll        216
0xc60c813ecdf0  \Windows\System32\DesktopShellExt.dll   216
0xc60c8196bc40  \Users\imaginarypc\Desktop      216
0xc60c8196dea0  \Users\imaginarypc\Desktop      216
0xc60c81c70ce0  \Users\imaginarypc\Documents\flag.txt   216
0xc60c81c79e30  \Users\imaginarypc\AppData\Roaming\Microsoft\Windows\Libraries\Documents.library-ms     216
0xc60c822c3ef0  \Users\Public\Desktop   216
0xc60c822c4210  \Users\Public\Desktop   216
0xc60c82768970  \Windows\System32\SettingsEnvironment.Desktop.dll       216
0xc60c8277dc80  \Users\Public\Desktop\desktop.ini       216
0xc60c82cb3a30  \Users\Public\Desktop\Microsoft Edge.lnk        216
0xc60c82cbfd80  \Users\imaginarypc\Desktop\desktop.ini  216
0xc60c82cc3d90  \Users\imaginarypc\Downloads\desktop.ini        216
0xc60c82cc6950  \Users\imaginarypc\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_SkyDrive_Desktop 216
0xc60c82cc6e00  \Users\imaginarypc\Documents\desktop.ini        216    

Dumping that file object with windows.dumpfiles (passing its virtual address with --virtaddr is what produces the file.<object>.<section>.DataSectionObject.flag.txt.dat name seen below) gives the flag base64-encoded. Note that this path relies on the file's cached data section being resident; had the text truly existed only in the editor, the fallback would have been to dump notepad's address space (windows.memmap --pid 2216 --dump) and search it for UTF-16 strings, since notepad keeps its edit buffer as UTF-16LE and plain `strings` without -el would miss it.

└─$ cat file.0xc60c81c70ce0.0xc60c83b5e650.DataSectionObject.flag.txt.dat 
aWN0ZnthYTBlYjcwN2E0MWIyY2E2fQ==

└─$ echo "aWN0ZnthYTBlYjcwN2E0MWIyY2E2fQ==" | base64 -d
ictf{aa0eb707a41b2ca6}
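Because a memory image can hold the same secret in several encodings (the file cache held it base64-encoded here, while an unsaved notepad buffer would hold it as UTF-16LE), a single ASCII grep is not enough. The following added example (my code, not the author's, and independent of Volatility) carves an `ictf{...}`-style flag out of raw bytes in all three forms; the `ictf{` prefix is an assumption based on the flags on this page, and the image slice it runs over is constructed, not data from dump.vmem.

```python
import base64
import binascii
import re

# Flag format assumed here: ictf{...} (every flag on the page has that form).
# The body is bounded so a greedy match cannot run across the whole image.
ASCII_FLAG = re.compile(rb"ictf\{[\x21-\x7e]{1,64}\}")
# The same flag as UTF-16LE, the encoding notepad keeps its edit buffer in:
# each ASCII byte is followed by a NUL byte.
UTF16_FLAG = re.compile(rb"i\x00c\x00t\x00f\x00\{\x00(?:[\x21-\x7e]\x00){1,64}\}\x00")
# base64 of anything that begins with "ictf" starts with "aWN0Z"; take the
# whole run of base64 alphabet characters that follows, plus any padding.
B64_RUN = re.compile(rb"aWN0Z[A-Za-z0-9+/]{8,}={0,2}")


def decode_b64_run(run: bytes) -> bytes:
    """Decode a base64 run carved from raw memory. Neighbouring bytes that
    happen to be in the alphabet can make the run too long, and padding may
    be missing, so try: as found, re-padded, then the longest 4-aligned prefix."""
    stripped = run.rstrip(b"=")
    candidates = (
        run,
        stripped + b"=" * (-len(stripped) % 4),
        stripped[: len(stripped) - len(stripped) % 4],
    )
    for cand in candidates:
        try:
            return base64.b64decode(cand, validate=True)
        except binascii.Error:
            continue
    return b""


def carve_flags(image: bytes) -> set:
    """Return every flag found as ASCII, as UTF-16LE, or inside a base64 run."""
    found = set()
    for m in ASCII_FLAG.finditer(image):
        found.add(m.group().decode("ascii"))
    for m in UTF16_FLAG.finditer(image):
        found.add(m.group().decode("utf-16-le"))
    for m in B64_RUN.finditer(image):
        decoded = decode_b64_run(m.group())
        for flag in ASCII_FLAG.findall(decoded):
            found.add(flag.decode("ascii"))
    return found


# Constructed stand-in for a slice of dump.vmem (not real image data): an
# unsaved notepad buffer in UTF-16LE, the base64 file content shown on the
# page, and a plain ASCII string, separated by NUL padding.
SAMPLE_IMAGE = (
    b"\x00" * 16
    + "ictf{unsaved_text}".encode("utf-16-le")
    + b"\x00" * 8
    + b"aWN0ZnthYTBlYjcwN2E0MWIyY2E2fQ=="
    + b"\x00" * 8
    + b"ictf{plain_ascii}"
    + b"\x00" * 16
)

if __name__ == "__main__":
    for flag in sorted(carve_flags(SAMPLE_IMAGE)):
        print(flag)
```

Run against a real image with `carve_flags(open("dump.vmem", "rb").read())`, or against the per-process dump written by windows.memmap when you want to scope the search to notepad alone; the UTF-16 pattern is the one that finds text that was never written to disk.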
This post is licensed under CC BY 4.0 by the author.