ISITDTU CTF 2024 (Quals) - Writeups
This is a writeup for some forensics and OSINT challenges from ISITDTU CTF 2024 (Quals). Unfortunately, L3ak did not manage to proceed to the final round. However, we did manage to full clear every forensics challenges which were unique and high quality.
Corrupted Hard Drive [Forensics]
Question: You’ve come across a damaged disk image retrieved from my friend’s laptop, he downloaded some good stuff then went to bathroom, but when came, he found that he can’t access the disk. The file system appears to be corrupted, but hidden deep inside the broken structure lies critical information that could unlock the next step in your investigation.
Flag: ISITDTU{https://www.youtube.com/watch?v=yqp61_Wqm-A}
We are given a corrupted disk to investigate and several questions to answer.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
└─$ nc 152.69.210.130 1411
Welcome to the FORENSIC challenge!
Answer all the questions correctly to get the flag!
[1]. What is the starting address of the LBA address? Format (0xXXXXX)
0x10000
[+] Correct!
[2]. What is the tampered OEM ID? Format (0xXXXXXXXXXXXXXXXX)
0x4E54460020202020
[+] Correct!
[3]. After Fixing the disk, my friend downloaded a file from Google, what is the exact time when he clicked to download that file? Eg: 2024-01-01 01:01:01
2024-10-22 21:51:13
[+] Correct!
[4]. How much time did that file take to for download (in seconds)?? Format (XXX)
126
[+] Correct!
[5]. The first directory he moved this file to?
best
[+] Correct!
[6]. Last directory the suspicious move the file to?
MustRead
[+] Correct!
[7]. The time he of the deletion?? Eg: 2024-01-01 01:01:01
2024-10-22 22:20:28
[+] Correct!
[+] Congrats! You have successfully completed the test.
Here's your reward: ISITDTU{https://www.youtube.com/watch?v=yqp61_Wqm-A}
Question 1: What is the starting address of the LBA address? Format (0xXXXXX)
Question 2: What is the tampered OEM ID? Format (0xXXXXXXXXXXXXXXXX)
Question 3: After Fixing the disk, my friend downloaded a file from Google, what is the exact time when he clicked to download that file? Eg: 2024-01-01 01:01:01
Question 4: How much time did that file take to for download (in seconds)?? Format (XXX)
Question 5: The first directory he moved this file to?
Question 6: Last directory the suspicious move the file to?
Question 7: The time he of the deletion?? Eg: 2024-01-01 01:01:01
unexpected [Forensics]
Question: Aquanman Investigation Company is currently recruiting for the role of Digital Forensics Investigator. As part of the application process, candidates are required to complete a challenge designed to assess their skills in digital forensics. Applicants will need to investigate a simulated attack, analyze the provided evidence, and submit the flag. The flag is divided into three different parts!
Flag: ``
We are given a corrupted disk to investigate and several questions to answer.
CPUsage [Forensics]
Question: My friend noticed a high usage of CPU after he opened his laptop, I just take a memory dump of his laptop, and needs you to investigate it. Q1- What is the name of the malicious process, full path of the process, parent process id? Q2- what is the ip that process communicate with, family name of the malware? Format flag: ISITDTU{processName-FullPath-ID_ip-FamilyName} Eg: ISITDTU{Spotify.exe-Path-141_192.168.1.1-isitdtu}
Flag: ``
We are given a corrupted disk to investigate and several questions to answer.
swatted [Forensics]
Question: San Andreas PD recently conducted a raid on a suspect’s residence, discovering that their laptop contains crucial evidence. As a Digital Forensics Investigator, it is now your responsibility to analyze the evidence and answer the related questions.
Flag: ISITDTU{https://www.youtube.com/watch?v=H3d26v9TciI}
We are given a virtual disk image to investigate and several questions to answer.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
└─$ nc 152.69.210.130 1259
Welcome to ISITDTU CTF 2024 - Forensics Challenge!
Most of the answers are case-insensitive. If not, it will be mentioned in the question.
You have to answer 10/10 questions correctly to get the flag. Good Luck!
[1]. What is the credential used to login to the machine?
Format: username:password
==> imsadboi:qwerty
CORRECT!
[2]. The criminal used a messaging app to communicate with his partner. What is the name of the app?
Format: AppName
==> Wire
CORRECT!
[3]. What is the username of the criminal (The app username)?
Format: username
==> anonymous69420
CORRECT!
[4]. What is his partner's username?
Format: username
==> clowncz123
CORRECT!
[5]. His partner sent him a file. What is the URL used to download the file?
Format: URL
==> https://file.io/lIPzLAvhF5n4
CORRECT!
[6]. What is the timestamp of the file sent by his partner (UTC)?
Format: YYYY-MM-DD HH:MM:SS
==> 2024-10-24 09:59:12
CORRECT!
[7]. What is the timestamp when the criminal downloaded the file (UTC)?
Format: YYYY-MM-DD HH:MM:SS
==> 2024-10-24 10:01:12
CORRECT!
[8]. His partner accidentally leaked his email. What is the email address?
Format: email@domain.com
==> theclownz723@gmail.com
CORRECT!
[9]. Luckily, we caught the criminal before he could send the sensitive information. How many credentials did he manage to steal?
Format: XX. Example 1: 01. Example 2: 42.
==> 23
CORRECT!
[10]. What is the email address and the password of user 'blistery'?
Format: email:password
==> blistery@yahoo.com:HDTSy0C7ZBCj
CORRECT!
Congrats! Here is your flag: ISITDTU{https://www.youtube.com/watch?v=H3d26v9TciI}
Initial [Forensics]
Question: A Windows environment has been compromised .The attacker used a known feature in windows which served as the initial vector of the attack. Your task is to investigate & SEARCH how the attacker get the initial access.
Flag: ``
We are given a corrupted disk to investigate and several questions to answer.
Two Steps Ahead [OSINT]
Question: An elusive individual using the alias “arlenzxje” has stolen highly sensitive information from a major company. From our initial investigation, we’ve discovered that he is addicted to social media. Your mission is to track his online footprint and recover the stolen information.
Flag: ``