[CTF] CrewCTF 2022 - Forensics

Hello Folks , its been a while. Well this time i played CrewCTF 2022 with my crew TamilCTF. We secured rank 36 out of 758. It was an amazing experience , i learned lots of new things in Digital Forensics.


Policy Violation Pt.1

The given file is a ewf disk image , i found a cool article about mounting this disk image in linux.

$ mkdir rawimage
$ sudo ewfmount Image.E01 ./rawimage/
$ mkdir mountpoint
$ sudo mount ./rawimage/ewf1 ./mountpoint -o ro,loop,show_sys_files,streams_interace=windows
$ sudo cd mountpoint
$ sudo ls -la

Challenge description point out that suspect deleted the file. The disk image $RECYCLE.BIN folder. I went there and found two PDF files $ID5UESN.pdf and $RD5UESN.pdf. First file is safe doesn’t contain any suspicious things. Second was suspicious , i renamed the pdf to sus2.pdf , when i did strings on it saw some memory adresses.

I opened it in peepdf and boom it shows the CVE.

CVE-2008-2992 , its release date : 11/4/2008.

crew{CVE-2008-2992_Date:11.4.08}


Policy Violation Pt.2

This is my favourite in this CTF. I followed this awesome article to solve this challenge. It involves extracting Javascript , shellcode and debugging shellcode to malicious activities.

We saw Javascript in sus2.pdf , it has to be the script to execute payload. Let’s extract the JS.

$ echo "extract js > mal.js" > script.txt
$ peepdf.py -l -f -s script.txt sus2.pdf

mal.js have shellcode , copy the the value of first variable and save it to shellcode.txt and run the python script , python2 shell2bin.py shell.txt

#!/usr/bin/python2
import os, sys
import re

if os.path.isfile(sys.argv[1]):
        sc = open(sys.argv[1]).read()
else:
        sc = sys.argv[1]

# translate to binary
bin_sc = re.sub('%u(..)(..)',lambda x: chr(int(x.group(2),16))+chr(int(x.group(1),16)), sc)

# save to disk
try:
        FILE = open("shellcode.bin", "wb")
        FILE.write(bin_sc)
        FILE.close()
except Exception, e:
        print 'Cannot save binary to disk: %s' % e

Got the shellcode.bin file.

Now we need to IP Address by running this shellcode , libemu is an awesome library to emulate shellcodes.

Unfortunately it failed to build in my system. I searched for other tools and found out SCDBG , its a cool shellcode debugger.

$ git clone https://github.com/dzzie/SCDBG
$ cd SCDBG; autoreconf -v -i; ./configure; make; cd tools/sctest

copy shellcode.bin to current folder and

$ ./scdbg -f shellcode.bin

Find the sha1sum of IP Address 192.168.1.30

crew{265180387f1642217973f8cfda2ca6cc92d48e60}


Screenshot Pt.1

On extracting zip we get ScreenShot.ad1 file. I tried volatility , sleuthkit and foremost for file carving, but didn’t got any results. At this point i have no idea what the file is.

Later i googled and got this cool article about .ad1 files. AD1 (AccessData Logial Image) files are propreitary image format generated by FTK Imager. Nice , this article also covers the tools which can be used to extract this file. I am using windows so i installed Forensic7z 7zip plugin and extracted the AD1 image.

Then i searched for all PNG files exist in the extracted folder.

find . -type f -name *}.png

Found a interesting location ScreenShot\Users\0xSh3rl0ck\AppData\Local\Packages\Microsoft.ScreenSketch_8wekyb3d8bbwe\TempState.

ScreenSketch is a screenshot utility , so this must be the place also all png files had {} name pattern. I opened each images.

File {19422F1B-6C19-4190-9674-0D1C5AEC5451}.png had a base64 string inside it , so this is the file we lookin for.

crew{{19422F1B-6C19-4190-9674-0D1C5AEC5451}}


Screenshot Pt.2

For this challenge i searched for all .lnk files , find . -type f -name *.lnk.

ScreenShot\Users\0xSh3rl0ck\AppData\Roaming\Microsoft\Windows\Recent location had shortcuts connected to ScreenSketch program.

I did md5 on all files and tried each result.

for f in $(ls); do md5sum $f;done

ms-screensketcheditisTemporary=true&source=screenclip&sharedAccessToken=7776FC76-E7CE-4D04-855F-D9CF8A821270&secondarySharedAccessToken=06E0D4CA-235D-4ACB-910B-006280BEA450&viewId=-525411.lnk

This is the shortcut associated to our previous image.

crew{fd483445cf5e5b0e2b061f4b1defa841}


Screenshot Pt.3

Decode the base64 Y3Jld3tUcjRjazFuZ19zY3IzM25zaDB0c193MXRoX0xOS19mMWwzc30= in the png image we found earlier.

crew{Tr4ck1ng_scr33nsh0ts_w1th_LNK_f1l3s}