Hello FR13ND5, this is the writeups for the Forensics challenges i solved in Patriot CTF 2022 last weekend. I solved 13/18 challenges and my team TamilCTF secured 14th place.
We are given a firefox user profile and we have to extract saved passwords from it. There is a cool tool to do this job.
firefox_decrypt , clone it and pass the profile directory location as the arguement to the program.
PCTF{Br0ws3rs_ar3_th3_b3st_P@ssw0rd_R3p0s}
Here we got a windows User Profile and need to find the picture of password.
I did find . -name *.jpg and checked through images in the result. The second image had the flag.
PCTF{cant_h4ck_a_st1cky_n0te}
The file is an ADB Backup file.
Extract the ADB backup file using ( printf "\x1f\x8b\x08\x00\x00\x00\x00\x00" ; tail -c +25 metro.ab ) | tar xfvz -
We add the magic bytes (header) of gzip to ADB backup file after first 25 bytes (tail -c +25) , then extract it using tar
I looked for sqlite databases in the directory with find . -name *.db , found ./apps/com.citymapper.app.release/db/citymapper.db which have location data. Open it and check locationhistoryentry table , then looked up each locations in google. Found Twinbrook Metro Station.
pctf{Twinbrook}
This one was a really interesting challenge , we have to recover data from an sqlite database. I am entirely new to this topic , i have no prior experience with sqlite data artifacts but thanks to this challenge , i researched and gained valuable knowledge.
We are given with the sqlite db , an shm file and wal file. I checked the db file for any flag entries but couldn’t find any so checked the other files and the wpndatabase.db-wal had CTF entries.
Hmm , interesting , WAL stands for Write Ahead Logging.
The write-ahead log or “wal” file is a roll-forward journal that records transactions that have been committed but not yet applied to the main database.
I couldn’t extract the Handler ID by doing strings on the wal file , so we need another solution to get the Handler ID. After some googling found a cool tool called walitean.
$ python2 walitean.py -f wpndatabase.db-wal -x updated.db -m wpndatabase.db I have already noted the rows name in the main database.
Now i opened the recovered wal database and cross checked row names to find the Handler ID.
Handler ID was in the place of unknown1 row in main database.
PCTF{114}
The zip had system and ntds.dit Active Directory Database.
Using impacket-secretsdump script, we can easily extract contents from the ntds.dit.
$ pip3 install impacket
$ impacket-secretsdump -system system -ntds ntds.dit LOCALPCTF{CL34rT3xt_N3v3r_F3lt_S0_Gud}
We are given a memory dump file. I looked at the pslist of this memory dump and found TrueCrypt running , great as the description suggests the SecretBoy file is encrypted using truecrypt.
We can extract the truecrypt master key using volatility plugin truecryptmaster.
Master Key : 616dba8467f706ba40793d700946fd1c85515c641a2c35c3fb37c195ae1f488465b960750fb87ce3e0629d3157d588ed955483bb857cd2e0ae96fcabb4d7297d
Now to decrypt the encrypted file we can use MKDecrypt tool.
pctf{r1P_7rU3CrPY7}
Description : Someone broke into our systems and managed to exfiltrate some data, but we don’t know how. Can you find out what data they stole?
We are given a pcapng file. Initially i opened it in wireshark and looked through packets , didn’t find any sus packets among TCP and UDP. But when i filtered the ICMP packets , got some strange result.
I noticed the data:7:39 tells pieces of data sent through, as i checked the remaining packets it made clear. Now we have to extract these pieces and append together.
I made a python script to extract the data.
from scapy.all import *
from binascii import unhexlify
import re
def append(x):
result = ''
for str in x:
start = str.rfind(':') + 1
result += str[start:]
return result
pkts = rdpcap("exfil.pcapng")
data = []
i = 0
for pkt in pkts:
if 'ICMP' in pkt and pkt['IP'].dst == '192.168.18.1':
i = i+1
if i == 40:
continue
else:
data.append(pkt['ICMP'].load.decode())
decoded = unhexlify(append(data).encode()).decode()
print(decoded)PCTF{n0t_4_v3ry_sn34ky_3xf1l}
We are given a vmdk (VMWare virtual machine disk) file of an Android System. This challenge can be easily solved with Autopsy for windows, but i am using Linux. I will be using sleuthkit to solve this challenge. First of all we need to identify partitions and their offsets , we can use mmls utility for this. Then we need to recover the deleted files with tsk_recover.
$ mmls android-disk002.vmdk
$ mkdir recovered
$ tsk_recover -o 0000000063 android-disk002.vmdk recovered/Great , now lets find the deleted dog image file in the recovered folder. Checking each file will be tiring. So i did loop through all files and opened them with feh. It will open image files and skip other files.
$ for f in $(find .); do feh $f; done
Finally found the dog picture at org.mozilla.firefox/cache/mozac_browser_thumbnails/thumbnails/d19775c3-4a77-4159-9799-b69d31619ae5.0.tmp. Check its md5sum and thats the flag. PCTF{863c2bf4685527570255417b3301aebf}
We need to find stored contacts in this disk file. With fls utility we can easily list all files present in the partition.
$ fls -r -o 0000000063 android-disk002.vmdk | grep contacts Found contacts2.db at inode 131413.
Extract it from the disk using icat -o 0000000063 android-disk002.vmdk 131413 > contacts2.db.
Opened it in sqlitedb browser and found the phone number of the contact.
PCTF{662-364-5944}
This challenge is really easy , we can solve it by checking the previous contacts database or simply greping “gmail” in file listing. I will show the result of the later method.
PCTF{bensmith1995masoncc@gmail.com}
We have to find the build id of facebook installed in this disk image. I went through different inodes to facebook data folder.
Then chose a random database from the databases folder.
Opened it in sqlitedb browser and boom we can see the app build number.
PCTF{https://i.imgur.com/WABjYc2.png}
We have to find the facebook user-id of the owner. I randomly checked files in the facebook data folder and found a file having USER_ID entry inside shared_prefs (inode : 139328) folder.
The intented method was to check the
composer_dbwe saw in the previous challenge file listing.
PCTF{https://www.facebook.com/profile.php?id=100079925037491}