[CTF] PatriotCTF 2022 - Forensics

Hello FR13ND5, these are the writeups for the Forensics challenges I solved in PatriotCTF 2022 last weekend. I solved 13/18 challenges and my team TamilCTF secured 14th place.


We are given a Firefox user profile and have to extract the saved passwords from it. There is a handy tool for this job: firefox_decrypt.

Clone it and pass the profile directory as the argument to the program. It reads the encrypted logins from logins.json and the decryption key from key4.db (or the older key3.db) inside that profile; if the profile were protected by a master password the tool would prompt for it, but this one was not.


Sticky Note

Here we get a Windows user profile and need to find the picture of the password.

I ran find . -name '*.jpg' (quote the glob so the shell does not expand it before find sees it) and checked the images in the result. The second image had the flag.



The file is an ADB Backup file.

Extract the ADB backup file using ( printf "\x1f\x8b\x08\x00\x00\x00\x00\x00" ; tail -c +25 metro.ab ) | tar xfvz -

An unencrypted .ab file starts with a 24-byte text header (the lines ANDROID BACKUP, the format version, the compressed flag and the encryption algorithm "none"), followed by a zlib stream. tail -c +25 drops that header by starting at byte 25, and printf prepends the first eight bytes of a gzip header; the two zlib header bytes that follow are consumed as the gzip XFL and OS fields, so tar -z sees a valid gzip member followed by raw deflate data. gzip complains about the missing CRC trailer at the very end, but by then tar has already extracted the archive.

I looked for SQLite databases in the extracted tree with find . -name '*.db' and found ./apps/com.citymapper.app.release/db/citymapper.db, which holds location data. I opened it, checked the locationhistoryentry table, then looked up each location in Google. Found Twinbrook Metro Station.
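The same unpacking done in Python rather than with the printf/tail trick, as an added example that is not part of the original writeup: it parses the four-line header, refuses encrypted backups, inflates the zlib payload and lists the tar members. The sample backup is constructed inline (one fake app database), so the archive name and path are assumptions, not the challenge file.

```python
import io
import tarfile
import zlib


def parse_ab(data):
    """Parse an Android 'adb backup' (.ab) file.

    Header: four newline-terminated ASCII lines
      ANDROID BACKUP / format version / compressed flag / encryption algorithm
    Returns (version, header_length, tar_bytes). Everything after the fourth
    newline is a zlib stream (compressed=1) or a raw tar archive (compressed=0).
    """
    if not data.startswith(b"ANDROID BACKUP\n"):
        raise ValueError("not an Android backup file")
    pos = 0
    fields = []
    for _ in range(4):
        nl = data.index(b"\n", pos)
        fields.append(data[pos:nl].decode("ascii"))
        pos = nl + 1
    _, version, compressed, encryption = fields
    if encryption != "none":
        # AES-256 backups need the user's backup password; out of scope here
        raise ValueError(f"backup is encrypted with {encryption}; decrypt it first")
    payload = data[pos:]
    if compressed == "1":
        payload = zlib.decompress(payload)
    return int(version), pos, payload


def list_backup(data):
    """Return (header_length, member names) for an .ab file."""
    _, header_len, tar_bytes = parse_ab(data)
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tf:
        names = [m.name for m in tf.getmembers()]
    return header_len, names


def make_sample_ab():
    """Constructed sample (not the challenge's metro.ab): a tar holding one
    app database, compressed with zlib, behind a version-5 header."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        body = b"SQLite format 3\x00" + b"\x00" * 16
        info = tarfile.TarInfo("apps/com.example.app/db/app.db")
        info.size = len(body)
        tf.addfile(info, io.BytesIO(body))
    return b"ANDROID BACKUP\n5\n1\nnone\n" + zlib.compress(buf.getvalue())


if __name__ == "__main__":
    header_len, names = list_backup(make_sample_ab())
    print(f"header is {header_len} bytes; members: {names}")
```

The header length comes out as 24 for an unencrypted backup, which is exactly why the shell one-liner uses tail -c +25; zlib.compress emits the same 78 9c stream header that Java's Deflater does, the two bytes the gzip trick swallows as XFL/OS.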



This one was a really interesting challenge: we have to recover data from a SQLite database. I was entirely new to this topic, with no prior experience with SQLite artifacts, but thanks to this challenge I researched it and gained valuable knowledge.

We are given the SQLite db, a -shm file and a -wal file. wpndatabase.db is the Windows notification platform database (found under %LOCALAPPDATA%\Microsoft\Windows\Notifications). I checked the db file for any flag entries but couldn't find any, so I checked the other files, and wpndatabase.db-wal had CTF entries.

Hmm, interesting. WAL stands for write-ahead logging.

The write-ahead log, or wal file, is a roll-forward journal that records transactions that have been committed but not yet applied to the main database. Those pages stay in the WAL until a checkpoint copies them into the .db file, so rows that never reached the main file (or were later deleted from it) can still be sitting in the WAL; that is why the CTF entries only showed up there. The -shm file is just the shared-memory index for the WAL and holds nothing useful on its own.

I couldn't extract the Handler ID by running strings on the wal file (strings only shows text values, not the binary-encoded fields of a record), so we need another way to get it. After some googling I found a tool called walitean.

$ python2 walitean.py -f wpndatabase.db-wal -x updated.db -m wpndatabase.db 

I had already noted the column names of the table in the main database.

Now I opened the recovered wal database and cross-checked those column names to find the Handler ID.

The Handler ID sat in the recovered table's unknown1 column, which corresponds to the Handler ID column of the main database.
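To make the WAL definition above concrete, here is an added example (not from the writeup or from walitean) that parses a SQLite -wal file directly: the 32-byte file header and the 24-byte header of every frame, keeping only frames whose salt values match the current WAL generation. The demo builds a throwaway WAL-mode database, inserts a row with a constructed marker string, and shows that the row exists only in the WAL until a checkpoint moves it into the main file. The table and column names are assumptions for the demo, not the real wpndatabase schema.

```python
import os
import shutil
import sqlite3
import struct
import tempfile

# 0x377F0682 / 0x377F0683 select little/big-endian frame checksums
WAL_MAGICS = (0x377F0682, 0x377F0683)


def parse_wal(wal):
    """Parse a SQLite WAL file and return (page_size, frames).

    File header (32 bytes, big-endian): magic, format version (3007000),
    page size, checkpoint sequence, salt-1, salt-2, checksum-1, checksum-2.
    Frame header (24 bytes): page number, database size in pages if this
    frame commits a transaction (else 0), salt-1, salt-2, checksum-1,
    checksum-2; followed by one full page image.
    """
    if len(wal) < 32:
        raise ValueError("WAL too short (already checkpointed and truncated?)")
    magic, _version, page_size, _ckpt, salt1, salt2, _, _ = struct.unpack(">8I", wal[:32])
    if magic not in WAL_MAGICS:
        raise ValueError("not a SQLite WAL file")
    frames = []
    off = 32
    while off + 24 + page_size <= len(wal):
        pgno, dbsize, fsalt1, fsalt2, _, _ = struct.unpack(">6I", wal[off:off + 24])
        # Frames whose salts differ belong to an older, already checkpointed
        # generation; a carving tool would still inspect them for old rows.
        if (fsalt1, fsalt2) != (salt1, salt2):
            break
        frames.append({"pgno": pgno, "commit": dbsize != 0,
                       "page": wal[off + 24: off + 24 + page_size]})
        off += 24 + page_size
    return page_size, frames


def demo(marker="PCTF_constructed_marker"):
    """Write one row into a WAL-mode database without checkpointing and report
    where the row's bytes can be found."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "demo.db")
    conn = sqlite3.connect(path)
    try:
        conn.execute("PRAGMA journal_mode=WAL")
        conn.execute("PRAGMA wal_autocheckpoint=0")  # keep frames out of the main file
        conn.execute("CREATE TABLE Notification(Id INTEGER PRIMARY KEY, "
                     "HandlerId INTEGER, Payload TEXT)")  # assumed demo schema
        conn.execute("INSERT INTO Notification VALUES (1, 4242, ?)", (marker,))
        conn.commit()
        with open(path + "-wal", "rb") as f:
            page_size, frames = parse_wal(f.read())
        with open(path, "rb") as f:
            main_bytes = f.read()
        result = {
            "page_size": page_size,
            "frames": len(frames),
            "commit_frames": sum(fr["commit"] for fr in frames),
            "marker_in_main_db": marker.encode() in main_bytes,
            "marker_in_wal": any(marker.encode() in fr["page"] for fr in frames),
        }
        # A checkpoint copies the WAL pages into the main database file.
        conn.execute("PRAGMA wal_checkpoint(TRUNCATE)")
        with open(path, "rb") as f:
            result["marker_in_main_after_checkpoint"] = marker.encode() in f.read()
    finally:
        conn.close()
        shutil.rmtree(workdir, ignore_errors=True)
    return result


if __name__ == "__main__":
    print(demo())
```

The integer column (HandlerId here) is stored inside the record as a big-endian integer of 1 to 8 bytes, not as text, which is why strings on a WAL shows the text payloads but never the ID; a tool like walitean rebuilds the records from the page images instead of searching for printable runs.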



The zip contained the SYSTEM registry hive and ntds.dit, the Active Directory database.

Using the impacket secretsdump script, we can easily extract the contents of ntds.dit: the SYSTEM hive supplies the boot key that protects the password encryption key, and LOCAL tells the script to parse the files offline instead of connecting to a host. On Kali the script is installed as impacket-secretsdump; a pip install provides it as secretsdump.py.

$ pip3 install impacket 
$ impacket-secretsdump -system system -ntds ntds.dit LOCAL


Vrai Crypt

We are given a memory dump. I looked at the pslist of this dump and found TrueCrypt running; great, as the description suggests, the SecretBoy file is encrypted with TrueCrypt.

We can extract the TrueCrypt master key from memory using the Volatility 2 plugin truecryptmaster. The key is 64 bytes (two 256-bit AES keys for XTS mode), which is all that is needed to decrypt the container; the user's passphrase is not required.

Master Key : 616dba8467f706ba40793d700946fd1c85515c641a2c35c3fb37c195ae1f488465b960750fb87ce3e0629d3157d588ed955483bb857cd2e0ae96fcabb4d7297d

Now, to decrypt the encrypted file with that master key, we can use the MKDecrypt tool.



Description : Someone broke into our systems and managed to exfiltrate some data, but we don’t know how. Can you find out what data they stole?

We are given a pcapng file. Initially I opened it in Wireshark and looked through the packets, but didn't find anything suspicious among TCP and UDP. When I filtered on ICMP, though, I got a strange result.

I noticed the payload field data:7:39 carried pieces of the data being sent out, and checking the remaining packets made this clear. Now we have to extract these pieces and join them together.

I wrote a Python script to extract the data.

import sys
from binascii import unhexlify
from scapy.all import rdpcap, ICMP, IP, Raw

# Destination the pieces were sent to. The address was elided in the original
# writeup, so it is taken from the command line here.
EXFIL_DST = sys.argv[1] if len(sys.argv) > 1 else ''


def append(chunks):
    """Join the hex pieces: each payload looks like '...:<hex>', so keep
    everything after the last ':' and concatenate."""
    result = ''
    for chunk in chunks:
        start = chunk.rfind(':') + 1
        result += chunk[start:]
    return result


pkts = rdpcap("exfil.pcapng")

data = []
i = 0

for pkt in pkts:
    # only ICMP packets towards the exfil host carry pieces of the file
    if ICMP in pkt and Raw in pkt and pkt[IP].dst == EXFIL_DST:
        i += 1
        data.append(bytes(pkt[Raw].load).decode(errors='ignore'))
        if i == 40:   # the capture carried 40 pieces
            break

decoded = unhexlify(append(data).encode()).decode()
print(decoded)
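The same reassembly without scapy, as an added example that is not part of the original writeup: it reads a classic libpcap file (the challenge gave a pcapng, which would need a different container reader), walks Ethernet/IPv4/ICMP by hand, keeps only echo requests to the exfil host, orders the pieces by ICMP sequence number rather than by arrival, and skips ordinary pings whose payload is the usual binary timestamp plus 0x10..0x37 pattern. The capture is constructed inline; the payload layout data:<n>:<total>:<hex>, the addresses and the flag string are assumptions.

```python
import binascii
import string
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4


def build_pcap(frames):
    """Serialize raw Ethernet frames into a classic little-endian pcap file."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for ts, frame in enumerate(frames):
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out


def icmp_echo_frame(src, dst, seq, payload):
    """Ethernet/IPv4/ICMP echo request carrying `payload` (checksums left 0;
    the parser below does not validate them)."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, seq) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), seq, 0, 64, 1, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    return eth + ip + icmp


def icmp_payloads(pcap):
    """Yield (dst, seq, payload) for every ICMP echo request in a classic pcap."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic == PCAP_MAGIC_LE:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic pcap (pcapng needs a different reader)")
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet link type is handled here")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl, _ = struct.unpack(end + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16: off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # IPv4 only
            continue
        ihl = (frame[14] & 0x0F) * 4
        total_len = struct.unpack("!H", frame[16:18])[0]
        if frame[23] != 1:  # IP protocol 1 = ICMP
            continue
        dst = ".".join(map(str, frame[30:34]))
        icmp = frame[14 + ihl: 14 + total_len]
        if len(icmp) < 8 or icmp[0] != 8:  # echo request only
            continue
        seq = struct.unpack("!H", icmp[6:8])[0]
        yield dst, seq, icmp[8:]


def reassemble(pcap, dst):
    """Collect hex pieces sent to `dst`, order them by sequence, decode."""
    chunks = {}
    for d, seq, payload in icmp_payloads(pcap):
        if d != dst:
            continue
        text = payload.decode("ascii", errors="replace")
        # exfil pieces are printable and 'key:...:<hex>'; normal pings are not
        if ":" not in text or not all(c in string.printable for c in text):
            continue
        chunks[seq] = text[text.rfind(":") + 1:]
    return binascii.unhexlify("".join(chunks[s] for s in sorted(chunks))).decode()


def make_sample_capture(secret=b"PCTF{constructed_sample_flag}", chunk=6):
    """Constructed capture: the secret is hex-encoded, split into pieces and
    sent in reverse order, with one ordinary ping mixed in."""
    hexed = secret.hex()
    parts = [hexed[i:i + chunk] for i in range(0, len(hexed), chunk)]
    frames = []
    for n in reversed(range(len(parts))):
        payload = f"data:{n}:{len(parts)}:{parts[n]}".encode()
        frames.append(icmp_echo_frame("10.0.0.5", "203.0.113.9", n, payload))
    normal_ping = b"\x00" * 8 + bytes(range(0x10, 0x38))  # Linux ping default pattern
    frames.append(icmp_echo_frame("10.0.0.5", "203.0.113.9", 99, normal_ping))
    return build_pcap(frames)


if __name__ == "__main__":
    print(reassemble(make_sample_capture(), "203.0.113.9"))
```

Sorting by the ICMP sequence number matters in a real capture: retransmissions and reordering mean arrival order is not always piece order, and the sequence field is the one thing the sender had to keep consistent for its own reassembly.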


Android 1

We are given a vmdk (VMware virtual machine disk) of an Android system. This challenge can be solved easily with Autopsy on Windows, but I am on Linux, so I used The Sleuth Kit. First we need to identify the partitions and their offsets with the mmls utility; then we recover the deleted files with tsk_recover. The -o value passed to the TSK tools is the partition's starting sector from the mmls output (512-byte sectors), not a byte offset.

$ mmls android-disk002.vmdk
$ mkdir recovered 
$ tsk_recover -o 0000000063 android-disk002.vmdk recovered/
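What mmls does for an MBR-partitioned image, as an added example that is not from the writeup or from The Sleuth Kit: parse the 64-byte partition table at offset 446 of sector 0 and report each partition's start sector and length, the start sector being the value for -o. The boot sector is constructed inline (one Linux partition starting at sector 63, the classic CHS-aligned layout, plus an extended entry); the layout and partition types are assumptions, not the challenge's vmdk. A vmdk must first be converted to raw (for example with qemu-img) or opened with a libvmdk-enabled TSK before its sector 0 can be read like this.

```python
import struct

SECTOR = 512


def parse_mbr(sector0):
    """Return the used primary MBR partition entries as dicts.

    Each 16-byte entry at 446 + 16*i: status, CHS start (3 bytes), type,
    CHS end (3 bytes), LBA start (uint32 LE), sector count (uint32 LE).
    """
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA signature: GPT-only disk or a bare filesystem image?")
    parts = []
    for i in range(4):
        entry = sector0[446 + 16 * i: 446 + 16 * (i + 1)]
        status, ptype, start, count = struct.unpack("<B3xB3xII", entry)
        if ptype == 0 or count == 0:
            continue
        parts.append({"slot": i, "type": ptype, "start": start,
                      "end": start + count - 1, "length": count,
                      "bootable": bool(status & 0x80)})
    return parts


def tsk_offset_for(parts, ptype=0x83):
    """Start sector of the first partition of the given type (0x83 = Linux);
    this is the number to pass as -o to tsk_recover, fls and icat."""
    for p in parts:
        if p["type"] == ptype:
            return p["start"]
    return None


def make_sample_mbr():
    """Constructed boot sector, not the challenge disk: a bootable Linux
    partition at sector 63 followed by an extended partition."""
    sector = bytearray(SECTOR)
    entries = [(0x80, 0x83, 63, 204800), (0x00, 0x05, 204863, 1000000)]
    for i, (status, ptype, start, count) in enumerate(entries):
        sector[446 + 16 * i: 446 + 16 * (i + 1)] = struct.pack(
            "<B3xB3xII", status, ptype, start, count)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)


if __name__ == "__main__":
    for p in parse_mbr(make_sample_mbr()):
        print(f"{p['slot']:03d}  {p['start']:010d}  {p['end']:010d}  "
              f"{p['length']:010d}  type 0x{p['type']:02x}")
```

Many Android images use GPT rather than MBR, in which case sector 0 holds only a protective MBR with a single 0xEE entry and the real table starts at sector 1; mmls handles both, this example only the MBR case.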

Great, now let's find the deleted dog image in the recovered folder. Checking each file by hand would be tiring, so I looped over all the files and opened them with feh, which displays image files and skips the rest. Letting find invoke feh directly avoids the word-splitting problems of $(find .) on paths with spaces.

$ find recovered -type f -exec feh {} \;

Finally found the dog picture at org.mozilla.firefox/cache/mozac_browser_thumbnails/thumbnails/d19775c3-4a77-4159-9799-b69d31619ae5.0.tmp. Check its md5sum and that's the flag: PCTF{863c2bf4685527570255417b3301aebf}

Android 2

We need to find the stored contacts on this disk. With the fls utility we can list all files in the partition (-r recurses into directories, -o is the same sector offset as before).

$ fls -r -o 0000000063 android-disk002.vmdk | grep contacts  

Found contacts2.db at inode 131413.

Extract it from the disk with icat -o 0000000063 android-disk002.vmdk 131413 > contacts2.db.

Opened it in DB Browser for SQLite and found the contact's phone number.


Android 3

This challenge is really easy: we can solve it by checking the contacts database from the previous challenge, or simply by grepping for "gmail" in the file listing. I will show the result of the latter method.


Android 4

We have to find the build ID of the Facebook app installed on this disk image. I walked through the inodes down to the Facebook data folder.

Then I chose a random database from its databases folder.

Opened it in DB Browser for SQLite and, boom, we can see the app build number.


Android 5

We have to find the Facebook user ID of the owner. I randomly checked files in the Facebook data folder and found a file with a USER_ID entry inside the shared_prefs folder (inode 139328).

The intended method was to check the composer_db we saw in the previous challenge's file listing.