[CTF] UACTF 2022 - Forensics


In this challenge we are given a Memory dump. I checked the memory dump profile with volatility. I got the flag parts in different order, but in this writeup I will do it in chronological order.

I used WinXPSP2x86 profile, then checked the process tree to find any useful processes.

I noted 2 interesting processes, wordpad.exe and notepad.exe. Since the objective is to find some base64 strings its worth checking these processes and also clipboard.

Hmm, Nothing in clipboard and notepad seems not useful either. So Lets jump into wordpad.exe.

PID of the wordpad process is 1632, I run vol.py -f memories --profile=WinXPSP2x86 memdump --pid=1632 -D . to dump all data related to wordpad.exe.

Then I run strings on the process dump, I saw a meaningful word while checking strings, so filtered it out with grep and got one base64 string.

flag part 1 : VUFDVEZ7aDAwMjR5Xw== --> UACTF{h0024y_

Ok, First part done , what about the rest. Well, I checked cmd history with cmdscan, process arguements with cmdline etc, None had useful data. Then I thought of dumping Active Directory with lsadump module.

Umm, The DefaultPassword looks like a base64 string. Well it is part of the flag.

flag part 2 : eTB1XzVjMDIz --> y0u_5c023

Still flag is incomplete, where else to check !?. We have seen PINBALL.EXE and winmine.exe in pslist. It seems the user was playing games. There is a screenshot module in volatility to capture desktop session. Lets try that and see what active windows are there.

Out of those pictures, the highlighted file had the current Desktop screenshot.

Wow, there is a base64 string.

flag part 3 : ZF81MG0zX1hQfQ --> d_50m3_XP}

Joining all parts we get

flag : UACTF{h0024y_y0u_5c023d_50m3_XP}

HID Table for 0x2

This is a USB pcap challenge, we need to decode keystrokes from USB HID packet capture. Its quiet painful :). Well anyway first step is to extract USB HID data.

With tshark -r keylogger.pcapng -Y 'usbhid.data' -T fields -e usbhid.data > keystrokes.txt I have extracted USB HID data. Next step is to map characters. I obtained a usbkeyboard mapping scripting from this post.

This still doesn’t make much sense, Thanks to my boi JoPraveen, he made the result much more readable and manually obtained keystrokes.

strings = "spaeiomYmgLeftArrowLeftArrowLeftArrowLeftArrowLeftArrowcLeftArrow.RightArrowRightArrowRightArrow/5RightArrowRightArrowLeftArrow4BRightArrowRightArrowmLeftArrowLeftArrowLeftArrowLeftArrowLeftArrowLeftArrowLeftArrowLeftArrowLeftArrowLeftArrowLeftArrowLeftArrownLeftArrowLeftArrowLeftArrowtRightArrowbLeftArrowLeftArrowLeftArrowLeftArrowLeftArrowLeftArrowhttRightArrowRightArrowRightArrowRightArrowRightArrowRightArrowRightArrowRightArrowRightArrowRightArrowRightArrowRightArrowRightArrowRightArrowRightArrowRightArrowRightArrowRightArrowALeftArrowLeftArrowLeftArrowLeftArrowLeftArrowLeftArrowLeftArrowLeftArrowLeftArrowLeftArrowLeftArrowLeftArrowLeftArrowLeftArrowLeftArrowLeftArrowsLeftArrowLeftArrowLeftArrowLeftArrowpRightArrow/RightArrowRightArrowLeftArrowLeftArrowLeftArrow:/EnterUnmLeftArrowLeftArrowLeftArrowdLeftArrowgRightArrowyLeftArrowLeftArrowLeftArrowTfPLeftArrowLeftArrowLeftArrowqEnter"

left = strings.replace('LeftArrow',' πŸ‘ˆ ')
right = left.replace('RightArrow',' πŸ‘‰ ')

# link: https://pastebin.com/5Y4BmAgm

# password: qTfPgdyUnm

spaeiomYmg πŸ‘ˆ  πŸ‘ˆ  πŸ‘ˆ  πŸ‘ˆ  πŸ‘ˆ c πŸ‘ˆ . πŸ‘‰  πŸ‘‰  πŸ‘‰ /5 πŸ‘‰  πŸ‘‰  πŸ‘ˆ 4B πŸ‘‰  πŸ‘‰ m πŸ‘ˆ  πŸ‘ˆ  πŸ‘ˆ  πŸ‘ˆ  πŸ‘ˆ  πŸ‘ˆ  πŸ‘ˆ  πŸ‘ˆ  πŸ‘ˆ  πŸ‘ˆ  πŸ‘ˆ  πŸ‘ˆ n πŸ‘ˆ  πŸ‘ˆ  πŸ‘ˆ t πŸ‘‰ b πŸ‘ˆ  πŸ‘ˆ  πŸ‘ˆ  πŸ‘ˆ  πŸ‘ˆ  πŸ‘ˆ htt πŸ‘‰  πŸ‘‰  πŸ‘‰  πŸ‘‰  πŸ‘‰  πŸ‘‰  πŸ‘‰  πŸ‘‰  πŸ‘‰  πŸ‘‰  πŸ‘‰  πŸ‘‰  πŸ‘‰  πŸ‘‰  πŸ‘‰  πŸ‘‰  πŸ‘‰  πŸ‘‰ A πŸ‘ˆ  πŸ‘ˆ  πŸ‘ˆ  πŸ‘ˆ  πŸ‘ˆ  πŸ‘ˆ  πŸ‘ˆ  πŸ‘ˆ  πŸ‘ˆ  πŸ‘ˆ  πŸ‘ˆ  πŸ‘ˆ  πŸ‘ˆ  πŸ‘ˆ  πŸ‘ˆ  πŸ‘ˆ s πŸ‘ˆ  πŸ‘ˆ  πŸ‘ˆ  πŸ‘ˆ p πŸ‘‰ / πŸ‘‰  πŸ‘‰  πŸ‘ˆ  πŸ‘ˆ  πŸ‘ˆ :/EnterUnm πŸ‘ˆ  πŸ‘ˆ  πŸ‘ˆ d πŸ‘ˆ g πŸ‘‰ y πŸ‘ˆ  πŸ‘ˆ  πŸ‘ˆ TfP πŸ‘ˆ  πŸ‘ˆ  πŸ‘ˆ qEnter

Finally we got a pastebin link https://pastebin.com/5Y4BmAgm and it required password qTfPgdyUnm.

flag : UACTF{234d_'3m_4nd_w33p}


This challenge gave me headache lol. It wasn’t a hard challenge, but figuring it out was crazy. Anyway we are given with Chrome Login Data which is the saved passwords. They are encrypted with DPAPI. We need mimikatz to extract password.

We have 3 files, Local State --> Contains Profile Info, Login Data --> Contains Saved Passwords and sekurlsa_dpapi.txt --> Contains DPAPI Masterkey.

I followed this post but couldn’t successfully extract the password. On the process I figured it out the 2nd masterkey is the correct one. Anyway still couldn’t recover password.

We haven’t used the Local State file yet. I don’t know whats the use of it either, because all the blogs I checked so far didn’t used this file. Anyway I checked the documentation of mimikatz dpapi::chrome module.

Lol, there is a state arguement. This is why it is highly recommended to read Docs LOL.

flag : UACTF{th1s_1s_why_y0u_use_a_passw0rd_manager}