Tzion

CTF / Reverse Engineering / Malware Analysis / Threat Intelligence / Threat Hunting

1 minute read

Tasks source:

https://github.com/Tzion0/CTF/tree/master/DCTF/2022/Forensics

This writeup contains all Forensics category challenges in DCTF 2022 that i solved.

Secure Creds

Description

With the connection to the victim’s computer you managed to dump the lsass.exe process. Can you get the password from the dump file?

This challenge provided a zip file, unzip it we will get lsass.DMP file.

From the description we know that we are dealing with lsass.exe, a bit of research shows that we can dump the content using Mimikatz. I use pypykatz, which is the Python implementation of Mimikatz to dump it:

pypykatz lsa minidump lsass.DMP

IMG

Flag:

dctf{n0_ant1v1ru5_l0l}

Hidden Fox

Description

I let Firefox save some of my stuff while browsing, it should be written somewhere in it’s directory, can you find it? Flag is in two parts.

This challenge provided a zip file, unzip it we will get a folder called Firefox.

From the description we know that we need to somehow dump the Firefox saved contents.

I use dumpzilla in this case and we just need to provide the profile location which stated in the help menu of this tool. The profile location is:

Firefox/Profiles/b4873ssv.default-release/

Full command:

python3 dumpzilla.py ./Firefox/Profiles/br873ssy.default-release/

From the output we will see some interesting data and few parts of the flag:

IMG IMG IMG

Combine the parts of flag and we will get:

4nd_v151t3d__th15_p455w0rd}

So what’s next? Chances are we can decrypt the credentials! I use firefox_decrypt to decrypt it. Again, we just need to provide the profile location:

python3 firefox_decrypt.py ./Firefox/Profiles/br873ssy.default-release/

Output:

Website:   https://dctf.dragonsec.si
Username: 'dragonflag'
Password: 'dctf{1_b00km4rk3d_'

Combine it we will get the flag:

dctf{1_b00km4rk3d_4nd_v151t3d__th15_p455w0rd}'

Looks promising, huh? Unfortunately it wasn’t the correct flag, turns out that from the description it stated “Flag is in two parts” and our combination consists of 3 parts. Notice that extra ‘_’ in the flag above, it indicates that part was unnecessary, so the final flag should be:

dctf{1_b00km4rk3d_th15_p455w0rd}

You may also enjoy

[MALWARE] Lumma Stealer Loader Analysis

2 minute read

On September 19, 2024, I received an email regarding a GitHub Scanner result for my public repository. Initially, the email was not flagged as malicious or s...

[HITCONCTF-QUALS] Antivirus

14 minute read

I played HITCON Quals CTF 2024 with merger team World Wide Union. This challenge provided a run.sh and print_flag.cbc file.

[MATRIXCUP] My Journey & Experience

4 minute read

I am thrilled to participate in MatrixCup 2024 in QingDao, China with my team, 打个没五分钟充电三小时, humorously named after M53. Before we begin, I would like to tha...

[HACKTHEON] My Journey & Experience

2 minute read

Hackathon 2024 Adventure I am honored to participate in Hacktheon 2024 held in Sejong, South Korea with team Kopi Cincau consisting of M53 members Kelzin (@m...