Tasks source:

https://github.com/Tzion0/CTF/tree/master/DCTF/2022/Forensics

This writeup contains all Forensics category challenges in DCTF 2022 that i solved.

Secure Creds

Description

With the connection to the victim’s computer you managed to dump the lsass.exe process. Can you get the password from the dump file?

This challenge provided a zip file, unzip it we will get lsass.DMP file.

From the description we know that we are dealing with lsass.exe, a bit of research shows that we can dump the content using Mimikatz. I use pypykatz, which is the Python implementation of Mimikatz to dump it:

pypykatz lsa minidump lsass.DMP

IMG

Flag:

dctf{n0_ant1v1ru5_l0l}

Hidden Fox

Description

I let Firefox save some of my stuff while browsing, it should be written somewhere in it’s directory, can you find it? Flag is in two parts.

This challenge provided a zip file, unzip it we will get a folder called Firefox.

From the description we know that we need to somehow dump the Firefox saved contents.

I use dumpzilla in this case and we just need to provide the profile location which stated in the help menu of this tool. The profile location is:

Firefox/Profiles/b4873ssv.default-release/

Full command:

python3 dumpzilla.py ./Firefox/Profiles/br873ssy.default-release/

From the output we will see some interesting data and few parts of the flag:

IMG IMG IMG

Combine the parts of flag and we will get:

4nd_v151t3d__th15_p455w0rd}

So what’s next? Chances are we can decrypt the credentials! I use firefox_decrypt to decrypt it. Again, we just need to provide the profile location:

python3 firefox_decrypt.py ./Firefox/Profiles/br873ssy.default-release/

Output:

Website:   https://dctf.dragonsec.si
Username: 'dragonflag'
Password: 'dctf{1_b00km4rk3d_'

Combine it we will get the flag:

dctf{1_b00km4rk3d_4nd_v151t3d__th15_p455w0rd}'

Looks promising, huh? Unfortunately it wasn’t the correct flag, turns out that from the description it stated “Flag is in two parts” and our combination consists of 3 parts. Notice that extra ‘_’ in the flag above, it indicates that part was unnecessary, so the final flag should be:

dctf{1_b00km4rk3d_th15_p455w0rd}