BlackHat MEA CTF Qualifications 2023 | Forensics writeup

Mohamed Elmasry
6 min readOct 9, 2023

--

Hi People :D

This is a writeup for all forensics challenges that were in BlackHat MEA CTF 2023 Qualifications phase.

let’s go :D

[*] USB100 (easy — 50pts)

==============================

The attachment file was a PCAP file (send.pcapng), so let’s open it in Wireshark and see what’s going on.

As mentioned in the description, we have some USB traffic.

This led me to search for a method to extract files from this data. During my research, I came across This Writeup from another CTF, which showed that the data could be located within the URB_BULK out packets.

I simply sorted the packets by length (because file packets are typically larger than other data packets). Most of the files turned out to be dummy images :/ (you can tell they were JPEG images because they had ‘JFIF’ magic bytes).

To extract data, simply right-click on ‘Leftover Capture Data’, then choose ‘Export Packet Bytes’ and save it with the correct extension.

Among all these images and other data, I found one packet that contained an executable file (again, you can know from the ‘MZ’ magic bytes).

I simply extracted the data using the same method as above, saved the file as ‘bin.exe,’ ran it from the cmd and obtained the flag easily :)

[*] Not supported (medium— 150pts)

=============================================

The attached file was a ZIP file (memory_win11.zip). It’s just a memory dump file, but notice that the ZIP file has ‘win11’, so it’s a memory dump from Windows 11.

I’m aware that Volatility lacks profiles for Windows 11, so there’s no need to spend time trying to identify the profile or using plugins with the standard configuration.

Because of this, I immediately searched for a method to analyze the Windows 11 memory image with Volatility and came across This Article.

Let’s proceed with this guide to generate a suitable profile for our memory image. Simply create the configuration file using this command with Volatility 3 (it takes some time to complete):

python3 vol.py --save-config config.json -f memdump.mem windows.info

With the configuration file now in place, let’s return to our guide to discover how to apply this configuration file and initiate the use of plugins.

We simply include the ‘-c’ parameter followed by our configuration filename and then proceed to use the tool as usual.

As stated in the challenge description, we are searching for the notepad process. Let’s use the ‘pslist’ plugin to find it with the following command:

python3 vol.py -c config.json -f memdump.mem windows.pslist.PsList

The PID of Notepad.exe is ‘6028.’ To dump this process, let’s use the memmap plugin:

python3 vol.py -c config.json -f memdump.mem -o out windows.memmap.Memmap --pid 6028 --dump

The dumped process was approximately 1 GB in size, which is quite large for efficient searching. Therefore, I decided to use strings tool to make it easier to search:

strings pid.6028.dmp > out.txt

The final step is to locate the flag. Since we are already know the flag format (BHFlagY{flag}), we can search for it accordingly.

The flag contains some spaces between its characters, but you can easily remove them to obtain the final flag :).

[*] Extend (Hard— 300pts)

==============================

Note: This challenge was solved by some of my awesome teammates ❤ (zaqk, Black_or_White, riddle)

The attached file was a ZIP file (Extend.zip) that contains a JPEG image.

Let’s start with basic steganography techniques: ‘strings’. In the output, we found a github website link.

After inspecting this link, we acquired some information about the case and obtained a few hints. However, the most crucial element is the concluding sentence: ‘find more data somewhere here’.

This sentence implies that we should investigate the original repository hosted by this site.

So let’s search for the repository on github.

We found it :). Now let’s check its content.

In the ‘fulldata.md’ file, we discovered a link that redirects to a Pastebin page containing the leaked data. Among the contents was a Mega link along with an encryption key.

The Mega link led to a ZIP file named ‘Google.7z.

Upon downloading and extracting the content, it turned out to be data related to the user’s Chrome browser.

At this point, we had spent A LOT of time going through most of the data. We then decided to take a closer look at the Extensions data (as the leaks mostly happen because of malicious extensions).

These Extensions can be found in the folder Google\Chrome\User Data\Default\Extensions, and the suspicious one had the ID ‘mmkhenhkkigaomljmmnkadejchchgoma’.

Extension service workers are an extension’s central event handler. So let’s take a look at the ‘service-worker.js’ file.

it’s an obfuscated JavaScript code. We need to deobfuscate this code first to understand what’s happening.

We came across some suspicious values here that appear to be encoded in Base64.

We attempted to decode the values directly, but that approach didn’t yield any results. In such cases, I prefer to inspect the encoded values of special characters in the flag to gain a better understanding of what’s going on.

The flag begins with the ‘BHFlag’ part, which results in the encoded value ‘QkhGbGFn’. If you examine the three values we discovered earlier in the JavaScript code, you’ll notice that the first four characters of the encoded ‘BHFlag’ value match the first four characters of the first value but in reverse order (‘….GhkQ’). This confirms that the ‘BHF’ part is correct, and the three values are reversed.

To get the flag, we need to reverse the order of the three values for each character and then decode them using Base64. Fortunately, CyberChef provides recipes for accomplishing this.

Thanks for reading and I hope you love this writeup ❤.

Facebook TwitterLinkedIn Discord

--

--

Mohamed Elmasry
Mohamed Elmasry

Written by Mohamed Elmasry

Digital Forensics Investigator | CTF player and creator | SOC Analysts | Threat Hunter

No responses yet