BlackHat MEA CTF Qualifications 2024 | Forensics writeup

Mohamed Elmasry
4 min read · Sep 2, 2024


Hi People :D

This is a writeup for two forensics challenges that were in BlackHat MEA CTF 2024 Qualifications phase.

let’s go :D

[*] Artifact (Easy — 90pts)

==============================

The attached file is a Registry Hive. Typically, I begin my investigation by using the RegRipper tool to extract important data.

Once the tool has completed its work, I searched for all .exe files until I located a suspicious file named DeadPotato-NET4.exe, found in \ControlSet001\Control\Session Manager\AppCompatCache. The execution date is included alongside it.

Flag is: BHFlagY{DeadPotato-NET4.exe_09/08/2024_22:42:13}

[*] NotFS (Medium — 180pts)

==============================

The attached file is a raw disk image (.img) named Chall.img.

I used the strings tool to examine the content of this image file, and it appears to be a file system.

I tried several tools, including Autopsy, FTK Imager, and Foremost, to extract data from this image file. However, all the tools I tested were only able to extract 6 WEBP images, which contained no significant information.

The final tool I used was TestDisk, which is primarily designed to recover lost partitions and make non-booting disks bootable again — precisely what we need for this challenge. To use it, simply download the tool from the official website, run it, and provide the path to the image file to get started.

The tool identified the partition table type as Intel, so let’s select that option.

Then choose Analyse.

Now select Quick Search.

The tool detected two partitions. Hover over the first partition and press the ‘P’ key on the keyboard to list the files within it.

TestDisk was able to find the six images that the other tools extracted, as well as an additional image and a file without an extension. Press ‘a’ to select all files, then ‘Shift + c’ to extract them.

The six WEBP images don’t contain any useful data, and the file without an extension is simply a text file with some dummy text.

The remaining file is the seventh image that TestDisk found. It is a PNG image, but Windows is unable to display a thumbnail for it, indicating that the image is corrupted.

It appears there is a problem with the file format, which indicates that the magic bytes of the file are corrupted.

By opening the file in any hex editor, you’ll see that the first byte is nulled.

To repair this image, you’ll need to find the correct magic bytes. This list from Wikipedia includes most of the necessary file magic bytes. The correct magic bytes for PNG images are 89 50 4E 47 0D 0A 1A 0A.

Let’s return to our hex editor, paste the correct magic bytes, and save the fixed image.
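The same repair can be done without a hex editor. The script below is an added example, not part of the original writeup: it reports which signature bytes differ from the PNG magic, confirms the file really is a PNG by validating the IHDR chunk and its CRC before touching anything, and then rewrites the 8-byte signature. The sample header it tests against is constructed inline; the function names are my own.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\x0a"  # 89 50 4E 47 0D 0A 1A 0A


def diagnose_signature(data: bytes) -> list[int]:
    """Return the offsets (0..7) at which the file's signature differs from the PNG magic."""
    return [i for i in range(len(PNG_SIG)) if i >= len(data) or data[i] != PNG_SIG[i]]


def ihdr_is_valid(data: bytes) -> bool:
    """Check that the first chunk after the signature is a well-formed IHDR with a correct CRC.
    A good IHDR is strong evidence the file is a PNG whose only damage is in the signature."""
    if len(data) < 33:  # 8 sig + 4 length + 4 type + 13 IHDR body + 4 CRC
        return False
    length, ctype = struct.unpack(">I4s", data[8:16])
    if length != 13 or ctype != b"IHDR":
        return False
    body = data[16:16 + length]
    crc_stored = struct.unpack(">I", data[16 + length:20 + length])[0]
    return (zlib.crc32(ctype + body) & 0xFFFFFFFF) == crc_stored


def repair_png_signature(data: bytes) -> bytes:
    """Restore the 8-byte PNG signature, but only when the IHDR chunk proves the file is a PNG."""
    if not ihdr_is_valid(data):
        raise ValueError("IHDR chunk missing or CRC mismatch: not a recoverable PNG header")
    return PNG_SIG + data[8:]


def make_sample_png_header(width: int = 1, height: int = 1) -> bytes:
    """Constructed sample: valid signature + IHDR chunk (no pixel data), used for testing."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)  # 8-bit RGBA, no interlace
    chunk = struct.pack(">I", len(ihdr)) + b"IHDR" + ihdr
    return PNG_SIG + chunk + struct.pack(">I", zlib.crc32(b"IHDR" + ihdr) & 0xFFFFFFFF)


if __name__ == "__main__":
    good = make_sample_png_header()
    damaged = b"\x00" + good[1:]  # mimic the challenge file: first byte nulled
    print("damaged signature offsets:", diagnose_signature(damaged))  # [0]
    fixed = repair_png_signature(damaged)
    print("signature restored:", fixed[:8] == PNG_SIG)  # True
```

To apply it to the recovered file, read it with `open(path, "rb")`, pass the bytes through `repair_png_signature`, and write the result to a new file so the original evidence stays untouched.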

Finally, this image contains the flag! :D

Flag is: BHFlagY{8bd8dc3ea7636c5fb8aeb}

Thanks for reading and I hope you love this writeup ❤.

