BlackHat MEA CTF Qualifications 2022 | Forensics writeup

Mohamed Elmasry
4 min readOct 1, 2022

--

Hi People :D

This is a writeup for all forensics challenges that were in BlackHat MEA CTF Qualifications phase, there were only two challenges which was kinda frustrating for me.

Enough talking, let’s get started :D

[*] Bus (150 pts)

====================

The attachment file was a PCAP file (bus.pcap), so let’s open it in Wireshark and see what’s going on.

You can see that we have some Modbus queries and responses, there’s nothing interesting in this protocol except the Data section.

Right click on Data then choose Apply as Column to see the data in an easier and faster way.

All queries data are either 0000 or ff00 and this makes it clear that 0000 is represents 0 and ff00 represents 1 (on and off signals)

Now we can use tshark to extract all Data in the same order using this command:

tshark -r bus.pcap -T fields -e modbus.data -Y "modbus.data != 0 and tcp.dstport == 502" > out.txt

(we check if “tcp.dstport == 502” so that we only get queries without responses to avoid duplication of data)

The rest is so easy, just make some find & replace things like that:

replace 0000 with 0, ff00 with 1 and the newlines with nothing.

Now we have a ‘ready to convert’ binary data, convert it to text using any online tool such as CyberChef and you got the flag :D

Flag: Modbus_is_easy_after_all!

[*] Mem (250 pts)

======================

The attachment file was a RAW file (mem.raw), it’s just a memory dump file

So let’s start by knowing the profile using Volatility with this command:

vol -f mem.raw imageinfo (Win7SP1x64)

From challenge description we know that we are seeking for a file and a password, so let’s scan for files first with command:

vol -f mem.raw --profile=Win7SP1x64 filescan > files.txt

I found a file named flag.rar, copy it’s offset to dump it.

let’s dump it using this command:

vol -f mem.raw --profile=Win7SP1x64 dumpfiles -n --dump-dir=./ -Q 0x000000001bbff9c0

Change the name of the output file to chall.rar (for example) and try to extract it, it’s a RAR file contains flag.txt but it needs password to extract

From challenge description, you can see that they add “but I saved it locally” so I thought it might be in the Environment Variables and i was right :D

You can dump the environment variables using:

vol -f mem.raw --profile=Win7SP1x64 envars > envars.txt

By looking for any sus things in the output, I found this and it was the password (Ittm1Fc7hcuFrLZIQmxs).

Just extract the previous RAR archive with this password and we got the flag :D

Flag: Password_hints_are_the_retrievable

Thanks for reading and I hope you love this writeup ❤.

Facebook TwitterLinkedIn Discord

--

--

Mohamed Elmasry

Digital Forensics Investigator | CTF player and creator | SOC Analysts | Threat Hunter