ICMTC CTF 2023 Final | Forensics writeup

Mohamed Elmasry
5 min readJul 18, 2023

--

Hi People :D

This writeup covers 2 out of 4 forensic challenges and one reverse challenge included in the Finals round of ICMTC CTF 2023 which took place at the Military Technical College.

let’s go :D

[*] Devil Init Persistence (Forensics)

====================================

The ZIP file contains a REG file.

This file represents an exported windows registry, and its content is structured like that:

[<Hive name>\<Key name>\<Subbkey name>]

"Value name"=<Value type>:<Value data>

Sample

Since the challenge description mentions “Persistence”, I began searching for all the keys related to it and looked for anything suspicious among these keys.

Initially, I began my search within commonly known keys such as Run, RunOnce, RunServices, and so on but I didn’t find anything. However, upon realizing that the description mentioned that the key is “less common”, I resumed my search for another keys.

One of these keys is the Winlogon keys, which store information about the programs and services that run when the user logs into the system.

Within the Winlogon key, there are numerous entries, and one of these entries is called “Shell”.

I came across an unusual command within this entry, prompting me to investigate it further.

netsh.exe add helper C:\\Users\\User\\phantom.dll

Based on the outcome of my search, it appears that this command is utilized for persistence by loading a malicious DLL using Netsh tool. This is the command we were specifically searching for.

Flag: EGCERT{netsh.exe add helper C:\\Users\\User\\phantom.dll}

[*] MegaMind (Forensics)

=========================

Out of the entire CTF, this was the most exciting challenge that I thoroughly enjoyed, and we solved it in an unintended way.

The ZIP file contains an APK file and a databases directory.

Inside this databases directory, there are com.google.android.datatransport.events and megapreferences databases

To open these databases, I used DB Browser for SQLite (as SQLite3 is commonly used as the database for Android applications).

The com.google.android.datatransport.events database did not contain anything of interest. However, in the megapreferences database, I discovered an interesting table called “completedtransfers”.

This table contains information about transfers, including the filenames we were searching for. On the other hand, it seems that the filenames are encoded using Base64.

Unfortunately, my decryption attempt was unsuccessful due to the usage of an additional encryption algorithm for the filenames.

Now, let’s decompile the APK using Jadx and examine its contents to understand what is happening. Upon decompiling the APK, numerous lines of packages become visible.

To save time, we looked for any codes that interact with the transferfilename column.

Since all the search results were located within the SqliteDatabaseHandler class, let’s shift our focus to analyzing this specific class.

By scrolling down to the end of the class, you will come across three methods: encrypt, getAesKey, and decrypt.

Our approach to solving this was to understand the decrypt method, convert it to python code, and then pass the encrypted file name to it in order to retrieve the flag directly.

Fortunately, the decryption algorithm turned out to be quite straightforward and works as following:

1- Takes the first 32 bytes of the key returned by the getAesKey method (‘4ndr0!d_3gc3rt8 w4y*(Nc$G*(G($*G’).

2- Decoding the input string using Base64.

3- Decrypting the decoded input with the AES algorithm using the key from step(1)

4- Finally, decoding the resulting string using UTF-8.

With a clear understanding of the decoding algorithm, let’s proceed to convert it into a python script.

The only missing piece is knowing the AES algorithm used for encryption. To obtain this information, I searched for the aes_encrypt function and discovered that it uses the ECB algorithm.

I simply translated the four steps mentioned above into python code (as shown in the following figure).

By passing the value stored in the transferfilename column to this code, we were able to retrieve the flag :).

Flag: EGCERT{W3ll_D0n3_M3g4_M!nd}

[*] Redbull (Reverse)

====================

The EXE file has an icon of the python executable, which immediately led me to consider the possibility that it was created using PyInstaller.

To verify my assumption, I used the strings command and grep for PyInstaller to search for any PyInstaller related parts.

Luckily, the analysis confirmed that the file was indeed created using PyInstaller.

To extract the DLLs and Python Bytecodes, we can use pyinstxtractor tool by executing the following command:

pyinstxtractor.py challenge.exe

After extraction, we can see a PYC file with the identical name as our executable, which represents a compiled bytecode version of the source code.

The final step is to convert this bytecode back to the original source code. To accomplish this, I used uncompyle6 tool as shown below.

The source code includes a flag within its contents :D.

Flag: EGCERT{python_to_3x3cut@bi3_}

At this point, we have reached the end of this write-up. I hope you found it enjoyable and useful ❤.

We secured the 3rd position😎.

--

--

Mohamed Elmasry

Digital Forensics Investigator | CTF player and creator | SOC Analysts | Threat Hunter