Like many other forensic tool vendors in the past year, Belkasoft ran a capture the flag competition, this one in conjunction with their BelkaDay Europe virtual conference. The format was a bit different from what I'm used to, but I enjoyed it nonetheless. There were 11 questions total: 3 "baby" (easiest), 3 warmup, 2 tricky, and 3 hard. The harder the question, the more points it was worth, up to 1000 for the hardest ones. Dynamic scoring was used, which meant the more participants that solved a challenge, the fewer points it would be worth for everyone who solved it. The questions were open for 24 hours, which allowed me to work on them when I wasn't busy, which was nice.
It was interesting that some of the easier questions gave me more trouble than the most difficult ones. I was able to answer 10 of the 11 during the competition to take first place in the "Professional" track. The "Student" track winner got them all, so he just inched ahead of me for the overall crown, congrats Hakkı! Regardless, I was impressed overall by the competition.
The plot
Question 1 - Baby
What is the full name of the laptop owner? Format: First name Last name
Looking at the folder structure under C:\Users, we can see the only real-person account on the machine was for "anit.ghosh", which properly formatted to "Anit Ghosh" was the answer.
Figure 1: User listing
Question 2 - Baby
What is the full address of company's office? Full address line incl. country name
Figure 2: email domain
Figure 3: praivacymatrix.com address
Question 3 - Warmup
On November 16th security department got a signal of unauthorized attempts to obtain company's trade secrets.
When did the suspect first show interest in those? Provide exact timestamp in a common format, e.g. 2021-07-07 17:07:07 UTC
I thought I had this one in the bag quickly, but there were some timezone issues. I found an email from our user Anit to his boss John on November 5th of 2020.
Figure 4: Email from Anit to John
Question 4 - Warmup
What 3 employees should be asked questions about unauthorized requests from the suspect? Format: First Last, First Last, First Last
Figure 5: "Technical documentation" emails
Question 5 - Baby
What is the SHA256 hash of the product documentation obtained by the suspect?
Using Arsenal Image Mounter, I mounted the E01 image and browsed to the user's folder to see what was in the Downloads folder. One file of interest was found there titled "xraicommend-761263a55b8cfed4bcb8f87cbbb68beaf2ec2423.tar.gz", whose Zone.Identifier alternate data stream showed it was downloaded from an internal Git repo, but this wasn't the proper file (more on this one later).
I then took a peek at the Documents folder and saw a single PDF file that also had a Zone.Identifier stream. It stuck out because of the name of the file too, "Doc_-_13_Feb_2021_-_13-40.pdf". Inside was some confidential product documentation for Project X.
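The Zone.Identifier stream mentioned above is the NTFS "Mark-of-the-Web": an INI-style alternate data stream with a ZoneId (3 = Internet) and, on newer Windows builds, the HostUrl and ReferrerUrl of the download. The following Python is an added example, not code from the original write-up or from any of the tools it names; it parses that stream format and, on a Windows machine with the image mounted, can walk a folder and report every file carrying one. The sample stream and its git.example.internal URLs are constructed for the demonstration and are not values from the case image.

```python
"""Added example: parse NTFS Zone.Identifier (Mark-of-the-Web) streams.

On NTFS the stream can be opened by appending ":Zone.Identifier" to the
file path. Its body is INI text under a [ZoneTransfer] section; ZoneId=3
is the Internet zone, and HostUrl/ReferrerUrl (when present) record the
download origin, which is what pointed at the internal Git repo above.
"""
import configparser
import os
from dataclasses import dataclass
from typing import Iterator, Optional, Tuple

ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}


@dataclass
class MarkOfTheWeb:
    zone_id: int
    zone_name: str
    host_url: Optional[str]
    referrer_url: Optional[str]


def parse_zone_identifier(stream_text: str) -> MarkOfTheWeb:
    """Parse the text of a Zone.Identifier stream (CRLF line endings are fine)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(stream_text)
    sect = cp["ZoneTransfer"]          # keys are matched case-insensitively
    zone = int(sect.get("ZoneId", "-1"))
    return MarkOfTheWeb(zone, ZONE_NAMES.get(zone, "Unknown"),
                        sect.get("HostUrl"), sect.get("ReferrerUrl"))


def read_zone_identifier(path: str) -> Optional[MarkOfTheWeb]:
    """Read the ADS from a file on a mounted NTFS volume (Windows only).
    Returns None when the file has no Mark-of-the-Web or the ADS is unreadable."""
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8",
                  errors="replace") as f:
            return parse_zone_identifier(f.read())
    except OSError:                    # no such stream, not NTFS, or not Windows
        return None


def scan_directory(root: str) -> Iterator[Tuple[str, MarkOfTheWeb]]:
    """Walk e.g. a mounted image's Downloads folder and yield every file
    that carries a Mark-of-the-Web together with its parsed stream."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            motw = read_zone_identifier(p)
            if motw is not None:
                yield p, motw


# Constructed sample stream for offline use; the URLs are placeholders,
# not values recovered from the case image.
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=http://git.example.internal/anit/xraicommend\r\n"
    "HostUrl=http://git.example.internal/anit/xraicommend/archive/master.tar.gz\r\n"
)

if __name__ == "__main__":
    m = parse_zone_identifier(SAMPLE_STREAM)
    print(f"zone={m.zone_id} ({m.zone_name}) host={m.host_url} "
          f"referrer={m.referrer_url}")
```

On a live system the HostUrl is only written by browsers and tools that populate it; older Windows builds and some downloaders leave just the ZoneId, so treat a missing URL as "unknown origin" rather than "local".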
Question 6 - Tricky
What employee has actually provided the suspect with the product documentation? Format: First name Last name Employee ID
Question 7 - Warmup
What URL did the suspect manage to obtain the product source code from? Exact, including file name
Question 8 - Hard
What e-mail address did the suspect's backdoor code send reports to?
This was the only question that I failed to answer during the actual CTF timeframe, but I did solve it about an hour afterwards. It was by far the hardest question of the bunch, especially if you weren't working through a Linux environment. Anit had a folder called "adstresser" which had a few references in recent items and the PowerShell history. I couldn't find any evidence specifically in the folder structure, but I saw that some code had been changed.
So what better way to try out some new methods than mounting the E01 using Arsenal Image Mounter and running it as a VM. If you haven't tried it out, it's amazing, and it can also bypass the password almost instantly. Running Git itself shows that "adstresser" was a recent repository.
Question 9 - Hard
The suspect left an offshore SIM card in his desk drawer. We suggest it might have been used in exfiltrating the leaked data. Please help us confirm that.
Another very difficult one that I solved at the very last minute. Both Belkasoft X and my usual tool of choice, Magnet AXIOM, carved URLs related to the web version of WhatsApp from the hibernation file (hiberfil.sys). Knowing the computer was running Windows 10 and that memory images are compressed, I exported the hibernation file and ran it through Arsenal's Hibernation Recon to process it. Once it spit out a raw ".bin" file, I ran that back through AXIOM to see if any more results could be pulled out, and indeed they could: 3 WhatsApp message chats were carved.
From my past experience with WhatsApp on mobile, I knew that the phone number associated with each account would show as the account name/email address. So we have one number, "8562097771657", but what about the other? I ran the ".bin" file through Bulk Extractor to see if I could get any other items related to this number from the hibernation file. Under the "email" parser we can filter using the first number and see a bunch of items, including a new address domain, "@c.us".
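The pivot described above, filtering bulk_extractor's email scanner output on a known number and looking for other "@c.us" identifiers next to it, is easy to script. bulk_extractor writes each scanner's hits to a tab-separated feature file (email.txt for the email scanner) with one hit per line as forensic path, feature, context, preceded by "#" comment lines. WhatsApp user JIDs have the form <phone number>@c.us, which the email scanner reports as an address. The Python below is an added example, not code from the write-up or from bulk_extractor itself; the sample email.txt content is constructed, with the pivot number taken from the write-up and the second number a placeholder.

```python
"""Added example: pivot through a bulk_extractor feature file on a known
phone number to find the other WhatsApp JIDs it was talking to.

Feature-file layout (bulk_extractor convention):
    <forensic path>\t<feature>\t<context>
with '#' comment lines at the top. Forensic paths may carry recursion
suffixes such as 1234-GZIP-56; we keep them as opaque strings.
"""
import re
from collections import Counter
from typing import Iterator, Tuple

JID_RE = re.compile(r"\b(\d{7,15})@c\.us\b")   # WhatsApp user JID


def parse_feature_file(text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (forensic_path, feature, context) for every hit line."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) < 2:
            continue
        path, feature = parts[0], parts[1]
        context = parts[2] if len(parts) > 2 else ""
        yield path, feature, context


def pivot_on_number(text: str, number: str) -> Counter:
    """Count every other WhatsApp number that co-occurs with `number` in a
    hit's feature or context. Each hit line counts a given JID once, so a
    JID that appears both as the feature and inside the context is not
    double-counted."""
    hits: Counter = Counter()
    for _path, feature, context in parse_feature_file(text):
        blob = feature + " " + context
        if number not in blob:
            continue
        for jid in set(JID_RE.findall(blob)):
            if jid != number:
                hits[jid] += 1
    return hits


# Constructed sample of an email.txt feature file. 8562097771657 is the
# number from the write-up; 15550001111 is a placeholder, not a real hit.
SAMPLE_EMAIL_TXT = "\n".join([
    "# BANNER FILE NOT PROVIDED (-b option)",
    "# BULK_EXTRACTOR-Version: 2.0.0",
    "# Feature-Recorder: email",
    "# Filename: hiberfil.bin",
    "# Feature-File-Version: 1.1",
    "1048576\t8562097771657@c.us\t\"from\":\"8562097771657@c.us\",\"to\":\"15550001111@c.us\"",
    "1049000\t15550001111@c.us\t\"to\":\"15550001111@c.us\",\"from\":\"8562097771657@c.us\"",
    "2097152-GZIP-512\tanit.ghosh@example.com\tMIME-Version: 1.0 From: anit.ghosh@example.com",
    "3145728\t8562097771657@c.us\tid 8562097771657@c.us ack",
])

if __name__ == "__main__":
    for jid, count in pivot_on_number(SAMPLE_EMAIL_TXT, "8562097771657").most_common():
        print(f"{jid}@c.us  seen with pivot number in {count} hit(s)")
```

Against a real run, point it at the email.txt in the bulk_extractor output directory; group JIDs (the "@g.us" domain) would need their own pattern, and a number that only ever appears in a different scanner's output (for example url.txt) will not surface here.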
Question 10 - Tricky
What is the SHA256 hash of the file exfiltrated? (PHOTOS.7Z)
There were hints of recent usage of this PHOTOS.7z file all over the image but the actual file was no longer found. Going down the path shown from the WhatsApp chats above, there was a file shared using an AnonFiles link (https://anonfiles.com/z3jek3J2p3), which happened to be the file we were looking for.
Question 11 - Hard
What is the suspect's cryptocurrency address they intended to get reward paid to?
The PHOTOS.7z file was naturally password protected, but the contents were guaranteed to contain the answer. One nice advantage of using Magnet AXIOM again is the custom artifacts. Yogesh Khatri created one for PowerShell history (grab it here) which quickly pulls out information from the file at the following path:
C:\Users\anit.ghosh\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
We can see the PHOTOS.7z was password protected from PowerShell, and the history recorded the password "PQ3Rut8QyxghL8lu2UfF".
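PSReadLine appends every interactive command, one per line, to the ConsoleHost_history.txt path given above, and 7-Zip takes the archive password on the command line as -p<password>, so encrypting an archive from the console leaves the password in that file. The Python below is an added example, not the AXIOM custom artifact or code from the write-up; it scans a PSReadLine history for 7-Zip invocations that passed -p and reports the operation, archive and password. The sample history lines are constructed for the demonstration; only the password value is taken from the write-up.

```python
"""Added example: recover 7-Zip passwords from PSReadLine history.

History location (per user):
  %APPDATA%\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt
7-Zip syntax assumed: 7z[a][.exe] <a|x|t|l> [switches] <archive> [files]
with the password given as -ppassword, -p"pass word" or -p'pass word'.
"""
import re
from pathlib import Path
from typing import List, Tuple

# A 7z / 7za executable (optionally quoted, optionally with a path) followed by
# an add/extract/test/list subcommand; captures the subcommand and the rest.
SEVENZ_RE = re.compile(
    r"""(?:^|[\s&|;])(?:\S*7za?(?:\.exe)?)['"]?\s+([axtl])\s+(.*)$""",
    re.IGNORECASE)
# -p"..." , -p'...' or bare -pvalue (the bare form cannot contain spaces).
PASS_RE = re.compile(r"""-p(?:"([^"]*)"|'([^']*)'|(\S+))""")
ARCHIVE_RE = re.compile(
    r"""["']?(\S+?\.(?:7z|zip|tar\.gz|tar|rar))["']?(?=\s|$)""", re.IGNORECASE)


def find_7z_passwords(history_text: str) -> List[Tuple[int, str, str, str]]:
    """Return (line_no, operation, archive, password) for every 7-Zip command
    in the history that carried a -p switch."""
    results = []
    for n, line in enumerate(history_text.splitlines(), 1):
        m = SEVENZ_RE.search(line)
        if not m:
            continue
        op, args = m.group(1).lower(), m.group(2)
        pm = PASS_RE.search(args)
        if not pm:
            continue
        password = next(g for g in pm.groups() if g is not None)
        am = ARCHIVE_RE.search(args)
        archive = am.group(1) if am else "?"
        results.append((n, op, archive, password))
    return results


def from_history_file(path: str) -> List[Tuple[int, str, str, str]]:
    """Convenience wrapper for an exported ConsoleHost_history.txt."""
    return find_7z_passwords(Path(path).read_text(encoding="utf-8",
                                                  errors="replace"))


# Constructed sample history; the command lines are not from the case image.
SAMPLE_HISTORY = "\n".join([
    "cd C:\\Users\\anit.ghosh\\Pictures",
    "Get-ChildItem",
    "& 'C:\\Program Files\\7-Zip\\7z.exe' a -mhe=on -pPQ3Rut8QyxghL8lu2UfF PHOTOS.7z *.jpg",
    "Get-FileHash .\\PHOTOS.7z -Algorithm SHA256",
    "Remove-Item .\\PHOTOS.7z",
    "7z.exe x -p'hunter2' .\\backup.zip",
])

if __name__ == "__main__":
    for line_no, op, archive, password in find_7z_passwords(SAMPLE_HISTORY):
        print(f"line {line_no}: 7z {op} {archive} password={password}")
```

Note that -mhe=on (header encryption) also hides the file names inside the archive, so without this password even the listing of PHOTOS.7z would have been unavailable; the history is also worth grepping for other tools that accept passwords on the command line.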
Conclusion
This was a fantastic and challenging CTF competition that I thoroughly enjoyed. I am already looking forward to playing in the next one that Belkasoft said they are already planning. Check out their results page (here) as well as their official write-up (here).
Tool Listing
Bulk Extractor - https://github.com/simsong/bulk_extractor
Magnet AXIOM - https://www.magnetforensics.com/products/magnet-axiom/