Writeup: Magnet User Summit DFIR CTF 2019-Secret Project

The recent Magnet User Summit DFIR CTF Challenge was released to the public. I also took this opportunity to get familiar with the Magnet AXIOM software.

Link to CTF: https://mus2019.ctfd.io/
Other Parts:
- Mobile
- Activity
- Desktop

Secret Project

If you’ve had a look around on the desktop image, you may have noticed the user Selma’s desktop.

The two virtual hard disk files looked like a good lead. SecretStuff.vhd has been deleted, but EvenMoreSecretStuff.vhd could be extracted, though it appears to be encrypted.

We also have a BitLocker password from the HOLY COW BATMAN! challenge in the Mobile part. You can either use AXIOM to add the VHD as another evidence source, or mount it through diskpart or diskmgmt.

Entering the BitLocker password, “protectedbyjubjub”, and mounting the disk, we get some folders and what looks like a zip file in the Recycle Bin.

If you’ve had any experience with Recycle Bin forensics, you’ll know that the $IXXXXXX metadata file contains the original file name for the corresponding $RXXXXXX file, which holds the deleted content.
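To show what is actually inside that $I record, here is a small parser I’ve added to this writeup (it is not code from the CTF or from AXIOM). It handles both the Vista/7/8 layout (version 1, fixed 520-byte path) and the Windows 10 layout (version 2, length-prefixed path), and maps a $I name to its $R companion. The sample record it builds is constructed test data; the path, size and timestamp in it are invented and not taken from the challenge image.

```python
# Added example, not part of the original writeup: a parser for the Windows
# Recycle Bin $I metadata record. Each $IXXXXXX file stores the original path,
# size and deletion time of the deleted content kept in $RXXXXXX. Layouts handled:
#   version 1 (Vista/7/8):  8B version, 8B size, 8B FILETIME, 520B UTF-16 path
#   version 2 (Windows 10): 8B version, 8B size, 8B FILETIME, 4B path length in
#                           characters (NUL included), then the UTF-16 path
import struct
from datetime import datetime, timedelta, timezone

WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime):
    """FILETIME is a count of 100-nanosecond ticks since 1601-01-01 UTC."""
    return WINDOWS_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt):
    delta = dt - WINDOWS_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_dollar_i(data):
    """Return a dict describing one $I record; raises ValueError on bad input."""
    if len(data) < 24:
        raise ValueError("record too short for a $I header")
    version, size, deleted = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + 520]
        path = raw.decode("utf-16-le", "replace").split("\x00", 1)[0]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
        path = raw.decode("utf-16-le", "replace").split("\x00", 1)[0]
    else:
        raise ValueError(f"unknown $I version {version}")
    return {"version": version, "size": size,
            "deleted": filetime_to_datetime(deleted), "path": path}


def companion_name(name):
    """Map a $I file name to the $R file holding the deleted content (or back)."""
    if name.startswith("$I"):
        return "$R" + name[2:]
    if name.startswith("$R"):
        return "$I" + name[2:]
    raise ValueError("not a Recycle Bin $I/$R name")


def build_sample_dollar_i(path, size, deleted, version=2):
    """Build a synthetic $I record (constructed test data, not from a real image)."""
    header = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted))
    encoded = (path + "\x00").encode("utf-16-le")
    if version == 1:
        return header + encoded.ljust(520, b"\x00")
    return header + struct.pack("<I", len(path) + 1) + encoded


# Constructed sample values (illustrative; not taken from the CTF image).
SAMPLE_PATH = "C:\\Users\\example\\Desktop\\secret_project.zip"
SAMPLE_SIZE = 4096
SAMPLE_DELETED = datetime(2019, 4, 1, 12, 0, 0, tzinfo=timezone.utc)


def demo(version=2):
    """Round-trip the constructed sample through the parser."""
    record = build_sample_dollar_i(SAMPLE_PATH, SAMPLE_SIZE, SAMPLE_DELETED, version)
    return parse_dollar_i(record)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:   # pass a real $I file from $Recycle.Bin
            print(parse_dollar_i(fh.read()))
    else:
        for v in (1, 2):
            print(v, demo(v))
```

Pointing it at a real $I file from the mounted VHD’s $Recycle.Bin folder gives you the original name and deletion time to pair with the $R file, which is the same association AXIOM shows in its Recycle Bin artifact view.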

Seems like we’ve found something good!

This binary appears to be what is referenced in the “secret project” which gives us enough to start the challenges.

Which Language 5

What language was used to create the secret projects executable?

Answer: Python

When I ran strings on the exe to see if there were any hints, there were references to a lot of Python modules. I grepped for ‘py’ to find some more info.

Which Version 5

Which version of Python is used for the compiled binary? (format: N.N)

Answer: 2.7

It appears to load a DLL whose name references the common Python version 2.7.

Which Compiler Tool 5

Which tool was used to create the compiled executable?

Answer: PyInstaller

See strings output above.

Processor Architecture 5

What is the Processor Architecture of the compiled binary?

Answer: amd64

file at-5000.exe
at-5000.exe: PE32+ executable (console) x86-64, for MS Windows
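The three answers above (version, compiler tool, architecture) all come from static facts in the binary, so here is a small triage script I’ve added to this writeup (not code from the challenge, from PyInstaller, or from @hasherezade’s article). It reads the COFF Machine field, which is the same thing `file` reports as x86-64, and looks for PyInstaller’s archive cookie at the end of the file to decode the bundled Python version. The cookie layout is as I understand the PyInstaller bootloader format: 8-byte magic `MEI\x0c\x0b\x0a\x0b\x0e`, then archive length, TOC offset, TOC length and Python version as big-endian 32-bit integers, followed in newer builds by a 64-byte Python library name. The sample PE it builds is constructed test data, not at-5000.exe.

```python
# Added example, not part of the original writeup: static triage of a suspected
# PyInstaller build. pe_machine() reads the COFF Machine field, and
# pyinstaller_info() finds the PyInstaller cookie and decodes the Python version.
# Cookie layout is based on my understanding of the PyInstaller bootloader format.
import struct

PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
MACHINE_NAMES = {0x014C: "i386", 0x8664: "amd64", 0x01C4: "armnt", 0xAA64: "arm64"}


def pe_machine(data):
    """Return the architecture name from the PE COFF header."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    return MACHINE_NAMES.get(machine, f"unknown(0x{machine:04x})")


def decode_pyvers(pyvers):
    # Older bootloaders store major*10+minor (27 -> 2.7); PyInstaller 4+ stores
    # major*100+minor (308 -> 3.8).
    major, minor = divmod(pyvers, 100) if pyvers >= 100 else divmod(pyvers, 10)
    return f"{major}.{minor}"


def pyinstaller_info(data):
    """Return cookie details if a PyInstaller cookie is present, else None."""
    pos = data.rfind(PYINSTALLER_MAGIC)          # cookie sits at the end of the overlay
    if pos == -1 or pos + 24 > len(data):
        return None
    _magic, pkg_len, toc_off, toc_len, pyvers = struct.unpack_from("!8siiii", data, pos)
    pylib = ""
    tail = data[pos + 24:pos + 88].split(b"\x00", 1)[0]
    if tail.lower().startswith(b"python"):      # 64-byte pylib name in newer cookies
        pylib = tail.decode("ascii", "replace")
    return {"python_version": decode_pyvers(pyvers), "pylib": pylib,
            "pkg_length": pkg_len, "toc_offset": toc_off, "toc_length": toc_len}


def build_sample_pe(machine=0x8664, pyvers=27, pylib=b"python27.dll"):
    """Minimal synthetic PE with a PyInstaller-style cookie (constructed test data)."""
    dos_header = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    coff = b"PE\x00\x00" + struct.pack("<H", machine) + b"\x00" * 18  # 24-byte header
    body = b"\x00" * 32                                               # stand-in for sections
    cookie = struct.pack("!8siiii64s", PYINSTALLER_MAGIC, 0, 0, 0, pyvers, pylib)
    return dos_header + coff + body + cookie


def triage(data):
    """Combine both checks into one report for a PE image held in memory."""
    return {"machine": pe_machine(data), "pyinstaller": pyinstaller_info(data)}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:   # e.g. python triage.py at-5000.exe
            print(triage(fh.read()))
    else:
        print(triage(build_sample_pe()))
```

A cookie hit plus a `python27.dll` style library name is a quick confirmation of both the compiler tool and the interpreter version before you spend time on a full extraction and decompile.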

With a bit of searching for decompiling PyInstaller executables, I found that one of my favourite reverse engineers, @hasherezade, had posted an article on a similar scenario: https://hshrzd.wordpress.com/2018/01/26/solving-a-pyinstaller-compiled-crackme/.

Following the steps, I decompiled the exe back to its original Python code.

Now that we have the source code, the rest of the questions were relatively easy!

Redial 10

What number does the at-5000 redial?

Answer: 5558904

The loop in the code checks whether the number belongs to Ned Flanders; if it does, it skips the increment-number function and redials.

Redialed Association 10

Who is associated with the number that gets redialed?

Answer: Ned Flanders

See above.

Call Time 10

How much time (in seconds) does the AT-5000 wait between dialing numbers?

Answer: 0.01

Imports 15

What two libraries does at-5000 import?

Answer: time random

Max Calling 15

What is the max number of calls the AT-5000 can make?

Answer: 10000000

I have to give a huge shout out to @hasherezade, who made this section a piece of cake with her awesome reverse engineering tutorials.