Writeup: Magnet User Summit DFIR CTF 2019-Secret Project
The recent Magnet User Summit DFIR CTF Challenge was released to the public. I also took this opportunity to get familiar with the Magnet AXIOM software.
If you’ve had a look around on the desktop image, you may have noticed the user Selma’s desktop.
The two virtual hard-disk (.vhd) files looked like a good lead. SecretStuff.vhd has been deleted, but EvenMoreSecretStuff.vhd could be extracted and appears to be encrypted.
We also have a BitLocker password from HOLY COW BATMAN! in the Mobile part. You can either use AXIOM to add the VHD as another evidence source, or mount it through diskpart or diskmgmt.
Entering the BitLocker password, “protectedbyjubjub”, and mounting the disk, we get some folders and what looks like a zip file in the Recycle Bin.
If you’ve had any experience with Recycle Bin forensics, you’ll know that the $IXXXXXX metadata file records the original file name of the corresponding $RXXXXXX file.
Seems like we’ve found something good!
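As an added illustration of the $I metadata mentioned above (this is my own example, not part of the original writeup or the CTF image), here is a small parser for the documented $I layout, covering both the fixed-width Vista-8.1 record and the length-prefixed Windows 10 record. The sample record, the path and the deletion time are constructed test data.

```python
import struct
from datetime import datetime, timedelta, timezone

# $I record layout (assumed from the documented Recycle Bin format, not from the writeup):
#   v1 (Vista-8.1): u64 version=1 | u64 original size | u64 deletion FILETIME | 520-byte UTF-16LE path, NUL padded
#   v2 (Win10+):    u64 version=2 | u64 original size | u64 deletion FILETIME | u32 path length (chars) | UTF-16LE path
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample values (not from the image); the user name Selma is from the challenge.
SAMPLE_PATH = r"C:\Users\Selma\Desktop\secret_project.zip"
SAMPLE_DELETED = datetime(2019, 4, 1, 12, 30, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10

def parse_dollar_i(data):
    """Return version, original size, deletion time (UTC) and original path of a $I record."""
    if len(data) < 24:
        raise ValueError("too short for a $I header")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + 520]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
    else:
        raise ValueError(f"unsupported $I version {version}")
    path = raw.decode("utf-16-le").split("\x00", 1)[0]   # drop NUL terminator / padding
    return {"version": version, "size": size, "deleted": filetime_to_datetime(ft), "path": path}

def build_dollar_i(version, size, deleted, path):
    """Build a constructed $I record (test data only) matching the layouts above."""
    encoded = (path + "\x00").encode("utf-16-le")
    head = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted))
    if version == 1:
        return head + encoded.ljust(520, b"\x00")
    return head + struct.pack("<I", len(path) + 1) + encoded

if __name__ == "__main__":
    # Against a real image, pass the bytes of $Recycle.Bin\<SID>\$I<id> instead of this sample.
    print(parse_dollar_i(build_dollar_i(2, 4096, SAMPLE_DELETED, SAMPLE_PATH)))
```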
This binary appears to be what is referenced in the “secret project” which gives us enough to start the challenges.
Which Language 5
What language was used to create the secret projects executable?
When I ran strings on the exe to look for hints, there were references to a lot of Python modules, so I grepped for ‘py’ to find more.
Which Version 5
Which version of Python is used for the compiled binary? (format: N.N)
It loads a DLL whose name references the common Python version, 2.7.
Which Compiler Tool 5
Which tool was used to create the compiled executable?
See strings output above.
Processor Architecture 5
What is the Processor Architecture of the compiled binary?
at-5000.exe: PE32+ executable (console) x86-64, for MS Windows
With a bit of searching for decompiling PyInstaller executables, I found that one of my favourite reverse engineers, @hasherezade, had posted an article on a similar scenario: https://hshrzd.wordpress.com/2018/01/26/solving-a-pyinstaller-compiled-crackme/.
Following the steps, I decompiled the exe to its original python code.
Now that we had the source code, the rest of the questions were relatively easy!
What number does the at-5000 redial?
The loop in the code checks whether the number belongs to Ned Flanders; if it does, it skips the increment-number function and redials.
Redialed Association 10
Who is associated with the number that gets redialed?
Answer: Ned Flanders
Call Time 10
How much time (in seconds) does the AT-5000 wait between dialing numbers?
What two libraries does at-5000 import?
Answer: time random
Max Calling 15
What is the max number of calls the AT-5000 can make?
Have to give a huge shout-out to @hasherezade, who made this section a piece of cake with her awesome reverse engineering tutorials.