Open in app

Sign in

Write

Sign in

[SECPlayground Cybersplash 2024] Write-ups

Fnnnr
8 min readApr 14, 2024

--

My write-ups to some of the challenges for SECPlayground Cybersplash 2024 CTF hosted on April 13, 2024 9 AM — April 14, 2024 9 AM

Misc

01 — Not Cloud

Something is gonna be easy when you just try to view it: https://storage.googleapis.com/cybersplash2024/cybersplash2024/not-cloud/src/index.html

Solution

First, I go up the directory to https://storage.googleapis.com/cybersplash2024/ which returns the buckets information:

<?xml version='1.0' encoding='UTF-8'?>
<ListBucketResult xmlns="http://doc.s3.amazonaws.com/2006-03-01">
  <Name>cybersplash2024</Name>
  <Prefix/>
  <Marker/>
  <IsTruncated>false</IsTruncated>
  <Contents>
    <Key>cybersplash2024/</Key>
    <Generation>1711735623114997</Generation>
    <MetaGeneration>1</MetaGeneration>
    <LastModified>2024-03-29T18:07:03.117Z</LastModified>
    <ETag>&quot;d41d8cd98f00b204e9800998ecf8427e&quot;</ETag>
    <Size>0</Size>
  </Contents>
  <Contents>
    <Key>cybersplash2024/not-cloud/</Key>
    <Generation>1711735645616020</Generation>
    <MetaGeneration>1</MetaGeneration>
    <LastModified>2024-03-29T18:07:25.617Z</LastModified>
    <ETag>&quot;d41d8cd98f00b204e9800998ecf8427e&quot;</ETag>
    <Size>0</Size>
  </Contents>
  <Contents>
    <Key>cybersplash2024/not-cloud/soooooooooocloud</Key>
    <Generation>1711735659312484</Generation>
    <MetaGeneration>1</MetaGeneration>
    <LastModified>2024-03-29T18:07:39.314Z</LastModified>
    <ETag>&quot;3c7969a2163c55085fe188a371bf08fa&quot;</ETag>
    <Size>37</Size>
  </Contents>
  <Contents>
    <Key>cybersplash2024/not-cloud/src/</Key>
    <Generation>1711735653412276</Generation>
    <MetaGeneration>1</MetaGeneration>
    <LastModified>2024-03-29T18:07:33.413Z</LastModified>
    <ETag>&quot;d41d8cd98f00b204e9800998ecf8427e&quot;</ETag>
    <Size>0</Size>
  </Contents>
  <Contents>
    <Key>cybersplash2024/not-cloud/src/index.html</Key>
    <Generation>1711735665812632</Generation>
    <MetaGeneration>1</MetaGeneration>
    <LastModified>2024-03-29T18:07:45.814Z</LastModified>
    <ETag>&quot;d6851dce07b32348c0e66030000dfac1&quot;</ETag>
    <Size>2416</Size>
  </Contents>
</ListBucketResult>

Then, I use to curl to get the flag:

curl -k https://storage.googleapis.com/cybersplash2024/cybersplash2024/not-cloud/soooooooooocloud

The flag is misc{N0t_cl0uD_Ch@773ng3}

02 — APT

What is suspect account who commit backdoor to xz-utils 5.6.1

Solution

From this medium:

https://medium.com/@JoeChrist/reflecting-on-jiat75-4bae049e88e7

In the picture, it shows that git commit has email address: jiat0218[at]gmail.com. The flag is

misc{jiat0218@gmail.com}

03 — Echoes of The Playground

In the realm of digital whispers, words are more than they appear. Each word hides in plain sight, bearing a secret in binary. Some say that translating them unveils the key to the playground of the cyberguards. Can you uncover the message encoded in the linguistic binary and find the key to the playground?

ZeroBeginIgniteNoneOpenActivateNeglectEngageNullInitiateOperateOffOnEmptyAbsentBeginVoidIgniteOpenActivateIdleZeroEngageInitiateNoneOperateOnNeglectNullOffBeginIgniteEmptyOpenActivateEngageInitiateAbsentOperateOnVoidBeginIgniteOpenZeroNoneActivateEngageNeglectNullInitiateOperateOffEmptyOnBeginAbsentIgniteOpenVoidIdleZeroActivateEngageNoneInitiateNeglectOperateNullOffEmptyAbsentVoidZeroOnBeginNoneIgniteOpenActivateNeglectEngageNullOffEmptyAbsentVoidInitiateIdleOperateOnBeginIgniteZeroNoneOpenNeglectActivateEngageNullOffInitiateOperateOnEmptyBeginIgniteOpenAbsentVoidActivateZeroNoneNeglectEngageInitiateNullOffEmptyAbsentVoidOperateOnBeginIdleIgniteZeroOpenNoneActivateEngageNeglectInitiateOperateOnNullOffBeginEmptyAbsentVoidIgniteZeroNoneNeglectOpenActivateEngageInitiateOperateNullOn

Solution

To solve, we need to replace any word that is “zero-related” to 0 and other to 1.

With ChatGPT, I got the script:

import re
from chepy import Chepy
text = "ZeroBeginIgniteNoneOpenActivateNeglectEngageNullInitiateOperateOffOnEmptyAbsentBeginVoidIgniteOpenActivateIdleZeroEngageInitiateNoneOperateOnNeglectNullOffBeginIgniteEmptyOpenActivateEngageInitiateAbsentOperateOnVoidBeginIgniteOpenZeroNoneActivateEngageNeglectNullInitiateOperateOffEmptyOnBeginAbsentIgniteOpenVoidIdleZeroActivateEngageNoneInitiateNeglectOperateNullOffEmptyAbsentVoidZeroOnBeginNoneIgniteOpenActivateNeglectEngageNullOffEmptyAbsentVoidInitiateIdleOperateOnBeginIgniteZeroNoneOpenNeglectActivateEngageNullOffInitiateOperateOnEmptyBeginIgniteOpenAbsentVoidActivateZeroNoneNeglectEngageInitiateNullOffEmptyAbsentVoidOperateOnBeginIdleIgniteZeroOpenNoneActivateEngageNeglectInitiateOperateOnNullOffBeginEmptyAbsentVoidIgniteZeroNoneNeglectOpenActivateEngageInitiateOperateNullOn"

# Split the text into words based on capital letters
words = re.findall('[A-Z][^A-Z]*', text)

# Count letters in each word, divide by 2, and concatenate the results
res = ''
zero_related = ['Zero','None','Neglect','Null','Off','Empty','Absent','Void','Idle']
for word in words:
    if word in zero_related: 
        res += '0'
    else:
        res += '1'

# result = ''.join(str(len(word) % 2) for word in words)

print(res)

flag = str(Chepy(res).from_binary())
print(flag)

By running the script, I got the flag:

01101101011010010111001101100011011110110111001100110011011000110101000000110111010000010111100101100111011100100011000001110101011011100100010001111101
misc{s3cP7Aygr0unD}

Cryptography

01 — Something Behind

In the image there is a flag.txt file. In the file there is a flag answer inside. Can you find it?

steganography_secplayground.jpg

Solution

Since it is a picture, I tried stegseek immidietly.

stegseek steganography_secplayground.jpg
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

[i] Found passphrase: ""
[i] Original filename: "flag.txt".
[i] Extracting to "steganography_secplayground.jpg.out".

Then, I read the file:

$ cat steganography_secplayground.jpg.out                  

forensic{oPc8oN29N8}

Network Security

01 — Encrypt/Decrypt

Can you find the hidden flag in the captured PCAP file. The flag pattern is network{[flag]}.

Solution

The given zip gives us 2 files: PCAP and textfile ?

When I opened PCAP file, I found that all packets are encrypted (TLS).

When I read the textfile, I guessed that it is a TLS log file used to decrypt it:

$head encrypt_decrypt/textfile

CLIENT_HANDSHAKE_TRAFFIC_SECRET 215849a4d6623d854914c78307f46111fda7e1f3133232c7eb6d0995d3b8ef5b 7bb5167fe0d88bb1e87be86e14e704d57c5ad6dde3d68d583a6416f5e99b19d4
SERVER_HANDSHAKE_TRAFFIC_SECRET 215849a4d6623d854914c78307f46111fda7e1f3133232c7eb6d0995d3b8ef5b 110ce2e5fc1608b68570acea7296aab568957e86df8f007aa2dc4452830312b5
CLIENT_HANDSHAKE_TRAFFIC_SECRET eab02438fac788832e066a3df143c95c7191c931d7aa11ae2219a5d3a934eba0 37257b7d2d29a34c73e8bcd66bf77ff2b18f33c1b3270ed74fce905e25e7c01c
SERVER_HANDSHAKE_TRAFFIC_SECRET eab02438fac788832e066a3df143c95c7191c931d7aa11ae2219a5d3a934eba0 76d4b8eebb0927cef055a1b38881d565941a5bb9beaf02639541b67216bc9912
CLIENT_TRAFFIC_SECRET_0 eab02438fac788832e066a3df143c95c7191c931d7aa11ae2219a5d3a934eba0 a1dc1af6161e380bf83e51452edf6162f73a5eba4c57fdef89480211a501bf94
SERVER_TRAFFIC_SECRET_0 eab02438fac788832e066a3df143c95c7191c931d7aa11ae2219a5d3a934eba0 7f50f53ad47c4aff01d41ed6ae3aa46ccf12be146bd517c84b5bf4c8e0099fcd
EXPORTER_SECRET eab02438fac788832e066a3df143c95c7191c931d7aa11ae2219a5d3a934eba0 14f65a230a565fef5de41d0b7658b3a336cb8e6c49db6a9d4e1801af51b65cbb
CLIENT_TRAFFIC_SECRET_0 215849a4d6623d854914c78307f46111fda7e1f3133232c7eb6d0995d3b8ef5b cc121c23308fa2849fc9facad0b86f3653fe5576f22177f6b2205cf4dc793329
SERVER_TRAFFIC_SECRET_0 215849a4d6623d854914c78307f46111fda7e1f3133232c7eb6d0995d3b8ef5b 45ba0ec9804d79177fa55c521d6c3442cb5ea99d1ff804633faaff11baef8b4f
EXPORTER_SECRET 215849a4d6623d854914c78307f46111fda7e1f3133232c7eb6d0995d3b8ef5b 2cacf8c690affc7ebbe706b10194b18e1920ec61f3570a084ee2930fa053a3c2

Import it into wireshark

Import textfile to TLS preference in Wireshark

After importing it to Wireshark, the messages becomes HTTP.

Then, I used tshark to solve it (actually, I used wireshark but I just find the equivalent tshark command so it is easier to write a write-up):

$ tshark -r ./encrypt_decrypt/TLSLab.pcapng -o tls.keylog_file:./encrypt_decrypt/textfile -Y 'http' -T fields -e urlencoded-form.value


admin,123

admin,3424244132

admin,dfsgsdfg

admin,twertwetrwet

admin,ytrhehtrtwertwetrwet

admin,network{t1sd3crypt}

admin,asetaet

admin,436tt2grteegsg

admin,r432f4rf242f

admin,f24rggf24g

The flag:

network{t1sd3crypt}

02 — Unraveling The Tunneling

Can you find the hidden flag in the captured PCAP file. The flag pattern is network{[flag]}.

Solution

The file name already give enough clue (file name is DNSLab ). With my knowledge from previous CTF, first thing comes to my mind is exfiltration through DNS query.

The following command will get only the name of the dns query.

tshark -n -r DNSLab.pcap -Y 'dns && ip.src==192.168.92.129' -T fields -e dns.qry.name  | grep -i 'oast.me' | uniq > dns.txt

I already investigated that the IP of the attacker who query some weird domain is from 192.168.92.129 and the xxx.oast.me is probably the domain used to exfiltrated through its sub domain:

The file contains some hex-looking like domain name:

ab3103454800000000a4e6b596634fd169940894b75329c69d0e180a13fa.8ef404791791d71b27c50a3dbe3691fc123c0ec3cdf18c3d3929524ff618.248945c3405ff8bceacd56fc97.oast.me
0b6303454800000000a4e6b596634fd169940894b75329c69d0e180a13fa.8ef404791791d71b27c50a3dbe3691fc123c0ec3cdf18c3d3929524ff618.248945c3405ff8bceacd56fc97.oast.me
e5d703454800000000a4e6b596634fd169940894b75329c69d0e180a13fa.8ef404791791d71b27c50a3dbe3691fc123c0ec3cdf18c3d3929524ff618.248945c3405ff8bceacd56fc97.oast.me
[...]
b70c03bd6300000000262a769773abcb2be8099c7cb9e2279a6de17ca656.ac3b18f128c2d3f23e869359d5c45fd0639f8742bc0ce97662b3e5103ef5.bdea5f1d3628a4b496b7526289.666c6167.oast.me
c45b03bd6300000000262a769773abcb2be8099c7cb9e2279a6de17ca656.ac3b18f128c2d3f23e869359d5c45fd0639f8742bc0ce97662b3e5103ef5.bdea5f1d3628a4b496b7526289.666c6167.oast.me
048d03bd6300000000262a769773abcb2be8099c7cb9e2279a6de17ca656.ac3b18f128c2d3f23e869359d5c45fd0639f8742bc0ce97662b3e5103ef5.bdea5f1d3628a4b496b7526289.666c6167.oast.me
7dad03bd6300000000262a769773abcb2be8099c7cb9e2279a6de17ca656.ac3b18f128c2d3f23e869359d5c45fd0639f8742bc0ce97662b3e5103ef5.bdea5f1d3628a4b496b7526289.666c6167.oast.me
330303bd6300000000262a769773abcb2be8099c7cb9e2279a6de17ca656.ac3b18f128c2d3f23e869359d5c45fd0639f8742bc0ce97662b3e5103ef5.bdea5f1d3628a4b496b7526289.666c6167.oast.me
6fda03bd6300000000262a769773abcb2be8099c7cb9e2279a6de17ca656.ac3b18f128c2d3f23e869359d5c45fd0639f8742bc0ce97662b3e5103ef5.bdea5f1d3628a4b496b7526289.666c6167.oast.me
bde103bd6300000000262a769773abcb2be8099c7cb9e2279a6de17ca656.ac3b18f128c2d3f23e869359d5c45fd0639f8742bc0ce97662b3e5103ef5.bdea5f1d3628a4b496b7526289.666c6167.oast.me
5
[...]

With couple of trial-and-error, I found that the message is hidden in the 4th position of the dot-separated value. So, I used awk to get the data:

$ awk -F '.' '{print $4}' dns.txt | uniq

oast
666c6167
20697320
6e6574776f726b7b
68347070796e3377793334727d
oast

Lastly, unhex it:

chepy '666c6167206973206e6574776f726b7b68347070796e3377793334727d'
>>> from_hex
flag is network{h4ppyn3wy34r}

03 — Infra Attack#1 [Chain Challenge]

We got some attack and we lost all of our databases. Please investigate what is the attack that they used from pcap evidence. The flag format: network{[[MD5 of attack name]]} such as network{[[MD5 of “brute force”]]} => network{d46a39281709f338686345a762267d41}

Solution

TBH, I guessed this answer but my answer based on this TCP message specifically:

LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4768
EventType=0
Type=Information
ComputerName=win-dc-557.attackrange.local
TaskCategory=Kerberos Authentication Service
OpCode=Info
RecordNumber=280381
Keywords=Audit Success
Message=A Kerberos authentication ticket (TGT) was requested.

Account Information:
 Account Name:  webadmin
 Supplied Realm Name: ATTACKRANGE.LOCAL
 User ID:   ATTACKRANGE\webadmin

Service Information:
 Service Name:  krbtgt
 Service ID:  ATTACKRANGE\krbtgt

Network Information:
 Client Address:  ::ffff:10.0.1.7
 Client Port:  52874

Additional Information:
 Ticket Options:  0x50800000
 Result Code:  0x0
 Ticket Encryption Type: 0x17
 Pre-Authentication Type: 2

Certificate Information:
 Certificate Issuer Name:  
 Certificate Serial Number: 
 Certificate Thumbprint:

Since there is TGT request involved, I just guessed that it is kerberoasting .

I found out later on from the chained challenge that there is more obvious message:

$ tshark -n -r infraattack_secplayground.pcapng  -Y 'kerberos'

  710  20.751289     10.0.1.7 → 10.0.1.14    KRB5 261  AS-REQ
  711  20.751626    10.0.1.14 → 10.0.1.7     KRB5 260  KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
  719  20.757876     10.0.1.7 → 10.0.1.14    KRB5 337  AS-REQ
  720  20.758451    10.0.1.14 → 10.0.1.7     KRB5 1546  AS-REP
  728  20.764669     10.0.1.7 → 10.0.1.14    KRB5 1501  TGS-REQ
  729  20.765443    10.0.1.14 → 10.0.1.7     KRB5 1628  TGS-REP

There is a TGS-REQ in the PCAP. This could be kerberoasting attack.

The flag:


chepy 'kerberoasting'
>>> md5
4202c867e0eacc4b0595df66151785ca
network{4202c867e0eacc4b0595df66151785ca}

04 — Infra Attack#2 [Chain Challenge]

From Infra Attack#1, What is the target object to impersonate. Format: network{[[object]]}
Format: network{…}

Solution

From the previous challenge, just query the service principal name:

$ tshark -n -r infraattack_secplayground.pcapng  -Y 'kerberos && kerberos.tgs_req_element' -T fields -e kerberos.SNameString

krbtgt,ATTACKRANGE.LOCAL,attackrange.local\webadmin

Flag:

network{attackrange.local\webadmin}

05 — Just another tunneling

There were some secret message inside, please find it.
Format: network{…}

Solution

The file named already give enough information (ICMP). So, I just filter only ping request and check its statistic:

$ tshark -n -r ICMP.pcap -z endpoints,ip,"icmp"

IPv4 Endpoints
Filter:icmp
                       |  Packets  | |  Bytes  | | Tx Packets | | Tx Bytes | | Rx Packets | | Rx Bytes |
192.168.229.128              260         27460        132           12904         128           14556
192.168.229.2                 73          9198         73            9198           0               0
157.240.218.35                60          5880         30            2940          30            2940
216.58.199.229                48          4704         24            2352          24            2352
142.250.199.46                29          2842          0               0          29            2842
216.58.200.14                 24          2352          0               0          24            2352
18.239.134.124                24          2352          0               0          24            2352
1.1.1.1                        2           132          1              66           1              66
================================================================================

With some trial-and-error again, I found that the message is hidden in data packet that is sent to 1.1.1.1 :

$ tshark -n -r ICMP.pcap  -Y 'icmp && ip.dst == 1.1.1.1' -T fields -e data.data

6e6574776f726b7b49434d505f4e706b33313176454b4e7d

The flag is:

chepy '6e6574776f726b7b49434d505f4e706b33313176454b4e7d'
>>> from_hexdump
network{ICMP_Npk311vEKN}

Digital Forensics

01 — Output

(No challenge detail, I forgot to note it)

Solution

I really have no idea about digital forensic. So, I just strings it:

$ strings JOHN-PC-20240402-164218.dmp | grep -i forensic

flag="forensic{cyb3r_spl@sh}"
flag="forensic{cyb3r_spl@sh}"

02 — Something secret inside

During a recent security incident, it was discovered that sensitive information was being exfiltrated from a high-profile server. Before the server was shut down, a quick-thinking security analyst managed to capture a dump of the server’s memory. Preliminary analysis indicates that the memory dump contains remnants of an encryption key used by the attackers to secure communications with the compromised server. Your task is to analyze the memory dump, extract the secret message and revealing the flag.

Solution

With volatility, I performed a file scan:

$ vol -f ./something_secret_inside.dmp windows.filescan.FileScan

0x7e9c7da0 \Users\daenerys\Documents\secret.txt 216

Then, dump it:

$ vol -f ./something_secret_inside.dmp windows.dumpfiles.DumpFiles --physaddr 0x7e9c7da0

Volatility 3 Framework 2.5.0
Progress:  100.00  PDB scanning finished
Cache FileObject FileName Result

DataSectionObject 0x7e9c7da0 secret.txt file.0x7e9c7da0.0xfa8003089450.DataSectionObject.secret.txt.dat

Then, read the file:

cat file.0x7e9c7da0.0xfa8003089450.DataSectionObject.secret.txt.dat | base64 -d

The flag is forensic{r3st0r3_F1l3}%

03 — Ghost of Systems

A suspicious activity was detected on one of our critical systems before it crashed. An adversary managed to access the system, created a file containing sensitive information, and then copy and deleted it in an attempt to cover their tracks. Fortunately, we were able to obtain a memory dump of the system just before the crash. Your task is to analyze the memory dump and recover the deleted file’s contents to find the flag.

Solution

TBH, I just throw it in autopsy and use keyword search for forensic{ :

                 Autopsy ascii Unit Report

----------------------------------------------------------------------
                   GENERAL INFORMATION

Unit: 1201832
Unit Size: 512
MD5 of raw Unit: 7f03c6e8000b72b07dc63be491bc41d2  -
MD5 of ascii output: 89c23ea862c3ef61c09d83d5d65396b5  -

Image: '/var/lib/autopsy/TEST/host1/images/JOHN-PC-20240410-161351.dmp'
Offset: Full image
File System Type: raw

Date Generated: Sat Apr 13 18:10:05 2024
Investigator: unknown
----------------------------------------------------------------------
                        CONTENT

...#Gla80.......i...................................\.c.........................n.s...c...........................#.`.....#.`......................................................................................................................#Uscb........................H...t.h.e. .f.l.a.g. .i.s. .f.o.r.e.n.s.i.c.{.U.n.d.0._.T.h.3._.F.1.1.3.}.... .....#Gla8........k.................................................................................................#.`.....#.`...........................p.......

----------------------------------------------------------------------
                   VERSION INFORMATION

Autopsy Version: 2.24
The Sleuth Kit Version: 4.12.1

autopsy

The flag:

forensic{Und0_Th3_F113}

If anyone know any other way to solve this, please tell me. I want to learn more about forensics :)

Malware Analysis #1

01 — Simple trick, Simple click#1

Please beware that the provided file is a suspicious file. Be careful. We got an suspicious file that used by threat actor to attack our client, please analysis and answer our questions.
Question: What is MD5 hash of suspicious file

Solution

> md5sum unknown
02e4f1732d0f27cb23a6f2da0330543a  unknown

02 — Simple trick, Simple click#2

Question: What is the name of suspicious zip file

Solution

https://www.virustotal.com/gui/file/478561ce618b96e97bd08d6b8ccb197ec106b8c7adc6b8bde399100d0db4fbcf/behavior

C:\Users\user\Downloads\PO-New.rar (copy)
C:\Users\user\Downloads\PO-New.rar.crdownload (copy)

The flag:

forensic{PO-New.rar}

Malware Analysis #2

01 — DG Malware#1

Question: What is Sha256 hash of suspicious file?
Format: forensic{[[SHA256]]}

Solution

$ sha256sum dg
597de2c1eb2198699acd36d40f5187a0bd97d39d266d23ec543d036f7e694426  dg

flag:

forensic{597de2c1eb2198699acd36d40f5187a0bd97d39d266d23ec543d036f7e694426}

02 — Malware#2

What is the name of phishing IP?

Solution

https://vtbehaviour.commondatastorage.googleapis.com/597de2c1eb2198699acd36d40f5187a0bd97d39d266d23ec543d036f7e694426_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1713026996&Signature=IjDSoJ9CjFA65fPDAl28%2BV1s6LbrihVHvLK7v3%2BjtfY4G3q%2B%2B%2B1ObYZ51wRpcDIAhHi8sSQbaVa82R9fPmIsVhJL%2FhXq0J%2Bz728n03nU73%2B6UF69vCDLXhDzV5xxR3%2BZ%2BNAaarvNndwcYdfBG9xLIjVFjouIdpTUco9f59UoOGNPixr8z6MdYwc5KGvemKHcEnpwNfFxJm5wkElmD9UDn8cQARHR06uwwNhXra16GisAW5u%2F%2BUmU45shrGENbK0JZtffOennITE8pn6a8C5mvvv5katdJ0X9wSTc3FHD04xqbk92Cug2Bi%2BILFGVzA%2F50rFF0kxpNkRZTiL1mLOMmQ%3D%3D&response-content-type=text%2Fhtml

 "relationships": [
            {
                "external": true,
                "iocs": [],
                "target": "file:///44.80.52.181/s/AZURE_OPEN_DOCUMENT.vbs....",
                "type": "hyperlink"
            },

The flag:

forensic{44.80.52.181}

03 — DG Malware#3

What the process will spawn if vbs script was open?

Solution

From https://www.joesandbox.com/analysis/692503/0/html

wscript.exe (PID: 3500 cmdline: C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\dg.vbs" MD5: 0639B0A6F69B3265C1E42227D650B7D1)

The flag:

forensic{wscript.exe}

That is it for my part!

Together with my part and BXDMAN for web security challenges, my team got 6th place with 270 pts!

Ctf
Ctf Writeup
Secplayground
Cybersplash2024

--

--

Fnnnr

Written by Fnnnr

50 Followers

Currently a penetration tester. Interested in binary exploit and RE.

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams