Writeup Fword CTF 2021 — ELearning (Memory Forensic)

Rifqi Hilmy Zhafrant
4 min read · Aug 30, 2021

Forensic — ELearning [953 Pts] (23 Solves)

Semah has enrolled in a new hacking course in order to enhance his skills. He started the first phase of learning; as his friend, I wanted to make sure that he is getting lessons from the good people. So I took an image for you; help me figure it out.

Flag format : FwordCTF{InstructorName_targetIPTested_toolsUsedToReachTheFileandDownloadIt_NameOfFoundFile_Content}

Example :

InstructorName : SemahBA

TargetIPTested : 10.10.10.10

toolsUsedToReachTheFileandDownloadIt : JohnTheRipper, gobuster, python (submit it in alphabetical order) [no extension is needed]

NameOfFoundFile : flag.txt

Content : fakefakefake

Flag is : FwordCTF{SemahBA_10.10.10.10_gobuster-JohnTheRipper-python_flag.txt_fakefakefake}

Author : SemahBA

TL;DR

  1. Find Chat / Email App
  2. Extract Instructor name from database
  3. Extract console_history

We are given a challenge2.E01 file. E01 (EnCase image) files can be opened with tools like Autopsy. I used Autopsy 4.19.1 to solve this challenge.

First, import the E01 file and complete the ingest setup so that Autopsy can open and analyze the image.

After Autopsy's analysis is complete, we can start searching for the flag. The first thing I checked was the Documents folder. There I found file.txt.txt, containing a string that, when checked with hash-identifier, looks like an MD5 digest.

Then we can go to the Downloads folder and see the dirsearch-master folder. Dirsearch is a tool for enumerating the directory paths of a website.

Then I checked the AppData folder. AppData contains application settings, files, and data unique to each application. Checking the Local folder first, I found a Mailbird folder (which might hold an email mentioning the instructor's name) and zenmap.exe.log. Zenmap is the official Nmap Security Scanner GUI. So I first went through the Mailbird folder and found its database file, Store.db.

Simply extract it and open it with sqlite3 (you can use file to confirm it is an SQLite database), or just click the file in Autopsy and Autopsy will render the tables for you.

$ file mailbird-Store.db
mailbird-Store.db: SQLite 3.x database, last written using SQLite version 3032001
$ sqlite3 mailbird-Store.db
# Show all tables
sqlite> .tables
Accounts FilterConditions
Attachments Filters
CalendarAccounts Folders
CalendarAclRules Folders_Messages
CalendarEventAttendees MessageBodies
CalendarEventConferenceEntries MessageReferences
CalendarEventConferences Messages
CalendarEventRecurrences Messages_Contacts
CalendarEvents OAuth2Credentials
CalendarReminders Pop3MessageUids
Calendars SchemaInfo
Contacts SenderIdentities
FTS_Messages UserContactAccounts
FTS_Messages_config UserContactFields
FTS_Messages_content UserContactGroups
FTS_Messages_data UserContactGroups_UserContacts
FTS_Messages_docsize UserContactLinkGroups
FTS_Messages_idx UserContactPostalAddresses
FilterActions UserContacts
# You can select with "where id=3" to see it more clearly
sqlite> select * from FTS_Messages_content;
<snippet>
3|Penetration Testing|Dear fwordctf,
Thanks for subscribing!
The Pentesting course is the best way to discover and enhance your skills.
I'm SBA, and will be your constructor during this course.
First course will be dedicated to reconnaissance, so first things to do is getting used to Nmap and web directories discoveries such as gobuster/dirbuster/dirsearch ... you can use anyone you want.
let's first start with the machine you got with our pack.
Import the VM and start the recon then we will carry on depending on your findings.
BestRegards
Fwordelearn.|Fword CTF fwordelearn@outlook.com|fwordctf@outlook.com fwordctf@outlook.com||

From that message we can see that the instructor's name is SBA.

InstructorName : SBA
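The same extraction can be scripted once Store.db has been exported from the image. The following is an added example written for this writeup, not code from the challenge or from Mailbird: it builds a constructed in-memory stand-in for the FTS_Messages_content table (the column meaning id, c0=subject, c1=body, c2=from, c3=to is an assumption inferred from the dump above), lists the tables the way .tables does, pulls messages by id, and flags "I'm <Name>" self-introductions in message bodies. On a real export you would call open_store() on the extracted file instead of load_sample_db().

```python
import re
import sqlite3

# Constructed rows modelled on the FTS_Messages_content dump above; the text is
# made up for this example and is not the data from the challenge image.
SAMPLE_ROWS = [
    (1, "Welcome", "Hi,\nyour account is ready.\nRegards",
     "Mail Team noreply@example.invalid", "fwordctf@outlook.com", "", ""),
    (3, "Penetration Testing",
     "Dear fwordctf,\nThanks for subscribing!\n"
     "I'm SBA, and will be your constructor during this course.\n"
     "BestRegards\nFwordelearn.",
     "Fword CTF fwordelearn@outlook.com",
     "fwordctf@outlook.com fwordctf@outlook.com", "", ""),
]

def load_sample_db():
    """Build the constructed stand-in table in memory (assumed column layout)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE FTS_Messages_content("
        "id INTEGER PRIMARY KEY, c0, c1, c2, c3, c4, c5)"
    )
    conn.executemany(
        "INSERT INTO FTS_Messages_content VALUES (?,?,?,?,?,?,?)", SAMPLE_ROWS
    )
    return conn

def open_store(path):
    """Open an extracted Store.db read-only so the evidence copy is never modified."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)

def list_tables(conn):
    """Equivalent of the sqlite3 shell's .tables command."""
    rows = conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name"
    )
    return [r[0] for r in rows]

def fetch_messages(conn, msg_id=None):
    """Return messages as dicts; pass msg_id to mimic 'where id=3'."""
    sql = "SELECT id, c0, c1, c2, c3 FROM FTS_Messages_content"
    params = ()
    if msg_id is not None:
        sql += " WHERE id = ?"
        params = (msg_id,)
    rows = conn.execute(sql + " ORDER BY id", params)
    return [
        {"id": i, "subject": s, "body": b, "from": f, "to": t}
        for i, s, b, f, t in rows
    ]

# "I'm SBA" / "I’m SBA" style self-introductions inside a message body
INTRO = re.compile(r"\bI(?:'|’)m\s+([A-Z][\w-]*)")
EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

def find_self_introductions(messages):
    """Map message id -> name the sender introduces themselves with."""
    hits = {}
    for m in messages:
        found = INTRO.search(m["body"] or "")
        if found:
            hits[m["id"]] = found.group(1)
    return hits

def sender_address(message):
    """Pull the bare e-mail address out of a 'Display Name address' from-field."""
    found = EMAIL.search(message["from"] or "")
    return found.group(0) if found else None

if __name__ == "__main__":
    db = load_sample_db()
    print(list_tables(db))
    for msg in fetch_messages(db):
        print(msg["id"], msg["subject"], sender_address(msg))
    print(find_self_introductions(fetch_messages(db)))
```

The read-only URI in open_store() matters on a real case: opening the exported database with a plain sqlite3.connect() can create journal files next to the evidence copy.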

Then I got stuck because I couldn't find which IP had been tested. My first idea was to look for a record of the connections made from this machine, but that turned up nothing. My second idea was that, much like the console-history plugins in Volatility, there might be a file that records the console history on disk. So I searched AppData again and found ConsoleHost_history.txt.

/img_Challenge2.E01/Users/fword/AppData/Roaming/Microsoft/Windows/PowerShell/PSReadLine/ConsoleHost_history.txt
New-Item -ItemType Diretory -Path C:\users\fword\lab01
New-Item -ItemType Directory -Path C:\users\fword\lab01
ls
cd .\lab01\
nmap -sC -sV 192.168.1.9
cd ..\Downloads\dirsearch-master\dirsearch-master\
echo "192.168.1.9 lab01.fword" >> C:\Windows\System32\drivers\etc\hosts
ls
python .\dirsearch.py -u http://lab01.fword -e txt,php
cd
cd C
cd C:\
cd
cd C
cd C:\
cd
cd C
cd C:\
cd
cd C
cd C:\
cd
cd C
cd C:\
cd
cd C
cd C:\
cd
cd C
cd C:\Users\fword\
wget http://lab01.fword/secret/secret.txt
Rename-Item -Path "c:\Users\fword\secret.txt" -NewName "file.txt"

From that file we can get all the information we need for the final flag.
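Pulling those answers out of a PSReadLine history can also be done programmatically, which helps when the history is long and padded with navigation noise like the repeated cd lines above. The following is an added example for this writeup, not code from the challenge: it parses a constructed sample modelled on the history above, records hosts-file edits so that hostnames in URLs map back to the tested IP, keeps only commands that touched a network target, notes downloaded file names and Rename-Item mappings, and assembles the flag string in the format the challenge asks for. The instructor name and hash passed to assemble_flag() are the values found earlier in the writeup; the function and variable names are my own.

```python
import re

# Constructed sample modelled on the ConsoleHost_history.txt shown above;
# it is not the file from the image itself.
SAMPLE_HISTORY = r"""
New-Item -ItemType Directory -Path C:\users\fword\lab01
ls
cd .\lab01
nmap -sC -sV 192.168.1.9
cd ..\Downloads\dirsearch-master\dirsearch-master
echo "192.168.1.9 lab01.fword" >> C:\Windows\System32\drivers\etc\hosts
python .\dirsearch.py -u http://lab01.fword -e txt,php
cd
cd C:\Users\fword
wget http://lab01.fword/secret/secret.txt
Rename-Item -Path "c:\Users\fword\secret.txt" -NewName "file.txt"
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL = re.compile(r"https?://([^/\s]+)(/\S*)?")
# echo "IP hostname" >> ...\hosts  (local name resolution set up by the user)
HOSTS_ECHO = re.compile(
    r'echo\s+"?((?:\d{1,3}\.){3}\d{1,3})\s+(\S+?)"?\s*>>\s*\S*hosts', re.I
)
RENAME = re.compile(
    r'Rename-Item\s+-Path\s+"?([^"\s]+)"?\s+-NewName\s+"?([^"\s]+)"?', re.I
)
# Navigation / shell built-ins that are not "tools used to reach the file"
NOISE = {"cd", "ls", "dir", "echo", "cls", "pwd", "cat", "type"}

def tool_name(tokens):
    """Executable name without path or extension; 'python x.py' -> 'x'."""
    cmd = tokens[0]
    if cmd.lower() in ("python", "python3", "py") and len(tokens) > 1:
        cmd = tokens[1]
    base = re.split(r"[\\/]", cmd)[-1]
    return base.rsplit(".", 1)[0].lower()

def parse_history(text):
    """Summarise a PSReadLine history: targets, tools, downloads, renames."""
    hosts, targets, tools, downloads, renames = {}, set(), set(), [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HOSTS_ECHO.search(line)
        if m:                       # remember hostname -> IP for later URLs
            hosts[m.group(2).lower()] = m.group(1)
            continue
        m = RENAME.search(line)
        if m:                       # original basename -> new name
            old = re.split(r"[\\/]", m.group(1))[-1]
            renames[old] = m.group(2)
            continue
        tokens = line.split()
        name = tool_name(tokens)
        ips = set(IPV4.findall(line))
        for host, path in URL.findall(line):
            ips.add(hosts.get(host.lower(), host))   # resolve via hosts edits
            if path and not path.endswith("/"):
                downloads.append(path.rsplit("/", 1)[-1])
        if ips and name not in NOISE:
            tools.add(name)
            targets |= ips
    return {
        "targets": sorted(targets),
        "tools": sorted(tools),          # alphabetical, as the flag requires
        "downloads": downloads,
        "renames": renames,
    }

def assemble_flag(summary, instructor, content):
    """Build FwordCTF{Instructor_IP_tools_File_Content} from the summary."""
    return "FwordCTF{%s_%s_%s_%s_%s}" % (
        instructor,
        summary["targets"][0],
        ",".join(summary["tools"]),
        summary["downloads"][-1],
        content,
    )

if __name__ == "__main__":
    result = parse_history(SAMPLE_HISTORY)
    print(result)
    # Instructor name and hash are the values found earlier in the writeup
    print(assemble_flag(result, "SBA", "663cd2dfc9418f384d90c89a15319b3d"))
```

The renames map is what ties the downloaded secret.txt back to the file.txt.txt found in Documents, so the hash in that file can be attributed to the download rather than guessed.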

TargetIPTested : 192.168.1.9

toolsUsedToReachTheFileandDownloadIt : nmap, dirsearch, wget -> dirsearch, nmap, wget (alphabetical order)

NameOfFoundFile : secret.txt

Content (from file.txt.txt) : 663cd2dfc9418f384d90c89a15319b3d

Combine the flag :

FwordCTF{SBA_192.168.1.9_dirsearch,nmap,wget_secret.txt_663cd2dfc9418f384d90c89a15319b3d}
