Writeup Fword CTF 2021 — ELearning (Memory Forensic)
Forensic — ELearning [953 Pts] (23 Solves)
Semah has enrolled in a new hacking course in order to enhance his skills. He started the first phase of learning; as his friend, I wanted to make sure that he is getting lessons from the good people. So I took an image for you; help me figure it out.
Flag format : FwordCTF{InstructorName_targetIPTested_toolsUsedToReach TheFileandDownloadIt_NameOfFoundFile_Content}
Example :
InstructorName : SemahBA
TargetIPTested : 10.10.10.10
toolsUsedToReachTheFileandDownloadIt : JohnTheRipper, gobuster, python (submit it in alphabetical order) [no extension is needed]
NameOfFoundFile : flag.txt
Content : fakefakefake
Flag is : FwordCTF{SemahBA_10.10.10.10_gobuster-JohnTheRipper-python_flag.txt_fakefakefake}
Author : SemahBA
TL;DR
- Find Chat / Email App
- Extract Instructor name from database
- Extract console_history
We are given a challenge2.E01 file. E01 (EnCase image) files can be opened with tools like Autopsy. I used Autopsy 4.19.1 to solve this challenge.
First, import the E01 file and do some setup so that Autopsy can open and analyze it.
After Autopsy's analysis is complete, we can start searching for the flag. The first thing I checked was the Documents folder. There I found file.txt.txt, containing a string that, after analysis with hash-identifier, looks like an MD5 digest.
Then we can go to the Downloads folder and see the dirsearch-master folder. Dirsearch is a tool for enumerating the directory paths of a website.
Then I checked the AppData folder. AppData contains application settings, files, and data unique to each application. Checking the Local folder first, I found a Mailbird folder, which might hold an email mentioning the instructor's name, and zenmap.exe.log. Zenmap is the official Nmap Security Scanner GUI. So first I looked through the Mailbird folder and found the database file Store.db.
Simply extract it and open it with sqlite3 (you can use file to check its type), or just click the file in Autopsy and Autopsy will render the table for you.
$ file mailbird-Store.db
mailbird-Store.db: SQLite 3.x database, last written using SQLite version 3032001
$ sqlite3 mailbird-Store.db
# Show all tables
sqlite> .tables
Accounts FilterConditions
Attachments Filters
CalendarAccounts Folders
CalendarAclRules Folders_Messages
CalendarEventAttendees MessageBodies
CalendarEventConferenceEntries MessageReferences
CalendarEventConferences Messages
CalendarEventRecurrences Messages_Contacts
CalendarEvents OAuth2Credentials
CalendarReminders Pop3MessageUids
Calendars SchemaInfo
Contacts SenderIdentities
FTS_Messages UserContactAccounts
FTS_Messages_config UserContactFields
FTS_Messages_content UserContactGroups
FTS_Messages_data UserContactGroups_UserContacts
FTS_Messages_docsize UserContactLinkGroups
FTS_Messages_idx UserContactPostalAddresses
FilterActions UserContacts
# You can select with "where id=3" to see it more clearly
sqlite> select * from FTS_Messages_content;
<snippet>
3|Penetration Testing|Dear fwordctf,
Thanks for subscribing!
The Pentesting course is the best way to discover and enhance your skills.
I'm SBA, and will be your constructor during this course.
First course will be dedicated to reconnaissance, so first things to do is getting used to Nmap and web directories discoveries such as gobuster/dirbuster/dirsearch ... you can use anyone you want.
let's first start with the machine you got with our pack.
Import the VM and start the recon then we will carry on depending on your findings.
BestRegards
Fwordelearn.|Fword CTF fwordelearn@outlook.com|fwordctf@outlook.com fwordctf@outlook.com||
From that message we can see that the instructor's name is SBA.
InstructorName : SBA
Then I got stuck because I couldn't find which IP had been tested. The first idea that came to mind was to look for a list of the connections made from this image, but I got nothing. My second idea was that there might be a file listing the console history, like the one the Volatility plugin exposes. So I searched AppData again and found ConsoleHost_history.txt:
/img_Challenge2.E01/Users/fword/AppData/Roaming/Microsoft/Windows/PowerShell/PSReadLine/ConsoleHost_history.txt
New-Item -ItemType Diretory -Path C:\users\fword\lab01
New-Item -ItemType Directory -Path C:\users\fword\lab01
ls
cd .\lab01\
nmap -sC -sV 192.168.1.9
cd ..\Downloads\dirsearch-master\dirsearch-master\
echo "192.168.1.9 lab01.fword" >> C:\Windows\System32\drivers\etc\hosts
ls
python .\dirsearch.py -u http://lab01.fword -e txt,php
cd
cd C
cd C:\
cd
cd C
cd C:\
cd
cd C
cd C:\
cd
cd C
cd C:\
cd
cd C
cd C:\
cd
cd C
cd C:\
cd
cd C
cd C:\Users\fword\
wget http://lab01.fword/secret/secret.txt
Rename-Item -Path "c:\Users\fword\secret.txt" -NewName "file.txt"
From that file we can get all the information we need for the final flag:
TargetIPTested : 192.168.1.9
toolsUsedToReachTheFileandDownloadIt : nmap, dirsearch, wget -> dirsearch, nmap, wget (alphabetical order)
NameOfFoundFile : secret.txt
Content : <file.txt.txt> 663cd2dfc9418f384d90c89a15319b3d
Combine the flag:
FwordCTF{SBA_192.168.1.9_dirsearch,nmap,wget_secret.txt_663cd2dfc9418f384d90c89a15319b3d}
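As an added example (not part of the original writeup), here is a small Python triage script for a recovered PSReadLine ConsoleHost_history.txt: it separates external tools from PowerShell cmdlets and shell noise, and pulls out IPv4 targets, URLs, hosts-file edits and Rename-Item lines. The embedded history is a constructed, trimmed copy of the one above, and the tool-name heuristics (interpreter list, noise list, Verb-Noun cmdlet pattern) are my own assumptions.

```python
import re
from os.path import splitext
from urllib.parse import urlparse

# Constructed sample: a trimmed copy of the ConsoleHost_history.txt above, one command per line.
SAMPLE_HISTORY = r"""
New-Item -ItemType Diretory -Path C:\users\fword\lab01
nmap -sC -sV 192.168.1.9
cd ..\Downloads\dirsearch-master\dirsearch-master\
echo "192.168.1.9 lab01.fword" >> C:\Windows\System32\drivers\etc\hosts
python .\dirsearch.py -u http://lab01.fword -e txt,php
cd C:\
wget http://lab01.fword/secret/secret.txt
Rename-Item -Path "c:\Users\fword\secret.txt" -NewName "file.txt"
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL = re.compile(r"""https?://[^\s"']+""")
CMDLET = re.compile(r"[a-z]+-[a-z]+")          # PowerShell Verb-Noun form (assumption)
NOISE = {"ls", "dir", "cd", "echo", "cls", "cat", "type", "pwd"}   # shell housekeeping, not tools
INTERPRETERS = {"python", "python3", "py"}     # assumption: the script they run is the tool

def tool_name(parts):
    """External tool run by a split command line, or None for cmdlets / shell noise."""
    head = parts[0].lower()
    if head in INTERPRETERS and len(parts) > 1:   # "python .\dirsearch.py" -> dirsearch
        head = parts[1].lower()
    head = splitext(head.replace("\\", "/").rsplit("/", 1)[-1])[0]  # drop path and extension
    return None if head in NOISE or CMDLET.fullmatch(head) else head

def triage_history(text):
    """Summarise a PSReadLine history: tools (sorted), IPs, URLs, hosts edits, renames."""
    tools, ips, urls, hosts_edits, renames = set(), [], [], [], []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        parts = line.split()
        name = tool_name(parts)
        if name:
            tools.add(name)
        ips += IPV4.findall(line)
        urls += URL.findall(line)
        if "drivers\\etc\\hosts" in line.lower():   # local name override for the target
            hosts_edits.append(line)
        if parts[0].lower() == "rename-item":
            renames.append(line)
    return {"tools": sorted(tools), "ips": list(dict.fromkeys(ips)),   # first-seen order, deduplicated
            "urls": list(dict.fromkeys(urls)), "hosts_edits": hosts_edits, "renames": renames}

def downloaded_files(urls):
    # Last path component of each URL that actually names a file, e.g. secret.txt
    return [n for n in (urlparse(u).path.rsplit("/", 1)[-1] for u in urls) if n]
```

Running triage_history(SAMPLE_HISTORY) yields exactly the flag components derived above: tools dirsearch, nmap, wget; target 192.168.1.9; and downloaded_files() on the URLs gives secret.txt.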
Thank you for reading; hopefully you learned something from this writeup.