
Forensic Write-up | The Cyber Grabs CTF 0x02.

by Nihal Umar

The Cyber Grabs CTF 0x02.

Jasper

I like to play with images. Do you?

Flag format: cybergrabs{}

Solution:

This was the easiest one. Just use `exiftool` on the image to get the flag.

cybergrabs{Y0U_4re_g00d_4t_m3ta_DaT4}

Password


We have suspected Mr.Wolf and for investigation purposes we have created a backup of his data. 
The task for you is to find the password of Mr.Wolf PC.

Format: cybergrabs{password}

Author: White Wolf 🐺

Solution:

For this challenge we have to find the Wolf-PC password. If you look around, there's a note saying "I dumped some process but I forgot it".

So Mr.Wolf dumped the lsass process, and whenever you dump a process it goes in users/wolf-pc/Appdata/local/temp. Visit that directory and you will find lsass.dmp.

Just export lsass.DMP and install mimikatz. I suggest trying this on your virtual box.

After setting up mimikatz, just use the commands below.

privilege::debug
sekurlsa::minidump lsass.DMP
sekurlsa::logonpasswords

Now we will get a hash. Just use CrackStation or any other hash-cracking tool of your choice.

cybergrabs{4hacking}

Secret

After further investigation we have found out that Mr.Wolf is hiding something on the internet can you find it?

Note: Use the Same file shared in First Challenge(Password).

Format : Flag in flag format.

Author: White Wolf 🐺

Solution:

According to the description, he's hiding something on the internet, so it's time to check out the web history.

C:\Users\wolf-pc\AppData\Roaming\Mozilla\Firefox\Profiles\<profile folder>

We can find it in the above path.

Export places.sqlite.

Open it using sqlite.

Now just read the history and we can find there's a cryptobin.co link, https://cryptobin.co/a1o8e8f7. If you analyzed the text files, he mentioned that he uses the same password everywhere, so let's use 4hacking (which we cracked in the first challenge) and we will get base64. Convert it into a file and we will get a GIF. Just use `exiftool` on it and we will get the flag.

cybergrabs{dammm_y0u_f0und_p3p3_h3cker}

Stargazer

Mr.Wolf was using some application for his secret Communications find the application and his secret too.

Note: Use the Same file shared in First Challenge(Password).

Format: Flag in flag format.

Author: White Wolf 🐺

Solution:

According to the description, Wolf was using some application, so let's check it out. Visit C:\users\wolf-pc\appdata\roaming and we can see HexChat is installed. Just analyze every file in the `hexchat` folder. From the spam file we got a long string, maybethisthingwillbeusefull. In likes we can see that he likes stargazer, so let's search for stargazer, and we can find stargazer.jpg in Pictures. When you have some string and a JPG image, just run steghide and we will get the flag.

cybergrabs{d0_y0u_like_stargazer_l1ly???}

Thanks for reading this far. Stay tuned for more blogs and content.

Special Credit: White Wolf
