CyberX Internal CTF 2024
Forensics
Forensic Odyssey 1: A Message in the Mist
- First, we download and unzip the Artifact.zip file with the password given by the challenge.
- Inspect what is inside the archive.
- There is only one file, named CyberX_CTF.E01.
- Look closer: it has the E01 extension. As we know, E01 is the file extension for an EnCase disk image (also called EnCase Evidence Files or Expert Witness Format (EWF) files). Google ^_^!
- To open this file, we need to download Autopsy (https://www.autopsy.com/) or Exterro FTK Imager (https://www.exterro.com/digital-forensics-software/ftk-imager).
- After that, open Autopsy (this time I use Autopsy). Before the other flags, we need to find the first flag. I have mounted the image to local disk E and I can see there is a Welcome.txt file on the disk.
- And you will get the flag in the txt file.
Forensic Odyssey 2: The Hidden Path
- Continue from Forensic Odyssey 1.
- Open Autopsy and open the disk image.
- Before starting, we should think about where data is normally hidden.
- Recycle bin etc…
- We can see there is a flag there, but oops, it is not the correct flag after I tried it. Let's check for other flags.
- After a bit of searching we can see there is a hidden named file in user/plssk/download/
- There is a txt file named flag2.txt, and when we click on it, there is a sentence:
- Where is the flag??
- When we highlight it, we can see there are spaces of different sizes in it.
- Copy it and paste it into a whitespace decoder.
- There you go! The flag for this challenge is out!
Forensic Odyssey 3: The Time Traveler
- Continue from Forensic Odyssey 2.
- We can see there is something hiding in here.
- We take the encoded text from the txt file and put it into CyberChef to decode the Base64.
- Here is the flag!
Forensic Odyssey 4: The Final Trail
- Continue from Forensic Odyssey 3.
- Lastly, we can see there are deleted files listed in the side tab.
- Press All.
- And we can see the last flag here. It is easy, right!
Knock Knock
- Download the attachment given by the challenge.
- Open the pcap file using Wireshark (https://www.wireshark.org/#downloadLink).
- We can see there's only the TCP protocol this time, but hey, look at the bottom-right corner, it's there again.
- OK, let's try a different port. We can see there is a different character, but one that matches the CyberX{ flag word.
- So just follow and record them one by one and we get the flag for this challenge.
- Hooray, there goes the flag!
Knock Knock, who's there? CyberX here hehe.
Poslaju
- Download the attachment given by the challenge.
- Open the pcap file using Wireshark (https://www.wireshark.org/#downloadLink).
- Choose one of the HTTP entries, right-click, and follow the HTTP stream.
- You can see there is a C in front of the HTTP/1.1.
- Looks like there may be a flag there, so let's try increasing the stream number.
- Looks like there is a y, so let's record it (flag format = CyberX{}).
- Record the flag one character at a time by increasing the stream.
- And there it is, the flag!
Powershell 1
- Download the Runme.zip file from the attachment.
- Unzip the file.
- Inspect what is inside the file.
- It contains only runme.ps1.
- I tried editing the file with Notepad, and inside we can see this code:
powershell -EncodedCommand ZQBjAGgAbwAgAEMAeQBiAGUAcgBYAHsAdwBoADQAdABfADEAbgBfAHQAaAA0AF8AYgBhAHMAZQA2ADQAXwAxAHMAXwBUAGgAMQBzACEAIQB9AA==
- ZQBjAGgAbwAgAEMAeQBiAGUAcg…. looks like encoded text; the -EncodedCommand parameter takes a Base64 string.
- Use CyberChef (https://cyberchef.net/) to decode it.
- And there it is, the flag!
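
The same decode done in code, as an added example that is not part of the original write-up: -EncodedCommand carries Base64 over UTF-16LE text, so a plain Base64 decode still leaves a null byte after every character until the second step is applied. The function names, and the rule that any prefix of the parameter name or -ec is accepted, are assumptions of this example.

```python
import base64
import binascii
import re
from typing import List, Optional

# Assumption of this example: PowerShell accepts any prefix of the parameter
# name (-e, -enc, ...) plus the alias -ec, matched case-insensitively.
_FULL = "encodedcommand"
_NAMES = {_FULL[:i] for i in range(1, len(_FULL) + 1)} | {"ec"}
# "-Name value" pairs whose value consists only of Base64 alphabet characters.
_PAIR = re.compile(r"-(\w+)\s+([A-Za-z0-9+/=]+)")

# The command line found in runme.ps1 (taken from the write-up above).
RUNME = ("powershell -EncodedCommand "
         "ZQBjAGgAbwAgAEMAeQBiAGUAcgBYAHsAdwBoADQAdABfADEAbgBfAHQAaAA0AF8A"
         "YgBhAHMAZQA2ADQAXwAxAHMAXwBUAGgAMQBzACEAIQB9AA==")


def decode_encoded_command(blob: str) -> str:
    """Reverse the two layers: Base64 first, then UTF-16LE text."""
    raw = base64.b64decode(blob, validate=True)
    return raw.decode("utf-16-le")


def extract_encoded_commands(cmdline: str) -> List[Optional[str]]:
    """Decode every encoded-command argument; None marks an undecodable one."""
    results: List[Optional[str]] = []
    for name, blob in _PAIR.findall(cmdline):
        if name.lower() not in _NAMES:
            continue  # some other parameter, e.g. -ExecutionPolicy Bypass
        try:
            results.append(decode_encoded_command(blob))
        except (binascii.Error, UnicodeDecodeError):
            results.append(None)  # bad Base64 or an odd number of bytes
    return results


def encode_command(script: str) -> str:
    """Build a constructed sample argument in the same Base64/UTF-16LE form."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


if __name__ == "__main__":
    for script in extract_encoded_commands(RUNME):
        print(script)
```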
Santa Scan
- First, download the attachment given by the challenge.
- It is a file called santa_scan.pcap.
- Open the file using Wireshark (https://www.wireshark.org/#downloadLink).
- The hint given by the challenge is TCP, so let us type TCP in the search box.
- As you can see, there are a lot of ports with the TCP protocol.
- Now let's find where the flag is. But hey, see, there is something in the bottom-right corner (highlighted).
- After clicking a few TCP ports, we can be sure that it is the flag for us (TCP stream with port length 60).
- That's the flag!! Hooray, Happy Christmas HoHoHo!!!
ZipCrack 1: The Hidden Lock
Download the zip file from the attachment.
Unzip the file, but hmm, it looks like the normal unzip is not suitable (see the attached picture).
So use the command
7z e flag.zip
7-Zip is a better unzip tool in this case. But oh no, there is a password. So I try to brute-force it using John the Ripper.
- Because it is a zip file, we need to use the command
zip2john flag.zip > hash.txt
to turn the zip file into a hash text, which we can then brute-force, looking for a matching hash to find the password.
Use this command
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
And we will find out that the password for this file is
rainbow1
And now let us use the password to go inside and take a look at the flag.txt file.
That's it!! The flag for this question!!
ZipCrack 2: The Champion Lock
- This made me frustrated, and in the end I just found out that a word in upper case was causing the failure …..
First, download the attachment for the challenge.
Same as the last question, it needs 7z to unzip. But this time, the hint is to use the LOL champions' names.
I'm not a LOL player, so I went online to search what a champion is and blablabla~, and found out that champions are the characters of the LOL game.
OK, now that I have the hint, I went to GPT to let it list all 100+ champion names for me and made it a wordlist (.txt).
Lastly, use john to brute-force the zip file password using the commands
zip2john champion.zip > hash_flag2.txt
john --wordlist=lol_wordlist.txt hash_flag2.txt
And we found out the password for this file is
- Credit to my teammate Ching Yang for finding it, as my wordlist has an uppercase first character…….
Use 7z to unzip it and we can see the flag is inside. Yay!
There you go, the flag!!
- Title: CyberX Internal CTF 2024
- Author: Lee Wei Xuan
- Created at : 2024-12-31 12:48:09
- Updated at : 2024-12-31 13:24:45
- Link: https://redefine.ohevan.com/2024/12/31/CyberX-Internal-CTF-2024/
- License: This work is licensed under CC BY-NC-SA 4.0.