Wargames 2023 Writeup [Compromised]

uwu

So I participated in a CTF alone??? Yes I did! Ending 2023 off, I participated in Wargames 2023 in the student category! And oh boy for this writeup it was the King of Forensics vs the God of Forensics. However, I did learn something new today from one of the God of Forensics. With that said, let’s get into the writeup!


challenge

The challenge was called “Compromised” and it provided a file called evidence.zip


directory-listing

Unzipping the file, it contains a service account’s file system. However, all that remains is ALOT of lnk and ini files which are useless.


flag.png

One of the noteworthy files in the Desktop folder is flag.png.


store-compression-method

Using the file command on it, shows that the file is actually a zip file with a store compression method. From this point, I went into a rabbit hole thinking that I need to use bkcrack to brute force the keys for the zip file because of the store compression method.

You can watch John Hammond’s video on that here


rdp-details

Going into Documents you can see a Default.rdp file, which means that this machine has been accessed before through RDP.


werid-files

Going all around the file system, I eventually came to this directory:

svc_wgmy/AppData/Local/Microsoft/Terminal Server Client/Cache

hmmmmmmmm

I was wondering what were those files in that directory, those files being bcache24.bmc and Cache0000.bin.


strings

Using the typical Forensics mindset, I used strings and found that it was a bmp file but not?


osint-baby

I decided to look up the file name and miraculously I found a blog post on this file regarding… FORENSICS!!!


parser-tool

Apparently, the file is a cache file of images taken as a result of RDP. The files are cached first and then sent to the client (from my understanding of how RDP works). The blog post then demonstrates using bmc-tools.py to parse the cache file.


cloning-repo

So, just clone this repository:

git clone https://github.com/ANSSI-FR/bmc-tools.git

using-parser

And executing the files with the -s switch for the source of the cache file and -d for the destination of the bmp files.


play-puzzle

So, we got some bmp files, what now? Well, the blog post mentioned there is a GUI tool to piece the puzzle together.


Oooooo

Loading the bmp files into the tool and scrolling through the images, I saw a few images of a user typing in the password for the zip file.


password-baby

Selecting the right images and piecing them together, we get the password!

WGMY_P4ssw0rd_N0t_V3ry_H4rd!!!

unzip-flag

From here it’s just as easy as cake! Unzip flag.zip and cat out the flag!


sheeeshhh

Sheeeeshhhhh I might be good at Forensics but sometimes or most of the times I may not know everything. So, it was a good learning experience from this challenge of the many artifacts you can find from Windows and yea I will totally take note on this challenge. Who knows? I might make a challenge based on this… Anyways, here’s the flag!

Flag: wgmy{d1df8b8811dbe22f3dce67ef2998f21c}

jigsaw's blog

i’m zach and I build labs and create ctf challenges

Write Up for a Digital Forensics challenge for Wargames 2023

By jigsaw, 2023-12-17