
Freminhelp (Solved after event)


Last updated 1 year ago

Description

My friend, Freminet, now needs your assistance. He once left his lappy alone in a public area. Several months later, he discovered that a keylogger had been installed. Unfortunately, during the period when the keylogger was active, he typed the names of some crucial and confidential files. While Freminet successfully analyzed the situation and confirmed that the keylogger did not send any data elsewhere, he was able to delete the keylogger. He says that the keylogger created a custom key under the Software\Microsoft\Windows\CurrentVersion\Explorer registry key. However, he is now unable to locate the keystrokes recorded by the keylogger.

The flag is divided into 3 parts

https://1drv.ms/u/s!AobVW-isux9NgRg7wc3TRLk9K792?e=JqJfRe

Author: cipichop

In this challenge we are given a memory dump. Using imageinfo, we find that the memory profile is Win7SP1x86_23418. Next, we can start analysing the dump. According to the challenge description, there is a custom key under the registry path "Software\Microsoft\Windows\CurrentVersion\Explorer", so we check it directly with the printkey plugin.

$ vol.py -f freminhelp.mem --profile=Win7SP1x86_23418 printkey -K "Software\Microsoft\Windows\CurrentVersion\Explorer"

Here there is a suspicious key, namely Keylogger. To see the values of that subkey, we can append its name to the path.

$ vol.py -f freminhelp.mem --profile=Win7SP1x86_23418 printkey -K "Software\Microsoft\Windows\CurrentVersion\Explorer\Keylogger"

At first I was not sure what to do with this value, but based on the description, this string probably refers to the name of a file. Therefore, we can run filescan on it.

$ vol.py -f freminhelp.mem --profile=Win7SP1x86_23418 filescan | grep -Fi "ce9e7c1ed929e0d3b4590a36da9fa42df5f508f1"

Volatility Foundation Volatility Framework 2.6.1
0x000000003eaab800      8      0 R--rw- \Device\HarddiskVolume1\PerfLogs\Admin\ce9e7c1ed929e0d3b4590a36da9fa42df5f508f1\23da5a4d5d.txt
0x000000003eb81c80      8      0 R--rw- \Device\HarddiskVolume1\PerfLogs\Admin\ce9e7c1ed929e0d3b4590a36da9fa42df5f508f1\fc1f24fe27.txt
0x000000003fc6ab28      8      0 R--rw- \Device\HarddiskVolume1\PerfLogs\Admin\ce9e7c1ed929e0d3b4590a36da9fa42df5f508f1\1f22cfa57c.txt

Here we get three text files. This is quite suspicious, since according to the description the flag is split into three parts. Either way, we can extract all three files using dumpfiles.

$ vol.py -f freminhelp.mem --profile=Win7SP1x86_23418 dumpfiles -Q 0x000000003eb81c80 -D . --unsafe
...

If we look at the contents of the three text files, we see what looks like the output of a keylogger.

$ mv file.None.0x8425c218.23da5a4d5d.txt.dat one.txt
$ cat one.txt
20a86f5ecb6b850cacc73c280d579c60 64a7e258 2
20a86f5ecb6b850cacc73c280d579c60 64a7e259 5
20a86f5ecb6b850cacc73c280d579c60 64a7e259 5
20a86f5ecb6b850cacc73c280d579c60 64a7e25a 3
20a86f5ecb6b850cacc73c280d579c60 64a7e25c c
20a86f5ecb6b850cacc73c280d579c60 64a7e25c 2
20a86f5ecb6b850cacc73c280d579c60 64a7e25c b
20a86f5ecb6b850cacc73c280d579c60 64a7e25e 1
20a86f5ecb6b850cacc73c280d579c60 64a7e25f 7
20a86f5ecb6b850cacc73c280d579c60 64a7e25f 8
20a86f5ecb6b850cacc73c280d579c60 64a7e260 2
...

I tidied up the output with a bit of terminal-fu as follows.

$ cat one.txt | tr -d '\000'| cut -d ' ' -f 3 | tr -d '\n' | xargs echo
2553c2b1782faabba3a3d1a8bfd3a2137e2015cd
$ cat two.txt | tr -d '\000'| cut -d ' ' -f 3 | tr -d '\n' | xargs echo
54c59856cc065b7b07101b36d01988eac07e89fd
$ cat three.txt | tr -d '\000'| cut -d ' ' -f 3 | tr -d '\n' | xargs echo
e92629adecd08ecc2e0b2ae053cce7eee20b9f63
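The same reconstruction as the terminal-fu above, written as a small parser so the log format can be checked rather than blindly joined (added example, not part of the original writeup). It strips the NUL padding carried by the dumped files, keeps only lines that match the three-field layout, groups keystrokes by the first field (treated here as a session id, an assumption) and, also as an assumption, reads the second field as a hex Unix timestamp to date the keylogging activity. The embedded sample is constructed from the first lines of one.txt shown above.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the first rows of one.txt from the writeup, with NUL
# padding sprinkled in the way dumpfiles output tends to carry it.
SAMPLE_LOG = (
    b"20a86f5ecb6b850cacc73c280d579c60 64a7e258 2\n"
    b"\x00\x0020a86f5ecb6b850cacc73c280d579c60 64a7e259 5\n"
    b"20a86f5ecb6b850cacc73c280d579c60 64a7e259 5\n"
    b"20a86f5ecb6b850cacc73c280d579c60 64a7e25a 3\n"
    b"20a86f5ecb6b850cacc73c280d579c60 64a7e25c c\n"
    b"20a86f5ecb6b850cacc73c280d579c60 64a7e25c 2\n"
    b"20a86f5ecb6b850cacc73c280d579c60 64a7e25c b\n"
    b"20a86f5ecb6b850cacc73c280d579c60 64a7e25e 1\n"
    b"20a86f5ecb6b850cacc73c280d579c60 64a7e25f 7\n"
    b"20a86f5ecb6b850cacc73c280d579c60 64a7e25f 8\n"
    b"20a86f5ecb6b850cacc73c280d579c60 64a7e260 2\n"
    b"\x00\x00\x00\x00"
)

# <32 hex chars> <8 hex chars> <one key>; anything else is ignored.
LINE_RE = re.compile(rb"^([0-9a-f]{32}) ([0-9a-f]{8}) (.)$")


def parse_keylog(raw: bytes) -> list[tuple[str, int, str]]:
    """Return (session_id, unix_time, key) records in file order.
    NUL bytes are removed first (the tr -d '\\000' step); malformed lines
    are skipped instead of aborting the whole parse."""
    records = []
    for line in raw.replace(b"\x00", b"").splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            sid, ts_hex, key = m.groups()
            records.append((sid.decode(), int(ts_hex, 16), key.decode()))
    return records


def reconstruct(records) -> dict[str, str]:
    """Concatenate keystrokes per session, sorted by timestamp; the sort is
    stable, so keys logged in the same second keep their file order."""
    typed: dict[str, str] = {}
    for sid, _ts, key in sorted(records, key=lambda r: r[1]):
        typed[sid] = typed.get(sid, "") + key
    return typed


def time_span(records) -> tuple[str, str]:
    """First and last keystroke time as ISO 8601 UTC (timestamp assumption)."""
    stamps = [ts for _sid, ts, _key in records]
    fmt = lambda t: datetime.fromtimestamp(t, tz=timezone.utc).isoformat()
    return fmt(min(stamps)), fmt(max(stamps))
```

On the three real dumps the concatenated strings are the 40-character names the filescan step below looks for.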

Next, since the description hints that he "typed the names of some crucial and confidential files", these three strings can be taken to be file names. Once again, we use filescan and dumpfiles.

After extracting the files, we check what we got. It turns out that all three files are .jpg images.

$ file file.None.0x8543a380.dat 
file.None.0x8543a380.dat: JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=1, orientation=upper-left], comment: "Compressed by jpeg-recompress", baseline, precision 8, 1920x927, components 3

After that we simply open all three, and... the flag is obtained :)

Flag: NCW23{for_art_is_never_perfect,_the_work_of_an_artist_is_never_done}
