WaniCTF 2024 - Forensic
Hi everyone, this time I joined WaniCTF 2024 and fortunately we got 2nd place, which is a big victory for us. Here is my writeup for the forensic category. Let's go!
tiny_usb
In this challenge they gave us an ISO file, and I was sure the flag would be inside it. To analyse the ISO, there's a script on GitHub that helps with it. First, I listed all the files inside the ISO:
You can see that there's a PNG file named FLAG.PNG, so we just extract it to our machine:
Open the file and enjoy the result:
Flag: FLAG{hey_i_just_bought_a_usb}
Surveillance_of_sus
In this challenge they gave us a cache file, and we need to analyse it. First, I checked the file signature to find out which type of cache file it was:
Very clear, it's an RDP8bmp file, and we can analyse it with a tool on GitHub.
This way you can extract all the cache data inside the file:
I opened the output in the file manager to avoid wasting time. After searching a bit I found some tiles which, when combined together, give us the flag:
Flag: FLAG{RDP_is_useful_yipeee}
I_wanna_be_a_streamer
I have to say this must be the best challenge I solved in forensics. Come with me and see how interesting it is. In this challenge we had a pcap file, so let's open it in Wireshark and analyse it:
There are many RTP and RTSP packets. These protocols are very common for transferring video and sound over the Internet; you normally see them in VoIP, streaming media, IP cameras, and so on.
RTSP serves the same function as HTTP does for web content. However, RTSP depends on a dedicated streaming server and relies on RTP to transmit the multimedia content, and this setup does not provide content encryption or retransmission of lost packets. That means we can extract all the data that was transferred over the network.
Reading the challenge carefully, you can see they noted that the video uses H.264 encoding. After searching I found plugins for extracting H.264 data from RTP packets. Here is how to extract the data step by step:
- Copy the plugins to /home/<user>/.local/lib/wireshark/plugins/
- Restart Wireshark to load the plugins
- Go to Edit -> Preferences -> Protocols -> H.264 and set the RTP payload type to 96 (if you look at the packets carefully you can see they are RTP-Type-96)
- Go to Tools -> Extract h264 stream from RTP
After these steps you will get the raw h264 data:
To convert from h264 to mp4, you can use ffmpeg:
Open the video and enjoy your result:
Flag: FLAG{Th4nk_y0u_f0r_W4tching}
mem_search
I don't know why the organizers marked this challenge as Hard; I solved it in about 2-3 minutes. Never mind, let's start. For this challenge we had a full memory dump, and I used Volatility to analyse it. Checking the process list, I noticed that notepad.exe and tabtip.exe were running.
Maybe they tried to type something, so I decided to use the filescan plugin to list all the files inside the memory dump:
You can see that there are two read_this_as_admin files, in Desktop and in Downloads. Let's extract them and read their contents:
- read_this_as_admin.download downloads a .lnk file from 192.168.0.16:8282:
- read_this_as_admin.lnknload decodes a base64 string and executes it, so let's decode it:
When you combine the pieces, you get a link that downloaded a file named chall_mem_search.exe, created a WaniTemp directory inside the Temp directory, and saved chall_mem_search.exe as msedge.exe (that's why you saw an msedge.exe process at first). Look at the link carefully and you will see B64_dec…; it's easy to tell they wanted us to decode that string. Decode it and you get the flag:
Flag: FLAG{Dayum_this_is_secret_file}
tiny_10px
This challenge helps you understand the JPEG structure more deeply. The idea for solving it is changing the size of the image by following this blog:
In that blog they point out where the image height and width information lives:
Applying it to our case, we can easily find it:
After trying for a long time, I finally found the correct dimensions and got the flag (change ff c0 00 11 08 00 0a 00 0a to ff c0 00 11 08 00 a0 00 a0):
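Here is an added example of the same trick done programmatically instead of in a hex editor (my own code, not from the challenge or the blog): it walks the JPEG marker segments, locates the SOF0 header (ff c0), reads the height and width, and rewrites them. The sample bytes are constructed inline around the challenge's SOF0 segment and are not a decodable image.

```python
import struct

# Constructed sample: SOI, a minimal APP0, the challenge's SOF0 segment
# (ff c0 00 11 08 00 0a 00 0a ...) and an SOS header. Not a decodable image.
SAMPLE_JPEG = (
    b"\xff\xd8"                                                      # SOI
    b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"  # APP0, len 16
    b"\xff\xc0\x00\x11\x08\x00\x0a\x00\x0a\x03"                      # SOF0: 8-bit, 10x10, 3 comps
    b"\x01\x22\x00\x02\x11\x01\x03\x11\x01"                          # component specs
    b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"                      # SOS (scan data would follow)
)

SOF_MARKERS = {0xC0, 0xC1, 0xC2}                   # baseline, extended, progressive
STANDALONE = {0x01, 0xD8, 0xD9, *range(0xD0, 0xD8)}  # markers with no length field

def find_sof(data: bytes) -> tuple[int, int, int]:
    """Walk the segments and return (offset of height field, height, width)."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        while pos < len(data) and data[pos] == 0xFF:  # skip fill bytes
            pos += 1
        if pos >= len(data):
            break
        marker = data[pos]
        pos += 1
        if marker in STANDALONE:
            continue
        if pos + 2 > len(data):
            break
        length = struct.unpack(">H", data[pos:pos + 2])[0]  # includes the 2 length bytes
        if marker in SOF_MARKERS:
            # payload: length(2) precision(1) height(2) width(2) ncomponents(1) ...
            height, width = struct.unpack(">HH", data[pos + 3:pos + 7])
            return pos + 3, height, width
        if marker == 0xDA:  # SOS: entropy-coded data follows, no SOF after this
            break
        pos += length
    raise ValueError("no SOF segment found")

def patch_dimensions(data: bytes, height: int, width: int) -> bytes:
    """Return a copy with the SOF height/width rewritten (the tiny_10px trick)."""
    off, _, _ = find_sof(data)
    return data[:off] + struct.pack(">HH", height, width) + data[off + 4:]
```

Note that only the header changes: the entropy-coded data stays the same, so a decoder that trusts the header will render extra rows and columns that were previously hidden, which is exactly what reveals the flag.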
Thank you for reading my writeup. See you next time, bye!!!! ❤️❤️❤️