CTI Analyst at @ActiveFence
Forensic at @World Wide Flags
Operator at @Cookie Han Hoan

BITSCTF 2025 - DFIR

Hi guys, this time I played BITSCTF 2025 and I felt a bit disappointed this year since DFIR was easier than the previous year. By the way, these challenges are very suitable for newbies, so I will write up solutions for them. Let's go!

virus-camp-1

In this challenge we are given an .ad1 file, which is a forensic image in FTK Imager's own format, so we can open it with FTK Imager:

image

I searched a bit and found a suspicious VS Code extension:

image

There is a base64-encoded comment in the extension's file; decoding it gives the first flag:

image

Flag: BITSCTF{H0w_c4n_vS_c0d3_l3t_y0u_publ1sh_m4l1cious_ex73nsi0ns_SO_easily??_5a7b336c}

virus-camp-2

Looking at the extension we found, we can see that it decodes another base64 string. Decoding that string myself gives the malware, a PowerShell script:

image

# Hard-coded PBKDF2 parameters: password, 8-byte salt, iteration count, AES-256 key and IV sizes
$password = "MyS3cr3tP4ssw0rd"
$salt = [Byte[]](0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08)
$iterations = 10000
$keySize = 32
$ivSize = 16

# Rfc2898DeriveBytes is PBKDF2-HMAC-SHA1; successive GetBytes() calls read
# consecutive bytes of the same derived stream (bytes 0-31 = key, 32-47 = IV)
$deriveBytes = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($password, $salt, $iterations)
$key = $deriveBytes.GetBytes($keySize)
$iv = $deriveBytes.GetBytes($ivSize)

# The victim's flag.png is encrypted into flag.enc next to it
$inputFile = "C:\\Users\\vboxuser\\Desktop\\flag.png"
$outputFile = "C:\\Users\\vboxuser\\Desktop\\flag.enc"

# AES in CBC mode with PKCS7 padding
$aes = [System.Security.Cryptography.Aes]::Create()
$aes.Key = $key
$aes.IV = $iv
$aes.Mode = [System.Security.Cryptography.CipherMode]::CBC
$aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7

$encryptor = $aes.CreateEncryptor()

$plainBytes = [System.IO.File]::ReadAllBytes($inputFile)

# Stream the plaintext through the encryptor into the output file
$outStream = New-Object System.IO.FileStream($outputFile, [System.IO.FileMode]::Create)
$cryptoStream = New-Object System.Security.Cryptography.CryptoStream($outStream, $encryptor, [System.Security.Cryptography.CryptoStreamMode]::Write)

$cryptoStream.Write($plainBytes, 0, $plainBytes.Length)
$cryptoStream.FlushFinalBlock()

$cryptoStream.Close()
$outStream.Close()

# Delete the original so only the encrypted copy remains
Remove-Item $inputFile -Force

We can see that it derives a key and IV from a hard-coded password and salt with PBKDF2 (Rfc2898DeriveBytes, 10000 iterations), encrypts flag.png with AES-256-CBC and PKCS7 padding, and then deletes the original. Since every parameter is hard-coded in the script, we can write a small Python script (using PyCryptodome) to decrypt flag.enc:

from Crypto.Cipher import AES
from Crypto.Protocol.KDF import PBKDF2
from Crypto.Util.Padding import unpad

# Same parameters as the PowerShell script
password = b"MyS3cr3tP4ssw0rd"
salt = bytes([0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08])
iterations = 10000
key_size = 32
iv_size = 16

# PyCryptodome's PBKDF2 defaults to HMAC-SHA1, matching Rfc2898DeriveBytes.
# Deriving key_size + iv_size bytes at once and splitting reproduces the two
# consecutive GetBytes() calls in the malware.
key_iv = PBKDF2(password, salt, dkLen=key_size + iv_size, count=iterations)
key = key_iv[:key_size]
iv = key_iv[key_size:]

input_file = "C:\\Users\\Admin\\Downloads\\flag.enc"
output_file = "C:\\Users\\Admin\\Downloads\\flag.png"

with open(input_file, "rb") as f:
    encrypted_data = f.read()

cipher = AES.new(key, AES.MODE_CBC, iv)
decrypted_data = cipher.decrypt(encrypted_data)

# Strip and validate the PKCS7 padding (raises ValueError if the key/IV were wrong)
decrypted_data = unpad(decrypted_data, AES.block_size)

with open(output_file, "wb") as f:
    f.write(decrypted_data)

Run it and you will get the flag:

image

Flag: BITSCTF{h0pe_y0u_enj0yed_th1s_145e3f1a}
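As an added example (my own code, not part of the original writeup or the challenge files), the snippet below isolates the two things that are easy to get wrong when reversing a script like this one: reproducing the .NET key/IV derivation exactly, and noticing when a decryption has failed instead of writing garbage to flag.png. It uses only the standard library, so it does not depend on PyCryptodome; the AES-CBC decryption itself stays with the solver script above, and the PNG bytes in the usage are a constructed stand-in for the real flag.

```python
import hashlib

# First 8 bytes of every PNG file, used as a sanity check on the recovered plaintext
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Parameters copied from the malware's PowerShell script
PASSWORD = b"MyS3cr3tP4ssw0rd"
SALT = bytes([0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08])
ITERATIONS = 10000
KEY_SIZE = 32
IV_SIZE = 16


def derive_key_iv(password, salt, iterations, key_size=KEY_SIZE, iv_size=IV_SIZE):
    """Reproduce the malware's Rfc2898DeriveBytes usage with the standard library.

    That .NET class (with the password/salt/iterations constructor) is
    PBKDF2-HMAC-SHA1, and each GetBytes() call returns the next bytes of one
    derived stream, so GetBytes(32) followed by GetBytes(16) equals a single
    48-byte derivation split at offset 32.
    """
    stream = hashlib.pbkdf2_hmac("sha1", password, salt, iterations,
                                 dklen=key_size + iv_size)
    return stream[:key_size], stream[key_size:]


def pkcs7_unpad(data, block_size=16):
    """Strict PKCS7 unpadding: raise on malformed padding rather than returning garbage.

    Blindly doing data[:-data[-1]] 'works' on any input, which hides a wrong
    key or IV; checking every padding byte turns that into a visible error.
    """
    if not data or len(data) % block_size != 0:
        raise ValueError("data length is not a multiple of the block size")
    pad_len = data[-1]
    if pad_len < 1 or pad_len > block_size:
        raise ValueError("invalid padding length")
    if data[-pad_len:] != bytes([pad_len]) * pad_len:
        raise ValueError("padding bytes are inconsistent")
    return data[:-pad_len]


def is_png(data):
    """True if the bytes start with the PNG file signature."""
    return data[:8] == PNG_SIGNATURE


def check_recovered(decrypted):
    """Validate a raw AES-CBC decryption of flag.enc before writing flag.png.

    Returns the unpadded plaintext, or raises ValueError when either the
    padding or the PNG signature is wrong (what a wrong key/IV looks like).
    """
    plaintext = pkcs7_unpad(decrypted)
    if not is_png(plaintext):
        raise ValueError("decrypted data is not a PNG; key or IV is probably wrong")
    return plaintext


if __name__ == "__main__":
    key, iv = derive_key_iv(PASSWORD, SALT, ITERATIONS)
    print("key:", key.hex())
    print("iv: ", iv.hex())
    # Constructed sample: a PNG signature plus 5 bytes, PKCS7-padded to one 16-byte block
    sample_block = PNG_SIGNATURE + b"hello" + b"\x03" * 3
    print("recovered:", check_recovered(sample_block))
```

In the solver script, `check_recovered(cipher.decrypt(encrypted_data))` can replace the padding strip: if the derived key or IV does not match what the malware used, the padding check or the PNG signature check fails loudly instead of producing a corrupt flag.png that only fails later when you try to open it.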

That's all! I hope that my writeup could help someone who's new to DFIR. Thank you very much and see you in the next post. Bye 💙💙💙
