HCMUS CTF 2025 - Forensic
Hi guys, I just joined HCMUS CTF 2025 with my team, L3_u3th, and we ranked 30th. It's not a great rank, but we tried our best, so we are chill guys. This is my writeup for some challenges in Forensic. Let's go!
TLS Challenge
Basically we have 2 files: a network capture file and a keylog file. Based on the title I could easily guess that this challenge would focus on decrypting TLS traffic. The configuration is very easy: you just import the keylog file into Wireshark, reload Wireshark, and you will see the decrypted traffic:
Navigate to Edit -> Preferences -> Protocols -> TLS and import the keylog file, and you will get the same result as above. Follow the TLS traffic and you will get the flag:
Trashbin
For this challenge we have another network capture file. I checked the file and found SMB traffic:
Basically we extract all of them by going to File -> Export Objects -> SMB and saving them somewhere of your own:
You can see that there are so many zip files, so I wrote a simple Python script to extract them automatically:
import os
import zipfile

zip_folder = './'
extract_folder = './extracted_files'
os.makedirs(extract_folder, exist_ok=True)

for filename in os.listdir(zip_folder):
    if filename.endswith('.zip'):
        file_path = os.path.join(zip_folder, filename)
        try:
            with zipfile.ZipFile(file_path, 'r') as zip_ref:
                # Extract to a subfolder named after the zip file (without .zip)
                subfolder_name = os.path.splitext(filename)[0]
                subfolder_path = os.path.join(extract_folder, subfolder_name)
                os.makedirs(subfolder_path, exist_ok=True)
                zip_ref.extractall(subfolder_path)
                print(f"Extracted: {filename} to {subfolder_path}")
        except zipfile.BadZipFile:
            print(f"Bad zip file: {filename}")
You can see there are so many directories, and when I checked I found that each directory had a txt file inside, so I just modified the code a little bit to read all the contents at one time:
import os

extract_folder = './extracted_files'
# Output file name is not given in the original post; any writable path works
combined_txt = './combined.txt'

with open(combined_txt, 'w', encoding='utf-8') as outfile:
    # Walk every extracted subfolder and append each .txt file to one output file
    for root, dirs, files in os.walk(extract_folder):
        for file in files:
            if file.endswith('.txt'):
                txt_path = os.path.join(root, file)
                try:
                    with open(txt_path, 'r', encoding='utf-8') as infile:
                        content = infile.read()
                    outfile.write(f"===== {txt_path} =====\n")
                    outfile.write(content + "\n")
                    print(f"Added: {txt_path}")
                except Exception as e:
                    print(f"Failed to read {txt_path}: {e}")

print(f"All .txt files combined into: {combined_txt}")
Then I searched the file and found the flag:
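The same search can be done without unpacking anything to disk, which is the safer habit for archives carved out of a capture. The following is an added example, not code from the original writeup: the function names, the 1 MB member cap and the `FLAG{...}` pattern are assumptions, and the pattern is a constructed placeholder for the event's real flag format.

```python
import io
import os
import re
import zipfile
import zlib

MAX_MEMBER_BYTES = 1_000_000  # assumed cap so a zip bomb is skipped, not inflated


def scan_zip_bytes(data, pattern, name="<memory>"):
    """Search .txt members of one archive in memory; return (zip, member, match)."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # truncated or non-zip exported object
    with zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.lower().endswith(".txt"):
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                continue  # declared size is over the cap, do not decompress
            try:
                with zf.open(info) as member:
                    raw = member.read(MAX_MEMBER_BYTES)
            except (RuntimeError, NotImplementedError, zipfile.BadZipFile, zlib.error):
                continue  # encrypted, unsupported or corrupt member
            text = raw.decode("utf-8", errors="replace")
            hits += [(name, info.filename, m.group(0)) for m in pattern.finditer(text)]
    return hits


def scan_folder(folder, pattern):
    """Run scan_zip_bytes over every .zip file exported into `folder`."""
    hits = []
    for fn in sorted(os.listdir(folder)):
        if fn.lower().endswith(".zip"):
            with open(os.path.join(folder, fn), "rb") as fh:
                hits += scan_zip_bytes(fh.read(), pattern, fn)
    return hits


if __name__ == "__main__":
    # "FLAG{...}" is a constructed placeholder; substitute the event's flag format.
    for hit in scan_folder("./", re.compile(r"FLAG\{[^}]*\}")):
        print(hit)
```

Because members are only read into memory, a hostile member name never becomes a path on the analysis machine, and oversized members are skipped by their declared size before any decompression.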
File Hidden
This challenge is steganography, not forensics, but yeah, if I don't solve it I will feel sad, so yeah, enjoy it! We were given a wav file. At first, I tried to look at the spectrogram in Audacity but I got no result:
Now it's the most terrible part of my life: trying all the tools I knew until a guy brings me a result. After using scripts from many articles and trying tools on GitHub, I finally found a tool that gave me the result: HiddenWave. I installed it, ran it, and found a zip file inside the wav file:
You can see the header of the zip file and flag.txt inside. In this part I saved the result to a file, went to CyberChef, and deleted every non-essential part:
Disk Partition
For this challenge we have an img file and 2 choices: FTK Imager or Autopsy, but I love FTK Imager more so I chose this guy (this is not an advertisement). I simply opened the file, searched the macOS partition and found the flag:
That’s all. I wonder whether they lacked forensic guys or not, btw I hope they will have Steganography category particularly! Thank you for reading my writeup, see you in the next post. Bye 💙💙💙