BlackHat MEA 2025 - Multiverse
Hi guys, I learned about BlackHat MEA 2025 from my brother from PTIT, and since I did not register, my brother sent me the sample in order to solve it. After solving it, this is my solution.
First, I had a sample which contains some files and directories inside a Windows system, so I opened it on Autopsy:
Based on the sample, I checked in Recent first since I could see which files and how many files were opened:
I scrolled down and I found a zip file whose name was in base64 format:
I decoded it and got the first part of the flag:
Next, in the Email field I found a suspicious email: cattheflag@gmail.com. I clicked on it to see where the email was from, and I found that inside the MFT file there was a config file for rclone:
In short, rclone is an open-source command-line program to manage cloud storage, and if you want to manage any type of cloud storage, you just create a config file like this:
And in our case it will be like this:
And when you have rclone.conf you can access the cloud storage remotely; however, in this challenge the connection was somehow corrupted. My intended solution was to access the cloud storage and investigate whether there were any files or not, but after reading other solutions I knew this is a guessy challenge. OK, so it goes like this: the rclone password is always encrypted, and to reveal the original password it's simple, we use this command: rclone reveal:
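What rclone reveal does to the pass field, as an added example (not code from this write-up or from the challenge): the value is base64url of a 16-byte IV followed by AES-256-CTR ciphertext under a key compiled into rclone, so a recovered rclone.conf should be treated as exposed credentials. The key bytes below are an assumption taken from rclone's obscure package and should be checked against the rclone source; the sample password and IV are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"errors"
	"fmt"
)

// Fixed AES-256 key that rclone compiles in for obscuring config passwords
// (assumption: as found in rclone's fs/config/obscure package; verify it there).
var rcloneKey = []byte{
	0x9c, 0x93, 0x5b, 0x48, 0x73, 0x0a, 0x55, 0x4d,
	0x6b, 0xfd, 0x7c, 0x63, 0xc8, 0x86, 0xa9, 0x2b,
	0xd3, 0x90, 0x19, 0x8e, 0xb8, 0x12, 0x8a, 0xfb,
	0xf4, 0xde, 0x16, 0x2b, 0x8b, 0x95, 0xf6, 0x38,
}

// ctr XORs data with the AES-CTR keystream for iv; the same call encrypts and decrypts.
func ctr(iv, data []byte) []byte {
	block, _ := aes.NewCipher(rcloneKey) // cannot fail: the key is 32 bytes
	out := make([]byte, len(data))
	cipher.NewCTR(block, iv).XORKeyStream(out, data)
	return out
}

// Reveal reverses an obscured value: base64url (no padding) of IV || ciphertext.
func Reveal(obscured string) (string, error) {
	raw, err := base64.RawURLEncoding.DecodeString(obscured)
	if err != nil || len(raw) < aes.BlockSize {
		return "", errors.New("not an obscured value (bad base64url or shorter than the IV)")
	}
	return string(ctr(raw[:aes.BlockSize], raw[aes.BlockSize:])), nil
}

// Obscure is the forward direction with a caller-supplied IV (rclone picks a random one).
func Obscure(plain string, iv []byte) (string, error) {
	if len(iv) != aes.BlockSize {
		return "", errors.New("IV must be 16 bytes")
	}
	blob := append(append([]byte{}, iv...), ctr(iv, []byte(plain))...)
	return base64.RawURLEncoding.EncodeToString(blob), nil
}

func main() {
	obs, _ := Obscure("constructed-sample-password", []byte("0123456789abcdef")) // constructed sample
	plain, err := Reveal(obs)
	fmt.Println(obs, plain, err)
}
```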
Decode from base64 and you get another part:
Combine it with the part we found before, decrypt from RC4 and you get the flag (it's even more guessy than FUSecathon 2025):
In my opinion, if they can fix the mega connection, then this challenge will be very great but sadly, they failed. Thank you for reading this article, bye!