Post

BlackHat MEA Qualification CTF 2024 - Writeup

Posted Updated
Preview Image
By Hilmi Ouelhazi
1 min read

Artifact [Forensics]

Description: During the investigation of a compromised machine, it was determined that an impersonation tool had been executed. The Digital Forensics and Incident Response (DFIR) team has provided only a specific hive for analysis. Your objective is to identify the name of the executable associated with the impersonation tool and determine the earliest suspected execution time of this executable on the affected machine. Flag format/example: BHFlagY{cmd.exe_29/12/1992_22:33:13}

1
2
3

┌──(kali㉿kali)-[~]
└─$ file execution                                   
execution: MS Windows registry file, NT/2000 or above

The challenge provided a Registry Hive file renamed as “execution”, you can open using Registry Explorer from the list of Eric Zimmerman tools: regexp

Since the challenge about “the executable” related to impersonation tools, we can investigate relevant registry keys such as “AppCompatCache” located under:

regexplorer

A suspicious executable DeadPotato-NET4.exe can be identified in these enteries :

enteries

therefore the flag would be: BHFlagY{DeadPotato-NET4.exe_09/08/2024_22:42:13}

Hope you enjoy it! xDU0

CTF Writeups
forensics ctf
This post is licensed under CC BY 4.0 by the author.

Trending Tags

ctf forensics