Forensics

Forensic Odyssey 1: A Message in the Mist

1. First, we downlaod and unzip the Artifact.zip file with the password given by the challenge.
2. Inspect what inside the file.
   • There is only a file name CyberX_CTF.E01 file.
3. Look closer, it is a E01 extension file, as we know, E01file is a file extension for Encase Disk Image or (Encase Evidence Files or Expert Witness Format (EWF) files) Google ^_^!
4. To open this file, we need to download Auotspy(https://www.autopsy.com/ (opens in a new tab)) or Eterro FTK Imager(https://www.exterro.com/digital-forensics-software/ftk-imager (opens in a new tab))
5. After that, open Autospy(for this time I use Autospy), but before others flag, we need to find the first flag, i have mount the image to local disk E and I can see there is a Welcome.txt file in the disk.
6. 
7. And you will get the flag in the txt file.

Forensic Odyssey 2: The Hidden Path

1. CONTINUE to the Forensics Odyssey 1.
2. Open the autospy and open the disk image.
3. Before started, we should think where is the data normally will be hidden.
   • Recycle bin etc...
4. 
5. We can see there is the flag, but opps, it is not the correct flag after I tried. Lets have a check for others flag.
6. After few searching we can see there is a hidden named file in user/plssk/download/
7. there is a txt file name flag2.txt and when we press in, there is a sentences
   • 
8. Where is the flag??
9. When we highlights it, we can see there is different size of space in there
   • 
10. Copy it and go to white space decoder()

11. There you go ! The flag for this challenge is out!

Forensic Odyssey 3: The Time Traveler

1. Continue Forensics Odyssey 2.
2. We can see there is something hidding in here
3. 
4. After we take the encrypted code from txt and put into CyberChef to decode the base64 text.
5. 
6. Here this is the flag!

Forensic Odyssey 4: The Final Trail

1. Continue Forensics Odyssey 3.
2. Last we can see there is a deleted files in the side of the tab

3. Press All
4. And we can see the last flag at here, it is easy right!

Knock Knock

1. Download the attachment given by the challenge.
2. Open the pcap file using wireshark(https://www.wireshark.org/#downloadLink (opens in a new tab))
3. We can see theres only TCP Protocol this time, but hey look at the down-right corner, its at there again.
   • 
4. OK lets try different port. And we can see there is a different character but the same as flag CyberX word.
5. So just follow and record it one by one and we can get the flag for this challenge.
   • 
6. Hooray there goess the flag!

Knock Knock, whose there? CyberX here hehe.

Poslaju

1. Download the attachment given by the challenge.
2. Open the pcap file using wireshark(https://www.wireshark.org/#downloadLink (opens in a new tab))
3. Choose one port of http and right click, follow the http stream.
4. You can see there is a C in front of the HTTP/1.1.
   • 
5. Looks like there is a flag there maybe, so lets try increase the stream.
   • 
6. Looks like there is a y, so lets record it (flag type = CyberX)
   • 
   • Record the flag one bye one by increasing the stream.
7. And there is it the flag!

Powershell 1

1. Download the Runme.zip file from the attachment.
2. Unzip the file
3. Inspect what inside the file.
   • It contains only runme.ps1
4. I try edit the file with notepad and inside we can see this code

   powershell -EncodedCommand ZQBjAGgAbwAgAEMAeQBiAGUAcgBYAHsAdwBoADQAdABfADEAbgBfAHQAaAA0AF8AYgBhAHMAZQA2ADQAXwAxAHMAXwBUAGgAMQBzACEAIQB9AA==
5. ZQBjAGgAbwAgAEMAeQBiAGUAcg.... is smoehow look like a encryted words.
6. Use CyberChef(https://cyberchef.net/ (opens in a new tab))
7. 
8. And there is it the Flag!

Santa Scan

1. First download the attachment given by the challenge.
2. It is a file call santa_scan.pcap.
3. Open the file using wireshark(https://www.wireshark.org/#downloadLink (opens in a new tab))
4. The hint given by the challenge is TCP, so let us type TCP in the seach box.
5. As you can see there is a lot of port with TCP Protocol.
6. Now lets find where is the flag, but hey see, there is something at the down-right corner (highlighted)
   • 
7. After pressing few TCP Ports and we can sure that it is the Flag for us (TCP Stream with port length 60)
   • 
8. Thats the flag!! Hooray, Happy Christmas HoHoHo!!!

ZipCrack 1: The Hidden Lock

1. Download the zip file from the attachment.

2. unzip the file, but hemm, look like normally unzip is not suitable(see the attach picture)

   • 

3. So use command 7z e flag.zip 7zip is a better unzip tools in this case. But ohno there is a password.

   • 

4. So i try to bruteforce it using John The Ripper.

   • because it is a zipfile, we need to use command zip2john flag.zip > hash.txt to make the zip file a hash text then we can use to bruteforce finding the same hash to find out the password.

5. Use this command john -w usr/share/wordlists/rockyou.txt hash.txt

6. And we will found out that the password for this file is rainbow1

   • 

7. And now let use use the password to go inside and take a look of the flag.txt file

   • 

8. Thats it!! the flag for this question!!

ZipCrack 2: The Champion Lock

• this make me frustrated and at the end just found out a word in upper case causing fail .....

1. First download the attachment for the challenge.

2. Same as the last question it need to use 7z to unzip. But this time, hint is using the LOL Champions name.

3. Im not a LOL player so, i go online search what is champion and blablabla~, and found out champions is a character of the LOL Games.

4. Ok now have the hint, i try go GPT to let it list it our for me all champions name 100+ and make it a wordlist (.txt)

5. Last, use john to bruteforce the zipfile answer using the command

   zip2john champion.zip > hash_flag2.txt
   john --wordlist=lol_wordlist.txt hash_flag2.txt

6. And we found out the password for this file is

   • 
   • Credit to my teammates Ching Yang to find out, as my wordlist is with uppercase in the first character.......

7. use 7z to unzip it and we can see the flag is inside Yay!

   • 

8. There you go the flag!!