# picoCTF 2025 [FORENSICS]

![image](https://hackmd.io/_uploads/Sk77eGehke.png)

## 1. Ph4nt0m 1ntrud3r

![image](https://hackmd.io/_uploads/B1fHxfl21g.png)

The challenge gives us a pcap file; a quick look at it:

![image](https://hackmd.io/_uploads/rJqvgGgnkl.png)

The TCP payloads contain base64 fragments that may hold pieces of the flag, so extract them in timestamp order and decode them:

```bash=
tshark -r myNetworkTraffic.pcap -Y "tcp.payload" -T fields -e frame.time_epoch -e tcp.payload | sort -n
```

![image](https://hackmd.io/_uploads/HJLjgMxh1e.png)

Script:

```python=
import base64

# tcp.payload values from the tshark output above, already in timestamp order.
# Each one is the hex encoding of a base64 string.
hex_payloads = [
    "685769557671513d", "77326952486e673d", "675673526f50553d", "6e30746e346a593d",
    "595a59417645733d", "7a3349797a76673d", "424e41556436553d", "67436a7679396f3d",
    "2b5a7968387a553d", "6f5a59725047453d", "32466c6a5541773d", "356837663967773d",
    "514845534847593d", "4c7050755136773d", "4736557a744a773d",
    "63476c6a62304e5552673d3d", "657a46305833633063773d3d", "626e52666447673064413d3d",
    "587a4d3063336c6664413d3d", "596d68664e484a665a513d3d", "4e575534597a63345a413d3d",
    "66513d3d",
]

decoded_parts = []
for hex_str in hex_payloads:
    try:
        raw_bytes = bytes.fromhex(hex_str)  # hex -> the base64 text
        # errors="ignore" drops bytes that are not valid UTF-8 (the non-flag payloads)
        decoded_text = base64.b64decode(raw_bytes).decode("utf-8", errors="ignore")
        decoded_parts.append(decoded_text)
    except ValueError:  # bad hex or bad base64 (binascii.Error is a ValueError)
        decoded_parts.append("[ERROR]")

flag = "".join(decoded_parts)
print(flag)
```

![image](https://hackmd.io/_uploads/Sy01Wfe31e.png)

> Flag: picoCTF{1t_w4snt_th4t_34sy_tbh_4r_e5e8c78d}
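As an added example (not the writeup's script), here is a version that reads the tshark field output directly instead of pasting the hex values by hand: it orders the payloads by `frame.time_epoch`, strips the hex and base64 layers, and keeps only the chunks that decode to printable text, which is how the noise packets drop out. The sample lines are constructed in the shape of that output; the noise payload is the first payload from the capture, the three flag chunks are made up.

```python
import base64

# Constructed sample in the shape of
#   tshark -r x.pcap -Y "tcp.payload" -T fields -e frame.time_epoch -e tcp.payload
# Lines are deliberately out of order. The third payload is the first (noise)
# payload from the capture; the other three spell a made-up flag.
SAMPLE_TSHARK_OUTPUT = """\
1742000003.000100\t4e47317762444e39
1742000001.000100\t65325930617a4e6663773d3d
1742000002.000100\t685769557671513d
1742000000.000100\t63476c6a62304e5552673d3d
"""


def decode_chunk(hex_payload):
    """hex -> base64 text -> bytes. Returns the text, or None for noise."""
    try:
        # some tshark versions print the payload as 68:57:69:..., so drop colons
        b64_text = bytes.fromhex(hex_payload.replace(":", ""))
        raw = base64.b64decode(b64_text, validate=True)
        text = raw.decode("ascii")
    except ValueError:  # bad hex, bad base64 and non-ASCII bytes all raise ValueError
        return None
    return text if text.isprintable() else None


def reassemble(tshark_output):
    """Order payloads by frame.time_epoch and join the chunks that decode cleanly."""
    records = []
    for line in tshark_output.splitlines():
        if not line.strip():
            continue
        epoch, payload = line.split("\t")
        records.append((float(epoch), payload))
    records.sort()  # the packets were captured out of flag order; time restores it
    parts = [decode_chunk(payload) for _, payload in records]
    return "".join(p for p in parts if p is not None)


if __name__ == "__main__":
    print(reassemble(SAMPLE_TSHARK_OUTPUT))  # picoCTF{f4k3_s4mpl3}
```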
---

## 2. RED

![image](https://hackmd.io/_uploads/rkpXZfxhye.png)

The challenge gives us an image:

![red](https://hackmd.io/_uploads/ryk8WMg21g.png)

Use zsteg to get more information:

![image](https://hackmd.io/_uploads/BybnWzx3ye.png)

> cGljb0NURntyM2RfMXNfdGgzX3VsdDFtNHQzX2N1cjNfZjByXzU0ZG4zNTVffQ==cGljb0NURntyM2RfMXNfdGgzX3VsdDFtNHQzX2N1cjNfZjByXzU0ZG4zNTVffQ==cGljb0NURntyM2RfMXNfdGgzX3VsdDFtNHQzX2N1cjNfZjByXzU0ZG4zNTVffQ==cGljb0NURntyM2RfMXNfdGgzX3VsdDFtNHQzX2N1cjNfZjByXzU0ZG4zNTVffQ==

Decode:

![image](https://hackmd.io/_uploads/H1jAbMlhyg.png)

> Flag: picoCTF{r3d_1s_th3_ult1m4t3_cur3_f0r_54dn355_}

---

## 3. flags are stepic

![image](https://hackmd.io/_uploads/BJ-7Gfenkl.png)

The challenge gives us a web page showing national flags, plus a hint that the odd-looking flag holds the flag:

![image](https://hackmd.io/_uploads/HyJdffe3yl.png)

We find the flag of Upanzi:

![image](https://hackmd.io/_uploads/Hy8jzMl3ye.png)

Download that image; the challenge name pointed me to the stepic library, and a short script prints the flag directly:

![image](https://hackmd.io/_uploads/SyE-mzx3yx.png)

```python=
import stepic
from PIL import Image

# stepic hides data in the least significant bits of the pixel values;
# decode() reads it back out of the downloaded flag image.
img = Image.open("upz.png")
hidden_data = stepic.decode(img)
print(hidden_data)
```

> Flag: picoCTF{fl4g_h45_fl4g16aa94cf}

---

## 4. Event-Viewing

![image](https://hackmd.io/_uploads/rJFSmfenyg.png)

This challenge gives us an `.evtx` file. After reading the scenario you can locate the parts in the relevant events, but there is an unintended solution: once I found one part and saw that it was base64-encoded, a Ctrl+F for `==` turns up all of them:

![image](https://hackmd.io/_uploads/Bysb4Ge21g.png)

> cGljb0NURntFdjNudF92aTN3djNyXw==
> picoCTF{Ev3nt_vi3wv3r_

![image](https://hackmd.io/_uploads/BkSg4Mx2kl.png)

> MXNfYV9wcjN0dHlfdXMzZnVsXw==
> 1s_a_pr3tty_us3ful_

![image](https://hackmd.io/_uploads/S10z8MgnJg.png)

> dDAwbF84MWJhM2ZlOX0=
> t00l_81ba3fe9}

✅ Part 1 – Event ID 1033 (MsiInstaller)
✅ Part 2 – Event ID 4657 (Registry Modification)
✅ Part 3 – Event ID 1074 (Shutdown System)

> Flag: picoCTF{Ev3nt_vi3wv3r_1s_a_pr3tty_us3ful_t00l_81ba3fe9}
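The Ctrl+F trick can be automated. As an added example (not from the writeup), the script below scans an XML export of the log for base64-looking tokens, decodes the ones that yield printable text and reports them with their EventID, ordered by EventRecordID. The XML is a constructed, cut-down sample: the EventIDs and the three base64 strings are the ones found above, while the record IDs, provider names, Data field names and message wording are assumed.

```python
import base64
import re
import xml.etree.ElementTree as ET

EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVT_NS}

# Constructed, cut-down XML export of the three relevant events. EventIDs and base64
# values are from the challenge; record IDs, providers, Data names and wording are assumed.
SAMPLE_EVTX_XML = f"""<Events>
<Event xmlns="{EVT_NS}"><System><Provider Name="Microsoft-Windows-Security-Auditing"/>
<EventID>4657</EventID><EventRecordID>202</EventRecordID></System>
<EventData><Data Name="NewValue">MXNfYV9wcjN0dHlfdXMzZnVsXw==</Data></EventData></Event>
<Event xmlns="{EVT_NS}"><System><Provider Name="MsiInstaller"/>
<EventID>1033</EventID><EventRecordID>101</EventRecordID></System>
<EventData><Data>Product Name: cGljb0NURntFdjNudF92aTN3djNyXw==. Installation success or error status: 0.</Data></EventData></Event>
<Event xmlns="{EVT_NS}"><System><Provider Name="User32"/>
<EventID>1074</EventID><EventRecordID>303</EventRecordID></System>
<EventData><Data Name="param7">dDAwbF84MWJhM2ZlOX0=</Data></EventData></Event>
</Events>"""

# A run of 16+ base64 characters plus optional padding, not glued to other base64 characters.
B64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/=])")


def decode_if_text(token):
    """Decode a candidate token; keep it only if the result is printable ASCII."""
    try:
        text = base64.b64decode(token, validate=True).decode("ascii")
    except ValueError:  # bad padding, bad alphabet or non-ASCII bytes
        return None
    return text if text.isprintable() else None


def find_base64_parts(xml_text):
    """Return [(record_id, event_id, decoded_text)] sorted by EventRecordID."""
    hits = []
    for event in ET.fromstring(xml_text).findall("e:Event", NS):
        system = event.find("e:System", NS)
        event_id = int(system.find("e:EventID", NS).text)
        record_id = int(system.find("e:EventRecordID", NS).text)
        data_text = " ".join(d.text or "" for d in event.iter(f"{{{EVT_NS}}}Data"))
        for match in B64_TOKEN.finditer(data_text):
            decoded = decode_if_text(match.group(0))
            if decoded is not None:
                hits.append((record_id, event_id, decoded))
    return sorted(hits)


if __name__ == "__main__":
    print("".join(text for _, _, text in find_base64_parts(SAMPLE_EVTX_XML)))
```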
---

## 5. Bitlocker-1

![image](https://hackmd.io/_uploads/H128qzg3kg.png)

The challenge hints at hash cracking, so just follow that lead:

```bash=
┌──(kali㉿kali)-[~/Desktop]
└─$ bitlocker2john -i bitlocker-1.dd > bitlocker.hash

┌──(kali㉿kali)-[~/Desktop]
└─$ cat bitlocker.hash
Encrypted device bitlocker-1.dd opened, size 100MB
Salt: 2b71884a0ef66f0b9de049a82a39d15b
RP Nonce: 00be8a46ead6da0106000000
RP MAC: a28f1a60db3e3fe4049a821c3aea5e4b
RP VMK: a1957baea68cd29488c0f3f6efcd4689e43f8ba3120a33048b2ef2c9702e298e4c260743126ec8bd29bc6d58
UP Nonce: d04d9c58eed6da010a000000
UP MAC: 68156e51e53f0a01c076a32ba2b2999a
UP VMK: fffce8530fbe5d84b4c19ac71f6c79375b87d40c2d871ed2b7b5559d71ba31b6779c6f41412fd6869442d66d
User Password hash:
$bitlocker$0$16$cb4809fe9628471a411f8380e0f668db$1048576$12$d04d9c58eed6da010a000000$60$68156e51e53f0a01c076a32ba2b2999afffce8530fbe5d84b4c19ac71f6c79375b87d40c2d871ed2b7b5559d71ba31b6779c6f41412fd6869442d66d
Hash type: User Password with MAC verification (slower solution, no false positives)
$bitlocker$1$16$cb4809fe9628471a411f8380e0f668db$1048576$12$d04d9c58eed6da010a000000$60$68156e51e53f0a01c076a32ba2b2999afffce8530fbe5d84b4c19ac71f6c79375b87d40c2d871ed2b7b5559d71ba31b6779c6f41412fd6869442d66d
Hash type: Recovery Password fast attack
$bitlocker$2$16$2b71884a0ef66f0b9de049a82a39d15b$1048576$12$00be8a46ead6da0106000000$60$a28f1a60db3e3fe4049a821c3aea5e4ba1957baea68cd29488c0f3f6efcd4689e43f8ba3120a33048b2ef2c9702e298e4c260743126ec8bd29bc6d58
Hash type: Recovery Password with MAC verification (slower solution, no false positives)
$bitlocker$3$16$2b71884a0ef66f0b9de049a82a39d15b$1048576$12$00be8a46ead6da0106000000$60$a28f1a60db3e3fe4049a821c3aea5e4ba1957baea68cd29488c0f3f6efcd4689e43f8ba3120a33048b2ef2c9702e298e4c260743126ec8bd29bc6d58

┌──(kali㉿kali)-[~/Desktop]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt bitlocker.hash
Note: This format may emit false positives, so it will keep trying even after finding a possible candidate.
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (BitLocker, BitLocker [SHA-256 AES 32/64])
Cost 1 (iteration count) is 1048576 for all loaded hashes
Will run 6 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
jacqueline       (?)
jacqueline       (?)
2g 0:00:09:35 0.02% (ETA: 2025-04-10 09:15) 0.003473g/s 6.346p/s 12.69c/s 12.69C/s lovegod..angela1
Session aborted

┌──(kali㉿kali)-[~/Desktop]
└─$ sudo su
dislocker -V bitlocker-1.dd -u"jacqueline" -- /mnt/bitlocker
ls -l /mnt/bitlocker

┌──(root㉿kali)-[/home/kali/Desktop]
└─# dislocker -V bitlocker-1.dd -u"jacqueline" -- /mnt/bitlocker
ls -l /mnt/bitlocker
total 0
-rw-rw-rw- 1 root root 104857600 Jan  1  1970 dislocker-file

┌──(root㉿kali)-[/home/kali/Desktop]
└─# sudo mkdir /mnt/mounted
sudo mount -o loop /mnt/bitlocker/dislocker-file /mnt/mounted
ls -l /mnt/mounted
The disk contains an unclean file system (0, 0).
Metadata kept in Windows cache, refused to mount.
Falling back to read-only mount because the NTFS partition is in an unsafe state. Please resume and shutdown Windows fully (no hibernation or fast restarting.)
Could not mount read-write, trying read-only
total 5
drwxrwxrwx 1 root root    0 Jul 16  2024 '$RECYCLE.BIN'
-rwxrwxrwx 1 root root   43 Jul 16  2024  flag.txt
drwxrwxrwx 1 root root 4096 Jul 16  2024 'System Volume Information'

┌──(root㉿kali)-[/home/kali/Desktop]
└─# cat /mnt/mounted/flag.txt
picoCTF{us3_b3tt3r_p4ssw0rd5_pl5!_3242adb1}
```

> Flag: picoCTF{us3_b3tt3r_p4ssw0rd5_pl5!_3242adb1}
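To see what john is actually attacking, it helps to take the `$bitlocker$` lines apart. The parser below is an added example (not part of the writeup or of bitlocker2john); the field layout and the mode names are read off the bitlocker2john output above, and the line it parses is the User Password hash from that output. The iteration count it reports is why the wordlist crawls at a few passwords per second, and why only a weak password makes this attack feasible.

```python
# Field layout as seen in the bitlocker2john output above:
#   $bitlocker$<mode>$<salt_len>$<salt>$<iterations>$<nonce_len>$<nonce>$<data_len>$<mac+vmk>
# The data field is the MAC (16 bytes) followed by the encrypted VMK (44 bytes), 60 bytes total.
MODE_NAMES = {
    0: "User Password",
    1: "User Password with MAC verification",
    2: "Recovery Password fast attack",
    3: "Recovery Password with MAC verification",
}
MAC_BYTES = 16

# The User Password line from bitlocker.hash above.
UP_HASH = ("$bitlocker$0$16$cb4809fe9628471a411f8380e0f668db$1048576$12$d04d9c58eed6da010a000000$60$"
           "68156e51e53f0a01c076a32ba2b2999afffce8530fbe5d84b4c19ac71f6c79375b87d40c2d871ed2b7b5559d71ba31b6779c6f41412fd6869442d66d")


def parse_bitlocker_hash(line):
    """Split a $bitlocker$ line into labelled fields, checking the declared lengths."""
    fields = line.strip().split("$")
    if len(fields) != 10 or fields[0] != "" or fields[1] != "bitlocker":
        raise ValueError("not a $bitlocker$ hash")
    _, _, mode, salt_len, salt, iterations, nonce_len, nonce, data_len, data = fields
    mode, salt_len, iterations, nonce_len, data_len = map(int, (mode, salt_len, iterations, nonce_len, data_len))
    if mode not in MODE_NAMES:
        raise ValueError(f"unknown mode {mode}")
    # Declared lengths are in bytes, so each hex string must be exactly twice as long.
    for name, declared, hexval in (("salt", salt_len, salt), ("nonce", nonce_len, nonce), ("data", data_len, data)):
        if len(hexval) != 2 * declared or not all(c in "0123456789abcdef" for c in hexval):
            raise ValueError(f"{name}: expected {declared} bytes of hex")
    return {
        "mode": mode,
        "mode_name": MODE_NAMES[mode],
        "salt": salt,
        "iterations": iterations,          # SHA-256 rounds per password guess
        "nonce": nonce,
        "mac": data[: 2 * MAC_BYTES],
        "encrypted_vmk": data[2 * MAC_BYTES :],
    }


def select_user_password_hashes(hash_file_text):
    """Keep only the lines for a user-password attack (modes 0 and 1), as in the writeup."""
    return [line for line in hash_file_text.splitlines()
            if line.startswith("$bitlocker$") and parse_bitlocker_hash(line)["mode"] in (0, 1)]


if __name__ == "__main__":
    info = parse_bitlocker_hash(UP_HASH)
    print(f"{info['mode_name']}: {info['iterations']} SHA-256 iterations per guess, MAC {info['mac']}")
```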
---

## 6. Bitlocker-2

![image](https://hackmd.io/_uploads/Sk2JifxhJe.png)

The challenge gives two files, `memdump.mem` and a `.dd` image. It is not hard to picture the plan: extract the key from the memory dump and use it to decrypt the dd image. Stock vol2 or vol3, however, turns up nothing, so I needed an external plugin, which a search for the challenge name, bitlocker, led me to:

> https://github.com/breppo/Volatility-BitLocker
> https://github.com/p0dalirius/docker-volatility2

```bash=
┌──(kali㉿kali)-[~/Downloads/volatility 2]
└─$ git clone https://github.com/p0dalirius/docker-volatility2.git
cd docker-volatility2
make install
Cloning into 'docker-volatility2'...
remote: Enumerating objects: 41, done.
remote: Counting objects: 100% (41/41), done.
remote: Compressing objects: 100% (35/35), done.
remote: Total 41 (delta 19), reused 14 (delta 4), pack-reused 0 (from 0)
Receiving objects: 100% (41/41), 33.23 KiB | 4.15 MiB/s, done.
Resolving deltas: 100% (19/19), done.
docker build -t volatility2docker:latest -f Dockerfile .
[+] Building 3441.0s (11/11) FINISHED                                                                                          docker:default
 => [internal] load build definition from Dockerfile                                                                                     0.0s
 => => transferring dockerfile: 717B                                                                                                     0.0s
 => [internal] load metadata for docker.io/library/debian:buster                                                                         4.0s
 => [internal] load .dockerignore                                                                                                        0.0s
 => => transferring context: 2B                                                                                                          0.0s
 => [1/7] FROM docker.io/library/debian:buster@sha256:58ce6f1271ae1c8a2006ff7d3e54e9874d839f573d8009c20154ad0f2fb0a225                  23.8s
 => => resolve docker.io/library/debian:buster@sha256:58ce6f1271ae1c8a2006ff7d3e54e9874d839f573d8009c20154ad0f2fb0a225                   0.0s
 => => sha256:2a0c1b9175adf759420fe0fbd7f5b449038319171eb76554bb76cbe172b62b42 529B / 529B                                              0.0s
 => => sha256:69530eaa9e7e18d0aad40c38b75a22b40c6ebdc374c059bd5f2eb07042caa50a 1.46kB / 1.46kB                                          0.0s
 => => sha256:3892befd2c3f36ceb247ba7d906de12601d69b806597e65c4c837cf3d93df119 50.66MB / 50.66MB                                       21.0s
 => => sha256:58ce6f1271ae1c8a2006ff7d3e54e9874d839f573d8009c20154ad0f2fb0a225 984B / 984B                                              0.0s
 => => extracting
sha256:3892befd2c3f36ceb247ba7d906de12601d69b806597e65c4c837cf3d93df119                                                                 2.6s
 => [2/7] RUN apt-get -y -q update && apt-get -y -q install sudo nano git curl wget build-essential python3-pip python2 python2-dev    3377.9s
 => [3/7] RUN curl https://bootstrap.pypa.io/pip/2.7/get-pip.py --output /tmp/get-pip.py && python2 /tmp/get-pip.py && python2 -m pip ins  22.7s
 => [4/7] RUN git clone https://github.com/volatilityfoundation/volatility /volatility/ && cd /volatility/                               7.8s
 => [5/7] RUN echo '#!/bin/bash\npython2 /volatility/vol.py ${@}' > /bin/volatility && chmod +x /bin/volatility && ln -s /bin/volatility /  0.2s
 => [6/7] RUN mkdir -p /workspace/                                                                                                       0.3s
 => [7/7] WORKDIR /workspace/                                                                                                            0.1s
 => exporting to image                                                                                                                   4.2s
 => => exporting layers                                                                                                                  4.1s
 => => writing image sha256:00dc6225ccb43e2e6308ae97af6dc68d9aaa50878bdb97b839f9e264656382ab                                            0.0s
 => => naming to docker.io/library/volatility2docker:latest                                                                              0.0s

 1 warning found (use docker --debug to expand):
 - JSONArgsRecommended: JSON arguments recommended for CMD to prevent unintended behavior related to OS signals (line 22)
[sudo] password for kali:
[+] Installed successfully in /bin/volatility2docker
```

Inside the container, drop the plugin into Volatility's plugin directory and run it against the memory dump:

```bash=
root@73bfb72e969b:/workspace# cp bitlocker.py /volatility/volatility/plugins
root@73bfb72e969b:/workspace# volatility2 -f memdump.mem --profile=Win10x64_19041 bitlocker --dislocker export/
Volatility Foundation Volatility Framework 2.6.1

[FVEK] Address : 0x9e8879926a50
[FVEK] Cipher  : AES 128-bit (Win 8+)
[FVEK] FVEK: 5b6ff64e4a0ee8f89050b7ba532f6256
[DISL] FVEK for Dislocker dumped to file: export/0x9e8879926a50-Dislocker.fvek

[FVEK] Address : 0x9e887496fb30
[FVEK] Cipher  : AES 256-bit (Win 8+)
[FVEK] FVEK: 60be5ce2a190dfb760bea1ece40e4223c8982aecfd03221a5a43d8fdd302eaee
[DISL] FVEK for Dislocker dumped to file: export/0x9e887496fb30-Dislocker.fvek

[FVEK] Address : 0x9e8874cb5c70
[FVEK] Cipher  : AES 128-bit (Win 8+)
[FVEK] FVEK: 1ed2a4b8dd0290f646ded074fbcff8bd
[DISL] FVEK for Dislocker dumped to file:
export/0x9e8874cb5c70-Dislocker.fvek

[FVEK] Address : 0x9e88779f1a10
[FVEK] Cipher  : AES 128-bit (Win 8+)
[FVEK] FVEK: bccaf1d4ea09e91f976bf94569761654
[DISL] FVEK for Dislocker dumped to file: export/0x9e88779f1a10-Dislocker.fvek
```

After extracting the four FVEKs, try each of them against the dd image; the one that matches the volume gives us the flag:

```bash=
┌──(root㉿kali)-[/home/kali/Desktop]
└─# mkdir -p bitlocker_mount
dislocker -k 0x9e887496fb30-Dislocker.fvek -- bitlocker-2.dd -- bitlocker_mount

┌──(root㉿kali)-[/home/kali/Desktop]
└─# sudo mount -o loop bitlocker_mount/dislocker-file /mnt/mounted
ls /mnt/mounted
mount: /mnt/mounted: wrong fs type, bad option, bad superblock on /dev/loop0, missing codepage or helper program, or other error.
       dmesg(1) may have more information after failed mount system call.

┌──(root㉿kali)-[/home/kali/Desktop]
└─# sudo umount bitlocker_mount
sudo rm -rf bitlocker_mount

┌──(root㉿kali)-[/home/kali/Desktop]
└─# mkdir -p bitlocker_mount
dislocker -k 0x9e88779f1a10-Dislocker.fvek -- bitlocker-2.dd -- bitlocker_mount

┌──(root㉿kali)-[/home/kali/Desktop]
└─# sudo mount -o loop bitlocker_mount/dislocker-file /mnt/mounted
ls /mnt/mounted
mount: /mnt/mounted: wrong fs type, bad option, bad superblock on /dev/loop0, missing codepage or helper program, or other error.
       dmesg(1) may have more information after failed mount system call.

┌──(root㉿kali)-[/home/kali/Desktop]
└─# sudo umount bitlocker_mount
sudo rm -rf bitlocker_mount

┌──(root㉿kali)-[/home/kali/Desktop]
└─# mkdir -p bitlocker_mount
dislocker -k 0x9e8874cb5c70-Dislocker.fvek -- bitlocker-2.dd -- bitlocker_mount

┌──(root㉿kali)-[/home/kali/Desktop]
└─# sudo mount -o loop bitlocker_mount/dislocker-file /mnt/mounted
ls /mnt/mounted
mount: /mnt/mounted: wrong fs type, bad option, bad superblock on /dev/loop0, missing codepage or helper program, or other error.
       dmesg(1) may have more information after failed mount system call.
┌──(root㉿kali)-[/home/kali/Desktop]
└─# sudo umount bitlocker_mount
sudo rm -rf bitlocker_mount

┌──(root㉿kali)-[/home/kali/Desktop]
└─# mkdir -p bitlocker_mount
dislocker -k 0x9e8879926a50-Dislocker.fvek -- bitlocker-2.dd -- bitlocker_mount

┌──(root㉿kali)-[/home/kali/Desktop]
└─# sudo mount -o loop bitlocker_mount/dislocker-file /mnt/mounted
ls /mnt/mounted
'$RECYCLE.BIN'   flag.txt  'System Volume Information'

┌──(root㉿kali)-[/home/kali/Desktop]
└─# cd /mnt/mounted

┌──(root㉿kali)-[/mnt/mounted]
└─# ls
'$RECYCLE.BIN'   flag.txt  'System Volume Information'

┌──(root㉿kali)-[/mnt/mounted]
└─# cat flag.txt
picoCTF{B1tl0ck3r_dr1v3_d3crypt3d_9029ae5b}
```

> Flag: picoCTF{B1tl0ck3r_dr1v3_d3crypt3d_9029ae5b}

---