# [L3akCTF] Forensics - L3ak Advanced Defenders Writeup

![image](https://hackmd.io/_uploads/SkvzBqbUgg.png)

---

This write-up briefly covers the answers and my approach to a forensics challenge from `L3akCTF 2025`. It turned out to be the highest-scoring challenge for our team, which I'm very proud of, even though I'd still call it an easy/medium challenge.

My initial step was direct. I didn't even look at the questions first, lol. I just opened the `backup.dat` file in a hex editor and saw the header `win-ad-ob`, which clearly indicated an Active Directory object file.

![hex preview](https://hackmd.io/_uploads/SkjSmqbUge.png)

Downloaded AD Explorer from https://learn.microsoft.com/en-us/sysinternals/downloads/adexplorer, opened the `.dat` file and browsed the objects manually.

---

## Question 1:

**1) What is the forest root domain name? Format: prefix.name.suffix**

Answer: `l3ak.ctf.com`

→ Once opened in AD Explorer, we can instantly see "DC=l3ak,DC=ctf,DC=com"

![image](https://hackmd.io/_uploads/HJUix2RIgl.png)

---

## Question 2:

**2) What is the name of the primary domain controller for this domain?**

Answer: `L3AKPRIDC`

→ Inside the root domain we can see the OU called "Domain Controllers", which holds the primary DC.

![image](https://hackmd.io/_uploads/SJSJ-2RIxe.png)

---

## Question 3:

**3) Which hosts have not been assigned to an OU? Format: host1, host2, ...**

Answer: `FileSrv03, FileSrvWin11, InternStn`

→ Found in `CN=Computers` (the default container, not a specific OU).

![image](https://hackmd.io/_uploads/H1Kt-3R8le.png)

---

## Question 4:

**4) List the oldest operating system used in the domain and the name of the workstation with this OS. Format: OS1, OS2, ...**

Answer: `Windows 95, InternStn`

→ Look at the `operatingSystem` and `operatingSystemVersion` attributes on all workstation objects.

![image](https://hackmd.io/_uploads/rJJnZ3C8ee.png)

---

## Question 5:

**5) Based on their current operating system, which workstations are placed in the wrong OU?
Format: host1, host2, ...**

Answer: `ITWorkstn02, ITWorkstn03`

→ Under the "Workstations" OU there are sub-OUs for the various operating systems, but `ITWorkStn02` and `ITWorkStn03` are Windows 11 hosts sitting in the Windows 10 OU.

![image](https://hackmd.io/_uploads/SyjAb2CIgx.png)

---

## Question 6:

**6) Which hosts are no longer used by the organization? Format: host1, host2, ...**

Answer: `IT, ITTroubleshootStn, Linux, Repo`

→ Hosts located in `CN=Deleted Objects`.

![image](https://hackmd.io/_uploads/S11tzn0Ugx.png)

---

## Question 7:

**7) Which users have their account disabled, and what is the value (in hex) of the attribute that dictates this? Format: displayName, 0x...**

Answer: `Wilhelm Firtz, Reginald Norwood, Christopher Price, 0x202`

→ Reference: https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/useraccountcontrol-manipulate-account-properties#list-of-property-flags

→ The flags are cumulative (bitwise OR of the individual bits):

- `0x2` → 2 = ACCOUNTDISABLE
- combined with `0x200` → 512 = NORMAL_ACCOUNT
- total = `0x202` = `514 (dec)`

→ Filtered users where the attribute `userAccountControl = 514`

![image](https://hackmd.io/_uploads/S1FeX2RLgl.png)

---

## Question 8:

**8) Which enabled users have their password set to not expire, and what is the value (in hex) of the attribute that dictates this? Format: displayName, 0x...**

Answer: `Bigsby Appleton, Montgomery Fitzgerald, Lily Sampson, 0x10200`

Using the reference above, we can see that we need to find a `userAccountControl` value of `0x10200`:

- `0x10000` = DONT_EXPIRE_PASSWORD
- `0x200` = NORMAL_ACCOUNT
- Total: `0x10200` = `66048 (dec)`

→ Searched for `userAccountControl = 66048`

→ Excluded the built-in Administrator because the questions always ask for users

![image](https://hackmd.io/_uploads/HyKSXn08lx.png)

---

## Question 9:

**9) What departments exist inside this domain, and how many active employees exist in each department? List the departments in alphabetical order.
Format: DepartmentName-NumberOfEmployees**

Answer: `Finance-3, HR-8, IT-5`

→ Just exclude disabled users (i.e. where `userAccountControl = 514`) and count the rest per `department`.

![image](https://hackmd.io/_uploads/BJrDmnA8xg.png)

---

## Question 10:

**10) Which users have the most control over the structure of the AD forest? Format: user1, user2, ...**

Answer: `Charlie Edgars, Lily Sampson`

→ Users with the most control are typically members of highly privileged groups such as Schema Admins, Enterprise Admins and Domain Admins.

→ Found at `CN=Users → CN=Schema Admins`, then open the `member` attribute.

![image](https://hackmd.io/_uploads/Hkwj72RUgl.png)

---

## Question 11:

**11) Which users violate the principle of least privilege? Format: user1, user2, ...**

Answer: `Christopher Price, Eleanor Wharton`

Flag users in roles they shouldn't be in:

→ **Eleanor Wharton** = member of IT but also in `CN=Finance Employees`

→ **Christopher Price** = disabled external user, still part of `CN=IT Employees`

![image](https://hackmd.io/_uploads/S1mCXh0Ull.png)

---

## Question 12:

**12) Which OUs block inheritance? Format: OU1, OU2, ...**

Answer: `Domain Controllers, IT, FileServers`

Reference: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-gpol/08090b22-bc16-49f4-8e10-f27a8fb16d18

→ The `gPOptions` attribute determines the behavior of policy inheritance; a value of 1 blocks inheritance.

→ Filtered for OUs with `gPOptions = 1`

![image](https://hackmd.io/_uploads/H10IEnRLlx.png)

---

## Question 13:

**13) The GPOs were imported from a file supplied by a U.S. organization. Provide the sha256sum hash of the zip file containing the GPOs.**

Answer: `4BD7742C73A610EDF79A6B484457351438C90DC6FAC119EF8475B46D96BD2B37`

→ All GPOs found under `CN=System → CN=Policies` started with `DoD`, which points to U.S.
DoD baselines.

→ Look online to find the zip file containing all the DoD GPOs: https://ncp.nist.gov/checklist/914/download/13778

---

## Question 14:

**14) What anti-virus software does the domain utilize, what is the maximum age in days of the AV definitions, and what must be impeded from launching executables?**

Answer: `Microsoft Defender, 7, JavaScript, VBScript`

→ Found the AV-related GPOs (`displayName` containing "Microsoft Defender") and cross-referenced them with the DISA STIG benchmark, where the rules can be found: [DISA STIG Microsoft Defender Antivirus v2r4](https://www.tenable.com/audits/items/DISA_STIG_Microsoft_Defender_Antivirus_v2r4.audit:b453ac8bb4df792875e7cc8b4e6a1a5a)

![image](https://hackmd.io/_uploads/BkdZHhAIlg.png)

---

## 📝 Notes

Things that took me hours:

- Q5: Test machines were not necessarily workstations.
- Q7: The answer needs to be ordered alphabetically by **last name**.
- Q14: Answers were always a **comma-separated list**, but I was trying "JavaScript and/or VBScript".
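To make the `userAccountControl` and `gPOptions` reasoning from Q7, Q8, Q9 and Q12 reproducible without clicking through AD Explorer, here is an added example that is not part of the original writeup and not the challenge's data: the user and OU records are constructed for illustration, the flag table is the documented Microsoft bit layout, and the function names (`decode_uac`, `disabled_users`, `nonexpiring_enabled_users`, `active_per_department`, `blocking_ous`, `answer_line`) are my own. The same filters apply to an attribute export from AD Explorer or `Get-ADUser` once it is loaded into the same dict shape.

```python
"""Decode userAccountControl and re-apply the Q7/Q8/Q9/Q12 filters to constructed records.

The USERS and OUS lists below are made up for illustration; they are NOT the
contents of the challenge's backup.dat.
"""
from collections import Counter

# Bit values from Microsoft's userAccountControl documentation (subset).
UAC_FLAGS = {
    0x0001: "SCRIPT",
    0x0002: "ACCOUNTDISABLE",
    0x0008: "HOMEDIR_REQUIRED",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x400000: "DONT_REQ_PREAUTH",
}
ACCOUNTDISABLE = 0x2
NORMAL_ACCOUNT = 0x200
DONT_EXPIRE_PASSWORD = 0x10000
GPOPTIONS_BLOCK_INHERITANCE = 0x1  # MS-GPOL: bit 0 of gPOptions blocks inheritance

# Constructed sample users: displayName, sAMAccountName, department, userAccountControl.
USERS = [
    {"displayName": "Alice Example", "sAMAccountName": "alice", "department": "Finance", "userAccountControl": 512},
    {"displayName": "Bob Example", "sAMAccountName": "bob", "department": "Finance", "userAccountControl": 514},
    {"displayName": "Carol Example", "sAMAccountName": "carol", "department": "IT", "userAccountControl": 66048},
    {"displayName": "Dave Example", "sAMAccountName": "dave", "department": "IT", "userAccountControl": 66050},
    {"displayName": "Erin Example", "sAMAccountName": "erin", "department": "HR", "userAccountControl": 512},
    {"displayName": "Frank Example", "sAMAccountName": "frank", "department": "IT", "userAccountControl": 512},
    {"displayName": "Administrator", "sAMAccountName": "Administrator", "department": None, "userAccountControl": 66048},
]

# Constructed sample OUs; a missing gPOptions attribute means "inherit" (same as 0).
OUS = [
    {"name": "Domain Controllers", "gPOptions": 1},
    {"name": "Workstations", "gPOptions": 0},
    {"name": "FileServers", "gPOptions": 1},
    {"name": "HR", "gPOptions": None},
]


def decode_uac(value):
    """Return the flag names set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def by_last_name(names):
    """Sort display names by last name, then full name (the ordering Q7 expected)."""
    return sorted(names, key=lambda n: (n.split()[-1], n))


def disabled_users(users):
    """Q7: accounts with ACCOUNTDISABLE set, regardless of any other bits."""
    return by_last_name(u["displayName"] for u in users
                        if u["userAccountControl"] & ACCOUNTDISABLE)


def nonexpiring_enabled_users(users):
    """Q8: enabled accounts whose password never expires, minus the built-in Administrator."""
    hits = []
    for u in users:
        uac = u["userAccountControl"]
        if uac & ACCOUNTDISABLE or not uac & DONT_EXPIRE_PASSWORD:
            continue
        if u["sAMAccountName"].lower() == "administrator":
            continue
        hits.append(u["displayName"])
    return by_last_name(hits)


def active_per_department(users):
    """Q9: count non-disabled users per department, departments in alphabetical order."""
    counts = Counter(u["department"] for u in users
                     if u["department"] and not u["userAccountControl"] & ACCOUNTDISABLE)
    return dict(sorted(counts.items()))


def blocking_ous(ous):
    """Q12: OUs whose gPOptions has the block-inheritance bit set."""
    return [ou["name"] for ou in ous
            if (ou.get("gPOptions") or 0) & GPOPTIONS_BLOCK_INHERITANCE]


def answer_line(names, uac_value):
    """Render 'displayName, ..., 0x...' in the format the questions asked for."""
    return ", ".join(list(names) + [f"{uac_value:#x}"])


if __name__ == "__main__":
    print("0x202  =", decode_uac(0x202))
    print("0x10200 =", decode_uac(0x10200))
    print("Q7 :", answer_line(disabled_users(USERS), ACCOUNTDISABLE | NORMAL_ACCOUNT))
    print("Q8 :", answer_line(nonexpiring_enabled_users(USERS), DONT_EXPIRE_PASSWORD | NORMAL_ACCOUNT))
    print("Q9 :", ", ".join(f"{d}-{n}" for d, n in active_per_department(USERS).items()))
    print("Q12:", ", ".join(blocking_ous(OUS)))
```

Note that the filters test individual bits rather than comparing against 514 or 66048 exactly: an account such as the constructed "Dave Example" (0x10202, disabled and non-expiring) is caught by the disabled filter and correctly dropped from the non-expiring one, which an equality match on `userAccountControl = 66048` would miss.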