# M☆CTF 2025

My writeup for the forensic challenge.

*Note: My English is not good :v:*

![image](https://hackmd.io/_uploads/HkkeKhOeZl.png)

We are given the file `64c37b3d-fb54-40c4-bcea-0578f7a9f5ac.pcapng`. Running the `strings` command on it, I found some interesting things: an ELF file, credential information, and a file transferred over HTTP.

![image](https://hackmd.io/_uploads/BJgli2Oe-x.png)

![image](https://hackmd.io/_uploads/SJ7T5h_eWg.png)

Opening the file in Wireshark and applying the `http` filter, I found that a new cyber-cube downloaded the file `README.txt.exe` and uploaded another one (in the HTTP stream we can see `File uploaded successfully!`).

![image](https://hackmd.io/_uploads/HkUZT3ue-x.png)

Then I found that the attacker uploaded the file `Appdata.zip` in TCP stream 47.

![image](https://hackmd.io/_uploads/HycwWauxWe.png)

![image](https://hackmd.io/_uploads/Sk-oWpde-g.png)

Then I used the following Python script to convert the hex dump copied from Wireshark into the zip file:

```python
# Convert the hex dump copied from the TCP stream back into the uploaded zip file
hex_data = input("Input hex strings: ").replace("\n", "").replace(" ", "")
output_file = "AppData.zip"
binary_data = bytes.fromhex(hex_data)
with open(output_file, "wb") as f:
    f.write(binary_data)
print("Created file:", output_file)
```

However, the zip file needs a password to extract. I noticed `superevilpass` in the scenario, used it to extract the archive and got two files: `bcache24.bmc` and `Cache0000.bin`.

![image](https://hackmd.io/_uploads/BywS_pOg-e.png)

This is a bitmap cache compressed for RDP8 (RemoteFX). To extract it I used this tool: https://github.com/microsoft/rdp-cache. Then we got 1098 pieces of the picture.

![image](https://hackmd.io/_uploads/SkOLqTux-g.png)

But I didn't know how to match them exactly back into the plain picture, so I used the following code to view them all at once, but the result was chaos.
```python
import os
from PIL import Image
import math

# Directory containing the BMP tiles extracted by rdp-cache
INPUT_DIR = "./image"
OUTPUT_FILE = "merged_cache.png"

def get_bmp_files():
    # Collect the tiles and sort them by the numeric suffix in the file name
    files = []
    for f in os.listdir(INPUT_DIR):
        if f.lower().endswith(".bmp"):
            try:
                num = int(f.split("_")[-1].split(".")[0])
                files.append((num, f))
            except ValueError:
                pass  # skip files whose name does not end in a number
    files.sort(key=lambda x: x[0])
    return [f[1] for f in files]

def merge_images():
    files = get_bmp_files()
    if not files:
        print("No BMP files found!")
        return
    # Load the first image to get the tile size
    sample = Image.open(os.path.join(INPUT_DIR, files[0]))
    w, h = sample.size
    total = len(files)
    # Build the grid closest to a square
    cols = int(math.ceil(math.sqrt(total)))
    rows = int(math.ceil(total / cols))
    merged = Image.new("RGB", (cols * w, rows * h))
    print(f"Combining {total} images: {rows} rows x {cols} cols")
    idx = 0
    for r in range(rows):
        for c in range(cols):
            if idx >= total:
                break
            img = Image.open(os.path.join(INPUT_DIR, files[idx]))
            merged.paste(img, (c * w, r * h))
            idx += 1
    merged.save(OUTPUT_FILE)
    print(f"Done! Saved to: {OUTPUT_FILE}")

merge_images()
```

![image](https://hackmd.io/_uploads/HkIispOgWx.png)

Then I manually reassembled the parts of the flag and got this:

`Flag: mctf{f0r3ns1c_@nd_y0u_b0th_1ncred1ble!}`
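Going back to the upload step: instead of copying the hex from Wireshark by hand, the file posted in the HTTP stream can be carved programmatically from the reassembled request. This is an added example, not code from the original writeup: it parses a multipart/form-data POST, pulls out the file part, checks the ZIP magic and reports whether each entry is password protected (the same property that forced the `superevilpass` step). The HTTP request, boundary, host and zip contents are constructed stand-ins, not data from the capture.

```python
import io
import re
import zipfile

# Constructed stand-in for Appdata.zip: a small zip built in memory (not encrypted).
def build_sample_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("bcache24.bmc", b"BMC-PLACEHOLDER")
        zf.writestr("Cache0000.bin", b"BIN-PLACEHOLDER")
    return buf.getvalue()

BOUNDARY = b"----ConstructedBoundary1234"  # assumed boundary, not from the pcap

def build_sample_request(payload: bytes) -> bytes:
    """Constructed HTTP POST, shaped like the reassembled upload stream."""
    body = (
        b"--" + BOUNDARY + b"\r\n"
        b'Content-Disposition: form-data; name="file"; filename="Appdata.zip"\r\n'
        b"Content-Type: application/octet-stream\r\n\r\n" + payload + b"\r\n"
        b"--" + BOUNDARY + b"--\r\n"
    )
    headers = (
        b"POST /upload HTTP/1.1\r\nHost: example.invalid\r\n"
        b"Content-Type: multipart/form-data; boundary=" + BOUNDARY + b"\r\n"
        b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n"
    )
    return headers + body

def carve_upload(stream: bytes):
    """Return (filename, raw bytes) of the first file part of a multipart POST."""
    head, _, body = stream.partition(b"\r\n\r\n")
    m = re.search(rb"boundary=([^\r\n;]+)", head)
    if not m:
        raise ValueError("not a multipart/form-data request")
    delim = b"--" + m.group(1).strip()
    for part in body.split(delim)[1:-1]:  # drop preamble and the closing "--"
        part_head, _, part_body = part.lstrip(b"\r\n").partition(b"\r\n\r\n")
        fn = re.search(rb'filename="([^"]+)"', part_head)
        if fn:
            return fn.group(1).decode(), part_body[:-2]  # strip the CRLF before delim
    raise ValueError("no file part found")

def inspect_zip(data: bytes) -> dict:
    """Check the ZIP magic and map each entry to whether it is password protected."""
    if not data.startswith(b"PK\x03\x04"):
        raise ValueError("carved data is not a ZIP archive")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {zi.filename: bool(zi.flag_bits & 0x1) for zi in zf.infolist()}
```

On a real capture you would feed `carve_upload` the bytes saved from Wireshark's "Follow TCP Stream" (client side only, raw format) in place of `build_sample_request`; an entry mapped to `True` means it is encrypted and will need the password before extraction.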