---
# System prepended metadata

title: M☆CTF 2025

---

# M☆CTF 2025
My writeup for the forensics challenge.
*Note: My English is not good :v:*
![image](https://hackmd.io/_uploads/HkkeKhOeZl.png)
We are given the file `64c37b3d-fb54-40c4-bcea-0578f7a9f5ac.pcapng`.
Running the `strings` command on it, I found some interesting things: an ELF file, credential information, and a file transferred over HTTP.
![image](https://hackmd.io/_uploads/BJgli2Oe-x.png)
![image](https://hackmd.io/_uploads/SJ7T5h_eWg.png)
Opening the file in Wireshark, I applied the `http` filter and found that a new cyber-cube downloaded the file `README.txt.exe` and uploaded another file (in the HTTP stream we can see `File uploaded successfully!`).
![image](https://hackmd.io/_uploads/HkUZT3ue-x.png)
Then I found that the attacker uploaded the file `Appdata.zip` in TCP stream 47.
![image](https://hackmd.io/_uploads/HycwWauxWe.png)
![image](https://hackmd.io/_uploads/Sk-oWpde-g.png)
Then I used the following Python script to convert the hex dump of that stream back into the zip file:
```python
# Convert the hex dump copied from the TCP stream back into the zip file

# Strip newlines and spaces so the pasted Wireshark hex dump parses cleanly
hex_data = input("Input hex strings:    ").replace("\n", "").replace(" ", "")
output_file = "AppData.zip"
binary_data = bytes.fromhex(hex_data)

with open(output_file, "wb") as f:
    f.write(binary_data)

print("Created file:", output_file)
```
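Copying the hex out of the stream by hand works for one upload, but it is error-prone and tells you nothing about what you carved. The script below is an added example, not code from the original writeup: it parses a reassembled HTTP `multipart/form-data` POST, extracts every file part, and checks the file's magic bytes so you can confirm you really got a zip (or an ELF/PE) before trying to open it. The request, boundary, field names and the fake zip bytes are constructed sample data; on a real capture you would save the client side of the TCP stream from Wireshark as raw bytes and feed that in.

```python
import re
from typing import List, Tuple

# --- constructed sample input (assumption: a typical browser-style upload) ---
ZIP_MAGIC = b"PK\x03\x04"
# Not a valid archive, just enough bytes to look like one for the demo
FAKE_ZIP = ZIP_MAGIC + b"\x14\x00\x00\x00\x08\x00" + b"\x00" * 20 + b"PK\x05\x06" + b"\x00" * 18

BOUNDARY = b"----WebKitFormBoundaryAbc123"
BODY = (
    b"--" + BOUNDARY + b"\r\n"
    + b'Content-Disposition: form-data; name="file"; filename="Appdata.zip"\r\n'
    + b"Content-Type: application/zip\r\n"
    + b"\r\n"
    + FAKE_ZIP + b"\r\n"
    + b"--" + BOUNDARY + b"--\r\n"
)
SAMPLE_STREAM = (
    b"POST /upload HTTP/1.1\r\n"
    + b"Host: 10.0.0.5\r\n"
    + b"Content-Type: multipart/form-data; boundary=" + BOUNDARY + b"\r\n"
    + b"Content-Length: " + str(len(BODY)).encode() + b"\r\n"
    + b"\r\n"
    + BODY
)

# Magic bytes worth recognising when carving files out of a capture
MAGICS = {b"PK\x03\x04": "zip", b"\x7fELF": "elf", b"MZ": "pe/exe"}


def identify(data: bytes) -> str:
    """Name the file type by its leading magic bytes, or 'unknown'."""
    for magic, name in MAGICS.items():
        if data.startswith(magic):
            return name
    return "unknown"


def extract_uploads(stream: bytes) -> List[Tuple[str, bytes]]:
    """Return (filename, content) for every file part in a multipart POST."""
    head, sep, body = stream.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of HTTP headers found")
    m = re.search(rb"boundary=([^\r\n;]+)", head, re.IGNORECASE)
    if not m:
        raise ValueError("not a multipart/form-data request")
    boundary = b"--" + m.group(1).strip(b'"')

    files = []
    # split()[0] is the preamble before the first boundary; skip it
    for part in body.split(boundary)[1:]:
        if part.startswith(b"--"):  # closing boundary: "--<boundary>--"
            break
        part_head, sep, part_body = part.partition(b"\r\n\r\n")
        if not sep:
            continue
        fm = re.search(rb'filename="([^"]*)"', part_head)
        if not fm:
            continue  # ordinary form field, not a file
        # Each part body is followed by CRLF before the next boundary
        if part_body.endswith(b"\r\n"):
            part_body = part_body[:-2]
        files.append((fm.group(1).decode(errors="replace"), part_body))
    return files


if __name__ == "__main__":
    for name, content in extract_uploads(SAMPLE_STREAM):
        print(f"{name}: {len(content)} bytes, type={identify(content)}")
        with open("carved_" + name.replace("/", "_"), "wb") as f:
            f.write(content)
```

The filename comes from the attacker-controlled `Content-Disposition` header, so the script prefixes it and strips path separators before writing; the magic check is what you should trust, not the extension.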
However, the zip file needs a password to extract. I noticed `superevilpass` in the scenario, used it to extract the archive, and got 2 files: `bcache24.bmc` and `Cache0000.bin`.
![image](https://hackmd.io/_uploads/BywS_pOg-e.png)
This is a bitmap cache of images compressed for RDP8 (RemoteFX).
To extract it I used this tool: https://github.com/microsoft/rdp-cache. It gave us 1098 picture tiles.
![image](https://hackmd.io/_uploads/SkOLqTux-g.png)
But I didn't know how to match them exactly into the plain picture. I used the following code to view all the tiles at once, but the result is chaos:
```python
import os
from PIL import Image
import math

# Directory containing the BMP tiles
INPUT_DIR = "./image"
OUTPUT_FILE = "merged_cache.png"

def get_bmp_files():
    """List the BMP tiles sorted by the numeric suffix in their file name."""
    files = []
    for f in os.listdir(INPUT_DIR):
        if f.lower().endswith(".bmp"):
            try:
                num = int(f.split("_")[-1].split(".")[0])
                files.append((num, f))
            except ValueError:
                pass  # skip files whose name does not end in a number
    files.sort(key=lambda x: x[0])
    return [f[1] for f in files]

def merge_images():
    files = get_bmp_files()
    if not files:
        print("No BMP files found!")
        return

    # Load the first image to get the tile size (all tiles are assumed equal)
    sample = Image.open(os.path.join(INPUT_DIR, files[0]))
    w, h = sample.size

    total = len(files)

    # Build the grid closest to a square
    cols = int(math.ceil(math.sqrt(total)))
    rows = int(math.ceil(total / cols))

    merged = Image.new("RGB", (cols * w, rows * h))

    print(f"Combining {total} images: {rows} rows x {cols} cols")

    idx = 0
    for r in range(rows):
        for c in range(cols):
            if idx >= total:
                break
            img = Image.open(os.path.join(INPUT_DIR, files[idx]))
            merged.paste(img, (c * w, r * h))
            idx += 1

    merged.save(OUTPUT_FILE)
    print(f"Done! Saved to: {OUTPUT_FILE}")

merge_images()
```
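The merge script above takes the tile size from the first file and assumes every other tile matches it; when the cache contains tiles of mixed sizes the grid silently drifts and the contact sheet is harder to read than it needs to be. The following is an added example, not part of the original writeup or of the rdp-cache tool: it reads each tile's BMP headers with the standard library only (no PIL), groups the tiles by width, height and bit depth, and skips anything that is not a BMP, so you can merge the dominant group (RDP bitmap cache tiles are typically 64x64) and inspect the odd sizes separately. `make_bmp` builds constructed test tiles; `load_tiles` and the directory name are assumptions for running it against real extracted output.

```python
import struct
from pathlib import Path
from typing import Dict, Iterable, List, Tuple

Key = Tuple[int, int, int]  # (width, height, bits per pixel)


def parse_bmp_header(data: bytes) -> Key:
    """Return (width, height, bpp) from a BMP file's headers.

    Layout (little-endian): BITMAPFILEHEADER is 14 bytes ('BM', file size,
    two reserved words, pixel data offset). It is followed by a DIB header
    whose first dword is its own size; BITMAPINFOHEADER (40 bytes) stores
    width and height as signed 32-bit ints, then planes and bpp as 16-bit.
    """
    if len(data) < 26 or data[:2] != b"BM":
        raise ValueError("not a BMP file")
    dib_size = struct.unpack_from("<I", data, 14)[0]
    if dib_size == 12:  # old BITMAPCOREHEADER: 16-bit width/height
        w, h, _planes, bpp = struct.unpack_from("<HHHH", data, 18)
    else:
        if len(data) < 30:
            raise ValueError("truncated BMP header")
        w, h, _planes, bpp = struct.unpack_from("<iiHH", data, 18)
    return w, abs(h), bpp  # negative height means a top-down bitmap


def group_tiles(tiles: Iterable[Tuple[str, bytes]]) -> Dict[Key, List[str]]:
    """Group tile names by (width, height, bpp); non-BMP inputs are skipped."""
    groups: Dict[Key, List[str]] = {}
    for name, data in tiles:
        try:
            key = parse_bmp_header(data)
        except ValueError:
            continue  # debris in the directory, not a tile
        groups.setdefault(key, []).append(name)
    return groups


def dominant_group(groups: Dict[Key, List[str]]) -> Key:
    """The tile size that occurs most often; merge this group first."""
    return max(groups, key=lambda k: len(groups[k]))


def make_bmp(width: int, height: int, bpp: int = 24) -> bytes:
    """Build a minimal uncompressed, solid-black BMP (constructed test data)."""
    row = (width * bpp // 8 + 3) // 4 * 4  # rows are padded to 4 bytes
    pixels = b"\x00" * (row * height)
    dib = struct.pack("<IiiHHIIiiII", 40, width, height, 1, bpp,
                      0, len(pixels), 2835, 2835, 0, 0)
    hdr = struct.pack("<2sIHHI", b"BM", 14 + 40 + len(pixels), 0, 0, 14 + 40)
    return hdr + dib + pixels


def load_tiles(directory: str) -> List[Tuple[str, bytes]]:
    """Read every file in the extraction directory (assumed path)."""
    return [(p.name, p.read_bytes()) for p in sorted(Path(directory).iterdir())
            if p.is_file()]


if __name__ == "__main__":
    # Replace "./image" with the rdp-cache output directory on a real run
    tiles = load_tiles("./image")
    groups = group_tiles(tiles)
    for key, names in sorted(groups.items(), key=lambda kv: -len(kv[1])):
        print(f"{key[0]}x{key[1]} @ {key[2]}bpp: {len(names)} tiles")
    if groups:
        print("merge first:", dominant_group(groups))
```

Feed only the dominant group's file names into the merge script and the grid stays aligned; the remaining groups are usually partial edge tiles or unrelated cache entries and are quicker to check by eye.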
![image](https://hackmd.io/_uploads/HkIispOgWx.png)
Then I manually rearranged the parts of the flag and got this:
`Flag: mctf{f0r3ns1c_@nd_y0u_b0th_1ncred1ble!}`