Version
| By |
Version |
Comment |
| noraj |
1.0 |
Creation |
CTF
- Name : European Cyber Week CTF Quals 2016
- Website : challenge-ecw.fr
- Type : Online
- Format : Jeopardy - Student
Description
N.A.
Solution
We used Digital Forensics Framework (DFF)
We can view that usb.dd is NTFS partition in the hex view so we mounted it as it.
We browsed the files and this one retaind our attention: usb.dd/NTFS/Users/windows/Documents/tmp_rqsu78.docx:flag.
Its content is:
1
| 'Get the data from the default value of the key HKLM\SYSTEM\CurrentControlSet\Control\DeviceContainers\{000001111-2345178-232416-99801}'
|
So we need to find Windows registry and browse it.
The location of these registry hives are as follows:
HKEY_LOCAL_MACHINE \SYSTEM : \system32\config\system
Source: http://www.thewindowsclub.com/where-are-the-windows-registry-files-located-in-windows-7
We browsed it and the value of the key was: a2486aac827711258d0642176cc4f8c2.
So the flag is ECW{a2486aac827711258d0642176cc4f8c2}.
Bonus:
/Logical files/temp/usb.dd/NTFS/!j3CtfuSD5zz1RfB=MlsL]u-k8O5v+,P was certainly the target location of the attack.- There was also a
no flag here.txt troll file in Windows\system32\config\ containing a pretty list of fake flags:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
| ECW{ee4f493d149e634540b79ed030b3790e}
ECW{ef20996f87a1c172223d1796f155cabb}
ECW{78a4b8dd2614fea24d694aaad4e5ee7c}
ECW{2942e64a0b3836b84aa18311be73804d}
ECW{860d8070c9fed931856856b2957316d9}
ECW{5c07ee2b8313b406a32325c7a2924011}
ECW{20b1ab287f9f4485800b15ba9cb933b0}
ECW{31470d8d9676ee5d17fe79317124d67a}
ECW{c0ad5adadd6dc5871f4cc66370757d9a}
ECW{d28aeba8bb169a6f628d77b7059e9110}
ECW{c9f619827e73ce3d61048b0ddb49ec84}
ECW{07c563dd9f91b19a18d8876e89188593}
ECW{46f8ba8cd62e3334e05501407d653587}
ECW{d55e0d52fa7c5ccb0af9efa488f5206d}
ECW{269c20f280f7326c674811f59ece9cab}
ECW{656122abbb817863ae145539bb0eeb03}
ECW{d1b46e0fa5e5c0375ade62ff820ce631}
ECW{62fd1f329ac8d59e6c4052e45b6121bf}
ECW{c4393a542ae85e178cf7da6cee80139d}
ECW{0ae1fcf8c1b5e378ba62736d59ab346c}
ECW{31e42f6a1adeb6350cda9270c164855f}
ECW{6a1dd34361fe943af6a4c4a71584ac2f}
ECW{bc65d36be9d0c6877cc0b200002e4e2d}
ECW{a0a7c3fff21f2aea3cfa1d0316dd816c}
ECW{4cf2d64e44205fe628ddd534e1151b58}
ECW{9cc72dc973e24f9623bd3fe708f60ef5}
ECW{579a3c1e12a1e74a98169175fb913012}
ECW{2b7ea5cee3c49ff53d41e00785eb974c}
ECW{a4a7e457b55b5ac2877f7973dbba37e9}
ECW{01b1688f97f94776baae85d77b06048b}
ECW{9b64ca5761c6de555d7d1b3c948ecfeb}
ECW{3ff6ba9cf6d8e5332978e057559b5562}
ECW{7dfe15854212a30f346da5255c1d794b}
ECW{f51b02427757e79621b5235d7efdf117}
ECW{e0e8b9912a4793170fd23f7aa4c6d68c}
ECW{036208b4a1ab4a235d75c181e685e5a3}
ECW{a51a588dc98a55fbbb26cf2f64589bda}
ECW{a51a588dc98a55fbbb26cf2f64589bda}
ECW{a51a588dc98a55fbbb26cf2f64589bda}
ECW{7fad9816d7334cc470e5dc82d06e222f}
ECW{d69fc8c97d906264c98463b4bca59fd4}
ECW{5088741fd5456ef3471fe11022575e03}
ECW{4d3f80683b3b9021f517e5b9920d0126}
ECW{73a00957034783b7b5c8294c54cd3e12}
ECW{1f77c389e0a69652980c341170d0834b}
ECW{b42d4ed9a6bf5cda33366c01be5d11cb}
ECW{c9440da5b11074fca7966ecde2fe3c97}
ECW{6258191d167c56dcdb51ae9fa2faee23}
ECW{095fd6a167e3c0f7331a1a6b97969c83}
ECW{40942c14fbaaff0523b88ab781900cfd}
ECW{39e14ad7477262c347f2e6d927a6518c}
ECW{cdfb31c9bd2ea0c6d87206224466ac75}
ECW{663f929002e1547fd2bf67e72f1b85e0}
ECW{2eedce1bca0150e3dcda7e77f4d8ecfd}
ECW{35b88728559e409dd550eb818228c99e}
ECW{469966e739df10b55c3c8ee3ad572617}
ECW{5146da32deef5fee7df9461eeca13e7b}
|