TETctf
Forensics - 4n6
The challenge gives us two files: one is an AD1 file and the other is a raw memory image.
You can open the AD1 file in FTK Imager and the raw image in Volatility 3 (I would recommend FTK Imager because it has a UI and you can see every file and path clearly). I will be using FTK Imager, because it really helps me solve DFIR challenges more easily and faster.
OK, the first thing we need to do is read the challenge description to know where to start.
“After reading the rules, my computer seemed unusual.” Remember this line.
The victim's computer seems to have been infected after they read some Word files, so this is probably the clue to our problem: the malicious code is likely inside the docx file, which means it must be a VBA macro.
Checking the Recent folder, we can see that the victim downloaded some files, and “TetCTF2024-Rules” seems to be the Word file said to contain the malicious code.
(You can search Google to find out where macros are stored.)
Export the .dotm file, then copy it to Linux and check the macros with olevba; we can see the IP and port. At the end there is a hex string that looks suspicious.
Decode the string with base64 five times and you will get the full first flag:
TETctf{172.20.25.15:4444_VBA-M4cR0
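The repeated base64 decoding above can be scripted so that every intermediate layer is kept for inspection. This is an added example, not the author's code or the challenge's macro: the nested string is constructed here by wrapping the first flag from the writeup five times, standing in for the string olevba displayed.

```python
import base64
import binascii


def peel_base64(blob: bytes, max_layers: int = 16) -> list[bytes]:
    """Strip nested base64 layers and return every stage.

    The returned list starts with the input and ends with the innermost
    payload; len(result) - 1 is the number of layers removed. validate=True
    makes b64decode reject any character outside the base64 alphabet, so the
    loop stops as soon as it reaches plaintext containing '{', ':' and so on.
    """
    stages = [blob]
    current = blob
    for _ in range(max_layers):
        # Macro strings are often split across lines; drop whitespace before decoding.
        compact = b"".join(current.split())
        try:
            decoded = base64.b64decode(compact, validate=True)
        except (binascii.Error, ValueError):
            break
        if not decoded:
            break
        stages.append(decoded)
        current = decoded
    return stages


def build_sample(plaintext: bytes, layers: int = 5) -> bytes:
    """Constructed stand-in for the macro string: plaintext base64-encoded N times."""
    for _ in range(layers):
        plaintext = base64.b64encode(plaintext)
    return plaintext


# First flag value taken from the writeup; used as the innermost payload of the sample.
SAMPLE_FLAG = b"TETctf{172.20.25.15:4444_VBA-M4cR0"


def recover(blob: bytes) -> str:
    """Decode all layers and return the innermost payload as text."""
    return peel_base64(blob)[-1].decode("utf-8", errors="replace")


if __name__ == "__main__":
    sample = build_sample(SAMPLE_FLAG, 5)
    for depth, stage in enumerate(peel_base64(sample)):
        print(f"layer {depth}: {stage[:60]!r}")
    print("recovered:", recover(sample))
```

If the outer layer in the macro is hex rather than base64, apply `bytes.fromhex()` to it once before calling `peel_base64`. Keeping every stage matters because an innermost payload made only of base64-alphabet characters would otherwise be decoded one step too far without anyone noticing.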
My route to finding the second part of the flag was unintentional!
The victim said that he had registered an account but no longer remembers the password.
-> So the first thing we need to know is which site he created the account on, by checking the History file stored by Chrome.
Export this file, then open it with SQLite and check the URLs visited.
Then we can see the 2nd part of the flag.
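Querying the exported History file with SQLite can also be done from Python, which makes it easy to convert Chrome's timestamps and filter by keyword. This is an added example and not part of the writeup; the database it builds is an in-memory stand-in whose column names follow Chrome's real `urls` table but whose rows and URLs are invented.

```python
import sqlite3
from datetime import datetime, timedelta, timezone
from typing import Optional

# Chrome stores last_visit_time as microseconds since 1601-01-01 UTC
# (the WebKit / Windows FILETIME epoch), not since the Unix epoch.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_datetime(microseconds: int) -> datetime:
    """Convert a Chrome/WebKit timestamp to an aware UTC datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=microseconds)


def datetime_to_webkit(dt: datetime) -> int:
    """Inverse conversion; integer division keeps the result exact."""
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)


def open_history(path: str) -> sqlite3.Connection:
    """Open an exported copy of the History file read-only.
    A running browser locks the live file, so always work on the exported copy."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def visited_urls(conn: sqlite3.Connection, keyword: Optional[str] = None) -> list[dict]:
    """Return rows of the 'urls' table, newest first.
    keyword, if given, is matched case-insensitively against url and title."""
    sql = "SELECT url, title, visit_count, last_visit_time FROM urls"
    params: tuple = ()
    if keyword:
        sql += " WHERE url LIKE ? OR title LIKE ?"
        params = (f"%{keyword}%", f"%{keyword}%")
    sql += " ORDER BY last_visit_time DESC"
    return [
        {
            "visited_utc": webkit_to_datetime(ts).isoformat(),
            "url": url,
            "title": title,
            "visits": visits,
        }
        for url, title, visits, ts in conn.execute(sql, params)
    ]


def build_sample_history() -> sqlite3.Connection:
    """Constructed in-memory stand-in for an exported History file."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE urls (id INTEGER PRIMARY KEY, url LONGVARCHAR, "
        "title LONGVARCHAR, visit_count INTEGER DEFAULT 0, typed_count INTEGER "
        "DEFAULT 0, last_visit_time INTEGER NOT NULL, hidden INTEGER DEFAULT 0)"
    )
    base = datetime(2024, 1, 27, 9, 0, tzinfo=timezone.utc)
    sample = [  # invented rows, not data from the challenge image
        ("https://example.test/", "Example home", 3, base),
        ("https://accounts.example.test/register?user=victim", "Create your account", 1,
         base + timedelta(minutes=5)),
        ("https://ctf.example.test/rules", "TetCTF2024 rules", 2, base + timedelta(minutes=20)),
    ]
    for url, title, visits, when in sample:
        conn.execute(
            "INSERT INTO urls (url, title, visit_count, last_visit_time) VALUES (?, ?, ?, ?)",
            (url, title, visits, datetime_to_webkit(when)),
        )
    conn.commit()
    return conn


if __name__ == "__main__":
    conn = build_sample_history()  # replace with open_history("History") for a real export
    for row in visited_urls(conn, keyword="register"):
        print(row["visited_utc"], row["url"], "-", row["title"])
```

Sorting by `last_visit_time` and converting it from the WebKit epoch is what turns the table into a timeline, and filtering on words such as "register" or "signup" is a quick way to find where an account was created.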
REMEMBER: THIS IS AN UNINTENTIONAL ROUTE; IT SHOULDN'T BE SOLVED LIKE THIS.
Flag: TETctf{172.20.25.15:4444_VBA-M4cR0_R3c0v3rry_34sy_R1ght?}