ARPCON 2020 Forensics and Misc Challenge Write-up

Hello guys,
I hope you liked the CTF and the virtual hacking conference.
I'll come directly to the point: "straight talk, no nonsense".

Section : Forensics
1. Artifacts
Description of this challenge: forensics experts got some artifacts of a malware program (don't worry, the file is not malware).
You need to find the physical address and then find the folder path of this malware (not the full path).
Flag format: arpcon{software/file/file.exe}

Here is the file: Ljones-musicfile.mp4. It's a shortcut file and you need to find the physical address ....
Could you parse the shortcut file directly? Don't do that; it's a shortcut to some video, and you should parse it with the .lnk extension.
LECmd (Lnk Explorer Command line edition) is a tool to decode all available information contained in shortcut files found on Windows operating systems.

Command: LECmd.exe -f "D:\Computer forensic\tools\Ljones-musicfile.mp4.lnk" --all, and you will get lots of details
(LECmd.exe and your file must be in the same folder)

Using this MAC address, d0:50:99:82:33:6e, open the zip file.
Then you get 97743AA9.pf.
The .pf extension is prefetch. Use a prefetch parser (PECmd.exe).
The goal of PECmd (I think) was to provide a reliable, Windows-based prefetch parser that displays as much data as can be squeezed out of the files.
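The "physical address" LECmd reports comes from the shortcut's TrackerDataBlock: its DroidFileIdentifier is a version-1 UUID, and the node field of a version-1 UUID is the MAC address of the machine that created the file. The script below is an added example, not part of the original write-up and not LECmd's code; it builds a minimal shortcut in memory (the machine name, volume ID and timestamp fields are constructed) and then locates and decodes the tracker block to recover the MAC and the UUID creation time. The block is found by scanning for its fixed size and signature rather than by walking the full MS-SHLLINK structure, which is enough for this purpose.

```python
"""Recover the MAC address embedded in a Windows .lnk TrackerDataBlock.

Added example (not from the write-up or LECmd). The sample shortcut is
constructed in memory so the script runs offline.
"""
import struct
import uuid
from datetime import datetime, timedelta

TRACKER_SIG = 0xA0000003        # ExtraData signature of the TrackerDataBlock
TRACKER_BLOCK_SIZE = 0x60       # fixed size per the MS-SHLLINK specification
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
UUID_EPOCH = datetime(1582, 10, 15)  # version-1 UUID time base


def build_sample_lnk(node_mac):
    """Construct a minimal shortcut: header with no optional structures,
    one TrackerDataBlock, then the 4-byte terminal block. (Constructed.)"""
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID.bytes_le
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))
    # Version-1 UUID; node field carries the creating machine's MAC.
    file_id = uuid.UUID(fields=(0x1A2B3C4D, 0x5E6F, 0x11EA, 0x9A, 0xBC, node_mac))
    volume_id = uuid.uuid4()
    block = struct.pack("<IIII", TRACKER_BLOCK_SIZE, TRACKER_SIG, 0x58, 0)
    block += b"DESKTOP-SAMPLE\x00\x00"            # MachineID, 16 bytes, NUL padded
    block += volume_id.bytes_le + file_id.bytes_le  # Droid volume id + file id
    block += volume_id.bytes_le + file_id.bytes_le  # DroidBirth volume id + file id
    assert len(block) == TRACKER_BLOCK_SIZE
    return header + block + b"\x00\x00\x00\x00"


def parse_tracker_block(data):
    """Return (machine_id, mac, created) from the TrackerDataBlock, or None
    if the shortcut carries no tracker data. mac/created are None when the
    file id is not a version-1 UUID."""
    if len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data)[0] != LNK_HEADER_SIZE:
        raise ValueError("not a shell link: bad HeaderSize")
    if uuid.UUID(bytes_le=data[4:20]) != LNK_CLSID:
        raise ValueError("not a shell link: bad LinkCLSID")
    # Heuristic: scan for the (size, signature) pair instead of walking
    # LinkTargetIDList / LinkInfo / StringData that precede the extra data.
    off = data.find(struct.pack("<II", TRACKER_BLOCK_SIZE, TRACKER_SIG), LNK_HEADER_SIZE)
    if off < 0 or off + TRACKER_BLOCK_SIZE > len(data):
        return None
    machine = data[off + 16:off + 32].split(b"\x00", 1)[0].decode("ascii", "replace")
    file_id = uuid.UUID(bytes_le=data[off + 48:off + 64])  # DroidFileIdentifier
    if file_id.version != 1:
        return machine, None, None
    mac = ":".join(f"{b:02x}" for b in file_id.node.to_bytes(6, "big"))
    created = UUID_EPOCH + timedelta(microseconds=file_id.time // 10)  # 100 ns units
    return machine, mac, created


if __name__ == "__main__":
    sample = build_sample_lnk(0xD0509982336E)   # the MAC from this challenge
    print(parse_tracker_block(sample))
```

On a real shortcut, read the file bytes and pass them to parse_tracker_block; the MAC is only present when the file was created on a machine with an Ethernet adapter, and the birth identifiers (offsets 64-95) can be decoded the same way to see where the file was first created.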

PECmd.exe -f "D:\Computer forensic\tools\97743AA9.pf"

and you will get the malware's folder path: ADOBE\READER 10.0\READER\ACRORD32.EXE
2. illuminati-agent
The whole challenge is about the illuminati.
When you open the first page it opens a website with some scary background.
url : http://139.59.34.110:8002/
The challenge is about the illuminati; have you tried illuminati.txt or illuminati.html?
No? Then try illuminati.html.

Is anything visible? No? Then try Ctrl + A.

OK, then try: http://139.59.34.110:8002/area51.html

Here you get something. Yes, it's an esoteric programming language, but in unstructured form, so go to the page source.

Copy this code and go to: http://malbolge.doleczek.pl/#

3. survival
Open data0 and you will see some chunks of data.
Description: Artifacts came from the internet.
When you see data without an extension that came from the internet,
think... think... think...
Yes, it's a cache (browser forensics OP).
If you can't get it, then try all the browser cache viewers.
This is the Chrome cache viewer; open it and set the path of data0.

Then I got the pastebin link: https://pastebin.com/raw/hjfcujvp


Open the zip file using this password.
Again some cache ^_^

OK, it doesn't look like a network log, but what is it then? What other things are related to the browser? Hmm.
What do you do on a daily basis in a browser? Social media... am I right?
Yes, this is FB cache. Use FBCacheView.
FBCacheView is a simple tool that scans the cache of your Web browser (Internet Explorer, Firefox, or Chrome), and lists all images displayed in Facebook pages that you previously visited, including profile pictures, images uploaded to Facebook, and images taken from other Web sites. For every Facebook image, the following information is displayed: URL of the image, Web browser that was used to visit the page, image type, date/time of the image, visit time, image file size, and external URL (for images taken from another Web site).
Set the path of data1.


4. wrong_free
When you open it you get a video, but no one could get the hint.
One lady says: "hi fincor here" (no other hints, no metadata, no steganography).
They talk to each other via phone... hmm, interesting; she asks for a number.

Nah... OK, type "fincor" and try to get the number (use a Word to Phone Number converter).
Word: fincor, Number: 346267
The video file name is oediv.mp4 (a reversed string, so you should reverse the number as well, otherwise "wrong number"): {762643}, and open data.zip.
You get data1.txt and data2.txt. Both look the same, but some manipulation was performed. How can I check?
Manually... you mean line by line?
Use a diff checker.


and open flag.zip:
⠁⠗⠏⠉⠕⠝{⠓⠑⠇⠇⠕_⠙⠑⠧⠊⠏⠗⠁⠎⠁⠙}
Decode it with the braille alphabet... enjoy.
Section : Misc
Corona 2.0

Most people just translated it and tried to find the author, but it's not that easy.
If you open my twitter handle (mrunal110),

it's weird, nah... am I right?
The letters of my tweet are replaced with similar-looking letters (Unicode homoglyphs) that are used to hide the hidden message.
(don't consider the extra space)
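Finding which letters were swapped is the same job as detecting homoglyph look-alike domains: flag every non-ASCII character that impersonates a Latin letter and show what it mimics. The script below is an added example, not part of the original write-up and not the tool the author used; the confusables table is a small hand-picked subset of Cyrillic, Greek and full-width look-alikes (the full Unicode confusables data is much larger), and the sample tweet is constructed.

```python
"""Detect Unicode homoglyphs hidden in Latin text.

Added example (not from the write-up). CONFUSABLES is a constructed subset;
the sample tweet is constructed.
"""
import unicodedata

# Look-alike character -> the ASCII letter it impersonates (constructed subset).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u04bb": "h",
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041a": "K", "\u041c": "M",
    "\u041d": "H", "\u041e": "O", "\u0420": "P", "\u0421": "C", "\u0422": "T",
    "\u0425": "X", "\u03b1": "a", "\u03bf": "o", "\u0391": "A", "\u039f": "O",
}

# Constructed sample: Cyrillic a/o and a full-width w hidden in ASCII text.
SAMPLE_TWEET = "St\u0430y h\u043eme, stay s\u0430fe and \uff57ash your hands"


def find_homoglyphs(text):
    """Return [(index, char, unicode_name, ascii_lookalike)] for every
    non-ASCII character that impersonates a Latin letter."""
    hits = []
    for i, ch in enumerate(text):
        if ord(ch) < 128:
            continue
        look = CONFUSABLES.get(ch)
        if look is None:
            # NFKC folds full-width and mathematical letters to plain ASCII;
            # it does not fold Cyrillic/Greek, hence the table above.
            folded = unicodedata.normalize("NFKC", ch)
            if folded.isascii() and folded.isalpha():
                look = folded
        if look is not None:
            hits.append((i, ch, unicodedata.name(ch, "UNKNOWN"), look))
    return hits


def ascii_view(text):
    """The text with every detected homoglyph replaced by the ASCII letter it mimics."""
    out = list(text)
    for i, _, _, look in find_homoglyphs(text):
        out[i] = look
    return "".join(out)


def marker_line(text):
    """A '^' under each substituted position, to eyeball the pattern."""
    mask = [" "] * len(text)
    for i, *_ in find_homoglyphs(text):
        mask[i] = "^"
    return "".join(mask)


if __name__ == "__main__":
    for idx, ch, name, look in find_homoglyphs(SAMPLE_TWEET):
        print(f"{idx:3d}  U+{ord(ch):04X}  {name:<32} looks like '{look}'")
    print(ascii_view(SAMPLE_TWEET))
    print(marker_line(SAMPLE_TWEET))
```

The marker line is the useful output for this challenge: the positions of the swapped letters, read in order, are what carry the hidden message, while ascii_view gives you the innocent-looking text the tweet pretends to be.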


Thank you all.....