ARPCON 2020 Forensics and Misc Challenge Write-up

MRunal

Oct 12, 2020·5 min read

Hello guys

I hope you liked the CTF and the virtual hacking conference.

I come directly to the point “ सीधी बात नो बकवास ”

Section : Forensics

1. Artifacts

description of this challenge : Here forensics experts got some artifacts of malware software (don’t worry file is not malware)
You need to find physical address and find this malware software folder path (not full path)

Flag format: arpcon{software/file/file.exe}

Here is a file : Ljones-musicfile.mp4 , it’s a shortcut file and you need to find physical address ….

could you directly parse the shortcut file ??? don’t do that , it’s a shortcut file of some video and you should be parse with .lnk

LEcmd Lnk is Explorer Command line edition. It’s is a tool to decode all available information contained in shortcut files found on Windows operating systems.

Command : LECmd.exe -f “D:\Computer forensic\tools\Ljones-musicfile.mp4.lnk” — all and you will got lot’s of details

(LECmd.exe and your file must be in same folder)

using this MAC Address: d0:50:99:82:33:6e address open the zip file

then you got 97743AA9.pf

.pf extension is prefetch . use Prefetch parser(PECmd.exe)

The goal of PECmd (I think) was to provide a reliable, Windows-based prefetch parser that display as much data as could be squeezed out of the files.

PECmd.exe -f “D:\Computer forensic\tools\97743AA9.pf”

and you will get malware software folder path : ADOBE\READER 10.0\READER\ACRORD32.EXE

2. illuminati-agent

whole challenge is about illuminati ..

when you open the first page its open website with some scary background

url : http://139.59.34.110:8002/

Challenge is about illuminati have you tried illuminati.txt or illuminati.html ????

No then try illuminati.html

Is anything visible ? , No then try ctrl + A

okk then try : http://139.59.34.110:8002/area51.html

here you got something yea its esoteric programming language but unstructured formation so go to the source page

copy this code go to the : http://malbolge.doleczek.pl/#

3. survival

open the data0 and you will see this some chunk of data

description : Artifacts came from the internet

when you see the data without some extension and it came from the internet

think .. think ..think

yea … it’s a cache (Browser forensics OP )

If you can’t get it then try all browsers cache viewer

this is chrome cache viewer open it and set path of data0

then i got the pastebin link: https://pastebin.com/raw/hjfcujvp

open zip file using this password

again some cache ^_^

okk it’s not look like network log ok but what ?? what any other things are related to the browser ?? hmm

what you do in daily basis in browser ? Social media … Am i right ?

yes , this is FB cache . use FBCacheView

FBCacheView is a simple tool that scans the cache of your Web browser (Internet Explorer, Firefox, or Chrome), and lists all images displayed in Facebook pages that you previously visited, including profile pictures, images uploaded to Facebook, and images taken from other Web sites. For every Facebook image, the following information is displayed: URL of the image, Web browser that was used to visit the page, image type, date/time of the image, visit time, image file size, and external URL (For images taken from another Web site).

set the path of data1