ARPCON 2020 Forensics and Misc Challenge Write-up

Hello guys

I hope you liked the CTF and the virtual hacking conference.

I'll come directly to the point: “straight talk, no nonsense”

Section : Forensics

1. Artifacts

Challenge description: forensics experts got some artifacts of a malware sample (don't worry, the file is not malware).
You need to find the physical address and then the malware's folder path (not the full path).

Flag format: arpcon{software/file/file.exe}

Here is a file: Ljones-musicfile.mp4. It's a shortcut file, and you need to find the physical address....

Could you parse the shortcut file directly? Don't do that; it's a shortcut to some video, so you should parse it as a .lnk file.

LECmd (Lnk Explorer Command line edition) is a tool to decode all available information contained in shortcut files found on Windows operating systems.

Command: LECmd.exe -f "D:\Computer forensic\tools\Ljones-musicfile.mp4.lnk" --all and you will get lots of details (the MAC address of the machine the shortcut was created on is among them)

(LECmd.exe and your file must be in the same folder)

Use this MAC address, d0:50:99:82:33:6e, to open the zip file.

Then you get 97743AA9.pf

The .pf extension means a prefetch file. Use a prefetch parser (PECmd.exe).

The goal of PECmd (I think) was to provide a reliable, Windows-based prefetch parser that displays as much data as could be squeezed out of the files.

PECmd.exe -f "D:\Computer forensic\tools\97743AA9.pf"

and you will get the malware's folder path: ADOBE\READER 10.0\READER\ACRORD32.EXE

2. illuminati-agent

The whole challenge is about the illuminati.

When you open the first page, it opens a website with a scary background.

url : http://139.59.34.110:8002/

The challenge is about the illuminati. Have you tried illuminati.txt or illuminati.html?

No? Then try illuminati.html

Is anything visible? No? Then try Ctrl + A

OK, then try: http://139.59.34.110:8002/area51.html

Here you get something. Yes, it's an esoteric programming language (Malbolge), but the rendered page has lost its formatting, so go to the page source.

Copy this code and go to: http://malbolge.doleczek.pl/#

3. survival

Open data0 and you will see some chunk of data.

Description: Artifacts came from the internet

When you see data without any extension and it came from the internet...


think .. think ..think

Yes... it's a cache (browser forensics OP)

If you can't get it, then try all the browser cache viewers.

This is the Chrome cache viewer; open it and set the path to data0.

Then I got the pastebin link: https://pastebin.com/raw/hjfcujvp

Open the zip file using this password.

Again some cache ^_^

OK, it doesn't look like a network log, but what is it? What other things are related to the browser? Hmm.

What do you do in the browser on a daily basis? Social media... Am I right?

Yes, this is FB cache. Use FBCacheView.

FBCacheView is a simple tool that scans the cache of your Web browser (Internet Explorer, Firefox, or Chrome) and lists all images displayed in Facebook pages that you previously visited, including profile pictures, images uploaded to Facebook, and images taken from other Web sites. For every Facebook image, the following information is displayed: URL of the image, Web browser that was used to visit the page, image type, date/time of the image, visit time, image file size, and external URL (for images taken from another Web site).

Set the path to data1.

4. wrong_free

When you open it you get a video, but no one could get the hint.

One lady says: hi fincor here (no other hints, no metadata, no steganography)

They talk to each other via phone... hmm, interesting. She asks for a number.

Did you get this?

Nah... OK, type fincor and try to get the number (use a Word to Phone Number Converter)

Word: fincor Number: 346267

Video file name: oediv.mp4 (a reversed string, so you should reverse the number as well, otherwise it's the “wrong number”): {762643}. Use it to open data.zip.

You get data1.txt and data2.txt. Both look the same, but some manipulation was performed. How can I check?

Manually... you mean line by line?


Use a diff checker

and open flag.zip

⠁⠗⠏⠉⠕⠝{⠓⠑⠇⠇⠕_⠙⠑⠧⠊⠏⠗⠁⠎⠁⠙}

Decode it with the braille alphabet... enjoy

Section : Misc

Corona 2.0

Most people just translate the tweet and try to find the author, but it's not that easy.

If you look at my Twitter handle (mrunal110), open it.

It's weird, nah... Am I right?

The letters of my tweet are replaced with similar-looking letters (Unicode homoglyphs), which are used to hide the hidden message.

https://twsteg.devsec.fr/

(don’t consider extra space)
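To show how a homoglyph-based tweet can carry a hidden message, and how a defender would spot one, here is an added example of my own. It is not the encoding used by twsteg.devsec.fr; it assumes a simple one-bit-per-letter scheme (homoglyph = 1, plain letter = 0) and a small constructed table of Cyrillic lookalikes.

```python
import unicodedata

# Constructed subset of Latin -> Cyrillic lookalikes (Unicode's confusables.txt
# lists far more). Each entry is a visually identical letter from another script.
HOMOGLYPHS = {
    "a": "\u0430", "c": "\u0441", "e": "\u0435", "o": "\u043e",
    "p": "\u0440", "x": "\u0445", "y": "\u0443", "i": "\u0456",
    "s": "\u0455", "j": "\u0458", "h": "\u04bb",
}
REVERSE = {v: k for k, v in HOMOGLYPHS.items()}

# Constructed cover tweet (plain ASCII, no hidden content).
COVER = "stay home stay safe wash your hands"


def encode(cover: str, secret: str) -> str:
    """Hide `secret` in `cover`: every substitutable letter carries one bit.
    Bit 1 -> replace the letter by its homoglyph, bit 0 -> leave it as is."""
    bits = "".join(f"{b:08b}" for b in secret.encode())
    out, i = [], 0
    for ch in cover:
        if i < len(bits) and ch in HOMOGLYPHS:
            out.append(HOMOGLYPHS[ch] if bits[i] == "1" else ch)
            i += 1
        else:
            out.append(ch)
    if i < len(bits):
        raise ValueError("cover text has too few substitutable letters")
    return "".join(out)


def decode(stego: str) -> str:
    """Read the bits back: homoglyph -> 1, plain substitutable letter -> 0.
    Leftover bits that do not fill a byte are dropped; padding zero bytes stripped."""
    bits = "".join("1" if ch in REVERSE else "0"
                   for ch in stego if ch in REVERSE or ch in HOMOGLYPHS)
    usable = len(bits) - len(bits) % 8
    raw = bytes(int(bits[k:k + 8], 2) for k in range(0, usable, 8))
    return raw.rstrip(b"\x00").decode(errors="ignore")


def suspicious_chars(text: str) -> list:
    """Defender's check: letters that are not ASCII inside otherwise Latin text.
    Returns (index, char, unicode name) so mixed-script text can be flagged."""
    return [(n, ch, unicodedata.name(ch, "?")) for n, ch in enumerate(text)
            if ch.isalpha() and not ch.isascii()]
```

The same suspicious_chars check is what you would run on an incoming domain label or display name, since the page's technique and look-alike phishing rely on the identical trick.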

Thank you all …..

Blogger | Security Researcher | Digital forensic analyst | Twitter — @mrunal110
