Just tried to find the string with "strings" and "grep":
(1) strings
(2) grep
flag: AFFCTF{you_found_something!}
First I checked the HTTP object list and found a file "challenges.php".
But you can see that its size is 0 bytes.
Still, you can find its packet number, "46".
When you open packet no. 46, the flag is there.
flag: AFFCTF{DonT_TRusT_h34d3R2}
Fibonacci numbers: en.wikipedia.org/wiki/Fibonacci_number
(0 1 1 2 3 5 8 13 21 34 55 89 144 233 377 610 987)
The 7z file can't be extracted completely.
But when you open it in a hex editor, you can see some "B"s sitting at strange offsets.
They sit at Fibonacci offsets: 0 - 1 - 2 - 3 - 5 - 8 - 13 - 19 - ... - 610 - 987
For example, there is a "0x42 (B)" at the 610th and the 987th byte.
So when you remove all the "B"s at the Fibonacci offsets, the archive extracts successfully.
flag: AFFCTF{Hitchhiker}
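An added Python example (my code, not from the write-up) of the repair step: it drops the byte at every Fibonacci offset, reports any offset that did not actually hold 0x42 so a wrong guess about the padding pattern is visible, and checks that the 7z signature comes back. It assumes 0-based offsets counted in the padded file as stored on disk; the sample archive is constructed, not the challenge file.

```python
# Added example, not from the write-up: undo the 0x42 ("B") bytes inserted at
# Fibonacci offsets of the 7z file, then check the 7z signature. Assumption:
# offsets are 0-based positions in the corrupted file as stored on disk.

SEVEN_ZIP_MAGIC = b"7z\xbc\xaf\x27\x1c"  # first six bytes of every .7z archive


def fibonacci_offsets(limit):
    """Distinct Fibonacci numbers below limit: 0, 1, 2, 3, 5, 8, 13, ..."""
    offsets, a, b = set(), 0, 1
    while a < limit:
        offsets.add(a)
        a, b = b, a + b
    return sorted(offsets)


def strip_fibonacci_bytes(data, marker=0x42):
    """Drop the byte at every Fibonacci offset of data.

    Returns (cleaned, removed_offsets, unexpected_offsets). An offset whose byte
    is not the marker is still dropped but reported, so a wrong hypothesis about
    the padding pattern shows up instead of silently mangling the archive.
    """
    fib = set(fibonacci_offsets(len(data)))
    cleaned, removed, unexpected = bytearray(), [], []
    for i, byte in enumerate(data):
        if i not in fib:
            cleaned.append(byte)
            continue
        removed.append(i)
        if byte != marker:
            unexpected.append(i)
    return bytes(cleaned), removed, unexpected


def looks_like_7z(data):
    """True when data starts with the 7z signature (offsets 0-5, which the padding hides)."""
    return data[:6] == SEVEN_ZIP_MAGIC


def insert_fibonacci_bytes(data, marker=0x42):
    """Inverse of strip_fibonacci_bytes; only used to build the constructed sample."""
    fib = set(fibonacci_offsets(len(data) + 64))  # ample room for the padding
    out = bytearray()
    for byte in data:
        while len(out) in fib:  # offsets 0, 1, 2, 3 are consecutive, hence the loop
            out.append(marker)
        out.append(byte)
    return bytes(out)


# Constructed sample: real 7z magic, dummy body, padded the way the challenge file was.
SAMPLE_ORIGINAL = SEVEN_ZIP_MAGIC + bytes(range(256)) * 4
SAMPLE_CORRUPTED = insert_fibonacci_bytes(SAMPLE_ORIGINAL)
```

On a real file, read it with `open(path, "rb").read()`, pass it to `strip_fibonacci_bytes`, and only write the result back if `unexpected` is empty and `looks_like_7z` is true.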
Used "PDFStreamDumper" to view the metadata and found some strange strings.
Like this:
Li0tLi4tLS4uLS0uLi4uLi4tLS4uLi4uLi4tLS0tLi4uLi4tLS4uLi4tLS4uLi4uLi4uLS0tLS4uLS0tLS0tLi4tLS4uLS0uLi0tLi4tLS4uLi4tLS4uLi4tLS0tLS0uLi0tLi4uLS0uLi0tLS0tLS4uLi4tLS4uLi4tLS4uLS0uLi0tLS0tLi4uLS0uLi0tLi4uLi0tLi4uLi0tLi4tLS4uLS0tLS4uLgo
I figured out that when I decoded it as base64, it looked like Morse code.
Like this:
.--..--..--......--.......----.....--....--........----..------..--..--..--..--....--....------..--...--..------....--....--..--..-----...--..--....--....--..--..----...
So when you decode all 5 lines as base64 and get 5 lines of Morse-like code, you should view them as a whole.
When I searched for "." I couldn't read them,
but when I searched for "-", the flag was there.
flag: AFFCTF{IHATEMETADATA}
reference: github.com/klassiker/ctf-writeups/blob/master/2020/affinity-lite/forensics/classic-forensic.md
Used volatility with the imageinfo plugin:
volatility_2.6_win64_standalone.exe -f MEMORY.DMP imageinfo
We can see the dump file's suggested profile:
Suggested Profile(s) : Win8SP0x64, Win10x64_14393, Win81U1x64, Win2012R2x64_18340,
Win10x64_10586, Win10x64, Win2016x64_14393, Win2012R2x64, Win2012x64,
Win8SP1x64_18340, Win8SP1x64 (Instantiated with Win8SP1x64)
AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
AS Layer2 : WindowsCrashDumpSpace64 (Unnamed AS)
AS Layer3 : FileAddressSpace (C:\Users\user\Desktop\MEMORY.DMP)
PAE type : No PAE
DTB : 0xa4f000L
KDBG : 0xf80002a0e0a0L
Number of Processors : 2
Image Type (Service Pack) : 1
KPCR for CPU 0 : 0xfffff80002a0fd00L
KPCR for CPU 1 : 0xfffff880009ef000L
KUSER_SHARED_DATA : 0xfffff78000000000L
Image date and time : 2020-10-30 21:39:19 UTC+0000
Image local date and time : 2020-10-30 22:39:19 +0100
Then used pslist to check the process list:
volatility_2.6_win64_standalone.exe -f MEMORY.DMP --profile=Win8SP1x64 pslist
But the process names did not show up.
So I used dumpchk.exe:
dumpchk.exe MEMORY.DMP
And realized that it's "Win7SP1x64", not "Win8SP1x64":
Windows 7 Kernel Version 7601 (Service Pack 1) MP (2 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7601.17514.amd64fre.win7sp1_rtm.101119-1850
Machine Name:
Kernel base = 0xfffff800`0281d000 PsLoadedModuleList = 0xfffff800`02a62e90
Debug session time: Sat Oct 31 06:39:19.513 2020 (UTC + 9:00)
So when you run the command with the corrected profile:
volatility_2.6_win64_standalone.exe -f MEMORY.DMP --profile=Win7SP1x64 pslist
the process names show up too.
Used the lsadump plugin:
volatility_2.6_win64_standalone.exe -f MEMORY.DMP --profile=Win7SP1x64 lsadump
flag: AFFCTF{f0rensic_w3ll_d0n3}
reference: github.com/Red-Knights-CTF/writeups/tree/master/2020/affinity_ctf_lite/Aether%20plane%20take%20off
Downloaded the tool for decoding from here:
http://www.w1hkj.com/files/fldigi/
Follow this sequence to decode:
(1) Select mode BPSK-31
(2) Load the audio in Playback mode
(3) The flag appears in the decoded text
flag: AFFCTF{PSKPSKSPK31}