So, among all the binaries, PlaidCTF also followed the CTF tradition of hiding a stego puzzle as a forensics challenge. We had a challenge with this description:
“Meow meow mw mw m.”
In the cat.rar file we found two files:
No challenge description
This challenge can be solved by running strings on the file we received:
No challenge description.
In this challenge we got a file similar to the one from the Forensics 200 – 1 challenge. Again the same image:
No challenge description
The PNG file we can download contains the text “ONE OF THESE THINGS XS NOT LIKE THE OTHER”.
When IU, who lives in Seoul, tried an SQL Injection attack on a certain web site, the browser suddenly closed abnormally. What is the SQL Injection value she tried to enter, and when was the browser closed? The time is based on Korea Standard Time (UTC +09:00).
In order to steal financial information from Company X, IU got a job under cover. She decided to attack the CFO’s computer by inserting malicious code into it by way of social engineering. She figured out that he didn’t usually turn off his computer when he left work. After he leaves the office, she obtains financial data from his computer by searching for an EXCEL file. By checking the installed application programs, she can find the information in the file. She leaks the file externally. In order to remove all traces, she erases the malicious code, event logs and recent file list.
In Energy Corporate X, which is located in Seoul, an APT (Advanced Persistent Threat) occurred.
For 6 months, Attacker A stole critical information with an elaborate attack.
Attacker A exerted great effort to remove all his traces, such as malicious files, prefetch, registry and event logs, for the period of the attack, so it was hard for Energy Corporate X to find the attack path. However, IU, who is a forensic expert, can find the traces of the malicious files Attacker A used by analyzing the MFT (Master File Table).
What time was the malicious file created? The time is based on Korea Standard Time (UTC +09:00)
(TZD: +hh:mm or -hh:mm). Calculate down to seven decimal places.
IU is investigating a system which was contaminated by malicious code.
As a result of analyzing the timeline, it seems to have been contaminated after February 9th, 2012.
The contamination path would be from visiting a web page. IU analyses various user traces of Internet use; however, IU can’t find the malicious URL.
Maybe the traces were removed when it was contaminated. Find the correct malicious URL and the time it was contaminated. (cf. Remove http(s)://)
The time is based on Korea Standard Time (UTC +09:00).
(‘|’ is just a character)
The zip file found on the Monolith server (seemingly) contains a VMware image of Ubuntu Server 10.10.
Archive:  jhc_rc2.zip
    Length      Date    Time    Name
 ---------  ---------- -----   ----
      1298  2011-05-06 13:40   jhc_rc2/readme
1834352640  2011-05-06 17:10   jhc_rc2/Ubuntu 10.10 Server i386.vmdk
 536870912  2011-04-25 12:40   jhc_rc2/Ubuntu 10.10 Server i386.vmem
      2496  2011-05-06 17:10   jhc_rc2/Ubuntu 10.10 Server i386.vmx