26 Apr 2013

pCTF 2013 – cat_rar (forensics 150)

So, among all the binaries Plaidctf also followed the tradition in CTF to hide a stego as a forensics challenge. We had a challenge with this description:

cat_rar (150 points, forensics)
“Meow meow mw mw m.”
cat.rar

In the cat.rar file we found two files:

  • a cat.rar.jpg which seems to be an image of a cat.
  • a cat.rar.bin which seems to be an x64 ELF binary


30 Sep 2012

CSAW 2012 – Forensics 500

No challenge description

https://csawctf.poly.edu/challenges/45b963397aa40d4a0063e0d85e4fe7a1/9dc1ba24833acff030b7c85c015970c2/core

This challenge can be solved by running strings on the file we received:


30 Sep 2012

CSAW 2012 – Forensics 200 – 2

No challenge description.

https://csawctf.poly.edu/challenges/45b963397aa40d4a0063e0d85e4fe7a1/f8c64a70ad468a2fd3d9fa1e37c6b034/version2.png

In this challenge we got a similar file to the Forensics 200 – 1 challenge. Again the same image:


30 Sep 2012

CSAW 2012 – Forensics 200 – 1

No challenge description.

https://csawctf.poly.edu/challenges/45b963397aa40d4a0063e0d85e4fe7a1/961c734bdd95c5b1e06cbae8c548ac04/version1.png

The PNG file we can download contains the text “ONE OF THESE THINGS XS NOT LIKE THE OTHER”.


26 Feb 2012

CODEGATE 2012 – Forensics 200

Challenge Description

When IU, who lives in Seoul, tried a SQL injection attack on a certain web site, the browser suddenly closed abnormally. What is the SQL injection value she tried to enter, and when was the browser closed? The time is based on Korea Standard Time (UTC +09:00).

26 Feb 2012

CODEGATE 2012 – Forensics 100

Challenge Description

In order to steal financial information from Company X, IU got a job undercover. She decided to attack the CFO’s computer by inserting malicious code on it through social engineering. She found out that he did not usually turn off his computer when he left work. After he leaves the office, she obtains financial data from his computer by searching for EXCEL files. By checking the installed application programs, she can find the information in the file. She leaks the file externally. In order to remove all traces, she erases the malicious code, event logs and recent file list.

26 Feb 2012

CODEGATE 2012 – Forensics 400

Challenge description:

In Energy Corporate X, which is located in Seoul, an APT (Advanced Persistent Threat) occurred.
For 6 months, Attacker A stole critical information with an elaborate attack.
Attacker A made a great effort to remove all his traces, such as malicious files, prefetch, registry and event logs, for the period of the attack, so it was hard for Energy Corporate X to find the attack path. However, IU, who is a forensic expert, can find the traces of the malicious files Attacker A used by analyzing the MFT (Master File Table).
What time was the malicious file created? The time is based on Korea Standard Time (UTC +09:00).
Answer: YYYY-MM-DDThh:mm:ss.sTZD
(TZD: +hh:mm or -hh:mm). Calculate down to seven decimal places.


26 Feb 2012

CODEGATE 2012 – Forensics 300

Challenge description:

IU is investigating a system which was contaminated by malicious code.
As a result of analyzing the timeline, it seems to have been contaminated after February 9th 2012.
The contamination path is probably from visiting a web page. IU analyses various user traces of Internet activity; however, IU can’t find the malicious URL.
Maybe the traces were removed when it was contaminated. Find the correct malicious URL and the time it was contaminated. (cf. Remove http(s)://)
The time is based on Korea Standard Time (UTC +09:00).

Answer: malicious_URL|YYYY-MM-DDThh:mm:ss
(‘|’ is just a character)


11 Dec 2011

PHD CTF Quals 2011 – Forensics #1

The zip file found on the Monolith server (seemingly) contains a VMware image of Ubuntu Server 10.10.

Archive:  jhc_rc2.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
     1298  2011-05-06 13:40   jhc_rc2/readme
1834352640  2011-05-06 17:10   jhc_rc2/Ubuntu 10.10 Server i386.vmdk
536870912  2011-04-25 12:40   jhc_rc2/Ubuntu 10.10 Server i386.vmem
     2496  2011-05-06 17:10   jhc_rc2/Ubuntu 10.10 Server i386.vmx
