BlackHat MEA CTF Qualification 2024

Radeel Ahmad
4 min read · Nov 28, 2024


In this blog, I’m sharing two forensic challenges from the Black Hat MEA 2024 Qualification Round that really pushed me to sharpen my skills. These challenges were a great learning experience, helping me dive deeper into the field of digital forensics. The team rating is given as:

Challenge #1: Artifact (Easy)
Description:

Solution: The attached file is named “execution”. Its file type is given as:

Upon searching online and reading writeups, I figured that one way to view this registry file is to use the RegRipper tool and extract the necessary information. I searched for all the .exe entries, and the one I found interesting is given as:

This grabbed my attention because DeadPotato is a Windows privilege escalation utility, part of the well-known “Potato” family of exploits. These exploits are widely recognized for their clever methods of escalating privileges on Windows systems. After aligning the information with the required flag format, the challenge was solved!

Flag: BHFlagY{DeadPotato-NET4.exe_09/08/2024_22:42:13}

Challenge #2: NotFS (Medium)
Description:

Solution: Upon downloading and extracting the file, we get a raw disk image, which is given as follows:

The challenge description made it clear that the file needed to be repaired for proper analysis. With this in mind, I opened the image file in HxD to get a closer look and discovered the following:

There is an indication of an NTFS file system at offset 0x100000. Now, there are two solutions to this challenge, which are given as:

Solution #1: After going through numerous writeups online, I found several tools for recovering and fixing lost partitions. However, the one that stood out and worked best was TestDisk. Here’s a breakdown of the analysis:

The sector size of the Linux partition intrigued me, so I selected the partition and performed a deeper scan, which is shown as follows:

Once the deep search was complete, the next step was to change the partition type to HPFS-NTFS and then list the files to verify whether this resolved the issue. This adjustment was key in checking whether the partition was recoverable and functioning correctly. The files were listed and the following result was given:

All of the files were then copied to a separate directory, as shown below:

All the files had thumbnails, indicating they were intact — except for one: “DALL·E 2024–08–08 07.08.12 — A bustling scene at Black Hat MEA (Middle East & Africa) cybersecurity event. The image includes a large exhibition hall filled with booths from vario.png”. I opened this file in a hex editor to analyze the headers and quickly discovered that the file headers were incorrect, signaling an issue with the file. The analysis of the headers is given as:

Changing the file headers to the following gives us the flag:

Solution #2: As discussed earlier, the NTFS file system starts at offset 0x100000, so let’s try to mount that specific portion of the image. Start by mapping the disk image to the loop device loop1 as follows:

sudo losetup /dev/loop1 Chall.img

Now that loop1 is mapped, let’s mount the loop device from the specified offset 0x100000 and list the files, as follows:

sudo mount -o loop,offset=$((0x100000)) /dev/loop1 /mnt/

Repeat the process of header correction here and retrieve the flag!
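As an added example (not part of the original writeup), the following script automates the two manual steps above: it scans a raw image for NTFS boot sectors, the way the 0x100000 offset was spotted in HxD, and it checks and restores a damaged PNG signature like the one fixed in the hex editor. The image and the broken PNG header are constructed in the script, and the repair assumes only the 8 signature bytes were damaged while the IHDR chunk that follows is intact.

```python
"""Locate NTFS boot sectors in a raw image and repair a PNG file signature.
Added example; sample data below is constructed, not from the challenge."""
import struct

NTFS_OEM = b"NTFS    "            # OEM ID found at byte 3 of an NTFS boot sector
PNG_SIG = b"\x89PNG\r\n\x1a\n"    # the fixed 8-byte PNG file signature


def find_ntfs_offsets(image: bytes, sector: int = 512):
    """Return (byte_offset, bytes_per_sector) for every sector that carries the
    NTFS OEM ID and the 0x55AA boot signature; the offset feeds mount -o offset=."""
    hits = []
    for off in range(0, len(image) - sector + 1, sector):
        s = image[off:off + sector]
        if s[3:11] == NTFS_OEM and s[510:512] == b"\x55\xaa":
            bps = struct.unpack_from("<H", s, 11)[0]   # BPB: bytes per sector
            hits.append((off, bps))
    return hits


def repair_png_signature(data: bytes):
    """Restore the PNG signature when the first 8 bytes are wrong but an IHDR
    chunk sits at offset 12 as it must; returns (data, changed)."""
    if data[:8] == PNG_SIG:
        return data, False
    if data[12:16] == b"IHDR":
        return PNG_SIG + data[8:], True
    raise ValueError("not a PNG: no IHDR chunk at offset 12")


def build_sample_image() -> bytes:
    """Constructed 2 MiB image: zeros with one NTFS boot sector at 0x100000."""
    img = bytearray(0x200000)
    boot = bytearray(512)
    boot[0:3] = b"\xeb\x52\x90"            # jump instruction seen on real NTFS
    boot[3:11] = NTFS_OEM
    struct.pack_into("<H", boot, 11, 512)  # bytes per sector
    boot[510:512] = b"\x55\xaa"
    img[0x100000:0x100200] = boot
    return bytes(img)


if __name__ == "__main__":
    for off, bps in find_ntfs_offsets(build_sample_image()):
        print(f"NTFS boot sector at 0x{off:x}, {bps} bytes/sector")
    # constructed PNG whose signature was overwritten with zeros
    broken = b"\x00" * 8 + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17
    fixed, changed = repair_png_signature(broken)
    print("signature repaired:", changed, fixed[:8])
```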

Flag: BHFlagY{8bd8dc3ea7636c5fb8aeb}

Written by Radeel Ahmad

V3c70r --- In Air University Islamabad --- Bs Cyber Security --- https://radeel.vercel.app/
