Noob security stuff

ECSC/DG'hAck 2023 - Empire C2

At ECSC, HTB created a challenge requiring the decryption of Empire C2 communication using a PowerShell process dump and a Wireshark capture. A month later, during the DG’hAck CTF, another similar challenge was proposed (the authors weren’t aware of the previous challenge release). It was more realistic as it provided the memory dump of the complete computer.

PwnMe2023 - Compromised

I found that the idea of using ntds.dit to find persistence was very original. First, we have to convert the provided ETL file to PCAP format. Then, we extract the files contained in the SMB frames. Three files are relevant here: the SYSTEM hive, ntds.dit, and ticket.kirbi. By decrypting the ticket file, we can identify the first persistence technique, which is a diamond ticket. Afterward, we mount ntds.dit and parse it with AdTimeline to extract Active Directory replication metadata. With the result, we discover that the Logon Script, Shadow Credentials and krbtgt delegation persistence techniques have been used.

FCSC2023 - APT Style

This challenge of the FCSC was divided into 7 parts. It was not the hardest but a very cool one. We had to find a persistence mechanism within a Windows installation ISO. Then we had to deobfuscate a PowerShell script, retrieve a binary that was no longer available on GitHub, and reverse it to find C2 connection information.

FCSC2023 - Ransomémoire

This challenge of the FCSC in the forensic category was divided into 4 parts. Looking back, this was the hardest one I found in this category. Firstly, it was necessary to retrieve fairly basic information about the system from a memory dump. Then, we had to find a deleted file and decrypt it by reversing the code of a malicious executable. Next, we tried to recover information about C2 Meterpreter communications. Finally, we had to find the connection information of the C2.