[SECCON CTF 2016] FORENSIC 100p MEMORY ANALYSIS

In this challenge, we have a raw memory file and some hints, so let’s check it in Volatility.

Screenshot from 2016-12-11 06-03-11.png

It’s WinXP, and according to the description we have to find the website accessed from svchost, so let’s try to check it.

Screenshot from 2016-12-11 06-07-21.png

I really didn’t know what to do until hint 2 was shown. We all know the hosts file lives in C:\Windows\System32\drivers\etc, and I got:

Screenshot from 2016-12-11 06-09-24.png

Let’s extract it and see what it contains:

Screenshot from 2016-12-11 06-43-57.png

Screenshot from 2016-12-11 06-14-23.png

So the website we need to find is crattack.tistory.com, but opening it failed, so I had to dig deeper.

Seriously, I didn’t know what to do, and luckily I remembered the strings command:

Screenshot from 2016-12-11 06-51-34.png


I paid attention to the website http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd because it appears many times and is preceded by the word "visited", so I’m very sure it’s the website we need to find. It has the IP 175.126.170.110. Remember the hosts file? Let’s change it a little bit.
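As an added example (not part of the original writeup), here is a small Python script that automates the reasoning in this step: it parses a hosts file for names pinned to non-loopback addresses, counts URLs that follow the word "visited" in raw bytes the way a `strings` pass surfaces them, and pairs the two. The hosts text and the memory fragment are constructed samples built around the hostname and IP named above.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed hosts-file text (hypothetical): the crattack.tistory.com entry
# mirrors the redirect the writeup ends up with; the rest are Windows defaults.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
175.126.170.110 crattack.tistory.com
"""
# Constructed stand-in for raw memory: URL history records, each preceded by
# the word "visited", mixed with unrelated bytes.
SAMPLE_DUMP = (
    b"\x00Visited: user@http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd\x00"
    b"noise\x00visited http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd\x00"
    b"http://example.invalid/other\x00"
)
# "visited", optional junk, then a printable-ASCII URL.
URL_RE = re.compile(rb"visited[^h]*?(https?://[\x21-\x7e]+)", re.IGNORECASE)

def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, ignoring comments."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            ip, *names = line.split()
            entries.extend((ip, name) for name in names)
    return entries

def redirected_hosts(text):
    """Hostnames pinned to a non-loopback address: the entries that bypass DNS."""
    return {name: ip for ip, name in parse_hosts(text)
            if not ipaddress.ip_address(ip).is_loopback}

def visited_urls(blob):
    """Count each URL that follows 'visited' in raw bytes (repeat hits matter)."""
    counts = {}
    for m in URL_RE.finditer(blob):
        url = m.group(1).decode("ascii")
        counts[url] = counts.get(url, 0) + 1
    return counts

def correlate(hosts_text, blob):
    """Map each visited URL whose host is pinned in hosts to (ip, hit count)."""
    pinned = redirected_hosts(hosts_text)
    return {url: (pinned[urlparse(url).hostname], n)
            for url, n in visited_urls(blob).items()
            if urlparse(url).hostname in pinned}
```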

Screenshot from 2016-12-11 07-06-21.png

FLAG is: SECCON{_h3110_w3_h4ve_fun_w4rg4m3_}

[Junior CTF 2016] FORENSIC 400p Dirty repo

In this challenge, we have a .tar.gz file. When I extracted it, I got 20 .tar.gz files. I used binwally.py to find the differences.

First, I checked the differences between comp_1 and comp_2:

1.png

2.png

comp_1 vs comp_3 and comp_1 vs comp_4 give the same result, but comp_1 and comp_5 differ:

3.png

Let’s check it out:

4.png

So the difference is in forward.c. I checked it and got the flag:

5.png

FLAG is: gRunCle_StAn_tHe_woRsT_coDeR