
Magnet Virtual Summit CTF 2023 - PC Writeup

Info

Link: https://www.magnetforensics.com/blog/announcing-the-mvs-2023-ctf-winners-and-a-new-ctf-challenge/

Problem: There’s a Windows physical image to analyze and a series of questions to answer.

1. Gmail? Outlook? Yeah, right..

Prompt: What non-standard email service has the user used previously?

After running Autopsy’s ingest modules on the E01, I noticed in Data Artifacts -> Web Form Autofill a Chrome autofill entry with value MichaelKBorchardt@protonmail.com, indicating the user had a Protonmail account.

Protonmail Autofill

Answer: Protonmail

2. Two different versions, twice the emulation power! Makes sense to me!

Prompt: The user installed and ran a mobile device emulation program on their system. Which 2 versions of this software did the user install? (Format: SoftwareName V1/V2)

Navigating in Autopsy to Data Artifacts -> Installed Programs gives an entry for BlueStacks 5 from the SOFTWARE registry hive, which a quick Google verifies to be a mobile emulation program.

BlueStacks 5

But in C:\Program Files (x86) there’s a folder BlueStacks X. So the answer is BlueStacks 5/X.

Answer: BlueStacks 5/X

3. LITEning fast write speeds!

Prompt: The user’s system is equipped with a 256GB NVMe SSD. What is the make and model of this drive?

I start inspecting the SYSTEM hive (C:\Windows\System32\config\) in Autopsy and look at the usual suspects for device information. I come to the ControlSet001\Enum\SCSI key and see a subkey Disk&Ven_NVMe&Prod_LITEON_CA1-8D256. Hmm…NVMe, LITEON, this could be the drive we’re looking for. Clicking on the subkey displays Autopsy’s aggregated information on the drive, including the FriendlyName: LITEON CA1-8D256-HP.

Enum/SCSI key

Answer: LITEON CA1-8D256-HP

4. Really…? Plaintext…?

Prompt: The user frequently accesses a Chrome Remote Desktop virtual machine. What password is used to log into this VM?

There’s a file on the user’s Desktop called Employee Logins.txt which contains the password to the Google VM: ,a]JEU0yG^+]2O].

VM Password

Answer: ,a]JEU0yG^+]2O]

5. Why was 6 afraid of 7? Because 7 can unarchive virtual drives!

Prompt: Within the past 2 years, a popular unarchiving program gained the ability to unarchive VHDX virtual disk images. What version of the program was this upgrade implemented?

In C:\Program Files\ there’s a folder 7-Zip corresponding to the 7-Zip archiving application. In this folder there’s a file History.txt that contains version history for 7-Zip. Extracting and running a grep (grep -B 3 VHDX History.txt) reveals this feature was implemented in version 21.07.
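The grep above works because 7-Zip’s History.txt is a predictable text format: a release header line (version and date), a dashed rule, then one "- " entry per change, newest release first. Here is an added example (not code from the post or from the 7-Zip project) that parses that layout and returns the oldest release whose changelog mentions a keyword, which is the release that introduced the feature even when later releases mention it again. The excerpt embedded below is constructed in the file’s layout; its wording is not copied from the image’s History.txt.

```python
import re

# Constructed excerpt laid out like 7-Zip's History.txt (newest release first:
# a "VERSION  DATE" header, a dashed rule, then "- " entries, with long entries
# wrapped onto indented lines). The wording is constructed for this example.
SAMPLE_HISTORY = """\
HISTORY of the 7-Zip
--------------------

22.01          2022-07-15
-------------------------
- 7-Zip now can unpack VHDX images with some unsupported
  block sizes.
- Some bugs were fixed.

21.07          2021-12-26
-------------------------
- 7-Zip now can unpack VHDX disk images.
- Some bugs were fixed.

21.06          2021-11-24
-------------------------
- The bug in 21.05 was fixed.
"""

# Release header: "21.07          2021-12-26"
VERSION_RE = re.compile(r"^(\d+\.\d+)\s+(\d{4}-\d{2}-\d{2})\s*$")


def parse_history(text):
    """Return [(version, date, [entries]), ...] in file order (newest first).

    Wrapped entry lines (indented continuations) are joined onto the entry they
    belong to, so keyword matching sees the whole sentence.
    """
    releases = []
    entries = None
    for line in text.splitlines():
        m = VERSION_RE.match(line)
        if m:
            entries = []
            releases.append((m.group(1), m.group(2), entries))
        elif entries is None:
            continue  # preamble before the first release header
        elif line.startswith("- "):
            entries.append(line[2:].strip())
        elif line.startswith("  ") and entries:
            entries[-1] += " " + line.strip()
    return releases


def feature_introduced_in(text, keyword):
    """Return (version, date) of the oldest release whose entries mention keyword.

    Newer releases may mention the same feature again (fixes, extensions), so the
    introducing release is the last match when walking newest-first.
    """
    hit = None
    needle = keyword.lower()
    for version, date, entries in parse_history(text):
        if any(needle in entry.lower() for entry in entries):
            hit = (version, date)
    return hit


if __name__ == "__main__":
    print(feature_introduced_in(SAMPLE_HISTORY, "VHDX"))
```

Against a real extracted History.txt, read the file and pass its contents to feature_introduced_in; the keyword search is case-insensitive, so "vhdx" and "VHDX" behave the same.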

7z History

Answer: 21.07

6. We’re not in Kansas anymore…

Prompt: The user has established an RDP connection to one destination more than any other. What is the Geolocation of this destination? (Format: City, ST)

I extract C:\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-RDPClient%4Operational.evtx which contains Windows RDP logs, and open it in Event Viewer. The events indicate the user tried to connect to two different IPs: 34.162.141.21, and more prevalently, 34.162.97.100.
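Event Viewer is fine for a handful of records, but tallying destinations across a busy RDPClient log is easier in code. The following is an added example, not code from the post: it walks an XML export of the log, keeps the event ID 1024 connection-attempt records, and counts how often each destination appears. The records embedded here are constructed; the assumption that the 1024 event carries its target in a Data element named "Value" is mine, so confirm the field name against a real export before relying on it.

```python
import xml.etree.ElementTree as ET
from collections import Counter

EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"

# Constructed XML export of four records in the shape of
# Microsoft-Windows-TerminalServices-RDPClient/Operational. Event ID 1024
# ("RDP ClientActiveX is trying to connect to the server (...)") is assumed
# here to carry the target in a Data element named "Value". Addresses,
# timestamps and the hash placeholder are sample values, not the real log.
SAMPLE_EVENTS = f"""<Events xmlns="{EVT_NS}">
<Event><System><Provider Name="Microsoft-Windows-TerminalServices-RDPClient"/><EventID>1024</EventID><TimeCreated SystemTime="2023-01-10T14:02:11.000Z"/></System>
<EventData><Data Name="Name">RDP ClientActiveX is trying to connect to the server</Data><Data Name="Value">34.162.97.100</Data></EventData></Event>
<Event><System><Provider Name="Microsoft-Windows-TerminalServices-RDPClient"/><EventID>1029</EventID><TimeCreated SystemTime="2023-01-10T14:02:12.000Z"/></System>
<EventData><Data Name="TraceMessage">Base64(SHA256(UserName)) is = EXAMPLEHASH=</Data></EventData></Event>
<Event><System><Provider Name="Microsoft-Windows-TerminalServices-RDPClient"/><EventID>1024</EventID><TimeCreated SystemTime="2023-01-11T09:30:45.000Z"/></System>
<EventData><Data Name="Name">RDP ClientActiveX is trying to connect to the server</Data><Data Name="Value">34.162.141.21</Data></EventData></Event>
<Event><System><Provider Name="Microsoft-Windows-TerminalServices-RDPClient"/><EventID>1024</EventID><TimeCreated SystemTime="2023-01-12T16:17:03.000Z"/></System>
<EventData><Data Name="Name">RDP ClientActiveX is trying to connect to the server</Data><Data Name="Value">34.162.97.100</Data></EventData></Event>
</Events>"""


def _tag(name):
    """Qualify an element name with the Windows event XML namespace."""
    return f"{{{EVT_NS}}}{name}"


def rdp_connection_attempts(xml_text, event_id="1024"):
    """Yield (timestamp, destination) for every connection-attempt record."""
    root = ET.fromstring(xml_text)
    for event in root.iter(_tag("Event")):
        system = event.find(_tag("System"))
        if system is None or system.findtext(_tag("EventID")) != event_id:
            continue  # other RDPClient events (e.g. 1029 username hash) are skipped
        time_el = system.find(_tag("TimeCreated"))
        when = time_el.get("SystemTime") if time_el is not None else None
        for data in event.iter(_tag("Data")):
            if data.get("Name") == "Value" and data.text:
                yield when, data.text.strip()


def destination_counts(xml_text):
    """Count how often each RDP destination appears in connection attempts."""
    return Counter(dest for _, dest in rdp_connection_attempts(xml_text))


def most_contacted_destination(xml_text):
    """Destination with the most connection attempts, or None if there are none."""
    counts = destination_counts(xml_text)
    return counts.most_common(1)[0][0] if counts else None


if __name__ == "__main__":
    for dest, n in destination_counts(SAMPLE_EVENTS).most_common():
        print(f"{dest}: {n} attempt(s)")
```

To produce the XML from the extracted .evtx on a Windows analysis box, `wevtutil qe <file.evtx> /lf:true /f:xml` prints the records; wrap that output in a single root element before handing it to ET.fromstring, since it is a bare sequence of Event elements.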

Event Viewer

Looking up the IP on https://www.maxmind.com/en/geoip-demo shows the IP originates in Columbus, OH.

Maxmind

Answer: Columbus, OH

7. Make sure to keep some tabs on that SysAdmin from Southern California

Prompt: The user visited the Mastodon page of one user more than any others on the platform. What is the full legal name of the user Michael visited?

In Autopsy, I look through Data Artifacts -> Web History and notice the only profile visits are to https://mastodon.social/@scriptingosx@mastodon.social.

Mastodon History

Following the URL to the profile, there’s a link to the user’s LinkedIn, and there we get the full name: Armin Briegel.

Mastodon Profile

LinkedIn

Answer: Armin Briegel

8. We have a History of attracting some sizeable donors with our projects

Prompt: Michael used PowerShell to clone a particular GitHub utility. What is the account name of one of this repo’s most prominent sponsors?

PowerShell history can be found in C:\Users\borch\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt. The first commands are cloning the repository at https://github.com/LSPosed/MagiskOnWSALocal.git.
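ConsoleHost_history.txt is plain text, one command per line, but PSReadLine stores a multi-line command as lines ending in a backtick continuation, so a naive line-by-line read splits those commands apart. This added example (not from the post) re-joins continued lines and then pulls the repository argument out of every `git clone` invocation, skipping options such as `--depth 1`. The history content embedded below is constructed; the MagiskOnWSALocal URL is the one named in the writeup, the second repository URL is a placeholder.

```python
import re

# Constructed ConsoleHost_history.txt content (not the image's real history).
# PSReadLine writes one command per line and stores a multi-line command as
# lines ending in a backtick continuation character. The second clone URL is
# a placeholder, not a real project.
SAMPLE_PS_HISTORY = """\
git clone https://github.com/LSPosed/MagiskOnWSALocal.git
cd .\\MagiskOnWSALocal\\
Get-ChildItem -Recurse `
  -Filter *.ps1
git clone --depth 1 https://github.com/example-org/example-tool.git tools
"""

# Tokens that look like a repository argument: URL schemes, scp-style, or *.git
URL_LIKE = re.compile(r"^(?:https?://|ssh://|git@)|\.git$")


def parse_psreadline_history(text):
    """Return the list of commands, re-joining backtick-continued lines."""
    commands = []
    pending = []
    for line in text.splitlines():
        if not line.strip() and not pending:
            continue  # blank line between commands
        if line.rstrip().endswith("`"):
            pending.append(line.rstrip()[:-1])  # drop the continuation mark
            continue
        pending.append(line)
        commands.append("\n".join(pending))
        pending = []
    if pending:  # file ended inside a continuation
        commands.append("\n".join(pending))
    return commands


def cloned_repositories(commands):
    """Extract the repository argument of every `git clone` invocation."""
    repos = []
    for cmd in commands:
        tokens = cmd.split()
        for i in range(len(tokens) - 1):
            if tokens[i] == "git" and tokens[i + 1] == "clone":
                # first token after "clone" that looks like a repo URL/path
                for tok in tokens[i + 2:]:
                    if URL_LIKE.search(tok):
                        repos.append(tok)
                        break
    return repos


if __name__ == "__main__":
    cmds = parse_psreadline_history(SAMPLE_PS_HISTORY)
    print(f"{len(cmds)} commands; cloned: {cloned_repositories(cmds)}")
```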

PowerShell History

Navigating to the repo, there’s one entry for Sponsors: yujincheng08.

Github Repo

Answer: yujincheng08

9. Scratch that Itch.io

Prompt: The user viewed a YouTube video by the creator BenBonk surrounding video game developers. Within this video, how many developers were involved with the project?

Looking back at Autopsy’s Data Artifacts -> Web History, there are three entries for YouTube videos with titles about game developers.

YouTube URLs

Of those videos, only the third one was created by BenBonk. Per the title, 20 developers were involved.

Answer: 20

10. The breakfast bell is ringing

Prompt: The user has been doing some research lately on fast food items. What is, according to some experts, the unhealthiest food item of the bunch?

Still in Autopsy’s Data Artifacts -> Web History, there’s a YouTube video entitled ‘Ranking the “Healthiest” Taco Bell Items.’

Taco Bell Video

The unhealthiest item they ranked in the video was the Breakfast Crunchwrap Sausage Supreme.

Answer: Breakfast Crunchwrap Sausage Supreme

11. Gotta Git going fast with some Accelrated emulation!

Prompt: In order to emulate an Android device, the user required some specialized management tools. What Android port is used by default with these services?

In Autopsy, under Data Artifacts -> Installed Programs there’s an entry for WSA PacMan, which is a package manager for Windows Subsystem for Android.

WSA PacMan

I followed the first link from my preliminary Google search to the Github repository (https://github.com/alesimula/wsa_pacman), and the README listed the default port as 58526.

WSA PacMan README

Answer: 58526

12. Oh Deer…I think we’re lost

Prompt: Michael lives just a mile south of a beautiful body of water. What is the name of this body of water?

One of the first autofill entries in Data Artifacts -> Web Form Autofill gives the first line of an address, from the Chrome Default profile.

Address Autofill

I plug this address into Google Maps and see it’s just below a river called Deer Creek.

Google Maps Address

Answer: Deer Creek

13. PCA – Program Clang Assistant?

Prompt: The user has installed Android Studio with a specialized plugin dedicated to diagnosing and fixing some programming errors. When this plugin runs, what exit code is used upon completion?

I struggled a lot with this one, and ultimately had to consult Kevin Pagano’s writeup, but on the upside, I learned about a new forensic artifact I’m positive I wouldn’t have found on my own: the Program Compatibility Assistant described in this blog by Andrew Rathbun and Lucas Gonzalez. Within C:\Windows\appcompat\pca are three files that provide evidence for application execution: PcaAppLaunchDic.txt, PcaGeneralDb0.txt, and PcaGeneralDb1.txt. The first provides file paths and timestamps, and the second and third provide more detailed information such as runtime, run status, execution path, software vendor… and the exit code value we’re looking for.

There are many executions listed in PcaGeneralDb0.txt, but significantly, there’s evidence of an Android Studio plugin named clang-tidy.exe, which turns out to be a C++ linter.

PcaGeneralDb0.txt

The program continually exits with code 0xc0000135.
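Because the PCA files are pipe-delimited text, a short script can summarise them far faster than scrolling: group the PcaGeneralDb records by executable, count the exit codes each one produced, and join against PcaAppLaunchDic for the last launch time. The following is an added example, not code from the post or from the Rathbun/Gonzalez research. The column order I use for PcaGeneralDb0.txt is an assumption chosen to match the fields the writeup lists (runtime, run status, path, vendor, exit code); verify it against the real file before trusting the indexes. All sample lines, paths and program IDs below are constructed.

```python
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

# Assumed pipe-delimited column order for PcaGeneralDb*.txt (matches the fields
# the writeup describes; check against a real file before relying on it).
PCA_GENERAL_COLUMNS = ["run_time", "record_type", "path", "product",
                       "company", "version", "program_id", "exit_code"]

# Constructed sample records; paths and program IDs are placeholders.
SAMPLE_PCA_GENERAL = """\
2023-02-01 10:15:02.471|AbnormalProcessExit|C:\\EXAMPLE\\AndroidStudio\\plugins\\clang-tidy.exe|clang-tidy|LLVM|15.0.0|0006exampleprogramid|0xc0000135|
2023-02-01 10:15:09.112|AbnormalProcessExit|C:\\EXAMPLE\\AndroidStudio\\plugins\\clang-tidy.exe|clang-tidy|LLVM|15.0.0|0006exampleprogramid|0xc0000135|
2023-02-02 08:40:33.900|AbnormalProcessExit|C:\\EXAMPLE\\Tools\\setup-helper.exe|Setup Helper|Example Co|2.1|0006exampleprogramid2|0xc0000409|
2023-02-02 08:41:00.005|AbnormalProcessExit|C:\\EXAMPLE\\AndroidStudio\\plugins\\clang-tidy.exe|clang-tidy|LLVM|15.0.0|0006exampleprogramid|0xc0000135|
"""

# Constructed PcaAppLaunchDic.txt lines: "path|last launch timestamp".
SAMPLE_PCA_LAUNCH = """\
C:\\EXAMPLE\\AndroidStudio\\plugins\\clang-tidy.exe|2023-02-02 08:41:00.005
C:\\EXAMPLE\\Tools\\setup-helper.exe|2023-02-02 08:40:33.900
"""

# A few NTSTATUS values that commonly appear as PCA exit codes.
NTSTATUS_NAMES = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC000013A: "STATUS_CONTROL_C_EXIT",
    0xC0000135: "STATUS_DLL_NOT_FOUND",
    0xC0000409: "STATUS_STACK_BUFFER_OVERRUN",
}


def parse_pca_general(text):
    """Parse PcaGeneralDb*.txt-style lines into dicts keyed by PCA_GENERAL_COLUMNS."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("|")
        if len(fields) < len(PCA_GENERAL_COLUMNS):
            continue  # malformed or truncated line; skip rather than misalign
        records.append(dict(zip(PCA_GENERAL_COLUMNS, fields)))
    return records


def parse_pca_launch_dic(text):
    """Parse PcaAppLaunchDic.txt-style lines into {path: last_launch}."""
    launches = {}
    for line in text.splitlines():
        if "|" in line:
            path, _, when = line.rpartition("|")  # paths never contain '|'
            launches[path] = when
    return launches


def exit_codes_by_program(records):
    """{executable name: Counter(exit_code)} so repeated failures stand out."""
    summary = defaultdict(Counter)
    for rec in records:
        name = PureWindowsPath(rec["path"]).name
        summary[name][rec["exit_code"].lower()] += 1
    return summary


def describe_exit_code(code):
    """Map a hex exit-code string to its NTSTATUS name where known."""
    try:
        return NTSTATUS_NAMES.get(int(code, 16), "unknown")
    except ValueError:
        return "unparseable"


if __name__ == "__main__":
    launches = parse_pca_launch_dic(SAMPLE_PCA_LAUNCH)
    for name, codes in exit_codes_by_program(parse_pca_general(SAMPLE_PCA_GENERAL)).items():
        for code, n in codes.items():
            print(f"{name}: {code} ({describe_exit_code(code)}) x{n}")
```

0xC0000135 is the NTSTATUS value STATUS_DLL_NOT_FOUND, which fits a plugin binary that fails on every launch because a dependency it expects is missing. When reading the real files from the image, open them with the encoding they actually use (check for a byte-order mark) before passing the text to these parsers.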

Answer: 0xc0000135

Debrief

This CTF was interesting, to say the least. I pretty much breezed through the first 12 questions, and my confidence soared to new heights. And then 13 hit me like a truck. I think this was the best outcome, though: I feel assured that I’m most comfortable with Windows, but I also am glad to have learned something new along the way.

This post is licensed under CC BY 4.0 by the author.