Blackhat MEA CTF 2022

My write-ups to all Digital Forensics & Reverse challenges in Blackhat MEA CTF 2022



In this CTF our team finished in 29th place, thanks to good work and speed in solving the challenges.
  • Name : Bus
  • Category: DIGITAL FORENSIC
  • Level: Medium
  • Flag : BlackHatMEA{Modbus_is_easy_after_all!}

We have established our communication protocol, and it is in the testing phase. The message transmission is secure and can't be retrieved. It's up to you to tell us how secure it is.

SOLUTION
  • the pcap file looked like this (I used "modbus" as the display filter):
  • I noticed some important points:
    1- the Modbus data field (modbus.data) is always 0000 or ff00. In a Write Single Coil request these are the only two legal values: ff00 switches the coil ON and 0000 switches it OFF, so every packet carries exactly one bit
    2- the TCP port is not constant across the capture, but a Modbus/TCP server listens on port 502, so the original messages are the ones sent to destination port 502 (filtering on that keeps one frame per bit and drops everything travelling the other way):

  • so I used tshark to extract the data field of those packets:
  • I replaced every 0000 with 0 and every ff00 with 1, which turns the capture into a bit string:
  • then I used CyberChef (the From Binary operation) to turn the bits back into text:
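The whole pipeline above (port filter, ff00/0000 mapping, bits to text) as one added Python example. This is not code from the write-up: the challenge pcap is not on this page, so the block constructs its own sample traffic (Write Single Coil requests for each bit of a short string, each one echoed back by the server the way a Modbus/TCP server answers function code 5), then recovers the text from it. The bit order (MSB first) and the client port number are assumptions.

```python
import struct

MODBUS_PORT = 502            # Modbus/TCP server port; only frames sent here are requests
FC_WRITE_SINGLE_COIL = 0x05  # function code 5: the data field is ff00 (ON) or 0000 (OFF)
COIL_ON, COIL_OFF = 0xFF00, 0x0000


def build_coil_write(txid, address, on, unit=1):
    """Build one Modbus/TCP Write Single Coil request: MBAP header + PDU."""
    pdu = struct.pack(">BHH", FC_WRITE_SINGLE_COIL, address, COIL_ON if on else COIL_OFF)
    mbap = struct.pack(">HHHB", txid, 0, len(pdu) + 1, unit)  # length counts unit id + PDU
    return mbap + pdu


def text_to_capture(text, client_port=49152):
    """Constructed sample traffic: each bit of the text (MSB first, an assumption) becomes one
    coil write, and the server echoes every request, which is what a real server does for FC 5."""
    packets, txid = [], 0
    for byte in text.encode("ascii"):
        for shift in range(7, -1, -1):
            frame = build_coil_write(txid, txid, (byte >> shift) & 1)
            packets.append((client_port, MODBUS_PORT, frame))  # request: client -> server
            packets.append((MODBUS_PORT, client_port, frame))  # response: echoed back
            txid += 1
    return packets


def parse_frame(frame):
    """Split a Modbus/TCP frame into (transaction id, function code, data bytes)."""
    txid, proto, length, _unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("malformed MBAP header")
    return txid, frame[7], frame[8:]


def extract_coil_bits(packets):
    """The tshark step: keep only frames sent to port 502, map ff00 -> 1 and 0000 -> 0."""
    bits = []
    for _src, dst, payload in packets:
        if dst != MODBUS_PORT:
            continue
        _txid, func, data = parse_frame(payload)
        if func != FC_WRITE_SINGLE_COIL:
            continue
        _address, value = struct.unpack(">HH", data)
        if value == COIL_ON:
            bits.append(1)
        elif value == COIL_OFF:
            bits.append(0)
        else:  # the spec allows no other value, so anything else is not a coil write
            raise ValueError(f"illegal coil value {value:#06x}")
    return bits


def bits_to_text(bits):
    """The CyberChef 'From Binary' step: pack bits MSB-first into bytes."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        out.append(int("".join(map(str, bits[i:i + 8])), 2))
    return out.decode("ascii", errors="replace")


def recover_message(packets):
    return bits_to_text(extract_coil_bits(packets))


if __name__ == "__main__":
    capture = text_to_capture("Modbus")
    print(recover_message(capture))  # prints Modbus
```

Without the destination-port filter every bit would be counted twice (request plus echoed response) and the decoded text would be garbage, which is the point of step 2 above.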
  • Name : MEM
  • Category: DIGITAL FORENSIC
  • Level: Medium
  • Flag : BlackHatMEA{Password_hints_are_the_retrievable}

My work PC has suddenly crashed. I can no longer retrieve my secret file, and I don't remember the password. It is a hard password and securely generated, but I saved it locally. Can you help me recover the content?

SOLUTION
  • it is a raw memory image, so I used Volatility:
  • then I started running some plugins
  • when I used the filescan plugin, I found "flag.rar":
  • so I dumped it (dumpfiles), but I could not open it because it is password protected:
  • so I started using other plugins to search for the password, and I found it in the output of the envars plugin (the environment variables of the running processes)
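An added triage script for this workflow, not code from the write-up: given the text output of the filescan and envars plugins (the two constructed samples below imitate the Volatility column layout; they are not taken from the challenge image), it lists archive files worth dumping and ranks environment values that look like a generated password. The thresholds (length, three character classes, entropy of 3.5 bits per character) are assumptions chosen for this example.

```python
import math
import re

# Constructed samples in the Volatility column layout (filescan: Offset #Ptr #Hnd Access Name;
# envars: Pid Process Block Variable Value). Not taken from the challenge memory image.
SAMPLE_FILESCAN = """\
Offset(P)            #Ptr   #Hnd Access Name
------------------ ------ ------ ------ ----
0x000000003e1a5f20     16      0 R--r-d \\Device\\HarddiskVolume2\\Windows\\System32\\ntdll.dll
0x000000003e2c0ab0      2      1 RW-rw- \\Device\\HarddiskVolume2\\Users\\user\\Desktop\\flag.rar
0x000000003e3d1c70      8      0 R--r-- \\Device\\HarddiskVolume2\\Users\\user\\Documents\\notes.txt
"""

SAMPLE_ENVARS = """\
Pid      Process              Block      Variable                       Value
-------- -------------------- ---------- ------------------------------ -----
    1812 explorer.exe         0x00a20d00 COMPUTERNAME                   WORKPC
    1812 explorer.exe         0x00a20d00 Path                           C:\\Windows\\system32;C:\\Windows
    1812 explorer.exe         0x00a20d00 TEMP                           C:\\Users\\user\\AppData\\Local\\Temp
    1812 explorer.exe         0x00a20d00 BACKUP_PASS                    q7#Rk2!vLp9$Wz3m
    2204 cmd.exe              0x00c10a00 USERNAME                       user
"""

ARCHIVE_EXTS = (".rar", ".zip", ".7z", ".kdbx")


def interesting_files(filescan_text, exts=ARCHIVE_EXTS):
    """Return (offset, path) for every filescan line whose extension is worth dumping."""
    hits = []
    for line in filescan_text.splitlines():
        m = re.match(r"\s*(0x[0-9a-fA-F]+)\s.*?(\\\S+)$", line)
        if m and m.group(2).lower().endswith(exts):
            hits.append((int(m.group(1), 16), m.group(2)))
    return hits


def shannon_entropy(s):
    """Bits of entropy per character; a generated password scores near log2(distinct chars)."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))


def looks_generated(value, min_len=10, max_len=64):
    """Heuristic (assumed thresholds) for a 'securely generated' secret: sane length, at least
    three character classes, high entropy, and none of the separators found in paths/lists."""
    if not min_len <= len(value) <= max_len or any(c in value for c in "\\/;:"):
        return False
    classes = sum(bool(re.search(p, value)) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    return classes >= 3 and shannon_entropy(value) >= 3.5


def candidate_passwords(envars_text):
    """Return (pid, process, variable, value) for environment values that look like secrets."""
    out = []
    for line in envars_text.splitlines():
        parts = line.split(None, 4)          # the Value column may itself contain spaces
        if len(parts) < 5 or not parts[0].isdigit():
            continue                          # header, separator or truncated line
        pid, process, _block, variable, value = parts
        if looks_generated(value):
            out.append((int(pid), process, variable, value))
    return out


if __name__ == "__main__":
    print(interesting_files(SAMPLE_FILESCAN))
    print(candidate_passwords(SAMPLE_ENVARS))
```

The offset returned by interesting_files is the value dumpfiles needs to extract that file object; the password candidates are what you try against the archive first.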
  • Name : registry
  • Category: Reverse Engineering
  • Level: Medium
  • Flag : Flag{3mbed_ex3_1n_s3lf_3xecut1ng_r3g_f1le}


SOLUTION
  • it is a .reg file, so I used FLARE-VM:
  • I started by opening the .reg file to read its contents
  • I saw some PowerShell in it (the script writes a file with a .exe extension into the temp folder and adds a value to the registry):
  • I looked at the temp folder first, so that I could compare it before and after merging the file
  • then I merged the file
  • then I went to the registry location referenced in the PowerShell script, and there was a new RunOnce entry named "startup_entry"
  • since RunOnce entries execute at the next logon, I decided to restart FLARE-VM
  • I noticed a new file in the temp folder, with the .exe extension
  • so I opened this file in IDA Pro
  • and I found the flag
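Merging the file and rebooting works in a throwaway VM, but the same facts can be read statically. As an added example (not code from the write-up, and the challenge .reg file is not on this page), the block below parses a constructed .reg export, decodes REG_SZ, REG_EXPAND_SZ (hex(2)), dword and hex values, and flags Run/RunOnce entries, decoding a PowerShell -EncodedCommand payload when it sees one. The sample's key names, the dropped file name and the base64 -enc form of the command are assumptions made for the example.

```python
import base64
import re

# Constructed sample, not the challenge file: a .reg export that plants a RunOnce entry whose
# PowerShell command writes an .exe into %TEMP%. The dropped bytes are just a fake MZ header.
DROP_PATH = "%TEMP%\\dropped.exe"
PS_PAYLOAD = ('[IO.File]::WriteAllBytes("$env:TEMP\\dropped.exe", '
              '[Convert]::FromBase64String("TVqQAAMAAAAEAAAA"))')


def encode_powershell(command):
    """PowerShell -EncodedCommand takes base64 of the UTF-16LE command text."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def to_hex2(text):
    """REG_EXPAND_SZ in a .reg file is 'hex(2):' followed by NUL-terminated UTF-16LE bytes."""
    return ",".join(f"{b:02x}" for b in (text + "\0").encode("utf-16-le"))


SAMPLE_REG = (
    "Windows Registry Editor Version 5.00\r\n\r\n"
    "[HKEY_CURRENT_USER\\Software\\Sample]\r\n"
    f'"DropPath"=hex(2):{to_hex2(DROP_PATH)}\r\n'
    '"Stage"=dword:00000001\r\n\r\n'
    "[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce]\r\n"
    f'"startup_entry"="powershell -w hidden -enc {encode_powershell(PS_PAYLOAD)}"\r\n'
)

_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s):
    """Undo .reg string escaping: backslash-backslash -> backslash, backslash-quote -> quote."""
    return re.sub(r"\\(.)", r"\1", s)


def _decode_value(raw):
    raw = raw.strip()
    if raw == "-":
        return "DELETE", None
    if raw.startswith('"') and raw.endswith('"'):
        return "REG_SZ", _unescape(raw[1:-1])
    if raw.lower().startswith("dword:"):
        return "REG_DWORD", int(raw[6:], 16)
    m = re.match(r"hex(?:\((\w+)\))?:(.*)$", raw, re.I)
    if m:
        kind = int(m.group(1) or "3", 16)  # bare 'hex:' is REG_BINARY; the type is in hex
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        if kind in (1, 2):                 # REG_SZ / REG_EXPAND_SZ stored as UTF-16LE
            return ("REG_EXPAND_SZ" if kind == 2 else "REG_SZ"), data.decode("utf-16-le").rstrip("\0")
        if kind == 7:                      # REG_MULTI_SZ: NUL-separated strings, double NUL at end
            return "REG_MULTI_SZ", data.decode("utf-16-le").rstrip("\0").split("\0")
        return "REG_BINARY", data
    raise ValueError(f"unsupported value syntax: {raw[:40]!r}")


def parse_reg(text):
    """Parse a .reg export into {key: {value name: (type, value)}}."""
    text = re.sub(r",\\\r?\n\s*", ",", text)  # join hex values continued with a trailing ',\'
    entries, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            entries.setdefault(key, {})
            continue
        m = _VALUE_RE.match(line)
        if not m or key is None:
            raise ValueError(f"unexpected line: {line[:40]!r}")
        name = "@" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        entries[key][name] = _decode_value(m.group(2))
    return entries


AUTORUN_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\runonce")
SUSPICIOUS = ("powershell", "-enc", "frombase64string", "writeallbytes", "$env:temp", "%temp%", ".exe")


def decode_encoded_command(command):
    """Return the plain text behind PowerShell's -e/-ec/-enc/-EncodedCommand, or None."""
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", command, re.I)
    return base64.b64decode(m.group(1)).decode("utf-16-le") if m else None


def find_autoruns(entries):
    """Static triage: every Run/RunOnce value with its decoded command and the strings that make
    it suspicious, so nothing has to be merged or rebooted to learn what the file does."""
    hits = []
    for key, values in entries.items():
        if not key.lower().endswith(AUTORUN_SUFFIXES):
            continue
        for name, (_kind, value) in values.items():
            if not isinstance(value, str):
                continue
            decoded = decode_encoded_command(value)
            haystack = (value + " " + (decoded or "")).lower()
            hits.append({"key": key, "name": name, "command": value, "decoded": decoded,
                         "flags": [s for s in SUSPICIOUS if s in haystack]})
    return hits
```

Once the dropper is decoded this way, the base64 blob it writes can be carved straight out of the .reg file and opened in IDA without ever letting it run.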
  • Name : FinalGate
  • Category: Reverse Engineering
  • Level: Medium
  • Flag : Flag{p4s5ing_th3_g4te}

No Description

SOLUTION
  • it is an .exe file, so I used FLARE-VM:
  • I started by opening the Exports tab
  • I saw two TLS callback functions, so I opened them:
  • I put two breakpoints in the first TLS callback to defeat the BeingDebugged check (the PEB flag a debugger sets)
  • I put two breakpoints in the second TLS callback to force its result to true
  • and in WinMain I put two breakpoints to bypass the check for the missing command-line argument
  • at the first TLS callback we modify the register value
  • at the second TLS callback we modify the register value
  • but we get a fake flag :(
  • now let's bypass the argument check by setting the instruction pointer here, so execution skips it
  • and I found the flag