My write-ups to many Digital Forensics challenges in Cyber Security Competition (CSC - 1)
In this CTF competition, we got 10th place after great work and speed in solving the challenges.
Name : MalDoc
Category: Digital Forensics
Level: Medium
Flag : EGCERT{Pawned}
SOLUTION
The challenge was a pcap file, so I opened it with NetworkMiner. In the Files section I saw two malicious files, so I opened them and found that both files contained base64 content. I then used CyberChef and got the flags.
Name : Pivoting-1
Category: Digital Forensics
Level: Medium
Flag : EGCERT{ssh}
SOLUTION
The description of the challenge: The IT staff has noticed abnormal activities, so they contacted the Incident Response team to take logs and investigate.
So I started using the "A Golang EVTX Parser" tool to parse the Security.evtx file and look for any abnormal activity.
"LogonProcessName" is a field that appears in Security.evtx, which is the Windows Security event
log. It refers to the name of the process responsible for handling a user's logon attempt.
When a user attempts to log on to a Windows computer, an authentication process takes place.
During this process, the user's credentials are verified by the operating system, and if the
credentials are valid, the user is granted access to the system. The "LogonProcessName" field in
Security.evtx records the name of the process that handles this authentication process.
The LogonProcessName field can be useful in troubleshooting issues related to user logons, such
as failed logon attempts or unauthorized access attempts. By examining this field in
Security.evtx, security administrators can identify which process was responsible for handling a
particular logon attempt and use this information to investigate any anomalous or suspicious
activity.
I used "sort -u" to show unique results without repeats. Then I decided to try "ssh" in the flag format, and I got the right flag EGCERT{ssh}.
Name : Pivoting-2
Category: Digital Forensics
Level: Medium
Flag : EGCERT{C:\Program Files\atx_1.py}
SOLUTION
It was easy, just look at the content of the challenge.
Name : Pivoting-3
Category: Digital Forensics
Level: Medium
Flag : EGCERT{mali.exe}
SOLUTION
So I started using the "A Golang EVTX Parser" tool.
The description of the challenge: What is the name of the malicious executable that was downloaded on DC01?
So I decided to search in PowerShell, just searching for "http", and I got the flag.
Name : Pivoting-4
Category: Digital Forensics
Level: Medium
Flag : EGCERT{powershell.exe -w hidden -noni -nop -exec EX
https://www.mediafire.com/file/3bytgnxqzimrns0/mali.exe
C:\Users\Administrator\Desktop\mali.exe}
SOLUTION
When we solved the "Pivoting-2" challenge, we saw the full command, right here.
Name : Pivoting-5
Category: Digital Forensics
Level: Medium
Flag : EGCERT{bruteforce}
SOLUTION
The description of the challenge: What was the technique used to access Workstation_2?
So I started to parse the Security.evtx file and searched for the event ID for failed logins. I realised that there was a large number of failed logins, and within a short time too! So simply, it is brute force.
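The two checks used above in Pivoting-1 (unique LogonProcessName values, the "sort -u" step) and Pivoting-5 (many failed logons in a short time) as an added Python example; this is not the write-up's own code or the EVTX parser's output. It assumes the Security.evtx records have already been exported as JSON lines, and the field names and sample events are constructed for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

def constructed_events():
    """Constructed Security.evtx records as JSON lines; field names are an assumption, not the parser's schema."""
    base = datetime(2023, 3, 1, 10, 0, 0)
    events = [
        {"EventID": 4624, "Time": base.isoformat(), "LogonProcessName": "User32",
         "IpAddress": "127.0.0.1", "TargetUserName": "Administrator"},
        {"EventID": 4624, "Time": (base + timedelta(minutes=5)).isoformat(),
         "LogonProcessName": "NtLmSsp", "IpAddress": "10.0.0.10", "TargetUserName": "Administrator"},
        {"EventID": 4625, "Time": (base + timedelta(hours=1)).isoformat(),
         "LogonProcessName": "NtLmSsp", "IpAddress": "10.0.0.10", "TargetUserName": "bob"},
    ]
    # 25 failed logons (4625) from one constructed source within 50 seconds: the Pivoting-5 pattern
    for i in range(25):
        events.append({"EventID": 4625, "Time": (base + timedelta(minutes=30, seconds=2 * i)).isoformat(),
                       "LogonProcessName": "NtLmSsp", "IpAddress": "10.0.0.99",
                       "TargetUserName": "Administrator"})
    return "\n".join(json.dumps(e) for e in events)

def unique_logon_processes(jsonl):
    """Same result as piping the LogonProcessName column through `sort -u` (Pivoting-1)."""
    return sorted({json.loads(l)["LogonProcessName"] for l in jsonl.splitlines() if l.strip()})

def detect_bruteforce(jsonl, window=timedelta(seconds=60), threshold=10):
    """Return {source_ip: max failures} for sources with >= threshold 4625 events inside any `window`."""
    failures = defaultdict(list)
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev["EventID"] == 4625:  # 4625 = 'An account failed to log on'
            failures[ev["IpAddress"]].append(datetime.fromisoformat(ev["Time"]))
    hits = {}
    for src, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[src] = max(hits.get(src, 0), count)
    return hits

if __name__ == "__main__":
    print("LogonProcessName values:", unique_logon_processes(constructed_events()))
    print("brute-force candidates:", detect_bruteforce(constructed_events()))
```

Tune `window` and `threshold` to the environment; a single source exceeding the threshold is the signal the write-up relied on, while the one-off failure from 10.0.0.10 stays below it.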
Name : Pivoting-6
Category: Digital Forensics
Level: Medium
Flag : EGCERT{192.168.118.155}
SOLUTION
The description of the challenge was unclear, so I could not solve it during the competition. After the competition I saw this description in the challenge file.
From the "Pivoting-7" challenge I knew the flag is "EGCERT{Workstation_2, Workstation_1, DC01}", so all I needed was to get the IP of Workstation_2.
I tried to open the SYSTEM registry file using the Registry Explorer tool, but I got this error, so I searched for this error and found this amazing article here:
"https://cybermeisam.medium.com/blue-team-system-live-analysis-part-11-windows-user-account-forensics-ntuser-dat-495ab41393db"
Its suggestion was to use these tools, so I installed "RegRipper3.0" and used it, and I got the IP.
Name : Pivoting-7
Category: Digital Forensics
Level: Medium
Flag : EGCERT{Workstation_2, Workstation_1, DC01}
SOLUTION
The description of the challenge: Using the names (DC01, Workstation_1, Workstation_2).
So I tested:
EGCERT{Workstation_2, DC01, Workstation_1}
EGCERT{Workstation_2, Workstation_1, DC01}
Name : Twodrive
Category: Digital Forensics
Level: Medium
Flag :
EGCERT{C:\Users\CAIOS\Desktop\VCRUNTIME140_1.dll:974f1000}
SOLUTION
I started by searching for .dmp forensics and found this website:
"https://helpdeskgeek.com/windows-10/how-to-analyze-memory-dump-files-dmp-in-windows-10/"
So I installed the tool (WinDbg) and searched for a cheat sheet for it, and found this website:
"https://theartofdev.com/windbg-cheat-sheet/"
I tried many commands until I found this one. I tried many with "C:\Users\CAIOS\Desktop\twodrive.exe" but it was not correct, but "C:\Users\CAIOS\Desktop\VCRUNTIME140_1.dll" was right.