DFIR CTF 2018 Writeup - Part 1

دائمًا أشعر ببركة الوقت خصوصًا في رمضان، وبما أن من بعد صلاة التراويح إلى وقت النوم تقريبًا يكون هناك وقت كافي لفعل أشياء كثيرة.

وَ بما أني لا أتابع برامج أو مسلسلات بالعادة لذلك أشغل وقتي بفعل أشياء كثيرة ومنها أقوم باللعب :)

في الحقيقة ترددت كثيرًا بنشر هذا المنشور، بالعادة لا أنشر أي writeup أقوم بكتابته لكن بما أن هذه المدونة لي وحدي سأقوم بنشر الجزء الأول فقط :)

وبنشره أشعر بأن جزء آخر مني أصبح واضح للكثير :)

لدي قائمة بال CTFs التي أريد اللعب بها مع نفسي و في الحقيقة لا أهتم كثيرًا بالمشاركة فيها كمسابقات.

فتحت القائمة واخترت أحدها بشكل عشوائي وهي ما أود الكتابة عنه هنا..


1- ليس بالضرورة أن تكون طريقتي صحيحة أو وِفق معايير معينة، قد تكون طريقة الحل ليست مثالية لكن من باب المتعة فقط وجميع الإجابات كانت صحيحة :) ومن لديه طُرق أفضل أسعد جدًا بالمشاركة.

2- ليس الغرض من هذا المنشور الشرح التفصيلي لكل خطوة.

المسابقة عبارة عن ثلاث images و اسئلة عليها، قمت بتنزيل أول image وبدأت حل الأسئلة بشكل عشوائي لأنها غير مترابطة:

ملاحظة: حاولت كثيرا كتابة أجوبتي باللغة العربية لكن لم أستطع، الجزء الثاني ان شاء الله :)

1- Which software was used to image the HR Server?

by following the easiest way and luckily the image log is available, we can see it as:

ans: X-Ways Forensics

but you can use many other ways if these logs were not available such as imageinfo, …etc

2- Which version of the software was used to image the HR Server? [Format: n.n]

Following the same approach:

ans: 19.6

3- What is the file name that represents MFT Entry 168043?

First let’s export the $MFT file

Parsing the MFT file

By filtering out the requested MFT entry

ans: pip3.7.exe

4- What is the MFT Entry number of the following file? \xampp\mysql\bin\mysql.exe

[format is an integer]

ans: 115322

5- At 2018-08-08 18:10:38.554 (UTC) what was the IP address of the client that attempted to access SMB via an anonymous logon?

you can check System current control set then check the time zone information then based on that you check the SMB Server security logs to find the answer.


you can export the SMB Server Security then using “Event Log Explorer” you can view the time in UTC


6- What was the name of the batch file saved by mpowers?

[answer is fullpath starting with c:*****]

From different location

ans: C:\Production\update_app.bat

7- What was the public url for the HR system's portal?

[format: http://*****]

Since I don’t know what is the HR system, let us check all installed application to have an idea

Ok, seems the HR application is OrangeHRM. By playing around with the files we can see the apache access log file

We can see the GET request to : /orangehrm-4.1/symfony/web/index.php/auth/login

To get the full path and since it is hosted in the same server, we need to get the IP of the server by checking the System Registry Hive:

ans: /orangehrm-4.1/symfony/web/index.php/auth/login

8- What is name of the file that had a change recorded with an update sequence number of 368701440?

Going back to MFT parsed file, we can filter it by Update sequence Number

9- What is the name of the deleted file with a reference number of 12947848928752043?

Ok, we know that reference number is 8 Bytes and it is Sequence Number (2 Bytes) + MFT Record Number (6 Bytes)

2E00000000F1AB (converted to hex)

The given reference number is 7 so we will add 0x00 in the left


Sequence #: 002E (46)

Record (Entry) Number: 00000000F1AB (61867)

Convert them back to Decimal and check MFT file for record number 61867

ans: _MEI78882

*have you noticed the sequence number :)

10 - What is the name of the hr management application that hosts a web server?

We have identified it before: OrangeHRM

11- At 2018-07-30 22:31:33 UTC which user was logged in under, what was the logon type (integer), and the logon process name?

[format: {TargetUserName} - {LogonType} - {LogonProcessName} - {IpAddress}]

Sounds easy, let’s check the Security Logs to check who logged in

Using Event Log Explorer, we can see only 37 events! umm

By checking these logs, we see that the Administrator has cleared the logs

Let’s check the VSS files and check old Security events.

We can see one Shadow copy that has been created before clearing logs attempt, let’s play with it

And now we can open it again with FTK imager and export the Security logs

By using Event Log Explorer:

ans: Mpowers - 10 – User32 –

12 - At 2018-07-27 02:42:43 (UTC), what is the name of the task that was started?

ans: \Throw Taco

13- Which IP address was accessing the OrangeHRM portal via Chrome 68.0.3440.84?

Let’s go back to the access logs file in OrangeHRM folder


14- What version of Apache was being used?

[format: n.n]

ans: 2.4

15- What is the integer representation for the reason code given a USN V2 record where the record's reason flags have the following:


Finding the reason code for USN v2 and put it in this format


0x80000000 | 0x00000002 | 0x00000100 = 80000102

Ans: 2147483906

16- What was the top communicating IP address with the web server?

Using our lovely tool “excel”


17- How many requests were made to the web server where the requested url contained a wget command within in?

Filter using “wget” keyword then clean noise

ans: 780