World Wide CTF 2024 | Forensics Challenges

Write-Up

أحمد ناصر
4 min read · Dec 1, 2024

Hello 4n6 geeks, this is Ahmed Nasser (OxAlpha), and this is a simple write-up about 2 of the 3 forensics challenges and one misc challenge I solved in WWF2024 …

First Challenge : All your base are belong to us

Category : misc

  • As you can see, there is an encoded text that we need to decode:
MkpIbmdFcWs4MzVjR3BHRXFVVnZtZWJUQWtSTlNNamE1dGZYQTdwR25ac203SnJQV2FyTUdHQnA3Uk1XZDNZVFlTNTJjemVya1BCN0dBY2NBNkN4U1VBS29TalVBOU1tR1EyYUF0UVlHZTFYOXp1TThWS2o1OHdKRFJaVXhzTGRaZUpaTGV6NUFWc2JHdm5CbTdjV28yNTRyWGpzQURYdEhkSmJmWmtGREVEQWZWeEhFeDNYanNNODZMZVo2cnM2NExGbU5QeG1mUXBqQ3BoY3pCczlRa3kySnFZb1JzSnFtUnk0cW02WFgyOU50N1g2Vg
  • Now let’s go to CyberChef to decode it.
Steps to decode:
Base64 > Base58 > Base32 > Base85
  • After decoding the text we get a random-looking string, so we go back to the challenge description (Base 2¹⁶ !!).
  • So I searched for this base and found this site:
Flag : wwf{cyb3rch3f_d0esnt_h4v3_4ll_th3_4nsw3rs_4wg0432f}

Second Challenge : Too Hidden

Category : Forensics

  • It’s a PCAP file, so load it into Wireshark.
  • There are many ICMP packets, so let’s focus on them.
  • All the packets are the same except for the data section.
  • So I used tshark to extract that data:
tshark -r chall.pcapng  -Y "icmp" -T fields -e data.data |  tr '\n' ' '
3436 3435 3435 3332 3436 3435 3435 3332 3436 3436 3435 3436 3332 3332 3436 3436 3436 3436 3332 3435 3435 3435 3332 3436 3435 3436 3436 3332 3435 3436 3435 3435 3332 3436 3436 3435 3435 3436 3435 3332 3436 3436 3436 3332 3436 3436 3436 3436 3332 3436 3332 3436 3332 3436 3332 3436 3332 3435 3332 3436 3436 3435 3435 3436 3435 3332 3435 3436 3435 3435 3332 3435 3435 3435 3332 3436 3436 3435 3332 3436 3436 3435 3435 3436 3435 3332 3435 3436 3435 3436 3332 3436 3435 3332 3435 3436 3332 3436 3436 3435 3435 3436 3435 3332 3436 3436 3435 3436 3332 3436 3436 3332 3435 3436 3332 3435 3436 3436 3332 3436 3436 3435 3435 3436 3435 3332 3435 3435 3332 3436 3332 3436 3436 3435 3435 3436 3435 3332 3436 3436 3435 3435 3436 3436 3332 3436 3436 3435 3435 3436 3436 3332 3436 3436 3435 3435 3436 3436 3332 3436 3436 3435 3435 3436 3436 3332 3436 3436 3435 3435 3436 3436 3332 3436 3436 3435 3435 3436 3436 3332 3436 3436 3435 3435 3436 3436 3332 3436 3436 3435 3435 3436 3436 3332 3436 3436 3435 3435 3436 3436 3332 3436 3436 3435 3435 3436 3436 3332
  • Now let’s go to CyberChef to decode it.
  • Before decoding this decimal value, we must add a space after every two digits:
echo "46454532464545324646454632324646464632454545324645464632454645453246464545464532464646324646464632463246324632463245324646454546453245464545324545453246464532464645454645324546454632464532454632464645454645324646454632464632454632454646324646454546453245453246324646454546453246464545464632464645454646324646454546463246464545464632464645454646324646454546463246464545464632464645454646324646454546463246464545464632" | sed 's/../& /g'
  • Now let’s decode this decimal value:
Flag : wwf{HOLY_SHEEEET_YOU_CAN_FIND_ME_??????????}
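An added example, not part of the original write-up: a Python decoder for the layers described above (hex payload, then ASCII digits, then decimal character codes). The codes 46, 45 and 32 are `.`, `-` and space, so the example reads the result as Morse, a step the text above does not spell out; the function names and the `#` placeholder for unknown symbols are assumptions, and the sample is the first 40 values of the tshark output shown above.

```python
# Added example: undo the encoding layers from the "Too Hidden" ICMP capture.
# Input: whitespace-separated `tshark -T fields -e data.data` values, one per packet.

CODES = (".- -... -.-. -.. . ..-. --. .... .. .--- -.- .-.. -- -. --- .--. "
         "--.- .-. ... - ..- ...- .-- -..- -.-- --..")
MORSE = dict(zip(CODES.split(), "ABCDEFGHIJKLMNOPQRSTUVWXYZ"))
MORSE.update({"..--.-": "_", "..--..": "?"})  # punctuation that shows up in the flag

# First 40 values of the tshark output shown above.
SAMPLE = ("3436 3435 3435 3332 3436 3435 3435 3332 3436 3436 3435 3436 3332 3332 "
          "3436 3436 3436 3436 3332 3435 3435 3435 3332 3436 3435 3436 3436 3332 "
          "3435 3436 3435 3435 3332 3436 3436 3435 3435 3436 3435 3332")


def payloads_to_codes(fields):
    """Layer 1: each payload is hex for two ASCII digits, e.g. 3436 -> "46" -> 46."""
    codes = []
    for field in fields.split():
        # Some tshark releases print byte fields colon-separated (34:36).
        text = bytes.fromhex(field.replace(":", "")).decode("ascii")
        if not text.isdigit():
            raise ValueError(f"payload {field!r} does not spell a decimal number")
        codes.append(int(text))
    return codes


def codes_to_symbols(codes):
    """Layer 2: decimal character codes -> characters (46 '.', 45 '-', 32 ' ')."""
    symbols = "".join(chr(c) for c in codes)
    stray = set(symbols) - set(".- ")
    if stray:
        raise ValueError(f"not a Morse alphabet, unexpected: {sorted(stray)}")
    return symbols


def morse_to_text(symbols):
    """Layer 3: Morse -> text; a doubled space (empty token) is a word gap."""
    tokens = symbols.strip().split(" ")
    return "".join(" " if t == "" else MORSE.get(t, "#") for t in tokens)


def decode(fields):
    """Run all three layers on raw tshark field output."""
    return morse_to_text(codes_to_symbols(payloads_to_codes(fields)))


if __name__ == "__main__":
    print(decode(SAMPLE))
```

Morse has no symbols for `{` and `}`, so the doubled separator after the `WWF` prefix decodes to a plain gap.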

Third Challenge : Forgot Password

Category : Forensics

Description : I can't login now and to change the password I need security
questions but I don't remember this guy. Can you help me recover them?
  • Since he mentioned security questions, I realized that the SAM registry hive could be very useful for password recovery in this situation. It contains critical information related to account credentials.
  • So first, let’s load the ad1 file into FTK Imager and then export the SAM hive:
  • Now let’s parse the SAM hive using the RegRipper tool:
Flag : wwf{I_love_security_questions_s0_muChhhhhhhhhhhhhhhhh}

Follow for more
