Belkasoft CTF - March 2021

Like many other forensic tool vendors in the past year, we got another capture the flag competition. This one was from Belkasoft in conjunction with their BelkaDay Europe virtual conference. The format was a bit different than I'm used to, but I enjoyed it nonetheless. There were 11 questions total: 3 "baby" (easiest), 3 warmup, 2 tricky, and 3 hard. The harder the question, the more points it was worth, up to 1000 for the hardest ones. Dynamic scoring was used, which meant the more participants that solved a challenge, the fewer points it would be worth for everyone who solved it. The questions were open for 24 hours, which allowed me to work on them when I wasn't busy, which was nice.

It was interesting as some of the easier questions gave me more trouble than the most difficult ones. I was able to answer 10 of the 11 during the competition to take first place in the "Professional" track. The other "Student" track winner got them all so just inched ahead of me for the overall crown, congrats Hakkı! Regardless, I was impressed overall by the competition.


With a little bit of extra time, I was able to finish the last question after the CTF closure. For anyone that wants to try their hand at it, you can get the image and questions at the following link:


We were provided an E01 disk image in five parts as well as a trial of Belkasoft's latest software offering, Evidence Center X. I had never used it before, but there is no time like the present to test it out and see how it compares to my other tried and true tools. Now for the fun part: revealing how I got the answers and what tools and processes were used.

The plot

You were contacted by a company preparing their new product launch: an AI-based recommendation system that respects target privacy. Just before the date, the source code and technical documents ended up in their competitor's hands. The company suspects a recently hired developer and obtained a copy of his corporate laptop HDD. You are going to analyze the image and support the suspicion with evidence extracted from the laptop...

Question 1 - Baby

What is the full name of the laptop owner?
Format: First name Last name

Looking at the folder structure under C:\Users, we can see the only real person account on the machine was "anit.ghosh", which properly formatted as "Anit Ghosh" was the answer.

Figure 1: User listing

Question 2 - Baby

What is the full address of company's office?
Full address line incl. country name

Knowing that it was a corporate laptop, I went straight to the parsed emails to see what we were working with. We can see that the domain was "@praivacymatrix.com".

Figure 2: email domain

A quick Google search and under the Contact Us section we get the address as "Ifangstrasse 6, 8952 Schlieren, Zurich, Switzerland".

Figure 3: praivacymatrix.com address

Question 3 - Warmup

On November 16th security department got a signal of unauthorized attempts to obtain company's trade secrets.

When did the suspect first show interest in those? Provide exact timestamp in a common format, e.g. 2021-07-07 17:07:07 UTC

I thought I had this one in the bag quickly, but there were some timezone issues. I found an email from our user Anit to his boss John on November 5th of 2020.

Figure 4: Email from Anit to John

So I tried "2020-11-05 19:21:56" but for some reason after entering the CTF system decided to subtract 3 hours. To my frustration I passed on this question and lost some points because of time but then I tried it again and realized that the system was doing what it did so I added 3 hours to my answer and it went through fine. The CTF system took "2020-11-05 22:21:56".

Question 4 - Warmup

What 3 employees should be asked questions about unauthorized requests from the suspect?
Format: First Last, First Last, First Last

Looking through email once again, we can see that user Anit had contacted multiple people about "Technical documentation", including "John Finney, Rachel Corbin, Noelle Johnson".

Figure 5: "Technical documentation" emails

Question 5 - Baby

What is the SHA256 hash of the product documentation obtained by the suspect?

Using Arsenal Image Mounter I mounted the E01 image and browsed to the user's folder to see what was in the Downloads folder. One file of interest was found there, titled "xraicommend-761263a55b8cfed4bcb8f87cbbb68beaf2ec2423.tar.gz", which according to its Zone.Identifier was downloaded from an internal Git repo, but this wasn't the proper file (more on this one later).

I then took a peek at the Documents folder and saw a single PDF file that also had a Zone.Identifier. It stuck out with the name of the file too, "Doc_-_13_Feb_2021_-_13-40.pdf". Inside was some confidential product documentation for Project X.

Figure 6: "Project X" documentation

Hashing the file using the built in CRC check with SHA256 from 7-Zip produced the answer, "ADD33EA905399C5063BCC3437CB5C0436A2FD6DEB086BB0EC5BF886F72767242".

Question 6 - Tricky

What employee has actually provided the suspect with the product documentation?
Format: First name Last name Employee ID

This one took me way longer than it should have taken me. I had a lightbulb moment when it all connected. The PDF from question 5 had black bars over top of it on certain pages. What I failed to realize was that Belkasoft can extract these embedded images fairly easily. What I did instead to get the answer was to open the PDF using SumatraPDF, right click on the page and copy image, then pasted it into MS Paint. It revealed the user and answer to be "Mark Zukko 381".


Figure 7 & 8: Document with and without black bar

Question 7 - Warmup

What URL did the suspect manage to obtain the product source code from?
Exact, including file name

This question goes back to the tar.gz file found in the Downloads folder. Using the Zone.Identifier for the file we can see it was downloaded from the following URL which was the answer:

http://git.pm.internal/GBringley/xraicommend/archive/761263a55b8cfed4bcb8f87cbbb68beaf2ec2423.tar.gz

Figure 9: Zone.Identifier for source code

You could also look at the Chrome web history and find this URL as well.
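The Zone.Identifier lookups in questions 5 and 7 can be scripted. The following is an added example, not part of the original write-up: it parses the `[ZoneTransfer]` section of the alternate data stream. The sample stream is constructed (its `ReferrerUrl` is made up), and the function names are hypothetical.

```python
ZONE_NAMES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}

# Constructed sample stream. HostUrl is the URL quoted in this write-up;
# the ReferrerUrl value is made up for illustration.
SAMPLE_STREAM = (
    b"[ZoneTransfer]\r\n"
    b"ZoneId=3\r\n"
    b"ReferrerUrl=http://git.pm.internal/GBringley/xraicommend\r\n"
    b"HostUrl=http://git.pm.internal/GBringley/xraicommend/archive/"
    b"761263a55b8cfed4bcb8f87cbbb68beaf2ec2423.tar.gz\r\n"
)


def decode_stream(raw):
    """Zone.Identifier is normally ANSI/UTF-8 text; tolerate a UTF-16 BOM."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16", errors="replace")
    return raw.decode("utf-8-sig", errors="replace")


def parse_zone_identifier(raw):
    """Return the [ZoneTransfer] fields of a Zone.Identifier stream as a dict."""
    fields, in_section = {}, False
    for line in decode_stream(raw).splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[zonetransfer]"
        elif in_section and "=" in line:
            # Split on the first '=' only: URLs may contain more of them.
            key, value = line.split("=", 1)
            fields[key.strip().lower()] = value.strip()
    if fields.get("zoneid", "").isdigit():
        fields["zone_name"] = ZONE_NAMES.get(int(fields["zoneid"]), "Unknown")
    return fields


def read_zone_identifier(path):
    """Read the stream of a file on a mounted NTFS volume (Windows only)."""
    with open(path + ":Zone.Identifier", "rb") as handle:
        return parse_zone_identifier(handle.read())


if __name__ == "__main__":
    for key, value in parse_zone_identifier(SAMPLE_STREAM).items():
        print(f"{key}: {value}")
```

`read_zone_identifier` relies on Windows opening `file:Zone.Identifier` as a named stream, so it only works against the image mounted as an NTFS volume.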

Question 8 - Hard

What e-mail address did the suspect's backdoor code send reports to?

This was the only question that I failed to answer during the actual CTF timeframe, but I did solve it about an hour afterwards. It was by far the hardest question of the bunch, especially if you weren't working through a Linux environment. Anit had a folder called "adstresser" which had a few references in recents and PowerShell history. I couldn't find any evidence specifically in the folder structure but saw that some code was changed.

So what better than to try out some new methods by mounting the E01 using Arsenal Image Mounter and running it as a VM. If you haven't tried it out, it's amazing and also can bypass the password almost instantly. Running Git itself shows that "adstresser" was a recent repository.


Figure 10: Git Gui launched from E01 VM

We can then launch into the branch history through the "Visual All Branch History" menu command. We see Anit pushed a work in progress on 2/10/2021. In the code below for the build.gradle we can see some lines were added that need to be decoded.


Figure 11: "adstresser" Git history

Copying out the echo into CyberChef, we can decode from Base64 and get the following output.

Figure 12: Base64 decode from CyberChef

We can see that plaintext is mixed in with binary. I did a ton of Find and Replace using an ASCII table to get the following result (recipe here):


Figure 13: Plaintext decode from CyberChef

As we can see the email address answer was "alert872802737@protomail.com".

Question 9 - Hard

The suspect left an offshore SIM card in his desk drawer. We suggest it might have been used in exfiltrating the leaked data. Please help us confirm that.

Another very difficult one that I solved at the very last minute. Both Belkasoft X and my usual tool of choice, Magnet AXIOM, carved URLs related to the web version of WhatsApp from the hibernation file (hiberfil.sys). Knowing the computer was running Windows 10 and that memory images are compressed, I exported the hibernation file and ran it through Arsenal's Hibernation Recon to process it. Once it spit out a raw ".bin" file, I ran that back through AXIOM to see if any more results could be pulled out, and indeed they could: 3 WhatsApp message chats were carved.

Figure 14: Carved WhatsApp messages

From my past experience with WhatsApp on mobile I knew that the phone number associated with each account would show as the account name/email address. So we have one number, "8562097771657", but what about the other? I ran the ".bin" file through Bulk Extractor to see if I could get any other items related to this number from the hibernation file. Under the "email" parser we can filter using the first number and see a bunch of items, including a new address domain, "@c.us".

Figure 15: Bulk Extractor results for 8562097771657

Using the Feature Filter on emails once more for "@c.us" reveals a second WhatsApp number, "8562099907377".

Figure 16: Bulk Extractor results for "@c.us"

Using the requested formatting the answer was "+8562097771657, +8562099907377".
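The "@c.us" filtering step can also be run directly against the decompressed ".bin" file. The following is an added example, not part of the original write-up: it carves `<digits>@c.us` identifiers from a raw byte stream in chunks and goes slightly beyond the text by also matching UTF-16LE strings, on the assumption that memory may hold them in that form. The sample bytes are constructed and the function name is hypothetical.

```python
import io
import re
from collections import Counter

# WhatsApp Web identifiers of the form <digits>@c.us, stored as ASCII or UTF-16LE.
JID_PATTERNS = (
    (re.compile(rb"(?<![0-9])([0-9]{7,15})@c\.us"), "ascii"),
    (re.compile(rb"(?<![0-9]\x00)((?:[0-9]\x00){7,15})@\x00c\x00\.\x00u\x00s\x00"),
     "utf-16-le"),
)
OVERLAP = 64  # longer than the longest possible match (40 bytes in UTF-16LE)

# Constructed sample standing in for a decompressed hibernation image. It holds
# the two numbers from this write-up plus a too-short decoy ("12345@c.us").
SAMPLE_MEMORY = (
    b"\x00" * 37
    + b'"from":"8562097771657@c.us"'
    + b"\xff" * 50
    + "8562099907377@c.us".encode("utf-16-le")
    + b"\x00\x00 false_8562097771657@c.us noise 12345@c.us"
)


def carve_jids(stream, chunk_size=1 << 20):
    """Count <digits>@c.us identifiers in a binary stream, read chunk by chunk."""
    counts = Counter()
    tail = b""
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        buf = tail + chunk
        for pattern, encoding in JID_PATTERNS:
            for match in pattern.finditer(buf):
                # A match lying wholly inside the carried-over tail was already
                # counted in the previous round; only count ones reaching new data.
                if match.end() > len(tail):
                    counts[match.group(1).decode(encoding)] += 1
        tail = buf[-OVERLAP:]  # keep context so boundary-straddling hits survive
    return counts


if __name__ == "__main__":
    for number, hits in carve_jids(io.BytesIO(SAMPLE_MEMORY)).most_common():
        print(f"+{number}  ({hits} hit(s))")
```

For a real image, pass `open("hiberfil.bin", "rb")` (file name is a placeholder) instead of the `BytesIO` sample.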

Question 10 - Tricky

What is the SHA256 hash of the file exfiltrated? (PHOTOS.7Z)

There were hints of recent usage of this PHOTOS.7z file all over the image but the actual file was no longer found. Going down the path shown from the WhatsApp chats above, there was a file shared using an AnonFiles link (https://anonfiles.com/z3jek3J2p3), which happened to be the file we were looking for.

Figure 17: Anonfiles link

A quick run through our 7-Zip CRC check using SHA256 again leaves us with the answer "D96D26861E81673F7255F4E039384F77FE07F6C6E489670DB6000E52C4B72113".

Question 11 - Hard

What is the suspect's cryptocurrency address they intended to get reward paid to?

The PHOTOS.7z file was naturally password locked but the contents were guaranteed to contain the answer. One nice advantage of using Magnet AXIOM again is the custom artifacts. Yogesh Khatri created one for PowerShell history (grab it here) which pulls out information quickly from the file at the following path:

C:\Users\anit.ghosh\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

We can see the PHOTOS.7z was password protected using PowerShell with the password "PQ3Rut8QyxghL8lu2UfF".

Figure 18: PowerShell history from custom artifact in AXIOM

Opening PHOTOS.7z with the password, we can see a file called "instruction.txt" that contains the Monero cryptocurrency address for the wallet. The answer was "48sEiGKnT5hMcZBmaDvFVg9FTdEfQByzcWSRgKDbwZHg9ELnZoto2uvHo8yqvWDztUJeHAke8E5sL9vDJGvg5fDJJtJJFdP".

Figure 19: instruction.txt contents

Conclusion

This was a fantastic and challenging CTF competition that I thoroughly enjoyed. I am already looking forward to playing in the next one that Belkasoft said they are already planning. Check out their results page (here) as well as their official write-up (here).

Tool Listing

Arsenal Hibernation Recon & Image Mounter - https://arsenalrecon.com/downloads/

Belkasoft Evidence Center X - https://belkasoft.com/x

Bulk Extractor - https://github.com/simsong/bulk_extractor