Cellebrite CTF 2022 - Marsha's PC

Previous: Heisenberg's Android | Beth's iPhone | Marsha's iPhone

Cellebrite has returned with another CTF competition for the masses. This year they decided to reuse the evidence files from last year's CTF but with a completely new set of questions.

You can download the evidence here thanks to NIST CFReDS:

https://cfreds.nist.gov/all/Cellebrite/Cellebrite2021CTF

Let's kick things off with Marsha's PC.

#1 Device💻 🆔

What is the Serial Number of the disk acquired?

A fairly simple question if you know where to look. The base of the evidence folder contains an Acquisition Log text file with the pertinent details of the acquisition. In it we can see the serial number is 170615BA93CC.

Figure 1: Digital Collector acquisition log

#2 🔑

How did the user most recently sign into Windows?
    •  PIN
    •  Fingerprint
    •  Facial Recognition
    •  Trusted Signal

This was something new to me. Windows has a registry key that records which credential provider was used for the most recent logon. For this we will have to extract the SOFTWARE registry hive from:

C:\Windows\System32\config\SOFTWARE

Once we have that we can open it in a registry viewer, such as Registry Explorer from Eric Zimmerman and navigate to the following:

ROOT\Microsoft\Windows\CurrentVersion\Authentication\LogonUI

Here we can see a key called "LastLoggedOnProvider" with a value of {BEC09223-B018-416D-A0AC-523971B639F5}.

Figure 2: LastLoggedOnProvider in Registry Explorer

According to Microsoft documentation here, that GUID refers to a Fingerprint unlock.

#3 💳👮🏻‍♂️

Someone stole a truck and left his inmate card behind. What is his inmate number?

This one required a little bit of digging and dumb luck, but if you browse the folder structure you will come across a photo at:

C:\Users\marsh\OneDrive\Pictures\Screenshots\2021-03-31.png

It is a screenshot showing an inmate card with the number 2101460.

Figure 3: Screenshot in OneDrive

#4 ⌨🖱💽USB

What is the serial number of the last USB drive connected to the device, excluding acquisition tools?

This one I thought I had right until I got locked out after 3 tries, but later on some answers were accepted and one of the ones I submitted was given points.

I first mounted the E01 image using Arsenal Image Mounter then parsed the mounted logical drive using USB Detective. Looking at the results, I sorted by Last Connected and saw the latest USB was for BlackBag Macquisition so that entry could be ignored. The entry above showed a Toshiba drive with a serial number of 20151017004222F, which I believe is the answer.

Figure 4: USB History of the mounted image

#5 📸

What is the only camera model that was found within a picture created by the user browsing the Internet?

I started off by looking at images that came from the web cache in Edge and Chrome. This can be accomplished easily in Magnet AXIOM with a quick search (it matches on the file path, so expect some false positives). We can then filter on the Model EXIF data column to see the model was a "Canon EOS 5D Mark II".

Figure 5: EXIF Model in browser cache

The hit comes from the Edge cache file at the path:

C:\Windows\Users\marsh\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_0014f1

#6 WebForm📝

What two email addresses were found in web forms? Format: [email address] [email address] e.g. john@gmail.com ryan@gmail.com

For this one, we can take a peek at the autofill for the web browsers. Edge was the browser of choice here so you can find the relevant file at the following path:

C:\Users\marsh\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

Opening the database in DB Browser and going to the "autofill" table we can filter the "name" column for email and get the two answers. We were looking for "marsha4mellos@gmail.com sydney.peason@cellebrite.com".

Figure 6: Edge autofill entries for email
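The "autofill" table in a Chromium-based browser's Web Data database has the same layout in Edge and Chrome, and its timestamps are WebKit time (microseconds since 1601-01-01 UTC), so they need converting before you can say when a value was last used. The example below is added here and is not code from the original post; the rows are constructed, and it goes slightly beyond the write-up by also matching on an "@" in the value so emails typed into fields with other names are caught.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chromium "autofill" table as found in Edge's "Web Data" database
# (column names follow the real schema; the rows are constructed for this example).
AUTOFILL_SCHEMA = """
CREATE TABLE autofill (
    name VARCHAR, value VARCHAR, value_lower VARCHAR,
    date_created INTEGER DEFAULT 0, date_last_used INTEGER DEFAULT 0,
    count INTEGER DEFAULT 1, PRIMARY KEY (name, value))
"""
SAMPLE_ROWS = [  # (name, value, date_created, date_last_used, count)
    ("email",    "marsha4mellos@gmail.com",      13261234567000000, 13262000000000000, 4),
    ("login_id", "sydney.peason@cellebrite.com", 13261000000000000, 13261000000000000, 1),
    ("username", "marsh",                        13260000000000000, 13260500000000000, 9),
    ("search",   "email settings",               13260000000000000, 13260000000000000, 1),
]

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def webkit_to_iso(ts):
    """Convert a WebKit microsecond timestamp to a readable UTC string."""
    return (WEBKIT_EPOCH + timedelta(microseconds=ts)).strftime("%Y-%m-%d %H:%M:%S UTC")

def open_sample_db():
    """Build an in-memory stand-in for Web Data populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(AUTOFILL_SCHEMA)
    conn.executemany(
        "INSERT INTO autofill VALUES (?, ?, lower(?), ?, ?, ?)",
        [(n, v, v, c, u, k) for n, v, c, u, k in SAMPLE_ROWS])
    return conn

def email_autofill_entries(conn):
    """Return (field name, value, last used, count) for rows that look like emails.
    Matches on the field name (as in the write-up) OR on an @ in the value."""
    rows = conn.execute(
        "SELECT name, value, date_last_used, count FROM autofill "
        "WHERE name LIKE '%email%' OR value_lower LIKE '%@%.%' "
        "ORDER BY date_last_used DESC").fetchall()
    return [(n, v, webkit_to_iso(u), k) for n, v, u, k in rows]

if __name__ == "__main__":
    for row in email_autofill_entries(open_sample_db()):
        print(row)
```

Point `sqlite3.connect` at a copy of the real Web Data file instead of `open_sample_db()` to run the same query against an image; work on a copy so the evidence is never opened read-write.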

#7 File 🎭

What is the content of a user-made file where the file extension is a mismatch?

Another one where I just browsed the folder structure and looked for anything odd. In the Google Drive folder we can see what appears to be a zip archive:

C:\Users\marsh\Google Drive\Figure it out.zip

The file is actually just a plain text file, which you can read with any hex editor. Viewed in FTK Imager the text is "Huh this is a test", which is the answer.

Figure 7: Figure it out.zip contents
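Browsing by eye worked here, but the same extension/content mismatch can be checked mechanically by comparing the leading bytes of a file against the signature its extension promises. This is an added example, not code from the original post; the signature table is standard file magic and the sample files are constructed, including a stand-in for "Figure it out.zip".

```python
# Known leading-byte signatures for a few extensions (OOXML shares the ZIP header).
MAGIC = {
    "zip": [b"PK\x03\x04", b"PK\x05\x06"], "docx": [b"PK\x03\x04"],
    "png": [b"\x89PNG\r\n\x1a\n"], "gif": [b"GIF87a", b"GIF89a"],
    "jpg": [b"\xff\xd8\xff"], "jpeg": [b"\xff\xd8\xff"], "pdf": [b"%PDF-"],
}

def sniff_type(data):
    """Name the first signature the data starts with; 'text' if the head is
    printable UTF-8 (like the fake zip here); otherwise 'unknown'."""
    for ext, sigs in MAGIC.items():
        if any(data.startswith(s) for s in sigs):
            return ext
    head = data[:512]
    try:
        head.decode("utf-8")
    except UnicodeDecodeError:
        return "unknown"
    if head and all(b >= 0x20 or b in b"\t\r\n" for b in head):
        return "text"
    return "unknown"

def extension_matches(filename, data):
    """True/False if the extension has a known signature; None if we have
    nothing to compare against (e.g. .txt has no magic)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    sigs = MAGIC.get(ext)
    if sigs is None:
        return None
    return any(data.startswith(s) for s in sigs)

def find_mismatches(files):
    """files: iterable of (name, bytes). Return (name, claimed ext, sniffed type)
    for each file whose content contradicts its extension."""
    out = []
    for name, data in files:
        if extension_matches(name, data) is False:
            out.append((name, name.rsplit(".", 1)[-1].lower(), sniff_type(data)))
    return out

# Constructed sample files; only the first is modelled on the evidence.
SAMPLE_FILES = [
    ("Figure it out.zip", b"Huh this is a test"),          # text masquerading as zip
    ("real.zip", b"PK\x03\x04" + bytes(26)),                # genuine local file header
    ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"),
    ("notes.txt", b"plain text, nothing to check against"),
    ("report.pdf", b"PK\x03\x04" + bytes(26)),              # zip renamed to .pdf
]

if __name__ == "__main__":
    for hit in find_mismatches(SAMPLE_FILES):
        print(hit)
```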

#8 🎾🏈

The target captured a sports game that took place in April 2014. What was the name of the venue (at that time) and the name of the guest team? Format: [Name of stadium] [guest team] eg: Mercedes Benz Stadium Atlanta Falcons

From previous questions I knew there were a bunch of dumped videos sorted into folders named by year. There was only one file (a video file) found at the path:

C:\Users\marsh\OneDrive\Pictures\Camera Roll\2014\20140426_205245000_iOS.MOV

The video is of a soccer match. At approximately 2 seconds in, the name of the stadium is displayed as CenturyLink Field, which is part of our answer.

Figure 8: Screen capture of the video

A quick Google search shows that the stadium has since been renamed but is still the home of the Seattle Sounders. Because we have the date stamped in the file name (presumed correct) we can search for who the Sounders played on April 26th of 2014. ESPN results show they played the Colorado Rapids.

Figure 9: ESPN results for 4/26/2014

Putting all the results together, the proper answer was "Centurylink Field Colorado Rapids".

#9 😣Collector

How many unique acquisition tools were recognized by Marsha's PC, how many times did the acquisition tools connect, and when was the last time an acquisition tool was connected? Format: [unique #] [total #] MM-DD-YYYY HH:MM e.g. 1 3 01-22-2019 19:46

I wasn't able to get this one figured out. I'm not sure if it was because the formatting was complicated or I just had it incorrect. Back in USB Detective I can see 3 distinct instances of BlackBag Macquisition. It would appear they were all connected at least twice per instance judging by the different first and last connected timestamps.

Figure 10: USB history in USB Detective

I also see a Kali Live disk but I'm not sure if that is considered an acquisition tool or not. I'm curious what the actual answer was and how it was achieved.

#10 🔢code

What is the Windows Hello PIN code of the user signed into the Windows PC with a Microsoft account?

Having no experience with Windows Hello and its forms of login, this was something completely new to me. Banaanhangwagen has a script (WINHELLO2hashcat) that extracts the hash material from a set of Windows folders and hives. Those include:
  • cryptokeys folder
    • C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys
  • masterkey folder
    • C:\Windows\System32\Microsoft\Protect\S-1-5-18\User
  • SYSTEM hive
    • C:\Windows\System32\config\SYSTEM
  • SECURITY hive
    • C:\Windows\System32\config\SECURITY
  • PINGUID
    • PIN guid
  • NGC folder
    • C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Ngc
  • SOFTWARE hive
    • C:\Windows\System32\config\SOFTWARE
Once we run the script with the necessary parameters, it outputs a hash that can potentially be cracked with Hashcat.

Figure 11: Output of WINHELLO2hashcat

We can now fire up Hashcat and see if it can crack the hash supplied. Using a command similar to this should get you the results quickly.

hashcat.exe -m 28100 "E:\Github\WINHELLO2hashcat\hash.txt" -a 3 ?d?d?d?d?d?d

The "-m 28100" is the hash mode specific to Windows Hello PINs, followed by the path of the text file containing just the hash produced by the Python script. The "-a 3" selects the attack mode, which is brute-force. The "?d?d?d?d?d?d" is the mask for the character set, looking for a 6-digit combination (this was after some trial and error). We can see below that it cracked the hash and the PIN was 134679.

Figure 12: Hashcat cracking the PIN hash

#11 🔐🆔

What is the Personal Meeting ID of the Zoom user account holder?

I think this was by far the most hated and most difficult question in the whole CTF (for good reason). Evandrix created this question and he breaks down how he did it briefly in his notes here. I will update the post once I can actually recreate this solve.

#12 💻pwd

What is the password for the URL containing a private IPv4 address in Microsoft Edge web browser's saved logins? (Case Sensitive)

With the PIN from question 10, this one gets a bit easier. Using the E01 image we can virtualize it into a VM. There are a few different ways to do this. You can do it for free by following these steps, or if you have a pro license of Arsenal Image Mounter (like I do) you can boot it from there.

At the login screen you can enter the PIN 134679 and then open Edge and go to Settings > Passwords. We can authenticate with the PIN once more to see that the saved password for the website 10.4.106.102:9997 was "NPaacYaE".

Figure 13: Edge saved password