BDSec CTF 2023 — Write Up

Raj Upadhyay
Jul 21, 2023


After a long time, I recently participated in the "BDSec CTF 2023" CTF and was able to solve a few challenges. Here I am sharing my approach to the ones I solved.

Forensics

1. SYSTEM CHECK

Question: When was the last system audit policy change?

Flag Format: BDSEC{MM/DD/YEAR_Hour:Minute:Second_Am/PM}

Answer:

To find the last system audit policy change we can use the Windows event logs.

  1. Open Event Viewer and open the "Security.evtx" file.

Next, filter Security.evtx on Event ID 4719 ("System audit policy was changed").

After clicking OK, the first entry shown is the latest one, since Event Viewer lists events newest first.

So our flag is as follows:

BDSEC{07/20/2023_07:12:17_AM}
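The same lookup can be scripted against the exported log, which also makes it easy to pull out what was actually changed rather than only when. The block below is an added example, not the write-up's own commands; the log path is a hypothetical assumption. Note that both Event Viewer and `TimeCreated` display the event in the analysis machine's local time zone, which is what the flag format expects here, so keep the UTC value alongside it when correlating with other artefacts from the image.

```powershell
# Added example, not the write-up's own commands: pull the newest
# "System audit policy was changed" event (ID 4719) from an exported
# Security.evtx and print it in the flag format.
# Assumption: the exported log is at C:\case\Security.evtx (hypothetical path).
$LogPath = 'C:\case\Security.evtx'

# Query the saved file directly. Get-WinEvent returns newest-first by default,
# so -MaxEvents 1 is the same "first row" Event Viewer shows after filtering.
$latest = Get-WinEvent -FilterHashtable @{ Path = $LogPath; Id = 4719 } -MaxEvents 1

# Caveat: TimeCreated (like the Event Viewer column) is rendered in the analysis
# machine's local time zone, not the zone of the imaged system. Keep the UTC
# value too so the timestamp can be reconciled with other artefacts.
$local = $latest.TimeCreated
$utc   = $latest.TimeCreated.ToUniversalTime()

# Pull the policy fields out of the event XML so the change can be identified,
# not just dated: who made it, which subcategory, and what was toggled.
[xml]$x = $latest.ToXml()
$data = @{}
foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

[pscustomobject]@{
    LocalTime          = $local
    UtcTime            = $utc
    Subject            = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
    SubcategoryGuid    = $data.SubcategoryGuid
    AuditPolicyChanges = $data.AuditPolicyChanges   # %%84xx resource ids: success/failure auditing added or removed
} | Format-List

# Flag format: MM/DD/YEAR_Hour:Minute:Second_AM/PM built from the local timestamp.
$flag = 'BDSEC{' + $local.ToString('MM/dd/yyyy_hh:mm:ss_tt', [cultureinfo]::InvariantCulture) + '}'
$flag
```

Drop `-MaxEvents 1` to list every 4719 entry and confirm the ordering before trusting the first row.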

2. Maintain shedule

As the name suggests, this challenge is related to the Task Scheduler.

Open Computer Management (click Start and type "Computer Management").

Expand Task Scheduler and click on the "Event Viewer Tasks" folder.

We can see two tasks, one with "Disabled" status and one with "Ready" status. Click on "Prmsiam_task2".

Now click "Run" to execute the task.

So our flag is:

BDSEC{You_Are_L3g3nd_#proved}

3. Hacker's username & email

Based on the challenge description, it appears the author is referring either to credentials stored in a web browser or to some config file.

After going through the internet history: no success.

So I decided to look at the registry, starting with persistence methods. For that I checked the "Run" key:

Path: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Double-click on "FLAGFILE2HERE" and we get a path.

When I went to the path mentioned in the registry value, I found this:

which appears suspicious, so I opened the config file in Notepad and found this:

So we found the flag:

BDSEC{comando1337_blbna@mail2tor.com}
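Both challenge 2 and challenge 3 come down to reading persistence locations: the scheduled task and the Run key. In a real investigation you would read the task definition instead of pressing "Run" on a suspect machine, and you would read the Run key out of the user's hive rather than the logged-on session. The block below is an added example, not the write-up's own commands; it shows the live-system query next to the mounted-image equivalent. The task folder and value names come from the challenge; the drive letter `E:\` and the profile name `victim` are hypothetical assumptions.

```powershell
# Added example, not the write-up's own commands: enumerate the two persistence
# locations used by challenges 2 and 3 (scheduled tasks and the Run key) by
# reading the artefacts rather than executing anything.
# Assumptions (hypothetical): the image's Windows volume is mounted at E:\ and
# the suspect profile is E:\Users\victim.

# --- 1. Scheduled tasks: live system ------------------------------------
# State shows Disabled/Ready; Actions shows the command the task would run,
# which is what matters, not whether it has been run.
Get-ScheduledTask -TaskPath '\Event Viewer Tasks\' | ForEach-Object {
    [pscustomobject]@{
        TaskName = $_.TaskName
        State    = $_.State
        Command  = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' ; '
    }
}

# --- 1b. Scheduled tasks: mounted image ---------------------------------
# Each task is an XML file (no extension) under System32\Tasks; the folder
# tree mirrors the Task Scheduler Library, so the challenge folder is a subdir.
$TaskRoot = 'E:\Windows\System32\Tasks\Event Viewer Tasks'
Get-ChildItem -Path $TaskRoot -File | ForEach-Object {
    [xml]$xml = Get-Content -Path $_.FullName -Raw
    [pscustomobject]@{
        TaskName  = $_.Name
        Enabled   = $xml.Task.Settings.Enabled
        Command   = $xml.Task.Actions.Exec.Command
        Arguments = $xml.Task.Actions.Exec.Arguments
        Author    = $xml.Task.RegistrationInfo.Author
    }
}

# --- 2. Run / RunOnce keys: live system ---------------------------------
# Each value is a command line started at logon: HKCU for the current user,
# HKLM for every user. OnDisk flags values whose target still exists.
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }     # skip PowerShell's provider metadata
        # Strip surrounding quotes so a quoted path can be checked on disk;
        # values with trailing arguments simply report OnDisk = False.
        $target = ($p.Value -replace '^"([^"]+)".*$', '$1')
        [pscustomobject]@{
            Key    = $key
            Name   = $p.Name
            Value  = $p.Value
            OnDisk = Test-Path -LiteralPath $target -ErrorAction SilentlyContinue
        }
    }
}

# --- 2b. Run key from a mounted image -----------------------------------
# HKCU is just the user's NTUSER.DAT. Load the suspect user's hive as a
# temporary key (elevated prompt required) and read the same path under it.
reg load 'HKU\ImgUser' 'E:\Users\victim\NTUSER.DAT' | Out-Null
Get-ItemProperty -Path 'Registry::HKEY_USERS\ImgUser\Software\Microsoft\Windows\CurrentVersion\Run' |
    Select-Object -Property * -ExcludeProperty PS*
reg unload 'HKU\ImgUser' | Out-Null
```

For challenge 3 the interesting output is the `Value` of `FLAGFILE2HERE`, which is the path the write-up then follows on disk; for challenge 2 it is the `Command` column of `Prmsiam_task2`, which tells you what "Run" would have executed without executing it.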

4. Find Values

The challenge was simple: open the "Windows 7.ova" file in FTK, export the .vmdk and .ovf files, and use PowerShell to get the SHA1 value of both.

Flag:

BDSEC{11BC7CC41D7BA2FD92724500F4CBEC3F6D44108A_2A3760CBF758C78BF5EC18A5C547B7DA31E44D35}
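FTK is not required for this step: an .ova is an ordinary tar archive, so the member files can be extracted with the `tar` that ships with Windows 10 and later and hashed with `Get-FileHash`. The block below is an added example, not the write-up's own command line; the paths are hypothetical assumptions, and since the write-up does not say which hash comes first in the flag, placing the .vmdk first is also an assumption.

```powershell
# Added example, not the write-up's own commands: extract the .vmdk and .ovf
# from an OVA and build the flag from their SHA1 values.
# Assumptions (hypothetical paths): the appliance is C:\case\Windows 7.ova and
# it is extracted into C:\case\ova. Hash order (.vmdk then .ovf) is assumed.
$Ova = 'C:\case\Windows 7.ova'
$Out = 'C:\case\ova'
New-Item -ItemType Directory -Path $Out -Force | Out-Null

# List the members first, then extract. OVAs usually also carry a .mf manifest
# with the publisher's own digests, which gives an independent cross-check.
tar -tvf $Ova
tar -xf $Ova -C $Out

$vmdk = Get-ChildItem -Path $Out -Filter *.vmdk | Select-Object -First 1
$ovf  = Get-ChildItem -Path $Out -Filter *.ovf  | Select-Object -First 1

# Get-FileHash returns upper-case hex, which matches the flag's format.
$h1 = (Get-FileHash -Path $vmdk.FullName -Algorithm SHA1).Hash
$h2 = (Get-FileHash -Path $ovf.FullName  -Algorithm SHA1).Hash

"BDSEC{${h1}_${h2}}"

# Cross-check against the manifest, if one is present. Manifest lines look like
# SHA1(name.ovf)= <hex> or SHA256(name.vmdk)= <hex>.
Get-ChildItem -Path $Out -Filter *.mf | ForEach-Object {
    Get-Content -Path $_.FullName | ForEach-Object {
        if ($_ -match '^(?<alg>SHA\d+)\((?<file>[^)]+)\)=\s*(?<hex>[0-9a-fA-F]+)') {
            $computed = (Get-FileHash -Path (Join-Path $Out $Matches.file) -Algorithm $Matches.alg).Hash
            [pscustomobject]@{
                File     = $Matches.file
                Alg      = $Matches.alg
                Manifest = $Matches.hex.ToUpper()
                Match    = ($computed -eq $Matches.hex.ToUpper())
            }
        }
    }
}
```

If the manifest uses SHA256, the `Match` column still tells you the exported members are intact even though the flag itself wants SHA1.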


DFIR Consultant || #LoveToPlayCTF #infosec #cybersecurity #4n6