# Table of Contents - [Introduction | CTF Training](#introduction-ctf-training) - [General | CTF Training](#general-ctf-training) - [KAPE Triage | CTF Training](#kape-triage-ctf-training) - [Memory dump analysis | CTF Training](#memory-dump-analysis-ctf-training) - [Unknown](#unknown) - [Unknown](#unknown) - [Registry Analysis | CTF Training](#registry-analysis-ctf-training) - [Event Log Analysis | CTF Training](#event-log-analysis-ctf-training) - [Introduction | CTF Training](#introduction-ctf-training) - [Unknown](#unknown) - [General | CTF Training](#general-ctf-training) - [Unknown](#unknown) - [Unknown](#unknown) - [Introduction | CTF Training](#introduction-ctf-training) - [Unknown](#unknown) - [Unknown](#unknown) - [Unknown](#unknown) --- # Introduction | CTF Training For the complete documentation index, see [llms.txt](https://fareedfauzi.gitbook.io/ctf-training/llms.txt) . This page is also available as [Markdown](https://fareedfauzi.gitbook.io/ctf-training/introduction.md) . [](https://fareedfauzi.gitbook.io/ctf-training#flag) Flag -------------------------------------------------------------- Flag is a special string format that needs to be submit in the CTF platform indicate the player solved the challenge. Flag could be in format like flag{example} OR could be the direct answer such as: * IP Address * Md5 hash * Anything [](https://fareedfauzi.gitbook.io/ctf-training#stages-in-ihack-2024) Stages in iHack 2024 ---------------------------------------------------------------------------------------------- There will be 3 stages: 1. Stage 1 - Jeopardy 2. Stage 2 - Attack and Defense 3. Stage 3 - Jeopardy Time-Based Attack [](https://fareedfauzi.gitbook.io/ctf-training#how-to-play) How to play? ----------------------------------------------------------------------------- 1. Team consist of 3 people 2. Play with strategy 3. Laptop with a good speed (For VM) 4. Comfortable using Windows and Linux - Linux got a lot of useful security tools 5. Good foundation knowledge of security, OS, programming and networking. 6. Solve the challenges and submit the flag [](https://fareedfauzi.gitbook.io/ctf-training#os) OS ---------------------------------------------------------- * Linux for sure * Lot of CTF tools pre-installed in Linux * We used both Kali Linux and Windows * Some tools are easier to play in windows environment and some not. * Use VM or bash for Windows * Suggestions: Kali Linux, Remnux, Flare VM [](https://fareedfauzi.gitbook.io/ctf-training#jeopardy) Jeopardy ---------------------------------------------------------------------- You will be given a few categories of challenges. Solve the cybersecurity challenges and find the flag. The team with the most points will win. ### [](https://fareedfauzi.gitbook.io/ctf-training#strategy) Strategy 1. Focus on solving challenges that you find easy first. * Solve easy one first. For the sake of momentum, motivation and brain processing. 2. Distribute the challenges among your team members. Dedicate a person in the team to specific category based on interests and their skill. 3. Dedicate yourself to a challenge until you feel exhausted. 4. Assign a dedicated person to solve challenges within a specific category. ### [](https://fareedfauzi.gitbook.io/ctf-training#categories-in-jeopardy) Categories in Jeopardy 1. Digital Forensics = Analyze artifacts 2. Reverse Engineering = Reverse the given program/file and find the flag 3. Malware Analysis = Analyze malware and find the flag 4. Web = Hack the web system and solve the challenge 5. Pwn = Reverse the given program first, and try to exploit the program to get flag/shell 6. Boot2root = Hack the box that contains several services/ports such as Web, SSH and etc. Get the USER privilege and ROOT privilege ![](https://fareedfauzi.gitbook.io/ctf-training/~gitbook/image?url=https%3A%2F%2F665104163-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FrgnT6YaXl0rwqp4CAxuD%252Fuploads%252FIbcLhtpeDqkLqERJqKrI%252Fimage.png%3Falt%3Dmedia%26token%3D217d802b-729a-4768-b11b-f5333f4e1635&width=768&dpr=3&quality=100&sign=e5511a79&sv=2) [](https://fareedfauzi.gitbook.io/ctf-training#attack-and-defense) Attack and Defense ------------------------------------------------------------------------------------------ ![](https://fareedfauzi.gitbook.io/ctf-training/~gitbook/image?url=https%3A%2F%2Flh7-us.googleusercontent.com%2Fslidesz%2FAGV_vUdrkpTC1Zt-oGnSD2EkOT5tYughF02Nwl49SCt9-q3BcsoewEi8oRZdLgt6wSH4hsq01yIaK7FHohfkk45RJ6zHEokjwGy59Qn1llXVjsvtz2F-yVpNCKoCZ7v89YPysHFqGzhkyDXcyiLYcpL01sigX_PuuaS0%3Ds2048%3Fkey%3D6sBnfbe-hRKRyzudaRwS3Q&width=300&dpr=3&quality=100&sign=74f1744&sv=2) You will be given an IP address with several vulnerable services and ports, similar to the other team's setup. Your objectives are: 1. Defend your services from being hacked or exploited by the other team. 2. Attack the other team's IP services and ports to capture the flag. 3. Do not disable your services to prevent exploitation, as doing so will result in penalties for your team. The services might be: * Vulnerable website (Web Pentest) * Vulnerable running binary (ELF Pwn) * Vulnerable outdated application (Public exploit) ### [](https://fareedfauzi.gitbook.io/ctf-training#general-strategy) General Strategy 1. **Defend Yourself First:** Apply patches to your services. 2. **Identify and Exploit Vulnerabilities:** Once you identify the vulnerable code or points, use your knowledge of the exploit to attack the other team. ### [](https://fareedfauzi.gitbook.io/ctf-training#strategy-to-defend) Strategy to Defend 1. **Scan Your IP:** Identify which services are running. 2. **Gain Access:** Without credentials or direct access to patch the services, exploit your own services to gain shell access. 3. **Identify Vulnerabilities:** After gaining shell or backdoor access to your system, locate the vulnerable points. 4. **Patch Vulnerabilities:** Patch the vulnerable code to defend against attacks from the other team. ### [](https://fareedfauzi.gitbook.io/ctf-training#strategy-to-attack) Strategy to Attack 1. **Leverage Previous Knowledge:** Use your experience in finding, attacking, and patching your own services to exploit the other team's vulnerabilities. 2. **Target Unpatched Systems:** Focus on teams that have not patched their systems. 3. Use given API to automate attack, more flag! [](https://fareedfauzi.gitbook.io/ctf-training#jeopardy-time-based) Jeopardy Time-Based -------------------------------------------------------------------------------------------- Within a given time frame, all teams will be presented with the same challenge and have the same amount of time to solve it. When time is up, the challenge will change to another question. The first team to solve each challenge will earn points. The team with the most points will win. Teamwork is crucial during this time. All team members should be dedicated to solving the same question. There is a high possibility of encountering IoT challenges, and web challenges might also be included. [](https://fareedfauzi.gitbook.io/ctf-training#tips-before-the-game) Tips before the game ---------------------------------------------------------------------------------------------- * Prepare your tools and cheat sheet * Do not study hard a day before CTF, * Sometimes when your brain is loaded up too much.. you will blank during the game. * Just relax and calm. ![](https://fareedfauzi.gitbook.io/ctf-training/~gitbook/image?url=https%3A%2F%2Flh7-us.googleusercontent.com%2Fslidesz%2FAGV_vUfTaqsZAf6ZnWaYFsvx-N9c-7EUfn3TA8zaP8c3f3f0xe1ENuLbKGz0jY0Dj0m7UuPVbXQV3kEKi4Jj0W5symS5RNHGeMmpG4ENPLPkQJQ1ckHDWBKKk0z0CpiN6G7GVQMN4LRdOx7An-gvQQfi_TTuO4P00Zmw%3Ds2048%3Fkey%3D6sBnfbe-hRKRyzudaRwS3Q&width=300&dpr=3&quality=100&sign=c6d2c51c&sv=2) [](https://fareedfauzi.gitbook.io/ctf-training#tips-during-the-game) Tips during the game ---------------------------------------------------------------------------------------------- * Refer your cheat sheets. * If you don’t know how to approach, please ask Google and ChatGPT * If you’re stuck. Free your mind by rest. Take a walk, eat your lunch, perform solat and come back later. ![](https://fareedfauzi.gitbook.io/ctf-training/~gitbook/image?url=https%3A%2F%2Flh7-us.googleusercontent.com%2Fslidesz%2FAGV_vUf6U0OpZoIobJK4l_WNL5sBYq17G5tCyQPB7ERZnhjVTuys109sjxCI6OcgvgfLozlxvRDHt-822_6NOsGLDSISg2QHZ5SDIRUdJraNtHg7O708tzjPJ9B-q_OikxYMxXhvFXLa3ncTgqkLw6bnZXY6O8Ad3uS_%3Ds2048%3Fkey%3D6sBnfbe-hRKRyzudaRwS3Q&width=300&dpr=3&quality=100&sign=14e14a8d&sv=2) [](https://fareedfauzi.gitbook.io/ctf-training#dump-exercise) Dump exercise -------------------------------------------------------------------------------- 1. [https://github.com/fareedfauzi/UiTM-iHack2022-Qualification/tree/main](https://github.com/fareedfauzi/UiTM-iHack2022-Qualification/tree/main) 2. [https://drive.google.com/drive/folders/1t0rN8BHCfawbg4--pKfS9LpkY1\_JPQdZ?usp=sharing](https://drive.google.com/drive/folders/1t0rN8BHCfawbg4--pKfS9LpkY1_JPQdZ?usp=sharing) [NextIntroduction](https://fareedfauzi.gitbook.io/ctf-training/forensic/introduction) Last updated 1 year ago --- # General | CTF Training For the complete documentation index, see [llms.txt](https://fareedfauzi.gitbook.io/ctf-training/llms.txt) . This page is also available as [Markdown](https://fareedfauzi.gitbook.io/ctf-training/reverse-engineering/general.md) . Given file type and tools for reverse: File type Tools EXE, DLL IDA Free, x32dbg, strings, UPX, PEID EXE, DLL (.NET) DnSpy, DE4dot, open-source unpacker APK, DEX Android Simulator, JADX, GDA ELF IDA Free, GDB-Peda, EDB Tools for malware analysis: 1. Malware analysis = [https://fareedfauzi.github.io/2022/08/08/Malware-analysis-cheatsheet.html](https://fareedfauzi.github.io/2022/08/08/Malware-analysis-cheatsheet.html) 2. Maldoc refer = [https://fareedfauzi.github.io/2022/08/08/Malware-analysis-cheatsheet.html](https://fareedfauzi.github.io/2022/08/08/Malware-analysis-cheatsheet.html) Questions example: * Sharppanda malware * .net + de4dot * Maldoc (template injection) with Sandbox * Fileless powershell * ELF * JS malware * EXE * Threat intel involve Censys * Dex file APK [](https://fareedfauzi.gitbook.io/ctf-training/reverse-engineering/general#crackme) Crackme ------------------------------------------------------------------------------------------------ Copy #include #include int main() { char password[20]; printf("Welcome to the Crack Me challenge!\n"); printf("Please enter the password: "); scanf("%s", password); if (strcmp(password, "abc123") == 0) { printf("Congratulations! You have successfully cracked the password.\n"); } else { printf("Sorry, the password you entered is incorrect.\n"); } return 0; } Copy #include int main() { int password; printf("Welcome to the Crack Me challenge!\n"); printf("Please enter the password (a 4-digit number): "); scanf("%d", &password); if (password == 1234) { printf("Congratulations! You have successfully cracked the password.\n"); } else { printf("Sorry, the password you entered is incorrect.\n"); } return 0; } Copy #include #include #define BUFFER_SIZE 50 void encrypt(char* message, int key) { int msgLen = strlen(message); for (int i = 0; i < msgLen; ++i) { message[i] = message[i] ^ key; } } int main() { char password[BUFFER_SIZE]; printf("Welcome to the Crack Me challenge!\n"); printf("Please enter the password: "); scanf("%49s", password); // Limiting input length to the buffer size - 1 encrypt(password, 0xF); if (strcmp(password, "li{{|t}jyj}|jpi`}|par") == 0) { printf("Congratulations! You have successfully cracked the password.\n"); } else { printf("Sorry, the password you entered is incorrect.\n"); } return 0; } Copy #include #include void reverseString(char* str) { int i, j; char temp; for (i = 0, j = strlen(str) - 1; i < j; i++, j--) { temp = str[i]; str[i] = str[j]; str[j] = temp; } } int main() { char secret[] = "rofgnikooluoygalfehtsiisthistragnoC"; char userInput[50]; printf("Welcome to the Reverse Engineering challenge!\n"); printf("Please enter a string: "); scanf("%49s", userInput); // Limiting input length to the buffer size - 1 reverseString(userInput); if (strcmp(userInput, secret) == 0) { printf("Congratulations! You have found the secret string.\n"); } else { printf("Sorry, the string you entered is incorrect.\n"); } return 0; } [PreviousMemory dump analysis](https://fareedfauzi.gitbook.io/ctf-training/forensic/memory-dump-analysis) Last updated 1 year ago --- # KAPE Triage | CTF Training For the complete documentation index, see [llms.txt](https://fareedfauzi.gitbook.io/ctf-training/llms.txt) . This page is also available as [Markdown](https://fareedfauzi.gitbook.io/ctf-training/forensic/kape-triage.md) . KAPE (Kroll Artifact Parser and Extractor) is a tool used in digital forensics for quickly collecting and processing data from target systems. Files often being extracted: 1. Event logs 2. Registry 3. MFT UsnJrnl 4. Win10 Timeline 5. SRUM 6. BAM/DAM 7. Prefetch 8. Jumplist 9. Browser history Please refer: [https://fareedfauzi.github.io/2023/12/22/Windows-Forensics-checklist-cheatsheet.html#triage-artifacts-parsing-and-analysis](https://fareedfauzi.github.io/2023/12/22/Windows-Forensics-checklist-cheatsheet.html#triage-artifacts-parsing-and-analysis) [PreviousIntroduction](https://fareedfauzi.gitbook.io/ctf-training/forensic/introduction) [NextEvent Log Analysis](https://fareedfauzi.gitbook.io/ctf-training/forensic/kape-triage/event-log-analysis) Last updated 1 year ago --- # Memory dump analysis | CTF Training For the complete documentation index, see [llms.txt](https://fareedfauzi.gitbook.io/ctf-training/llms.txt) . This page is also available as [Markdown](https://fareedfauzi.gitbook.io/ctf-training/forensic/memory-dump-analysis.md) . Memory dump analysis is the most common type of challenge that creators give to participants. They might provide a .raw or .mem file, and you are required to conduct analysis and solve the challenge's questions. Here are the tools you need for this type of challenge: 1. Volatility3 or Volatility Workbench 2. MemProcFS 3. EVTXtract Noted that in the industry, we don't just get a memory dump file; we get both disk images and memory dumps. However, for the sake of challenge puzzles, the challenge creator might give you only a memory dump to make it more challenging. But before we use all these actual weapons, please give a shot with `strings` command with `grep context_strings` on the mem dump. For example: Copy strings windows.mem | grep -i "flag{" [](https://fareedfauzi.gitbook.io/ctf-training/forensic/memory-dump-analysis#strategy) Strategy ---------------------------------------------------------------------------------------------------- 1. Check running processes 2. Check commands 3. Check Network connections 4. Check injected process 5. Check files 6. Check registry [](https://fareedfauzi.gitbook.io/ctf-training/forensic/memory-dump-analysis#memprocfs) MemProcFS ------------------------------------------------------------------------------------------------------ Imagine you can "Mount" memory images and analyze them with Explorer and Notepad. This tool, MemProcFS will create a virtual file system representing the processes, file handles, registry, $MFT, and more. To install and use MemProcFS, please install Dokan first at [https://github.com/dokan-dev/dokany/releases](https://github.com/dokan-dev/dokany/releases) Then download the binaries from the release: [https://github.com/ufrisk/MemProcFS/releases](https://github.com/ufrisk/MemProcFS/releases) ### [](https://fareedfauzi.gitbook.io/ctf-training/forensic/memory-dump-analysis#usage) Usage Mount and forensics! Copy memprocfs.exe -device memdump.mem -forensic 1 ![](https://fareedfauzi.gitbook.io/ctf-training/~gitbook/image?url=https%3A%2F%2F665104163-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FrgnT6YaXl0rwqp4CAxuD%252Fuploads%252FEHseLRUxOcqNSX2ZtCm3%252Fimage.png%3Falt%3Dmedia%26token%3Dacf7335d-f737-40f2-bee4-8daafff9d2a4&width=768&dpr=3&quality=100&sign=c10c69f9&sv=2) Navigate and explore the folders: Directory Description [conf](https://github.com/ufrisk/MemProcFS/wiki/FS_Conf) Configuration and Status. [forensic](https://github.com/ufrisk/MemProcFS/wiki/FS_Forensic) Forensic mode. [misc](https://github.com/ufrisk/MemProcFS/wiki/FS_Misc) Miscellaneous functionality name Per-process directories listed by process name. pid Per-process directories listed by process pid. py Python based plugins. [registry](https://github.com/ufrisk/MemProcFS/wiki/FS_Registry) Registry information. [sys](https://github.com/ufrisk/MemProcFS/wiki/FS_SysInfo) System information. [vm](https://github.com/ufrisk/MemProcFS/wiki/VM) Virtual Machine (VM) information. ![](https://fareedfauzi.gitbook.io/ctf-training/~gitbook/image?url=https%3A%2F%2F665104163-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FrgnT6YaXl0rwqp4CAxuD%252Fuploads%252FnTF2NT8J310WgApjyvWK%252Fimage.png%3Falt%3Dmedia%26token%3D0a67bcab-4366-4bb9-8dfb-0113a47d2723&width=768&dpr=3&quality=100&sign=fb6f75c8&sv=2) ### [](https://fareedfauzi.gitbook.io/ctf-training/forensic/memory-dump-analysis#running-processes) Running Processes Navigate to `M:\sys\proc` where the files: `proc` \= Show process in tree mode `proc-v` = Show process with command ![](https://fareedfauzi.gitbook.io/ctf-training/~gitbook/image?url=https%3A%2F%2F665104163-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FrgnT6YaXl0rwqp4CAxuD%252Fuploads%252FlQJywAJHoWnFkKA9YKHQ%252Fimage.png%3Falt%3Dmedia%26token%3D1b7d5807-5120-44e9-8a25-48bbad27d357&width=768&dpr=3&quality=100&sign=25f82d71&sv=2) ### [](https://fareedfauzi.gitbook.io/ctf-training/forensic/memory-dump-analysis#network-connection) Network connection Navigate to `M:\sys\net\` ![](https://fareedfauzi.gitbook.io/ctf-training/~gitbook/image?url=https%3A%2F%2F665104163-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FrgnT6YaXl0rwqp4CAxuD%252Fuploads%252Fguro0EocW1h0tg9Dd5K8%252Fimage.png%3Falt%3Dmedia%26token%3Deaa92a6f-e4e8-44c4-887b-ef26b48991a6&width=768&dpr=3&quality=100&sign=17fc4675&sv=2) ### [](https://fareedfauzi.gitbook.io/ctf-training/forensic/memory-dump-analysis#investigate-injected-process) Investigate injected process Navigate to `M:\forensic\findevil` and find RWX section in the output result ![](https://fareedfauzi.gitbook.io/ctf-training/~gitbook/image?url=https%3A%2F%2F665104163-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FrgnT6YaXl0rwqp4CAxuD%252Fuploads%252FTBa9A36uAH6ZAdGf01X5%252Fimage.png%3Falt%3Dmedia%26token%3De8b850cc-d9a9-46b4-a4ea-663b3111a661&width=768&dpr=3&quality=100&sign=b9e7ac6&sv=2) ### [](https://fareedfauzi.gitbook.io/ctf-training/forensic/memory-dump-analysis#dump-shellcode) Dump shellcode Go to `M:\pid\ Choose `Windows` Platform as option -> Refresh Process List > Choose `Command` options -> Run -> Investigate the output ![](https://fareedfauzi.gitbook.io/ctf-training/~gitbook/image?url=https%3A%2F%2F665104163-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FrgnT6YaXl0rwqp4CAxuD%252Fuploads%252Fr8VmTdGxPkTp2xpNmT1V%252Fimage.png%3Falt%3Dmedia%26token%3Df7c490ca-5b81-481d-af56-5e52602b38ca&width=768&dpr=3&quality=100&sign=f663fc10&sv=2) These is the plugins that I found crucial in analysis: Plugin Description `windows.cmdline.CmdLine` Lists process command line arguments. `windows.dlllist.DllList` Lists the loaded modules in a particular Windows memory image. `windows.dumpfiles.DumpFiles` Dumps cached file contents from Windows memory samples. `windows.envars.Envars` Displays process environment variables. `windows.filescan.FileScan` Scans for file objects present in a particular Windows memory image. `windows.getservicesids.GetServiceSIDs` Lists process token SIDs. `windows.getsids.GetSIDs` Prints the SIDs owning each process. `windows.handles.Handles` Lists process open handles. `windows.malfind.Malfind` Lists process memory ranges that potentially contain injected code. `windows.mbrscan.MBRScan` Scans for and parses potential Master Boot Records (MBRs). `windows.memmap.Memmap` Prints the memory map. `windows.modscan.ModScan` Scans for modules present in a particular Windows memory image. `windows.mutantscan.MutantScan` Scans for mutexes present in a particular Windows memory image. `windows.netscan.NetScan` Scans for network objects present in a particular Windows memory image. `windows.netstat.NetStat` Traverses network tracking structures present in a particular Windows memory image. `windows.pslist.PsList` Lists the processes present in a particular Windows memory image. `windows.psscan.PsScan` Scans for processes present in a particular Windows memory image. `windows.pstree.PsTree` Lists processes in a tree based on their parent process ID. `windows.registry.hivelist.HiveList` Lists the registry hives present in a particular memory image. `windows.registry.hivescan.HiveScan` Scans for registry hives present in a particular Windows memory image. `windows.registry.printkey.PrintKey` Lists the registry keys under a hive or specific key value. `windows.registry.userassist.UserAssist` Prints UserAssist registry keys and information. `windows.sessions.Sessions` Lists processes with session information extracted from environmental variables. `windows.skeleton_key_check.Skeleton_Key_Check` Looks for signs of Skeleton Key malware. [](https://fareedfauzi.gitbook.io/ctf-training/forensic/memory-dump-analysis#evtxtract) EVTXtract ------------------------------------------------------------------------------------------------------ This tool recovers and reconstructs fragments of EVTX log files from raw binary data, including unallocated space and memory images. The use case of this tool is when the challenge creator ask us to find something in the event log, but all he/she gives is a mem dump. Download: [https://github.com/williballenthin/EVTXtract](https://github.com/williballenthin/EVTXtract) ### [](https://fareedfauzi.gitbook.io/ctf-training/forensic/memory-dump-analysis#usage-1) Usage It's quite hard to read the XML output, you might need CTRL+F with context of the incident. ![](https://fareedfauzi.gitbook.io/ctf-training/~gitbook/image?url=https%3A%2F%2F665104163-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FrgnT6YaXl0rwqp4CAxuD%252Fuploads%252FuW7FWne4zdJAja4jOshc%252Fimage.png%3Falt%3Dmedia%26token%3D0b92cccd-fd62-4b65-8b38-52e27f6d9ed2&width=768&dpr=3&quality=100&sign=821138e6&sv=2) [PreviousRegistry Analysis](https://fareedfauzi.gitbook.io/ctf-training/forensic/kape-triage/registry-analysis) [NextGeneral](https://fareedfauzi.gitbook.io/ctf-training/reverse-engineering/general) Last updated 1 year ago --- # Unknown \# CTF Training ## CTF Training - \[Introduction\](https://fareedfauzi.gitbook.io/ctf-training/introduction.md) - \[Introduction\](https://fareedfauzi.gitbook.io/ctf-training/forensic/introduction.md) - \[KAPE Triage\](https://fareedfauzi.gitbook.io/ctf-training/forensic/kape-triage.md) - \[Event Log Analysis\](https://fareedfauzi.gitbook.io/ctf-training/forensic/kape-triage/event-log-analysis.md) - \[Registry Analysis\](https://fareedfauzi.gitbook.io/ctf-training/forensic/kape-triage/registry-analysis.md) - \[Memory dump analysis\](https://fareedfauzi.gitbook.io/ctf-training/forensic/memory-dump-analysis.md) - \[General\](https://fareedfauzi.gitbook.io/ctf-training/reverse-engineering/general.md) --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on a page URL with the \`ask\` query parameter: \`\`\` GET https://fareedfauzi.gitbook.io/ctf-training/introduction.md?ask= \`\`\` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fareedfauzi.gitbook.io/ctf-training/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fareedfauzi.gitbook.io/ctf-training/introduction.md). # Introduction ## Flag Flag is a special string format that needs to be submit in the CTF platform indicate the player solved the challenge. Flag could be in format like flag{example} OR could be the direct answer such as: \* IP Address \* Md5 hash \* Anything ## Stages in iHack 2024 There will be 3 stages: 1. Stage 1 - Jeopardy 2. Stage 2 - Attack and Defense 3. Stage 3 - Jeopardy Time-Based Attack ## How to play? 1. Team consist of 3 people 2. Play with strategy 3. Laptop with a good speed (For VM) 4. Comfortable using Windows and Linux - Linux got a lot of useful security tools 5. Good foundation knowledge of security, OS, programming and networking. 6. Solve the challenges and submit the flag ## OS \* Linux for sure \* Lot of CTF tools pre-installed in Linux \* We used both Kali Linux and Windows \* Some tools are easier to play in windows environment and some not. \* Use VM or bash for Windows \* Suggestions: Kali Linux, Remnux, Flare VM ## Jeopardy You will be given a few categories of challenges. Solve the cybersecurity challenges and find the flag. The team with the most points will win. ### Strategy 1. Focus on solving challenges that you find easy first. \* Solve easy one first. For the sake of momentum, motivation and brain processing. 2. Distribute the challenges among your team members. Dedicate a person in the team to specific category based on interests and their skill. 3. Dedicate yourself to a challenge until you feel exhausted. 4. Assign a dedicated person to solve challenges within a specific category. ### Categories in Jeopardy 1. Digital Forensics = Analyze artifacts 2. Reverse Engineering = Reverse the given program/file and find the flag 3. Malware Analysis = Analyze malware and find the flag 4. Web = Hack the web system and solve the challenge 5. Pwn = Reverse the given program first, and try to exploit the program to get flag/shell 6. Boot2root = Hack the box that contains several services/ports such as Web, SSH and etc. Get the USER privilege and ROOT privilege
## Attack and Defense !\[\](https://lh7-us.googleusercontent.com/slidesz/AGV\_vUdrkpTC1Zt-oGnSD2EkOT5tYughF02Nwl49SCt9-q3BcsoewEi8oRZdLgt6wSH4hsq01yIaK7FHohfkk45RJ6zHEokjwGy59Qn1llXVjsvtz2F-yVpNCKoCZ7v89YPysHFqGzhkyDXcyiLYcpL01sigX\_PuuaS0=s2048?key=6sBnfbe-hRKRyzudaRwS3Q) You will be given an IP address with several vulnerable services and ports, similar to the other team's setup. Your objectives are: 1. Defend your services from being hacked or exploited by the other team. 2. Attack the other team's IP services and ports to capture the flag. 3. Do not disable your services to prevent exploitation, as doing so will result in penalties for your team. The services might be: \* Vulnerable website (Web Pentest) \* Vulnerable running binary (ELF Pwn) \* Vulnerable outdated application (Public exploit) ### General Strategy 1. \*\*Defend Yourself First:\*\* Apply patches to your services. 2. \*\*Identify and Exploit Vulnerabilities:\*\* Once you identify the vulnerable code or points, use your knowledge of the exploit to attack the other team. ### Strategy to Defend 1. \*\*Scan Your IP:\*\* Identify which services are running. 2. \*\*Gain Access:\*\* Without credentials or direct access to patch the services, exploit your own services to gain shell access. 3. \*\*Identify Vulnerabilities:\*\* After gaining shell or backdoor access to your system, locate the vulnerable points. 4. \*\*Patch Vulnerabilities:\*\* Patch the vulnerable code to defend against attacks from the other team. ### Strategy to Attack 1. \*\*Leverage Previous Knowledge:\*\* Use your experience in finding, attacking, and patching your own services to exploit the other team's vulnerabilities. 2. \*\*Target Unpatched Systems:\*\* Focus on teams that have not patched their systems. 3. Use given API to automate attack, more flag! ## Jeopardy Time-Based Within a given time frame, all teams will be presented with the same challenge and have the same amount of time to solve it. When time is up, the challenge will change to another question. The first team to solve each challenge will earn points. The team with the most points will win. Teamwork is crucial during this time. All team members should be dedicated to solving the same question. There is a high possibility of encountering IoT challenges, and web challenges might also be included. ## Tips before the game \* Prepare your tools and cheat sheet \* Do not study hard a day before CTF, \* Sometimes when your brain is loaded up too much.. you will blank during the game. \* Just relax and calm. !\[\](https://lh7-us.googleusercontent.com/slidesz/AGV\_vUfTaqsZAf6ZnWaYFsvx-N9c-7EUfn3TA8zaP8c3f3f0xe1ENuLbKGz0jY0Dj0m7UuPVbXQV3kEKi4Jj0W5symS5RNHGeMmpG4ENPLPkQJQ1ckHDWBKKk0z0CpiN6G7GVQMN4LRdOx7An-gvQQfi\_TTuO4P00Zmw=s2048?key=6sBnfbe-hRKRyzudaRwS3Q) ## Tips during the game \* Refer your cheat sheets. \* If you don’t know how to approach, please ask Google and ChatGPT \* If you’re stuck. Free your mind by rest. Take a walk, eat your lunch, perform solat and come back later. !\[\](https://lh7-us.googleusercontent.com/slidesz/AGV\_vUf6U0OpZoIobJK4l\_WNL5sBYq17G5tCyQPB7ERZnhjVTuys109sjxCI6OcgvgfLozlxvRDHt-822\_6NOsGLDSISg2QHZ5SDIRUdJraNtHg7O708tzjPJ9B-q\_OikxYMxXhvFXLa3ncTgqkLw6bnZXY6O8Ad3uS\_=s2048?key=6sBnfbe-hRKRyzudaRwS3Q) ## Dump exercise 1. 2. --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the \`ask\` query parameter, and the optional \`goal\` query parameter: \`\`\` GET https://fareedfauzi.gitbook.io/ctf-training/introduction.md?ask=&goal= \`\`\` \`ask\` is the immediate question: it should be specific, self-contained, and written in natural language. \`goal\` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections. --- # Registry Analysis | CTF Training For the complete documentation index, see [llms.txt](https://fareedfauzi.gitbook.io/ctf-training/llms.txt) . This page is also available as [Markdown](https://fareedfauzi.gitbook.io/ctf-training/forensic/kape-triage/registry-analysis.md) . [](https://fareedfauzi.gitbook.io/ctf-training/forensic/kape-triage/registry-analysis#what-is-registry) What is registry ----------------------------------------------------------------------------------------------------------------------------- Registry is a hierarchical database that serves as a central repository for 1. Configuration settings 2. Information about the software, hardware, and user preferences In perspective of attacker, registry can be abuse to: * Setup persistence * Modify config such as WDigest * Disable WinDefender * Privilege Escalation * User Account Manipulation * And many more (https://redteamrecipe.com/Registry-Attack-Vectors/) [](https://fareedfauzi.gitbook.io/ctf-training/forensic/kape-triage/registry-analysis#registry-hives-explained) Registry hives explained --------------------------------------------------------------------------------------------------------------------------------------------- Registry hives Description HKEY\_CLASSES\_ROOT A symbolic link to HKLM\\SOFTWARE\\Classes HKEY\_CURRENT\_USER A symbolic link to the part of HKEY\_USERS representing the currently logged in user's profile. HKEY\_LOCAL\_MACHINE Contains information about all the installed hardware and software. HKEY\_USERS Contains preferences for each of the user profiles on the machine HKEY\_CURRENT\_CONFIG Symbolic link that points to the part in HKLM that applies to the current hardware configuration [](https://fareedfauzi.gitbook.io/ctf-training/forensic/kape-triage/registry-analysis#registry-structure) Registry structure --------------------------------------------------------------------------------------------------------------------------------- ![](https://fareedfauzi.gitbook.io/ctf-training/~gitbook/image?url=https%3A%2F%2Flh7-us.googleusercontent.com%2FUVYC-adHpD7uhe9v2FUiS7ioBAbPTRA2rll2ZBFLvEqXCOvMw3jpCPMiXHgpsBZmcfZ39WYyiWNYGlnAnQwF4yBAuPhx_OdBp0SbbpUJLJc3l9uJAFT-dAECzg6VzEU6oXRbKu4jmnjTnPSAB3TzXvRfAA%3Ds2048&width=768&dpr=3&quality=100&sign=44eb6f33&sv=2) [](https://fareedfauzi.gitbook.io/ctf-training/forensic/kape-triage/registry-analysis#registry-artifact-location) Registry artifact location ------------------------------------------------------------------------------------------------------------------------------------------------- System registry Current user registry * %WinDir%\\System32\\Config\\\* * %WinDir%\\appcompat\\Programs\\AMCACHE.hve * C:\\Users\\\\NTUSER.dat * C:\\Users\\\\AppData\\Local\\Microsoft\\Windows\\USRCLASS.DAT [](https://fareedfauzi.gitbook.io/ctf-training/forensic/kape-triage/registry-analysis#using-registry-explorer) Using Registry Explorer ------------------------------------------------------------------------------------------------------------------------------------------- ![](https://fareedfauzi.gitbook.io/ctf-training/~gitbook/image?url=https%3A%2F%2F665104163-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FrgnT6YaXl0rwqp4CAxuD%252Fuploads%252F7BjlTlprqT4dNxNEBTlK%252Fimage.png%3Falt%3Dmedia%26token%3D46837235-2eb5-41be-a6dd-ba9552c507a9&width=768&dpr=3&quality=100&sign=69de3047&sv=2) Please refer: [https://fareedfauzi.github.io/2023/12/22/Windows-Forensics-checklist-cheatsheet.html#triage-artifacts-parsing-and-analysis](https://fareedfauzi.github.io/2023/12/22/Windows-Forensics-checklist-cheatsheet.html#triage-artifacts-parsing-and-analysis) [PreviousEvent Log Analysis](https://fareedfauzi.gitbook.io/ctf-training/forensic/kape-triage/event-log-analysis) [NextMemory dump analysis](https://fareedfauzi.gitbook.io/ctf-training/forensic/memory-dump-analysis) Last updated 1 year ago --- # Event Log Analysis | CTF Training For the complete documentation index, see [llms.txt](https://fareedfauzi.gitbook.io/ctf-training/llms.txt) . This page is also available as [Markdown](https://fareedfauzi.gitbook.io/ctf-training/forensic/kape-triage/event-log-analysis.md) . [](https://fareedfauzi.gitbook.io/ctf-training/forensic/kape-triage/event-log-analysis#event-logs) Event logs ------------------------------------------------------------------------------------------------------------------ Records events that occur on a Windows operating system. It's critical source of information for * Investigating security incidents, * Identifying malicious/susp activities * Understanding system events Logs doesn’t lie! But it can be clear/delete by the Threat actor... Event logs is located at C:\\Windows\\System32\\winevt\\Logs [](https://fareedfauzi.gitbook.io/ctf-training/forensic/kape-triage/event-log-analysis#save-time) Save time ---------------------------------------------------------------------------------------------------------------- Read and investigate the event logs from A-Z is time consuming for CTF. So, we use automate scanner such as Hayabusa to scan the event logs and parse the result. [](https://fareedfauzi.gitbook.io/ctf-training/forensic/kape-triage/event-log-analysis#hayabusa) Hayabusa -------------------------------------------------------------------------------------------------------------- Hayabusa (隼) is a sigma-based threat hunting and fast forensics timeline generator for Windows event logs. Copy hayabusa.exe update-rules hayabusa.exe csv-timeline -d C:\Users\training\Desktop\C\Windows\System32\winevt\logs -p verbose -o ..\results.csv ![](https://fareedfauzi.gitbook.io/ctf-training/~gitbook/image?url=https%3A%2F%2F665104163-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FrgnT6YaXl0rwqp4CAxuD%252Fuploads%252F2b5Zjdr9oNBWYO0bfSaN%252Fimage.png%3Falt%3Dmedia%26token%3D785d2e67-021e-4d6f-87fe-a4a57665b610&width=768&dpr=3&quality=100&sign=f7ca67c3&sv=2) Then open the the _results.csv_ in Timeline Explorer ![](https://fareedfauzi.gitbook.io/ctf-training/~gitbook/image?url=https%3A%2F%2F665104163-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FrgnT6YaXl0rwqp4CAxuD%252Fuploads%252FltFDRGPmIoAnEfy4hVd5%252Fimage.png%3Falt%3Dmedia%26token%3D7eb1e596-fa76-4316-aece-395d70710b64&width=768&dpr=3&quality=100&sign=fea9bd45&sv=2) [](https://fareedfauzi.gitbook.io/ctf-training/forensic/kape-triage/event-log-analysis#event-log-explorer) Event Log Explorer ---------------------------------------------------------------------------------------------------------------------------------- Manually, use event log explorer to manually analyze the event logs Please refer: [https://fareedfauzi.github.io/2023/12/22/Windows-Forensics-checklist-cheatsheet.html#windows-event-logs-analysis](https://fareedfauzi.github.io/2023/12/22/Windows-Forensics-checklist-cheatsheet.html#windows-event-logs-analysis) [PreviousKAPE Triage](https://fareedfauzi.gitbook.io/ctf-training/forensic/kape-triage) [NextRegistry Analysis](https://fareedfauzi.gitbook.io/ctf-training/forensic/kape-triage/registry-analysis) Last updated 1 year ago --- # Introduction | CTF Training For the complete documentation index, see [llms.txt](https://fareedfauzi.gitbook.io/ctf-training/llms.txt) . This page is also available as [Markdown](https://fareedfauzi.gitbook.io/ctf-training/forensic/introduction.md) . [](https://fareedfauzi.gitbook.io/ctf-training/forensic/introduction#useful-cheatsheet) Useful cheatsheet -------------------------------------------------------------------------------------------------------------- 1. [https://fareedfauzi.github.io/2023/12/22/Windows-Forensics-checklist-cheatsheet.html](https://fareedfauzi.github.io/2023/12/22/Windows-Forensics-checklist-cheatsheet.html) 2. [https://fareedfauzi.github.io/2024/03/29/Linux-Forensics-cheatsheet.html](https://fareedfauzi.github.io/2024/03/29/Linux-Forensics-cheatsheet.html) For most of the logical forensic question, they will ask you to find Indicator of Compromises (IOCs), timestamp, filename, registry and etc. that relate to that incident. Flags could be include of: 1. URLs 2. IP Address 3. Filename 4. Registry 5. Username 6. Domain name 7. Timestamp 8. Process information 9. Command executed 10. Hash 11. Password 12. And many more! Beside that, several CTF might embed a full word of flag such as "FLAG{This\_Is\_The\_Flag}". But this way much easier for participant to just _strings_ and _grep_ the keyword, which makes challenge creator encoded the strings such as using base64 or encrypt it using encryption algorithm to avoid direct flag being discovered by _strings_ command. So, it depend on the challenge creator itself. [](https://fareedfauzi.gitbook.io/ctf-training/forensic/introduction#artifacts) Artifacts ---------------------------------------------------------------------------------------------- In the forensics industry, we have a lot type of artifacts. While in CTF, the organizer likely will supposedly gives: 1. E01 file 2. KAPE Triage file such as Registry, Prefetch, SRUDB.dat 3. Memory dump 4. Log file [](https://fareedfauzi.gitbook.io/ctf-training/forensic/introduction#things-to-do-during-ctf) Things to do during CTF -------------------------------------------------------------------------------------------------------------------------- 1. Prepare a right tool and knowing how to use it 2. Having a knowledge about the given artifacts 3. Do quick analysis and find the flag [](https://fareedfauzi.gitbook.io/ctf-training/forensic/introduction#forensics-tools-for-ctf) Forensics tools for CTF -------------------------------------------------------------------------------------------------------------------------- Initial analysis * File command, TRiD * Strings, FLOSS * base64dump, XORSearch Disk image * Autopsy * FTK Imager * Arsenal Image Mounter * mount command (Linux) KAPE extracted files * Eric Zimmerman Memory dump * MemProcFS * Volatility3 and Volatily Workbench * Evtxtract Registry * Regripper * Registry Explorer Event logs * Event log Explorer * Log scanner such as Hayabusa Browser files * DBBrowser Other artifacts * WMI Forensics * BMC Tools * USB Detective * SRUM dump [PreviousIntroduction](https://fareedfauzi.gitbook.io/ctf-training) [NextKAPE Triage](https://fareedfauzi.gitbook.io/ctf-training/forensic/kape-triage) Last updated 1 year ago --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fareedfauzi.gitbook.io/ctf-training/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fareedfauzi.gitbook.io/ctf-training/reverse-engineering/general.md). # General Given file type and tools for reverse: | File type | Tools | | --------------- | ------------------------------------ | | EXE, DLL | IDA Free, x32dbg, strings, UPX, PEID | | EXE, DLL (.NET) | DnSpy, DE4dot, open-source unpacker | | APK, DEX | Android Simulator, JADX, GDA | | ELF | IDA Free, GDB-Peda, EDB | Tools for malware analysis: 1. Malware analysis = 2. Maldoc refer = Questions example: \* Sharppanda malware \* .net + de4dot \* Maldoc (template injection) with Sandbox \* Fileless powershell \* ELF \* JS malware \* EXE \* Threat intel involve Censys \* Dex file APK ## Crackme \`\`\` #include #include int main() { char password\[20\]; printf("Welcome to the Crack Me challenge!\\n"); printf("Please enter the password: "); scanf("%s", password); if (strcmp(password, "abc123") == 0) { printf("Congratulations! You have successfully cracked the password.\\n"); } else { printf("Sorry, the password you entered is incorrect.\\n"); } return 0; } \`\`\` \`\`\` #include int main() { int password; printf("Welcome to the Crack Me challenge!\\n"); printf("Please enter the password (a 4-digit number): "); scanf("%d", &password); if (password == 1234) { printf("Congratulations! You have successfully cracked the password.\\n"); } else { printf("Sorry, the password you entered is incorrect.\\n"); } return 0; } \`\`\` \`\`\` #include #include #define BUFFER\_SIZE 50 void encrypt(char\* message, int key) { int msgLen = strlen(message); for (int i = 0; i < msgLen; ++i) { message\[i\] = message\[i\] ^ key; } } int main() { char password\[BUFFER\_SIZE\]; printf("Welcome to the Crack Me challenge!\\n"); printf("Please enter the password: "); scanf("%49s", password); // Limiting input length to the buffer size - 1 encrypt(password, 0xF); if (strcmp(password, "li{{|t}jyj}|jpi\`}|par") == 0) { printf("Congratulations! You have successfully cracked the password.\\n"); } else { printf("Sorry, the password you entered is incorrect.\\n"); } return 0; } \`\`\` \`\`\` #include #include void reverseString(char\* str) { int i, j; char temp; for (i = 0, j = strlen(str) - 1; i < j; i++, j--) { temp = str\[i\]; str\[i\] = str\[j\]; str\[j\] = temp; } } int main() { char secret\[\] = "rofgnikooluoygalfehtsiisthistragnoC"; char userInput\[50\]; printf("Welcome to the Reverse Engineering challenge!\\n"); printf("Please enter a string: "); scanf("%49s", userInput); // Limiting input length to the buffer size - 1 reverseString(userInput); if (strcmp(userInput, secret) == 0) { printf("Congratulations! You have found the secret string.\\n"); } else { printf("Sorry, the string you entered is incorrect.\\n"); } return 0; } \`\`\` --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the \`ask\` query parameter, and the optional \`goal\` query parameter: \`\`\` GET https://fareedfauzi.gitbook.io/ctf-training/reverse-engineering/general.md?ask=&goal= \`\`\` \`ask\` is the immediate question: it should be specific, self-contained, and written in natural language. \`goal\` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections. --- # General | CTF Training For the complete documentation index, see [llms.txt](https://fareedfauzi.gitbook.io/ctf-training/llms.txt) . This page is also available as [Markdown](https://fareedfauzi.gitbook.io/ctf-training/reverse-engineering/general.md) . Given file type and tools for reverse: File type Tools EXE, DLL IDA Free, x32dbg, strings, UPX, PEID EXE, DLL (.NET) DnSpy, DE4dot, open-source unpacker APK, DEX Android Simulator, JADX, GDA ELF IDA Free, GDB-Peda, EDB Tools for malware analysis: 1. Malware analysis = [https://fareedfauzi.github.io/2022/08/08/Malware-analysis-cheatsheet.html](https://fareedfauzi.github.io/2022/08/08/Malware-analysis-cheatsheet.html) 2. Maldoc refer = [https://fareedfauzi.github.io/2022/08/08/Malware-analysis-cheatsheet.html](https://fareedfauzi.github.io/2022/08/08/Malware-analysis-cheatsheet.html) Questions example: * Sharppanda malware * .net + de4dot * Maldoc (template injection) with Sandbox * Fileless powershell * ELF * JS malware * EXE * Threat intel involve Censys * Dex file APK [](https://fareedfauzi.gitbook.io/ctf-training/reverse-engineering#crackme) Crackme ---------------------------------------------------------------------------------------- Copy #include #include int main() { char password[20]; printf("Welcome to the Crack Me challenge!\n"); printf("Please enter the password: "); scanf("%s", password); if (strcmp(password, "abc123") == 0) { printf("Congratulations! You have successfully cracked the password.\n"); } else { printf("Sorry, the password you entered is incorrect.\n"); } return 0; } Copy #include int main() { int password; printf("Welcome to the Crack Me challenge!\n"); printf("Please enter the password (a 4-digit number): "); scanf("%d", &password); if (password == 1234) { printf("Congratulations! You have successfully cracked the password.\n"); } else { printf("Sorry, the password you entered is incorrect.\n"); } return 0; } Copy #include #include #define BUFFER_SIZE 50 void encrypt(char* message, int key) { int msgLen = strlen(message); for (int i = 0; i < msgLen; ++i) { message[i] = message[i] ^ key; } } int main() { char password[BUFFER_SIZE]; printf("Welcome to the Crack Me challenge!\n"); printf("Please enter the password: "); scanf("%49s", password); // Limiting input length to the buffer size - 1 encrypt(password, 0xF); if (strcmp(password, "li{{|t}jyj}|jpi`}|par") == 0) { printf("Congratulations! You have successfully cracked the password.\n"); } else { printf("Sorry, the password you entered is incorrect.\n"); } return 0; } Copy #include #include void reverseString(char* str) { int i, j; char temp; for (i = 0, j = strlen(str) - 1; i < j; i++, j--) { temp = str[i]; str[i] = str[j]; str[j] = temp; } } int main() { char secret[] = "rofgnikooluoygalfehtsiisthistragnoC"; char userInput[50]; printf("Welcome to the Reverse Engineering challenge!\n"); printf("Please enter a string: "); scanf("%49s", userInput); // Limiting input length to the buffer size - 1 reverseString(userInput); if (strcmp(userInput, secret) == 0) { printf("Congratulations! You have found the secret string.\n"); } else { printf("Sorry, the string you entered is incorrect.\n"); } return 0; } [PreviousMemory dump analysis](https://fareedfauzi.gitbook.io/ctf-training/forensic/memory-dump-analysis) Last updated 1 year ago --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fareedfauzi.gitbook.io/ctf-training/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fareedfauzi.gitbook.io/ctf-training/forensic/memory-dump-analysis.md). # Memory dump analysis Memory dump analysis is the most common type of challenge that creators give to participants. They might provide a .raw or .mem file, and you are required to conduct analysis and solve the challenge's questions. Here are the tools you need for this type of challenge: 1. Volatility3 or Volatility Workbench 2. MemProcFS 3. EVTXtract Noted that in the industry, we don't just get a memory dump file; we get both disk images and memory dumps. However, for the sake of challenge puzzles, the challenge creator might give you only a memory dump to make it more challenging. But before we use all these actual weapons, please give a shot with \`strings\` command with \`grep context\_strings\` on the mem dump. For example: \`\`\`sh strings windows.mem | grep -i "flag{" \`\`\` ## Strategy 1. Check running processes 2. Check commands 3. Check Network connections 4. Check injected process 5. Check files 6. Check registry ## MemProcFS Imagine you can "Mount" memory images and analyze them with Explorer and Notepad. This tool, MemProcFS will create a virtual file system representing the processes, file handles, registry, $MFT, and more. To install and use MemProcFS, please install Dokan first at Then download the binaries from the release: ### Usage Mount and forensics! \`\`\` memprocfs.exe -device memdump.mem -forensic 1 \`\`\`
Navigate and explore the folders: | Directory | Description | | ---------------------------------------------------------------- | ----------------------------------------------- | | \[conf\](https://github.com/ufrisk/MemProcFS/wiki/FS\_Conf) | Configuration and Status. | | \[forensic\](https://github.com/ufrisk/MemProcFS/wiki/FS\_Forensic) | Forensic mode. | | \[misc\](https://github.com/ufrisk/MemProcFS/wiki/FS\_Misc) | Miscellaneous functionality | | name | Per-process directories listed by process name. | | pid | Per-process directories listed by process pid. | | py | Python based plugins. | | \[registry\](https://github.com/ufrisk/MemProcFS/wiki/FS\_Registry) | Registry information. | | \[sys\](https://github.com/ufrisk/MemProcFS/wiki/FS\_SysInfo) | System information. | | \[vm\](https://github.com/ufrisk/MemProcFS/wiki/VM) | Virtual Machine (VM) information. |
### Running Processes Navigate to \`M:\\sys\\proc\` where the files: \`proc\` = Show process in tree mode\\ \`proc-v\` = Show process with command
### Network connection Navigate to \`M:\\sys\\net\\\`
### Investigate injected process Navigate to \`M:\\forensic\\findevil\` and find RWX section in the output result
### Dump shellcode Go to \`M:\\pid\\
Then, we can use shellcode emulator or shellcode launcher to know what the program does including: 1. Shellcode2exe 2. Blobrunner 3. SCDbg 4. speakeasy ## Volatility WorkBench Volatility Workbench is a graphical user interface (GUI) for the Volatility if you hate Linux command line version. ### Basic Usage Browse Image -> Choose \`Windows\` Platform as option -> Refresh Process List > Choose \`Command\` options -> Run -> Investigate the output
These is the plugins that I found crucial in analysis:
PluginDescription
windows.cmdline.CmdLineLists process command line arguments.
windows.dlllist.DllListLists the loaded modules in a particular Windows memory image.
windows.dumpfiles.DumpFilesDumps cached file contents from Windows memory samples.
windows.envars.EnvarsDisplays process environment variables.
windows.filescan.FileScanScans for file objects present in a particular Windows memory image.
windows.getservicesids.GetServiceSIDsLists process token SIDs.
windows.getsids.GetSIDsPrints the SIDs owning each process.
windows.handles.HandlesLists process open handles.
windows.malfind.MalfindLists process memory ranges that potentially contain injected code.
windows.mbrscan.MBRScanScans for and parses potential Master Boot Records (MBRs).
windows.memmap.MemmapPrints the memory map.
windows.modscan.ModScanScans for modules present in a particular Windows memory image.
windows.mutantscan.MutantScanScans for mutexes present in a particular Windows memory image.
windows.netscan.NetScanScans for network objects present in a particular Windows memory image.
windows.netstat.NetStatTraverses network tracking structures present in a particular Windows memory image.
windows.pslist.PsListLists the processes present in a particular Windows memory image.
windows.psscan.PsScanScans for processes present in a particular Windows memory image.
windows.pstree.PsTreeLists processes in a tree based on their parent process ID.
windows.registry.hivelist.HiveListLists the registry hives present in a particular memory image.
windows.registry.hivescan.HiveScanScans for registry hives present in a particular Windows memory image.
windows.registry.printkey.PrintKeyLists the registry keys under a hive or specific key value.
windows.registry.userassist.UserAssistPrints UserAssist registry keys and information.
windows.sessions.SessionsLists processes with session information extracted from environmental variables.
windows.skeleton\_key\_check.Skeleton\_Key\_CheckLooks for signs of Skeleton Key malware.
## EVTXtract This tool recovers and reconstructs fragments of EVTX log files from raw binary data, including unallocated space and memory images. The use case of this tool is when the challenge creator ask us to find something in the event log, but all he/she gives is a mem dump. Download: ### Usage It's quite hard to read the XML output, you might need CTRL+F with context of the incident.
--- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the \`ask\` query parameter, and the optional \`goal\` query parameter: \`\`\` GET https://fareedfauzi.gitbook.io/ctf-training/forensic/memory-dump-analysis.md?ask=&goal= \`\`\` \`ask\` is the immediate question: it should be specific, self-contained, and written in natural language. \`goal\` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fareedfauzi.gitbook.io/ctf-training/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fareedfauzi.gitbook.io/ctf-training/forensic/kape-triage.md). # KAPE Triage KAPE (Kroll Artifact Parser and Extractor) is a tool used in digital forensics for quickly collecting and processing data from target systems. Files often being extracted: 1. Event logs 2. Registry 3. MFT UsnJrnl 4. Win10 Timeline 5. SRUM 6. BAM/DAM 7. Prefetch 8. Jumplist 9. Browser history Please refer: --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the \`ask\` query parameter, and the optional \`goal\` query parameter: \`\`\` GET https://fareedfauzi.gitbook.io/ctf-training/forensic/kape-triage.md?ask=&goal= \`\`\` \`ask\` is the immediate question: it should be specific, self-contained, and written in natural language. \`goal\` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections. --- # Introduction | CTF Training For the complete documentation index, see [llms.txt](https://fareedfauzi.gitbook.io/ctf-training/llms.txt) . This page is also available as [Markdown](https://fareedfauzi.gitbook.io/ctf-training/forensic/introduction.md) . [](https://fareedfauzi.gitbook.io/ctf-training/forensic#useful-cheatsheet) Useful cheatsheet ------------------------------------------------------------------------------------------------- 1. [https://fareedfauzi.github.io/2023/12/22/Windows-Forensics-checklist-cheatsheet.html](https://fareedfauzi.github.io/2023/12/22/Windows-Forensics-checklist-cheatsheet.html) 2. [https://fareedfauzi.github.io/2024/03/29/Linux-Forensics-cheatsheet.html](https://fareedfauzi.github.io/2024/03/29/Linux-Forensics-cheatsheet.html) For most of the logical forensic question, they will ask you to find Indicator of Compromises (IOCs), timestamp, filename, registry and etc. that relate to that incident. Flags could be include of: 1. URLs 2. IP Address 3. Filename 4. Registry 5. Username 6. Domain name 7. Timestamp 8. Process information 9. Command executed 10. Hash 11. Password 12. And many more! Beside that, several CTF might embed a full word of flag such as "FLAG{This\_Is\_The\_Flag}". But this way much easier for participant to just _strings_ and _grep_ the keyword, which makes challenge creator encoded the strings such as using base64 or encrypt it using encryption algorithm to avoid direct flag being discovered by _strings_ command. So, it depend on the challenge creator itself. [](https://fareedfauzi.gitbook.io/ctf-training/forensic#artifacts) Artifacts --------------------------------------------------------------------------------- In the forensics industry, we have a lot type of artifacts. While in CTF, the organizer likely will supposedly gives: 1. E01 file 2. KAPE Triage file such as Registry, Prefetch, SRUDB.dat 3. Memory dump 4. Log file [](https://fareedfauzi.gitbook.io/ctf-training/forensic#things-to-do-during-ctf) Things to do during CTF ------------------------------------------------------------------------------------------------------------- 1. Prepare a right tool and knowing how to use it 2. Having a knowledge about the given artifacts 3. Do quick analysis and find the flag [](https://fareedfauzi.gitbook.io/ctf-training/forensic#forensics-tools-for-ctf) Forensics tools for CTF ------------------------------------------------------------------------------------------------------------- Initial analysis * File command, TRiD * Strings, FLOSS * base64dump, XORSearch Disk image * Autopsy * FTK Imager * Arsenal Image Mounter * mount command (Linux) KAPE extracted files * Eric Zimmerman Memory dump * MemProcFS * Volatility3 and Volatily Workbench * Evtxtract Registry * Regripper * Registry Explorer Event logs * Event log Explorer * Log scanner such as Hayabusa Browser files * DBBrowser Other artifacts * WMI Forensics * BMC Tools * USB Detective * SRUM dump [PreviousIntroduction](https://fareedfauzi.gitbook.io/ctf-training) [NextKAPE Triage](https://fareedfauzi.gitbook.io/ctf-training/forensic/kape-triage) Last updated 1 year ago --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fareedfauzi.gitbook.io/ctf-training/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fareedfauzi.gitbook.io/ctf-training/forensic/introduction.md). # Introduction ## Useful cheatsheet 1. 2. For most of the logical forensic question, they will ask you to find Indicator of Compromises (IOCs), timestamp, filename, registry and etc. that relate to that incident. Flags could be include of: 1. URLs 2. IP Address 3. Filename 4. Registry 5. Username 6. Domain name 7. Timestamp 8. Process information 9. Command executed 10. Hash 11. Password 12. And many more! Beside that, several CTF might embed a full word of flag such as "FLAG{This\\\_Is\\\_The\\\_Flag}". But this way much easier for participant to just \*strings\* and \*grep\* the keyword, which makes challenge creator encoded the strings such as using base64 or encrypt it using encryption algorithm to avoid direct flag being discovered by \*strings\* command. So, it depend on the challenge creator itself. ## Artifacts In the forensics industry, we have a lot type of artifacts. While in CTF, the organizer likely will supposedly gives: 1. E01 file 2. KAPE Triage file such as Registry, Prefetch, SRUDB.dat 3. Memory dump 4. Log file ## Things to do during CTF 1. Prepare a right tool and knowing how to use it 2. Having a knowledge about the given artifacts 3. Do quick analysis and find the flag ## Forensics tools for CTF | Initial analysis |
  • File command, TRiD
  • Strings, FLOSS
  • base64dump, XORSearch
| | -------------------- | -------------------------------------------------------------------------------------------------------- | | Disk image |
  • Autopsy
  • FTK Imager
  • Arsenal Image Mounter
  • mount command (Linux)
| | KAPE extracted files |
  • Eric Zimmerman
| | Memory dump |
  • MemProcFS
  • Volatility3 and Volatily Workbench
  • Evtxtract
| | Registry |
  • Regripper
  • Registry Explorer
| | Event logs |
  • Event log Explorer
  • Log scanner such as Hayabusa
| | Browser files |
  • DBBrowser
| | Other artifacts |
  • WMI Forensics
  • BMC Tools
  • USB Detective
  • SRUM dump

| --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the \`ask\` query parameter, and the optional \`goal\` query parameter: \`\`\` GET https://fareedfauzi.gitbook.io/ctf-training/forensic/introduction.md?ask=&goal= \`\`\` \`ask\` is the immediate question: it should be specific, self-contained, and written in natural language. \`goal\` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fareedfauzi.gitbook.io/ctf-training/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fareedfauzi.gitbook.io/ctf-training/forensic/kape-triage/event-log-analysis.md). # Event Log Analysis ## Event logs Records events that occur on a Windows operating system. It's critical source of information for \* Investigating security incidents, \* Identifying malicious/susp activities \* Understanding system events Logs doesn’t lie! But it can be clear/delete by the Threat actor... Event logs is located at C:\\Windows\\System32\\winevt\\Logs ## Save time Read and investigate the event logs from A-Z is time consuming for CTF. So, we use automate scanner such as Hayabusa to scan the event logs and parse the result. ## Hayabusa Hayabusa (隼) is a sigma-based threat hunting and fast forensics timeline generator for Windows event logs. \`\`\`powershell hayabusa.exe update-rules hayabusa.exe csv-timeline -d C:\\Users\\training\\Desktop\\C\\Windows\\System32\\winevt\\logs -p verbose -o ..\\results.csv \`\`\`
Then open the the \*results.csv\* in Timeline Explorer
## Event Log Explorer Manually, use event log explorer to manually analyze the event logs Please refer: --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the \`ask\` query parameter, and the optional \`goal\` query parameter: \`\`\` GET https://fareedfauzi.gitbook.io/ctf-training/forensic/kape-triage/event-log-analysis.md?ask=&goal= \`\`\` \`ask\` is the immediate question: it should be specific, self-contained, and written in natural language. \`goal\` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections. --- # Unknown \> For the complete documentation index, see \[llms.txt\](https://fareedfauzi.gitbook.io/ctf-training/llms.txt). Markdown versions of documentation pages are available by appending \`.md\` to page URLs; this page is available as \[Markdown\](https://fareedfauzi.gitbook.io/ctf-training/forensic/kape-triage/registry-analysis.md). # Registry Analysis ## What is registry Registry is a hierarchical database that serves as a central repository for 1. Configuration settings 2. Information about the software, hardware, and user preferences In perspective of attacker, registry can be abuse to: \* Setup persistence \* Modify config such as WDigest \* Disable WinDefender \* Privilege Escalation \* User Account Manipulation \* And many more () ## Registry hives explained | Registry hives | Description | | --------------------- | ------------------------------------------------------------------------------------------------ | | HKEY\\\_CLASSES\\\_ROOT | A symbolic link to HKLM\\SOFTWARE\\Classes | | HKEY\\\_CURRENT\\\_USER | A symbolic link to the part of HKEY\\\_USERS representing the currently logged in user's profile. | | HKEY\\\_LOCAL\\\_MACHINE | Contains information about all the installed hardware and software. | | HKEY\\\_USERS | Contains preferences for each of the user profiles on the machine | | HKEY\\\_CURRENT\\\_CONFIG | Symbolic link that points to the part in HKLM that applies to the current hardware configuration | ## Registry structure
## Registry artifact location | System registry | Current user registry | | -------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------ | |
  • %WinDir%\\System32\\Config\\\*
  • %WinDir%\\appcompat\\Programs\\AMCACHE.hve
|

  • C:\\Users\\<username>\\NTUSER.dat
  • C:\\Users\\<username>\\AppData\\Local\\Microsoft\\Windows\\USRCLASS.DAT
| ## Using Registry Explorer
Please refer: --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the \`ask\` query parameter, and the optional \`goal\` query parameter: \`\`\` GET https://fareedfauzi.gitbook.io/ctf-training/forensic/kape-triage/registry-analysis.md?ask=&goal= \`\`\` \`ask\` is the immediate question: it should be specific, self-contained, and written in natural language. \`goal\` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections. ---