The given data is a VMware VM image.
We started up the image and found a “flag” file on the Desktop. The task is to find the password of the flag file.
Why do they give a live VM? Is it impossible to solve this task without a Windows environment (e.g. a keylogger)?
We analyzed the MFT, evtx logs and scheduled tasks, and found the following facts.
- flag.7z and Hello.rar were transferred using VMware’s drag-and-drop function
- there is no reason to use a keylogger, because flag.7z was already encrypted when it arrived
- a suspicious description in
cmd /c "vssadmin > %userprofile%\m"
- according to
\Users\M\m was created at that moment
We got lost and wasted about a day.
Looking at Hello.rar with xxd after a while,
Zone.Identifier!!! We suspected there was an ADS (Alternate Data Stream).
Hello.rar, we found
This data seems to be a RAR file.
ADS have to be extracted on NTFS, so we used ADSManager.
There are more ADS.
We got a Word file from
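The two ADS observations above (a Zone.Identifier stream on Hello.rar, and another stream whose first bytes looked like a RAR archive) can be checked programmatically. The following Python script is an added example and is not part of the original writeup or of ADSManager: it parses the INI-style Zone.Identifier block Windows writes to downloaded files and identifies a stream’s container format from its leading magic bytes. The stream contents are constructed inline so it runs offline; on the real image the streams would be read from the NTFS file instead.

```python
"""Triage NTFS alternate data streams: decode Zone.Identifier and sniff archives.

Added example, not code from the original writeup. On Windows a named stream can be
read with open("C:\\evidence\\Hello.rar:streamname", "rb"); here the stream contents
are constructed inline so the script runs anywhere.
"""
from typing import Dict, Optional

# Leading magic bytes of the container formats that appear in this challenge
# (RAR, 7z, Word) plus ZIP, which is what a macro-enabled .docm really is.
SIGNATURES = [
    ("RAR5 archive", b"Rar!\x1a\x07\x01\x00"),
    ("RAR4 archive", b"Rar!\x1a\x07\x00"),
    ("7-Zip archive", b"7z\xbc\xaf\x27\x1c"),
    ("OLE compound document (legacy .doc/.xls)", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"),
    ("ZIP container (.docm/.xlsm/.zip)", b"PK\x03\x04"),
]

# URL security zones used by the ZoneId field of a Zone.Identifier stream.
ZONE_NAMES = {
    "0": "Local machine",
    "1": "Local intranet",
    "2": "Trusted sites",
    "3": "Internet",
    "4": "Restricted sites",
}


def sniff(data: bytes) -> Optional[str]:
    """Return a description of the container format, judged by the leading bytes."""
    for name, magic in SIGNATURES:
        if data.startswith(magic):
            return name
    return None


def parse_zone_identifier(data: bytes) -> Dict[str, str]:
    """Parse the [ZoneTransfer] section of a Zone.Identifier stream.

    Returns the key/value pairs found there (ZoneId, and optionally ReferrerUrl
    and HostUrl); an empty dict if the data contains no such section.
    """
    text = data.decode("utf-8", errors="replace")
    fields: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):
            in_section = line.lower() == "[zonetransfer]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    return fields


def triage_streams(streams: Dict[str, bytes]) -> Dict[str, str]:
    """Classify every named stream of one file.

    Keys are stream names, values are one-line findings for a triage report.
    """
    findings: Dict[str, str] = {}
    for name, data in streams.items():
        if name.lower() == "zone.identifier":
            zone = parse_zone_identifier(data).get("ZoneId")
            label = ZONE_NAMES.get(zone, "unknown")
            findings[name] = f"Zone.Identifier: zone {zone} ({label})"
            continue
        kind = sniff(data)
        if kind:
            findings[name] = f"{kind} hidden in ADS"
        else:
            findings[name] = f"unrecognised data ({len(data)} bytes)"
    return findings


# Constructed sample: one file carrying three named streams, mimicking the
# Hello.rar situation (a download marker plus two hidden payloads).
SAMPLE_STREAMS = {
    "Zone.Identifier": b"[ZoneTransfer]\r\nZoneId=3\r\n",
    "hidden1": b"Rar!\x1a\x07\x00" + b"\x00" * 16,
    "hidden2": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16,
}

if __name__ == "__main__":
    for stream, verdict in triage_streams(SAMPLE_STREAMS).items():
        print(f"{stream}: {verdict}")
```

A ZoneId of 3 means the file was marked as coming from the Internet zone, which is consistent with a file dropped in from outside the VM; the other two streams are flagged by their signatures rather than by their names, so a payload hidden under an innocuous stream name is still found.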
Opening this file with MS Word, we found a VBA macro! But the macro cannot be edited because it is password-protected.
We used olevba to extract the macro.
We rewrote the CTF() function in Python.
Taking install.log from the VM (
\Users\M\install.log) and executing this script, it said “No such file or directory ‘M’”. So we recovered ‘M’ using the description of the Tasks.
Executing the script, we got
We opened flag.7z with that password and got the flag.