# Forensic

<table><thead><tr><th width="347">Challenge</th><th>Link</th></tr></thead><tbody><tr><td>industrialspy</td><td><a href="#industrialspy">Here</a></td></tr><tr><td>E2EBleed</td><td><a href="#e2ebleed">Here</a></td></tr></tbody></table>

## industrialspy

### Description

\-

### Solution

We are given a memory dump; use Volatility to list the processes that were running at capture time.

```bash
python3 vol.py -f ~/ctf/compfest/industrial/lyubov_20230712.mem windows.pslist
```

<figure><img src="https://lh7-us.googleusercontent.com/ajFqJ5YTmS1FbVa_rahaLOEzenpmypOLmngUYD4sXJTiqmt8nTK62rw7X7XJiQAQt2IggGwKJE5inX4PjxhrldydP9n4ExNsqp4OEIFwkWnTA4bKFwYU5zN6Y3C7KQ-t2ssJ2598ezY4JE4BNYMEUQ8" alt=""><figcaption></figcaption></figure>

By the time we worked on this there were already two hints, and one of them pointed at mspaint.exe, so we dumped the memory of the mspaint.exe process (PID 1320 in the process list).

```bash
python3 vol.py -f ~/ctf/compfest/industrial/lyubov_20230712.mem -o ./compfest_dump/ windows.memmap.Memmap --pid 1320 --dump
```

From this reference <https://ctftime.org/writeup/23198> we learned that the dump can be loaded into GIMP by opening it as raw image data. We used the offset from hint 1 and brute-forced the width by hand. Here we tried switching the image type to RGB Alpha and eventually found the width that lines up: 1020.

<figure><img src="https://lh7-us.googleusercontent.com/Aik7MrPNpcUj4IISdN4WMZJRhQuBIfnlNOFg2uM0f-x-Lne2yEi_qvy-ioGeR5EP4HGiOltSKbj7Cw7lOc0m8MRqcNXWYT3hMS1k-gxDJ25WZC77r9ksPK-9yVU7bE4lmS0XuM59vq_JNat41GOHpvk" alt=""><figcaption></figcaption></figure>

Because the colours looked slightly off, we shifted the offset a little and found the correct one.

<figure><img src="https://lh7-us.googleusercontent.com/xQInjaVcYGSuBNPo_B-bu3jCG3EbaRT5IZMI8Q9hw6VD6zOp4ElNONAmE14EtkWXnnSJe8XfNUqXPe5c77t7dyN8nwxwmAgDWWlVI3gYtBYyfGr4hkLW6BbeIYGrIwEFRsYnLa3O7p1J8w4k-TlUtGI" alt=""><figcaption></figcaption></figure>

Finally, rotate the image and the flag becomes readable.

<figure><img src="https://lh7-us.googleusercontent.com/GTRyrlRzutmk_zV7ih-rm_4kOBSdXeP2-G35aawLQH3epMaiSLwjUV0w6Q9A3MtdE2zod9u3IdqZCSd5HulBFKsXjaCUAv51rGW9FSFXlVNc_AlV-yTJ9r68v7rS4RyCk4cMU1rdd6O0My6BObhJL4A" alt=""><figcaption></figcaption></figure>
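Brute-forcing the width by hand in GIMP works, but the same search can be scripted. The following is an added example, not part of the original writeup: a stdlib-only Python script that takes the process dump written by `windows.memmap`, the offset from the hint and a range of candidate widths, scores each width by how similar vertically adjacent rows are (at the correct stride, neighbouring scanlines of a real picture are nearly identical, while at a wrong stride they are shifted copies of each other and differ sharply), and writes the best candidates out as PPM files that any image viewer opens. The dump file name, the offset, the width range and the synthetic test image are assumptions; 4 bytes per pixel matches the RGB Alpha type that worked here.

```python
"""Rank candidate widths for a raw RGBA framebuffer carved out of a memory dump."""
import os
import tempfile

BYTES_PER_PIXEL = 4  # RGBA, i.e. the "RGB Alpha" image type in GIMP's raw import dialog


def rows_at(dump, offset, width, height, bpp=BYTES_PER_PIXEL):
    """Slice `height` scanlines of `width` pixels out of `dump` starting at `offset`."""
    stride = width * bpp
    if offset + stride * height > len(dump):
        raise ValueError("region runs past the end of the dump")
    return [dump[offset + i * stride:offset + (i + 1) * stride] for i in range(height)]


def row_similarity_score(rows):
    """Mean absolute difference between vertically adjacent bytes (lower is better)."""
    total = count = 0
    for above, below in zip(rows, rows[1:]):
        total += sum(abs(a - b) for a, b in zip(above, below))
        count += len(above)
    return total / count if count else float("inf")


def rank_widths(dump, offset, widths, height):
    """Return [(width, score), ...] sorted best first; widths that overrun the dump are skipped."""
    scored = []
    for w in widths:
        try:
            scored.append((w, row_similarity_score(rows_at(dump, offset, w, height))))
        except ValueError:
            continue
    return sorted(scored, key=lambda ws: ws[1])


def write_ppm(path, dump, offset, width, height):
    """Write the region as a binary PPM (alpha dropped) and return the file size in bytes."""
    with open(path, "wb") as f:
        f.write(b"P6\n%d %d\n255\n" % (width, height))
        for row in rows_at(dump, offset, width, height):
            f.write(b"".join(row[i:i + 3] for i in range(0, len(row), BYTES_PER_PIXEL)))
    return os.path.getsize(path)


def write_candidates(dump, offset, widths, height, out_dir=None, top=3):
    """Score every width and save the `top` best as PPM files; returns [(width, score, path)]."""
    out_dir = out_dir or tempfile.mkdtemp(prefix="carve_")
    results = []
    for w, score in rank_widths(dump, offset, widths, height)[:top]:
        path = os.path.join(out_dir, "candidate_w%d.ppm" % w)
        write_ppm(path, dump, offset, w, height)
        results.append((w, score, path))
    return results


def make_synthetic_dump(width, height, offset):
    """Constructed test input (not from the challenge): junk bytes, then an RGBA image with
    high-frequency vertical stripes and a slow vertical gradient, then more junk."""
    junk = bytes((i * 131) & 0xFF for i in range(offset))
    pixels = bytearray()
    for y in range(height):
        for x in range(width):
            pixels += bytes(((x * 53) & 0xFF, (x * 97) & 0xFF, y & 0xFF, 0xFF))
    return junk + bytes(pixels) + junk


if __name__ == "__main__":
    # Assumed: the memmap dump of PID 1320 and the offset taken from hint 1.
    DUMP_PATH = "compfest_dump/pid.1320.dmp"
    HINT_OFFSET = 0x0  # replace with the real offset from the hint
    with open(DUMP_PATH, "rb") as fh:
        dump = fh.read()
    # 16 rows are enough to separate the right stride from the wrong ones; this is pure
    # Python, so a range of a few hundred widths takes tens of seconds.
    for w, score, path in write_candidates(dump, HINT_OFFSET, range(600, 1400), 16):
        print("width %4d  score %6.2f  -> %s" % (w, score, path))
```

The score is a heuristic: a picture dominated by vertical stripes, or a region that is not a framebuffer at all, can fool it, so treat the ranking as a shortlist to eyeball rather than an answer. Once the width is right, a wrong offset shows up as the colour shift seen above; rescoring with the offset stepped by one to three bytes locates the true start of the pixel data the same way.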

Flag : COMPFEST15{m0D3rn\_D4y\_5p1es\_cb06cc3651}

## E2EBleed

### Description

\-

### Solution

We were given a pcap file and the source code of a website. One of our teammates noted that the encryption happens in the frontend, so the easiest approach is to deploy the site and debug the JavaScript in the browser.

<figure><img src="https://lh7-us.googleusercontent.com/y5Tb5PHZfD0_OnkyZoLTheweVPI8k_CoVq_TbltyJhsAht1mYNVaRdN9PmHD9F9pkNQRIXKfE-D8W7LeoDVrnBPgmD-AEP-lIOQxhlu11svYyWOiqT_l4PzyvHPBfrWpdogFCMN906Td3oNlxWFzi-Q" alt=""><figcaption></figcaption></figure>

Stepping through the lines of code above shows that it is an implementation of the RSA algorithm. The next step is to find the modulus and one of its factors in the captured traffic: the `init` message type carries the modulus, and the prime is generated by the `/prime/{length}` endpoint. We then opened the pcap; we were stuck for a while because the WebSocket payloads are masked and cannot be read directly, but it turns out Wireshark already unmasks them and shows them under Line-based text data.

<figure><img src="https://lh7-us.googleusercontent.com/zGFfEua63fl-uY5Kb85Mcd9g72NTskftHWFweTrM19KGGrQZcYWHhJm_7rT4uT3MMAqUmhEAmzod6DI42gJEpdF1cBmA3j29XngM2q2rouY_ougwPwIBD6ApsOOFyqLYYPpxHzhBZg-Kdn2uDRI2o-M" alt=""><figcaption></figcaption></figure>

<figure><img src="https://lh7-us.googleusercontent.com/tzQ_r55-Bdltz0SFxRDdiF7PtIhxDAQxSXaF9_wIw-FoLnusyPhwl9Ih2wTV7pixcJMR-x12tKXvt9A2fgHv7j4kXt9575_GnsZ9dUi2bevNJUyUVsSK8xT78sl1ACqgH02z_fkvxzi2rMKmKmqGlz4" alt=""><figcaption></figcaption></figure>

<figure><img src="https://lh7-us.googleusercontent.com/ie0IFoh1y0qu8HBw46ZEkLJrioRRP6aAyVeS-q-obreahuDcGQqw33GgNbrGOhVcrZQ_Dh1i1E01VRE890sh5AjB9HZXdjQ43OW1sJ7EffErgTZQD3OthCMNkLLVrmrJauWMMouNu9mMEZvXQf7eF9g" alt=""><figcaption></figcaption></figure>
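The flag text says it: this is not how you exchange keys. As an added example, not code from the challenge or from the original writeup, the following stdlib-only Python models the exchange visible in the capture: a toy server hands out one prime over `/prime/{length}`, the client generates the other prime and publishes `n` and `e` in an `init` frame, and a peer sends RSA-encrypted messages. Every frame an on-path observer sees is appended to a `wire` list. `eavesdrop()` recovers every message from the wire alone, which is what the solution below does from the pcap, and a second variant in which the client generates both primes locally shows the same observer failing. The frame layout, the message text, 256-bit primes, the seeded RNG and the big-endian, unpadded message encoding are all assumptions of the toy.

```python
"""Model of the E2EBleed key "exchange": one RSA prime fetched from the server in the clear."""
import math
import random

E = 65537  # public exponent, as in the frontend code


def is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin primality test driven by the supplied RNG."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits, rng):
    """Random odd `bits`-bit candidate with the top bit set, retried until Miller-Rabin passes."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng):
            return cand


def private_exponent(p, q, e=E):
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e is not invertible modulo phi")
    return pow(e, -1, phi)


def encrypt(msg, n, e=E):
    """Textbook RSA on the big-endian integer of `msg` (toy: no padding)."""
    m = int.from_bytes(msg, "big")
    if m >= n:
        raise ValueError("message too long for the modulus")
    return pow(m, e, n)


def decrypt(c, d, n):
    m = pow(c, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def _keypair(rng, bits, leak_to):
    """p comes from the server, q from the client; if `leak_to` is a list, p crosses the wire."""
    while True:
        p, q = gen_prime(bits, rng), gen_prime(bits, rng)
        try:
            d = private_exponent(p, q)
        except ValueError:  # e not invertible, extremely rare: draw fresh primes
            continue
        if leak_to is not None:
            leak_to.append({"http": "GET /prime/%d" % bits, "response": str(p)})
        return p * q, d


def _session(wire, n, d, secret):
    """Publish the public key, then send one encrypted message; the recipient can still read it."""
    wire.append({"type": "init", "data": {"n": str(n), "e": E}})
    wire.append({"type": "message", "data": {"message": str(encrypt(secret, n))}})
    assert decrypt(int(wire[-1]["data"]["message"]), d, n) == secret


def leaky_exchange(seed=1, bits=256, secret=b"meet at the usual place at nine"):
    """The challenge's design: the client fetches p from /prime/{length} over the network."""
    rng, wire = random.Random(seed), []
    n, d = _keypair(rng, bits, leak_to=wire)
    _session(wire, n, d, secret)
    return wire, secret


def local_keygen_exchange(seed=2, bits=256, secret=b"meet at the usual place at nine"):
    """The fix: both primes are generated on the client; only n and e are ever transmitted."""
    rng, wire = random.Random(seed), []
    n, d = _keypair(rng, bits, leak_to=None)
    _session(wire, n, d, secret)
    return wire, secret


def eavesdrop(wire):
    """Passive observer: pair any leaked prime with the published modulus, derive d, decrypt all.
    Returns the recovered plaintexts, or None when no observed prime divides n."""
    init = next((f for f in wire if f.get("type") == "init"), None)
    if init is None:
        return None
    n, e = int(init["data"]["n"]), init["data"]["e"]
    for frame in wire:
        if not frame.get("http", "").startswith("GET /prime/"):
            continue
        p = int(frame["response"])
        if n % p == 0:  # the captured prime is a factor of n, exactly as in the pcap
            d = private_exponent(p, n // p, e)
            return [decrypt(int(f["data"]["message"]), d, n) for f in wire if f.get("type") == "message"]
    return None
```

The point the toy makes is that RSA's security rests on nobody but the key owner ever seeing a factor of `n`; a server that generates one prime on behalf of the client has to send it somewhere, and anyone who can read that response (the pcap here, or the server operator itself) owns the private key. Generating the whole key pair locally removes the leak in this model, though a real deployment would still need authenticated public keys and padded encryption, neither of which the toy attempts.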

All that remains is to collect the captured values, derive the private key and decrypt the messages to get the flag.

```python
from Crypto.Util.number import inverse, long_to_bytes

# p: the prime handed out by the /prime/{length} endpoint; n: the modulus from the init frame.
p = 172469508628365404723321882828991196387481476537345092348616880359100074055988026998233608818404937910951695962582391514589981721539458320457685737847180767582249264731043268641435667506519083684687761535773456655207009978508553938721724075333909835645792223374403518406927391386894446845517160112156225955999
n = 29116566394151601664610069303747715855356214872963782920725074996047493096331676476821431269056879517823568772536760855620490099049527544187171971509815862258155490313925620884484686048228786130101120541047448887611117692445172587770626218247199123180730416521425181400941752015331410376003413756444127437320157959024490402548889859439942842331583156654429139341276215645481654587492807690300712464491524456421320753644630010989754029779101002723502469769594340720717444312470173187521567316632892142551636626491085320470170088955843101437623634822355706540812434214777107783270133737738593144570052255451657875507161
assert n % p == 0, "captured prime is not a factor of the modulus"
q = n // p

# WebSocket "message" frames as shown by Wireshark under Line-based text data.
data = [
	{"type":"message","data":{"fromUsername":"dog","targetUsername":"cat","id":"1683723702544","message":"16933447801662887870119852964720377371216954236996294857522399514142220176045378344738146138733100548812257897014534848650889491467448362192329273360236484348801690459092180048470789992655291351302766527578738070791532834887681820306189934779637424314357501765123205814099132609193437446089222873579644173104090433269801585098035940593417073925395769244039356918644715319572646683354168308115669968966384404347751099910607894607160218826888832323461447566154986141870133114538920510186606705284197209524630296392666454031050571246972371940387084374192885810368314689000121663675324662171827777550409137287586779946207"}},
	{"type":"message","data":{"fromUsername":"dog","targetUsername":"cat","id":"1683723717540","message":"10759128040934552042330786494370327220310465059734557898106426331483384830774920336881694650021739126051532987868928905834271147376891588229711327684800756118023383193867685250019004287402817203186963073672891663169513145871702063603274910180719885920127166647290634283739777349734647905660856976604787612364350510676426675286908932002135297592854551444577259164819757572360981045150564221028595978057067116221396935181697784078425081251023548434313448271048847767462228719784714758256760576949454573775282064370613783424874483411040327531091225486701249588418067535704762179229313716213259035758503944320096714371661"}},
	{"type":"message","data":{"fromUsername":"dog","targetUsername":"cat","id":"1683723743384","message":"21908299165625487770286388235676085807884847742262423161189177254276402337046304962174103671926712120304527421591622642866625195421444134966777822323177401724812053209838398588501225805462129451675120186915801138065156265702972050521853386950319039998014278005943680821003666503440205985288054452409895267795199593744952018467226347186185303886111152783734464462949392140281170903976400190056517734521424032901526770175378215336375802508329940657650323184132480480104942805834958585303773694418149095751481553892786728569636580557523505699601888655592139396764781180565254778012222461909764637435174024070076080875146"}},
	{"type":"message","data":{"fromUsername":"cat","targetUsername":"dog","id":"1683723693610","message":"3632788507148418529006889428869509656171243977620777623836618098235067706406455819243260342510654641547826983820249206673371372405174301817890630379259560058154980219102840844686260891870851655086710376648028635295977838211968649366271647704803259995356450460574318092206072387537473146741532828614488389751974847179773056679530512909887228507125822467511394900688261278684332004668391970327129899997286663422204343056817218410799196493142321104990247950636710633848543188071375233382773256889006697199044306306135152240195138979985706109188782609936829672548798113942675440020154712082554264793361214829491439745400"}},
	{"type":"message","data":{"fromUsername":"cat","targetUsername":"dog","id":"1683723707949","message":"9599108131523778421374362891273568649618184093689084607921321519503819987919933805465983451365024391613480401981869613083940483359139198432038816054049265280605959383245340714626780022696898655742363609825802343767022416846356323862393565961553488760191186025066541840931393687512486667984580931956769240450448178766352166016028386363769231176672706784161283428411842123387267023143148303548157986820524405510795366579159497001142776142947759625144041575436972883554870097557284595061136227828668517158233557971175799810347656002567102262258293270039883087246585945232821604527939387020762619239180451022384706110752"}},
	{"type":"message","data":{"fromUsername":"cat","targetUsername":"dog","id":"1683723726353","message":"5033094523853792311852529456179811557880524393434955476383808045012363675028085818748407982394679097737723510974587340376427824483087992807450120892677933709297473091410826535810945147011005409663552125957642362082722215534163728776340054000338326508924181405813418197405079773684319880521492485156104940642422517214754611547573223005178352525299403358263133689986579133647338995863524700363470809591952237979583941212950608644391306276114756045697072361203888512001837895143699272947674460909599050727896812068998496172972448043291330268267599423978509079671845393225855181434714852657465321176595945760956505879259"}},
	{"type":"message","data":{"fromUsername":"cat","targetUsername":"dog","id":"1683723750910","message":"28926904137924643820811591921240098398801453121742466005662652665980263444398795681002113884957220908051376607534072826419070056198247627973801589890878346131182633113391705206455447814090191637546426445645829337651393586263747905697036342245722565796948884985251717558995396325259939855751159033934367193815799009117093019573244791138143818152885108870164251642743402055853433825533879346170540535652341811951465935232104230435726873287392942520477596529379660374838971014292306284493198696485808573861062027594509799398140390848058311660163660737465577118503520203377160031812000941458697841435071639019930031711708"}}
]

phi = (p - 1) * (q - 1)
d = inverse(0x10001, phi)  # e = 65537, the public exponent used by the frontend RSA code
for frame in data:
    c = int(frame['data']['message'])
    # the decrypted bytes come out reversed, so flip them before printing
    print(long_to_bytes(pow(c, d, n))[::-1])
```

<figure><img src="https://lh7-us.googleusercontent.com/QbHr72Vo289zdy8MEIKxHyMbrX5SVoYy9BcNy0SsaXQUHoptQqqqGn5qeFRgESzIB-Gk5a1S3LXdGp4Ud95--eyzFyPu4AiVXSc9yKdbN2wDYNqgUaAz_cfV-I1PaxfrvJRbmg1Ah5zKlBB4d7n5R7E" alt=""><figcaption></figcaption></figure>

Flag : COMPFEST15{tH4T5\_n0T\_H0w\_y0u\_3XchAnGe\_KeYS!!}

