📗 CTF Writeup
BelkaCTF6 2024 Writeup
date
Apr 7, 2024
slug
belka624-plzentertext
author
status
Public
tags
BelkaCTF
Digital Forensics
CTF
summary
I managed to get 48th out of 230 professional and student players, and ranked 12th among student players in the BelkaCTF6 by Belkasoft. Here is the writeup for it :D
type
Post
category
📗 CTF Writeup
updatedAt
May 30, 2025 07:31 AM
BELKACTF IS FINALLY BACK WOOT WOOT! I really really missed this CTF since it was how I got introduced to digital forensics and also where it all started, so was looking forward to it for a long while 😂 I managed to get 48th out of 230 professional and student players this time and 12th among student players, but one day I’ll get to Top 10 :’)
Anyhow, this was my attempt at writing my own writeup for the CTF, before I have a glimpse into the official one 👀 So here we go!
Huge thanks to Yuri Gubanov, the Belkasoft team, and the TO:DO Security Team for this awesome CTF! The flow, questions, and storyline were super nice and I definitely enjoyed it!🔥
Solved questions are marked with ✅, and unsolved ones are marked with ❌
For unsolved questions, I’ll write out what I think the solution to the questions is (From a student perspective), so if it's wrong, I mean you can just look at the official one 😂 
✅ 1. What is the Apple ID used on the imaged iPhone?
iOSAccounts artifact > “Type of account” Apple ID > Username

✅ 2. What is the iPhone owner's full name?
By looking at the Telegram conversations, William was mentioned a few times (First name)
Full name was at: SMS artifact > Contacts > Properties
William Phorger
✅ 3. Which Telegram accounts did the owner discuss shady stuff with?
Just get every username from the.party Telegram groupchat:
@diddyflowers, @Sm00thOperat0r, @locknload771, @JesusStreeton1999
✅ 4. Where does William live?
Uber artifact had a home tag to state where he lived

38°35'23.8"N 90°19'31.2"W
✅ 5. What is the username of the laptop user?
I just looked at the file system: Users > phorger
phorger
✅ 6. What is the amount of William's first take in April?
This took me a while lol, so I found Capture2.png which was created on March 3 2024 in the path below while I was browsing the file system:

Tried browsing to the link mentioned, which was https://crbk.com.pa/account but to no avail, but I found a similar link in the browsing history which was https://crbk.org/account. The following entries mentioned that the user clicked on Forget password, so I did the same and got a temporary password :D 
To get a temporary password, all you need is the username of the user and their account number, which was already in Capture2.png so YAY
So the answer is definitely the new entry in the website (The “Last 10 transactions” in the website is different from the one in Capture2.png, which I will mention again later):
7012.39
❌ 7. Where did the gang go to celebrate their success together in March?
So based on the Telegram conversation, they went to eat somewhere on March 18th, and they added the bill split details to Splitwise:

So I was searching for Splitwise databases / application information but I couldn’t find it :’D
✅ 8. Which file does the guy keep his encrypted container in?
In the mounted device artifact, there were other drives available which are indicated by the different Alphabets:

So after a LOT of searching, I noticed that the label for the Y: drive was “Vault” (Very suspicious 👀):

Now I spent A LOT of time trying to find the location of the Y:\ drive, and after a LOT of searching, my brain decided, why not search for the name of the label instead? So I searched for “Vault”, and very interesting information popped out:

Now at this moment, I was like, in the Documents? But I already checked that! Now surprise surprise, IT WAS IN desktop.ini, which was the only file out of the rest that I did not click into 💀
So I spent an hour extracting this file by using the “Copy File to Folder” function and trying to get the ADS by doing Get-Item -path file_path -stream * on Windows, but the stream named vault.vhdx didn’t appear, so at the end I just viewed the ADS in hex, Ctrl + A, download, and saved the entire thing.
Now we got vault.vhdx, all you have to do is mount the thing! But wait, you need a password! But you have an option to just enter the Recovery key instead. Earlier, I found a BitLocker recovery file, so this information came in handy:
BitLocker recovery Identifier: 929983CA-5012-49E9-A194-4550C08C6127
Recovery key: 590238-514580-359986-088242-029766-319495-410509-636911
So now, the vault is mounted yahoo! 

C:\Users\phorger\Documents\desktop.ini:vault.vhdx
✅ 9. Which luxurious item did Phorger put his laundered money into?
Remember the Vault we just mounted? There is a file called spending.xlsx, so all you gotta do is just look at the most expensive item, and tadaaa:
Rolex Submariner Date 126619LB
❌ 10. Which concert were Phorger and his girlfriend planning to attend in May?
So you can see this conversation in the Telegram chat:

Hence my thought is that @diddyflowers deleted previous chat history regarding the vacation plans, but I can’t find anything related :’))
❌ 11. What's the name of the person who designed the print template for the bills?
There was one part in the Telegram conversation between @diddyflowers and @billthemegakill where Drew sent a design template in .psd:
Based on previous CTFs I played, I know that PSD files normally save the name of the owner in their metadata, but I couldn't extract the PSD document, and I couldn’t figure out how 🥲
❌ 12. Where is the makeshift lab where they printed the cash located?
I was pretty sure it was this location from Geofences: 

I mean, look at the picture from Google Maps:

But I copied the address below and submitted it, still to no avail :’) Tried out every other location I could find, but still nope
✅ 13. What is the precise moment their largest printing batch was completed?
So based on the conversation between @billthemegakill and the bot he created (@prochefbakerbot), I looked for the highest number, and got the timestamp:

(Some previous context is that @billthemegakill mentioned in the group chat that this bot was for printing bills)
2024-04-02 10:44:30 PM
✅ 14. What's the printer model they used to print money?
There were A LOT of red herrings for this one, so I’ll save you the trouble and tell you which one is the direct answer. You can check the previous connected USB devices, and check the one for printing:

Then by searching for the hardware ID online, you will get the answer:
https://members.driverguide.com/driver/device.php?hwid=USB\Vid_03f0%26Pid_042a%26Rev_0100%26MI_00
HP LaserJet M1132
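The hardware ID used for the lookup above has a fixed structure that is worth knowing before you paste it into a search engine: VID_ is the USB vendor ID assigned by the USB-IF, PID_ is the vendor's product ID, REV_ is the device revision, and MI_ is the interface number of a composite device (a printer that also exposes a scanner interface, for example). The parser below is an added example and not part of the writeup; it splits both the raw form and the URL-encoded form (with & as %26) seen in the driver-lookup URL, and the vendor table it consults is a constructed one-entry lookup (0x03f0 is HP's registered vendor ID).

```python
import re
from urllib.parse import unquote

# Constructed lookup with a single entry. 0x03f0 is the USB-IF vendor ID
# registered to HP; any other vendor resolves to None here.
KNOWN_VENDORS = {0x03F0: "HP (Hewlett-Packard)"}

# Windows hardware IDs for USB devices look like
#   USB\VID_03F0&PID_042A&REV_0100&MI_00
# REV_ and MI_ are optional; the same form appears under the
# SYSTEM hive's Enum\USB keys that forensic tools parse.
_HWID_RE = re.compile(
    r"USB\\VID_(?P<vid>[0-9A-F]{4})&PID_(?P<pid>[0-9A-F]{4})"
    r"(?:&REV_(?P<rev>[0-9A-F]{4}))?(?:&MI_(?P<mi>[0-9A-F]{2}))?",
    re.IGNORECASE,
)


def parse_usb_hwid(hwid: str) -> dict:
    """Split a Windows USB hardware ID into its numeric fields.

    Accepts the raw form and the URL-encoded form (& written as %26).
    Raises ValueError for anything that is not a USB hardware ID.
    """
    match = _HWID_RE.search(unquote(hwid))
    if not match:
        raise ValueError(f"not a USB hardware ID: {hwid!r}")
    vid = int(match["vid"], 16)
    pid = int(match["pid"], 16)
    return {
        "vid": vid,
        "pid": pid,
        # bcdDevice as it appears in the ID, e.g. "0100" means revision 1.00
        "rev": match["rev"].upper() if match["rev"] else None,
        # Interface number; only present for composite (multi-function) devices
        "interface": int(match["mi"], 16) if match["mi"] else None,
        "vendor": KNOWN_VENDORS.get(vid),
    }


def describe_usb_hwid(hwid: str) -> str:
    """One-line summary suitable for a triage report."""
    f = parse_usb_hwid(hwid)
    vendor = f["vendor"] or "unknown vendor"
    iface = "" if f["interface"] is None else f", interface {f['interface']}"
    return f"VID 0x{f['vid']:04x} ({vendor}), PID 0x{f['pid']:04x}, rev {f['rev']}{iface}"


if __name__ == "__main__":
    # The hardware ID quoted in the writeup, in its URL-encoded form
    print(describe_usb_hwid("USB\\Vid_03f0%26Pid_042a%26Rev_0100%26MI_00"))
```

The vendor ID is the reliable part of the answer (it is assigned centrally), while the product ID only makes sense once you know the vendor, which is why looking the pair up together, as the writeup does, is the right move.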
❌ 15. Which ATM did Phorger test his bills on recently?
So this was the conversation that he went to test out his bills (Not going to lie, as someone who is not from US, I thought the “Chase” he meant was Chase ATMs, so I kept searching for Chase ATMs HAHAHAH It was only after a few hours that I realised he meant “Chase” as in the other user called Mr C 💀):

Side notes I had:
- Dude had com.apple.Maps on 3 April
- Uber ride had S Grand Blvd, 2245, Saint-Louis, MO, 63104 on 2 April, so I thought that he was going to go to a nearby ATM in this area
Entries I tried lol:
- Chase ATM on N Illinois St
- Chase ATM on S Main St
- Chase ATM on S Grand Blvd
- Chase ATM on Lindell Blvd
- Chase ATM on Page Blvd
- Chase ATM on Menard St
- Chase ATM on N Broadway
- Chase ATM on Chippewa St
- U.S. Bank ATM on S Grand Blvd / US Bank ATM on S Grand Blvd
- U.S. Bank ATM on Gravois Ave / US Bank ATM on Gravois Ave
- U.S. Bank ATM on Caroline St / US
- LibertyX Bitcoin ATM on Arsenal St
❌ 16. Who leaked the technical data on the bill validator to the gang?
I have 0 idea on how to proceed with this
❌ 17. Which offshore financial institution did the gang bank with?
Remember the credit card we found earlier? I wanted to use its BIN number to find out the financial institution, so I used this website to search (https://payspacemagazine.com/bin-card/), but the BIN didn't work. So I was stuck 😂 
(Now that I think about it, it’s kind of hard for a CTF to get an actual credit card number because that is A LOT of unnecessary work, so there is a super low chance that this method works, hence I think the number wasn’t supposed to be a legit credit card number)
A quick note on what the digits mean in a credit card that I got from online sources:

The 16-digit Primary Account Number (PAN) is made up of four components:
- Major industry identifier (MII): identifies the card network. American Express's MII is 3, Visa is 4, Mastercard is 5, and Discover is 6.
- Bank identification number (BIN): identifies who issued the card.
- Account identifier: identifies the individual account.
- Validator digit (checksum): Issuers put the first 15 digits into a formula called the Luhn Algorithm, which produces the validator digit.
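As an added example (not from the writeup), here is the structure above in code: a Luhn implementation that validates a PAN, recomputes its check digit, and splits a number into the components listed. Two caveats worth keeping in mind: the MII is simply the first digit of the BIN rather than a separate run of digits, and the BIN length is an assumption here (historically 6 digits, 8 under the newer ISO/IEC 7812 allocation), so it is a parameter. The 4111 1111 1111 1111 number used below is a widely published Visa test number, not an issued account, and a Luhn pass only says a number is well-formed, never that it exists or who issued it.

```python
import re


def luhn_sum(digits: str) -> int:
    """Luhn weighted sum. Walking from the right, every second digit is
    doubled (subtracting 9 if the result exceeds 9); all digits are added."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total


def luhn_valid(pan: str) -> bool:
    """True when the full number (including its check digit) passes Luhn."""
    return luhn_sum(pan) % 10 == 0


def luhn_check_digit(partial: str) -> int:
    """The validator digit an issuer would append to the first 15 digits.
    Appending a placeholder '0' keeps the doubling positions aligned."""
    return (10 - luhn_sum(partial + "0") % 10) % 10


def split_pan(pan: str, bin_length: int = 6) -> dict:
    """Break a PAN into MII, BIN, account identifier and check digit.

    bin_length is an assumption (6 or 8 depending on the issuer scheme).
    Spaces and hyphens are tolerated; anything else is rejected.
    """
    digits = re.sub(r"[\s-]", "", pan)
    if not digits.isdigit() or not 12 <= len(digits) <= 19:
        raise ValueError("PAN must consist of 12 to 19 digits")
    return {
        "mii": digits[0],                  # first digit, part of the BIN
        "bin": digits[:bin_length],        # issuer prefix used for BIN lookups
        "account": digits[bin_length:-1],  # individual account identifier
        "check_digit": digits[-1],
        "luhn_valid": luhn_valid(digits),
    }


if __name__ == "__main__":
    # Published Visa test number; constructed input, not a real account
    print(split_pan("4111 1111 1111 1111"))
    print("check digit for 411111111111111 ->", luhn_check_digit("411111111111111"))
```

If a BIN lookup fails on a number that does pass Luhn, the prefix is most likely unassigned (as the writeup suspects for the CTF card); if the number fails Luhn outright, a transcription error is the first thing to rule out, since Luhn catches every single-digit error and most adjacent transpositions.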
❌ 18. Paste Phorger's entire bank statement here, containing all his offshore transactions
Now remember the https://crbk.org/account website we found earlier? And also do you remember that both the website and the Capture2.png had different content? So the website actually has a function for you to download all transactions, but it needs an OTP! So, while searching through the large amount of pictures, I found this Google Authenticator picture:

Of course the OTP in the picture didn’t work, so I thought I had to follow the steps here to get the Google Authenticator key (So I could get the OTP on my Google Authenticator app): https://dpron.com/recovering-google-authenticator-keys-from-ios-backups/
It’s a great article by Dan Roncadin, do give it a read 👀
But anyways, I couldn’t find the Manifest.plist, so maybe this wasn’t the intended solution :/
Some Sidequests that I Ventured and Failed 😂
Sidequest 1
In one of the Telegram conversations:
Done! Congratulations on your new bot. You will find it at t.me/prochefbakerbot. You can now add a description, about section and profile picture for your bot, see /help for a list of commands. By the way, when you've finished creating your cool bot, ping our Bot Support if you want a better username for it. Just make sure the bot is fully operational before you do this.
Use this token to access the HTTP API:
6906797754:AAGMY4k5rHjZowgyjtlt84SvbrqbjBsO6jU
Keep your token secure and store it safely, it can be used by anyone to control your bot.
For a description of the Bot API, see this page: https://core.telegram.org/bots/api
Since there’s a Telegram Bot API, I tried sending a query over HTTPS in this format: https://api.telegram.org/bot<token>/METHOD_NAME 👀
https://api.telegram.org/6906797754:AAGMY4k5rHjZowgyjtlt84SvbrqbjBsO6jU/help
Welp. Didn’t work xD
Sidequest 2
In one of the Telegram conversations:
Yo, William, we got issues. One of ATMs is rejecting our cash. Jesus thinks it's on us. Can you check it out? Stubborn machine is on https://bit.ly/3VKt3er
So this link is broken, and I thought of looking into web archives, found nothing HAHAHAHA
Possible Things I Could Think Of to Proceed, But Didn’t Have Enough Time
- Running Recuva or similar tools on the mounted new container to check if there are any deleted files
- Look into the Python code for @prochefbakerbot, which was in the baker folder in the mounted new container
- Run the image files on Volatility and use some of their plugins (imageinfo was taking too much time so I gave up)
