📗 CTF Writeup

BelkaCTF6 2024 Writeup

date
Apr 7, 2024
slug
belka624-plzentertext
author
status
Public
tags
BelkaCTF
Digital Forensics
CTF
summary
I managed to get 48th out of 230 professional and student players, and ranked 12th among student players in the BelkaCTF6 by Belkasoft. Here is the writeup for it :D
type
Post
thumbnail
Screenshot 2024-04-08 015848.png
category
📗 CTF Writeup
updatedAt
Sep 21, 2024 05:54 PM
BELKACTF IS FINALLY BACK WOOT WOOT! I really really missed this CTF since it was how I got introduced to digital forensics and also where it all started, so I was looking forward to it for a long while 😂 I managed to get 48th out of 230 professional and student players this time and 12th among student players, but one day I’ll get to Top 10 :’)
 
Anyhow, this was my attempt at writing my own writeup for the CTF, before I have a glimpse into the official one 👀 So here we go!
 
Huge thanks to Yuri Gubanov, the Belkasoft team, and the TO:DO Security Team for this awesome CTF! The flow, questions, and storyline were super nice and I definitely enjoyed it!🔥
 
💡
Solved questions are marked with ✅, and unsolved ones are marked with ❌. For unsolved questions, I’ll write out what I think the solution is (from a student perspective), so if it's wrong, you can just look at the official one 😂


✅ 1. What is the Apple ID used on the imaged iPhone?

iOSAccounts artifact > “Type of account” Apple ID > Username
notion image

✅ 2. What is the iPhone owner's full name?

By looking at the Telegram conversations, William was mentioned a few times (First name)
Full name was at: SMS artifact > Contacts > Properties
William Phorger

✅ 3. Which Telegram accounts did the owner discuss shady stuff with?

Just get every username from the.party Telegram groupchat
@diddyflowers, @Sm00thOperat0r, @locknload771, @JesusStreeton1999

✅ 4. Where does William live?

Uber artifact had a home tag to state where he lived
notion image
38°35'23.8"N 90°19'31.2"W

✅ 5. What is the username of the laptop user?

I just looked at the file system: Users > phorger
phorger

✅ 6. What is the amount of William's first take in April?

This took me a while lol, so I found Capture2.png which was created on March 3 2024 in the path below while I was browsing the file system:
notion image
PAB = Panama Balboa = Official currency for Panama
Tried browsing to the link mentioned, https://crbk.com.pa/account, but to no avail. However, I found a similar link in the browsing history, https://crbk.org/account. The following entries showed that the user clicked on Forget password, so I did the same and got a temporary password :D
 
To get a temporary password, all you need is the username of the user and their account number, which was already in Capture2.png so YAY
 
So the answer is definitely the new entry in the website (the “Last 10 transactions” on the website is different from the one in Capture2.png, which I will mention again later):
notion image
7012.39

❌ 7. Where did the gang go to celebrate their success together in March?

So based on the Telegram conversation, they went to eat somewhere on March 18th, and they added the bill split details to Splitwise:
notion image
So I was searching for Splitwise databases / application information but I couldn’t find it :’D

✅ 8. Which file does the guy keep his encrypted container in?

In the mounted device artifact, there were other drives available, indicated by their different drive letters:
notion image
 
So after a LOT of searching, I noticed that the label for the Y: drive was “Vault” (Very suspicious 👀):
notion image
 
Now I spent A LOT of time trying to find the location of the Y:\ drive, and after a LOT of searching, my brain decided, why not search for the name of the label instead? So I searched for “Vault”, and very interesting information popped out:
notion image
 
Now at this moment, I was like, in the Documents? But I already checked that! Now surprise surprise, IT WAS IN desktop.ini, which was the only file out of the rest that I did not click into 💀
notion image
 
So I spent an hour extracting this file by using the “Copy File to Folder” function and trying to get the ADS by doing Get-Item -path file_path -stream * on Windows, but the stream named vault.vhdx didn’t appear, so at the end I just viewed the ADS in hex, Ctrl + A, download, and saved the entire thing.
 
Now that we have vault.vhdx, all you have to do is mount the thing! But wait, you need a password! But you have the option to just enter the Recovery key instead. Earlier, I found a BitLocker recovery file, so this information came in handy:
BitLocker recovery Identifier: 929983CA-5012-49E9-A194-4550C08C6127
Recovery key: 590238-514580-359986-088242-029766-319495-410509-636911
 
So now, the vault is mounted yahoo!
notion image
C:\Users\phorger\Documents\desktop.ini:vault.vhdx

✅ 9. Which luxurious item did Phorger put his laundered money into?

Remember the Vault we just mounted? There is a file called spending.xlsx, so all you gotta do is just look at the most expensive item, and tadaaa:
notion image
Rolex Submariner Date 126619LB

❌ 10. Which concert were Phorger and his girlfriend planning to attend in May?

So you can see this conversation in the Telegram chat:
notion image
Hence my thought is that @diddyflowers deleted previous chat history regarding the vacation plans, but I can’t find anything related :’))

❌ 11. What's the name of the person who designed the print template for the bills?

There was one part in the Telegram conversation between @diddyflowers and @billthemegakill where Drew sent a design template in .psd:
notion image
Based on previous CTFs I played, I know that PSD files normally save the name of the owner in their metadata, but I couldn't extract the PSD document, and I couldn’t figure out how 🥲

❌ 12. Where is the makeshift lab where they printed the cash located?

I was pretty sure it was this location from Geofences:
notion image
 
I mean, look at the picture from Google Maps:
notion image
But I copied the address below and submitted it, still to no avail :’) Tried out every other location I could find, but still nope

✅ 13. What is the precise moment their largest printing batch was completed?

So based on the conversation between @billthemegakill and the bot he created (@prochefbakerbot), I looked for the highest number, and got the timestamp:
notion image
(Some previous context is that @billthemegakill mentioned in the group chat that this bot was for printing bills)
2024-04-02 10:44:30 PM

✅ 14. What's the printer model they used to print money?

There were A LOT of red herrings for this one, so I’ll save you the trouble and tell you which one is the direct answer. You can check the previous connected USB devices, and check the one for printing:
notion image
 
Then by searching for the hardware ID online, you will get the answer: https://members.driverguide.com/driver/device.php?hwid=USB\Vid_03f0%26Pid_042a%26Rev_0100%26MI_00
HP LaserJet M1132

❌ 15. Which ATM did Phorger test his bills on recently?

So this was the conversation where he went to test out his bills (Not going to lie, as someone who is not from the US, I thought the “Chase” he meant was Chase ATMs, so I kept searching for Chase ATMs HAHAHAH. It was only after a few hours that I realised he meant “Chase” as in the other user called Mr C 💀):
notion image
Side notes I had:
  • Dude had com.apple.Maps on 3 April
  • Uber ride had S Grand Blvd, 2245, Saint-Louis, MO, 63104 on 2 April, so I thought that he was going to go to a nearby ATM in this area
Entries I tried lol:
  • Chase ATM on N Illinois St
  • Chase ATM on S Main St
  • Chase ATM on S Grand Blvd
  • Chase ATM on Lindell Blvd
  • Chase ATM on Page Blvd
  • Chase ATM on Menard St
  • Chase ATM on N Broadway
  • Chase ATM on Chippewa St
  • U.S. Bank ATM on S Grand Blvd / US Bank ATM on S Grand Blvd
  • U.S. Bank ATM on Gravois Ave / US Bank ATM on Gravois Ave
  • U.S. Bank ATM on Caroline St / US
  • LibertyX Bitcoin ATM on Arsenal St

❌ 16. Who leaked the technical data on the bill validator to the gang?

I have 0 idea on how to proceed with this

❌ 17. Which offshore financial institution did the gang bank with?

Remember the credit card we found earlier? I wanted to use its BIN to find out the financial institution, so I used this website to search (https://payspacemagazine.com/bin-card/), but the BIN didn't work. So I was stuck 😂
(Now that I think about it, it’s kind of hard for a CTF to get an actual credit card number because that is A LOT of unnecessary work, so there is a super low chance that this method works, hence I think the number wasn’t supposed to be a legit credit card number)
 
A quick note on what the digits mean in a credit card that I got from online sources:
notion image
The 16-digit Primary Account Number (PAN) is made up of four components:
  • Major industry identifier (MII): identifies the card network. American Express's MII is 3, Visa is 4, Mastercard is 5, and Discover is 6.
  • Bank identification number (BIN): identifies who issued the card.
  • Account identifier: identifies the individual account.
  • Validator digit (checksum): Issuers put the first 15 digits into a formula called the Luhn Algorithm, which produces the validator digit.
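As an added example (not from the original writeup), here is the PAN breakdown above in Python: it splits a 16-digit number into MII / BIN / account identifier / check digit, computes the Luhn check digit from the first 15 digits, and flags numbers that fail the check. The sample PAN is the well-known Visa test number, not the card from the CTF image; running this check first tells you whether a number is even worth a BIN lookup.

```python
"""Split a 16-digit PAN into its components and verify it with the Luhn algorithm.

Added example for this writeup; the sample PAN is a public test number,
not the card found in the CTF image.
"""

# MII -> network, as listed in the writeup (single leading digit).
MII_NETWORKS = {"3": "American Express", "4": "Visa", "5": "Mastercard", "6": "Discover"}


def luhn_check_digit(payload: str) -> int:
    """Compute the Luhn check digit for a digit string (the first 15 digits of a PAN)."""
    total = 0
    # Walk right-to-left; every other digit, starting with the rightmost, is doubled.
    # A doubled value >= 10 has its two digits summed, which equals d*2 - 9.
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def luhn_valid(pan: str) -> bool:
    """True if the last digit of pan is the Luhn check digit of the preceding digits."""
    if not pan.isdigit() or len(pan) < 2:
        return False
    return luhn_check_digit(pan[:-1]) == int(pan[-1])


def split_pan(pan: str) -> dict:
    """Break a 16-digit PAN into MII, BIN, account identifier and check digit."""
    digits = "".join(ch for ch in pan if ch.isdigit())  # tolerate spaces and dashes
    if len(digits) != 16:
        raise ValueError("expected a 16-digit PAN")
    return {
        "mii": digits[0],
        "network": MII_NETWORKS.get(digits[0], "unknown"),
        "bin": digits[:6],          # traditional 6-digit BIN (newer schemes use 8)
        "account": digits[6:15],
        "check_digit": digits[15],
        "luhn_valid": luhn_valid(digits),
    }


if __name__ == "__main__":
    # Constructed sample: the commonly used Visa test number.
    print(split_pan("4111 1111 1111 1111"))
```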

❌ 18. Paste Phorger's entire bank statement here, containing all his offshore transactions

Now remember the https://crbk.org/account website we found earlier? And also do you remember that both the website and the Capture2.png had different content?
 
So the website actually has a function for you to download all transactions, but it needs an OTP! So, while searching through the large amount of pictures, I found this Google Authenticator picture:
notion image
Of course the OTP in the picture didn’t work, so I thought I had to follow the steps here to get the Google Authenticator key (So I could get the OTP on my Google Authenticator app): https://dpron.com/recovering-google-authenticator-keys-from-ios-backups/
💡
It’s a great article by Dan Roncadin, do give it a read 👀
 
But anyways, I couldn’t find the Manifest.plist, so maybe this wasn’t the intended solution :/
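Why the OTP in the screenshot could never work, and what a recovered Google Authenticator seed would give you, as an added example (not from the original writeup): Google Authenticator codes are RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits), so a code is tied to the time step it was generated in. The seed below is the RFC 6238 reference secret in base32, a constructed value, not anything from the CTF image.

```python
"""Generate RFC 6238 TOTP codes from a Google Authenticator style base32 seed.

Added example for this writeup, not part of the original post. The seed is the
RFC 6238 test secret ("12345678901234567890") in base32, not a recovered one.
"""
import base64
import hashlib
import hmac
import struct

# Constructed sample seed: base32 of the RFC 6238 test secret.
SAMPLE_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed_b32: str, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).

    SHA-1, 30 s and 6 digits are the Google Authenticator defaults."""
    # Authenticator seeds are often shown without '=' padding; restore it.
    secret = base64.b32decode(seed_b32.upper() + "=" * (-len(seed_b32) % 8))
    return hotp(secret, int(at) // step, digits)


def code_still_valid(seed_b32: str, code: str, now: float, step: int = 30) -> bool:
    """A code is only accepted inside its own time step (no skew window here)."""
    return hmac.compare_digest(totp(seed_b32, now, step), code)


if __name__ == "__main__":
    then = 59                                    # RFC 6238 test time -> counter 1
    code = totp(SAMPLE_SEED_B32, then)
    print("code at t=59:", code)                 # 287082
    # The same code checked 31 seconds later lands in the next step: rejected.
    print("valid at t=90:", code_still_valid(SAMPLE_SEED_B32, code, then + 31))
```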

Some Sidequests that I Ventured and Failed 😂


Sidequest 1

In one of the Telegram conversations:
Done! Congratulations on your new bot. You will find it at t.me/prochefbakerbot. You can now add a description, about section and profile picture for your bot, see /help for a list of commands. By the way, when you've finished creating your cool bot, ping our Bot Support if you want a better username for it. Just make sure the bot is fully operational before you do this.
Use this token to access the HTTP API:
6906797754:AAGMY4k5rHjZowgyjtlt84SvbrqbjBsO6jU
Keep your token secure and store it safely, it can be used by anyone to control your bot.
For a description of the Bot API, see this page: https://core.telegram.org/bots/api
Since there’s a Telegram Bot API, I tried sending a query over HTTPS in this format: https://api.telegram.org/bot<token>/METHOD_NAME 👀
https://api.telegram.org/6906797754:AAGMY4k5rHjZowgyjtlt84SvbrqbjBsO6jU/help
Welp. Didn’t work xD

Sidequest 2

In one of the Telegram conversations:
Yo, William, we got issues. One of ATMs is rejecting our cash. Jesus thinks it's on us. Can you check it out? Stubborn machine is on https://bit.ly/3VKt3er
So this link is broken, and I thought of looking into web archives, found nothing HAHAHAHA

Possible Things I Could Think Of to Proceed, But Didn’t Have Enough Time


  1. Running Recuva or similar tools on the mounted new container to check if there are any deleted files
  2. Look into the Python code for @prochefbakerbot, which was in the baker folder in the mounted new container
  3. Run the image files on Volatility and use some of their plugins (imageinfo was taking too much time so I gave up)