Edit some post

_posts/2024-01-08-Iris-CTF.md

@@ -5,7 +5,7 @@ date: 2024-01-08T07:42:50+07:00
 tags: [osint]
 categories: [ctf]
 author : [1]
-image: assets/posts/IrisCTF2024/logo_iris.png
+# image: assets/posts/IrisCTF2024/logo_iris.png
 ---
 
 For my first CTF tournament of the year, I mainly considered challenges related to Misc, Osint, Forensics but most of them were difficult for me, so I could only do 2 Osint problems. Too bad for that.

_posts/2024-07-30-corCTF.md

@@ -13,7 +13,12 @@ Hi guys, it's me again. Three months is long time for me to participate in a CTF
 # Solution
 
 ## 1. Forensics/The-conspirasy
-- Challenge give me 2 files : one is pcap, one is python code. I tried opening the pcap file to see what was there. At first glance, it contained TCP streams containing data in the form [x,y,z ...] with 2 types including numbers less than or equal to 100 and large numbers with 3 or more digits. Read the python code file further. That's a way to encode and send data.
+- Challenge give me 2 files : one is pcap, one is python code. I tried opening the pcap file to see what was there. At first glance, it contained TCP streams containing data in the form [x,y,z ...] with 2 types including numbers less than or equal to 100 and large numbers with 3 or more digits. 
+
+    ![pic](/assets/posts/corCTF%202024/the-conspiracy/1.png)
+
+    ![pic](/assets/posts/corCTF%202024/the-conspiracy/2.png)
+- Read the python code file further. That's a way to encode and send data.
 
 ```python
 import csv
@@ -134,4 +139,47 @@ print(decrypt(finalmessage, keys))
 
 FLAG : *corctf{b@53d_af_f0r_th3_w1n}*
 
-## 2. Forensics/Ilfiltration
+## 2. Forensics/Ilfiltration
+The challenge requires answering some questions to get the flag, the challenge file is an event logs file. Since I am not familiar with using chainsaw, I only use 2 tools here, event viewer and EVTXeCMD.
+
+```Q1: We'd like to confirm what the username of the main user on the target's computer is. Can you provide this information? ```
+
+ANSWER: slice1 
+
+SOLVE: Just go through some facts and we will have the answer to this question or check EID: 4798 (User's local group membership was enumerated.)
+
+```Q2: Now, we'd like the name of the computer, after it was renamed. Ensure that it is entered in exactly how it is in the logs ```
+
+ANSWER: lemon-squeezer 
+
+SOVLE: We can see it in EID 4673 (A privileged service was called) or other, like Q1.
+
+```Q3: Great work! In order to prevent their lemons from moulding, the lemonthinkers changed the maximum password age. What is this value? Please enter it as an integer number in days``` 
+
+ANSWER: 83 
+
+SOLVE: Check EID 4739 (Domain Policy was changed). Actually I didn't check EID 4739 immediately, I used another way which is to use EVTXeCMD to convert the evtx file to a csv file, then grep "age". You can see the 2 numbers are 42 and 83, but the correct answer is 83. Check the evtx file just to be sure.
+
+```Q4: It seems that our targets are incredibly smart, and turned off the antivirus. At what time did this happen? Give your answer as a UNIX timestamp```
+
+ANSWER: 1721946080 
+
+SOLVE: This was a question that I was pretty clueless about. So when a member of my team answered it first, I knew I needed to check EID 4699 (A scheduled task was deleted)
+    ![pic](/assets/posts/corCTF%202024/ilfiltration/Q4.png)
+We can see here, in my local time it is 5:21:20 AM on the 26th, converted to UTC it is 22:21:20 on the 25th. Then just use Epoch Converter to convert to Unix time.
+
+```Q5: The main lemonthinker, slice1, hasn't learnt from the-conspiracy and has (again) downloaded some malware on the system. What is the name of the user created by this malware? ```
+
+ANSWER: notabackdoor 
+
+SOLVE: Check EID 4672 (Special privileges assigned to new logon), we can see it in first line.
+    ![pic](/assets/posts/corCTF%202024/ilfiltration/Q5.png)
+
+```Q6: Finally, we'd like to know the name of the group that the user created by the malware is part of, which has the greatest security risk. What is this?```
+
+ANSWER: Administrator 
+
+SOLVE: In this ques, i use [Timeline Explorer](https://f001.backblazeb2.com/file/EricZimmermanTools/net6/TimelineExplorer.zip) and filter `Username=notabackdoor`, we can see in EID `4672 line : Administrative logon`, so the answer is Administrator.
+    ![pic](/assets/posts/corCTF%202024/ilfiltration/Q6.png)
+
+FLAG: *corctf{alw4y5_l3m0n_7h1nk_b3f0r3_y0u_c0mm1t_cr1m3}*