Blackhat MEA 2024 CTF Qualification

D3monWolf
3 min read · Nov 23, 2024


Forensic Challenges

#Artifact

I took a Windows forensics cheat sheet and searched for evidence of program execution. I found the executable in the ShimCache, which is stored under the AppCompatCache registry key and records executables that have been run on the system.

I thought that DeadPotato is a Windows privilege escalation exploit, part of the “Potato” family of tools, which are well known for their techniques for elevating user privileges on Windows systems. These exploits abuse Windows security features to let a user with limited privileges gain higher access, often leading to full system compromise.

Boom, the flag got submitted.

BHFlagY{DeadPotato-NET4.exe_09/08/2024_22:42:13}

#NotFS

Solution: After extensive research, I identified several tools for partition recovery. However, TestDisk emerged as the most reliable and efficient solution. Here’s a breakdown of the analysis process:

To gain a more granular understanding of the Linux partition, I opted for a deeper scan. This involved analyzing the sector size and other low-level details. The results of this scan are presented below:

Once the deep scan was finished, I modified the partition type to HPFS-NTFS. Subsequently, I listed the files on the partition to confirm if the recovery process was successful. This step was crucial in assessing the partition’s recoverability and functionality. The results of the file listing are presented below:

The recovered files were transferred to a specified directory. The contents of this directory are detailed below:

A preliminary examination of the recovered files, based on thumbnail generation, suggested their integrity. However, one file, ‘DALL·E 2024–08–08 07.08.12 — A bustling scene at Black Hat MEA (Middle East & Africa) cybersecurity event. The image includes a large exhibition hall filled with booths from vario.png’, exhibited signs of corruption. To delve deeper, a hex editor analysis was conducted. The examination of file headers uncovered irregularities, pointing to potential structural damage within the file. A detailed breakdown of the header analysis is provided below

Boom, and I got the flag.

BHFlagY{8bd8dc3ea7636c5fb8aeb}
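The header analysis above was done by eye in a hex editor. As an added example (my own code, not part of the original writeup), the script below automates the same checks for a PNG: it verifies the 8-byte signature, confirms the first chunk is a 13-byte IHDR, recomputes the chunk CRC and sanity-checks the image dimensions, bit depth and colour type. The sample bytes are constructed inline (a minimal 1x1 RGBA header and a deliberately damaged copy), not taken from the challenge file.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
VALID_BIT_DEPTHS = {1, 2, 4, 8, 16}
VALID_COLOR_TYPES = {0, 2, 3, 4, 6}


def make_chunk(ctype: bytes, data: bytes) -> bytes:
    """Build a PNG chunk: big-endian length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def check_png_header(blob: bytes) -> list:
    """Return a list of irregularities found in the signature and IHDR chunk.

    An empty list means the header looks structurally sound; each finding
    names the offset or field so it can be located in a hex editor.
    """
    findings = []
    if blob[:8] != PNG_SIGNATURE:
        findings.append(f"offset 0: bad signature {blob[:8].hex()} "
                        f"(expected {PNG_SIGNATURE.hex()})")
    if len(blob) < 33:  # 8 signature + 4 length + 4 type + 13 data + 4 crc
        findings.append("file too short for signature + IHDR")
        return findings
    length, ctype = struct.unpack(">I4s", blob[8:16])
    if ctype != b"IHDR":
        findings.append(f"offset 12: first chunk is {ctype!r}, expected IHDR")
    if length != 13:
        findings.append(f"offset 8: IHDR length {length}, expected 13")
    stored_crc = struct.unpack(">I", blob[29:33])[0]
    actual_crc = zlib.crc32(blob[12:29]) & 0xFFFFFFFF  # CRC covers type + data
    if stored_crc != actual_crc:
        findings.append(f"offset 29: IHDR CRC {stored_crc:08x} != computed {actual_crc:08x}")
    width, height, depth, color = struct.unpack(">IIBB", blob[16:26])
    if width == 0 or height == 0 or width > 0x7FFFFFFF or height > 0x7FFFFFFF:
        findings.append(f"offset 16: implausible dimensions {width}x{height}")
    if depth not in VALID_BIT_DEPTHS or color not in VALID_COLOR_TYPES:
        findings.append(f"offset 24: bad bit depth {depth} / colour type {color}")
    return findings


# Constructed sample: a minimal 1x1, 8-bit RGBA IHDR with a correct CRC.
IHDR_DATA = struct.pack(">IIBBBBB", 1, 1, 8, 6, 0, 0, 0)
GOOD_HEADER = PNG_SIGNATURE + make_chunk(b"IHDR", IHDR_DATA)

# Constructed damage: first signature byte zeroed and the width's high byte overwritten,
# which also breaks the stored CRC.
BAD_HEADER = bytearray(GOOD_HEADER)
BAD_HEADER[0] = 0x00
BAD_HEADER[16] = 0xFF
BAD_HEADER = bytes(BAD_HEADER)

if __name__ == "__main__":
    for name, blob in (("good", GOOD_HEADER), ("bad", BAD_HEADER)):
        print(name, check_png_header(blob) or ["no irregularities"])
```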
