From Evidence to Answers: Navigating Forensic CTF Challenges with Skill — Part II
Welcome to Part II of From Evidence to Answers: Navigating Forensic CTF Challenges with Skill.
I recently discovered the amazing idea of “Shellbags” while reading Joakim Kävrestad’s book “Fundamentals of Digital Forensics” as part of my quest to learn more about digital forensics. The concept immediately piqued my interest, as Shellbags provide valuable insights into a user’s folder navigation and activity on a Windows system. Intrigued by the potential of this artifact, I was inspired to create a forensics CTF challenge that would put participants’ skills to the test. By leveraging the power of Shellbags, it aims to challenge participants to analyze and interpret these artifacts to uncover hidden clues and investigate the actions of a potential attacker.
Shells in the Bag!
Challenge Description: In our software development world, a puzzling incident has occurred. One of our developers innocently downloaded project files from a well-known version control system, only to discover that their laptop was compromised soon after. We’ve examined the aftermath and found that the only clue left behind is something called “Shellbags.” Your mission is to explore the Shellbags artifact and follow the hidden traces left by the attacker.
Download Challenge File
Explanation
As we can see from the title "Shells", the file given is certainly the ShellBags artifact. Once we know how to analyze the given file, the challenge becomes very easy to crack.
After some Google-fu, we figured out that there is a tool for exploring ShellBags named "ShellBags Explorer", developed by Eric Zimmerman.
Download the tool from: https://ericzimmerman.github.io/#!index.md
Solution
Open ShellBags Explorer and Import file.
To load the file, follow these steps:
Launch ShellBags Explorer.
Click on the "File" menu at the top left corner of the screen.
Select "Load Offline Hive" from the drop-down menu.
Browse to the location of the file and select it.
Click on the "Open" button to add the file.
Once the hive is loaded, you can begin analyzing its contents.
Let’s explore this.
The Personal folder has nothing of interest.
If we read the description again, it says the developer "downloaded" the code. So let's explore the Downloads folder.
We found folders named:
- Source_code
- DarkWand
- SAP
- Project
- Backup.rar
Let's explore them one by one.
Nothing useful in the Project folder.
Source_code and SAP are empty folders.
We are left with DarkWand.
We can see the file names. They include "git" and "replit.md", which indicates the project is linked to these platforms. There is another file named "Backdoor.py".
Let's search for the project on GitHub. Since we need a Replit account to check out projects on that platform, it is better to search GitHub first.
The file Backdoor.py is a simple Python file that creates a remote connection (reverse shell). Nothing of interest found here.
Analyzing the repository, I found a commit that might be of interest.
It is a URL-encoded file.
We can decode it using https://www.urldecoder.org/
On decoding, we can see that it is double URL-encoded.
Copy the contents and decode it again.
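The two-pass decoding described above, automated as an added example (this is not part of the original writeup or the challenge repository): the script keeps URL-decoding until the text stops changing, reports how many layers were removed, and warns if %XX sequences are still left over. The input string is a constructed stand-in for the commit contents, not the real challenge file.

```python
import re
from urllib.parse import quote, unquote

# Regex for a single percent-encoded byte, e.g. "%28" or "%7B".
PERCENT_BYTE = re.compile(r"%[0-9A-Fa-f]{2}")


def looks_url_encoded(text: str) -> bool:
    """Return True if the text still contains at least one %XX sequence."""
    return PERCENT_BYTE.search(text) is not None


def decode_until_stable(text: str, max_rounds: int = 8):
    """Apply URL decoding repeatedly until the text stops changing.

    Returns (decoded_text, rounds), where rounds is the number of encoding
    layers removed. max_rounds caps the loop so a file encoded many times
    (or a decoding step that never converges) cannot spin forever.
    """
    current = text
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
        rounds += 1
    return current, rounds


# Constructed sample: a tiny Python file, percent-encoded twice.
# (Placeholder flag; not the challenge's real flag.)
ORIGINAL = 'print("FLAG{constructed_example}")\n'
SINGLE_ENCODED = quote(ORIGINAL, safe="")
DOUBLE_ENCODED = quote(SINGLE_ENCODED, safe="")


if __name__ == "__main__":
    print("double-encoded :", DOUBLE_ENCODED)
    decoded, rounds = decode_until_stable(DOUBLE_ENCODED)
    print(f"removed {rounds} layer(s) of URL encoding")
    print("decoded        :", decoded, end="")
    if looks_url_encoded(decoded):
        print("warning: %XX sequences remain after decoding")
```

Decoding to a fixed point rather than a fixed number of passes is the safer habit: it handles single, double or deeper encoding with the same code, and the returned round count tells you how many layers the attacker actually applied. A leftover "%" that is not followed by two hex digits (for example a "%s" in a Python format string) is left untouched by unquote, which is why the final check only flags genuine %XX sequences.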
For better visibility, I pasted the decoded content into VS Code.
Upon reading the file, there is a print statement, which prints the flag :)
This challenge might be easy for intermediate and even beginner players if they have good knowledge of Windows artifacts.
The core reason for developing this challenge was to help others discover this artifact.
I hope you enjoyed the writeup and the challenge!
Read More about Shellbags at: https://medium.com/ce-digital-forensics/shellbag-analysis-18c9b2e87ac7