NahamCon CTF 2023 — Fetch Writeup

Hadiqa khan
3 min read · Jun 19, 2023


Hey Folks, I participated in NahamCon CTF 2023, where my main focus was on solving the Forensics category challenges. This post covers the writeup for the challenge Fetch.

Description

Author: @JohnHammond#6971

“Gretchen, stop trying to make fetch happen! It’s not going to happen!” — Regina George

Solution

The attached file was “fetch.7z”, a 7z archive. I extracted it.

To identify the file type of the extracted file, run the “file” command on Linux; it reports “Windows Imaging Format (WIM)”.

On opening the WIM archive, there are “.pf” (prefetch) files, hence the challenge name “fetch”. The archive also contains one more zip archive, named fetch.zip.

Windows creates a prefetch file the first time a user runs an application from a particular location, so the natural step here is to analyze the prefetch files. Eric Zimmerman has developed a bundle of forensics tools that make this analysis easier and faster. We will be using “PECmd” (Prefetch Parser), his tool for analyzing prefetch files.

Download the tool from: https://ericzimmerman.github.io/#!index.md

I switched to Windows to use PECmd.

Extract the other archive, fetch.zip, found inside the WIM.

Inside the fetch folder, Calc.exe, Calculator.exe.pf and Wordpad.exe.pf looked a bit suspicious, but I will analyze all the prefetch files.

D:\PECmd>PECmd.exe -d "D:\Forensics_tools\fetch~\fetch" >> out.txt

The -d switch makes PECmd process every prefetch file in the directory, and the output file contains a bundle of information for each one, including the referenced directories and files.

An efficient way to find the flag is to simply search the output file for “flag”.
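To show what PECmd is actually pulling out of each .pf file, and what the “search for flag” step amounts to, here is an added example (my own code, not PECmd or anything from the challenge) that parses the header and the referenced-files string table of an uncompressed prefetch file and filters the referenced paths by keyword. It builds its own sample file in memory: the volume GUID, hash, paths and timestamp are constructed for the example, and the offset table for versions 17, 23 and 26 is my assumption based on the documented uncompressed prefetch layout. Windows 10 and later compress prefetch files (the header starts with “MAM”); the parser detects that case and stops, since decompression is what PECmd handles for you.

```python
import struct
from datetime import datetime, timedelta, timezone

# Uncompressed prefetch layout (XP / Vista / 7 / 8.1). Windows 10+ files start with
# "MAM" followed by a flag byte and are LZXPRESS-Huffman compressed; PECmd
# decompresses those, this parser only detects them.
SIGNATURE = b"SCCA"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Assumed per-version offsets: version -> (last-run FILETIME offset, run-count offset)
LAYOUT = {17: (120, 144), 23: (128, 152), 26: (128, 208)}


def is_compressed(data: bytes) -> bool:
    """True for Windows 10+ compressed prefetch files ('MAM' + compression flag byte)."""
    return data[:3] == b"MAM"


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME is 100-ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_prefetch(data: bytes) -> dict:
    """Parse header fields and the referenced-file strings of an uncompressed .pf file."""
    if is_compressed(data):
        raise ValueError("compressed Windows 10+ prefetch file; decompress it first")
    version, sig = struct.unpack_from("<I4s", data, 0)
    if sig != SIGNATURE:
        raise ValueError("missing SCCA signature: not a prefetch file")
    if version not in LAYOUT:
        raise ValueError(f"unsupported prefetch version {version}")
    file_size = struct.unpack_from("<I", data, 12)[0]
    executable = data[16:76].decode("utf-16-le").split("\x00", 1)[0]  # 60-byte UTF-16 name
    pf_hash = struct.unpack_from("<I", data, 76)[0]
    strings_off, strings_len = struct.unpack_from("<II", data, 100)  # section C: filename strings
    run_time_off, run_count_off = LAYOUT[version]
    last_run = struct.unpack_from("<Q", data, run_time_off)[0]
    run_count = struct.unpack_from("<I", data, run_count_off)[0]
    blob = data[strings_off:strings_off + strings_len].decode("utf-16-le")
    referenced = [s for s in blob.split("\x00") if s]  # null-terminated UTF-16LE paths
    return {
        "version": version,
        "file_size": file_size,
        "executable": executable,
        "hash": f"{pf_hash:08X}",
        "last_run": filetime_to_datetime(last_run),
        "run_count": run_count,
        "referenced_files": referenced,
    }


def find_references(info: dict, keyword: str) -> list:
    """Case-insensitive keyword search over the referenced paths, like grepping PECmd output."""
    kw = keyword.lower()
    return [p for p in info["referenced_files"] if kw in p.lower()]


# Constructed sample: a version-23 (Vista/7) prefetch file for CALC.EXE. The volume
# GUID, hash, paths and timestamp below are made up for this example.
SAMPLE_VOLUME = "\\VOLUME{01d9a2b4c3d5e6f7-8a9b0c1d}"
SAMPLE_FILES = [
    SAMPLE_VOLUME + "\\WINDOWS\\SYSTEM32\\NTDLL.DLL",
    SAMPLE_VOLUME + "\\WINDOWS\\SYSTEM32\\CALC.EXE",
    SAMPLE_VOLUME + "\\USERS\\USER\\DESKTOP\\FLAG.TXT",
]
SAMPLE_LAST_RUN = datetime(2023, 6, 19, 12, 0, 0, tzinfo=timezone.utc)


def build_sample_prefetch() -> bytes:
    header = bytearray(240)  # 84-byte header + 156-byte version-23 file information
    strings = b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in SAMPLE_FILES)
    struct.pack_into("<I4s", header, 0, 23, SIGNATURE)
    struct.pack_into("<I", header, 12, len(header) + len(strings))
    name = "CALC.EXE".encode("utf-16-le")
    header[16:16 + len(name)] = name
    struct.pack_into("<I", header, 76, 0x7E79A0FA)  # constructed hash value
    struct.pack_into("<II", header, 100, len(header), len(strings))
    struct.pack_into("<Q", header, 128, datetime_to_filetime(SAMPLE_LAST_RUN))
    struct.pack_into("<I", header, 152, 3)  # run count
    return bytes(header) + strings


if __name__ == "__main__":
    info = parse_prefetch(build_sample_prefetch())
    print(f"{info['executable']} (hash {info['hash']}) ran {info['run_count']} times, "
          f"last at {info['last_run']}")
    for hit in find_references(info, "flag"):
        print("match:", hit)
```

Running it prints the executable name, hash, run count and last-run time from the header, then the one referenced path containing “flag”, which is the same information the grep over PECmd's out.txt surfaces. To run the parser against real files from the challenge, read the .pf bytes from disk and pass them to parse_prefetch; a ValueError about compression means you need PECmd (or another LZXPRESS-Huffman decompressor) first.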

I hope you enjoyed the methodology and writeup :)

Feel free to give suggestions.
