Tabby’s Date
Ohhhh, Tab, Tab, Tab…. what has she done. My friend Tabby just got a new laptop and she’s been using it to take notes. She says she puts her whole life on there! She was so excited to finally have a date with a boy she liked, but she completely forgot the details of where and when. She told me she remembers writing it in a note… but she doesn’t think she saved it!! She shared with us an export of her laptop files.
Extract the notepad TabState folder at:
D:\CTF\Huntress\2025\day9\tabbys_date.zip\C\Users\Tabby\AppData\Local\Packages\Microsoft.WindowsNotepad_8wekyb3d8bbwe\LocalState\TabState\
Took a peek at the format of the files, then ran the following command to extract the flag:
find . -type f | xargs strings -ael | grep flag
flag{165d19b610c02b283fc1a6b4a54c4a58}
Beyblade
Sheesh! Some threat actor sure did let it rip on this host! We’ve been able to uncover a file that may help with incident response.
So we got a NTUSER registry file for this challenge.
“Let it rip” with RegRipper and reviewed the output. Searched for “flag” and noted the reference to part 1 of 8 alongside a snippet of the flag. Ran a regex which found 7 snippets:
.*8[\.,\-_:;=]{1}[a-f0-9]{4}
I was missing part 6, which used a sneaky format change ((6/8)-) compared to the rest, which is why my regex didn’t pick it up. Either way, got the flag:
flag{47cb5cd46d7bb34a0d9c315a99bb58de}
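As an added example (not part of the original write-up), a small Python script that reassembles the eight flag chunks from RegRipper-style output, accepting both the “part N of 8<sep>” form and the “(N/8)-” form the original regex missed, and reporting any part still absent instead of guessing. The input lines are constructed (the hex chunks are the flag above split into eight); the real registry values looked different.

```python
import re

# Constructed RegRipper-style lines (not the real challenge output): the hex
# chunks are the flag above split into eight, the surrounding text is invented.
# Part 6 uses the "(6/8)-" form that the original regex missed.
SAMPLE_OUTPUT = """\
value1 = part 1 of 8:47cb
value2 = part 2 of 8=5cd4
value3 = part 3 of 8-6d7b
value4 = part 4 of 8.b34a
value5 = part 5 of 8_0d9c
value6 = (6/8)-315a
value7 = part 7 of 8;99bb
value8 = part 8 of 8,58de
"""

# Accept "part N of 8<sep>hhhh" and "(N/8)<sep>hhhh"; the separator class is
# the one from the write-up's regex, the chunk is four hex digits.
PART_RE = re.compile(
    r"(?:part\s+(?P<n1>[1-8])\s+of\s+8|\((?P<n2>[1-8])/8\))"
    r"[.,\-_:;=](?P<hex>[a-f0-9]{4})",
    re.IGNORECASE,
)

def find_parts(text):
    """Return {part_number: hex_chunk} for every marker found in text."""
    parts = {}
    for m in PART_RE.finditer(text):
        n = int(m.group("n1") or m.group("n2"))
        parts[n] = m.group("hex").lower()
    return parts

def missing_parts(parts, total=8):
    """List the part numbers 1..total that were not found."""
    return [n for n in range(1, total + 1) if n not in parts]

def assemble_flag(text, total=8):
    """Join the chunks in order, or fail loudly instead of guessing a gap."""
    parts = find_parts(text)
    missing = missing_parts(parts, total)
    if missing:
        raise ValueError(f"missing flag parts: {missing}")
    return "flag{" + "".join(parts[n] for n in range(1, total + 1)) + "}"

if __name__ == "__main__":
    print(assemble_flag(SAMPLE_OUTPUT))
```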
Darcy
Darcy has apparently been having a lot of fun with a unique version control system. She told me she hid a flag somewhere with her new tool and wants me to find it… I can’t make any sense of it, can you?
For a day 20 challenge this one seemed a bit straightforward…
Unpacked the files and tried running grep 'flag', which just so happened to return the flag:
flag{a0c1e852e1281d134f0ac2b8615183a3}
Webshellz
The sysadmin reported that some unexpected files were being uploaded to the file system of their IIS servers. As a security analyst, you have been tasked with reviewing the Sysmon, HTTP, and network traffic logs to help us identify the flags!
Flag 1 - Sysmon.evtx
Quick review of the event log finds the ‘net user’ command being utilised. The password at first glance looks to be base64, but it doesn’t decode to anything. Tried base32 and base85 as well. Asked ChatGPT, which suggested base62 - got the flag:
flag{03638631595684f0c8c461c24b0879e6}
Flag 2 - revshell.aspx
Dumped all the HTTP objects from the pcap file to review. From looking at the Sysmon.evtx, a random-looking binary in ProgramData - frpc.exe - was making a connection to 117.72.105.10:7000.
Ran grep for frpc with the -C flag to show 5 lines before and after, and spotted the network connection with an encoded string in a comment:

Chucked this into CyberChef to decode via base32 for the flag:
flag{c7ba76c0a4484fe8c135a1195e8d94ed}
Flag 3 - revshell.aspx
A review of some of the extracted webshell files revealed a lot of base64-looking encoded strings. Decoding some of these helped establish that the webshell commands use the format Bin_<cmd>. Gathered some statistics on the files using:
grep -Eho 'Bin_[a-zA-Z]{3,}' *.aspx | sort | uniq
Checked a few of the results further and noted that some commands had an additional part not captured by the previous grep. Updated it to:
grep -Eho 'Bin_[a-zA-Z]{3,}_?[a-zA-Z]{3,}' *.aspx | sort | uniq
This gave a better view of the commands. The final flag’s description suggested how the webshell would be accessed, so I focused on any values referencing login or password. Spotted Bin_Div_Login, so ran grep for this plus 5 lines either side. This identified a base64-encoded string which decoded to the final flag:

flag{fb4e078a739ac4ce687eb78c2e51aafe}