Belkasoft CTF 6: Write-up

The Plot

The CTF plot develops around a seemingly dull and insignificant incident. A cashier at a corner shop received a fake $50 bill and reported it to the police. Given the absence of other intriguing cases (it seems like you are working in a happy community!) your boss wants you to uncover what happened. Quite unexpectedly, your investigation leads to some significant findings.

Will you be able—using digital forensics only—to expose a well-organized gang involved in counterfeit currency crimes?

Let's begin taking flags!

1. Ident (Baby)

Question

What is the Apple ID used on the imaged iPhone?

Solution

1. Open your Belkasoft X v.2.4
2. Create a new case and add the first CTF image as a data source (at this point you do not have the password for the second image, so just disregard it for now)
3. Analyze the image, selecting all artifacts for extraction
4. Navigate to Artifacts → Overview → iOS Accounts

Flag

[email protected] (the task was solved 231 times)

2. Namedrop (Baby)

Question

What is the iPhone owner's full name? Flag format: First name Last name

Solution

1. Navigate to Artifacts → Overview → Contacts
2. Find the email from the previous question

Flag

William Phorger (the task was solved 223 times)

3. Conspirators (Warmup)

Question

Which Telegram accounts did the owner discuss shady stuff with? Flag format: @username, @username, @username, ...

Solution

1. Navigate to the Artifacts → Overview → Chats
2. Read the Telegram chat history, list all usernames discussed for shady dealings

Flag

@Sm00thOperat0r, @locknload771, @JesusStreeton1999, @diddyflowers (this task was solved 172 times)

4. Visit (Tricky)

Question

Where does William live? Flag format: latitude, longitude—or just click the map

Solution

1. Navigate to Artifacts → Overview → Geolocation data
2. Extract important locations from Uber, one of them is home
3. Viewing raw in SQLite, you can see a "home" label:

Flag

Nottingham Ave, 7402, Saint-Louis, MO, 63119 (this task was solved 134 times)

5. Username (Baby)

Question

What is the username of the laptop user?

The police searched Phorger's house and seized his laptop. This is your second image; you can now unpack it using the provided password.

Note: from now on, you have 2 images. You would want to look at each one from time to time. You have an option to filter artifacts by data source (preferred way when you are not in rush) or create two Belkasoft X cases to avoid need for filtering artifacts Overview (not recommended for real life, but can save some time for the CTF rush). Below, when we write [iPhone], it will mean that you have to either filter by iPhone data source or to look into your iPhone case (similarly, [Windows]).

Solution

1. Add the new image to your case and analyze it with all available Belkasoft X options
2. Navigate to [Windows] → Artifacts → Overview → Windows → User name and Sid list

Flag

phorger (this task was solved 188 times)

6. April Paycheck (Warmup)

1. Navigate to [Windows] → Artifacts → Overview → Notifications
2. There's a notification from the chat application called "Element": "sm00thoperat0r (Friends) | Yo William, gotta talk cash. That mess we made? Yeah, we're sorry, bro. Upping your take this month by 15%. You're landing at 7012USD total this round."

Flag

7012 (this task was solved 96 times)

7. Party (Tricky)

Question

Where did the gang go to celebrate their success together in March? Flag format: latitude, longitude—or just click the map

Solution

1. Navigate to [iPhone] → Artifacts → Overview → Chats
2. Read the chat history. Firstly, on March 19th, the boss suggests hanging out somewhere: Yo, crew! We've been grindin' like crazy. How's 'bout we crash that bar downtown tomorrow night? Time to throw down some celebration for us bustin' our butts. ?? on me! Eh?
3. Secondly, a bit earlier, it's mentioned they use Splitwise: Now that's what I call a great meal! Added it to our Splitwise
4. Search for the Splitwise database. For this, unpack .tar for file name search, search for "splitwise". A Splitwise settings file is found: /private/var/mobile/Containers/Data/Application/E951DC58-CF30-4518-9482-3E076D89A20B/Library/Preferences/com.Splitwise.SplitwiseMobile.plist
5. Nearby in the same container lies the database: /private/var/mobile/Containers/Data/Application/E951DC58-CF30-4518-9482-3E076D89A20B/Library/Application Support/database.sqlite
6. Open in Belkasoft's SQLite Viewer. In the SWExpense table, there is a record with description "Get-together at Cunetto":
7. Search for Cunetto—it is Cunetto House of Pasta

Flag

5453 Magnolia Ave, St. Louis (this task was solved 14 times)

8. Crypto (Warmup)

Question

Which file does the guy keep his encrypted container in? Flag format: full path, e.g. C:\VeraCrypt\MyContainer.vc

Solution

1. Navigate to [iPhone] → Artifacts → Overview → Chats
2. Read the chat; at the end, the bad guy tries to send a panic command to the bot, but the bot throws an exception: Exception has happened: Traceback (most recent call last): File "Y:\baker\bot.py", line 98, in destroy_encrypted_container os.remove(cryptocontainer) PermissionError: [WinError 32] The process cannot access the file because it is being used by another process: 'C:/Users/phorger/Documents/de...
3. Review the Windows' image in the File System viewer. What could match that "de..." file in that C:\Users\phorger\Documents? It appears to be desktop.ini
4. Hm... ini file. Now, pay attention to the dialogue between your hero and his Chief. Typically, almost meaningless, this time they provide a good hint! Your hero says, "The file might be drifting in an undercurrent, hidden from plain sight."
5. Undercurrent, current, stream... he hints at an alternate data stream!
6. Click on the desktop.ini and notice that Belkasoft reveals an Alternate Data Stream named vault.vhdx

Flag

C:\Users\phorger\Documents\desktop.ini:vault.vhdx (accepted also without ":vault.vhdx"; this task was solved 69 times)

9. Luxury (Warmup)

Question

Which luxurious item did Phorger put his laundered money into? Flag format: full name incl. any codes, e.g. Bugatti Chiron BG744

Solution

1. First, decrypt the crypto container. To do so, extract it from the alternate data stream (using Belkasoft, you can achieve this by opening its Hex Viewer full screen, select all, and clicking "Save selection")
2. Navigate to the [iPhone] → Artifacts → Overview → Notes. In the notes, you will find the BitLocker recovery key: BitLocker recovery Identifier: 929983CA-5012-49E9-A194-4550C08C6127 Recovery key: 590238-514580-359986-088242-029766-319495-410509-636911
3. Mount the extracted vault.vhdx on your Windows, and choose to unlock BitLocker using the recovery key
4. Inside the crypto container, you will find an Excel file called Spending.xlsx
5. Look for a line detailing the biggest expense:

Flag

Rolex Submariner Date ref 126619LB (this task was solved 51 times)

10. Vacation (Tricky)

Question

Which concert were Phorger and his girlfriend planning to attend in May? Format: artist, venue, city, e.g. Taylor Swift, Friends Arena, Stockholm

Solution

1. Navigate to [iPhone] → Artifacts → Overview → Chats. In the Telegram chat on December 24th, it is mentioned that Drew and William discussed the planned May trip, but then Drew deleted everything.
2. Navigate to [Windows] → Artifacts → Overview → Browsers → Cache. Search for cached images (image/jpeg) from Telegram web. Among them, there is the poster you are looking for:

Flag

Eric Clapton, Accor Arena, Paris (this task was solved 17 times)

11. Illustrator (Warmup)

Question

What's the name of the person who designed the print template for the bills? Flag format: First name Last name

Solution

1. On the crypto container in \baker\presets\, there is a PSD file with a print template for the bill. In its metadata, the edits of this file are logged; metadata is visible in the Hex Viewer: … File 50_USD_Series_2004_Note_Front.psd opened Open false true C:\Users\DrewLinesworth\Documents\work\50_USD_Series_2004_Note_Front.psd 64

Flag

Drew Linesworth (this task was solved 36 times)

12. Homebrew Lab (Tricky)

Question

Where is the makeshift lab where they printed the cash located? Flag format: full address, e.g. 314 S Main St, Kirksville, MO

Solution

1. Navigate to [iPhone] → Artifacts → Overview → Geofences
2. A geofence is set upon leaving the point 38° 35' 32.797" N, 90° 3' 26.37" W (actually, it is a geo-reminder with the text “Turn off the fume hood!”)
3. Search this location on Google Maps

Flag

900 N 88th St, East St Louis, IL (this task was solved 36 times)

13. Largest Batch (Warmup)

Question

What is the precise moment their largest printing batch was completed? Provide exact timestamp in a common format, e.g. 2023-07-17 17:07:07 UTC

Solution

1. As you know, printing was initiated through a Telegram bot. Navigate to [iPhone] → Artifacts → Overview → Chats
2. Search for the largest printing batch (of 160 sheets)
3. Check the timestamp of the message from the bot about the end of work

Flag

02.04.2024 22:44:30 UTC (this task was solved 61 times)

14. Device (Tricky)

Question

What's the printer model they used to print money? For example, Canon Color imageCLASS MF656Cdw

Solution

1. Navigate to [Windows] → Artifacts → Overview → System files → Connected USB devices → USB devices
2. In the device connection history you will find an HP device with VID_03F0&PID_042A
3. Google for this VID

Flag

HP LaserJet Professional M1132 MFP (this task was solved 51 times)

15. Night Shift (Tricky)

Question

Which ATM did Phorger test his bills on recently? Flag format: bank and street name, e.g. Chase ATM on S Main St

Solution

1. Navigate to [iPhone] → Artifacts → Overview → Chats
2. In the chat, it is mentioned that on April 1st, the guy was informed that the ATM did not accept the fakes, and he decided tp go check them.
3. Navigate to [iPhone] → Artifacts → Overview → Wi-Fi connections
4. On April 3rd at 2 am, there's a connection to the Wi-Fi network UCPLPublicWireless

5. Use wigle.net to find this Wi-FI location by its MAC address, google its name to find some PDFs mentioning the hotspot. Either way, you will figure that this is the network of University City Public Library:

6. Google for ATMs nearby

Flag

Regions Bank ATM on Delmar Blvd (this task was solved 19 times)

16. Mole (Hard)

Question

Who leaked the technical data on the bill validator to the gang? Flag format: First name Last name

Solution

1. Unlock the crypto container in Windows and mount it as a logical drive
2. Add it as a data source to Belkasoft X (Add data source → Add existing → Disk drive → Logical drive)
3. Carve the entire data source with all artifacts selected (use the "Carve all space option")
4. A deleted PDF with the label CONFIDENTIAL is found (the file name will be "document_00000D45D000.pdf", where the number represents an offset on the disk):

5. Open the file in any PDF viewer. The file turns out to be digitally signed by the insider:

Flag

Kenneth Leek (this task was solved 11 times)

17. Financial institution (Hard)

Question

Which offshore financial institution did the gang bank with? Provide its SWIFT code.

Solution

Well, this is by far the toughest task in the entire CTF! Kudos to the 4 players who were so persistent that they solved this incredibly difficult task.

Navigate to [iPhone] → Artifacts → Overview → Chats. In the chat, the boss says on March 1st, that he opened a Panamanian bank account. Some time later, Chase start communicating using cryptic hex messages:

>>2fce2a77262293ce51775dfc9322937afc115177c2e7e7ce11e377f822e77a93223b773bce9393cebd779c51 
<< a9a62f0081ed12650012caed12650012ca        

Trace back when the hex communication started—it is January 16th:

>> No messaging apps can be trusted, believe me.         

>> Have you got the Shortcut I sent to you? << Yes, Chase, but no idea how to approach its use.         

>> Just press Share on any text. And punch in the secret key we agreed on in the box that pops up.         

<< addaf04dc94ddaf04ddfc980661fc91e7caac9f0dadac94df1664d0c        

1. Looks like an external third-party encryption is used, implemented as an iOS Shortcut
2. Navigate to [iPhone] → Artifacts → Structure → iPhone → Mobile applications → Biome notifications
3. There, you can find several notifications with titles SecuEncrypt and SecuDecrypt that originated from com.apple.shortcuts
4. Search where shortcuts are stored—/private/var/mobile/Library/Shortcuts/Shortcuts.sqlite
5. The database structure is quite complicated, but if you extract strings (UTF-16, for example with the strings2 utility), you will see JavaScript code executed by the shortcut to encrypt data:

In a nutshell, the code turns the key given to it into two numbers—"a" and "b", and then transforms each text character, multiplying it by a and adding b

6. Since there are not so many variations of a and b, you can decrypt the encryption by brute force, leaving only the results made up entirely of printable characters. Here is a sample code for brute-forcing:

7. Try this code for the very first message to test. You will see the following:

It works!

8. So, now try it on the biggest message from the chat, near the discussion of the offshore account:

Flag

CRVBPA2P (this task was solved 5 times)

18. Statement (Hard)

Question

Paste Phorger's entire bank statement here, containing all his offshore transactions.

Solution

1. Navigate to the [iPhone] → Artifacts → Overview → Browsers → Sessions
2. There, you will see visits to Crooked River Bank at crbk.org

3. The bank's site has a login form (requires login and password) and a password recovery option (requires login and card number):

4. On the Windows image, there is a file C:\Users\phorger\Pictures\Capture2.png, which has a screenshot of several transactions in Panamanian balboas

5. If you look at this file in the Hex Viewer, you can see that the PNG marker of IEND is located approximately at 15% from the beginning of the file, and after it, there's a lot of data, which also ends with IEND

6. This is a sign of the Acropalypse bug—the screenshot app first takes a full-screen screenshot and writes it to a file as PNG, and when cropping, it overwrites the file content with the new cropped PNG, but does not truncate the file to the new length—so the tail of the full-screen PNG remains in the file

7. From this tail, you can recover the image, for example, with the Acropalypse-Multi-Tool

8. On the uncropped image, you can see the login "william_phorger" and the card number "1234 9936 8022 7397"

9. Using these details, you can reset the password for the account on crbk.org

10. To download the full transaction history, the bank asks to confirm the operation with a one-time code from a 2FA app

11. Find the iTunes backup inside the Windows image and navigate to pictures inside on the Artifacts → Structure → iPhone → Pictures

12. Among the pictures, there is a deleted screenshot of an export from the Google Authenticator app:

13. You can import it into the Google Authenticator app or decode it with the tool https://github.com/dim13/otpauth, and generate a 6-digit code with the authenticator

14. After entering the code, the bank gives out a CSV with the transaction history: