The Spy Write-up

By
Nash N Sulthan
Published on
20 Nov 2021
4 min read
DOMECTF2021

Story

We recently captured a spy. Our forensic team provided this file for further research. Find what is the plan. Note: Flag will be three words, separated by underscores.

Solution

From the story, we understand that this is a forensic challenge listed as OSINT.

So,let us dig a little deeper into it.

Prior to on the analysis, we need to tell Volatility what kind of memory image we are working with. The imageinfo plugin will scan the image and suggest several likely profiles.

lockbox1

In Volatility, we can see a lot of suggestions for the profile. The first one would be sufficient for analysis.

Then we need to check the running processes using the pslist plugin as shown in the image given below.

lockbox1

As you can see, there are a lot of open applications. And the interesting part is that Internet Explorer is found to be open. So let us check its search history.

lockbox1

Here we can see lots of results and the last one is a Pastebin URL.

lockbox1

And on browsing the Pastebin URL, we can see the page as shown below.

lockbox1

It looks like a Hint. So let’s move to the next stage by searching for any mention of the flag in the file given.

lockbox1

On having a closer look, we can see a file named ‘domectf.webp’. So let us download and inspect the image using volatility3.

lockbox1
lockbox1

By this, we would receive an image of a ship which looks like as shown below.

lockbox1

As mentioned previously, the challenge is an OSINT.

So, let us start with getting more info about this image. On a closer inspection, we can derive the following information:

Name of ship: Veendam

The image was captured on: 05-09-2016

Let us try to find out where the ship was on that day.

lockbox1

From the search, we can find that the ship was in Halifax’s shipping port.

Now, let us search for Halifax shipping port in Google Street View & 360°. From this, we can confirm that the location is the port of Halifax, with the help of the glass building.

In Pastebin, we had seen the phrase “Your secret code will be beneath the foot of shipping magnate”.

Now, let us search for the shipping magnate of Halifax. From the search results, we can conclude that it is Sir Samuel Cunard. And there is a statue of him near the port.

lockbox1

On a closer look and remembering the note stated in the story, Flag will be three words, separated by underscores.

We can conclude that the flag is domectf{Haligonian_World_Benefactor}


Written by
Nash N Sulthan
Nash N Sulthan
Cyber Security Lead Engineer
Experience the Beagle Security platform
Unlock one full penetration test and all Advanced plan features free for 10 days