BITSCTF 2025 - DFIR challenges

Introduction

We solved all 3/3 tasks.

Baby DFIR

Use AccessData FTK Imager. [screenshots: ftk-1, ftk-2]

Flag: BITSCTF{a_really_simple_intro_to_DFIR_12848a9e}

Virus Camp 1

From file: .vscode\extensions\undefined_publisher.activate-0.0.1\out\extension.js [screenshot: virus-camp-1-1]

From CyberChef: [screenshot: virus-camp-2-1]

Flag: BITSCTF{H0w_c4n_vS_c0d3_l3t_y0u_publ1sh_m4l1cious_ex73nsi0ns_SO_easily??_5a7b336c}

Virus Camp 2


Simple decoder:

```powershell
# Key-derivation parameters
$password = "MyS3cr3tP4ssw0rd"
$salt = [Byte[]](0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08)
$iterations = 10000
$keySize = 32   # AES-256 key length in bytes
$ivSize = 16    # AES block size in bytes

# PBKDF2 (this constructor defaults to HMAC-SHA1). The second GetBytes call
# continues the same output stream, so the IV is the 16 bytes after the key.
$deriveBytes = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($password, $salt, $iterations)
$key = $deriveBytes.GetBytes($keySize)
$iv = $deriveBytes.GetBytes($ivSize)

# Relative paths passed to .NET resolve against the process working directory,
# which can differ from the PowerShell location; use full paths if in doubt.
$inputFile = "flag.enc"
$outputFile = "flag_decrypted.png"

# AES-256-CBC with PKCS7 padding
$aes = [System.Security.Cryptography.Aes]::Create()
$aes.Key = $key
$aes.IV = $iv
$aes.Mode = [System.Security.Cryptography.CipherMode]::CBC
$aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7

$decryptor = $aes.CreateDecryptor()

# Read ciphertext through the decrypting stream and write plaintext out
$inStream = New-Object System.IO.FileStream($inputFile, [System.IO.FileMode]::Open)
$cryptoStream = New-Object System.Security.Cryptography.CryptoStream($inStream, $decryptor, [System.Security.Cryptography.CryptoStreamMode]::Read)

$outStream = New-Object System.IO.FileStream($outputFile, [System.IO.FileMode]::Create)

$buffer = New-Object Byte[] 4096
while (($bytesRead = $cryptoStream.Read($buffer, 0, $buffer.Length)) -gt 0) {
    $outStream.Write($buffer, 0, $bytesRead)
}

$cryptoStream.Close()
$inStream.Close()
$outStream.Close()
```

Flag: BITSCTF{h0pe_y0u_enj0yed_th1s_145e3f1a}
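
The same decryption ported to Python for an analysis workstation without PowerShell, as an added example that is not part of the original write-up. It makes explicit that the two `GetBytes` calls read one continuous PBKDF2-HMAC-SHA1 stream. Assumptions: the third-party `cryptography` package is installed for AES, and the plaintext is a PNG, as the output file name above suggests.

```python
import hashlib

# Parameters copied from the PowerShell decoder above.
PASSWORD = b"MyS3cr3tP4ssw0rd"
SALT = bytes(range(1, 9))            # 0x01 .. 0x08
ITERATIONS = 10000
KEY_SIZE, IV_SIZE = 32, 16
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"     # assumption: plaintext is a PNG


def derive_key_iv(password=PASSWORD, salt=SALT, iterations=ITERATIONS):
    """Mirror GetBytes(32) then GetBytes(16) on one Rfc2898DeriveBytes object.

    The three-argument .NET constructor uses HMAC-SHA1, and successive
    GetBytes calls continue one PBKDF2 output stream, so the IV is bytes
    32..47 of a single 48-byte derivation, not a second derivation.
    """
    stream = hashlib.pbkdf2_hmac("sha1", password, salt, iterations,
                                 KEY_SIZE + IV_SIZE)
    return stream[:KEY_SIZE], stream[KEY_SIZE:]


def looks_like_png(data):
    """Cheap confirmation that key, IV and cipher mode were right."""
    return data.startswith(PNG_MAGIC)


def decrypt(ciphertext, key, iv):
    """AES-256-CBC with PKCS7 padding (needs the `cryptography` package)."""
    from cryptography.hazmat.primitives import padding
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    padded = dec.update(ciphertext) + dec.finalize()
    unpadder = padding.PKCS7(128).unpadder()
    # finalize() raises ValueError when the padding is invalid (wrong key/IV)
    return unpadder.update(padded) + unpadder.finalize()


if __name__ == "__main__":
    key, iv = derive_key_iv()
    with open("flag.enc", "rb") as fh:
        plain = decrypt(fh.read(), key, iv)
    if not looks_like_png(plain):
        raise SystemExit("output is not a PNG: wrong parameters or wrong file")
    with open("flag_decrypted.png", "wb") as fh:
        fh.write(plain)
```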