
Magnet User Summit CTF: Exfiltration


Hope you are having a great Sunday, and we are continuing our write-up. No more AXIOM, by the way! You wanted open source tools for the CTF solutions, so we did it 🙂

Application for Exfil

Which application was used to exfiltrate data on the compromised system?

Let’s look into the itsupport user profile folder:

Dropbox and OneDrive both look very suspicious; let’s look inside Dropbox:

Bingo! Dropbox is the flag!

Browser to Download Dropbox

Which browser was used to download the application that exfiltrated the data?

Ok, we know that it was itsupport who used Dropbox for exfiltration. So we need to find the web browsers installed by this user. Let’s look into AppData, more exactly – C:\Users\itsupport\AppData\Roaming:

Yes, Maxthon5 is a web browser, so let’s start with it. If you look at C:\Users\itsupport\AppData\Roaming\Maxthon5\Public\Downloader\TaskList, you’ll find a file named {6F3E1C74-4C0A-4747-8B21-27D988BF985E}.tsk. Here are its contents:

That’s it, the flag is Maxthon5.

Data Exfiltrated

How much data was sent out via the application exfiltrating the data? [answer in bytes]

We are sure you already know where to look for the answer – SRUDB.dat. This is an ESE database located under C:\Windows\system32\sru\:

Let’s parse its contents with Mark Baggett’s srum-dump utility and search for dropbox.exe:

So, the flag is 1363639.
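Summing the per-interval rows that srum-dump shows for a process is the step that actually produces the answer, so here is an added Python example (not part of the original write-up and not srum-dump's own code) that reads a CSV export of the SRUM network usage table and totals BytesSent per application. It assumes the export keeps the raw table's column names (AppId, BytesSent, BytesRecvd); the rows below are constructed for the example, not taken from the CTF image.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export of the SRUM network usage table from SRUDB.dat
# (provider {973F5D5C-1D90-4944-BE8E-24B94231A174}). Paths, SIDs and byte
# counts are made up for this example; real exports hold one row per process
# and hourly interval, so a single application appears many times.
SAMPLE_CSV = r"""TimeStamp,AppId,UserId,BytesSent,BytesRecvd
2019-04-14 10:00:00,\device\harddiskvolume2\users\itsupport\appdata\roaming\dropbox\bin\dropbox.exe,S-1-5-21-1-2-3-1001,1200000,20000
2019-04-14 11:00:00,\device\harddiskvolume2\users\itsupport\appdata\roaming\maxthon5\bin\maxthon.exe,S-1-5-21-1-2-3-1001,5000,9000000
2019-04-14 12:00:00,\device\harddiskvolume2\users\itsupport\appdata\roaming\dropbox\bin\dropbox.exe,S-1-5-21-1-2-3-1001,345678,15000
"""


def bytes_by_app(csv_text):
    """Return {app_path: (bytes_sent, bytes_received)} summed over all rows."""
    totals = defaultdict(lambda: [0, 0])
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Header spelling varies between exports ("Bytes Sent" vs "BytesSent"),
        # so normalise to lower case without spaces before looking columns up.
        r = {k.replace(" ", "").lower(): v for k, v in row.items()}
        app = r["appid"].lower()
        totals[app][0] += int(r["bytessent"])
        totals[app][1] += int(r["bytesrecvd"])
    return {app: tuple(v) for app, v in totals.items()}


def bytes_sent_by(csv_text, exe_name):
    """Total BytesSent for every AppId whose path ends with exe_name."""
    suffix = "\\" + exe_name.lower()
    return sum(sent for app, (sent, _) in bytes_by_app(csv_text).items()
               if app.endswith(suffix))


def top_senders(csv_text, n=5):
    """Applications ranked by bytes sent, the first place to look for exfil."""
    ranked = sorted(bytes_by_app(csv_text).items(),
                    key=lambda item: item[1][0], reverse=True)
    return [(app, sent) for app, (sent, _) in ranked[:n]]


if __name__ == "__main__":
    for app, sent in top_senders(SAMPLE_CSV):
        print(f"{sent:>12} bytes sent  {app}")
    print("dropbox.exe total:", bytes_sent_by(SAMPLE_CSV, "dropbox.exe"))
```

Point the same functions at the real export of the image's SRUDB.dat and the dropbox.exe total is the value the question asks for.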

That’s all for today!

Happy forensicating!

About the authors

Oleg Skulkin, GCFA, MCFE, ACE, is a DFIR enthusional (enthusiast + professional), Windows Forensics Cookbook and Practical Mobile Forensics co-author.

Igor Mikhaylov, MCFE, EnCE, ACE, OSFCE, is a digital forensic examiner with more than 20 years of experience and Mobile Forensics Cookbook author.
