Skip to content

Intigriti 1337UP CTF 2024: Password Management

TL;DR

  • Analyse provided disk image with forensic tools.
  • Recover deleted image files from unallocated space.
  • One image contains a master password.
  • Extract Firefox profile data from the disk image.
  • Use recovered master password to decrypt saved credentials.
  • Flag found in Firefox saved passwords.

Challenge Description

My computer broke and I don't know what to do! Can you take a look at the drive? There shouldn't be any sensitive information on there, I deleted personal files a while ago..

Solution

Players will download the disk image and analyse it with some forensics tool, e.g. FTKImager or Autopsy. I like FTKImager for file recovery but Autopsy has some extra features to pull out interesting files, patterns, indicators etc.

Disk image loaded in forensic analysis tool

Players will find 13 images that were deleted (and recycle bin emptied), but this doesn't erase them fully!

List of deleted images recovered from disk

So, let's extract them.

Extracting deleted image files from disk image

12 of the images are AI generated, the last one is a photograph of a password: SevenSuns397260

Recovered photo showing handwritten password

Players can find reference of interesting website visit https://super-really-real-bank.com in the web data.

Browser history entry for super-really-real-bank.com

A bit of a hint that players should focus on browser history but it is encrypted!

{
    "nextId": 2,
    "logins": [
        {
            "id": 1,
            "hostname": "https://super-really-real-bank.com",
            "httpRealm": null,
            "formSubmitURL": "",
            "usernameField": "",
            "passwordField": "",
            "encryptedUsername": "MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECPe0E72Bq278BAiGUkKH0HzoSg==",
            "encryptedPassword": "MFoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECNF/qseckS4/BDBYcrwEBJ5T2lxluEtiFPFfypt58TEfdDyZBaUN/7HFp4I02jsv/XKzazHG/NOHFNk=",
            "guid": "{c3899385-98e9-4900-b9de-1fabf67ed153}",
            "encType": 1,
            "timeCreated": 1728583953428,
            "timeLastUsed": 1728583953428,
            "timePasswordChanged": 1728583953428,
            "timesUsed": 1,
            "syncCounter": 1,
            "everSynced": false,
            "encryptedUnknownFields": "MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECN2bf71w2iK/BAiWVos1I88Zqw=="
        }
    ],
    "potentiallyVulnerablePasswords": [],
    "dismissedBreachAlertsByLoginGUID": {},
    "version": 3
}

Let's extract the Firefox browser data! It's Windows, so the profiles will be stored at C:\Users\cat\AppData\Roaming\Mozilla\Firefox\Profiles\

We can use a tool like firefox decrypt to get some juicy passwords, cookies etc (providing we have the master password).

Players use the password they found earlier to unlock the data (SevenSuns397260), then in the cookies/saved passwords will be the flag 😼

python firefox_decrypt.py /home/crystal/Desktop/pass_management/profile/

Master Password for profile /home/crystal/Desktop/pass_management/profile/:

Website:   https://super-really-real-bank.com
Username: 'cat'
Password: 'INTIGRITI{4n_unf0r7un473_53r135_0f_m1574k35}'

Flag: INTIGRITI{4n_unf0r7un473_53r135_0f_m1574k35}

BTW sorry the image was so big! I actually tried to make this with Windows 10, Windows 7, and Windows XP and ran into different issues each time. I tried to clear up as many files as possible and compress etc but could never get it under 5gb lol. My first time making this kind of forensics challenge so if anyone has any tips for future, let me know!