index

Relizane vs Tizi

1
in my heart.
2
I can't pass a day without writing something about Relizane, in my documents, images... everywhere.
3
Some of my friends from Tizi-Ouzou (script-kiddies) are jealous of me and my beloved city.
4
They compromised my computer and deleted 03 of my files that contain worthy unique words I wrote about Relizane.
5
In the same time, I tried to quickly copy at least the content of file 01 to a safer host but the second I hit CTRL+C CTRL+V boom the copmuter just crashed.
6

7
    Can you please use your DFIR skills to at least recover my worthy words!

Author : Houssem0x1

Overview

In this challenge we were given a windows filesystem taken with Kape, and tasked to recover the deleted files.

Starting with the first part Relizane_part_1.txt First idea that came to mind was to basically use strings and grep for the flag format :

Deleted files

Which gives us the first part of the flag

1
└─[$] echo 'bmV4dXN7UmVsaXphbmVfMSRfRVAxQw==' | base64 -d
2
nexus{Relizane_1$_EP1C

The screenshot shows that the JPG image contains embedded thumbnail data, Windows stores such thumbnail cache data in thumbcache_X.db files, which are located in the following location C:/Users/username/AppData/Local/Microsoft/Windows/Explorer

1
┌─[graychi@Chihiro] - [~/ctf/nexus/forensics/relvsti/C/Users/relizane/AppData/Local/Microsoft/Windows/Explorer] - [10242]
2
└─[$] l
3
total 11M
4
drwxrwxr-x 2 graychi graychi 4.0K May  3 20:31 .
5
drwxrwxr-x 5 graychi graychi 4.0K Apr 11 09:24 ..
6
-rw-rw-r-- 1 graychi graychi   24 Oct 17  2024 thumbcache_1280.db
7
-rw-rw-r-- 1 graychi graychi 1.0M Oct 17  2024 thumbcache_16.db
8
-rw-rw-r-- 1 graychi graychi   24 Oct 17  2024 thumbcache_1920.db
9
-rw-rw-r-- 1 graychi graychi 3.0M Oct 19  2024 thumbcache_256.db
10
-rw-rw-r-- 1 graychi graychi   24 Oct 17  2024 thumbcache_2560.db
11
-rw-rw-r-- 1 graychi graychi 1.0M Oct 17  2024 thumbcache_32.db
12
-rw-rw-r-- 1 graychi graychi 1.0M Oct 19  2024 thumbcache_48.db
13
-rw-rw-r-- 1 graychi graychi 1.0M Apr 11 07:44 thumbcache_768.db
14
-rw-rw-r-- 1 graychi graychi 3.0M Oct 17  2024 thumbcache_96.db
15
-rw-rw-r-- 1 graychi graychi   24 Oct 17  2024 thumbcache_custom_stream.db
16
-rw-rw-r-- 1 graychi graychi   24 Oct 17  2024 thumbcache_exif.db
17
-rw-rw-r-- 1 graychi graychi  29K Oct 19  2024 thumbcache_idx.db
18
-rw-rw-r-- 1 graychi graychi   24 Oct 17  2024 thumbcache_sr.db
19
-rw-rw-r-- 1 graychi graychi   24 Oct 17  2024 thumbcache_wide.db
20
-rw-rw-r-- 1 graychi graychi   24 Oct 17  2024 thumbcache_wide_alternate.db

I started by checking thumbcache_768.db as it was the most recent modified file, Using thumbcacheviewer ( Here I had to switch to windows ) You can download the tool from here Parsing the db file we get :

Deleted files

For the third and final part Relizane_part_3.docx, After struggling for a while with this question and trying to cheese it using string, I’ve finally decided to use the sane way and start doing proper research until I stumbled upon : https://www.aon.com/cyber-solutions/aon_cyber_labs/windows-search-index-the-forensic-artifact-youve-been-searching-for/ Talking about how Windows.edb stores files indexes in the past 24h and most importantly partial files content, which can be located at C/ProgramData/Microsoft/search/data/applications/windows After trying a bunch of different parsing tools and getting shit outputs, I found sidr tool

1
┌─[graychi@Chihiro] - [~/ctf/nexus/forensics/relvsti/C/ProgramData/Microsoft/search/data/applications/windows/sidr] - [10287]
2
└─[$] ./target/release/sidr -f csv ../
3
Processing ESE db: ../Windows.edb
4
/home/graychi/ctf/nexus/forensics/relvsti/C/ProgramData/Microsoft/search/data/applications/windows/sidr/DESKTOP-RELIZAN_File_Report_20250503_195722.298075656_dirty.csv
5
/home/graychi/ctf/nexus/forensics/relvsti/C/ProgramData/Microsoft/search/data/applications/windows/sidr/DESKTOP-RELIZAN_Internet_History_Report_20250503_195722.298126537_dirty.csv
6
/home/graychi/ctf/nexus/forensics/relvsti/C/ProgramData/Microsoft/search/data/applications/windows/sidr/DESKTOP-RELIZAN_Activity_History_Report_20250503_195722.298139336_dirty.csv
7

8
WARNING: The database state is not clean.
9
Processing a dirty database may generate inaccurate and/or incomplete results.
10

11
Use esentutl for recovery (/r) and repair (/p).
12
Note that esentutl must be run from a version of Windows that is equal to or newer than the one that generated the database.
13
Processing ESE db: ../sidr/tests/testdata/Windows.edb
14
/home/graychi/ctf/nexus/forensics/relvsti/C/ProgramData/Microsoft/search/data/applications/windows/sidr/DESKTOP-80RDGLC_File_Report_20250503_195722.435250914_dirty.csv
15
/home/graychi/ctf/nexus/forensics/relvsti/C/ProgramData/Microsoft/search/data/applications/windows/sidr/DESKTOP-80RDGLC_Internet_History_Report_20250503_195722.435316606_dirty.csv
16
/home/graychi/ctf/nexus/forensics/relvsti/C/ProgramData/Microsoft/search/data/applications/windows/sidr/DESKTOP-80RDGLC_Activity_History_Report_20250503_195722.435333058_dirty.csv
17

18
WARNING: The database state is not clean.
19
Processing a dirty database may generate inaccurate and/or incomplete results.
20

21
Use esentutl for recovery (/r) and repair (/p).
22
Note that esentutl must be run from a version of Windows that is equal to or newer than the one that generated the database.
23
Processing SQLite db: ../sidr/tests/testdata/Windows.db
24
/home/graychi/ctf/nexus/forensics/relvsti/C/ProgramData/Microsoft/search/data/applications/windows/sidr/DESKTOP-O47KVAD_File_Report_20250503_195722.519416061.csv
25
/home/graychi/ctf/nexus/forensics/relvsti/C/ProgramData/Microsoft/search/data/applications/windows/sidr/DESKTOP-O47KVAD_Internet_History_Report_20250503_195722.519648197.csv
26
/home/graychi/ctf/nexus/forensics/relvsti/C/ProgramData/Microsoft/search/data/applications/windows/sidr/DESKTOP-O47KVAD_Activity_History_Report_20250503_195722.519686640.csv
27

28

29
Found 2 Windows Search database(s)
30

31
Found 1 Windows Search database(s)
32
┌─[graychi@Chihiro] - [~/ctf/nexus/forensics/relvsti/C/ProgramData/Microsoft/search/data/applications/windows/sidr] - [10288]
33
└─[$] l
34
total 2.1M
35
drwxrwxr-x 7 graychi graychi 4.0K May  3 20:57 .
36
drwxrwxr-x 4 graychi graychi 4.0K May  3 20:54 ..
37
drwxrwxr-x 8 graychi graychi 4.0K May  3 20:54 .git
38
-rw-rw-r-- 1 graychi graychi    8 May  3 20:54 .gitignore
39
-rw-rw-r-- 1 graychi graychi 5.3K May  3 20:54 .gitlab-ci.yml
40
drwxrwxr-x 2 graychi graychi 4.0K May  3 20:54 .world
41
-rw-rw-r-- 1 graychi graychi  42K May  3 20:54 Cargo.lock
42
-rw-rw-r-- 1 graychi graychi  989 May  3 20:54 Cargo.toml
43
-rw-rw-r-- 1 graychi graychi 115K May  3 20:57 DESKTOP-80RDGLC_Activity_History_Report_20250503_195722.435333058_dirty.csv
44
-rw-rw-r-- 1 graychi graychi 411K May  3 20:57 DESKTOP-80RDGLC_File_Report_20250503_195722.435250914_dirty.csv
45
-rw-rw-r-- 1 graychi graychi 2.7K May  3 20:57 DESKTOP-80RDGLC_Internet_History_Report_20250503_195722.435316606_dirty.csv
46
-rw-rw-r-- 1 graychi graychi 118K May  3 20:57 DESKTOP-O47KVAD_Activity_History_Report_20250503_195722.519686640.csv
47
-rw-rw-r-- 1 graychi graychi 634K May  3 20:57 DESKTOP-O47KVAD_File_Report_20250503_195722.519416061.csv
48
-rw-rw-r-- 1 graychi graychi  12K May  3 20:57 DESKTOP-O47KVAD_Internet_History_Report_20250503_195722.519648197.csv
49
-rw-rw-r-- 1 graychi graychi  15K May  3 20:57 DESKTOP-RELIZAN_Activity_History_Report_20250503_195722.298139336_dirty.csv
50
-rw-rw-r-- 1 graychi graychi 654K May  3 20:57 DESKTOP-RELIZAN_File_Report_20250503_195722.298075656_dirty.csv
51
-rw-rw-r-- 1 graychi graychi    0 May  3 20:57 DESKTOP-RELIZAN_Internet_History_Report_20250503_195722.298126537_dirty.csv
52
-rw-rw-r-- 1 graychi graychi  574 May  3 20:54 LICENSE
53
-rw-rw-r-- 1 graychi graychi 2.5K May  3 20:54 README.md
54
drwxrwxr-x 2 graychi graychi 4.0K May  3 20:54 src
55
drwxrwxr-x 3 graychi graychi 4.0K May  3 20:56 target
56
drwxrwxr-x 4 graychi graychi 4.0K May  3 20:54 tests
57
-rw-rw-r-- 1 graychi graychi 6.1K May  3 20:54 velosidr.yaml

Running cat *.csv | grep docx to filter out the different results, we get : Deleted files in the west of algeria. It is the best city ever... 58 32 67 77 62 54 4e 66 49 7a 51 34 4d 44 41 77 49 58 30 Houssem0x1 Windows Search I

1
└─[$] echo 5832677762544e66497a51344d444177495830 | xxd -r -p
2
X2gwbTNfIzQ4MDAwIX0
3
┌─[graychi@Chihiro] - [~/ctf/nexus/forensics/relvsti/C/ProgramData/Microsoft/search/data/applications/windows/sidr] - [10301]
4
└─[$] echo 'X2gwbTNfIzQ4MDAwIX0' | base64 -d
5
_h0m3_#48000!}%

Final flag nexus{Relizane_1$_EP1C_w0nd3rFul_&_h0m3_#48000!}

Relizane is Down v2.0

1
fter a long time doing research one Kernel security and even Browser exploitaion (v8), my friend @shadx0w didn't successed to find any CVEs this year, he was very low on $$ and needed a job like normal people, so I decided to hire him as a junior system/network analyst to secure the infrastructure of Relizane city. On his first day of job, he started to google about some automated network analysis software to automate some of the taks, he found an interesting kernel module and immediately went to execute it on one of the important servers,then boom; immediately the system freezed (rabi yahdik a Djaoued).
2

3
I staretd doing some analysis on the incident, can you plase help me answering the questions below!
4

5
        What was the Process ID (PID) and the Command Name of the task that was running on the CPU when the panic occurred?
6
        What was the IP adress of the machine when the panic occured?
7
        Identify the debugfs directory controlling the panic trigger. What is the associated module filename (*.ko)?
8
        A flag is hiding within the module's data buffer in memory, can you retrieve it ?
9

10
flag format: nexus{PID:coammand_IP_module_filename.ko_flag}
11
flag example: nexus{1337:awk_172.137.10.180_root_kit.ko_nexus{somthing_here}}

We were presented with a kernel crash mem dump, to analyze such files we need to use a tool such crash with the right symbol tables fortuantely enough after asking nicely the author provided the vmlinux file We start analyzing by running crash vmlinux-5.13.0-30-generic ubuntu20.04-5.13.0-30-generic-20250427.kdump

PID | command:

Running bt to backtrace the crash reason we straight up get :

1
crash> bt
2
PID: 2408     TASK: ffff961c0c8e1840  CPU: 1    COMMAND: "tee"

IP:

Running nt to view the network logs

1
crash> net
2
   NET_DEVICE     NAME       IP ADDRESS(ES)
3
ffff961c02347000  lo         127.0.0.1, ::1
4
ffff961c03e3c000  ens33      192.168.10.144, fe80::bb16:2ef9:9a77:8720

rootkit.ko :

Running log to check the system logs and going through them

1
crash> log

We find

1
[   60.591839] rfkill: input handler enabled
2
[   64.716879] rfkill: input handler disabled
3
[  169.947597] exfil_agent: loading out-of-tree module taints kernel.
4
[  169.947641] exfil_agent: module verification failed: signature and/or required key missing - tainting kernel
5
[  169.947915] ExfilAgent: Initializing exfiltration agent...
6
[  169.947918] ExfilAgent: Stealth protocol engaged.
7
[  169.947925] ExfilAgent: Agent active. Control: /sys/kernel/debug/exfil_ctrl/trigger
8
[  187.502418] ExfilAgent: Performing emergency cleanup...
9
[  187.502422] ExfilAgent: Sensitive data partially wiped.
10
[  187.502423] Kernel panic - not syncing: ExfilAgent: Unrecoverable error during exfiltration phase.

Flag :

Running search to basically grep the flag

1
crash> search -c "nexus"
2
ffff961c04afb1c8: nexus{Th3_W1p3r_M1ss3d_Th1s_Sp0t!_48000$$$}......6ExfilA

Forensics writeups