Challenges from the 2018 DFRWS Rodeo, organized by Matthew Geiger and Andrew White.

Notes:

  • Flags are case sensitive
  • Flags do not contain spaces unless otherwise specified
  • Since some challenges were set up on the fly, the original names and descriptions are not available for some challenges
  • While not intentionally malicious, unknown scripts and binaries should be run in a VM for safety
  • Some challenges which required specially configured networked resources are not available

Crypto - awhpxtvlndkfesormcjgubziqy

Author: Andrew White

Description:

Your colleague Victor, a fan of classical ciphers who usually drives squad car 29, was just found in the break room passed out while straddling his chair. Seeing the curious piece of paper in his hand, you decide to investigate this artifact before calling for help. What could this series of numbers mean?

6022242824626632432625495608279591362824261

Flag SHA256: b49fcbb73d4199b7ed392d1888afe89840580a7bc719279802b773b399e03bce

Crypto - Forensic ICO

Author: Matthew Geiger

Description:

Have you heard? ForensiCoin is the hot new crypto-currency that is headed for an ICO. Forensics + blockchain = profit, right?

Anyway, you have been commissioned to verify the blockchain scheme. Based on the following specifications, generate the verification hash for the block with blockid == 2000 and submit it to see if you can successfully match it to our reference sample.

Problem: ForensiCoin_blockchain_spec.pdf

Flag SHA256: 560fbdddd5440ffc76d58e4761920fe8be907e18a4d2a562900dafbadd1404e4

Crypto - The Good Seed

Author: Matthew Geiger

Description:

We found these files on the target’s system - how can we use them to get their private key?

Problem: booty.zip

Flag SHA256: 8b6b2aecd7b0a1cf2055fa56ad932d5f0a7f48b3a55fff1a4a159b48d92e15c4

Crypto - Hashcrypt

Author: Andrew White

Description:

Your organization has been hit by a new variant of ransomware and the password to the backups has been encrypted! An analyst has looked at the malware and determined how the encryption algorithm works; apparently there is a weakness that allows partial recovery. Can you recover the backup password from the encrypted file?

Problem: hashcrypt.zip

Flag SHA256: 9bfd8da9be0de0be2cb5091312e5c515b90e502a7e807ee9418178a95cb0da32


Files - Leaky Document

Author: Andrew White

Description:

We intercepted this document leaving a secure facility. At first glance it looks normal but there is more to this document than meets the eye. Can you find the hidden message?

Problem: DigitialForensics.doc

Flag SHA256: c40f1570b8256bc2eed662ecd55d44696dfa65fe0033c61f90df40bd7d759700

Files - Pinful

Author: Andrew White

Description:

You forgot the 4-digit pin that protects your password database! Luckily, you did not choose a very good password storage application. Can you recover your passwords?

Problem: Pinful.zip

Flag SHA256: 9ba3ca0e60fa20cde5ecf8acc81e521fa5f9f703ba70b33543bf6a14d4343d6d

Files - Ready Player One?

Author: Matthew Geiger

Description:

Do you know how the game is played? Are you keeping score?

If so, what will the high score be the next time you play after scoring 67?

Problem: supertrooper

Flag SHA256: 2ee25b0744b51a9b8bcdfd6870b48161b1dccc68cb048fe13a7b846f98e3a2ff

Files - Very Bizarre Encoding

Author: Andrew White

Description:

The opposing counsel at trial has presented this file as being a key piece of evidence. Can you figure out what the hell it means?

Problem: file

Flag SHA256: f716a97ee3addbc168aaa874eca7b8705e8326fd36348344f82c05ed54d49bf3

Files - WeCanRebuildIt

Author: Andrew White

Description:

One of your subordinates has managed to misplace a key piece of evidence. Can you rebuild it using the file they left behind?

Problem: rule.yara

Flag SHA256: f9c6f7ca14c6f3929356d139de67a7b5a9f0e3fbce5843585204b3ddda9f51f5


Forensics - Celebrate March 14

Author: Matthew Geiger

Description:

Can you retrieve the flag from this funky filesystem?

Problem: filesystem.tar.gz

Flag SHA256: c092797c555703a388627a17ceea224f8ab2c757c9251b0dac0a006c729e93e5

Forensics - Echo Of The Past

Author: Matthew Geiger

Description:

Can you decode this echo of the past?

Problem: echo_of_the_past.7z

Flag SHA256: 13a2416fcd8d427af75024054b8198c1b704929ae1fd48eb05166a944cba20f4

Forensics - MemoriesEasy

Author: Andrew White

Description:

Someone is trying to be sneaky and hide the flag in a suspicious looking allocation - can you find it?

Note this image file is shared between all “Memories” challenges - password is obl3feJ)yciM

Problem: Memories.vmem.7z

Flag SHA256: b01b94cc1dff7001b585bf3affec3f0f316a39bbebcb1be47d72bb1a74b4770f

Forensics - MemoriesMedium

Author: Matthew Geiger

Description:

A target of investigation has deployed some anti-forensic techniques to disguise their communications. Can you find out which codeword the flag is?

Note this image file is shared between all “Memories” challenges - password is obl3feJ)yciM

Problem: Memories.vmem.7z

Flag SHA256: af75e97ab9e4e0854f5d910cc7e2d6994ff4c32818dbca4e2c5618ce6e50a2c7

Forensics - MemoriesHard

Author: Andrew White

Description:

Heaps of things have happened and the FLAG may not have remained intact. Can you rebuild it?

Note this image file is shared between all “Memories” challenges - password is obl3feJ)yciM

Problem: Memories.vmem.7z

Flag SHA256: aa7306c93d25a5ec0c2ba23ddcb66b1d83225a75ffaf858a9034c65f1a57e85b

Forensics - Yes but Y?

Author: Matthew Geiger

Description:

Your friend from Usenet snagged the flag for you and put it in the attached archive. Easy, right?

Note - flag has spaces

Problem: puzzle.zip

Flag SHA256: cb31e74d8639c343a152389c0665e3d9f3559ef1fc7ac80b5eae9e71ffe09bd8


Network Stuff - Something About Blind Pigs and Acorns

Author: Matthew Geiger

Description:

Server code unavailable

Flag SHA256: N/A

Network Stuff - Defend The Perimeter

Author: Matthew Geiger

Description:

I’m not at my desk right now, can you log in and check my mail for me?

Note - this was originally a networked challenge. To solve this challenge, you will need to run the server and get it to redirect you to the flag, rather than read it from the source.

Problem: forward.zip

Flag SHA256: 578b2f9e1ee5614656648928ce0105658e8040b55197568c4650169d08c84e54

Network Stuff - D’Oh, eh?

Author: Matthew Geiger

Description:

You have been alerted by your EDR to suspicious activity on a key executive’s computer. Investigating, you find a suspicious file was added to the start-up folder. You retrieve it and start to analyze it. However, it looks like the bad guys might have goofed so it doesn’t work quite right. Can you fix it and figure out what it does?

Problem: bad.ps1

Flag SHA256: 68ff1cb1c78739af696dfeabd3f66f8d3bc46f87bb73f1f846813c4e375be4d4

Network Stuff - Littering and …

Author: Matthew Geiger

Description:

Someone made a mess in this pcap, can you figure out what they were trying to say?

Problem: output.pcap

Flag SHA256: 68ff1cb1c78739af696dfeabd3f66f8d3bc46f87bb73f1f846813c4e375be4d4


Trivia - I Got a Fever

Author: Matthew Geiger

Description:

What is the name of the organization that produced this redacted image?

Note - flag has spaces

Problem: which_agency_produced.png

Flag SHA256: 74c621c4d2d357267234a2e2a91f156bb9f108a910b6d2b5e6057ce26481c8e6

Trivia - Spaf!

Author: Matthew Geiger

Description:

N/A - you had to be there

Flag SHA256: N/A

Trivia - Wearables!

Author: Matthew Geiger

Description:

N/A - you had to be there

Flag SHA256: N/A

Trivia - When Worlds Collide

Author: Matthew Geiger

Description:

What was the hash of the first published MD5 hash collision?

Flag SHA256: ee729e9b711b3fa83a817f0aeba820d38509702ba2f74ea9d21d86a26b7a2f98

Trivia - Yo Face!

Author: Matthew Geiger

Description:

N/A - this challenge was removed due to issues

Flag SHA256: N/A