English [Juniors CTF 2016] [Forensic 500 – The Good, the Bad and the Junkman] Write Up

Description

– Hey, Mabel! Help me
– What`s up, Gruncle?
– I`ve cleaned up the store recently and now some stuff is missing. I think It must be somewhere here

Resolution

We were given a zipped file with a “something” directory containing a Chrome app data directory.
One of the things to do, is to load directly the profile into Chrome (why using carving, or forensics tools?).

C:\Program Files (x86)\Google\Chrome\Application>chrome.exe --user-data-dir="D:\CTF\JuniorCTF\something\Google\Chrome\User Data"

You don’t know where to start after?
We have the answer! 😀

chrome://chrome-urls/

After looking into the history, we looked into the cache:

chrome://cache/

Searching “flag” we found:

chrome://view-http-cache/https://www.youtube.com/results?search_query=flag_ctf_some_interesting_here_go_go_be_bolder+

https://www.youtube.com/results?search_query=flag_ctf_some_interesting_here_go_go_be_bolder+

There’s only one video available:
search
https://www.youtube.com/watch?v=M2z5MWkBRZk

Flag was “Well_done_You_are_find_me.”…well in fact not at all.
What a troll! 🙁

The real flag was in the video!
video

Flag was A_little_bit_of_magic

Leave a Reply

Your email address will not be published.