[NDH 2018] [Forensics 200 – Where Is My Purse] Write Up

Description

Help an important person find the contents of his digital purse.

Resolution

Since this was not the intended solution, we think it is worth sharing! 🙂

Decompressing whereismypurse.7z gives two files:
– whereismypurse.vdi: the virtual machine's disk image
– whereismypurse.raw: a dump of its memory

Starting with the memory dump (the -e l option makes strings look for 16-bit little-endian strings, i.e. Windows UTF-16LE text):

$ strings -e l whereismypurse.raw | grep purse | sort | uniq
?a=wmk:payto?purse=
Group:InternetCreation:26/12/2017Username:****Access:26/12/2017Password:****Modification:26/12/2017Attachment:Expiration:Jamais [-]URL:decred walletComment:pass to decrypt my purse
on:Jamais [-]URL:Comment:pass to decrypt my purse : )
pass to decrypt my purse
pass to decrypt my purse : )

We can see that KeePass was running, but the most interesting part concerns a wallet:

$ strings -e l whereismypurse.raw | grep wallet | sort | uniq
\??\C:\Users\SatNak\decred\dcrwallet.exe
\??\C:\Users\SatNak\decred\decred-windows-amd64-v1.1.2\dcrwallet.exe
Dcrwallet
@decred wallet
decred wallet
ed wallet
Group:InternetCreation:26/12/2017Username:****Access:26/12/2017Password:****Modification:26/12/2017Attachment:Expiration:Jamais [-]URL:decred walletComment:pass to decrypt my purse
    Information may be used by the Web site to complete the activity for which it was provided, whether the activity is a one-time event, such as returning the results from a Web search, forwarding an e-mail message or placing an order; or a recurring event, such as providing a subscription service or allowing access to an online address book or electronic wallet.
wallet bitcoin decred - Recherche Google
wallet.db

Apart from the executable, the Google search and the KeePass entry, the only interesting item was "wallet.db".
After mounting the VM's hard drive, we looked for wallet.db on the disk and dumped its strings:

$ find . -name 'wallet.db' -exec strings {} \; | sort | uniq
...
date
default
defaultwatchonly
dNdk*^Zz
e['Aw
Ej:Q:n
flag{thx_you_found_my_wallet}
;gC(
GFJCi
imported
importedacctididx
...

And there was the flag, in the midst of garbage! 😀

flag{thx_you_found_my_wallet}
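The whole write-up rests on one technique: carving printable strings out of an unstructured binary (the memory dump with UTF-16LE strings, the wallet.db with ASCII strings) and filtering them by keyword. The script below is an added example, not part of the original write-up; it reimplements `strings`, `strings -e l`, `grep`, `sort` and `uniq` in Python so the offsets and encodings of each hit are kept, and runs against a constructed stand-in for the dump that embeds a few of the strings quoted above (the sample bytes, `build_sample_dump`, and the function names are my own assumptions):

```python
import re
import sys
from typing import Iterator, List, Optional, Tuple

# Regex source for a run of printable ASCII bytes (what plain `strings` reports).
ASCII_RUN = rb"[\x20-\x7e]{%d,}"
# Regex source for a run of printable ASCII bytes each followed by NUL,
# i.e. UTF-16LE text as Windows stores it (what `strings -e l` reports).
UTF16LE_RUN = rb"(?:[\x20-\x7e]\x00){%d,}"


def extract_strings(data: bytes, min_len: int = 4) -> Iterator[Tuple[int, str, str]]:
    """Yield (offset, encoding, text) for every printable run of at least min_len chars."""
    for m in re.finditer(ASCII_RUN % min_len, data):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in re.finditer(UTF16LE_RUN % min_len, data):
        yield m.start(), "utf-16le", m.group().decode("utf-16-le")


def grep_strings(data: bytes, pattern: str, min_len: int = 4) -> List[str]:
    """Sorted, de-duplicated strings matching pattern: `strings | grep | sort | uniq`."""
    rx = re.compile(pattern)
    return sorted({text for _, _, text in extract_strings(data, min_len) if rx.search(text)})


def find_flag(data: bytes, min_len: int = 4) -> Optional[str]:
    """Return the first flag{...} token found in any carved string, or None."""
    for _, _, text in extract_strings(data, min_len):
        m = re.search(r"flag\{[^}]*\}", text)
        if m:
            return m.group()
    return None


def build_sample_dump() -> bytes:
    """Constructed stand-in for whereismypurse.raw: strings from the write-up mixed with noise."""
    noise = bytes(range(32)) * 3  # 96 non-printable bytes between each item
    parts = [
        noise,
        b"wallet.db\x00",                                           # ASCII, NUL-terminated
        noise,
        "pass to decrypt my purse".encode("utf-16-le"),             # KeePass comment, wide string
        noise,
        r"\??\C:\Users\SatNak\decred\dcrwallet.exe".encode("utf-16-le"),
        noise,
        b"\x8a\x01\xf3flag{thx_you_found_my_wallet}\x00\x17",        # flag amid wallet.db garbage
        noise,
        b"GFJCi\x00",
        noise,
    ]
    return b"".join(parts)


if __name__ == "__main__":
    # Usage: python carve.py <file> <regex>   (falls back to the constructed sample)
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
        pattern = sys.argv[2]
    else:
        blob, pattern = build_sample_dump(), "purse|wallet"
    for hit in grep_strings(blob, pattern):
        print(hit)
    print("flag:", find_flag(blob))
```

The two regexes are deliberately naive, exactly like `strings`: a wide string immediately following a NUL-terminated ASCII string would be glued to its last byte, which is why real dumps produce fragments such as the "ed wallet" seen above. Keeping the offset and encoding of each hit is what lets you go back with a hex editor and see what structure surrounds a candidate, which is the step that separates a lucky grep from a forensic finding.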
