CSCV2025-FINAL-WRITEUP-CASECHARLIE#
This is write up for challenge Case Charlie (Forensics) in CSCV2025 FINAL
From MTA.SUPPORT (Military Technical Academy)
Hi everyone, last Saturday I have solved this forensics challenge in the final round of Cybersecurity Contest Viet Nam 2025. Today, I will tell you how to solve this 400 points challenge.
1, Preparation
First, I download the file gave by Author (This file is nearly 10GB so that I had downloaded it 2 days before the contest started). After download and unzip file, I have 3 files below
Next, I read file Readme.pdf and read all the information of this situation
Collecting all the information and the password to unzip file evidences, I conclude that this is a cybercrime investigation involving unauthorized hacking, data theft and crypto. My task is to analyze the seized server, recover information related to the suspect, and answer investigative questions
=> I need to analysis file evidences.vmdk (get this file after unzip evidences) and connect to the instance and answer question
- Following, I fetch instance and connect to my virtual machine by netcat
=> This challenge request us to answer 6 questions relate to a cybercrime
2, Analysis
Question 1: What was the last time the suspect logged into the server? (UTC / 24 hours format)
- Because we all know that wtmp is a file that records every login/logout session. When a user logs in, Linux writes a new record to wtmp. When the user logs out, another record is written.
→ Every new login → wtmp is written → the file is “modified”. So that I find the wtmp in the disk and note the last time this file modified
root/var/log/wtmp
- It can be easy to see that the answer is
2025-11-08 04:32:56
Question 2: The suspect used a chat application to communicate. What is the name of this application? Format: chatapp. Example: whatsapp, telegram, Discord
The author give us a example of chat application, so that I need to file a suspect app contain the communication between suspects
After find information for nearly 30 minutes, I finally find a doubt conversation between s3v3n_wOndEr113 and the0nlymak3r1338
The first line is: 12:56 -!- Irssi: Starting query in liberachat with the0nlymak3r1338
-> the suspect app is
Irssi
Question 3 Identify the usernames (handles) of the suspect and their contact in the chat application. (Case Sensitive) Format: uS3rNaME13, c0nT4cTn4m3
- This question is easy because I have already found 2 peoples chatting in the logs
-> the usernames is:
s3v3n_wOndEr113, the0nlymak3r1338
Question 4 What was the last time the suspect sent a message to their contact? (UTC / 24 hours format) Format: YYYY-MM-DD HH:MM
- The author ask us when the time the conversation ended, read the log and scroll to the end, it is easy to see that the time is 04:36
- The chat is opened Fri Nov 07 12:56:16 2025 (On the top of the log)
-> the answer is:
2025-11-08 04:36
Question 5 What command did the suspect use to overwrite the current user’s .bash_history file to cover their tracks?
- I use a super trick in this question, that is STRINGS & GREP
- Use this command in CMD:
strings -n 5 E:\khang\cscv2025_final\forensics-Case_Charlie-f0f1f0e74a82270c9374bf0a9facd097\evidences\evidences.vmdk | findstr /i .bash_history - Because this file is so large, so that using strings is hard work, but Practice makes perfect, after nearly 5 minutes waiting, I see a suspect command
sudo shred -vfz /home/ubuntu/.bash_history
shred: a command that securely overwrites a file multiple times to make its contents extremely difficult or impossible to recover, even with forensic tools.
-v (verbose): Shows detailed output about what shred is doing (progress messages).
-f (force): Forces overwriting the file even if the file has certain protection, such as read-only permissions or immutable attributes.
-z (zero pass): After overwriting with random data, shred performs one final overwrite with zeros to hide the fact that the file was shredded.
-> so that the answer for this question is: sudo shred -vfz /home/ubuntu/.bash_history
Question 6 The suspect accidentally left behind an email address. What is the email address? Format: name@domain. Example: this_Is_an_3xample_email1213@proton.me
This question request us to find an email address of the suspect, it isn’t easy to find, I look for this by scroll all the file in the disk but it is nothing there. Then the author publish a hint to discover
After reading a hint, I summary it with the log from Q2 to Q4, I have a important information -> some image had been pulled in a file with old cred (I need to find it after) and use testing to pull it, this information remind me to Docker, so that I scroll to Docker file to dig for more information
In .docker/config.json, I can find a registry url and a base64 strings
Decode this strings in Cyberchef and I have this asjdkhufh832:glpat-xwghQbDTsJbs1B2MubX_zG86MQp1OmlxOHVzCw.01.120yvtp2f -> user: asjdkhufh832 PAT: glpat-xwghQbDTsJbs1B2MubX_zG86MQp1OmlxOHVzCw.01.120yvtp2f Credentials: registry.gitlab.com
Having 3 keys to solve this question, I use this information to login in Docker and fortunately it’s successful
echo "glpat-xwghQbDTsJbs1B2MubX_zG86MQp1OmlxOHVzCw.01.120yvtp2f" | docker login registry.gitlab.com -u asjdkhufh832 --password-stdin
- Then I use ’testing’ to pull the image
docker image save -o solve.tar registry.gitlab.com/somegroup5803945/jkfhskdf2314:testing
- After that, I got a file solve.tar so that I use a Command to extract layer of this file
tar -xf solve.tar -C extracted
cd extracted
for d in */; do
[ -f "$d/layer.tar" ] && tar -xf "$d/layer.tar" -C ../rootfs
done
- Following this, I have a file name “roofts” so I use Grep to find an email
-> finally I find the suspect email name: phuchungh96@gmail.com -> Answer for the last question is: phuchungh96@gmail.com
Get the flag After answer 6 questions, we have this
So that the final flag is: CSCV2025{docKER_St0r35_0uR_cR3deNtI41S-UneNCrYPTed-ln_lt5-cOnfig_file_lmao_xd_Ow0}