ASCWG Qual Round Df Challenges Writeup

Ebrahim Mustafa
3 min readAug 8, 2023

root of evil:

Description:During our investigation in the memory dump from the first challenge, our investigator stumbled upon a signed malicious driver that wes deployed on the machine, could you get the address of the windows API functions, which the driver was using?

Difficulty:Easy

Flag Format:ASCWG{Address1-Address2}

first i will use vol3

let’s search drivers with windows.driverscan

i found MSqPq.sys and search on it ifound this malicious driver used wth blackcat ransomware

then i dump it with vol2

python2 vol.py — profil=Win10x64_19041 -f ~/Desktop/Challenges1–2.vmem moddump -D ./

ok then let’s open it with ida

HalReturnToFrimware, KeIntitilzeEvent

ok this called apis and adresses

ok final flag is :

ASCWG{f8044b06c093-f8044b06c07b}

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

Track a coin from your crypto O valley of plenty

Description:During the investigation in one of the cases, our forensics analysts were tasked with tracing the following transaction hash which occured on a trial network, and get the first address who sent money. Could you find that address?

Transaction Hash:0xa150ff06619b927cc323f16984a679a24b07265f1c1a664f1c729177929cebae

after search ifound

and start investigate

let’s show what the first address who make payout transacton to reciver

this first transaction from 0xEDaf4083F29753753d0Cd6c3C50ACEb08c87b5BD

flag : ASCWG{0xEDaf4083F29753753d0Cd6c3C50ACEb08c87b5BD}

Challenge: We have a new contract for you

Description:During further investigation on the wallet that received money that we found from the transaction hash in the previous challenge, we noticed there's a token that was generated, and used to send money as part of money laundring. Could find the last address that received tokens from this contract, and the address of the smart contract?

Flag Format:ASCWG{contract address: last wallet address}

from previous challenge i know challenge let’s show contract by show all transactions user make it ,

By clicking on contract creation i get the first part of the flag, which is the contract’s address.

0x7b799DFbbfD91ECA3E82F2378455ab09463f1C73

now we have two solutions i will use easy one

first one is easy if you know the last transction record into contract will recored on orignal transcton just look on to you will find last address recive this tokens this address 0x3a79022e90fF621cd3Cc54FE95873E1A50722B97

And now we get the second part of the flag.

Flag: ASCWG{0x7b799DFbbfD91ECA3E82F2378455ab09463f1C73:0x3a79022e90fF621cd3Cc54FE95873E1A50722B97}

Free

Distraction-free reading. No ads.

Organize your knowledge with lists and highlights.

Tell your story. Find your audience.

Membership

Read member-only stories

Support writers you read most

Earn money for your writing

Listen to audio narrations

Read offline with the Medium app

Ebrahim Mustafa
Ebrahim Mustafa

Written by Ebrahim Mustafa

Cyber Security Pentester ,Bug hunter ,CTF player and Coder

No responses yet

Write a response