
Decontamination

Description

Time Corp is currently undergoing recovery from a major breach. In a last ditch effort to maintain access, the hackers dropped malicious files at various points in the network. While most of them were caught, the Incident Response team believes there may still be undiscovered files. Can you find the malicious file in the provided list? Flag Format: retroCTF{FILENAME_HERE}

Find the Trash

We are given two files, SuspiciousFiles.txt and DetectedSamplesList.txt. The latter contains:

Payroll_AF19FD5349.docm
PayrollE8ADFBBA4134.xlsm
Payroll_C32BADE1.xlsm
PayrollBE349BE24.docm
Payroll_ABCDEFABCD.xlsm
Payroll1234567890.docm

We can make the following observations about the malicious file:

  • Ends with .docm or .xlsm

  • Starts with Payroll

  • Payroll may be followed by an optional underscore _, then 8 to 12 characters from A-F and 0-9

We can create a regular expression such as ^Payroll_?[A-F0-9]{8,12}\.(docm|xlsm)$

  • ^ - Beginning of string

  • Payroll - Starts with "Payroll"

  • _? - Can have 0 or 1 "_"

  • [A-F0-9]{8,12} - Characters from "A" to "F" or "0" to "9" are used 8 to 12 times

  • \.(docm|xlsm) - Either ".docm" or ".xlsm" (the dot is escaped so that it matches only a literal ".")

  • $ - End of string

Using it to search, we find there is only one result: Payroll_EA026F52BAF.xlsm
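
An added example, not part of the original write-up: the pattern is first checked against the six known-bad names from DetectedSamplesList.txt, then run over a constructed stand-in for SuspiciousFiles.txt. The decoy names and the helper names missed and hunt are assumptions; the LOOSE pattern shows what a bare "." before the extension would also accept.

```python
import re

# The write-up's pattern, with the dot before the extension escaped.
STRICT = re.compile(r"^Payroll_?[A-F0-9]{8,12}\.(docm|xlsm)$")
# Same pattern with a bare "." (matches any character), kept for comparison.
LOOSE = re.compile(r"^Payroll_?[A-F0-9]{8,12}.(docm|xlsm)$")

# Known-bad names quoted on the page (DetectedSamplesList.txt).
DETECTED = [
    "Payroll_AF19FD5349.docm", "PayrollE8ADFBBA4134.xlsm",
    "Payroll_C32BADE1.xlsm", "PayrollBE349BE24.docm",
    "Payroll_ABCDEFABCD.xlsm", "Payroll1234567890.docm",
]

# Constructed stand-in for SuspiciousFiles.txt (assumed: one name per line).
# Only the last entry comes from the page; the rest are made-up near misses.
SUSPICIOUS = """\
Payroll_2023_Q1.xlsx
Payroll_ea026f52baf.xlsm
Payroll_EA026F5.docm
Payroll_EA026F52BAF1234.xlsm
Payroll_G1234567AB.docm
Payroll_AB12CD34Xdocm
Payroll_EA026F52BAF.xlsm.bak
Invoice_AF19FD5349.docm
Payroll_EA026F52BAF.xlsm
"""

def missed(pattern, known_bad):
    """Known-bad names the pattern fails to match; should be empty before hunting."""
    return [n for n in known_bad if not pattern.fullmatch(n)]

def hunt(pattern, text):
    """Names in `text` (one per line) that match the whole pattern."""
    names = (line.strip() for line in text.splitlines())
    return [n for n in names if n and pattern.fullmatch(n)]

if __name__ == "__main__":
    # A signature that misses a known sample is too narrow to hunt with.
    assert missed(STRICT, DETECTED) == []
    print("strict:", hunt(STRICT, SUSPICIOUS))
    print("loose: ", hunt(LOOSE, SUSPICIOUS))
```

fullmatch is used instead of relying on $ alone because Python's $ also matches just before a trailing newline.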

Flag

retroCTF{Payroll_EA026F52BAF.xlsm}
