As usual, start your CTF by reading the question/description, which was indeed “very helpful” XD

Download the “evidence.zip” & extract it. You’ll get folders like the ones below:

So I randomly checked under the svc_wgmy folder; the most interesting folder is Desktop:

I see there’s a file named “flag.png”. But when I try to view it, it shows an error:

Hmm. Let’s see what file type this really is (the extension is only a name; the magic bytes at the start of the file tell the truth):

Oh! It’s a Zip archive. Let’s open it using 7-Zip:

Enter password? Hmm.. But I don’t have the password. Let’s search for the password in the evidence given.

I tried checking \evidence\svc_wgmy\AppData\Local\Google\Chrome\User Data to see if the Chrome browser history might have a clue or the password. But it’s empty.

So I went to check the \evidence\svc_wgmy\AppData\Local\Microsoft\Terminal Server Client\Cache folder:

It contains 2 files: a .bmc file & a .bin file.

I searched for those 2 file extensions & came across this site – https://www.forensicfocus.com/forums/general/remote-desktop-cache-files/

Quoting hommy0 (@hommy0, Trusted Member, 98 posts) from that thread:

    I'm not sure if this will help, available from the Guidance Software website. It mentions that it can be used to extract images from the files with *.bmc and *.bin extensions.

    https://www.guidancesoftware.com/app/RDP-Cached-Bitmap-Extractor

    Regards

Hmm.. RDP Cached Bitmap Extractor. So it’s related to something something RDP image something something :p In short: the Terminal Server Client keeps a persistent bitmap cache, i.e. tiles of the remote desktop’s screen that mstsc received during RDP sessions, so whatever the user saw over RDP may be partly recoverable from these files.

So I went to use the tool from here:

I used the “-b/--bitmap” option – Provide a collage bitmap aggregating all the tiles.

After the operation completes, you’ll get a file “*_collage.bmp”. If you look carefully, you’ll see an “Enter password” image/screenshot:

Enter the password you see in the .bmp file to open the flag.txt inside flag.zip:
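The two checks above (is “flag.png” really a PNG, and is the archive inside it password-protected?) plus the final “try the password from the screenshot” step, as an added Python example that is not part of the original write-up or of any tool it mentions. It uses only the standard library: file type is sniffed from magic bytes instead of the extension, the ZIP central directory is read to see whether members carry the encryption flag, and a list of candidate passwords is tried against the protected member. Because the stdlib cannot write encrypted archives, the block builds its own constructed sample (a STORED member protected with traditional ZipCrypto, mirroring the decrypter in the zipfile module); the flag text, the password “P@ssw0rd” and the candidate list are made up for the demo and are not the CTF’s values.

```python
import io
import os
import struct
import zipfile
import zlib

# Magic-byte signatures; the extension is just a label the creator chose.
MAGICS = (
    (b"\x89PNG\r\n\x1a\n", "PNG image"),
    (b"PK\x03\x04", "ZIP archive"),
    (b"BM", "BMP image"),
)


def sniff(data: bytes) -> str:
    """Identify a file by its leading bytes, the way `file` does."""
    for magic, name in MAGICS:
        if data.startswith(magic):
            return name
    return "unknown"


def zip_entries(data: bytes):
    """(name, encrypted) per member; bit 0 of the general-purpose flag
    in the central directory marks an encrypted entry."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [(zi.filename, bool(zi.flag_bits & 0x1)) for zi in zf.infolist()]


def try_passwords(data: bytes, member: str, candidates):
    """Try each candidate; return (password, plaintext) or (None, None).
    zipfile raises RuntimeError on a bad check byte and BadZipFile on a
    CRC mismatch, both of which just mean 'wrong password' here."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for pwd in candidates:
            try:
                return pwd, zf.read(member, pwd=pwd.encode())
            except (RuntimeError, zipfile.BadZipFile):
                continue
    return None, None


# --- constructed sample below: a ZipCrypto-protected archive built by hand ---

def _crc_table():
    table = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
        table.append(c)
    return table


_CRC_TABLE = _crc_table()


def zipcrypto_encrypt(password: bytes, plaintext: bytes) -> bytes:
    """Traditional PKWARE stream cipher (the inverse of zipfile's decrypter)."""
    k0, k1, k2 = 0x12345678, 0x23456789, 0x34567890

    def update(byte):  # key schedule is driven by the plaintext bytes
        nonlocal k0, k1, k2
        k0 = (k0 >> 8) ^ _CRC_TABLE[(k0 ^ byte) & 0xFF]
        k1 = (k1 + (k0 & 0xFF)) & 0xFFFFFFFF
        k1 = (k1 * 134775813 + 1) & 0xFFFFFFFF
        k2 = (k2 >> 8) ^ _CRC_TABLE[(k2 ^ (k1 >> 24)) & 0xFF]

    for b in password:
        update(b)
    out = bytearray()
    for p in plaintext:
        t = (k2 | 2) & 0xFFFF
        out.append(p ^ (((t * (t ^ 1)) >> 8) & 0xFF))
        update(p)
    return bytes(out)


def build_encrypted_zip(name: str, plaintext: bytes, password: bytes) -> bytes:
    """One STORED member, flag bit 0 set, 12-byte ZipCrypto prefix whose
    last byte is the CRC's high byte (the decrypter's password check)."""
    crc = zlib.crc32(plaintext) & 0xFFFFFFFF
    body = zipcrypto_encrypt(password, os.urandom(11) + bytes([crc >> 24]) + plaintext)
    fname, flags, t, d = name.encode(), 0x1, 0, 0x21  # DOS date 1980-01-01
    local = struct.pack("<4s2B4HL2L2H", b"PK\x03\x04", 20, 0, flags, 0, t, d,
                        crc, len(body), len(plaintext), len(fname), 0) + fname
    central = struct.pack("<4s4B4HL2L5H2L", b"PK\x01\x02", 20, 0, 20, 0, flags, 0,
                          t, d, crc, len(body), len(plaintext), len(fname),
                          0, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack("<4s4H2LH", b"PK\x05\x06", 0, 0, 1, 1,
                       len(central), len(local) + len(body), 0)
    return local + body + central + eocd


if __name__ == "__main__":
    # Constructed evidence: a "flag.png" that is really a protected ZIP.
    fake_png = build_encrypted_zip("flag.txt", b"WGMY{constructed-sample-flag}\n", b"P@ssw0rd")
    print("flag.png is a", sniff(fake_png))
    print("members:", zip_entries(fake_png))
    # Candidates as read off the recovered RDP screenshot (made up here).
    print("result:", try_passwords(fake_png, "flag.txt", ["letmein", "Summer2020", "P@ssw0rd"]))
```

On a real case, point `sniff` and `zip_entries` at the bytes of the suspicious file from the evidence folder and feed `try_passwords` whatever strings you can read off the collage bitmap. Note that `zf.read` ignores the password for an unencrypted member, so check the encryption flag first rather than treating a successful read as proof the password was right.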

Note: I guess the hint “Where aRe you?” was probably meant to hint at RDP? Maybe…

By zam
