![](https://i0.wp.com/blog.khairulazam.net/wp-content/uploads/2023/12/wgmy-Compromised.png?resize=320%2C180&ssl=1)
As usual, start your CTF by reading the question/description, which is indeed “very helpful” XD
Download “evidence.zip” & extract it. You’ll get folders like below:
![](https://i0.wp.com/blog.khairulazam.net/wp-content/uploads/2023/12/wgmy-Compromised1.png?resize=310%2C290&ssl=1)
So I randomly checked under the svc_wgmy folder; the most interesting folder is Desktop:
![](https://i0.wp.com/blog.khairulazam.net/wp-content/uploads/2023/12/wgmy-Compromised2.png?resize=640%2C172&ssl=1)
I see there’s a file named “flag.png”. But when I try to view it, it shows an error:
![](https://i0.wp.com/blog.khairulazam.net/wp-content/uploads/2023/12/wgmy-Compromised9.png?resize=305%2C155&ssl=1)
Hmm. Let’s see what file type this is:
![](https://i0.wp.com/blog.khairulazam.net/wp-content/uploads/2023/12/wgmy-Compromised3.png?resize=640%2C50&ssl=1)
Oh! It’s a Zip archive. Let’s open it using 7-Zip:
![](https://i0.wp.com/blog.khairulazam.net/wp-content/uploads/2023/12/wgmy-Compromised4.png?resize=519%2C393&ssl=1)
Enter password? Hmm.. But I don’t have the password. Let’s search for the password in the evidence given.
I tried checking \evidence\svc_wgmy\AppData\Local\Google\Chrome\User Data to see if the Chrome browser history might have a clue or the password. But it’s empty.
So I went to check the \evidence\svc_wgmy\AppData\Local\Microsoft\Terminal Server Client\Cache folder:
![](https://i0.wp.com/blog.khairulazam.net/wp-content/uploads/2023/12/wgmy-Compromised5.png?resize=640%2C153&ssl=1)
It contains 2 files: a .bmc file and a .bin file.
I went to search for those 2 file extensions & came across this site – https://www.forensicfocus.com/forums/general/remote-desktop-cache-files/
> hommy0 (@hommy0): I'm not sure if this will help, available from the Guidance Software website. It mentions that it can be used to extract images from the files with *.bmc and *.bin extension. https://www.guidancesoftware.com/app/RDP-Cached-Bitmap-Extractor Regards
Hmm.. RDP Cached Bitmap Extractor. So it’s related to something something RDP image something something :p
So I went to use the tool from here:
I used the “-b/--bitmap” option – Provide a collage bitmap aggregating all the tiles.
![](https://i0.wp.com/blog.khairulazam.net/wp-content/uploads/2023/12/wgmy-Compromised6.png?resize=640%2C103&ssl=1)
After the operation completes, you’ll get a file “*_collage.bmp”. If you look carefully, you’ll see an “Enter password” image/screenshot:
![](https://i0.wp.com/blog.khairulazam.net/wp-content/uploads/2023/12/wgmy-Compromised7.png?resize=640%2C174&ssl=1)
Enter the password you see in the .bmp file to open the flag.txt inside flag.zip:
![](https://i0.wp.com/blog.khairulazam.net/wp-content/uploads/2023/12/wgmy-Compromised8.png?resize=315%2C75&ssl=1)
Note: I guess the hint “Where aRe you?” probably wants to hint at RDP? Maybe…