As usual, start your CTF by read the question/description that indeed “very helpful” XD

Download the “” & extract it. You’ll get the folders like below:

So I randomly checked under the svc_wgmy folder, the most interesting folder is on Desktop:

I see there’s a file named “flag.png”. But when I try to view it, it shows error:

hmm. Let’s see what filetype is this:

Oh! It’s a Zip archive. Let’s open it using 7-Zip:

Enter password? Hmm.. But I don’t have the password. Let’s search for password in the evidence given.

I tried checked on \evidence\svc_wgmy\AppData\Local\Google\Chrome\User Data; to see if Chrome browser history might have clue or password. But its empty.

So I go check on \evidence\svc_wgmy\AppData\Local\Microsoft\Terminal Server Client\Cache folder:

It contains 2 file; .bmc & .bin file.

I went to search for those 2 file extension & came across with this site –

Posts: 98
Trusted Member
I'm not sure if this will help, available from the Guidance Software website. It mentions that it can be used to extract images from the files with *.bmc and *.bin extension.


Hmm.. RDP Cached Bitmap Extractor. So its related to something something RDP image something something :p

So I went to use tool from here:

I use the “-b/–bitmap” option – Provide a collage bitmap aggregating all the tiles.

After the operation complete, you’ll get a file “*_collage.bmp“. If you look carefully, you’ll see an “Enter password” image/screenshot:

Enter the password that you see from .bmp file to open the flag.txt inside

Note: I guess the hint “Where aRe you?” probably want to hint about RDP? Maybe…

By zam

Any Comments?

This site uses Akismet to reduce spam. Learn how your comment data is processed.