Hacktober 2020 CTF - AmCaching In

Oct 16, 2020


Challenge Description

The amcache can be a pretty handy tool to help build out a timeline of execution during an investigation, and is always located in %SystemRoot%\AppCompat\Programs\Amcache.hve. What was the application installed by the user mpowers? Submit the flag as flag{program}.


Solution

For this task we used RegRipper. You can run the program in either environment, on Windows or on Linux using Wine; there is also an official repo for Kali users 👀

In a Windows environment we parsed the Amcache.hve file content with RegRipper, then grepped the output for the user name mpowers:

C:\Users\ADMIN\Desk\CTF\HT\RegRipper3.0> rip.exe -r C:\Users\ADMIN\Desk\CTF\HT\Amcache.hve -a > ..\out.txt
C:\Users\ADMIN\Desk\CTF\HT\RegRipper3.0> cd ..
C:\Users\ADMIN\Desk\CTF\HT>type out.txt |findstr /I "mpowers"
    c:\users\mpowers\appdata\local\temp\d930e9b6-7d1b-4a5d-804e-ce667e431ff9\dismhost.exe  LastWrite: 2018-08-08 03:17:33Z
    c:\users\mpowers\desktop\ftk imager\ftk imager.exe  LastWrite: 2018-08-08 20:19:12Z
    c:\users\mpowers\downloads\python-3.7.0-amd64-webinstall.exe  LastWrite: 2018-07-23 13:38:02Z
    c:\users\mpowers\appdata\local\temp\4\{b04d01b2-0174-4ef5-8fb5-84584c0964f5}\.be\python-3.7.0-amd64-webinstall.exe  LastWrite: 2018-07-23 13:38:23Z
    c:\users\mpowers\appdata\local\temp\4\{4a1d9cda-5382-4f04-b44d-51927f9c602a}\.cr\python-3.7.0-amd64-webinstall.exe  LastWrite: 2018-07-23 13:38:18Z
    c:\users\mpowers\desktop\sub-win-x64_104.148.109.124_5682_3262.exe  LastWrite: 2018-08-08 05:21:15Z

C:\Users\ADMIN\Desk\CTF\HT\output>

Obviously python-3.7.0-amd64-webinstall.exe is the program mpowers was trying to install, so the flag was flag{python}.
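Grepping for the user name is enough for the challenge, but the description's real point is that Amcache entries can be ordered into an execution timeline. The following Python script is an added example (not from this writeup or from RegRipper): it parses lines in the format RegRipper printed above, keeps only entries under one user's profile, sorts them by LastWrite and pulls out the installers; the sample lines are constructed after the output above, and the line format is assumed from that output.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample, modelled on the RegRipper amcache output shown above (not a real hive dump).
SAMPLE_OUTPUT = r"""
    c:\users\mpowers\appdata\local\temp\d930e9b6-7d1b-4a5d-804e-ce667e431ff9\dismhost.exe  LastWrite: 2018-08-08 03:17:33Z
    c:\users\mpowers\desktop\ftk imager\ftk imager.exe  LastWrite: 2018-08-08 20:19:12Z
    c:\users\mpowers\downloads\python-3.7.0-amd64-webinstall.exe  LastWrite: 2018-07-23 13:38:02Z
    c:\users\mpowers\appdata\local\temp\4\{b04d01b2-0174-4ef5-8fb5-84584c0964f5}\.be\python-3.7.0-amd64-webinstall.exe  LastWrite: 2018-07-23 13:38:23Z
    c:\windows\system32\svchost.exe  LastWrite: 2018-07-01 09:00:00Z
"""

# One entry line as printed above: indented path, whitespace, "LastWrite: YYYY-MM-DD HH:MM:SSZ"
LINE_RE = re.compile(r"^\s*(?P<path>.+?)\s+LastWrite:\s+(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})Z\s*$")

@dataclass
class AmcacheEntry:
    path: str              # normalised to lower case, as RegRipper prints it
    last_write: datetime   # UTC (the trailing Z in the output)

def parse_amcache_output(text: str) -> list[AmcacheEntry]:
    """Parse RegRipper amcache plugin lines into entries; non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
            entries.append(AmcacheEntry(m.group("path").lower(), ts))
    return entries

def user_timeline(entries: list[AmcacheEntry], user: str) -> list[AmcacheEntry]:
    """Entries under the user's profile directory, oldest first: that account's execution timeline."""
    prefix = f"c:\\users\\{user.lower()}\\"
    return sorted((e for e in entries if e.path.startswith(prefix)), key=lambda e: e.last_write)

def installers_for_user(entries: list[AmcacheEntry], user: str) -> list[str]:
    """Distinct installer binaries (file name contains 'install') the user ran, in first-seen order."""
    names = []
    for e in user_timeline(entries, user):
        name = e.path.rsplit("\\", 1)[-1]
        if "install" in name and name not in names:
            names.append(name)
    return names

if __name__ == "__main__":
    entries = parse_amcache_output(SAMPLE_OUTPUT)
    for e in user_timeline(entries, "mpowers"):
        print(e.last_write.isoformat(), e.path)
    print("installers:", installers_for_user(entries, "mpowers"))
```

To use it on real output, read the file written by `rip.exe ... -a > out.txt` instead of SAMPLE_OUTPUT; the regex only matches the path/LastWrite lines, so the plugin headers are ignored.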



