Prefetch Perfection 2

Challenge:

One of the processes loaded a cookie file belonging to cmaldonado, what is the name of the process?

Submit the flag as flag{process.exe}.
Use the file from Prefetch Perfection.
Max Attempts: 10

Solution:

Similar to the previous challenge in this series, Prefetch Perfection 1, I again used Adam Witt’s Windows-Prefetch-Parser but this time parsed all the PreFetch files. This produced quite a bit of output so I wrote a quick Python script to analyze the output specifically for the events to help answer the challenge question.

import subprocess, re

prefetch_data = subprocess.run(["python2", "prefetch.py", "-d", "./prefetch/"], stdout=subprocess.PIPE, stderr=subprocess.STDOUT)

exe = ""
new = False

for line in prefetch_data.stdout.decode().splitlines():
    if "Executable Name" in line:
        exe = line
        new = True
    if ("COOKIE" in line and "CMALDONADO" in line) and (line.endswith(".TXT") or line.endswith(".DAT")):
        if new:
            print(f"*{exe}")
            new = False
        print(re.sub(r'^.*?\\', '  ', line))

My script prints the executable name found interacting with a cookie belonging to the user “cmaldonado”, followed by the path to the cookie related resource.

*Executable Name: IEXPLORE.EXE
  DEVICE\HARDDISKVOLUME1\USERS\CMALDONADO\APPDATA\ROAMING\MICROSOFT\WINDOWS\COOKIES\LOW\INDEX.DAT
  DEVICE\HARDDISKVOLUME1\USERS\CMALDONADO\APPDATA\ROAMING\MICROSOFT\WINDOWS\COOKIES\INDEX.DAT
  DEVICE\HARDDISKVOLUME1\USERS\CMALDONADO\APPDATA\ROAMING\MICROSOFT\WINDOWS\COOKIES\LOW\CMALDONADO@MSN[1].TXT
  DEVICE\HARDDISKVOLUME1\USERS\CMALDONADO\APPDATA\ROAMING\MICROSOFT\WINDOWS\COOKIES\LOW\CMALDONADO@WWW.MSN[2].TXT
  DEVICE\HARDDISKVOLUME1\USERS\CMALDONADO\APPDATA\ROAMING\MICROSOFT\WINDOWS\COOKIES\LOW\CMALDONADO@AT.ATWOLA[1].TXT
  DEVICE\HARDDISKVOLUME1\USERS\CMALDONADO\APPDATA\ROAMING\MICROSOFT\WINDOWS\COOKIES\LOW\CMALDONADO@AT.ATWOLA[2].TXT
  DEVICE\HARDDISKVOLUME1\USERS\CMALDONADO\APPDATA\ROAMING\MICROSOFT\WINDOWS\COOKIES\LOW\CMALDONADO@ATWOLA[2].TXT
  DEVICE\HARDDISKVOLUME1\USERS\CMALDONADO\APPDATA\ROAMING\MICROSOFT\WINDOWS\COOKIES\LOW\CMALDONADO@PIXEL.RUBICONPROJECT[1].TXT
  DEVICE\HARDDISKVOLUME1\USERS\CMALDONADO\APPDATA\ROAMING\MICROSOFT\WINDOWS\COOKIES\LOW\CMALDONADO@ADTECHUS[1].TXT
  DEVICE\HARDDISKVOLUME1\USERS\CMALDONADO\APPDATA\ROAMING\MICROSOFT\WINDOWS\COOKIES\LOW\CMALDONADO@NEXAGE[1].TXT
  DEVICE\HARDDISKVOLUME1\USERS\CMALDONADO\APPDATA\ROAMING\MICROSOFT\WINDOWS\COOKIES\LOW\CMALDONADO@MICROSOFT[2].TXT
  DEVICE\HARDDISKVOLUME1\USERS\CMALDONADO\APPDATA\ROAMING\MICROSOFT\WINDOWS\COOKIES\LOW\CMALDONADO@MICROSOFT[1].TXT
  DEVICE\HARDDISKVOLUME1\USERS\CMALDONADO\APPDATA\ROAMING\MICROSOFT\WINDOWS\COOKIES\LOW\CMALDONADO@C.BING[1].TXT
  DEVICE\HARDDISKVOLUME1\USERS\CMALDONADO\APPDATA\ROAMING\MICROSOFT\WINDOWS\COOKIES\LOW\CMALDONADO@C.BING[2].TXT
  DEVICE\HARDDISKVOLUME1\USERS\CMALDONADO\APPDATA\ROAMING\MICROSOFT\WINDOWS\COOKIES\LOW\CMALDONADO@C1.MICROSOFT[2].TXT
*Executable Name: DLLHOST.EXE
  DEVICE\HARDDISKVOLUME1\USERS\CMALDONADO\APPDATA\ROAMING\MICROSOFT\WINDOWS\COOKIES\LOW\CMALDONADO@WWW.MSN[1].TXT
  DEVICE\HARDDISKVOLUME1\USERS\CMALDONADO\APPDATA\ROAMING\MICROSOFT\WINDOWS\COOKIES\LOW\CMALDONADO@MSN[1].TXT
*Executable Name: FTK IMAGER.EXE
  DEVICE\HARDDISKVOLUME1\USERS\CMALDONADO\APPDATA\ROAMING\MICROSOFT\WINDOWS\COOKIES\INDEX.DAT

At this point the challenge became a bit of a guessing game since the description states, “One of the processes loaded a cookie…“ but there are actually three processes that match the criteria. Additionally, after a number of players were also experiencing issues submitting the flag an admin shared on Slack that the flag was case-sensitive. Ultimately the completed flag was, flag{dllhost.exe}.

Published:

Updated:

Leave a comment