WGMY 2023 - Compromise

Compromise is a forensic challenge from WGMY 2023. It involves searching through Windows RDP cache files, and extracting .bmp files to get the flag.

Search through the directories recursively for readable non-empty files.

find . -type f -exec test -s {} \; -exec test -r {} \; -print

I looked for interesting files, but most weren’t useful.

There is a flag.png file, but it is empty. Running strings on it, you can see a PK signature. Change the file’s extension to .zip.
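The same triage, as an added example that is not part of the original writeup: walk a directory, keep only non-empty readable files (the find/test filter above), and label each by its leading bytes instead of its extension, so a ZIP hiding behind a .png name stands out. The PNG and ZIP signatures are the standard ones; the "RDP8bmp" header is what bmc-tools expects at the start of a Cache0000.bin and is an assumption here. The directory tree built by build_sample() is a constructed fixture.

```python
import tempfile
from pathlib import Path

# Magic-byte signatures used for triage. PNG and ZIP are the standard values;
# "RDP8bmp\x00" is assumed to be the Cache0000.bin header (per bmc-tools).
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"PK\x03\x04": "zip",
    b"RDP8bmp\x00": "rdp-cache",
}


def identify(head):
    """Return a type label for the leading bytes of a file, or 'unknown'."""
    for magic, label in SIGNATURES.items():
        if head.startswith(magic):
            return label
    return "unknown"


def triage(root):
    """Recursively list non-empty, readable files under root.

    Returns (relative path, size, extension, type-by-magic) tuples, sorted by
    path. Empty and unreadable files are skipped, mirroring `test -s`/`test -r`.
    """
    root = Path(root)
    rows = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        try:
            size = path.stat().st_size
            if size == 0:
                continue
            with open(path, "rb") as fh:
                head = fh.read(16)
        except OSError:  # unreadable: skip, like `test -r` failing
            continue
        rows.append((str(path.relative_to(root)), size, path.suffix.lower(), identify(head)))
    return rows


def mismatches(root):
    """Files whose extension claims one format while the bytes say another."""
    expected = {".png": "png", ".zip": "zip"}
    return [r for r in triage(root) if r[2] in expected and expected[r[2]] != r[3]]


def build_sample():
    """Constructed fixture: a ZIP named flag.png, an empty file, a real PNG
    header, and a cache file at the path from the writeup. Returns the root."""
    root = Path(tempfile.mkdtemp(prefix="compromise_"))
    cache_dir = root / "AppData/Local/Microsoft/Terminal Server Client/Cache"
    cache_dir.mkdir(parents=True)
    (root / "flag.png").write_bytes(b"PK\x03\x04" + b"\x00" * 26)    # ZIP bytes, .png name
    (root / "notes.txt").write_bytes(b"")                             # empty: filtered out
    (root / "photo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 8)
    (cache_dir / "Cache0000.bin").write_bytes(b"RDP8bmp\x00" + b"\x00" * 4)
    return str(root)


if __name__ == "__main__":
    sample = build_sample()
    for row in triage(sample):
        print("%-70s %6d %-5s %s" % row)
    print("extension/magic mismatches:", [r[0] for r in mismatches(sample)])
```

Running it against the challenge's extracted files instead of the fixture is just `triage("/path/to/evidence")`; the mismatch list is the quickest way to spot a mislabeled archive like flag.png.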

Other than that, the only file of interest is the Cache bin file. A quick search online turns up articles on Windows forensics for RDP cache files.

The file is located in /AppData/Local/Microsoft/Terminal Server Client/Cache/Cache0000.bin.

I used bmc-tools to extract .bmp files from the directory. Then scroll through the extracted .bmp tiles to find the password for the flag.zip file.
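What bmc-tools does with that cache, as an added example that is not the tool's own code or part of the original writeup: parse the tile entries in Cache0000.bin and wrap each one's raw pixels in a BMP container so an image viewer can show it. The file layout assumed here (8-byte "RDP8bmp\x00" magic plus a 4-byte version, then per tile two 32-bit keys, 16-bit width and height, and width*height*4 bytes of 32-bit BGRA) is my reading of what bmc-tools parses, not something the writeup states; the two-tile cache produced by build_sample_cache() is constructed.

```python
import struct
from pathlib import Path

# Assumed Cache0000.bin layout (per my reading of bmc-tools; not from the writeup):
#   file header : b"RDP8bmp\x00" + uint32 version                    (12 bytes)
#   tile header : uint32 key1, uint32 key2, uint16 width, uint16 height (12 bytes)
#   tile data   : width * height * 4 bytes of 32bpp BGRA, top-down
FILE_MAGIC = b"RDP8bmp\x00"
FILE_HDR = struct.Struct("<8sI")
TILE_HDR = struct.Struct("<IIHH")

# Constructed BGRA pixels used by the fixture below.
RED = b"\x00\x00\xff\xff"
GREEN = b"\x00\xff\x00\xff"
BLUE = b"\xff\x00\x00\xff"


def parse_cache(data):
    """Return [(key1, key2, width, height, pixels)] for every complete tile."""
    if not data.startswith(FILE_MAGIC):
        raise ValueError("not an RDP8 bitmap cache (bad magic)")
    off = FILE_HDR.size
    tiles = []
    while off + TILE_HDR.size <= len(data):
        key1, key2, w, h = TILE_HDR.unpack_from(data, off)
        off += TILE_HDR.size
        n = w * h * 4
        if n == 0 or off + n > len(data):
            break  # zero-sized or truncated trailing entry: stop, do not emit garbage
        tiles.append((key1, key2, w, h, data[off:off + n]))
        off += n
    return tiles


def to_bmp(w, h, pixels):
    """Wrap top-down 32bpp BGRA pixels in a BMP (BITMAPINFOHEADER, bottom-up rows).
    Row stride is w*4, already a multiple of 4, so no padding is needed."""
    stride = w * 4
    body = b"".join(pixels[r * stride:(r + 1) * stride] for r in range(h - 1, -1, -1))
    info = struct.pack("<IiiHHIIiiII", 40, w, h, 1, 32, 0, len(body), 2835, 2835, 0, 0)
    header = struct.pack("<2sIHHI", b"BM", 14 + 40 + len(body), 0, 0, 14 + 40)
    return header + info + body


def extract(cache_path, out_dir):
    """Write one .bmp per tile into out_dir; returns the paths written."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    written = []
    for i, (k1, k2, w, h, px) in enumerate(parse_cache(Path(cache_path).read_bytes())):
        p = out / f"{i:04d}_{k1:08x}{k2:08x}_{w}x{h}.bmp"
        p.write_bytes(to_bmp(w, h, px))
        written.append(p)
    return written


def build_sample_cache():
    """Constructed fixture: a 2x2 red tile, a 1x3 blue/green/red tile, then a
    truncated 64x64 entry that a parser must not read past the end for."""
    data = FILE_HDR.pack(FILE_MAGIC, 1)
    data += TILE_HDR.pack(0x11111111, 0x22222222, 2, 2) + RED * 4
    data += TILE_HDR.pack(0x33333333, 0x44444444, 1, 3) + BLUE + GREEN + RED
    data += TILE_HDR.pack(0x55555555, 0x66666666, 64, 64) + b"\x00" * 10
    return data


if __name__ == "__main__":
    for k1, k2, w, h, _ in parse_cache(build_sample_cache()):
        print(f"tile key={k1:08x}{k2:08x} size={w}x{h}")
```

On a real case, `extract("Cache0000.bin", "tiles")` gives you a directory of small BMPs to scroll through, which is the step the writeup describes; the truncation check matters because the last entry in a live cache is often incomplete.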
