Artifact — BlackHat MEA 24 Qualifications Forensics Writeup
Oct 28, 2024
Artifact (Easy — 90pts)
The challenge provided a Registry Hive file renamed as “execution” (which can be identified as the SYSTEM hive). You can open it using Registry Explorer from Eric Zimmerman’s toolset.
Since the question focuses on “the executable” related to impersonation tools, we can examine relevant registry entries like “AppCompatCache” located under:
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache\AppCompatCache
Here, you’ll find the following entries at the beginning:
Cache Entry Position  Program Name                                              Modified Time
0                     C:\Users\Labib\Desktop\AmcacheParser\8bKpGWGh.exe         2024-08-09 23:05:18
1                     C:\Users\Labib\Desktop\AmcacheParser\DeadPotato-NET4.exe  2024-08-09 22:42:13
2                     C:\Users\Labib\Desktop\AmcacheParser\AmcacheParser.exe    2023-05-21 18:49:06
3                     SIGN.MEDIA=2715636E DeadPotato-NET4.exe                   2024-08-09 22:42:13
4                     SIGN.MEDIA=BD586BEC DeadPotato-NET4.exe                   2024-08-09 22:42:13
5                     C:\Users\Labib\Desktop\DeadPotato-NET4.exe                2024-08-09 22:42:13
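Registry Explorer does the decoding for you, but it helps to know what it is decoding. The script below is an added example (not code from the original writeup) that parses the raw AppCompatCache value in the Windows 10 binary layout as it is publicly documented: a header whose first DWORD is the header size (0x30 or 0x34) followed by entries that each begin with the signature "10ts". Because the real hive is not reproduced here, SAMPLE_BLOB is constructed from the table above, and the function and variable names are this example's own.

```python
"""Parse a Windows 10 AppCompatCache (Shimcache) value and pull out the entries
an analyst would flag.

Added example for this writeup, not code from the original post. The entry
layout is assumed from public format documentation; SAMPLE_BLOB is constructed
from the writeup's table and is not the challenge's real hive data.
"""
import struct
from datetime import datetime, timedelta, timezone

ENTRY_SIGNATURE = b"10ts"
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime):
    """Convert a FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; only needed to build the constructed sample."""
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_appcompatcache_win10(blob):
    """Return [(position, path, modified_utc)] from a Windows 10 AppCompatCache value.

    Entry layout (assumed from public format documentation):
      4 bytes  signature "10ts"      4 bytes  unknown / checksum
      4 bytes  size of the rest      2 bytes  path length in bytes
      N bytes  path (UTF-16LE)       8 bytes  last-modified FILETIME of the file
      4 bytes  extra data length     M bytes  extra data
    The timestamp is the file's last-modified time, not an execution time.
    """
    header_size = struct.unpack_from("<I", blob, 0)[0]
    if header_size not in (0x30, 0x34):
        raise ValueError(f"header size 0x{header_size:x} is not a Windows 10 cache")
    entries = []
    offset = header_size
    while offset + 12 <= len(blob) and blob[offset:offset + 4] == ENTRY_SIGNATURE:
        data_size = struct.unpack_from("<I", blob, offset + 8)[0]
        body = blob[offset + 12:offset + 12 + data_size]
        path_len = struct.unpack_from("<H", body, 0)[0]
        path = body[2:2 + path_len].decode("utf-16-le")
        filetime = struct.unpack_from("<Q", body, 2 + path_len)[0]
        entries.append((len(entries), path, filetime_to_datetime(filetime)))
        offset += 12 + data_size
    return entries


def find_entries(entries, needle):
    """Entries whose path contains `needle`, case-insensitively (e.g. a known tool name)."""
    return [e for e in entries if needle.lower() in e[1].lower()]


def flag_for(entry, prefix="BHFlagY"):
    """Format an entry as the challenge expects: <exe name>_DD/MM/YYYY_HH:MM:SS.

    The last backslash-separated, then space-separated token is taken as the name,
    so normal paths and "SIGN.MEDIA=... name.exe" entries yield the same result.
    """
    _, path, modified = entry
    name = path.rsplit("\\", 1)[-1].rsplit(" ", 1)[-1]
    return f"{prefix}{{{name}_{modified.strftime('%d/%m/%Y_%H:%M:%S')}}}"


# --- constructed sample mirroring the writeup's table (not real hive data) ---

def _build_entry(path, modified):
    encoded = path.encode("utf-16-le")
    body = struct.pack("<H", len(encoded)) + encoded
    body += struct.pack("<Q", datetime_to_filetime(modified))
    body += struct.pack("<I", 0)  # no extra data
    return ENTRY_SIGNATURE + struct.pack("<I", 0) + struct.pack("<I", len(body)) + body


def _utc(*args):
    return datetime(*args, tzinfo=timezone.utc)


SAMPLE_ENTRIES = [
    (r"C:\Users\Labib\Desktop\AmcacheParser\8bKpGWGh.exe", _utc(2024, 8, 9, 23, 5, 18)),
    (r"C:\Users\Labib\Desktop\AmcacheParser\DeadPotato-NET4.exe", _utc(2024, 8, 9, 22, 42, 13)),
    (r"C:\Users\Labib\Desktop\AmcacheParser\AmcacheParser.exe", _utc(2023, 5, 21, 18, 49, 6)),
    ("SIGN.MEDIA=2715636E DeadPotato-NET4.exe", _utc(2024, 8, 9, 22, 42, 13)),
    ("SIGN.MEDIA=BD586BEC DeadPotato-NET4.exe", _utc(2024, 8, 9, 22, 42, 13)),
    (r"C:\Users\Labib\Desktop\DeadPotato-NET4.exe", _utc(2024, 8, 9, 22, 42, 13)),
]
# 0x34-byte header: the size DWORD followed by 48 bytes this parser does not interpret.
SAMPLE_BLOB = struct.pack("<I", 0x34) + b"\x00" * 0x30 + b"".join(
    _build_entry(p, t) for p, t in SAMPLE_ENTRIES
)

if __name__ == "__main__":
    parsed = parse_appcompatcache_win10(SAMPLE_BLOB)
    for pos, path, modified in parsed:
        print(f"{pos:<3} {modified:%Y-%m-%d %H:%M:%S}  {path}")
    for hit in find_entries(parsed, "DeadPotato"):
        print("flag candidate:", flag_for(hit))
```

To run this against a real SYSTEM hive, read the raw bytes of the AppCompatCache value with any offline hive parser and pass them to parse_appcompatcache_win10. Two caveats matter when you do: an offline hive has no CurrentControlSet link, so read the Select\Current value and open the matching ControlSet00N key; and the Modified Time column is the executable's last-modified timestamp, not proof of execution (Windows 10 Shimcache no longer carries an execution flag), so corroborate with Amcache or Prefetch before stating that a tool ran.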
From here, you can search online for “DeadPotato” and find that it’s a Windows privilege escalation tool that exploits the SeImpersonate privilege to gain SYSTEM-level access.
Therefore, the flag would be:
BHFlagY{DeadPotato-NET4.exe_09/08/2024_22:42:13}