Description
A compromised Windows host keeps shutting down. You’re given Security.evtx and must prove three events (install, registry change, shutdown) while extracting the Base64 flag pieces buried in the event data.
Parse the EVTX file (Windows Event Viewer, EvtxEcmd, or python-evtx all work).
Filter for Event IDs 1033, 4657, and 1074 to identify the installer, registry tampering, and forced shutdown.
python3 parse_evtx.py Security.evtx > output.xml
strings output.xml | grep -E 'cGljb0|MXNf|dDAw'
Solution
- Step 1: Extract Event ID 1033. The Windows Installer log for Totally_Legit_Software includes `Manufacturer: cGljb0NURntFdjNudF92aTN3djNyXw==`. Decode it to get the first third of the flag.
- Step 2: Review Event ID 4657. The registry modification event stores `Immediate Shutdown (MXNfYV9wcjN0dHlfdXMzZnVsXw==)`, which is the second flag chunk.
- Step 3: Capture Event ID 1074. The shutdown log contains `Comment: dDAwbF84MWJhM2ZlOX0=`. Concatenate the decoded pieces to assemble picoCTF{Ev3nt_vi3wv3r_1s_a_pr3tty_us3ful_t00l_81ba3fe9}.
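The three steps above, automated as an added example (not part of the original writeup): it filters an EVTX XML export for Event IDs 1033, 4657 and 1074, pulls Base64-looking tokens out of their EventData, and joins the decoded pieces in incident order. The XML below is a constructed sample modelled on python-evtx output, not the challenge's Security.evtx; `extract_chunks` and `assemble_flag` are names chosen here.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Constructed sample shaped like python-evtx's XML dump (not the real Security.evtx).
NS = "http://schemas.microsoft.com/win/2004/08/events/event"
SAMPLE_XML = f"""<Events>
<Event xmlns="{NS}"><System><EventID>4624</EventID></System>
  <EventData><Data Name="TargetUserName">Administrator</Data></EventData></Event>
<Event xmlns="{NS}"><System><EventID>1033</EventID></System>
  <EventData><Data>Product: Totally_Legit_Software. Manufacturer: cGljb0NURntFdjNudF92aTN3djNyXw==</Data></EventData></Event>
<Event xmlns="{NS}"><System><EventID>4657</EventID></System>
  <EventData><Data Name="NewValue">Immediate Shutdown (MXNfYV9wcjN0dHlfdXMzZnVsXw==)</Data></EventData></Event>
<Event xmlns="{NS}"><System><EventID>1074</EventID></System>
  <EventData><Data>Comment: dDAwbF84MWJhM2ZlOX0=</Data></EventData></Event>
</Events>"""

# Event IDs the challenge cares about: installer, registry tampering, forced shutdown.
TARGET_IDS = {1033: "install", 4657: "registry change", 1074: "shutdown"}
# Base64 tokens of a plausible length; short words and identifiers with '_' are skipped.
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def extract_chunks(xml_text):
    """Return {event_id: decoded_chunk} for the target Event IDs only."""
    root = ET.fromstring(xml_text)
    found = {}
    for ev in root.iter(f"{{{NS}}}Event"):
        eid = int(ev.findtext(f"{{{NS}}}System/{{{NS}}}EventID"))
        if eid not in TARGET_IDS:
            continue
        text = " ".join(d.text or "" for d in ev.iter(f"{{{NS}}}Data"))
        for token in B64_RE.findall(text):
            try:
                decoded = base64.b64decode(token, validate=True).decode("ascii")
            except (ValueError, UnicodeDecodeError):
                continue  # not valid Base64, or not text once decoded
            if decoded.isprintable():
                found[eid] = decoded
    return found


def assemble_flag(xml_text):
    """Join the decoded pieces in incident order: install -> registry -> shutdown."""
    chunks = extract_chunks(xml_text)
    return "".join(chunks[eid] for eid in (1033, 4657, 1074) if eid in chunks)
```

To run it against a real export, replace SAMPLE_XML with the contents of output.xml from the python-evtx step; the unrelated 4624 event in the sample shows why filtering on Event ID first keeps the Base64 search from picking up noise.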
Flag
picoCTF{Ev3nt_vi3wv3r_1s_a_pr3tty_us3ful_t00l_81b...}
Any Base64 decoding method works; the challenge is recognizing which events hide the chunks.