Description
A compromised Windows host keeps shutting down. You're given Security.evtx and must prove three events (install, registry change, shutdown) while extracting the Base64 flag pieces buried in the event data.
Confirm the file: file Security.evtx should report MS Windows Vista Event Log.
Install python-evtx (pip install python-evtx, or pip3 install python-evtx if pip isn't on PATH). If install fails, you're usually missing Python dev headers (apt install python3-dev) or need --user because of permissions.
Dump the log to XML so you can grep it. Filter for IDs 1033 (Windows installer), 4657 (registry value modified), and 1074 (forced shutdown). Google Windows event ID <number> for any unfamiliar one.
```bash
file Security.evtx
pip install python-evtx   # or pip3 install python-evtx
evtx_dump.py Security.evtx > output.xml
grep -E 'EventID>(1033|4657|1074)<' output.xml -B2 -A40
```

Solution
Walk me through it

- Step 1: Extract Event ID 1033

Event ID 1033 is the Windows installer completion record. Its Manufacturer field carries cGljb0NURntFdjNudF92aTN3djNyXw== - the trailing == and ASCII-only charset are Base64 giveaways. Decode it for the first third of the flag.

```bash
grep -B2 -A25 'EventID>1033<' output.xml | grep -A1 Manufacturer
```

```bash
# Sample raw field shows: <Data Name="Manufacturer">cGljb0NURntFdjNudF92aTN3djNyXw==</Data>
echo 'cGljb0NURntFdjNudF92aTN3djNyXw==' | base64 -d   # -> picoCTF{Ev3nt_vi3wv3r_
```

Learn more
Windows Event Log (.evtx) files are binary logs that record system activity, security events, and application messages. The EVTX format replaced the older .evt format in Windows Vista and stores events in a structured binary format with XML-encoded content inside each record. Each event is identified by an Event ID number that describes the type of activity recorded.
Event ID 1033 is generated by the Windows Installer (MSI) subsystem when a product installation completes. It records the product name, version, language, manufacturer, and installation result code. Attackers who install malicious software on a compromised host will generate Event ID 1033 entries, making it a useful forensic artifact for detecting unauthorized software installations.
Tools for parsing EVTX files without Windows Event Viewer include python-evtx (pure Python EVTX parser), EvtxEcmd (Eric Zimmerman's command-line tool that exports to CSV/JSON/XML), and Chainsaw (a Rust-based tool designed for threat hunting in EVTX files). On Linux, python-evtx is the most accessible option.
- Step 2: Review Event ID 4657

The registry-value modification event records the new value Immediate Shutdown (MXNfYV9wcjN0dHlfdXMzZnVsXw==). Decode the parenthesised Base64 chunk to get the middle third of the flag.

```bash
echo 'MXNfYV9wcjN0dHlfdXMzZnVsXw==' | base64 -d   # -> 1s_a_pr3tty_us3ful_
```

Learn more
Event ID 4657 - "A registry value was modified" - is logged by the Security audit subsystem when a monitored registry key is changed. This event requires the Audit Registry policy to be enabled and the specific registry key to have SACL (System Access Control List) auditing configured. It records the key path, old value, new value, and the process that made the change.
Registry modifications are a key indicator of compromise. Attackers use the registry for persistence (adding run keys like HKCU\Software\Microsoft\Windows\CurrentVersion\Run), for storing payloads, and for disabling security features. Event ID 4657 allows defenders to detect and timeline these changes, making it one of the most valuable Security log events for incident response.

The Windows Registry is a hierarchical database storing configuration for the OS and applications. Understanding its structure - hives like HKLM (local machine), HKCU (current user), and HKCR (class root), along with key paths for persistence, services, and security settings - is foundational knowledge for both offensive and defensive Windows security work.
- Step 3: Capture Event ID 1074

The shutdown log's Comment field hides the final chunk dDAwbF84MWJhM2ZlOX0=. Decode it, concatenate all three pieces, and paste the full flag back into the picoCTF challenge form to verify it's accepted.

```bash
grep -B2 -A20 'EventID>1074<' output.xml | grep -A1 Comment
```

```bash
echo 'dDAwbF84MWJhM2ZlOX0=' | base64 -d   # -> t00l_81ba3fe9}
# Submit the concatenated flag to picoCTF to confirm.
```

Learn more
Event ID 1074 - "The process X has initiated the restart / shutdown of computer Y on behalf of user Z for the reason: reason" - is logged when a shutdown or restart is initiated programmatically. It records the initiating process, the reason code, and a free-text comment field. Unexpected shutdowns are often a sign of ransomware, destructive malware, or an attacker clearing tracks.
The challenge hides flag segments in the Manufacturer and Comment fields of events - fields that are free-text and controlled by whoever generates the event. This mirrors a real attacker technique: embedding exfiltration data or command-and-control signals in log fields that are less likely to be scrutinized. Defenders should treat unexpected Base64 strings in event fields as suspicious.
Assembling the flag from three separate events teaches the forensic skill of timeline correlation: linking events across different log sources and event types to reconstruct an attacker's actions. Tools like Plaso (log2timeline) and Timesketch automate this correlation across dozens of artifact types simultaneously, giving investigators a unified timeline of system activity.
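The three steps above as one script, an added example that is not part of the original write-up: it walks an evtx_dump.py-style XML dump, keeps only the three watched Event IDs, applies a Base64 sanity check (charset, length, strict decode, printable result) to their free-text fields, and joins the decoded pieces in time order. The records are constructed samples, not the challenge file; the namespace is the real Windows event XML namespace, the timestamps are made up, and NewValue is assumed as the 4657 field to inspect.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Event IDs from the write-up and the free-text field each one hides a chunk in.
WATCHED = {1033: "Manufacturer", 4657: "NewValue", 1074: "Comment"}
NS = "http://schemas.microsoft.com/win/2004/08/events/event"  # Windows event XML namespace

# Constructed sample records in the shape evtx_dump.py emits (not the challenge file).
SAMPLE_XML = f"""<Events>
<Event xmlns="{NS}"><System><EventID>1033</EventID><TimeCreated SystemTime="2024-01-01 10:00:00"/></System>
<EventData><Data Name="Manufacturer">cGljb0NURntFdjNudF92aTN3djNyXw==</Data></EventData></Event>
<Event xmlns="{NS}"><System><EventID>4657</EventID><TimeCreated SystemTime="2024-01-01 10:01:00"/></System>
<EventData><Data Name="NewValue">Immediate Shutdown (MXNfYV9wcjN0dHlfdXMzZnVsXw==)</Data></EventData></Event>
<Event xmlns="{NS}"><System><EventID>1074</EventID><TimeCreated SystemTime="2024-01-01 10:02:00"/></System>
<EventData><Data Name="Comment">dDAwbF84MWJhM2ZlOX0=</Data></EventData></Event>
</Events>"""

def base64_tokens(text):
    """(token, plaintext) pairs for substrings that pass a Base64 sanity check: Base64 charset,
    length a multiple of 4, strict decode, printable-ASCII result. Surrounding text is allowed."""
    found = []
    for tok in re.findall(r"[A-Za-z0-9+/]{16,}={0,2}", text):
        try:
            raw = base64.b64decode(tok, validate=True) if len(tok) % 4 == 0 else b""
        except ValueError:  # binascii.Error is a ValueError subclass
            raw = b""
        if raw and all(32 <= b < 127 for b in raw):
            found.append((tok, raw.decode("ascii")))
    return found

def parse_events(xml_text):
    """Yield (time, event_id, {Data Name: value}) per <Event>, ignoring the XML namespace."""
    local = lambda el: el.tag.rsplit("}", 1)[-1]
    for ev in ET.fromstring(xml_text).iter():
        if local(ev) == "Event":
            els = {local(el): el for el in ev.iter() if local(el) != "Data"}
            data = {el.get("Name"): el.text or "" for el in ev.iter() if local(el) == "Data"}
            yield els["TimeCreated"].get("SystemTime", ""), int(els["EventID"].text), data

def triage(xml_text, watched=WATCHED):
    """Flag Base64 in the watched field of each watched event; join decodes in time order."""
    hits = []
    for ts, eid, data in parse_events(xml_text):
        if eid in watched:
            for tok, dec in base64_tokens(data.get(watched[eid], "")):
                hits.append({"time": ts, "event_id": eid, "field": watched[eid], "b64": tok, "decoded": dec})
    hits.sort(key=lambda h: h["time"])  # SystemTime strings sort chronologically as-is
    return hits, "".join(h["decoded"] for h in hits)
```

Point it at a real dump with `triage(open("output.xml").read())`; any value that passes the check in a free-text field is worth a second look even when it is not a flag.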
Flag
picoCTF{Ev3nt_vi3wv3r_1s_a_pr3tty_us3ful_t00l_81b...}
Any Base64 decoding method works; the challenge is recognizing which events hide the chunks.