CTF-Writeups

:(

Points: 498
Solves: 3
File: sad_face.zip (contains Challenge.evtx)

What the hint tells us

“kept sending my machine a payload that made my screen go blue…”

A “blue screen payload” strongly suggests EternalBlue, a well-known exploit that targets SMBv1.
So we expect the flag to reference something like eternal_blu3 and/or smbv1.

1) Unzip and identify the artifact

The zip only contains a single file: Challenge.evtx, a Windows event log.

2) Extract suspicious strings

Because .evtx is a binary container, the quickest first pass is to pull out the printable strings and look for anything that stands out, such as base64-looking blobs.

Example approaches:

unzip sad_face.zip
strings -n 12 Challenge.evtx | less

While scrolling through the output, several base64-looking strings appear, e.g. things ending with ==.

3) Identify & decode base64 blobs

Filter the extracted strings for base64 patterns and attempt to decode each candidate.
Three of the blobs decode cleanly into readable ASCII (the three fragments used in step 4):

4) Reconstruct the flag

Concatenate the decoded fragments in order:

RUSEC{3ternal_blu3_ + s@d_fac3_smbv + 1_3890cn2k29}
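Steps 2 to 4 above are a small, repeatable triage pipeline: carve printable runs out of a binary (what `strings -n 12` does), keep only the runs that look like base64, decode them, discard anything that does not decode to clean ASCII, and join the survivors in file order. The script below is an added example that is not part of the original writeup; it builds a constructed sample blob (junk bytes around the base64 of the three fragments the writeup recovers, plus the `ElfFile` header magic that real .evtx files start with) so that it runs offline, but `recover_fragments` works on any bytes, including the real Challenge.evtx read from disk.

```python
import base64
import re
from typing import List, Optional

# Minimum run length of printable bytes, mirroring `strings -n 12`.
MIN_RUN = 12

# The three fragments the writeup decodes (constructed sample input for this example).
FRAGMENTS = ["RUSEC{3ternal_blu3_", "s@d_fac3_smbv", "1_3890cn2k29}"]


def build_sample_blob() -> bytes:
    """Constructed stand-in for Challenge.evtx: binary junk with base64 blobs embedded."""
    junk = bytes(range(256)) * 2            # includes a long printable run that is NOT base64
    gap = b"\x00" * 4 + bytes(range(0x80, 0xA8))  # non-printable separator between blobs
    parts = [b"ElfFile\x00", junk]         # "ElfFile\0" is the real .evtx file header magic
    for frag in FRAGMENTS:
        parts.append(base64.b64encode(frag.encode("ascii")))
        parts.append(gap)
    return b"".join(parts)


def extract_strings(data: bytes, min_len: int = MIN_RUN) -> List[str]:
    """Equivalent of `strings -n min_len`: runs of printable ASCII, in file order."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


# Base64 alphabet, at least 16 characters, optional '=' padding, total length a multiple of 4.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def looks_like_base64(s: str) -> bool:
    return bool(B64_RE.match(s)) and len(s) % 4 == 0


def decode_if_ascii(s: str) -> Optional[str]:
    """Decode a candidate; keep it only if every decoded byte is printable ASCII."""
    try:
        raw = base64.b64decode(s, validate=True)
    except ValueError:                      # binascii.Error is a ValueError subclass
        return None
    if raw and all(0x20 <= b < 0x7F for b in raw):
        return raw.decode("ascii")
    return None


def recover_fragments(data: bytes) -> List[str]:
    """strings -> base64 filter -> decode -> readable-ASCII filter, preserving file order."""
    found = []
    for s in extract_strings(data):
        if looks_like_base64(s):
            decoded = decode_if_ascii(s)
            if decoded is not None:
                found.append(decoded)
    return found


def reconstruct_flag(data: bytes) -> str:
    """Step 4: concatenate the decoded fragments in the order they appear in the file."""
    return "".join(recover_fragments(data))


if __name__ == "__main__":
    blob = build_sample_blob()
    for frag in recover_fragments(blob):
        print(frag)
    print("flag:", reconstruct_flag(blob))
```

The readable-ASCII filter matters: many 16+ character runs in a binary happen to fit the base64 alphabet (hex hashes, GUID fragments) and decode without error, but to garbage bytes. Note that this string-carving approach ignores the EVTX record structure entirely, so it tells you nothing about which event, channel or timestamp carried the blob; for an investigation rather than a CTF you would parse the log properly and attach that context to each finding.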

Flag:

RUSEC{3ternal_blu3_s@d_fac3_smbv1_3890cn2k29}