Category: forensics
Published: July 14, 2025
Competition: L3akCTF
Points: 401
Author: KibethTheWalker

[L3akCTF 2025] Forensics - L3ak Advanced Defenders Writeup

This write-up briefly covers my answers and approach to a forensics challenge from L3akCTF 2025. It turned out to be the highest-scoring challenge for our team, which I'm very proud of even though it's still an easy/medium challenge, I'd say.

So my initial step was direct. I didn't even look at the questions first lol.
I just opened the backup.dat file in a hex editor and saw the header win-ad-ob, which clearly indicated it was an Active Directory object file.

Downloaded AD Explorer from https://learn.microsoft.com/en-us/sysinternals/downloads/adexplorer, opened the .dat file and browsed the objects manually.

Question 1:

1) What is the forest root domain name? Format: prefix.name.suffix
Answer: l3ak.ctf.com

→ Once opened in AD Explorer, we can instantly see "DC=l3ak,DC=ctf,DC=com"

Question 2:

2) What is the name of the primary domain controller for this domain?
Answer: L3AKPRIDC

→ Inside the root domain we can see the OU called “Domain Controllers”, which contains the domain controller object.

Question 3:

3) Which hosts have not been assigned to an OU? Format: host1, host2, …
Answer: FileSrv03, FileSrvWin11, InternStn

→ Found in CN=Computers (not placed in a specific OU).

Question 4:

4) List the oldest operating system used in the domain and the name of the workstation with this OS. Format: OS1, OS2, …
Answer: Windows 95, InternStn

→ Look at the operatingSystem and operatingSystemVersion attributes on all workstation objects.

Question 5:

5) Based on their current operating system, which workstations are placed in the wrong OU? Format: host1, host2, …
Answer: ITWorkstn02, ITWorkstn03

→ Under the “Workstations” OU we can see sub-OUs for the various operating systems.
But ITWorkstn02 and ITWorkstn03 are Windows 11 hosts placed in the Windows 10 OU.

Question 6:

6) Which hosts are no longer used by the organization? Format: host1, host2, …
Answer: IT, ITTroubleshootStn, Linux, Repo

→ Hosts located in CN=Deleted Objects.

Question 7:

7) Which users have their account disabled, and what is the value (in hex) of the attribute that dictates this? Format: displayName, 0x…
Answer: Wilhelm Firtz, Reginald Norwood, Christopher Price, 0x202

https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/useraccountcontrol-manipulate-account-properties#list-of-property-flags
The flags are cumulative:
0x2 → 2 = ACCOUNTDISABLE
combined with 0x200 → 512 = NORMAL_ACCOUNT
→ Total: 0x202 = 514 (dec)
→ Filtered users where the userAccountControl attribute = 514

Question 8:

8) Which enabled users have their password set to not expire, and what is the value (in hex) of the attribute that dictates this? Format: displayName, 0x…
Answer: Bigsby Appleton, Montgomery Fitzgerald, Lily Sampson, 0x10200

Using the reference above, we can see that we need to find a userAccountControl value of 0x10200:
0x10000 = DONT_EXPIRE_PASSWORD
0x200 = NORMAL_ACCOUNT
→ Total: 0x10200 = 66048 (dec)
→ Searched for userAccountControl = 66048
→ Excluded the built-in Administrator because the questions always ask for users

Question 9:

9) What departments exist inside this domain, and how many active employees exist in each department? List the departments in alphabetical order. Format: DepartmentName-NumberOfEmployees
Answer: Finance-3, HR-8, IT-5

→ Count the users per department attribute, excluding disabled users (i.e. where userAccountControl = 514)
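The flag decoding behind Questions 7 to 9, as an added Python example that is not part of the original writeup, run over constructed sample records. It also shows why a bitwise match is safer than filtering on the exact values 514 and 66048: an account with extra flags set (say 0x10202, disabled plus password never expires) is missed by an equality filter but caught by a bitwise AND; the LDAP matching-rule OID used is Microsoft's LDAP_MATCHING_RULE_BIT_AND.

```python
# Added example (not from the original writeup): decode userAccountControl
# bitflags as Questions 7-9 require, and show why a bitwise match is safer
# than the exact values 514 / 66048. Flag values are from the Microsoft docs.
ACCOUNTDISABLE = 0x0002
DONT_EXPIRE_PASSWORD = 0x10000

# Constructed sample records; names and departments are invented.
SAMPLE_USERS = [
    {"displayName": "Ann Zimmer", "department": "IT", "userAccountControl": 0x200},
    {"displayName": "Ben Adler", "department": "IT", "userAccountControl": 0x202},
    {"displayName": "Cara Moss", "department": "Finance", "userAccountControl": 0x10200},
    {"displayName": "Dov Klein", "department": "Finance", "userAccountControl": 0x10202},
    {"displayName": "Eva Brandt", "department": "HR", "userAccountControl": 0x200},
    {"displayName": "Administrator", "department": "", "userAccountControl": 0x10200},
]

def by_last_name(name):
    """Sort key: the CTF expected answers ordered by last name (see Notes)."""
    return name.split()[-1].lower()

def disabled_users(users):
    """Q7: any account with ACCOUNTDISABLE set, whatever other flags are present."""
    names = [u["displayName"] for u in users if u["userAccountControl"] & ACCOUNTDISABLE]
    return sorted(names, key=by_last_name)

def exact_match(users, value):
    """The writeup's approach: userAccountControl == value. Misses combined flags."""
    return sorted(u["displayName"] for u in users if u["userAccountControl"] == value)

def enabled_no_expiry(users):
    """Q8: enabled accounts with DONT_EXPIRE_PASSWORD, built-in Administrator excluded."""
    names = []
    for u in users:
        uac = u["userAccountControl"]
        if uac & DONT_EXPIRE_PASSWORD and not uac & ACCOUNTDISABLE and u["displayName"] != "Administrator":
            names.append(u["displayName"])
    return sorted(names, key=by_last_name)

def active_per_department(users):
    """Q9: count enabled users per department, keys in alphabetical order."""
    counts = {}
    for u in users:
        if u["department"] and not u["userAccountControl"] & ACCOUNTDISABLE:
            counts[u["department"]] = counts.get(u["department"], 0) + 1
    return dict(sorted(counts.items()))

def ldap_bitwise_filter(flag):
    """LDAP_MATCHING_RULE_BIT_AND filter: true when any bit of `flag` is set in the attribute."""
    return f"(userAccountControl:1.2.840.113556.1.4.803:={flag})"
```

In the sample set, Dov Klein (0x10202) is disabled but is skipped by the exact match on 514, which is the case the bitwise filter exists for.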

Question 10:

10) Which users have the most control over the structure of the AD forest? Format: user1, user2, …
Answer: Charlie Edgars, Lily Sampson

→ Users with the most control are typically members of highly privileged groups such as Schema Admins, Enterprise Admins and Domain Admins.
Found at CN=Users → CN=Schema Admins, then open the member attribute.

Question 11:

11) Which users violate the principle of least privilege? Format: user1, user2, …
Answer: Christopher Price, Eleanor Wharton

Flag users in roles they shouldn’t be in:
Eleanor Wharton = member of IT but also in CN=Finance Employees
Christopher Price = disabled external user, still part of CN=IT Employees

Question 12:

12) Which OUs block inheritance? Format: OU1, OU2, …
Answer: Domain Controllers, IT, FileServers

https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-gpol/08090b22-bc16-49f4-8e10-f27a8fb16d18
→ The gPOptions attribute determines the behavior of policy inheritance
→ Filtered for OUs with gPOptions = 1

Question 13:

13) The GPOs were imported from a file supplied by a U.S. organization. Provide the sha256sum hash of the zip file containing the GPOs.
Answer: 4BD7742C73A610EDF79A6B484457351438C90DC6FAC119EF8475B46D96BD2B37

→ All GPOs found under CN=System → CN=Policies start with DoD, which points to U.S. DoD baselines
→ Look online to find the zip file containing all the DoD GPOs:
https://ncp.nist.gov/checklist/914/download/13778

Question 14:

14) What anti-virus software does the domain utilize, what is the maximum age in days of the AV definitions, and what must be impeded from launching executables?
Answer: Microsoft Defender, 7, JavaScript, VBScript

→ Found the AV-related GPOs (displayName including "Microsoft Defender") and cross-referenced them with the DISA STIG benchmark where the rules can be found:
DISA STIG Microsoft Defender Antivirus v2r4

📝 Notes

Things that took me hours

  • Q5: Test machines were not necessarily workstations.
  • Q7: Answer needs to be ordered alphabetically by last name.
  • Q14: Answers were always a comma-separated list but I was trying "JavaScript and/or VBScript".