Run Forrest Run

Erm, so I remember finding this earlier, so I thought why not try it as the flag as it's the last challenge.

Flag: zh3r0{C:\windows\Program Files(x86)\Anubis.exe}

Forensics

PreDestination

Download the file, open it in Autopsy etc.

Now, based on the brief, this challenge has something to do with time zones, and how the malware has changed them to something.

So after doing some googling about where time zones are stored in Windows filesystems, I found a registry key, HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation (in the case of this challenge CurrentControlSet is ControlSet001; access it through C:\Windows\system32\config\system), which leads to the flag of:

Flag: zh3r0{Cicada3301}

Soundless

So I found a suspicious item in Autopsy and tried its path as the flag and it worked, sooooooo.

Flag: zh3r0{C:\Users\zh3r0\Documents\Hades.exe}

Snow

Hidden Music

So er, download the file.

Open it in OpenStego and extract the data.

You get a .gz file, or so it says.

There are magic bytes for a .mid file in it.

Then once you get that file out, open it in a MIDI editor and you get:

Flag: zh3r0{MUSIC_IS_FUN_DO_TO_DO}
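The step above comes down to trusting the magic bytes rather than the claimed .gz extension. As an added example (not from the original writeup), this Python identifies a blob by its signature and carves an embedded Standard MIDI File by walking its chunk headers; the sample blob is constructed here, not the challenge file.

```python
import gzip
import struct

# Signatures for the file types this writeup's extraction chain runs into.
MAGIC = {b"\x1f\x8b": "gzip", b"MThd": "midi", b"PK\x03\x04": "zip"}

def identify(data: bytes) -> str:
    """Type implied by the leading bytes, whatever extension the file carries."""
    for sig, name in MAGIC.items():
        if data.startswith(sig):
            return name
    return "unknown"

def find_embedded(data: bytes, sig: bytes = b"MThd") -> list:
    """Every offset at which a signature occurs inside a blob."""
    offsets, pos = [], data.find(sig)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(sig, pos + 1)
    return offsets

def carve_midi(data: bytes, offset: int) -> bytes:
    """Carve a Standard MIDI File at offset by walking its chunks: each chunk is a
    4-byte type, a 4-byte big-endian length, then payload; the MThd payload holds
    format, track count and division as 16-bit values."""
    ctype, length = struct.unpack(">4sI", data[offset:offset + 8])
    if ctype != b"MThd":
        raise ValueError("no MThd chunk at offset")
    ntracks = struct.unpack(">H", data[offset + 10:offset + 12])[0]
    pos = offset + 8 + length
    for _ in range(ntracks):
        ctype, length = struct.unpack(">4sI", data[pos:pos + 8])
        if ctype != b"MTrk":
            raise ValueError("expected an MTrk chunk")
        pos += 8 + length
    return data[offset:pos]

def build_sample_midi() -> bytes:
    """Constructed minimal format-0 MIDI: one track holding only End-of-Track."""
    header = b"MThd" + struct.pack(">IHHH", 6, 0, 1, 96)
    events = b"\x00\xff\x2f\x00"
    return header + b"MTrk" + struct.pack(">I", len(events)) + events

# Constructed stand-in for the extracted file: claimed .gz, really junk + MIDI.
SAMPLE_BLOB = b"\x00" * 7 + b"GZ?" + build_sample_midi() + b"\xde\xad"

if __name__ == "__main__":
    print("leading bytes say:", identify(SAMPLE_BLOB), "/ real gzip:", identify(gzip.compress(b"x")))
    for off in find_embedded(SAMPLE_BLOB):
        print(f"MIDI at offset {off}, {len(carve_midi(SAMPLE_BLOB, off))} bytes")
```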

Snow.md

So download the file.

Unzip it and notice the challenge name is Snow, so use stegsnow.

Once extracted, you get a file called chall.txt, which presumably you use stegsnow on.

However, there are hidden directories. If you go down them you find .flag.txt, which is a fake flag, but if you go further you find .secret.txt, which is the password.

So run stegsnow -C -p "welc0me_to_zh3r0_ctf" chall.txt and you get the flag.

Flag: zh3r0{i5_it_sn0w1ng?}

Katycat

Download the file, run zsteg on it and you'll get a Pastebin link: https://pastebin.com/hvgCXNcP

Visit that and you'll find base64 text that decodes into a zip file.

Save the zip file and open it, but it's password protected.

So run zip2john to get the hash and dictionary-attack it with rockyou.txt. You'll get a password of kitkat.

After catting flag.txt, run a ROT47 decryption on it and you get:

Flag: zh3r0{1sn7_st3g4n0_e4sy}

Good Ol' IE

This time, though, it wants you to find the origin of the malware that changed the time zone shid.

Since the challenge had IE in its name I had a feeling it had stuff to do with Internet Explorer and URL history.

But looking through the most obvious files like the History folder turned up nothing sus.

So I had to google where applications are recorded in a registry file (this is because I thought the malware was downloaded and I had to look for a file instead).

I found that NTUSER.dat in the user's directory had this stuff in it.

But looking through, I found an Internet Explorer registry key and thought I'd try looking through that stuff again, and to my surprise I found a flag in NTUSER.dat\Software\Microsoft\Internet Explorer\TypeURLs\url11. UwU OwO.

Flag: zh3r0{http://w3.you-got-million-dollars-click-me.nr.hg.org.tech/}

UnRemovable

Anyway, continuing on from the previous one.

This one has something to do with unremovable malware. So like, it also said that restarting the computer doesn't remove it, so I googled startup tasks and where in the registry this would be.

The registry key is SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\. And if you go into SpecialAccounts\Shell, you find the malware file that starts up.

Flag: zh3r0{zh3r0ctfmalware.exe}

is it a troll???

So download the jpg.

Run exiftool and the author data is base62 encoded.

Decode it to get itrolledyou, which you can use with steghide to get a zip.

Unzip dat zip and you find a .png.

Run zsteg and you'll get 30:aDutCu4gwUtnqdVuhLUL6jFueSgRFi. No idea what the 30: is, but remove that and decode the rest.

It's base58 encoded. After that you get the flag, but replace the 'o's with '0's.

Flag: zh3r0{y0u_g0t_th3_k3y}

LSB Fun

Download the file, and notice the challenge is called LSB fun.

Which means LSB.

So after researching steg tools I found jsteg. Run jsteg reveal chall.jpg outfile to get a flag of:

Flag: zh3r0{j5t3g_i5_c00l}