Description
The Device you identified confirms that the attacker injected themselves early in the boot sequence. However, both UEFI boot and Secure Boot were properly enabled on the system.
To verify this, we collected metadata from the Windows EFI boot partition (FAT32) using the DFIR-Orc tool. See the attached file analyse-memoire-efi-fatinfo.csv.
Identify the vulnerability that was exploited by the attacker and the file containing the initial malicious payload used in the attack.
The flag is in the format FCSC{<CVE_number>:<file_name>}, where <CVE_number> is the identifier of the exploited vulnerability and <file_name> is the name of the file containing the initial malicious payload.
For example: FCSC{CVE-2022-4225:payload.bin}.
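Triage of an EFI system partition listing usually comes down to three questions: which files are outside the layout a stock Windows install leaves on the ESP, which files were created on a different day than the bulk of the partition, and what else changed in the minutes around such an outlier (for instance a boot-configuration edit made alongside a dropped loader). The script below is an added example, not part of the challenge or of DFIR-Orc; it runs on constructed rows laid out like a FatInfo export, and the column names (FullName, FileName, SizeInBytes, CreationDate, LastModificationDate, SHA256), the allowlisted paths and the file name example-implant.efi are assumptions made for the example. Check the header of the real analyse-memoire-efi-fatinfo.csv and adjust the column names before pointing the parser at it.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample rows in the shape of a DFIR-Orc FatInfo export. The
# column names are an assumption for this example; the real CSV header may
# differ. The hashes are placeholders, not real digests.
SAMPLE_FATINFO = r"""FullName,FileName,SizeInBytes,CreationDate,LastModificationDate,SHA256
\EFI\Microsoft\Boot\bootmgfw.efi,bootmgfw.efi,1654240,2023-03-02 08:15:10.000,2023-03-02 08:15:10.000,0000000000000000000000000000000000000000000000000000000000000001
\EFI\Microsoft\Boot\bootmgr.efi,bootmgr.efi,1623456,2023-03-02 08:15:10.000,2023-03-02 08:15:10.000,0000000000000000000000000000000000000000000000000000000000000002
\EFI\Microsoft\Boot\BCD,BCD,24576,2023-03-02 08:15:12.000,2023-03-09 11:02:44.000,0000000000000000000000000000000000000000000000000000000000000003
\EFI\Microsoft\Boot\Fonts\wgl4_boot.ttf,wgl4_boot.ttf,47452,2023-03-02 08:15:11.000,2023-03-02 08:15:11.000,0000000000000000000000000000000000000000000000000000000000000004
\EFI\Boot\bootx64.efi,bootx64.efi,1654240,2023-03-02 08:15:10.000,2023-03-02 08:15:10.000,0000000000000000000000000000000000000000000000000000000000000001
\EFI\Boot\example-implant.efi,example-implant.efi,98304,2023-03-09 11:02:40.000,2023-03-09 11:02:40.000,0000000000000000000000000000000000000000000000000000000000000005
"""

# Allowlist of what a stock Windows ESP is expected to hold (assumption for
# this example): the Microsoft boot directory and the UEFI removable-media
# fallback loader for x64.
EXPECTED_PREFIXES = ("\\EFI\\Microsoft\\Boot\\",)
EXPECTED_FILES = {"\\EFI\\Boot\\bootx64.efi"}

TIME_FMT = "%Y-%m-%d %H:%M:%S.%f"
PIVOT_WINDOW = timedelta(minutes=5)


def parse_fatinfo(text):
    """Parse a FatInfo-style CSV into dicts with typed timestamps and sizes."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["CreationDate"] = datetime.strptime(row["CreationDate"], TIME_FMT)
        row["LastModificationDate"] = datetime.strptime(row["LastModificationDate"], TIME_FMT)
        row["SizeInBytes"] = int(row["SizeInBytes"])
        rows.append(row)
    return rows


def is_expected_location(path):
    """Case-insensitive check against the ESP allowlist (FAT is case-insensitive)."""
    lower = path.lower()
    if lower in {p.lower() for p in EXPECTED_FILES}:
        return True
    return any(lower.startswith(p.lower()) for p in EXPECTED_PREFIXES)


def triage(rows):
    """Return a sorted list of (path, reason) findings for the listing."""
    findings = []

    # 1. Anything outside the expected ESP layout.
    for r in rows:
        if not is_expected_location(r["FullName"]):
            findings.append((r["FullName"], "outside expected ESP layout"))

    # 2. Creation-date outliers: OS installation writes the ESP in one burst,
    #    so the day on which most files were created is the baseline.
    days = Counter(r["CreationDate"].date() for r in rows)
    baseline_day = days.most_common(1)[0][0]
    outliers = [r for r in rows if r["CreationDate"].date() != baseline_day]
    for r in outliers:
        findings.append((r["FullName"],
                         f"created {r['CreationDate'].date()} (baseline {baseline_day})"))

    # 3. Pivot: files modified within a short window of an outlier's creation,
    #    which catches a boot-config edit made alongside the drop.
    for o in outliers:
        for r in rows:
            if r is o:
                continue
            if abs(r["LastModificationDate"] - o["CreationDate"]) <= PIVOT_WINDOW:
                findings.append((r["FullName"],
                                 f"modified within {PIVOT_WINDOW} of {o['FileName']} creation"))

    return sorted(set(findings))


if __name__ == "__main__":
    for path, reason in triage(parse_fatinfo(SAMPLE_FATINFO)):
        print(f"{path}: {reason}")
```

On the constructed rows the loader copy under \EFI\Boot\ and the fonts directory stay quiet, the example implant is flagged twice (location and creation day), and the BCD store surfaces only through the pivot window, which is the point of the third check: the boot-configuration change would not stand out on its own. Whatever the real listing shows, the creation-day baseline is only a heuristic; a machine that received a Windows feature update has a second legitimate burst of writes, so confirm any outlier against hashes of known-good boot components before treating it as the payload.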
This challenge is part of a series that should be solved sequentially:
Files
- analyse-memoire.tar.xz (1.05 GiB, sha256 59dbdb3d2e0eb219afc63fa086069b0e21cad79060ca3752b75e910058fce206)
- analyse-memoire-efi-fatinfo.csv (72.43 KiB, sha256 32f4198de8fba6eaad3e76350348797ff8a13add8ab9add2c04ee4d6babb449d)
Author
