Gen-Z Found My Registry — Write-Up

Challenge

Imported from local notes.md.

Solution

Original Notes

1. Challenge Summary

  • Given: A Windows registry export (chal.reg) from a victim's machine. An attacker ("Gen-Z kid") claimed they would turn the registry into "String Cheese."
  • Goal: Find all changes the attacker made and recover the flag.
  • Flag format: DawgCTF{...}

2. Initial Recon / Triage

  • The .reg file is a 3.7 MB UTF-16LE Windows Registry export containing ~29,000 lines, entirely under HKLM\SYSTEM\CurrentControlSet\Services.
  • Three obviously fake services were planted:
    • +7 — ImagePath launches cmd.exe, has a Parameters subkey containing "evens"=""
    • -6 — ImagePath launches cmd.exe, has a Parameters subkey containing "odds"=""
    • MALWARESVC — ImagePath launches cmd.exe, has a custom Security descriptor

3. Hypotheses & Approach

  • The fake services +7 and -6 are cipher hints:
    • +7 with "evens" → even-indexed flag characters were shifted by +7
    • -6 with "odds" → odd-indexed flag characters were shifted by -6
  • "String Cheese" = the flag was pulled apart character by character and scattered across the registry as single-character string values injected into legitimate services.

4. Execution Steps (Reproducible)

Step 1: Convert to UTF-8

iconv -f UTF-16LE -t UTF-8 chal.reg > chal_utf8.reg

(With -f UTF-16LE the leading byte-order mark is passed through as U+FEFF at the start of the first line; -f UTF-16 consumes it instead. iconv does not touch line endings, so any CRLF from regedit survives into chal_utf8.reg.)

Step 2: Extract scattered characters

Search for entries of the form "N"="c" (purely numeric value name, exactly one character of data) injected into legitimate service keys:

grep -Pn '^"\d+"="."$' chal_utf8.reg

If the converted file still has regedit's CRLF line endings, the trailing carriage return defeats the $ anchor: add \r? before $ or strip the CRs first (sed 's/\r$//'). Note also that -n reports a line number, not the owning service; to see which service a hit was planted in, pair it with the nearest preceding [HKEY_...] header line.

This reveals 26 injected entries across various services, each with a position index and an encoded character.

Step 3: Reassemble and decode

Assemble by position index, then reverse the cipher:

  • Even positions: subtract 7 from the character code (reverse of +7)
  • Odd positions: add 6 to the character code (reverse of -6)

Position 0 was absent, but from the flag format we know it's 'D'.
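The three steps above as one Python solver, added here as a worked example; it is not the author's solve3.py. It reads the export either in regedit's native UTF-16LE form or as the iconv output, records which service key each injected value sits under, reverses the +7/-6 code shifts exactly as described above, fills index 0 with 'D' from the flag format, and refuses to emit a flag if any other position is missing or two entries disagree (so a decoy cannot silently corrupt the result). The embedded .reg excerpt is constructed for the example and is not the challenge file; the service names it uses are placeholders.

```python
import codecs
import re
import sys
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed stand-in for chal.reg (NOT the challenge file): a few service keys
# with the scattered flag characters injected as "<index>"="<char>" values.
# Index 0 is deliberately absent, as it was in the real export. The data values
# are the cipher output for DawgCTF{qu33n_0f_th3_h1v3} under +7/evens, -6/odds.
SAMPLE_REG_TEXT = "\r\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\+7\Parameters]",
    '"evens"=""',
    "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\-6\Parameters]",
    '"odds"=""',
    "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS]",
    '"Start"=dword:00000003',
    '"7"="u"', '"2"="~"', '"19"="-"', '"11"="-"',
    "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp]",
    '"Type"=dword:00000020',
    '"1"="["', '"24"=":"', '"14"="7"', '"5"="N"', '"21"="b"',
    "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog]",
    '"Description"="Windows Event Log"',
    '"9"="o"', '"16"="f"', '"3"="a"', '"25"="w"', '"12"="u"',
    "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]",
    '"15"="`"', '"4"="J"', '"22"="8"', '"8"="x"', '"18"="o"',
    "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time]",
    '"6"="M"', '"23"="p"', '"10"=":"', '"20"="f"', '"13"="Y"', '"17"="n"',
    "",
])
# regedit writes UTF-16LE with a BOM; mimic that for the sample bytes.
SAMPLE_REG_BYTES = codecs.BOM_UTF16_LE + SAMPLE_REG_TEXT.encode("utf-16-le")

KEY_RE = re.compile(r"^\[(.+)\]$")
# Numeric value name, exactly one character of data. .reg escapes " and \
# inside string data as \" and \\, so a single escaped char is accepted too.
INJECT_RE = re.compile(r'^"(\d+)"="(\\[\\"]|[^"\\])"$')


def decode_reg(data: bytes) -> List[str]:
    """Split a registry export into lines. Accepts the raw UTF-16LE export or a
    UTF-8 conversion (with or without a leftover U+FEFF); CRLF is normalised so
    the line-anchored regexes work either way."""
    if data.startswith(codecs.BOM_UTF16_LE):
        text = data.decode("utf-16")      # BOM is consumed by the codec
    else:
        text = data.decode("utf-8-sig")   # strips U+FEFF if iconv left one
    return text.replace("\r\n", "\n").split("\n")


def extract_entries(lines: Iterable[str]) -> List[Tuple[int, str, Optional[str]]]:
    """Return (index, encoded_char, owning_key) for every injected value in file
    order, tracking the [key] header so each hit is attributed to its service."""
    current_key: Optional[str] = None
    hits: List[Tuple[int, str, Optional[str]]] = []
    for line in lines:
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = INJECT_RE.match(line)
        if m:
            ch = m.group(2)[-1]           # drop the escaping backslash if present
            hits.append((int(m.group(1)), ch, current_key))
    return hits


def undo_shift(index: int, ch: str) -> str:
    """Reverse the planted hint: even indices were shifted +7, odd ones -6."""
    return chr(ord(ch) - 7) if index % 2 == 0 else chr(ord(ch) + 6)


def reassemble(entries: Iterable[Tuple[int, str, Optional[str]]],
               known: Optional[Dict[int, str]] = None) -> str:
    """Order by index, decode, and fill gaps only from `known` (e.g. {0: 'D'}
    from the flag format). Conflicting duplicates or unfilled gaps raise instead
    of yielding a plausible-looking wrong flag."""
    encoded: Dict[int, str] = {}
    for idx, ch, key in entries:
        if idx in encoded and encoded[idx] != ch:
            raise ValueError(f"index {idx} seen twice with different data (under {key})")
        encoded[idx] = ch
    if not encoded:
        raise ValueError("no injected entries found")
    decoded = {i: undo_shift(i, c) for i, c in encoded.items()}
    for i, c in (known or {}).items():
        decoded.setdefault(i, c)
    length = max(decoded) + 1
    missing = [i for i in range(length) if i not in decoded]
    if missing:
        raise ValueError(f"no data for positions {missing}")
    return "".join(decoded[i] for i in range(length))


def solve(data: bytes) -> str:
    return reassemble(extract_entries(decode_reg(data)), known={0: "D"})


if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_REG_BYTES
    for idx, ch, key in sorted(extract_entries(decode_reg(raw))):
        print(f"{idx:>3}  {ch!r:6} in {key}")
    print(solve(raw))
```

Run it as python solve.py chal.reg (or chal_utf8.reg); with no argument it runs against the constructed sample. The per-hit listing doubles as the "which service was touched" inventory the challenge asks for, and the strictness in reassemble is deliberate: on a 29,000-line export a stray numeric single-character value in a legitimate key would otherwise go unnoticed.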

5. Artifacts Produced

  • chal_utf8.reg — UTF-8 converted registry export
  • solve3.py — Final solver script

6. Flag

DawgCTF{qu33n_0f_th3_h1v3}