-
SCC 2026 Quals Writeup: Forensics Challenges Walkthrough
Summary: This post provides a technical walkthrough of three forensics challenges I authored for the SCC 2026 Qualifiers. It covers the intended solutions for “The Silent Leak” (DNS exfiltration), “Beeper’s Revenge” (COM hijacking), and “Vault 126” (App-Bound encryption).
1. The Silent Leak
Category: Forensics
Difficulty: Easy
Points: 50
Description
A suspicious PCAP file has been recovered from a compromised system. Something is quietly slipping through the network traffic. Find it and retrieve the flag.
Overview
The challenge provides a PCAP file containing a mix of legitimate network traffic and a large volume of DNS queries. The goal is to identify and reconstruct a data exfiltration stream hidden within these DNS requests.
Identification
Filtering for DNS traffic reveals two primary domains involved in unusual activity:
flag-provider.com: Contains static or decoy fragments.
system-update.internal: Contains the actual encoded payload.
The subdomains for system-update.internal follow a structured format: [data_chunk].[hex_index].system-update.internal. For example, a query might appear as Q1R.00.system-update.internal.
Data Reassembly
The primary technical hurdle is that the packets are not captured in chronological order. To successfully reconstruct the payload, the extracted chunks must be sorted by their hexadecimal index (the second level of the subdomain). Simply concatenating the strings as they appear in the capture will result in an invalid Base64 string.
Solution
tshark -r dump.pcap -Y 'dns.flags.response == 0 && dns.qry.name contains "system-update.internal"' -T fields -e dns.qry.name | sort -t '.' -k2 | cut -d '.' -f1 | tr -d '\n' | base64 -d
The Flag
SCC{pr0mpt_3ngin33r1ng_15_n0t_for3n51c5}
2. Beeper’s Revenge
Category: Forensics
Difficulty: Medium
Points: 50
Description
System administrators are reporting mysterious audible beep signals coming from the Admin workstation, while File Explorer is showing signs of instability.
Although all standard security tools claim the system is clean, a sophisticated “fileless” malware is suspected of manipulating system objects and hiding deep within the system memory.
Your task is to analyze the provided memory dump and disk image, locate the phantom module, and reconstruct the flag, which is split into three fragments (Registry, Environment, and Memory).
Overview
The challenge centers around a COM Hijacking technique. Instead of deploying a standalone executable, the malware resides as a DLL masquerading as a system binary: IconCache_x64.bin. By overriding a legitimate COM Class ID (CLSID) in the Current User registry hive, the malware ensures it is loaded by trusted Windows processes whenever specific folder operations occur.
The flag was fragmented into three distinct “shards” across different layers of the Windows OS:
Registry Layer: A non-standard key within the Explorer advanced settings.
Process Layer: A specific environment variable injected into the surrogate process.
Memory Layer: An encrypted shard within the process VAD (Virtual Address Descriptor) space.
Solution
1. Process Identification
Initial triage begins by identifying the active surrogate process. Given the symptoms of audible beeps and PowerShell activity, we list the active processes.
vol -f dump.raw windows.pslist
PID is 9392
2. Extraction of Shard 1: Registry Analysis
The first fragment is hidden within the User’s Registry hive, specifically under the Explorer folder modes.
vol -f dump.raw windows.registry.printkey --key "Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\FolderMode"
Result: InternalID = SCC{d34d_
3. Extraction of Shard 2: Environment Variables
The second fragment is stored in the Environment Block of the hijacked process.
vol -f dump.raw windows.environ --pid 9392
Result: COMPLUS_Version = DLLs_t3ll_
4. Memory Analysis: Locating Shard 3
The final shard is stored within a memory-mapped file that does not have a standard .dll extension, making it invisible to basic module listing.
Step A: VAD Enumeration
vol -f dump.raw windows.vadinfo --pid 9392 | grep "IconCache_x64.bin"
Identify the base address of IconCache_x64.bin (e.g., 0x7fff0b830000).
Step B: Memory Region Extraction
vol -f dump.raw -o . windows.memmap --pid 9392 --address 0x7fff0b830000 --dump
The resulting dump contains the encrypted payload.
5. Cryptographic Key Recovery (Machine SID)
Shard 3 is XOR-encrypted using the Machine SID as the cryptographic key. This requires the investigator to recover the SID from the system’s security tokens.
vol -f dump.raw windows.getsids --pid 9392
The key is derived from the base Machine SID (e.g., S-1-5-21-98682186-3360650230-258948293).
6. Final Reconstruction
By applying the recovered XOR key to the bytes extracted from the VAD space, the final fragment is revealed.
Decrypted Shard 3: n0_t4l35}
The Flag
SCC{d34d_DLLs_t3ll_n0_t4l35}
3. Vault 126
Category: Forensics
Points: 432
Difficulty: Medium
Description
Following an internal audit of the workstation Admin-PC, a selective triage of forensic artifacts was performed to investigate a suspected unauthorized session.
Initial analysis suggests that a persistent session state may be preserved within the local environment. However, due to recent security hardening on the host, standard recovery procedures have proven unsuccessful. You are tasked with analyzing the provided filesystem structure to verify the identity of the active session.
Known Data:
Target User: Admin-PC
Known Password: Admin123
Environment: Windows 10
Zip Password: forensics
Overview
This challenge focuses on the modern App-Bound Encryption introduced in recent versions of Google Chrome. Standard DPAPI extraction fails because the encrypted_key in the Local State file is double-encrypted: first at the machine level (S-1-5-18) and then at the user level.
Solution
1. Registry & LSA Secrets
The process begins by extracting the DPAPI_SYSTEM secret from the SYSTEM and SECURITY registry hives. This secret is necessary to unlock the machine-level MasterKey.
mimikatz # lsadump::secrets /system:SYSTEM /security:SECURITY
2. Unlocking the System MasterKey
Using the machine secret, we derive the MasterKey for the S-1-5-18 (System) account located in C:\Windows\System32\Microsoft\Protect\.
mimikatz # dpapi::masterkey /in:"\Windows\System32\Microsoft\Protect\S-1-5-18\User\0f72ee3c-8c78-4522-a588-926ef9f3c512" /system:67e4c0007ac65c240f3278682f97535b835cd55caa4310c984b78b1d5d63640a5fb2bd17ea7f5235
SystemKey: 8e266617067c8d324e19d2e145d5a909fd0b1723e85dbf8509ce274aa5955da7fe66f9d86b63fa0a401c2e5cbe58bb813ea5d7419111d037495d5e5fd98eede0
3. Unlocking the User MasterKey
Unlock the user-level encryption using the known password and SID:
mimikatz # dpapi::masterkey /in:"\Users\Admin-PC\AppData\Roaming\Microsoft\Protect\S-1-5-21-...\a47ee1c4-f671-45d8-b518-83170fa9087b" /sid:S-1-5-21-98682186-3360650230-258948293-1001 /password:Admin123
Result: pbData: a5cd29b02511d808a3ebc2c5fb8f9f8545e54fc31a2a559a9611dc1ddb5a4d99
4. Decrypting the App-Bound Key (Double DPAPI Pivot)
With both keys cached, decrypt the Local State key blob (ensure the APPB header is removed):
5. Database Decryption
Use the extracted AES key to decrypt the SQLite Cookies database:
mimikatz # dpapi::chrome /in:"\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies" /masterkey:a5cd29b02511d808a3ebc2c5fb8f9f8545e54fc31a2a559a9611dc1ddb5a4d99
6. Decode the Flag
Flag is stored in AuthToken Cookie. The decrypted cookie value contains JWT token with the flag embedded in its payload. Decoding the JWT reveals base64-encoded flag fragments, which are then concatenated to reconstruct the final flag.
AuthToken: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkFkbWluLVBDIiwicm9sZSI6InN1cGVydXNlciIsImludGVybmFsX2lkIjoiVTBORGUyNHdYMjB3Y2pOZmJURnNhMTltTUhKZmRHZ3pjek5mTTNod01EVXpaRjlqTURCck1UTTFmUT09IiwiaWF0IjoxNTE2MjM5MDI2LCJleHAiOjE4MDUwOTYzMTZ9.w_1pnqEb50fIE4z6GiERzGJbeF3uQ7HRFAm3o2TdOBg
The Flag
SCC{n0_m0r3_m1lk_f0r_th3s3_3xp053d_c00k135}
-
My Path to the HTB CDSA Certification: How I Passed and What I Learned
Summary: This post details my personal journey of passing the practical HTB Certified Defensive Security Analyst (CDSA) exam. It covers my preparation strategy, a breakdown of the 7-day exam experience, and essential tips for anyone aspiring to earn this blue team certification.
Certification at a Glance
Attribute
Value
Certification Name
HTB Certified Defensive Security Analyst (CDSA)
Provider
Hack The Box
Focus Area
Blue Team, SOC, DFIR
Exam Format
100% Practical, Hands-on
Duration
7 Days
Final Deliverable
Professional Incident Report
Hello everyone, and welcome to my first-ever blog post! The feeling is incredible, not just because I’m launching this blog, but because I have some exciting news to share – I have officially passed the Hack The Box Certified Defensive Security Analyst (HTB CDSA) exam!
The journey was challenging but immensely rewarding. Through this article, I want to share my entire experience, from the moment I decided to pursue it, through the preparation, and all the way to the exam itself. I hope my story will be helpful to all of you who are considering the same path.
Overview of the HTB CDSA
The HTB CDSA is not your typical multiple-choice certification. It is a completely practical, hands-on exam that places you in the role of a Security Analyst in a realistic scenario. Its goal is to test your skills in security analysis, Security Operations Center (SOC) procedures, and Incident Response.
This certification is designed for those who want to validate their Blue Team skills. If you are interested in roles like SOC Analyst, Incident Responder, Threat Hunter, or Digital Forensics Analyst, then this is the right choice for you. It confirms that you possess intermediate-level technical competence and are capable not only of finding traces of an attack but also of writing a professional report about it.
Domains & Pricing
The HTB CDSA teaches and tests you in the following domains:
SIEM Operations (Splunk and the ELK Stack)
Log Analysis from various sources
Threat Hunting (proactively searching for threats)
Network Traffic Analysis (Wireshark, Suricata/Zeek)
Basic Malware Analysis
Digital Forensics and Incident Response (DFIR)
Professional Incident Report Writing
Regarding the price, there are two components: the training and the exam itself.
Training (HTB Academy): To be eligible for the exam, you must complete the entire “SOC Analyst” job-role path on the Hack The Box Academy. The most cost-effective option is the Silver Annual subscription, which costs $490 per year. This plan grants you access to all the necessary modules and includes one exam voucher (for the CDSA, CPTS, or CBBH).
Exam (Voucher): If you purchase the exam voucher separately, its price is $210.
So, for the complete package (training + exam), the most common investment is $490 (Before new VIP update).
My Preparation Strategy
Preparation is the key to everything, and there are no shortcuts. The only real path is to complete the entire “SOC Analyst” job-role path on HTB Academy. This path consists of 28 modules (this number may change) that cover everything from the fundamentals to advanced techniques. It’s worth noting that I was juggling my high school classes at the same time, so my preparation process naturally took more time to ensure I could thoroughly absorb all the material.
My approach to preparation was as follows:
Focused Module Completion: I didn’t just read and click “next.” I carefully studied each module and did the hands-on exercises multiple times until I was certain I fully understood the concepts.
Note-Taking: This is absolutely crucial. I used Obsidian for my notes. For every tool and technique, I wrote down key commands, SIEM queries, and processes. I created my own personal cheat sheet that proved invaluable during the exam.
Understanding the “Why”: It’s not enough to just know a command. I made an effort to understand why I was using a specific Splunk query or why I was looking at a particular log file. Understanding the attacker’s perspective greatly helps in defense.
Extra Practice: Although the Academy is sufficient, If you don’t have experience you should do some HTB boxes before attepmting certification.
The 7-Day Exam Experience
The exam itself lasts for 7 days. When you begin, you are given VPN access and a “Letter of Engagement” that explains your task. You are placed in an environment with multiple machines, and your task is to investigate two separate security incidents. During your investigation, you will find evidence, analyze logs, network traffic, memory dumps, and files.
The key to passing isn’t just the technical analysis. To pass, you must write and submit a professional, detailed incident report. This report must contain all your findings, evidence (screenshots), the attack timeline, the tools and SIEM queries you used, and recommendations for remediation. The report carries a massive portion of the final grade.
My 7-day exam felt like a real job as a SOC Analyst. Here’s a breakdown of how it went for me:
On the very first day, I managed to solve 16 out of 20 flags for the first incident. By the second day, I had already met the minimum passing requirement and started writing the report for Incident 1. On the third day, I began working on Incident 2, which was more difficult. After spending two days on that incident, I started writing the report for it.
The final day was dedicated solely to finishing and polishing the report. Throughout the entire process, I took meticulous notes and screenshots. I spent about 5 hours of real, productive work each day. Thanks to my previous experience, I didn’t find the certification overly difficult, but my thorough preparation on the HTB Academy was also a major contributing factor to that.
Key Tips for Success
If you are planning to take the HTB CDSA, here are a few tips from my firsthand experience:
Trust the Academy Process: Everything you need for the exam is genuinely in the modules. Study them in detail.
Notes, Notes, and More Notes: I cannot stress this enough. Organize them by tools and techniques.
Practice Report Writing: Before the exam, read several publicly available DFIR reports (e.g., from The DFIR Report). Practice writing based on a scenario. Use a tool like SysReptor, which HTB recommends.
Manage Your Time: You have 7 days. Make a plan. You don’t need to be at it 24/7. Rest is important to stay fresh and focused.
Take Lots of Screenshots: Document every step, every command, and every significant result with a screenshot. You will thank yourself later when you’re writing the report.
Don’t Panic: If you get stuck, take a break. Go for a walk. The solution is often obvious, but you can’t see it when you’re fatigued.
I hope this detailed breakdown was useful. The HTB CDSA is more than just a certification—it’s a fantastic learning experience that truly prepares you for real-world cybersecurity challenges.
If you have any questions, feel free to contact me!
Touch background to close
EkrUp's blog
