FlagYard Compressed Confession Forensics Challenge
Step-by-Step Writeup for FlagYard's Compressed Confession Forensics Challenge
Challenge Overview
This writeup provides a step-by-step solution to the “Compressed Confession” challenge, which is worth 120 points in the Forensics category on the FlagYard platform.
The challenge is a Windows Registry hive forensics task: you are given a user's registry hive and its transaction logs and must analyze them to recover user activity, application configuration and, in this case, a hidden artifact left behind by an application.
There are many tools for Windows registry forensics (RegRipper, reglookup, Python's python-registry, or plain regedit on a copy of the hive); in this writeup I'll be using Registry Explorer by Eric Zimmerman.
Step-by-Step Solution
In the attachments, you are given a zipped Windows Registry Hive.
Unzip it and go to:
C:\Users\FlagYard\
Inside this folder, you will see these files:
- NTUSER.DAT (the user's registry hive, mapped to HKEY_CURRENT_USER when that user is logged on)
- ntuser.dat.LOG1 (transaction log)
- ntuser.dat.LOG2 (transaction log)
Loading the Hive
- Download Registry Explorer from Eric Zimmerman's tools page and extract it (it runs without installation). Work on a copy of the three files and keep the originals untouched.
- Open NTUSER.DAT in Registry Explorer.
- Because the hive was copied while Windows still had unflushed changes in the transaction logs, Registry Explorer reports it as dirty and asks whether to replay the log files. Hold Ctrl, select both ntuser.dat.LOG1 and ntuser.dat.LOG2, then press OK. Skipping this step risks analyzing a hive that is missing the most recent writes, which is exactly where a planted artifact is likely to live.
- Save the updated hive as NTUSER.DAT_clean when prompted.
- Close the dirty hive and re-open NTUSER.DAT_clean in Registry Explorer.
Finding the Flag
- In NTUSER.DAT_clean, expand the Root directory.
- Navigate to:
Root > Software
- Only a few software entries are listed, which draws our focus to 7-Zip and Microsoft; 7-Zip is the only third-party application present and matches the "Compressed" in the challenge name.
- Expand 7-Zip, then select the Compression subkey.
- In the Values panel on the right-hand side, open the ArcHistory value. 7-Zip uses this value to remember the archive paths recently entered in its compression dialog, so anything that is not a file path stands out.
- Instead of a path, you will find a base64-encoded string here.
Decoding the String
The string ends with =, which is a common indicator of base64 (it is padding, so it only appears when the input length is not a multiple of three bytes; base64 without trailing = is still base64).
Open CyberChef, paste the string, and apply From Base64.
The decoded output is still not readable: it has been XOR-encrypted with the single-byte key 01 (hex).
Apply the XOR operation with key 01 (hex), and the flag is revealed.
A quick way to confirm the key without guessing is to XOR the first six decoded bytes against the known flag prefix FlagY{; with a single-byte key every position yields the same byte, here 01.
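The decode chain above, as an added Python example that is not part of the original writeup: it splits a 7-Zip ArcHistory blob into its strings, base64-decodes the suspicious entry, recovers the single-byte XOR key from the known FlagY{ prefix instead of assuming it, and decrypts. The ArcHistory layout (NUL-terminated UTF-16LE strings laid end to end) is an assumption about how 7-Zip writes that value, and the sample blob and base64 string are constructed here from the flag printed on this page rather than copied from the challenge hive (the hive's string carried trailing padding; this one does not).

```python
import base64

# Constructed sample: the flag shown on this page, XOR'd with 0x01 and
# base64-encoded. Not the exact string from the challenge hive, a stand-in.
SAMPLE_B64 = "R21gZlh6YjExM2BkNmMwOGQ4OTFiZzE2ZWRjYzQ0YjllNDY1NDF8"
FLAG_PREFIX = b"FlagY{"


def arc_history_entries(blob: bytes) -> list:
    """Split a 7-Zip ArcHistory REG_BINARY blob into its strings.

    Assumption: 7-Zip stores ArcHistory as NUL-terminated UTF-16LE strings
    laid end to end. Empty strings (the terminators) are dropped.
    """
    text = blob.decode("utf-16-le")
    return [s for s in text.split("\x00") if s]


def xor_with_key(data: bytes, key: int) -> bytes:
    """Single-byte XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key for b in data)


def recover_single_byte_key(ciphertext: bytes, known_prefix: bytes):
    """Known-plaintext recovery of a single-byte XOR key.

    c[i] ^ p[i] gives the key byte at each position of the known prefix.
    If every position agrees, that byte is the key; otherwise return None,
    meaning either the prefix guess or the single-byte-key assumption is wrong.
    """
    if len(ciphertext) < len(known_prefix):
        return None
    candidates = {c ^ p for c, p in zip(ciphertext, known_prefix)}
    return candidates.pop() if len(candidates) == 1 else None


def solve(b64_string: str) -> str:
    """Base64-decode, derive the XOR key from the flag format, decrypt."""
    ciphertext = base64.b64decode(b64_string)
    key = recover_single_byte_key(ciphertext, FLAG_PREFIX)
    if key is None:
        raise ValueError("not FlagY{...} under a single-byte XOR key")
    return xor_with_key(ciphertext, key).decode("ascii")


if __name__ == "__main__":
    # Constructed ArcHistory-style blob: one ordinary archive path plus the sample.
    blob = "\x00".join(
        ["C:\\Users\\FlagYard\\notes.7z", SAMPLE_B64, ""]
    ).encode("utf-16-le")
    for entry in arc_history_entries(blob):
        print("ArcHistory entry:", entry)
    print("recovered key:", hex(recover_single_byte_key(base64.b64decode(SAMPLE_B64), FLAG_PREFIX)))
    print("flag:", solve(SAMPLE_B64))
```

Recovering the key from the flag format rather than trusting a hint generalizes: if the same writer had used any other single byte, `recover_single_byte_key` would still find it, and a `None` result tells you to look for a longer key or a different transform.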
Flag: FlagY{c002ae7b19e980cf07debb55c8d57450}
Happy Hunting! Follow me on Twitter/X or connect with me on LinkedIn; you can also DM me on Discord with any queries!