forensics, free, easy

Gen-Z Found My Registry

metactf

Task: inspect a Windows Services registry export containing rogue persistence entries and hidden one-character values scattered across legitimate keys. Solution: collect the numbered characters, then decode them with the position-based +7/-6 ASCII shifts hinted by the malicious +7 and -6 services to recover the flag.

$ ls tags/ techniques/
registry_service_triage  hidden_value_extraction  alternating_ascii_shift_decoding

Gen-Z Found My Registry — metactf

Description

No separate organizer description was provided with the artifact beyond the registry export chal.reg.

English summary: the challenge provides a Windows registry export for the Services hive. The goal is to identify the malicious persistence entries, recover the hidden payload spread across legitimate service keys, and decode it into the flag.

Analysis

Artifact triage shows that chal.reg is a UTF-16 Windows Registry export of HKLM\SYSTEM\CurrentControlSet\Services. Most of the file contains normal service definitions, but three added services stand out immediately as malicious persistence:

  • HKLM\SYSTEM\CurrentControlSet\Services\+7
    • ImagePath = cmd.exe /c start cmd
    • ObjectName = LocalSystem
    • Parameters\evens = ""
  • HKLM\SYSTEM\CurrentControlSet\Services\-6
    • ImagePath = cmd.exe /c start cmd
    • ObjectName = LocalSystem
    • Parameters\odds = ""
  • HKLM\SYSTEM\CurrentControlSet\Services\MALWARESVC
    • ImagePath = cmd /c start cmd.exe
    • ObjectName = LocalSystem

The ImagePath values clearly launch a command shell as LocalSystem, so these keys are suspicious on persistence grounds alone. The more important clue is the naming and parameter scheme of +7 and -6: the +7 service carries a Parameters\evens value and the -6 service carries Parameters\odds, which strongly suggests a decoding rule based on position parity.

The registry also contains hidden numbered single-character string values inserted into legitimate service keys. Ordered by number, the payload is:

1='J', 2='Z', 3='}', 4='`', 5='I', 6='M', 7='L', 8='t', 9='w', 10='n', 11='9', 12=',', 13='t', 14='X', 15='6', 16='_', 17='e', 18='m', 19='n', 20=',', 21='e', 22='a', 23='7', 24='o', 25='9', 26='v'
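As an added example (not the writeup's own code), the Python below applies the parity rule to the payload listed above and also runs a small triage pass over a constructed .reg excerpt laid out like the export: the sample keys and values, the HKEY_LOCAL_MACHINE path spelling, and the "ImagePath runs cmd" heuristic are assumptions for this illustration, not content taken from chal.reg.

```python
import re

# Payload as listed in the writeup (position -> hidden one-character value).
PAYLOAD = {1: 'J', 2: 'Z', 3: '}', 4: '`', 5: 'I', 6: 'M', 7: 'L', 8: 't', 9: 'w',
           10: 'n', 11: '9', 12: ',', 13: 't', 14: 'X', 15: '6', 16: '_', 17: 'e',
           18: 'm', 19: 'n', 20: ',', 21: 'e', 22: 'a', 23: '7', 24: 'o', 25: '9', 26: 'v'}

def decode(payload, even_shift=7, odd_shift=-6):
    """Even positions get +7 (Parameters\\evens), odd positions -6 (Parameters\\odds)."""
    out = []
    for pos in sorted(payload):
        shift = even_shift if pos % 2 == 0 else odd_shift
        out.append(chr(ord(payload[pos]) + shift))
    return "".join(out)

# Constructed .reg excerpt (not chal.reg) in the same layout: one hidden numbered
# value inside each of two legitimate keys plus one rogue service launching cmd.
REG_SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache]
"DisplayName"="DNS Client"
"2"="Z"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\+7]
"ImagePath"="cmd.exe /c start cmd"
"ObjectName"="LocalSystem"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"1"="J"
'''

KEY_RE = re.compile(r'^\[(.+)\]\s*$')
VAL_RE = re.compile(r'^"([^"]+)"="((?:[^"\\]|\\.)*)"\s*$')  # "name"="string"

def triage(reg_text):
    """Return (keys whose ImagePath runs cmd, {position: hidden char}).
    The cmd heuristic is an assumption for this sample, not a general rule."""
    suspicious, hidden, key = [], {}, None
    for line in reg_text.splitlines():
        m = KEY_RE.match(line)
        if m: key = m.group(1); continue
        m = VAL_RE.match(line)
        if not m or key is None: continue
        name, data = m.group(1), m.group(2)
        if name == "ImagePath" and re.search(r'\bcmd(\.exe)?\b', data, re.I):
            suspicious.append(key)
        elif name.isdigit() and len(data) == 1:   # hidden "N"="c" values
            hidden[int(name)] = data
    return suspicious, hidden
```

chal.reg is UTF-16, so read it with open(path, encoding="utf-16") before handing the text to triage(); decode() then takes the hidden dict directly.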

Exact locations of the hidden values:

...
