[CTF] DEFCON9111 0x05 CTF - Writeup


Forensics - Challenge 1

We are given a pcap file, I opened it in Wireshark as usual. Checked the packets and majority are HTTP.

Our objective is to find most malicious executable from this pcap file, since most of the packets are HTTP, I opened the HTTP objects export window ( File –> Export Objects –> HTTP ). There is multiple exe files, saved all files to a folder by clicking Save All button.

Afterwards I uploaded each exe files to virustotal , Among them CandyCrush.exe had the most malicious score.

Just check the md5 of the CandyCrush.exe file, md5sum CandyCrush.exe.

flag : DC0x5{944051786d60b086e659476b586905a8}


Forensics - Challenge 2

In this challenge we are given with a zip file. The zip is encrypted, we have to crack the password to extract it.


$ zip2john TipstoBecomeRich_DownloadNow.zip > ziphash
$ john --wordlist=/usr/share/wordlists/rockyou.txt ziphash
$ unzip -P blahblahblahblah TipstoBecomeRich_DownloadNow.zip

Extracting the zip file gives a MSWord document named Lottery.docm. The document is telling/tricking user to enable editing mode. Enabling editing mode will allow to run malicious vbscripts embedded in the document.

The MSWord doc file is basically a zip, we can extract it and see different file contents and configs. I extracted the Lottery.docm file and then run grep on the folder to find flag. It looks like flag is in multiple parts, I obtained first part from document part of the Lottery.docm file.


$ unzip Lottery.docm
$ grep -rnw . -e "DC0x5"

flag part 1 : DC0x5{ZFAgzgoLBXJNH1m7SKAs

We saw in the document to enable the edifing mode. So I assume rest of the flag parts would be in the malicious scripts embedded with this file. I used olevba tool to check embedded vbascripts, pip2 install oletools in case if you haven’t installed it.

Looking at the script I can see many ASCII codes and also a reverse function at the bottom, I copied all the ASCII codes to a file. Finally made a python script to decode ASCII codes.


a = [103, 110, 105, 114, 97, 104, 115, 61, 112, 115, 117, 63, 119, 101, 105, 118, 47, 121, 122, 109, 74, 82, 72, 49, 71, 77, 76, 102, 52, 75, 121, 109, 89, 80, 118, 107, 82, 72, 111, 98, 45, 117, 98, 70, 74, 74, 114, 113, 54, 49, 47, 100, 47, 101, 108, 105, 102, 47, 109, 111, 99, 46, 101, 108, 103, 111, 111, 103, 46, 101, 118, 105, 114, 100, 47, 47, 58, 115, 112, 116, 116, 104]

a.reverse()

for i in a:
    print(chr(i), end='')

Running the script gives a Google Drive URL :
https://drive.google.com/file/d/16qrJJFbu-boHRkvPYmyK4fLMG1HRJmzy/view?usp=sharing
It is also a password protected zip file. After cracking the password and extracting zip file we get the final part of the flag.

flag : DC0x5{ZFAgzgoLBXJNH1m7SKAsptUGP626azte4O7yjBt6}


Forensics - Challenge 3

This is a log analysis challenge, we are given a webserver logfile. The challenge Hint says not to bother about sessionID in the logs. Searching for flag format doesn’t help, I was careless and submitted this string but it was incorrect.

Then after some time, I found an upload endpoint under profile page. Looks like someone tried to backdoor the server and one of the RCE command have a link. controlc.com is similar to pastebin, so the flag must be there.

flag : DC0x5{REdDUI23zgshR77v4EsFjJwjDaBybvlj1WeqcMhh}


Forensics - Challenge 4

This challenge involves memory forensics, once again a password protected zip. This time the file is huge, so using zip2john isn’t a good idea. Instead I used fcrackzip -D -p /usr/share/wordlists/rockyou.txt -u windowsmemfor.zip to bruteforce the password, password is helloworld. Then I checked the OS profile with volatility and got Win7SP1x86 result.

The I looked at the process list with cmdscan module but couldn’t find any useful data. After some time I checked the clipboard module and found few base64 encoded strings, decoding them gives the ZIP file header. Enabling verbose mode showed the complete data in the clipboard.

I copied the base64 string and decoded it with CyberChef.

flag : DC0x5{oTyXsptrgqbh0WkqUIRFwypVmqov4FIvzVPJ08zA}


Crypto - Mordor

Encryption used in this crypto program is basic XOR. Its easy to decrypt because we just need to let the encrypted string go through the encryption function again since its just XORing. I copied the code in flag.enc file and made list.


def decrypt():
    msg = [87,80,35,107,38,104,65,32,69,32,65,64,34,93,84,76,94,35,87,76,68,39,64,76,85,70,93,76,117,113,42,32,38,42,110]
    a = 0x13
    b = 0x1337
    dec = []
    for char in msg:
        dec.append((char ^ a) % b)
    return dec

decrypted = decrypt()

for char in decrypted:
    print(chr(char), end='')

flag : DC0x5{R3V3RS1NG_M0D_W4S_FUN_fb9359}


Misc - Bundled Zip

The zip file is password protected, I just entered the filename as password and it was correct. So password for each zip file is its name itself. I made a bash script to automate this.


for i in {1999..0}
do
        unzip -q -P zip$i zip$i.zip
        rm zip$i.zip
done

echo "Extraction Complete"
cat flag.txt

flag : DC0x5{PgROwuUYV7BFZxwGhiF6cXmjFlT5vWqEk7kmVuTh}


Misc - hEar

We are given a WAV file. I opened it in Sonic Visualiser and applied Spectrogram Layer by pressing shift + G.

flag : DC0x5{w4rmup_d0n3}


Misc - Lovely Soup

This is a OSINT challenge, we are given the username of Author : cybersapien. In the description it is mentioned he uses pastebin, so I simply searched pastebin cybersapien and the first result had our Author’s Medium profile.

From his Medium profile i got his twitter profile, it had the link for his blog.

Finally checked his website page source and searched for pastebin in it.

It have a base64 encoded string, simply decode it to get the flag.

flag : DC0x5{Y0U_AR3_PYTH0N_L0V3R}