Skip to content

sixkwnp/SCIST-S3-Final-CTF-Misc

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

42 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Contents:


Walkthrough

不要使用假帳看 Hint 啦,不然我要怎樣釋出更多的提示QQ


Deepeye

Format stego,Image stego

I am not the script kiddie... But I'll be the master of psychic!

FLAG Format: SCIST{.*}

  • Author: sixkwnp
  • Fri, Jul 7, 2023 4:08 PM

Hint1: 網路有現成工具可解題,請仔細聽 .wav 音頻,裡面有非常明顯的提示;並且,題目共須解開三層關卡。


Solution

In the Deep.wavfile, It had mentioned three computer tools or tricks repeatedly. Two of them, Deepsound and Magiceye (one way to steghide the image(Stereogram)), are the tools we need to solve for this challenge.

ex:

upload_cae57f0b35c351b3b1e3b0ef3e79e9a8

  1. Deepsound (.wav steghide a PDF file) ->
  2. Password is SCIST which is everywhere in the first line of .wav sound. Then we send Deep.wav to Deepsound and get a PDF file. ->

upload_4d078310b23d9ac0d699790f07fc5697

upload_2a5c8b5df7504334c883784a7318d4dd

  1. And we will be notified that First.pdf is damaged.

upload_5f699a853d55869ab7a516468c2d9a3f

  1. The correct path is to check whether this file is damaged or not. If it isn't broken, we have to find ways to open it. (There're also PDF repair challenges in Misc sometimes though) ->

upload_8d6cac6cde9c50db9b14496a722e9187

  1. After we tried to use hexdump to check PDF whether broken or not, we'll see the first line.
50 4B 03 04 | PK.. #it's the header of zip (Phil Katz)
  1. So we have 70% confidence that it's a fake .pdf file, it should be a .zip file. Addtionally, Binwalk/ Hexeditor can also find the real Filename Extension or something steghiden & compressed inside. (For instance, HxD is a great freeware to utilize and solve)

binwalkex:

upload_7e3e5a5a64f74baedbc76a852211f92f

(p.s: there's a possibility that we should change header to 25 50 44 46 2D (.pdf header) and tail of the file, but this challenge kinda few 'cause it's somewhat uncertain & need to guess)

  1. Got Final_H4ck3R.jpg image and a file called Second.

upload_a03f21836c9ce6079589de4ec84b6a51

InSecondfile:

upload_468e92f3e72ca2d23037949d0d1f2d66

Final_H4ck3R.jpg:

upload_93e1716b4d5ad777016f453dc587c677

  1. In the audio of Deep.wav (mentioned Magiceye) and Second (mentioned Magic!) hinted twice about Magiceye this trick.
  2. There're online solver related to Stereogram or Magiceye already (Automatically detect the format). example:

- Final FLAG : SCIST{YoU_4r3_K1N6_oF_T31eP47HY_XD}


Manatsunoyoru no Attack

Forensics,Pcap analysis

屈原既放,遊於江潭,行吟澤畔,顏色憔悴,形容枯槁。見一鯊,欲用線逮之,疑是身心俱疲,有黑色高級車,不幸追之。其一曰三浦,庇年幼者,俱攬其責。高級車主,暴力團員谷岡也,見此提要求數條,乃為……

upload_403456274e941d23898f2368133fdece

FLAG Format: SCIST{.*}

  • Author: sixkwnp
  • Fri, Jul 7, 2023 4:08 PM

Hint: Pcap 檔包含文字對話與混淆的亂碼,請活用 Wireshark Filter 以過濾封包,或者使用各式內建功能找到關鍵訊息;另外,要取得必需的 key 時,請觀察特定 Packet 會話收送之 IP 變化,本題目總共存在三層關卡。


Info

By using the various built-in function in the Wireshark or Tshark, we can easily identify which kinds of datas are what we want.

For example, Wireshark filter can help us to difference different packets of protocols, and it's helpful for these "fairly organized" packet flow challenge; also, Conversations function in the Wireshark is a useful tool whether to solve the CTF challenge or detect the malicious network traffic in server rooms scenario.

ex:


Location of Conversations function:


If you want to know more about

  1. Network Packet Analysis
  2. Monitoring Network Traffic
  3. Solving Pcap Forensics CTF Challenge
  4. Network Management

I had recorded some Wireshark entry video for training Network Manager & CTF player, welcome to check it:

Solution

There're many ways to solve my second challenge, I will choose two way to explain it.

Slow Method (newbie)

  1. Use filter for differencing different protocols to find which traffic seem more malicious; If we Scroll Down, we'll see there're a lot of ARP(Broadcast) than any others like ICMP | TCP | UDP. But that's not enough to get the FLAG.

    If you have experience related to network field, you would know that transferring data while reaching websites often uses HTTP protocol.

    (P.S.) Maybe you would notice I put MORE THAN THOUSANDS packet to interrupt anyone to find the FLAG using string -a ;)

    Like this:

    Or like this:

    Even like this: upload_d7b5b59acd8abaf4be94d6a24c489bbc

    Eastern Egg XD:

    upload_e3f154aa461e91406e282ce0ad7d7133

  2. If using TCP u might see some interesting things. But firstly let us check packet under FLAG???? and SCIST{ :

    There's a hint:

    upload_3856d0adc42771a2b4f23867abad9b41

    upload_060e233ddd515ab5e62c8b7927ef462b

  3. After that or using tcp filter, we'll easily see some malicious conversation. It's about a hacker called ''Senpai'' attacking the computer of ''MiURa''.

    Here's some image, you can watch detailed story in Black_Luxury_Car.pcap:

    upload_59b5a2f85d4e5bf8d5aa3d1b9c5b1783

    • The green TCP stream means Client Hello Packet, first packet of Three-Way Handshake (三向交握)
  4. Additionally, kinda a fun thing is that you would find IPs related to challenge or being modified are 192.168.5.55 & 192.168.244.22 -> represented Senpai and MiURa.

    (這裡需要道個歉,IP 沒有設定好,在故事部分會一直 Decrease,開賽時沒發現到這點沒修改到,因此以第一個發送的封包為準,但大部分還是可以從這判斷,從 Conversations 較為明顯)

    封包發送數量明顯較多:

    upload_aa00b7cde4d58da0b4d29052348fc05f

  5. Two packets including all data of PDF below; also, if you discover this thing, you will know you should find the key.

    SeNPai smiled and said: "OK, then. The first thing you need to do is to know this PDF..But where's the key??

    upload_cc5077441412770cf4312011b6a914aa


    Following packets -

    PDF:

    upload_53bbad0f896f7a3b8d55f50b98633c74

    upload_0bc3a35f281f55b6ac7c7df14dd70251


    Null packet:

    upload_9e6db6a9a1bc86eb20a0a88d9d5387bf

    upload_ef067092421b3fdece7e3ec7d4f8e2e0


    Hint:

    Plz combine the HEX of PDF upload_9091c5a803d96662fa54188ef637b030


    Knowledge requirements

    Black - Packet Header (include the info of packets, length, protocols, 5 levels of OSI)

    Blue (The data part which I select) - Hex / Data transferred by packet

    So we should export the selected part:

    • upload_edfbab28c93894d6aa6238bd1d11bfe2

  6. Exporting object

    (1) Method one

    upload_d2b03178a8b48233ae2032ffa14e7103

    (2) Method two

    upload_ec144ac2c57c4b6d81b683d0acea0955

    (3) Method three

    upload_38b48e497609eb132991cdc2ba3a6777

     Method(2) you will need to delete space using like this one http://www.esjson.com/delSpace.html  
    
  7. Remember to remove packet header many 00 00 00 00in the tail of second packet.

    (after 45 4f 46 0a)

    upload_3a9ff720c206fa8622f9b059f7a7ac85

  8. Hex to file (or use 010editor, Notepad++, HxD...):

    upload_d3592080a26016d8a2e52be31182f4bd

  9. It's encrypted:

    upload_1689b27c0d7360a114c9ed978b2fc738

  10. Tring to use Seipai and MiRUa's IPs to find the key of PDF.

    upload_8b02d10e94257edee9911f75b8525be1

    BOOM!!! The last conversation packet of them stored 32 characters key 2a9d119df47ff993b662a8ef36f9ea20 has found by you!

  11. To prevent the Key leaked by the string -a, I used Base64 to encode it. (Maybe use cipher identifier to decode?)

    upload_95e664c9fae651065af1aae3b19618d4

  12. Decoding Result:

Fast Method

  1. Just use Conversation, you would not only find the story, also quicker to see the key in the last packet. (ip.addr of Encrypted PDF is 0.0.0.0, but still, easier to find when you saw Packet Sequence Number)

    upload_f1c73d1a041364a63454184a40b4845e

- Final FLAG : SCIST{pc4p_4n4lyS15_1snT_h4rd_W17H_Bl4CK_LUXURY_C4R}


Entry Forensics

Disk forensics,MEM forensics

In Disk Forensics challenges, participants are typically presented with a disk image or a collection of files, which they must examine and extract relevant information from. Revolving around investigating and analyzing data stored on computer hard drives or other storage devices to uncover valuable information, such as evidence of malicious activity, data breaches, or unauthorized access.

You need to utilize their expertise in various CTF abilities of digital forensics, including identifying hidden files or directories, data recovery techniques, analyzing file system structures, cracking encrypted content, or reconstructing a sequence of events leading up to a particular incident.

Challenge Background: 最近一家跨國公司遭遇了一次嚴重的資料外洩,該公司的 IT 部門從受影響的電腦之一提取了一個 Disk image,他們懷疑其中包含了與外洩事件相關的重要證據;作為一名數位鑑識調查人員,您的任務是分析這個 Disk image,並找到以 FLAG SCIST{a-z_A-Z_0-9} 表示的關鍵信息,以協助調查工作。

  • Author: sixkwnp
  • Fri, Jul 7, 2023 4:08 PM

Hint1: 用工具或指令對 .mem dump 出 FLAG 資料夾的位置 Hint2: FLAG 為 .png 檔案


Solution

(Many ways / hints)

  1. Use FTK Imager, Autopsy or other Forensics tool to open it, we don't introduce and teach the funtions of these tools step by step here, there're a lot of tutorials on the internet. (p.s. walkthrough lots of disk forensics/mem forensics will be helpful for utilizing these tools)

     [root] means the system disk. ex: C:\ in the windows system
    

This a Windows image, just see the name of dir. upload_5884992e376b9d781968ad9b73f21605

upload_37d4b118364d07d54daad36f43fe8a97

  1. Fail to generate Malicious_Image.ad1... -> .txt is the log You can think that the company tried to generate this disk image for DFIR, but the process was broken by hacker's intrusion.

!upload_b6266c384069287eeeedc05eb5022e35

Hints
- C:\Users\sixkwnp\Documents
- C:\Users\sixkwnp\Contacts
- C:\Users\sixkwnp\Videos
  • upload_510933380205500e623cb8b64e8f2a50

  1. It gave you a file called SCIST.Entry.forensics.txt (find detail below), and SCIST_address hint the address of .MEM forensics file:
    C:\Windows\SysWOW64\Recovery\Company\SCIST.fixed.mem
    

C:\Users\sixkwnp\Documents: upload_3c419f098fb224d0c3641296ccccb659

Memory Forensics

Introduction Memory analysis or Memory forensics is the process of analyzing volatile data from computer memory dumps. With the advent of “fileless� malware, it is becoming increasingly more difficult to conduct digital forensics analysis. Memory analysis not only helps solve this situation but also provides unique insights in the runtime of the system’s activity: open network connections, recently executed commands, and the ability to see any decrypted malicious file. There are plenty of traces of someone's activity on a computer, but perhaps some of the most valuble information can be found within memory dumps, that is images taken of RAM. These dumps of data are often very large, but can be analyzed using a tool called Volatility provided by the Volatility Foundation.

Volatility is an open-source memory forensics framework for incident response and malware analysis. This is a very powerful tool and we can complete lots of interactions with memory dump files, such as:

  • List all processes that were running.
  • List active and closed network connections.
  • View internet history.
  • Identify files on the system and retrieve them from the memory dump.
  • Read the contents of notepad documents.
  • Retrieve commands entered into the Windows Command Prompt.
  • Scan for the presence of malware using YARA rules.
  • Retrieve screenshots and clipboard contents.
  • Retrieve hashed passwords.
  • Retrieve SSL keys and certificates.
  • SCIST.Entry.forensics.txt

upload_c7bdda3e79e1b74fe70eff8fa15e8ba1

  • SCIST_address

There's also a hint upload_6f74d6604ef609c67705e571d0b249a4

  • [root] -> C:\
  1. As you follow the hint, you should use your Mem Forensics skills/tools to solve .MEM file hidden challenge; but first, let us find hints / stories in Directory that mentioned in Malicious_Image.ad1.txt:
    - C:\Users\sixkwnp\Contacts
    - C:\Users\sixkwnp\Videos
    
  • First story that later will use in solving final challenge

C:\Users\sixkwnp\Videos:

upload_f3002fa1e3c3facafbea798688d4c9db

[17:35] <phy114c1<3r>:

I have some news for you. I found a way to hack into the confidential computer of the company we are targeting.

[17:36] <phy114c1<3r>:

it's not easy, but it's possible. You need to use a special software that I developed, and a code word that I will give you.

[17:37] <phy114c1<3r>:

are you interested?

[17:40] <zal0>:

of course I am! This is what we have been waiting for. How did you do it?

[17:41] <phy114c1<3r>:

I can't tell you the details here, it's too risky. But I can show you the software and the code word when we meet.

[17:42] <phy114c1<3r>:

the software is called Zephyr, and it can bypass the security system of the computer. The code word is Z̴͆̆̾̆̈́̈́̄͊̈́͂̃Í�̣͖̦̲̭̙̭̾Ì�̩̦Ì�̗͉aÌ´Í›Ì�Ì�̿̾̀̅̓̑̚̚Ì�͂̒̀̚Í�̖̟̞̞̬̦͙̰̱lÒˆÍ�Ì�ÍŠÍ�Í�̙͈̜͈̘̀ͅg̶̦͖̰̤̖̬̙̩̦̎̄͗̉̑oÌ´Í�Ì“Ì�̫̟̮̲̭͙̰̞͉͉͌̈̀͋̀͗͗͆͂.̸͛͋̈̚Í�̑̎̇Ì�ÌŠÌ�Ì�͓̀͗̾͂Ì�͕̱Í�Ì Í•Ì¤ÍˆÍ™Ì¬ÌŸ.̶̪̂͒̌͌̀͒̄Í�̱͙̥͈̞̮̩͓̘͎ͅÍ�Ìœ.̶͊̀̿͌̾̽Ì�͓͈̬͖̣̳̱͕͇̪̳̙̘͕̆̾, just put the software into the confidential computer in ur company.

[17:43] <zal0>:

Zephyr and Z̴͆̆̾̆̈́̈́̄͊̈́͂̃Í�̣͖̦̲̭̙̭̾Ì�̩̦Ì�̗͉aÌ´Í›Ì�Ì�̿̾̀̅̓̑̚̚Ì�͂̒̀̚Í�̖̟̞̞̬̦͙̰̱lÒˆÍ�Ì�ÍŠÍ�Í�̙͈̜͈̘̀ͅg̶̦͖̰̤̖̬̙̩̦̎̄͗̉̑oÌ´Í�Ì“Ì�̫̟̮̲̭͙̰̞͉͉͌̈̀͋̀͗͗͆͂.̸͛͋̈̚Í�̑̎̇Ì�ÌŠÌ�Ì�͓̀͗̾͂Ì�͕̱Í�Ì Í•Ì¤ÍˆÍ™Ì¬ÌŸ.̶̪̂͒̌͌̀͒̄Í�̱͙̥͈̞̮̩͓̘͎ͅÍ�Ìœ.̶͊̀̿͌̾̽Ì�͓͈̬͖̣̳̱͕͇̪̳̙̘͕̆̾. Got it. When can we meet?

ㄎ̸̔̉̃͋�͕̀̀̅��̤̲̱�̜̪̫̣̥̙͓ㄕ̵̎̄�͎͎̙̭̚�̥͙͕̭̥̮̘͎ㄊ̵̊̒̄�͇̀̉̊̆̚�̫�͎͈̭̩̟ㄎ̸̔̉̃͋�͕̀̀̅��̤̲̱�̜̪̫̣̥̙͓ㄕ̵̎̄�͎͎̙̭̚�̥͙͕̭̥̮̘͎ㄊ̵̊̒̄�͇̀̉̊̆̚�̫�͎͈̭̩̟ㄎ̸̔̉̃͋�͕̀̀̅��̤̲̱�̜̪̫̣̥̙͓ㄕ̵̎̄�͎͎̙̭̚�̥͙͕̭̥̮̘͎ㄊ̵̊̒̄�͇̀̉̊̆̚�̫�͎͈̭̩̟ㄎ̸̔̉̃͋�͕̀̀̅��̤̲̱�̜̪̫̣̥̙͓ㄕ̵̎̄�͎͎̙̭̚�̥͙͕̭̥̮̘͎ㄊ̵̊̒̄�͇̀̉̊̆̚�̫�͎͈̭̩̟ㄎ̸̔̉̃͋�͕̀̀̅��̤̲̱�̜̪̫̣̥̙͓ㄕ̵̎̄�͎͎̙̭̚�̥͙͕̭̥̮̘͎ㄊ̵̊̒̄�͇̀̉̊̆̚�̫�͎͈̭̩̟ㄎ̸̔̉̃͋�͕̀̀̅��̤̲̱�̜̪̫̣̥̙͓ㄕ̵̎̄�͎͎̙̭̚�̥͙͕̭̥̮̘͎ㄊ̵̊̒̄�͇̀̉̊̆̚�̫�͎͈̭̩̟ㄎ̸̔̉̃͋�͕̀̀̅��̤̲̱�̜̪̫̣̥̙͓ㄕ̵̎̄�͎͎̙̭̚�̥͙͕̭̥̮̘͎ㄊ̵̊̒̄�͇̀̉̊̆̚�̫�͎͈̭̩̟

[17:45] <phy114c1<3r>:

tomorrow night, at the usual place. Be careful, and don't tell anyone else about this.

[17:46] <zal0>:

don't worry, I won't. See you tomorrow, hacker buddy.

[17:47] <phy114c1<3r>:

see you tomorrow.

  • confidential.cam
  1. Check other dirs
C:\Users\sixkwnp\Contacts

C:\Users\sixkwnp\Contacts:

upload_e6904e10460cc8a583b2718b6a83ff4b


  • Hint twice about the location of .MEM file challenge below

C:\Users\sixkwnp\Contacts\Company Confidential:

upload_7053ba3289dfcc9f04506504146b712c


  • Second story that later will use in solving final challenge

C:\Users\sixkwnp\Contacts\Andrew:

upload_da6625ba65d3dc284764a8b55bcb7961

<Zoe> 2023-07-06 16:46:00

I'm ready. Today is my last day at this company. Are you sure you've inserted the malicious software into the highly confidential computer?

<Andrew> 2023-07-06 16:46:15

Don't worry, I've taken care of everything. Once you press the send key, it will trigger the malicious software and crash the entire system.

<Zoe> 2023-07-06 16:46:30

That's great. I've been waiting for this day for a long time. This company and CEO Mattias deserve to be punished for all the unfair things they've done to us.

<Andrew> 2023-07-06 16:46:45

Yeah, they never value our work and contributions. They only exploit our labor and intelligence. We need to show them that we're not to be messed with.

<Zoe> 2023-07-06 16:47:00

Let's take action together then. I'm pressing the send key now. Goodbye, Andrew. I hope you find a better job.

<Andrew> 2023-07-06 16:47:15

Goodbye, Zoe. I wish you all the best. We may never see each other again, but I'll always remember you.

  • Andrew\1.txt

  • Hint third about .MEM challenge and some tools + challenges

C:\Users\sixkwnp\Contacts\Zoe || C:\Users\sixkwnp\Contacts\Zephyr:

upload_3a85a555b353dbefd7476142a7c19d0a

Browsing History

https://en.wikipedia.org/wiki/Memory_forensics

8.8.8.8

https://github.com/apsdehal/awesome-ctf

https://github.com/volatilityfoundation/volatility3

  • Zoe\1.txt && Zephyr\1.txt
  1. And then we can go to C:\Windows\SysWOW64\Recovery\Company\SCIST.fixed.mem to solve Mem Forensics chanllenge.
  • Use build-in funtion (FTK imager, Autopsy, other tools...) to Export the .MEM file

upload_0b18795407a4a9f445a3737684ebeb69 -

  1. Use Volatility2(Recommended -> more funtions for WIN), Volatility3, strings -a | grep <keyword in stories>,... to find where's the flag.

For instance:

cd volatility
python2 vol.py -f SCIST.fixed.memi mageinfo   # identify the operating system
---
python2 vol.py -f SCIST.fixed.mem --profile=Win10x64 cmdscan   # CMD history
---
python2 vol.py -f SCIST.fixed.mem --profile=Win10x64 consoles  # CMD history alternatives
cd volatility3
python3 vol.py -f SCIST.fixed.mem windows.cmdline.CmdLine    # CMD history(不完整)
---
python3 vol.py -f SCIST.fixed.mem windows.pstree   # List the Running Processes while the memory dump was taken
---
...

Just use volatility2 or other tools to find Powershell/CMD history, we can easily find the hacker had tried below in the terminal.

cd 'C:\Users\sixkwnp\Appdata\Local\Temp\'
mkdir 'Who is zal0 CASESENSITIVE'
cd '.\Who is zal0 CASESENSITIVE\'
mkdir 'Who is phy114ck3r'
cd '.\Who is phy114ck3r\'
mkdir 'Who is CEO'
cd '.\Who is CEO\'
mv C:\Users\sixkwnp\Appdata\Local\Temp\112f3a99b283a4e1788dedd8e0e5d35375c33747.png .

You also can dump the file below to get Terminal(Powershell) history

C:\Users\sixkwnp\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt.
  1. Then we just go to C:\Users\sixkwnp\Appdata\Local\Temp\using Disk forensics tool

Export this Who is zal0 CASESENSITIVE.7z file

upload_0397d79ec10ada2d45057e30897bb0f0

  • C:\Users\sixkwnp\Appdata\Local\Temp
  1. If you take a glance at two stories and C:\Users\sixkwnp\Contacts, easily can understand who is zal0, phy114ck3r and CEO, respectively.

upload_0c7e1ce0744d5054d5115482ae4a78fb

  • key: Zoe (Case sensitive)
  • Who is zal0 CASESENSITIVE.7z

upload_ae7cbb4467f4cb26732ea6b16ae152fb

  • key: Andrew (Case sensitive)
  • Who is phy114ck3r.7z

upload_08018ee34a18c1db1e1e1f4cf109d66f

  • key: Mattias (Case sensitive)
  • Who is CEO.7z
  1. Successfully dump the flag!

  • upload_21520a484f556fb87738faf8891b562d

  • 112f3a99b283a4e1788dedd8e0e5d35375c33747.png

- Final FLAG : SCIST{Vol4T1L17Y_C4N_do_4LL_Non53nse_M3MFoR3Ns1cs}