CyberTalents BlueTeam Scholarship CTF Writeups

a1l4m
6 min readSep 30, 2023

--

scoreboard

I had the privilege of participating in an individual Capture The Flag (CTF) event hosted by Cybertalents, wherein I achieved first place by successfully solving all of the challenges presented. This article serves as a comprehensive write-up, recounting the experience and providing insights into the various intriguing challenges encountered. Have fun.

Note: The Writeup will start with Hard and go until easy

Let’s just get started.

Challenge Name: History 102
Difficulty: Hard
Category: Digital Forensics

History 102

In this challenge, we got an image file for a Windows system. I used FTK Imager for looking around for anything looking weird, and I have checked the most common places when it comes to forensics, like downloads, documents, desktops, and temp directories.

The only thing I have found is this, which is a bit sus.

downloads folder.

So, I get the hash of the executable, and looking at the virus total, it shows that it is malicious.

Now we have the first part of the flag Flag{316fcaf0160b0025e13187624d0ac081_?_?}

The challenge name is History, so it kind of makes sense to check the history of the browser. Also, the challenge says the ads got him.

Checking history at this path AppData/Local/Micorosoft/Edge/UserData/Default/History. Open it with any SQL lite viewer.

History

Now you got the second part Flag{316fcaf0160b0025e13187624d0ac081_156.26.173.114_?}

For the last part of the flag, it requires a bit of reverse, but before that, let me explain the mindset. We need to get the wallet address that it may be a bitcoin address or smth, so normally attackers leave that as a note on Desktop folder, but in our case, there are no files there. After checking the strings on the malicious executable and doing some basic static analysis, I had no luck.

That’s when i decided to fire IDA, which is debugger that reverse engineers use for extracting IOCs and doing their reverse nerdy stuff

IDA

When I fired, I noticed this string 'secr3t', which is value that the malware stored inside this registry key SOFTWARE\Microsoft\Windows NT\CurrentVersion.

I have exported the SOFTWARE Hive and checked this secr3t value, and we got something.

secr3t subkey

Hella weird, right? I grabbed this nonsense and told Cyberchef I wanted to do something that made sense from that.

Cyberchef

CyberChef never disappoints me.

Now we got the three parts of the flag Flag{316fcaf0160b0025e13187624d0ac081_156.26.173.114_bc1qxy2kgdygjrsqtzq2n0yrf2493!83kkfjhx0wlh}

Challenge Name: T3ST4R
Difficulty: Medium
Category: Network Forensics

T3ST4R Challenge

We got a PCAP file, and the description says that our website got hacked, and the attackers hid something.

Filtering for HTTP requests

http filter

You going to notice that there are a bunch of POST requests to panel.php from 192.168.235.137

Checking these streams, you are going to find a flag.jpg that he is uploading. Easy

Flag.jpg

Export the file and open it.

lol

Well, we got played and felled into the rabbit hole.

Continue our analysis. I have found ‘elephant.php.png’ and why there is double extension. It is because this is a technique that attackers use to bypass the WAF, if the WAF only allowing a Png files. So, the attacker tricked the WAF and uploaded a php file.

Checking the content of the php file

php file

So, the attacker file simply loads this URL and pass to shell_exec() function, so it may be a reverse shell. It was kind of obvious for me because of my pen test background, as when I saw PentestMonkey all the reverse shell alarms just started going.

After checking the URL, it downloaded a favicon file, which after doing strings on it It appears that it does indeed contain a reverse shell.

This string looks like it needs decryption. Getting the string and going to CyberChef

Cyberchef

You will get most of the flag, and you can guess the rest easily.

Flag{0H_1M_H3R3_MY_FR13N6_Y0U_G0T_MY_B4CKD00R}

Challenge Name: Job
Difficulty: easy
Category: Digital Forensics

Job

In this one, we got an .eml file, which is an extension of an email file. Checking it with any mail software or text editor, you can notice that there is an attachment that was sent with the email.

Mail

So, downloading the docx file and checking if there is any macors inside it with oletools. olevba -c <document.docx>

Macros

We are going to notice there is VBA Macro inside the document, but it is base64 encoded. Decode it.

Macro after decoding

You can get your flag which is Flag{162.219.145.2:184}

Challenge Name: Qakbot Case
Difficulty: Easy
Category: Digital Forensics

Qakbot case

In this one, we got an event log file after opening it with Event Log Explorer and searching for .br

searching

We got only one result.

search results

Which gave us the flag right away. Flag{graficalevi.com.br}

Challenge Name: D4rkHun7
Difficulty: easy
Category: OSINT

D4rkHun7

Searching for an AlphaBay administrator. It appears that his name is Alexandre Cazes.

Administrator

In the CTF, he asks for his mobile signing keys. Searching with Alexandre Cazes Signing keys. You will notice this, dude.

search results

Checking his mobile devices there we got our flag. flag{01202cfd4f25d1b8208b3bfcfb3601c5ba32a3b842b7cbb522b69216932e6502da170a}

mobile sign keys

Challenge Name: easywin
Difficulty: easy
Category: Web Security

easywin

After opening the link, we got this site that says you don’t need an account.

website

Looking at the source code, we see this JS code that is obfuscated.

source code.

Looking closely at that code

js code

We have something called 5up3res3cre3t.html, accessing this endpoint will give us the flag.

NOW, I have included everything except two challenges, Serv3r, Admin and that’s because they are actually taken from Boss of the SOC v1 famous CTF, so you can just check any writeup for it, as it even contains more juicy information.

That’s it for now.

Cya geeks.

--

--