In this round, I mainly solved network and forensics tasks, along with a few others. My team and I finished in 6th place 🏅, and I’m so proud of them 😭. Without further ado, let’s dive into the writeups — hope you all enjoy them!
Forensics
Complicated
In this task, the goal is to find a secret message hidden in the system. A ZIP file was provided, containing a dump file and a JSON file:
JOHN-PC-20240418-063636.json, which looks like metadata for the .dmp file.
Let’s look at the dump file first.
From the file output, it’s clearly a Windows dump with ~520000 pages (~2GB) 😭. Being lazy, I figured it was worth trying strings and grepping for the flag format first.

Luckily, I didn’t have to dig any deeper into the dump file. Task solved!
Help me to find
In this task we have to find the flag; the description states that the attackers encoded it and left a trace behind. The flag is that encoded message.
The file DESKTOP-E27HKUG_20231015_004920.rar was provided.
After extracting the .rar file:

```
└─$ tree .
.
└── LiveResponseData
    ├── BasicInfo
    │   ├── diskdrive.txt
    │   ├── hostname.txt
    │   ├── netuse.txt
    │   ├── patches.txt
    │   ├── system_dtz.txt
    │   └── systeminfo.txt
    ├── NetworkInfo
    │   ├── ipconfig.txt
    │   ├── netstat_anob.txt
    │   └── route.txt
    ├── PersistenceInfo
    │   ├── loaded_drivers_ordered.txt
    │   ├── loaded_drivers.txt
    │   ├── schtasks.txt
    │   ├── service_detail.txt
    │   ├── service_state.txt
    │   └── startup.txt
    ├── ProcessInfo
    │   ├── process_detail.txt
    │   ├── tasklist_m.txt
    │   ├── tasklist_svc.txt
    │   └── tasklist_v.txt
    └── UserInfo
        ├── ActivitiesCache.db
        ├── localgroup_administrators.txt
        └── quser.txt
```

The most interesting file here for me was ActivitiesCache.db. I used DB Browser for SQLite in Kali to open it.
Since the description mentioned that the attacker left a trace, my plan was to go to the Activity table, sort it by timestamp, and look through the Payload column.
After some searching:

This payload caught my attention because of its format and the data type in the payload, so I threw it into CyberChef.

Task solved!
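The same triage, scripted: walk the Activity table in time order and decode any base64-looking token in Payload, which is exactly the manual sort-then-CyberChef step above. This is an added example, not code from the original post; the rows are constructed and the reduced column set (StartTime, AppId, Payload) is an assumption about the real ActivitiesCache.db schema.

```python
import base64
import re
import sqlite3
from datetime import datetime, timezone

# Constructed stand-in rows. A real ActivitiesCache.db keeps Unix-epoch StartTime
# values and a JSON Payload blob; the reduced column set here is an assumption.
SAMPLE_ROWS = [
    (1697300100, "Microsoft.Windows.Explorer", b'{"displayText":"Documents"}'),
    (1697300200, "Microsoft.Windows.Shell.RunDialog",
     b'{"displayText":"cmd.exe /c echo ZmxhZ3tjb25zdHJ1Y3RlZF9zYW1wbGV9 > note.txt"}'),
    (1697300300, "Microsoft.Windows.Explorer", b'{"displayText":"Downloads"}'),
]

# Runs of base64 alphabet long enough to be worth decoding (short words are skipped).
BASE64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def build_sample_db():
    """Create an in-memory Activity table populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Activity (StartTime INTEGER, AppId TEXT, Payload BLOB)")
    conn.executemany("INSERT INTO Activity VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def find_encoded_payloads(conn):
    """Walk Activity in time order; return (utc_time, app, decoded_text) for
    every base64 token in Payload that decodes to printable ASCII."""
    hits = []
    query = "SELECT StartTime, AppId, Payload FROM Activity ORDER BY StartTime"
    for start, app, payload in conn.execute(query):
        text = payload.decode("utf-8", "replace") if isinstance(payload, bytes) else payload
        for token in BASE64_RE.findall(text):
            try:
                decoded = base64.b64decode(token, validate=True)
            except ValueError:  # binascii.Error is a ValueError subclass
                continue
            if decoded.isascii() and decoded.decode().isprintable():
                when = datetime.fromtimestamp(start, tz=timezone.utc).isoformat()
                hits.append((when, app, decoded.decode()))
    return hits


if __name__ == "__main__":
    for hit in find_encoded_payloads(build_sample_db()):
        print(*hit, sep=" | ")
```

Point sqlite3.connect at the real ActivitiesCache.db instead of build_sample_db() to run it against evidence; the timestamp tells you when the attacker's action was recorded.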
CMS was hacked #1
The flag for this task is the name of the CMS running in the system that got hacked.
After some research: CMS refers to Content Management System software (e.g., WordPress, Drupal, Joomla). In this task, a zip file was provided again.
After extracting it, we got:
uac-secplayground-linux-20240516172634.log: which again looks like system metadata
uac-secplayground-linux-20240516172634.tar.gz
Next, we extract the Linux system files using:

```
tar -xzvf uac-secplayground-linux-20240516172634.tar.gz
```

This gives us a Linux-like file system structure.
Since a CMS usually runs on a web server, I navigated to /var/log and found an nginx directory there. Diving deeper into /var/log/nginx:
There we go: the CMS running here is Joomla, and the task is solved.
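Reading access logs by eye works for one box; for a pile of them, fingerprint the CMS from the request paths. This is an added example, not from the original post: the log lines are constructed in nginx's default combined format, and the path prefixes per CMS are my own fingerprint list. It only credits requests the server actually answered with 2xx/3xx, so a scanner's 404s for /wp-login.php do not make a Joomla host look like WordPress.

```python
import re
from collections import Counter

# Constructed nginx access.log lines (default "combined" format).
SAMPLE_LOG = """\
10.0.0.5 - - [16/May/2024:17:20:01 +0000] "GET /administrator/index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.5 - - [16/May/2024:17:20:04 +0000] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "Mozilla/5.0"
10.0.0.5 - - [16/May/2024:17:20:09 +0000] "GET /media/system/js/core.js HTTP/1.1" 200 77121 "-" "Mozilla/5.0"
10.0.0.9 - - [16/May/2024:17:21:30 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "curl/8.0"
10.0.0.5 - - [16/May/2024:17:22:12 +0000] "GET /components/com_content/ HTTP/1.1" 403 162 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Path prefixes characteristic of each CMS (assumption-based fingerprint list, extend as needed).
CMS_SIGNATURES = {
    "Joomla": ("/administrator/", "/components/com_", "/media/system/", "/media/jui/"),
    "WordPress": ("/wp-login.php", "/wp-admin/", "/wp-content/", "/wp-includes/"),
    "Drupal": ("/core/misc/drupal.js", "/sites/default/", "/user/login"),
}


def parse_lines(text):
    """Yield one dict per well-formed combined-format line; skip anything else."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def fingerprint_cms(text):
    """Count CMS-specific paths, crediting only requests the server served (2xx/3xx)."""
    counts = Counter()
    for rec in parse_lines(text):
        if not rec["status"].startswith(("2", "3")):
            continue  # a 404 for /wp-login.php is a probe, not evidence WordPress is installed
        for cms, prefixes in CMS_SIGNATURES.items():
            if rec["path"].startswith(prefixes):
                counts[cms] += 1
    return counts


if __name__ == "__main__":
    print(fingerprint_cms(SAMPLE_LOG).most_common())
```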
Memmy Xmas
The description said that the provided file, Memmy_Xmas.mem, is a memory dump.
First, let’s identify the file: it’s a Windows memory dump.
I’ll use vol (Volatility 3) to analyze the dump.
Github link: https://github.com/volatilityfoundation/volatility3
Next, I listed all processes using the windows.pslist.PsList plugin from vol.
The description mentioned remote access, i.e. mstsc.exe on Windows.
I located mstsc.exe in the process list.
Then I dumped the process memory using:

```
vol -f Memmy_Xmas.mem windows.memmap --pid 6116 --dump
```

Checking the dumped file with file shows it is DIY-Thermocam raw data.
I tried to open it and found that GIMP can browse the file, but the extension was unknown, so I manually renamed it to .dat.
Here is what it looks like in GIMP after trying different settings.
Task solved… amazingly 🤯
Networking
Guardian Network #1
In this task the flag is in the format {username:password}, so we needed to find credentials in the .pcap file.
Let’s filter it for likely words such as username.
After trying several credentials, the correct one is {admin:P@ssw0rd}. Task solved!
Guardian Network #2
In this task, a pcap file was provided and we had to identify the CVE exploited in these packets; the flag format is forensic{CVE-XXXX-XXXXX}.
Analysis: let’s get an overview of the whole file first, via Protocol Hierarchy Statistics.
Now we know that most of the communication occurs over HTTP, which means HTTP methods (GET, POST, DELETE, etc.), and since many attacks start with update attempts, I focused on the POST method first.
Filtered packets with:
http.request.method == "POST"
Now we can see the suspicious activity here:
```
POST /cacti/package_import.php?package_location=0&preview_only=on&remove_orphans=on&replace_svalues=on HTTP/1.1\r\n
POST /cacti/package_import.php?header=false HTTP/1.1\r\n
```

Both requests interact with /cacti/package_import.php, which gives us a keyword for searching CVEs.
Searching for cacti package_import cve:
Jackpot! NVD lists CVE-2024-25641, and I solved the task.
Guardian Network #3
This task said that the flag is under /tmp/flag.txt, so we have to locate this file.
I just ran:
frame contains "flag"
Then I followed the TCP stream.
Task solved~
Incident Response
This was my first time dealing with the Incident Response category in a CTF competition. I was surprised to see that we had to read actual Windows Event Logs. It was mind-blowing trying to read and filter event logs 👀💥🤯
Calling from the Junkyard 1
This task’s flag is the name of the first user compromised by the attacker.
Windows event logs were provided in the following structure:
Since we want to find the first user logged on by the attackers, the evidence must be in Security.evtx, so I filtered the log by Event ID 4624 (successful logon) and sorted by time.
After searching through the 3 Security.evtx files, I found that the first user compromised by the attacker is chris.
Task Solved!
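The 4624 filter-and-sort step as a script over an XML export of Security.evtx (Event Viewer's "Save as XML", or any evtx-to-XML converter). This is an added example, not the author's; the records are constructed and deliberately out of order. It goes a little beyond the manual filter: machine accounts (names ending in $) and built-in principals are dropped, and first_remote_logon() narrows to logon types 3 (network) and 10 (RDP), which is where an attacker's remote session first shows up.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
EVT_NS = NS["e"]

# Constructed records, deliberately out of order, in the XML shape that Event Viewer
# and evtx exporters produce (most System fields trimmed).
SAMPLE_XML = f"""<Events>
<Event xmlns="{EVT_NS}"><System><EventID>4624</EventID><TimeCreated SystemTime="2023-10-15T00:52:05.000000000Z"/></System>
<EventData><Data Name="TargetUserName">bob</Data><Data Name="LogonType">3</Data><Data Name="IpAddress">10.0.0.9</Data></EventData></Event>
<Event xmlns="{EVT_NS}"><System><EventID>4624</EventID><TimeCreated SystemTime="2023-10-15T00:40:00.000000000Z"/></System>
<EventData><Data Name="TargetUserName">DESKTOP-E27HKUG$</Data><Data Name="LogonType">5</Data><Data Name="IpAddress">-</Data></EventData></Event>
<Event xmlns="{EVT_NS}"><System><EventID>4625</EventID><TimeCreated SystemTime="2023-10-15T00:45:30.000000000Z"/></System>
<EventData><Data Name="TargetUserName">chris</Data><Data Name="LogonType">10</Data><Data Name="IpAddress">10.0.0.9</Data></EventData></Event>
<Event xmlns="{EVT_NS}"><System><EventID>4624</EventID><TimeCreated SystemTime="2023-10-15T00:49:20.000000000Z"/></System>
<EventData><Data Name="TargetUserName">chris</Data><Data Name="LogonType">10</Data><Data Name="IpAddress">10.0.0.9</Data></EventData></Event>
<Event xmlns="{EVT_NS}"><System><EventID>4624</EventID><TimeCreated SystemTime="2023-10-15T00:41:10.000000000Z"/></System>
<EventData><Data Name="TargetUserName">alice</Data><Data Name="LogonType">2</Data><Data Name="IpAddress">-</Data></EventData></Event>
</Events>"""

# Built-in principals that appear in 4624 constantly and are not "users" for this question.
NOISE_ACCOUNTS = {"SYSTEM", "ANONYMOUS LOGON", "LOCAL SERVICE", "NETWORK SERVICE"}


def successful_logons(xml_text):
    """Return 4624 events for human accounts, sorted by TimeCreated (the exporter's
    fixed-width UTC timestamps sort correctly as strings)."""
    rows = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4624":
            continue  # 4625 (failed logon) and everything else is ignored here
        data = {d.get("Name"): d.text for d in ev.findall("e:EventData/e:Data", NS)}
        user = data.get("TargetUserName") or ""
        if user.endswith("$") or user.upper() in NOISE_ACCOUNTS:  # machine/built-in accounts
            continue
        rows.append({"time": ev.find("e:System/e:TimeCreated", NS).get("SystemTime"),
                     "user": user, "type": data.get("LogonType"), "ip": data.get("IpAddress")})
    return sorted(rows, key=lambda r: r["time"])


def first_remote_logon(xml_text, remote_types=("3", "10")):
    """Earliest network (3) or RDP (10) logon: the first foothold an attacker's
    remote session leaves in Security.evtx."""
    return next((r for r in successful_logons(xml_text) if r["type"] in remote_types), None)
```

For real evidence, wrap the exported events in a single root element (or iterate with ET.iterparse) and feed the text to first_remote_logon(); the returned IpAddress is your pivot for the source host.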
Web
mac_artifact
The description mentioned a website built by a macOS developer that left behind some auto-generated files.
The first thing that came to mind was .DS_Store. I wasn’t exactly sure what it was; I just knew macOS always generates it. So I navigated to:
http://TARGET_IP/.DS_Store
and luckily, the file was downloadable.
As expected, it’s an Apple auto-generated file. After some research, I learned it stores custom folder attributes but isn’t readable directly.
So I searched for a way to extract content from it and found this helpful article:
https://wh1c4t.medium.com/extract-file-from-ds-store-815a22542da9
After a few attempts, I was able to extract the hidden folder:
http://TARGET_IP/uVweeMU3TgQGpQA061ra2K
But the site returned 403 Forbidden, which means the folder exists but cannot be listed. So I guessed the file might be flag.txt and navigated to:
http://TARGET_IP/uVweeMU3TgQGpQA061ra2K/flag.txt
Task is solved!
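What the linked article does by hand, as an added example that is not the author's code and not a full parser: every record inside a .DS_Store has the layout uint32 name length, UTF-16BE name, 4-byte structure id, 4-byte data type, then data, so a heuristic scan for that shape recovers the file and folder names the Finder wrote into it without walking the buddy-allocator tree. The sample bytes are constructed (header padding is a stand-in; the records follow the real layout); the same scan run on a downloaded .DS_Store is how a defender checks what a leaked one exposes.

```python
import re
import struct

# Data-type tags used in .DS_Store records; a record ends "<struct id><type><data>".
DATA_TYPES = {b"long", b"shor", b"bool", b"blob", b"type", b"ustr", b"comp", b"dutc"}
STRUCT_ID_RE = re.compile(rb"^[A-Za-z0-9]{4}$")


def extract_names(data: bytes, max_name_len: int = 255) -> set:
    """Heuristically scan raw .DS_Store bytes and return the set of record names."""
    names = set()
    for pos in range(0, len(data) - 12):
        (n,) = struct.unpack_from(">I", data, pos)        # candidate name length (UTF-16 units)
        if not 1 <= n <= max_name_len:
            continue
        end = pos + 4 + 2 * n
        if end + 8 > len(data):
            continue
        struct_id, dtype = data[end:end + 4], data[end + 4:end + 8]
        if dtype not in DATA_TYPES or not STRUCT_ID_RE.match(struct_id):
            continue                                       # not followed by a plausible record tail
        try:
            name = data[pos + 4:end].decode("utf-16-be")
        except UnicodeDecodeError:
            continue
        if name.isprintable():
            names.add(name)
    return names


def record(name: str, struct_id: bytes, dtype: bytes, payload: bytes) -> bytes:
    """Build one record in the on-disk layout (used only to construct the sample)."""
    raw = name.encode("utf-16-be")
    return struct.pack(">I", len(raw) // 2) + raw + struct_id + dtype + payload


# Constructed sample: "Bud1" magic plus stand-in header bytes, then three real-shaped records.
SAMPLE = (b"\x00\x00\x00\x01Bud1" + b"\x00" * 28
          + record("hidden_dir", b"Iloc", b"blob", struct.pack(">I", 16) + b"\x00" * 16)
          + b"\xff" * 5
          + record("index.html", b"bwsp", b"blob", struct.pack(">I", 4) + b"\x00" * 4)
          + record("hidden_dir", b"dscl", b"bool", b"\x01")
          + b"\x00" * 16)

if __name__ == "__main__":
    print(sorted(extract_names(SAMPLE)))
```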