Skip to main content

Posts

Emotet Downloader Write-Up

This write-up is for a macro embedded doc used as a downloader for Emotet. Author: 5k33tz MD5: 43d2a3df73fdcb10b9429a480d96ddcf This sample first came to my attention by way of an alert for a download from an Emotet related URL. Looking at the PCAP I see a GET request to imdavidlee.com/9493MG/biz/US After grabbing the file from the source and hashing it, I realized there were already 21/44 detections on VT. So I wanted to do some manual analysis to strengthen my skills and see how this sample works. Running file against the sample: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: Arorupyzheh-PC, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Sat Aug 25 00:31:00 2018, Last Saved Time/Date: Sat Aug 25 00:31:00 2018, Number of Pages: 1, Number of Words: 3, Number of Characters: 21, Security: 0 We can see it's a Word Doc, but probably the
Recent posts

IceCTF 2018 - Picasso [Forensics]

Forensics – 1. Picasso Author: 5ynax and Valrkey Worth:  $150 Description: The challenge involved a GIF that we needed to extract a message from. So, for this challenge, we had two ways that we solved it at almost the same time. We have the long (5ynax) way and we have the fast (valrkey) way. The Long Way In the long way, I decided to extract each frame of the automated GIF and then import them into GIMP to layer them on top of one another. I used an online tool to get all of the frames, there was a lot of them, I used https://ezgif.com/split. After I got the frames split up, I downloaded them and moved them to my box with GIMP ready for analysis. I later learned that I could have just imported the GIF into GIMP directly using the open as layers routine, but that's neither here nor there. For each layer there is an Alpha Channel. In GIMP under the colors menu, you can select the Color to Alpha Routine to get this box: This allows you to choose a color an

IceCTF 2018 - Lost in the Forest [Forensics]

Forensics – 3. Lost in the Forest Authors: 5ynax and valrkey Worth:  $50 Description To start the challenge, you are able to download a zipped archive called fs.zip. You can unzip the archive and list out the contents to see the full directory includes all the directories you would expect to see on a Linux or Unix style machine. Checking the home directory, you will see there is only one user profile, hkr. Navigating to the hkr directory and listing contents, we see the normal user profile contents, as well as a randomly named file. Using the file command, we check on the file type and then cat the contents once we realize that it ASCII text. The contents of the hzpxbsklqvboyou file are encoded in some way, looks like some variation of base64 at this point. The strings are repeated, so we suspect string manipulation and obfuscation at this point. Let's take a gander around the rest of the user directories and see if we can find anything else intere

IceCTF 2018 – Anticaptcha [Miscellaneous]

Miscellaneous – 2. Anticaptcha Author: valrkey Worth: $250 Description:  Wow, this is a big captcha. Who has enough time to solve this? Seems like a lot of effort to me! As you can tell by the tiny scroll bar, there were a large number of questions (609) to be answered. To make things more difficult, each time the question was visited, the order and numeric value would be randomized. The questions generally followed one of three formats: What is the # word in the following line: ...? Is # a prime number? What is the greatest common divisor of # and #? For each of these question formats, I wrote a PowerShell function to determine the answer. Word in Line This function takes in the INDEX of the word requested and the LINE to take the word from. I added a line word length check just in case the IceCTF staff are jerks and give a too-large index. Everything should be accounted for the after mapping the 1st word" to the 0th array index and getting rid of any

IceCTF 2018 - Lights Out! [Web]

Web - 2. Lights Out! Author: 5ynax Worth:  $75 Description I will be the first person to admit that getting this flag was dirty and there was no grace used whatsoever. At the end of the day, we got the flag, so I will take what I can get.  The challenge was obviously focused on finding the flag that was hidden directly in the page and my initial thought was that it was hidden in the CSS of the site. Pulling up the CSS source using Chrome's developer tools, I saw the following: Overall, this looked a bit out of place so I figured this is where I would start looking. After beautifying the CSS, I started looking through the contents quickly. I first came across content: "eCTF{" in the CSS so I figured I was on to something. I quickly searched through the rest of the CSS and found the following strings: "Ic" "the_lights}" "turned" "styles" "_" "eCTF{" With a little bit of logic, we were a

IceCTF 2018 – Cave [Binary Exploitation]

Binary Exploitation – 2. Cave Author: 5k33tz, v alrkey Worth:  $50 Description:  You stumbled upon a cave! I've heard some caves hold secrets.. can you find the secrets hidden within its depths? The start of the challenge establishes an SSH connection for you. The only directory you're presented with is a directory called "cave". CD'ing into the cave directory shows the following files: The challenge is nice enough to leave the original source code used to compile the binary: This appears to be a standard buffer-overflow question, but I notice that the shell function will need to be called  separately. Running the following command we can see the the shell() function is called at a static address (0x0804850b): objdump -d ./shout | grep -A25 shell 0804850b <shell>:  804850b: 55                    push   %ebp  804850c: 89 e5                mov    %esp,%ebp  804850e: 53                    push   %ebx  804850f: 83 ec 14