Skip to main content

IceCTF 2018 - Lost in the Forest [Forensics]

Forensics – 3. Lost in the Forest
Authors: 5ynax and valrkey

Worth: $50
Description

 To start the challenge, you are able to download a zipped archive called fs.zip.

You can unzip the archive and list out the contents to see the full directory includes all the directories you would expect to see on a Linux or Unix style machine.
Checking the home directory, you will see there is only one user profile, hkr.
Navigating to the hkr directory and listing contents, we see the normal user profile contents, as well as a randomly named file.
Using the file command, we check on the file type and then cat the contents once we realize that it ASCII text.
The contents of the hzpxbsklqvboyou file are encoded in some way, looks like some variation of base64 at this point. The strings are repeated, so we suspect string manipulation and obfuscation at this point. Let's take a gander around the rest of the user directories and see if we can find anything else interesting.
There is a clue in the Desktop directory that turns out to be a red herring:
After this find, there wasn't too much else interesting in any of the other directories. So I went back to the user directory and decided to see what shenanigans the user was up to in their previous sessions.



Scrolling through the bash history, we see that the user did a wget for a file with a random looking name. Let's grab that and then keep looking for other stuff in bash history.

We also see that there was a tool that was used to move a secret into the randomly named file we found from our initial search into the user directory. At this point, I was interested in the file that we pulled down from the wget. So I did a quick search through the bash history for that file name to see what else was done with this file.
Confirmed. This file was renamed to tool.py and used to convert the secret file into the randomly named file we are interested in. Let's cat the contents to see what it looks like inside.
OK, now we have the script that encodes the initial message (where we are very confident the flag is hidden). Now we need to undo what this script did in the first place. 

The first two lines of the encode function are opening the file, and reading the first line, and stripping off all white space characters. The heavy lifting for the obfuscation happens in the large return statement. Let's it break down:

Encoding High Level Flow
  1. Loop through all characters in the string s and add a position defined integer to the character code (offset the text by a key).
  2. Base64 encode the string
  3. Reverse the string
  4. Repeat the string 5 times

Encoding Specifics
  1. ''.join([chr(ord(s[x])+([5,-1,3,-3,2,15,-6,3,9,1,-3,-5,3,-15] * 3)[x]) for x in range(len(s))])
    1. ord(c) gets the integer code for character c
    2. [...] * 3 produces an array that consists of three times the elements in the original array
    3. chr(i) gets the character for integer code i
    4. ''.join([...]) combines a character array into a string
  2. base64.b64encode('...'.encode('utf-8')).decode('utf-8')
    1. s.encode('utf-8') interprets a utf-8 encoded string s as bytes
    2. base64.b64encode(b) performs base64 encoding on bytes b
    3. b.decode('utf-8') interprets bytes b as a utf-8 encoded string
  3. s[::-1] reverses a string's characters
  4. s*5 repeats a string 5 times
Examples

Decode Flow
Perform the encoding operations in reverse:
  1. Reduce the string size by an order of 5
  2. Reverse the string
  3. Base64 decode the string
  4. Subtract the key from each character
Decode Script
Here is my script to reverse the encoding on the encrypted text:
Running the decode function across the discovered file:


Flag = IceCTF{good_ol_history_lesson}

Comments

Post a Comment

Popular posts from this blog

Emotet Downloader Write-Up

This write-up is for a macro embedded doc used as a downloader for Emotet. Author: 5k33tz MD5: 43d2a3df73fdcb10b9429a480d96ddcf This sample first came to my attention by way of an alert for a download from an Emotet related URL. Looking at the PCAP I see a GET request to imdavidlee.com/9493MG/biz/US After grabbing the file from the source and hashing it, I realized there were already 21/44 detections on VT. So I wanted to do some manual analysis to strengthen my skills and see how this sample works. Running file against the sample: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: Arorupyzheh-PC, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Sat Aug 25 00:31:00 2018, Last Saved Time/Date: Sat Aug 25 00:31:00 2018, Number of Pages: 1, Number of Words: 3, Number of Characters: 21, Security: 0 We can see it's a Word Doc, but probably the
Post a Comment
Read more

IceCTF 2018 - Picasso [Forensics]

Forensics – 1. Picasso Author: 5ynax and Valrkey Worth:  $150 Description: The challenge involved a GIF that we needed to extract a message from. So, for this challenge, we had two ways that we solved it at almost the same time. We have the long (5ynax) way and we have the fast (valrkey) way. The Long Way In the long way, I decided to extract each frame of the automated GIF and then import them into GIMP to layer them on top of one another. I used an online tool to get all of the frames, there was a lot of them, I used https://ezgif.com/split. After I got the frames split up, I downloaded them and moved them to my box with GIMP ready for analysis. I later learned that I could have just imported the GIF into GIMP directly using the open as layers routine, but that's neither here nor there. For each layer there is an Alpha Channel. In GIMP under the colors menu, you can select the Color to Alpha Routine to get this box: This allows you to choose a color an
Post a Comment
Read more

IceCTF 2018 – Anticaptcha [Miscellaneous]

Miscellaneous – 2. Anticaptcha Author: valrkey Worth: $250 Description:  Wow, this is a big captcha. Who has enough time to solve this? Seems like a lot of effort to me! As you can tell by the tiny scroll bar, there were a large number of questions (609) to be answered. To make things more difficult, each time the question was visited, the order and numeric value would be randomized. The questions generally followed one of three formats: What is the # word in the following line: ...? Is # a prime number? What is the greatest common divisor of # and #? For each of these question formats, I wrote a PowerShell function to determine the answer. Word in Line This function takes in the INDEX of the word requested and the LINE to take the word from. I added a line word length check just in case the IceCTF staff are jerks and give a too-large index. Everything should be accounted for the after mapping the 1st word" to the 0th array index and getting rid of any
Post a Comment
Read more