Writeup Cyber Threat Force : Trojan tools
For this challenge, we were given a TROJAN_TOOLS.exe file. Before manually analyzing it, I tried feeding it to Hybrid Analysis.
Here is the link to the full report.
The “Interesting strings” section contained the flag: CYBERTF{Y0u_H4s_P3wn_Th3_H4ck_T0ol}.
We can also try to solve the challenge in a more conventional way. Executing the application gives us:
C:\Users\IEUser\Desktop>original.exe
Please enter the good PIN
Using a process monitor
We can use procmon from the Sysinternals suite to monitor the process.
Writeup Cyber Threat Force : Viking crypt
For this challenge, we were given a ransomware (VIKING_CRYPT.exe and VIKING_DECRYPT.exe) along with a LOCKER.HTML file and IMPORTANT_NOTE.txt.vkg.
Let’s take a look at that encrypted note:
$ file Perso/IMPORTANT_NOTE.txt.vkg
Perso/IMPORTANT_NOTE.txt.vkg: ASCII text, with no line terminators
$ cat Perso/IMPORTANT_NOTE.txt.vkg
8a9b600b5a745d39cb7c7e7890e816848a9fe77280b42ca0751d150bb849
It doesn’t really look like any encryption I know.
We can try to run VIKING_DECRYPT.exe:
As expected, we’re asked for a decryption key. Let’s encrypt a few files in a VM, and compare the plaintext and the .
Writeup Cyber Threat Force : The document is strange
For this challenge, we were given a CV.doc document. Opening it reveals a pretty normal-looking resume template, and a warning about macros from LibreOffice.
Using the macros menu, we can dump their code:
Writeup Cyber Threat Force : Smasher
For this challenge, we were given two files:
smasher-1.0.0.AppImage
smasher_Setup_1.0.0.exe
I only looked at the AppImage one, since I’m running Linux. Launching the program reveals an Electron app:
We can simply use the dev tools to reveal the source code. Only one JavaScript file is there, login.js:
function Login() {
    var i = {
        _keyStr: "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=",
        encode: function(r) {
            var t, e, o, a, n, c, h = "", d = 0;
            for (r = i.
Writeup Cyber Threat Force : Verify this
For this challenge, we were given a Stagged.exe executable. Before running it on our machine, we can try to run it against Hybrid Analysis, an online malware analysis service.
Here is the link to the full report.
We can see in the “Network Analysis” tab that the program made two requests:
Trying to download the first image gives us a PE file. If we upload it again, we see that it also makes a request to /ordertoexecute.
Writeup Cyber Threat Force : Flag checker
For this challenge, we were given a program executable.
$ ./program
./program FLAG
$ ./program MYFLAG
failed
Seems like it validates the flag that is passed as an argument. Let’s open the binary in Ghidra.
There are a lot of functions defined, and looking at the exports we see that quite a lot of them start with caml_. I didn’t know you could compile OCaml to C, that’s pretty neat.
Writeup Cyber Threat Force : Take your time
For this challenge, we were given a TakeYourTime executable, which seems to hang when we run it. We can analyze its code using Ghidra:
unsigned int FLAG[] = {
    0xb5, 0x63, 0x98, 0x3d, 0xb5, 0x06, 0x46, 0xba,
    0x0f, 0xd5, 0x47, 0xce, 0x97, 0xef, 0x7b, 0x28,
    0xdb, 0xe7, 0x39, 0x10, 0xb0, 0xf5, 0x44, 0xec,
    0x30, 0x88, 0x46, 0xf6, 0x88,
};

undefined8 main(void)
{
    byte bVar1;
    int iVar2;
    uint local_28;
    int local_24;
    ulong local_20;

    local_28 = 0;
    local_20 = 0x32;
    while (local_20 < 0x4f) {
        bVar1 = fibonacci();
        local_28 = local_28 >> 8 | (local_28 ^ bVar1) << 0x18;
        local_20 = local_20 + 1;
    }
    srand(local_28);
    local_24 = 0;
    while (local_24 < 0x1d) {
        bVar1 = FLAG[local_24];
        iVar2 = rand();
        putchar((uint)bVar1 ^ iVar2 % 0xff);
        local_24 = local_24 + 1;
    }
    puts("\nGood you can validate the chall with this password ;)!