Writeup Cyber Threat Force : Trojan tools

For this challenge, we were given a TROJAN_TOOLS.exe file. Before manually analyzing it, I tried feeding it to Hybrid Analysis. Here is the link to the full report. The “Interesting strings” section contained the flag: CYBERTF{Y0u_H4s_P3wn_Th3_H4ck_T0ol}.

We can also try to solve the challenge in a more conventional way. Executing the application gives us:

    C:\Users\IEUser\Desktop>original.exe
    Please enter the good PIN

Using a process monitor

We can use procmon from the Sysinternals suite to monitor the process.
Writeup Cyber Threat Force : Viking crypt

For this challenge, we were given a ransomware (VIKING_CRYPT.exe and VIKING_DECRYPT.exe) along with a LOCKER.HTML file and IMPORTANT_NOTE.txt.vkg. Let’s take a look at that encrypted note:

    $ file Perso/IMPORTANT_NOTE.txt.vkg
    Perso/IMPORTANT_NOTE.txt.vkg: ASCII text, with no line terminators
    $ cat Perso/IMPORTANT_NOTE.txt.vkg
    8a9b600b5a745d39cb7c7e7890e816848a9fe77280b42ca0751d150bb849

It doesn’t really look like any encryption I know. We can try to run VIKING_DECRYPT.exe: As expected, we’re asked for a decryption key. Let’s encrypt a few files in a VM, and compare the plaintext and the .
Writeup Cyber Threat Force : The document is strange

For this challenge, we were given a CV.doc document. Opening it reveals a pretty normal looking resume template, and a warning about macros from LibreOffice.

Using the macros menu, we can dump their code:

Writeup Cyber Threat Force : Smasher

For this challenge, we were given two files:

    smasher-1.0.0.AppImage
    smasher_Setup_1.0.0.exe

I only looked at the AppImage one, since I’m running Linux. Launching the program reveals an Electron app: We can simply use the dev tools to reveal the source code. Only one JavaScript file is there, login.js:

    function Login() {
        var i = {
            _keyStr: "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=",
            encode: function(r) {
                var t, e, o, a, n, c, h = "", d = 0;
                for (r = i.
Writeup Cyber Threat Force : Verify this

For this challenge, we were given a Stagged.exe executable. Before running it on our machine, we can try to run it against Hybrid Analysis, an online malware analysis service. Here is the link to the full report. We can see in the “Network Analysis” tab that the program made two requests:

(Figure: “HTTP Traffic” part of the report)

Trying to download the first image gives us a PE file. If we upload it again, we see that it also makes a request to /ordertoexecute.
Writeup Cyber Threat Force : Flag checker

For this challenge, we were given a program executable.

    $ ./program
    ./program FLAG
    $ ./program MYFLAG
    failed

Seems like it validates the flag that is passed as an argument. Let’s open the binary in Ghidra. There are a lot of functions defined, and looking at the exports we see that quite a lot of them start with caml_. I didn’t know you could compile OCaml to C, that’s pretty neat.
Writeup Cyber Threat Force : Take your time

For this challenge, we were given a TakeYourTime executable, which seems to hang when we run it. We can analyze its code using Ghidra:

    unsigned int FLAG[] = {
        0xb5, 0x63, 0x98, 0x3d, 0xb5, 0x06, 0x46, 0xba, 0x0f, 0xd5,
        0x47, 0xce, 0x97, 0xef, 0x7b, 0x28, 0xdb, 0xe7, 0x39, 0x10,
        0xb0, 0xf5, 0x44, 0xec, 0x30, 0x88, 0x46, 0xf6, 0x88,
    };

    undefined8 main(void)
    {
        byte bVar1;
        int iVar2;
        uint local_28;
        int local_24;
        ulong local_20;

        local_28 = 0;
        local_20 = 0x32;
        while (local_20 < 0x4f) {
            bVar1 = fibonacci();
            local_28 = local_28 >> 8 | (local_28 ^ bVar1) << 0x18;
            local_20 = local_20 + 1;
        }
        srand(local_28);
        local_24 = 0;
        while (local_24 < 0x1d) {
            bVar1 = FLAG[local_24];
            iVar2 = rand();
            putchar((uint)bVar1 ^ iVar2 % 0xff);
            local_24 = local_24 + 1;
        }
        puts("\nGood you can validate the chall with this password ;)!