This weekend I had a bit of time to participate in the CyberCamp Individual CTF Quals. The CTF was open the entire week, but once you started you only had 8 hours to complete as many challenges as you could. This is my writeup of the challenges I solved.
It is not Caesar
In the image above we see three things of note. First of all we have the piece of ciphertext ESNTOTGCESLDUMOHIESLF:QACAIEOS. We also have the string 6x5 and the word BLANCO. Based on the challenge's title, I'm guessing that this is some kind of cipher other than a simple shift. 6x5 seems to be the dimensions of a grid (the ciphertext is exactly 30 characters long) and BLANCO could be a key. After looking a bit at different transposition ciphers I found one that looked promising: the columnar transposition cipher.
The columnar transposition cipher works by arranging the text you want to encrypt in columns with the key at the top, just like this:
You then sort the columns alphabetically based on the key and read the ciphertext top to bottom, left to right. This would result in something like this, in the example:
If we assume that this approach was used on the challenge ciphertext, all that is needed to recover the original text is to write the ciphertext column by column into a 6x5 grid (six columns of five letters), label the columns with the letters of BLANCO in alphabetical order (ABCLNO), reorder the columns so the key reads BLANCO once again, and read the plaintext row by row.
In this challenge we were given an image of a hard drive in the form of an .aff file, with the instruction to find a secret phrase used by a criminal organization to communicate. As a hint we were also told that the person whose hard drive was imaged often searched for the phrase on his computer. I would upload the .aff file, but it's 4.5 GB.
I started off by mounting the .aff file on my computer with a tool called OSFMount. I knew I probably had to take a look at the user's registry to view his Windows Explorer search history, so I opened up the NTUSER.DAT file found in the user's home directory with a tool called Registry Viewer. Under Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery we can see one of the searches, which probably contains the flag.
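For anyone who wants to script this rather than click through a viewer, here is an added example (not the author's code) that decodes the WordWheelQuery values into the search terms in most-recent-first order. The key stores each search as a REG_BINARY value named "0", "1", ... containing a NUL-terminated UTF-16LE string, plus an MRUListEx value holding little-endian DWORD indexes in most-recently-used order, terminated by 0xFFFFFFFF. The values below are constructed sample data, not the challenge's hive.

```python
# Added example, not from the original writeup: decode Explorer's WordWheelQuery
# registry values (search box history) into an ordered list of search terms.
import struct


def _utf16z(s):
    """NUL-terminated UTF-16LE, the format Explorer writes the search terms in."""
    return s.encode("utf-16-le") + b"\x00\x00"


# Constructed sample values, as a registry parser would hand them back (name -> raw bytes)
SAMPLE_VALUES = {
    "0": _utf16z("invoice"),
    "1": _utf16z("holiday photos"),
    "2": _utf16z("secret phrase"),
    "MRUListEx": struct.pack("<4I", 2, 0, 1, 0xFFFFFFFF),   # most recent first, then terminator
}


def parse_mrulistex(blob):
    """Indexes in MRU order, stopping at the 0xFFFFFFFF terminator."""
    count = len(blob) // 4
    order = []
    for idx in struct.unpack("<%dI" % count, blob[:count * 4]):
        if idx == 0xFFFFFFFF:
            break
        order.append(idx)
    return order


def decode_search(blob):
    """UTF-16LE text up to the terminating NUL; tolerates a missing terminator."""
    return blob.decode("utf-16-le", errors="replace").split("\x00")[0]


def search_history(values):
    """Search terms, most recently used first, skipping dangling indexes."""
    terms = []
    for idx in parse_mrulistex(values.get("MRUListEx", b"")):
        blob = values.get(str(idx))
        if blob is not None:
            terms.append(decode_search(blob))
    return terms


if __name__ == "__main__":
    for term in search_history(SAMPLE_VALUES):
        print(term)
```

Against a real NTUSER.DAT you would read the key with a hive parser (the python-registry module, for instance) and pass its value names and raw bytes in as the dictionary; the MRU order is what tells you which search the user ran last, which is usually the one worth looking at first.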
Transfer with terrible consequences
The premise of this challenge is a bit strange, but it boils down to having a partial hash with six unknown hex digits, 50afXXXXXX6351475e54bf6eb2c96f2b, and the first character and the last two characters of an 8-character password, q and oq. We don't know the type of hash, although 32 hex digits means a 128-bit digest. The flag of the challenge is the hash and the matching password formatted like hash-password.
I first used a tool called hashid to list the possible types of hash this could be. Since X isn't one of the 16 hex characters, I replaced the six X's with 0's so the tool would accept the string.
Now that I knew some of the possible types of hash, I created a script to generate all the possible passwords and check whether the hash of each candidate matches the known digits of the partial hash. The first type of hash I tried was MD5, but that didn't work, so I tried MD4, which turned out to be correct.
After waiting for a few minutes I got the full hash and the password used.
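Here is an added example of that search (not the author's script): a mask-aware brute force that generates q?????oq candidates, hashes each one and compares only the known digit positions. MD4 is implemented in pure Python because hashlib only offers it when OpenSSL's legacy provider is loaded; hashlib is used when it is available. The candidate alphabet is my assumption, since the page never states which characters the password used.

```python
# Added example, not the author's script: masked brute force of a partial MD4.
import hashlib
import itertools
import struct

PARTIAL = "50afXXXXXX6351475e54bf6eb2c96f2b"      # from the challenge; X = unknown hex digit
PREFIX, SUFFIX, UNKNOWN = "q", "oq", 5              # q?????oq, 8 characters in total
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"   # assumption: charset is not given on the page

# RFC 1320 constants: per-round shifts, message word order, additive constants, round functions
_M = 0xFFFFFFFF
_S = ((3, 7, 11, 19), (3, 5, 9, 13), (3, 9, 11, 15))
_K = (tuple(range(16)),
      tuple((i % 4) * 4 + i // 4 for i in range(16)),
      (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15))
_C = (0, 0x5A827999, 0x6ED9EBA1)
_FN = (lambda x, y, z: (x & y) | (~x & z),
       lambda x, y, z: (x & y) | (x & z) | (y & z),
       lambda x, y, z: x ^ y ^ z)


def md4_pure(msg):
    """MD4 per RFC 1320, returned as a 32-character hex digest."""
    bitlen = len(msg) * 8
    msg = msg + b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack("<Q", bitlen)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        v = state[:]
        for r in range(3):
            for i in range(16):
                a = (-i) % 4                    # register rotation ABCD, DABC, CDAB, BCDA
                t = (v[a] + _FN[r](v[(a + 1) % 4], v[(a + 2) % 4], v[(a + 3) % 4])
                     + X[_K[r][i]] + _C[r]) & _M
                s = _S[r][i % 4]
                v[a] = ((t << s) | (t >> (32 - s))) & _M
        state = [(x + y) & _M for x, y in zip(state, v)]
    return struct.pack("<4I", *state).hex()


def md4_hex(msg):
    """hashlib's MD4 when the legacy provider is present, else the pure version."""
    try:
        return hashlib.new("md4", msg).hexdigest()
    except ValueError:
        return md4_pure(msg)


def matches(digest, partial):
    """True when every known (non-X) position of the mask agrees with the digest."""
    return len(digest) == len(partial) and all(p == "X" or p == d for p, d in zip(partial, digest))


def search(partial, prefix, suffix, unknown, alphabet, hash_fn=md4_hex):
    """First (password, digest) whose digest fits the mask, or None."""
    for middle in itertools.product(alphabet, repeat=unknown):
        pw = prefix + "".join(middle) + suffix
        digest = hash_fn(pw.encode())
        if matches(digest, partial):
            return pw, digest
    return None


if __name__ == "__main__":
    # 36**5 candidates: a few minutes with hashlib, considerably longer in pure Python
    hit = search(PARTIAL, PREFIX, SUFFIX, UNKNOWN, ALPHABET)
    print("%s-%s" % (hit[1], hit[0]) if hit else "no match")
```

Swapping `hash_fn` for `lambda m: hashlib.md5(m).hexdigest()` is all it takes to try the MD5 hypothesis first, as the writeup did; with 26 known hex digits the chance of a false positive over 36^5 candidates is negligible, so the first hit can be trusted.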
In this challenge we have a .pcap file with a lot of captured packets and instructions to find a sensitive file that was accessed over the network.
As I usually do, I started off by opening the file in a tool called NetworkMiner to quickly get an overview of the traffic. There are a lot of hosts, but most of them are various web servers. If we sort the hosts by hostname, we can see all the local hosts at the top, since they don't have any hostnames. After looking through the hosts on the network I picked one that looked interesting and used its IP to create a Wireshark filter showing only packets originating from this host:
We can see a bunch of ICMP packets sent from the host. Some of the packets contain parts of an error message, so it seems like some sort of exploit was used to make the host respond with an error containing the path and contents of a sensitive file. This is the data of the most interesting packet:
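When the interesting bytes are spread over many ICMP packets, reading them one at a time in Wireshark gets old quickly. The added example below (not from the original writeup) parses a classic pcap file, keeps the ICMP packets sent by one host, and joins their payloads in sequence order. The capture it runs on is constructed inline with zeroed checksums so the block works offline; the hosts, sequence numbers and error text are made up for the example.

```python
# Added example, not from the original writeup: extract and reassemble ICMP
# payloads from one source host in a pcap file (link type 1, Ethernet).
import struct

PCAP_MAGIC_LE = b"\xd4\xc3\xb2\xa1"   # 0xa1b2c3d4 as written by a little-endian host
ETHERTYPE_IPV4 = b"\x08\x00"
IPPROTO_ICMP = 1


def _ip(s):
    return bytes(int(o) for o in s.split("."))


def build_pcap(frames):
    """Minimal pcap container around raw Ethernet frames (constructed data)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for n, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1700000000 + n, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def icmp_frame(src, dst, icmp_type, seq, payload):
    """Ethernet/IPv4/ICMP frame; IP and ICMP checksums are left at zero."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, seq) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), seq, 0, 64,
                     IPPROTO_ICMP, 0, _ip(src), _ip(dst))
    return b"\xaa" * 6 + b"\xbb" * 6 + ETHERTYPE_IPV4 + ip + icmp


def icmp_payloads(pcap, src_ip):
    """(icmp_type, seq, payload) for every ICMP packet whose IPv4 source is src_ip."""
    if pcap[:4] == PCAP_MAGIC_LE:
        e = "<"
    elif pcap[:4] == PCAP_MAGIC_LE[::-1]:
        e = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack(e + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet link type is handled")
    off, hits = 24, []
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(e + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != ETHERTYPE_IPV4:
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4                       # header length, options included
        total_len = struct.unpack("!H", ip[2:4])[0]
        if ip[9] != IPPROTO_ICMP or ".".join(map(str, ip[12:16])) != src_ip:
            continue
        icmp = ip[ihl:total_len]
        if len(icmp) < 8:
            continue
        itype, _, _, _, seq = struct.unpack("!BBHHH", icmp[:8])
        hits.append((itype, seq, icmp[8:]))
    return hits


def reassemble(hits):
    """Concatenate payloads in sequence order, dropping retransmitted sequence numbers."""
    seen, parts = set(), []
    for _, seq, payload in sorted(hits, key=lambda h: h[1]):
        if seq not in seen:
            seen.add(seq)
            parts.append(payload)
    return b"".join(parts)


# Constructed traffic: one ordinary echo request from another host, then an
# error message split over three echo replies from the victim.
VICTIM, ATTACKER, OTHER = "192.168.1.10", "192.168.1.66", "192.168.1.20"
CHUNKS = [b"CONSTRUCTED error text: file /tmp/example", b" could not be opened: ", b"contents follow"]
SAMPLE_PCAP = build_pcap(
    [icmp_frame(OTHER, ATTACKER, 8, 1, bytes(range(48)))]
    + [icmp_frame(VICTIM, ATTACKER, 0, i, c) for i, c in enumerate(CHUNKS)]
)

if __name__ == "__main__":
    print(reassemble(icmp_payloads(SAMPLE_PCAP, VICTIM)).decode())
```

The same extraction can be done from the command line with tshark (for example `tshark -r capture.pcap -Y 'icmp && ip.src == <host>' -T fields -e icmp.seq -e data`), but having the parser in a script makes it easy to add a check such as "payload is printable text and is not the usual 0x10 0x11 ... ping pattern", which is what separates exfiltration over ICMP from ordinary pings.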
In this challenge we were given a memory dump of a PC and the instructions to look for the user credentials for the owner’s PayPal account. I used Volatility to solve this challenge, which is a pretty nice memory forensics tool.
First I had to find out what kind of system the memory dump was from, since I needed to know what profile to use with Volatility.
It turned out to be the Win7SP1x86 profile. To then get an overview of what is going on on the system, I took a look at the processes running on the system when the image was created.
There’s a bunch of processes running, some of them are probably there as red herrings. I saw that Notepad was open and wanted to take a look at what was written in it, so I used the ´editbox´ module for Volatility to view the contents of all open editable boxes.
We now know the PayPal email and that the password is in the password manager LastPass. I have previously used a great Volatility plugin to extract LastPass credentials from memory, so the rest was pretty easy.
We can see the password for the user’s PayPal account, which is the flag for the challenge.
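The two plugins used above both boil down to finding text in process memory, and it is worth knowing what they are finding: Notepad's edit control and most other Windows GUI text sit in memory as UTF-16LE, so a plain `strings | grep` over the dump misses them. The added example below (not the author's code and not a Volatility plugin) carves both ASCII and UTF-16LE strings out of a raw image and reports the ones containing a keyword, as a fallback for when no plugin fits; the memory buffer is constructed inline.

```python
# Added example, not from the original writeup: keyword search over a raw
# memory image that understands both ASCII and UTF-16LE strings.
import re


def carve_strings(buf, min_len=6):
    """Yield (offset, encoding, text) for printable runs of at least min_len characters."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, buf):
        yield m.start(), "ascii", m.group().decode("ascii")
    # ASCII text stored as UTF-16LE: each printable byte is followed by a NUL byte
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, buf):
        yield m.start(), "utf-16le", m.group().decode("utf-16-le")


def grep_memory(buf, keyword, min_len=6):
    """Carved strings containing keyword (case-insensitive), ordered by offset."""
    kw = keyword.lower()
    return sorted(hit for hit in carve_strings(buf, min_len) if kw in hit[2].lower())


# Constructed memory image: padding, an ASCII line, a UTF-16LE Notepad-style line, more padding
IMAGE = (
    b"\x00" * 40
    + b"MZ\x90\x00\x03" + b"\x00" * 20
    + b"the password is in LastPass" + b"\x00" * 8
    + "PayPal login: user@example.com".encode("utf-16-le") + b"\x00\x00"
    + b"\xff" * 30
)

if __name__ == "__main__":
    for off, enc, text in grep_memory(IMAGE, "paypal"):
        print("0x%08x %-8s %s" % (off, enc, text))
```

This has no idea which process a hit belongs to; Volatility's `editbox`, `lastpass` and `strings` plugins map results back to a process and virtual address, which is why they are the first choice and this is the fallback.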
And that’s it. Pretty fun CTF, even though I’m a bit sad I didn’t get time to really dig into the layers of the final forensics challenge, The Lord of DFIR.
Feel free to follow me on Twitter, where I post about the projects I'm doing and the blog posts I'm writing.