Last weekend, my team (hackstreetboys) decided to participate in the Securinets Prequals 2K19 and were lucky enough to have landed in the 23rd place out of 729 participants. For this blog post, I will write about our solutions for the Foren(sics) category.
Easy Trade
Downloading the attachment will give us foren_trade.pcap.
Let’s take a look at the .pcap file:
On the highlighted entry (packet #3) we can see that the IP address 10.0.0.5 is communicating with 10.0.0.6 via port 1234.
Moreover, on packet 20:
We can see that the two hosts in question are now communicating on port 4444. Seems suspicious, let’s take a closer look!
Following TCP stream 0 gives us the following output:
TCP Stream 1:
TCP Stream 2:
Aha! Based on the ASCII characters displayed in TCP Stream 3, we can infer that this stream contains a .zip file (the PK signature) that serves as a container for the precious flag.txt.
However, a password prompt will appear when we try to extract flag.txt from the archive.
Since we saw the string securinetsXD before the .zip file was sent, we can confidently assume that it must be the password required to extract flag.txt.
Extracting flag.txt and displaying its content via cat will give us the following output:
Finally, we can get the flag by decoding the base64 string:
securinets{954f670cb291ec276b1a9ff8453ea601}
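The whole Easy Trade procedure in code, as an added example that is not part of the write-up: a stdlib-only pcap reader that follows each TCP stream in sequence order (the same grouping Wireshark's Follow TCP Stream uses, per direction), carves the archive from the first PK local-file header and opens it with the password seen in the earlier stream. The capture is constructed inline, with the password on port 1234 and the archive on port 4444 as in the challenge, and the archive is unencrypted only because the stdlib cannot write ZipCrypto; the pwd argument is what would unlock the real one.

```python
import base64, io, struct, zipfile

def tcp_streams(pcap_bytes):
    """Reassemble each directional TCP 4-tuple from a little-endian pcap, in sequence order."""
    off, seen, streams = 24, set(), {}                 # 24 = pcap global header
    while off + 16 <= len(pcap_bytes):
        incl = struct.unpack('<I', pcap_bytes[off + 8:off + 12])[0]   # captured length
        pkt = pcap_bytes[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(pkt) < 54 or pkt[12:14] != b'\x08\x00' or pkt[23] != 6:
            continue                                   # only Ethernet II / IPv4 / TCP is followed
        ihl = (pkt[14] & 0xF) * 4
        sport, dport, seq = struct.unpack('>HHI', pkt[14 + ihl:22 + ihl])
        doff = (pkt[26 + ihl] >> 4) * 4
        end = 14 + struct.unpack('>H', pkt[16:18])[0]  # IP total length bounds the payload,
        payload = pkt[14 + ihl + doff:end]             # so Ethernet trailer padding is dropped
        key = ('.'.join(map(str, pkt[26:30])), sport, '.'.join(map(str, pkt[30:34])), dport)
        if payload and (key, seq) not in seen:         # a re-sent segment is not appended twice
            seen.add((key, seq))
            streams.setdefault(key, []).append((seq, payload))
    return {k: b''.join(p for _, p in sorted(v)) for k, v in streams.items()}

def carve_zip(stream, password):
    idx = stream.index(b'PK\x03\x04')                  # local file header; ValueError if absent
    with zipfile.ZipFile(io.BytesIO(stream[idx:])) as zf:
        return {n: zf.read(n, pwd=password) for n in zf.namelist()}   # pwd unlocks ZipCrypto entries

def frame(src, sport, dst, dport, seq, payload):
    tcp = struct.pack('>HHIIBBHHH', sport, dport, seq, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack('>BBHHHBBH4s4s', 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,   # checksums left 0,
                     bytes(map(int, src.split('.'))), bytes(map(int, dst.split('.'))))  # never verified
    return b'\x00' * 12 + b'\x08\x00' + ip + tcp      # constructed Ethernet II / IPv4 / TCP frame

def pcap(frames):
    hdr = struct.pack('<IHHiIII', 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # link type 1 = Ethernet
    return hdr + b''.join(struct.pack('<IIII', i, 0, len(f), len(f)) + f for i, f in enumerate(frames))

def demo():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as zf:              # constructed archive (stdlib cannot encrypt)
        zf.writestr('flag.txt', base64.b64encode(b'securinets{constructed_example}'))
    z = buf.getvalue()
    frames = [frame('10.0.0.5', 40000, '10.0.0.6', 1234, 1, b'securinetsXD\n'),
              frame('10.0.0.5', 40001, '10.0.0.6', 4444, 41, z[40:]),   # arrives out of order
              frame('10.0.0.5', 40001, '10.0.0.6', 4444, 1, z[:40]),
              frame('10.0.0.5', 40001, '10.0.0.6', 4444, 1, z[:40])]    # retransmission
    streams = tcp_streams(pcap(frames))
    password = streams[('10.0.0.5', 40000, '10.0.0.6', 1234)].strip()
    files = carve_zip(streams[('10.0.0.5', 40001, '10.0.0.6', 4444)], password)
    return base64.b64decode(files['flag.txt']).decode()
```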
Contact Me
Solving this problem was quite amusing.
Downloading the attachment will give us contact_me.zip, and extracting it will give us contact_me.
Let’s go back to our basics here and give contact_me a quick inspection. Issuing the file and trid commands will yield no useful result:
At this point I fell back to manual inspection of the file: I ran the strings command and looked for relevant strings.
First, I tried to look for clues as to the nature of the file:
Based on these strings, I tried to look for Apple/Mac-related (.mdb, Time Machine) image/backup mounters, to no avail.
At this point, I just went for the easy route and looked for the securinets string, which is based on the flag format securinets{flag_here}.
Still nothing, until I went for the even easier route and looked for securinets again, but this time in its base64 form:
Decoding the base64 string c2VjdXJpbmV0c3szMTAxMmUxNmMzZTVkZmE3ZTY3MzYxMmQ3NTcxNX0 will give us the flag: securinets{31012e16c3e5dfa7e673612d75715}
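Grepping for the base64 form of securinets only works when the word happens to start on a 3-byte group boundary; shifted by one or two bytes it encodes to different characters. The added example below (mine, not from the write-up) generalises the trick: it derives the three alignment-safe needles for a word, scans a blob for all of them and decodes the base64 run around each hit. The blob and its first two tokens are constructed; the third token is the one from the write-up.

```python
import base64, re

B64 = b'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'

def base64_needles(word):
    """The three strings `word` can produce inside base64 text, one per alignment of the word
    within the 3-byte input groups. Characters that also depend on the unknown bytes before
    or after the word are trimmed, so each needle is safe to grep for. Returns (shift, needle, drop)."""
    out = []
    for shift in range(3):
        enc = base64.b64encode(b'\x00' * shift + word).decode().rstrip('=')
        drop = (0, 2, 3)[shift]                  # leading chars tainted by the padding bytes
        if (shift + len(word)) % 3:
            enc = enc[:-1]                       # last char also mixes in the byte after the word
        out.append((shift, enc[drop:].encode(), drop))
    return out

def find_base64_word(blob, word):
    """Find `word` inside base64 runs of `blob` at any alignment and decode each run from the
    group containing the word onwards. Returns the decoded bytes, starting at the word."""
    found = []
    for shift, needle, drop in base64_needles(word):
        for m in re.finditer(re.escape(needle), blob):
            g = m.start() - drop                  # first char of the group the word starts in
            s, e = m.start(), m.end()
            while s > 0 and blob[s - 1] in B64:
                s -= 1                            # back up to the start of the base64 run
            while e < len(blob) and blob[e] in B64:
                e += 1                            # and forward to its end
            if g < s or (g - s) % 4:
                continue                          # hit is not on a group boundary of this run
            chunk = blob[g:e]
            if len(chunk) % 4 == 1:
                chunk = chunk[:-1]                # a lone trailing char encodes no whole byte
            found.append(base64.b64decode(chunk + b'=' * (-len(chunk) % 4))[shift:])
    return found

def demo():
    """Constructed blob: binary junk plus three base64 tokens hiding the flag prefix at three
    different alignments; the last token is the one the write-up found with strings."""
    blob = (b'\x00\x01JUNK\x00' + base64.b64encode(b'Name: Alice\nsecurinets{constructed_one}\n')
            + b'\x00' + base64.b64encode(b'id=7 securinets{constructed_two}') + b'\n'
            + b'c2VjdXJpbmV0c3szMTAxMmUxNmMzZTVkZmE3ZTY3MzYxMmQ3NTcxNX0')
    return find_base64_word(blob, b'securinets')
```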
Rare To Win
Downloading the attachment raretowin.zip will yield us the raretowin.raw memory image.
As part of our standard procedure, let’s run volatility’s imageinfo plugin against the memory image:
Based on the results of imageinfo, we can see that the suggested profile is Win7SP1x64.
Let’s run pslist now to get an overview of the processes that were running when the memory image was acquired:
As you can see, there are a lot of chrome.exe processes that were running on the machine.
Recall that the challenge description told us that the user was browsing the web when his mouse suddenly started moving. With that in mind, let’s look for Chrome artifacts in the memory image. We can easily do so by grep-ing the results of the volatility filescan plugin:
Chrome’s History file looks appealing in this case.
Dumping the History file using the dumpfiles plugin and loading the database into sqlitebrowser will give us the following output:
So a certain music (1).rar was downloaded from the URL https://www[.]mediafire[.]com/file/2t7bb2mflg2lwwj/music[.]rar/file
Downloading it allows us to analyze the music.rar file. First, let’s run a quick file command to check it:
Hmm, so despite its .rar extension it’s actually an .ace file. I tried running the default unace command to extract the .ace file, but it didn’t work. So I tried downloading linunace from http://webdiis.unizar.es/pub/unix/archive/linunace25.tgz, after which we can extract the files that were contained in music.rar.
We can see that a certain firefox.exe is being unpacked to the destination folder C:\Users\Public\Data, giving us the final path C:\Users\Public\Data\firefox.exe.
Getting the full path’s md5 hash gives us the flag:
securinets{914353ebe43063302e511551e8782352}
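The file command recognises the archive as ACE because the literal **ACE** sits at offset 7 of the main header, whatever the extension says. The added example below (mine, not the write-up's and not unace code) performs that same check, walks the ACE headers to list the entries without extracting anything, and flags entry names that would land outside the extraction directory, which is exactly how an entry that unpacks to C:\Users\Public\Data\firefox.exe stands out. The sample archive is constructed with the published ACE header layout and CRC fields left at zero.

```python
import struct

def is_suspicious(name):
    """Entry names that would write outside the directory the archive is extracted into."""
    parts = name.replace('\\', '/').split('/')
    return name.startswith(('/', '\\')) or name[1:2] == ':' or '..' in parts

def ace_entries(data):
    """List the file headers of an ACE archive. Each header is CRC16(2) + size(2) + body;
    the body of a file header (type 1) is followed by `packed` bytes of file data."""
    if data[7:14] != b'**ACE**':
        raise ValueError('not an ACE archive: **ACE** expected at offset 7')
    entries, off = [], 0
    while off + 4 <= len(data):
        size = struct.unpack_from('<H', data, off + 2)[0]
        body = data[off + 4:off + 4 + size]
        off += 4 + size
        if body[:1] == b'\x01':                    # HEAD_TYPE 1 = file header
            packed, orig = struct.unpack_from('<II', body, 3)
            name_len = struct.unpack_from('<H', body, 29)[0]
            name = body[31:31 + name_len].decode('latin-1')
            entries.append({'name': name, 'size': orig, 'suspicious': is_suspicious(name)})
            off += packed                          # skip the (possibly compressed) file data
    return entries

def ace_header(body):
    """Constructed header; ace_entries does not verify CRC16, so it is left as zero."""
    return struct.pack('<HH', 0, len(body)) + body

def ace_file(name, data):
    """Constructed file header: type, flags, packed/original size, time, attrs, crc32, techinfo, reserved, name."""
    fields = struct.pack('<BHIIIIIIHH', 1, 0x8001, len(data), len(data), 0, 0x20, 0, 0, 0, len(name))
    return ace_header(fields + name) + data

def build_sample():
    """Constructed archive: a benign mp3 and an entry whose name carries an absolute Windows path."""
    main = ace_header(b'\x00' + struct.pack('<H', 0) + b'**ACE**' + bytes(16))   # type 0, flags, magic, ver/host/time/reserved
    return (main + ace_file(b'music.mp3', b'ID3 constructed')
                 + ace_file(b'C:\\Users\\Public\\Data\\firefox.exe', b'MZ constructed'))
```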
Cat Hunting
As usual, let’s run volatility’s imageinfo plugin:
Now that we have the suggested profile (Win7SP1x64), we can proceed to analyze the memory image.
Since we’re looking for cat pictures, I used the filescan plugin to locate them:
After which, I proceeded to extract them using the dumpfiles plugin.
Analyzing the strings on the cat(8) image gives us the following output:
If you look at the <rdf:li> (resource description) tag, we can see a referenced IP address (99.80.68.141).
Furthermore, looking at the results of the netscan plugin gives us:
We can see that the user connected to 99.80.68.141 using firefox.exe.
However, I didn’t find any artifacts related to Firefox. So I tried accessing the web page on 99.80.68.141:
The login page asks for credentials, so I looked for files that might contain a password, to no avail, until I decided to use the hashdump plugin to check for stored credentials in the memory image:
Cracking Noxious’ password:
Entering the username:password pair Noxious:#1SHOT will lead us to this page:
As you can see there is an “image” that is not rendering properly. Downloading it and inspecting it reveals the following:
Decoding the base64 string reveals the flag:
securinets{d25736febfd809ec4eba76b0aae9eab0}
hackstreetboys aka [hsb] is a CTF team from the Philippines.
Please do like our Facebook page and follow us on Twitter, Medium, and GitHub.
I hope you learned something new today.
As always, thank you for reading!
-Mon