Securinets Prequals 2K19 — Forensics Write-Up

Mon
Mar 25, 2019

Last weekend, my team (hackstreetboys) decided to participate in the Securinets Prequals 2K19 and was lucky enough to land in 23rd place out of 729 participants. In this blog post I will write about our solutions for the Foren(sics) category.

Board Sweep :D

Easy Trade

Downloading the attachment will give us foren_trade.pcap

Let’s take a look at the .pcap file:

On the highlighted entry (packet #3) we can see the IP address 10.0.0.5 communicating with 10.0.0.6 on port 1234.

Moreover, on packet 20:

We can see that the two hosts are now communicating on port 4444, the default port used by Metasploit reverse-shell handlers. Seems suspicious, let’s take a closer look!

Following TCP stream 0 gives us the following output:

TCP Stream 1:

TCP Stream 2:

Aha! The ASCII characters displayed in TCP Stream 3 tell us that this stream carries a .zip file: the PK at the start (bytes PK\x03\x04) is the signature of a ZIP local file header, and the entry name flag.txt is readable because ZIP keeps entry names in the clear even when the entry data is password-protected. This archive serves as the container for the precious flag.txt.

However, a password prompt appears when we try to extract flag.txt from the archive.

Since the string securinetsXD was sent over the same connection just before the .zip file, we can confidently assume that it is the password required to extract flag.txt.

Extracting flag.txt and displaying its content via cat will give us the following output:

Finally, we can get the flag by decoding the base64 string:

securinets{954f670cb291ec276b1a9ff8453ea601}
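The whole Easy Trade workflow (follow the TCP stream, carve the PK bytes, use the text sent just before them as the password, base64-decode flag.txt) as an added Python example. This is not the author's code; it uses only the standard library, so it can be run as-is against a classic pcap. It assumes Ethernet/IPv4/TCP framing and a classic (non-pcapng) capture. Because the challenge file is not reproduced here, sample_pcap() builds a constructed capture using the addresses and port from the write-up (which side listened on 4444 is an assumption), with the archive split across deliberately out-of-order segments. The archive in that sample is not actually encrypted, since the standard library cannot write ZipCrypto, so the pwd argument only does real work on a genuinely password-protected archive such as the challenge's.

```python
import base64
import io
import struct
import zipfile

def read_pcap(data):
    """Yield the raw link-layer frames of a classic libpcap file (pcapng is not handled)."""
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack_from("<I", data, 0)[0])
    if end is None:
        raise ValueError("not a classic pcap file")
    off = 24                                        # skip the 24-byte global header
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(end + "IIII", data, off)[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len

def parse_tcp(frame):
    """((src, sport, dst, dport), seq, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ip = frame[14:]
    ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack_from("!H", ip, 2)[0]
    src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
    tcp = ip[ihl:total_len]
    sport, dport, seq = struct.unpack_from("!HHI", tcp, 0)
    return (src, sport, dst, dport), seq, tcp[(tcp[12] >> 4) * 4:]

def reassemble(pcap_bytes):
    """Wireshark's 'Follow TCP Stream' in miniature: one byte string per direction, in seq order."""
    segments = {}
    for frame in read_pcap(pcap_bytes):
        parsed = parse_tcp(frame)
        if parsed and parsed[2]:                    # skip non-TCP frames and bare ACKs
            key, seq, payload = parsed
            segments.setdefault(key, []).append((seq, payload))
    streams = {}
    for key, chunks in segments.items():
        buf, expected = bytearray(), None
        for seq, payload in sorted(chunks):
            if expected is not None and seq < expected:
                payload = payload[expected - seq:]  # drop bytes already seen (retransmission)
            buf += payload
            expected = seq + len(payload)
        streams[key] = bytes(buf)
    return streams

def carve_zip(stream):
    """(text sent before the archive, archive bytes) if the stream carries a PK archive."""
    start, eocd = stream.find(b"PK\x03\x04"), stream.rfind(b"PK\x05\x06")
    if start < 0 or eocd < start:
        return None
    comment_len = struct.unpack_from("<H", stream, eocd + 20)[0]
    prefix = stream[:start].decode("ascii", "replace").strip()
    return prefix, stream[start:eocd + 22 + comment_len]

def extract_flag(pcap_bytes):
    """Carve the archive, use the preceding text as its password, base64-decode flag.txt."""
    for key, data in reassemble(pcap_bytes).items():
        carved = carve_zip(data)
        if carved:
            password, zip_bytes = carved
            with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
                raw = zf.read("flag.txt", pwd=password.encode())
            return key, password, base64.b64decode(raw).decode()
    return None

# --- constructed sample capture standing in for foren_trade.pcap ---------------
def _frame(src, sport, dst, dport, seq, payload):
    ip_of = lambda a: bytes(int(x) for x in a.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0, ip_of(src), ip_of(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    return bytes(12) + b"\x08\x00" + ip + tcp + payload    # checksums left zero: not verified here

def sample_pcap():
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:          # stdlib cannot write ZipCrypto: entry is unencrypted
        zf.writestr("flag.txt", base64.b64encode(b"securinets{954f670cb291ec276b1a9ff8453ea601}"))
    z, pw = zbuf.getvalue(), b"securinetsXD\n"
    half = len(z) // 2
    a, b = "10.0.0.5", "10.0.0.6"                   # client port 49152 is an assumption
    frames = [
        _frame(a, 4444, b, 49152, 1, pw),
        _frame(a, 4444, b, 49152, 1 + len(pw) + half, z[half:]),   # deliberately out of order
        _frame(b, 49152, a, 4444, 1000, b""),                       # bare ACK from the other side
        _frame(a, 4444, b, 49152, 1 + len(pw), z[:half]),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # magic, v2.4, LINKTYPE_ETHERNET
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    print(extract_flag(sample_pcap()))
```

To use it on the real capture, replace sample_pcap() with the bytes of foren_trade.pcap; the reassembly drops retransmitted overlap but does not fill sequence gaps, so a capture with lost segments would need Wireshark's export instead.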

Contact Me

Solving this problem was quite amusing.

Downloading the attachment will give us contact_me.zip and extracting it will give us contact_me

Let’s go back to basics and give contact_me a quick inspection. The file and trid commands yield nothing useful:

At this point I moved on to manual inspection of the file: I ran the strings command and looked for relevant strings.

First, I tried to look for clues as to the nature of the file:

Based on these strings (.mdb, Time Machine), I looked for Apple/Mac image and backup mounters, to no avail.

At this point I went for the easy route and searched for the string securinets, since the flag format is securinets{flag_here}:

Still nothing. Then I went for the easier route and searched for securinets again, this time in its base64 form. (A caveat for this trick: the base64 spelling of a keyword depends on where it falls in the encoder’s 3-byte groups, so there are three possible spellings, and the last character of each also depends on the byte that follows the keyword; a reliable search trims that trailing character and tries all three alignments.) This time there was a hit:

Decoding the base64 string c2VjdXJpbmV0c3szMTAxMmUxNmMzZTVkZmE3ZTY3MzYxMmQ3NTcxNX0

will give us the flag: securinets{31012e16c3e5dfa7e673612d75715}
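Searching for a base64-encoded keyword is alignment-sensitive, which is why a plain grep for one spelling can miss it. The added Python example below (not the author's code) generates all three base64 spellings of a keyword with the uncertain edge characters trimmed, scans a binary blob for base64 runs that contain any of them, and decodes the hits, retrying the decode at each of the four possible group offsets in case the run was cut mid-group. The sample blob is constructed here: it embeds the write-up's flag encoded behind a 5-byte prefix, an alignment at which the base64 of securinets{ as encoded on its own never appears in the data.

```python
import base64
import binascii
import re

FLAG_RE = re.compile(rb"securinets\{[0-9a-f]+\}")
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")   # candidate base64 tokens inside a binary blob

def b64_variants(word):
    """The three base64 spellings a keyword can have, one per position inside the
    encoder's 3-byte groups. Characters that also depend on unknown neighbouring
    bytes are dropped, so every variant is a safe substring to search for."""
    variants = set()
    for shift in range(3):
        enc = base64.b64encode(bytes(shift) + word).decode().rstrip("=")
        drop_front = (0, 2, 3)[shift]                       # chars tainted by the padding bytes
        drop_back = 1 if (shift + len(word)) % 3 else 0     # last char shares bits with the next byte
        variants.add(enc[drop_front:len(enc) - drop_back])
    return variants

def find_b64_flags(blob, keyword=b"securinets{"):
    """Decode every base64 run that contains some spelling of the keyword; return the flags found."""
    needles = [v.encode() for v in b64_variants(keyword)]
    flags = []
    for match in B64_RUN.finditer(blob):
        run = match.group().rstrip(b"=")
        if not any(n in run for n in needles):
            continue
        for trim in range(4):                # the run may not start on a 4-char group boundary
            chunk = run[trim:]
            if len(chunk) % 4 == 1:          # a lone trailing char cannot form a byte
                chunk = chunk[:-1]
            chunk += b"=" * (-len(chunk) % 4)
            try:
                decoded = base64.b64decode(chunk)
            except binascii.Error:
                continue
            hits = FLAG_RE.findall(decoded)
            if hits:
                flags.extend(hits)
                break
    return flags

# Constructed sample: the flag exists only in base64 form, behind a 5-byte prefix, so the
# keyword starts at offset 2 of a 3-byte group and the "natural" spelling never appears.
SAMPLE = (
    bytes(range(8))
    + base64.b64encode(b"nothing to see here, move along")   # decoy token without the keyword
    + b"\x00\xff"
    + base64.b64encode(b"user:securinets{31012e16c3e5dfa7e673612d75715}")
    + b"\x00" * 4
)

if __name__ == "__main__":
    print(sorted(b64_variants(b"securinets{")))
    print(b"c2VjdXJpbmV0c" in SAMPLE, find_b64_flags(SAMPLE))
```

The three spellings it prints are the strings to grep for in a real file; the straight encoding of securinets{ (c2VjdXJpbmV0c3...) is only one of them.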

Rare To Win

Downloading the attachment raretowin.zip yields the raretowin.raw memory image.

As part of our standard procedures, let’s run volatility’s imageinfo plugin against the memory image:

Based on the results of imageinfo, we can see that the suggested profile is Win7SP1x64.

Let’s try to run pslist now to get an overview of the processes that were running when the memory image was acquired:

As you can see, there are many chrome.exe processes running on the machine (Chrome runs a separate process per tab, extension and renderer), so the user was browsing with Chrome.

Recall that the question told us that the user was browsing the web when his mouse suddenly started moving.

With that in mind, let’s look for Chrome artifacts in the memory image. We can easily do so by grepping the output of volatility’s filescan plugin for Chrome:

Chrome’s History file looks appealing in this case.

Dumping the History file using the dumpfiles plugin and loading the database into sqlitebrowser will give us the following output:

So a certain music (1).rar was downloaded from the URL https://www[.]mediafire[.]com/file/2t7bb2mflg2lwwj/music[.]rar/file

Downloading it allows us to analyze the music.rar file. First, let’s run a quick file command to check it:

Hmm, so it is actually an ACE archive despite the .rar extension (file recognises the **ACE** magic at offset 7 of the header). I tried running the default unace command to extract the .ace file, but it didn’t work. So I tried downloading linunace from http://webdiis.unizar.es/pub/unix/archive/linunace25.tgz

After which, we can now extract the files that were contained in music.rar.

We can see that a certain firefox.exe is unpacked to the destination folder C:\Users\Public\Data, giving us the full path C:\Users\Public\Data\firefox.exe. Note that the destination is an absolute path dictated by the archive itself: an ACE file renamed to .rar that drops an executable wherever the attacker chooses is exactly the WinRAR ACE path-traversal bug (CVE-2018-20250) disclosed in February 2019, a month before this CTF.

Getting the full path’s md5 hash gives us the flag:

securinets{914353ebe43063302e511551e8782352}
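The History lookup and the archive-type check as an added Python example (not the author's tooling). It assumes a subset of Chrome's real downloads and downloads_url_chains tables, rebuilt in an in-memory SQLite database with a constructed download record (the victim's local download path and the timestamp are made up; the URL is the one from the write-up), converts Chrome's WebKit timestamps to UTC, and identifies ACE by the **ACE** magic at offset 7, which is what file keys on regardless of extension.

```python
import datetime
import hashlib
import sqlite3

WEBKIT_EPOCH = datetime.datetime(1601, 1, 1, tzinfo=datetime.timezone.utc)

def chrome_time(microseconds):
    """Chrome's History DB stores times as microseconds since 1601-01-01 UTC, not Unix time."""
    return WEBKIT_EPOCH + datetime.timedelta(microseconds=microseconds)

def list_downloads(con):
    """Download records as (target_path, url, start_time): the rows read off in sqlitebrowser above."""
    rows = con.execute(
        "SELECT d.target_path, c.url, d.start_time FROM downloads d "
        "JOIN downloads_url_chains c ON c.id = d.id "
        "ORDER BY d.start_time, c.chain_index"
    ).fetchall()
    return [(path, url, chrome_time(ts)) for path, url, ts in rows]

def is_ace(head):
    """ACE archives carry the magic '**ACE**' at offset 7, whatever the file extension says."""
    return head[7:14] == b"**ACE**"

def identify(head):
    """Cheap magic-based type check for the two formats that matter here."""
    if is_ace(head):
        return "ACE"
    if head.startswith(b"Rar!\x1a\x07"):        # RAR 1.5 - 4.x signature
        return "RAR"
    return "unknown"

def flag_for_path(path):
    """The challenge wanted the MD5 of the full extraction path as the flag body."""
    return "securinets{%s}" % hashlib.md5(path.encode()).hexdigest()

def build_sample_history():
    """Constructed in-memory stand-in for Chrome's History file (a subset of the real schema)."""
    con = sqlite3.connect(":memory:")
    con.executescript(r"""
        CREATE TABLE downloads (id INTEGER PRIMARY KEY, target_path TEXT, start_time INTEGER,
                                received_bytes INTEGER, total_bytes INTEGER, state INTEGER);
        CREATE TABLE downloads_url_chains (id INTEGER, chain_index INTEGER, url TEXT);
        INSERT INTO downloads VALUES
            (1, 'C:\Users\victim\Downloads\music (1).rar', 13197816000000000, 4096, 4096, 1);
        INSERT INTO downloads_url_chains VALUES
            (1, 0, 'https://www.mediafire.com/file/2t7bb2mflg2lwwj/music.rar/file');
    """)
    return con

if __name__ == "__main__":
    for path, url, when in list_downloads(build_sample_history()):
        print(when.isoformat(), url, "->", path)
    print(identify(b"\x13\x37\x31\x00\x00\x00\x00**ACE**\x14\x14"))
    print(flag_for_path(r"C:\Users\Public\Data\firefox.exe"))
```

On a dumped History file, replace build_sample_history() with sqlite3.connect(path_to_dumped_file); the timestamp conversion is the part people most often get wrong when reading these rows by hand.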

Cat Hunting

As usual, let’s run volatility’s imageinfo plugin:

Now that we got the suggested profile (Win7SP1x64), we can proceed to analyze the memory image.

Since we’re looking for cat pictures, I used the filescan plugin to locate them:

After which, I proceeded to extract them using the dumpfiles plugin.

Running strings on the cat(8) image gives us the following output:

If you look at the <rdf:li> tag (an RDF list item inside the image’s embedded XMP metadata), we can see that an IP address is referenced (99.80.68.141).
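Rather than eyeballing strings output, the XMP packet can be pulled from the JPEG's APP1 segment and parsed as XML. Added Python example, not from the write-up: it walks the JPEG marker structure, extracts the XMP packet and returns the text of every rdf:li along with any IPv4 address found in it. The JPEG is constructed in make_sample_jpeg() and consists only of the marker structure plus an XMP packet mentioning the write-up's address; it is not a viewable picture.

```python
import re
import struct
import xml.etree.ElementTree as ET

XMP_HEADER = b"http://ns.adobe.com/xap/1.0/\x00"           # identifies the XMP APP1 segment
RDF_LI = "{http://www.w3.org/1999/02/22-rdf-syntax-ns#}li"
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def jpeg_segments(data):
    """Yield (marker, payload) for each JPEG segment up to start-of-scan."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    off = 2
    while off + 4 <= len(data):
        if data[off] != 0xFF:
            raise ValueError("corrupt marker at offset %d" % off)
        marker = data[off + 1]
        if marker == 0xD9:                      # EOI: nothing more to read
            return
        length = struct.unpack_from(">H", data, off + 2)[0]   # includes the 2 length bytes
        yield marker, data[off + 4:off + 2 + length]
        if marker == 0xDA:                      # SOS: entropy-coded data follows, metadata is before it
            return
        off += 2 + length

def xmp_packet(jpeg):
    """The XMP XML carried in the APP1 segment, or None if the image has no XMP."""
    for marker, payload in jpeg_segments(jpeg):
        if marker == 0xE1 and payload.startswith(XMP_HEADER):
            return payload[len(XMP_HEADER):]
    return None

def rdf_items(xmp_xml):
    """Text of every <rdf:li>: the per-item values of XMP Bag/Seq/Alt lists."""
    root = ET.fromstring(xmp_xml)
    return [(el.text or "").strip() for el in root.iter(RDF_LI)]

def network_indicators(jpeg):
    """IPv4 addresses mentioned anywhere in the picture's XMP metadata."""
    xmp = xmp_packet(jpeg)
    if xmp is None:
        return []
    return [ip for text in rdf_items(xmp) for ip in IPV4_RE.findall(text)]

# Constructed sample: an XMP packet of the kind found in cat(8), wrapped in a minimal JPEG.
SAMPLE_XMP = b"""<?xpacket begin="" id="W5M0MpCehiHzreSzNTczkc9d"?>
<x:xmpmeta xmlns:x="adobe:ns:meta/">
 <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
  <rdf:Description rdf:about="" xmlns:dc="http://purl.org/dc/elements/1.1/">
   <dc:description><rdf:Alt><rdf:li xml:lang="x-default">hosted at 99.80.68.141</rdf:li></rdf:Alt></dc:description>
   <dc:subject><rdf:Bag><rdf:li>cat</rdf:li><rdf:li>ctf</rdf:li></rdf:Bag></dc:subject>
  </rdf:Description>
 </rdf:RDF>
</x:xmpmeta>
<?xpacket end="w"?>"""

def make_sample_jpeg(xmp):
    """SOI + APP1(XMP) + empty SOS + EOI: enough structure for the parser above, not a real image."""
    app1 = XMP_HEADER + xmp
    return (b"\xff\xd8" + b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1
            + b"\xff\xda" + struct.pack(">H", 2) + b"\xff\xd9")

if __name__ == "__main__":
    print(rdf_items(SAMPLE_XMP))
    print(network_indicators(make_sample_jpeg(SAMPLE_XMP)))
```

Run network_indicators() over every picture dumped with dumpfiles; an address that also shows up in netscan, as 99.80.68.141 did here, is the one worth chasing.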

Furthermore, looking at the results of the netscan plugin gives us:

We can see that the user connected to 99.80.68.141 using firefox.exe.

However, I didn’t find any artifacts related to firefox. So I tried accessing the web page on 99.80.68.141:

The login page asks for credentials, so I looked for files that might contain a password, to no avail. Then I decided to use the hashdump plugin, which dumps the local account hashes (LM and NT) from the SAM hive in memory:

Cracking Noxious’ password:

Entering the username:password pair of Noxious:#1SHOT will lead us to this page:

As you can see there is an “image” that is not rendering properly. Downloading it and inspecting it reveals the following:

Decoding the base64 string reveals the flag:

securinets{d25736febfd809ec4eba76b0aae9eab0}

hackstreetboys aka [hsb] is a CTF team from the Philippines.

Please do like our Facebook Page and Follow us on Twitter, Medium, and GitHub.

I hope you learned something new today.

As always, thank you for reading!

-Mon
