Securinets Prequals 2K19 — Forensics Write-Up
Last weekend, my team (hackstreetboys) took part in the Securinets Prequals 2K19 and was lucky enough to land in 23rd place out of 729 participants. In this post I will write up our solutions for the Foren(sics) category.
Downloading the attachment will give us
Let’s take a look at the .pcap file:
On the highlighted entry (packet #3) we can see that the IP address 10.0.0.5 is communicating with 10.0.0.6 on port 1234.
Moreover, on packet 20:
We can see that the two hosts are now talking on port 4444, the default listener port for Metasploit reverse-shell handlers. That looks suspicious, so let’s take a closer look!
Following TCP stream 0 gives us the following output:
TCP Stream 1:
TCP Stream 2:
Aha! The leading PK bytes in TCP stream 3 (the ZIP local file header signature is PK\x03\x04) tell us that this stream carries a .zip archive, which serves as a container for the precious flag.txt.
However, a password prompt appears when we try to extract flag.txt from the archive:
Since we saw the string securinetsXD sent just before the .zip file, we can confidently assume that it is the password required to extract flag.txt.
Extracting flag.txt and displaying its content with cat gives us the following output:
Finally, we can get the flag by decoding the base64 string:
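The whole chain above (spot the archive by its PK signature, reuse the password seen earlier in the stream, decode the base64 flag) can be scripted against a saved raw TCP stream. The following is an added example and not code from the write-up; the stream, the password line and the archive contents are constructed stand-ins, and the sample archive is not encrypted because Python’s zipfile can read but not write PKWARE-encrypted entries (with a real capture, the password is passed as pwd):

```python
import base64
import io
import struct
import zipfile
from typing import Optional

ZIP_LOCAL_HEADER = b"PK\x03\x04"   # signature of the first local file header
ZIP_EOCD = b"PK\x05\x06"           # end-of-central-directory record signature


def carve_zip(stream: bytes) -> Optional[bytes]:
    """Cut the first ZIP archive out of a raw byte stream (e.g. a saved TCP stream).

    The archive runs from the first local file header to the end of the
    end-of-central-directory record, which is 22 bytes plus the archive
    comment whose length is stored at offset 20 of the record.
    """
    start = stream.find(ZIP_LOCAL_HEADER)
    if start < 0:
        return None
    eocd = stream.find(ZIP_EOCD, start)
    if eocd < 0 or eocd + 22 > len(stream):
        return None
    comment_len = struct.unpack_from("<H", stream, eocd + 20)[0]
    return stream[start:eocd + 22 + comment_len]


def password_candidate(stream: bytes) -> Optional[bytes]:
    """Return the last non-empty text line sent before the archive begins."""
    start = stream.find(ZIP_LOCAL_HEADER)
    if start < 0:
        return None
    lines = [ln.strip() for ln in stream[:start].splitlines() if ln.strip()]
    return lines[-1] if lines else None


def read_entry(zip_bytes: bytes, name: str = "flag.txt", pwd: Optional[bytes] = None) -> bytes:
    """Read one entry. `pwd` is only consulted for PKWARE-encrypted entries;
    an encrypted entry read without `pwd` raises RuntimeError, which is the
    scripted equivalent of the password prompt."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.read(name, pwd=pwd)


def solve(stream: bytes) -> bytes:
    """Carve the archive, reuse the password seen in the stream, decode the flag."""
    zip_bytes = carve_zip(stream)
    if zip_bytes is None:
        raise ValueError("no ZIP archive in stream")
    flag_b64 = read_entry(zip_bytes, "flag.txt", pwd=password_candidate(stream))
    return base64.b64decode(flag_b64)


def _build_sample_stream() -> bytes:
    """Constructed stand-in for the captured TCP stream: some chatter, a
    password line, then an (unencrypted) archive whose flag.txt holds base64."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("flag.txt", base64.b64encode(b"securinets{constructed_sample}") + b"\n")
    return b"hello\nsecurinetsXD\n" + buf.getvalue() + b"\nbye\n"


SAMPLE_STREAM = _build_sample_stream()

if __name__ == "__main__":
    print("password candidate:", password_candidate(SAMPLE_STREAM))
    print("flag:", solve(SAMPLE_STREAM))
```

In Wireshark the equivalent input is Follow TCP Stream, "Show data as: Raw", Save As; the script then replaces the manual unzip and base64 steps.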
Solving this problem was quite amusing.
Downloading the attachment gives us contact_me.zip, and extracting it gives us
Let’s go back to basics here and give contact_me a quick inspection. Running trid against it yields nothing useful:
At this point I fell back to manual inspection of the file: I ran the strings command and looked for anything relevant.
First, I tried to look for clues as to the nature of the file:
Based on these strings, I looked for Apple/Mac-related (.mdb, Time Machine) image/backup mounters, to no avail.
At this point I just went for the easy route and searched for the string securinets, the prefix of the flag format:
Still nothing, until I went for the even easier route and searched for securinets in its base64 form. One caveat worth knowing: base64 turns every three bytes into four characters, so the encoding of a substring depends on its offset modulo 3 in the surrounding data, and a single grep pattern only covers one of the three possible alignments:
Decoding the base64 string gives us the flag:
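As an added example (not part of the write-up), the following script builds the three base64 needles for a plaintext and scans a blob for base64 runs containing any of them, decoding each hit. The blob and the flag value inside it are constructed sample data; a plain grep for securinets finds nothing in it, the alignment-aware search does:

```python
import base64
import re
from typing import List, Tuple

B64_RUN = rb"[A-Za-z0-9+/]"


def base64_needles(plaintext: bytes) -> List[bytes]:
    """The three ways `plaintext` can appear inside a longer base64 stream.

    Base64 encodes 3 bytes as 4 characters, so the encoding of a substring
    depends on its offset modulo 3. Characters that mix bits of the (unknown)
    bytes before or after the substring are dropped so each needle matches
    regardless of the surrounding data.
    """
    needles = []
    for offset in range(3):
        encoded = base64.b64encode(b"\x00" * offset + plaintext).rstrip(b"=")
        lead = (offset * 4 + 2) // 3                        # ceil(offset*4/3) chars tainted by the bytes before
        tail = 1 if (offset + len(plaintext)) % 3 else 0   # last char shares bits with the byte after
        needles.append(encoded[lead:len(encoded) - tail])
    return needles


def _decode_lenient(run: bytes) -> bytes:
    """Decode a maximal base64 run (assumed to start where the encoder started)."""
    run = run.rstrip(b"=")
    if len(run) % 4 == 1:          # a lone trailing character carries fewer than 8 bits
        run = run[:-1]
    return base64.b64decode(run + b"=" * (-len(run) % 4))


def find_base64_runs(blob: bytes, plaintext: bytes) -> List[Tuple[int, bytes, bytes]]:
    """Return (offset, base64_run, decoded_run) for every base64 run in `blob`
    that contains `plaintext` at any of the three alignments."""
    hits, seen = [], set()
    for needle in base64_needles(plaintext):
        pattern = B64_RUN + b"*" + re.escape(needle) + B64_RUN + b"*={0,2}"
        for m in re.finditer(pattern, blob):
            if m.start() in seen:
                continue
            seen.add(m.start())
            hits.append((m.start(), m.group(0), _decode_lenient(m.group(0))))
    return sorted(hits)


def found_at_every_alignment(plaintext: bytes) -> bool:
    """Self-check: the needles must hit for all three offsets of `plaintext`."""
    for pad in range(3):
        blob = base64.b64encode(b"x" * pad + plaintext + b"!")
        if not find_base64_runs(blob, plaintext):
            return False
    return True


# Constructed sample: binary noise around one base64 run in which the flag
# sits at offset 11 of the plaintext, i.e. alignment 2.
SAMPLE_BLOB = (
    b"\x00\x10random binary noise\xff\xfe"
    + base64.b64encode(b"note=hello securinets{constructed_sample} bye")
    + b"\x00more noise\x00"
)

if __name__ == "__main__":
    for needle in base64_needles(b"securinets"):
        print("needle:", needle.decode())
    for offset, run, decoded in find_base64_runs(SAMPLE_BLOB, b"securinets"):
        print(offset, run.decode(), decoded)
```

The same idea is what YARA’s `base64` string modifier does internally; with plain grep you would run the three needles as alternatives in one pattern.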
Rare To Win
Downloading the attachment raretowin.zip yields the raretowin.raw memory image.
As part of our standard procedure, let’s run volatility’s imageinfo plugin against the memory image:
Based on the results of imageinfo, we can see that the suggested profile is:
Let’s run pslist now to get an overview of the processes that were running when the memory image was acquired:
As you can see, there are a lot of chrome.exe processes running on the machine.
Recall that the question told us that the user was browsing the web when his mouse suddenly started moving.
With that in mind, let’s look for Chrome artifacts in the memory image. We can easily do so by grepping the output of volatility’s filescan plugin for Chrome’s profile files:
The History file (the SQLite database in which Chrome keeps its browsing and download history) looks appealing in this case.
Dumping the History file with the dumpfiles plugin and loading the database into sqlitebrowser gives us the following output:
So a certain music (1).rar was downloaded from the URL:
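Instead of clicking through sqlitebrowser, the same information can be pulled from the dumped History file with a query. The following is an added example, not the write-up’s own steps: it joins Chrome’s downloads table with downloads_url_chains (the redirect hops that led to the file) and converts the WebKit timestamps, which are microseconds since 1601 rather than Unix time. The in-memory database, the path and the URLs are constructed stand-ins using only the columns the query needs; a real History file carries many more:

```python
import sqlite3
from datetime import datetime, timedelta, timezone
from typing import Dict

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_utc(ts: int) -> datetime:
    """Chrome stores times as microseconds since 1601-01-01 UTC (WebKit time).
    Feeding them to a Unix-time converter puts every event centuries off."""
    return WEBKIT_EPOCH + timedelta(microseconds=ts)


DOWNLOADS_QUERY = """
SELECT d.id, d.target_path, d.start_time, d.received_bytes, d.total_bytes,
       d.tab_url, c.url
FROM downloads AS d
JOIN downloads_url_chains AS c ON c.id = d.id
ORDER BY d.id, c.chain_index
"""


def list_downloads(conn: sqlite3.Connection) -> Dict[int, dict]:
    """One record per download: where it was saved, when, from which page,
    and the full URL chain (redirects) that delivered it."""
    downloads: Dict[int, dict] = {}
    for (id_, path, start, received, total, tab_url, url) in conn.execute(DOWNLOADS_QUERY):
        record = downloads.setdefault(id_, {
            "target_path": path,
            "start_time": webkit_to_utc(start).isoformat(),
            "complete": received == total,
            "tab_url": tab_url,
            "chain": [],
        })
        record["chain"].append(url)
    return downloads


def build_sample_history() -> sqlite3.Connection:
    """Constructed in-memory stand-in for a dumped History file (schema subset)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE downloads (
            id INTEGER PRIMARY KEY, target_path TEXT, start_time INTEGER,
            received_bytes INTEGER, total_bytes INTEGER, tab_url TEXT);
        CREATE TABLE downloads_url_chains (
            id INTEGER, chain_index INTEGER, url TEXT, PRIMARY KEY (id, chain_index));
        INSERT INTO downloads VALUES (7, 'C:\\Users\\victim\\Downloads\\music (1).rar',
            13200000000000000, 2048, 2048, 'http://example.test/share');
        INSERT INTO downloads_url_chains VALUES (7, 0, 'http://example.test/dl?id=42');
        INSERT INTO downloads_url_chains VALUES (7, 1, 'http://example.test/music.rar');
    """)
    return conn


if __name__ == "__main__":
    for id_, rec in list_downloads(build_sample_history()).items():
        print(id_, rec["start_time"], rec["target_path"])
        print("   via:", " -> ".join(rec["chain"]))
```

Against a real dump, replace build_sample_history() with sqlite3.connect("History"); dumpfiles output is often a partial or cached copy, so if the open fails, try the other extracted variants of the same file.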
Downloading it lets us analyze the music.rar file. First, let’s run a quick file command on it:
Hmm, so it’s really an .ace (WinACE) archive: file goes by the magic bytes, not by the .rar extension. I tried running the default unace command to extract it, but it didn’t work, so I tried downloading
After which, we can extract the files contained in
We can see that a certain firefox.exe is unpacked to the destination folder C:\Users\Public\Data. An ACE archive disguised as a .rar that writes an executable to an absolute path is the pattern of the WinRAR ACE path-traversal bug disclosed in February 2019 (CVE-2018-20250), where the filename field of a crafted ACE archive carries the attacker’s chosen destination. That gives us the final path of
Taking the MD5 hash of the full path gives us the flag:
As usual, let’s run volatility’s imageinfo plugin:
Now that we have the suggested profile (Win7SP1x64), we can proceed to analyze the memory image.
Since we’re looking for cat pictures, I used the filescan plugin to locate them:
After which, I extracted them with the dumpfiles plugin:
Running strings on the cat(8) image gives us the following output:
If you look at the <rdf:li> tag (an RDF list item inside the image’s embedded XMP metadata), we can see a referenced IP address (
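The <rdf:li> lives inside the XMP packet that JPEG files carry in an APP1 marker segment, so instead of eyeballing strings output the segment can be parsed directly. The following is an added example, not code from the write-up; the JPEG, its XMP packet and the 192.0.2.10 address inside it are constructed sample data:

```python
import re
import struct
import xml.etree.ElementTree as ET
from typing import Iterator, List

XMP_NS_SIGNATURE = b"http://ns.adobe.com/xap/1.0/\x00"   # prefix of an XMP APP1 payload
RDF_NS = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
IPV4 = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")


def jpeg_xmp_packets(data: bytes) -> Iterator[bytes]:
    """Walk the JPEG marker segments and yield the XML of every APP1 segment
    that carries XMP. Stops at SOS, after which entropy-coded image data
    (not marker segments) follows, and at EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 2 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA) or pos + 4 > len(data):   # EOI, SOS or truncated
            break
        length = struct.unpack_from(">H", data, pos + 2)[0]  # counts the 2 length bytes
        payload = data[pos + 4:pos + 2 + length]
        if marker == 0xE1 and payload.startswith(XMP_NS_SIGNATURE):
            yield payload[len(XMP_NS_SIGNATURE):]
        pos += 2 + length


def rdf_list_items(xmp: bytes) -> List[str]:
    """Text of every <rdf:li> in an XMP packet (the tag spotted with strings)."""
    root = ET.fromstring(xmp)
    return [(li.text or "").strip() for li in root.iter(f"{{{RDF_NS}}}li")]


def referenced_ips(data: bytes) -> List[str]:
    """IPv4 addresses referenced in any <rdf:li> of the image's XMP metadata."""
    found = []
    for packet in jpeg_xmp_packets(data):
        for text in rdf_list_items(packet):
            found.extend(IPV4.findall(text))
    return found


def _build_sample_jpeg() -> bytes:
    """Constructed minimal JPEG: SOI, one XMP APP1 segment, EOI. There is no
    pixel data; metadata lives in the marker segments before SOS anyway."""
    xmp = (
        b'<x:xmpmeta xmlns:x="adobe:ns:meta/">'
        b'<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">'
        b'<rdf:Description rdf:about="" xmlns:dc="http://purl.org/dc/elements/1.1/">'
        b'<dc:description><rdf:Alt>'
        b'<rdf:li xml:lang="x-default">see http://192.0.2.10/login.php</rdf:li>'
        b'</rdf:Alt></dc:description></rdf:Description></rdf:RDF></x:xmpmeta>'
    )
    payload = XMP_NS_SIGNATURE + xmp
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    return b"\xff\xd8" + app1 + b"\xff\xd9"


SAMPLE_JPEG = _build_sample_jpeg()

if __name__ == "__main__":
    print(referenced_ips(SAMPLE_JPEG))
```

On real files, run it over every image dumpfiles produced: XMP is where Adobe tools, cameras and CTF authors alike stash descriptions, and strings only shows it because the packet is plain UTF-8 XML.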
Furthermore, the output of the netscan plugin gives us:
We can see that the user connected to
However, I didn’t find any artifacts related to firefox, so I tried accessing the web page on
The login page asks for credentials, so I looked for files that might contain a password, to no avail, until I decided to use the hashdump plugin, which pulls the LM/NT password hashes out of the SAM hive in the memory image:
Cracking Noxious’ password:
Entering the username:password pair Noxious:#1SHOT leads us to this page:
As you can see, there is an “image” that does not render properly. Downloading and inspecting it reveals the following:
Decoding the base64 string reveals the flag: