Post

UniKL Game of Hacker CTF 2023 - Writeups

Posted Updated
By warlocksmurf 2 min read

My university sponsored several students to take part in this CTF and I was fortunate enough to be picked by them. I was teamed up with my friends @Nathan and @Wowiee to compete with students from other universities in Malaysia. In the end we managed to achieve 13th place out of 30 teams.

The realm of Eerie Area [Forensics]

Question: In this mysterious realm, a malevolent force is at play. Uncover the hidden malevolence within. Figure out the dark secrets the area holds.

Flag: gohunikl2023{p3ek_4_&0o}

We are given a pcap file to investigate. The first thing that I always do is to filter and analyze important protocols first like HTTP, FTP and SMB. Looking at HTTP packets, notice a strange encoded GET request was sent.

for1

So I tried decoding the URL with base58 and we get another URL that redirects to dropmefiles.

for2

In the website, a file called dropmefiles.net_boo.exe can be downloaded from it. Analyzing the file, it was discovered that it was actually a zip file and not an executable file.

1
2

└─$ file dropmefiles.net_boo.exe 
dropmefiles.net_boo.exe: gzip compressed data, from Unix, original size modulo 2^32 10240

Using 7Zip, we can navigate to the hidden file within the embedded folder and the flag can be obtained.

for3

for4

However, the flag was actually a bait! So I just check the contents in the “flag” file and got the real flag.

for5

Find Me [OSINT]

Question:

Flag: gounikl2023{Y0u_F0und_M3}

The challenge gave us an image of an anime guy, so of course I had to reverse search it for more information. Google reverse search will lead us to a Pinterest page. Notice how there is a user Liciela that liked the image, we then go to their profile to find out he is associated with UniKL.

osint1

osint2

Going to one of his post, we can see that he also has a Hoyolab account which I assumed he used the similar name. Bingo, his Hoyolab account was found.

osint3

osint4

Checking his Hoyolab account, his Twitter account can be found on his account bio. At this point, I was prepared to dive into a deep rabbit hole. Stalking his Twitter page, I notice that he said he was Top 50 in Malaysia on TryHackMe.

osint5

osint6

When checking the monthly leaderboards on TryHackMe, we can see that his account was top 1. Inside his TryHackMe account, a GitHub account was linked to it so we can proceed there now.

osint7

osint8

In the Credentials repository, the flag can be obtained.

osint9

Scoreboard

Team Perseus

GoH

ctf
forensics osint local
This post is licensed under CC BY 4.0 by the author.