DEADFACE Capture The Flag (CTF) 2021 - Challenge Walkthroughs [Beginner Friendly]

Captions
in this video we're going to take a look at some of the challenges from the dead face ctf 2021 it's hosted by cyber up cyber hectics and united states air force veterans and supported national cyber security awareness month and in the past couple of videos i've just picked a category and focused on that for the video but the difficulty the average difficulty of this of challenges in the ctf are quite a bit lower than the last couple of ctfs that i've run through so i'm going to aim to just kind of run through as many challenges as i can here from some different categories i am going to purposely leave some out for example cryptography um but yeah let's get started the first challenge we're going to take a look at is called unfinished it's a programming challenge and the description says there seems to be something wrong with this code can you figure out how to make it return a flag and it's telling us to modify the code that we have here which we can see we've got this little python script before even really looking at it let's go and create a python script i'm going to open this up in codium or vs code we can do it in your text editor of choice or ide of choice and we open this up we see that we've got this print statement so this is going to be executed this function get flag is never actually been called anywhere so there's nowhere in the code this is being called so we would need to actually say we want to call get flag in order for it to return this value so we could say flag is equal to and then it should it's basically going to call this function it's going to decode this string as you can see here decode utf-8 it's going to return it into this flag variable but we don't even need to create that variable right we're printing the flag here so we can just go and say plus get flag and that should print the flag for us uh let's try and run it and now we get flag oh look it's a flag obviously whenever we looked at the challenge there the first thing we should 
have seen really was that the flag was hex encoded based on the character range which is being used here so rather than actually copying over and modifying the code we could have just taken that to cyber chef to decode or you can do this in you could do it in python you can if you have phone tools installed you can just do your phone on hex and then paste that in and then you'll get the flag back in the terminal the next challenge is called the count it's a programming challenge and the description says apparently dead faces recruiting programmers but spooky boy is a little apprehensive about recruiting amateurs he placed his password hash in the form of a flag for those able to solve the challenge solve the challenge and submit the flag as this format with the sha256 hash there's a forum thread here but it's not really necessary let's just grab the server address and the port number you can see i've got my script there for solving it and let me just try and connect this with netcat and see what's going on and you can see that we get this message saying dead face keeper gatekeeper let us know how good your programming skills are if a equals zero b equals one c equals two etcetera tell me what the sum of this word is so it gave us the word cumbersome and essentially we need to find out that c is equal to two um u is equal to whatever add it all together and we need to submit that within five seconds so i wrote a script to do this i was actually expecting that whenever we run that i was expecting it to ask you to do that several times you know maybe ask you a hundred times what what's the sum of this word uh but it actually doesn't it's only needs to be done once so this is the script that i put together for it i'm important tools as i usually do just to make things easy in terms of connecting to the remote server and sending and receiving data and also using debug statements and stuff which i like doing but let me just run through this so we connect to the remote 
server got the level set to one here just to reduce the output in the terminal and we wait until well we receive everything let me just run that again we receive everything up to your word is and then we then then want to capture the word we're going to print it out to make sure we've got the word correctly and then we're going to run through you can see we imported string here so we can actually use string.ascii letters.index and then loop through each chart and that will tell us whether it's the zeroth element the first element the second element etcetera and we're going to add all those together into the sum variable we're going to send that off as a string and then we're going to receive our flag so i thought we're going to have to put this inside of a loop and just loop through like 100 times doing this to get the flag but apparently we don't so it's quite a bit easier than i was expecting but let's try it out anyway we'll run python exploit and the word we got was lace we could have probably actually calculated that and within five seconds and submitted it and then we got back our flag the next challenge is called trick or treat it's a programming challenge and the description says a user on ghost town create a game that he claims no one can beat check out the game and find the flag hidden inside so we've got a zip file to download which i've already got downloaded here and if we have a look at the files that were downloaded we've got a python script we've got an image directory and let's actually we'll take a look at those we got this font file in here we got an image directory just for the player and a enemy and then we've got our script so let's open that up and immediately we'll see that we have some hex values here so we might want to go and try to decode those in we can use on hex in the terminal or we can go to cyber chef if you are used to seeing flags in hex you'll know what the beginning of this string is so we can do on hex here and see that it 
actually begins with flag but in this case it's just a fake flag so we can keep going through in this fashion and having a look at some of these hex values just to see if it's just a case of decoding and see what these are i think some of these point two like block and stuff like that on hex death and block and basically different actions that are occurring we also have some decimal arrays here so we could go to cyber chef and convert these from decimal set this to comma although it doesn't seem to be making a difference but notice that um it's not just printing these decimal values out here it's actually using the set pref and it's calling another print function here with some more decimal values and this print value this is a custom function which is actually using these hex values here on hex okay i think that's because i don't think that was correct yeah because this is the alphabet so this is the alphabet that it's using here and it's like a custom print function so let's go let's go down towards the where the program starts anyway we've got our main functionality down here at the bottom it's going to basically set up the game for us it's going to initiate the game let's try let's play it as well you can run python game it's you need pi game installed you can just do pip in store pie game and basically you have this character you need to try and avoid as many of these enemies as possible they'll increase in speed and frequency i'm pretty sure that didn't hit me but um okay we can hit p to pause and that's it you notice it printed this flag in the background but it didn't print any more of the flag and so basically what i would do here is go and try and focus on anywhere that we have print you know so go and search around for these print functions and see when are they actually called remember that we had this gs function with these weird there's no real reason for those values as far as i can see so we have this escaped gss notice we have this here as well so 
the only time that gs function is called as far as you can see let's do let's double check it's called oh yeah that's called here and it's defined here so the only time it's called is whenever this condition is met which is to do with i guess the speed of the enemy so once they get up to a certain speed it's going to pause the game it's going to set the pause text to this and then it's going to pause the game so what i'm going to do is i'm just going to take this here and before we even spawned a player let's call that instead sorry before we even spawned an enemy hit go and there we go so we can see that our flag is just repeatedly printed in the background uh pause now crashes the game but that's fine we've already got our flag the next challenge is called blood bash it's a forensics challenge and the description says we've obtained access to system maintained by bloody mary there are five flags uh that we need you to read and submit submit the contents of flag1.txt so this is a five stage challenge where we've got access to this server you can see it's on port 22 so it's an ssh server so let's ssh as bloody mary into the server address and port number we don't need the port number because it's the default try and connect it'll ask us for the password then and then we're connected note that whenever i was actually trying to do this originally i got an error with the tty and i had to use the t flag whenever connecting ssh for that to work um but we're connected now we're able to access the server let's see that what we actually have here we've got this pdf file which unless we have some kind of pdf reader we're not going to be able to open here let's try and list um r so capital r to recursively list all of these directories and whenever we do that we'll see that we've got a flag1.txt file inside documents so let's just say we want to cut out documents flag1.txt and there we get back our first flag next up we have blood bash2 and it says we've obtained access to 
system maintained by bloody mary we believe bloody mary stole a sensitive document and storing it on a linux machine search for any such a system for any files relating to demand financial so we're already connected from the last part of the challenge let's go ahead and try to find this what i did here was just find and i literally just copied and pasted the string that they provided and then just search for from the root directory you'll see we get a lot of errors here and this might take a second to run through but hopefully when we get to the end um we get to the end and what i just noticed here was that we have this demand info um in the documents as well so it's it has a dot at the beginning the file name so it's hidden so if we go into documents and ls we're not going to see it let me see if we do ls dash lart we will see it so it's hidden file but we can still go ahead and print it out there was probably a better way to find that without getting all these errors but um that just happened to be the first command that i tried and i found that hidden text file so that's the blood bash two flag on to the next part of the blood bash challenge we have the third part and it says there's a flag on this system we're having difficulty with unlike the previous flags we can't seem to find a file with this flag in it perhaps it isn't stored in a traditional file so let's jump back over to the server again here um i'm going to go back to the home directory but what i did here was to run sudo l and you can see that we actually have some commands that we're able to run as pseudo we have this start script and then we can also run this serve as sudo as well uh let's try and first of all if we just try to cut out that serve you'll see that we get permission denied let's try and cut out the start script and we can see here then if we run the start script as sudo it's going to run sudo user bin serve and then it's going to accept bash let's just try and run sudo um opt start dot 
sh address already in use okay hit ctrl and c and now you'll see that we're actually root let's try and cut this out again and this time we're actually allowed to print out that user bin serve and if we do that we can see that we have a hex value in here which from our earlier challenge you'll know that we can just jump over to our terminal and say phone on hex and then paste that in and then we get back our flag which is flag open port alls onto blood bash 4 and the description says a sensitive file from demand was exfiltrated by morticia it contains data relating to a new web portal they're creating for consumers read the contents of the file and return the flag as flag goes here so we had that pdf file didn't we in the home directory which we might want to try and recover let me just try and see initially i tried to scp this and it didn't work but that i think that was to do with the tty error which they seem to have resolved so let me just try and move this demand customer portal to new.pdf just so the file name is a bit easier to work with and i'm going to go back over to my terminal and we'll do scp let me go and copy this name and port number again so we want to grab it from bloody mary at this server address and the file we want to grab is just new.pdf and then we just want to we'll just place it here as well try and run that let's see if it asks for the password it does okay so we now get this uh this was the message i was getting whenever i tried to connect via ssh and i i got around that by using the dash t flag in ssh if we do man ssh scroll down quite a lot eventually we'll see the dash t flag in here for pseudo terminal allocation this can be used to excrete arbitrary screen based programs on a remote machine which can be very useful and so this is how i was able to get ssh working earlier i'm assuming that was you know an issue with the challenge because it doesn't seem to be the case now but um all right that still didn't work for us let's go back 
over to the system here another thing that we can do is we can say we want to basically for the new.pdf file we can go and take a copy of this base64 encoded value and we could go in we could basically for decode this here in fact yeah let's do it here i was going to go to cyber chef but we'll be using that a bit later so um let's go and create this file paste this in here and we want to say base64-d 2d code and see that is creating the pdf as it should so we'll say we want to pipe that to new.pdf and let's go and open the pdf and see what's in it open the pdf and now we get our flag the next challenge is called windowpanes it's a forensics challenge and the description says one of the demands employees had their personal windows computer hacked by a member of dead face the attacker managed to exploit a portion of the database backup that contains sensitive employee and customer pii inspect the memory dump and tell us the windows major operating system version bit version the image date and time and then submit it in this format here and we've got an example of how to format it so i've already downloaded the image you can see here you've got to download it and decompress it so i've gone ahead and done that let's jump over to the image now we can have a look at this fizz mem raw it just shows this data and typically what we do here is use volatility to find out what operating systems it's what profile basically we need to use to run different plugins so let me just go to vola volatility and we can open up the help menu here and get a list of the different plugin commands that are available and the syntax that we need to use but essentially what we'd normally do here is say volatility and image info dash f and then fizz mem raw and i did try doing this and it took a long time and didn't come back with anything and at the time i went and did a little bit of googling around that and seemed to find that it looked like it was to do with the volatility that i have 
installed on parrot not having some of the windows 10 profiles that are needed so i did actually try to download volatility 2 from github and set that up but i had a lot of problems i always have a lot of problems with python anything with that's running python 2 seems to cause a lot of issues for me in the end what i had to do was move over to volatility three so let me just grab a copy of that i'm going to grab this from github and install it so get clone let's go into volatility three and see what we've got here i'm gonna do sudo python setup install let that run through and that should be us installed you can find some good cheat sheets online if you just search for like volatility cheat sheet you'll find some good ones on here hat tricks if page not found okay it's really it's um redirecting so hatricks has a cheat sheet here and gives you some examples of different commands that you can use you can see here it's set up for volatility 2 and volatility 3 so whenever you're running through some of these different options for example say you you know that the challenge is asking you to get some passwords you go straight down to the password section click whichever tab depending whether you're using volatility two or three and this will give you the different commands that are available it seems to be having some difficulties but um there are plenty of other cheat sheets out there anyway and even the i mean well actually the reference guide available from volatility themselves is probably the best option let's go to the wiki here volatility 3 documentation and yeah you can also jump in here and find some good information about the plugins but let's go and try and solve our challenge anyway so the first thing we want to do here with volatility three now installed let's do uh python fall dot py and i'm gonna pass it in that image again dot dot slash you don't get auto complete some reason with this but um let's just type it in and then let's just try and run this 
first of all and see what it says just says select a plugin to run okay let's try and do windows dot info oh by the way another reason i actually noticed that um so i was kind of just looking at the strings here if we if we run strings on fizz raw and well let's first of all what i did notice if we grab out flag whenever we run strings we get back quite a few results i guess of fake flags you can see here flag fod check and the ver you can see it's been set here as a variable we have another one jimmy got pwned so maybe these are from other challenges or challenges are going to be released later in the competition we'll see but uh these weren't the correct flag anyway because obviously we're looking for the operating system the version the image date and things like that which hopefully this will come back with okay so it took a little while to get through all that but now we've got back our windows information and we can see some various things here so we can see that we have our major operating system version is 10 so windows 10 oh that's the other thing i was going to say here if you um if you grew up here i was grappling for so grab for windows 10 or wind 10 or something like that and i was getting quite a lot of results and um that's kind of how i identified that it was probably an issue with the profiles in volatility too that was causing me issues but yeah we've got our operating system which is 10 we've got our system time so this is the time that the image was captured at which we know is what we need so basically we'd be putting together our flag here our flag is going to be windows 10 and then the architecture is 64-bit and then we want our timestamps would just be 2021 0907 14 57 44. 
and that would be the correct flag for this one so following on from the last challenge we have window panes 2 and the description says using the memory dump from window panes 1 submit the victim's computer name and if we go back over to our cheat sheet or well our cheat sheet keeps crashing so let's just go over to the actual reference here where we can get a list of the different plugins that are available um you can see here's linux here's mac they're going to be no use to us what we'll be used to of use to us is these windows plugins so we can go through we can have a look at some of these um in this case i kind of just ran through a few of these common plugins to check uh in this case we've got this windows.nvars where we can actually print out the environment variables so let's try and run our let's run this again instead of doing windows info let's do end vars oh wrong you can see as i typed i didn't incorrectly we actually managed to get out the suggestions of the plugins as well so that's another way you can kind of get an idea what if you're not too sure what what plugins to run you can just kind of go through and run whatever sounds interesting so we run through all that anyway and you'll see one of the last things that we see here is the computer name desktop itaq nri so our flag is literally just going to be take that and then flag oops not quite that but yeah you get the idea and on to window panes three it's asking us to use the memory dump file from the previous challenges to find out the name of the malicious process and they want that submitted as flag process process id including the extension you'll note that i got very close to where's the solves four out of five so i kind of misread this i thought it was asking i wasn't sure what it was asking for the process name or the pid because it says pid i thought it was just saying process id here and then it was like asking for the file extension so i was a little bit confused with that but um once we 
got the format sorted out it's not too bad let's go over to let's go back over to our volatility and there are a few things we can run here we can run something like pslist we can run ps3 we can run ps scan and they'll all do slightly different things which we can go and find out about here you can see here ps list ps i think ps3 is the one that shows you hidden uh plugin for listing processes in a tree base uh based on apparent process id so we can run through those and get an idea of some of the different processes that we have running here so it might just be worth scrolling through and seeing any of them look suspicious and if you find that do look suspicious we can basically go and dump those out and see if there's anything more suspicious so here we have the process id for example of this win p mem mini etc let's um let's try and run a instead of ps list we can run dump files and then we can pass in the process id of the process we want to dump the files for we run through this and you can just have a look at what files come out do any of them look interesting we might want to go and actually look at the strings in the exe or open up the exe in gear draw or something like that to have a look at it in that case that wasn't the that wasn't the one i was looking for let me instead of ps list let's do ps3 or ps scan alright so ps3 you see this one brings back another one that we didn't see last time which was user init.exe which immediately sounds suspicious to me um so let's take a copy of that process id let's dump that out and we dump that out i didn't really look to this into too much detail i saw a mention of this crypt sp um and decrypt primitives and just to me instantly sounded like it was probably potentially malicious um and submitted this process name with the pid eight so i just confirmed the flag is where's the it is flag process id underscore eight one eight zero for the process id the next stage of the window panes challenge is asking us to get the 
xiao one checksum of the malicious process so we've already extracted malicious process or we already had a look at it we just need to actually go and grab dump the file and then find out what is the sha one hash of it so let's um use our python volatility again we're passing in this raw memory image and then we're going to say dash o for an output directory just say that's going to be the directory we're currently in we're going to do windows dot dump files and then we're going to set the pid to 8180 which we identified previously and that's going to dump out all those files that we saw associated with the exe so not just the exe which we'll see up here but also all of these dlls and stuff that were associated with it but we know that we're interested in getting this exe xiao one some so we'll do xiao on sum we'll provide the file name and then we get back our hash so all we need to do is go and submit that with the flag parameter the next challenge is called file 101 it's a forensics challenge and the description says an email containing a photo of a pumpkin was found in the employee's gmail inbox the photo looks normal because can be deceiving sometimes what secrets could it be holding so we've got this image to download it's a jpeg image you can see it here is just a picture of a pumpkin and i'm trying to think what i did here at the time so let's try and run strings on it first of all we can look for strings greater than 10 and we have this url in here for this dropbox so let's go and open that up open this up we have a corrupted zip corrupted.zip file and the file name is 40x png for 21 kilobytes nearly let's try and get a direct download of this i'm going to save it and let's move it from downloads here let's try and open up corrupted.zip and it asks us for a password so let's um well just try and put in here password incorrect admin incorrect password123 incorrect all right so what we can do is try and crack the password on this we can use zip to john on 
corrupted.zip and this will create a hash format that we'll be able to crack with john the ripper so let's run that again and this time save it to hash so it's in a file called hash and now we can run john so let's run john dash dash word list equals user share wordlessrocqueue.txt and then we want to pass in the hash we run that oh is that okay i already had this still in the either that that cracked really quickly or i already had it in a pot file but yeah you can see that it cracked there as pumpkin pie and that means we can go ahead and unzip corrupted.zip enter in pumpkin pie as our password and now we get out this png file so we can try and use and try and open this up although you notice that the thumbnail isn't showing anything so that's not a good sign open it up and then we don't get anything so we could try and have a look at the strings again nothing of interest we could have a look at the exif data to see if there's anything hidden in there nope it's a png file which you can use some stego tools like zed stag for but i mean this isn't a stego challenge so you wouldn't really expect it to find anything and we get unsupported header all right let's actually use hex edit to have a look at the header and if you're going to have a look at that you'll see that we have this j5 in here we're starting with 2e2e78 which doesn't sound right let's go and have a look what is the j5 file signature and if we go and have a look at this here we'll see that actually this should be beginning with ffdaffe0 so let's go and set that ff d8 ff e0 let's save it let's exit that and now let's try and display it this opens up now it's it's quite funny because i spent a long time on this challenge and for some reason didn't actually see the flag let me see okay so whenever i was initially doing this challenge i had the the view something like this and i was quite confused because it looked to me like it was display in the image and obviously it's not a png anymore you'll notice 
now we have this flag in the bottom right hand corner but for some reason i just never resized the window so i never saw that i tried to open it up in stake solve and open it up in here showing showing it now in the bottom right as well i don't know i don't know why i took so long to find that but um there's a flag anyway the next challenge is an exploitation challenge called not so complicated and the description says use the memory dump from windows panes window panes to crack jimmy's password submit the flag as and then give the plain text password so we need to use our memory dump again let's go back over to volatility and instead of running we were looking at the processors last time and dumping out the processors at the end of the forensics section but now we want to have a look at the hashes let's run hash dump and this will dump out the various hashes we need jimmy's hash which is right here so we can run hashcat now i would normally jump over to the windows outside the vm to my windows system because it's a lot quicker to run but in this case uh let's set our mode 1000 for windows ntlm and let's paste in the hash and use a share word list just because it's likely to be ins in rock you and hopefully not too far in it that we can crack it inside the vm and we did we got back our password quite quickly so the flag is oh god i always do control and v instead of ctrl shift v so that's our flag the next challenge is called old devil it's an exploitation challenge and the description says we found this program written by lucifer she used it to hide a password in the form of a flag see if you can find the flag in the program so we download the file it's called demon once we get it extracted and stuff and it's a 64-bit lsb pi executable not stripped which means we can have a look at function names and things like that might want to first of all just have a look at the strings in there to see if anything sticks out to us and see some potential input here need to 
enter a demon's name that's not the correct demon's name etc okay so let's make it executable let's run it and just try and put in some input enter in hello and we get that's not the demon's name okay let's try and run it with l trace and see if it's just doing a simple string compare if you do l trace daemon you can see here it's asking us for a name just say hello again and then we can see what's actually happening in the background so it's doing a string compare between hello and add drum lek and it's saying that because hello doesn't match adram lek then we didn't put in the right name so we know that we can now run it again and just paste in that correct string and we get back you are correct and then it gives us the flag which is basically the same thing but with some different capitalization and numbers and stuff instead so we just go and go and submit that the next challenge is called password insecurities it's a exploitation challenge and the description says it looks like dead face is going after the password of one of demands customers haley portress poitras she has since changed her password but demand is looking for ways to improve password requirements demand would like you to correct the password from the database leak to determine if haley's password was secure enough submit the flag as and then the password so we just need to crack the password and we've got this sql database dump to download it's from another challenge um so we want to go and grab the hash password crack it and see whether the password was secure so i've got that file downloaded let's go and take a look at it it's the demand sql so i'm just going to open that up with codium and this is an sql dump let me just go back there file iman okay it just shows ascii there i was wondering is there some way to open this in a tool to get a better kind of look of it uh kind of like you would with sqlite browser i've not used like mysql workbench in a long time but i thought that whenever i 
last used that you were able to kind of open dumps like this or at least populate a new database with the same data just to make it a bit easier to go through but um let's what we'll try and do here is just search for haley and if we go through find hayley did it give a surname how many hailers are there jerry lee hayley hodge okay um there's poetry here haley okay 7117 so i'm going to take a copy of this i'm going to search 7117 and okay i'm going to get quite a few results let's match whole word and then we're getting some credit card details and stuff what we want to see is what's the hash that's linked to that and here we've got a hash let's take a copy of that and we could use hash id here let's do hash id let's paste that hash in we just need to go and escape these dollar signs and that'll tell us that the most likely hash type is md5 crypt so we could put this into a hash file let's do subtle hash again and paste this in here and we could just use john again and say john dash dash word list equals user share wordless rock u dot txt and pass in the hash and it will just go ahead and identify it for us and you can see it's come back and told us that the password is trust no one and we could also use hash cap for that so if you go to hashcat modes or just open up the hashgap manual on your terminal or hashcat help i'm going to have a look at the modes here and look for md5 crypts you can see the mode is 500 so that hash that um command that we ran earlier we ran like hash car um dash m1000 for the ntlm but we could do dash m 500 we could pass in that hash and then we could do the same thing user share wordless rock u and hashcat should also try to crack this again it's a lot faster to do this outside of your vm probably because you can use your gpu for cracking the hashes um okay i'm going to cancel anyway we've already got the password from haley so that should be fine the next challenge is called you shall not pass it's a exploitation challenge and the 
description says: DEADFACE has been targeting De Monne employees based on the recent De Monne Financial database leak. De Monne has already changed their employees' passwords, but they would like to try and crack the victim's password to see how secure it is and what they can do to train their employees to use proper cyber security hygiene. So again we need to crack a hash. Let's go and have a look at this Ghost Town thread that's provided to us, and you can see that there's a poster saying "that's a good idea, I'm sure they'll probably use the same password on and off work". We've got a post showing a poll where somebody's asking various questions which could be answers to security questions or could be used in passwords, and the password we're looking to crack here was one from Mary Lee Lawless. So you can see that they've answered all these questions: what street did they grow up on, what's their favourite TV show, what's their favourite colour, what year were you born. So I am going to jump over to the Windows system to run hashcat this time, just because it is quicker and I've got rule files and stuff on there. But basically we need to put together a word list of some of these. So what I did here was to take each one of these words, Goddard, Friends, purple, Albany, cashier, each one of them, and then obviously the date of birth as well, because it's kind of a hint that that's going to be used. So this is going to be our word list, and we're going to also use a rule which will go and basically try different capitalizations; it'll add exclamation marks and underscores and things like that to it to try and crack it in hashcat. So let's jump over to the Windows system.

Okay, over in the Windows system here, you can see that we've got our word list here, temp.txt, and it's filled with those words that we just went through, and we have our hash here as well. I forgot to mention, actually, the hash was from the SQL database dump for the user we saw
there, Mary Lee Lawless, because we weren't actually provided a hash with the question, so that's the hash that we've been given as well. What I'm going to run here is hashcat.exe and then -m 500, because it's the same mode that we just used to crack the md5crypt in the last challenge; that's what the SQL database was using to store the hashes. Then we want to provide the hashes (I need to stop using autocomplete because it slows things down), and we want to provide a rule as well, so we're going to say rules, and then I'm just going to use OneRuleToRuleThemAll, although there are quite a few different options you could use here. It wasn't a particularly complex password, to be honest, anyway. And then our word list, which is this word list here which we've just manually compiled. So let's run through that. Once it's running we can hit s to get a status, and we can see the time started, four seconds, it's expected to finish in about one minute and 30 seconds, and there you go, you can see it's cracked the password. The password was sprinkles1973! and it cracked that in about 14 seconds. So then our flag is simply going to be flag{sprinkles1973!}.

The next challenge is called The Root of All Evil, or Adding Insult to Injury, and the description says: great news, Lucifer has been spotted at an internet cafe. She's using a laptop right now. We can catch her if we act quickly; we need your help. Can you figure out a way to remotely connect to the machine and capture the flag? So we're told that the username on the system is lucifer and the hostname is batescafe.deadface.io, and it tells us to use the pcap from the traffic analysis challenges for this. So the first thing we probably think of here is to try and connect: ssh lucifer@batescafe.deadface.io. We do that, we get permission denied; we don't have a key. But if we go to our traffic capture, as we were advised to do, I actually found by mistake earlier a
private key, on the first or second traffic analysis challenge. I'm not too sure where it is; maybe it's in these commands at the end. Follow TCP stream. Okay, it's not in here, let me go back. Okay, I think there's another stream then towards the end. Let's go towards the end here, follow TCP stream, and this time, you can see that they actually ran cat and then printed out the private SSH key for lucifer. So we can take a copy of this, we can go and save this as our own key, we'll call this id, paste this in here, we need to change the permissions to 600, and then we can run this ssh again, this time using -i for identity, passing id, and that gets us connected. So we can have a look around here. We don't actually see a flag, but if we do ls -R for recursive and have a look in all these directories, we'll see that there's a flag in Downloads. So let's just print out Downloads/flag.txt, and now we have the flag for that challenge.

The next challenge is called Monstrum ex Machina. It's a traffic analysis challenge, and the description says: a person on the inside of Ghost Town was able to plant a packet sniffing device on Lucifer's computer. Based on our initial analysis, we know that she was attempting to hack a computer at Lytton Labs, and we have some idea of what she was doing, but we need a more in-depth analysis. This is where you come in. We need you to help us analyze the packet capture, look for relevant data related to the potential attempted attack, and gather some information on the victim. Investigate the victim's computer activity. The victim was using a search engine to look up a name; provide the name with standard capitalization. Okay, so we've got this pcap. It's already downloaded, let me open it up in Wireshark. One of the first things I normally do whenever I open up a pcap like this is to have a look, well, we can have a look first of all at the file properties and get an idea how big it is, how long
the packet capture went on for. We can see here nearly 161,000 packets. It was a 15-minute packet capture; we can see the date and stuff like that. We also can have a look at our protocol hierarchy and get an idea what kind of data we're actually looking at, so is there anything in here which is going to be of interest? Normally some things to look out for are going to be our HTTP data. You can see here we've got FTP data as well, so let's right click it, Apply as Filter, Selected, let's close that down, and then we've got our FTP data here. We can go and have a look through. You can see they're retrieving a GIF file here, a PNG file, we're retrieving some text files, encryption, some tools which have been downloaded, etc. So that might be a later part of the challenge. We know that in this case the search engine was used to search for something, so I'm going to set this to HTTP traffic and try and have a look, and actually if we have a look here we've got a search query. Let me, no, not apply this as a filter, let me follow the HTTP stream, and if we do that, well, we have the username here in a couple of places in the search engine. So we can see that the search was for "Charles Guess Chichter", so that would be our flag. We would put in flag{Charles Guess Chichter}, and that's the first challenge.

The next traffic analysis challenge follows on from the last one. It's called Sum of All Fears, and the description says: after hacking a victim's computer, Lucifer downloaded several files, including two binaries with identical names but with the extensions .exe and .bin, so a Windows binary and a Linux binary respectively. Obtain the MD5 hashes of the two tool programs; submit both hashes as the flag. This one took me quite a while because I misread the question. Let's go back to our FTP data that we were looking at in the last challenge, and we have some files in here. For some reason I thought it was talking about the secret
decoder, so I was looking for an exe with the same name and I wasn't finding one, so I thought maybe the name wasn't there, and I was trying to extract all different sorts of files. But obviously the answer is lyttoncrypt, or however you pronounce it: we have a .bin file, we have an .exe file, we've got these both here. So we can go and follow the TCP stream of this, for example, and then we could set this to raw, and then we can save that. I can't remember which one that was, was that the bin? I think that was the bin. Okay, so let's say this is crypt.bin, save that, and oh, that was the exe, oops. Let me go and rename that: mv crypt.bin crypt.exe. And then the next one. We could also download these another way, by the way: you can go to Export Objects, and actually it doesn't give us the FTP option there, but you can export HTTP objects and stuff here as well and just save them all to a folder and go and look through the file types and things like that. All right, so we've got our exe, we need our bin as well. So let's follow the TCP stream of this, let's set it to raw again and let's save it as crypt.bin, and now we have both files. So we can just go ahead and say md5sum crypt.* and then we get both of them back. We just need to submit this as flag, paste in the first one, pipe, and then paste in the second one. I believe that's what it was asking us for, the exe MD5 first, and yep, looks good.

The next challenge is called Release the Kraken, still part of this pcap file that we're looking at, and it says: Lucifer cracked a password belonging to the victim. Submit the flag as flag{} and then the password. So we go back to our pcap. If we have a look here at, not the FTP data but all the FTP stuff, you can actually see that they're attempting a variety of passwords here. You can see they set the user here to the user that we submitted as being the potential victim previously, and they're
trying a variety of passwords. Eventually you'll see that they get in with the password "dark angel", so they cracked the password successfully, and the password was dark angel.

The next challenge is called Lucifer, You Clever Little Devil, and the description says: Lucifer gains access to the victim's computer by using the correct password. What is the packet number of the response by the victim system saying access is granted? Submit the flag as flag{} with the packet number. I'm assuming it's talking about this "user logged in". It doesn't say access granted, but this is where they were cracking the password. You can see they've been trying a variety of passwords with the username; each time it says "user cannot log in", and then the packet right after entering the correct password is "user logged in". So 159765. If I go and try and enter it in, it's just going to say it's already been submitted; this was actually submitted by my teammate, so I'm not too sure whether this, 159765, whether it'll say incorrect. No, it just says you've already solved this, I think, unless I'm missing something. Somebody can let me know in the comments.

The next challenge is called Lucifer's Fatal Error, and the description says: Lucifer, a consummate hacker, got cocky and careless. She made a fatal mistake and in doing so gave control of a computer to someone. She ran a program on a computer that she shouldn't have. What is the MD5 sum of the program? So we'll go back to our traffic pcap, and let's go back to the FTP data that we were looking at in one of the previous challenges. I had got confused between lyttoncrypt and this secret decoder, which it looks like it's asking us to extract. So let's follow the TCP stream and we'll set this to raw data again, although just before we do that, let's go back to, where's ASCII, oh, ASCII, okay. So you can actually see this is a reverse shell, or a shell. Let's set it to raw, let's save it as
decoder, save it to the desktop, and then we just need to grab the MD5 of it. So we'll just do md5sum ../decoder, and there we've got our flag.

The next challenge is called Scanners, and the description says: Lucifer started the hack of the Lytton Labs victim by performing a port scan. Which TCP ports are open on the victim's machine? Enter the flag as open ports separated by commas, no spaces, in numerical order; disregard ports greater than or equal to this port number here, 16384. So let's go back over to our pcap. One thing we want to try and do here first of all, let's jump over to the FTP data that we were looking at before and let's try and find out what the attacker's IP address was. So let me go back towards the start here, where all these passwords are being sent through, and you can see there that the source IP address ends in .106 and the destination IP address ends in .103. So our victim is .103 and our attacker is .106; that's worth bearing in mind. We can go back here and have a look through some of the traffic, and basically this is some of the port scanning here, and we're getting some different results depending on whether the port is open or the port is closed, which we can see in the response. If we go and have a look through this traffic we'll see most of these ports coming back, you can see it's in red, and we just have the RST/ACK, whereas if we go down towards the bottom here, obviously we have some more FTP data and stuff there which isn't what we're looking for. Let's keep going. Okay, let me go back to this and we'll go up from here. So, okay, we do have some here that came through successfully, so you can see that the response has come back to say that port 135 is open, or port 21 FTP is open. So what we can do is have a look and see how we could filter these, and we could do that using the SYN/ACK. So we can see here that in
this example it's using RST/ACK, and in this example we have the SYN/ACK. So if the port is open it's going to return SYN/ACK; if the port is closed it's going to return this RST/ACK. So we can go here and we can actually say, this syntax, how do we filter by that? Let's go and say Apply as Filter, Selected, and we see here tcp.flags equals, so this will select all of these responses where it's got SYN/ACK. So let's go and use tshark and try and put some of this together. We can say tshark -r traffic.pcap, and that's going to read in our traffic.pcap. We can say that we want to extract, we're going to say fields, we want to extract the TCP source ports, and if you're not too sure what the syntax for some of these is, just go back to, let's go and have a look here, where's our source port. We can go back and you see here source port; you can go again and Apply as Filter, or you can add it as a column, and then you'll see the column here, and you can just right click here and you can see that, all right, it's tcp.srcport, tcp.dstport. These are the values that we would need to put into tshark. So back over to this, we want to extract the source port, but we only want to extract the source port when certain conditions are met: for example, we want the ip.src to be equal to 192.168.100.103, we want the ip.dst to be equal to 192.
and we want the tcp.flags to be equal to 0x012, and then finally we want the tcp.srcport to be less than 16384. So that's all the conditions met. We run through that, and we don't have anything set to only find unique values, so we would either need to put this into a text editor and just remove any duplicate values, or we can just go and read through them. I mean, we've got ports 445, 3389, 21, 139, 135, 4445, and it looks like the rest are just repeating. So we just need to go and plug those values in and then we've got our flag.

The next challenge is called A Warning, and the description says: Lucifer is being watched. Someone on the inside of Lytton Labs can see what she's doing and is sending her a message. One of them says "stay away from Lytton Labs, you have been warned". To find the flag, find the message; you'll know it when you see it. All right, so we just go back to our pcap. I actually found this one accidentally whenever I was doing the first part of this challenge. So I mentioned previously that we can go to Export Objects and export HTTP objects here, and it just so happens that, oh, well, there we go, we can see the warning message. Let's actually go and take a look at it here. We're going to follow this HTTP stream, and we've got the warning message .jpg being loaded, and then we have this in the response. So all right, let's just go and export that, Export Objects, HTTP, let's go in and we can preview it. Awesome, so we can just preview that and we can see that our flag is flag{angels fear to tread}.

The next challenge is called Persistence Pays Off, and the description says: Lucifer might have just bitten off more than she can chew. She has encountered an adversary that is counter-attacking her system, and it says Lucifer's Lytton Labs adversary executed a command to attain persistence on the computer. This command
will allow the adversary to regain a connection to the computer again even if she reboots it. What is the packet number where this command is executed? So if we jump back over to our pcap and go to have a look through this, we want to scroll towards the end, I guess, and start having a look at what happens after the shell is delivered. In fact, what I'm going to do, let's go back to our FTP data and let's go and select, we know that the shell was delivered, it was the secret decoder bin, because we got the MD5 hash of it. So now that's selected, let's just remove our filter; that'll take us to the same place, and then we can basically go and start to have a look through what happened after that stage. We can see some TCP traffic here, and you can actually see the whoami command there, so let me follow this TCP stream and we'll be able to see all of the commands that are entered here: whoami, sudo -l, it grabs the decoder bin, and then you can see here that this has been added as a cron job. So if we go and have a look at the packet number, it's 160468 where the persistence is established, so we would just go and input that as the flag.

The next challenge is called Lucifer's Cryptoware IOC 1, and the description says: Lucifer's cryptoware has a particular network signature. This can be used as an indicator of compromise (IOC). This indicator is unique to the cryptoware, so it can be used to indicate that a system has been infected by the cryptoware, or that the cryptoware has attempted to infect it. So we've got an encrypted file to download. Let me go and take a look at that. It's a 32-bit LSB executable, and let's make it executable. We might want to have a look for strings in there as well; it can be a good source of indicators. There's a way to use strings to extract network indicators as well, but I can never actually find it in the documentation. I know I used to do it whenever I was doing some malware analysis stuff, but I've completely
forgotten how to do it. It's not in the documentation for some reason. All right, so there's a lot of strings coming out here. We could try and do that again and grep for flag, and there is some mention of flags here, but it doesn't look like an actual flag. Okay, so what I'm going to do is, you notice it mentioned a network indicator, didn't it, a network signature. Okay, so let's try and open up Wireshark to capture some of the network traffic, and let's try and run the program and see what the network signature is. So we'll run the cryptoware, and you can immediately see some HTTP traffic. It's telling us all our files are encrypted, which I hope isn't the case, and you can see here it's getting the Lucifer crypt AES key. Let's go ahead and follow this HTTP stream. We follow it and then we can see we've got this here. So we have some text here, "scooby dooby doo", but the indicator it was looking for here was the user agent. So you need to take a copy of this whole user agent and then submit it as flag{user agent}, and there we go.

The next challenge is called Lucifer's Cryptoware IOC 2, and apologies for probably mispronouncing whoever Lucifer is. The description says the cryptoware causes even more ruckus by encrypting the victim's file names. Decrypt the file name and enter it here as the flag. So we have this encrypted file. This actually took me, well, it didn't take me a little while to do, but I wasn't too sure what it was talking about initially, because I normally use wget to download these, and whenever you use wget, you can see there it just downloads; you can see in the bottom left we have 33e 6t 3xs. So I never actually got the file name from the description here. So let's download that anyway, we'll move it from the Downloads folder, what was it called, fk, move that here, and let's have a look. So we've got a file name right here. We could go and throw this into CyberChef, which we haven't used yet. Paste this in here; you could
just try and throw Magic at it first of all, to see if it can actually pull out any recognizable strings. It doesn't. What we might want to do is try and rotate this, because all of these characters are within a correct alphabetical range. So if we go through and start rotating them to see if any of these results make any sense, as we start going through them, eventually we get to -3: Charles Guess Chichter to dark angel, and then the file extension. So it's minus three, or the same as 23 as well; both are the same value.

The next challenge is called Lucifer's Total Disaster. It's a reversing challenge, and the description says: Lucifer should learn to follow directions. Her cryptoware is a total disaster. She didn't realize that her choice of encryption algorithm, although a common encryption algorithm for hiding IOCs from analysts because of its simplicity and lack of obvious signature, is terrible for cryptoware. Do some basic analysis on the malware and see what information you can come up with. There are some great, easy to use tools that can help a burgeoning malware analyst. Right, so we've got this file downloaded; it's been part of a couple of the challenges now so far, and there are some hints here to look at some malware analysis platforms. So the first thing that I did was go to VirusTotal and upload the binary, which we have here. We can go and have a look at some information about it: where it is detected as malicious, we can go and see if the file was renamed, what sort of DLLs it's using, what imported functions, things like that. You can see here the URL that's contacted by it, which maybe will come in useful later, and we also have this Community tab, which, if we go and have a look, has this message: happy Halloween and congrats on finding the flag, and there we have the flag.

The next challenge is called Serial Killer. It's a reversing challenge, and the description says: Spooky Boy is really into his serial killers. He loves to watch
Mindhunter on Netflix. He also, you can also slay a bowl of his favourite cereal. So we can choose in this case whether we want to download a Windows binary to analyze or a Linux binary. I chose Linux because I'm not a sadist, and we can have a look at the strings of the serial binary again, just to see if there's anything sticking out, any passwords. You can actually see that we've got this fake flag in here this time, and you can see it's going to ask us for a passphrase. In fact, it looks like it's asking for a passphrase and the passphrase is right below it. Let's see if that's the case. I'm going to make it executable and let's run it, let's enter in that passphrase, and there we go, we get back our flag. All right, so in that case strings did it for us, but let's just assume that the password wasn't sitting right there in the strings. Let's run gdb, and we're using the pwndbg plugin here. Open up serial, and if we do this we can have a look and see what functions are available to us. We've got our main function here, let's try and disassemble main, and we can go in here and try and have a look at what's actually happening. One thing we'll notice is that at some point we have these hex values being moved into rax, and do we have some more? We've got some more hex values down here. Let me go ahead and we'll do that, pwn unhex, and we can actually do that inside of this, so we can use that inside of pwndbg: pwn unhex, paste that in, and you can see here it's in reverse order. So you can see we've got this "count" and it's going to be "chocula" or whatever it was next, but in reverse order. We could take some of this as well and do the same pwn unhex, and yes, that's some more of the flag, but obviously that's a bit hard to read and decode. So what we might want to do in this case is look for the, well, we could set this to, let me set a breakpoint here. Let's first of all break main, let's run the program, let's again disassemble, see where we're
at. We can disassemble right here, and I'm going to set a breakpoint, break *0x..., let's continue the execution. It's asking for a passphrase; say anything, and whenever we hit this breakpoint, you'll see that we've actually got our flag in rsp; we can see that it's sitting here on the stack. So if we assumed that this challenge was a little bit more difficult and that the password wasn't sitting in the strings, this would be another way to have a look and see what's actually being loaded onto the stack.

The next challenge is called Serial Killer 2. It's a reversing challenge, and the description says: Morticia loves spooky, sugary cereal. She isn't scared of hyperactivity or tooth decay. Download the program and decrypt the output to see what her favourite cereal is. We've downloaded the file, let's go and take a look at it. In this case it's a Windows executable, so we're going to have to swap over to Windows here. We could open up Ghidra and go and take a look at the code here, and we could still do our usual trying to get a quick, easy win with strings and things like that, but we're not going to see too much in this case. We can actually see some functions here, but the reason we're not going to see too much is we need to go and try and decompile this. It's a .NET assembly, so unlike typical Windows or Linux binaries, we can actually go and get a good copy of the decompiled code if we go over and use a tool like dnSpy. So I'm going to jump over to my Windows VM here and we'll go and have a look at it. So I'm over in the Commando VM here. This is just a Windows VM which is kind of designed to be like a pen testing distribution; it comes with quite a lot of different tools installed. Well, I've added on a lot of tools here as well. It's not really aimed at malware analysis and forensics; it's more focused on red team stuff, but it comes with quite a lot of tools installed, and it's quite easy to go and install new tools here
through the Boxstarter shell. So if you're interested, if you need a Windows VM for working on CTF or pen testing stuff, this might be worth looking into. And we've got our serial2 here. What I'm going to do is, let's go back to our tools here, we've got, in Disassemblers, nope, not Disassemblers, in .NET we've got dnSpy. So I'm going to open this up in dnSpy, because we know it's a .NET assembly, so we're going to be able to just go and have a look at the code. Let's drill down into this. We've got this SymmetricEncrypter, and here's our function. So we've got a Main function right here; let me try and zoom in on some of these windows, get rid of this. We have a Main function here, you see it's doing Console.WriteLine, and we have this Base64 encoded value, what looks like a Base64 encoded value. We've got another function, GetKey, which is going to take a password and basically generate an MD5 of that password. We've got EncryptString, so that's going to use, I guess, a key, and we have some decimal values here, and it's going to perform some encryption. We have a decryption which is going to do the same thing, reversed obviously, and we have this DecryptFromBase64String. The other thing we have here is this flag: "flag, you did not think it was that easy, did you", password, and that's it. Okay, so we can see this is an AES decrypter, and if we have a look at the decrypter here, just highlight it, you can see that it's taking in rgbKey and it's taking in rgbIV, and what it's actually being passed here is the array in both instances, and then it's going to perform the encryption or the decryption. This is our array right here, so I'm going to take a copy of this. We could actually probably just run this; you could modify this code to, rather than doing Console.WriteLine, call this decrypter. But that's not the way that I solved it; I'm just going to show you the way that I solved this instead. I'm going to go to the good old
CyberChef and use the AES decryption in there. So let's first of all paste in our Base64, oh no, wait, that's our decimal values, that's fine. Okay, let me just clean these up a little bit. I'm going to remove the spaces in here, Remove Whitespace, okay, nice, Remove Whitespace, and then let's convert From Decimal, okay, and then let's do To Hex. Oh, there we go, okay, looking good, and then let's say we don't want any spaces here. So we've just converted these decimals into this hex value. Now what I'm going to do is get rid of all that, I'm going to create a new recipe, I'm going to say AES Decrypt, and as our key we're going to put in that value, and as our IV we're going to put in that value, because we can see that they're both, it's taking in the same array for both values. Actually, at the beginning what I thought was happening was, because we have this password which is set to this fake flag, and then we have our GetKey, which is going to take in a password and generate an MD5, I thought that what we needed to do is MD5 the password, the fake flag, and then use that as the key, and then use the IV as these values here. But it seems that they're just taking in the exact same array, so the MD5 and the fake flag and stuff is just completely irrelevant, by the looks of it. Okay, so let's grab our Base64 encoded value and we'll go and say this is what we want to decrypt. We want to make sure that we set our input to, oh, let's set our input to raw; we need to convert it from Base64.
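As an added example (not code from the video or from the challenge binary), here is the construction the decompiled decrypter was using, written out in Go next to the form a defender would expect: one hard-coded array serving as both the AES key and the CBC IV, versus a fresh random IV per message. The 16 bytes in keyMaterial are constructed placeholders standing in for the challenge's decimal array, and the hardened functions are my addition, not something in the binary.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// keyMaterial: constructed placeholder for the decimal array the binary passed as both rgbKey and rgbIV.
var keyMaterial = []byte{18, 52, 86, 120, 144, 171, 205, 239, 254, 220, 186, 152, 118, 84, 50, 16}

// decimalsToHex is the CyberChef "From Decimal -> To Hex (no delimiter)" step from the walkthrough.
func decimalsToHex(b []byte) string { return hex.EncodeToString(b) }

// pkcs7Pad and pkcs7Unpad implement the padding .NET's AES uses by default.
func pkcs7Pad(b []byte, n int) []byte {
	p := n - len(b)%n
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(p)}, p)...)
}
func pkcs7Unpad(b []byte, n int) ([]byte, error) {
	if len(b) == 0 || len(b)%n != 0 {
		return nil, errors.New("data is not a whole number of blocks")
	}
	p := int(b[len(b)-1])
	if p == 0 || p > n || !bytes.Equal(b[len(b)-p:], bytes.Repeat([]byte{byte(p)}, p)) {
		return nil, errors.New("bad PKCS#7 padding")
	}
	return b[:len(b)-p], nil
}

// cbcRun applies AES-CBC over whole blocks; decrypt=false encrypts, decrypt=true decrypts.
func cbcRun(key, iv, in []byte, decrypt bool) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(in) == 0 || len(in)%aes.BlockSize != 0 {
		return nil, errors.New("input is not a whole number of blocks")
	}
	out := make([]byte, len(in))
	if decrypt {
		cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, in)
	} else {
		cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, in)
	}
	return out, nil
}

// weakEncrypt reproduces the pattern seen in the binary: one hard-coded array is both key and IV,
// so equal plaintexts give equal ciphertexts and the binary alone decrypts every message it made.
func weakEncrypt(pt []byte) (string, error) {
	ct, err := cbcRun(keyMaterial, keyMaterial, pkcs7Pad(pt, aes.BlockSize), false)
	return base64.StdEncoding.EncodeToString(ct), err
}

// weakDecrypt is the analyst's CyberChef recipe: From Base64, then AES Decrypt with Key == IV == the array.
func weakDecrypt(b64 string) ([]byte, error) {
	ct, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return nil, err
	}
	pt, err := cbcRun(keyMaterial, keyMaterial, ct, true)
	if err != nil {
		return nil, err
	}
	return pkcs7Unpad(pt, aes.BlockSize)
}

// hardenedEncrypt is the corrected form: a fresh random IV per message, prepended to the ciphertext.
func hardenedEncrypt(key, pt []byte) ([]byte, error) {
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	ct, err := cbcRun(key, iv, pkcs7Pad(pt, aes.BlockSize), false)
	return append(iv, ct...), err
}

func hardenedDecrypt(key, data []byte) ([]byte, error) {
	if len(data) < 2*aes.BlockSize {
		return nil, errors.New("ciphertext too short to hold an IV and one block")
	}
	pt, err := cbcRun(key, data[:aes.BlockSize], data[aes.BlockSize:], true)
	if err != nil {
		return nil, err
	}
	return pkcs7Unpad(pt, aes.BlockSize)
}

func main() {
	c, _ := weakEncrypt([]byte("constructed sample plaintext"))
	pt, err := weakDecrypt(c)
	fmt.Printf("key/IV %s -> %q (err=%v)\n", decimalsToHex(keyMaterial), pt, err)
}
```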
From Base64, and there we get back our flag: frankenberry goodness nom nom nom.

The next challenge is called Serial Killer 3. It's a reversing challenge, and the description says: Lucifer also has a favourite cereal. It is spooky and very delicious. This one, however, is a bit tricky. Download the program and decrypt the output to find out what her favourite cereal is. Again we've got a Windows and a Linux binary this time, so I've downloaded the Linux version, and we can have a look. Let's check the file type first of all: it's a 32-bit binary. We can have a look at the strings, see if we've got a password or a flag sitting there, and we don't appear to. We've got a fake flag, but it doesn't have a real one, and we have what, you can see here, kind of looks like parts of a flag that maybe needs to be reordered, or I guess decrypted in some kind of way. So let's make this executable, chmod +x serial, and let's try and run it. It asks us for a passphrase; okay, we're putting in the wrong one. Let's try it with ltrace as we did earlier to see if it's doing a simple string compare, and it's not; we can't actually see anything here at all this time. So I'm going to open up a new project in Ghidra. This takes a little while to create, so I'll speed through the process a bit. Unfortunately the audio for the rest of this challenge didn't record, so I'm just going to try and describe it as I remember. So I'm just describing here: we've got Ghidra, and we've got a decompiler, we've got our disassembled code, we can access our data section and stuff like that in the program trees, we've got our symbol tree with our imports and exports and functions, and we go to our main function to try and work out what's going on in the code. I'm just kind of noting here that the code looks quite complex. If we were to try and statically analyze that, we could do it, but we'd need to probably go through, rename a lot of variables and step through the code line by line to work out what's going on. But
we have at the bottom here a condition which is saying if either three is equal to zero do something otherwise it's gonna do something with this not flag you guessed it again this is not the flag so i'm just going here to verify that if we enter in the wrong password we get that message to say you guessed it so we have a couple of options here we could just basically patch the binary so that if we enter the incorrect password it'll do the opposite thing change that condition or we could run the program and set it to jump to a different address jump to that function rather than jump to the function that prints the incorrect flag and at this point so just decide that we'll be better off going over to gdb to demonstrate that so i try to open the program fail try again fail third time's the charm info functions so we're just going to have a look at the main function i guess here try and find out what the address is that we're interested in we have the string compare which is going to be comparing our password obviously so that's of interest set up a breakpoint here run the program and then we'll go and set up a breakpoint at the string compare and we run the program again we see that we've got a passphrase a password in the sitting in that um as a parameter ready to be passed for the string compare so it's being compared you can see the a in the first parameter and the boo boo berry in the second parameter so we're just going to try and run the program again pass that in as a password and that will get us the flag the next challenge is called the zealots fingerprints are all over this it's a reversing challenge and unfortunately the competition ended yesterday i didn't actually realize i thought it was still running today so i didn't get a chance to record a couple of the write-ups but luckily i still have the files from this challenge and a couple of the others so i'll run through those now um in terms of this challenge description essentially it was letting us know 
that there's two decrypters which are from this challenge here the decrypt in light and labs um number two there's an encrypter and a decrypter and there's an encrypted file as well and for this fingerprints are all over a challenge we were just asked to go and get the sha-256 sum of the encrypter and the decrypter so we can do sha 256 sum and then we'll say all crypto we get our two hashes and then the flag was just like flag we enter the encrypter and then piped in the decrypter the next challenge is called decrypting labs cryptoware one i can't view the description because the competition is over now but essentially we were given a windows binary and a encrypted document and we were told to go and try and find a way to decrypt the document so i still have the files locally so i'll be able to walk through the solution which i didn't actually get to solve but i'll step through where i was going with it and how we could have actually solved it now so i'm just going to jump over to the windows system so we've got a zealot crypto exe we've got an encrypted file as well and i've opened this up in ida pro i spent quite a while trying to solve this challenge using windows debuggers um let me see here we have ollie debug windybug x32 debug immunity um obviously i'm just terrible at using windows debuggers because i was struggling to even get to sections of the code that i want to separate points out and stuff um but if we have a look in here let me search for main in ida and we have a main domain as we did in our as we do in our other encrypter we have a encrypt rc rc4 and our fetch key we're unable to decompile this thing oh we are able to decompile it okay so f5 um you can use the decompiler to have a look at this and what i did notice this time is in our fetch key we have this shah 512 sum so in the other decrypting challenge which you'll see after this one if you're watching the video in order um we have an md5 some here so i thought it was going to be something kind 
of similar um let's go and open up wireshark and see if we can see if there's something similar going on with the network traffic let me try and find it so we'll open wireshark start capturing on the ethernet and then let's run this encrypter we should get a message oh it just closes down after the message that's fine but that runs through and basically we have a gif which is sent and if we follow the http stream you can see the gif here we can save as let's go and file export instead export http we have this image called prettylady.gif we can preview it we can save it and this is the image so i downloaded this and i was try i i took a shot of shafi12 some of this and tried to use that um thought we'd be able to use that to decrypt but um apparently that was possible looking at the an official solution you could get the 512 some but then you also needed to extract certain parts of that 512 sum to be used as the key an easier way to solve it would have been to notice that and i did notice that the rc4 it's just an xor stream so if we were able to get the key we'd just be able to go to cyber chef and select the rc4 algorithm and then apply the key it was just finding that key that was the difficulty for me but we don't actually need to find the key so there's a floor in the program meaning that if the file extension was changed so in this case the file extension is zero dev in our um in the next version of the crypto we have a decrypter and an encrypted file because it's using aes and a separate encrypted and decrypted as needed but in this case it's rc4 so it's basically a reversible function which means if we run this encrypter with a different file name so if we set the file name to i believe it's labs and then run this program again it should just decrypt the file and it does so well it's uh it's technically encrypted the file has turned it from labs to oo dev but because it's a reversible function that's actually decrypted the file so we got back our flag which 
is saying that rc4 is reversible but aes is not go back go back the next challenge is called decrypting lit and labs number two and it's similar to the first one which was a windows version where we just had an encrypted file and an encrypted document in this case we've got an encrypter we've got a decrypter and we've got an encrypted document so we'll go and take a look at those i can't remember exactly what the challenge description was and the competition's over so it won't let me view it but let's go and run through the challenger so if we have a look at the files available to us unlike the first version of this challenge we have this decrypter file so let's just go ahead and try and run it first of all and see what we get we're going to mess this same we need to enter the key as a 32 character hex string so we might want to go and take a look at some of the code i've got this open in gear draw already so i've loaded the encrypter and the decrypter so we could go and start having a look through some of these functions you will see quite a lot here so if you just search for main and then focus on the main dot main and we've got main dot find files main dot rotate text for some reason it's not giving me a decrypted function there let me go and check the encrypter let's go and have a look at the main here main dot main okay let me go back to the decrypter all right it's just taking a little while to load so yeah the decrypter here you can see we have some similar functions we've got a main.rotatetext main.main main.find files with extension and we have the decrypt aes it looks like it's just quite a lot of code in here you can see it's still trying to process all of this let's go back to our encrypter and have a look at this main.fetch key so this is what i was particularly interested in trying to work out what's going on here i had a quick look in here and figured it'd probably be easier to determine what's going on through some debugging rather than static 
analysis so let's go and set a breakpoint on this for the encrypter if we open this up in gdb phone debug encrypter and let's set a breakpoint main dots and we could set a breakpoint a few different ones here we could do the find files with extension if we want to try and find out what type of files it's focusing on encrypting or decrypting um in this case i'm going to set the breakpoint on fetch key and let's run the program run the program we hit our breakpoint which is awesome and look what we see here we see htcp insidious dead face dot io and the zealot crypt aes key so it looks like a connection is being made to this http site we could continue to step through this to see what it's actually retrieving and that should get us some information or we could go and have a look at the actual network traffic we i think we saw this earlier on a another challenge anyway uh oops let me let me exit that let's open up wireshark let's start capturing and then i'm going to go and run the encrypter we run the encrypter we quickly will notice some http traffic in the background so that's good let's stop the encrypter let's follow the http stream of that zealot crypt and that's what we see that the the key here is scooby dooby doo obviously that's not 32 bytes of hex but if we go and let me see if we can just convert this here to hex convert that to hex and then we now have 32 bytes so we could try and let me let me close down some of these windows we know we now have a 32 byte hex string so that's what it was asking us for with a decrypter let's paste that in see what we get and we get an error saying authentication failed um so maybe the key isn't correct and it was at this point that i noticed in our fetch key stage i think it was in fetch key yeah in our fetch key stage we have this crypto md5 sum and that's when i was thinking well maybe rather it's rather than just converting it to hex we actually need to get an md5 sum of that scooby-doo string so let's try and do echo 
dash n you need to do n to get rid of the new line and we put in that scooby dooby doo we'll echo that md5 sum and get this md5 and then let's try and run it again uh the decrypter provide that value and then we have this dark angel to charles i don't think i actually showed that before so this was set to do dev i think it was which was the encrypted file extension and it was an encrypted file and we've now successfully decrypted that file i should have actually shown that was encrypted to begin with but uh you just have to trust me it was encrypted we've now decrypted it and we've got our flag the next challenge is called sending the clowns and it's a stego challenge the description says there is a secret hidden somewhere in this image can you find it so we've got a jpeg image which has been downloaded this clowns.jpg and it does look pretty scary actually first thing we want to do is have a look at the strings let's do strings greater than 10 and we do that and we very quickly find our flag our next challenge is called scary bunny it's a stego challenge and it says what could be inside this creepy rabbit we've got this image to download and again the first thing i did here was the usual let's look for strings dash n10 let's open up stake solve we could throw this into cyber chef something as well is really good for image analysis and extracting bit planes and embedded files etc was going through this i did actually notice on the zero planes we have we always have this little square in the left let's go to the green one as well same so i was trying to extract that um it wasn't a solution anyway we need to go back and let's try and do stag hide i tried doing stag hide so we can say stack hide extract sf bunny i tried doing this with bunny um evil rabbit what else did we see in the description creepy none of them worked um let's try it without a password and this time we get our payload which is the flag the next challenge is called behind the curtain it's a stego 
challenge and the description says this image was intercepted from ghost town we think donal o'donnell has hidden information here but there doesn't seem to be anything special about the image can you help find the hidden information so we've got a file to download a jpeg image what i didn't notice whenever i was doing this challenge initially was that it has this link to the forum post as well um so we have this image how's this one i hid one of my passwords in it i'll make sure to change it later though and then somebody says uh could be better in my opinion and the way you hid that was easy to find but then again most people would try to use steg tools which probably wouldn't work too well for them lol so we have the same image here that's what i initially did try i tried to open up in stegsolv and let's just do it anyway open up instead solve go through and have a look at the different planes and we can go and have a look at the spectrogram and things like that try and extract data obviously it didn't get me anywhere because um i didn't see that forum hint but um what i had initially tried to do before even actually open it in this deck solve was to run foremost we run foremost against curtin.jpg and then list the output you'll see here i saw here basically the jpeg folder and then just moved on but if we were to try and do something similar with bin walk which will basically do the same thing we'll actually see that it extracts two jpeg images so i should have been a bit um more careful originally and actually gone and had a look at this jpeg folder and then i would have noticed that there's actually two jpeg images so let's go and take a look at them and yeah we've got basically an image inside an image and one of them has the flag in it the next challenge is called voice and the description says a friend sent me an audio file which supposed to tell me the time of our night out meeting but i can't comprehend the voice in the audio file can you help me figure 
it out i want to hang out with my friends so we download the audio file it's a dot wave file i'm not even going to open it and play it but let's run strings n10 on voice we don't find anything of interest we could have a look at the exif data and again nothing of interest we could run foremost and see is there anything inside there to extract and nope we've just got a wav file so i'm going to open this up in sonic visualizer which is quite often a useful tool to find hidden data in audio files will open up where is it desktop voice and zoom in a bit here and basically we want to go and try and do some add some uh different things here we can add a waveform we can add spectrogram let's do the waveform first of all didn't do much let's do the spectrogram all channels and there we get our flag so flag one two five seven the next challenge is called no one ever got fired for it's a stego challenge and the description says but they should have we spent 20 million dollars for this refrigerator size box and we have to pay money for every program we run and then when we try and pull data off we get garbage like this no one can read it none of our standard windows or mac os x systems can read this junk we can't even figure out what it's supposed to be what do you think can you help us enter the flag exactly as it appears in the file so we've got this file to download which i've downloaded and got a copy of here i've just called it can't read you can see it there so we can try and run strings dash n10 can't read and we won't see anything of interest we can have a look at the file type and again we won't see anything we could try and run foremost and things like that what i'm going to do is jump over to cyber chef and let's load the file in here and whenever i was actually testing this i tried to open the file and use a text decode in brute force option you can see here decode text and this allows you to specify an encoding you can already see how slow this is going to be 
because of the size of the file we have various encoding types here but what i was trying to do is brute force text encode in brute force you can set it to decode and try and get it to decode each one and what we could also do to trend is going to have a look at some of the hints that we have available to us here so the name of the challenge is no one ever got fired for if we go and search that we'll find that nobody ever got fired for buying ibm you'll notice that whenever we were looking at the text encoding options here quite a lot of them start with ibm which is interesting let me just cancel this because we can see already how slow it's going to be let's search for ibm text encoding and we'll see um some information about this character set then and it gives you some examples of comparing some ascii strings to these ibm strings using their character sets so here's some examples showing how the binary is different for the same characters depending whether you're using ascii or ebcdic so let's go over to our cyber chef which is apparently just completely given up now yep okay let's close that let's start again and let's open our file here can't read let's just go straight to decode text let's set this to ibm i don't know if any of these matter too much i'll set it to uk just because that's where i am let's go strings and look for strings greater than say eight characters and look what we find we find build pcs with linux instead so if we go back over and submit our flag as flag build pcs with linux instead we'll get our challenge complete so we've covered about 40 of the challenges here anyway varying and difficult is and from a couple of different categories i would have run through a couple more to be honest but the files are no longer available i can't click on anything or access the challenge descriptions or anything so maybe they'll make those public but i guess the video is getting pretty long anyway um some thoughts i had burp sweet open this entire time 
and there wasn't a single web challenge um i apologize for anybody's name i butchered probably lucifer's lucifer lucifer i've um i don't know how many different pronunciations i've had of that throughout this video um yeah i wish the ctf competitions would keep up the challenges so keep the files or descriptions available for after the competition's ended so that people can do walkthroughs i kind of try to make these video solutions as i'm going because otherwise i'll get to the end of the competition and be like i'm not gonna record 50 challenges now so i kind of i'll do it as i go you know i might solve five or ten challenges and then go and record a few and then go and solve some more etc um but i hope you've enjoyed this video anyway if you have any questions or comments anything you solve differently or anything i missed you can let me know in the comments below
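The RC4 "run the encrypter again" trick from the Decrypting Lytton Labs Cryptoware 1 challenge above, as an added example that is not the video's or the challenge authors' code. The key, file contents and the .labs/.0dev extensions are constructed stand-ins for the real values, and the encrypter model is an assumption based only on the behaviour described in the walkthrough.

```python
"""Why a second run of an RC4 'encrypter' decrypts: RC4 is a keystream XOR, so
applying the same key twice is the identity. Everything here is constructed."""
from pathlib import Path
import tempfile


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Standard RC4 key scheduling (KSA) plus generation (PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # KSA: permute S under the key
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:                  # PRGA: emit keystream bytes
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt and decrypt are the same operation: XOR with the keystream."""
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(key, len(data))))


def encrypter_run(folder: Path, key: bytes, src_ext: str, dst_ext: str) -> list:
    """Hypothetical model of the cryptoware: every file with src_ext is XORed
    with the RC4 keystream and renamed to dst_ext. Returns the new names."""
    processed = []
    for path in sorted(folder.glob(f"*{src_ext}")):
        target = path.with_suffix(dst_ext)
        target.write_bytes(rc4(key, path.read_bytes()))
        path.unlink()
        processed.append(target.name)
    return processed


def recover_by_rerun(plaintext: bytes, key: bytes) -> bytes:
    """Simulate the flaw: victim's run turns secret.labs into secret.0dev; the
    analyst renames it back to .labs and runs the encrypter a second time, and
    the second XOR with the same keystream cancels the first."""
    with tempfile.TemporaryDirectory() as tmp:
        folder = Path(tmp)
        (folder / "secret.labs").write_bytes(plaintext)
        encrypter_run(folder, key, ".labs", ".0dev")            # first run
        (folder / "secret.0dev").rename(folder / "secret.labs")  # rename back
        encrypter_run(folder, key, ".labs", ".0dev")            # second run
        return (folder / "secret.0dev").read_bytes()


if __name__ == "__main__":
    # Constructed values only; the challenge's real key is not used here.
    print(recover_by_rerun(b"flag{constructed}", b"constructed-key"))
```

The same property is why, once the key is known, CyberChef's RC4 recipe decrypts the file directly: it computes the identical keystream XOR.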
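A strings-style scan across the EBCDIC code pages Python ships, for dumps like the one in the No One Ever Got Fired For... challenge above: this is an added example, not the video's or CyberChef's code, and the sample bytes are constructed here rather than taken from the challenge file. It tries each codec in turn, which is the brute-force idea the walkthrough describes.

```python
"""Find printable strings in a blob under ASCII and several EBCDIC code pages.
Python has no IBM UK (CP285) codec; cp037 (US), cp500 (international) and
cp1140 share the same letters, digits and space, which is what matters here."""
import string

# Characters `strings` would keep: printable text minus vertical tab/form feed.
PRINTABLE = set(string.printable) - set("\x0b\x0c")
CODECS = ("ascii", "cp037", "cp500", "cp1140")


def printable_runs(text: str, min_len: int = 8) -> list:
    """Maximal runs of printable, non-newline characters of at least min_len,
    mirroring `strings -n <min_len>`."""
    runs, cur = [], []
    for ch in text:
        if ch in PRINTABLE and ch not in "\r\n":
            cur.append(ch)
            continue
        if len(cur) >= min_len:
            runs.append("".join(cur))
        cur = []
    if len(cur) >= min_len:
        runs.append("".join(cur))
    return runs


def ebcdic_strings(data: bytes, min_len: int = 8) -> dict:
    """Decode the blob under each codec (undecodable bytes become U+FFFD, which
    simply breaks a run) and collect the printable strings found per codec."""
    found = {}
    for codec in CODECS:
        runs = printable_runs(data.decode(codec, errors="replace"), min_len)
        if runs:
            found[codec] = runs
    return found


# Constructed sample: binary noise around one EBCDIC (cp037) encoded line.
SAMPLE = (b"\x00\x01\x02"
          + "BUILD PCs WITH LINUX INSTEAD".encode("cp037")
          + b"\xff\xfe" * 4)

if __name__ == "__main__":
    for codec, runs in ebcdic_strings(SAMPLE).items():
        print(codec, runs)
```

Under ASCII the sample yields nothing, because EBCDIC letters all sit above 0x80, which is exactly why plain `strings` found nothing on the challenge file.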
Info
Channel: CryptoCat
Views: 2,748
Keywords: DEADFACE, deadfacectf, dfctf, dead face, CTF, capture-the-flag, forensics, hashcat, password cracking, hashing, brute force, computer forensics, DFIR, volatility, wireshark, tshark, reversing, reverse engineering, ghidra, IDA pro, dnSpy, memory forensics, dump analysis, memdump, hacking, wargames, writeup, infosec, exif, exiftool, spectrogram, stego, hacktricks, ransomware, persistence, exploit, security, cyber-security, malware, cyberchef, pen-testing, red team, oscp, scripting, cryptoware, exploitation, file signature
Id: y8fmxealw8Y
Length: 95min 32sec (5732 seconds)
Published: Sun Oct 17 2021