Forensics Challenge Walkthroughs - DownUnderCTF (DUCTF) 2021

Captions
In this video we're going to take a look at some of the forensics challenges from the DownUnderCTF 2021. You can see I've solved most of the forensics challenges here apart from the final one; if I'm able to get that finished I'll add that in as well, and if not I'll keep an eye out for the walkthroughs. Normally I go through and record each of the categories that I've been through, but I'm a little bit short on time this week, so I thought I'd just pick one category and focus the videos in that area. I did take a look at some of the other challenges, which were excellent as well, and I hope you enjoy the video.

This challenge is called Retro. It's a beginner forensics challenge and the description says: our original logo was created in pain, I wonder what other secrets it hides. So I've already downloaded this og.jpg file and we can take a look at it here. I don't see any flags sticking out. Sometimes you just need to go and replace the colour, you can use something like the paint bucket tool to do that, and you'll see the flag is just a slightly different shade of maybe cream or brown, hidden in the background, so that might be something to try. The first thing I did here was run exiftool on og.jpg and have a look at the metadata, which is kind of common as a forensics challenge. We do that, and quite quickly we find that the artist is set to the flag, so we can just take a copy of that and submit it.

The next challenge is called How to Pronounce GIF. I say "gif" normally, but I know the creator said it's supposed to be pronounced "jif", but anyway. It's an easy forensics challenge and the description says: our machine that makes QR codes started playing up, and then it just said "PC LOAD LETTER" and died; this is all we could recover. We've got this GIF file to download, and I've already got a copy of that locally, so let's open it up. We can see that it's basically an animated QR code; it looks like we've got a few different colours in here and it's moving from top to bottom, so obviously we need to go and separate out these frames and try to join them back together in the original order to see if we can scan the QR code.

There are a few different ways that we could solve this. We could go to EZGIF, which we used in the last CTF video (the ActivityCon one), and we can do quite a few things in there in terms of modifying images, but we could start off by splitting it. Instead, this time I tried to actually script it in Python using the Pillow library; I got kind of close but ran into some issues, so let's instead use ImageMagick to convert this. First of all, make a new directory, because things are going to get a bit messy when we've got a lot of frames. So we'll create a new directory, go in there and convert our challenge GIF into %d.png, and now if we list the files we can see that we've got plenty of images in here. Let's go and have a look at it in folder form. What I actually found is, if you move this about a bit until you've got it aligned so that we have it in blocks of 10, these actually seem to match up with the colours. I don't know how well you'll be able to see this on the video, but you can see a different colour in each row of 10, and we have a total of 120 here, so we've basically got 12 rows of 10, and it looks like we need to append these vertically. So these 10 will hopefully get us the first QR code, this will get us another QR code, etc.

What I initially tried here was to use convert with -append. This is our first QR code, so any of the file names ending with 0.png, let's append them: -append *0.png, send that out to out1.png and take a look at it. You'll see this looks quite good, but the top doesn't seem to be quite correct, and the reason for that is the file names. Let's make another directory here and copy (not move) all of the PNGs ending with a zero over to the temp directory. If we go in there and list these files, you'll see that we don't get 0, 10, 100, which is exactly what we want. If we were to change some of these and say, let's move 100.png to 91.png, and do the same with 110, move it to 92.png, now if we list these you'll see that they're in order. So if we run that same command again to convert these and open it up, this should be our correct... oh, it's not our correct QR code, because I've only gone for things ending with a zero. Let me delete that and run it again, but this time we'll just do *.png, because we're in this temp folder. We do that and we get the QR code. So all we need to fix, basically, is the file naming.

So what I'm going to do here is delete all of this. We're going to convert the challenge GIF again; this time, instead of %d, which I think we did last time, we'll do %04d, and this is the minimum that's going to be required, so this will basically use four digits for every file name. If we list these now you can see they're all lining up in order, and if we have a look at them in the file browser as well you can see the same: they're lined up in terms of the colour and in terms of the structure. So if we go here now and say we want to convert and -append *0.png (all the files that end with a zero, because all these ones end with one, all these end with two, etc.) and send that to 1out.png, open that up and that looks good. We can test it out again for our second one quite easily, so just change this to a one and a two, check that again, and that's our second QR code. I'm going to delete these two because, although we could go through and do that manually, we do have quite a few to get through, so instead we'll use a bash loop: for i in 0 to 9, convert -append anything ending in $i.png (we need a dollar here) and send that out to ${i}out.png. Let's run that and refresh the page; you can see here we've got all of these out, so it's looking good. We could remove all of these, but I'm just going to go straight ahead and analyse the QR codes. We can do that online, or we can use a tool like zbarimg, and I'm going to pass in anything that ends with out.png. We send that through and we get this variety of QR codes for each of the images: one says the princess is in another castle, follow the white rabbit; we've got some links here that we can go and have a look at, taking us to some different videos and things, and as far as I remember none of those are of any interest. Then this one looks like it might be some kind of base encoding, due to the equals at the end, so we could try echoing that to base64 -d to decode. We get invalid input, but you'll see that we also have this value right above it. Let's try the same thing; it's not going to be at the end, because it's already ending with an equals, which would be the padding, and if we try that we actually get our flag.

This challenge is called Do the Loop. It's an easy forensics challenge and the description says "do the loop doop doop", and we have a message here saying the flag format is the string that you end up with after solving the challenge, and it is case insensitive. I've already got the file downloaded, so we can go and take a look at it. We have a tune there with what sounded like some Morse code faintly in the background. We can open up Sonic Visualiser and take a look at it in there. Using Sonic Visualiser we can actually have a look at the waveforms and things like that, so we can go in here to add a waveform to these channels, and we can do the same with a spectrogram. Let's have a look at the waveform: okay, nothing of interest there. Let's try the spectrogram, and here you can actually see what looks like the Morse code very faintly on this frequency, which, if we highlight it, you can see there in the top right is about 1000 Hz, 992 to 1003. So I was hoping that we'd be able to just extract this frequency and get rid of all this noise around here, at a far lower frequency, which is drowning out that sound. I wasn't too sure how to do that; I wasn't actually able to get that going. Let's have a look at these options here: we can change the scale to linear, which makes it a little bit easier to read the Morse code if you want to transcribe it, and some of the other options here aren't needed in this case, but in some CTFs you'll see data hidden in some of these different options, so it's worth going through and checking those out.

So I was investigating, as I say, trying to extract this frequency and put it into a different wave file so we could take it to a Morse code decoder. You can see I've got one here in the favourites, and there are a couple of different decoders: we've got an adaptive one and an advanced one, and there are some options in here to set some of the frequencies. I played around with some of these different options that were available; I was thinking this Inspector Morse because the frequency was so similar, but there's quite a few options to play around with. So in terms of the display frequency range, I was trying to set this between the values we saw there, like 980 and 1015 or whatever, and playing around with the volume range; we have more options here, and then also the speed of it, the words per minute. Going through and trying some of those different options and seeing what the output was, I didn't have much luck with either of those, unfortunately. Let's just try and upload it as it is. You can see, going through there, the Morse code quite clearly here: dot dash dash dash dash dot dot dot dot dot. So get on board... in this case it's not actually producing any... well, there's the message it produced, so yeah, that message doesn't look too useful. We also have some options here to change the frequency manually; let's try and put this at like 1000, maybe set this to 150, clear the message and try again. Okay, it's looking way too fast; let's try that at 100, clear the message, play it again, still looking very fast; let's try it at like 50. But yeah, I wasn't able to get this to work anyway. I'll be interested to hear if anybody was able to get this tool to work: what settings did you use for it, or did you manage to extract the correct frequency from the audio file and then just upload it here or somewhere else, or did you just transcribe the Morse code? Because that's essentially what I did here. You can see quite a lot of stuff here, we have a dot dash dot dot dash dot; we can go and try to input these, which is basically what I did, testing out each word. Let's actually try that now: if we just go back to the home page here, this time we'll use an actual translator, and have a look at our image. So if we put in dash dot dash dot dash dash dash dash dot dash dot dash dash dash, you can see we've got that "CO", and then dot dot dash dot dot dash dot dash dot dot, and then dash dot dot, and you can basically keep going through in this fashion. Some of them were a little bit harder to read, but between this and the output of the decoder on here, you're able to get the full message, which translated to "I could listen to this on loop all day", and that was the flag. But yeah, if anybody solved that in a better way, rather than manually typing out that Morse code, I'd be interested to hear.

This challenge is called That's Not My Name. It's an easy forensics challenge and the description says: I think my data has been stolen, can you help me? So if we download the pcap file we can double-click on it or open it up in Wireshark from the terminal. The first thing I normally do here is go and have a look at the protocol hierarchy, maybe the file properties. Let's just jump into the protocol hierarchy first, and we can see that we've got some TLS data, so that's going to be encrypted; we've got some DNS data, which is a good chunk of the data that we've got; and we have this QUIC IETF data as well. I initially had a quick look at this because I wasn't too sure what that is and thought it might be of use; we can see some hex values here, although it looks like it's the same throughout. So if we jump back over to our protocol hierarchy again, which I've still got open here, let's have a look next at the DNS, because we've got quite a lot of DNS data there, nearly 40% of all the packets. If we do that and just widen this a bit so we can scroll through, you'll see that eventually we come to these DNS queries that have a long hex value at the end. We can drill down into this, or let's actually follow the UDP stream, and you can get a picture here of what's going on. We have this domain name ending in .xyz, and we're getting different subdomains which are all hex values, with different values on each query, and that's something which is going to be of interest for us to try and extract. What I'm going to do is get rid of this column, this HID data, that's for keyboard stuff, and let's see if there's anything we might want to have a look at here. I'm going to exit that stream, set this to DNS only, and we'll go down to some of this interesting data and basically see what's the data that we want to capture. So we've got some queries, and in here we have this name, which is what we want to see as a column, so I'm going to apply that as a column, and that means we can actually just see this value throughout as we're scrolling through. It also means you can quite easily see that the column we've just added is dns.query.name, so if we want to use tshark or something like that to extract that, or if we want to set dns.query.name equals something as our filter, that's an option. We also probably want to have a look at some other details here.

So we had a lot of DNS queries; let's go through this. First of all we'll go into tshark and just try to extract it as it is. So we want to run tshark, and the fields we want to extract are dns.query.name, which is that column we were just looking at, and we'll pass in the not-my-name pcap and just let it print out. You can see we've got a lot of whitespace here, and you probably saw there are some URLs going in there which aren't just the hex values, because this is including everything. We've got some legitimate domains here, blogspot and things like that, that we don't necessarily want to extract. If we go back to our pcap and have a look at the type of DNS query here, you'll see that this is actually mail exchange, which is 15, so let's apply that as a filter: dns.query.type == 15. If we scroll through now we've basically just got all of our hex values; or we've at least got, maybe not just all the hex values we're looking for, but all of the queries towards this interesting-looking domain ending with .xyz. So if we go back now and do the same thing, but say we only want to extract ones where dns.query.type is equal to 15, and run that again, that's looking a lot better.

What we could do here is save this to dns.txt or something. I'll open this up in Sublime and try to actually convert some of it. This domain is probably not going to be of interest to us, it's the same in every query, so we can go ahead and do find and replace (Ctrl+H) and replace it with nothing, and now we can go through and grab some of these values. We have these shorter ones which might be of interest; let's take those to a hex converter, paste them in and convert from hex. None of these values look of any interest at the moment, so let's try some of the longer ones. We'll take a copy of a few of these, paste them in, and here we actually start to get some recognisable text. We can see what looks to be an image; this is what you see in some images, IHDR, and this kind of Photoshop profile, and then we have some text here as well. Let's grab a bit more. This doesn't look of any interest, but we know that we want to try to decode more of this. The only thing we've probably noticed as well from the data that we've captured is that it repeats: we have two of the same values, another two the same, and another two the same, and basically we've extracted all the requests and the responses, so everything's going to be duplicated. So what we'll want to do is run this again, but this time set the source IP, so we can say -Y ip.src == and then grab the source IP here (or the destination IP, depending on which way you want to do it), and it's 3.24.188.205, four point one eight eight point two five. If we run that again, reload our document, and do the same find-and-replace to get rid of the domain, this time each of these values is unique.

Let's grab some values and check them out. You can see now we have this lorem ipsum, which is some filler text, so we know that we're decoding things properly, which is a good sign. You can also see we have this command here, "downunder co...". So what we'll do is look for any anomalies in the data, because obviously we've got a lot of data in the file and it's not going to be easy to just convert all of that and potentially extract the flag. One way we could do this would be to see what kind of repeating sequences we can remove. We've got these sequences of 209 characters, a hex value separated by a dot, separated by another dot, and we've got four of those. It could be one of these columns, so it might be that we only want to extract the first column, or the second, or the third or the fourth; the fourth actually looks good because it's a shorter sequence than the others, but let's try to remove all of these just out of interest to see what we're left with. So we could say that we want to get rid of lines which have 209 characters, and the characters are (we could say hexadecimal here, but let's just do word characters) and digits and dots as well. You can see my system is already struggling just to compute the regex, let alone process all of this. We'll also say newline as well; you can see that's matching up okay, we can go through and check that, and then we'll hit replace all. That's got rid of all those values. We also have these very short values, so you might want to remove those as well and see what we're left with. These are 18 characters each and we can do the same thing again, this time getting rid of 18; we're going to want to make sure (you can see that selected this line as well) that it begins with 18 characters and ends with a newline, hit replace all, and we've now got very few values left. Let's take these and throw them back into CyberChef, and you'll see we've got here DUCTF cat got your name. So in reality we could have got that flag by just looping through every line, converting it from hex and grepping for DUCTF, but using that technique of removing the sequences of repeating lines (obviously the data wasn't repeating, but we were looking for any kind of anomalous lines, with a different length or maybe different characters in there) narrows down where the flag is.

This challenge is called Want to Play a Game. It's a medium forensics challenge and the description says: my PC has been infected, I need help finding out what happened; I managed to get a memory dump, not sure if that can help you. Then we're told that in order to recover from this infection they need the following information: what is the name of the malware that affected my PC, what is the name of the persistence mechanism, and what folder did the infection originate from? We need to enter the flag in the following format, with the lowercase malware name, the persistence name and the originating folder name. So we've got a memory dump here which was password protected; I've already downloaded and extracted it and we're left with this jacobspc.raw. We'll check the file type first of all, and it's just data. There's a well-known tool for analysing memory dumps called Volatility. I'm just going to open up the HackTricks cheat sheet here and we'll go through a little bit of this. I've got Volatility 2 installed at the moment (volatility --version gives 2.6); there is Volatility 3 as well, but if you're going through this you can use the tabs to move between Volatility 2 and 3 on this cheat sheet. You can also go straight to the Volatility command reference, which has a lot more documentation, so sometimes you'll find some commands in there where you might want to find out what some of the specific options are, and there's quite a lot of commands which don't show up in the cheat sheet as well. I particularly used a lot of this documentation whenever I was working through developing custom profiles for challenges in the past, and it's definitely a lot more useful for the more complex cases. For this case, if I was working on this in a CTF, probably the best thing to do would be to use this Python AutoVolatility. You can download this and it'll basically allow you to run through all of the plugins, so all the various plugins that you see here will run and extract everything into separate folders, and it just means that you can work on other CTF challenges while this is automatically happening, and then you have all the outputs of all the different commands to look through, and you can quite easily grep the strings and search files and things like that.

Okay, with the introduction out of the way, let's see what we need to do. The first thing is going to be to find out what type of operating system the memory dump is from, so we need to find out what the profile is. You can see here we can get a list of supported profiles; what we want to do is find the image info, right here, "discover profile". Let me take a copy of this and run it with jacobspc.raw. Some of these can take a little while to run, so if you see this running very quickly on my system it's probably just that I've either sped things up or cut out some of the video so that you're not sitting through waiting. That took about two or three minutes to run; it came back and we can see that we've got our suggested profiles, the most likely being Windows 7 Service Pack 1 64-bit. We'll take a copy of that, and whenever we're running this again (oh, I shouldn't have taken that out, let me get rid of this imageinfo) we'll pass in the dump name jacobspc.raw and then specify the profile, which in this case is our Windows 7 one, and now we'll be able to just pass in some commands.

If we go back to our cheat sheet, you can find some depending on what we're looking for; this is quite good if you just know that you want to extract hashes, if the CTF challenge told us that we're looking for a hash or something like that, or that we're looking for specific processes, then this would be useful. What I'm going to do is jump over to the Volatility command reference and go through some of these. We've got quite a few options here for looking at processes; let's try some of these out. We've got the process list; let me zoom in a bit. Let's do pslist and we can scroll through some of the processes that are running to see if anything sticks out as being potentially malicious. I don't see any names there which are ringing any bells. Let's keep going through: we can use pstree; it will use the same technique as pslist, but it will also not show any hidden or unlinked processes. Okay, well let's see if the next one does. This one says it can find processes that previously terminated and are inactive, and processes that have been hidden or unlinked by a rootkit, so let's try psscan instead. Okay, we get nothing back. We can keep going through; I think there was one we missed, let's do pstree. Okay, still nothing particularly interesting. Let's go back and see what else we can do: we can use memmap, we can use procdump, so if we found a process that we were interested in we could dump that out from memory and have a look at the binary, which is something we'll maybe need to do later on as well. Let's go back to our HackTricks cheat sheet (making sure these are set to the right Volatility version); you can see here for Volatility 2 we can use netscan, we can use connections. Let's try those out. This is going to bring back all of our connections and we can see the binaries that are associated with them; again, not seeing anything particularly interesting. Let's try connections... okay, can't use that command; connscan, TCP connections, okay. Let's keep going through. We can look at our registry hives here; userassist, let's try that. The Windows system maintains a set of keys in the registry database, the UserAssist keys, to keep track of programs that are executed, so that might be interesting. You can see that's come back with quite a lot of results, but if we start scrolling through some of these and see what's actually been launched recently, you'll see we have this binary in the Sample Videos folder, which has this other folder name, and not suspicious.exe, which sounds interesting. So we might want to take a copy of some of this info, and I'm going to create a new file; we'll keep track of this because we might need to go and search for some of this stuff later.

In fact, let's have a look for our file options here, so we can scan the file system and dump files. Let's do filescan first of all; I think filescan is going to come back with quite a lot of results. Let's try it, and it looks like we've got our original binary name and our folder name from that as well, so that should be part of our flag, being this part here. Okay, so this is the filescan; it's coming back with all the files and basically the locations as well. If we wanted to extract some of these, you can extract them by name or path, but you can also extract by the offset. So if we were to do that and grep not suspicious, we'll get back this directory with this offset as well, which means if we go back here and we want to dump some of these files, we can pass in a dump directory and then specify the offset with -Q. So let's say we want to dumpfiles and the dump directory is just our current directory, and we want to extract with this -Q; let's copy this offset, and now we have these files. Let's have a look at the file types: these are both showing as executables. Let's go to VirusTotal and see what it's showing. We can choose a file to upload here; we could choose both and have a look at them both; let's choose the one that's slightly bigger, and it's flagged by 50 of 67 antivirus vendors as being malicious, and we can see here it's called BitcoinBlackmailer.exe. In terms of the actual detection you can see Jigsaw seems to be coming up quite a bit, which is a type of ransomware, and we can also see here the name dropbox.exe, so this might be something worth looking at on our image, to see if we have some other files around this or any activity with this file name which could be related to the malware. We could get a list of functions and things that are used, or DLLs which are used by it, which could help us track things down. We can have a look at the behaviour here; here are some registry keys which are set, so if we wanted to explore those registry keys we could do that again with our registry commands, so we can look at the hivelist, we can printkey. In fact, let's do that as well; let's do hivelist, you can see it's bringing up our list of registry hives, and again we could go ahead and extract these. We could do printkey; I think if we just don't pass in a parameter it'll run through them all; yeah, so you can see it's running through those. So for example you might have a registry key in the RunOnce or Run registry which is telling it to execute a certain binary, to make sure it has persistence whenever it's booting. Also, if you go into the community tab here, we can see that we have some comments from a scanner, so knowing that it's potentially Jigsaw ransomware could help us out in identifying some of the behaviour. We've already potentially got two out of three pieces of information here that we need, which were the lowercase malware name, which looks like it's jigsaw, and the original folder name, which was this folder right here. The only thing we would need is our persistence.

Let's go and have a look at what else we can check out here; we can look at command line and environment variables as well, so we can look using cmdline or consoles. Let's try that out; that's coming back with quite a few options. You can see here actually the dropbox.exe, so it looks like maybe this has just been added to Dropbox or it's been moved from Dropbox. Let's try the other one as well, which was the environment variables; we also have consoles as well. Here are the environment variables printing now; you can see there's a lot to go through, so you might want to just send that to a file and then we can grep for certain things. Let's send that to a file, and we could grep -i "not suspicious"; we could try to grep the folder name; nothing showing up there. So let's go and have a look specifically at the registry and look for these RunOnce keys to see where the persistence is. Again, we can print these all out, but what we probably want to do is search for a value, so we can use the -K value here to search for Software\Microsoft\Windows\CurrentVersion\Run; if there's something in Run or RunOnce that could be interesting. Let's try to run this again: hivelist... okay, printkey -k, no such option, because we're missing the t. So we run that and we find that in the NTUSER.DAT we have these two subkeys, one for Discord and one for Firefox. So actually at this stage what I did was look into some analysis of Jigsaw; if you search for Jigsaw ransomware analysis you can find a post which will describe some of the techniques it uses, for example the persistence techniques, and if we do that we'll find somewhere along the lines that the program appears to copy itself to the following location and disguise itself as a legitimate program. So we have updater, Roaming, Firefox and firefox, which is exactly where we have this Run key set, and we can see also that it launched a new process: it launches dropbox.exe as Jigsaw. Whenever I was solving this challenge, because we noticed the mention of Dropbox (not here, but somewhere else earlier we saw Dropbox mentioned with the not suspicious.exe), I did download the dropbox.exe and analyse that as well, and it basically came through with the same info. So the jigsaw.exe was copied over to dropbox.exe, and then this registry change was made, which you can see here, then the Run key was added for Firefox. So Firefox is also disguised, or rather the malware is also disguised as Firefox, which means if we go back to our CTF site and do DUCTF and then the flag is jigsaw, underscore, our persistence technique, which was firefox.exe, underscore, and then the originating folder name, which is right here, and if we submit that we'll get our flag.
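As an added example (my code, not the video's or the challenge author's), here is the That's Not My Name extraction scripted in Python instead of Sublime and CyberChef: it takes query names as printed by `tshark -T fields -e dns.qry.name` (that is Wireshark's actual spelling of the field) after filtering to one source IP and query type 15, reassembles the hex labels, drops the duplicated query/response names, decodes the chunks and isolates the odd-length ones the way the walkthrough strips the 209- and 18-character lines. The exfil domain, the flag string and the sample lines are constructed placeholders, not values from the capture.

```python
import re
from collections import Counter

# Placeholder domain; the real exfil domain from the capture is not reproduced here.
EXFIL_DOMAIN = "example-exfil.xyz"
HEX_LABEL = re.compile(r"^[0-9a-fA-F]+$")


def encode_query(data, domain=EXFIL_DOMAIN, label_len=60):
    """Build a query name the way a simple exfil client would: hex-encode the
    chunk and split it into dot-separated labels under the domain.
    Only used here to construct sample input."""
    hexdata = data.hex()
    labels = [hexdata[i:i + label_len] for i in range(0, len(hexdata), label_len)]
    return ".".join(labels + [domain])


def parse_query_names(lines, domain=EXFIL_DOMAIN):
    """Keep only hex-label queries under `domain`, join the labels, and drop
    duplicates (query and response carry the same name, which is what the
    ip.src filter in tshark removes)."""
    suffix = "." + domain
    seen, payloads = set(), []
    for line in lines:
        name = line.strip().rstrip(".")
        if not name.endswith(suffix):
            continue  # legitimate lookups (blogspot and friends)
        labels = name[:-len(suffix)].split(".")
        if not all(HEX_LABEL.match(lb) for lb in labels):
            continue  # a non-hex subdomain such as www
        hexdata = "".join(labels).lower()
        if hexdata in seen:
            continue
        seen.add(hexdata)
        payloads.append(hexdata)
    return payloads


def decode_payload(hexdata):
    """Hex-decode one reassembled chunk; odd-length or non-hex input yields b''."""
    try:
        return bytes.fromhex(hexdata)
    except ValueError:
        return b""


def anomalous_payloads(payloads):
    """Keep only chunks whose hex length occurs once in the stream. A bulk
    transfer is cut into fixed-size chunks, so the odd-sized ones are where a
    trailer or a stray flag ends up (the 209/18-character trick)."""
    counts = Counter(len(p) for p in payloads)
    return [p for p in payloads if counts[len(p)] == 1]


def find_flags(lines, pattern=r"DUCTF\{[^}]*\}"):
    """Brute-force path: decode every unique chunk in order and grep the result."""
    text = b"".join(decode_payload(p) for p in parse_query_names(lines))
    return [m.decode() for m in re.findall(pattern.encode(), text)]


# Constructed sample of `tshark -T fields -e dns.qry.name` output: a short
# control message, a long filler transfer with a flag at the end, every name
# seen twice (query + response), plus unrelated lookups.
_SECRET = b"Lorem ipsum dolor sit amet, consectetur adipiscing elit. " * 6
_SECRET += b"DUCTF{example_flag}\n"
SAMPLE_LINES = ["example.blogspot.com"]
for _chunk in [b"ack:01"] + [_SECRET[i:i + 100] for i in range(0, len(_SECRET), 100)]:
    SAMPLE_LINES += [encode_query(_chunk)] * 2
SAMPLE_LINES += ["www." + EXFIL_DOMAIN, "example.blogspot.com"]

if __name__ == "__main__":
    chunks = parse_query_names(SAMPLE_LINES)
    print(f"{len(chunks)} unique chunks; odd-sized ones:")
    for p in anomalous_payloads(chunks):
        print(" ", decode_payload(p))
    print("flags:", find_flags(SAMPLE_LINES))
```

On a real capture, feed the tshark output lines to `parse_query_names` and check `anomalous_payloads` first; fall back to `find_flags` when the flag is buried inside a regular-sized chunk.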
Info
Channel: CryptoCat
Views: 2,564
Keywords: downunderctf, ductf, ductf21 Down Under CTF, ctf, capture the flag, forensics, computer forensics, DFIR, volatility, wireshark, tshark, dns exfiltration, DNS, memory forensics, dump analysis, memdump, hacking, wargames, writeup, walkthrough, tutorial, infosec, exif, exiftool, spectrogram, stego, morse, hacktricks, vol.py, autovolatility, jigsaw, ransomware, persistence, registry, runonce, imagemagick, zbarimg, exploit, security, cyber-security, malware, cyberchef, pen-testing, hackathon, red team, offsec, blue team, oscp
Id: 23dH7NLuY24
Length: 39min 59sec (2399 seconds)
Published: Sun Sep 26 2021