Forensics Challenges - HTB x Synack RedTeamFive Capture The Flag (CTF) 2021

Captions
In this video we're going to take a look at some of the forensics challenges from the Synack Hack The Box Red Team Five CTF, which is running this weekend. As with the previous videos, we'll do them in order of the number of solves, so we'll start off with Sneaky, where the description says: "Agent 50 delivered a network capture from an enemy base. Can you find out the password that the enemy lieutenant used to sign in?" The flag is in the format of HTB with the password in curly braces. I've already got the file downloaded. It is a pcap file, which I'm going to open up in Wireshark, although you could do this in tshark as well. When we open this up, we've not got too much data to look at here. Normally I would go and have a look at the protocol hierarchy and the file properties, but let's just go and have a look. We've got a GET request here to private login, so we'll follow the HTTP stream, and we can see this is a login form, but this is a GET request, so we don't actually have any data in that. Let's scroll down: we can see we've got a POST request here, so let's follow that instead. Following the POST request, we'll see that the password here for the administrator is not an easy password to guess, so basically we just need to wrap that up in the flag format and submit it.

The next challenge is called Top Secret, and the description says: "Our internal servers containing our top secret documents got compromised. Locate the file that was stolen and calculate the MD5 sum." So we need to submit this as HTB with the MD5 sum of the file in the curly braces. Again we have a pcap file to download, so I'm just going to open it up. This time we do have a good bit more data here, so let's go and have a look. First of all we can have a look at the file properties: we can see there are 132 packets in here and it ran for about a minute. If we go into the protocol hierarchy we can see what kind of data we've got here. We've got FTP data, so there might be some FTP files that we can extract. We know that we need to try and find the file. TFTP? No. So we need to find this ourselves. Let me go back to the protocol hierarchy and let's select this as a filter, just so we're looking at the FTP stuff, and we can see here then we've got this top secret PDF. Let's select that and clear the filter, so we have the top secret PDF; let's see where the actual data is. FTP data, that looks good. Let's follow this as a TCP stream. You can see we've got the PDF file header at the top, so that's looking good. Let's set this to raw and save as. Let's call it top secret; in fact, let me call it something else just so it's easier: I'm going to call it a.pdf, very original. Let's go back, exit this and do md5sum: `md5sum a.pdf`, and we get back our hash, so we just need to submit this in the flag format.

The next challenge we can take a look at is called Phishing Impossible, and the description says: "The team IMF SOC caught a wave of malicious emails coming in to try and phish our leadership. It seems like they're trying tricks in PDF straight out of 2018. It seems like most of the users have updated their PDF readers so the document didn't execute. We're cleaning up the computers for the people who did open the doc; all that's left is to dig into the attachment and find out what it was trying to do. Take a look and see if you can find the flag." So we have a file to download. It is a PDF file, so let's confirm that here: we've got PDF document, version 1.1. If you just type pdf here and hit tab a couple of times, you'll see that we've got quite a few tools available on Parrot or Kali by default. We can try and run pdfid, for example, and try and get some information about it. You can see we've actually got one embedded file here, which is interesting. We can have a look. Let's do pdfinfo; I forget what a lot of these things do, so I just kind of run through them each time. Let's do pdf-parser, and we can see in this case... well, we should have actually probably looked at the document as well. Let's open it up. We open it up and we see the text on there saying this PDF document embeds the file "secret info settings". Okay, so we can see that here as well. So let me type pdf and hit tab again: we've got pdfdetach. If we run that, it says that we can list all embedded files using the list parameter, so let's do list on Phishing Impossible. You can see we've got one embedded file, and we can save all, or we can save the file with a file name, so let's just save number one. Now we've got the secret info settings; let's print that out. We print it out and we can see that we've got some kind of command here, so cmd.exe, and kind of like a PowerShell command as well. We could take a copy of this. You can see here powershell.exe is being run with... -nop... I forget what the... oh, it's NoProfile; NoProfile, hidden, and then we have the actual PowerShell command. Quite often whenever I'm doing these challenges I would open up my Windows VM, the Commando VM, but I've been having some problems with my microphone kind of lagging out a bit and I don't really want to launch a second VM. Another thing you can do is go to something like tio.run, which will allow you to run various different languages. You can go and pick a language here, so if we were to search PowerShell in here, select it, and then just enter in our code and try to run it. I guess we want to print out what this is going to turn into, but in this case we don't really need to do that. Let me go back here. Let's just open this up in Sublime and we can kind of just go through this. So, let me find and replace, and we'll replace a semicolon with a new line; replace all. Okay, there we go, just to make it a little bit easier to read. We can see here the flag starts with this HTB, this message, and then it's going to add flag plus message, will self, and then we just have the final part, so it's quite easy to do that one manually.

The final forensics challenge is called Endurance Run, and the description says: "A bunch of phishing emails have been giving us a run and slipping past the defenses recently, and now the CEO says his machine is acting weird. We told him to just reboot, but he says it isn't fixing it. Here's a copy of the NTUSER.DAT file from his machine; take a look and see what you can find." So I've downloaded that file already. Let's just verify that it is what we expect it to be: it's a Windows registry file. This is the NTUSER.DAT that you would have for each user profile on Windows, and we can use some different tools here to look at this. Let me just search "reg" and hit tab; you can see we've got quite a few different tools here. Do we have regshell? Yeah, regshell is one of them, which I haven't used in a while. Okay, I'll not use it with this one then. Let's use RegRipper, which normally seems to work pretty well for me. It gives us a nice graphical user interface and we can load in different registry files, so if we have the SYSTEM or SAM hive or something as well, we can insert that here. Okay, so load this here; we want a report file, we'll just set that here as well, say new.txt, and then the plugin file, ntuser -all. We'll hit rip and let it run through. Okay, and let's just try and open up the... oops, new.txt, and here we can then go and start having a look through some of the registry keys. Do we have a lot here? Looks like we do have quite a lot. Okay, I'm just going to kind of scroll through and see if anything stands out. Do we have an HTB? Oh, we do. Okay, so we've got HTB here. It's another PowerShell command; you can see "OneDrive update". Okay, well, there's a PowerShell command in here. Again, this is something we could go and try and run on that tio.run that we tried on the last occasion. What I'm going to do again is just copy this over and see if we can make this a bit easier to read. In this case we have these ands (&&), so I'm going to replace the ands... where's Ctrl+H? Okay, Ctrl+H to get the find and replace up in Sublime, and then we'll change && to new line, and that makes it easy to read. So we've just got these sets which are happening in each occasion. I guess we could also do that with a semicolon as well, and I think for these double percentages at the end, let's change those to be a plus, because you can see that that's adding these all together at the end. So we could go and try and run this to put this together. You can see here we've got our set flag though, so set flag to HTB and... okay, we messed that up slightly. So there's a couple of ways we could do this. Whenever I did this initially I kind of went through the whole thing, so you can go through the whole thing and say, all right, "power", and then the "ie" is "shell"; we can put together that full command. Or we know that we're looking for the flag, so the flag... actually, I just did the replace too many times there, but this opu is where set flag is set, so really we can start from opu, say opu is equal to this bit, and then the azs is equal to this bit, and then lts, and we can just kind of keep building it this way until we have the whole thing. I think I might have missed a bit there, but anyway, if we were to do the whole thing, let me just copy and paste it from my notes earlier to go through and just add all these together, which really we should just go and do in PowerShell, but if you're doing it manually this is what you'll come out with, and there's our flag. That'll wrap it up for the forensics challenges; a nice quick video compared to the other ones anyway. I hope you've enjoyed it. Any questions or comments, or anything you did differently you want to let me know, leave a comment below. Thanks!
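The manual "replace && with a newline, replace %% with +, then stitch the set variables together" step from the Endurance Run challenge (and the same flag-by-concatenation idea from Phishing Impossible) can be automated. The script below is an added example, not code from the video or the CTF; the obfuscated command it parses is constructed here with invented variable names and values in the same style (a chain of `set` statements joined by `&&`, with the real command and the flag rebuilt from `%var%` references).

```python
import re

# Constructed sample in the style of the Endurance Run persistence command.
# Variable names and values are invented for this example, not the CTF's.
SAMPLE = (
    "set opu=HTB{&&set azs=c0nc4t&&set lts=_obf&&set hry=usc4t10n}"
    "&&set pw=power&&set ie=shell&&set ar= -nop -w hidden -c "
    "&&set flag=%opu%%azs%%lts%%hry%"
    "&&%pw%%ie%%ar%\"Write-Host %flag%\""
)

SET_RE = re.compile(r"^\s*set\s+([A-Za-z0-9_]+)=(.*)$", re.IGNORECASE)
REF_RE = re.compile(r"%([A-Za-z0-9_]+)%")


def parse_sets(command):
    """Split a &&-joined chain into {name: raw_value} plus the remaining
    non-set segments (the part that actually runs), in order."""
    sets, rest = {}, []
    for seg in command.split("&&"):
        m = SET_RE.match(seg)
        if m:
            sets[m.group(1).lower()] = m.group(2)
        else:
            rest.append(seg.strip())
    return sets, rest


def expand(text, sets, _depth=0):
    """Replace every %name% with its (recursively expanded) value.
    Unknown names are left untouched, as cmd.exe does; the depth limit
    stops a self-referencing variable from looping forever."""
    if _depth > 32:
        raise ValueError("variable reference too deep (cycle?)")

    def sub(m):
        name = m.group(1).lower()
        return expand(sets[name], sets, _depth + 1) if name in sets else m.group(0)

    return REF_RE.sub(sub, text)


def deobfuscate(command):
    """Return ({var: resolved_value}, [resolved non-set segments])."""
    sets, rest = parse_sets(command)
    return {k: expand(v, sets) for k, v in sets.items()}, [expand(s, sets) for s in rest]


if __name__ == "__main__":
    values, segments = deobfuscate(SAMPLE)
    print("flag :", values.get("flag"))
    for s in segments:
        print("exec :", s)
```

The script resolves references statically and does not emulate cmd.exe's parse-time expansion rules, so it recovers the intended strings even where the one-liner would need delayed expansion to run as written.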
Info
Channel: CryptoCat
Views: 1,267
Keywords: HackTheBox, Hack The Box, Synack, Synacktive, RedTeamFive, Capture The Flag, CTF, wireshark, traffic analysis, forensics, pdf-parser, obfuscation, malware, malware analysis, powershell, regripper, ntuser.dat, regshell, registry, DFIR, phishing, incident response, macro, writeup, walkthrough, redteam, blueteam, cyberchef, john hammond, liveoverflow, synack, synactive, redteamfive, sublime, hidden files, deobfuscate, static analysis, dynamic analysis, file recovery, hacking, hackathon, xor, htb, HackTheBoxEu, SRT, kali
Id: uMRWia992IQ
Length: 11min 20sec (680 seconds)
Published: Wed Nov 10 2021