Write-ups

Introduction This post is about an interesting forensic challenge that I solved during the StarHackademINT 2023 CTF. We were given a Quarantine folder coming from Windows Defender, and we had to find back the original filename on the internet. The structure of the given folder looks like this: Quarantine ├── Entries │ └── {80059732-0000-0000-6667-EF3396D235E7} ├── ResourceData │ └── 9F │ └── 9F598F562DDCFB69FA21A077BAD87F01A3F6258E └── Resources └── 9F └── 9F598F562DDCFB69FA21A077BAD87F01A3F6258E If we look on the internet, we can find some blog post that gives a lot of useful information on how to get the original files back....

Pwn La cohue Let’s perform a checksec on the binary: $ checksec la_cohue [*] './la_cohue' Arch: amd64-64-little RELRO: Full RELRO Stack: Canary found NX: NX enabled **PIE: No PIE (0x400000)** We can see that a canary is set, but no PIE. Looking at the decompiled code below, we can identify that: Once we have used option 1, we cannot use it anymore (no more user input, because of a boolean flag set to true) Once we have used option 2, we cannot use it anymore (no more user input, because of a boolean flag set to true) Our goal is to call the function canary() which is unreachable to get the flag....

Forensics kNock kNock The challenge is about a compromised .deb file. We just need to extract it: $ file MalPack.deb MalPack.deb: Debian binary package (format 2.0), with control.tar.xz, data compression xz $ ar x MalPack.deb We have a file named data.tar.xz, which contains a script with the flag: #!/bin/bash echo "PWNME{P4ck4g3_1s_g00d_ID}" Silver The file was an iso flashdrive. The challenge anme is “Silver” which is reference to ‣, a C2 written in go (good point, the challenge is about a C2)....

Cryptography Lightning Seeds We have this encryption script: #!/usr/bin/env python3 import random with open('flag.txt', 'r') as f: flag = f.read() seed = random.randint(0,999) random.seed(seed) encrypted = ''.join(f'{(ord(c) ^ random.randint(0,255)):02x}' for c in flag) with open('out.txt', 'w') as f: f.write(encrypted) # encrypted flag :4fcbac835550403f13c4cc337d8d8da48351921dfb7cd47d33857432c2ee665d821227 The problem here is the generation of the seed: only 1000 different values are possible. It will result in a weak encryption with only 1000 different keys:...

Geoint Les vacances au chateau We were given a castle image and we need to find its name. No data are inside the exif: $ exiftool FirstPart.png ExifTool Version Number : 11.88 File Name : FirstPart.png Directory : . File Size : 688 kB File Modification Date/Time : 2022:07:01 22:44:37+02:00 File Access Date/Time : 2022:07:01 23:26:07+02:00 File Inode Change Date/Time : 2022:07:01 23:28:22+02:00 File Permissions : rwxrwxrwx File Type : PNG File Type Extension : png MIME Type : image/png Image Width : 912 Image Height : 409 Bit Depth : 8 Gamma : 2....

Forensics Ransomware 1 We were given a big pcapng file. I struggled at the beggining because at first, I couldn’t see anything interessting: There are only ARP (0.1%) and TCP (99.9%) packet Every TCP packet have the same size There are only 2 IP and 2 mac addresses TCP packet does not contains any payload So I tried to look at the parameters of the TCP packet. Something caught my attention : there are way too much flags in the TCP packets!...

Forensics Pupeteer We have a bunch of log files. I tried to parse it using EvtxEcmd or Logviewplus but there was too much data. So I tried to focus on Powershell logs : Powershell Powershell Operational Powershell Admin (empty) In the powershell logs, there is nothing really interesting but a suspicious filename special_orders.ps1. In the Powershell Operational, we can find this suspicious script (regarding the variables name) :...