Zh3r0 CTF: Digital Forensics Writeups

badsud0
Jun 17, 2020


Hi all, I took part in Zh3r0 CTF with my team and we finished 7th; there were some really cool challenges. We solved all the digital forensics challenges, so here is a little writeup that tries to explain everything. Enjoy!

Challenge attachment link, if you are interested.

Note: please read every line, because it is necessary to understand what is going on and how I thought through the challenges!

Part 1:

Chall name: PreDestination

Chall description: MR.Zh3r0 is a mathematician who loves what he does, he loves music and of course he is really good with personal desktops but a really gullible person who could be phished or scammed easily! He had some bad colleagues in his office that led him to have some bad intentions towards them. One of his “HECKER” friends suggested to download some virus to destroy the data the other people have. As you would expect, this backfired. He has called the World’s best forensics experts to come to his rescue! We were fortunately able to get his PC’s image and some of the files in it. And we have a suspicion whether he only downloaded one malware or more than one. And we need answers to some questions that follow, this would be your first assignment! We found that his PC had some sort of problem with Time Zones even though he tries to reset it, it seems the malware is somehow able to edit the TimeZone to what it wants, which is the malware author's name. How could a malware edit the TimeZone information if it had Administrator Privilege to the system!?

So basically we are given some files pulled from the victim's PC, and we need to investigate the malware that is on it.

For this kind of challenge I use Autopsy, a really helpful tool (FTK Imager is a good choice too).

scanning the image with autopsy

I opened the image and, while it was still being scanned, there was already some really juicy information to notice in the Results section.

identifying the os

For this kind of challenge I like to find out the OS version and some information about it first, so I played around with the files and found this under the Operating System Information section: Windows XP Service Pack 1.

Now that we have an idea of which system we are dealing with, we can google the paths that may be useful in these challenges. In this first challenge we are asked for the name of the author that the malware has written into the TimeZone information, so we just have to spot where that information lives.

image showing the author name

So, going through the system files, we poke around until we stumble on TimeZoneInformation, and there we are greeted with the author name: Cicada3310. Note that TimeZoneInformation is not a plain file but a registry key in the SYSTEM hive (ControlSet00x\Control\TimeZoneInformation, where the active control set number is stored in SYSTEM\Select\Current); its StandardName and DaylightName string values carry the display name of the time zone, and that is where the name was written. This also answers the question in the description: the key lives under HKLM, which administrators are allowed to write to, so a malware running with administrator rights can simply overwrite those values (and the Bias values next to them) with whatever it likes.

flag : zh3r0{Cicada3310}
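As an added example (not code from this writeup or from the CTF), here is how I would pull the same key out of the SYSTEM hive with a script instead of clicking through Autopsy, decode the bias values, and use them to turn a registry LastWrite timestamp (always a UTC FILETIME) into the machine's local time. The point for this image: the names were tampered with, but any "local time" a tool shows you is computed from the Bias/ActiveTimeBias values right next to them, so check those before trusting a local timeline. Hive access goes through python-registry (an assumption, pip install python-registry); the decoding functions work on a plain dict, and the SAMPLE values below are constructed to mirror the challenge, not dumped from the image.

```python
"""Added example (not code from the writeup or the CTF): decode the
TimeZoneInformation key of an offline SYSTEM hive and use its bias to turn
registry LastWrite timestamps (UTC FILETIMEs) into the machine's local time.

Assumptions: hive access goes through python-registry ("pip install
python-registry"), which is optional here; the decoding functions work on a
plain {value_name: value} dict, so the constructed SAMPLE below runs without
a hive. Names and values in SAMPLE are made up to mirror the challenge."""
from datetime import datetime, timedelta, timezone

try:
    from Registry import Registry  # python-registry, assumed available for real hives
except ImportError:
    Registry = None

TZ_SUBKEY = "Control\\TimeZoneInformation"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME counts 100 ns ticks from here


def to_signed32(n):
    """REG_DWORD comes back unsigned; the Bias for UTC+1 is stored as 0xFFFFFFC4 (-60)."""
    n &= 0xFFFFFFFF
    return n - (1 << 32) if n & 0x80000000 else n


def current_control_set(reg):
    """An offline SYSTEM hive has no CurrentControlSet link; Select\\Current names the live one."""
    for v in reg.open("Select").values():
        if v.name() == "Current":
            return "ControlSet%03d" % v.value()
    raise KeyError("SYSTEM\\Select\\Current not found")


def read_tz_values(system_hive_path):
    """Raw {value_name: value} of the active control set's TimeZoneInformation key."""
    if Registry is None:
        raise RuntimeError("python-registry is required to read a real hive")
    reg = Registry.Registry(system_hive_path)
    key = reg.open(current_control_set(reg) + "\\" + TZ_SUBKEY)
    return {v.name(): v.value() for v in key.values()}


def decode_tz(values):
    """Bias/ActiveTimeBias are minutes to ADD to local time to reach UTC (UTC+2 is -120)."""
    bias = to_signed32(values.get("Bias", 0))
    active = to_signed32(values.get("ActiveTimeBias", bias))
    return {
        "standard_name": str(values.get("StandardName", "")).rstrip("\x00"),
        "daylight_name": str(values.get("DaylightName", "")).rstrip("\x00"),
        "bias_minutes": bias,
        "active_bias_minutes": active,
        "utc_offset": timedelta(minutes=-active),
    }


def filetime_to_utc(ft):
    """Registry key LastWrite times are 64-bit FILETIMEs and are always UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def lastwrite_local(ft, tz):
    """What a tool shows as 'local' depends entirely on the (possibly tampered) bias."""
    return filetime_to_utc(ft).astimezone(timezone(tz["utc_offset"]))


def name_indicators(tz):
    """Heuristic: genuine names look like 'Romance Standard Time' or '@tzres.dll,-NNN';
    anything else (such as an author's handle) deserves a second look."""
    hits = []
    for field in ("standard_name", "daylight_name"):
        name = tz[field]
        if name and "Time" not in name and not name.startswith("@tzres.dll"):
            hits.append("%s=%r is not a Windows time-zone display name" % (field, name))
    return hits


# Constructed sample: a UTC+1 zone in summer time whose names were overwritten.
SAMPLE = {
    "Bias": 0xFFFFFFC4,            # -60  -> standard time is UTC+1
    "ActiveTimeBias": 0xFFFFFF88,  # -120 -> DST in effect, local time is UTC+2
    "StandardName": "Cicada3310",
    "DaylightName": "Cicada3310",
}

if __name__ == "__main__":
    tz = decode_tz(SAMPLE)
    print(tz["standard_name"], tz["utc_offset"])
    for line in name_indicators(tz):
        print("  ", line)
    # The LastWrite time quoted later in this writeup, as a FILETIME computed from its UTC value.
    ft = 132366025820000000
    print(filetime_to_utc(ft).isoformat(), "->", lastwrite_local(ft, tz).isoformat())
```

To run it on the real evidence, point read_tz_values at the exported SYSTEM hive and feed the result to decode_tz; the rest is identical.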

Part 2 :

Chall name: Good Ol’ IE

Chall description: We haven’t found the trace of how the virus could have got into the system. There are several attack vectors that a malware could get into the system which you will need to find. Now the question is, find the most probable way the malware(s) could’ve got in and the flag would be the name of the source.

Using the same image, in this challenge we are asked to look for the various vectors the malware could have come in through.

The hint in the challenge asked us to re-read the first challenge description carefully and examine the events that occurred at that time. A little brainstorming gives us:

MR.Zh3r0 is a mathematician

he loves what he does (math) // how this man can live xD

he also loves music

he has some enemies in the company he works in

easy to phish

Rearranging these ideas, we get the picture that the victim received some kind of malicious email carrying the malware. But where did the malware originally come from? Thinking about phishing, the most common techniques are either sending a file or sending a malicious URL.

So my first idea was to start looking in the emails and reports that Autopsy grabbed for us (man, I love that tool). But after some time searching around I found out I was in a rabbit hole (one I dug myself).

While I was searching around in the reports and documents I was taking notes about what could be malicious, and this is where things get interesting on the side: when doing this kind of work, notes help, maybe not right now but later on.

image shows the last typed urls

After realizing I should redirect my thinking towards the browser, I checked what Autopsy had extracted and found an NTUSER.DAT file.

Info: an NTUSER.DAT file exists for every user on the system. It is that user's registry hive (what gets mounted as HKEY_CURRENT_USER when they log on) and holds their personal settings and data.

After some searching I found out that Internet Explorer saves some good info in this hive, so why not take a look. While browsing the hive I noticed a key called TypedURLs (Software\Microsoft\Internet Explorer\TypedURLs), which holds the addresses the user typed into the IE address bar. It was really worth checking, because Autopsy's Web History results gave only part of the picture, and in it we found a URL that looks really suspicious: http://w3.you-got-million-dollars-click-me.nr.hg.org.tech/ (please don't visit it, there's nothing there). We wrap the URL in the flag format and boom, we get the flag.

flag : zh3r0{http://w3.you-got-million-dollars-click-me.nr.hg.org.tech/}

Part 3 :

Chall name: UnRemovable

Chall description: Now that you have found out how the malware got in, the next question is to find what the malware’s name is, we have got a lead though, we found out that the virus wasn’t removable from the system even after a system. Although it hasn’t been identified at a particular location, something is triggering it to restart as soon as he logs in! How could this happen? If you find the reason or the method for the above mentioned phenomenon you will find the flag there as an obvious one.

Here, in this challenge, the power of notes shows; remember when I said to always take notes? Well, this challenge didn't take more than 30 seconds. Basically Autopsy gives you a Reports section that presents the recent activity on the PC, and after analysing it all (by analysing I mean opening it and reading it carefully, because it was pretty straightforward) we find some really good things.

image of the reports that autopsy extracted

Looking through all these files would take a while, so let's see whether something in them gives us a clue about the file.

image shows highlighted text which is suspicious

Scrolling down we read an “ahaha” in one of the files, so we open it and start digging around.

image of the report that we opened

While searching around we found an exe file that is obviously the thing, and boom, that's the flag. (Something that gets launched again at every logon is exactly what the user's Run key, Software\Microsoft\Windows\CurrentVersion\Run in NTUSER.DAT, is for, and these reports list it.)

flag : zh3r0{zh3r0ctfmalware.exe}

And the reason I solved it so fast is that I had already written it down as a note. That's why notes are important!

Part 4 :

Chall name: Soundless
Chall description: Good job in finding the flag! We have found traces of yet another malware! The information we have is that MR.Zh3r0’s music folder isn’t really a music folder, (i.e.) his music folder seems to trigger the virus software somehow whenever he clicks it! Now he can’t even open his default music folder to hear some good music! We have a certain idea that somehow the virus might be redirecting the clicks to a different location where the virus resides or the location of the music folder could be completely different! You can find the flag at the right place when you look, it will be obvious when you look at it!

So here the author tells us that the PC has yet another malware, so we need to find it. By this point we have to admit that the Reports section is the really useful tool here; it's a bit like monitoring traffic on the network (not exactly).

So this time we look at what the reports can give us.

Just by opening the first report, and after a little analysis, we find the flag.

image of the report ( the first one )

Reading this:

Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
LastWrite Time Sun Jun 14 10:03:02 2020 (UTC)

and noticing the exe file makes it clear. The Shell Folders key maps Explorer's special folders (My Music, My Documents, Desktop, ...) to their real paths, so pointing the music folder's entry at an executable means a click on the music folder ends up at that binary instead of at a directory, which is exactly what the description hints at. To be sure, you can google the exe name: it isn't a known process or a Microsoft one, so it's clearly the thing. We wrap it in the flag format and rock!

flag : zh3r0{C:\Users\zh3r0\Documents\Hades.exe}

Part 5 :

Chall name: Run Forrest Run
Chall description: Just like one other malware you found, we found traces of another malware which is able to start itself without user intervention, but this time we have no idea or info on when it starts or what triggers it, we only know that it runs automatically! If you have found out all the other flags then this one would be easy for you, this is a test of how much you know about forensics and where to look at properly!
hint — in case you weren’t able to note which is the malware name, it would be a name that is of the GOD

Name of a god, huh, that's big bro x).

So as the description says we need to find yet another malware (those guys have no mercy for this poor man, damn...). Remember I said the reports are now our primary tool? So why not check them again and see whether we missed anything.

Well, for the previous challenges we only used 2 reports that had such juicy data, and we didn't get the chance to finish them because we stumbled on a flag each time. So why not take another look at those 2 reports!

A god? An exe? Malware?

Well, with an execute entry right there, the file name confirms our hint! We have officially hunted down all three malwares.

flag : zh3r0{C:\windows\Program Files(x86)\Anubis.exe}
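Parts 2 to 5 all came down to a handful of NTUSER.DAT keys: TypedURLs for the phishing link, Run/RunOnce for the binaries that come back at every logon, and Shell Folders for the music folder that had been pointed at an executable. As an added example (not code from this writeup or from the CTF), here is a small triage script that dumps those keys from an exported NTUSER.DAT and flags the entries worth a second look: typed hosts with many labels or lure words, autostart binaries living in user-writable paths, and special folders whose target is a file rather than a directory. Hive access goes through python-registry (an assumption, pip install python-registry); the scoring functions take plain dicts, and the SAMPLE_* data is constructed to mirror the writeup, not dumped from the image.

```python
"""Added example (not code from the writeup or the CTF): triage the NTUSER.DAT
keys this writeup leaned on, TypedURLs (Part 2), Run/RunOnce (Parts 3 and 5)
and Shell Folders (Part 4), and flag the entries a reviewer should look at.

Assumptions: hive access goes through python-registry (optional); the
scoring functions take plain {value_name: value} dicts, and the SAMPLE_*
dicts below are constructed to mirror the writeup, not copied from the image."""
import re
from urllib.parse import urlparse

try:
    from Registry import Registry  # python-registry, only needed for real hives
except ImportError:
    Registry = None

KEYS = {
    "typed_urls": r"Software\Microsoft\Internet Explorer\TypedURLs",
    "run": r"Software\Microsoft\Windows\CurrentVersion\Run",
    "runonce": r"Software\Microsoft\Windows\CurrentVersion\RunOnce",
    "shell_folders": r"Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders",
    "user_shell_folders": r"Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders",
}
EXE_EXT = re.compile(r'\.(?:exe|scr|com|pif|bat|cmd|vbs|js|ps1|dll)(?=[\s"]|$)', re.I)
USER_WRITABLE = re.compile(r"\\(?:users|documents and settings|appdata|programdata|temp)\\", re.I)
LURE_WORDS = ("million", "dollar", "click", "free", "prize", "winner", "urgent", "verify", "login")


def dump_keys(ntuser_path):
    """{tag: {value_name: data}} for each key of interest; keys missing from the hive are skipped."""
    if Registry is None:
        raise RuntimeError("python-registry is required to read a real hive")
    reg = Registry.Registry(ntuser_path)
    out = {}
    for tag, path in KEYS.items():
        try:
            key = reg.open(path)
        except Registry.RegistryKeyNotFoundException:
            continue
        out[tag] = {v.name(): v.value() for v in key.values()}
    return out


def binary_of(cmd):
    """Program path inside a Run command: honour quotes, keep unquoted paths that contain spaces."""
    cmd = str(cmd).strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_EXT.search(cmd)
    return cmd[: m.end()] if m else (cmd.split()[0] if cmd else "")


def suspicious_urls(typed_urls):
    """TypedURLs stores url1..urlN (url1 is the most recent). Flag hosts with many
    labels or with lure words in them; both are typical of phishing links."""
    findings = []
    for name, url in sorted(typed_urls.items(), key=lambda kv: int(re.sub(r"\D", "", kv[0]) or 0)):
        host = (urlparse(str(url)).hostname or "").lower()
        words = host.replace("-", " ").replace(".", " ")
        reasons = []
        if host.count(".") >= 4:
            reasons.append("%d host labels" % (host.count(".") + 1))
        lures = [w for w in LURE_WORDS if w in words]
        if lures:
            reasons.append("lure words: " + ", ".join(lures))
        if reasons:
            findings.append((name, url, reasons))
    return findings


def autostart_entries(run_values, tag="run"):
    """Every value here is executed at logon; report the binary and whether it lives in a
    user-writable tree, which legitimate autostarts usually do not."""
    rows = []
    for name, cmd in run_values.items():
        exe = binary_of(cmd)
        rows.append({"key": tag, "value": name, "binary": exe,
                     "user_writable_path": bool(USER_WRITABLE.search(exe))})
    return rows


def redirected_shell_folders(shell_folders):
    """Shell Folders maps Explorer's special folders (My Music, Desktop, ...) to paths.
    A target with an executable extension is the 'music folder runs the malware' trick."""
    return [(folder, target, "target is an executable, not a directory")
            for folder, target in shell_folders.items() if EXE_EXT.search(str(target))]


# Constructed samples mirroring the writeup (not dumped from the challenge image).
SAMPLE_TYPED_URLS = {
    "url1": "http://w3.you-got-million-dollars-click-me.nr.hg.org.tech/",
    "url2": "http://www.microsoft.com/",
}
SAMPLE_RUN = {
    "OneDrive": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background',
    "Updater": r"C:\Users\zh3r0\AppData\Roaming\updater.exe",
}
SAMPLE_SHELL_FOLDERS = {
    "My Music": r"C:\Users\zh3r0\Documents\Hades.exe",
    "Desktop": r"C:\Users\zh3r0\Desktop",
}

if __name__ == "__main__":
    for name, url, why in suspicious_urls(SAMPLE_TYPED_URLS):
        print("TypedURLs", name, url, why)
    for row in autostart_entries(SAMPLE_RUN):
        print("Run", row)
    for folder, target, why in redirected_shell_folders(SAMPLE_SHELL_FOLDERS):
        print("Shell Folders", folder, "->", target, why)
```

With a real hive, dump_keys(path) returns the same shape of dicts the samples use, so each of the three checks can be fed its key directly (run the autostart check on both the Run and RunOnce dumps, and the folder check on both Shell Folders and User Shell Folders).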

I salute the author of these challenges; it was a really nice experience solving them, and thank you to the CTF organizers too!

for further contact :

ctftime

email : badreddine.contact@gmail.com

discord : Retr0#7958

Peace out !

