Nahamcon-CTF 2024 — Forensic (1)

Faishol Hakim
MII Cyber Security Consulting Services
4 min read · Jun 3, 2024
NahamCon CTF 2024

Last week, I participated in the NahamCon 2024 CTF, focusing specifically on the forensic challenges. These challenges are designed to test skills in digital investigation, where participants analyze data to uncover hidden details or solve complex problems.

Here are the steps I took to find the flags in these challenges. This write-up is both a personal record of my learning journey and a way to reflect on the methods and tools that were effective.

Breath of the Wild (easy)

Description:
I got a sweet desktop background for my favorite video game, but now I want more! Problem is, I forget where I downloaded it from… can you help me remember where I got this old one?

Here’s a backup of all my wallpapers. For security, I set the drive password to be videogames.

We are given a .7z archive named breath-of-the-wild.7z as evidence. Extracting it yields a single file of the same name with no extension. Let's look at its header bytes using xxd.

The file has the header of a VHDX disk image, so we rename it to breath-of-the-wild.vhdx. Windows mounts it normally, but the volume is password-locked, as the description said. Unlocking it with the password videogames reveals several images with random names.

Nothing stands out in the images themselves, so I open the vhdx file in Autopsy and look for anything unusual, such as deleted files. Checking file by file, one image's Zone.Identifier stream differs from the others:

https://www.gamewallpapers.com/wallpapers_slechte_compressie/01wallpapers/f&%23108;&%2397;&%23103;&%23123;&%2356;&%2351;&%23102;&%2350;&%2398;&%2348;&%2397;&%2356;&%2399;&%23101;&%2351;&%2357;&%23102;&%2350;&%23101;&%2353;&%2398;&%2397;&%2349;&%23100;&%2354;&%2399;&%2355;&%2348;&%23101;&%2357;&%2355;&%23102;&%2350;&%2357;&%2349;&%23101;&%23125

The URL looks suspicious: its path is a run of HTML numeric character references (with the # URL-encoded as %23). Decoding it as HTML entities in a tool like CyberChef yields the flag.

1337 Malware (easy)

Description:

We received a plea for help from a rather frustrated looking employee. He said he accidentally ran malware on his computer, but when he tried to pay the “leet hacker” to get his files back they said the malware was “broken”… best IT could do was provide us a PCAP.

Attachments: 1337-malware.pcapng

Let’s take a closer look at the pcap file using our preferred tools like Wireshark or Tshark. By examining the HTTP stream, we can spot the various files being transmitted, including one named rans.py.

rans.py stream

Here is the list of files sent over the stream:

Sending: /home/davey/Documents/resources.zip
Sending: /home/davey/Documents/ecorp.png
Sending: /home/davey/Documents/Welcome Aboard.pdf
Sending: /home/davey/Documents/.ssh/id_rsa
Sending: /home/davey/Documents/.ssh/id_rsa.pub

By inspecting the Python script, we can see that it exfiltrates the victim's files after XOR-ing them with a random 32-byte value.

rans.py

To break this encryption, we use a file whose contents we can predict as a guide to find the key, then unlock the other files with it. We focus on the id_rsa file, since its first 32 bytes are a predictable header that is the same in every OpenSSH private key file, which gives us the known plaintext we need.

We get the known plaintext by taking the first 32 bytes of an id_rsa file; I took mine from my local WSL install.

elend@elend:/mnt/e/chall/ctf/nahamcon24$ head -c 32 /home/elend/.ssh/id_rsa  | xxd -p
2d2d2d2d2d424547494e204f50454e5353482050524956415445204b45592d2d

XOR these 32 bytes with the first 32 bytes of the encrypted id_rsa from the captured traffic; the result, kept as a hex value, is the key. I used dcode.fr for this.

dcode.fr to retrieve key

Then we can dump the remaining files from the pcapng and XOR each of them with this key using a common tool such as CyberChef.
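To show the known-plaintext key recovery and decryption from the steps above in code, here is an added Python example; it is not the challenge's rans.py and not the tooling I used. It assumes the malware applies its random 32-byte key as a repeating XOR key across each file (which is what XOR-ing whole files with the key in CyberChef relies on) and uses small constructed sample files in place of the captured ones.

```python
import os
from itertools import cycle

# Known plaintext: the first 32 bytes of an OpenSSH private key file, the same
# bytes the write-up reads with `head -c 32 ~/.ssh/id_rsa | xxd -p`.
KNOWN_ID_RSA_PREFIX = bytes.fromhex(
    "2d2d2d2d2d424547494e204f50454e5353482050524956415445204b45592d2d"
)
KEY_LEN = 32


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR (assumed malware scheme); encrypts and decrypts alike."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Known-plaintext attack: C[i] ^ P[i] = K[i] for the first KEY_LEN bytes."""
    if len(ciphertext) < KEY_LEN or len(known_plaintext) < KEY_LEN:
        raise ValueError("need at least 32 bytes of ciphertext and known plaintext")
    return xor_with_key(ciphertext[:KEY_LEN], known_plaintext[:KEY_LEN])


def decrypt_capture(encrypted_files: dict, known_prefix: bytes = KNOWN_ID_RSA_PREFIX) -> dict:
    """Recover the key from the encrypted id_rsa, then decrypt every captured file."""
    key = recover_key(encrypted_files["id_rsa"], known_prefix)
    return {name: xor_with_key(blob, key) for name, blob in encrypted_files.items()}


def simulate_1337_malware(key=None) -> dict:
    """Constructed stand-in for the captured traffic: a fresh random 32-byte key
    applied to small sample files (not the real rans.py or the challenge data)."""
    key = key or os.urandom(KEY_LEN)
    victim_files = {
        "id_rsa": KNOWN_ID_RSA_PREFIX + b"\nb3BlbnNzaC1rZXktdjEAAAAA (constructed)\n",
        "flag.txt": b"flag{constructed_sample_flag_not_the_real_one}\n",
    }
    return {name: xor_with_key(data, key) for name, data in victim_files.items()}


if __name__ == "__main__":
    captured = simulate_1337_malware()
    recovered = decrypt_capture(captured)
    print("recovered key:", recover_key(captured["id_rsa"], KNOWN_ID_RSA_PREFIX).hex())
    print(recovered["flag.txt"].decode())
```

The same recovery works for any file whose first 32 bytes are predictable, such as a PNG or PDF header, which is why a single predictable file in the capture is enough to unlock the rest.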

Among the files we decode, we stumble upon Welcome Aboard.pdf. Inside, there are instructions on how to extract information from resources.zip.

Welcome Aboard.pdf

We unzip the resources.zip file and find flag.txt and welcome.txt, leading us to discover the hidden flag.

elend@elend:/mnt/e/chall/ctf/nahamcon24/1337-file/resources$ ls
flag.txt welcome.txt
elend@elend:/mnt/e/chall/ctf/nahamcon24/1337-file/resources$ cat flag.txt
flag{c95c4ff18b0eb88123de779051a7a24f}
