SEC-T CTF: G1bs0n Writeup

Solved by sh1v and sherl0ck

First of all kudos to the admins for conducting such a great CTF. The challenges were really cool and we had loads of fun solving them.

Now getting to this particular challenge, we were given a 326 MB file, which when unpacked, amounted to about 1.1 GB. We were told to find the virus in the dump. Seeing the size of the file, we first scanned the file with volatility and sure enough –

[image: volatility imageinfo output]

We chose the ‘Win2008R2SP1x64’ profile and viewed the processes that were running when the dump was taken with volatility’s ‘pslist’ plugin.

[image: volatility pslist output]

Here we spent some time, without any luck, going through the processes and checking whether any of them was malicious. We also checked the ‘Command Prompt’ history for malicious commands using Volatility’s ‘consoles’ plugin, but again we found nothing. Finally, we got really frustrated and were trying some other challenge when we got the idea to search for .bat files (batch files). Using the ‘filescan’ plugin we found something that got our interest right back into the challenge.

[image: filescan output for .bat files]

Notice that the third file found is named hack.bat. This looked like a suspicious batch file, so we decided to dump it and inspect its contents using the dumpfiles plugin.

$ volatility -f G1bs0n --profile=Win2008R2SP1x64 dumpfiles -Q 0x000000003eef7e20 -D ./dumps

Here are the contents of the file –

[image: hack.bat contents]

Let’s focus only on the interesting parts of this file. We see that a zip file was expanded into the folder "C:\T3MP\" and a powershell script (z.psl) was executed from the same folder. Also note that, from the same folder, a registry key was added from run.reg and another batch file, run.bat, was executed. We dumped run.bat using the same process as for hack.bat and found these as its contents –

REM "Hack the Planet!"
cmd /c "powershell -c C:\T3MP\run.ps1

So it’s basically executing a powershell script, run.ps1. At this point we decided to check all files in the C:\T3MP folder.

[image: filescan output for C:\T3MP]

We dumped all three files using the dumpfiles plugin. The contents of gibson.jpgp turned out to be a single long base64 string –


The data is clearly base64 encoded. We decoded it and saved the result to a file. Running the file command on it gave us a surprise –

$ file out_file

out_file: Zip archive data, at least v1.0 to extract

It’s a zip file! We unzipped it and got 3 files – run.bat, run.ps1 and run.reg. The run.bat was the same as the one we got before. Here are the contents of run.ps1 –

[image: run.ps1 contents]

We replicated what this script does in python and got this –

[image: output of the python script]

“Mess With The Best Die Like The Rest”. Hmm, nice quote, but it does not really help us :). So we inspected the contents of the run.reg file. Towards the end of this file we saw something interesting –

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Security]
"Special"="}JGS_3G4X_GH0_3Z"

Reversing the last part –

Z3_0HG_X4G3_SGJ}

Now this looks like the last part of the flag. All we have to do now is find the first part! Here we had to guess a bit. One thing we had found at the beginning was that there were two users, plauge and GIBSON$ –

[image: user list]

We decided to check the files associated with those two users using the filescan plugin. Checking plauge’s files we got this path, which looked pretty interesting (due to the leet speak :P) –

0x000000003fe14390 16 0 R--rwd \Device\HarddiskVolume2\Users\plauge\Desktop\g4rb4g3.txt

We dumped this file and got this –

"_X43EUC_3H64YC{GPRF"

Reversing this –

FRPG{CY46H3_CUE34X_

Concatenating this with the later part of the flag that we already had –

FRPG{CY46H3_CUE34X_Z3_0HG_X4G3_SGJ}

Decrypting this with a rot-13 Caesar cipher (the first four letters have to be SECT, and FRPG is SECT shifted by 13, which gives us the rotation factor) –

SECT{PL46U3_PHR34K_M3_0UT_K4T3_FTW}
Yes! Finally the flag! :)
Cheers!
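The last few steps (pull the Special value out of run.reg, reverse both fragments, derive the Caesar shift from the known SECT prefix and decode) as a small python script. This is an added example written for this writeup, not the team's original script; the .reg tail and the g4rb4g3.txt string are constructed copies of what is shown above, and the shift is derived rather than hard-coded so the same routine works for any flag prefix.

```python
import re

# Constructed copies of the fragments recovered above.
RUN_REG_TAIL = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Security]
"Special"="}JGS_3G4X_GH0_3Z"
'''
G4RB4G3_TXT = "_X43EUC_3H64YC{GPRF"
FLAG_PREFIX = "SECT"  # known plaintext: the CTF's flag format


def reg_value(reg_text: str, name: str) -> str:
    """Pull a string (REG_SZ) value out of .reg text by value name."""
    m = re.search(r'^"%s"="([^"]*)"' % re.escape(name), reg_text, re.M)
    if m is None:
        raise KeyError(name)
    return m.group(1)


def caesar(text: str, shift: int) -> str:
    """Shift letters only; digits, braces and underscores pass through."""
    out = []
    for c in text:
        if c.isupper():
            out.append(chr((ord(c) - 65 + shift) % 26 + 65))
        elif c.islower():
            out.append(chr((ord(c) - 97 + shift) % 26 + 97))
        else:
            out.append(c)
    return "".join(out)


def shift_from_known_prefix(cipher: str, prefix: str) -> int:
    """Derive the shift mapping cipher[:len(prefix)] onto prefix, and check
    that one shift explains every letter (otherwise it is not a Caesar)."""
    shifts = {(ord(p) - ord(c)) % 26 for c, p in zip(cipher, prefix)}
    if len(shifts) != 1:
        raise ValueError("prefix is not a single-shift Caesar match")
    return shifts.pop()


def recover_flag(reg_text=RUN_REG_TAIL, txt=G4RB4G3_TXT, prefix=FLAG_PREFIX):
    first = txt[::-1]                              # FRPG{CY46H3_CUE34X_
    second = reg_value(reg_text, "Special")[::-1]  # Z3_0HG_X4G3_SGJ}
    cipher = first + second
    return caesar(cipher, shift_from_known_prefix(cipher, prefix))


if __name__ == "__main__":
    print(recover_flag())  # SECT{PL46U3_PHR34K_M3_0UT_K4T3_FTW}
```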
