SEC-T CTF: G1bs0n Writeup

Solved by sh1v and sherl0ck

First of all kudos to the admins for conducting such a great CTF. The challenges were really cool and we had loads of fun solving them.

Now getting to this particular challenge, we were given a 326 MB file, which when unpacked, amounted to about 1.1 GB. We were told to find the virus in the dump. Seeing the size of the file, we first scanned the file with volatility and sure enough –

imageinfo

We chose the ‘Win2008R2SP1x64’ profile and viewed the running processes at the time the dump was taken with volatility’s ‘pslist’ plugin .

pslist

Here we spent some time, without any luck, going through the processes and checking if any of them was malicious.  We also checked the ‘Command Prompt’ history for some malicious commands. We used Volatility’s ‘consoles’ plugin to do this, but again we found nothing. Finally, we got really frustrated and were try some other chall when we got the idea to search for .bat files (batch files). Using the ‘filescan’ plugin we found something that got our interest right back into the challenge.

hackbat

Notice that the third file found has a name hack.bat. This looked like a suspicious batch file and we decided to dump this file and inspect it’s contents using the dumpfiles plugin.

$volatility -f G1bs0n –profile=Win2008R2SP1x64 dumpfiles -Q 0x000000003eef7e20 -D ./dumps

Here are the contents of the file –

hackbat

Let’s focus only on the interesting parts of this file. We see that a zip file was expanded in the folder ” C:\T3MP\ ” and a powershell script (z.psl) was executed from the same folder. Also note that from the same folder, a registry key was added from run.reg and another batch file, run.bat was executed. We dumped the run.bat using the similar process as we did for hack.bat and found these as it’s contents –

REM “Hack the Planet!”
cmd /c “powershell -c C:\T3MP\run.ps1

So it’s basically executing a powershell script ‘ run.ps1 ‘. At this point we decided to check all files in the C:\T3MP folder.

t3mp

We dumped all three files using the dumpfiles plugin. Here are the contents of the file gibson.jpgp –

��UEsDBAoAAAAAAAmwGEvuaJWCPQAAAD0AAAAHAAAAcnVuLmJhdFJFTSAiSGFjayB0aGUgUGxhbmV0ISINCmNtZCAvYyAicG93ZXJzaGVsbCAtYyBDOlxUM01QXHJ1bi5wczFQSwMEFAAAAAgATKsYS7vO2B0OAgAAHhAAAAcAAABydW4ucHMxtVdtS8MwEP5e6H8IZVCEDV8Q/aIfZu1U8KWslSEIMl3QQWmlG+6LP950WZq0SZprOiFpk9zdk7tL8yQdvKdzdIm8OAwSsQbJhBShZ1cUsOWrWbvPU7eAYJjkriOiXI3j8OyU9aKY97m0icZHYUMcnT+blWvX7SogKbKmRRtKTwg5eJZEWT+KNcCqrJwcHZ/TcdaTR8q3Oot8SpUjKh/ModKWIgTIggFh6ok0r5sGmpba+ii0AKGwjFIpbe8nm9xF20SqEHhL2NTVgObLrxpiEWOTx9V7Xs6eqFHvVeaAL8M0xCrcAhK767CtzGsXNgVQtx2kbG0+ROq6cOrnNgcdGb+FUuUpOKdJHK+e1rzVWG0BpK3Gt9CV27n7NqS+tdkDn+r7dD44MqvtswwvymdX8ibivrzd1WUARKsjRn4FTMBOEQhHV8WOmKHsKFtCZrWCEc9OOOMGlnfYftSquRb/y0URzoR9+NZ1utAI4FpmseH60aHrmL0H3oW0Z9xw994PJ7mO+coBvYUwdy22E5AjPNcZZHhDfoG3f8KjAn+n8w+MfKLhD/03v5JvX1xeLhhReNUqUHyicqhViWIi/tWKyzCJAiIKs2K5xqPbfLXeKU3yAqObAuNMFNYUvZenZzSehigJpw93j+MkvPZ2hlO8cJ0gxfNiFP7gbH2ffyJvtswW+WaFonyDi/gLp6n3B1BLAwQUAAAACAD8qhxL+BzmnaYBAACmBgAABwAAAHJ1bi5yZWftlctOwlAQhv+1ie+APoAhUTcmLhBRUVADKF5qCKJiE2xJLVEWvrr6zVRRCAku1BVpzpnrmZl/eqZ9e20qVKQbxXrSo3Kq6VZdhfCpEg3RlLCGSLESpFPsCdYQOUJe14ryPIta8HWpPR1w5lwtFXVCvBrSoRpqIdVVQg6gse6UkrNNtFs0VSJ24GNiuw3deG0B8QZ44I82nagkIO4AeuVVLJMxxufeI3TJ18e7g9RWD+smK2AVtQENqG6VCo6dTywOqK7xTfGZhqyiI84WoC1VoUVsZXKWDBu2HSI20YP9R9hy1qGZCLMzPaRuppnAVYDrYBnYae/YCbvFqGRvdNSdtp0h+7Xni6wjSE/+jm/oSX78+ZcezEJ/DO15lBDLo2cZGiqkhxGynt1f70ZkN8D8rUNo+i7FU9AuW5XUm/ugS3BNldh3wdFwZAXXVtHWecxexrIHx+6+W25rwG1jM00Fat368qllPtmtmq/5+tP1u9Natqn0mYzYU/8zPKvv36PE9BbJZs2m2P8Yw8+pnPr9fdE+81WnnlXoms7gdqkq75qLbzPyDlBLAQI/AAoAAAAAAAmwGEvuaJWCPQAAAD0AAAAHACQAAAAAAAAAIAAAAAAAAABydW4uYmF0CgAgAAAAAAABABgAChiDmxMd0wGg+7yOPxnTAWY3uI4/GdMBUEsBAj8AFAAAAAgATKsYS7vO2B0OAgAAHhAAAAcAJAAAAAAAAAAgAAAAYgAAAHJ1bi5wczEKACAAAAAAAAEAGAAoC7/eDh3TAatdNRo+GdMBq101Gj4Z0wFQSwECPwAUAAAACAD8qhxL+BzmnaYBAACmBgAABwAkAAAAAAAAACAAAACVAgAAcnVuLnJlZwoAIAAAAAAAAQAYADT/dTAzINMB/g6BGD4Z0wH+DoEYPhnTAVBLBQYAAAAAAwADAAsBAABgBAAAAAA=

The data is clearly encoded in base64. We decrypted the data and saved it in a file. We just ran the file command on the file and surprise –

$ file out_file

out_file: Zip archive data, at least v1.0 to extract

It’s a zip file ! We unziped it and got 3 files – run.bat, run.ps1 and run.reg. The run.bat was the same as the one we got before. Here are the contents of run.ps1 –

runps1

We replicated the function of this script in python and got this –

mess

“Mess With The Best Die Like The Rest”. Hmm, nice quote but it does not really help us :). So we inspected the contents of the run.reg file. Towards the end of this file we saw something interesting –

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Security]
“Special”=”}JGS_3G4X_GH0_3Z”

Reversing the last part-

Z3_0HG_X4G3_SGJ}

Now this looks like the last part of the flag. All we have to do now is to find the first part ! Here we had to guess a bit. One thing we found in the beginning was that there was a user named plauge  and GIBSON$-

username

We decided to check the files associated with those two users with the filescan plugin. Checking plauge’s files we got this path that looked pretty interesting (due to leet speak :P) –

0x000000003fe14390 16 0 R–rwd \Device\HarddiskVolume2\Users\plauge\Desktop\g4rb4g3.txt

We dumped this file and got this –

“_X43EUC_3H64YC{GPRF”

Reversing this –

FRPG{CY46H3_CUE34X_

Concatenating this with the later part of the flag that we already got –

FRPG{CY46H3_CUE34X_Z3_0HG_X4G3_SGJ}

Decrypting this using rot-13 Caesar Cipher (the first 4 letters have to be SECT, from which we get the rotation factor as 13)

SECT{PL46U3_PHR34K_M3_0UT_K4T3_FTW}
Yes ! Finally the flag !:)
Cheers !
Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

w

Connecting to %s

Create a free website or blog at WordPress.com.

Up ↑

%d bloggers like this: