ICMTC CTF 2024 Qualifications | All Forensics writeup

Mohamed Elmasry
11 min readJun 27, 2024

--

Hi People :D

This writeup ALL forensic challenges included in the Qualifications phase of ICMTC CTF 2024 (27 of 27).

let’s go :D

[*] A needle in a haystack

=================================

We were provided wit a PCAP file, so let’s open it in Wireshark and see what’s going on.

I consistently love to check the files within the PCAP and try to export them first, and fortunately, the solution was at this point :).

We can see all the files that were transferred using the FTP protocol within the PCAP from File > Export Objects > FTP-DATA.

There is a JPG image (pic.jpg), so let’s save it.

It’s just a regular image. In this situation, check the metadata of the image first before going to the next level (using Windows Properties or tools like exiftool). The camera model is recorded in the image metadata.

Flag: EGCERT{ip13}

[*] Hydra

=============

We were provided with the /etc and /var directories from the Linux system.

/etc
/var

As the challenge description states that the hacker installed a backdoor, it makes sense to check the cronjobs first, as the hacker would want the backdoor to always be active on the system.

We found a crontab named g33k that starts a service called legit.service and then runs the initial.sh script.

Let’s check the legit.service file first; it’s located in the /etc/systemd/system directory.

It executes a curl command to download a malicious bash script and save it to the /tmp/shell.sh file.

Let’s manually run this command to download the shell file. After downloading it, it appears to be encrypted.

Now, let’s examine initial.sh (located in /etc/init.d). It decrypts the script using OpenSSL's rsautl with an RSA key stored on the system.

We utilized the id_rsa.pem located in /.ssh to decrypt the previously downloaded shell. When executing the script, it resulted in a connection timeout error; however, we were able to identify the required IP address and port for the challenge.

Flag: EGCERT{41.35.61.53:52385}

[*] Prodigal

===============

We were provided wit a PCAP file, so let’s open it in Wireshark and see what’s going on. After some time, we received a hint that the flag consists of more than three parts.

Once again, we reviewed the files in the PCAP, attempting to export them first. We discovered the first part of the flag in a text file named Write_.txt within the HTTP data.

You can export it from File > Export Objects > HTTP.

We obtained the first part of the flag along with a Base64-encoded string.

After decoding this string, we got a URL.

The OneDrive link contains a PDF file named Your_.pdf (the second part of the flag). This PDF instructs us to search for Emilia Norton on Facebook.

Let’s head to this Facebook account :D. The latest post includes another OneDrive link.

It contains a ZIP file, so let’s download it.

It contains three image files that look great :D.

At this point, I launched my Kali virtual machine to dig deeper into these images.

I started with the steghide tool without a passphrase, and the first image yielded a text file named first.txt that contains the third part of the flag (Long_).

I repeated the process for the other two images. The second image yielded nothing, but the third image resulted in another text file called second.txt that contains the fourth part of the flag (Lost_) plus a pastebin link.

The pastebin link contains the final part of the flag encoded in Base64, so let’s decode it and concatenate all the parts.

The last part is Idea .

Flag: EGCERT{Write_Your_Long_Lost_Idea}

[*] 3xpl0t_Q1

==================

This is a chain of 7 challenges labeled from 3xpl0t_Q1 to 3xpl0t_Q7. Let’s begin from the start.

In this chain of challenges, we are provided with a ZIP file contains two files: audit.log and auth.log.

You can easily identify the attacker’s IP address from the auth.log, as the SSH session from his IP initiates an exploit on the system.

Flag: EGCERT{37.53.132.10}

[*] 3xpl0t_Q2

==================

Based on the previous question, we can see that they logged into the madoushi user.

Flag: EGCERT{madoushi}

[*] 3xpl0t_Q3

==================

We found this Base64-encoded string within the same file.

After decoding, it provides us with a hexadecimal string.

Decoding this hexadecimal string reveals the flag :D.

Flag: EGCERT{openssh_CVE-2023}

[*] 3xpl0t_Q4

==================

You can find the path in the image above.

Flag: EGCERT{/tmp/exploit.py}

[*] 3xpl0t_Q5

==================

3xpl0t_Q3 provided us with a hint (openssh_CVE-2023), prompting us to search for this CVE on Google. The first result, CVE-2023–38408, turned out to be the answer :D

Flag: EGCERT{CVE-2023–38408}

[*] 3xpl0t_Q6

==================

Since the attacker used Python to execute the exploit, it falls under T1059.006.

Flag: EGCERT{T1059.006}

[*] 3xpl0t_Q7

==================

In the audit.log file, you can search for session_open, which indicates a successful login attempt. Here, you’ll find two logins from suspicious IPs.

Flag: EGCERT{2}

[*] Syringe_Q1

==================

Another chain of 4 challenges labeled from Syringe_Q1 to Syringe_Q4. Let’s begin from the start.

In this chain of challenges, we are provided with a PCAP file (out.pcap).

The HTTP objects list reveals some SQL injection attempts on the server.

Examine any of these packets, and the source IP will be the attacker’s IP address.

Flag: EGCERT{165.1.1.2}

[*] Syringe_Q2

==================

You can see from the above challenge that all requests were made to search.php, indicating that this is our vulnerable script.

Flag: EGCERT{search.php}

[*] Syringe_Q3

==================

Follow any HTTP stream containing an SQLI request; the tool used is specified in the user agent.

Flag: EGCERT{sqlmap}

[*] Syringe_Q4

==================

One of the SQLI requests returns the table names of the database, revealing that user data is stored in the customers table.

Flag: EGCERT{customers}

[*] Triage_Q1

=================

Chain of 6 challenges labeled from Triage_Q1 to Triage_Q6.

In this chain, we are provided with a ZIP file contains some data.

Since we are searching for a malicious executable and have access to the Windows event logs, the first place to look is the Windows defender logs located at \Triage\C\Windows\System32\winevt\logs.

Windows Defender alerts to a virus in a process called Firefox.exe, which runs another executable (AutoPatch.exe).

Now that we know the name of the malicious process, we still need to obtain the PID. You can find this information in the Sysmon logs.

Flag: EGCERT{Firefox.exe:6172}

[*] Triage_Q2

=================

We are still in Sysmon logs, we searched for the parent process of Firefox.exe and found it in one of the events (explorer.exe).

Flag: EGCERT{explorer.exe}

[*] Triage_Q3

=================

Continuing with the Sysmon logs, by tracing the Firefox.exe process, we found that it runs AutoPatch.exe, which is the first part of the flag. This AutoPatch.exe then runs another executable called xJX.exe, which is the second part of the flag.

Flag: EGCERT{AutoPatch.exe:xJX.exe}

[*] Triage_Q4

=================

In Sysmon, we can trace the xJX.exe and AutoPatch.exe files to see if they run any cmd processes. In our case, xJX.exe runs a cmd with a specific command, and that is the flag.

Flag: EGCERT{cmd.exe /c "C:\Users\memsh\AppData\Local\Temp\3a5e6da9.bat"}

[*] Triage_Q5

=================

We already obtained it from the previous question :D.

Flag: EGCERT{ C:\Users\memsh\AppData\Local\Temp\xJX.exe}

[*] Triage_Q6

=================

The PCAP doesn’t contain any important files.

Since we’re searching for IP, let’s view all the IPs in the PCAP by going to Statistics > Endpoints.

There is no direct indicator for the C2 IP in the PCAP itself, so I scanned these IPs on VirusTotal and found one flagged as malicious.

Apply this IP and port as filter by right-click on it and select Apply as Filter > Selected

The source port can be retrieved from the initial packets, and this is the second part of the flag.

Flag: EGCERT{51.222.173.101:50256}

[*] Decoy_Q1

=================

The last chain of challenges labeled from Decoy_Q1 to Decoy_Q7.

In this chain, we are provided with a ZIP file contains some Windows data.

As we search for a process, the first place to examine is the Sysmon logs.

We found a mimikatz.exe process.

Flag: EGCERT{mimikatz.exe}

[*] Decoy_Q2

=================

In Sysmon, we can search for cmd.exe or powershell.exe to find the commands executed on the system (since the Windows PowerShell event log contains no significant information).

A command line was used to add a new registry key to achieve the target.

Flag: EGCERT{reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t reg_dword /d 0}

[*] Decoy_Q3

=================

The answer was the persistence technique known as Scheduled Task/Job (ID T1053).

Flag: EGCERT{T1053}

[*] Decoy_Q4

=================

From the Recycle Bin data, we found a suspicious PowerShell script named totheroots.ps1 which is the persistence script.

Flag: EGCERT{totheroots.ps1}

[*] Decoy_Q5

=================

The second file in the Recycle Bin contains a Base64-encoded string.

Decoding this string reveals a Powershell command that downloads a file named craaaack.zip

Flag: EGCERT{craaaack.zip}

[*] Decoy_Q6

=================

Since the challenge description mentioned that the file was renamed, I immediately proceeded to parse $LogFile or $MFT to retrieve the records of all files on the system.

I prefer to use the LogFileParser tool for parsing $LogFile. It has a GUI, and you only need to load the $LogFile into it.

Once the tool completes its work, you’ll find a lot of CSV files. The one we’re interested in is LogFile_FileNames.csv.

Search for All_is_Fine.txt, the record above it has the same MFT reference but a different name, indicating this was the original file name.

Flag: EGCERT{Hacked_Lab.txt}

[*] Decoy_Q7

=================

The file can be found in both $MFT and $LogFile, but you can also locate its name (along with all other files needed in the challenges) in the Recent directory of Windows, located at Decoy\C\Users\The_Lab\AppData\Roaming\Microsoft\Windows\Recent.

Flag: EGCERT{violent.txt}

At this point, we have reached the end of this write-up. I hope you found it enjoyable and useful ❤.

Facebook TwitterLinkedIn Discord

--

--

Mohamed Elmasry
Mohamed Elmasry

Written by Mohamed Elmasry

Digital Forensics Investigator | CTF player and creator | SOC Analysts | Threat Hunter

Responses (1)