# UTECTF 2025

## Sensitive Data Leakage

![image](https://cdn.h26v.io.vn/1757852265182-364815ddf58114e6.png)

![image](https://cdn.h26v.io.vn/1757852328168-c681be40165a604e.png)

![image](https://hackmd.io/_uploads/BJpu52iqgx.png)

The `SendData()` function takes input:

+ `Data` -> `Base64` -> `RC4`, key is generated by the function `random_bytes_string()`
+ `Key` -> `Base64`

After that, both are sent to `http://tracuuxettuyen.hcmute.edu.vn/login`.

Based on this, let's go back and check whether the `POST` packets match what we just found.

```
http.request.method == POST
```

![image](https://cdn.h26v.io.vn/1757573863255-fecd24a403b6029f.png)

It seems that our previous analysis was spot on.

Now, let's extract `User-Agent` and `X-Api-Key` for further processing (I made this part a bit complicated since I tried filtering directly for those two objects but it didn't work).

```shell
tshark -r out.pcapng -Y 'http.request.method == "POST"' -V
```

![image](https://cdn.h26v.io.vn/1757573974830-b20c9a3006df324c.png)

Using this script to strip unnecessary parts:

![image](https://cdn.h26v.io.vn/1757574033796-f9714a83f8abef54.png)

At this point, the data is already quite clean, but there are still a few CRLF characters.
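To make the `SendData()` chain concrete, here is an added decoder (my own example, not the challenge author's script shown in the screenshots) that rebuilds the `Base64 -> RC4` / `Base64` scheme and inverts it for a list of captured headers. It assumes the RC4 output is Base64-wrapped for transport, that the data rides in `User-Agent` and the key in `X-Api-Key`, and it strips the trailing CRLF that `tshark -V` leaves on header values; the sample requests are constructed.

```python
import base64
import binascii

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). The same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def build_headers(data: bytes, key: bytes) -> dict:
    """Mirror SendData(): Data -> Base64 -> RC4, Key -> Base64.
    Assumed: the RC4 output is Base64-wrapped for transport, the data
    rides in User-Agent and the key in X-Api-Key."""
    return {
        "User-Agent": base64.b64encode(rc4(key, base64.b64encode(data))).decode(),
        "X-Api-Key": base64.b64encode(key).decode(),
    }

def recover(headers: dict) -> bytes:
    """Invert the chain for one POST; strip the CRLF tshark leaves on values."""
    key = base64.b64decode(headers["X-Api-Key"].strip())
    cipher = base64.b64decode(headers["User-Agent"].strip())
    return base64.b64decode(rc4(key, cipher), validate=True)

def recover_all(requests: list) -> list:
    """Decode every captured POST, skipping requests that are not exfil
    traffic (missing header, or a User-Agent that is not valid Base64)."""
    out = []
    for req in requests:
        try:
            out.append(recover(req))
        except (KeyError, binascii.Error, ValueError):
            continue
    return out

# Constructed sample: one exfil record plus one ordinary browser request,
# both carrying the trailing CRLF that tshark -V output leaves on values.
_DEMO_KEY = b"Rx7p2qLm"
SAMPLE_REQUESTS = [
    {h: v + "\r\n" for h, v in build_headers(b"host=DESKTOP-DEMO;user=demo", _DEMO_KEY).items()},
    {"User-Agent": "Mozilla/5.0 (Windows NT 10.0)\r\n"},
]
```

Feed `recover_all()` the header dicts you pull out of the cleaned tshark output; the ordinary browser request in the sample is skipped because it carries no `X-Api-Key`.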
After removing them, we end up with a neat list like this:

![image](https://cdn.h26v.io.vn/1757574048545-32ba6109ed23a840.png)

Running the script above to decrypt all the captured data:

![image](https://cdn.h26v.io.vn/1757574080570-8a70a3be58c04dcb.png)

![image](https://cdn.h26v.io.vn/1757574096196-b248429e62910d93.png)

**Flag:** UTECTF{ExF1lTr4t3_v1a_Us3r_4g3nT!!!!!Avetetsu82skakw}

<!--
---

## Security Breached Alert 1

![image](https://hackmd.io/_uploads/H1vXtni9le.png)

*Resolving...*

---
-->

## Security Breached Alert 2

![image](https://hackmd.io/_uploads/HkxWsfi9xg.png)

We were provided with **two evidence files** for this challenge:

![evidence](https://hackmd.io/_uploads/SJyqpesqll.png)

On the Desktop, we found a **`.docx` file with an unusual extension**, suggesting it might be encrypted. Opening the preview confirmed our suspicion:

![encrypted docx](https://hackmd.io/_uploads/By3T6xs9ll.png)

Inside the `AppData` folder, we discovered a **suspicious binary**. Running it through **DIE (Detect It Easy)** showed it was a **Python-compiled executable** — highly suspicious.

To trace its origin, we checked the PowerShell console history at:

```
C:\Users\raviel\AppData\Roaming\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
```

![console log](https://hackmd.io/_uploads/S1qFe-j9gx.png)

---

### Q1

```
http://LobotomyCorp.moon/interview_invitation
```

From the PowerShell history, we recognized a **ClickFix phishing technique** — a command designed to appear harmless at the beginning but appends a **malicious payload hidden far beyond the visible screen width** using tab autocompletion. The file `HRPolicy.docx` is used as a **decoy** to make the victim think they're opening a normal document, while the malware executes silently.
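A small triage helper for the `ConsoleHost_history.txt` checked above, added here as an example and not part of the original write-up or the challenge files. The flagged history line is constructed, and the heuristic (a run of 40+ spaces/tabs on a line longer than one terminal width) is an assumption about how the hidden part is pushed off screen; the `load_history()` path is the one from the write-up.

```python
import re

# Path from the write-up; only used when scanning a real evidence file.
HISTORY_PATH = r"C:\Users\raviel\AppData\Roaming\Windows\PowerShell\PSReadline\ConsoleHost_history.txt"

# Constructed sample: a benign line, a ClickFix-style line whose visible part
# opens the decoy and whose padded tail launches something else, and another benign line.
SAMPLE_HISTORY = [
    "Get-ChildItem C:\\Users\r\n",
    "Start-Process HRPolicy.docx" + " " * 300 + "; Start-Process C:\\Users\\demo\\AppData\\dropped.exe\r\n",
    "cd Documents\r\n",
]

PADDING = re.compile(r"[ \t]{40,}")  # assumed padding used to push the tail off screen

def suspicious_lines(lines, width=120):
    """Return the history lines that exceed one terminal width and hide
    further command text behind a long run of whitespace."""
    hits = []
    for n, raw in enumerate(lines, 1):
        line = raw.rstrip("\r\n")
        if len(line) <= width or not PADDING.search(line):
            continue
        visible, hidden = PADDING.split(line, maxsplit=1)
        hits.append({"line": n, "visible": visible, "hidden": hidden.strip()})
    return hits

def load_history(path=HISTORY_PATH):
    """Scan a real ConsoleHost_history.txt (PSReadline writes it as UTF-8)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return suspicious_lines(fh.readlines())
```

On the sample, only line 2 is reported, split into the part the victim saw (`Start-Process HRPolicy.docx`) and the part that was hidden.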
![clickfix](https://hackmd.io/_uploads/rydqiWiclx.png)

---

### Q2

```
C:\company\internal-secure\filedrive\HRPolicy.docx
```

We located the decoy file in a secure internal path:

![file view](https://hackmd.io/_uploads/HkEBRgj5gg.png)

![file meta](https://hackmd.io/_uploads/BkX3Axjqel.png)

---

#### Malware Analysis

We extracted and decompiled the Python-based binary using:

- [PyInstxtractor](https://pyinstxtractor-web.netlify.app/)
- [PyLingual](https://pylingual.io/)

![decompile](https://hackmd.io/_uploads/SypmJWi9gl.png)

---

#### Summary of Malware Capabilities:

- **Keylogger**: records keystrokes to a log file.
- **System recon**: collects system info (hostname, OS, CPU, GPU, IP).
- **Remote control via Telegram**:
  - Screenshot capture
  - Webcam capture
  - PowerShell command execution
  - File exfiltration (logs or arbitrary files)
- **AES encryption**: encrypts targeted files, sends `key` and `IV` to attacker via Telegram.
- **Persistence**: sets itself to run on startup via registry modification.
- **Cleanup**: can delete files or folders, send messages, etc.

---

#### Encryption logic

The function encrypts the target `filepath` with a **random AES key and IV** generated using:

```python
generate_random_key_iv()
```

These are then exfiltrated to the attacker via Telegram.

![encrypt func](https://hackmd.io/_uploads/S16eEWo5lx.png)

The `bot token` and `channel ID` are **hardcoded** in the malware:

![token](https://hackmd.io/_uploads/S1BE8Wsqel.png)

![channel](https://hackmd.io/_uploads/r1-Y8Wj9lg.png)

We dumped the Telegram channel to retrieve the AES key and IV:

![telegram dump](https://hackmd.io/_uploads/Sk3gvZs5xe.png)

Using them, we successfully decrypted `wu.docx.Ravi`:

![decrypted](https://hackmd.io/_uploads/HyzSD-o9lg.png)

![final doc](https://hackmd.io/_uploads/S1iLPWsqle.png)

---

### Q3

```
Cl1ckF1xPh1shIngTechn1qu3
```

This identifies the **attack technique** used — the ClickFix phishing method.
---

### Q4

```
RaviDeLycoris@Project.Moon:DayLaMatKhauManhHeHeDomaCrackDuoc?
```

Inside the dropped malware folder, we found a `Log.txt` file containing **keylogged credentials**:

![log.txt](https://hackmd.io/_uploads/SJOWuZjqgl.png)

---

### Q5

```
T1547.001
```

Putting everything together, we can reasonably conclude that the MITRE technique used is T1547.001.

(This was one part I really regret — instead of selecting .001, I skipped over GPT's advice... probably because I was panicking with only 3 minutes left 😅) #xinloiGPT

- **Tactic**: Persistence
- **Technique**: Boot or Logon Autostart Execution
- **Sub-technique**: Registry Run Keys / Startup Folder
- **ID**: `T1547.001`

![image](https://hackmd.io/_uploads/HkV99zj5xx.png)

![mitre](https://hackmd.io/_uploads/H13dOWs5gx.png)

---

### Final Flag

```
UTECTF{http://LobotomyCorp.moon/interview_invitation_C:\company\internal-secure\filedrive\HRPolicy.docx_Cl1ckF1xPh1shIngTechn1qu3_RaviDeLycoris@Project.Moon:DayLaMatKhauManhHeHeDomaCrackDuoc?_T1547.001}
```

W Ravi in the chat