# USC 2024 CTF

Writeup for the USC 2024 Challenge. I participated as "Rev" in the competition.

| Name | Category | Solved? |
|:------------------:|:--------:|:-------:|
| pineapple | Forensic | ✅ |
| Computer has virus | Forensic | ✅ |
| think_twice | Forensic | ✅ |
| TommyCam | OSINT | ✅ |
| beer sales | OSINT | ✅ |

# Forensic

## pineapple [300 Pts]

**Category:** Forensics

**Solves:** -

### Description

> Our covert pineapples intercepted this traffic from people at the convention. Try to find out what was sent.
>
> The flag for this challenge will appear in the CYBORG{} flag format.

### Solution

Based on the description, we can try to figure out what was sent by following the `stream` of each protocol in the capture.

![image](https://hackmd.io/_uploads/B1TMlDgQJx.png)

We found something useful in this stream, namely:

`username=jbarker&filename=hoolicon&filepw=conjoined_TRIANGLES`

Apparently there is a file called `hoolicon` somewhere inside this `pcapng` file, and `filepw` looks like the password for it. We can try to dump all the media/files inside this `pcapng` file. After dumping all the files, we found the one we're looking for under the name `plans (1)`.

![image](https://hackmd.io/_uploads/SkjQePl7Jx.png)

Change the file extension to `.7z`, extract the archive with `conjoined_TRIANGLES` as the password, and you get the flag.

#### Flag

`CYBORG{pe4cefaRe_4x09}`

## Computer Has Virus [300 Pts]

**Category:** Forensics

**Solves:** -

### Description

> Help! I just fell victim to a phishing attack! I have attached the email they sent me. See if you can recover their secrets!

### Solution

If we open the `URGENT.eml` file, we find that there is an attachment named `antivirus.exe`. We can extract the attachment from the `.eml` file using `munpack`. After getting `antivirus.exe`, we can examine the file using `strings` and find something interesting:

```
!This program cannot be run in DOS mode.
JU$g
.text
`.rsrc
@.reloc
*b(!
*B(,
Yh}
1P
os
1&
os
$compressed = 'H4sIAAAAAAAA/1TNQWvyQBDG8Xs+xRgCrx4SFW+B8EJFtIcSMA1SSglxHZOlyW66+6xtEL97iVhpr8P8n19wbMqKEvKXLw/pdn3OFsKZOfoCtZm5qi7Svb1d5rZQMxSnhekLO7wtRhffC1gJSug16y24jXa8jzZAl0M2Ev1bHOemWSmhDzy+WhPyApSmYuSmGeAa6OLp1FkhcOSvo2xgSkitIqHb6f3A/4c6GTifPJiezh4RUWDYdlpZpoQe1Um/c7jj/ZY/HFtQmBtJv7zwiVHrA61Xz9d6ZyQ4TB06B/J/pmIKxvfdKEMJZ5f6wBOfvAuJEqK+6X/7fEPpZkSZbhm1VNU/S59Gq2o0dN53AAAA//+hRs8SawEAAA==';
$bytes = [System.Convert]::FromBase64String($compressed);
$stream = New-Object IO.MemoryStream(, $bytes);
$decompressed = New-Object IO.Compression.GzipStream($stream, [IO.Compression.CompressionMode]::Decompress);
$reader = New-Object IO.StreamReader($decompressed);
$obfuscated = $reader.ReadToEnd();
Invoke-Expression $obfuscated
BSJB
v4.0.30319
```

The `$compressed` variable holds a base64 string. The script base64-decodes it, gunzips the result (the `H4sI` prefix is the base64 encoding of the gzip magic bytes `1f 8b 08`), and passes the decoded text straight to `Invoke-Expression`. Let's replay the base64 and gunzip steps on CyberChef and see what we can find.

![image](https://hackmd.io/_uploads/Byc3bDxXyl.png)

#### Flag

`CYBORG{S3cur1ty_thr0ugh_Obscur1ty_1s_n0t_v3ry_s3cur3!}`

## think_twice [300 Pts]

**Category:** Forensics

**Solves:** -

### Description

> Think twice before you drive to the EXIT(F)!!!
>
> Note: the flag format for this challenge is Cyb0rg{}, with a zero as the 0

### Solution

Image:

Based on the title of the image file, we can try to check the image metadata by using `exiftool`:

```
┌──(rev㉿Prm)-[/mnt/c/Users/Indop/OneDrive/Documents/CTF/USC/2024/foren/think_twice]
└─$ exiftool metadata.png
ExifTool Version Number         : 12.76
File Name                       : metadata.png
Directory                       : .
File Size                       : 400 kB
File Modification Date/Time     : 2024:11:03 16:04:46+07:00
File Access Date/Time           : 2024:11:03 16:41:57+07:00
File Inode Change Date/Time     : 2024:11:03 16:05:59+07:00
File Permissions                : -rwxrwxrwx
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
Exif Byte Order                 : Big-endian (Motorola, MM)
Orientation                     : Horizontal (normal)
X Resolution                    : 144
Y Resolution                    : 144
Resolution Unit                 : inches
Software                        : UTNsaU1ISm5lMDFqUTJGeWRHaDVmU0E9
User Comment                    : Screenshot
Exif Image Width                : 1014
Exif Image Height               : 1162
Profile CMM Type                : Apple Computer Inc.
Profile Version                 : 2.1.0
Profile Class                   : Display Device Profile
Color Space Data                : RGB
Profile Connection Space        : XYZ
Profile Date Time               : 2024:03:29 00:41:41
Profile File Signature          : acsp
Primary Platform                : Apple Computer Inc.
CMM Flags                       : Not Embedded, Independent
Device Manufacturer             : Apple Computer Inc.
Device Model                    :
Device Attributes               : Reflective, Glossy, Positive, Color
Rendering Intent                : Perceptual
Connection Space Illuminant     : 0.9642 1 0.82491
Profile Creator                 : Apple Computer Inc.
Profile ID                      : 0
Profile Description             : Display
Profile Description ML (hr-HR)  : LCD u boji
Profile Description ML (ko-KR)  : 컬러 LCD
Profile Description ML (nb-NO)  : Farge-LCD
Profile Description ML (hu-HU)  : Színes LCD
Profile Description ML (cs-CZ)  : Barevný LCD
Profile Description ML (da-DK)  : LCD-farveskærm
Profile Description ML (nl-NL)  : Kleuren-LCD
Profile Description ML (fi-FI)  : Väri-LCD
Profile Description ML (it-IT)  : LCD a colori
Profile Description ML (es-ES)  : LCD a color
Profile Description ML (ro-RO)  : LCD color
Profile Description ML (fr-CA)  : ACL couleur
Profile Description ML (uk-UA)  : Кольоровий LCD
Profile Description ML (he-IL)  : ‏LCD צבעוני
Profile Description ML (zh-TW)  : 彩色LCD
Profile Description ML (vi-VN)  : LCD Màu
Profile Description ML (sk-SK)  : Farebný LCD
Profile Description ML (zh-CN)  : 彩色LCD
Profile Description ML (ru-RU)  : Цветной ЖК-дисплей
Profile Description ML (en-GB)  : Colour LCD
Profile Description ML (fr-FR)  : LCD couleur
Profile Description ML (hi-IN)  : रंगीन LCD
Profile Description ML (th-TH)  : LCD สี
Profile Description ML (ca-ES)  : LCD en color
Profile Description ML (en-AU)  : Colour LCD
Profile Description ML (es-XL)  : LCD color
Profile Description ML (de-DE)  : Farb-LCD
Profile Description ML          : Color LCD
Profile Description ML (pt-BR)  : LCD Colorido
Profile Description ML (pl-PL)  : Kolor LCD
Profile Description ML (el-GR)  : Έγχρωμη οθόνη LCD
Profile Description ML (sv-SE)  : Färg-LCD
Profile Description ML (tr-TR)  : Renkli LCD
Profile Description ML (pt-PT)  : LCD a cores
Profile Description ML (ja-JP)  : カラーLCD
Profile Copyright               : Copyright Apple Inc., 2024
Media White Point               : 0.95045 1 1.08905
Red Matrix Column               : 0.51512 0.2412 -0.00105
Green Matrix Column             : 0.29198 0.69225 0.04189
Blue Matrix Column              : 0.1571 0.06657 0.78407
Red Tone Reproduction Curve     : (Binary data 2060 bytes, use -b option to extract)
Video Card Gamma                : (Binary data 48 bytes, use -b option to extract)
Native Display Info             : (Binary data 62 bytes, use -b option to extract)
Make And Model                  : (Binary data 40 bytes, use -b option to extract)
Blue Tone Reproduction Curve    : (Binary data 2060 bytes, use -b option to extract)
Green Tone Reproduction Curve   : (Binary data 2060 bytes, use -b option to extract)
XMP Toolkit                     : Image::ExifTool 12.40
Image Width                     : 1014
Image Height                    : 1162
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:4:4 (1 1)
Image Size                      : 1014x1162
Megapixels                      : 1.2
```

We found something interesting in the `Software` value: `UTNsaU1ISm5lMDFqUTJGeWRHaDVmU0E9`. It is base64, and (as the challenge name hints) it has been encoded twice, so we decode it twice using CyberChef.

![image](https://hackmd.io/_uploads/SJtWGDeQyl.png)

#### Flag

`Cyb0rg{McCarthy}`

# OSINT

## TommyCam [300 Pts]

**Category:** OSINT

**Solves:** -

### Description

> In May of 1995, university staff members completed what would become a quirky, well-enjoyed campus feature - TommyCam! The 24/7 live video feed of our unofficial mascot's statue, Tommy Trojan, is still going strong almost 30 years later.
>
> The site usc.edu was first archived by the Internet Archive in December 1996. At that time, the site included the technical specs for TommyCam. What PC was initially used to run TommyCam?
>
> Answers should be formatted like this, for example: CYBORG{ThinkPad T480}
>
> Note: this challenge is limited to 10 attempts to prevent brute-forcing

### Solution

We can use [web.archive.org](https://web.archive.org) to get the webpage as it was in December 1996.

![image](https://hackmd.io/_uploads/Hyi6fvgmkl.png)

The PC is a `Toshiba 5200 80386`.

#### Flag

`CYBORG{Toshiba 5200 80386}`

## beer sales [300 Pts]

**Category:** OSINT

**Solves:** -

### Description

> In August 2024, a lot of beer was sold in Orlando, Florida. But how much, exactly? Lucky for us, they left the exact number on a PDF on an open FTP server! Include the total number of gallons of beer.
>
> For example: CYBORG{712931.12}
>
> UPDATE: Due to the FTP server going down, you may submit the URL of the PDF as the flag.
>
> For example: CYBORG{example.com/dir/report.pdf}

### Solution

Because I solved this after the FTP server went down, the flag is the URL of the PDF.

![image](https://hackmd.io/_uploads/rJ-xmweX1l.png)

Because the link is URL-encoded, we need to decode it first.

![image](https://hackmd.io/_uploads/B18gmDxXJx.png)

The link is: `www.flgov.com/pub/llweb/Beer4.pdf`

#### Flag

`CYBORG{www.flgov.com/pub/llweb/Beer4.pdf}`
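As an added example covering the two decoding steps in the forensics challenges above (the double-base64 `Software` value in think_twice and the base64 + gzip PowerShell stager in Computer Has Virus), here is a small Python helper that peels those layers statically, so the payload is recovered without ever reaching `Invoke-Expression`. It is not part of the original writeup; `peel` and `extract_stager_payload` are hypothetical names, and the stager sample is constructed with a harmless payload rather than the challenge's blob.

```python
# Added example (not from the writeup): peel encoding layers statically, never executing anything.
import base64
import binascii
import gzip
import re

GZIP_MAGIC = b"\x1f\x8b"
B64_RE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")

def peel(data, max_layers=8):
    """Strip gzip/base64 layers until the data is neither; return (innermost bytes, layer trail)."""
    trail = []
    for _ in range(max_layers):
        if data.startswith(GZIP_MAGIC):          # gzip header 1f 8b 08 is what base64 shows as "H4sI"
            data, trail = gzip.decompress(data), trail + ["gzip"]
            continue
        s = data.strip()
        if len(s) % 4 == 0 and B64_RE.match(s):  # whole value is a padded base64-alphabet string
            try:
                data, trail = base64.b64decode(s, validate=True), trail + ["base64"]
                continue
            except binascii.Error:
                pass
        break
    return data, trail

# Stager pattern seen in the strings output: $compressed = '<b64>' ... GzipStream ... Invoke-Expression
STAGER_RE = re.compile(rb"\$compressed\s*=\s*'([A-Za-z0-9+/=]+)'.*?GzipStream.*?Invoke-Expression", re.S)

def extract_stager_payload(strings_dump):
    """Locate the PowerShell stager in a `strings` dump and decode its payload without running it."""
    m = STAGER_RE.search(strings_dump)
    return peel(m.group(1)) if m else None

# think_twice: the real Software value from the exiftool output (base64 applied twice).
SOFTWARE_VALUE = b"UTNsaU1ISm5lMDFqUTJGeWRHaDVmU0E9"

# Computer Has Virus: a constructed stand-in for the stager (harmless payload, not the challenge blob),
# built the way the loader expects: gzip first, then base64.
_blob = base64.b64encode(gzip.compress(b"Write-Host 'constructed payload'"))
SAMPLE_DUMP = (b"$compressed = '" + _blob + b"'; $bytes = [System.Convert]::FromBase64String($compressed); "
               b"$decompressed = New-Object IO.Compression.GzipStream($stream, "
               b"[IO.Compression.CompressionMode]::Decompress); Invoke-Expression $obfuscated")

if __name__ == "__main__":
    print(peel(SOFTWARE_VALUE))            # (b'Cyb0rg{McCarthy} ', ['base64', 'base64'])
    print(extract_stager_payload(SAMPLE_DUMP))
```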