Mason TCTF - Writeup (Update in progress)

Mason TCTF is an cyber security CTF (Capture the Flag) deployed by Mason Competitive Cyber (MasonCC), an cyber security group at George Mason University.

The challenges include Threat Detection, Linux/Scripting, Protocol Hopping, Digital Forensics, Cryptography, Password Cracking, Steganography, Recon, and Web with difficulty ranging from simple to moderately complex. It is an good CTF for learning various aspects of cyber security knowledge.

This write-up will document my thinking and process of solving the problem according to the category of the challenge.

(Update in progress)

The Office

“The Office” category is an incident response scenario about ransomware. The solver needs to analyze the “LiveResponseData” dataset to get the flags of the 4 problems.

#1 ASAP as Possible (150)

Read the scenario, and then look at the forensic data to answer the questions. What was the name of the file that ran the ransomware? Remember to enter the flag in the format masoncc{flag}

It is a really straightforward one.
By checking the running process, there is a superrrrr suspicious process.

#2 I am dead inside (175)

Which user did the attacker use to deploy the ransomware? Remember to enter your answer as masoncc{flag}

We already know the filename of the ransomware.
So…

1. Check the running process and found a suspicious one payload_133MMK.exe.
2. Use any grep tool to search payload_133MMK.exe and got 4 files
3. The malware was found on Kevin’s account.

#3 Dwight U Ignorant Slut (300)

What is the name of the decryptor that will work on the ransomware’d files? Remember to enter your answer as masoncc{flag}

By searching the encrypted file extension, ransom note, ransomware file name, bitcoin wallet, or anonymous email address we can have a overview to the ransomware type.
The online tool “ID-ransomeware” is also a good resource to do this.
https://id-ransomware.malwarehunterteam.com/

In this case, the ransomware was “Dharma Ransom”.
To know if there is any existing decryption tool, “nomoreransom” is your good friend.
https://www.nomoreransom.org/en/decryption-tools.html

There is a tool named “rakhnidecryptor” was created by Kaspersky Lab.

#4 Makin That Paper (350)

Can you find any evidence of data exfiltration by the attacker? Dunder Mifflin needs to know if any sensitive data was stolen. Enter your answer by specifying the stolen filename and the artifact that has evidence of the theft. Example answer format: masoncc{filename, artifactname} masoncc{secret.docx, Stanley_USRCLASS.DAT} masoncc{plans.jpg, mft.csv}

We already have some infomation about the ransomware.
So we can…

1. Check the running process and found a suspicious one payload_133MMK.exe.
2. Use any grep tool to search payload_133MMK.exe and got 4 files.
3. Open Kevin_NTUSR.txt and go to the line of payload_133MMK.exe.
4. Scroll up to find previous activity and got sensitive_document.txt.
5. Combine them as the flag.
   

Threat Detection

The Threat Detection category includes several implementations of threat detection techniques such as password breach, Yara, and Ja3.

#1 Hunt with Troy (75)

As a threat intel analyst, it is important to stay on top of the
latest security breaches. Find the password of security@gmail.com.
Flag format: masoncc{password}

Searching for the keywords “Hunt”, “Troy”, “breaches” according to the title of the challenge, is an article about password breaches by cyber security researcher Troy Hunt.
https://www.troyhunt.com/the-773-million-record-collection-1-data-reach/

Try to find and get the so-called “Troy Hunt Collection#1” from the Internet.

Gotcha! The data size is around 36 Gigabytes and has been categorized by its origin.

Unzip all the compressed files and use any grep tool to search for the target "security@gmail.com".

The search includes several results, and after preliminary elimination and several attempts, the correct answer was confirmed.

#2 Yara Signature (125)

Write a YARA signature to find the flag. The flag is the name of the file that matches the criteria listed in README.txt.
flag format: masoncc{filename}

This challenge contains 32 dll files, the solver needs to write yara rules based on the readme document and find the target file.

Criteria:
The flag has the following ASCII string: “Redmond1”
The flag does not have the following ASCII string: “Q{dx”
The flag has the two following hex strings: (1) C6 D5 AE AD, (2) 9A 30 82 05
The flag is less than 13KB in size

*If you don’t have experience with yara, here is the good resource to start. https://yara.readthedocs.io/en/stable/writingrules.html

rule ctf
{
    strings:
        $text_string = "Redmond1"
        $false_string = "Q{dx"
        $hex_string = { C6 D5 AE AD }
        $hex_string2 = { 9A 30 82 05 }
    condition:
        (not $false_string) and filesize < 13KB and $text_string and $hex_string and $hex_string2
}

The result was as follows:

#3 C2 Channels (450)

Formerly called “Just An 3nemy.” There are two primary ways to solve this. What C2 framework is running here?
Flag format: masoncc{C2famework}

This challenge provides a sample PCAP file with most of the traffic encrypted by TLS.
The solver need to use the TLS fingerprinting tool JA3 to analyze the fingerprints of the traffic about C2 Server.

*Because of the shutdown of fingerprint lookup site ja3er.com, the original solution is temporarily unavailable.

I had problems parsing pcapng files with ja3, so I finally used the tool ja3box instead. https://github.com/Macr0phag3/ja3box

The next step is to query the md5 value(410b9bedaf65dd26c6fe547154d60db4) of the Server traffic on ja3er.com.
The answer is “Merlin”.

Basic Forensics

#1 Event Viewer (20)

What was the name of the file that the user attempted to download?
Flag format: masoncc{name of file}

#2 Sharknado (25)

Don’t try to use Wireshark with this

This challenge is a pcapng file. But according to the description it is just a misleading.
Open with Hex Editor and search keyword “flag”.

Here it is!

#3 Redacted (50)

Remember to submit the flag in the format

#4 Obfuscation Sensation (90)

You found this piece of code on a compromised web server, but it’s not clear what it does.

This challenge is a one-line php file with only one command.

<?php
eval(gzuncompress(str_rot13(base64_decode('a5yzsS/IKOBXWs7ISkPPWizOz1hBrgaKxHQWx6dJ1apbZtnbAQDefAw6'))));
?>

It seems like an obfuscated php code.
Using the keywords “str_rot13” and “base64_decode” search found an online decoding tool.
https://www.mobilefish.com/services/eval_gzinflate_base64/eval_gzinflate_base64.php

Got the answer.

#5 Unzip (95)

No description

#6 Corrupted (100)

There’s something missing from this png, something that’s in every valid png.

The challenge is a PNG image but it seems to be corrupted and cannot be opened.
Take a look with Hex Editor.

Compare with a normal PNG file.

We can find that the header of the challenge PNG file missing a section of %PNG. Manual fix the header.

Success!

#7 Bigfoot (150)

Near which town was bigfoot spotted?

The challenge is a photo.

By viewing the EXIF information of the image can get the GPS coordinates. A simple one.

Put it on the google map.

Flag: Grisdale

#8 Binding Power (175)

You are analyzing a compromised system when you find this event. You suspect it’s a bind shell. What port does it bind to?

As described, this challenge gives us the information of an installed service.

"A service was installed in the system.
Service Name: pGfbIRqLhLCxVEOS
Service File Name: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -noni -Enc IiJpZihbSW50UHRyXTo6U2l6Z...
Service Start Type: demand start
Service Account: LocalSystem"

As we can see, the filename of the service was used to run an base64 encoded PowerShell script.

Decode with CyberChef.

Base64 again… Decode with CyberChef as well.
(Note that the encoded part of this PowerShell script was compressed using Gzip and an additional Gunzip step is required for decoding.)

Decode with base64 and gunzip.
…
Encoded again…

Repeat the decoding process but this time, there is no readable thing comes out.

This is most likely the shell code that will eventually be loaded to the target machine.
To verify this, let’s go back to the last step
In the earlier PowerShell command, we can see that the encoded command was stored in the variable “$nc”.

Searching for commands that call the $nc variable, we can find the following command:

$rYtR = [System.Runtime.InteropServices.Marshal]
::GetDelegateForFunctionPointer((zajM kernel32.dll VirtualAlloc), 
(pg @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr]))).Invoke([IntPtr]::Zero, $nC.Length,0x3000, 0x40)
[System.Runtime.InteropServices.Marshal]::Copy($nC, 0, $rYtR, $nC.length)

Basically, this command called the VirtualAlloc function in kernel32.dll to allocate a block of memory of the specified size in the process, and then uses the “Copy” method to loaded the encoded command that stored in the “$nc” variable to memory. This is a common PowerShell memory Reflection attack.

In order to analyze this Shellcode, we saved it to a file.

And use Shellcode analysis tool “scdbg.exe” for analysis. The introduction and download of scdbg.exe is available at this site.
http://sandsprite.com/blogs/index.php?uid=7&pid=152

Flag: 31533

#9 Warcraft (200)

Chris is a Warcraft freak, can you help us figure out what to make of this? Note: you don’t need to install Warcraft to solve this Please submit the flag in masoncc{} format

This challenge gives an unknown file named “WorkWork”.
*Simple CTF Tips: When encountering an unknown file in CTF, always use Hex Editor to open it for observation.

By using the first few bytes of the file, “hm3w”(usually the file magic number) and “warcraft” , as keywords for searching, we can find an article explaining W3M and W3X files.
https://world-editor-tutorials.thehelper.net/cat_usersubmit.php?view=42787
Also, the article tells us that the “w3x” file is a variant of the “mpq” file.(A file packaging format created by Blizzard.)

In order to parse the challenge files we need to find a mpq file parser on the internet.
And this is a seemingly more reliable one.
http://www.zezula.net/en/mpq/download.html

Using the parser to open the challenge file “WorkWork.w3x” we get several sub-files.

Extract and analyze them with Hex Editor.
*CTF Tips: Search for known flag formats such as flag{} and masoncc{}.

FLAG was found in the subfile “war3.map”.