[OtterCTF 2018] WP
[OtterCTF 2018] What the password?
Title Description:
you got a sample of rick’s PC's memory. can you get his user password?
First use Volatility 2 (vol2) with imageinfo to identify the memory image; the suggested profile is Win7SP1x64.
Then run the lsadump plugin to dump the LSA secrets from the registry hives. If automatic logon is configured, the DefaultPassword secret holds the account's cleartext password, which is exactly what the question asks for.
[OtterCTF 2018] General Info
Title Description:
Let's start easy - whats the PC's name and IP address?
For the IP address, list the network connections with netscan; the local address that appears most often, 192.168.202.131, is the one we want.
Submitting the username obtained with hashdump was wrong (the hostname and the username are two different things), so we went to the registry instead: hivelist shows the loaded hives and their virtual offsets.
The hostname lives in the SYSTEM hive (\REGISTRY\MACHINE\SYSTEM). Use printkey with that hive's offset (-o) to list its keys, then follow ControlSet001 down through Control\ComputerName\ComputerName; the ComputerName value there is WIN-LO6FAF3DTFE
[OtterCTF 2018] Play Time
Title Description:
Rick just loves to play some good old videogames.
can you tell which game is he playing?
whats the IP address of the server?
To find the game, list the running processes with pslist.
Then copy the process names, hand them to GPT and ask which one is a game; the answer turns out to be LunarMS.
Next, netscan shows the connection belonging to that process; its remote address, the game server, is 77.102.199.102
[OtterCTF 2018] Name Game
Title Description:
We know that the account was logged in to a channel called Lunar-3. what is the account name?
To find the account name used on the Lunar-3 channel we have to look at the process memory itself, so dump the LunarMS process with memdump.
Open the dump in 010 Editor and search for the string Lunar-3; the account name sits right after one of the hits (no principled reason, it is purely empirical): 0tt3r8r33z3
[OtterCTF 2018] Name Game 2
Title Description:
From a little research we found that the username of the logged on character is always after this signature: 0x64 0x??{6-8} 0x40 0x06 0x??{18} 0x5a 0x0c 0x00{2}
What's rick's character's name?
The description says the name of the logged-in character always follows the signature 0x64 0x??{6-8} 0x40 0x06 0x??{18} 0x5a 0x0c 0x00{2}. In 010 Editor we can use a hex wildcard search for the fixed tail of that signature, 4006??????????????????5a0c0000 (0x40 0x06, the wildcard bytes, then 0x5a 0x0c 0x00 0x00).
The printable string immediately after the match is the character's name: M0rtyL0L
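The wildcard search above written out as a script, as an added example that is not part of the original writeup. It turns the challenge's signature into a regular expression over the raw bytes of the memdump output, and also does the Name Game step of reading what follows a Lunar-3 hit. The sample buffer is constructed for the demo (the real dump has different offsets and surrounding bytes), and treating the name as a run of printable ASCII is an assumption of this example, not something the challenge states.

```python
import re
import sys
from typing import List, Optional, Tuple

# Signature quoted in the challenge:
#   0x64 0x??{6-8} 0x40 0x06 0x??{18} 0x5a 0x0c 0x00{2}
# followed by the character name. re.DOTALL lets '.' match any byte
# (including 0x0a), which a wildcard search over binary data needs.
# The name being a run of printable ASCII is an assumption of this example.
NAME_SIGNATURE = re.compile(
    rb"\x64.{6,8}\x40\x06.{18}\x5a\x0c\x00\x00([\x20-\x7e]{3,32})",
    re.DOTALL,
)


def find_character_names(data: bytes) -> List[Tuple[int, str]]:
    """(offset, name) for every place the full signature matches."""
    return [(m.start(), m.group(1).decode("ascii"))
            for m in NAME_SIGNATURE.finditer(data)]


def context_after(data: bytes, needle: bytes, length: int = 32) -> List[bytes]:
    """Bytes that follow each occurrence of needle: the 'search for
    Lunar-3 and read what comes after it' step of Name Game."""
    out, start = [], 0
    while True:
        i = data.find(needle, start)
        if i < 0:
            return out
        out.append(data[i + len(needle): i + len(needle) + length])
        start = i + 1


def printable_runs(chunk: bytes, min_len: int = 4) -> List[str]:
    """Split a byte chunk into printable ASCII runs, like strings(1)."""
    pat = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pat, chunk)]


# Constructed sample (not bytes from the real dump): one genuine signature
# hit, one decoy that has the tail of the signature but no leading 0x64,
# and a Lunar-3 channel record followed by the account name.
SAMPLE = (
    b"\x00" * 16
    + b"\x64" + b"\x11" * 7 + b"\x40\x06" + b"\x22" * 18 + b"\x5a\x0c\x00\x00"
    + b"M0rtyL0L\x00" + b"\x00" * 8
    + b"\x33" * 8 + b"\x40\x06" + b"\x22" * 18 + b"\x5a\x0c\x00\x00"
    + b"NotAName\x00" + b"\x00" * 8
    + b"Lunar-3\x00\x00\x00" + b"0tt3r8r33z3\x00" + b"\x00" * 8
)


def main(path: Optional[str] = None) -> None:
    data = open(path, "rb").read() if path else SAMPLE
    for off, name in find_character_names(data):
        print(f"signature hit at 0x{off:x}: {name}")
    for chunk in context_after(data, b"Lunar-3"):
        print("after Lunar-3:", printable_runs(chunk))


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else None)
```

On the real image, run it as python lunar_names.py <pid>.dmp against the memdump output of the LunarMS process; the decoy in the sample shows why searching for the whole signature, including the leading 0x64, gives fewer false hits than the tail alone.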
[OtterCTF 2018] Silly Rick
Title Description:
Silly rick always forgets his email's password, so he uses a Stored Password Services online to store his password. He always copy and paste the password so he will not get it wrong. whats rick's email password?
Rick always copies and pastes the password, so it should still be on the clipboard. The clipboard plugin prints the clipboard contents, and there is the password: M@il_Pr0vid0rs
[OtterCTF 2018] Hide And Seek
Title Description:
The reason that we took rick's PC memory dump is because there was a malware infection. Please find the malware process name (including the extension)
To find the malicious process, look at the process tree with pstree.
One process is a child of the Rick And Morty process, which is suspicious. I used cmdline to see the full command line of both processes.
They are two executables; find them with filescan and extract them with dumpfiles.
Then I examined both executables and ran them by hand (do not imitate this; who would expect a real trojan in a CTF challenge), and that gave me the answer.
[OtterCTF 2018] Path To Glory
Title Description:
How did the malware got to rick's PC? It must be one of rick old illegal habits…
The question asks how the malware got onto the PC, but it is not clear what form the flag takes. We use filescan to look for files related to the parent process.
The interesting hits are torrent files, so we extract the three .torrent files with dumpfiles.
Running strings over them to see the printable text, there is a field called website, and the value after it is the answer (no deeper meaning that I can see; it is just how the challenge was set up): M3an_T0rren7_4_R!ck
[OtterCTF 2018] Path To Glory 2
Title Description:
Continue the search after the way that malware got in.
This one was even more confusing: it says to keep following the route by which the malware got in. Searching online for writeups, this marker means the torrent was downloaded from the internet, i.e. through the browser.
In the pslist output from earlier, the process with the most instances is the browser in use, which is Chrome.
Use filescan and dumpfiles to find and extract Chrome's History database (fun fact: Chrome stores its browsing history in a SQLite database).
Rename the extracted file with a .sqlite extension and open it with sqlite3.
Run the statement select current_path, site_url from downloads;
which lists the local path of each download and the URL of the site it came from.
This shows the site the torrent was downloaded from. That is the lead we follow next: dump the browser's process memory with memdump and search it.
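The sqlite3 query above, extended into a script as an added example (not part of the original writeup and not Chrome's code). Besides current_path and site_url it joins downloads_url_chains, where Chrome records every URL in a download's redirect chain, and it converts Chrome's timestamps, which are microseconds since 1601-01-01. The database it builds is a constructed stand-in with a subset of Chrome's real column set; the paths, URLs and times are invented and are not the values from the challenge.

```python
import sqlite3
from datetime import datetime, timedelta, timezone
from typing import Any, Dict, List

# Chrome stores times as microseconds since 1601-01-01 (the WebKit epoch).
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_iso(us: int) -> str:
    """Convert a WebKit/Chrome timestamp to an ISO-8601 UTC string."""
    return (WEBKIT_EPOCH + timedelta(microseconds=us)).isoformat()


def list_downloads(conn: sqlite3.Connection) -> List[Dict[str, Any]]:
    """The writeup's  select current_path, site_url from downloads;
    joined with downloads_url_chains: chain_index 0 is the URL the user
    clicked, later entries are the redirects that led to the file."""
    rows = conn.execute(
        """
        SELECT d.id, d.current_path, d.site_url, d.tab_url, d.start_time,
               c.chain_index, c.url
        FROM downloads d
        JOIN downloads_url_chains c ON c.id = d.id
        ORDER BY d.id, c.chain_index
        """
    ).fetchall()
    by_id: Dict[int, Dict[str, Any]] = {}
    for did, path, site, tab, start, _idx, url in rows:
        entry = by_id.setdefault(did, {
            "path": path, "site_url": site, "tab_url": tab,
            "started": webkit_to_iso(start), "chain": [],
        })
        entry["chain"].append(url)
    return list(by_id.values())


def build_sample_history() -> sqlite3.Connection:
    """Constructed in-memory stand-in for Chrome's History file (subset of
    the real columns; every value below is made up for the demo)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE downloads(
            id INTEGER PRIMARY KEY, current_path TEXT, target_path TEXT,
            start_time INTEGER, received_bytes INTEGER, total_bytes INTEGER,
            state INTEGER, site_url TEXT, tab_url TEXT, mime_type TEXT);
        CREATE TABLE downloads_url_chains(
            id INTEGER, chain_index INTEGER, url TEXT,
            PRIMARY KEY (id, chain_index));
        """
    )
    # 11644473600 s separate the WebKit epoch from the Unix epoch, so this
    # timestamp is 1970-01-01T00:00:00Z and easy to check by eye.
    t0 = 11644473600 * 1_000_000
    conn.executemany(
        "INSERT INTO downloads VALUES (?,?,?,?,?,?,?,?,?,?)",
        [
            (1, r"C:\Users\Rick\Downloads\sample.torrent",
             r"C:\Users\Rick\Downloads\sample.torrent",
             t0, 4096, 4096, 1, "https://webmail.example.com/",
             "https://webmail.example.com/inbox", "application/x-bittorrent"),
            (2, r"C:\Users\Rick\Downloads\setup.exe",
             r"C:\Users\Rick\Downloads\setup.exe",
             t0 + 60_000_000, 1024, 1024, 1, "https://example.org/",
             "https://example.org/dl", "application/octet-stream"),
        ],
    )
    conn.executemany(
        "INSERT INTO downloads_url_chains VALUES (?,?,?)",
        [
            (1, 0, "https://webmail.example.com/attachment?id=42"),
            (1, 1, "https://cdn.example.net/files/sample.torrent"),
            (2, 0, "https://example.org/dl/setup.exe"),
        ],
    )
    conn.commit()
    return conn


if __name__ == "__main__":
    import sys
    db = sqlite3.connect(sys.argv[1]) if len(sys.argv) > 1 else build_sample_history()
    for d in list_downloads(db):
        print(d["started"], d["path"])
        print("  site_url:", d["site_url"])
        for i, u in enumerate(d["chain"]):
            print(f"  chain[{i}]:", u)
```

Run it as python chrome_downloads.py History against a copy of the extracted file. A History file carved from memory can be truncated; if sqlite3 refuses to open it, the .recover command of a recent sqlite3 shell will usually salvage the downloads tables first.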
Then run strings over the extracted process memory and grep for the mailbox suffix (the part after the @),
looking at the first ten lines of output.
Rick's email address shows up there, so we have both the address and the password. I tried logging in to the mailbox to look for clues, but it reported an email/password error (fair enough, this is a memory forensics challenge, so better to stay honest and work from the dump). Following that up with a grep for rickopicko@
and twenty lines of context before and after, one string looked very much like a flag, and submitting it was indeed correct: Hum@n_I5_Th3_Weak3s7_Link_In_Th3_Ch@in
[OtterCTF 2018] Bit 4 Bit
Title Description:
We've found out that the malware is a ransomware. Find the attacker's bitcoin address.
The malware is ransomware and we need the attacker's bitcoin address, so reverse the executable we extracted earlier. Checking it with Detect It Easy first shows what it was built with.
It is written in C#, so decompile it with dnSpy.
A string in the ransom prompt gives the bitcoin address: 1MmpEmebJkqXG8nQv4cjJSmxZQFVmFo63M. Other writeups online take a different route:
ransomware usually leaves a ransom note on the desktop, so use filescan to look at the files under the desktop.
There is a READ_IT.txt, and along the way another file turns up that we also extract; it may be useful later.
READ_IT.txt turns out to be only a hint, so the other option is to analyse the malicious process's memory: dump it with memdump.
Then run strings -el (the -e l option selects 16-bit little-endian, i.e. UTF-16LE, strings, which is how .NET stores its text) with grep over the process dump. The ransom dialog text appears, followed by the bitcoin address to pay to: 1MmpEmebJkqXG8nQv4cjJSmxZQFVmFo63M
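What strings -el plus grep does, as a script and as an added example (not the writeup's commands and not the malware's code): carve UTF-16LE strings from the process dump and keep the ones containing a token shaped like a legacy Bitcoin address. The buffer it scans is constructed for the demo; the dialog text and the junk around it are invented, and only the address is the one reported above. The address filter is purely syntactic (prefix 1 or 3, Base58 alphabet, 26 to 35 characters) and does not verify the Base58Check checksum.

```python
import re
import sys
from typing import List


def _wide_pattern(min_len: int):
    # Printable ASCII in UTF-16LE is <byte> 0x00; require min_len code
    # units in a row, which is what strings -el -n <min_len> does.
    return re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)


# Legacy Bitcoin address: leading 1 or 3, Base58 alphabet (no 0, O, I, l),
# 26 to 35 characters. Syntactic filter only; no Base58Check verification.
BTC_ADDR = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")


def wide_strings(data: bytes, min_len: int = 4) -> List[str]:
    """UTF-16LE strings carved from raw memory (the strings -el output)."""
    return [m.group().decode("utf-16-le")
            for m in _wide_pattern(min_len).finditer(data)]


def grep_wide(data: bytes, needle: str) -> List[str]:
    """strings -el | grep needle"""
    return [s for s in wide_strings(data) if needle in s]


def find_bitcoin_addresses(data: bytes) -> List[str]:
    """Distinct address-shaped tokens found in the wide strings, in order."""
    found: List[str] = []
    for s in wide_strings(data):
        for addr in BTC_ADDR.findall(s):
            if addr not in found:
                found.append(addr)
    return found


# Constructed sample, not bytes from the real dump. The .NET dialog text is
# UTF-16LE; an ASCII copy of the address is included to show that
# strings -el would not report it (plain strings would).
SAMPLE = (
    b"\x90" * 7 + b"MZ\x90\x00"
    + "Your files have been encrypted.".encode("utf-16-le") + b"\x00\x00"
    + b"\xff\xfe\x00\x01"
    + "Send 0.1 BTC to 1MmpEmebJkqXG8nQv4cjJSmxZQFVmFo63M".encode("utf-16-le") + b"\x00\x00"
    + b"1MmpEmebJkqXG8nQv4cjJSmxZQFVmFo63M"
    + "not an address: 1Oops0Il".encode("utf-16-le") + b"\x00\x00"
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for s in grep_wide(data, "BTC"):
        print("context:", s)
    for addr in find_bitcoin_addresses(data):
        print("address:", addr)
```

Run it as python wide_strings.py <pid>.dmp on the memdump output of the malicious process. Because the regex anchors on the <byte> 0x00 pairs it only matches at the correct alignment, so a dump that is not 2-byte aligned still carves cleanly.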
[OtterCTF 2018] Graphic's For The Weak
Title Description:
There's something fishy in the malware's graphics.
The description says there is something fishy in the malware's graphics, so keep looking in dnSpy: the resources section contains the program's icon, and the flag is drawn right on it: S0_Just_M0v3_Socy
[OtterCTF 2018] Recovery
Title Description:
Rick got to have his files recovered! What is the random password used to encrypt the files?
This one asks for the random password used to encrypt the files. Continuing in dnSpy, two functions stand out: CreatePassword and SendPassword.
The random password is generated by CreatePassword and then passed to SendPassword,
which sends it out concatenated with the computer name and the username. That string was built in the malware's memory, so strings with grep for the computer name over the malicious process's memory dump finds it, and the random password used for the files is aDOBofVYUNVnmp7
[OtterCTF 2018] Closure
Title Description:
Now that you extracted the password from the memory, could you decrypt rick's files?
Now decrypt Rick's file; the encrypted file we pulled from the desktop earlier is presumably the target. First look at the encryption routine, EncryptFile.
It converts the password to bytes and hashes it with SHA-256, but that digest is not used as the AES key directly: it is fed into Rfc2898DeriveBytes (PBKDF2) with the fixed salt 1..8 and 1000 iterations, and the first 32 bytes of that output become the AES-256 key and the next 16 bytes the CBC IV. The file is encrypted with that and .WINDOWS is appended to the filename. So we write a script that does the reverse. One caveat: the file extracted with dumpfiles is padded to a page boundary with zero bytes, so those trailing empty bytes must be removed before decrypting, otherwise the ciphertext length is wrong and the padding check fails.
The decryption script is below. I had GPT write it; I also tried porting it to Python, but the decrypted text always came out garbled, so I gave that up.
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

namespace ConsoleApp5
{
    internal class Program
    {
        static void Main(string[] args)
        {
            // Path of the file WITHOUT the .WINDOWS suffix: the ciphertext is read
            // from filePath + ".WINDOWS" and the plaintext is written to filePath.
            // Pass it as the first argument or fill in the path here.
            string filePath = args.Length > 0 ? args[0] : @"";
            string password = "aDOBofVYUNVnmp7";
            Program program = new Program();
            // Encryption path (what the malware does), kept for reference
            //program.EncryptFile(filePath, password);
            //Console.WriteLine("The file is encrypted. Please do not disclose!");
            //Console.ReadKey();
            // Decryption path
            program.DecryptFile(filePath, password);
            Console.WriteLine("The file has been decrypted!");
            Console.ReadKey();
        }
        // Same steps as the malware's EncryptFile as seen in dnSpy: the SHA-256
        // digest of the password is the *input* to AES_Encrypt, not the AES key.
        public void EncryptFile(string file, string password)
        {
            byte[] bytesToBeEncrypted = File.ReadAllBytes(file);
            byte[] array = Encoding.UTF8.GetBytes(password);
            array = SHA256.Create().ComputeHash(array);
            byte[] bytes = this.AES_Encrypt(bytesToBeEncrypted, array);
            File.WriteAllBytes(file, bytes);
            File.Move(file, file + ".WINDOWS");
        }
        // Reverse of EncryptFile. The input must be the real ciphertext only:
        // trim the zero bytes that dumpfiles appends (the length must be a
        // multiple of 16), or AES_Decrypt throws a CryptographicException on
        // the PKCS7 padding check.
        public void DecryptFile(string file, string password)
        {
            string encryptedFilePath = file + ".WINDOWS";
            byte[] bytesToBeDecrypted = File.ReadAllBytes(encryptedFilePath);
            byte[] array = Encoding.UTF8.GetBytes(password);
            array = SHA256.Create().ComputeHash(array);
            byte[] decryptedBytes = this.AES_Decrypt(bytesToBeDecrypted, array);
            File.WriteAllBytes(file, decryptedBytes);
            File.Delete(encryptedFilePath);
        }
        public byte[] AES_Encrypt(byte[] bytesToBeEncrypted, byte[] passwordBytes)
        {
            byte[] result = null;
            // Fixed salt hard-coded in the malware
            byte[] salt = new byte[] { 1, 2, 3, 4, 5, 6, 7, 8 };
            using (MemoryStream memoryStream = new MemoryStream())
            {
                using (RijndaelManaged rijndaelManaged = new RijndaelManaged())
                {
                    rijndaelManaged.KeySize = 256;
                    rijndaelManaged.BlockSize = 128;
                    // PBKDF2-HMAC-SHA1, 1000 rounds; key = first 32 bytes, IV = next 16
                    Rfc2898DeriveBytes rfc2898DeriveBytes = new Rfc2898DeriveBytes(passwordBytes, salt, 1000);
                    rijndaelManaged.Key = rfc2898DeriveBytes.GetBytes(rijndaelManaged.KeySize / 8);
                    rijndaelManaged.IV = rfc2898DeriveBytes.GetBytes(rijndaelManaged.BlockSize / 8);
                    rijndaelManaged.Mode = CipherMode.CBC;   // PKCS7 padding is the default
                    using (CryptoStream cryptoStream = new CryptoStream(memoryStream, rijndaelManaged.CreateEncryptor(), CryptoStreamMode.Write))
                    {
                        cryptoStream.Write(bytesToBeEncrypted, 0, bytesToBeEncrypted.Length);
                        cryptoStream.Close();
                    }
                    result = memoryStream.ToArray();
                }
            }
            return result;
        }
        private byte[] AES_Decrypt(byte[] bytesToBeDecrypted, byte[] passwordBytes)
        {
            byte[] decryptedBytes = null;
            // Must match the salt used for encryption
            byte[] salt = new byte[] { 1, 2, 3, 4, 5, 6, 7, 8 };
            using (MemoryStream ms = new MemoryStream())
            {
                using (RijndaelManaged AES = new RijndaelManaged())
                {
                    AES.KeySize = 256;
                    AES.BlockSize = 128;
                    // Identical derivation: same password hash, salt and round count
                    var key = new Rfc2898DeriveBytes(passwordBytes, salt, 1000);
                    AES.Key = key.GetBytes(AES.KeySize / 8);
                    AES.IV = key.GetBytes(AES.BlockSize / 8);
                    AES.Mode = CipherMode.CBC;
                    using (var cs = new CryptoStream(ms, AES.CreateDecryptor(), CryptoStreamMode.Write))
                    {
                        cs.Write(bytesToBeDecrypted, 0, bytesToBeDecrypted.Length);
                        cs.Close();   // flushes the final block and strips the PKCS7 padding
                    }
                    decryptedBytes = ms.ToArray();
                }
            }
            return decryptedBytes;
        }
    }
}
As expected, the decrypted file contains the flag: CTF{Im_Th@_B3S7_RicK_0f_Th3m_4ll}
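The same decryption in Python, as an added example (not the writeup's script and not the malware's code). It mirrors the C# above step by step and also trims the page padding that dumpfiles leaves on the extracted file. The part that usually breaks a Python port of this routine is the key setup: the SHA-256 digest of the password is the input to Rfc2898DeriveBytes (PBKDF2-HMAC-SHA1, salt 01..08, 1000 rounds), and the key and IV are the first 32 and the next 16 bytes of that one derived stream; using the digest itself as the AES key, or a zero IV, yields garbage. AES-CBC comes from the cryptography package (pip install cryptography), which this example assumes is installed; the key derivation and the trimming use only the standard library.

```python
import hashlib
from typing import Tuple

SALT = bytes([1, 2, 3, 4, 5, 6, 7, 8])   # hard-coded in the malware
ITERATIONS = 1000
KEY_LEN, IV_LEN = 32, 16                   # KeySize/8 and BlockSize/8


def rfc2898_bytes(password: bytes, salt: bytes, iterations: int, n: int) -> bytes:
    """.NET Rfc2898DeriveBytes is PBKDF2 with HMAC-SHA1. Successive
    GetBytes() calls read consecutive bytes of one stream, so asking for
    n bytes at once equals GetBytes(32) followed by GetBytes(16)."""
    return hashlib.pbkdf2_hmac("sha1", password, salt, iterations, n)


def derive_key_iv(password: str) -> Tuple[bytes, bytes]:
    """Mirror of DecryptFile + AES_Decrypt key setup: SHA-256 of the UTF-8
    password is the *input* to PBKDF2, not the AES key itself."""
    pw_hash = hashlib.sha256(password.encode("utf-8")).digest()
    stream = rfc2898_bytes(pw_hash, SALT, ITERATIONS, KEY_LEN + IV_LEN)
    return stream[:KEY_LEN], stream[KEY_LEN:]


def strip_dump_padding(data: bytes) -> bytes:
    """dumpfiles writes whole pages, so the carved file ends in zero bytes
    that were never ciphertext. Drop trailing zeros, then round back up to
    a 16-byte boundary so a genuine 0x00 at the end of the last block is
    not lost."""
    trimmed = len(data.rstrip(b"\x00"))
    return data[: -(-trimmed // 16) * 16]


def _aes_cbc(key: bytes, iv: bytes):
    # Imported lazily so the derivation helpers work without the package.
    from cryptography.hazmat.backends import default_backend
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    return Cipher(algorithms.AES(key), modes.CBC(iv), backend=default_backend())


def decrypt_bytes(ciphertext: bytes, password: str) -> bytes:
    """AES-256-CBC with PKCS#7 padding, as RijndaelManaged does by default."""
    from cryptography.hazmat.primitives import padding
    key, iv = derive_key_iv(password)
    dec = _aes_cbc(key, iv).decryptor()
    padded = dec.update(ciphertext) + dec.finalize()
    unpad = padding.PKCS7(128).unpadder()
    return unpad.update(padded) + unpad.finalize()


def encrypt_bytes(plaintext: bytes, password: str) -> bytes:
    """Same construction as the malware's AES_Encrypt; useful for round trips."""
    from cryptography.hazmat.primitives import padding
    key, iv = derive_key_iv(password)
    pad = padding.PKCS7(128).padder()
    padded = pad.update(plaintext) + pad.finalize()
    enc = _aes_cbc(key, iv).encryptor()
    return enc.update(padded) + enc.finalize()


def crypto_available() -> bool:
    try:
        import cryptography  # noqa: F401
        return True
    except ImportError:
        return False


if __name__ == "__main__":
    import sys
    if len(sys.argv) < 2:
        sys.exit("usage: decrypt_windows.py <file.WINDOWS> [password]")
    src = sys.argv[1]
    pw = sys.argv[2] if len(sys.argv) > 2 else "aDOBofVYUNVnmp7"
    blob = strip_dump_padding(open(src, "rb").read())
    out = src[:-len(".WINDOWS")] if src.endswith(".WINDOWS") else src + ".dec"
    open(out, "wb").write(decrypt_bytes(blob, pw))
    print("wrote", out)
```

Run it as python decrypt_windows.py file.WINDOWS on the file extracted from the desktop; the password defaults to the one recovered in Recovery. If the padding check still fails after trimming, the carved file is incomplete rather than mis-keyed, since the key and IV are fully determined by the password.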