DERPCON Covid-19 CTF

DerpCon 2020 (derpcon.io) sought to provide an interesting information security conference to share knowledge and passion with our community. Four CTFs were designed by Threat Simulations in partnership with RunCode.ninja.
@DerpConInfosec #DerpCon
May 1 2020

This was the intermediate level CTF, a hack back scenario responding to Covid-19 scammers, along with additional challenges. I spent a few hours in the afternoon picking away at some challenges, lost track of time, and knocked off a bunch of easy ones after the time had already run out...oops.

Free Flag (CovidScammers)

You've been contacted by a high-end but morally ambiguous finance company (unhackable-bitcoin-wallet.com) to investigate a data breach. The box in question is a mail server in their internal network, a sample of the malware found on the system has been pulled and given to you. Your task, should you choose to accept it, is to reverse-engineer the sample and locate, fuzz and exploit the C2 server, and then hack-back to learn about the malicious actor and recover the stolen documents.

Download this binary to begin!

Look for the free flag. Get on the scoreboard!

OK. Easy start. We download the binary, open the file, and search for flag:
covid{freeFlagLookatMe}

Arch (CovidScammers)

What architecture is this sample compiled for?

Running file on the binary, we can see it is an ELF for an Intel 80386, so x86 it is, and that's accepted as the flag.

Who Me? (CovidScammers)

What is this malware sample called (not the actual binary name)?

I didn't actually get the answer to this, but the work gave other answers:

Well, we don't get that info out of a simple readelf of the file, so let's crack it open in IDA...

The main function contains a b64 encoded string that comes out to covidfunds.net

Main also contains the string: egarots_rroz

Further in, we can also see several series of 1-letter strings that assemble into:

MNXXM2LEPNVUKZLQJF2FGZKDOJCVI3KSFZDHEMDEJ4QX2===
This base32 decodes to covid{kEepItSeCrETmR.Fr0dO!} and I missed out on submitting it!
/etc/init.d/zorr
so egarots_rroz is probably hiding zorr_storage by storing it in reverse
/tmp/.serverauth.tn6aUcM0uM
ALIVE

So, it looks like we've got some Zorro ransomware, but it's not accepting variations on that...

Scouting (CovidScammers)

What is the C2 server? Provide the domain as the answer.

We got that - covidfunds.net

This is nice, might stay a while... (CovidScammers)

How does the malware persist? SHA1 hash the path of the persistence location.
echo -n "/full/path" | sha1sum

We got that, too - the sha1 of /etc/init.d/zorr:
560e4a09711d0adce6379c9dec4d703fb3c3c4f3

Tom Nook - Internet traffic (Forensics)

WOAH!!! Investigation on Tom Nook server has led us to believe he's up to something. I just can't put my finger on it. Could you help me out?

We are provided with a 7zipped archive containing the WhatInTheExfil.pcap. Opening it in Wireshark, we can follow a TCP stream and see the submission of flag.txt with the content:
DERP{WayToCatchMyForeignServer}

Something Derpy (Web)

This challenge is hosted by one of our amazing sponsors. Go to https://www.randori.com

You will not need burp, nmap, nikto (oh gawd), dirble or any other scanning tool. Just use the techniques you already know. Challenge is scoped to the home page. Please don't abuse the site.

This looks like a legitimate business webpage, and there's no clear challenge here, so I'm not sure what we're permitted to do here. Looking at the source code, there is a comment that an image "looks derpy", so let's start there:

Opening the image in Hex Fiend, we can see a b64 string at the very end:
ZGVycHtEb250UGV0VGhlVGlnZXJzfQ==

which decodes to:
derp{DontPetTheTigers}

Web Recon 1 (Tiger King)

Joe developed the site and may have left some notes for you. http://joe.threatsims.com

This is a terrible looking Web 1.0 site. Let's look at the source and get out of it before we suffer an aneurysm.

Sure enough a comment:
I don't know how many times I have to say it!
derp{CaroleBaskinDidIt}

Web Recon 2 (Tiger King)

What is a common file to check for URLs Joe doesn't want Carole to find? http://joe-cv.threatsims.com

Back to the awful website, and it sounds like we're heading to robots.txt. Sure enough there's a User-Agent rule:
derp{JeffLoweStoleMyTigers}

Showing off my Tigers (Tiger King)

Joe really loves showing off his tigers. There is more to the picture than you can see. http://joe-cv.threatsims.com

There is a link called Tigers in the menu bar to ./tigers, which hosts a picture of tigers entitled "There is more to my Taligers than just a picture". Sounds like some more stego...


Opening the file in Hex Fiend, we can see a pile of EXIF data, including the flag:
derp{JoeMadeTaligers}

Eating Sweets (Tiger King)

Joe left you another message, maybe in a storage cracker or something? http://joe-cv.threatsims.com

Cookie time!
There's a cookie called JoesMessage, with the value:
ZGVycHtQZW9wbGVDb21lVG9TZWVNZX0=

Base64 decoded, that's:
derp{PeopleComeToSeeMe}

Browser Check (Tiger King)

Try to use Joe's browser checking service. http://joe-cv.threatsims.com

The menu bar has a "browser check" option, and the flag is just there on that page:
derp{ThisBrowserIsPerferctForJoeExoticTV}

Tiger Auction 1 (Tiger Auction)

This whole time I could have had a tiger for $2K? http://tiger-auction-tk.threatsims.com/

The page just has a search bar for Search my Tiger Collection.

'OR1=1# dumps the whole tiger list.

Running sqlmap with the --forms --crawl=2 options, we find that the 'search' parameter is injectable. Dumping the tigers database, we can see an additional "comments" data field that is mostly full of lorem ipsum garbage.

Running sqlmap again with --os-shell gets us a shell, and flag.txt contains:
derp{feb97c029900494760ee09f9ff89da84}
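
To show what the injectable 'search' parameter means on the code side, here is an added illustration (mine, not the challenge's PHP, which the writeup never shows): the same search written as a string-built query and as a parameterised one, run against a constructed SQLite table. The payload is the writeup's OR 1=1 idea, but written with SQLite's "--" line comment where the writeup's used MySQL's "#"; the table, rows and column names are invented stand-ins.

```python
import sqlite3

# Constructed stand-in for the auction's tiger table; the real schema, row data and
# PHP search code are not on the page. SQLite is used because it runs anywhere.
ROWS = [
    (1, "Shere Khan", 2000, "lorem ipsum dolor"),
    (2, "Rajah", 3500, "sit amet consectetur"),
    (3, "Hobbes", 1200, "adipiscing elit"),
]

# The writeup's payload ends in '#', MySQL's line comment; SQLite's is '--', so the
# same idea is written with that instead. Assumed, not taken from the challenge server.
PAYLOAD = "' OR 1=1 -- "


def make_db() -> sqlite3.Connection:
    """In-memory table shaped like the search results the writeup describes."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tigers (id INTEGER PRIMARY KEY, name TEXT, price INTEGER, comments TEXT)"
    )
    conn.executemany("INSERT INTO tigers VALUES (?, ?, ?, ?)", ROWS)
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> list:
    """String-built query: the search term is spliced into the SQL text, so a quote in
    it closes the literal and the remainder is parsed as SQL. This is the class of
    defect sqlmap reported against the form."""
    sql = f"SELECT name FROM tigers WHERE name LIKE '%{term}%'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn: sqlite3.Connection, term: str) -> list:
    """Parameterised query: the term travels as a bound value, never as SQL text, so
    the same payload is just an odd search string that matches nothing."""
    sql = "SELECT name FROM tigers WHERE name LIKE ?"
    return [row[0] for row in conn.execute(sql, (f"%{term}%",))]


def demo() -> dict:
    """Run an honest search and the payload through both variants."""
    conn = make_db()
    return {
        "honest_vuln": search_vulnerable(conn, "Raj"),
        "honest_safe": search_safe(conn, "Raj"),
        "payload_vuln": search_vulnerable(conn, PAYLOAD),
        "payload_safe": search_safe(conn, PAYLOAD),
    }


if __name__ == "__main__":
    for label, names in demo().items():
        print(f"{label:>13}: {names}")
```

Binding the term as a parameter is the fix for the finding; the string-built form is kept only to make visible what the payload does to the query text (the WHERE clause collapses to LIKE '%' OR 1=1 and the rest is commented out, which is why the whole collection came back).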

Tiger Auction flagbearer (Tiger Auction)

Look around the file system for credz. http://tiger-auction-tk.threatsims.com/

whoami shows us we're running as www-data, and looking through the files on the server, index.php belongs to root. Looking in there, we can find admin credentials for the database:
admin:WdJjkQV4uu0w

I can't switch users, since I'm not in a proper interactive shell - we can work on upgrading that, but for now, let's look around some more.

There is a webadmin.php file that references
$htaccess = ".htaccess"
$htpasswd = ".htpasswd"

We can also cat /etc/passwd, which contains flagbearer and flagholder users, but not /etc/shadow. There is another flag.txt in /home/flagbearer and in /home/flagholder, but we can't cat them with our current permissions.

Trying to su just gives us "su: must be run from a terminal"

OK. We need to get a better shell.
echo $0 tells us that we're in sh
no luck running /bin/bash - we're pretty locked down

/usr/bin/script -qc /bin/bash /dev/null
didn't help

ctrl+z
stty raw -echo
fg
didn't help either

no luck with:
python -c 'import pty; pty.spawn("/bin/sh")'
or
echo os.system('/bin/bash')

Tiger Auction 100 sql (Tiger Auction)

There is a flag in the tiger database, find it. Flag format is like the others but without 'derp{'

Let's start by cutting out just the Comments field - it's the only one large enough to hide a flag in:

cut -d',' -f4 colletion.csv > comments
sort -u comments > sorted

And from there, it was easy to recognise the flag in the midst of the other sorted lorem ipsum results:
dd0279eb53d5768b9a7da70e2722e452

FINAL RESULTS

Final Score: 541
Final Rank: 168/404

Here are a bunch of challenges that I completed in the 15 minutes I thought I still had on the clock, but apparently did not...

n Eggs (Crypto)

AAABBAABAABAAABABBBB ABAAA ABABBABBBABABABAABAA AAAABAAAAAAAABAABBBAABBAB

The repeating A and B characters tell us this is a Baconian cipher:
DERP I LOVE BACON

All about that base (Crypto)

ZGVycHtJc1RoaXNFbmNyeXB0aW9ufQ==

The basic character range and the = at the end tell us this is most likely base64 encoding:
derp{IsThisEncryption}

All about that base remix (Crypto)

MRSXE4D3KRUGS42JONCGKZSFNZRXE6LQORUW63RBPU======

This is base32 encoding:
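
A decoder for this string and the other base-encoded blobs in the writeup, added here as an example (it is not part of the original post): it picks the alphabet from the characters present, restores any '=' padding that copy-paste or a hex dump may have dropped, and decodes. Run as written it also produces the flag for this remix challenge, which the writeup leaves blank. The inputs are the strings quoted in the sections above; the reversed-string and SHA1 helpers reproduce the egarots_rroz observation and the echo -n | sha1sum check from the CovidScammers challenges.

```python
import base64
import hashlib
import re

# All input values below are copied from the writeup; nothing here is invented.
MALWARE_B32 = "MNXXM2LEPNVUKZLQJF2FGZKDOJCVI3KSFZDHEMDEJ4QX2==="
REMIX_B32 = "MRSXE4D3KRUGS42JONCGKZSFNZRXE6LQORUW63RBPU======"
B64_FLAGS = [
    "ZGVycHtEb250UGV0VGhlVGlnZXJzfQ==",  # Something Derpy (tail of the image)
    "ZGVycHtQZW9wbGVDb21lVG9TZWVNZX0=",  # Eating Sweets (JoesMessage cookie)
    "ZGVycHtJc1RoaXNFbmNyeXB0aW9ufQ==",  # All about that base
]
REVERSED_PATH = "egarots_rroz"
PERSISTENCE_PATH = "/etc/init.d/zorr"

B32_RE = re.compile(r"^[A-Z2-7]+=*$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+=*$")


def decode_base32(blob: str) -> str:
    """Decode an RFC 4648 base32 blob, restoring '=' padding to a multiple of eight."""
    blob = blob.strip().upper().rstrip("=")
    blob += "=" * (-len(blob) % 8)
    return base64.b32decode(blob).decode("utf-8")


def decode_base64(blob: str) -> str:
    """Decode an RFC 4648 base64 blob, restoring '=' padding to a multiple of four."""
    blob = blob.strip().rstrip("=")
    blob += "=" * (-len(blob) % 4)
    return base64.b64decode(blob, validate=True).decode("utf-8")


def guess_and_decode(blob: str):
    """Return (alphabet, text). The base32 alphabet (A-Z, 2-7) is a subset of
    base64's, so base32 is tried first only when nothing outside it appears;
    lowercase, 0/1/8/9, '+' or '/' can only be base64."""
    blob = blob.strip()
    if B32_RE.match(blob):
        try:
            return "base32", decode_base32(blob)
        except (ValueError, UnicodeDecodeError):
            pass  # valid base32 alphabet but not a real base32 string
    if B64_RE.match(blob):
        return "base64", decode_base64(blob)
    raise ValueError("not a base32/base64 blob: %r" % blob)


def unreverse(s: str) -> str:
    """Undo the string-reversal obfuscation behind egarots_rroz."""
    return s[::-1]


def persistence_hash(path: str) -> str:
    """SHA1 of the path bytes, as 'echo -n path | sha1sum' computes it."""
    return hashlib.sha1(path.encode()).hexdigest()


if __name__ == "__main__":
    for blob in [MALWARE_B32, REMIX_B32, *B64_FLAGS]:
        kind, text = guess_and_decode(blob)
        print(f"{kind}: {text}")
    print("reversed:", unreverse(REVERSED_PATH))
    print("sha1:", persistence_hash(PERSISTENCE_PATH))
```

The classifier is a heuristic: a short base64 string made only of uppercase letters and the digits 2 to 7 would be tried as base32 first and only fall through if the bytes are not valid UTF-8, which is why both decoders are also exposed directly for when you already know the alphabet.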

Two Streams (Crypto)

asuo{TaoDadqtfnLukRsrvhbWyuiLop}

The simple encoding structure (flag format retained, number of characters, simple alphabet) and the challenge name would seem to indicate this is a bifid cipher:
derp{TwoStreamsAreBetterThanOne}

et tu Brute (Crypto)

qrec{NaByqvrOhgNTbbqvr}

The simple encoding structure and the reference to Julius Caesar's famous last words tell us this is a Caesar cipher:
derp{AnOldieButAGoodie}

AFSC 29331 (Crypto)

-.. . .-. .--./-.. .. - - -.--/-... --- .--. .--. . .-. ...

The dots and dashes give this one away, and the AFSC 29331 title is a reference to the US Air Force's point-to-point ground radio operators. This is Morse code:
derpdittyboppers

Why are they even in that order in the fist place? (Crypto)

4:5:18:16:12:15:14:7:5:19:20:3:15:13:2:15:5:22:5:18

The numbers are all between 1 and 26, so it is probably a letters-to-numbers (A1Z26) cipher:
D:E:R:P:L:O:N:G:E:S:T:C:O:M:B:O:E:V:E:R

Don't touch the third rail (Crypto)

d{zir}epZgaCpeFWrighT

The challenge name referring to a "third rail" gave me the idea that this is a Railfence cipher with 3 rails:
derp{ZigzagCipherFTW}

Mind the Padding (Crypto)

You'll need a pad for this one. It is the Mission Statement of one of our gold sponsors.
evzc{cej.ymzompsow-ab.kbu}

The clue gives this one away as a One-Time Pad cipher. It used the Solutions II mission statement:
Solutions II Mission: BRINGING YOU THE BEST IN IT SOLUTIONS
derp{www.solutions-ii.com}
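
The classical ciphers in this block are small enough to decode by hand, and the following is an added example (mine, not the challenge authors' or the writeup's) that does exactly that for the Baconian, Caesar, Morse, letters-to-numbers, rail fence and one-time pad challenges above, each in a few lines, so the recognition step the writeup describes can be checked mechanically. The ciphertexts are copied from the challenges; the pad key is the mission statement quoted above with spaces removed. The bifid challenge is omitted because its key square and period are not stated on the page, and the Caesar cracker assumes the flag prefix "derp{" as a crib.

```python
import string

# Ciphertexts copied from the challenge sections above; the pad's key is the
# Solutions II mission statement the writeup names. The bifid challenge is left
# out because its key square and period are not stated on the page.
BACON_CT = "AAABBAABAABAAABABBBB ABAAA ABABBABBBABABABAABAA AAAABAAAAAAAABAABBBAABBAB"
CAESAR_CT = "qrec{NaByqvrOhgNTbbqvr}"
MORSE_CT = "-.. . .-. .--./-.. .. - - -.--/-... --- .--. .--. . .-. ..."
A1Z26_CT = "4:5:18:16:12:15:14:7:5:19:20:3:15:13:2:15:5:22:5:18"
RAIL_CT = "d{zir}epZgaCpeFWrighT"
PAD_CT = "evzc{cej.ymzompsow-ab.kbu}"
PAD_KEY = "BRINGING YOU THE BEST IN IT SOLUTIONS"

UPPER, LOWER = string.ascii_uppercase, string.ascii_lowercase
MORSE = {".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
         "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
         "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
         "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
         "-.--": "Y", "--..": "Z"}


def bacon_decode(ct: str) -> str:
    """26-letter Baconian: each run of five A/B symbols is a binary index into the
    alphabet (A=0, B=1); spaces in the ciphertext separate words."""
    words = []
    for word in ct.split():
        bits = word.replace("A", "0").replace("B", "1")
        words.append("".join(UPPER[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5)))
    return " ".join(words)


def caesar_shift(text: str, shift: int) -> str:
    """Rotate letters by `shift` keeping case; anything else passes through unchanged."""
    out = []
    for c in text:
        alphabet = UPPER if c in UPPER else LOWER if c in LOWER else None
        out.append(alphabet[(alphabet.index(c) + shift) % 26] if alphabet else c)
    return "".join(out)


def caesar_crack(ct: str, known_prefix: str = "derp{"):
    """Try every shift and return (shift, plaintext) for the one exposing the flag prefix."""
    for shift in range(1, 26):
        pt = caesar_shift(ct, -shift)
        if pt.startswith(known_prefix):
            return shift, pt
    raise ValueError("no shift produces the expected prefix")


def morse_decode(ct: str) -> str:
    """Symbols are space-separated, words '/'-separated; the flag was lowercased, no spaces."""
    return "".join(MORSE[sym] for word in ct.split("/") for sym in word.split()).lower()


def a1z26_decode(ct: str, sep: str = ":") -> str:
    """Letters-to-numbers: 1..26 stand for A..Z."""
    return "".join(UPPER[int(n) - 1] for n in ct.split(sep))


def rail_fence_decode(ct: str, rails: int) -> str:
    """Undo a zigzag over `rails` rows: work out which rail each plaintext index lands
    on, then deal the ciphertext out rail by rail (each rail is contiguous in it)."""
    cycle = 2 * (rails - 1)
    rail_of = [min(i % cycle, cycle - i % cycle) for i in range(len(ct))]
    pos = [sum(rail_of.count(r) for r in range(rail)) for rail in range(rails)]
    out = []
    for r in rail_of:
        out.append(ct[pos[r]])
        pos[r] += 1
    return "".join(out)


def pad_decrypt(ct: str, key: str) -> str:
    """Running-key decryption (A=0..Z=25): subtract one key letter per ciphertext
    letter mod 26. Punctuation in the ciphertext passes through without consuming
    key; spaces in the key are skipped; running out of key is an error, not a wrap."""
    key_letters = [c for c in key.upper() if c in UPPER]
    out, k = [], 0
    for c in ct:
        alphabet = UPPER if c in UPPER else LOWER if c in LOWER else None
        if alphabet is None:
            out.append(c)
            continue
        if k >= len(key_letters):
            raise ValueError("key exhausted before end of ciphertext")
        out.append(alphabet[(alphabet.index(c) - UPPER.index(key_letters[k])) % 26])
        k += 1
    return "".join(out)


if __name__ == "__main__":
    print(bacon_decode(BACON_CT))
    print(caesar_crack(CAESAR_CT))
    print(morse_decode(MORSE_CT))
    print(a1z26_decode(A1Z26_CT))
    print(rail_fence_decode(RAIL_CT, 3))
    print(pad_decrypt(PAD_CT, PAD_KEY))
```

Two details worth noting: the Baconian here is the 26-letter variant (the classical one merges I/J and U/V, and would not give "I LOVE" cleanly), and the pad refuses to wrap a key that is shorter than the message, since a key reused that way is a Vigenere cipher rather than a pad.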

Survey (n/a)

I just completed the survey.

derp{ThanksForTakingTheSurvey}

"FINAL" RESULTS

By my count, that would add another 380 points to my total: 921pts