DEF CON 29 Red Team Village Capture the Flag (CTF) - Part 2

This is a continuation of my previous post. These are the challenges covered in this part 2 of 2:

  1. Network Forensics - Malware Capture
  2. Kevins Chili - Sweeper
  3. Sherlock Holmes QR Code Adventure - 1. & 2.
  4. Bonk Wallet - 0x01. dev bonk

Malware Capture

For this challenge, I was given a pcap file named notmalware.pcap containing malware network traffic. My goal was to identify the common name of this malware.

Task with max 10 attempts
packets in notmalware.pcap

Usually I would record the endpoints and network devices to visualise the network topology. This time I skipped that and looked directly at the files transferred during the capture.

There was no HTTP traffic, only SMB, so I used Wireshark's Export Objects > SMB and found a peculiar file named Penguins.jpg.

Penguins.jpg

I downloaded the file and looked at its metadata, as I wasn't sure whether it was hiding actual malware. Running exiftool, I noticed some odd information, such as a reference to Adobe.

Next, I generated an MD5 hash of Penguins.jpg to see if I could find any information about it online.

MD5 hash of Penguins.jpg
Search results brought me to this

The search results closely matched what I was looking at, and the title gave it away, so I scored on this challenge. Flag: WannaCry

Kevins Chili - Sweeper

This challenge was really interesting; it was a continuation of another challenge, Kevins Chili - Ingredient. A web version of minesweeper was hidden in the website, and the game was impossible to beat by playing normally.

Challenge
Link to the secret game

The minesweeper board was 20 x 20 and only 10 cells were safe. I knew there had to be some other way to beat the game, so I opened the browser console and found a JavaScript file that contained the main functions of the game.

I analysed the code and found the winning condition required to get a flag.

The winning condition was to make squaresleft == 0

From the code, I understood that the safe cells were marked as False in a nested array, so I wrote a script that called gridclick() on every cell whose element was False. The problem I faced was that the game did not end, because the game code never reached the check at line 1109.

Script to solve minesweeper

So I scrapped that script and used a much simpler method: I set the variable squaresleft = 0 and triggered the win check by calling gridclick(). It did not matter whether I selected a mine or not, as the winning condition only checks whether squaresleft == 0.

Game cleared
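The weakness behind this solve is that the whole game, including the win check, runs in the browser, where any variable can be rewritten from the console. As an added example (not the challenge's code; `squaresleft` and `gridclick()` mirror the names in the post, the board and everything else are constructed), here is that pattern beside a server-style check that derives the result from state the client cannot touch:

```javascript
// Added example (not the challenge's code). Two ways a minesweeper-style
// game can decide "won": trusting a client-side counter, or recomputing
// the result from state the client cannot edit.

// Constructed 4x4 board: true = mine, false = safe (3 safe cells).
const BOARD = [
  [true,  true,  false, true],
  [true,  false, true,  true],
  [true,  true,  true,  false],
  [true,  true,  true,  true],
];

// --- Vulnerable pattern, as in the challenge ----------------------------
// All game state is a mutable object in the page; gridclick() only checks
// the counter, so setting squaresleft = 0 and clicking anything "wins".
function makeClientGame(board) {
  const safe = board.flat().filter(m => !m).length;
  const state = { squaresleft: safe, flag: null };
  state.gridclick = (r, c) => {
    if (!board[r][c]) state.squaresleft--;   // no check that the cell is new
    if (state.squaresleft === 0) state.flag = "FLAG{constructed}";
    return state.flag;
  };
  return state;
}

// --- Hardened pattern ---------------------------------------------------
// The server keeps the board and the set of revealed cells in a closure;
// the client only submits coordinates. "Won" is derived on every call,
// never stored where the client can assign to it.
function makeServerGame(board) {
  const revealed = new Set();
  let dead = false;
  const totalSafe = board.flat().filter(m => !m).length;
  return {
    reveal(r, c) {
      if (dead) return { status: "lost" };
      if (board[r][c]) { dead = true; return { status: "lost" }; }
      revealed.add(`${r},${c}`);           // repeated clicks collapse in the Set
      const won = revealed.size === totalSafe;
      return won ? { status: "won", flag: "FLAG{constructed}" }
                 : { status: "playing" };
    },
  };
}
```

In the hardened version the only client-controlled input is the coordinate pair, so the counter tamper used above has nothing to reach.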

Sherlock Holmes QR Code Adventure - 1. The Beginning

This was a 5-part steganography challenge, of which I could only solve the first. I got halfway into the 2nd challenge but couldn't solve it.

First challenge

The file was an image file named The_Beginning.jpg. Knowing there must be a flag within, I ran exiftool to see if the flag was kept in the metadata.

exiftool information

I couldn't tell much from this, so I used steghide to try to extract any hidden files.

steghide successfully extracted a zip file

Steghide worked and extracted the file. Inside were a partial QR code and a note, which contained the flag.

partial QR code
note

Sherlock Holmes QR Code Adventure - 2. The Mismatched Picture

This was the second challenge which I did not complete.

The Mismatched Picture

The image provided was similar to The_Beginning.jpg from the first challenge, but significantly larger in size. Steghide did not work this time, so I used an online decoder.

online decoder

The online decoder managed to extract an underlying image from The_Beginning_dup.jpg, and it was a QR code. Reading the QR code brought me to a pastebin link where a list of strings had been dumped. No flag there. I spent a little more time on it to no avail, so I moved on to another challenge.

Bonk Wallet - 0x01. dev bonk

This challenge was an interesting one, the first of a 4-part series. It required OSINT to obtain the credentials to a user's wallet.

Challenge

At the given URL was a web application for a cryptocurrency called bonk, and the task was to get into the developer's wallet. For this challenge I used a hint (which cost me 10 points); it suggested that the developer might have uploaded personal files to GitHub.

This was what I found after a little digging in GitHub:

bonkuser github repository

I scoured through the image folder and found a peculiar image.

bonkuser's credentials
Bonkuser wallet successfully accessed

I got into bonkuser's wallet, and the flag for this challenge was on the Settings page.

Game Over

Unfortunately time ran out and I was not able to complete the next challenge, 0x02. richbonk.

Conclusion

My friends and I all had lots of fun participating in this event. Although we didn't make it into the qualifiers, we were happy with our progress and the things we learnt along the way. 10/10 would participate again.

not too shabby!