CYBORG SECURITY 2020 CTF SOLUTIONS

By Austin Jackson from Cyborg Security

FORENSICS (25 POINTS) — OUR LOGO IS FEELIN’ SPIDERY

Challenge text: I think a spider may have crept into the Cyborg Security logo, could you help me get him out?

$ binwalk --dd='.*' Cyborg_Logo.png
DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 PNG image, 500 x 424, 8-bit/color RGBA, non-interlaced
41 0x29 Zlib compressed data, best compression
145201 0x23731 PNG image, 620 x 442, 8-bit/color RGB, non-interlaced
145329 0x237B1 Zlib compressed data, compressed
$ cd _Cyborg_Logo.png.extracted/ && file *
0: PNG image data, 500 x 424, 8-bit/color RGBA, non-interlaced
29: empty
29-0: zlib compressed data
237B1: empty
237B1-0: zlib compressed data
23731: PNG image data, 620 x 442, 8-bit/color RGB, non-interlaced
$ exiftool 23731 | grep -i comment
Comment : Q3lib3JnQ1RGe2x1YzRzXzFzXzRfbjFjM19zcDFkM3JfdGgwfQo=
$ echo "Q3lib3JnQ1RGe2x1YzRzXzFzXzRfbjFjM19zcDFkM3JfdGgwfQo=" | base64 -d
CyborgCTF{luc4s_1s_4_n1c3_sp1d3r_th0}
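The same carve can be scripted instead of chaining binwalk, file and exiftool. The block below is an added example (not part of the original write-up): it scans a blob for PNG signatures, walks each image's chunks with CRC checks, pulls out tEXt entries such as the Comment keyword, and base64-decodes them. The sample blob is constructed inside the script (an outer image with a second PNG appended after its IEND), so it runs without the challenge file.

```python
import base64
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one chunk: big-endian length, 4-byte type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_png(width: int, height: int, text=None) -> bytes:
    """Build a minimal valid 8-bit RGB PNG (solid red), optionally with a tEXt chunk.
    Only used here to construct sample input; the challenge file is not reproduced."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    scanlines = b"".join(b"\x00" + b"\xff\x00\x00" * width for _ in range(height))
    chunks = [png_chunk(b"IHDR", ihdr)]
    if text is not None:
        keyword, value = text
        chunks.append(png_chunk(b"tEXt", keyword + b"\x00" + value))
    chunks.append(png_chunk(b"IDAT", zlib.compress(scanlines)))
    chunks.append(png_chunk(b"IEND", b""))
    return PNG_SIG + b"".join(chunks)


def walk_chunks(blob: bytes, start: int):
    """Yield (type, data, crc_ok, end_offset) for each chunk of the PNG whose
    signature sits at `start`; stop at IEND or when the data is truncated."""
    pos = start + len(PNG_SIG)
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        data = blob[pos + 8:pos + 8 + length]
        crc_raw = blob[pos + 8 + length:pos + 12 + length]
        if len(data) < length or len(crc_raw) < 4:
            return  # truncated chunk: stop walking this image
        crc_ok = struct.unpack(">I", crc_raw)[0] == (zlib.crc32(ctype + data) & 0xFFFFFFFF)
        pos += 12 + length
        yield ctype, data, crc_ok, pos
        if ctype == b"IEND":
            return


def carve_pngs(blob: bytes) -> list:
    """Locate every PNG signature in `blob` (the same idea as binwalk's signature
    scan), walk its chunks, and collect tEXt entries keyed by keyword."""
    found = []
    pos = blob.find(PNG_SIG)
    while pos != -1:
        texts, end = {}, pos + len(PNG_SIG)
        for ctype, data, crc_ok, end in walk_chunks(blob, pos):
            if ctype == b"tEXt" and crc_ok:
                keyword, _, value = data.partition(b"\x00")
                texts[keyword.decode("latin-1")] = value.decode("latin-1")
        found.append({"offset": pos, "end": end, "text": texts, "data": blob[pos:end]})
        pos = blob.find(PNG_SIG, pos + 1)
    return found


def decode_comment(comment: str):
    """Return the base64-decoded comment as text, or None if it is not valid base64/UTF-8."""
    try:
        return base64.b64decode(comment, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


# Constructed sample: an outer image with a second, smaller PNG appended after
# its IEND, carrying a base64 string in a tEXt "Comment" chunk.
SAMPLE_SECRET = base64.b64encode(b"constructed sample text\n").decode()
SAMPLE_BLOB = make_png(4, 3) + make_png(2, 2, (b"Comment", SAMPLE_SECRET.encode()))

if __name__ == "__main__":
    for img in carve_pngs(SAMPLE_BLOB):
        print(f"PNG at offset {img['offset']} ({len(img['data'])} bytes): {img['text']}")
        if "Comment" in img["text"]:
            print("decoded comment:", repr(decode_comment(img["text"]["Comment"])))
```

Running it on a real file is a matter of reading the bytes and passing them to carve_pngs; the end offset of the first image tells you where the appended one starts, which is what binwalk reported as 0x23731 above.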

FORENSICS 50 — I DON’T /RUN FAST…

Challenge text: This partial Linux disk image is hiding a flag, can you find it?

$ file i_dont_run_fast.img 
i_dont_run_fast.img: Linux rev 1.0 ext4 filesystem data, UUID=8c732098-890a-4939-868d-85f380b893c4 (extents) (64bit) (large files) (huge files)
$ sudo mount i_dont_run_fast.img /mnt/
$ ls /mnt/
run/
$ sudo grep -r "CyborgCTF" /mnt/run/
/mnt/run/systemd/journal/streams/9:16969:FLAG=CyborgCTF{n3w_f1l3_syst3m_wh0_d1s}

MALWARE/RE 25 — CORRUPTTT

Challenge text: I think my EXE is corrupted, maybe there’s still something useful inside?

$ strings corrupttt.exe | grep -E '[A-Za-z0-9+/]{4}*([A-Za-z0-9+/]{4}|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{2}==)'
...
UWVSH
UATWVSH
H9Chv`H
H9Chw
X215X2IxbnpfZzN0X2MwcnJ1cHQzZH0=
Q3lib3JnQ1RGezFfaDR0M18xdF93aDNu
uespemosarenegylmodnarodsetybdetuespemosarenegylmodnarodsetybdet\
/rustc/04488afe34512aa4c33566eb16d8c912a3ae04f9\src\libcore\slice\mod.rs
/rustc/04488afe34512aa4c33566eb16d8c912a3ae04f9\src\liballoc\collections\btree\map.rs
...
$ echo "Q3lib3JnQ1RGezFfaDR0M18xdF93aDNuX215X2IxbnpfZzN0X2MwcnJ1cHQzZH0=" | base64 -d
CyborgCTF{1_h4t3_1t_wh3n_my_b1nz_g3t_c0rrupt3d}
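The grep above finds the two halves but they sit in the binary in the wrong order, so the join was done by eye. The block below is an added example (not part of the original write-up) that automates that step: it extracts printable runs the way strings does, keeps only well-formed base64, decodes each candidate strictly, and then tries ordered pairs, keeping only results that contain the flag marker and close with a brace. Because a fragment ending in '=' padding can only be the tail, pairs with padding in the middle fail the strict decode and drop out on their own. The sample blob is constructed in the script with a made-up flag, and includes a 32-character alphanumeric run modelled on the Rust RNG string seen in the real dump to show how a false positive is rejected.

```python
import base64
import re

# Printable ASCII runs of at least 4 bytes, like `strings` with its default length.
STRING_RE = re.compile(rb"[\x20-\x7e]{4,}")
# Whole-string base64 check, tightened from the grep pattern used above.
B64_RE = re.compile(
    rb"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{4}|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{2}==)$"
)
FLAG_MARKER = "CyborgCTF{"


def printable_strings(blob: bytes) -> list:
    return [m.group() for m in STRING_RE.finditer(blob)]


def base64_candidates(blob: bytes, min_len: int = 16) -> list:
    """Keep only runs that are well-formed base64 and long enough to be interesting."""
    return [s for s in printable_strings(blob) if len(s) >= min_len and B64_RE.match(s)]


def try_decode(candidate: bytes):
    """Decode strictly; return text only if the result is printable ASCII, else None."""
    try:
        raw = base64.b64decode(candidate, validate=True)
    except ValueError:
        return None
    if raw and all(0x20 <= b < 0x7F or b in b"\r\n\t" for b in raw):
        return raw.decode("ascii")
    return None


def recover_split_strings(blob: bytes, marker: str = FLAG_MARKER) -> list:
    """Decode every candidate alone, then every ordered pair, keeping results
    that carry the marker and end with '}'."""
    cands = base64_candidates(blob)
    combos = [(c,) for c in cands]
    combos += [(cands[i], cands[j]) for i in range(len(cands))
               for j in range(len(cands)) if i != j]
    hits = []
    for parts in combos:
        text = try_decode(b"".join(parts))
        if text and marker in text and text.endswith("}") and text not in hits:
            hits.append(text)
    return hits


# Constructed sample: the base64 of a made-up flag split in two and stored out of
# order between other strings, plus a run that looks like base64 but is not.
SAMPLE_FLAG = b"CyborgCTF{constructed_example_fl4g}"
SAMPLE_B64 = base64.b64encode(SAMPLE_FLAG)
SAMPLE_BLOB = (
    b"\x00UWVSH\x00UATWVSH\x00" + SAMPLE_B64[24:] + b"\x00" + SAMPLE_B64[:24] + b"\x00"
    + b"uespemosarenegylmodnarodsetybdet\x00/src/libcore/slice/mod.rs\x00"
)

if __name__ == "__main__":
    print("candidates:", base64_candidates(SAMPLE_BLOB))
    print("recovered:", recover_split_strings(SAMPLE_BLOB))
```

Against a real binary, read the file as bytes and pass it to recover_split_strings; the pairwise pass is quadratic in the number of candidates, which is fine for the handful a typical executable yields.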

MALWARE/RE 50 — CALL ME ON MY NEURALINK

Challenge text: My Neuralink went down, now all I got is this crummy old Nextel. What was the password to unlock it again?

$ file call_me_on_my_neuralink
call_me_on_my_neuralink: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2,
BuildID[sha1]=633e63ae6e6a7021d175a461e867954c450d9f25, for GNU/Linux 3.2.0, not stripped
>>> data = [30, 15, 80, 23, 27, 80, 13, 60, 26, 14, 60, 13, 83, 60, 80, 14, 60, 15, 15, 87, 0, 60, 83, 23, 60, 7, 80, 16, 22, 60, 80, 11, 16, 24, 37, 55, 32, 4, 17, 12, 1, 26, 32]
>>> ''.join([chr(i ^ 0x63) for i in data[::-1]])
'CyborgCTF{sh3_us3d_t0_c4ll_m3_0n_my_n3xt3l}'
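The one-liner above already knows the key (0x63) and that the bytes are stored back to front. The block below is an added example (not part of the original write-up) showing the two ways to get there without reading the disassembly: a known-plaintext shortcut that derives the key from the flag prefix, and a full brute force over all 256 keys in both byte orders that keeps only printable results starting with the prefix. The byte array is the one printed in the session above.

```python
FLAG_PREFIX = b"CyborgCTF{"

# Byte array recovered from the binary, copied from the session above.
DATA = [30, 15, 80, 23, 27, 80, 13, 60, 26, 14, 60, 13, 83, 60, 80, 14, 60, 15, 15, 87,
        0, 60, 83, 23, 60, 7, 80, 16, 22, 60, 80, 11, 16, 24, 37, 55, 32, 4, 17, 12,
        1, 26, 32]


def single_byte_xor(data, key: int) -> bytes:
    """XOR every byte with the same key; applying it twice restores the input."""
    return bytes(b ^ key for b in data)


def is_printable(buf: bytes) -> bool:
    return all(0x20 <= b < 0x7F for b in buf)


def key_from_crib(data, crib: bytes, reverse: bool = False):
    """Known-plaintext shortcut: with the flag format known, the key is just
    ciphertext[0] ^ crib[0]; confirm it against the rest of the crib."""
    ordered = data[::-1] if reverse else list(data)
    key = ordered[0] ^ crib[0]
    if bytes(c ^ key for c in ordered[:len(crib)]) == crib:
        return key
    return None


def brute_force_xor(data, prefix: bytes = FLAG_PREFIX) -> list:
    """Try every single-byte key on both byte orders; keep candidates whose
    plaintext is all printable ASCII and starts with the expected prefix.
    Returns (key, reversed, plaintext) tuples."""
    hits = []
    for reverse in (False, True):
        ordered = data[::-1] if reverse else list(data)
        for key in range(256):
            plain = single_byte_xor(ordered, key)
            if plain.startswith(prefix) and is_printable(plain):
                hits.append((key, reverse, plain.decode("ascii")))
    return hits


if __name__ == "__main__":
    print("crib key (reversed order):", hex(key_from_crib(DATA, FLAG_PREFIX, reverse=True)))
    for key, reverse, plain in brute_force_xor(DATA):
        print(f"key=0x{key:02x} reversed={reverse}: {plain}")
```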

MALWARE/RE 75 — SCHWANSOMWARE

Challenge text: Some evil Schwansomware encrypted my favorite picture! Help me get it back? One of our forensic analysts looked at the malware and told us this number might be important: 1585613911

$ file Schwansomware*
Schwansomware: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2,
BuildID[sha1]=c1a01dc366cc2c0060524c7a948c8571ee1fc4ca, for GNU/Linux 3.2.0, not stripped
Schwansomware.enc: data
/*
 * gen_srand_array.c
 * Reproduce the keystream: seed the C library PRNG with the number the
 * analyst recovered, then emit one byte per position of the encrypted file.
 */
#include <stdio.h>
#include <stdlib.h>

int main(void)
{
    srand(1585613911);
    /*
    $ du -b Schwansomware.enc
    657099 Schwansomware.enc
    */
    const size_t len = 657099;
    unsigned char *stream = malloc(len);
    if (stream == NULL)
        return 1;
    for (size_t i = 0; i < len; i++) {
        stream[i] = rand();   /* keeps only the low byte of each rand() value */
        printf("%d ", stream[i]);
    }
    free(stream);
    return 0;
}
$ gcc gen_srand_array.c
$ ./a.out > Schwansomware_array.txt
# XOR the encrypted file against the keystream written by gen_srand_array.c;
# XOR is its own inverse, so this undoes the malware's encryption.
with open('Schwansomware.enc', 'rb') as f:
    encrypted_bytes = list(f.read())
with open('Schwansomware_array.txt', 'r') as f:
    srand_bytes = list(map(int, f.read().split()))
outf = []
for a, b in zip(encrypted_bytes, srand_bytes):
    outf.append(a ^ b)
with open('Schwansomware.jpg', 'wb') as f:
    f.write(bytearray(outf))
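The C helper above works because srand()/rand() is deterministic, so anyone who knows the seed can regenerate the keystream. The block below is an added example (not part of the original write-up) that does the same in pure Python by reimplementing glibc's generator (the TYPE_3 additive feedback generator: a Lehmer LCG fills a 31-word state, 310 outputs are discarded, then each output is the top 31 bits of state[i-31] + state[i-3]). This assumes, as the C approach does, that the sample was linked against glibc; the keystream byte is the low byte of each rand() value, matching the `stream[i] = rand();` truncation. The "encrypted picture" is constructed inside the script.

```python
from collections import deque

MASK32 = 0xFFFFFFFF


def glibc_random(seed: int):
    """Generator reproducing glibc's rand()/random() output after srand(seed).
    Reimplemented from the well-known TYPE_3 algorithm; assumption: the target
    binary used glibc's rand()."""
    seed &= MASK32
    if seed == 0:
        seed = 1                # glibc refuses a zero seed
    if seed >= 0x80000000:
        seed -= 0x100000000     # state[0] is kept as a signed 32-bit word
    r = [seed]
    for i in range(1, 31):      # fill the state with a Lehmer LCG (Schrage's method in C)
        r.append((16807 * r[i - 1]) % 2147483647)
    for i in range(31, 34):
        r.append(r[i - 31])
    ring = deque(r, maxlen=34)  # only the last 34 words are ever needed
    for _ in range(34, 344):    # glibc discards the first 310 outputs after seeding
        ring.append((ring[-31] + ring[-3]) & MASK32)
    while True:
        ring.append((ring[-31] + ring[-3]) & MASK32)
        yield ring[-1] >> 1     # rand() returns the top 31 bits


def rand_sequence(seed: int, n: int) -> list:
    gen = glibc_random(seed)
    return [next(gen) for _ in range(n)]


def keystream(seed: int, n: int) -> bytes:
    """What `stream[i] = rand();` stores: the low byte of each rand() value."""
    gen = glibc_random(seed)
    return bytes(next(gen) & 0xFF for _ in range(n))


def xor_with_keystream(data: bytes, seed: int) -> bytes:
    """Encrypt or decrypt (XOR is its own inverse) a buffer against the rand() keystream."""
    return bytes(a ^ b for a, b in zip(data, keystream(seed, len(data))))


# Constructed sample: a fake "picture" encrypted with the seed from the challenge text.
SAMPLE_SEED = 1585613911
SAMPLE_PLAINTEXT = b"\xff\xd8\xff\xe0constructed JPEG-like sample bytes"
SAMPLE_CIPHERTEXT = xor_with_keystream(SAMPLE_PLAINTEXT, SAMPLE_SEED)

if __name__ == "__main__":
    print("first rand() values for seed 1:", rand_sequence(1, 4))
    print("recovered:", xor_with_keystream(SAMPLE_CIPHERTEXT, SAMPLE_SEED))
```

To recover a real file, read Schwansomware.enc as bytes and call xor_with_keystream(data, 1585613911); the first values for seed 1 (1804289383, 846930886, ...) are the standard check that the reimplementation matches the C library.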

PCAP 25 — I DON’T GET IT?

Challenge text: N/A

echo "Q3lib3JnQ1RGe2QwX3kwdV9nM3RfMXRfbjB3fQo=" | base64 -d
CyborgCTF{d0_y0u_g3t_1t_n0w}

PCAP 50 — DNS ON A ROLL

Challenge text: N/A

$ tshark -r dns_on_a_roll.pcapng -T fields -e dns.qry.name -2R "dns.flags.response eq 0" | cut -d'.' -f1 | tr -d '\n' | base64 -d
We're no strangers to love
You know the rules and so do I
A full commitment's what I'm thinking of
You wouldn't get this from any other guy
I just wanna tell you how I'm feeling
Gotta make you understand
Never gonna give you up
Never gonna let you down
Never gonna run around and desert you
Never gonna make you cry
Never gonna say CyborgCTF{th3_0l3_dns_r1ckr0ll}
Never gonna tell a lie and hurt you
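The tshark pipeline above relies on two things: filtering to queries only (responses repeat the same name and would double every chunk) and taking just the first label of each name. The block below is an added example (not part of the original write-up) that does the same from raw DNS messages: a small question-section parser that reads the QR flag and QNAME, and a reassembler that joins the first labels in capture order, restores stripped '=' padding and base64-decodes. The capture is constructed inside the script under a made-up domain, with a resolver reply following each query and one unrelated lookup mixed in.

```python
import base64
import struct


def encode_qname(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def build_dns_message(name: str, txid: int = 0, response: bool = False) -> bytes:
    """Construct a minimal DNS message with one A/IN question (used to build samples)."""
    flags = 0x8180 if response else 0x0100        # QR bit set for responses
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack(">HH", 1, 1)


def parse_question(msg: bytes):
    """Return (is_response, qname) from a DNS message, or None if it cannot be parsed.
    Equivalent to tshark's dns.flags.response and dns.qry.name fields."""
    if len(msg) < 12:
        return None
    _txid, flags, qdcount = struct.unpack(">HHH", msg[:6])
    if qdcount == 0:
        return None
    pos, labels = 12, []
    while pos < len(msg):
        ln = msg[pos]
        if ln == 0:
            return bool(flags & 0x8000), ".".join(labels)
        if ln & 0xC0:                  # compression pointers do not occur in a question name
            return None
        pos += 1
        labels.append(msg[pos:pos + ln].decode("latin-1"))
        pos += ln
    return None                        # ran off the end before the terminating zero label


def reassemble_exfil(messages, domain: str) -> bytes:
    """Take the first label of every *query* for `domain`, in capture order, join the
    pieces, restore any stripped '=' padding and base64-decode the result."""
    pieces = []
    for msg in messages:
        parsed = parse_question(msg)
        if parsed is None:
            continue
        is_response, qname = parsed
        if is_response or not qname.endswith("." + domain):
            continue                   # skip answers (they repeat the name) and unrelated queries
        pieces.append(qname.split(".")[0])
    joined = "".join(pieces)
    joined += "=" * (-len(joined) % 4)
    return base64.b64decode(joined)


# Constructed sample capture: a secret base64-encoded, padding stripped, cut into
# 12-character labels, each sent as a query with the resolver's reply following it.
SAMPLE_SECRET = b"constructed sample text, not the real payload\n"
SAMPLE_DOMAIN = "exfil.example"
SAMPLE_ENCODED = base64.b64encode(SAMPLE_SECRET).decode().rstrip("=")
SAMPLE_CAPTURE = []
for idx, chunk in enumerate(SAMPLE_ENCODED[i:i + 12] for i in range(0, len(SAMPLE_ENCODED), 12)):
    SAMPLE_CAPTURE.append(build_dns_message(f"{chunk}.{SAMPLE_DOMAIN}", txid=idx))
    SAMPLE_CAPTURE.append(build_dns_message(f"{chunk}.{SAMPLE_DOMAIN}", txid=idx, response=True))
SAMPLE_CAPTURE.append(build_dns_message("www.example", txid=99))   # unrelated lookup

if __name__ == "__main__":
    print(reassemble_exfil(SAMPLE_CAPTURE, SAMPLE_DOMAIN).decode())
```

One caveat for real captures: DNS names are case-insensitive, so a resolver or proxy that lowercases names would corrupt the base64; in this pcap the queries arrived as sent, which is why the straight join worked.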

PCAP 75 — WE4THERTENKO?

Challenge text: We’ve intercepted a communication stream between a rogue cyborg and an unknown accomplice. Can you figure out what they are talking about?

$ tshark -r we4thertenko.pcapng -Y websocket -T fields -e text > websocket_dump.txt
$ python -i rc4-3.py
>>> rc4_decrypt = decrypt
>>> websocket_dump = open('websocket_dump.txt').read().splitlines()
>>> websocket_data = [i.split(',')[1].strip(' [truncated]') for i in websocket_dump if ',' in i]
>>> websocket_data
['F37DEC4FA21F4CAE254D6A6DF23C53DF15553D6020B3C7C1728E757EB7A07AF3899C7B1E0414DDDE473A07F863B2FD9E4C1FA547255988E498AAD2941DC84DDDA0F408D82E09E3E271739CBC',
'F37DF253A20549EB7A4F7202943D7EC73172481510B6E6D26DAB5E45AACB1E81C49046201014E2F602547F9345BCED861304F31611', ... ]
>>> websocket_data_decrypt = [rc4_decrypt('super-secret-passcode', i) for i in websocket_data]
>>> websocket_data_decrypt
['{"sysid": "ODRjNWE2MWQyZjlm\\n", "message": "SGVsbG8sIHRoaXMgaXMgTXIuIFg=\\n"}', '{"message": "SGVsbG8gTXIuIFgsIHRoaXMgaXMgTXIuIFk=\\n"}', ... ]
>>> import base64, json
>>> for i in websocket_data_decrypt:
...     try:
...         base64.b64decode(json.loads(i)['message'])
...     except: pass
...
b'Hello, this is Mr. X'
b'Hello Mr. X, this is Mr. Y'
b'Hello Mr. X, this is Mr. Y'
b'Please Code in'
b'Please Code in'
b'Code Weathertenko'
b'Thank you, code confirmed'
b'Thank you, code confirmed'
b'Please proceed with your message'
b'Please proceed with your message'
b'Stand by for passcode'
b'Stand by for passcode'
b'CyborgCTF{w3bs0ck3t_m1ss1l3s_4r3_4_g0}'
b'CyborgCTF{w3bs0ck3t_m1ss1l3s_4r3_4_g0}'
b'Thank you commander'
b'HAIL HYDRA'
b'Hail hydra, this chatroom will no self-destruct'
b'Hail hydra, this chatroom will no self-destruct'
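The rc4-3.py helper loaded in the session above is not shown, and the decode loop silently swallows every error. The block below is an added example (not part of the original write-up) with a self-contained RC4 (KSA + PRGA), a proper suffix strip for tshark's " [truncated]" marker (the session's str.strip call happens to work only because the hex is uppercase and contains none of those characters), and a decoder that walks hex frame, JSON envelope and base64 message, skipping frames that fail any step. The session is constructed inside the script under a made-up key.

```python
import base64
import json


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation.
    Written for this example; it stands in for the rc4-3.py helper used above."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def clean_frame(field: str) -> str:
    """Strip tshark's trailing ' [truncated]' marker as a suffix, not as a set of characters."""
    field = field.strip()
    marker = " [truncated]"
    return field[:-len(marker)] if field.endswith(marker) else field


def decode_frames(key: str, frames) -> list:
    """Decrypt each hex-encoded payload, parse the JSON envelope and base64-decode
    its 'message'. Frames that fail any step (junk, truncated, no message) are skipped."""
    messages = []
    for raw in frames:
        try:
            plain = rc4(key.encode(), bytes.fromhex(clean_frame(raw)))
            envelope = json.loads(plain.decode("utf-8"))
            messages.append(base64.b64decode(envelope["message"]).decode("utf-8"))
        except (ValueError, KeyError, TypeError, UnicodeDecodeError):
            continue
    return messages


def encrypt_frame(key: str, envelope: dict) -> str:
    """Inverse direction, used only to construct sample frames."""
    return rc4(key.encode(), json.dumps(envelope).encode()).hex().upper()


# Constructed sample session under a made-up key; the real key and payloads are not reproduced.
SAMPLE_KEY = "example-passcode"
SAMPLE_FRAMES = [
    encrypt_frame(SAMPLE_KEY, {"sysid": "c2FtcGxl", "message": base64.b64encode(b"Hello, this is A").decode()}),
    encrypt_frame(SAMPLE_KEY, {"message": base64.b64encode(b"Hello A, this is B").decode()}),
    "DEADBEEF [truncated]",                                  # does not decrypt to JSON
    encrypt_frame(SAMPLE_KEY, {"status": "no message field"}),
    encrypt_frame(SAMPLE_KEY, {"message": base64.b64encode(b"constructed final line").decode()}),
]

if __name__ == "__main__":
    for line in decode_frames(SAMPLE_KEY, SAMPLE_FRAMES):
        print(line)
```

Frames that tshark marks [truncated] were cut in the text field, so they will decrypt to garbage past the cut; the two-layer check (valid JSON, then valid base64) is what keeps those out of the output rather than a bare except.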

THREAT RESEARCH 25 — DON’T WIPE ME BRO!

Challenge text: The malware used in a cyberattack against the Ukrainian power grid in 2016 has a wiper component that is always named what?

THREAT RESEARCH 50 — I HATE HORNETS…

Challenge text: What is the last name of the person who created a credential harvesting tool used last year to kick a few hornets nests?

THREAT RESEARCH 75 — WORST SUPERHERO

Challenge text: If the Snatch Ransomware was a Marvel character what would their name be?

THREAT RESEARCH 100 — MY EXES ARE ALWAYS COZY

Challenge text: An APT group implicated in the hacking of the Democratic National Committee (DNC) re-emerged in late 2019, their new third-stage backdoor executable is named what?

WELCOME 10 — WELCOME, HUMANS!

Challenge text: Who’s ya sauce? https://ctf.cyborgsecurity.com/

$ curl -s https://ctf.cyborgsecurity.com/ | grep CyborgCTF
<!-- CyborgCTF{w3lc0m3_t0_th3_b33p_b00p} -->

Cyborg Security is a pioneer in cybernetic threat hunting, delivering an advanced, actionable threat hunting platform.