HACKTOBER CTF
This post contains the writeups for:
- Crypto
  - Hail Caesar
  - Down The Wrong Path
- Forensics
  - Captured Memories
  - Amcaching In
  - Prefetch Perfection
  - Prefetch Perfection 2
- Linux
  - Talking to the dead 1
  - Talking to the dead 2
- Programming
  - Message in an array
  - Trick or treat
- Steganography
  - You believe in ghosts
  - Start digging
  - Blasphemy
- OSINT
  - Creeping 1
  - Creeping 2
  - Creeping 3
  - Past Attacks
Hail Caesar
In this question we have to decrypt TGG KUSJWV QGM, and the question hints that it's a Caesar cipher. We don't know the key, but we don't really need one for this. Loading it up in dcode gives us the answer: BOO SCARED YOU
And thus the flag is flag{BOO SCARED YOU}
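The "you don't need the key" point above, as an added example (not part of the original writeup): try all 26 shifts and pick the one whose output contains the most English words. The word list is a constructed stand-in for a real dictionary.

```python
# Added example: brute-force a Caesar cipher without knowing the key.
# Every shift is tried; each result is scored by how many of its words
# appear in a small English word list, and the best-scoring shift wins.
import string

ALPHABET = string.ascii_uppercase

# Constructed: a tiny word list; a real tool would load a full dictionary.
COMMON_WORDS = {"BOO", "SCARED", "YOU", "THE", "AND", "FLAG", "IS", "A", "TO"}

def shift_text(text: str, shift: int) -> str:
    """Shift every A-Z letter by `shift` positions; leave other characters alone."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)

def score(candidate: str) -> int:
    """Count how many whitespace-separated tokens are known English words."""
    return sum(1 for word in candidate.split() if word in COMMON_WORDS)

def all_shifts(ciphertext: str) -> list[tuple[int, str]]:
    """Return (shift, plaintext) for every possible decryption shift 0..25."""
    return [(s, shift_text(ciphertext, s)) for s in range(26)]

def crack_caesar(ciphertext: str) -> tuple[int, str]:
    """Pick the shift whose output contains the most dictionary words."""
    return max(all_shifts(ciphertext), key=lambda pair: score(pair[1]))

if __name__ == "__main__":
    shift, plaintext = crack_caesar("TGG KUSJWV QGM")
    print(f"shift={shift} plaintext={plaintext}")
```

For this challenge the winning decryption shift is 8 (i.e. the message was encrypted with a shift of 18).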
Down The Wrong Path
The given image shows a transposition cipher.
So reading it in a similar fashion results in this message: REMEMBER TO TELL SPOOKYBOI ABOUT THE NEW TARGETS OF OUR NEXT ATTACK
So the message is intended for SPOOKYBOI and thus our flag is flag{SPOOKYBOI}
Captured Memories
The first thing I did here was run imageinfo in order to determine the profile to be used in the Volatility framework.
OUTPUT: Suggested Profile(s) : Win10x64_10586, Win10x64_14393, Win10x64, Win2016x64_14393
Then I used pslist to take a look at all the processes that were running on the system when the dump was taken.
This returned a list of processes, and the last process's ID was our answer.
So the flag is flag{3348}
Amcaching In
For this question I used regripper and its amcache module, then used grep to take a closer look at mpowers' interactions with the system.
The image shows that mpowers is trying to install python.
So the flag is flag{python}
Prefetch Perfection
For this question I downloaded and compiled the prefetch.py file from GitHub.
The question asks for Internet Explorer, and from the long list of files the only one pertaining to it is IEXPLORE.EXE. How do I know that? Pure experience. You can also try running it on Windows and checking in Task Manager; you should be able to see the iexplore.exe process running along with the others.
This gave me the last execution time of the process, and thus the flag is flag{2017-05-01 21:11:41}.
If you're doing this in WinPrefetchView, remember to change the time format accordingly. This is a mistake I made, so make sure you account for it if you go down this path.
Prefetch Perfection 2
Now this was a difficult task. We have to state the name of the path which loaded the cookie belonging to cmaldonado, and that from all of those prefetch files. So what I did was make a script that uses Python to run prefetch.py and store its output in a text file. The script looked something like this.
Then I opened the file in gedit and searched for "cookie" (CTRL+F), looking for entries somehow related to cmaldonado in their path. This gave me a list of some processes.
cookie
IEXPLORE.EXE
DLLHOST.EXE
WINSAT.EXE
Finally I used trial and error, entering each of these one by one in the flag field of the question. The answer was DLLHOST.EXE, I guess. I'm not very sure about this one, but it's in the list for sure. So the supposed flag is flag{DLLHOST.EXE}
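The batch-run-then-search approach from this section, as an added example (the author's own script is not reproduced on the page, so this is my version, not theirs). It assumes prefetch.py takes one .pf path on the command line and prints the parsed contents, including referenced file paths, to stdout; the sample output and prefetch hashes below are constructed.

```python
# Added example, not the author's script (the original is not on the page):
# run prefetch.py over every .pf file, save the combined output to one text
# file, then filter that text for cookie paths belonging to a given user.
# Assumption: prefetch.py takes one .pf path and prints the parsed contents.
import glob
import os
import subprocess
import sys

PREFETCH_PY = "prefetch.py"  # assumed location of the parser script

def run_prefetch_parser(pf_dir: str, out_path: str) -> int:
    """Parse each .pf file with prefetch.py, writing all stdout to out_path."""
    count = 0
    with open(out_path, "w", encoding="utf-8") as out:
        for pf in sorted(glob.glob(os.path.join(pf_dir, "*.pf"))):
            out.write(f"=== {os.path.basename(pf)} ===\n")  # marker per file
            proc = subprocess.run([sys.executable, PREFETCH_PY, pf],
                                  capture_output=True, text=True, errors="replace")
            out.write(proc.stdout)
            count += 1
    return count

def executables_touching_cookies(lines, user: str) -> list[str]:
    """Distinct executables whose prefetch output references the user's cookies."""
    hits, current = [], None
    for line in lines:
        if line.startswith("=== ") and line.rstrip().endswith("==="):
            # IEXPLORE.EXE-1A2B3C4D.pf -> IEXPLORE.EXE (drop the hash suffix)
            current = line.strip("= \n").rsplit("-", 1)[0]
            continue
        up = line.upper()
        if "COOKIE" in up and user.upper() in up and current not in hits:
            hits.append(current)
    return hits

# Constructed sample in the shape of the combined text file (paths shortened).
SAMPLE_OUTPUT = """\
=== IEXPLORE.EXE-1A2B3C4D.pf ===
\\VOLUME{placeholder}\\USERS\\CMALDONADO\\APPDATA\\ROAMING\\MICROSOFT\\WINDOWS\\COOKIES\\INDEX.DAT
=== DLLHOST.EXE-5E6F7A8B.pf ===
\\VOLUME{placeholder}\\USERS\\CMALDONADO\\APPDATA\\ROAMING\\MICROSOFT\\WINDOWS\\COOKIES\\LOW\\A.TXT
=== NOTEPAD.EXE-9C0D1E2F.pf ===
\\VOLUME{placeholder}\\USERS\\CMALDONADO\\DESKTOP\\NOTES.TXT
=== WINSAT.EXE-0A1B2C3D.pf ===
\\VOLUME{placeholder}\\USERS\\JDOE\\APPDATA\\ROAMING\\MICROSOFT\\WINDOWS\\COOKIES\\INDEX.DAT
"""

if __name__ == "__main__":
    print(executables_touching_cookies(SAMPLE_OUTPUT.splitlines(), "cmaldonado"))
```

On a real run, call run_prefetch_parser on the prefetch directory first and feed the resulting file's lines to executables_touching_cookies; the per-file marker lines are what let the filter attribute each cookie path to an executable instead of leaving you with a bare list of paths.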
Talking to the dead 1
This one's dead simple. After entering the server via ssh, I used find to look up the locations of the flag files. The command for this was $ find . -name flag*.txt
This gave me the location of flag1, flag3 and flag4.
Then I simply went to the location of flag1.txt and used cat to get the flag.
So the flag for this one is flag{cb07e9d6086d50ee11c0d968f1e5c4bf1c89418c}
Talking to the dead 2
This one's a little more challenging, as the location of flag2.txt wasn't revealed by the find command: the file is hidden. For this I had to manually go to the directories that could house the file and use $ ls -lah to check whether the file was there. Finally I found the file at /home/luciafer/Documents. However, I feel there could have been a simpler approach than the mess I made. The flag was then extracted using cat, and it is flag{728ec98bfaa302b2dfc2f716d3de7869f3eadcbf}
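The simpler approach the author suspects exists, as an added example (not from the original post): a name pattern that starts with a literal "flag" never matches a dotfile such as .flag2.txt, while a pattern with a leading wildcard does. This assumes "hidden" means a leading-dot file name, which is what ls -lah would have revealed; the directory layout and flag contents below are constructed.

```python
# Added example: why `find . -name flag*.txt` misses a hidden flag file.
# The pattern flag*.txt only matches names that START with "flag", so the
# dotfile .flag2.txt is skipped; *flag*.txt matches hidden and visible alike.
# (Unquoted, the shell may also expand flag*.txt against the current
# directory before find ever sees it; always quote the pattern.)
import fnmatch
import os
import tempfile
from pathlib import Path

def find_files(root: str, pattern: str) -> list[str]:
    """Walk `root` and return paths (relative to root) whose name matches `pattern`."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if fnmatch.fnmatch(name, pattern):
                hits.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(hits)

def build_sample_tree() -> str:
    """Constructed layout mimicking the challenge: visible flag1/3/4, hidden flag2."""
    root = tempfile.mkdtemp(prefix="dead_")
    layout = {
        "home/luciafer/flag1.txt": "flag{placeholder1}",
        "home/luciafer/Documents/.flag2.txt": "flag{placeholder2}",
        "var/tmp/flag3.txt": "flag{placeholder3}",
        "opt/flag4.txt": "flag{placeholder4}",
    }
    for rel, content in layout.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)
    return root

def compare_patterns(root: str) -> dict[str, list[str]]:
    """Run both patterns so the difference is visible side by side."""
    return {
        "flag*.txt": find_files(root, "flag*.txt"),
        "*flag*.txt": find_files(root, "*flag*.txt"),
    }

if __name__ == "__main__":
    for pattern, hits in compare_patterns(build_sample_tree()).items():
        print(pattern, "->", hits)
```

The equivalent one-liner on the box would be find / -name '*flag*.txt' 2>/dev/null, which is far less work than checking candidate directories by hand.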
Message in an array
This one’s also very simple. You just need two lines of code and a little bit of programming knowledge to get the flag.
Rearranging the array as shown in the next line, the flag is obtained: flag{Nothing Will Stop DEADFACE}
Trick or treat
This one's fun. The programming jargon baffled me for a minute, but then I saw that the required function wasn't even being called and some other useless function was being executed instead. So all I did was replace it with the required function, and voila.
The flag for this one is flag{2f3ba6b5fb8bb84c33b584f981c2d13d}
You believe in ghosts
After fiddling and failing with some image stego tools, when I had almost given up on it, I found the answer through error level analysis (ELA) on imageforensic.org.
A bit difficult to read, but it's the flag alright. In case you want to know more about ELA, you can check out this tutorial on fotoforensics.
The flag is flag{ghosts_everywhere}
Start digging
Running binwalk on the image revealed that there are some other images inside it. So I extracted them using binwalk itself, took a look at them, and there was the flag inside one of the images.
Commands used: binwalk steg06.jpg and binwalk --dd='.*' steg06.jpg
So the flag for this is flag{buried_s3cr3ts}
Blasphemy
Trying to extract the file with an empty password using steghide turned out to be a very good choice: it gave me the password in another text file hidden in the given image.
The flag here is flag{950634ccc97ca3ef03e22c759a356973}
Creeping 1
Ali Tevlin has a Facebook profile with some very interesting information about him. We can also confirm that he's actually the guy we're after by comparing his Facebook and Hacktober DPs.
The flag for this one is flag{F. Kreuger Financial}
Creeping 2
This is also available on his Facebook profile.
The flag is flag{Senior Acquisitions Supervisor}
Creeping 3
This information is again on his Facebook profile.
The flag here is flag{17 Jun 1973}
Past Attacks
A simple Google search led me to this site, which had the answer for this question.
The answer and the flag is flag{Watering Hole}
Great writeup, thanks. Spent ages trying to do the prefetch and amcache on Linux. Now I know!! Also for the "ghosts_everywhere" I used stegsolve.jar, which allows you to see the individual layers of the image, which should be easier. Once again thanks for the write-up.
Thank you so much for the comment. Feels good to know that my work helped someone. In my case I took 1 hour each on prefetch and amcache. Pretty difficult, I would say. Now this is the best part about writing a blog: you share some info and get some back in return. I'll try stegsolve in my next CTF for sure. Again, thanks for coming; hope you have some awesome CTFs ahead.