You can see the basic flow of the game above. You put in your choice, then after some calculation the game chooses, and what do you know – the game always makes the winning choice.
How about a nice game of Chess?
Having played the game a couple times to get familiar with the flow, I ran the program using x64dbg.
Hit F9 a few times until it the program gets to your input choice.
Once you’ve typed in your selection in the command window, back to x64dbg. From here we will step over (F8) the instructions 1 by one.
Continue to hit F8, observing as the rest of the game text appears.
Global Thermonuclear War
In x64dbg, we see that the program tests 2 values and then does a JNE (Jump if not Equal) command to another function 416C6A.
If we use the debugger and change this to JE (Jump if equal to):
Who you calling cheater?
Use the tag #HuntressCTF on BakerStreetForensics.com to see all related posts and solutions for the 2023 Huntress CTF.
Once the file was downloaded and extracted from the zip I ran the file command on it.
OK so we’ll be doing the analysis for this one on a Windows box to start.
Move the file to windows and rename to Fetch.wim
Open the .wim with 7zip explorer
Within the zip file we see a plethora of Prefetch (.pf) files, but among them we there is a fetch.zip
When we extract the contents of the zip file we have another directory of Prefetch files.
I extracted the .pf files to a folder.
I used Magnet AXIOM to process the prefetch files. Based on our scenario, I have keywords set for Huntress, ctf, and flag.
That was easy.
Opposable Thumbs
I know for a fact that Axiom can process thumbnail caches.
And BAM! there’s the flag.
Tragedy Redux
First things first, let’s get an idea of what kind of file we’re dealing with. Hmm. It shows as a zip archive. When the file is unzipped we see the structure below.
Looking at the structure, as seasoned analyst may identify that the tragedy_redux file is in fact a word document. Which will bring up another method in a minute. But before that let’s take a look at the vbaProject.bin file with olevba.
There’s a macro file with some curious fruit and vegetable related functions.
If you realized at the beginning this was a word doc file, you could append the file extension .docm to the file.
When opening the file in Word, there is a prompt to enable macros.
Once the document is open you see a document containing the definition of Tragedy.
From there we can go to Tools > Macros > Edit… we can get to the same vbs content we did with olevba.
The next step was to convert the vbs into something actionable. I struggled on this one, but one of my teammates was successful in converting the vbs to Python.
This code interprets the numeric values in longstring (Apples), as decimal representations of ASCII values, subtracts 17 from each value, and prints the corresponding characters. The characters are printed one by one without newlines, forming a string of characters as the output.
Ooof. That hurts the eyes. If we throw it into CyberChef, with the assistance of some magic (or detailed reading of the challenge), we see that it’s VB Script, which can be converted using the Microsoft Script Decoder recipe.
Copy the output to VS Code.
The syntax highlighting shows that all the ””””””””al37ysoeopm’al37ysoeopm entries are just comments, so let’s remove them.
There also seems to be an abundance of “&” obscuring the code. We’ll remove them too.
That’s a lot more readable. Looking at the code we see it’s going to use PowerShell to create a file C:\Users\Pubic\Documents\July.htm using as input the content from a pastebin URL.
Snake Eater
We’ll detonate snake_eater.exe in our lab environment.
I really enjoyed this challenge as I used my detonaRE PowerShell script to control the detonation and solve the challenge. Besides firing the malware itself, the script will initiate a pcap capture and monitor the malware process using Process Monitor. The script the converts the ProcMon output to csv for easy analysis.
Scrolling through the csv we find that the application was writing a file to:
~\AppData\Roaming\Mael Horns\flag{hashforflag}
Opendir
Let’s get Started
The link brings us to an Open Directory (duh) with lots of scripts and executables, not to mention a number of subdirectories.
The first thing to do is grab everything.
Site Sucker works well for this.
Once we’ve captured all the files and subdirectories locally we can search through them en masse. Once again in this CTF, the_silver_searcher (ag) comes into play.
Tucked away in /sir/64_bit_new/oui.txt is the flag.
Use the tag #HuntressCTF on BakerStreetForensics.com to see all related posts and solutions for the 2023 Huntress CTF.
I’ve frequently used exiftool to inspect the metadata of pictures, including GPS coordinates.
The file does contain GPS metadata but before we even get there, looks like something out of the ordinary for the Image Description…
Instead of the usual CyberChef, this time we’ll do the conversion using PowerShell.
The converted string is our flag.
Operation Not Found
First off, lets adjust the positioning of the image and see if we can get better view of our location.
That’s better.
Actually when I ran this challenge, I started on my mobile device.
I took a screenshot of the building and then used the Google Lens function to identify the building.
Georgia Tech Library. That’s consistent with the description in the challenge. I bring up the location in Google Maps.
Zooming and scrolling and zooming and scrolling to get the Google Maps location and the mini-map on the challenge to the same areas. The mini-map is a PAIN to navigate. Even knowing where I was going to it took me several minutes to manipulate my positioning on the map.
But once I’m finally there, I mark my location and submit for the flag and…
Under the Bridge
Pretty much the same methodology as above.
Pivot the screen for a clearer landmark.
Grab a screenshot and send it to Google Lens
Rickroll Tunnel. LOL.
Once again back and forth with Google Maps and the mini-map and getting familiar with all the London highways, and finally….
Use the tag #HuntressCTF on BakerStreetForensics.com to see all related posts and solutions for the 2023 Huntress CTF.
Baker Street Forensics 