I spent a bit of time on this trying to get Volatility 2 to work with the Mimikatz plug-in. I was not successful. I was able to run the Volatility hashdump module.
I switched to Volatility3 and ran hashdump. For whatever reason the output of Volatility3 was different.
The only user besides the default accounts is for ‘Congo.’ Copy the hashed password and head over to https://hashes.com/en/decrypt/hash where we can search for the hash.
Yay, we got a match.
[Note: anecdotally I was advised that you could do this offline as well with Hashcat and the rockyou wordlist. I had tried that earlier but was using the Volatility2 output. 😦 ]
The last step is to convert ‘goldfish#’ to MD5.
Now just wrap it in the flag { } and you’re good to go.
Use the tag #HuntressCTF on BakerStreetForensics.com to see all related posts and solutions for the 2023 Huntress CTF.
If you open the log with Event Viewer, you may see there’s an entry for a (non-actual) event ID of 1337.
The error content isn’t very helpful.
Let’s take a hint from the title and run the event log through Chainsaw.
Nothing significant when using the stock rules. What if we poke specifically at Event ID 1337?
That looks interesting.
Copy the binary data and bring it over to CyberChef.
From unintelligible binary to unintelligible PowerShell.
Copy the output and save it as a .ps1 file. We can run the script through PowerDecode.
PowerDecode works down through the obfuscation layers, finally revealing the plain text of the command.
Now that the code has been deobfuscated, it's time to figure out what it does. I copied the code into PowerShell ISE and started isolating the different command sections.
One of the commands does a DNS lookup and directs the output into a string.
If we run the command on its own we can see the output. The last part of the script checks to see if the output matches the pattern of a Base64 encoded string, and if so, decodes it.
Now what was that about Tokyo?
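The decode chain above, as an added example that is not part of the original post: pull the binary data out of an event (in the XML shape Event Viewer shows under Details > XML View), turn it back into text, and then apply the same "only decode it if it looks like Base64" check the deobfuscated script performs on its DNS answer. The event, the payload text and the quoted-TXT-record handling are constructed assumptions, not the CTF's data.

```python
import base64
import re
import xml.etree.ElementTree as ET
from typing import Optional

# Constructed sample event (not the CTF's log). PowerShell commonly writes
# UTF-16LE text into the Binary field, so the sample is built that way.
PAYLOAD_TEXT = "Write-Output 'hello from 1337'"
SAMPLE_EVENT_XML = (
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
    "<System><EventID>1337</EventID></System>"
    "<EventData><Binary>" + PAYLOAD_TEXT.encode("utf-16-le").hex() + "</Binary></EventData>"
    "</Event>"
)
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def extract_binary(event_xml: str, event_id: int = 1337) -> Optional[bytes]:
    """Return the raw bytes of the <Binary> field for events with the given ID."""
    root = ET.fromstring(event_xml)
    eid = root.findtext("e:System/e:EventID", namespaces=NS)
    if eid is None or int(eid) != event_id:
        return None
    hexdata = root.findtext("e:EventData/e:Binary", namespaces=NS)
    return bytes.fromhex(hexdata) if hexdata else None

def binary_to_text(blob: bytes) -> str:
    """Decode as UTF-16LE when every other byte is mostly NUL, else as single-byte text."""
    if len(blob) % 2 == 0 and blob[1::2].count(0) > len(blob) // 4:
        return blob.decode("utf-16-le", errors="replace")
    return blob.decode("latin-1")

# Strict shape check: full groups of four Base64 characters plus optional padding.
BASE64_RE = re.compile(r"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$")

def decode_if_base64(dns_answer: str) -> Optional[str]:
    """Mirror the script's last step: decode the DNS answer only if it matches the Base64 pattern."""
    s = dns_answer.strip().strip('"')  # TXT records are often returned quoted (assumption)
    if not s or len(s) % 4 or not BASE64_RE.match(s):
        return None
    try:
        return base64.b64decode(s, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None

if __name__ == "__main__":
    blob = extract_binary(SAMPLE_EVENT_XML)
    print(binary_to_text(blob))
    print(decode_if_base64('"dG9reW8="'))
```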
Once the file was downloaded and extracted from the zip I ran the file command on it.
OK so we’ll be doing the analysis for this one on a Windows box to start.
Move the file to Windows and rename it to Fetch.wim.
Open the .wim with 7zip explorer.
Within the archive we see a plethora of Prefetch (.pf) files, but among them there is a fetch.zip.
When we extract the contents of the zip file we have another directory of Prefetch files.
I extracted the .pf files to a folder.
I used Magnet AXIOM to process the prefetch files. Based on our scenario, I have keywords set for Huntress, ctf, and flag.
That was easy.
Opposable Thumbs
I know for a fact that Axiom can process thumbnail caches.
And BAM! There's the flag.
Tragedy Redux
First things first, let’s get an idea of what kind of file we’re dealing with. Hmm. It shows as a zip archive. When the file is unzipped we see the structure below.
Looking at the structure, a seasoned analyst may identify that the tragedy_redux file is in fact a Word document, which brings up another method we'll get to in a minute. But before that, let's take a look at the vbaProject.bin file with olevba.
There’s a macro file with some curious fruit and vegetable related functions.
If you realized at the beginning that this was a Word document, you could append the file extension .docm to the file.
When opening the file in Word, there is a prompt to enable macros.
Once the document is open you see a document containing the definition of Tragedy.
From there we can go to Tools > Macros > Edit… to get to the same VBA content we saw with olevba.
The next step was to convert the VBA into something actionable. I struggled on this one, but one of my teammates was successful in converting the VBA to Python.
This code interprets the numeric values in longstring (Apples) as decimal representations of ASCII values, subtracts 17 from each value, and prints the corresponding characters. The characters are printed one by one without newlines, forming a string of characters as the output.
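A Python version of that decoder, added here as an example rather than my teammate's script: it applies the subtract-17 rule from the description. The delimiter between values and the sample longstring are assumptions (the sample is constructed with the matching encoder, not taken from the macro).

```python
import re

OFFSET = 17  # the macro subtracts 17 from every value (per the write-up)

def decode_apples(longstring: str, offset: int = OFFSET) -> str:
    """Turn 'ASCII + offset' decimal values back into text.

    Delimiter is an assumption: any run of non-digit characters separates values,
    so space-, comma- or newline-separated strings all decode the same way.
    """
    out = []
    for value in (int(v) for v in re.findall(r"\d+", longstring)):
        code = value - offset
        if not 0 <= code < 0x110000:  # keep bad values from crashing chr()
            raise ValueError(f"value {value} is not a valid shifted character code")
        out.append(chr(code))
    return "".join(out)

def encode_apples(text: str, offset: int = OFFSET, sep: str = " ") -> str:
    """Inverse of decode_apples; used only to build a constructed sample."""
    return sep.join(str(ord(ch) + offset) for ch in text)

# Constructed sample (not the CTF's real longstring).
SAMPLE = encode_apples("calc.exe")

if __name__ == "__main__":
    print(SAMPLE)
    print(decode_apples(SAMPLE))
```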
Throughout October, as part of Cyber Security Awareness Month, the team over at Huntress put on a ~30 day Capture the Flag event with 58 unique challenges.
First and foremost, kudos to the organizers for pulling off an event of this size and duration. There were only minor technical difficulties noticed throughout the month, and on more than one occasion those were due to people not observing the rules and using brute force tools where they weren't needed (or allowed).
Overall, I found the event to be a great learning experience that challenged me, increased my confidence, and gave me an avenue to pursue skills I want to develop further.
The challenges covered a wide area of subjects with the majority being DFIR related. The categories included:
Warm Ups (14)
Forensics (10)
Malware (16)
M365 (4)
OSINT (3)
Steganography (1)
Miscellaneous (10)
Today the final challenge of the event graced us with another lovely malware sample to analyze.
I was very pleased with myself at having solved nearly 80% of the challenges. There’s still another 20 or so hours to go, so we’ll see if that improves any further. The only categories I didn’t have 100% in were Miscellaneous and Malware. I think this is fair considering my skill levels. The Malware scenarios were appropriately challenging for someone newer to this area. This is an area that I’ve been developing my skills in more recently. I’m looking forward to seeing others’ write-ups on those challenges where I didn’t make it all the way through, and following along with my own data.
Tools used in the CTF
I added a number of new tools to my toolkit throughout the CTF, and got more experienced with some old friends as well. Depending on the challenge I switched between operating systems including macOS, REMnux (Linux), and a customized Windows VM with a plethora of malware analysis utilities. By the end of the event the tools used included:
PowerShell
Strings
CyberChef
Gimp
Curl
Firepwd.py
rita
the_silver_searcher
nmap
dcode.fr
meld
Cutter
Ghidra
Python
ChatGPT
Google Chrome Developer Tools
iSteg
exiftool
Google Lens
Google Maps
detonaRE
Process Monitor (procmon)
Visual Studio Code
Site Sucker
7zip
Magnet AXIOM
olevba
x64dbg
AADInternals
Microsoft Excel
Event Viewer
chainsaw
PowerDecode
PowerShell ISE
rclone
Volatility3
hashcat
impacket
Write-Ups
Over the next few days I’ll be releasing the write-ups on how I solved each of the completed challenges. The organizers requested that no solutions be posted until 24 hours after the conclusion of the CTF.
Based on the amount of content, I’ll be breaking the write-ups down by week number (1-4) and challenge category.
Wednesday:
Thursday:
Friday:
Saturday:
You can follow along through the week, or come back on the weekend to read them all.
Once again, I want to extend my thanks to the Huntress team for a great event. I hope you’ll follow along with my solutions, and please comment with other ways to solve if you have them. It’s all about the learning.