Category: Miscellaneous

Huntress CTF: Week 4 – Miscellaneous: MFAtigue

CTF, DFIR, Miscellaneous

MFAtigue

For any of these challenges where there’s a download and an online component, I’ll usually start with the files.

OK. So how can we get a password if we have access to the ntds.dit and the SYSTEM registry hive?

The iredteam.com article looks like a good place to start.

There’s a reference to dumping hashes using impacket.

I don’t have the SECURITY hive, but I do have the ntds.dit and the SYSTEM hive.

From here we’ll copy out all the hashes for user accounts. The accounts ending with $ are computer accounts so we won’t bother with those.

With the hashes isolated in a text file, we can run hashcat on the hashes using the rockyou wordlist.

…output continues…

We’ve got a match on the hash ending ..cadab42a.

Referencing that against our account information, we see that found hash is the password for JILLIAN_DOTSON.

Now for the url in the challenge. It brings us to a Microsoft sign-in page. We’ll use the account huntressctf\JILLIAN_DOTSON

And the cracked password of katlyn99…

Oh but wait. The account has MFA?!!

Hit the Send Push Notification

Then again,

And again

After a mildly obnoxious number of repeated attempts….

Use the tag #HuntressCTF on BakerStreetForensics.com to see all related posts and solutions for the 2023 Huntress CTF.

Huntress CTF: Week 3 – Miscellaneous: Who Is Real?, Operation Eradication

CTF, DFIR, Miscellaneous

Who Is Real?

This was a change of pace from what a lot of the CTF has been; lots of malware and deobfuscation. In this challenge we’re tasked with figuring out which faces are real and which have been AI generated.

Before starting the challenge, I familiarized myself with

https://whichfaceisreal.com/learn.html

It gave me good ideas of things to look for regarding teeth, glasses, earrings, other faces in photos, etc.

Eventually, I was able to get 5 right in a row.

Operation Eradication

Let’s take a look at the configuration file.

This looks like a config file for rclone.

Using this information, and the url provided from the challenge, we can update our rclone config file.

Now using rclone we can connect to the remote location and hopefully start deleting these ‘sensitive’ files. If only it were so easy.

I was able to get a directory listing, so I knew that my credentials were successfully connecting.

I was all over the command options at https://rclone.org. Every DELETE or SYNC operation I could think of was failing.

At my wit’s end I pinged a friend who suggested trying to overwrite the files with a 0 bit file. If successful the files would still be there, but the content gone – so essentially, they’d be safe again.

Using the file listing from the server, I wrote a PowerShell script that would touch, or create a 0 byte file, locally for each file names.

Next the script would run the rclone copy command to copy the local 0 byte files to the network location.

I run the PowerShell script and then return to the webpage and refresh…

DOH! There was a typo in one line of the script. I’ll re-run the file listing command again. All but one file have the 0 byte file size.

Run the copy command one more time to take care of our errant file and…

Success!

Use the tag #HuntressCTF on BakerStreetForensics.com to see all related posts and solutions for the 2023 Huntress CTF.

Huntress CTF: Week 2 – Miscellaneous: Rock, Paper, Psychic

CTF, DFIR, Miscellaneous

Rock, Paper, Psychic

Do you want to play a game?

You can see the basic flow of the game above. You put in your choice, then after some calculation the game chooses, and what do you know – the game always makes the winning choice.

How about a nice game of Chess?

Having played the game a couple times to get familiar with the flow, I ran the program using x64dbg.

Hit F9 a few times until it the program gets to your input choice.

Once you’ve typed in your selection in the command window, back to x64dbg. From here we will step over (F8) the instructions 1 by one.

Continue to hit F8, observing as the rest of the game text appears.

Global Thermonuclear War

In x64dbg, we see that the program tests 2 values and then does a JNE (Jump if not Equal) command to another function 416C6A.

If we use the debugger and change this to JE (Jump if equal to):

Who you calling cheater?

Use the tag #HuntressCTF on BakerStreetForensics.com to see all related posts and solutions for the 2023 Huntress CTF.