Category: OSINT

Huntress CTF: Week 2 – OSINT: Where Am I?, Operation Not Found, Under the Bridge

CTF, DFIR, OSINT, PowerShell

Where Am I?

Opening the picture we see it’s a location.

I’ve frequently used exiftool to inspect the metadata of pictures, including GPS coordinates.

The file does contain GPS metadata but before we even get there, looks like something out of the ordinary for the Image Description…

Instead of the usual CyberChef, this time we’ll do the conversion using PowerShell.

The converted string is our flag.

Operation Not Found

First off, lets adjust the positioning of the image and see if we can get better view of our location.

That’s better.

Actually when I ran this challenge, I started on my mobile device.

I took a screenshot of the building and then used the Google Lens function to identify the building.

Georgia Tech Library. That’s consistent with the description in the challenge. I bring up the location in Google Maps.

Zooming and scrolling and zooming and scrolling to get the Google Maps location and the mini-map on the challenge to the same areas. The mini-map is a PAIN to navigate. Even knowing where I was going to it took me several minutes to manipulate my positioning on the map.

But once I’m finally there, I mark my location and submit for the flag and…

Under the Bridge

Pretty much the same methodology as above.

Pivot the screen for a clearer landmark.

Grab a screenshot and send it to Google Lens

Rickroll Tunnel. LOL.

Once again back and forth with Google Maps and the mini-map and getting familiar with all the London highways, and finally….

Use the tag #HuntressCTF on BakerStreetForensics.com to see all related posts and solutions for the 2023 Huntress CTF.

Huntress Capture the Flag – A CTF Marathon

CTF, DFIR, Forensics, Malware, Memory Analysis, OSINT, Steganography

Throughout October, as part of Cyber Security Awareness Month, the team over at Huntress put on a ~30 day Capture the Flag event with 58 unique challenges.

First and foremost, kudos to the organizers for pulling off an event of this size and duration. There were only minor technical difficulties noticed throughout the month, and on more than one occasion those were due to people not observing the rules and using brute force tools where they weren’t needed (or allowed.)

Overall, I found the event to be a great learning experience that challenged me, increased my confidence, and gave me an avenue to pursue skills I want to develop further.

The challenges covered a wide area of subjects with the majority being DFIR related. The categories included:

  • Warm Ups (14)
  • Forensics (10)
  • Malware (16)
  • M365 (4)
  • OSINT (3)
  • Steganography (1)
  • Miscellaneous (10)

Today the final challenge of the event, graced us with another lovely malware sample to analyze.

I was very pleased with myself at having solved nearly 80% of the challenges. There’s still another 20 or so hours to go, so we’ll see if that improves any further. The only categories I didn’t have 100% in were Miscellaneous and Malware. I think this is fair considering my skill levels. The Malware scenarios were appropriately challenging for someone newer to this area. This is an area that I’ve been developing my skills in more recently. I’m looking forward to seeing others’ write-ups on those challenges where I didn’t make it all the way through, and following along with my own data.

Tools used in the CTF

I added a number of new tools to my toolkit throughout the CTF, and got more experienced with some old friends as well. Depending on the challenge I switched between operating systems including MacOS, REMnux (Linux), and a customized Windows VM with a plethora of malware analysis utilities. By the end of the event the tools used included:

  • PowerShell
  • Strings
  • CyberChef
  • Gimp
  • Curl
  • Firepwd.py
  • rita
  • the_silver_searcher
  • nmap
  • dcode.fr
  • meld
  • Cutter
  • Ghidra
  • Python
  • ChatGPT
  • Google Chrome Developer Tools
  • iSteg
  • exiftool
  • Google Lens
  • Google Maps
  • detonaRE
  • Process Monitor (procmon)
  • Visual Studio Code
  • Site Sucker
  • 7zip
  • Magnet AXIOM
  • olevba
  • x64dbg
  • AADInternals
  • Microsoft Excel
  • Event Viewer
  • chainsaw
  • PowerDecode
  • PowerShell ISE
  • rclone
  • Volatility3
  • hashcat
  • impacket

Write-Ups

Over the next few days I’ll be releasing the write-ups on how I solved each of the completed challenges. The organizers requested that no solutions be posted until 24 hours after the conclusion of the CTF.

Based on the amount of content, I’ll be breaking the write-ups down by week number (1-4) and challenge category.

Wednesday:

Thursday:

Friday:

Saturday:

You can follow along through the week, or come back on the weekend to read them all.

Once again, I want to extend my thanks to the Huntress team for a great event. I hope you’ll follow along with my solutions, and please comment with other ways to solve if you have them. It’s all about the learning.

Use the tag #HuntressCTF on BakerStreetForensics.com to see all related posts and solutions for the 2023 Huntress CTF.