Huntress Capture the Flag – A CTF Marathon

CTF, DFIR, Forensics, Malware, Memory Analysis, OSINT, Steganography

Throughout October, as part of Cyber Security Awareness Month, the team over at Huntress put on a ~30 day Capture the Flag event with 58 unique challenges.

First and foremost, kudos to the organizers for pulling off an event of this size and duration. There were only minor technical difficulties noticed throughout the month, and on more than one occasion those were due to people not observing the rules and using brute force tools where they weren’t needed (or allowed.)

Overall, I found the event to be a great learning experience that challenged me, increased my confidence, and gave me an avenue to pursue skills I want to develop further.

The challenges covered a wide area of subjects with the majority being DFIR related. The categories included:

  • Warm Ups (14)
  • Forensics (10)
  • Malware (16)
  • M365 (4)
  • OSINT (3)
  • Steganography (1)
  • Miscellaneous (10)

Today the final challenge of the event, graced us with another lovely malware sample to analyze.

I was very pleased with myself at having solved nearly 80% of the challenges. There’s still another 20 or so hours to go, so we’ll see if that improves any further. The only categories I didn’t have 100% in were Miscellaneous and Malware. I think this is fair considering my skill levels. The Malware scenarios were appropriately challenging for someone newer to this area. This is an area that I’ve been developing my skills in more recently. I’m looking forward to seeing others’ write-ups on those challenges where I didn’t make it all the way through, and following along with my own data.

Tools used in the CTF

I added a number of new tools to my toolkit throughout the CTF, and got more experienced with some old friends as well. Depending on the challenge I switched between operating systems including MacOS, REMnux (Linux), and a customized Windows VM with a plethora of malware analysis utilities. By the end of the event the tools used included:

  • PowerShell
  • Strings
  • CyberChef
  • Gimp
  • Curl
  • Firepwd.py
  • rita
  • the_silver_searcher
  • nmap
  • dcode.fr
  • meld
  • Cutter
  • Ghidra
  • Python
  • ChatGPT
  • Google Chrome Developer Tools
  • iSteg
  • exiftool
  • Google Lens
  • Google Maps
  • detonaRE
  • Process Monitor (procmon)
  • Visual Studio Code
  • Site Sucker
  • 7zip
  • Magnet AXIOM
  • olevba
  • x64dbg
  • AADInternals
  • Microsoft Excel
  • Event Viewer
  • chainsaw
  • PowerDecode
  • PowerShell ISE
  • rclone
  • Volatility3
  • hashcat
  • impacket

Write-Ups

Over the next few days I’ll be releasing the write-ups on how I solved each of the completed challenges. The organizers requested that no solutions be posted until 24 hours after the conclusion of the CTF.

Based on the amount of content, I’ll be breaking the write-ups down by week number (1-4) and challenge category.

Wednesday:

Thursday:

Friday:

Saturday:

You can follow along through the week, or come back on the weekend to read them all.

Once again, I want to extend my thanks to the Huntress team for a great event. I hope you’ll follow along with my solutions, and please comment with other ways to solve if you have them. It’s all about the learning.

Use the tag #HuntressCTF on BakerStreetForensics.com to see all related posts and solutions for the 2023 Huntress CTF.

Baker Street Forensics joins the Fediverse

Social

Just about a year ago I switched my default social platform of choice to Mastodon and created an account at Infosec.Exchange. If you’d like to follow me there directly, here is my profile.

What’s the Fediverse?

In short, it’s a network of networks, without a central control, using open standards to communicate.

Baker Street Forensics joins the Feds 😉

Recently I learned that WordPress.com blogs can now be followed on Mastodon and other federated platforms.

By using the plug-in, blog owners have the potential to reach more followers as they’ll be able to share their posts to other platforms and, in turn, receive replies from those platforms that are transformed into blog comments.

TechCrunch.com

If you’re on Mastodon and/or the Fediverse, please give a follow to “bakerstreetforensics.com@bakerstreetforensics.com“.

If it works, you my faithful readers are the beta-testers, you should be able to see future posts by following this account. Additionally, comments via Mastodon should be visible here.

What do you think about this functionality? How are you consuming or engaging with content in the Fediverse?

Creating YARA files with Python

DFIR, Malware, Python, yara

When I’m researching a piece of malware, I’ll have a notepad open (usually VS Code), where I’m capturing strings that might be useful for a detection rule. When I have a good set of indicators, the next step is to turn them into a YARA rule.

It’s easy enough to create a YARA file by hand. My objective was to streamline the boring stuff like formatting and generating a string identifier ($s1 = “stringOne”) for each string. Normally PowerShell is my goto, but this week I’m branching out and wanted to work on my Python coding.

The code relies on you having a file called strings.txt. One string per line.

When you run the script it will prompt for (metadata):

  • rule name
  • author
  • description
  • hash

It then takes the contents of strings.txt and combines those with the metadata to produce a cleanly formatted YARA rule.

Caveats:

If the strings have special characters that need to be escaped, you may need to tweak the strings in the rule after it’s created.

The script will define the condition “any of them”. If you prefer to have all strings required, you can change line 22 from

yara_rule += '\t\tany of them\n}\n'

to

yara_rule += '\t\tall of them\n}\n'

CreateYARA.py

def get_user_input():
    rule_name = input("Enter the rule name: ")
    author = input("Enter the author: ")
    description = input("Enter the description: ")
    hash_value = input("Enter the hash value: ")
    return rule_name, author, description, hash_value

def create_yara_rule(rule_name, author, description, hash_value, strings_file):
    yara_rule = f'''rule {rule_name} {{
    meta:
    \tauthor = "{author}"
    \tdescription = "{description}"
    \thash = "{hash_value}"

    strings:
    '''
    with open(strings_file, 'r') as file:
        for id, line in enumerate(file, start=1):
            yara_rule += f'\t$s{id} = "{line.strip()}"\n\t'
    yara_rule += '\n'
    yara_rule += '\tcondition:\n'
    yara_rule += '\t\tany of them\n}\n'

    return yara_rule

def main():
    rule_name, author, description, hash_value = get_user_input()
    strings_file = 'strings.txt'  

    yara_rule = create_yara_rule(rule_name, author, description, hash_value, strings_file)
    print("Generated YARA rule:")
    print(yara_rule)
    
    yar_filename = f'{rule_name}.yar'
    with open(yar_filename, 'w') as yar_file:
        yar_file.write(yara_rule)

    print(f"YARA rule saved to {yar_filename}")

if __name__ == "__main__":
    main()
Sample strings.txt file used as input for the YARA rule
Running CreateYARA.py
YARA rule created from Python script, viewed in VS Code.

Magnet RESPONSE PowerShell

DFIR, Forensic Imaging, PowerShell, Presentations, RAM

I’m excited to share with you a new script I’ve written, Magnet RESPONSE PowerShell.

Magnet RESPONSE is a free tool from Magnet Forensics that makes it easy for investigators as well as non-technical operators to collect triage collections quickly and consistently.

Released initially as a GUI tool for law-enforcement investigators, it’s a single executable that requires no installation. The available command line syntax also makes it very flexible for enterprise use.

So what do I do when there’s a command line interface available, I PowerShell the hell out of it.

If you’ve been following my CyberPipe project, you’ll definitely want to check this one out.

MagnetRESPONSEPowerShell.ps1

Functions:
  • 💻 Capture specified triage artifacts using profiles with Magnet RESPONSE,
  • 🐏 Capture a memory image with DumpIt for Windows or Magnet RAM Capture,
  • 💾 Save all artifacts, output, and audit logs to network drive.
  • 🪟 Supports x86, x64 and ARM64 versions of Windows
Prerequisites:
  • Magnet RESPONSE
  • Web server where you can host MagnetRESPONSE.zip that’s accessible to endpoints.
  • File server repository to save the file collections to.

Please note this is not a Magnet supported product. This script is open source. If you have comments, updates, or suggestions – please do so here or on GitHub via discussion or pull request.

There are two areas of the script for you to customize.

  • The Variable Setup contains the case identification, file server and web server locations.
  • The second section, Collection Profiles, define which artifact groups you want to collect. You can see all the options available in the Magnet RESPONSE CLI Guide.

VARIABLE SETUP

$caseID = "demo-161" # no spaces

$outputpath = "\\Server\Share" # Update to reflect output destination.

$server = "192.168.4.187" # "192.168.1.10" resolves to http://192.168.1.10/MagnetRESPONSE.zip

COLLECTION PROFILES

Within the script we need to have at least one set of collection arguments defined. In this case I’ve built multiple profiles, which are simply un-commented to mark the profile as active. You only want to have one profile enabled at a time. You can design your own collection profiles using any of the available CLI options, just follow the format below.

#### Extended Process Capture

$profileName = "EXTENDED PROCESS CAPTURE"

$arguments = "/capturevolatile /captureextendedprocessinfo /saveprocfiles"

Execution

Once your environment and collection variables are defined, go ahead and run the script on your endpoints. Every host that executes the script will download RESPONSE from the web server, run the specified collection profile, and then save the output to the file server. All data defined in the collection profile will be collected and organized by case name, hostname and timestamp of collection in the central location. The returned files can be examined manually, using open source tools, or products like Magnet AXIOM Cyber.

If you’d like to learn more about the script, and how I integrated it with AXIOM Cyber and Magnet AUTOMATE, you can register for my webcast, Responding at Scale with Magnet RESPONSE. I hope to see you there.

You can download the script at https://github.com/MagnetForensics/Magnet-RESPONSE-PowerShell