You can see the basic flow of the game above. You put in your choice, then after some calculation the game chooses, and what do you know – the game always makes the winning choice.
How about a nice game of Chess?
Having played the game a couple times to get familiar with the flow, I ran the program using x64dbg.
Hit F9 a few times until it the program gets to your input choice.
Once you’ve typed in your selection in the command window, back to x64dbg. From here we will step over (F8) the instructions 1 by one.
Continue to hit F8, observing as the rest of the game text appears.
Global Thermonuclear War
In x64dbg, we see that the program tests 2 values and then does a JNE (Jump if not Equal) command to another function 416C6A.
If we use the debugger and change this to JE (Jump if equal to):
Who you calling cheater?
Use the tag #HuntressCTF on BakerStreetForensics.com to see all related posts and solutions for the 2023 Huntress CTF.
Once the file was downloaded and extracted from the zip I ran the file command on it.
OK so we’ll be doing the analysis for this one on a Windows box to start.
Move the file to windows and rename to Fetch.wim
Open the .wim with 7zip explorer
Within the zip file we see a plethora of Prefetch (.pf) files, but among them we there is a fetch.zip
When we extract the contents of the zip file we have another directory of Prefetch files.
I extracted the .pf files to a folder.
I used Magnet AXIOM to process the prefetch files. Based on our scenario, I have keywords set for Huntress, ctf, and flag.
That was easy.
Opposable Thumbs
I know for a fact that Axiom can process thumbnail caches.
And BAM! there’s the flag.
Tragedy Redux
First things first, let’s get an idea of what kind of file we’re dealing with. Hmm. It shows as a zip archive. When the file is unzipped we see the structure below.
Looking at the structure, as seasoned analyst may identify that the tragedy_redux file is in fact a word document. Which will bring up another method in a minute. But before that let’s take a look at the vbaProject.bin file with olevba.
There’s a macro file with some curious fruit and vegetable related functions.
If you realized at the beginning this was a word doc file, you could append the file extension .docm to the file.
When opening the file in Word, there is a prompt to enable macros.
Once the document is open you see a document containing the definition of Tragedy.
From there we can go to Tools > Macros > Edit… we can get to the same vbs content we did with olevba.
The next step was to convert the vbs into something actionable. I struggled on this one, but one of my teammates was successful in converting the vbs to Python.
This code interprets the numeric values inย longstringย (Apples), as decimal representations of ASCII values, subtracts 17 from each value, and prints the corresponding characters. The characters are printed one by one without newlines, forming a string of characters as the output.
So we’ve got a url and a specific port. Firefox web browser yields…
So we need an Authorization header. ๐ค
Time to look at the provided files. It looks to be the export of a Splunk application.
Time to download an eval copy of Splunk and… pause. There’s probably a simpler way to attack this.
The Silver Searcher is a command line tool I picked up during the CTF and I love it. It’s like Grep on PCP.
Once installed, the base command is ag, followed by what you’re searching for, and where. So let’s do a quick search for Authorization on all the contents of this directory.
That looks interesting. A clue? One of the PowerShell scripts has Authorization and what looks to be Base64 code.
We also see a comment about the $PORT being dynamic based on the Start button. Decoding the string in CyberChef…
At this point we have all the pieces, we just need to put them together. I started to look at different ways to pass an Authorization header to a web server. There’s proxy tools galore. And then there’s the basic’s like curl. After a bit of brushing up on my syntax I had:
Yay what looks like more Base64. Once more with our Chef’s hat and…
Traffic
rita was a tool I hadn’t used before but it was very easy to use. I installed it on my REMnux box and then ran it against the dataset.
I then used the command to generate an html report.
Looking through the DNS requests there’s something sketchy indeed.
Let’s go take a look at that.
Dumpster Fire
Let’s start with the_silver_searcher again and see if we have any luck with “Password”.
There’s a number of hits including references to an encryptedUsername and encryptedPassword in the logins.json file. So we’ve got some encrypted Firefox user passwords. If only there were a utility that could decrypt those. Enter firepwd.py, an open source tool to decrypt Mozilla protected passwords.
Run the script in Python and point it to the directory for the user profile (where the logins.json file is).
That’s a pretty LEET password ๐
Use the tag #HuntressCTF on BakerStreetForensics.com to see all related posts and solutions for the 2023 Huntress CTF.
Throughout October, as part of Cyber Security Awareness Month, the team over at Huntress put on a ~30 day Capture the Flag event with 58 unique challenges.
First and foremost, kudos to the organizers for pulling off an event of this size and duration. There were only minor technical difficulties noticed throughout the month, and on more than one occasion those were due to people not observing the rules and using brute force tools where they weren’t needed (or allowed.)
Overall, I found the event to be a great learning experience that challenged me, increased my confidence, and gave me an avenue to pursue skills I want to develop further.
The challenges covered a wide area of subjects with the majority being DFIR related. The categories included:
Warm Ups (14)
Forensics (10)
Malware (16)
M365 (4)
OSINT (3)
Steganography (1)
Miscellaneous (10)
Today the final challenge of the event, graced us with another lovely malware sample to analyze.
I was very pleased with myself at having solved nearly 80% of the challenges. There’s still another 20 or so hours to go, so we’ll see if that improves any further. The only categories I didn’t have 100% in were Miscellaneous and Malware. I think this is fair considering my skill levels. The Malware scenarios were appropriately challenging for someone newer to this area. This is an area that I’ve been developing my skills in more recently. I’m looking forward to seeing others’ write-ups on those challenges where I didn’t make it all the way through, and following along with my own data.
Tools used in the CTF
I added a number of new tools to my toolkit throughout the CTF, and got more experienced with some old friends as well. Depending on the challenge I switched between operating systems including MacOS, REMnux (Linux), and a customized Windows VM with a plethora of malware analysis utilities. By the end of the event the tools used included:
PowerShell
Strings
CyberChef
Gimp
Curl
Firepwd.py
rita
the_silver_searcher
nmap
dcode.fr
meld
Cutter
Ghidra
Python
ChatGPT
Google Chrome Developer Tools
iSteg
exiftool
Google Lens
Google Maps
detonaRE
Process Monitor (procmon)
Visual Studio Code
Site Sucker
7zip
Magnet AXIOM
olevba
x64dbg
AADInternals
Microsoft Excel
Event Viewer
chainsaw
PowerDecode
PowerShell ISE
rclone
Volatility3
hashcat
impacket
Write-Ups
Over the next few days I’ll be releasing the write-ups on how I solved each of the completed challenges. The organizers requested that no solutions be posted until 24 hours after the conclusion of the CTF.
Based on the amount of content, I’ll be breaking the write-ups down by week number (1-4) and challenge category.
Wednesday:
Thursday:
Friday:
Saturday:
You can follow along through the week, or come back on the weekend to read them all.
Once again, I want to extend my thanks to the Huntress team for a great event. I hope you’ll follow along with my solutions, and please comment with other ways to solve if you have them. It’s all about the learning.
Use the tag #HuntressCTF on BakerStreetForensics.com to see all related posts and solutions for the 2023 Huntress CTF.
Baker Street Forensics 