Belkasoft Write-up: CTF 4

This will be my write-up for the 4th Belkasoft CTF! This CTF follows a plot based progression to make it fun, so I’ll also include the plot details unlike my other write-ups :)

Prompt

— Have you heard the news?

I have.

— The CID has interrogated the father. Other than the ransom amount, there was nothing interesting.

I heard this as well.

— This Mr. Alex is a big shot… Do you know who I got a call from, asking for my intervention?

I didn’t and I really didn’t want to know either.

— The old man says the kid was fond of computers and even slept, curled up with his laptop.

Well, now this has become more interesting. For the first time during our conversation, I looked at the Boss with curiosity.

— You sure have a lot to talk about today, don’t you boy. Well, I will shut my mouth for now, the guy’s laptop is waiting for you in the lab.

1. List all users of the laptop.

Notice all the friend names.

Examine /etc/passwd file.

stanley, ivan

2. What web application was used by the boy to earn his pocket money?

— What the hell is with these young people… chickens do not peck at their dad’s money, but he is still doing it!

I raised my eyebrows in surprise.

— Chief, have you never been a teenager before?

— Okay, you’re right, — Chief grimaced. He obviously did not like to remember his youth.

I pushed away the spontaneous smirk from my face, and the Chief continued:

— So, was he doing that from his secondary account?

I always look at the .bash_history files first for every user to get a rough idea of what happened.

ivan’s history shows creation of 2 hidden directories under Documents.
This file under the hidden directory .network gives us something to work with for Q2 & Q3.

To examine internet history, I ran Autopsy ingest modules.

We can find the web app called x-tux-0.web.app

3. Which BTC wallet did the boy use to sell drugs?

— So, the boy uses one account for studying, and the other for selling drugs?

— Yes, Sir.

— Any evidence?

— Of course, Chief. Look, here is his bitcoin wallet…

Visit the web app, it accepts payment via bitcoin at shown address.

The web app is named after the victim’s friend, Tux. They both ran this operation together.

4. On which date does the kid’s database show the most sales for “Acapulco Gold”?

— Chief, you know what? Looks like that’s not his only business. The boy is definitely dealing with larger sharks.

— You sure?

— Absolutely! I have just found that he reports his sales to someone else.

Looking at the emails parsed by Autopsy, we can see a conversation between the victim and his friend Tux, asking for his monthly sales probably to tally his drug supplies and profit made by the victim from his sales.

The original mail from Tux, contains a wordlist that the victim was asked to use to encrypt the attachment.
This reply mail has an attachment called Monthly_DB.zip.

There are numerous ways to get this attachment:

  1. We can either use an online parser for .eml files. (Not optimal for real cases, your parsers and tools must be well known.)
  2. Extract the .eml file and manually get the base64 encoded attachment data from the Content-Disposition HTTP header. (Viable, requires extra reporting on the manual parsing done.)
  3. Perform a file attribute search or a keyword search. (Suggested, you’re most likely already working on Autopsy or other tools.)
We have 3 hits: on the disk image, in the mail client cache & in the vmware file transfer directory which is residual trace from the challenge author. We can disregard that for the sake of following procedure.
stanley’s history show that the victim created a second user ivan to hide some other files there, as we’ll see later. It also verifies the presence of the attachment in directory Dec which was sent to Tux via mail.
We have the shared sales records meant to be sent to Tux, and it’s password protected.

We can crack the password using john as always.

It contains the public sales data belonging to the victim.
He sold 1337gm worth $16044 on 12th May, 2021.

5. What was the other BTC wallet of the victim, which he used to hide his “under the counter” sales from his superior?

— They called me again. Twice, — It looked like the Chief was angry at me because of that.

— Are you saying I work too slow? Or should I take these calls on your behalf?

The Chief missed my words, he seemed to be looking for his cigarettes.

— Look, Chief, I found something interesting. The boy was selling their goods under the counter.

The Chief stopped the search.

— You said what? And did his supervisor…

The Chief did not complete the sentence. We looked at each other knowingly.

This is where malice rises in the case, our victim decided to start selling the common “goods” between him and Tux, his friend, under the counter to profit from it.

This file under the hidden directory .custom shows the private wallet but is missing some characters.

In the same directory there are a lot of files with different extensions. However, they are intentionally mismatched we can verify this by looking at their file signatures.

All 9 files are essentially PDFs, out of which 7 can be simply renamed to .pdf extension in Windows.

For the remaining 2 files, one is only missing the first 4 bytes of the file signature %PDF and other file is not only missing that but also the endianness is swapped for every 2 bytes. So, we will need to first convert the hex values, in 2 word lengths, from little endian to big endian and then add the 4 missing file signature bytes.

Replace the old hex values and add the 4 bytes of the signature.

After all that, you will see that both result in the exact same file. Maybe the challenge author forgot to delete the other file or maybe it was to keep the CTF beginner friendly.

All 9 files were invoices for the victim’s sales, the file that we fixed contains the BTC wallet address.

6. What is the password to the boy’s notes?

— Look, Chief. I found the kid’s notes but…

— Encrypted, — growled the Chief, without allowing me to finish.

I acted impressed.

— No wonder you are the Chief!

The Chief showed no sign that he heard me.

— And you cannot find the password.

— Yes sir. You seem like you have an idea?

My boss smiled slyly.

— Do you know what a container is?

We have these 2 files in a hidden directory .mynotes where notes is missing the extension .docx and is password protected. mynote.odt just has some text inside.
I came across this totally nonsuspicious PDF.
This PDF contains an attachment called passwd.
Decrypting it, we can get all the passwords victim used.

7. What is the “secret pin” mentioned in the notes?

— That did the trick! But how did you know?

— Was it you who said “no wonder”?

Wow, he actually heard me that time.

— If you only knew sonny, how many cases just like this I’ve already had! Though I am no expert in this “digital forensics” stuff, but…

The Chief rolled his eyes but quickly came to his senses again.

— So why are you here again?

— Chief, I found the conversation the boy tried to hide. Looks like there is a pin to access it.

This time the Chief did not have anything for me.

— So what? Go and find it!

Now that we have the note password, we can access the contents.

Notice the mention of a shark file, I started looking for a .pcap/.pcapng immediately.
We find one under the hidden directory .secs
We can export this WAV file called vault_secret_code.wav
Spectral analysis reveals the flag.

8. When did the boy receive a threat?

— Chief, I am close to the solution. If I learn the time of the threat, everything else should be easy.

In the notes, the victim states that he got threatened 10 minutes ago, before he got to school and made this entry in notes.docx

Flag was asked in Epoch format so we need to convert it back after subtracting 10 minutes.

9. Who was the kidnapper?

The Chief glanced at me in surprise.

— I was pretty sure this time you would come with a full report.

— Sir, I know the name of the kidnapper, but I also need an email.

We already know the name of the kidnapper from the victim’s notes. To get the email address we can examine this file called mycon.zip which is again password protected.

It contains all the connections our victim had.
We can use john to crack it.
It has another ZIP file inside which has this Sheet1.html with Tux’s email address.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store