DUCTF 2021 Write-ups
This is going to be my write-up for some challenges from DownUnderCTF 2021.
Official write-ups for all the challenges can be found here.
Forensics
1. Retro!
A very simple one to begin with: just extract the EXIF data to get the flag.
2. How to pronounce GIF
You can already see it’s a bunch of QR codes spliced together in a .gif file.
After extracting all the frames, we can stitch the matching frames together by first sorting them into individual directories and then running convert * -append out.png in each.
As it says to f0ll0w 7h3 wh173 r4bb17, we can connect the 2 strings nearest to the rabbits and get a base64 string to decode for the flag.
3. That’s Not My Name
We have a .pcapng file, which on examination seemed to have a lot more DNS entries than usual. That can be a telltale sign of DNS data exfiltration. So, after applying the dns filter in Wireshark, we can determine whether some sort of processed data was being sent out of the machine inside the tiny DNS packets.
Now that we know the raw data was hex encoded, we can simply reverse search for the hex values of the flag format’s prefix, in this case DUCTF{. This can be considered an unintended solution by a teammate, MM0X!
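As an added example (not part of the original write-up), the reverse search described above in Python: it reassembles the hex labels of queries to an assumed exfiltration domain, in the shape of tshark’s dns.qry.name output, looks for the hex of DUCTF{ on a byte boundary and decodes from there. The domain and the placeholder flag are constructed, not taken from the challenge capture.

```python
import binascii
import re
from typing import Optional

# Constructed sample, one DNS query name per line, in the shape of
# `tshark -r capture.pcapng -Y dns -T fields -e dns.qry.name` output.
# The hex payload (a placeholder flag, not the real one) is split across
# the leading labels of queries to an assumed exfiltration domain.
SAMPLE_QUERIES = """\
www.example.com
4455435446.exfil.example.net
7b706c61.exfil.example.net
6365686f6c6465727d.exfil.example.net
ntp.example.org
"""
EXFIL_DOMAIN = "exfil.example.net"  # assumed; in practice take the capture's noisiest domain
HEX_LABEL = re.compile(r"^[0-9a-fA-F]+$")

def hex_prefix(flag_format: str = "DUCTF{") -> str:
    """Hex form of the flag prefix: the value to reverse search for in the capture."""
    return flag_format.encode().hex()

def extract_hex_payload(query_lines: str, exfil_domain: str) -> str:
    """Concatenate the leading hex label of every query under exfil_domain, in order."""
    chunks = []
    for name in query_lines.splitlines():
        name = name.strip().rstrip(".")
        if not name.endswith("." + exfil_domain):
            continue
        label = name[: -len(exfil_domain) - 1].split(".")[0]
        if HEX_LABEL.match(label) and len(label) % 2 == 0:
            chunks.append(label.lower())
    return "".join(chunks)

def recover_flag(query_lines: str, exfil_domain: str, flag_format: str = "DUCTF{") -> Optional[str]:
    """Locate the hex-encoded prefix on a byte boundary and decode up to the closing brace."""
    payload = extract_hex_payload(query_lines, exfil_domain)
    needle = hex_prefix(flag_format)
    start = payload.find(needle)
    while start != -1 and start % 2:  # an odd offset is not a byte-aligned match
        start = payload.find(needle, start + 1)
    if start == -1:
        return None
    decoded = binascii.unhexlify(payload[start:]).decode("ascii", "replace")
    end = decoded.find("}")
    return decoded if end == -1 else decoded[: end + 1]

if __name__ == "__main__":
    print(hex_prefix(), recover_flag(SAMPLE_QUERIES, EXFIL_DOMAIN))
```

On a real capture, feed it the query names exported with the tshark command in the comment and set the exfiltration domain to the one producing the unusual volume of lookups.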
4. Want to Play a Game?
We are provided with a .raw memdump to look for signs of malware; the flag consists of 3 parts: the malware name, its persistence folder and the origin of infection.
Checking for any persistence in the Software hive key, Volatility shows 2 processes, of which one is legit: the parent process Discord.exe storing Update.exe for updating itself whenever there is an update. The other is firefox.exe, but its directory is again named in the same convention we saw earlier.
Now, all we need is the origin of the infection. I tried using the cmdscan and consoles plugins, but they returned nothing. Next, I tried running the dlllist plugin on the drpbx.exe process, and got this:
So, our complete flag, using the format
DUCTF{lowerCaseMalwareName_persistenceName_originatingFolderName}
becomes:
DUCTF{jigsaw_firefox.exe_PJxhJQ9yUDoBF1188y}
Reversing
1. no strings
We can try the strings utility, but nothing comes up, so let’s open it up in Ghidra to look at the decompiled pseudo-code.
Alternatively, as suggested by a teammate, damaidec, you can just cat out the executable, but I recommend not doing that, as it can sometimes crash your shell.
OSINT
1. Who goes there?
We are given this domain, 646f776e756e646572.xyz, and asked to find out the phone number of the registrar.
We then use the whois lookup from their service (namecheap) to obtain the phone number.
Misc
1. General Skills Quiz
This required players to connect to the remote server using nc pwn-2021.duc.tf 31905, and within 30 seconds you must answer all the questions asked, which were very calculation-heavy.
I started writing an expect script but halfway through realized I cannot run bash commands from inside an expect script. Later, we solved it with a Python script, which in hindsight was way more efficient than some broken expect script. I’m only adding this one here because expect programming was fun to look at and tinker with.