DUCTF 2021 Write-ups

Nisarg Suthar
4 min read, Sep 26, 2021

This is going to be my write-up for some challenges from DownUnderCTF 2021.

We finished 130th, top 6.09%!

Official write-ups for all the challenges can be found here.

Forensics

1. Retro!

A very simple one to begin with: just extract the EXIF data for the flag.

DUCTF{sicc_paint_skillz!}

2. How to pronounce GIF

This .gif file was the prompt.

You can already see it’s a bunch of QR codes spliced together in a .gif file.

After extracting all the frames, we can join the matching frames by first sorting them into individual directories and then running convert * -append out.png in each one.

Some frames had an extra 1px garbage line, which I had to fix in Paint after joining them. Why, author, why?

This is what the 10 QR codes lead to.

As it says to f0ll0w 7h3 wh173 r4bb17, we can join the 2 strings nearest to the rabbits and get a base64 string to decode for the flag.

DUCTF{aM_1_haXX0r_n0w?}

3. That’s Not My Name

We have a .pcapng file which, on examination, seemed to have far more DNS entries than usual. That can be a telltale sign of DNS data exfiltration. So, after applying the dns filter in Wireshark, we can determine whether some sort of processed data was being sent out of the machine inside the tiny DNS packets.

Seems like the raw data was converted to hex for this exfiltration. There are more advanced ciphers that can be used for this to avoid detection, but this was an easy-level challenge, so they kept it simple. PacketWhisper is a good tool for data exfiltration and extraction if the cipher is known.

Now that we know the raw data was hex encoded, we can simply reverse search for the hex values of the flag format's prefix, in this case DUCTF{. This can be considered an unintended solution, found by a teammate, MM0X!

After getting a hit, we can simply copy the full flag in hex to decode.
DUCTF{c4t_g07_y0ur_n4m3}
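As an added example (not part of the original write-up), the Python below reproduces both steps described above on constructed DNS query names: search the raw names for the hex of the DUCTF{ prefix, and decode every hex-looking label in query order to reassemble the exfiltrated payload. The sample query names, the domain evil.example and all function names are assumptions.

```python
"""Spot hex-encoded DNS exfiltration in a list of DNS query names.

Added example, not code from the original write-up. In practice the input is
the qry.name column exported from Wireshark after applying the dns filter.
"""
import binascii
import re
from typing import List, Optional

HEX_LABEL = re.compile(r"^[0-9a-fA-F]+$")
FLAG_PREFIX = b"DUCTF{"

# Constructed sample: three queries carry hex("DUCTF{c4t_g07_y0ur_n4m3}")
# in chunks as leftmost labels, mixed in with ordinary lookups.
SAMPLE_QUERIES = [
    "www.example.com",
    "44554354467b6334745f673037.evil.example",
    "5f79307572.evil.example",
    "5f6e346d337d.evil.example",
    "api.github.com",
]


def hex_labels(qname: str, min_len: int = 8) -> List[str]:
    """Return labels of qname that look like hex payload chunks.

    A label counts only if it is long, even-length and purely hex digits,
    which keeps normal hostnames such as 'example' out of the result.
    """
    return [lbl for lbl in qname.split(".")
            if len(lbl) >= min_len and len(lbl) % 2 == 0 and HEX_LABEL.match(lbl)]


def find_prefix_queries(qnames) -> List[str]:
    """The write-up's trick: which queries contain hex('DUCTF{')?"""
    needle = binascii.hexlify(FLAG_PREFIX).decode()
    return [q for q in qnames if needle in q.lower()]


def reassemble(qnames) -> bytes:
    """Decode every hex-looking label in capture order and concatenate."""
    return b"".join(binascii.unhexlify(lbl) for q in qnames for lbl in hex_labels(q))


def find_flag(data: bytes) -> Optional[str]:
    """Pull a DUCTF{...} flag out of the reassembled payload, if present."""
    m = re.search(rb"DUCTF\{[^}]*\}", data)
    return m.group(0).decode() if m else None
```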

4. Want to Play a Game?

We are provided with a .raw memory dump to look for signs of malware. The flag consists of 3 parts: the malware name, its persistence folder and the origin of infection.

Running pstree in Volatility, we can find a weird process named drpbx.exe which doesn't follow the typical naming convention.
Some searching tells us that it is a process run by the Jigsaw ransomware.

Checking the Software hive for persistence keys, Volatility shows 2 entries. One is legitimate: the parent process Discord.exe storing Update.exe so it can update itself whenever there is an update. The other is firefox.exe, but its directory is again named in the same convention we saw earlier.

Notice how the folder is named with no vowels, just like the suspicious drpbx.exe from earlier.

Now, all we need is the origin of the infection. I tried using the cmdscan and consoles plugins, but they returned nothing. Next, I tried running the dlllist plugin against the drpbx.exe process, and got this:

The weird folder name, together with the notsuspicious.exe hint, seemed to be the origin folder.

So, our complete flag, using the format

DUCTF{lowerCaseMalwareName_persistenceName_originatingFolderName}

becomes:

DUCTF{jigsaw_firefox.exe_PJxhJQ9yUDoBF1188y}

Reversing

1. no strings

We're given an ELF executable, which is basically the Linux equivalent of a Windows .exe.

We can try the strings utility but nothing comes up, so let’s open it up in Ghidra, to look at the decompiled pseudo-code.

We can find the label flag here, and after following it in the machine code we can get its cross references (XREFs) and the address…
…which is DAT_00102008 here. Jumping there will reveal the flag.
DUCTF{stringent_strings_string}

Alternatively, as suggested by a teammate damaidec, you can just cat out the executable but I recommend not doing that as sometimes it can crash your shell.

OSINT

1. Who goes there?

We are given this domain, 646f776e756e646572.xyz, and have to find out the phone number of the registrar.

We can run a simple whois on the domain to obtain the registrar's URL.

And then use the whois lookup from their service (Namecheap) to obtain the phone number.

DUCTF{+61.420091337}

Misc

1. General Skills Quiz

This required players to connect to their remote server using nc pwn-2021.duc.tf 31905 and, within 30 seconds, answer all the questions asked, which involved a lot of calculation.

If you answer incorrectly, you get this jump-scare and have to start over.

I started writing an expect script but halfway through realized I cannot run bash commands from inside an expect script. Later, we solved it with a Python script, which in hindsight was way more efficient than some broken expect script. I'm only adding this one here because expect programming was fun to look at and tinker with.

DUCTF{you_aced_the_quiz!_have_a_gold_star_champion}
