BSides-Jeddah-CTF
Writeups to the BSides Jeddah CTF - 2021
Situation - BSides Jeddah
BSides Jeddah is coming up with a blueteam flavored CTF this year hosted by CyberDefenders. This will be a Jeopardy-style intermediate CTF with a few harder challenges, including network analysis, memory forensics, and malicious document analysis.
To get the latest updates, follow us on Twitter: @JeddahBsides, @CyberDefenders.
PS: Make sure to analyze files in an isolated/virtualized environment as some artifacts may be malicious.
Files
| File | Hash (SHA-1) |
|---|---|
| PCAP | 776f65caeb03d541202a7f86cc4e9834d06f5351 |
| MEMORYDUMP | 0c0a610a3d6be28d0c1de68a570aff750c7f1907 |
Compression password: J59fRMPxKCT3VEwB
- Category 1: Memory Dump
- Category 2: PCAP File
Q#1 What is the victim's MAC address? Format: XXXXXXXXXXXX
Weight: 50
A#1
The victim is 192.168.112.139 -> read the MAC from the Ethernet header of any packet sent to or received from that IP.
Flag: 000c29b7ca91
Q#2 What is the address of the company associated with the victim's machine MAC address?
Weight: 100
A#2
Look up the MAC address's OUI -> it belongs to VMware; the answer is the address of their HQ.
Flag: 3401 Hillview Avenue Palo Alto CA 94304 US
Q#3 What is the attacker's IP address? Format: 123.123.123.123
Weight: 50
A#3
Since the victim is .139, look at the source addresses of the traffic to the victim -> 192.168.112.128 stands out by far as the most active source and is our attacker.
Flag: 192.168.112.128
Q#4 What is the IPv4 address of the DNS server used by the victim machine?
Weight: 50
A#4
Apply the display filter "dns" and look at where the queries are sent.
Flag: 192.168.112.2
Q#5 What domain is the victim looking up in packet 5648?
Weight: 50
A#5
Go to packet 5648 and copy the queried domain name.
Flag: omextemplates.content.office.net
Q#6 What is the server certificate public key that was used in TLS session: 731300002437c17bdfa2593dd0e0b28d391e680f764b5db3c4059f7abadbb28e
Weight: 50
A#6
Wireshark Filter: ssl.handshake.type == 11
Packet 2739 is the correct packet. Expand TLS -> TLSv1.2 -> Handshake Protocol: Server Key Exchange -> EC Diffie-Hellman -> Pubkey.
Flag: 64089e29f386356f1ffbd64d7056ca0f1d489a09cd7ebda630f2b7394e319406
Q#7 What domain is the victim connected to in packet 4085?
Weight: 100
A#7
Go to packet 4085, follow the TCP stream and look for URLs/host names in the request.
Flag: v10.vortex-win.data.microsoft.com
Q#8 The attacker conducted a port scan on the victim machine. How many open ports did the attacker find?
Weight: 150
A#8
The port scan is a SYN scan: look for a SYN from the attacker, a SYN/ACK from the victim, another ACK from the attacker and then a RST/ACK from the attacker -> this reveals the following open ports: 25, 110, 135, 139, 143, 445 and 587.
Flag: 7
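The open-port logic described above, implemented as an added example (this is not code from the original writeup). It consumes the five fields one would export with `tshark -r capture.pcap -Y tcp -T fields -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport -e tcp.flags`; the sample lines embedded in the script are constructed for illustration and are not taken from the challenge pcap. It goes a little beyond the text by also separating closed ports (victim answered RST) from filtered ones (no answer at all), and by ignoring traffic on ports the attacker never probed.

```python
"""Infer the result of a SYN scan from TCP packet summaries.

Added example, not part of the original writeup. Input lines are the
tab-separated fields of:
  tshark -r capture.pcap -Y tcp -T fields -e ip.src -e ip.dst \
         -e tcp.srcport -e tcp.dstport -e tcp.flags
The sample below is constructed for illustration only.
"""

ATTACKER = "192.168.112.128"  # attacker IP from the writeup
VICTIM = "192.168.112.139"    # victim IP from the writeup

# TCP flag bits as encoded in tcp.flags
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

# Constructed sample: src, dst, sport, dport, flags
SAMPLE_TSHARK_OUTPUT = """\
192.168.112.128\t192.168.112.139\t40001\t25\t0x002
192.168.112.139\t192.168.112.128\t25\t40001\t0x012
192.168.112.128\t192.168.112.139\t40001\t25\t0x010
192.168.112.128\t192.168.112.139\t40001\t25\t0x014
192.168.112.128\t192.168.112.139\t40002\t80\t0x002
192.168.112.139\t192.168.112.128\t80\t40002\t0x014
192.168.112.128\t192.168.112.139\t40003\t8080\t0x002
192.168.112.128\t192.168.112.139\t40004\t445\t0x002
192.168.112.139\t192.168.112.128\t445\t40004\t0x012
192.168.112.128\t192.168.112.139\t40004\t445\t0x010
192.168.112.128\t192.168.112.139\t40004\t445\t0x014
192.168.112.139\t192.168.112.128\t443\t40005\t0x018
"""


def parse_tshark_line(line):
    """Split one tshark field line into (src, dst, sport, dport, flags_int)."""
    src, dst, sport, dport, flags = line.rstrip("\n").split("\t")
    return src, dst, int(sport), int(dport), int(flags, 16)


def classify_syn_scan(lines, attacker=ATTACKER, victim=VICTIM):
    """Classify every port the attacker probed with a bare SYN.

    open:     victim answered SYN/ACK (the decisive signal; the attacker's
              later ACK and RST/ACK only tear the connection down again)
    closed:   victim answered with RST
    filtered: no answer from the victim at all
    Returns a dict with sorted port lists under those three keys.
    """
    probed, synack, rst = set(), set(), set()
    for line in lines:
        if not line.strip():
            continue
        src, dst, sport, dport, flags = parse_tshark_line(line)
        if src == attacker and dst == victim and flags & SYN and not flags & ACK:
            probed.add(dport)
        elif src == victim and dst == attacker:
            if flags & SYN and flags & ACK:
                synack.add(sport)
            elif flags & RST:
                rst.add(sport)
    return {
        "open": sorted(probed & synack),
        "closed": sorted((probed & rst) - synack),
        "filtered": sorted(probed - synack - rst),
    }


if __name__ == "__main__":
    for state, ports in classify_syn_scan(SAMPLE_TSHARK_OUTPUT.splitlines()).items():
        print(f"{state:9s} {ports}")
```

On the constructed sample the script reports ports 25 and 445 as open, 80 as closed and 8080 as filtered; the stray PSH/ACK packet on port 443 is ignored because the attacker never sent a SYN to it. Run it against a real export by replacing the sample string with the lines from the tshark command in the docstring.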
Q#9 Analyze the pcap using the provided rules. What is the CVE number falsely alerted by Suricata? Format: CVE-XXXX-XXXXX
Weight: 50
A#9
I installed Suricata on my Kali VM, ran it on the pcap file -> grep the output for CVE.
Flag: CVE-2020-11899
Q#10 What is the command parameter sent by the attacker in packet number 2650?
Weight: 100
A#10
Look at packet 2650 -> the command is "EHLO kali", so the parameter is kali.
Flag: kali
Q#11 What is the stream number which contains email traffic?
Weight: 100
A#11
Follow the TCP stream from packet 2650: the stream number is shown both in the display filter Wireshark applies ("tcp.stream eq 1183") and at the top of the Follow TCP Stream window.
Flag: 1183
Q#12 What is the victim's email address?
Weight: 50
A#12
Find the email stream (question 11), follow the stream and read the address from the pop-up window.
Flag: joshua@cyberdefenders.org
Q#13 What was the time attacker sent the email? Format: HH:MM:SS
Weight: 100
A#13
Filter on stream 1183 and read the time from the email.
Flag: 12:31:54
Q#14 What is the version of the program used to send the email? Format: 2.30
Weight: 50
A#14
Look at the stream filtered in the previous questions -> the mailer identifies itself as Sendmail 1.56.
Flag: 1.56
Q#15 What is the MD5 hash of the email attachment?
Weight: 50
A#15
In the Follow TCP Stream window, show only the attacker -> victim direction, set the format to Raw, save it as email.eml, open it, extract the Word attachment -> run md5sum on the extracted file.
Flag: 55e7660d9b21ba07fc34630d49445030
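The triage of the saved .eml from questions 13 to 15 (send time, mailer string, attachment hash), as an added example that is not code from the original writeup. The message produced by `build_sample_eml()` is constructed for illustration: its addresses, date, `X-Mailer` value and attachment bytes are placeholders, not the values from the challenge capture. `triage_eml()` is what you would run on the file saved from Wireshark.

```python
"""Triage an .eml saved from Wireshark's Follow TCP Stream window.

Added example, not part of the original writeup. Everything produced by
build_sample_eml() is constructed: placeholder addresses, date, mailer
string and attachment bytes.
"""
import hashlib
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parsedate_to_datetime

# Constructed attachment content (stands in for the Word document)
SAMPLE_ATTACHMENT = b"PK\x03\x04 constructed placeholder, not a real document\n"
EXPECTED_MD5 = hashlib.md5(SAMPLE_ATTACHMENT).hexdigest()


def build_sample_eml() -> bytes:
    """Build a constructed message with one base64 attachment and serialize it."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Quote"
    msg["Date"] = "Tue, 09 Nov 2021 09:15:42 +0000"  # constructed timestamp
    msg["X-Mailer"] = "ExampleMailer 9.9"              # constructed mailer string
    msg.set_content("Please see the attached document.")
    msg.add_attachment(
        SAMPLE_ATTACHMENT,
        maintype="application",
        subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
        filename="quote.docx",
    )
    return msg.as_bytes()


def triage_eml(raw: bytes) -> dict:
    """Parse raw RFC 822 bytes; return sender, recipient, send time, mailer
    string and the MD5/SHA-1 of every attachment after decoding base64."""
    msg = message_from_bytes(raw, policy=policy.default)
    sent = parsedate_to_datetime(str(msg["Date"])) if msg["Date"] else None
    attachments = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True)  # undo the transfer encoding
        attachments.append({
            "filename": part.get_filename(),
            "content_type": part.get_content_type(),
            "size": len(data),
            "md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
        })
    return {
        "from": str(msg["From"]),
        "to": str(msg["To"]),
        "sent_time": sent.strftime("%H:%M:%S") if sent else None,
        "mailer": str(msg["X-Mailer"]) if msg["X-Mailer"] else None,
        "attachments": attachments,
    }


if __name__ == "__main__":
    # For a real capture: triage_eml(open("email.eml", "rb").read())
    for key, value in triage_eml(build_sample_eml()).items():
        print(f"{key}: {value}")
```

Hashing the decoded bytes, not the base64 text in the stream, is the point: the MD5 of the attachment only matches the on-disk file once the transfer encoding has been removed, which `get_payload(decode=True)` does.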
Q#16 What is the CVE number the attacker tried to exploit using the malicious document? Format: CVE-XXXX-XXXXX
Weight: 100
A#16
Upload the Word document to VirusTotal -> many detections and descriptions reference CVE-2021-40444.
Flag: CVE-2021-40444
Q#17 The malicious document file contains a URL to a malicious HTML file. Provide the URL for this file.
Weight: 100
A#17
Q#18 What is the LinkType of the OLEObject related to the relationship which contains the malicious URL?
Weight: 100
A#18
Extract the Word file from the email, unpack "web server.docx" with 7-Zip (a .docx is a ZIP archive) -> open the document.xml inside it and search for the string "LinkType".
Flag: EnhancedMetaFile
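The same check done programmatically, as an added example that is not code from the original writeup: open the .docx as a ZIP, list every relationship with `TargetMode="External"` (where the URL from question 17 would live) and join each `<o:OLEObject>` in document.xml to the relationship its `r:id` references, reporting its `LinkType`. The document produced by `build_sample_docx()` is constructed for illustration; the target URL and ProgID in it are placeholders, not the values from the challenge file.

```python
"""List external relationships and linked OLE objects in a .docx.

Added example, not part of the original writeup. A .docx is a ZIP archive:
relationships live in word/_rels/document.xml.rels, and linked OLE objects
appear in word/document.xml as <o:OLEObject> with an <o:LinkType> child.
The sample document built here is constructed; its URL is a placeholder.
"""
import io
import zipfile
import xml.etree.ElementTree as ET  # prefer defusedxml for untrusted files

NS_RELS = "http://schemas.openxmlformats.org/package/2006/relationships"
NS_R = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS_O = "urn:schemas-microsoft-com:office:office"
NS_W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"

PLACEHOLDER_URL = "http://example.invalid/placeholder.html"  # constructed

SAMPLE_RELS = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{NS_RELS}">
  <Relationship Id="rId1" Type="{NS_R}/styles" Target="styles.xml"/>
  <Relationship Id="rId5" Type="{NS_R}/oleObject" Target="{PLACEHOLDER_URL}" TargetMode="External"/>
</Relationships>"""

SAMPLE_DOCUMENT = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:document xmlns:w="{NS_W}" xmlns:o="{NS_O}" xmlns:r="{NS_R}">
  <w:body><w:p><w:r><w:object>
    <o:OLEObject Type="Link" ProgID="Package" ShapeID="_x0000_i1025"
                 DrawAspect="Content" r:id="rId5" UpdateMode="Always">
      <o:LinkType>EnhancedMetaFile</o:LinkType>
    </o:OLEObject>
  </w:object></w:r></w:p></w:body>
</w:document>"""


def build_sample_docx() -> bytes:
    """Write the two constructed parts into an in-memory ZIP (a minimal .docx)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", SAMPLE_DOCUMENT)
        zf.writestr("word/_rels/document.xml.rels", SAMPLE_RELS)
    return buf.getvalue()


def triage_docx(data: bytes) -> dict:
    """Return every relationship with TargetMode="External" and every
    <o:OLEObject>, joined to the relationship its r:id points at."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        rels_root = ET.fromstring(zf.read("word/_rels/document.xml.rels"))
        doc_root = ET.fromstring(zf.read("word/document.xml"))

    rels = {}
    for rel in rels_root.iter(f"{{{NS_RELS}}}Relationship"):
        rels[rel.get("Id")] = {
            "type": rel.get("Type", "").rsplit("/", 1)[-1],
            "target": rel.get("Target"),
            "external": rel.get("TargetMode") == "External",
        }
    external = [dict(id=rid, **r) for rid, r in rels.items() if r["external"]]

    ole_objects = []
    for ole in doc_root.iter(f"{{{NS_O}}}OLEObject"):
        rid = ole.get(f"{{{NS_R}}}id")
        link_type = ole.find(f"{{{NS_O}}}LinkType")
        ole_objects.append({
            "rid": rid,
            "type": ole.get("Type"),
            "prog_id": ole.get("ProgID"),
            "update_mode": ole.get("UpdateMode"),
            "link_type": link_type.text if link_type is not None else None,
            "target": rels.get(rid, {}).get("target"),
            "external": rels.get(rid, {}).get("external", False),
        })
    return {"external_relationships": external, "ole_objects": ole_objects}


if __name__ == "__main__":
    # For a real file: triage_docx(open("web server.docx", "rb").read())
    print(triage_docx(build_sample_docx()))
```

An internal relationship such as styles.xml is not reported, so on a clean document the `external_relationships` list is empty; a linked OLE object whose relationship is external and whose `UpdateMode` is `Always` is the pattern worth looking at first during triage.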
Q#19 What is the Microsoft Office version installed on the victim machine?
Weight: 100
A#19
Can be found in one of the User-Agent strings in the pcap.
Flag: 15.0.4517
Q#20 The malicious HTML contains a js code that points to a malicious CAB file. Provide the URL to the CAB file?
Weight: 50
A#20
Q#21 The exploit takes advantage of a CAB vulnerability. Provide the vulnerability name?
Weight: 100
A#21
Search for the CVE and you will find the name of the vulnerability.
Flag: ZipSlip
Q#22 The CAB file contains a malicious dll file. What is the tool used to generate the dll?
Weight: 50
A#22
If you upload the malicious DLL to VirusTotal, you get the answer: metasploit.
Flag: metasploit
Thanks to H-mmer for the hint!
Q#23 What is the path of malicious dll (msword.inf) after being dropped by the document file? Replace your username with IEUser
Weight: 150
A#23
Analyze word.html and the script inside it -> deobfuscate the links to find the drop path.
Flag: C:\Users\IEUser\Appdata\Local\Temp\msword.inf
Q#24 Analyzing the dll file, what is the API used to write the shellcode in the process memory?
Weight: 100
A#24
Load msword.inf in Cutter (or use strings) and look at the imported APIs.
Flag: WriteProcessMemory
Q#25 Extracting the shellcode from the dll file. What is the name of the library loaded by the shellcode?
Weight: 100
A#25
Look at packet 3561 inside the pcap.
Flag: wininet
Q#26 What is the port the attacker used to receive the reverse shell on?
Weight: 100
A#26
Looking through the pcap, you can see a large amount of traffic to port 443 from the attacker (17 MB in total).
Flag: 443