
CTFWriteup

Kaspersky CTF – help (Forensic 500)

We were given a memory dump. First, we get the image info to identify the image type:

[Screenshot: kaspersky-for-1]


It is Windows 7 x64. As usual, we check the running processes to find possible suspicious ones:

[Screenshot: kaspersky-for-2]

There are only two suspect processes: ‘Keepass.exe’ and ‘Cmd.exe’. The first one interested me more, so I should probably look for a ‘kdbx’ or ‘kdb’ file; I scanned the file list to get something to start with:

[Screenshot: kaspersky-for-3]

Yes, there it is. Let’s dump it. The password should be something well known, e.g. from ‘rockyou.txt’, or even numeric. I used my favorite password cracker to break it. It wasn’t in ‘rockyou.txt’. Then I tried digits, and again nothing! Hex-range characters! No luck! Lower-case letters! No luck! Really?!
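Before committing hours to a cracker it helps to read the database header, which states the cipher and the AES-KDF round count. The following carver is an added example (not part of the original writeup): it finds KDBX signatures in a raw memory or disk image and parses the outer header of each hit, skipping partial copies. The sample image bytes are constructed.

```python
import struct

# KeePass 2.x (KDBX) signature: the two little-endian uint32 magics as stored on disk
KDBX_MAGIC = b"\x03\xd9\xa2\x9a\x67\xfb\x4b\xb5"
AES_CIPHER_UUID = bytes.fromhex("31c1f2e6bf714350be5805216afc5aff")

def parse_kdbx_header(buf, off):
    """Parse the outer header of a KDBX 3.x/4.x file starting at buf[off]."""
    major = struct.unpack_from("<H", buf, off + 10)[0]   # version = minor:u16, major:u16
    size_fmt = "<BH" if major < 4 else "<BI"            # field size is u16 in 3.x, u32 in 4.x
    pos = off + 12
    hdr = {"offset": off, "version_major": major}
    while True:
        fid, size = struct.unpack_from(size_fmt, buf, pos)
        pos += struct.calcsize(size_fmt)
        data = buf[pos:pos + size]
        if len(data) != size:
            raise ValueError("truncated header")
        pos += size
        if fid == 0:                      # EndOfHeader
            break
        if fid == 2:                      # CipherID
            hdr["cipher"] = "AES-256" if data == AES_CIPHER_UUID else data.hex()
        elif fid == 6 and major < 4:      # TransformRounds (KDBX 3.x AES-KDF)
            hdr["transform_rounds"] = struct.unpack("<Q", data)[0]
    hdr["header_len"] = pos - off
    return hdr

def carve_kdbx_headers(image):
    """Find every KDBX signature in a raw memory/disk image and parse its header."""
    found, start = [], 0
    while (off := image.find(KDBX_MAGIC, start)) >= 0:
        try:
            found.append(parse_kdbx_header(image, off))
        except (struct.error, ValueError):
            pass                          # partial copy (e.g. cut off at the end of the image)
        start = off + 1
    return found

def _field(fid, data):                    # KDBX 3.x header field: id:u8, size:u16, data
    return struct.pack("<BH", fid, len(data)) + data

# Constructed sample image: junk, one complete KDBX 3.1 header, then a truncated signature
SAMPLE_IMAGE = (b"\x00" * 37 + KDBX_MAGIC + struct.pack("<HH", 1, 3)
                + _field(2, AES_CIPHER_UUID) + _field(3, struct.pack("<I", 1))
                + _field(4, bytes(range(32))) + _field(5, bytes(range(32, 64)))
                + _field(6, struct.pack("<Q", 6000)) + _field(7, bytes(16))
                + _field(0, b"\r\n\r\n") + b"\xff" * 20 + KDBX_MAGIC + b"\x01\x00")
```

On a real dump, pass the whole image (or a process memory dump) as `image`; a high `transform_rounds` value is what makes the brute-force attempts above slow.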

So, what now? I thought maybe ‘KeePass’ had the flag as an entry title, so I dumped the memory of ‘Keepass.exe’ and started looking at it as a raw image in GIMP. That was definitely the worst decision: it took about 2 hours to get a clear shot and I wasted my time:

[Screenshot: kaspersky-for-4]

The flag was not in the title, and I had to crack AES-256 with no idea about the password format or charset. I looked at ‘KeePass.config.xml’ and understood it used ‘Windows Account’ as authentication:

[Screenshot: kaspersky-for-5]

OK, so there had to be a trick or a ‘KeePass’ vulnerability. I Googled and got some useful information:

`It may be possible to recover a KeePass database whose Master Key includes a Windows User Account (WUA) if certain user data is available`

So I had to follow the routine step by step to open the database. At first I thought I had to find the user password (I still don’t know whether it is needed or not), so I tried every technique I could think of: mimikatz (failed), hashdump and then cracking (failed), and finally ‘lsadump’, which worked: the password was ‘you_need_another_key_to_pass_this_level’. The computer name was ‘WIN-GFCKT3R8MQ2’, the domain was ‘WORKGROUP’, and I also had ‘ProtectedUserKey.bin’. But something was still missing: the DPAPI master key, and recovering it was essential. I tried many times to dump it from ‘\Device\HarddiskVolume1\Users\user\AppData\Roaming\Microsoft\Protect\S-1-5-21-196189514-4237867838-3788442389-1000\7315eeac-ce04-46ff-87ac-4fc9cf1d41d3’, but it failed, so I tried an unusual way: I built a database and used its header to find the master key in memory:

[Screenshot: kaspersky-for-6]

Once I had found this way, the rest was simple; I had all I needed:

[Screenshot: kaspersky-for-7]

So I replicated the machine on my own box with everything I had. Now I had to use ‘DPAPI migration.reg’, which I will refer to at the end of the post, and finally ‘c:\windows\system32\dpapimig.exe’… And…

Failed!!

WTF!!

[Screenshot: kaspersky-for-8]

OK, I did that… And…

[Screenshot: kaspersky-for-9]

YEEESSS! It works!! First blood on Kaspersky’s forensic challenge.

It was a lot of fun and tricky, but I spent about 12 hours solving this task. If you’re reading the article and laughing because the secrets are now revealed: I was blind at every step and it was completely trial and error. This is it!

DPAPI migration.reg

Reference: https://sourceforge.net/p/keepass/wiki/Recover Windows User Account Credentials/

Ghaaf @ irGeeks

RC3 CTF – GoReverseMe

We were given a 64-bit ELF file and, as the file name suggests, it was a compiled Go binary. The binary does not need any runtime, hence it contains a great many functions, which makes reversing difficult.
I was looking for a pointer or an obvious place to start. After running the file, I saw the message “Specify the file to package as argv1, will overwrite, existing”.
I tried searching the strings with no success, so I looked for a function that handles output and found it: ‘fmt_Println’.
Searching for functions that call ‘fmt_Println’ led me to the address 0x40120C; I scrolled up and found ‘main_step1’, ‘main_step2’, ‘main_step3’ and ‘main_step4’. I set a breakpoint at the beginning of the function and ran the file. The following picture shows the argument check after the breakpoint is triggered:

[Screenshot: go-1]

Continuing the debugging by checking ‘main_step1’:

[Screenshot: go-2]

This function reads a region of memory and XORs it with 0x69, producing ‘golang-or-bust’; later I found out that this is the password for the protected Zip file.
Most of the work is done in ‘main_step2’: it reads the input file, encrypts it and compresses it into a Zip file. By tracing the ‘github_com_alexmullins_zip___FileHeader__SetPassword’ function, I found out that the password is ‘golang-or-bust’. Also, the exact code used in the program is copied from “github.com/alexmullins/zip”.
Finally it’s time to review ‘main_step4’ (ignoring ‘main_step3’). Here’s the algorithm used in this function:
1- Take the first and second byte
2- Subtract the first byte from the second
3- Replace the first byte with the result from step 2
4- Do it until the end of the file.

We have to reverse the above procedure, working from the end of the file back to the beginning. Here’s a quick script:

# Undo main_step4: walk from the last byte back to the first, adding each
# already-recovered byte to its predecessor (the forward pass stored the difference).
f = open('flag.enc', 'rb').read()
b = bytearray(f)
i = len(b) - 1
while i > 0:
    b[i-1] = (b[i] + b[i-1]) & 255
    i -= 1
# The last byte is never touched by step 4, so b now holds the whole original file.
open('flag.zip', 'wb').write(bytes(b))
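To double-check the reading of ‘main_step4’, here is an added round-trip example (not from the original post): the forward transform as the script above inverts it (each byte minus its successor, mod 256, with the last byte left untouched) together with its inverse, run over a constructed sample.

```python
def step4_forward(data: bytes) -> bytes:
    """main_step4 as the reversing script inverts it: each byte becomes
    (byte - next byte) mod 256, left to right; the last byte is left as is."""
    b = bytearray(data)
    for i in range(len(b) - 1):
        b[i] = (b[i] - b[i + 1]) & 255   # b[i + 1] is still the original value here
    return bytes(b)

def step4_inverse(data: bytes) -> bytes:
    """Undo step4: walk backwards, adding each recovered byte to its predecessor."""
    b = bytearray(data)
    for i in range(len(b) - 1, 0, -1):
        b[i - 1] = (b[i] + b[i - 1]) & 255   # b[i] has already been restored
    return bytes(b)

# Constructed sample: a fake local-file-header prefix stands in for the real zip
SAMPLE = b"PK\x03\x04" + bytes(range(250, 256)) + b"flag.txt"

def round_trip_ok(data: bytes) -> bool:
    """True when inverting the forward transform gives back every byte of data."""
    return step4_inverse(step4_forward(data)) == data
```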

The output Zip file needed repair, so I used WinRAR to fix it and got the flag with the password we acquired earlier:
RC3-GOLANG-BESTLANG-5435

Though I found the flag, it was late and we lost the 250 points because we were less than a minute late 🙁