The following paragraphs detail how the CTF can be solved, while fully recognizing there may be alternative solutions as well! If you solved them using a different approach, ping Devesh and let him know.
A text file named 'Grocery_List.txt' was provided for analysis.
The file's visible contents are trivial; however, it carries two distinct Alternate Data Streams (ADS):
- :Password:$DATA 76
"y|}-{.~5."}w*y--1),|w#-wn[kerYk'IIa-[kNb[n4NO^.i1}J+/g0M)oOd[pn](|-Oh(K!7
- :URL:$DATA 118
57Gx57G957G957G557G857GD57C457C457G557Gq57G857G957Gu57Gr57Gy57G357C357Gs57G457G257C457G057Ge57Gq57GB57GK57GN57G/57Gw
The URL stream is decoded by undoing ROT8000 and then Base64-decoding the result (the reverse of the order in which the layers were applied). The Password stream is decoded with ROT47 using a rotation amount of 24 rather than the default 47.
This results in the identification of the flag hadesctf{314211c1ff065a21dc7051fbd5823c0f2d57dfdc2f5cb7ca0e2dc98f6831fb77}.
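As an added illustration (not part of the original writeup or the challenge files), the Python below implements both decode chains generically: a rotation over an arbitrary alphabet, used as ROT47 with a non-default amount for the Password stream and as an un-rotate-then-Base64 decoder for the URL stream. The sample streams are constructed here, and the BMP code-point table is a stand-in for the rot8000 tool's own table of assigned code points, so the block reproduces the mechanism rather than rot8000's exact character mapping.

```python
import base64


def rotate(text: str, alphabet: str, shift: int) -> str:
    """Rotate every character of `text` that occurs in `alphabet` by `shift`
    positions (a negative shift undoes a positive one); characters outside
    the alphabet pass through unchanged."""
    index = {ch: i for i, ch in enumerate(alphabet)}
    size = len(alphabet)
    return "".join(alphabet[(index[ch] + shift) % size] if ch in index else ch
                   for ch in text)


# Printable ASCII 0x21..0x7E: 94 characters, so ROT47 is its own inverse.
ROT47_ALPHABET = "".join(chr(c) for c in range(0x21, 0x7F))

# Stand-in (assumption) for the rot8000 tool's code-point table: BMP code
# points from U+0020 up, minus the surrogate range. The rotation logic is the
# same; only the table differs, so this will not match rot8000 byte-for-byte.
BMP_ALPHABET = "".join(chr(c) for c in range(0x20, 0x10000)
                       if not 0xD800 <= c <= 0xDFFF)
BMP_HALF = len(BMP_ALPHABET) // 2


def decode_password_stream(encoded: str, amount: int = 24) -> str:
    """Undo a ROT47-style rotation that was applied with `amount` (24 here)."""
    return rotate(encoded, ROT47_ALPHABET, -amount)


def decode_url_stream(encoded: str) -> bytes:
    """Undo the ROT8000-style rotation first, then Base64: decode order is the
    reverse of the order in which the two layers were applied."""
    unrotated = rotate(encoded, BMP_ALPHABET, -BMP_HALF)
    return base64.b64decode(unrotated, validate=True)


def demo() -> tuple:
    """Build constructed sample streams (not the challenge's real ADS data),
    then decode them back: returns (decoded_url, decoded_password)."""
    url = b"https://example.invalid/collector"
    url_stream = rotate(base64.b64encode(url).decode(), BMP_ALPHABET, BMP_HALF)
    pw_stream = rotate("Gr0cery-L1st!", ROT47_ALPHABET, 24)
    return decode_url_stream(url_stream), decode_password_stream(pw_stream)


if __name__ == "__main__":
    print(demo())
```

On Windows the two streams themselves are read by opening the stream name directly, e.g. `open("Grocery_List.txt:URL", "rb")`; the decoders above then take that text as input.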
A file named 'setup' is provided for analysis. Running strings against it yields a false flag. Loading the file in a disassembler lists its functions, one of which matters: compare. It contains an XOR-encoded array and the key used on it; decoding the array results in the identification of the flag hadesctf{8504357666cde1a21f276da90299b5ddd0841b0aa59e089e5c9786}.
A forensic image is provided for analysis.
The first step is recognizing that the .vmx configuration file can be imported into a VMware hypervisor (e.g. VMware Workstation). Booting the VM, the following can be identified:
- The Documents folder contains two sensitive files, 'Market Strategy.xlsx' and 'Design Requirements.docx'; the .xlsx holds false flags on a hidden sheet.
- A file named 'collector' is present, and it indicates that the contents of the Downloads folder have been cleared.
- A file named 'server-private-key.pem' is also present; it is used to log into the server whose IP address is obfuscated inside the collector executable.
The collector file is analyzed next. Like setup, it holds the flag in an XOR-encoded array, but instead of describing how to decode it, the code describes how the array was encoded. Decoding therefore runs those steps in reverse: apply the subtraction to each observed byte first, then XOR the result with the key present in the same function.
This results in the identification of the flag hadestcf{bc569e8fb18544e3dc5e235492e82f0481dcc4266efb654445dcffbfe0c167c7}.
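Added example, not code from the writeup or from the challenge binaries: Python that undoes the repeating-key XOR described for 'setup' and the subtract-then-XOR chain described for 'collector', plus a known-plaintext shortcut that goes beyond the text (recovering the key from the fixed hadesctf{ prefix every flag shares). The key, the additive constant `delta` and the sample plaintext are constructed; the real binaries supply their own values, and the forward transform is only used here to build test data.

```python
from itertools import cycle


def xor_decode(data: bytes, key: bytes) -> bytes:
    """Undo a repeating-key XOR (the scheme described for 'setup')."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def sub_then_xor_decode(data: bytes, key: bytes, delta: int) -> bytes:
    """Undo 'XOR with key, then add delta' by reversing the steps: subtract
    delta from each observed byte (mod 256), then XOR with the key byte.
    `delta` is an assumed parameter; the collector binary carries its own
    constant next to the key."""
    if not key:
        raise ValueError("empty key")
    return bytes(((b - delta) & 0xFF) ^ k for b, k in zip(data, cycle(key)))


def xor_then_add_encode(plaintext: bytes, key: bytes, delta: int) -> bytes:
    """Forward transform, used only to build constructed test data."""
    return bytes(((p ^ k) + delta) & 0xFF for p, k in zip(plaintext, cycle(key)))


def recover_xor_key(data: bytes, known_prefix: bytes, key_len: int) -> bytes:
    """Known-plaintext shortcut (beyond the writeup): every flag starts with
    the same prefix, so if the key is no longer than that prefix, the first
    key_len bytes of (ciphertext XOR prefix) are the whole key."""
    if key_len > len(known_prefix):
        raise ValueError("prefix too short to recover the full key")
    return bytes(data[i] ^ known_prefix[i] for i in range(key_len))


# Constructed sample: a fake flag, a short key and an assumed delta of 7.
DEMO_KEY = b"K3y!"
DEMO_DELTA = 7
DEMO_PLAINTEXT = b"hadesctf{constructed-demo-not-a-real-flag}"
DEMO_XOR = bytes(p ^ k for p, k in zip(DEMO_PLAINTEXT, cycle(DEMO_KEY)))
DEMO_SUB_XOR = xor_then_add_encode(DEMO_PLAINTEXT, DEMO_KEY, DEMO_DELTA)

if __name__ == "__main__":
    print(xor_decode(DEMO_XOR, DEMO_KEY))
    print(sub_then_xor_decode(DEMO_SUB_XOR, DEMO_KEY, DEMO_DELTA))
    print(recover_xor_key(DEMO_XOR, b"hadesctf{", len(DEMO_KEY)))
```

The arrays pulled from the disassembler go in as `bytes(...)` literals; if the key is longer than the nine-byte prefix, `recover_xor_key` only gives the first nine key bytes and the rest must still be read from the binary.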
The extraction server can be logged into with the file 'server-private-key.pem' as user '934mptuv' (e.g. ssh -i server-private-key.pem 934mptuv@<server IP>); the username is determined through basic static analysis of the collector file.
Logging into the server, a random set of directories is observed, one of which contains a .git directory; its contents reveal the flag as well as the username portion of Thanatos's hadesenterprisesinc email address.
This results in the identification of the flag hadesctf{6bfdfdcb1bb5541744712def3a1f588aa67c202a26223a749d4cefdbe789c79f}.
A program (false_wiper) is provided for analysis; executing and disassembling it shows it is a simple "Hello, World!" executable.
However, two files are embedded in the executable: a pcap and an sslkeylog file. The challenge is to use the sslkeylog file to decrypt the HTTPS traffic in the pcap and so determine the flag: hadesctf{acc6f2140baf9cb0b40b8088e0d4166b78314958c22692a894c1ecf48e0330d1}.
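Added example (not the author's tooling): Python that carves an embedded pcap or pcapng and any SSLKEYLOGFILE lines out of an arbitrary binary by magic bytes, walking the capture's record structure to find where it ends rather than guessing a length. The input blob is constructed in build_demo_blob(); the carved output is what you would hand to Wireshark or tshark.

```python
import re
import struct
from typing import Dict, List, Tuple

# Classic pcap stores its magic in the writer's byte order (microsecond or
# nanosecond variants). A pcapng Section Header Block type reads the same in
# either order, so the byte-order magic inside the block decides endianness.
PCAP_LE = {b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"}
PCAP_BE = {b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"}
PCAPNG_SHB = b"\x0a\x0d\x0d\x0a"
PCAPNG_BOM = {b"\x4d\x3c\x2b\x1a": "<", b"\x1a\x2b\x3c\x4d": ">"}
MAX_SNAPLEN = 262144  # sanity bound on a single packet record

# Lines Wireshark accepts in an SSLKEYLOGFILE (TLS 1.2 and TLS 1.3 labels).
KEYLOG_RE = re.compile(
    rb"(?:CLIENT_RANDOM|CLIENT_EARLY_TRAFFIC_SECRET|CLIENT_HANDSHAKE_TRAFFIC_SECRET"
    rb"|SERVER_HANDSHAKE_TRAFFIC_SECRET|CLIENT_TRAFFIC_SECRET_0|SERVER_TRAFFIC_SECRET_0"
    rb"|EXPORTER_SECRET) [0-9a-fA-F]{64} [0-9a-fA-F]+"
)


def classic_pcap_length(blob: bytes, off: int) -> int:
    """Walk packet records after the 24-byte global header at `off` and return
    how many bytes the embedded capture spans (0 if no record parses)."""
    endian = "<" if blob[off:off + 4] in PCAP_LE else ">"
    pos = off + 24
    while pos + 16 <= len(blob):
        _sec, _frac, incl_len, orig_len = struct.unpack(endian + "IIII", blob[pos:pos + 16])
        if incl_len == 0 or incl_len > MAX_SNAPLEN or incl_len > orig_len:
            break
        if pos + 16 + incl_len > len(blob):
            break
        pos += 16 + incl_len
    return pos - off if pos > off + 24 else 0


def pcapng_length(blob: bytes, off: int) -> int:
    """Walk pcapng blocks (type, total length, body, total length again) from
    the Section Header Block at `off`; return 0 if the SHB is not valid."""
    endian = PCAPNG_BOM.get(blob[off + 8:off + 12])
    if endian is None:
        return 0
    pos = off
    while pos + 12 <= len(blob):
        _btype, total = struct.unpack(endian + "II", blob[pos:pos + 8])
        if total < 12 or total % 4 or pos + total > len(blob):
            break
        (trailer,) = struct.unpack(endian + "I", blob[pos + total - 4:pos + total])
        if trailer != total:
            break
        pos += total
    return pos - off if pos - off >= 28 else 0


def carve(blob: bytes) -> Dict[str, List[Tuple[int, bytes]]]:
    """Return {'pcap': [(offset, data), ...], 'keylog': [(offset, line), ...]}
    for every capture file and key-log line found inside `blob`."""
    found: Dict[str, List[Tuple[int, bytes]]] = {"pcap": [], "keylog": []}
    off = 0
    while off + 4 <= len(blob):
        magic = blob[off:off + 4]
        length = 0
        if magic in PCAP_LE or magic in PCAP_BE:
            length = classic_pcap_length(blob, off)
        elif magic == PCAPNG_SHB:
            length = pcapng_length(blob, off)
        if length:
            found["pcap"].append((off, blob[off:off + length]))
            off += length  # skip the capture so its packet payloads are not rescanned
        else:
            off += 1
    for m in KEYLOG_RE.finditer(blob):
        found["keylog"].append((m.start(), m.group(0)))
    return found


def build_demo_blob() -> bytes:
    """Constructed stand-in for the false_wiper executable: ELF-like junk, a
    two-record little-endian pcap, a greeting string, one keylog line, junk."""
    global_hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    pkt1, pkt2 = b"\xaa" * 60, b"\xbb" * 42
    rec1 = struct.pack("<IIII", 1700000000, 0, len(pkt1), len(pkt1)) + pkt1
    rec2 = struct.pack("<IIII", 1700000001, 0, len(pkt2), len(pkt2)) + pkt2
    keylog = b"CLIENT_RANDOM " + b"11" * 32 + b" " + b"22" * 48 + b"\n"
    return (b"\x7fELF" + b"\x00" * 64 + global_hdr + rec1 + rec2
            + b"Hello, World!\n" + keylog + b"\x90" * 16)


def build_demo_pcapng() -> bytes:
    """A minimal little-endian pcapng Section Header Block (28 bytes)."""
    return struct.pack("<IIIHHqI", 0x0A0D0D0A, 28, 0x1A2B3C4D, 1, 0, -1, 28)


if __name__ == "__main__":
    for kind, items in carve(build_demo_blob()).items():
        for offset, data in items:
            print(f"{kind} at offset {offset}: {len(data)} bytes")
```

With the carved capture and key-log lines written to disk, `tshark -r capture.pcap -o tls.keylog_file:sslkeylog.txt -Y http` decrypts the TLS sessions whose secrets appear in the log and leaves only the HTTP layer to read; the same preference is set in Wireshark under the TLS protocol settings.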
Access to a docker container is provided, which contains a single executable, wiper. The source code is embedded in the executable, which offers hints into the program workflow. Analysis of this workflow shows that, to print the flag placed at /root/flag.txt, the dynamic value generated by the rand() function has to be "fixed" in the register.
A note to participants points out that they have gdb with sudo privileges, which lets them set register values as they wish (in this case, to match the value generated by rand()). Thus, the flag is identified to be:
hadesctf{809f21428001f8ccecaa47313d660ee22c986c0085045da3ec27310512fda6e6}
An email thread is provided, from which a binary is to be extracted. Using the symmetric key present in the cloned image of Thanatos's system, it is possible to decrypt the file into an image. The image carries a Location tag whose value, in Citrix encoding, holds the geolocation coordinates.
The coordinates point to a physical location on campus where an individual will tell the team Thanatos's password if the correct passphrase is stated. The flag is the geolocation coordinates extracted from the image.
Once the password is identified, the winning team can roll back the changes made to the victim's website!