IIUC CyberCon 2022, a CTF competition, was organized by the IIUC Cyber Analyst Team (CyberWiz) and sponsored by KSRM. The event was held on 24 January, 2022, on-site at the IIUC Campus. Huge thanks to the organizing team members, Amir Hamza, Ansar Uddin, Tasdir Ahmmed, Rasel Bhuiyan and Jawad Mahdi.
The main objective of this event is to encourage students to develop their skills, to train and exercise both intellectual and practical abilities in the Cyber Security field — as future specialists.
Here are the write-ups for some of the challenges that I was able to collect with proper descriptions.
Binary Challenges —
1. Chall0x00
We have a binary file here named ‘chall0x00’.
At first I executed the file but no output was given. So I tried to read the printable characters from the binary using strings chall0x00.
As we can see, the binary was packed with ‘upx’. So, I unpacked it with upx -d chall0x00.
Now, I opened the binary file with gdb. You can use ‘Ghidra’ or ‘IDA Freeware’, but I used gdb as this was a simple binary.
gdb chall0x00
Now, I just disassembled the main function to see what’s going on in its little binary world... Ok, bad joke, haha.
Aaaand we got a bunch of hex values, 0x49 0x49 0x55 and so on. Now if we decode the hex values we get the flag. See, too simple, innit?
flag : IIUC{Upx_H1d3_Th3_Fl4g}
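The hex values above are the flag bytes being written one at a time into main’s stack frame. The script below is an added example (not part of the original write-up) that pulls those immediates out of gdb’s Intel-syntax listing and reassembles them in memory order; it assumes an x86-64 binary with one byte per mov relative to rbp, and the sample listing it builds for itself is constructed, not the real chall0x00 output.

```python
import re

# Matches the byte stores gdb prints in Intel syntax, e.g.
#   mov    BYTE PTR [rbp-0x30],0x49
STORE_RE = re.compile(r"mov\s+BYTE PTR \[rbp-0x(?P<off>[0-9a-f]+)\],0x(?P<val>[0-9a-f]{1,2})")

def recover_stack_string(disasm: str) -> str:
    """Collect every immediate byte written into the stack frame and rebuild
    the string in memory order (largest rbp offset = lowest address = first
    character), stopping at the NUL terminator."""
    stores = {}
    for line in disasm.splitlines():
        m = STORE_RE.search(line)
        if m:
            stores[int(m.group("off"), 16)] = int(m.group("val"), 16)
    data = bytes(stores[off] for off in sorted(stores, reverse=True))
    return data.split(b"\x00", 1)[0].decode("ascii", errors="replace")

def make_sample_listing(text: str) -> str:
    """Constructed stand-in for `disassemble main` on chall0x00 (assumption:
    one mov per byte starting at rbp-0x30). The stores are deliberately
    emitted out of order, as a compiler may do, to show why sorting matters."""
    encoded = text.encode() + b"\x00"
    lines = ["   0x0000000000401136 <+0>:\tpush   rbp",
             "   0x0000000000401137 <+1>:\tmov    rbp,rsp"]
    for i in sorted(range(len(encoded)), key=lambda i: (i % 3, i)):
        lines.append(f"   0x{0x40113a + 4 * i:016x} <+{4 + 4 * i}>:\t"
                     f"mov    BYTE PTR [rbp-0x{0x30 - i:x}],0x{encoded[i]:02x}")
    lines.append("   0x00000000004011a0 <+106>:\tpop    rbp")
    return "\n".join(lines)

if __name__ == "__main__":
    print(recover_stack_string(make_sample_listing("IIUC{Upx_H1d3_Th3_Fl4g}")))
```

To use it on the real binary, paste the output of gdb’s disassemble main into recover_stack_string.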
2. Chall0x01
Unlike the previous challenge, this one required some very basic knowledge of gdb.
So, we have a binary file named chall0x01. And, like always, I executed it and, not to make it too easy, there was no output.
So, again, I used strings chall0x01 to read the printable characters from the binary, and we can see that it was written in Golang.
Ok, let’s open it with gdb.
Let’s check what functions/methods are defined in the binary.
info functions revealed two interesting functions — main.main and main.printFlag.
Now, if we disassemble the main.main function, we can see the call instruction for the main.printFlag function there.
We didn’t get any output when we executed the binary, but no matter: if we set a breakpoint in the main function and jump to the printFlag function, we’ll probably get the flag. Let’s try that.
So, we set a breakpoint at main with b main.main and then r to run the binary. When it hit the breakpoint, we gave a jump instruction with j main.printFlag.
And, voila, there’s the flag.
flag : IIUC {C0ngr4ts_Y0u_G0t_Th3_Fl4g}
These challenges covered the very basics of approaching a reverse engineering CTF, or analyzing a binary file with gdb, for newbies.
Network Challenges —
Questions -
- Q1: Which tools did the attacker use to find the vulnerability?
- Q2: Which port is running the vulnerable service?
- Q3: Which tools / framework did the attacker use to get access to the victim machine?
- Q4: What is the root flag?
- Q5: The attacker created a directory and a file; what were they? Flag format: IIUC{Dir, file.ext}
- Q6: How many packets were captured in this file?
- Q7: Which vulnerability was used by the attacker to take control of the victim machine?
Flags -
- IIUC{nmap}
- IIUC{8080}
- IIUC{metasploit}
- IIUC{D0N7_U53_Kn0wN_VuLn3r4BiL17y}
- IIUC{hacked, easy_exploit}
- IIUC{ 14695}
- IIUC{ProFTPD 1.3.3c}
Pcap analysis Images -
1st flag : In network image-1, we can see that the attacker used the nmap scripting engine (NSE) to find the vulnerability. Look here and here for more.
2nd flag : In network image-1, we see that ProFTPD is using port 8080.
7th flag : In network image-1, we can see that the attacker found a vulnerable version of ProFTPD and used it to exploit the victim machine. Details on ProFTPD 1.3.3c. So, this is the 7th flag.
Then we get the rest of our flags from TCP stream 1068.
3rd flag : Well, I attached a link in the ‘7th flag’ explanation; there we can see that the attacker was able to exploit this using the Metasploit framework. The question was which tool / framework. So, you get it, right?
5th flag : In network image-2, we can see that the attacker created a directory called ‘hacked’ and created a file named ‘easy_exploit’.
4th flag : In network image-3, we can see the root flag.
6th flag : The 6th question asks for the total number of packets captured.
These challenges covered some of the basics of pcap file analysis for the absolute beginners.
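Two of the questions above (total packet count, and which port the vulnerable service listened on) can be answered without Wireshark by walking the pcap file directly. The following is an added example, not code from the write-up: a minimal classic-pcap reader in standard-library Python that counts records and tallies the destination ports that received a bare SYN, which is what a port scan such as nmap’s produces. The capture it parses is constructed in memory (three packets between made-up 192.168.47.x hosts), not the competition’s file, and only little-endian pcap over Ethernet is handled.

```python
import struct
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4  # classic little-endian pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1

def build_sample_pcap() -> bytes:
    """Constructed capture (not the competition's pcap): three TCP packets from
    a 'scanner' to a 'victim', two SYNs (to 8080 and 80) and one PSH/ACK."""
    def tcp_packet(src_port, dst_port, flags):
        eth = b"\x00" * 12 + b"\x08\x00"  # dst MAC, src MAC, EtherType IPv4
        tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 0, 5 << 4, flags, 8192, 0, 0)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                         bytes([192, 168, 47, 129]), bytes([192, 168, 47, 130]))
        return eth + ip + tcp
    pkts = [tcp_packet(41000, 8080, 0x02), tcp_packet(41001, 80, 0x02),
            tcp_packet(41000, 8080, 0x18)]
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, p in enumerate(pkts):
        out += struct.pack("<IIII", 1642982400 + i, 0, len(p), len(p)) + p
    return out

def pcap_summary(data: bytes):
    """Walk the pcap record by record: total packet count (Q6) and a tally of
    destination ports that received a bare SYN (Q2-style service discovery)."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("only classic little-endian pcap is handled here")
    linktype, = struct.unpack_from("<I", data, 20)
    pos, count, syn_ports = 24, 0, Counter()
    while pos + 16 <= len(data):
        incl_len, = struct.unpack_from("<I", data, pos + 8)
        pkt = data[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        count += 1
        # Ethernet (14) + minimal IPv4 (20): anything shorter cannot carry TCP.
        if linktype != LINKTYPE_ETHERNET or len(pkt) < 34 or pkt[12:14] != b"\x08\x00":
            continue
        ihl = (pkt[14] & 0x0F) * 4
        if pkt[23] != 6 or len(pkt) < 14 + ihl + 20:  # not TCP, or truncated
            continue
        tcp = pkt[14 + ihl:]
        dst_port, = struct.unpack_from("!H", tcp, 2)
        if tcp[13] & 0x02 and not tcp[13] & 0x10:  # SYN set, ACK clear
            syn_ports[dst_port] += 1
    return count, syn_ports

if __name__ == "__main__":
    total, ports = pcap_summary(build_sample_pcap())
    print(total, dict(ports))
```

On a real capture, read the file into bytes and pass it to pcap_summary; the port with by far the most SYNs from one host is usually the scanner’s target of interest.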
OSINT —
Chall_Name: Let Me Back
Title: Hi there, I’m someone of this crazy world. You’ll never get my name, but I can give a hint. I’m ‘knownuser1337’.
Ok, when I saw this username, two social media platforms came to my mind, Instagram and Twitter. So, I started with Twitter and I found a base64 encoded string in his tweet. Decoding the string gave me a blog post link.
We can see a post there, and my first thought was that maybe it’s an ‘edited previous/original post’ type of thing. I have solved similar challenges before, so I checked the link with the Wayback Machine.
I checked the very first snapshot, 10 Jan, 2022.
It was the same post, but viewing the source code reveals the flag, which was obviously hidden with white-coloured text on a white background.
Flag : IIUC{50M3_71M3_W4y64cKURL_C4N_63_V3rY_U53FU11}
Cryptography : QR Code challenge —
Challenge name — Unknown Code
This challenge provided 13220 PNG QR code images in a zip file.
So, after unzipping it, I scanned all the QR code images using a simple one-line bash script:
for i in {1..13220}; do zbarimg $i.png; done | cut -d ":" -f 2 > QrcodeValue.txt
I got some number values like this -
It looks like the octal number system, maybe. After arranging the numbers as in the image below, I decoded it with CyberChef.
I got a message to decode a certain string to get the flag.
So, using CyberChef, I decoded the message and got the flag.
The method can be from hex to base64 or from hex to PEM.
Web —
Chal_Name: The Recorder
Title: There is a flag in this subdomain. Someone recorded the flag from this domain: cybercon.iiuc.ac.bd. Can you find the flag from this website…?
Just a simple nslookup -
Forensics
So, we have a case.mem file, and I will be using Volatility 2 to analyze it.
You can use this link to install Volatility: How to install Volatility.
F-1 :
To get the information I will use the imageinfo plugin of Volatility. This plugin gives information about the image, including the suggested operating system and image type (service pack), the number of processors, and the date and time of the image.
Flag: IIUC{Win7SP1x64}
F-2 :
To list all the processes from the mem file, we can use the pslist plugin and grep for the PID to get the specific process name.
Flag : IIUC{FTK Imager.exe}
F-3 :
To see the command history I can use the cmdscan plugin.
I got a string, and after decoding it there’s the flag.
F-4 :
To see the parent process ID, the pstree plugin will be helpful.
A simple Google search about sass.exe tells us it is a Troj/Funsta-A Trojan. So, this must be the malicious software.
flag: IIUC{1220}
F-5 : [Will be updated later]
F-6 :
So, to get this flag we can use the netscan plugin.
We can see here that a connection has been established between the local (victim) and foreign (attacker) machines, and the foreign address is 192.168.47.129.
Flag : IIUC{192.168.47.129}
F-7 :
Okay, this one’s kinda tricky, because we need to dump not just the executable, here notepad.exe, but also its contents in the virtual address space present in memory. It can be done using memdump.
In short, using memdump, we can capture the memory associated with a particular process so that we can then inspect its contents. After that we will use strings and grep to get the flag.
So first, find the notepad process and its pid. Then, use the process id to dump its memory contents, and then just a simple strings and grep.
flag: IIUC{s3cur1ty_1s_an_illus10n}
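One check worth having at the strings-and-grep step: Notepad keeps its edit buffer in UTF-16, so the text you typed into it sits in memory as letters interleaved with NUL bytes, which a plain strings (ASCII only) never prints; strings -el is the command-line equivalent of looking for that encoding. The script below is an added example, not code from the write-up, that searches a raw memdump output for flag-shaped strings in both encodings; the dump it scans is constructed in memory (binary filler plus a labelled decoy and the flag in UTF-16LE), and whether the real dump held the flag as ASCII or UTF-16 is not stated on the page.

```python
import re

# ASCII form, the one `strings | grep IIUC` would catch.
FLAG_ASCII_RE = re.compile(rb"IIUC\{[^}\x00]{1,64}\}")
# UTF-16LE form: every character is followed by a NUL byte. Notepad keeps its
# edit buffer in UTF-16, so a plain `strings` (ASCII only) may never show it;
# `strings -el` is the equivalent on the command line.
FLAG_UTF16_RE = re.compile(rb"I\x00I\x00U\x00C\x00\{\x00(?:[^}\x00]\x00){1,64}\}\x00")

def find_flags(dump: bytes):
    """Return (encoding, offset, flag) for every flag-shaped string in a raw
    process memory dump, in either encoding, ordered by offset."""
    found = [("ascii", m.start(), m.group().decode("ascii"))
             for m in FLAG_ASCII_RE.finditer(dump)]
    found += [("utf-16le", m.start(), m.group().decode("utf-16-le"))
              for m in FLAG_UTF16_RE.finditer(dump)]
    return sorted(found, key=lambda t: t[1])

def build_sample_dump() -> bytes:
    """Constructed stand-in for `memdump -p <notepad pid>` output: binary
    filler, a decoy ASCII flag, and the real flag as Notepad stores it."""
    filler = bytes(range(256)) * 4
    return (filler + b"IIUC{not_the_real_flag}" + filler
            + "IIUC{s3cur1ty_1s_an_illus10n}".encode("utf-16-le") + filler)

if __name__ == "__main__":
    for encoding, offset, flag in find_flags(build_sample_dump()):
        print(f"{offset:#010x} {encoding:9} {flag}")
```

For a real dump, open the .dmp file in binary mode and pass its bytes to find_flags; the offsets let you go back to the dump with a hex viewer to see what surrounds each hit.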
[N.B.: These are some challenges I was able to collect from the participants, and if I get the rest of them, I will add the write-ups here in future, inshaAllah.]
Assalamu Alaikum wa rahmatullah.