IIUC CyberCon 2022 CTF Write-ups

0xRobin
8 min read · Jan 28, 2022

IIUC CyberCon 2022, a CTF competition, was organized by the IIUC Cyber Analyst Team (CyberWiz) and sponsored by KSRM. The event was held on 24 January 2022, on-site at the IIUC campus. Huge thanks to the organizing team members: Amir Hamza, Ansar Uddin, Tasdir Ahmmed, Rasel Bhuiyan and Jawad Mahdi.

The main objective of the event was to encourage students to develop their skills, and to train and exercise both the intellectual and the practical abilities needed in the cyber security field, as future specialists.

Prize Ceremony event of IIUC CyberCon 2022

Here are write-ups for the challenges I was able to collect, with proper descriptions.

Binary Challenges —

1. Chall0x00

We have a binary file named chall0x00.

At first I executed the file, but it produced no output. So I listed the printable strings in the binary with strings chall0x00.

As we can see, the binary was packed with UPX (the packer leaves its "UPX!" marker in the file, which is what strings shows). So I unpacked it with upx -d chall0x00.

Next, I opened the binary in gdb. You can use Ghidra or IDA Freeware, but I used gdb as this was a simple binary.

gdb chall0x00

Now I just disassembled the main function to see what's going on in its little binary world. OK, bad joke, haha.

And we got a bunch of single-byte immediates, 0x49 0x49 0x55 and so on, being written to the stack one at a time. Decoding the hex values as ASCII (0x49 = I, 0x55 = U, 0x43 = C) gives the flag. See, too simple, innit?

flag : IIUC{Upx_H1d3_Th3_Fl4g}
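The decoding step above is easy to do by hand for a handful of bytes, but compilers often emit the same kind of stack string as a mix of 1-, 2-, 4- and 8-byte immediates, sometimes out of order, so a small script that reassembles them by stack offset is handy. The following is an added example, not code from the original write-up: it parses gdb's AT&T-syntax disassembly for mov-immediate-to-stack instructions, orders the bytes by their frame offset, and also checks a file for the UPX marker that strings revealed in the first step. The disassembly listing is constructed for illustration, not the real chall0x00 output.

```python
import re

# Constructed sample of `disassemble main` output from gdb (AT&T syntax), not the
# real listing from chall0x00: the string is built on the stack one immediate at
# a time, which is what a "bunch of hex values" in a disassembly usually means.
SAMPLE_DISASM = """\
   0x0000000000401126 <+0>:\tpush   %rbp
   0x0000000000401127 <+1>:\tmov    %rsp,%rbp
   0x000000000040112a <+4>:\tmovb   $0x49,-0x20(%rbp)
   0x000000000040112e <+8>:\tmovb   $0x49,-0x1f(%rbp)
   0x0000000000401132 <+12>:\tmovb   $0x55,-0x1e(%rbp)
   0x0000000000401136 <+16>:\tmovb   $0x43,-0x1d(%rbp)
   0x000000000040113a <+20>:\tmovb   $0x7b,-0x1c(%rbp)
   0x000000000040113e <+24>:\tmovb   $0x64,-0x1b(%rbp)
   0x0000000000401142 <+28>:\tmovb   $0x7d,-0x1a(%rbp)
   0x0000000000401146 <+32>:\tmovb   $0x0,-0x19(%rbp)
   0x000000000040114a <+36>:\tpop    %rbp
   0x000000000040114b <+37>:\tret
"""

# mov{b,w,l,q} $imm, off(%rbp|%rsp): the width suffix says how many bytes the
# immediate covers; wider stores are little-endian, so 0x43554949 is "IIUC".
# (Strings moved through a register, e.g. movabs + mov %rax, are not handled.)
MOV_IMM = re.compile(r"mov([bwlq])\s+\$0x([0-9a-f]+),(-?0x[0-9a-f]+)\(%r[sb]p\)")
WIDTH = {"b": 1, "w": 2, "l": 4, "q": 8}


def recover_stack_string(disasm: str) -> str:
    """Rebuild a NUL-terminated string that was written to the stack with immediates."""
    cells = {}
    for m in MOV_IMM.finditer(disasm):
        width = WIDTH[m.group(1)]
        value = int(m.group(2), 16) & ((1 << (8 * width)) - 1)
        base = int(m.group(3), 16)            # negative frame offsets parse fine
        for i, byte in enumerate(value.to_bytes(width, "little")):
            cells[base + i] = byte
    out = bytearray()
    for off in sorted(cells):                 # lowest address first = string order
        if cells[off] == 0:
            break
        out.append(cells[off])
    return out.decode("ascii", errors="replace")


def looks_upx_packed(blob: bytes) -> bool:
    """The UPX stub leaves 'UPX!' (and the UPX0/UPX1 section names) in the packed
    file; this is the marker that `strings chall0x00` exposed."""
    return b"UPX!" in blob or b"UPX0" in blob


if __name__ == "__main__":
    print(recover_stack_string(SAMPLE_DISASM))
```

Paste the real output of `disassemble main` into `recover_stack_string` and it returns the flag as a string; if the result is empty, the string is probably loaded through a register or from .rodata instead, and `x/s` on the referenced address in gdb is the quicker route.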

2. Chall0x01

Unlike the previous challenge, this one required some very basic knowledge of gdb.

So, we have a binary file named chall0x01. As always, I executed it first and, to make it too easy, there was no output.

So again I used strings chall0x01 to list the printable strings, and we can see that it was written in Go.

Ok, let’s open it with gdb .

Let's check which functions/methods are defined in the binary.

info functions revealed two interesting functions: main.main and main.printFlag.

Now, if we disassemble main.main, we can see the call instruction for main.printFlag there.

We didn't get any output when we ran the binary, so that call is evidently never reached. No matter: if we set a breakpoint in main.main and jump to printFlag from there, we'll probably get the flag. Let's try that.

So we set a breakpoint at main with b main.main and then r to run the binary. When it hit the breakpoint, we jumped into the function with j main.printFlag. (gdb asks for confirmation because the target lies outside the current function; since jump sets up no call frame, this trick is reliable only for simple functions that take no arguments, like this one.)

And, voila, there’s the flag.

flag : IIUC {C0ngr4ts_Y0u_G0t_Th3_Fl4g}

These challenges covered the very basics of approaching a reverse-engineering CTF task, or analyzing a binary with gdb, for newbies.

Network Challenges —

Questions -

  1. Q1: Which tools did the attacker use to find the vulnerability?
  2. Q2: Which port is running the vulnerable service?
  3. Q3: Which tool/framework did the attacker use to get access to the victim machine?
  4. Q4: What is the root flag?
  5. Q5: The attacker created a directory and a file; what were they? (Flag format: IIUC{Dir, file.ext})
  6. Q6: How many packets were captured in this file?
  7. Q7: Which vulnerability was used to take control of the victim machine?

Flags -

  1. IIUC{nmap}
  2. IIUC{8080}
  3. IIUC{metasploit}
  4. IIUC{D0N7_U53_Kn0wN_VuLn3r4BiL17y}
  5. IIUC{hacked, easy_exploit}
  6. IIUC{ 14695}
  7. IIUC{ProFTPD 1.3.3c}

Pcap analysis Images -

1st flag: In network image-1, we can see that the attacker used the Nmap Scripting Engine (NSE) to find the vulnerability.

2nd flag: In network image-1, we see that ProFTPD is listening on port 8080 rather than its default port 21.

7th flag: In network image-1, we can see that the victim was running a vulnerable version of ProFTPD and that the attacker exploited it. ProFTPD 1.3.3c is the release whose source tarball was trojaned in 2010; the backdoor hands out a root shell on a crafted HELP command, which is why the root flag comes so cheaply. So, this is the 7th flag.

network image-1

The rest of the flags come from TCP stream 1068 (Follow TCP Stream in Wireshark).

3rd flag: As mentioned in the 7th flag's explanation, the attacker used the Metasploit Framework to exploit it (Metasploit ships a module for the 1.3.3c backdoor, exploit/unix/ftp/proftpd_133c_backdoor). The question asked which tool/framework, so you get it, right?

5th flag: In network image-2, we can see that the attacker created a directory called 'hacked' and a file named 'easy_exploit'.

network image-2

4th flag: In network image-3, we can see the root flag.

network image-3

6th flag: The 6th question asks for the total number of packets captured, which Wireshark shows in its status bar (capinfos gives the same count from the command line).

network image-4

These challenges covered some of the basics of pcap analysis for absolute beginners.
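Wireshark answers all of the questions above through its GUI, but it helps to see what "packet count", "TCP stream" and "service banner" mean at the byte level. The following is an added example, not code from the original write-up or from the challenge authors: a minimal reader for the classic libpcap format (Ethernet, IPv4, TCP only, no pcapng) that counts packet records, groups TCP payloads per flow the way Follow TCP Stream does, and pulls the ProFTPD version out of the server banner. The capture it runs on is constructed inline from the addresses and port in the write-up; the payloads (including the 1.3.3c backdoor's HELP trigger) are illustrative, not the competition's capture.

```python
import re
import struct

# --- Minimal pcap reader: classic libpcap format, Ethernet/IPv4/TCP only --------

def read_pcap(data: bytes):
    """Return (linktype, [raw frames]) from a classic pcap file held in memory."""
    (magic,) = struct.unpack("<I", data[:4])
    if magic == 0xA1B2C3D4:
        end = "<"                       # little-endian file (the common case)
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng/nanosecond pcap not handled)")
    (linktype,) = struct.unpack(end + "I", data[20:24])
    frames, off = [], 24
    while off + 16 <= len(data):        # one 16-byte record header per packet
        _sec, _usec, incl_len, _orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        frames.append(data[off:off + incl_len])
        off += incl_len
    return linktype, frames


def decode_tcp(frame: bytes):
    """Ethernet -> IPv4 -> TCP; returns (src, sport, dst, dport, payload) or None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # EtherType must be IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:                                         # protocol must be TCP
        return None
    (total_len,) = struct.unpack("!H", ip[2:4])
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4                              # TCP header length
    return src, sport, dst, dport, tcp[doff:]


def count_packets(data: bytes) -> int:
    """What Wireshark's status bar calls 'Packets': every record, payload or not."""
    return len(read_pcap(data)[1])


def tcp_streams(data: bytes):
    """Group TCP payloads by flow; both directions share one key, like Follow TCP
    Stream. Each entry is a list of (sender_ip, sender_port, payload) in file order."""
    streams = {}
    for frame in read_pcap(data)[1]:
        hit = decode_tcp(frame)
        if hit is None:
            continue
        src, sport, dst, dport, payload = hit
        key = tuple(sorted([(src, sport), (dst, dport)]))
        if payload:                                        # skip bare SYN/ACKs
            streams.setdefault(key, []).append((src, sport, payload))
    return streams


BANNER = re.compile(rb"ProFTPD ([0-9]+\.[0-9]+\.[0-9]+[a-z]?)")


def find_proftpd(data: bytes):
    """(server_ip, server_port, version) for every ProFTPD greeting in the capture."""
    found = []
    for segments in tcp_streams(data).values():
        for ip, port, payload in segments:
            m = BANNER.search(payload)
            if m:
                found.append((ip, port, m.group(1).decode()))
    return found


# --- Constructed capture (illustrative, not the competition's pcap) ---------------

def _tcp_frame(src, sport, dst, dport, payload=b"", flags=0x18):
    eth = bytes(12) + b"\x08\x00"
    ip_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_len, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return eth + ip + tcp + payload


def _pcap(frames):
    head = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # linktype 1 = Ethernet
    return head + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)


ATTACKER, VICTIM = "192.168.47.129", "192.168.47.130"
SAMPLE_PCAP = _pcap([
    _tcp_frame(ATTACKER, 45110, VICTIM, 8080, flags=0x02),                 # SYN, no payload
    _tcp_frame(VICTIM, 8080, ATTACKER, 45110, b"220 ProFTPD 1.3.3c Server (Debian) [192.168.47.130]\r\n"),
    _tcp_frame(ATTACKER, 45110, VICTIM, 8080, b"HELP ACIDBITCHEZ\r\n"),  # 1.3.3c backdoor trigger
    _tcp_frame(ATTACKER, 45110, VICTIM, 8080, b"id\n"),
    _tcp_frame(VICTIM, 8080, ATTACKER, 45110, b"uid=0(root) gid=0(root) groups=0(root)\n"),
])

if __name__ == "__main__":
    print(count_packets(SAMPLE_PCAP), "packets;", find_proftpd(SAMPLE_PCAP))
```

On a real capture, read the file with `open(path, "rb").read()` and pass it to the same functions; note that `count_packets` counts records, so it matches Wireshark even for packets without a TCP payload, while `tcp_streams` drops empty segments, which is why the SYN above is counted but never appears in the stream.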

OSINT —

Chall_Name: Let Me Back

Title: Hi there, I’m Someone of this crazy world. you’ll never get my name.
but I can give a hint. I’m ‘knownuser1337’

OK, when I saw this username, two social media platforms came to mind, Instagram and Twitter. So I started with Twitter and found a base64-encoded string in one of his tweets. Decoding the string gave me a blog post link.

We can see a post there, and my first thought was that this might be an "edited a previous/original post" kind of thing. I had solved similar challenges before, so I checked the link in the Wayback Machine.

I checked the very first snapshot, from 10 Jan 2022.

It was the same post, but viewing the page source reveals the flag, which had been hidden as white text on a white background.

Flag : IIUC{50M3_71M3_W4y64cKURL_C4N_63_V3rY_U53FU11}

Cryptography : QR Code challenge —

Challenge name — Unknown Code

This challenge provided 13220 PNG QR code images in a zip file.

So, after unzipping it, I scanned all the QR code images with a simple one-line bash script:

for i in {1..13220}; do zbarimg -q "$i.png"; done | cut -d ":" -f 2- > QrcodeValue.txt

(-q keeps zbarimg from printing its "scanned N barcode symbols" summary for every image, and -f 2- keeps the whole payload even if it contains a colon. The brace expansion walks the files in numeric order, which matters here: a glob like *.png would sort them lexically, 1, 10, 100, ..., and scramble the sequence.)

I got numeric values like this:

They looked like octal, maybe. After arranging the numbers as in the image below, I decoded them in CyberChef.

I got a message telling me to decode a certain string to get the flag.

So, using CyberChef, I decoded that string and got the flag.

The decoding step was of the hex-to-Base64 or hex-to-PEM kind.
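The two pitfalls in this challenge are ordering (thousands of files, scanned one per image) and the radix of the scanned values. The following is an added example, not code from the original write-up: it takes per-image zbarimg results, orders them by the number in the filename rather than lexically, strips the "QR-Code:" symbology prefix, and decodes the octal byte values, whether they arrive space-separated or as one unbroken run of three-digit groups. The scan results are a constructed stand-in for the real 13220 values.

```python
import re

# Constructed stand-in for the per-image zbarimg results (not the challenge's real
# data): filename -> the line zbarimg prints for that image.
SAMPLE_SCANS = {
    "1.png": "QR-Code:111", "2.png": "QR-Code:111", "3.png": "QR-Code:125",
    "4.png": "QR-Code:103", "5.png": "QR-Code:173", "6.png": "QR-Code:157",
    "7.png": "QR-Code:143", "8.png": "QR-Code:164", "9.png": "QR-Code:141",
    "10.png": "QR-Code:154", "11.png": "QR-Code:175",
}


def numeric_key(name: str) -> int:
    """Sort '10.png' after '9.png': sort on the number in the name, not the text."""
    return int(re.search(r"\d+", name).group())


def strip_symbology(line: str) -> str:
    """zbarimg prints '<SYMBOLOGY>:<data>'; keep the data even if it has colons."""
    return line.split(":", 1)[1] if ":" in line else line


OCTAL = re.compile(r"^[0-7]+$")


def decode_octal(text: str) -> str:
    """Decode whitespace-separated octal byte values, or one unbroken run of
    three-digit groups (what you get if the values were simply concatenated)."""
    tokens = text.split()
    if len(tokens) == 1 and len(tokens[0]) > 3 and len(tokens[0]) % 3 == 0:
        tokens = [tokens[0][i:i + 3] for i in range(0, len(tokens[0]), 3)]
    if not all(OCTAL.match(t) for t in tokens):
        raise ValueError("input is not octal digits")
    return bytes(int(t, 8) for t in tokens).decode("latin-1")


def decode_scans(scans: dict) -> str:
    """Order the scans numerically, strip the prefix, and decode the octal stream."""
    ordered = [strip_symbology(scans[n]) for n in sorted(scans, key=numeric_key)]
    return decode_octal(" ".join(ordered))


if __name__ == "__main__":
    print(decode_scans(SAMPLE_SCANS))
```

`decode_scans` raises if any token is not octal, which is the quickest sanity check on the radix guess; digits 8 or 9 anywhere in the data rule octal out before you spend time in CyberChef.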

Web —

Chal_Name: The Recorder

Title: There is a Flag in this subdomain, Someone Recorded the flag from this
domain cybercon.iiuc.ac.bd
Can you find the flag from this Website…?

Just a simple nslookup of the domain's DNS records -

Forensics

So, we have a case.mem file, and I will be using Volatility 2 to analyze it.

You can use this link to install Volatility: How to install Volatility.

F-1 :

Forensics 1

To get that information I used the imageinfo plugin of Volatility. It prints the suggested profiles for the memory image (operating system and service pack, e.g. Win7SP1x64), the address-space layers, the number of processors, and the image's date and time; the profile is what every later plugin needs via --profile.

imageinfo

Flag: IIUC{Win7SP1x64}

F-2 :

Forensics 2

To list all processes from the memory image, we can use the pslist plugin and grep for the PID given in the question to get the specific process name.

pslist | grep

Flag : IIUC{FTK Imager.exe}

F-3 :

Forensics 3

To see the command history, I used the cmdscan plugin.

I got a string and, after decoding it, there's the flag.

F-4 :

Forensics 4

To see the parent process ID, the pstree plugin is helpful.

A simple Google search for sass.exe says it is the Troj/Funsta-A Trojan, so this must be the malicious program. Note also that the name is one letter off from the legitimate lsass.exe, a classic masquerading trick.

pstree

flag: IIUC{1220}

F-5 : [Will be updated later]

F-6 :

Forensics 6

So, to get this flag we can use the netscan plugin.

netscan

We can see here that a connection has been established between the local (victim) machine and a foreign (attacker) machine, and the foreign address is 192.168.47.129.

Flag : IIUC{192.168.47.129}

F-7 :

Forensics 7

Okay, this one's kinda tricky, because we need not just the notepad.exe executable but the contents of its virtual address space as they sit in memory. That is what memdump does: it captures all the memory pages addressable by a given process into one file so that we can inspect them. After that, strings and grep find the flag.

So first, find the notepad.exe process and its PID with pslist. Then use that PID with memdump to dump the process memory, and then it's just a simple strings and grep. One caveat: Notepad keeps its text buffer as UTF-16LE, so a plain ASCII strings run can miss it and you may need to tell strings to look for 16-bit characters as well.

flag: IIUC{s3cur1ty_1s_an_illus10n}
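The dump produced by Volatility's memdump (`memdump -p <pid> -D <dir>`) is just a flat file, and the strings-and-grep step is the part people get wrong: `strings` defaults to ASCII, while Notepad's edit buffer is UTF-16LE, so the flag may only show up with `strings -e l`. The following is an added example, not code from the original write-up: it emulates both modes of `strings` over a byte buffer and greps the result for the flag format in both encodings, reporting the offset and encoding of each hit. The dump is a constructed stand-in, not the real notepad.exe memory, and the flag strings in it are placeholders.

```python
import re

# Constructed stand-in for a process memory dump (not the real notepad.exe dump):
# filler bytes, an ASCII flag, more filler, then a flag stored the way Notepad
# keeps its edit buffer, as UTF-16LE. Both flag values are placeholders.
DUMP = (
    bytes(range(256)) * 4
    + b"IIUC{ascii_demo}\x00"
    + bytes(range(256))
    + "IIUC{utf16_demo}".encode("utf-16-le") + b"\x00\x00"
)


def extract_strings(dump: bytes, min_len: int = 4, wide: bool = False):
    """Emulate `strings` (runs of printable ASCII) or `strings -e l` (runs of
    printable UTF-16LE characters). Returns (offset, text) pairs."""
    if wide:
        pat = re.compile(rb"(?:[ -~]\x00){%d,}" % min_len)   # char, NUL, char, NUL ...
        return [(m.start(), m.group().decode("utf-16-le")) for m in pat.finditer(dump)]
    pat = re.compile(rb"[ -~]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pat.finditer(dump)]


def grep_flags(dump: bytes, pattern: str = r"IIUC\{[^}]+\}"):
    """The `strings | grep` step, run over both encodings; sorted by offset so the
    hits can be located again with a hex viewer."""
    rx = re.compile(pattern)
    hits = []
    for wide in (False, True):
        for off, text in extract_strings(dump, wide=wide):
            for m in rx.finditer(text):
                hits.append((off, "utf-16le" if wide else "ascii", m.group()))
    return sorted(hits)


if __name__ == "__main__":
    for off, enc, flag in grep_flags(DUMP):
        print(f"{off:#010x} {enc:9} {flag}")
```

To use it on a real dump, replace `DUMP` with `open("<pid>.dmp", "rb").read()`; a multi-hundred-megabyte file is fine for the regex scan, and the offsets it reports are the same ones `strings -t x` would print.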

[N.B.: These are the challenges I was able to collect from participants; if I get the rest of them, I will add their write-ups here in future, inshaAllah.]

Assalamu Alaikum wa rahmatullah.


0xRobin

Security Researcher | CTF Player | Penetration Tester