[p0isonp4wn] Haxxor4.0 CTF Writeups
Haxxor 4.0 is an Information Security Competition / Hacking Game Competition at U.P. Diliman held on July 6, 2019.
p0isonP4wn decided to split into two teams and named it p0isonp4wn A & p0isonp4wn B. At first we thought that dominating in haxxor4.0 is impossible due to lack of members and versatility plus the competition has categories that are not included in our area of expertise. Despite of difficulties, we are very lucky that we managed to secure 2nd and 3rd place from the competition.
Following Writeups that are written here are selected challenges that we thought are new and fun to learn.
So Iโm not gonna waste more of your time so letโs start !
Challenge Write-ups
1. Unencrypted Chatter
Category: Network
We were given a .pcap file named UnencryptedChatter.pcapng
simple binwalk will show us ๐๐
UnencryptedChatter.pcapngOpps ! ๐ค We Got a bunch of data inside the .pcapng file so lets try to extract it root@kali# binwalk --dd=".*" UnencryptedChatter.pcapng
We have 201EB.zip file but we are unable to open it since it was a password protected zip. In this part we already knew that looking for a right password leads us to the flag.
Lets try to grep in recursive mode root@kali# grep -rn password
We see that the word โpasswordโ does exist in some binary files so letโs use the strings and grep once again
root@kali# strings * | grep password
Oops ๐ฒ? We got 13 passwords here so we can tell that we have to bruteforce the zip file by these passwords in order to open it but first we need to clean out those unnecessary characters and decode each line to base64.
strings * | grep password | sed 's/^.\{,9\}//' > password.txt
Since Iโm not a Linux expert, I deleted these characters โ<%3Dโ manually (not proud of myself, apologies for being n00bz ๐ฅ)
Here is a simple python script to decode each line to base64 and store it to passwords.txt file
I named it p0isonp4wn.py and run root@kali# python p0sionp4wn.py
bruteforce zip file by this command
root@kali# fcrackzip -v -u -D -p passwords.txt 201EB.zip
password = golfhotel , extracting zip file gives us secret.png
2. Try and Stop Them
Category: Network
In this challenge, we were given a .pcap file named 0x.pcap
Opening the .pcap via wireshark displays๐๐
Following UDP of the first packet ๐๐.
After seeing this, I can tell that the hex is actually a hex dump of JPEG image because of ffd8ffe0๐ obviously a file signature of JPEG image.
I can point out that the creator of the challenge wants us to export those hex that were split to all the packets and compile it to bin (Viewable JPEG image).
To get all the DNS queries , I found out that Tshark packet analyzer is the best tool for this.
tshark -Y "dns && dns.flags.response == 0" -T fields -e "dns.qry.name" -r 0x.pcap | cut -d '.' -f1 | tr -d '\n' > p0isonp4wn.txt
OK ๐คฉ! So we did it ๐ next is compiling it to bin (Viewable JPEG image).
xxd -r -p p0isonp4wn.txt > p0isonp4wn.jpg 
BOOM!๐
3. ID the Target
Category: Forensics
We were given a file named for_forensics.mem
Throwing strings command with grep is always our first step in every forensics challenge ๐๐
root@kali# strings for_forensics.mem | grep haxx4
What? ๐ฒ oh yeah!
== incorrect flag !!!! ===
?๐ข I thought that was a cheese ๐ญ
but w8 ? haxx4{comm1t_t0_m3m0ry} ? ๐ this flag tells us that we should commit to memory , oh okay ๐
Now we decided to run Volatility memory forensic tool to analyze the memory file
root@kali# volatility -f for_forensics.mem imageinfo
Okay, we verified that it is actually a memory file so letโs dig more.
Memory Forensics is very new to us and we have not encountered such challenge before so we spent a lot in google and wasted 2 hours of our time . We started at Volatility -h to know all the plugins and fired it one by one but the result is hopeless until we visited this link
We knew that SYSTEM registry of Windows machine holds a wealth of information about the system. One of which holds the hostname of the machine so we decided to visit that part of the memory.
root@kali# volatility -f for_forensics.mem --profile=Win7SP1x64 hivelist
Copying the offset and then ๐
root@kali# volatility -f for_forensics.mem --profile=Win7SP1x64 printkey -o 0xfffff8a000024010 -K 'ControlSet001\Control\ComputerName\ComputerName'
Computer Name Looks like a flag so we try to enclose it to haxx4{}
flag = haxx4{1D3NT1FYT4RG3TS}
CORRECT FLAG! BOOM! That was a very tiring challenge ๐
FINAL . . .
It was a good opportunity to compete in Haxx4 CyberSec Competition . It didnโt just gave us nice and memorable experience but also taught us new things as well . We admit that we still have a long way to go and a lot of things to learn so Team p0isonp4wn is open to listen for advises from professionals.
Contact me:
Facebook: babyjamex
Gmail: p0ison.b1tches@gmail.com
Discord: babyjamex#7781
