OSCTF 2024 - Forensic
Hi guys, this time I joined HITCON CTF with my team, World Wide Union, but because there were no forensic challenges there, I came here to try some. Here is my writeup for them, let’s go!
The Lost Image Mystery
They gave us a corrupted image that we need to recover. I used xxd to check the hex values inside:
You can easily guess that it must be a JPG/JPEG file because of the “…IF” text (the tail of the JFIF marker). From here you can use this list to check the signature for the file:
Use hexedit to fix the hex values, open the file again and enjoy the result:
Flag: OSCTF{W0ah_F1l3_h34D3r5}
The Hidden Soundwave
We got an audio file and, as the title says, you need to find the information hidden inside it. Very basic: I always check the spectrogram because it has appeared in many CTFs 😂😂😂. So I used Audacity to open the audio file, switched to the spectrogram view and got the flag:
Flag: OSCTF{M3s54g3_1nt3Rc3p7eD}
Mysterious Website Incident
Now we had an nginx log. Very simple: just open it in a text editor and analyse it:
After searching, I found a Google Drive link; open it and I got the flag:
Flag: OSCTF{1_c4N_L0g!}
Phantom Script Intrusion
For this challenge, they gave us a PHP script, and it was obfuscated:
To make it easier to follow, I deobfuscated it and this is my final script:
```php
<?php
// The deobfuscated script; the URL is defanged (hXXps) on purpose.
${"GLOBALS"} = "hXXps://sh0rturl.at/s1fW2";
// "\x47\x4c\x4f\x42\x41\x4c\x53" is just "GLOBALS" written with hex escapes
${"var1"} = str_rot13("${\"\\x47\\x4c\\x4f\\x42\\x41\\x4c\\x53\"}");
// variable-variable lookup on the rot13 result, then base64 decode
${"var2"} = base64_decode(${${"var1"}});
if (strlen(${"var2"}) > 0) {
    ${"var3"} = ${"var2"};
} else {
    ${"var3"} = "";
}
// shift every character of the decoded data down by one
${"var4"} = "";
foreach (str_split(${"var3"}) as ${"var5"}) {
    ${"var4"} .= chr(ord(${"var5"}) - 1);
}
// whatever that produces is executed
eval(${${"var4"}});
```
There’s a short URL link; access it and you get the flag:
Flag: OSCTF{M4lW4re_0bfU5CAt3d}
PDF Puzzle
Just check the metadata of the file and you get the flag:
Flag: OSCTF{H3il_M3taD4tA}
Seele Vellorei
In this challenge we had a docx file. At first I tried to find VBA code inside, but there was nothing, so I thought the flag might be hidden somewhere else in the file. Because a Word document has the same structure as a zip file, you can use binwalk to extract all the files inside:
Navigate to document.xml, where the content of the document is stored, use grep, and I found the flag:
Flag: OSCTF{V3l10n4_1s_Gr43t}
FOR101
I love this challenge the most, so I will explain it carefully. In this challenge we had a zip file containing the data of a Users directory. I opened it with 7z:
After searching, I found an .eml file at \Users\Administrator\Downloads\Outlook Files named Notifications.eml:
I extracted it to my machine and used Thunderbird to open the file:
You can see that there’s a zip file and the password is CreditsCardForFree. Now let’s open this file and see what’s inside:
There’s an xlsm file, and as usual I checked the VBA code inside using olevba:
You can see that there’s VBA code and it’s obfuscated, so we have no choice except to deobfuscate it by hand, or to read the code by jumping to each function with Ctrl+F and the function name. After this I found a function that processes a string that looks like a URL:
From here I realised that the function is trying to decode that string. Based on it, I rewrote a Python script for automatic decoding:
```python
def decode_string(encoded_string, decode_table, encoded_substitution):
    """Reverse the VBA substitution: every character found in decode_table is
    replaced by the character at the same index in encoded_substitution;
    anything else (like ':' and '/') passes through unchanged."""
    decoded_string = ""
    for y in range(len(encoded_string)):
        char_index = decode_table.find(encoded_string[y])
        if char_index > -1:
            decoded_char = encoded_substitution[char_index]
            decoded_string += decoded_char
        else:
            decoded_string += encoded_string[y]
    return decoded_string

# Strings taken from the VBA. Two spots were mangled by text encoding in the
# post and are restored here on the assumption that both tables are permutations
# of the same alphabet: "Ü³" at the start of encoded_string and "Ø¶" in decode_table.
encoded_string = "Ü³³Bb://B_b³Ekài~B#/jàEÄ/²_Ä/À60äm_§À"
decode_table = " ?!@#$%^&*()_+|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ¿¡²³ÀÁÂĂÄÅÓÔƠÖÙÛÜàáâăäåØ¶§Ú¥"
encoded_substitution = "ăXL1lYU~Ùä,Ca²ZfĂ@dO-cq³áƠsÄJV9AQnvbj0Å7WI!RBg§Ho?K_F3.Óp¥ÖePâzk¶ÛNØ%G mÜ^M&+¡#4)uÀrt8(Sw|T*Â$EåyhiÚx65Dà¿2ÁÔ"

decoded_string = decode_string(encoded_string, decode_table, encoded_substitution)
print(decoded_string)
```
I got a link; now let’s open it and see what’s inside:
You can see that there’s a PowerShell script that executes a command encoded in base64. Now we continue by decoding the base64 string:
There’s another base64 string. I decoded it and got one more script:
In the $galf variable, it takes each element of $qwedfaz and decodes it to an ASCII character. From here I wrote another Python script:
```python
# Decimal character codes copied from the $qwedfaz array in the decoded script
arr = [104,116,116,112,115,58,47,47,112,97,115,116,101,98,105,110,46,112,108,47,118,105,101,119,47,114,97,119,47,98,100,99,97,49,55,48,50]
# Print each code as its ASCII character on one line
for i in arr:
    print(chr(i), end='')
```
I got a link again, opened it and got the flag:
Flag: OSCTF{JU5t_n0rmal_eXE1_f113_w1th_C2_1n51De}
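The last two stages of this chain (base64-encoded PowerShell, then an array of decimal character codes hiding a URL) can be unwrapped in one go. The script below is an added example, not code from the challenge or the writeup; the sample stage it decodes is constructed here with a hypothetical URL, mimicking the $qwedfaz/$galf pattern above.

```python
import base64
import re

# Three or more decimal numbers separated by commas, like the $qwedfaz array.
CHAR_ARRAY_RE = re.compile(r"(?<![\w.])(\d{1,3}(?:\s*,\s*\d{1,3}){2,})(?![\w.])")


def decode_powershell_b64(b64: str) -> str:
    """Decode a base64 PowerShell stage to text.

    -EncodedCommand payloads are UTF-16LE before base64, so ASCII text shows
    up with NUL bytes in between; anything without NULs is treated as UTF-8.
    """
    raw = base64.b64decode(b64)
    if b"\x00" in raw:
        return raw.decode("utf-16-le")
    return raw.decode("utf-8", errors="replace")


def extract_char_code_strings(script: str, min_len: int = 8) -> list:
    """Turn every array of decimal char codes in a script into text.

    Only arrays of at least min_len codes that are all printable ASCII are
    kept, which filters out ordinary numeric literals.
    """
    found = []
    for match in CHAR_ARRAY_RE.finditer(script):
        codes = [int(n) for n in re.split(r"\s*,\s*", match.group(1))]
        if len(codes) >= min_len and all(32 <= c < 127 for c in codes):
            found.append("".join(chr(c) for c in codes))
    return found


def unwrap_stage(b64: str) -> list:
    """base64 stage -> script text -> hidden strings, in one call."""
    return extract_char_code_strings(decode_powershell_b64(b64))


# Constructed sample, not the challenge artefact: a stage that hides a
# hypothetical URL as a decimal array the same way $qwedfaz did.
SAMPLE_URL = "https://example.invalid/stage2"
SAMPLE_SCRIPT = (
    "$qwedfaz = @(" + ",".join(str(ord(c)) for c in SAMPLE_URL) + ")\n"
    "$galf = -join ($qwedfaz | ForEach-Object { [char]$_ })\n"
)
SAMPLE_B64 = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode()

if __name__ == "__main__":
    for hidden in unwrap_stage(SAMPLE_B64):
        print(hidden)
```

Feed it the base64 string copied out of the real loader instead of SAMPLE_B64 and it returns every URL-like array in the decoded stage, so the manual chr() loop is no longer needed.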
Thank you for reading, I hope you enjoyed this. I solved other challenges too, but I still love forensics, so I only wrote the writeup for those 😂😂😂. See you in other CTFs, bye!!!