Hacktober 2020 CTF Write-Up

sumb0dy
5 min read · Oct 22, 2020

The Cyber Hacktics group, in support of NCSAM (National Cyber Security Awareness Month), hosted a CTF on 16–17 October. The challenges covered many topics, such as traffic analysis, forensics, steganography and so on. While my teammates and I are still working on writing all the write-ups, I thought I would make a write-up on a couple of challenges we struggled with for a while.

Extracting Shell Code (Forensics)

This particular challenge was very interesting. We are given shell code in hex and nothing more. This was the first time I had ever seen a challenge like that. It brought back memories from reverse engineering classes, where we created our own malware and shell code and then studied its behavior, but we never had to start with just hex.

My first thought was to turn this into a binary file and see if I could execute it or use strings to get any information from the shell code. On a Linux machine, you can use xxd to do so. However, once turned into binary, there wasn’t much info I could get out of it. It was just raw data.

After some research, I learned that I would need to somehow execute this binary in a way that let me study what it is actually doing. Now comes the challenge: how do we execute something without any headers or signatures to tell the computer this is an executable? I decided to move it to a Windows machine and compile it there.

Using the classic HxD program, we can accomplish the same thing as xxd and turn the hex into binary.

Trying to execute the binary we just created also does not do anything on a Windows machine. It simply says it doesn’t know what this file is or what to do with it. I tried opening it with Ghidra, and still nothing. GDB? Nope.

So I spent a lot of time researching tools or ways to “study a shell code hex.” Bingo! I came across this little weird tool called scdbg. I looked at old-school Windows forums and reverse engineering help pages where people recommended using scdbg to analyze shell code in hex format!

I just downloaded the tool and ran it with the binary I created from the shell code.

A really important point here was to run it with the “FindSc” option checked. According to the manual (yeah, I read manuals): “Findsc option will try to start execution at each offset in the file, and see how many steps it can execute without an error.”

There we have it: we see that the shell code creates an executable “ksjmdnu.exe” in the Roaming folder. That’s our flag!

Boney Boi Breakdance (Steganography)

This challenge was especially frustrating for my team and me, and it was simpler than we thought. This will be a short write-up, but I will explain the struggle and hopefully you can learn not to make the same mistakes.

The challenge states:

“We intercepted this image from a known DEADFACE affiliate. Some kind of tool was used to hide a file in this image. Unlike some of the other, easier images that used steganography, this one appears to require a passphrase. I bet it’s somehow related to the image used to hide the file.”

We quickly learned that this file contains a secret with steghide:

Now, how in the world would we find this password? The hint in the description of the challenge says it must have something to do with the picture.

Now, here is our mistake: OVERTHINKING!

I lost a couple of hours on this challenge because I was overthinking it. The first step was to find who created the picture. Easy enough: search “Dance of Death” (the name of the file), and you will find that Michael Wolgemut is the painter of that image. There you have it! However, we decided to scrape the WHOLE Wikipedia page about Michael Wolgemut and use every word to brute-force the steghide passphrase, which in theory would have worked, but it didn’t for one reason: lowercase.

The brute force failed, and we thought the challenge was broken or we were just going in the wrong direction. I talked to another player who had solved it, and he said that we were going in the right direction, but we were overthinking it too much.

Simple enough: I tried his first and last name, and his last name was the password. Now I thought: how in the hell did the brute force fail if his name was in the wordlist? IT WASN’T LOWERCASE.
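The case-folding mistake above, as an added example rather than anything from the original post: a constructed snippet of biography text stands in for the scraped Wikipedia page, and two wordlist builders show why a list that lowercases every token can never match a case-sensitive passphrase such as “Wolgemut”, while one that keeps the original casing (plus a few variants) does.

```python
import re

# Constructed sample text standing in for the scraped biography; it is NOT the
# real Wikipedia article. "Wolgemut" only ever appears with its original casing.
SAMPLE_TEXT = """Michael Wolgemut (1434-1519) was a German painter and printmaker.
His workshop in Nuremberg produced the woodcuts for the Nuremberg Chronicle,
including the Dance of Death. Albrecht Durer trained under Wolgemut."""


def tokenize(text):
    """Split text into word tokens (letters, with inner hyphens/apostrophes)."""
    return re.findall(r"[A-Za-z][A-Za-z'-]*", text)


def lowercase_wordlist(text):
    """The wordlist as it was originally built: every token case-folded.

    This is the bug: steghide compares the passphrase exactly, so a list that
    only contains 'wolgemut' never tries 'Wolgemut'.
    """
    return sorted({tok.lower() for tok in tokenize(text)})


def case_variant_wordlist(text):
    """Keep each token's original casing and add common variants of it."""
    candidates = set()
    for tok in tokenize(text):
        candidates.update({tok, tok.lower(), tok.upper(), tok.capitalize()})
    return sorted(candidates)


def wordlist_contains(wordlist, passphrase):
    """Exact, case-sensitive membership test, mirroring how steghide checks."""
    return passphrase in wordlist


if __name__ == "__main__":
    target = "Wolgemut"  # the passphrase the post ends up using
    folded = lowercase_wordlist(SAMPLE_TEXT)
    variants = case_variant_wordlist(SAMPLE_TEXT)
    print(f"lowercased list ({len(folded)} words) contains {target!r}:",
          wordlist_contains(folded, target))
    print(f"case-variant list ({len(variants)} words) contains {target!r}:",
          wordlist_contains(variants, target))
```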

Interestingly enough, even with the password, we still cannot extract the secret file because it does not have a name. So, we can just extract it with an output name and retrieve the flag:

These are just a couple of fun challenges we really got stuck on. More solutions are to come as we prepare to present to the rest of our team members, who are just starting to play CTFs and are eager to learn about fun challenges.

Cheers and Happy Hacking :)
