F-Secure Cyber Security Competition 2020 Write-Up
[Crypto] AlgoABC
An encryption algorithm made by a hacker senpai for his team recruitment. Can you solve it? It's
easy as ABC.
Answer: fsEzEncAsABCcyberx
Solution: Basically, just reverse the encryption process from function c() -> b() -> a().
For function c()
•
•
Change ">" to "<"
Change "-" to "+"
For function b()
•
Change "-" to "+"
For function c()
•
Remain the same
Tips: Think reverse and get the flag. You can also see AlgoABC_solver.py
[Crypto] Can you image me
The following image was found in compromised server, it seem to have functions within it. Can you
extract it?
Answer: fs3cr1ptcyberx
Solution: The challenge is based on this script: https://github.com/peewpw/Invoke-PSImage. You
can also see Answer.ps1
The embed method is as the following:
1) The least significant 4 bits of 2 'b,g' color values in each pixel are used to hold the payload.
2) Each pixel of the image is used to hold one byte of script
3) Any tool to extract with the above settings will work. just make sure the length above 400
since its 4bits
[Crypto] dachshund
Yo dawg, did you ever heard the tragedy of darth dachshund the weak? No? Here's one.
Hints: Woof woof.. I like attacking hot ... never mind its a bit inappropriate... Try looking up
dachshund yourself...
Answer: fsWienerAttackcyberx
Solution: This challenge comes with an encrypted data and a public key. This would indicate that the
cryptographic function is most likely vulnerable to an attack in some way.
The de-facto standard of asymmetric cryptographic functions would be RSA, and the most common
attack tools is (RsaCTfTool)[https://github.com/Ganapati/RsaCtfTool].
Running python RsaCtfTool.py --publickey dachshund.pub --uncipherfile message.dat will reveal the
flag from the encrypted data.
[Crypto] EieeYes
Can you spot the weird logic in this encryption code? Maybe it can be done in a brutal way? I guess?
*Please run this in Linux Machine
Answer: fsY1sT2ByT3sAEScyberx
Solution: Based on the source code given, there is a flaw on the AES key generation (line 12 - 15).
longkey_splited will extract 2 bytes for each loop. Then, these two bytes will XOR with each other to
generate a key that will used in the AES encryption.
It can see that only the first two bytes of the key are XORed.
Therefore, you can write a AES decryption script to brute force the key and get the flag once you get
the correct key. You can also see EieeYes_solver.py
The first 16 bytes in the cipher.bin is the IV and the rest of of it is the cipher text (Encrypted
flag)
References:
https://pycryptodome.readthedocs.io/en/latest/src/cipher/aes.html
https://www.tutorialspoint.com/python3/string_ljust.htm
[Crypto] Ghost_sound
This ghost has message for you. Decrypt the message from his voice..huahuahuahua....ho ho ho
Answer: fsMusic4u5cyberx
Solution: Provided sound image (flag_sonicvisualizer.png) with hidden flag. To solve it:
•
•
•
Download Sonicvisualizer
Decode it by open the sound file -> Layer -> Add Spectogram -> All Channel mix
Zoom in the spectogram and you can see the flag in image file.
=================================================================================
[Forensics] 12345_Qwerty
I have created a python script to generate random password for me based on website name.
Unfortunately, I have accidentally deleted the script.
I have a memory dump from my previous execution of the script. Can you help me get my script
back?
Answer: fsrb-sobfceocyberx
Solution: Let’s first check the profile of the image :
Since it was mentioned that the memory dump was taken at the time of execution of the script, let
us using profile Win7SP1x64 and command pstree to see script execution.
Python was executed through command prompt, we can see the command line through cmdscan
command
We got the script name as PasswordGenerator.py. Let us try to find out the location of it using
filescan command
Dump the script using Dumpfiles command
We got the script dumped
Script tries to open 2 files C:\safe\secure.txt and C:\safe\backup.txt
Try to dump these 2 files using filescan and dumpfiles commands as used above
Backup.txt
Secure.txt
Now we got all the necessary files, lets put them in C:\safe\ folder and run our script
Script runs properly but there is no sign of flag here.
Let us look the script again
At line 21 password is generated based on website name first letter + md5 of salt + b64data and
website name + !@#
So the only encoded part here is salt + b64 data. Salt is generated using secure.txt file which we
already have
Lets try to decode base64.b64decode("Y3liZXJ4") , which is cyberx. So we got end of our flag
Only unknown part now remains is salt. So lets print it along with b64 decoded data
Run the script
And we got our flag as fsrb-sobfceocyberx
[Forensics] Guess_My_Passw0rd
Find the password of user account "test". While submitting answer prepend "fs" and append
"cyberx" to the found password.
Answer: fsadmincyberx
Solution: To analyze this image we will use
volatility(https://github.com/volatilityfoundation/volatility) tool
To know the Image Operating System, “imageinfo” command can be used
https://github.com/volatilityfoundation/volatility/wiki/Command-Reference#imageinfo
Imageinfo command shows Suggested profiles. We will try Win7SP1x64
To extract and decrypt cached domain credentials stored in the registry, use the hashdump
command.
https://github.com/volatilityfoundation/volatility/wiki/Command-Reference#hashdump
209c6174da490caeb422f3fa5a7ae634 is the Hash of the test user’s domain credential
Tools like “John the Ripper” can be used to crack this hash or use website like
https://crackstation.net/
We get the password as admin. Now Prepending “fs” and Appending “cyberx” to the result “admin”
We get the flag fsadmincyberx
[Forensics] Im_l0st
I only have the picture. But to reveal the answer you need to know where the file taken. Nearby
shop or supermarket will help you in the investigation.
Answer: fsFromPuchongWithLovecyberx
Solution: Participant given a picture. The picture consist the GPS location which can be seen by using
exif tool.
Convert the GPS coordinate to decimal
GPS Latitude : 2 deg 59' 59.17" N GPS Longitude : 101 deg 35' 46.12" E
2.999769,101.5961
Once got the location, use streeview to see around which they will see 'Pasaraya OTK'.
'Pasaraya OTK' is the password to extract the flag.zip.
flag is = fsFromPuchongWithLovecyberx
[Forensics] Simple Messenger
People won't find it with their plain eyes.
Answer: fsKoMm4nd64cyberx
Solution: First, install wireshark in your system.
1) Follow Tcp Stream.
2) Found b64 encoded message.
3) Decode it using CyberChef.
[Reversing] Chrome.js
Analyze the file and decode the flag.
Answer: fsFFFcyberx
Solution: File: Challenge.zip Password: 1nf3ct3d
**!!CAVEAT!! This binary is templated from a malware and should be analyzed in a Virtual
environment. All backdoor functionalities has been disabled and will only transmit the flag and
system version of the affected system There is no installed persistence **
How to solve:
This file compose of multiple staged functions.
Initial stager: Initial stager will drop a next stager in %TEMP% named Chrome.js It will overwrite is
self and execute the dropped JS file.
2nd stage function: This stage will decode and launch the 3rd layer function
3rd layer function: It will modify variable "callerFunctionText" if the script is being debuged in a
browser. This will cause decryption to fail.
Since this JS is NOT intended to run in a browser, this function should be bypassed.
try {
callerFunctionText += navigator.appCodeName;
callerFunctionText += 'callerFunctionText';
}catch(e)
It computes key using "arguments.callee.caller.caller.toString()" and "arguments.callee.toString()"
and proceed decrypting 4th stage function.
var thisFunctionText = arguments.callee.toString();
var callerFunctionText = arguments.callee.caller.caller.toString();
Any changes in "2nd" and "3rd" function will affect the computation of the decryption key and will
cause it to fail.
4th layer function: Flag is in a variable
creates "notflag.txt" to indicate that binary executed successfully.
Final layer:
//ABC
var
_0x137d=['\x66\x73\x66\x66\x66\x63\x79\x62\x65\x72\x78'];(function(_0x1a4248,_0xebe5d0){
var _0x51ad79=function(_0x357c9f){while(-_0x357c9f){_0x1a4248['push'](_0x1a4248['shift']());}};_0x51ad79(++_0xebe5d0);}(_0x137d,0x12
a));var _0x293f=function(_0x1a4248,_0xebe5d0){_0x1a4248=_0x1a4248-0x0;var
_0x51ad79=_0x137d[_0x1a4248];return _0x51ad79;};var flag=_0x293f('\x30\x78\x30');
try {
var tjesxoitji = window;
tjesxoitji[["U", "M", "c", "D", "g", "Z", "k"][(-205 + 207)] + ("Y", "c", "K", "b", "l") + "o" + ["t",
"s", "G"][1] + ("p", "M", "C", "e")]();
} catch (qrocse) {};
try {
var fso = new ActiveXObject("Scripting.FileSystemObject");
var s = fso.CreateTextFile("C:\\notflag.txt", true);
s.WriteLine("this is not the flag but in a variable");
s.Close();
} catch (qrocse) {};
[Reversing] Orwellian_Dystopia
A binary on a machine with its background reading "Big Brother is watching you"? Hmm.. this binary
can probably help us uncover the truth.
Hint 1: Yo dawg, we heard you like reversing, so we put a binary in a binary so you can reverse while
reversing.
Hint 2: Shellcode lives matter too! The shellcode must be allocated somewhere and executed
somehow... hmmm....
Answer: fsOrWeLlDyStOpIacyberx
Solution: File: orwellian_dystopia.7z Password: fscyberx
This challenge comes with a single executable (PE). Running the file gives the following output:
It reads the input and exits.
First things first, we want to check what type of executable it is, e.g. using a tool such as Detect It
Easy, we can see that it is a .NET binary:
.NET assembly files can be de-compiled using a tool such as dnSpy, which can provide us a high-level
overview of the code rather than looking at the assembly code:
Immediately, we can see external methods being imported, namely VirtualAlloc, CreateThread,
WaitForSingleObject, and Execute/Read/Write (ERW) flag being present, which screams injection.
We are interested in the entry point of the binary, which is the main method. This contains a nonreadable string, which is converted to a byte array, which is then copied to a newly allocated
memory region and executed (basically a PIC (position-independent code) shellcode, which is
injected into the running process, using the aforementioned methods).
Therefore, this is only a loader, and we can shift our attention to the shellcode, which should contain
the main payload. To analyse the shellcode, there are several methods (dumping it, and using tool
such as scdbg), but the most straight-forward way would be to analyse it through a debugger (such
as x64dbg) at runtime. Since we know that the shellcode is injected into the running process and
executed by in a new thread. We can change the debugger options to break on thread entry. After
executing the loader, the debugger will eventually break on the thread entry of the shell code (you
can also confirm this is indeed the correct thread executing the shellcode through bytes comparison
with the original shellcode, e.g. check the first 10-20 bytes of the injected shellcode with the thread
entry).
Checking the allocated memory region for the shellcode, there are no readable strings and/or
intermodular calls (which will probably be dynamically resolved). Therefore, we will place breakpoint
on the memory region in case it is a self-decrypting shellcode and also place breakpoint on
VirtualAlloc and continue execution, since we know that the shellcode is eventually going to print
out some text. The debugger will eventually break on VirtualAlloc. We can set a breakpoint on this
newly allocated memory region to check what is being written, and continuing the execution of the
shellcode, which eventually decrypts and writes another PE file at the end of the newly allocated
memory region.
We can dump this PE file and analyse it separately. This also appears to be a .NET binary and
executing it provides the same output.
Therefore, we can deduce that this is likely the decrypted payload, and we can decompile it using
dnSpy as well.
Looking at the logic, it appears to check the date time to see if it is 31/12/1984, if it is, then it will
XOR the supposed flag with 0x17. We can do this manually to get the flag:
[Reversing] PassGen
We've found this semi-broken password-generator on one of the production servers, can you figure
out how is it generating the password?
Answer: fs1s3imnno3drgg3dcyberx
Solution: File: PassGen.zip Password: fscyberx
This is an easy reversing challenge which consists of a single anti-debugging technique, after which
the flag is decoded into memory.
Running the program normally, we can see that the program asks for an input, while executing it in a
debugger, we can see that the output shown is "Error encountered".
This immediately means that there is an anti-debugging within the program. Looking at the program
logic (starts at the beginning of code section), we can see that after initialization, the program
immediately reads the 0x18 offset of fs register, which holds a pointer to TEB. Then it offsets 0x30
from the pointed memory address, which holds PEB, and finally offsets 0x2 from the pointed
memory address, which holds a flag IsBeingDebugged. Finally, we see a compare and a jump if it is 1
(which indicates that a debugger is attached), as shown below:
We can bypass this by changing the zero flag (ZF) to 0. The program continues, and we can now
search for the flag in the program.
The program initializes some strings (including the input string), and we can see two interesting
blocks are XORing two strings stored in memory (initialized strings), as shown below:
The first XOR block is XORing the following two strings: ABCDEFGHIJKLMNOPQRSTUVW
'1r7v/&'%x(?)(c5160$/ which results in: fs1s3imnno3drgg3dcyberx (the flag)
The second XOR block is XORing the following two strings: fs1s3imnno3drgg3dcyberx
<YOUR_INPUT_STRING> which will result in the the outputted "password"
[Reversing] Phantom Eclipz
We have found this empty document file on a shared drive... but is it really empty though...? Time to
find out!
Hint: Check out EvilClippy
Answer: fsevilclipzzzcyberx
Solution: This challenge is a word document file challenge. One of the most common tool set for
analyzing OLE files is oletools.
The most common thing to check within a doc file are the macros. In its most basic form, you can do
so with the following command olevba Phantom_Eclipz.docm
However, the output from olevba shows the macro contents as "Huh... is the macro missing?
Weird.... ;)", as shown below.
This is done through abusing certain undocumented specifications for MS-OVBA. To achieve this, a
tool called EvilClippy was used. Opening the document file, nothing appears to happen. However,
when the document file is closed, an input box is prompted asking for a secret key. When you input
a value, save changes dialog box will be displayed, indicating that something may have been
changed.
One solution to analyze code-stomped macros is to use the old-fashioned inbuilt VB editor that
comes with Word. Opening the macros, you can see the original macro code, as defined below.
AutoClose() is a special macro which will execute the defined macro automatically when the
document file is closed, which in this case will execute Macro1(). In Macro1, you can see a variable
called flag, and secret_key which is the value of the input box, and the two are passed into a
function called Shamboozle. This function takes two string parameters by reference (which indicates
that the original values can be altered). We can also see a variable called key_value, which reads the
first footer value. Lastly, we see that the footer value is changed to the value of flag.
Placing a breakpoint on the instruction following the call to Shamboozle, and adding key_value, flag,
and secret_key to the watch list, and executing the macros on the original file, we can see the
following values:
We can notice that the value of flag has changed, and key_value is "M", which was 'hidden' in the
footer due to the text color being white. Looking at the Shamboozle function, it is performing an
XOR operation. key_value is a straight giveaway as to what the value of the key is supposed to be.
Running the macro again, and inputting "M" as the secret key, you can now view the flag, as shown
below.
The footer value is also replaced by the flag, which will be shown if you copy the value or change the
text color to black, as shown below.
[Reversing] Round & Round
Find and fix final script to get flag
Answer: fsIHaveBackUPcyberx
Solution: Powershell script on execution shows output as “Pay me 10 Bitcoin for answer!!!”
Powershell script is obfuscated and compressed using Raw Deflate-Stream and Base64
We will use CyberChef (https://gchq.github.io/CyberChef/) to decrypt this script.
First we will decode the base64 data using Regular Expression and Base64 decoder
After this we will Raw Inflate the base64 output
After Raw Inflate, the output is changed, but the output is still a similar obfuscated script.
Therefore, we have to think of a solution where we can recursively decrypt the output to get the
final script.
In this case we will use “loops” and “labels” in CyberChef to achieve our goal
Add a “label” named “start” at the top of Recipe
Add a “jump” with Label name “start” at the end of the recipe
This will run the Recipe recursively 2 times.
Now manually increase the Maximum jumps field to 4 and you can see the De-obfuscated script
And you can see the flag of this challenge in output.
Directly Load this Recipe in cyberchef to see the output:
Label('start')
Regular_expression('User defined','[a-zA-Z09+/=]{30,}',true,true,false,false,false,false,'List matches')
From_Base64('A-Za-z0-9+/=',true)
Raw_Inflate(0,0,'Adaptive',false,false)
Jump('start',4)
------------------------------
Another way to solve this challenge is to enable powershell logging in windows and searching for
“cyberx” string in log
https://www.secjuice.com/enterprise-powershell-protection-logging/
This challenge is based on post-exploitation framework Empire Agent
(https://github.com/EmpireProject/Empire) payload obfuscation
https://twitter.com/pmelson/status/1078776229996752896
==================================================================================
[Misc] aah
The file was found in /tmp folder and it was found to be used by a simple ransomeware in an
infected server.
Answer: fseasyonecyberx
Solution:
1) Take file name.
2) From hex-->ascii
3) the flag will be the converted text
[Misc] Tri_angle
Combination of events produce the flag
Answer: fs3kali_3kalicyberx
Solution: File: triangle.zip Password: fscyberx
This binary will do the following actions:
1) Create folder and text file
2) Create registry
3) Create task scheduler
Combine all those value above in sequence will produce the flag in base64 which you would then
need to decode to text.
ZnMza2F + saV8za2FsaW + N5YmVyeA==
[Misc] Yet Another Ridiculous Acronym
Create a file to satisfy condition of Yara Rul
Answer: fs"YaaaaaRaaaaa\135!#%"cyberx
Solution: YARA is a tool aimed at (but not limited to) helping malware researchers to identify and
classify malware samples. With YARA you can create descriptions of malware families (or whatever
you want to describe) based on textual or binary patterns. (ref :
https://yara.readthedocs.io/en/latest/)
To run yara rule : https://yara.readthedocs.io/en/latest/commandline.html
Looking at the yara rule
We have 3 variables $a, $b ,$c where $c is kind of regex and we have conditions to satisfy
Let’s look at $c first :
https://yara.readthedocs.io/en/latest/writingrules.html#regular-expressions shows condition of
regex in yara
start and end ‘/’ defines that string is regex
\” = ”
Y=Y
[a]{5} = aaaaa
R=R
a{5} = aaaaa
\\ = \
\x31 = 1
35!#% = 35!#%
\” = ”
i.e. $c is matching “YaaaaaRaaaaa\135!#%”
-----------------------------------Let’s look at the conditions now.
All the conditions should be satisfied .
$a should be at 100 position , $c at 102
File should be greater than 2kb
Should not be a Portable Executable file i.e. should not start with 0x4d5a
And all three variable should appear 1 time in file
We already have a hint now what is our flag
fs“YaaaaaRaaaaa\135!#%”cyberx
but to confirm our verdict we can create a test file where fs is at 100th position,
“YaaaaaRaaaaa\135!#%” at 102nd position and rest of the part in file can be dummy.
Test yara rule now and it will detect the file.
[Misc] Where_Code_Starts
Sort the files in ascending order according to their Address Of Entry Point
Answer: fspythonpepyparsecyberx
Solution: File Where_Code_Starts.zip Password: fscyberx
The address of the entry point is the address where the PE loader will begin execution; this is the
address that is relative to image base when the executable is loaded into memory.(ref :
https://resources.infosecinstitute.com/2-malware-researchers-handbook-demystifying-pe-file/)
To find Address of EntryPoint (AEP), we will use a python module “pefile”, Portable Executable
reader module https://pypi.org/project/pefile/
Install pefile using command : pip install pefile
Now print the AEP using pefile
0x14026 is the AEP of file c.exe
Based on this write a simple python script AEP.py
Following is the output :
Sort the filename according to AEP addresses : fspythonpepyparsecyberx is the flag
