InCTF 2018 Evil Crypter Writeup

I had a lot of fun organizing this year's CTF. This was also my first time organizing a CTF. Working alongside my teammates for roughly 36 hours and talking to various people on the IRC was a lot of fun.

I made two challenges this year, Evil Crypter and Winter Sport. I really expected a lot of teams to solve this challenge; however, only 4 teams did, and all of them loved it.

I have received requests from various people on the IRC to publish write-ups for these two challenges.

So let us get on with it.

Challenge Description:

(Screenshot: challenge description)

Reading the description, we learn that a suspicious script was run on the system and encrypted some precious text, which is presumably the flag.

Downloading the file, we find that we have received a Windows memory dump.

(Screenshot: the downloaded file, a Windows memory dump)

Running Volatility's imageinfo plugin, I found that this is a 32-bit Windows 7 memory dump, so I selected the profile Win7SP1x86.

Let us run the filescan plugin now. You will notice that I have skipped the other major and common plugins such as pslist, psscan and envars. That is because I know there is nothing suspicious in their output (I made the challenge, dudes).

(Screenshot: filescan output)

On the Desktop, as you can see, there are three suspicious files: evilscript.py, suspision1.jpeg and vip.txt.

So what are you waiting for? Let us extract them with the dumpfiles plugin. If you don't know how to dump a file out of a memory image, don't worry, I'll show it.

I'll dump the image "suspision1.jpeg" first.

(Screenshot: dumpfiles command for suspision1.jpeg)

The hex value after -Q is the physical offset of the file's FILE_OBJECT, exactly as filescan listed it. Dump the other two files the same way.
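The offsets that dumpfiles needs come straight out of the filescan listing. As an added example (not part of the original writeup), here is a small Python helper that parses Volatility 2 filescan output, picks out the three Desktop files and builds the matching dumpfiles command lines. The listing it parses is constructed for the example: the offsets, the user name "hello" and the ntdll.dll entry are made up; only the three file names come from the writeup, and the image name evilcrypter.raw is an assumption.

```python
import re
import shlex
from collections import namedtuple

FileEntry = namedtuple("FileEntry", "offset ptr hnd access name")

# Constructed sample of Volatility 2 `filescan` output. The offsets, the user
# name "hello" and the ntdll.dll line are made up; only the three Desktop file
# names are taken from the writeup.
SAMPLE_FILESCAN = """\
Volatility Foundation Volatility Framework 2.6
Offset(P)            #Ptr   #Hnd Access Name
------------------ ------ ------ ------ ----
0x000000003d0a1f80      8      0 R--r-d \\Device\\HarddiskVolume1\\Windows\\System32\\ntdll.dll
0x000000003e0d3f80      2      1 RW-rw- \\Device\\HarddiskVolume1\\Users\\hello\\Desktop\\evilscript.py
0x000000003e1c5038     16      0 R--r-d \\Device\\HarddiskVolume1\\Users\\hello\\Desktop\\suspision1.jpeg
0x000000003f2a7a10      2      1 RW-rw- \\Device\\HarddiskVolume1\\Users\\hello\\Desktop\\vip.txt
"""

# One filescan row: physical offset, pointer count, handle count, access
# string, then the path (which may contain spaces, hence the lazy match).
ROW_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(.+?)\s*$")


def parse_filescan(text):
    """Turn raw filescan text into FileEntry records, skipping banner/header rows."""
    entries = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            offset, ptr, hnd, access, name = m.groups()
            entries.append(FileEntry(int(offset, 16), int(ptr), int(hnd), access, name))
    return entries


def find_files(entries, directory, names):
    """Map each wanted file name (case-insensitive) to every matching entry
    whose parent directory is `directory`. A path can appear several times in
    filescan (one row per cached FILE_OBJECT), so the value is a list."""
    wanted = {n.lower() for n in names}
    hits = {}
    for e in entries:
        parts = e.name.split("\\")
        if (len(parts) >= 2 and parts[-2].lower() == directory.lower()
                and parts[-1].lower() in wanted):
            hits.setdefault(parts[-1], []).append(e)
    return hits


def dumpfiles_cmd(image, profile, entry, outdir):
    """Build the Volatility 2 dumpfiles command for one FILE_OBJECT offset."""
    argv = ["volatility", "-f", image, "--profile=" + profile,
            "dumpfiles", "-Q", "0x%x" % entry.offset, "-D", outdir]
    return " ".join(shlex.quote(a) for a in argv)


def dump_commands(filescan_text, image, profile, outdir,
                  names=("evilscript.py", "suspision1.jpeg", "vip.txt")):
    """One dumpfiles command per matching FILE_OBJECT, grouped by file name."""
    hits = find_files(parse_filescan(filescan_text), "Desktop", names)
    return [dumpfiles_cmd(image, profile, e, outdir)
            for name in sorted(hits) for e in hits[name]]


if __name__ == "__main__":
    for cmd in dump_commands(SAMPLE_FILESCAN, "evilcrypter.raw", "Win7SP1x86", "dumped"):
        print(cmd)
```

filescan often lists the same path more than once, one row per FILE_OBJECT still sitting in memory, and not every one of them has its cached pages intact. That is why the helper keeps every match and emits one dumpfiles command per offset: dump them all and keep the copy whose size and contents look right.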

Let us now see what's inside evilscript.py and vip.txt.

(Screenshot: contents of evilscript.py and vip.txt)

So basically, this Python script accepts a command-line argument, transforms it and writes the result to vip.txt.

So we have to reverse the script: take the contents of vip.txt and undo each transformation in the opposite order to the one the script applies them in. Reversing it gives me inctf{0n3_h4lf.
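The writeup shows evilscript.py only as a screenshot, so its exact transformation is not reproduced here. As an added example that is not the challenge's code, the stand-in below has the same shape (take the first argument, transform it, write vip.txt) with an assumed three-stage pipeline (reverse the bytes, XOR with the made-up key "inctf", hex-encode) and shows the general reversing approach: express the script as a list of (forward, inverse) stages and run the inverses in the opposite order. Swapping in the real script's stages and key, the same crypt_reverse recovers the text stored in vip.txt.

```python
import sys
from itertools import cycle

# Hypothetical key for the stand-in crypter. The real evilscript.py is shown
# only as a screenshot in the writeup; its key and stages are not known here.
KEY = b"inctf"


def xor_key(data: bytes) -> bytes:
    """XOR with a repeating key; applying it twice restores the input."""
    return bytes(b ^ k for b, k in zip(data, cycle(KEY)))


# The stand-in script's pipeline as (forward, inverse) pairs, in the order the
# script applies them. Reversing the script means walking this list backwards
# and calling each inverse.
STAGES = [
    (lambda d: d[::-1], lambda d: d[::-1]),                             # reverse bytes
    (xor_key, xor_key),                                                 # XOR, self-inverse
    (lambda d: d.hex().encode(), lambda d: bytes.fromhex(d.decode())),  # hex encode
]


def crypt_forward(plaintext: str) -> str:
    """What the stand-in evilscript.py does to its argument before writing vip.txt."""
    data = plaintext.encode()
    for fwd, _ in STAGES:
        data = fwd(data)
    return data.decode()


def crypt_reverse(ciphertext: str) -> str:
    """Undo crypt_forward: inverse stages, in reverse order."""
    data = ciphertext.encode()
    for _, inv in reversed(STAGES):
        data = inv(data)
    return data.decode()


def recover_from_vip(path: str) -> str:
    """Read a dumped vip.txt and recover the original argument."""
    with open(path, encoding="ascii") as f:
        return crypt_reverse(f.read().strip())


if __name__ == "__main__":
    # Mimics the script's interface: argument in, vip.txt out, then recover it.
    secret = sys.argv[1] if len(sys.argv) > 1 else "inctf{0n3_h4lf"
    with open("vip.txt", "w", encoding="ascii") as f:
        f.write(crypt_forward(secret))
    print(recover_from_vip("vip.txt"))
```

Checking that crypt_reverse(crypt_forward(x)) == x on a test string before pointing it at the real vip.txt catches a wrong inverse early. In a challenge like this the work is in the stage whose inverse is not obvious, such as a transform that drops information or a key that has to be recovered from elsewhere in the dump.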

So we've got half of the flag and have to find the other half. Practically, I think it would be in the image.

(Image: suspision1.jpeg)

Given an image at this point, the natural expectation is that some steganography technique is involved.

Running steghide's extract on the image with the passphrase set to the first half of the flag gives us a text file containing the other half: _1s_n0t_3n0ugh}. Concatenating the two gives the full flag.

FLAG: inctf{0n3_h4lf_1s_n0t_3n0ugh}

Happy Hacking!!
