Our friends at Nuix put together an amazing Capture the Flag (CtF) contest at SecTor 2018. For those of you who attempted and succeeded, congratulations. There were numerous participants but only a select few made it to the finish line. For those who attempted but were unable to finish, or you didn’t know where to start, the Nuix team were kind enough to provide the following walk-through so you now know what it took to capture the five flags. Let’s get started!
First, when you checked in at SecTor, you were given a badge. It looked something like this:
Did you see what was at the bottom when you unfolded it? Is that Morse code? Yes, it is!
“Look at page four”
On page four of the SecTor guide, details about the CtF could be found.
after the unfortunate arrest by the fBi of me0wAretech and their domain me0wareteCh.cOm iN 2017, gh0st and the CRew from shad0wlabs IS on the hunt for new recruits. they have decided that canada’s leading security conference, sector, is the PERfect location to Discover new talent. tO test the worThiness of the reCruits, gh0st has put together a series of challenges tO test skill and drive needed to join the teaM at shad0wlabs.
The inconsistency in the capitalization should have caught your eye (BACONCRISPER DOT COM or baconcrisper.com). If the inconsistency in capitalization wasn’t enough the creators added a few other Easter eggs.
A QR code was added for windows in case gamers couldn’t decipher the cryptic message. We added a street sign too!
After visiting the site gamers found this interesting image (a Cicada puzzle).
Opening the image in a text editor revealed more details. Scrolling to the end of the document, gamers found the phrase “et tu brute” printed. Could this indicate a Caesar cipher? Yes. Once the type of cipher was discovered, a little bit of shifting and shad0wlabs.com appeared. Flag 1, Truffle Shuffle!
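The shifting step, as an added example that is not part of the original write-up: the ciphertext below is constructed (shad0wlabs.com enciphered with a shift of 3, since the post does not reproduce the string from the image), and the decoder tries all 26 shifts and keeps the one that yields a .com domain. Letters shift while digits and punctuation pass through, which is why the 0 and the dot survive.

```python
import string

# Constructed sample ciphertext: "shad0wlabs.com" shifted by 3.
CIPHERTEXT = "vkdg0zodev.frp"

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase


def caesar_shift(text, shift):
    """Undo a Caesar shift of `shift` positions.

    Only ASCII letters move; digits and punctuation are left alone, so
    leetspeak zeros and the '.' in a domain come through unchanged.
    """
    out = []
    for ch in text:
        if ch in LOWER:
            out.append(LOWER[(LOWER.index(ch) - shift) % 26])
        elif ch in UPPER:
            out.append(UPPER[(UPPER.index(ch) - shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def brute_force(text):
    """Return every candidate plaintext keyed by its shift (0..25)."""
    return {s: caesar_shift(text, s) for s in range(26)}


def find_domain(text, suffix=".com"):
    """Pick the (shift, plaintext) pair that ends in the expected TLD.

    Because the TLD letters are shifted too, only the correct shift
    produces the literal suffix; returns None if no shift matches.
    """
    for shift, plain in brute_force(text).items():
        if plain.endswith(suffix):
            return shift, plain
    return None


if __name__ == "__main__":
    print(find_domain(CIPHERTEXT))  # (3, 'shad0wlabs.com')
```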
If gamers visited shad0wlabs.com they should have found a Zork PDF. This is where the creators put your PDF forensics to the test! At first it looks like a normal PDF, but once analyzed things don’t seem to add up. Gamers should have noticed that “UseAttachments” was indicated. A little more digging leads us to an attachment titled gohere.txt. In streams 83 and 84 we find another clue which tells us to go to baconcrisper.com/g00nies.txt. This could all have been easily solved using peepdf.
If gamers didn’t like that option, they could have fixed the PDF. The creators purposefully made the document contain an error. This error revolved around embedded files or more specifically “/EmbeddedFiles”. The F was lowercase instead of the expected uppercase so traditional PDF readers couldn’t simply open it. Change capitalization from f to F and boom-shaka-laka the PDF opened! Tricky! Flag 2, Party on Garth!
Gamers then went on to download another flag zip file. Inside the file they found the text “Follow us on social media!” Users should have located some social media accounts for shad0wlabs. The accounts would contain more clues. One of the clues talked about the Instagram account owned by them, and posted on it were more clues to the puzzle. The most notable clue was a post of an email from tutanota to gh0st talking about a hidden directory on shad0wlabs.com. After scanning the email, gamers should have found credentials. These could be used to log in to the hidden directory on shad0wlabs.com. This could easily be done by visiting the index page of the site. An animated gif of a battlestag was the first clue.
Again, our creators like options! The text “That battlestag sure zips around” should have been the next clue. Guessing battlestag.zip would get them one step closer. Now, break out the hex editor, it’s about to get crazy! The zip file contained images which, once sorted by size and viewed in hex, revealed the next clue. Gamers would then have to extract the hex, which turns out to be a PCAP file, and load it into Wireshark. Further analysis would have revealed a password protected zip file. Do you think the password is “battlestag”? Flag 3, Cowabunga Dude!
Do you remember the 80’s? Because the creators of our next flag sure do! Let’s play a game!
The easiest way to get the next flag was to play the game. Users could have ripped the game apart line by line and found the answers, but at this point the creators just wanted you to have fun! The goal of the game was to get a password for the storyteller.7z file. Playing the game revealed the clues: Book = all_your, Magazine = base_are_, Dog tags = belong_to, and Newspaper = us.
Now, let’s get back to the storyteller file and see what information we can get from it!
We need to get the user name first. In order to do this you have to deobfuscate johndoe. It is broken down into several elements and then obfuscated further via hex (see below).
This will give you the username: lost_child
We are getting closer!
We now must work backwards from the variable ‘pass_input’.
It is part of a nested for loop. The outer loop is ‘passes in pass_input’ and the inner loop is ‘char in chars’. Then passes is compared to ‘str(chr(char))’: if they are equal, it is correct; if not, it fails. We will attack this from the ‘str(chr(char))’ side. First, we identify the chars by adding ‘print char’ to storyteller.py, which will result in:
Next, we will create a for loop that will do what the code above requires.
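The username and password recovery as an added Python 3 example (not the storyteller.py code from the challenge, whose actual values the write-up does not reproduce): the hex chunks for johndoe and the ‘chars’ list are constructed stand-ins, and ‘placeholder’ is a made-up password. Beside the check of the kind described above, a hardened form shows why such a script should store a salted hash rather than the password in any recoverable form.

```python
import hashlib
import hmac
import os

# Constructed stand-ins for the obfuscated values in storyteller.py.
JOHNDOE_PARTS = ["6c6f73", "745f", "6368696c64"]  # hex chunks of "lost_child"
CHARS = [112, 108, 97, 99, 101, 104, 111, 108, 100, 101, 114]  # ord() values of "placeholder"


def deobfuscate_username(parts):
    """Join the hex elements and decode them back to the username."""
    return bytes.fromhex("".join(parts)).decode("ascii")


def original_check(pass_input, chars):
    """Stand-in for the check described above: each typed character is
    compared with str(chr(char)); any mismatch or length difference fails."""
    if len(pass_input) != len(chars):
        return False
    for passes, char in zip(pass_input, chars):
        if passes != str(chr(char)):
            return False
    return True


def recover_password(chars):
    """The check needs nothing but chr() of every entry, so the list alone
    determines the password; this is the loop the write-up alludes to."""
    return "".join(chr(c) for c in chars)


def make_record(password, salt=None):
    """Hardened alternative: keep only a random salt and a PBKDF2 hash."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def hardened_check(pass_input, salt, stored_digest):
    """Recompute the hash and compare in constant time; the script no longer
    contains anything from which the password can be read back."""
    digest = hashlib.pbkdf2_hmac("sha256", pass_input.encode(), salt, 100_000)
    return hmac.compare_digest(digest, stored_digest)


if __name__ == "__main__":
    print(deobfuscate_username(JOHNDOE_PARTS))  # lost_child
    print(recover_password(CHARS))              # placeholder
```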
Now that we have both the user name and password, the gamer can return to the shad0wlabs.com site. Flag 4, Puddin Pop!
Are we there yet? Almost, hang in there!
Our final flag also dips its toes into the shallow pool of nostalgia by grabbing a DOS VM from shad0wlabs.com. As always, our creators like options, so let’s see how this puzzle could be solved. The first option was to open your favorite forensic tool and parse the data manually. The VM was packed with numerous games, but a couple stand out. Inside the Gorillas game players found a new IP address. The IP address sends us to an FTP site, but it requires a password. The password for the file was located within the Hackman directory. After authenticating, gamers found a zip file. The zip file contained a Windows 3.1 VM. Launching the VM would allow gamers to play the macro. The macro would point them to a new domain, Rustybucket.duckdns.org, but the clue was ascii85 encoded. At this point, do you think the creators were just laughing in a room by themselves? The clue, once decoded, points to a Windows .exe file. The players would have to download the file in a sandbox. If they attempted to open the file on a normal PC, the antivirus would flag, quarantine, or dismiss the file. I think the creators were hoping that no one just double clicks on an executable, because who does that? Analyzing this file reveals another IP address and port number. The gamer would FTP to the address and they were able to claim… the… final… Flag 5, Bazinga!