Cyber SEA Game 2018 Write-up

Cyber SEA Game 2018 is a Jeopardy-style Capture the Flag (CTF) competition organized by the ASEAN-Japan Cybersecurity Capacity Building Centre (AJCCBC) and Thailand’s Electronic Transactions Development Agency (ETDA). The competitors were selected to represent 10 countries among the ASEAN member states: Brunei Darussalam, Cambodia, Indonesia, Lao PDR, Malaysia, Myanmar, Philippines, Singapore, Thailand and Vietnam. Each country fielded up to 4 players, who had to answer questions in categories such as Binary, Reverse Engineering, Forensics, Web, Misc, etc.
Below are some of the challenges that we managed to solve during the event.
Access Log
We were provided with the challenge file below and asked to find the IP address with the most accesses to the web server, along with the number of times that client accessed it. The flag format is flag{IP Address/Number of Access}.
access_log_8F3488BA211F37373D5A207EAD12610D877E1698.zip
Based on the file extension, it should be a zip file, but to make sure it really is one, we used the file command.

It really is a zip file. Let’s unzip it and see what is inside.

There is a text file inside, and it looks like an Apache access log. We will use a tool named goaccess to get a summary of this access log.

We then selected NCSA Combined Log Format, and here is what we got.

Based on the output above, the flag for this challenge is flag{24.27.34.165/913}
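The same count that goaccess produces in its visitors panel can be reproduced with a few lines of code, which also lets you skip lines that do not parse rather than silently miscount them. The following is an added example, not part of the original write-up; the log lines are constructed samples using RFC 5737 documentation addresses, not lines from the challenge file.

```python
import re
from collections import Counter

# NCSA combined log format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?\s*$'
)

# Constructed sample log (not the challenge data); one line is deliberately malformed.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2018:13:55:36 +0700] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2018:13:55:37 +0700] "GET /login HTTP/1.1" 200 512 "-" "curl/7.58.0"
203.0.113.5 - - [10/Oct/2018:13:55:38 +0700] "POST /login HTTP/1.1" 302 - "http://example.test/login" "Mozilla/5.0"
this line is not an access log entry
203.0.113.5 - - [10/Oct/2018:13:55:39 +0700] "GET /admin HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2018:13:55:40 +0700] "GET /robots.txt HTTP/1.1" 404 209 "-" "curl/7.58.0"
"""


def parse_log(lines):
    """Parse combined-format lines; return (records, number_of_lines_skipped)."""
    records, skipped = [], 0
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        m = LOG_RE.match(line)
        if not m:
            skipped += 1          # count rather than ignore, so a parsing gap is visible
            continue
        records.append(m.groupdict())
    return records, skipped


def hits_per_client(records):
    """Number of requests per client IP address."""
    return Counter(r["ip"] for r in records)


def top_client(records):
    """The (ip, count) pair with the most requests."""
    return hits_per_client(records).most_common(1)[0]


def flag_for(records):
    ip, n = top_client(records)
    return f"flag{{{ip}/{n}}}"


if __name__ == "__main__":
    recs, skipped = parse_log(SAMPLE_LOG.splitlines())
    print(f"{len(recs)} records parsed, {skipped} skipped")
    print(flag_for(recs))
```

Against a real access_log, replace SAMPLE_LOG.splitlines() with the open file; the skipped count is the first thing to check, since a format mismatch (common log instead of combined, or a proxy-inserted field) would otherwise change the answer.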
Acrobat
We were provided with the challenge file below and asked to find the destination IP address and port that the PDF file inside the zip tries to connect to when it is opened. The flag format is flag{IP address:Port number}.
acrobat_0718F9C940B9B2D97A53AD4EAD7FD6EF197BEF06.zip
Based on the file extension, it should be a zip file, but to make sure it really is one, we used the file command.

It is a zip file. We unzipped it and found a PDF file inside. Since the task was to find the destination IP address and port after running the PDF, it looked like some code gets executed when the file is opened. Let’s check it with VirusTotal.

It was identified as a PDF exploit for CVE-2008-2992. After the online sandbox failed, I tried googling and found an article about CVE-2008-2992 shellcode extraction. We followed its steps: open the PDF file in PDFStreamDumper and select Exploit_Scan.


It showed that there is an exploit related to CVE-2008-2992 in stream 6. We opened stream 6 and saw this code, which looks like JavaScript using the unescape function.

We opened Javascript_UI from the menu bar, selected the code wrapped in the unescape function, and clicked Shellcode_Analysis and then scDbg to see the hex encoding of the code.

Here we can dump the code for analysis or run it to see what it does.

In this case, we just ran the code.

Based on the output above, the flag for this challenge is flag{23.37.151.67:443}
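What PDFStreamDumper does when you select the unescape() argument is turn the %uXXXX escapes back into raw bytes, so a static first look (NOP-sled size, embedded ASCII strings such as a URL) is possible before anything is emulated. The decoder below is an added example, not code from the write-up or from PDFStreamDumper; the sample string is constructed and decodes to a few 0x90 bytes followed by plain text, not to any real shellcode.

```python
import re

# JavaScript escape tokens: %uXXXX (a UTF-16 code unit), %XX (one byte), or a literal character.
_TOKEN = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})|(.)", re.DOTALL)

# Constructed sample: four NOP bytes followed by the text "https://ex" (not challenge data).
SAMPLE_ESCAPED = "%u9090%u9090%u7468%u7074%u3a73%u2f2f%65%78"


def decode_unescape(escaped: str) -> bytes:
    """Reverse JavaScript unescape() into the byte string the exploit would place in memory.

    A %uXXXX unit is stored little-endian, which is why the shellcode author writes
    the bytes pairwise swapped (e.g. "ht" appears as %u7468).
    """
    out = bytearray()
    for m in _TOKEN.finditer(escaped):
        u16, u8, lit = m.groups()
        if u16 is not None:
            out += int(u16, 16).to_bytes(2, "little")
        elif u8 is not None:
            out.append(int(u8, 16))
        else:
            out += lit.encode("latin-1", "replace")
    return bytes(out)


def summarize(blob: bytes, min_len: int = 4) -> dict:
    """Cheap static indicators: total size, count of 0x90 (NOP) bytes, printable strings."""
    return {
        "length": len(blob),
        "nop_bytes": blob.count(0x90),
        "strings": [s.decode("ascii") for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)],
    }


if __name__ == "__main__":
    blob = decode_unescape(SAMPLE_ESCAPED)
    print(blob.hex())
    print(summarize(blob))
```

Strings alone rarely give the C2 address for this family, because it is usually built at run time (which is why the write-up ends up executing the code in scDbg), but the decoded buffer is what you feed to the emulator or hash for an IoC.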
Execute
We were provided with the challenge file below and asked to find the flag.
D33A76EEB30217CD6ACE53910EC9078B62D54EF8.txt
Based on the file extension, it should be a text file, but to make sure it really is one, we used the file command.

It is not a text file but a Windows executable. Let’s try the strings command to see if there is any interesting text in there.


We saw flag{%s} and a congratulations message, which is interesting. We also saw the string [email protected], which is also interesting and looks like ROT-n. Let’s try it with this tool.

Based on the output above, the flag for this challenge is flag{[email protected]}
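When the shift is unknown, the quickest approach is to try all 25 rotations and keep the one that contains the known flag prefix. This is an added example, not the online tool used in the write-up; the ciphertext is a constructed sample (flag{rotate_me} shifted by 7), not the string from the challenge binary.

```python
import string

LOWER, UPPER = string.ascii_lowercase, string.ascii_uppercase

# Constructed sample: rot("flag{rotate_me}", 7). Not the challenge string.
SAMPLE_CIPHERTEXT = "mshn{yvahal_tl}"


def rot(text: str, n: int) -> str:
    """Shift letters forward by n positions (ROT-n); digits and punctuation are left alone."""
    n %= 26
    table = str.maketrans(LOWER + UPPER, LOWER[n:] + LOWER[:n] + UPPER[n:] + UPPER[:n])
    return text.translate(table)


def all_rotations(text: str) -> dict:
    """Every non-trivial rotation, keyed by shift."""
    return {n: rot(text, n) for n in range(1, 26)}


def find_flag_rotation(ciphertext: str, marker: str = "flag{"):
    """Return (shift, plaintext) for the first rotation that contains the marker, else None."""
    for n, candidate in all_rotations(ciphertext).items():
        if marker in candidate:
            return n, candidate
    return None


if __name__ == "__main__":
    print(find_flag_rotation(SAMPLE_CIPHERTEXT))
```

Decrypting a shift of k means applying a shift of 26 - k, which is why the sample (encrypted with 7) is recovered at shift 19.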
HKLM
We were provided with the challenge file below and asked to find the username and password. The flag format is flag{username:password}.
hklm_CC691126366FC4AA5601BCE03B5039C8C5B38239.zip
Based on the file extension, it should be a zip file, but to make sure it really is one, we used the file command.

It is a zip file. Let’s unzip it.

There are 4 files: SAM, SECURITY, SOFTWARE and SYSTEM. The SYSTEM and SAM files can be used to get the username and the NTLM hash of the user’s password.

We got the hash of an active user named test. Let’s try to crack it with an online tool.

Based on the output above, the flag for this challenge is flag{test:gorilla}
RAR
We were provided with the challenge file below and asked to find the flag.
Based on the file extension, it should be a zip file, but to make sure it really is one, we used the file command.

It is a zip file. Let’s unzip it.

There are 7 files in the zip: 6 are dump files and 1 is a rar file named flag. Let’s try to open the rar file.

It is password protected. Since they provided the dump, let’s see if we can find the password in there. Since the dump has been split into 6 files, we need to reconstruct it into a single file and extract it.

We got the raw file. It looks like a memory dump file; let’s see if volatility can read it.

Yes, it is a memory dump, and it was dumped from a 64-bit version of Windows 7 or Windows Server 2008. Let’s check the clipboard to see if any interesting information remains there.

It seemed that the password of flag.rar had been captured in the clipboard. Let’s try to extract or open the Word file in flag.rar again with the password we found.

We used the clipboard plugin to find the rar password. However, the intended solution was to use the cmdscan plugin. Anyway, it doesn’t matter since we got the flag. 😀
Based on the output above, the flag for this challenge is flag{CdK8ksPF7bx6czi4LWmr}
Up
We were provided with the challenge file below and asked to find the flag.
up_AE0272EE59D60539485723636359F1511899ECAD.zip
Based on the file extension, it should be a zip file, but to make sure it really is one, we used the file command.

It is a zip file. Let’s extract it.

There is a network capture file inside the zip. Since we know the flag format, let’s try running the strings command on the pcapng file.

We got the flag by taking a shortcut, but that is not the intended solution. Let’s pretend we do not know the flag format. 😀
We opened the pcapng file with Wireshark.

We saw some cleartext protocols such as HTTP and ARP. Let’s see if we can export objects transmitted over HTTP.

Interestingly, we found 2 files. Let’s save them and look at their contents.

We can also follow the HTTP stream of both files based on their packet numbers, 957 and 960.

Based on the output above, the flag for this challenge is flag{i_am_a_black_hat_hacker}
Files
We were provided with the challenge file below and asked to find a similar file. The flag format is flag{filename/proof}.
files_09898142C3D8F92E3DA17C008D66DB07AD7E93F7.zip
Based on the file extension, it should be a zip file, but to make sure it really is one, we used the file command.

It is a zip file. Let’s extract it.

We got a file named File as a sample, memo.txt, which lists the sha256 signatures of all the files, and 1000 files among which to find the one similar to the given sample.
We did not trust memo.txt, so we calculated the sha256 of the sample file ourselves and compared it against the 1000 files.

Fair enough, nothing identical. That is because a SHA-256 hash collision is extremely rare. Let’s try MD5, for which collisions are much easier to produce.

Our assumption was correct. We found a file whose MD5 hash is the same as the given sample file’s.
Based on the output above, the flag for this challenge is flag{File0510/79054025255fb1a26e4bc422aef54eb4}
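Two checks are worth automating here: verifying that the supplied memo.txt actually matches the files (the write-up rightly did not trust it), and separating files that are byte-identical to the sample from files that merely share its MD5, which is the only bucket a genuine collision can land in. The block below is an added example, not the write-up’s own commands. The files and memo are constructed in memory; no real MD5 collision pair is embedded, so the md5_collision bucket is empty for the sample data and would hold the colliding file when run against the challenge set.

```python
import hashlib


def digests(blob: bytes):
    """(md5, sha256) hex digests of a byte string."""
    return hashlib.md5(blob).hexdigest(), hashlib.sha256(blob).hexdigest()


def find_similar(sample: bytes, candidates: dict) -> dict:
    """Classify candidates: identical content (same SHA-256) vs. MD5 match with different content."""
    s_md5, s_sha = digests(sample)
    result = {"identical": [], "md5_collision": []}
    for name, blob in sorted(candidates.items()):
        md5, sha = digests(blob)
        if sha == s_sha:
            result["identical"].append(name)
        elif md5 == s_md5:
            result["md5_collision"].append(name)   # same MD5, different bytes: a real collision
    return result


def verify_memo(memo_text: str, candidates: dict) -> list:
    """Return (name, listed_sha256, actual_sha256) for every memo entry that does not match."""
    mismatches = []
    for line in memo_text.splitlines():
        if not line.strip():
            continue
        expected, name = line.split()                 # sha256sum-style "digest  filename" lines
        actual = hashlib.sha256(candidates[name]).hexdigest() if name in candidates else None
        if actual != expected:
            mismatches.append((name, expected, actual))
    return mismatches


# Constructed sample set (not the challenge files): File0002 duplicates the sample exactly.
SAMPLE = b"the quick brown fox\n"
FILES = {
    "File0001": b"unrelated data\n",
    "File0002": b"the quick brown fox\n",
    "File0003": b"the quick brown fox\n!",
}
# Constructed memo: File0001's entry is correct, File0002's is deliberately wrong.
MEMO = "\n".join([
    f"{hashlib.sha256(FILES['File0001']).hexdigest()}  File0001",
    "0" * 64 + "  File0002",
])

if __name__ == "__main__":
    print(find_similar(SAMPLE, FILES))
    print(verify_memo(MEMO, FILES))
```

For a directory of real files, build the candidates dict with pathlib (`{p.name: p.read_bytes() for p in Path(d).iterdir()}`); the lesson the challenge teaches survives the change of input, which is that an MD5 match is not evidence that two files are the same.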
dotNET
We were provided with the challenge file below.
dotnet_987E040B267F83D77CB57C17B39642FF4D4DAFCE.zip
Based on the file extension, it should be a zip file, but to make sure it really is one, we used the file command.

It is a zip file. Let’s try to unzip it.

We got a Windows executable. According to its name, it should be written in .NET. Compiled .NET code is easy to decompile; in this case we used a tool called JetBrains dotPeek. We loaded the executable file and navigated the decompiled classes.

We stitched the this.Flag.Text pieces together and got the value ZmxhZ3suTkVUIGFwcGxpY2F0aW9ucyBjYW4gc2VlIHRoZSBzb3VyY2UgY29kZS59Cg== which looks like base64-encoded text. Let’s decode it.

Based on the output above, the flag for this challenge is flag{.NET applications can see the source code.}
Build
We were provided with the challenge file below and asked to find the last modification date of the file in the zip. The flag format is flag{Year-Month-Day Hour:Minute:Second}
build_C1D35757B7ADA7549543ED34F4D6609ED86561E3.zip
We unzipped the file and checked the properties of the file inside the zip.

We tried to submit the flag with the modified date and time above, but it was not correct.
We then used the file command to check the file type.

Oops! It is not an Excel file. Let’s check it with VirusTotal.

We saw a creation time that is different from what we got earlier from the file properties. We submitted the flag again, and this time it was correct.
Based on the output above, the flag for this challenge is flag{2017-11-01 02:03:56}
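The timestamp the filesystem shows is whatever the last copy or unzip set, whereas a PE carries its own build time in the COFF header’s TimeDateStamp field (seconds since the Unix epoch, UTC), which is the kind of value a service like VirusTotal reports as the compilation or creation time. The parser below is an added example, not the write-up’s own procedure; it builds a minimal constructed PE header with a chosen timestamp and reads it back, so nothing from the challenge file is assumed.

```python
import struct
from datetime import datetime, timezone


def build_minimal_pe(timestamp: int) -> bytes:
    """Constructed: a 64-byte DOS header (MZ, e_lfanew = 0x40) followed by 'PE\\0\\0' and a COFF header."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> offset of the PE signature
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 1, timestamp, 0, 0, 0, 0x22)
    return bytes(dos) + b"PE\x00\x00" + coff


def pe_timestamp(data: bytes):
    """Return the COFF TimeDateStamp as an aware UTC datetime, or None if this is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    ts, = struct.unpack_from("<I", data, e_lfanew + 8)   # 4-byte signature + Machine + NumberOfSections
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def pe_timestamp_str(data: bytes):
    """Same value in the challenge's flag format, Year-Month-Day Hour:Minute:Second."""
    dt = pe_timestamp(data)
    return None if dt is None else dt.strftime("%Y-%m-%d %H:%M:%S")


if __name__ == "__main__":
    sample = build_minimal_pe(1509501836)   # constructed value: 2017-11-01 02:03:56 UTC
    print(pe_timestamp_str(sample))
```

For a real sample, read the file with open(path, "rb").read(). Treat the field as an indicator rather than proof: the linker writes it, but it is a plain 32-bit integer that a packer or the author can overwrite, and some toolchains (recent MSVC with reproducible builds) deliberately store a hash there instead of a time.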
XML
We were provided with the challenge file below.
FLAG_B8C966907F0EC665EF4A452DD5E8EB9EA75DCA4A.zip
Based on the file extension, it should be a zip file, but to make sure it really is one, we used the file command.

We unzipped it and checked the file inside.

There is an XML file called FLAG.xml. Its structure looks like XML, but its data looks like drawing coordinates. We also saw the word svg in the file header, which made us assume that this is actually an SVG image file, since SVG is used to draw images. We found an online tool that renders SVG files in real time.

It couldn’t render the image. Maybe something is wrong. We then created a new SVG file and saw that the structure of an SVG file should be as below.

We then replaced <xml> … </xml> with <svg> … </svg>.

We got something this time, but not the flag. We then noticed the parameter viewBox="-80 0 146.2 14.54" in the header, removed it, and rendered again.

We got it right this time, and the flag for this challenge is flag{HIDDEN}
Invoice
We were provided with the challenge file below.
Invoice_980756195BC258338EA193F9B8841B9A1198F9AA.zip
Based on the file extension, it should be a zip file, but to make sure it really is one, we used the file command.

It is a zip file. Let’s unzip it.

We found an MS Word file inside the zip. We were not sure whether this file contains malicious macro code, so we uploaded it to VirusTotal to check.

There is a malicious macro inside this Word document which downloads a payload once the macro runs. We then checked it with olevba.

We found macro code embedded inside the Word document. So we ran the file in a sandbox environment and got a dropped file named WupHaNASQ.exe in %userprofile%.

We took the dropped file to our Linux machine and ran the strings command on it.

Finally, we got the flag, and the flag for this challenge is flag{TygerTygerBurningBright}
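Before uploading a document anywhere, a first local triage answers one question: does this file carry a VBA project at all? For the OOXML formats (.docx/.docm/.xlsm) the document is a zip, and the macro lives in word/vbaProject.bin with a matching macroEnabled content type. The checker below is an added example, not the write-up’s olevba run and not a substitute for it (olevba also parses the legacy OLE .doc container and decodes the macro source); the two documents it inspects are constructed in memory.

```python
import io
import zipfile

_DOCX_MAIN = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
_DOCM_MAIN = "application/vnd.ms-word.document.macroEnabled.main+xml"
_VBA_PART = "application/vnd.ms-office.vbaProject"


def build_docx_like(with_macro: bool) -> bytes:
    """Constructed OOXML container: a plausible [Content_Types].xml plus a vbaProject.bin when asked."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        overrides = f'<Override PartName="/word/document.xml" ContentType="{_DOCM_MAIN if with_macro else _DOCX_MAIN}"/>'
        if with_macro:
            overrides += f'<Override PartName="/word/vbaProject.bin" ContentType="{_VBA_PART}"/>'
        z.writestr("[Content_Types].xml", f"<Types>{overrides}</Types>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes with an OLE magic prefix; a real vbaProject.bin is an OLE compound file.
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + bytes(16))
    return buf.getvalue()


def macro_indicators(blob: bytes, claimed_name: str) -> dict:
    """Static indicators for an Office document: VBA part present, macro content type, extension mismatch."""
    if not blob.startswith(b"PK"):
        # Legacy OLE (.doc/.xls) or something else entirely; hand it to olevba/oledump instead.
        return {"format": "not-ooxml"}
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        names = set(z.namelist())
        ct = z.read("[Content_Types].xml").decode("utf-8", "replace") if "[Content_Types].xml" in names else ""
    has_vba = any(n.lower().endswith("vbaproject.bin") for n in names)
    return {
        "format": "ooxml",
        "has_vba_project": has_vba,
        "macro_enabled_content_type": "macroEnabled" in ct,
        # A VBA project inside a file that claims a macro-free extension is itself suspicious.
        "extension_mismatch": has_vba and claimed_name.lower().endswith((".docx", ".xlsx", ".pptx")),
    }


if __name__ == "__main__":
    print(macro_indicators(build_docx_like(True), "Invoice.docx"))
    print(macro_indicators(build_docx_like(False), "Invoice.docx"))
```

A positive result says only that a macro exists, not what it does; the write-up’s next steps (olevba to read the VBA, then a sandbox to observe the dropped file) are still needed to get from "has a macro" to an indicator like the dropped executable’s name.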
Capture
We were provided with the challenge file below.
cap_DE8DCB2D24043D8DD5A8141CD386948A8A34D048.pcap
Based on the file extension, it should be a network capture file, but to make sure it really is one, we used the file command.

So this is a tcpdump capture file, which confirms it as a network capture. Let’s open the file with a tool like Wireshark.

There is a lot going on here, but if you look closely, you will see an interesting DNS query packet. Let’s list all DNS queries.

There are interesting DNS queries for the domain *.iotc.ru. Let’s find all DNS queries for that domain.

Based on the output above, the flag for this challenge is flag{DNSlogShouldBeChecked}
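The flag text is the lesson: DNS logs deserve a routine check, and the pattern that stood out in Wireshark (many distinct subdomains under one zone) is easy to surface programmatically. The block below is an added example, not the write-up’s Wireshark filter: a minimal libpcap reader for Ethernet/IPv4/UDP DNS queries that counts distinct names per zone and reports zones with unusually many. It builds its own small pcap from constructed queries, so no bytes from the challenge capture are assumed; checksums in the constructed frames are left at zero, which the reader does not validate.

```python
import struct
from collections import defaultdict


def _ip(s):
    return bytes(int(p) for p in s.split("."))


def _encode_qname(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"


def _decode_qname(data, off):
    labels = []
    while True:
        ln = data[off]
        off += 1
        if ln == 0:
            break
        if ln & 0xC0 == 0xC0:        # compression pointer: not expected in a query's question section
            return ".".join(labels), off + 1
        labels.append(data[off:off + ln].decode("ascii", "replace"))
        off += ln
    return ".".join(labels), off


def dns_query_frame(name, src="10.0.0.5", dst="10.0.0.53", qid=0x1234):
    """Constructed Ethernet/IPv4/UDP frame carrying one A-record query (checksums left zero)."""
    dns = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0) + _encode_qname(name) + struct.pack(">HH", 1, 1)
    udp = struct.pack(">HHHH", 53000, 53, 8 + len(dns), 0) + dns
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, _ip(src), _ip(dst)) + udp
    return b"\x00" * 12 + b"\x08\x00" + ip


def build_pcap(frames):
    """Wrap raw Ethernet frames in a classic little-endian libpcap file (link type 1)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, fr in enumerate(frames):
        out += struct.pack("<IIII", 1_540_000_000 + i, 0, len(fr), len(fr)) + fr
    return out


def dns_queries_from_pcap(pcap):
    """Return [(source_ip, queried_name)] for every DNS query sent to UDP/53 in the capture."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic not in (0xA1B2C3D4, 0xA1B23C4D):
        raise ValueError("expected a little-endian libpcap file")
    off, queries = 24, []
    while off + 16 <= len(pcap):
        _, _, incl, _ = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
            continue                                   # not IPv4 over Ethernet, or not UDP
        ihl = (frame[14] & 0x0F) * 4
        udp = frame[14 + ihl:]
        _, dport = struct.unpack_from(">HH", udp, 0)
        dns = udp[8:]
        if dport != 53 or len(dns) < 12:
            continue
        flags, qdcount = struct.unpack_from(">HH", dns, 2)
        if flags & 0x8000:
            continue                                   # QR bit set: a response, not a query
        src = ".".join(str(b) for b in frame[26:30])
        p = 12
        for _ in range(qdcount):
            name, p = _decode_qname(dns, p)
            p += 4                                     # skip QTYPE and QCLASS
            queries.append((src, name))
    return queries


def names_per_zone(queries):
    """Count distinct queried names under each zone, approximated as the last two labels."""
    seen = defaultdict(set)
    for _, name in queries:
        labels = name.split(".")
        if len(labels) >= 2:
            seen[".".join(labels[-2:])].add(name)
    return {zone: len(names) for zone, names in seen.items()}


def suspicious_zones(queries, min_names=3):
    """Zones with at least min_names distinct subdomains: a beaconing/tunnelling indicator worth a look."""
    return {z: n for z, n in names_per_zone(queries).items() if n >= min_names}


# Constructed queries (not from the challenge pcap): two ordinary names, then four random-looking labels under one zone.
SAMPLE_NAMES = ["www.example.com", "mail.example.com",
                "4f2a9c.c2.example.net", "b71e0d.c2.example.net", "0c3d77.c2.example.net", "e9a1f4.c2.example.net"]


def build_sample_pcap():
    return build_pcap([dns_query_frame(n) for n in SAMPLE_NAMES])


if __name__ == "__main__":
    qs = dns_queries_from_pcap(build_sample_pcap())
    print(qs)
    print(suspicious_zones(qs))
```

The two-label zone heuristic is deliberately simple (it mis-groups names under public suffixes like co.uk; use a public-suffix list in production), and the reader handles only Ethernet/IPv4/UDP, which is enough for the classic tcpdump format the file command identified here; a pcapng capture like the one in the Up challenge needs a different container parser.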
For
We were provided with the challenge file below.
for015_6982df65101ad2ed138e4c516f0bf7ac%20(1).pdf
Based on the file extension, it should be a pdf file, but to make sure it really is one, we used the file command.

It is a pdf file. Let’s dive into it.


We saw an interesting article about file carving and links to suggested tools. We tried binwalk and foremost to extract the embedded file from the pdf.

We got 2 files, a pdf and a jpg. We checked both, but there is nothing interesting in the pdf, so we moved on to the jpg.

We found this image among the extracted files. We ran exiftool on it.

We didn’t get any interesting information here. We then tried the strings command.

We found this text with XOR ME, but we have no idea what to XOR it with.
If you have solved it, you can send a writeup to us so that we can update the writeup for this challenge.
Guess Cipher
We were provided with the challenge file below.
Based on the file extension, it should be a zip file, but to make sure it really is one, we used the file command.

It is a zip file. Let’s unzip it.

We found a password and a file encrypted with OpenSSL.
We then made a list of all the ciphers in OpenSSL and tried each one against the encrypted file with the given password, hoping to recover the cleartext.

Yet we failed to decrypt the encrypted text.
AES
We were provided with the challenge description and file below.

aes_4880758C2BDF84C375A6C6D93155C99479F830A6.zip
We have not found the solution for this challenge yet. If you have solved it, you can send a writeup to us so that we can update the writeup for this challenge.
Ransomware
We were provided with the challenge file below.
Based on the file extension, it should be a zip file, but to make sure it really is one, we used the file command.

It is a zip file. Let’s unzip it.

The password for the ransomware zip file is infected.
We planned to analyse it in a sandbox, but I have not had time for it yet. If you have solved it, you can send a writeup to us so that we can update the writeup for this challenge.
Down
We were provided with the challenge file below.
down_7DD45627BAA941F6891F5476FA988BA3BB687B94_.zip
We have not found the solution for this challenge yet. If you have solved it, you can send a writeup to us so that we can update the writeup for this challenge.
Serial Code
We were provided with the challenge file below.
We have not found the solution for this challenge yet. If you have solved it, you can send a writeup to us so that we can update the writeup for this challenge.
Exam
We were provided with the challenge file below.
exam_BD0B0F479A3380CED5CB6D5C771DECD69286D600.zip
We have not found the solution for this challenge yet. If you have solved it, you can send a writeup to us so that we can update the writeup for this challenge.
Updater
We were provided with the challenge file below.
We have not found the solution for this challenge yet. If you have solved it, you can send a writeup to us so that we can update the writeup for this challenge.
History
We were provided with the challenge file below.
However, we lost the record of the challenge description, so we couldn’t write up this challenge.