Cyber SEA Game 2019 Write-up

Cyber SEA Game 2019 is a Jeopardy-style Capture the Flag (CTF) competition organized by the ASEAN-Japan Cybersecurity Capacity Building Centre (AJCCBC) and Thailand's Electronic Transactions Development Agency (ETDA). Competitors were selected to represent the 10 ASEAN member states: Brunei Darussalam, Cambodia, Indonesia, Lao PDR, Malaysia, Myanmar, Philippines, Singapore, Thailand and Vietnam. Each country fields at most 4 players, who answer questions in categories such as Binary, Reverse Engineering, Forensics, Web and Misc.

Below are some of the challenges that we managed to solve during the event.

Binary Ultra Introduction

We were provided with the challenge description and the file below.

Binary_Ultra-Introduction_bdb5baaf4b4f961738e1d1528f2efd35.zip

The extension says zip, but we confirmed the type with the file command rather than trusting the name.

It is a zip file. Let's unzip it.

Inside the zip is an MS Windows executable. We ran strings on it to see whether the flag is stored as a plain string.

As expected, the flag sits in the executable as a plain string, so the flag for this challenge is flag{Introduction to Binary}

dotNet Branch

We were provided with the challenge description and the file below.

dotnet_branch_fee.exe

The extension says .exe, but we confirmed the type with the file command.

It is an MS Windows executable built on .NET. .NET assemblies decompile back to readable C# with little effort, so we loaded it into dotPeek.

We found the IV, the key K, two encrypted strings and the algorithm, AES-128 in CBC mode; the code shows that the flag is in text1. We decrypted text1 with those parameters using an online AES tool. Note the lesson for developers: a key and IV embedded in a shipped assembly are not secrets, and anyone holding the binary can decrypt whatever they protect.

Decrypting text1 gave a Base64-encoded string:
text1: ZmxhZ3tkb3ROM1RfcHIwZ3I0bV9kZTZ1Z2cxbmdfMXNfZTRzeX0=
Decoding the Base64 gives the flag.

Based on the output above, the flag for this challenge is flag{dotN3T_pr0gr4m_de6ugg1ng_1s_e4sy}

Unlock

We were provided with the challenge description and the file below.

64ef3b043d56cbbb8f873cfa96cd3e4e.zip

The extension says zip, but we confirmed the type with the file command.

It is a zip file. Let's unzip it.

The zip holds Apache configuration files and a pcapng capture. We looked at the Apache configuration first.

ssl.conf sets SSLCertificateKeyFile to the private key at /etc/pki/tls/certs/server.key, and that key was among the extracted files.

We then opened the pcapng file in Wireshark.

The traffic is TLS, so the application data is unreadable as captured. We imported the server's private key into Wireshark (Edit > Preferences > Protocols > TLS > RSA keys list) to see whether it could decrypt the sessions. This only works when the session used an RSA key exchange: with (EC)DHE cipher suites, and always with TLS 1.3, the server's private key cannot recover the session keys and you need the pre-master secrets (an SSLKEYLOGFILE) instead.

Some of the TLSv1.2 records now decode as HTTP. Frame 24 carries GET /flag.txt, so we followed that HTTP stream.

Based on the output above, the flag for this challenge is flag{cf8236571e9dd3bcaf44b188bba4f15d}

Fraud(1) Whistleblowing

We were provided with the challenge description and the file below.

Fraud

The text we were given looked like hex, so we decoded it with an online tool.

The result looked like Base64, but the decoded bytes were in "unicode format" (a NUL byte after every character, as UTF-16 text looks when viewed as ASCII), so pasting them straight into a Base64 decoder failed. Stripping the NUL bytes, or simply retyping the visible characters, gives a clean Base64 string that decodes to the flag.

Based on the output above, the flag for this challenge is flag{Th3_Emb3zzl3r_15_Fumie}

The Sword

We were provided with the challenge description and the file below.

sword

The text looked like Base64, so we decoded it with an online tool.

We got a very long string of digits, which we pasted into a text editor.

In the middle of it we could just make out the word PLUCK. We submitted it and it was accepted, so the flag for this challenge is flag{PLUCK}

Shell Script

We were provided with the challenge description and the file below.

ShellScript_37a38110964818117708524363836b73

The file has no extension, so we used the file command to identify it.

It turned out to be a text file. Let's see what is inside.

It looked like Base64, so we decoded it with an online tool.

We got a shell script. The long runs of numbers in it looked like decimal character codes, so we converted them to characters with an online tool.

Based on the output above, the flag for this challenge is flag{Fileless_Malware_Often_Uses_ShellScript}
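The two decoding chains above, Fraud (hex, then UTF-16 text that is really Base64) and Shell Script (Base64, then decimal character codes), are the same job: peel one encoding layer at a time until a flag appears. The following is an added example, not code from the original write-up; it generalizes the manual steps into a small peeler that recognises each layer by shape, and it includes the UTF-16 case that tripped the online decoder. The two sample inputs are constructed here with placeholder flags and are not the real challenge data.

```python
import base64
import re


def _peel_once(data: bytes):
    """Remove one encoding layer if one is recognised; return (layer_name, decoded) or None."""
    compact = re.sub(rb"\s+", b"", data)
    # 1. hex text (even length, hex digits only)
    if len(compact) >= 8 and len(compact) % 2 == 0 and re.fullmatch(rb"[0-9a-fA-F]+", compact):
        return "hex", bytes.fromhex(compact.decode("ascii"))
    # 2. UTF-16LE text: a NUL after every ASCII byte (the 'unicode format' that broke the online decoder)
    if len(data) >= 4 and len(data) % 2 == 0 and all(b == 0 for b in data[1::2]) and all(data[0::2]):
        return "utf-16le", data.decode("utf-16-le").encode("utf-8")
    # 3. whitespace-separated decimal character codes (at least four, all printable ASCII)
    run = re.search(rb"(?<!\w)\d{2,3}(?:\s+\d{2,3}){3,}(?!\w)", data)
    if run:
        codes = [int(n) for n in run.group().split()]
        if all(32 <= c <= 126 for c in codes):
            return "decimal", bytes(codes)
    # 4. standard base64 (checked last: it is the most permissive alphabet)
    if len(compact) >= 8 and len(compact) % 4 == 0 and re.fullmatch(rb"[A-Za-z0-9+/]+={0,2}", compact):
        try:
            return "base64", base64.b64decode(compact, validate=True)
        except ValueError:
            return None
    return None


def peel_encodings(blob: bytes, max_layers: int = 6):
    """Peel layers until a flag{...} appears. Returns (flag or None, list of layers removed)."""
    trail, data = [], blob
    for _ in range(max_layers):
        hit = re.search(rb"flag\{[^}]*\}", data)
        if hit:
            return hit.group().decode("ascii"), trail
        step = _peel_once(data)
        if step is None:
            break
        name, data = step
        trail.append(name)
    return None, trail


# --- constructed inputs shaped like the two challenges (not the real challenge data) -------
FRAUD_FLAG = "flag{Th3_constructed_3mb3zzl3r}"
SCRIPT_FLAG = "flag{Fileless_constructed}"


def make_fraud_sample() -> bytes:
    """hex( UTF-16LE( base64(flag) ) ): the shape of the Fraud blob."""
    inner = base64.b64encode(FRAUD_FLAG.encode("ascii")).decode("ascii")
    return inner.encode("utf-16-le").hex().encode("ascii")


def make_script_sample() -> bytes:
    """base64 of a small shell script whose payload is a list of decimal character codes."""
    codes = " ".join(str(ord(c)) for c in SCRIPT_FLAG)
    script = f'#!/bin/sh\ncodes="{codes}"\nfor n in $codes; do printf "\\\\$(printf %o $n)"; done\n'
    return base64.b64encode(script.encode("ascii"))


if __name__ == "__main__":
    print(peel_encodings(make_fraud_sample()))
    print(peel_encodings(make_script_sample()))
```

The order of the checks matters: hex and UTF-16 are tested before Base64 because a hex string is also a valid Base64 alphabet, and the decimal check insists on whitespace-separated numbers so that digit runs inside Base64 text are never mistaken for character codes.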

Fuzzy

We were provided with the challenge description and the files below.

Fuzzy_b8631db482634410c2d75d03389793740270a4fe20a5482c70db4edc90d92f19.zip

Fuzzy_8648443b14887c07b7b458af70a59c5cb84cf1be123c9f88272e4034274bdc12.exe

Based on the extensions there should be a zip and an executable, but we checked both with the file command.

The "executable" is reported as plain data. Let's unzip the archive.

It contains 100 files with an .exe extension, and the task was to find the one similar to the sample. Comparing MD5 hashes found no exact match, which is expected: a similar file is not an identical file, and a hash only tells you about identical ones.

We then ran strings on the sample file.

We searched the provided files for the first string from that output, YA_Y[u.

fuzzy034.exe contained the same string, and the full strings output of the two files matched. As a result, the flag for this challenge is flag{fuzzy034.exe}
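Both the strings shortcut from Binary Ultra Introduction and the "which candidate shares the sample's strings" comparison from Fuzzy are easy to reproduce without a shell. The following is an added example, not code from the original write-up: a minimal strings implementation, a flag search over it, and a ranking of candidate files by Jaccard similarity of their string sets. The PE-shaped sample binaries and candidate names are constructed here and are not the challenge files. For the real task, fuzzy hashing (ssdeep) is the purpose-built tool; string-set similarity is what the write-up actually did.

```python
import re


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Equivalent of the `strings` command: runs of printable ASCII of at least min_len bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def find_flags(data: bytes) -> list[str]:
    """The 'Binary Ultra Introduction' shortcut: look for flag{...} among the printable strings."""
    return [s for s in extract_strings(data) if re.search(r"flag\{[^}]*\}", s)]


def jaccard(a: set, b: set) -> float:
    return len(a & b) / len(a | b) if (a | b) else 0.0


def rank_by_shared_strings(sample: bytes, candidates: dict[str, bytes]) -> list[tuple[float, str]]:
    """Rank candidate files by how much of their string set they share with the sample (1.0 = identical)."""
    sample_set = set(extract_strings(sample))
    scored = [(jaccard(sample_set, set(extract_strings(blob))), name) for name, blob in candidates.items()]
    return sorted(scored, key=lambda t: (-t[0], t[1]))


# --- constructed test data (not the challenge files) ---------------------------------------
_FILLER = b"\x00\x01\x7f\x80\xff"  # no printable run of 4+ bytes, so it never shows up in strings
_COMMON = [b"This program cannot be run in DOS mode.", b"KERNEL32.dll", b"GetProcAddress", b"CreateFileA"]


def fake_pe(unique: list[bytes], filler: bytes = _FILLER) -> bytes:
    """Build a PE-looking blob: MZ header, shared import strings, then file-specific strings."""
    body = b"MZ\x90\x00" + filler
    for s in _COMMON + unique:
        body += s + b"\x00" + filler
    return body


INTRO_BINARY = fake_pe([b"flag{constructed_intro_flag}"])
SAMPLE = fake_pe([b"C:\\work\\dropper\\Release\\dropper.pdb", b"http://10.0.0.5/stage2"])
CANDIDATES = {
    "fuzzy001.exe": fake_pe([b"Notepad clone v1", b"C:\\src\\np\\np.pdb"]),
    "fuzzy034.exe": fake_pe([b"C:\\work\\dropper\\Release\\dropper.pdb", b"http://10.0.0.5/stage2"],
                            filler=b"\x00\xff" * 7),   # same strings, different padding bytes
    "fuzzy077.exe": fake_pe([b"http://10.0.0.5/stage2", b"C:\\other\\build\\x.pdb"]),
}

if __name__ == "__main__":
    print(find_flags(INTRO_BINARY))
    for score, name in rank_by_shared_strings(SAMPLE, CANDIDATES):
        print(f"{score:.2f} {name}")
```

fuzzy034.exe scores 1.0 because its printable strings are identical to the sample's even though its raw bytes differ, which is exactly the situation where an MD5 comparison finds nothing.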

Starting

We were provided with the challenge description and the file below.

0c5aa56dfc17073fe503538974a17d23.zip

The extension says zip, but we confirmed the type with the file command.

It is a zip file. Let's unzip it.

It contained a Windows event log (.evtx). The task was to find the start date/time of the attack and the attacker's source IP address. We opened the log in Windows Event Viewer and saw a large number of records.

The description said it was a dictionary attack, so the attack should show up as logon attempts. We looked up the Windows logon event IDs:

Event ID 4624 (viewed in Windows Event Viewer) documents every successful attempt at logging on to a local computer.
Event ID 4625 (viewed in Windows Event Viewer) documents every failed attempt at logging on to a local computer.

A dictionary attack produces many failed logons, so we filtered on event ID 4625 and sorted by date and time.

There were many failed logons from 192.168.1.33 with different usernames and workstation names. The first of those attempts gives the start time, so the flag for this challenge is flag{2017/02/15 08:59:53 192.168.1.33}. Note that Event Viewer displays timestamps in the viewing machine's local time zone while the record itself stores UTC, so check which one the challenge expects.
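The filter-and-sort done by hand in Event Viewer is a few lines of code over an XML export of the log (wevtutil qe Security /f:xml, or an .evtx parsed with python-evtx). The following is an added example, not part of the original write-up: it groups 4625 failures by source IP, reports the first failure time, attempt count, and the usernames and workstation names tried, and also looks for the first 4624 success from the same address after the burst, which is the detail an incident responder wants next. The event records are constructed here in the shape Windows exports and are not the challenge log.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def _event(event_id, when, user, workstation, ip):
    """Constructed Security-log record in the XML shape Event Viewer / wevtutil export (not challenge data)."""
    return f"""<Event xmlns="{NS['e']}">
  <System><EventID>{event_id}</EventID><TimeCreated SystemTime="{when}.0000000Z"/></System>
  <EventData>
    <Data Name="TargetUserName">{user}</Data>
    <Data Name="WorkstationName">{workstation}</Data>
    <Data Name="IpAddress">{ip}</Data>
    <Data Name="LogonType">3</Data>
  </EventData>
</Event>"""


SAMPLE_LOG = [
    _event(4625, "2019-11-01T02:14:07", "bob", "BOB-PC", "10.0.0.20"),         # a user mistyping a password
    _event(4625, "2019-11-01T02:15:01", "administrator", "KALI", "10.0.0.5"),
    _event(4625, "2019-11-01T02:15:02", "admin", "KALI", "10.0.0.5"),
    _event(4625, "2019-11-01T02:15:03", "root", "WIN7-PC", "10.0.0.5"),
    _event(4625, "2019-11-01T02:15:04", "guest", "WIN7-PC", "10.0.0.5"),
    _event(4624, "2019-11-01T02:15:09", "administrator", "KALI", "10.0.0.5"),  # success right after the burst
    _event(4624, "2019-11-01T02:20:00", "bob", "BOB-PC", "10.0.0.20"),
]


def parse_event(xml_text: str) -> dict:
    """Flatten one <Event> into a dict of EventData fields plus EventID and Time (UTC)."""
    root = ET.fromstring(xml_text)
    fields = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    stamp = root.find("e:System/e:TimeCreated", NS).get("SystemTime")
    fields["EventID"] = int(root.find("e:System/e:EventID", NS).text)
    fields["Time"] = datetime.strptime(stamp[:19], "%Y-%m-%dT%H:%M:%S")
    return fields


def find_dictionary_attacks(records, min_failures: int = 3) -> list[dict]:
    """Group 4625 (failed logon) events by source IP and report bursts, plus the first 4624 success that follows."""
    events = sorted((parse_event(r) for r in records), key=lambda e: e["Time"])
    failures = defaultdict(list)
    for e in events:
        if e["EventID"] == 4625:
            failures[e["IpAddress"]].append(e)
    report = []
    for ip, fails in failures.items():
        if len(fails) < min_failures:
            continue
        first = fails[0]["Time"]
        success = next((e["Time"] for e in events
                        if e["EventID"] == 4624 and e["IpAddress"] == ip and e["Time"] > first), None)
        report.append({
            "ip": ip,
            "first_failure": first.strftime("%Y/%m/%d %H:%M:%S"),
            "attempts": len(fails),
            "usernames": sorted({e["TargetUserName"] for e in fails}),
            "workstations": sorted({e["WorkstationName"] for e in fails}),
            "first_success_after": success.strftime("%Y/%m/%d %H:%M:%S") if success else None,
        })
    return sorted(report, key=lambda r: -r["attempts"])


if __name__ == "__main__":
    for row in find_dictionary_attacks(SAMPLE_LOG):
        print(row)
```

The threshold keeps a single mistyped password out of the report; in a real log you would also want to split on LogonType, since a network (type 3) burst and a console (type 2) burst mean different things.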

PDF-JPGS

We were provided with the challenge description and the file below.

PDF-JPGS_d1633b9cc9fac22736e29a63eec14771.zip

The extension says zip, but we confirmed the type with the file command.

It is a zip file. Let's extract it.

There is a PDF in the zip. Let's open it.

Nothing looks abnormal. Let's check for text with pdftotext.

No text at all. We then checked the metadata with pdfinfo.

Still nothing, so we extracted the images with pdfimages.

We got one image, the one shown in the PDF. Let's see whether its metadata holds anything, using exiftool.

The Comment field held a long, unreadable blob, so we ran binwalk on the image.

binwalk reports two JPEG images inside the file. foremost could not carve the hidden one out cleanly, so we turned to a hex editor.

We copied the data that follows the comment text "Here is the comment part. This part is very important for this challenge" into a new file and checked its type.

It was not recognised as an image. A JFIF file should start with FF D8 FF E0, but ours started with 2E 00 FF E0: the SOI marker had been overwritten. We fixed the first two bytes.

After that change we had a valid image. Let's open it.

It is the same picture, but with the flag on it: flag{Two_Image_Files_In_This_PDF}
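The hex-editor work above, locating the hidden image by its JFIF header and restoring the two overwritten SOI bytes, is worth automating, and doing it properly also explains why foremost stumbled. The following is an added example, not code from the original write-up: it finds every JFIF image by its APP0 signature, delimits each one by walking the marker segments (so a nested image inside a COM segment does not fool it into ending the outer image at the wrong FF D9), and patches a damaged SOI. The container it is tested on is constructed here, an outer JPEG whose comment segment hides a second JPEG with its SOI replaced by 2E 00 as in the challenge; it is not the challenge file.

```python
SOI, EOI = b"\xff\xd8", b"\xff\xd9"
APP0_JFIF = b"\xff\xe0\x00\x10JFIF\x00"   # the APP0 segment every JFIF file carries right after SOI


def jpeg_end(data: bytes, start: int):
    """Walk marker segments from `start` (SOI position) and return the offset just past EOI, or None."""
    pos = start + 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xD9:                      # EOI reached without a scan (degenerate file)
            return pos + 2
        if marker == 0xDA:                      # SOS: entropy-coded data follows until EOI
            end = data.find(EOI, pos)
            return None if end < 0 else end + 2
        seg_len = int.from_bytes(data[pos + 2:pos + 4], "big")
        pos += 2 + seg_len
    return None


def carve_jpegs(data: bytes):
    """Find every JFIF image by its APP0 signature (a damaged SOI is then irrelevant),
    delimit it by walking its segments, and patch the two SOI bytes if they are wrong.
    Returns a list of (offset, jpeg_bytes, was_repaired)."""
    found, pos = [], 0
    while (i := data.find(APP0_JFIF, pos)) >= 0:
        start = i - 2
        end = jpeg_end(data, start) if start >= 0 else None
        if end is None:
            pos = i + 1
            continue
        blob = bytearray(data[start:end])
        repaired = bytes(blob[:2]) != SOI
        blob[:2] = SOI
        found.append((start, bytes(blob), repaired))
        pos = i + 1                              # keep scanning inside this image for nested ones
    return found


# --- constructed sample (not the challenge file) ---------------------------------------------
def _segment(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + (len(payload) + 2).to_bytes(2, "big") + payload


def build_sample():
    """An outer JFIF whose COM (comment) segment hides a second JFIF whose SOI was overwritten
    with 2E 00, as in the challenge. Returns (container, intact inner image)."""
    app0 = _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    sos = _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00")
    inner = SOI + app0 + sos + b"\x11\x22\x33\x44\x55" + EOI
    damaged = b"\x2e\x00" + inner[2:]
    comment = _segment(0xFE, b"constructed comment: " + damaged)
    container = SOI + app0 + comment + sos + b"\x66\x77\x88\x99" + EOI
    return container, inner


if __name__ == "__main__":
    container, _ = build_sample()
    for offset, blob, repaired in carve_jpegs(container):
        print(f"JPEG at {offset:#x}, {len(blob)} bytes, SOI repaired: {repaired}")
```

A carver that simply searches for the next FF D9 after a header would cut the outer image short at the inner image's EOI; walking the segment lengths skips over the whole comment, which is why the outer file comes back intact here.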

RLO

We were provided with the challenge description and the file below.

RLO_7904ba4cdb3b1cb4c6a9f767c9ef065c.exe

The extension says .exe, but we confirmed the type with the file command.

It is an MS Windows executable. strings showed nothing useful, so we uploaded it to VirusTotal, which reported the following.

VirusTotal showed that it contains a 7-Zip archive, so we extracted it.

All the files are 0 bytes but have different timestamps. Sorting by date did not reveal anything, so we ran the executable in a sandbox.

Running it on Windows and listing the extracted files sorted by date/time showed a difference from the Linux listing: one file name now contained a "?", which cmd.exe prints for characters it cannot display, and which did not appear in our Linux extraction.

The file names run like letters from A to Z, so we guessed the character missing at the "?" position and came up with the flag flag{RLO_Disrupt_U}

The Public Document F

We were provided with the challenge description and the file below.

The_Public_Document_F_62801d2cd7c8b45cadc1834af13baf21cfe614ec.zip

The extension says zip, but we confirmed the type with the file command.

It is a zip file. Let's unzip it.

There is a PDF inside. Opening it showed this.

We ran pdftotext and viewed the resulting text file.

That gave the first third of the flag. Next we checked for images in the PDF with pdfimages.

That gave the second third. Then we checked the PDF metadata with pdfinfo.

That gave the final third, so the flag for this challenge is flag{dog_monkey_grandpa}

Friend

We were provided with the challenge description and the file below.

Friend_0ad3d2abf5ededb11275ce89417f314e.zip

The extension says zip, but we confirmed the type with the file command.

It is a zip file. Let's unzip it.

We got a sample file named File, a memo.txt listing the SHA-256 hashes of all the files, and 1000 files; the task was to find the one that matches the sample.

Rather than trust memo.txt, we computed the SHA-256 of the sample ourselves and compared it against the 1000 files.

Nothing identical, which is no surprise: no SHA-256 collision is publicly known, so two different files will not share a SHA-256 hash. MD5, however, is broken in practice: tools such as fastcoll produce two distinct files with the same MD5 in seconds, so a challenge author can easily plant an MD5 twin. We compared MD5 hashes next.

That was it: one file has the same MD5 as the sample even though its SHA-256 differs.

Based on the output above, the flag for this challenge is flag{File0623_79054025255fb1a26e4bc422aef54eb4}

Hidden Message

We were provided with the challenge description and the files below.

car.png

key.ico

Based on the extensions these should be a PNG and an icon file; we confirmed with the file command.

Both are images. exiftool and strings gave nothing, so we ran binwalk on both.

A zlib stream inside a PNG is normal (that is how PNG stores its pixel data), but binwalk found a zip archive inside the icon file. We carved it out with foremost.

The zip inside key.ico contained an RSA private key. We did not yet know what to decrypt with it, so we turned to car.png. Several steganography tools found nothing, but stegosuite did.

It extracted a file named fl46.encrypted. Let's see what it is.

It is ciphertext. We decrypted it with the private key we had recovered (for a file encrypted directly with the RSA public key, openssl pkeyutl -decrypt -inkey <key> -in fl46.encrypted does this).

We finally got the flag, and it is flag{nyan_stegano_image}

Intact

We were provided with the challenge description and the file below.

Intact_8688e1a1263c414450b12985e0d5620b.pcapng

The extension says it is a network capture, but we confirmed with the file command.

file reports PCAP-NG, which confirms it. Let's open it in Wireshark.

There were many FTP packets, so we opened the capture in NetworkMiner, which reassembles transferred files.

NetworkMiner showed two files transferred over FTP, and we extracted both from the capture.

The text file contained a password, which unlocked the zip; inside the zip was a GIF image.

The GIF shows the flag for this challenge, flag{It's_dangerous_to_use_FTP}. FTP sends credentials and file contents in cleartext, which is exactly why both files and the password could be pulled straight out of the capture.

WLAN

We were provided with the challenge description and the file below.

WLANcapture_2c222708abc1c8406992bbb1e6004615.zip

The extension says zip, but we confirmed the type with the file command.

It is a zip file. Let's unzip it.

There is a PCAP-NG file in the zip. Let's open it in Wireshark.

We saw 802.11 and EAPOL traffic. The 802.11 data frames are encrypted, so we cannot read them yet; EAPOL carries the 4-way handshake in which the station and access point exchange the keying material. Let's see which security protocol the network uses.

It uses WPA with a pre-shared key. With WPA/WPA2-PSK, a captured 4-way handshake contains everything needed to test candidate passphrases offline (the two MAC addresses, the two nonces and the MIC over the second message), so the network is only as strong as the passphrase's resistance to a dictionary. We ran aircrack-ng with a wordlist against the capture.

We recovered the Wi-Fi passphrase. To decrypt the traffic we add it to Wireshark under Edit > Preferences > Protocols > IEEE 802.11 > Decryption keys as wpa-pwd:<passphrase>:<SSID>; Wireshark derives the session keys from the handshake, so the EAPOL frames must be in the capture.
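What aircrack-ng does per candidate passphrase is short enough to write out, and seeing it makes clear why a dictionary attack works offline and why the SSID matters. The following is an added example, not code from the original write-up or from aircrack-ng: PMK derivation (PBKDF2-HMAC-SHA1 with the SSID as salt), the 802.11 PRF that expands it into the PTK, and the HMAC-SHA1-128 MIC check over message 2 of the handshake that WPA2 uses. The handshake it cracks is constructed here from fixed dummy MACs, nonces and an EAPOL frame, with the MIC computed by the same functions; it is not the challenge capture. The PMK test vector (passphrase "password", SSID "IEEE") is the published IEEE 802.11i example.

```python
import hashlib
import hmac


def pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK pairwise master key: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11 PRF-512: concatenated HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out = b"".join(hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest() for i in range(4))
    return out[:64]


def ptk(pmk_: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Pairwise transient key; its first 16 bytes (the KCK) authenticate the handshake messages."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk_, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, eapol_mic_zeroed: bytes) -> bytes:
    """WPA2 (key descriptor version 2): MIC = first 16 bytes of HMAC-SHA1 over the EAPOL frame
    with its MIC field zeroed. WPA/TKIP (version 1) uses HMAC-MD5 instead."""
    return hmac.new(kck, eapol_mic_zeroed, hashlib.sha1).digest()[:16]


def crack_psk(handshake: dict, ssid: str, wordlist):
    """Offline dictionary attack: derive the KCK for each candidate and compare the message-2 MIC."""
    for word in wordlist:
        kck = ptk(pmk(word, ssid), handshake["ap_mac"], handshake["sta_mac"],
                  handshake["anonce"], handshake["snonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, handshake["eapol_m2"]), handshake["mic"]):
            return word
    return None


def make_handshake(passphrase: str, ssid: str) -> dict:
    """Constructed stand-in for what a capture gives you (addresses, nonces, EAPOL message 2, its MIC).
    All values are fixed dummies except the MIC, which is computed with the functions above."""
    hs = {
        "ap_mac": bytes.fromhex("001122334455"),
        "sta_mac": bytes.fromhex("66778899aabb"),
        "anonce": bytes(range(32)),
        "snonce": bytes(range(32, 64)),
        # 802.1X header + EAPOL-Key descriptor with the MIC bytes zeroed (dummy contents)
        "eapol_m2": bytes.fromhex("0103005f02010a00000000000000000001") + bytes(range(32, 64)) + bytes(48),
    }
    kck = ptk(pmk(passphrase, ssid), hs["ap_mac"], hs["sta_mac"], hs["anonce"], hs["snonce"])[:16]
    hs["mic"] = eapol_mic(kck, hs["eapol_m2"])
    return hs


if __name__ == "__main__":
    hs = make_handshake("correct horse", "CTF-AP")
    print(crack_psk(hs, "CTF-AP", ["letmein", "password", "correct horse", "hunter2"]))
```

The 4096-round PBKDF2 is the only expensive step, and it depends on the SSID, so rainbow tables only help for common network names; a long random passphrase or WPA3's SAE, which does not expose an offline-checkable MIC, is the real fix.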

Let's see whether the 802.11 frames now decrypt.

Most of the traffic decrypted, and we followed the HTTP stream of the connection.

In the decrypted stream the client is 192.168.11.202, so the other endpoint, 192.168.11.102, is the server. As a result, the flag for this challenge is flag{192.168.11.102}

Record

We were provided with the challenge description and the file below.

Record_0e21bfa6c6363fc984e796c39a2fec0f.zip

The extension says zip, but we confirmed the type with the file command.

It is a zip file. Let's extract it.

It is a file system image, so we mounted it.

It looks like a user's home partition. Let's try to unzip the file found there.

The zip is password protected. Bash appends every interactive command, arguments included, to ~/.bash_history, so that is the first place to look.

The history contains the zip command that created flag.zip, with the password on the command line. We extracted flag.zip with it.

Based on the output above, the flag for this challenge is flag{Command_is_recorded_in_.bash_history}

Melancholy Holiday(1) Broken Head

We were provided with the challenge description and the file below.

Broken_Head_365a1c80b6ac1c5b908a3fa2526a3535320684e1.zip

The extension says zip, but we confirmed the type with the file command.

It is a zip file. Let's try to extract it.

Extraction failed with a file-signature error, so we opened the file in a hex editor.

The file starts with DE AD BE EF, which is not a known signature. With the start unrecognisable, we looked at the end of the file instead.

The end-of-central-directory record showed this is a PKZIP file, whose first local file header should start with 50 4B 03 04. We changed the first four bytes and saved.

We tried to extract the zip again.

It still failed, but with a different error, and the file name looked wrong. Let's look at the zip structure in detail.

The local header's file-name length field read 55 1F (little-endian 0x1F55 = 8021 bytes), but the name is only 13 bytes, so the field should be 0D 00 (0x000D). We fixed it in the hex editor.

We changed 55 1F to 0D 00, saved, and tried to extract again.

Next we noticed that the two headers disagreed: the local file header said "stored" (method 0) while the central directory entry said "deflate" (method 8). The central directory is the authoritative copy of the metadata, so we set the local header to deflate as well.

We then tried to unzip again.

It did extract the image. Let’s view the image.

Finally, we got the flag for this challenge which is flag{konya_ha_onabe_yo}
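Every one of the three repairs above (signature, file-name length, compression method) took the correct value from the central directory, which is the general recipe for a zip whose local headers have been tampered with. The following is an added example, not code from the original write-up: it parses the end-of-central-directory record and the central directory entries, then rewrites each local file header from them. The damaged archive it repairs is constructed here from a valid one-file zip by applying the same three corruptions the challenge file had; it is not the challenge file.

```python
import io
import struct
import zipfile

LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"


def central_directory(data: bytes):
    """Yield (name, method, crc, comp_size, uncomp_size, local_offset) for every central directory entry."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    count, cd_size, cd_offset = struct.unpack_from("<HII", data, eocd + 10)
    pos = cd_offset
    for _ in range(count):
        if data[pos:pos + 4] != CENTRAL_SIG:
            raise ValueError(f"bad central header at {pos:#x}")
        # central header after the signature: version made by(2) version needed(2) flags(2), then:
        (method, _time, _date, crc, csize, usize, name_len, extra_len, comment_len,
         _disk, _int_attr, _ext_attr, local_off) = struct.unpack_from("<HHHIIIHHHHHII", data, pos + 10)
        name = data[pos + 46:pos + 46 + name_len]
        yield name, method, crc, csize, usize, local_off
        pos += 46 + name_len + extra_len + comment_len


def repair_local_headers(data: bytes) -> bytes:
    """Rewrite each local file header from the central directory: signature, method, CRC, sizes, name."""
    out = bytearray(data)
    for name, method, crc, csize, usize, off in central_directory(data):
        # local header: sig(4) version(2) flags(2) method(2) time(2) date(2) crc(4) csize(4) usize(4)
        #               name_len(2) extra_len(2) name extra
        out[off:off + 4] = LOCAL_SIG
        struct.pack_into("<H", out, off + 8, method)
        struct.pack_into("<III", out, off + 14, crc, csize, usize)
        struct.pack_into("<H", out, off + 26, len(name))
        out[off + 30:off + 30 + len(name)] = name
    return bytes(out)


def read_member(data: bytes, name: str):
    """Return the member's bytes, or the zipfile error message if the archive cannot be read."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.read(name)
    except zipfile.BadZipFile as exc:
        return f"BadZipFile: {exc}"


def build_broken_archive(name: str = "flag.txt", payload: bytes = b"flag{constructed_zip_payload}") -> bytes:
    """Constructed sample: a valid one-file archive damaged the same three ways as the challenge file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    broken = bytearray(buf.getvalue())          # the only local header sits at offset 0
    broken[0:4] = b"\xde\xad\xbe\xef"           # bogus signature instead of PK\x03\x04
    struct.pack_into("<H", broken, 8, 0)        # local header claims 'stored', central says 'deflate'
    struct.pack_into("<H", broken, 26, 0x1F55)  # absurd file-name length
    return bytes(broken)


if __name__ == "__main__":
    broken = build_broken_archive()
    print(read_member(broken, "flag.txt"))
    print(read_member(repair_local_headers(broken), "flag.txt"))
```

The central directory can lie too, of course, but it is written last and is what every unzip tool trusts first, so when the two disagree it is the local header that gets fixed.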

Which

We were provided with the challenge description and the file below.

afceb650873868ddce494d292050d46f.zip

The extension says zip, but we confirmed the type with the file command.

It is a zip file. Let's extract it.

It contained a disk image. We opened the image in FTK Imager and exported the Windows\System32\config folder, which holds the registry hives.

We then loaded the SYSTEM hive into NirSoft's OfflineRegistryView and read HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ComputerName (on an offline hive, check HKLM\SYSTEM\Select\Current to confirm which ControlSet was the active one).

Based on the output above the flag for this challenge is flag{WIN-8J3FQE2BKHF}

Calc

We were provided with the challenge description and the file below.

bc9710be573f764afca1f40b450534ba.zip

The extension says zip, but we confirmed the type with the file command.

It is a zip file. Let's unzip it.

We found a file named RAM_SOME-PC.aff4. The file command reports it as a zip, which is expected: AFF4 containers are zip-based. It is a memory dump. Volatility could not open it directly, but rekall can read AFF4.

We used rekall to export the dump as a raw image and then worked on it with Volatility. The question was the last execution time of Calculator (calc.exe), so we used the userassist plugin, which reads the UserAssist registry keys that record the run count and last run time of programs launched through Explorer.

Based on the output above, we saw that the Calculator was opened 12 times and the last time it was opened was on 20-12-2017 at 06:07:07 UTC. As a result, the flag for this challenge is flag{2017-12-20}

Notepad?

We were provided with the challenge description and the file below.

notepad_2976ac4a36456915d06ad80bac402917.zip

The extension says zip, but we confirmed the type with the file command.

It is a zip file. Let's unzip it.

We got an MS Windows executable and ran it in a sandbox.

The description asked for the name of a famous cryptosystem, so we built a list of cryptosystem names and fed each one to the program as an argument. cmd.exe displays the file's name as ?txt.eton_c?.exe, with "?" standing in for characters it cannot print, so the loop was: for /f "tokens=*" %a in (cryptosystem_name.txt) do (?txt.eton_c?.exe %a)

Based on the output above, the flag for this challenge is flag{DoNotTrustTheApparentExtension}
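Both RLO and Notepad? turn on the same trick: a Unicode Right-to-Left Override (U+202E) inside a file name makes the displayed name differ from the stored one, so "report<U+202E>fdp.exe" shows up as reportexe.pdf in a bidi-aware listing while the OS still sees an .exe. cmd.exe showed those characters as "?", which is what gave the RLO challenge away. The following is an added example, not code from the original write-up: it finds bidi controls in names, escapes them for safe display, reports the real extension, and approximates what a naive renderer would show. The file names are constructed here and are not the challenge's.

```python
import unicodedata

# Unicode bidirectional formatting characters that can reorder how a file name is displayed
BIDI_CONTROLS = frozenset("\u200e\u200f\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")
RLO, PDF = "\u202e", "\u202c"


def find_bidi_controls(name: str):
    """List (index, code point, Unicode name) for every bidi control in the name."""
    return [(i, f"U+{ord(c):04X}", unicodedata.name(c)) for i, c in enumerate(name) if c in BIDI_CONTROLS]


def escape_controls(name: str) -> str:
    """Render the name with controls spelled out, the form you want in a log or a listing."""
    return "".join(f"<U+{ord(c):04X}>" if c in BIDI_CONTROLS else c for c in name)


def apparent_name(name: str) -> str:
    """Approximate what a bidi-aware GUI shows: text after an RLO appears reversed until a PDF or the end."""
    if RLO not in name:
        return name
    head, tail = name.split(RLO, 1)
    reversed_part, _, rest = tail.partition(PDF)
    return head + reversed_part[::-1] + apparent_name(rest)


def real_extension(name: str) -> str:
    """The extension the OS actually uses: after the last dot in the stored (logical) name."""
    clean = "".join(c for c in name if c not in BIDI_CONTROLS)
    return clean.rsplit(".", 1)[1].lower() if "." in clean else ""


def suspicious_names(names):
    """Names from a directory listing that contain any bidi control, escaped for display."""
    return [escape_controls(n) for n in names if find_bidi_controls(n)]


if __name__ == "__main__":
    n = "report\u202efdp.exe"
    print(escape_controls(n), "is shown as", apparent_name(n), "but runs as", real_extension(n))
```

Blocking or flagging names that contain any of these code points is a cheap mail-gateway and EDR rule; legitimate file names essentially never need a bidi override.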

Notes

We were provided with the challenge description and the file below.

ab84c90fc41c3da32ebcf55a0e8f3c02.zip

The extension says zip, but we confirmed the type with the file command.

It is a zip file. Let's unzip it.

The zip contained an MS Word document. We ran olevba (from oletools) on it.

There is a macro that drops a file into the user's profile directory, so we opened the document in a sandbox and picked up the dropped file for analysis. First we ran the file command on it.

Then we ran strings on it.

No flag yet, so we executed the dropped file in the sandbox.

Based on the output above, the flag for this challenge is flag{Jwj6TGtg3QDqd0NAnaXKxk7UHu}

For a different approach to this challenge, see the write-up from the Philippines team here.

Well-Known Vulnerability

The web server is Apache Tomcat 7.0.96, hosting an application vulnerable to CVE-2018-11776. That CVE is the Apache Struts 2 remote code execution bug (OGNL expression injection through the namespace part of an action URL), not a Tomcat bug, so the target is a Struts 2 application running on Tomcat. Exploit it and retrieve the flag at /flag.txt.

Well-Known Vulnerability 2

The server banner is SSH-2.0-libssh_0.8.1, which is vulnerable to CVE-2018-10993, the libssh server-side authentication bypass: a client that sends SSH2_MSG_USERAUTH_SUCCESS instead of an authentication request is treated as already authenticated. Exploit it and retrieve the flag at /flag.txt.

WAF

The application takes the file name Base64-encoded, and a filter blocks the Base64 of flag.txt (ZmxhZy50eHQ=). The filter compares the raw parameter against that one encoded value, so we bypassed it by double encoding: the Base64 of the Base64 (Wm14aFp5NTBlSFE9), which the filter does not recognise but the application still decodes down to flag.txt.
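The bypass works because the filter and the application disagree about how many layers of encoding to strip. The following is an added example, not code from the original write-up or from the challenge application: a model of the challenge-style filter, a constructed backend that keeps decoding Base64 until it gets a path, and a hardened filter that canonicalizes the parameter the same way the backend does before comparing. The backend's behaviour is an assumption made for the illustration.

```python
import base64
import binascii

FORBIDDEN_PATH = "flag.txt"


def encode_layers(value: str, layers: int) -> str:
    """Base64-encode a string the given number of times (layers=2 is the double encoding used above)."""
    for _ in range(layers):
        value = base64.b64encode(value.encode("ascii")).decode("ascii")
    return value


def strip_base64_layers(value: str, max_layers: int = 5) -> str:
    """Peel Base64 until the result is no longer valid, padded Base64 that decodes to ASCII."""
    for _ in range(max_layers):
        try:
            value = base64.b64decode(value, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            break
    return value


def naive_filter_allows(param: str) -> bool:
    """Challenge-style WAF: compare the raw parameter against a single pre-encoded blocklist entry."""
    return param != encode_layers(FORBIDDEN_PATH, 1)


def backend_resolves(param: str) -> str:
    """Constructed model of the application behind the filter: decodes until it has a file name."""
    return strip_base64_layers(param)


def hardened_filter_allows(param: str) -> bool:
    """Decide on the canonical value the backend will act on, not on its wire representation."""
    return backend_resolves(param) != FORBIDDEN_PATH


if __name__ == "__main__":
    for layers in (1, 2):
        p = encode_layers(FORBIDDEN_PATH, layers)
        print(f"{p:20} naive={naive_filter_allows(p)} hardened={hardened_filter_allows(p)} -> {backend_resolves(p)}")
```

Even the hardened version is still a blocklist; the durable fix is an allowlist of the file names the endpoint is meant to serve, checked after decoding, so that no encoding trick can name a file the application never intended to expose.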

Shared

We were provided with the challenge description and the file below.

Shared_04dca129c011213979aded2e7bef71d3.zip

We did not manage to solve this challenge. For the solution, see the write-up from the Thailand team here.

ccTLD

We were provided with the challenge description.

We did not manage to solve this challenge. For the solution, see the write-up from the Thailand team here.

Sleepy

We were provided with the challenge description and the file below.

sleep

We did not manage to solve this challenge. For the solution, see the write-up from the Thailand team here.

Present

We were provided with the challenge file below.

present.zip

We did not manage to solve this challenge. For the solution, see the write-up from the Thailand team here.

Trim Auth

We did not manage to solve this challenge. For the solution, see the write-up from the Philippines team here.

Broken Router

We did not manage to solve this challenge. For the solution, see the write-up from the Thailand team here.

Broken User Management

We did not manage to solve this challenge. For the solution, see the write-up from the Thailand team here.

CAPTCHA Challenge

We did not manage to solve this challenge. For the solution, see the write-up from the Thailand team here.

Operand Mistake

We did not manage to solve this challenge.
