Skip to content

Commit

Permalink
added short trendmicro decription and J1 writeup
Browse files Browse the repository at this point in the history
  • Loading branch information
@Pharisaeus
Pharisaeus committed Dec 12, 2016
1 parent 25e98d9 commit aef2b39
Show file tree
Hide file tree
Showing 2 changed files with 108 additions and 0 deletions.
10 changes: 10 additions & 0 deletions 2016-11-18-trendmicro-2016-finals/README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,16 @@

Team: msm, shalom, rev, c7f.m0d3

### Disclaimer

Since it is always hard to find info on on-site competitions, I will provide a short recap of the Trend Micro Finals 2016.

* The competition lasted 2 days, about 8h each day.
* There were two types of tasks available - king-of-the-hill attack defence and jeopardy.
* Jeopardy had diminishing returns - first team got 1000p, next one 900p and so on. Jeopardy tasks were available only for the day they were released, so no chance on working through the night on those.
* Attack-defense were king-of-the-hill style, so there was a single game server and everyone was pwning it, trying to get control and protect from the others. There were pwn and web servers to work with.


### Table of contents

* [J1 (forensics)](j1)
98 changes: 98 additions & 0 deletions 2016-11-18-trendmicro-2016-finals/j1/README.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,98 @@
# J1 (forensics)

###ENG
[PL](#pl-version)

This was a multilevel forensics task.

We were given a windows virtual machine to work with.
The machine had user "M" with unknown password.
Intially we reset the password, but this turned out to be a bad idea since the user had bitlocker encrypoted files and the password was necessary after all.
So we used Ophcrack to recover the password hash `f6939966b0ffbc61c2c520cea20c2db0` and some online breaker told us this is `qwerty1234`.

Now we could decrypt the files:

* A picture with some meaningless email
* Email hinting that admin likes to use the same password in many places
* html page with some javascript

The javascript has some placeholders for parameters we had to guess/bruteforce but after a while we got:

```javascript
for (var d = 11; d < 12; d++) {
var key = "";
var clear = "";
var encrypted = "96.28.95.118.9.2.58.29.56.52.44.25.58.51.83.8.108.20.53.37.88.2.71.80";
secret = navigator.platform + "en-UStrue2000" ;

for (i=0; i < secret.length; i++) { key+= String.fromCharCode(secret.charCodeAt(i) ^ d);}
encrypted = encrypted.split ("."); for (i=0; encrypted.length > key.length; i++) { key += key; }

for (i=0; i < encrypted.length; i++) { clear += String.fromCharCode(key.charCodeAt(i) ^ parseInt(encrypted[i]));}
document.write (clear + "<br>");
}
```

and were left with the only interesting result:

```
<~:N0l_;flS`D]j3W/iG=:~>
```

It took us a while to realise that this is ASCII85 encoding and it decodes to `OpenStego v0.6.1`.

We used this tool on the picture we recovered, using the same admin password (as hinted in the recovered email) and we got a doc file from this.

This doc file contained a macro with flag decryption.
Sadly none of us had MS Word to open this :( Luckily quick thinking of one of our players saved us.
He uploaded this Word file to Malwr, which then opened the file inside a sandbox and provided us with a useful memory dump.
Among other things there was a base64 string, which decoded finally gave us the flag.


###PL version

Zadanie było wielopoziomowym problemem z informatyki śledczej.

Dostaliśmy windowsową maszynę wirtualną do pracy.
Na maszynie był użytkownik "M" z nieznanym hasłem.
Początkowo zresetowaliśmy hasło, ale to okazało się złym pomysłem, bo na dysku były pliku szyfrowane bitlockerem i hasło było potrzebne żeby je odzyskać.
Użyliśmy Ophcracka żeby odzyskać hash hasła `f6939966b0ffbc61c2c520cea20c2db0` a jakiś onlinowy hash breaker powiedział że to `qwerty1234`.

Teraz mogliśmy odszyfrować pliki:

* Obrazek z nieistotnym mailem
* Mail wspominający że admin lubi używać tego samego hasła wielokrotnie
* Stronę html ze skryptem JS

Skrypt miał pewne placeholdery które trzeba było zgadnąć / brutować ale po pewnym czasie uzyskaliśmy:

```javascript
for (var d = 11; d < 12; d++) {
var key = "";
var clear = "";
var encrypted = "96.28.95.118.9.2.58.29.56.52.44.25.58.51.83.8.108.20.53.37.88.2.71.80";
secret = navigator.platform + "en-UStrue2000" ;

for (i=0; i < secret.length; i++) { key+= String.fromCharCode(secret.charCodeAt(i) ^ d);}
encrypted = encrypted.split ("."); for (i=0; encrypted.length > key.length; i++) { key += key; }

for (i=0; i < encrypted.length; i++) { clear += String.fromCharCode(key.charCodeAt(i) ^ parseInt(encrypted[i]));}
document.write (clear + "<br>");
}
```

i otrzymaliśmy jedyny sensowny wynik:

```
<~:N0l_;flS`D]j3W/iG=:~>
```

Chwile zajęło nam odkrycie że to string kodowany jako ASCII85 i dekoduje się do `OpenStego v0.6.1`.

Użyliśmy tego narzędzia na odzyskanym obrazku, używając tego samego hasła admina (jak zasugerowano w mailu który odzyskaliśmy) i dostaliśmy z tego plik doc.

Ten plik worda zawierał makro które dekodowało flagę.
Niestety nikt z nas nie miał pod ręką MS Worda i nie mogliśmy tego otworzyć.
Szczęśliwie uratował nas świetny pomysł jednego z graczy.
Wrzucił on rzeczony plik na Malwr, gdzie plik został otwarty w sandboxie, z którego dostaliśmy użyteczny memdump.
Pośród różnych rzeczy był tam string base64, który po zdekodowaniu dał nam flagę.

0 comments on commit aef2b39

Please sign in to comment.