<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>Forem: Muhammad Fathy Rashad</title>
    <description>The latest articles on Forem by Muhammad Fathy Rashad (@mfrashad).</description>
    <link>https://forem.com/mfrashad</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F251511%2F36c96c43-5abd-478f-8508-8edb7b81466e.jpeg</url>
      <title>Forem: Muhammad Fathy Rashad</title>
      <link>https://forem.com/mfrashad</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://forem.com/feed/mfrashad"/>
    <language>en</language>
    <item>
      <title>APU Battle of Hackers Final 2019 Write Ups</title>
      <dc:creator>Muhammad Fathy Rashad</dc:creator>
      <pubDate>Sun, 24 Nov 2019 18:55:48 +0000</pubDate>
      <link>https://forem.com/mfrashad/apu-battle-of-hackers-final-2019-write-ups-19ad</link>
      <guid>https://forem.com/mfrashad/apu-battle-of-hackers-final-2019-write-ups-19ad</guid>
      <description>&lt;p&gt;This is a write-up on how my team solved the challenges in the final round of the APU Battle of Hackers 2019 (APUBoH) capture the flag. We were ranked 9th at the end of the CTF and managed to solve 3 questions: 2 forensics questions and 1 steganography question.&lt;/p&gt;

&lt;p&gt;The challenges can be downloaded from GitHub:&lt;br&gt;
&lt;a href="https://github.com/mfrashad/apuboh19" rel="noopener noreferrer"&gt;https://github.com/mfrashad/apuboh19&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;So, onto the writeups.&lt;/p&gt;
&lt;h2&gt;
  
  
  Steganography
&lt;/h2&gt;
&lt;h3&gt;
  
  
  Nyanyanyanya
&lt;/h3&gt;

&lt;p&gt;When we downloaded the file attached to the challenge, we were given an mp3 file called All_Star_-_Smash_Mouth.mp3. Opening the file, it was a song; however, one peculiar thing is that it has a cover image.&lt;br&gt;
&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fraw.githubusercontent.com%2Fmfrashad%2Fapuboh19%2Fmaster%2Fimages%2Ffinal%2Fimage7.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fraw.githubusercontent.com%2Fmfrashad%2Fapuboh19%2Fmaster%2Fimages%2Ffinal%2Fimage7.png"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Afterwards, we tried out common tricks like the strings command and viewing the spectrogram of the file, but they didn’t lead us to any clue.&lt;/p&gt;


&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fraw.githubusercontent.com%2Fmfrashad%2Fapuboh19%2Fmaster%2Fimages%2Ffinal%2Fimage10.png"&gt;Spectrogram of the file



&lt;p&gt;However, we found that a png file is embedded in the file when we used binwalk to carve out the file.&lt;/p&gt;

&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fraw.githubusercontent.com%2Fmfrashad%2Fapuboh19%2Fmaster%2Fimages%2Ffinal%2Fimage5.png"&gt;Carving out file with binwalk



&lt;p&gt;Next, we proceeded to extract the image, and opening it unsurprisingly gave us the same cover image we had previously seen.&lt;/p&gt;

&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fraw.githubusercontent.com%2Fmfrashad%2Fapuboh19%2Fmaster%2Fimages%2Ffinal%2Fimage4.png"&gt;Extracted image



&lt;p&gt;But now, since we had a png file to work on, we could try various image steganography programs. So, the first thing we did was open the image in Stegsolve.jar, a Java program that applies various operations to the image such as inverse, xor, or noise. And surprisingly, it revealed the flag for us in red plane 1 straight away.&lt;/p&gt;

&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fraw.githubusercontent.com%2Fmfrashad%2Fapuboh19%2Fmaster%2Fimages%2Ffinal%2Fimage9.png"&gt;Stegsolve.jar



&lt;p&gt;The flag is &lt;strong&gt;&lt;em&gt;apuboh2019{s0m3b0dy_h1d_th3_fl@g}&lt;/em&gt;&lt;/strong&gt;.&lt;/p&gt;
&lt;h2&gt;
  
  
  Forensics
&lt;/h2&gt;
&lt;h3&gt;
  
  
  Neighbors
&lt;/h3&gt;

&lt;p&gt;For this challenge, we are given a pcapng file &lt;code&gt;neighbors.pcapng&lt;/code&gt;. Since it’s a pcap file, we proceeded to open it in Wireshark. Next, we just started searching for a keyword from the flag format, which in this case is ‘apu’, and it luckily gave us the flag straight away.&lt;/p&gt;

&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fraw.githubusercontent.com%2Fmfrashad%2Fapuboh19%2Fmaster%2Fimages%2Ffinal%2Fimage8.png"&gt;Wireshark



&lt;p&gt;The flag is &lt;strong&gt;&lt;em&gt;apuboh2019{cdp_spoofed}&lt;/em&gt;&lt;/strong&gt;.&lt;/p&gt;
&lt;h3&gt;
  
  
  Zip it
&lt;/h3&gt;

&lt;p&gt;The next challenge was also a network forensics challenge, and we were given &lt;code&gt;zipit.pcapng&lt;/code&gt;, a pcapng file again. However, this time, searching for strings didn’t lead us to anything. After looking around, we found some suspicious HTTP packets that might be the clue. So, we used the export objects function in Wireshark.&lt;/p&gt;

&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fraw.githubusercontent.com%2Fmfrashad%2Fapuboh19%2Fmaster%2Fimages%2Ffinal%2Fimage6.png"&gt;Wireshark export objects



&lt;p&gt;After exporting the files, we ran the &lt;code&gt;file&lt;/code&gt; command to check the files.&lt;/p&gt;

&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fraw.githubusercontent.com%2Fmfrashad%2Fapuboh19%2Fmaster%2Fimages%2Ffinal%2Fimage2.png"&gt;File commands



&lt;p&gt;Based on the output, the &lt;code&gt;smss.doc&lt;/code&gt; file stood out as it is a zip file, which is related to the title. Therefore, we tried to extract the &lt;code&gt;smss.doc&lt;/code&gt; file, but it asked for a password. By this time, we knew we were on the right track and that this might be the file that has the flag. Next, we started searching for the password, and we found a lead in one of the exported files, &lt;code&gt;share&lt;/code&gt;.&lt;/p&gt;

&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fraw.githubusercontent.com%2Fmfrashad%2Fapuboh19%2Fmaster%2Fimages%2Ffinal%2Fimage1.png"&gt;share file



&lt;p&gt;We found some text about &lt;code&gt;rockyou.txt&lt;/code&gt;, a very well-known password list used for cracking. Therefore, we tried to brute-force the zip file using &lt;code&gt;fcrackzip&lt;/code&gt;, a zip file cracking tool, and the &lt;code&gt;rockyou.txt&lt;/code&gt; dictionary.&lt;/p&gt;

&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fraw.githubusercontent.com%2Fmfrashad%2Fapuboh19%2Fmaster%2Fimages%2Ffinal%2Fimage3.png"&gt;Cracking with fcrackzip attempt



&lt;p&gt;However, it gave us an error that it is not a zip file. After some searching around, we found that the file is not the usual PKZIP file but 7zip, and fcrackzip cannot work with 7zip files (it took me quite a long time to figure this out; I thought I just needed to use a different version). Hence, we searched for another cracking tool and found 7zip-crack.&lt;br&gt;
&lt;a href="https://github.com/Goron/7zip-crack" rel="noopener noreferrer"&gt;https://github.com/Goron/7zip-crack&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Then, we started cracking the file using the &lt;code&gt;rockyou.txt&lt;/code&gt; dictionary with 7zip-crack. After a while, it finally gave us the password &lt;code&gt;godisgood&lt;/code&gt;, yay!&lt;/p&gt;

&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fraw.githubusercontent.com%2Fmfrashad%2Fapuboh19%2Fmaster%2Fimages%2Ffinal%2Fimage11.png"&gt;Cracking with 7zip-crack



&lt;p&gt;Extracting the zip file with the password gave us a PE32 Windows executable file &lt;code&gt;smss&lt;/code&gt;. The first thing we try is always &lt;code&gt;strings&lt;/code&gt;, but sadly it did not give any result.&lt;/p&gt;

&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fraw.githubusercontent.com%2Fmfrashad%2Fapuboh19%2Fmaster%2Fimages%2Ffinal%2Fimage13.png"&gt;Checking the extracted file



&lt;p&gt;As this is an executable file, we thought that this would be a reverse engineering challenge, and tried to run and reverse engineer it. But we didn't manage to run the program even in DOS mode, as it gave some error. And trying to reverse engineer the program in IDA Pro just confused us even more, since we could only do static analysis but could not debug the program.&lt;/p&gt;

&lt;p&gt;Fortunately, we tried to &lt;code&gt;hexedit&lt;/code&gt; the file.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;$ hexedit smss
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fraw.githubusercontent.com%2Fmfrashad%2Fapuboh19%2Fmaster%2Fimages%2Ffinal%2Fimage12.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fraw.githubusercontent.com%2Fmfrashad%2Fapuboh19%2Fmaster%2Fimages%2Ffinal%2Fimage12.png"&gt;&lt;/a&gt;&lt;/p&gt;
File in hexeditor



&lt;p&gt;And yay, we found the flag! We suspect the reason that the &lt;code&gt;strings&lt;/code&gt; command didn't pick up the flag is that the characters are not adjacent but spaced apart. This challenge really took us quite a long time, and was quite frustrating as well. We were really lucky to have opened the file in a hex editor; otherwise we would have missed the flag.&lt;/p&gt;

&lt;p&gt;The flag is &lt;strong&gt;&lt;em&gt;apuboh2019{7z1PIsuS3Fu|}&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Conclusion
&lt;/h2&gt;

&lt;p&gt;Although the challenges above may look simple, we really spent a lot of time on other challenges. Although we did make some progress, we still didn't manage to solve those, hence our struggles with those challenges are not written here.&lt;/p&gt;

&lt;p&gt;One regret that I have is that I didn't study binary exploitation more thoroughly before coming to the competition. I was expecting basic reverse engineering challenges, but was given binary exploitation challenges such as basic stack overflow or buffer overflow instead. We could have boosted our ranking a lot more if I had studied those beforehand.&lt;/p&gt;

&lt;p&gt;Overall, it was a great experience and we learnt a lot from the competition. Also, I'd like to thank my teammates Faris Rosly and Tan Li Tung for performing well during the competition and spending time to practice for the competition. And thank you also to APU (Asia Pacific University) for hosting the event! There should be more CTFs around here!&lt;/p&gt;

&lt;p&gt;For other participants of APU BoH 2019, feel free to post your solutions or a link to your writeup in the comments!&lt;/p&gt;

</description>
    </item>
    <item>
      <title>My First CTF Writeup : KPMG Cyber Security Challenge 2019</title>
      <dc:creator>Muhammad Fathy Rashad</dc:creator>
      <pubDate>Thu, 17 Oct 2019 06:45:57 +0000</pubDate>
      <link>https://forem.com/mfrashad/my-first-ctf-writeup-kpmg-cyber-security-challenge-2019-2698</link>
      <guid>https://forem.com/mfrashad/my-first-ctf-writeup-kpmg-cyber-security-challenge-2019-2698</guid>
      <description>&lt;h2&gt;
  
  
  CTF: A fun way to learn hacking
&lt;/h2&gt;

&lt;p&gt;A few months ago, I discovered CTFs, or Capture The Flag competitions. CTF is a type of computer security competition. There are different types of CTF, but the jeopardy style is the most commonly used, where players are given many security challenges covering various fields such as forensics or reverse engineering and need to solve as many as possible, as quickly as possible. Each challenge solved is rewarded with a certain number of points based on its difficulty, and the player with the highest points wins.&lt;/p&gt;

&lt;p&gt;I found that CTF is a really fun way to learn cyber security. The excitement you get when you've used real exploits or tactics that you learned and see them actually work (you've hacked something), or the "Aha!" moment when you finally find the solution, is what makes CTF really fun to play.&lt;/p&gt;

&lt;h2&gt;
  
  
  My First CTF
&lt;/h2&gt;

&lt;p&gt;I immediately joined the KPMG Cyber Security Challenge 2019 in Malaysia when I first discovered the event. CTFs are still rare events in Malaysia compared to hackathons (the hackathons are almost weekly here). Hence, I just jumped at the rare opportunity. Unfortunately, it was a 4-member team competition, and out of my 3 teammates, only 1 of them was available during the competition.&lt;/p&gt;

&lt;p&gt;Sadly, my team was ranked in 32nd place out of 60+ teams and did not manage to pass the qualifier round. But nonetheless, I had a lot of fun, learned many things, and it was a great experience overall. And I personally think the result wasn't too bad considering I had only learned about CTFs a few weeks prior and I was missing 2 members.&lt;/p&gt;

&lt;h2&gt;
  
  
  The Challenges
&lt;/h2&gt;

&lt;p&gt;The qualifier round didn't have a lot of questions; there were around 7 questions, comprising only steganography, forensics, and reverse engineering challenges. I managed to solve 3 challenges, 1 from each field. I had a hard time solving the other RE challenges as they gave Windows executables and I was expecting ELF files. So, without further ado, here we go.&lt;/p&gt;

&lt;h3&gt;
  
  
  Steganography
&lt;/h3&gt;

&lt;p&gt;Steganography is the art of hiding data, such as embedding a secret message in an image. One example application of this in security is malware hiding.&lt;/p&gt;

&lt;h4&gt;
  
  
  Angola - Least Significant Failure
&lt;/h4&gt;

&lt;p&gt;So first we are given a link to a zip file.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Least_Significant_Failures_95988b81547c2be1431cfd83199c573c.zip
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;So we just unzip it, using the unzip command.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;$ unzip Least_Significant_Failures_95988b81547c2be1431cfd83199c573c.zip
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;And we will get an image file &lt;code&gt;kanye.png&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2Fdq8cdsm45m1698goetke.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2Fdq8cdsm45m1698goetke.png"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Before we do anything, we should check that the extension is correct using the &lt;code&gt;file&lt;/code&gt; command, as file extensions can be deceiving sometimes, and it is indeed a png file. As this is a steganography challenge, and judging from the zip file name, this seems to use LSB techniques to hide the flag somewhere inside the image. So first, we used &lt;code&gt;zsteg&lt;/code&gt;, a program which usually will reveal text hidden in an image using the LSB technique.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2F8afi6vykybpr3zh575d1.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2F8afi6vykybpr3zh575d1.png" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;However, this only resulted in gibberish text as shown in the image above.&lt;/p&gt;

&lt;p&gt;Next, we tried to use &lt;code&gt;Stegsolve.jar&lt;/code&gt;, a Java tool for steganography that processes the image with various techniques (invert color, xor, etc.) or filters.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2Futxm9eb5saxwh8gt9ppw.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2Futxm9eb5saxwh8gt9ppw.png"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;And yes, we found some kind of text on the green plane, but it did not look like a flag, so it might be encrypted or a cipher.&lt;/p&gt;

&lt;p&gt;Then we tried to use some general online decoder at first, but it did not give the flag. Then we assumed it may be a Caesar cipher, and tried to brute-force it.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2F9itjjjnaoy3t7ds9vx4c.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2F9itjjjnaoy3t7ds9vx4c.png" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;But all of them resulted in nothing and did not give the flag. Finally, we tried to decode it as base64.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2Flyhrnjx86zmnup294qx2.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2Flyhrnjx86zmnup294qx2.png" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;And yes! Surprisingly, we got the flag.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;KPMG{3V3RY0N3_L0V3S_ST3GGY&amp;lt;/3}
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;This is quite tricky as we did not think of it as base64 at first since it does not end with the usual &lt;code&gt;==&lt;/code&gt; padding.&lt;/p&gt;

&lt;h3&gt;
  
  
  Forensic
&lt;/h3&gt;

&lt;p&gt;Forensics is the art of recovering the digital trail left on a computer. In this case, it is related to network forensics, where we try to find the flag in a &lt;code&gt;.pcap&lt;/code&gt; file.&lt;/p&gt;

&lt;h4&gt;
  
  
  Canada - Project Searching MH370
&lt;/h4&gt;

&lt;p&gt;First, we download the zip file. After unzipping it, we get a pcapng file &lt;code&gt;Essence.pcapng&lt;/code&gt;. Then we open the file using Wireshark. In Wireshark, we searched for any strings that might give us the flag such as ‘KPMG’, ‘flag’, ‘ctf’, ‘pass’, etc. And luckily, we quickly found a zip file &lt;code&gt;CTF_Flag.zip&lt;/code&gt;, which might contain the flag.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2F84u431ptb143l2awfn50.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2F84u431ptb143l2awfn50.png" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Then we proceeded to try extracting the file and unzipping it. However, it is locked with a password.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2Fitmifytlb9ud5tucsjj5.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2Fitmifytlb9ud5tucsjj5.png" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;At first we were thinking of just brute-forcing the password using a cracking tool like &lt;code&gt;fcrackzip&lt;/code&gt;, but fortunately we remembered that we saw a &lt;code&gt;pass.txt&lt;/code&gt; file which might contain a password when we were browsing around the &lt;code&gt;.pcapng&lt;/code&gt; file previously.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2Fbwei4fxnf4e5tduk87f1.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2Fbwei4fxnf4e5tduk87f1.png" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Next, we proceeded to extract the password text file and use it for unzipping the zip file.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2Fe0kowsdvhh3uxvm2y9wx.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2Fe0kowsdvhh3uxvm2y9wx.png" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;And yay! By using the password &lt;code&gt;W@k@nd@_s0m3tim3s&lt;/code&gt; to unzip the file, we get the flag!&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;KPMG{I_CAN_SAVE_IRONMAN}
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h3&gt;
  
  
  Reverse Engineering
&lt;/h3&gt;

&lt;p&gt;Reverse Engineering in a CTF is typically the process of taking a compiled (machine code, bytecode) program and converting it back into a more human readable format.&lt;/p&gt;

&lt;p&gt;Usually this would involve disassembling a program and trying to make sense of the assembly file produced. And indeed, some of the RE challenges given required you to disassemble a Windows PE file or executables. However, I didn't manage to solve these, and instead solved the easy one that only needed some python knowledge.&lt;/p&gt;

&lt;h4&gt;
  
  
  Russia - GateToRiches
&lt;/h4&gt;

&lt;p&gt;First, we download the zip file and unzip it; this gives us a Python script &lt;code&gt;GateToRiches.py&lt;/code&gt;. Looking at the code, it asks for a username and somehow calculates the flag. We can easily solve this by modifying the code to print the produced flag &lt;code&gt;res&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2Fmr9y1tafg1ech0rjvato.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2Fmr9y1tafg1ech0rjvato.png" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Now, when we run the Python script, it will give us the flag.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;KPMG{f00d}
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2Fmbcdbdxbqokbj6ydmvgl.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2Fmbcdbdxbqokbj6ydmvgl.png" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h3&gt;
  
  
  Conclusion
&lt;/h3&gt;

&lt;p&gt;I was a bit disappointed with the result, but I learned a lot from the competition and definitely would join more CTFs in the future. In fact, I just participated in another CTF a few weeks ago and will make another writeup about it soon.&lt;/p&gt;

&lt;p&gt;And to readers who are interested in getting into cyber security, I really encourage you to try playing CTFs regardless of your skill level! You can start with &lt;a href="https://picoctf.com/" rel="noopener noreferrer"&gt;picoCTF&lt;/a&gt;, a beginner-friendly CTF.&lt;/p&gt;

&lt;p&gt;This is my first post, so feel free to leave feedback about my writing.&lt;/p&gt;

</description>
      <category>ctf</category>
      <category>security</category>
      <category>hacking</category>
    </item>
  </channel>
</rss>
