Viettel MatesCTF May Qualification – Forensics 200

Challenge name : Hidden


The challenge gives us a memory dump. We use imageinfo to identify the operating system, hardware architecture and the Volatility profile to use for the remaining plugins.

We can use psscan or pslist to list the processes on the system. The difference is that pslist walks the linked list of active processes, while psscan scans physical memory for EPROCESS structures and can therefore also find hidden or unlinked processes:

I tried to extract screenshots of the system but did not find anything interesting. Scanning for network connections and command prompt history gave the same result. Since the challenge is named “Hidden”, I focused on dumping “exited” processes: if a process uses DKOM to fill in its threads’ ExitTime, it appears as exited even though it is still running. After an hour of digging for nothing, I came to this command:

Shellbags in Windows are very useful to a forensic investigator. In this case, they gave us what we wanted, hidden.exe, and one more thing: sysWOW64. This directory only exists on 64-bit Windows, but the memory dump is from a 32-bit system.

We can find the offset of hidden.exe in memory with filescan, then dump it with dumpfiles:

The binary uses DLL injection to load a DLL into another process:

I used dlllist to display the DLLs loaded by each process, and there was a DLL from the sysWOW64 directory loaded into the mspaint.exe process:

So far so good. I extracted the suspicious DLL:
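As an added example (not code from this write-up and not part of Volatility), here is a small Python script that automates the checks made above on saved plugin output: it diffs psscan against pslist to find processes that are unlinked from the active process list, flags entries whose ExitTime is filled in, and reports any module loaded from sysWOW64 when the profile is 32-bit. It assumes the default text column layout of the Volatility 2 pslist, psscan and dlllist plugins; the sample output, the names hidden.exe and payload.dll, and all PIDs, offsets and timestamps are constructed for the demonstration.

```python
"""Cross-check Volatility 2 pslist, psscan and dlllist text output.

Added example for this write-up; not the author's code and not part of
Volatility. It assumes the default column layout of the Volatility 2
plugins. All sample output below is constructed: process names, PIDs,
offsets, timestamps and DLL paths are made up for the demonstration.
"""
import re

TIMESTAMP = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC\+\d{4}"

# Constructed pslist output: only processes still linked in the active list.
PSLIST_OUTPUT = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x823c89c8 System                    4      0     53      240 ------      0
0x82144bc8 explorer.exe            640    600     12      300      0      0 2018-05-01 10:00:00 UTC+0000
0x82101da0 mspaint.exe            1700    640      1       75      0      0 2018-05-01 10:03:00 UTC+0000
"""

# Constructed psscan output: the pool-tag scan also finds unlinked EPROCESS
# blocks, and prints "Time exited" whenever the ExitTime field is filled in.
PSSCAN_OUTPUT = """\
Offset(P)          Name                PID   PPID PDB        Time created                   Time exited
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x00000000023c89c8 System                4      0 0x00319000 2018-05-01 09:55:00 UTC+0000
0x0000000002144bc8 explorer.exe        640    600 0x0a1b2000 2018-05-01 10:00:00 UTC+0000
0x0000000002101da0 mspaint.exe        1700    640 0x0a3c4000 2018-05-01 10:03:00 UTC+0000
0x0000000002a7d020 hidden.exe         1234    640 0x0a5d6000 2018-05-01 10:05:00 UTC+0000   2018-05-01 10:06:00 UTC+0000
"""

# Constructed dlllist output for one process (dlllist prints one block per PID).
DLLLIST_OUTPUT = """\
************************************************************************
mspaint.exe pid:   1700
Command line : "C:\\WINDOWS\\system32\\mspaint.exe"
Service Pack 3

Base             Size  LoadCount Path
---------- ---------- ---------- ----
0x01000000    0x4b000     0xffff C:\\WINDOWS\\system32\\mspaint.exe
0x7c900000    0xaf000     0xffff C:\\WINDOWS\\system32\\ntdll.dll
0x10000000     0xb000        0x1 C:\\WINDOWS\\sysWOW64\\payload.dll
"""


def parse_pslist(text):
    """Return {pid: name} for each process row of pslist output."""
    procs = {}
    for line in text.splitlines():
        m = re.match(r"^0x[0-9a-fA-F]+\s+(\S+)\s+(\d+)\s+(\d+)", line)
        if m:
            procs[int(m.group(2))] = m.group(1)
    return procs


def parse_psscan(text):
    """Return {pid: (name, exited)}; exited is True when a 'Time exited' is printed."""
    procs = {}
    row = re.compile(
        r"^0x[0-9a-fA-F]+\s+(\S+)\s+(\d+)\s+(\d+)\s+0x[0-9a-fA-F]+\s+"
        rf"({TIMESTAMP})?\s*({TIMESTAMP})?"
    )
    for line in text.splitlines():
        m = row.match(line)
        if m:
            procs[int(m.group(2))] = (m.group(1), m.group(5) is not None)
    return procs


def parse_dlllist(text):
    """Return {pid: [module paths]} from dlllist output."""
    mods, pid = {}, None
    for line in text.splitlines():
        m = re.match(r"^(\S+) pid:\s+(\d+)", line)
        if m:
            pid = int(m.group(2))
            mods[pid] = []
            continue
        m = re.match(r"^0x[0-9a-fA-F]+\s+0x[0-9a-fA-F]+\s+0x[0-9a-fA-F]+\s+(.+?)\s*$", line)
        if m and pid is not None:
            mods[pid].append(m.group(1))
    return mods


def find_hidden(pslist, psscan):
    """PIDs that psscan found but pslist did not: unlinked from the active list."""
    return sorted(pid for pid in psscan if pid not in pslist)


def find_exited(psscan):
    """PIDs whose EPROCESS has an ExitTime set (genuinely exited, or DKOM-faked)."""
    return sorted(pid for pid, (_, exited) in psscan.items() if exited)


def find_wow64_anomalies(dlls, profile_is_64bit):
    """A 32-bit Windows has no sysWOW64, so a module loaded from there is suspect."""
    if profile_is_64bit:
        return []
    return sorted((pid, p) for pid, paths in dlls.items() for p in paths
                  if "syswow64" in p.lower())


def triage(pslist_text, psscan_text, dlllist_text, profile_is_64bit):
    """Run all three checks and return the findings as a dict."""
    pslist, psscan = parse_pslist(pslist_text), parse_psscan(psscan_text)
    dlls = parse_dlllist(dlllist_text)
    return {
        "hidden": [(pid, psscan[pid][0]) for pid in find_hidden(pslist, psscan)],
        "exited": [(pid, psscan[pid][0]) for pid in find_exited(psscan)],
        "wow64_on_32bit": find_wow64_anomalies(dlls, profile_is_64bit),
    }


if __name__ == "__main__":
    for check, hits in triage(PSLIST_OUTPUT, PSSCAN_OUTPUT, DLLLIST_OUTPUT, False).items():
        print(f"{check}: {hits or 'nothing found'}")
```

In practice you would redirect each plugin's output to a file (`volatility -f dump.raw --profile=... psscan > psscan.txt` and so on) and feed the three files to `triage()`. A process that shows up only in psscan, or one that claims to have exited while its threads are still scheduled, is exactly what the “Hidden” challenge relies on, so the diff is worth running before any manual digging.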

Loading it into IDA, I found that the flag is generated in the getkey function:

Flag : matesctf{go to another place}

What a nice challenge 🙂

Viettel MatesCTF March Qualification – Forensics 150

Binary

We are given a memory dump. As usual when working with Volatility, we check for the memory profile first:

We use psscan to look for any interesting process:

The first idea that came to mind was that the flag could be painted in mspaint.exe. Since nearly everything that was on screen while the machine was running can be recovered from the memory dump, we should be able to get the flag out of mspaint.exe.

Dump the memory of mspaint.exe:

Rename it to .data so it can be imported into GIMP as raw image data (GIMP supports importing raw data images). We didn’t see the flag, but we did see something interesting:


This mspaint.exe is not a normal mspaint.exe: it is a console application and far too small. We dumped the process, loaded it into IDA, located the main function and got the flag:

Flag : matesctf{mem_baby}

WhiteHat GrandPrix Global Challenge

I. Comments on the competition

  • Nice scoreboard.
  • The challenges were well prepared in terms of content, and backup challenges were available.
  • The organizers were friendly and very supportive.
  • The infrastructure still had problems (services going down, challenges being replaced, source uploaded with the flag inside …). Bkav should try hard to eliminate these issues, because even though this was its first international CTF, it was not the first CTF Bkav has organized.


Viettel MatesCTF – September Qualification

I. Comments on the challenges

  • The challenges were not hard, apart from the ones no team solved.
  • A challenge that nobody solves is a failure of the challenge author.
  • There was no Cryptography.
  • Programming at 200 points is too much. Compared with the 150-point Misc challenge Xếp hình, this Programming challenge only deserves 100 points -_-
