WolvCTF 2024: Forensics Challenges

Sidharth Panda, published in InfoSec Write-ups, 10 min read, Mar 18, 2024

WolvCTF 2024

Hello fellas, how are you all doing? I hope you are well. In this write-up we will solve all the forensics challenges from WolvCTF 2024. Kudos to the forensics challenge author and the whole team for making this CTF run smoothly; honestly, I enjoyed it.

Let’s begin….

Challenge 1:

Level: Beginner
Challenge Title: Hidden data
Challenge Description: WOLPHV sent me this file. Not sure what to comment about it

Link for challenge: https://mega.nz/file/Z9JhVDaA#A5tunQhSxWZZkb4K_I9A9E3mq6ae81Gp0Wa81Mve0m4

Challenge File

So, let us start with the file command. It identifies a file's type from its magic bytes rather than its extension, and for some formats (JPEG among them) it also prints the text of any embedded comment segment.

And there it was: the comment's value is the flag. (exiftool would show the same field; the point is that image metadata travels with the file and is worth reading before anything fancier.)
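As an added example, not part of the original write-up, here is what the file command is doing for you when it prints that comment, written out so you can pull the field yourself even when file stays quiet (it does not print PNG text chunks, for instance). The write-up does not say which image format the challenge file was, so the parser below handles both a JPEG COM segment and PNG tEXt/zTXt chunks. The two sample files and the "wctf{constructed_comment}" value are constructed here and are not the challenge file or flag.

```python
import struct
import zlib


def jpeg_comments(data: bytes) -> list:
    """Walk the JPEG marker segments before SOS and return every COM (0xFFFE) payload as text."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    found, i = [], 2
    while i + 4 <= len(data) and data[i] == 0xFF:
        marker = data[i + 1]
        if marker in (0xD9, 0xDA):  # EOI, or SOS: entropy-coded scan data follows, metadata sits before it
            break
        length = struct.unpack(">H", data[i + 2:i + 4])[0]  # length field counts its own two bytes
        payload = data[i + 4:i + 2 + length]
        if marker == 0xFE:
            found.append(payload.decode("latin-1"))
        i += 2 + length
    return found


def png_text_chunks(data: bytes) -> dict:
    """Return keyword -> text for tEXt and zTXt chunks, which the file command does not print for PNGs."""
    if data[:8] != b"\x89PNG\r\n\x1a\n":
        raise ValueError("not a PNG (bad signature)")
    found, i = {}, 8
    while i + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[i:i + 8])
        body = data[i + 8:i + 8 + length]
        if ctype == b"tEXt":
            key, _, text = body.partition(b"\x00")
            found[key.decode("latin-1")] = text.decode("latin-1")
        elif ctype == b"zTXt":
            key, _, rest = body.partition(b"\x00")  # rest[0] is the compression method (0 = zlib)
            found[key.decode("latin-1")] = zlib.decompress(rest[1:]).decode("latin-1")
        if ctype == b"IEND":
            break
        i += 12 + length  # 4-byte length + 4-byte type + data + 4-byte CRC
    return found


# Constructed minimal files carrying a stand-in comment (not the challenge file).
COMMENT = b"wctf{constructed_comment}"
SAMPLE_JPEG = (b"\xff\xd8"
               + b"\xff\xfe" + struct.pack(">H", len(COMMENT) + 2) + COMMENT
               + b"\xff\xda" + b"\x00\x02" + b"\x00" * 4 + b"\xff\xd9")


def _png_chunk(ctype: bytes, body: bytes) -> bytes:
    """Build one PNG chunk with a correct CRC so the sample is a well-formed chunk stream."""
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))


SAMPLE_PNG = (b"\x89PNG\r\n\x1a\n"
              + _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
              + _png_chunk(b"tEXt", b"Comment\x00" + COMMENT)
              + _png_chunk(b"zTXt", b"Note\x00\x00" + zlib.compress(b"also compressed"))
              + _png_chunk(b"IEND", b""))

if __name__ == "__main__":
    print(jpeg_comments(SAMPLE_JPEG))
    print(png_text_chunks(SAMPLE_PNG))
```

On a real file, read it with open(path, "rb").read() and call whichever parser matches the magic bytes; the JPEG walker stops at SOS on purpose, since application and comment segments are required to come before the compressed scan data.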

Challenge 2:

Challenge Name: Eternally Pwned: Infiltration
Challenge Description: I recently had my passwords and other sensitive data leaked, but I have no idea how. Can you figure out how the attacker got in to my PC?

Link for challenge: https://mega.nz/file/RloS0LoI#1twPNxzOwEKgO8Pl-Drpi9ablFG1Cj1QuxooiUWyhmY

A pcap file was given to us, and I struggled like hell to solve this. It was pretty hard for me. I left it for some time and started fresh (pro tip).

Anyway, let us start fresh by listing the TCP traffic with the display filter "tcp" and following each TCP stream one by one (Follow > TCP Stream); the interesting one is TCP stream 4.

This was mainly a conversation between the two systems. If you read the whole stream carefully you will see that some of the messages have a base64-encoded chunk of bytes appended at the end.

Now this is easy: base64 is an encoding, not encryption, so we can paste each chunk into CyberChef (or run base64 -d) one by one and join the pieces in stream order to get the flag.

d2N0ZntsM3RTXw== → wctf{l3tS_
M3RlUm40bEx5X2cwXw== → 3teRn4lLy_g0_
YkxVM183bjl3bTRpV25MfQ== → bLU3_7n9wm4iWnL}

Joined: wctf{l3tS_3teRn4lLy_g0_bLU3_7n9wm4iWnL}
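The same extraction scripted in Python, as an added example that is not part of the original write-up. It scans a reassembled stream for base64-looking tokens, keeps the ones that decode to printable text, and joins the fragments in stream order from the one containing the flag prefix to the closing brace. The stream text below is constructed to mirror what the write-up describes (chat messages with base64 chunks at the end) and is not the challenge capture; the minimum token length, the printable-only filter and the "wctf{" prefix are heuristics chosen here. To get real input, export the stream from Wireshark's Follow TCP Stream dialog or run tshark -r capture.pcap -qz follow,tcp,ascii,4 and feed the text to find_base64_fragments.

```python
import base64
import binascii
import re
import string

# Constructed sample of a reassembled TCP stream (not real capture data): chat text with
# base64 tokens appended to some messages, the way the write-up describes stream 4.
SAMPLE_STREAM = b"""hey, did you get the files I sent?
yes, unpacking now. d2N0ZntsM3RTXw==
cool, ping me when done M3RlUm40bEx5X2cwXw==
all done, see you YkxVM183bjl3bTRpV25MfQ==
"""

# Runs of base64 alphabet at least 12 chars long, with optional padding.
B64_TOKEN = re.compile(rb"[A-Za-z0-9+/]{12,}={0,2}")
PRINTABLE = set(string.printable.encode())


def find_base64_fragments(data: bytes) -> list:
    """Decode every base64-looking token that yields printable ASCII, in stream order."""
    out = []
    for m in B64_TOKEN.finditer(data):
        tok = m.group(0)
        if len(tok) % 4:  # valid base64 comes in 4-char groups
            continue
        try:
            raw = base64.b64decode(tok, validate=True)
        except binascii.Error:  # non-alphabet byte or bad padding: not base64 after all
            continue
        if raw and all(b in PRINTABLE for b in raw):
            out.append(raw.decode("ascii"))
    return out


def assemble_flag(fragments, prefix: str = "wctf{", end: str = "}"):
    """Join fragments from the one holding the prefix until the closing brace appears."""
    buf, collecting = "", False
    for frag in fragments:
        if not collecting and prefix in frag:
            collecting = True
            buf = frag[frag.index(prefix):]
        elif collecting:
            buf += frag
        if collecting and end in buf:
            return buf[: buf.index(end) + 1]
    return None  # prefix never seen, or stream ended before the closing brace


if __name__ == "__main__":
    frags = find_base64_fragments(SAMPLE_STREAM)
    print(frags)
    print(assemble_flag(frags))
```

The printable-only filter is what keeps ordinary 12-letter English words (which also happen to be valid base64 alphabet) from polluting the list: they decode to high bytes and are dropped.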

Challenge 3:

Challenge Title: Eternally Pwned: Persistence
Challenge Description: I get that the attackers were in my PC, but how did they achieve persistence?

Link for challenge: https://mega.nz/file/p8gEzBKC#TQlEBklmQefkBn_FAJv8QsOTsg2DrAZxI6m4eltcCx8

Here we will use Volatility 3 for memory analysis (which I love).

After unzipping the file, we first check the basic information about the memory dump. (I will explain each plugin I used at the end of this challenge.)

Command: python3 ~/Toolkit/volatility3/vol.py -f MEMORY.DMP isfinfo

This lists the symbol table (ISF) JSON files Volatility knows about rather than anything about the dump itself. We could read through them, but we don't have that much time; the quick takeaway is that the listed paths include "/symbols/windows", so Windows symbols are installed and we can try the Windows plugins.

Command: python3 ~/Toolkit/volatility3/vol.py -f MEMORY.DMP windows.info

And we were right: this memory dump belongs to a Windows system (if it were not, windows.info would fail to find a valid kernel layer instead of printing version and dump-time details). Now we need to analyze the dump. First, let's see what files this system had open in memory.

Command: python3 ~/Toolkit/volatility3/vol.py -f MEMORY.DMP windows.filescan

As we can see there are lots of files, including the usual ones from System32. But wait a minute: the description says the attacker achieved persistence, which means something of theirs is probably still running on the system. So why not list the processes?

Command: python3 ~/Toolkit/volatility3/vol.py -f MEMORY.DMP windows.pslist

Okay! Mostly the usual processes (svchost.exe, cmd.exe, lsass.exe and so on), but what is that at PID 1804? The image name looks different from the rest, so let's take it to CyberChef.

PID stands for process ID, a unique number the operating system assigns to each running process. (The PPID column in the same output is the parent's PID, which is how you see what started what.)

A pastebin? Okay, so we are on the right track, and we need to investigate this process further. Now let's think like an attacker for a minute: after getting onto a system, you launch things through cmd (or PowerShell), which means the full command line the process was started with is worth recovering. Thankfully Volatility has a plugin for that.

Command: python3 ~/Toolkit/volatility3/vol.py -f MEMORY.DMP windows.cmdline

Now look at PID 1804 and the arguments listed for it: it is the same string, so let's cook it.

And we got the pastebin link; visiting it gives us the flag.

Plugin information:

  1. isfinfo: lists the ISF (Intermediate Symbol Format) symbol-table JSON files that Volatility can find, with their source and validity. It does not inspect the dump itself; it is the quick way to confirm that symbols for the target OS are installed (here the /symbols/windows paths), which matters because a failing Windows plugin is very often a missing-symbols problem.
  2. windows.info: prints what Volatility determined about the OS in the dump: kernel base and version, architecture (32- or 64-bit), the time the dump was taken, and so on.
  3. windows.filescan: as the name suggests, scans the dump for file objects and lists every file the system had open, with its offset and size.
  4. windows.pslist: walks the kernel's process list and prints every process that was running when the dump was taken, with PID, PPID and creation time. A process that unlinked itself from that list will not appear here; windows.psscan, which carves process objects out of memory instead, is the cross-check. (Acquiring memory on a live system is one of the more fragile steps of real-world forensics: the acquisition tool itself runs in memory and every command typed on the box changes it, so a wrong step can overwrite exactly the evidence the investigator needs, and it cannot be recovered afterwards.)
  5. windows.cmdline: prints the command line (executable path and arguments) each process was started with, read from the process's environment block, alongside its PID and name.

Challenge 4:

Challenge Title: Eternally Pwned: Exfiltration
Challenge Description: Ok yeah, they are definitely in the machine. But how did they manage to take my data?

You will likely find both the packet capture from Eternally Pwned: Infiltration and the memory dump from Eternally Pwned: Persistence to be useful

I spent around 3-4 hours, maybe more, on this challenge but still could not figure it out. However, I used another approach.

Command: strings -el MEMORY.DMP | grep "wctf"

(The -e l option makes strings look for 16-bit little-endian, i.e. UTF-16LE, strings, which is how Windows stores most of its text in memory; the default 7-bit ASCII scan would walk straight past them.)

Yeah, this gave me the flag, but it was not how the challenge was meant to be solved: this is the unintended way. The intended solution, shared by the challenge author after the CTF was over, is linked below.
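As an added example that is not part of the write-up, here is what strings -e l does, written out in Python so the difference from a plain strings run is visible: a UTF-16LE string is printable byte, NUL, printable byte, NUL, so the ASCII scanner never sees four printable bytes in a row and skips it entirely. The buffer is constructed (an ASCII note, a UTF-16LE string carrying the stand-in value "wctf{constructed_sample}", and a UTF-16LE path, separated by binary filler); the real dump is not reproduced. For a real dump, read the file in chunks rather than all at once.

```python
import re

# Constructed stand-in for a slice of MEMORY.DMP (not real dump data).
SAMPLE_DUMP = (
    b"\x00\x01\x02" + b"ascii-only-note" + b"\xff\xfe"
    + "wctf{constructed_sample}".encode("utf-16-le") + b"\x90\x90"
    + "C:\\Users\\victim\\secret.txt".encode("utf-16-le") + b"\x00\x00\x7f"
)


def strings_ascii(data: bytes, min_len: int = 4) -> list:
    """What plain `strings` finds: runs of printable 7-bit ASCII."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group(0).decode("ascii") for m in pat.finditer(data)]


def strings_utf16le(data: bytes, min_len: int = 4) -> list:
    """What `strings -e l` finds: runs of (printable byte, NUL) pairs, decoded as UTF-16LE."""
    pat = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group(0).decode("utf-16-le") for m in pat.finditer(data)]


def grep_strings(data: bytes, needle: str) -> list:
    """Both scans piped through grep: every extracted string containing the needle."""
    return [s for s in strings_ascii(data) + strings_utf16le(data) if needle in s]


if __name__ == "__main__":
    print("ascii   :", strings_ascii(SAMPLE_DUMP))
    print("utf16le :", strings_utf16le(SAMPLE_DUMP))
    print("grep    :", grep_strings(SAMPLE_DUMP, "wctf"))
```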

The right way: https://github.com/dreeSec/exfiltration_intended/blob/main/solve.md

In that write-up, the way she obtained the PowerShell script was not the intended route either; she did it that way just to show that the script exists.

Challenge 5:

Challenge Title: Log Analysis
Challenge Description: Hi there incident responder. So we have this company that was breached sometime last week, but their SOC team only keeps HTTP request logs :( We took down all of our wolvsecsolutions websites as a precaution.

Maybe there’s still a way to figure out what happened? Why did they click on a suspicious link? Somebody told me there’s a flag on the link now?

Link for challenge: https://mega.nz/file/YtxWjCQC#dZ-vAc-fKTYFn2yALWIuPkSNpzNxMon--_s1Enljl2o

So, let us start by looking at the sites mentioned in the log. Almost all of them are not useful, and I tried opening every link with a cloudfront domain (which was not a good idea at all). The description says that all the wolvsecsolutions websites were taken down as a precaution, so let's start from there.

Let us first copy the file to our machine and sort a few things out.

Command: grep "wolvsecsolutions" logs.txt

Yes, this is what we want; now let's save it to a file (I named it urls.txt).

Command: grep "wolvsecsolutions" logs.txt > urls.txt

To remove the "Host: " prefix we could split on the delimiter, but I did it the traditional way.

And we got our URLs. If you analyse them you will see that there are duplicates, so let's deduplicate.

Command: sort urls.txt | uniq

Finally! Far fewer URLs. Now we could look at every URL one by one, or we can think about it differently.

Almost all the hosts are subdomains of wolvsecsolutions, but exactly one of them is not under that domain at all. Moreover, if you check the web challenges of WolvCTF 2024, their hostnames always end in <some_string>.run.app. So we can go straight to that URL instead of checking all of them.

And as soon as we go to the url, we will get our flag.
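The grep / sort / uniq pipeline above, plus the "which one is not a real subdomain" reasoning, as an added Python example that is not part of the write-up. The log lines are constructed in an assumed "... Host: <name>" layout; the challenge's logs.txt is not reproduced and its exact format may differ, so adjust HOST_RE to match. The hostnames, including the cloudfront and run.app ones, are made up for the example.

```python
from collections import Counter
import re

# Constructed HTTP request log lines (format assumed; not the challenge's logs.txt).
SAMPLE_LOG = """\
2024-03-10T09:12:01Z GET /index.html HTTP/1.1 Host: www.wolvsecsolutions.com
2024-03-10T09:12:02Z GET /static/app.js HTTP/1.1 Host: d111111abcdef8.cloudfront.net
2024-03-10T09:14:40Z GET /login HTTP/1.1 Host: portal.wolvsecsolutions.com
2024-03-10T09:15:03Z GET /owa HTTP/1.1 Host: mail.wolvsecsolutions.com
2024-03-10T09:15:05Z POST /login HTTP/1.1 Host: portal.wolvsecsolutions.com
2024-03-10T09:16:55Z GET /invoice HTTP/1.1 Host: wolvsecsolutions-billing-abc123-uc.a.run.app
2024-03-10T09:17:00Z GET / HTTP/1.1 Host: www.wolvsecsolutions.com
"""

HOST_RE = re.compile(r"Host:\s*([A-Za-z0-9.-]+)")


def host_counts(log_text: str, keyword: str) -> Counter:
    """grep keyword | strip 'Host: ' | sort | uniq -c, as one pass that keeps per-host counts."""
    counts = Counter()
    for line in log_text.splitlines():
        m = HOST_RE.search(line)
        if m and keyword in m.group(1):
            counts[m.group(1)] += 1
    return counts


def lookalike_hosts(counts: Counter, legit_domain: str) -> list:
    """Hosts that mention the company name but are neither the legit domain nor one of its subdomains."""
    legit = legit_domain.lower()
    return sorted(h for h in counts
                  if not (h.lower() == legit or h.lower().endswith("." + legit)))


if __name__ == "__main__":
    counts = host_counts(SAMPLE_LOG, "wolvsecsolutions")
    for host, n in counts.most_common():
        print(f"{n:4d}  {host}")
    print("not under the legit domain:", lookalike_hosts(counts, "wolvsecsolutions.com"))
```

The suffix check is the point: a hostname that merely contains the company name (here on run.app) is exactly the kind of link a phishing victim clicks, and it is the one host the dedup step cannot tell apart from the rest.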

Challenge 6:

Challenge Title: Site Secret
Challenge Description: There’s been a secret flag on this website the whole time???

That’s an interesting background…

Link for challenge: https://mega.nz/file/J0AEVaIA#-lNh6b_yrVWuMaZVr1TkGXLw24_feJkabG9jgqSsVNU

Challenge photo

So, this is the background. Here we can think of two things. First, stego: to begin with I put the file through an all-in-one stego website (as I call it).

Well, it did not give any leads for this challenge. Now let's try the second way: analysing the image itself. The background looks a bit off, doesn't it? It is filled with binary digits; maybe we can convert those bits to ASCII.

TIP: Your eyes are going to be destroyed. hahaha

Now to get the binary data, there are three different ways.

1st way: stare at the image and type out each binary digit by hand, line by line. This takes a lot of time and is very hard on your eyes.

2nd way (the one I used): upload the file to Google Images, which can recognise the binary digits as text; copy them out from there.

From there you can paste the binary data into a binary-to-ASCII converter (I used this site: https://www.prepostseo.com/tool/binary-translator).

3rd way (shared by another player after the CTF): we know the flag format is wctf{...}, so we can take the binary of "wctf{" (without the quotes) and search for that bit pattern in the image's binary data. Wherever it matches tells us both where the flag starts and the correct bit alignment, which is the real problem with OCR'd bits: the copied text rarely starts on a character boundary.

NOTE: All the ways work; use whichever you prefer.

So now we have the data; let us put it in the converter piece by piece.

What I did was take the binary data and try to convert it, but it came out as unreadable characters, so I started deleting bits from the front until parts of the flag appeared (once the 8-bit grouping lines up with the real character boundaries, the text becomes readable).

For example, I have taken data from here,

and pasted them in the converter,

As I mentioned, we get unreadable characters at first, but I deleted the leading bits one by one from the front (starting at 00001).

Now this looks like a part of the flag, doesn't it? So I tried the same with the other binary data too.

Yep, the middle had the flag, so I checked all 4-5 lines in the middle and got my flag (the stray bits left at the end of each chunk are the start of the next character):

011101110110001101110100011001 → wct
011110110111010000110000001100000110101101011111011110010 → {t00k_y
01110101010111110110110000110000010011100110011101 → u_l0Ng
00110011011011100011000001010101011001110100100001011 → 3n0UgH
01101000001100110110100000110011011111010000010 → h3h3}

wctf{t00k_y0u_l0Ng_3n0UgH_h3h3}
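Both the "delete bits from the front" trick and the 3rd way (search for the bit pattern of "wctf{") automated, as an added example that is not part of the write-up. best_alignment tries all eight bit offsets and keeps the one that yields the most printable characters, which is what deleting leading bits by hand converges on; find_flag locates the prefix's bit pattern, which fixes the alignment for free, and decodes up to the closing brace. The noisy input is constructed by putting stray bits around the bits of the flag recovered above; the "{t00k_y" chunk used in the check is the one quoted in the write-up.

```python
import string

# Printable ASCII, minus the vertical-tab/form-feed oddities that would inflate the score.
PRINTABLE = set(string.printable) - set("\x0b\x0c")
FLAG = "wctf{t00k_y0u_l0Ng_3n0UgH_h3h3}"  # flag recovered in the write-up, used as known-good text


def to_bits(text: str) -> str:
    """ASCII text -> string of 8-bit groups."""
    return "".join(f"{ord(c):08b}" for c in text)


def decode_bits(bits: str, offset: int = 0) -> str:
    """Group bits into bytes starting at `offset`; a trailing partial byte is dropped."""
    bits = bits[offset:]
    usable = len(bits) - len(bits) % 8
    return "".join(chr(int(bits[i:i + 8], 2)) for i in range(0, usable, 8))


def best_alignment(bits: str):
    """Try all 8 offsets and return (offset, text) with the most printable characters."""
    scores = [(sum(ch in PRINTABLE for ch in decode_bits(bits, o)), o) for o in range(8)]
    _, best = max(scores, key=lambda s: (s[0], -s[1]))  # highest score, lowest offset on ties
    return best, decode_bits(bits, best)


def find_flag(bits: str, prefix: str = "wctf{", end: str = "}"):
    """Search the prefix's bit pattern at any alignment, then decode until the end marker."""
    start = bits.find(to_bits(prefix))
    if start < 0:
        return None
    text = decode_bits(bits, start)
    return text[: text.index(end) + 1] if end in text else text


# Constructed noisy input: stray OCR bits before the flag and a partial byte after it.
NOISY = "00001" + to_bits(FLAG) + "0101"

if __name__ == "__main__":
    print("offset 0 :", repr(decode_bits(NOISY)))
    print("best     :", best_alignment(NOISY))
    print("prefix   :", find_flag(NOISY))
```

For OCR output split across image lines, join the lines first; the partial bytes at the end of each chunk in the write-up are exactly what you lose by decoding line by line.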

So this was the final forensics challenge.

Tip: whenever you solve a forensics challenge, always think of different possibilities and test them; if one is right you will definitely get a lead.

Honestly, I loved these challenges, and I learned from them too.

So that is it for this write-up. I hope you enjoyed it, learned something and had fun reading. Thank you for reading.

See you next time; till then, sayonara...
