MITRE STEM CTF: Cyber Challenge 2016


Hello people!

I managed to participate in my first ever Capture the Flag event. It was fun, and challenging at the same time. I took part in this with one of my buddies (KiaM). So yeah our little ‘team’ consists of just us.

Our main objective was of course, to learn and gain experience. And for sure we did 🙂

I will be doing the write up of the challenges solved by me and my friend. Cheers!

Links to said CTF:
https://ctftime.org/event/330
http://mitrecyberacademy.org/competitions/
https://scoreboard.mitrestemctf.org/

Grab Bag – 10 points
==========
Welcome! 10 points

Knowing the flag format is important! It will help you a lot with this challenge. Read the rules and come on back!
==========
This was pretty simple and straightforward; a morale boost, I suppose.

[screenshot]

Grab Bag – 100 points
==========
Supa Hot Fire 100 points

Your obnoxious neighbor just installed an IP-enabled household heating controller. You were able to get into his home network since he still uses a WEP key. Time to get him back with a harmless prank of burning out the heating coils in his house.
==========
The interface provided:

[screenshot]

So basically we have to play around with the switches D0-D9 and fake an overheating condition. Each switch can be clicked to toggle it between HIGH and LOW.

We’ve got to find a configuration that will cause a sustained increase in temperature.
Let’s look up CD74HC4067.

Turns out it’s an integrated circuit. We’ll look for the data sheet and find the truth table to see how it works.

[screenshot]

For the left circuit we want channel 11 to be selected, so we set D0, D1 and D3 to HIGH.
For the right circuit we want channel 6 to be selected, so we set D5 and D6 to HIGH.
The flag is revealed at the bottom right.

[screenshot]
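As an added example (not part of the original write-up), the following Python encodes the CD74HC4067 truth table: the part is a 16-channel analog multiplexer whose four select inputs S0..S3 form the binary channel number, S3 being the most significant bit. The wiring of the challenge's switches to those inputs (D0..D3 for the left circuit, D4..D7 for the right one) is an assumption made here because it reproduces the switch settings above.

```python
# Added example, not code from the original write-up.
# CD74HC4067: 16-channel analog mux; selected channel = binary number S3 S2 S1 S0.
# The switch-to-select-input wiring below is an ASSUMPTION made for this example.
LEFT_SELECT_PINS = ("D0", "D1", "D2", "D3")   # assumed: S0..S3 of the left mux
RIGHT_SELECT_PINS = ("D4", "D5", "D6", "D7")  # assumed: S0..S3 of the right mux


def channel_to_select_bits(channel):
    """Truth table, forward direction: channel 0..15 -> (S0, S1, S2, S3) levels."""
    if not 0 <= channel <= 15:
        raise ValueError("CD74HC4067 has channels 0..15 only")
    return tuple((channel >> i) & 1 for i in range(4))


def select_bits_to_channel(bits):
    """Truth table, reverse direction: (S0, S1, S2, S3) levels -> channel number."""
    return sum(bit << i for i, bit in enumerate(bits))


def pins_to_set_high(channel, select_pins):
    """Which switches must be HIGH (the rest LOW) to route the given channel."""
    bits = channel_to_select_bits(channel)
    return [pin for pin, bit in zip(select_pins, bits) if bit]


def channel_from_switches(high_pins, select_pins):
    """Decode the currently selected channel from the set of switches held HIGH."""
    bits = tuple(1 if pin in high_pins else 0 for pin in select_pins)
    return select_bits_to_channel(bits)


def full_truth_table(select_pins):
    """All 16 rows, handy for checking a data-sheet screenshot line by line."""
    return {ch: pins_to_set_high(ch, select_pins) for ch in range(16)}


if __name__ == "__main__":
    print("left, channel 11:", pins_to_set_high(11, LEFT_SELECT_PINS))   # D0 D1 D3
    print("right, channel 6:", pins_to_set_high(6, RIGHT_SELECT_PINS))   # D5 D6
```

Channel 11 is 1011 in binary, so S0, S1 and S3 go HIGH; channel 6 is 0110, so only S1 and S2 do, which is exactly the D0/D1/D3 and D5/D6 pattern found by hand.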

Grab Bag – 150 points (1)
==========
Its Over 150 points

Your friend thinks he’s really good at sending hidden messages, time to prove him wrong.
==========
This was solved using an online photo editor. For this challenge the flag is actually 7 characters instead of the usual 8. (This was stated ahead of time on the CTF website itself.)

Upload the PNG provided to http://www194.lunapic.com/editor/

[screenshot]

Not so straightforward.
Add filters, select Neon lights, and the real flag will be displayed.

[screenshot]

Grab Bag – 150 points (2)
==========
Traffic Dots 150 points

Traffic Dots are devices used in roadways around the world for detecting car presence at intersections as well as highways. They communicate with the traffic light controller over an unprotected 2.4 GHz connection. They report how many cars have passed as well as if a car is present over the sensor. These are battery powered devices that are put under roads and are expected to last from 5 to 10 years on battery. The more cars that go over the sensor the faster the battery will drain. The software to configure the Traffic Dots is openly given out by the manufacturer and through some clever social engineering you managed to get access. You put the software on your laptop and got the proper radio technology to use the software. You are near an intersection where the traffic is very busy in one direction but not the other. There has to be a way to increase traffic by modifying these Traffic Dots which may result in someone running a red light due to impatience.
==========
Our objective is to “result in someone running a red light due to impatience”.

The traffic dots that have the most cars run over them communicate with the traffic light controller and the controller assigns more time for traffic in that direction.

By swapping which traffic light controller each traffic dot reports to, we can create a situation where someone might run a red light due to impatience, as they would have expected to have more time.

[screenshot]

Freq: the connection frequency.
Volt: the amount of battery remaining. The lower the voltage, the busier the road.

From the voltages, we can clearly see that traffic in the East-West directions is higher than North-South.

Let’s swap the frequencies.

[screenshot]

We use 2.440 as an intermediate swap frequency as there is no in-built function to swap dot frequencies.

Once you have swapped:

W1 with N1, W2 with N2, E1 with S1, E2 with S2,

The flag will be revealed.

[screenshot]

Grab Bag – 200 points
==========
Alien Contact 200 points

After many years of investing funds into the search for extraterrestrial life it has finally paid off! We have managed to capture what we believe is a broadcast from an alien radio station. Why not give it a look?
==========
This challenge was about analyzing the spectrum of the provided .wav audio file.

apt-get install audacity
launch Audacity
open the .wav file in Audacity
select “View Spectrogram”

[screenshot]

[screenshot]

Crypto – 50 points
==========
… Not! 50 points

The key is not MCA-3CD9E73E.
==========
3CD9E73E
Converted to binary: 0011 1100 1101 1001 1110 0111 0011 1110
After applying a bitwise NOT: 1100 0011 0010 0110 0001 1000 1100 0001
Converted back to hex: C32618C1

Flag = MCA-C32618C1
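The same working in Python, as an added example that is not part of the original write-up. The one detail worth showing in code is the width: Python's `~` on an int gives a negative number of unbounded width, so the result has to be masked back to 4 bits per hex digit (32 bits here) before it turns into the expected 8-digit key. The function names are my own.

```python
# Added example, not code from the original write-up.
def bitwise_not_hex(hex_digits):
    """Invert every bit of a hex string and keep its width.

    Python's ~ yields a negative number of unbounded width, so the result is
    masked back to 4 bits per hex digit (8 digits -> 32 bits for this key).
    """
    width_bits = 4 * len(hex_digits)
    value = int(hex_digits, 16)
    inverted = ~value & ((1 << width_bits) - 1)
    return format(inverted, "0{}X".format(len(hex_digits)))


def to_nibbles(hex_digits):
    """Binary rendering grouped four bits per hex digit, like the working above."""
    return " ".join(format(int(d, 16), "04b") for d in hex_digits)


def solve_not_key(key):
    """Keep the 'MCA-' style prefix and NOT the hex body after the dash."""
    prefix, dash, body = key.partition("-")
    return prefix + dash + bitwise_not_hex(body)


if __name__ == "__main__":
    print(to_nibbles("3CD9E73E"))
    print(to_nibbles(bitwise_not_hex("3CD9E73E")))
    print(solve_not_key("MCA-3CD9E73E"))   # MCA-C32618C1
```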

Incident Response – 100 points
==========
PCAP Examination 100 points

Scenario:
One morning before the daily IT team meeting, Joseph Adams inadvertently installs malware posing as a software update onto his corporate Windows VM. The malware beacons out to a Linux machine outside the corporate network and the waiting attacker uses Joe’s Windows 7 VM as a pivot point to reach the rest of the internal, corporate network.

The attacker locates a Linux-based file server and uses credentials that Joe had stored in an unencrypted plaintext file to log in to the file server.

The attacker locates a Truecrypt file on the file server, exfiltrates the file, and replaces the original file with a second file that he/she has uploaded.

When Joe returns from his morning meeting, he notices the attacker is still connected to his VM. He immediately logs in to the hypervisor, suspends the VMs, and retains the volatile memory (raw/DD) and virtual hard disk (VMDK) files from the affected machines for forensic analysis.

Later that afternoon, the attacker contacts the company’s CIO Office and offers up the original file and password for ransom.

The corporate CIO would like the internal IR Team to investigate whether the exfiltrated Truecrypt file can be recovered without having to pay the ransom.

Evidence
Archive Password: fV9kilIT29ITiGrZkvrOjZ4ENEK82O5ble4F9l5imirhDZ92COp9uPEZTCjNrAY
Prove that you have found the stolen file by providing its sha1sum
==========
It is always good to get an overall view of the traffic present first.
Wireshark menu bar > Statistics > Protocol Hierarchy

[screenshot]

We can see a significant amount of FTP data present.
Apply the display filter ‘ftp’ to get a closer look.

[screenshot]

At frame 17994, we can see a file ‘pictures.zip’ being transferred, with a file size of 4194304 bytes.
Let’s apply the display filter ‘ftp-data’ to obtain the file.

[screenshot]

On frame 17995, using right-click > Follow > TCP Stream, we can see the data contained in the packets that belong to this stream.

[screenshot]

We can see that the amount of data in the ‘Entire conversation’ is 4194 kB, which matches the file size of pictures.zip, as we would expect.
Now we show the stream data as ‘Raw’ and click ‘Save as…’.

[screenshot]

The sha1sum gives us the answer (the flag).

[screenshot]
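For the carving step, here is an added Python example (not the author's code and not part of the original write-up) that does the check the write-up performs by eye: it parses the FTP control channel for the RETR/STOR command, the size advertised in the 150 reply and the passive-mode data endpoint, then confirms that the bytes saved from the ftp-data stream have exactly that size before hashing them. The control-channel text and the 48-byte data stream below are constructed for this example; the real capture transferred pictures.zip at 4194304 bytes.

```python
import hashlib
import re

# Added example, not code from the original write-up.
# Constructed control-channel text (port 21) in the form Wireshark's
# "Follow TCP Stream" shows it.  Addresses and the size are made up here.
CONTROL_STREAM = """\
220 (vsFTPd 3.0.3)
USER joe
331 Please specify the password.
PASS ********
230 Login successful.
TYPE I
200 Switching to Binary mode.
PASV
227 Entering Passive Mode (10,0,0,5,195,80).
RETR pictures.zip
150 Opening BINARY mode data connection for pictures.zip (48 bytes).
226 Transfer complete.
"""

# Constructed stand-in for the bytes saved from the ftp-data stream as Raw:
# a ZIP local-file-header signature followed by padding, 48 bytes in total.
DATA_STREAM = b"PK\x03\x04" + b"\x00" * 44

PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
XFER_RE = re.compile(r"^(RETR|STOR) (\S+)")
OPEN_RE = re.compile(r"^150 .*?for (\S+) \((\d+) bytes\)")


def parse_transfers(control_text):
    """Walk the control channel and collect one record per file transfer."""
    transfers, data_endpoint, pending = [], None, None
    for line in control_text.splitlines():
        m = PASV_RE.match(line)
        if m:
            a, b, c, d, p1, p2 = (int(x) for x in m.groups())
            # PASV encodes the data port as two bytes: high * 256 + low.
            data_endpoint = ("%d.%d.%d.%d" % (a, b, c, d), p1 * 256 + p2)
            continue
        m = XFER_RE.match(line)
        if m:
            pending = {"command": m.group(1), "filename": m.group(2),
                       "data_endpoint": data_endpoint}
            continue
        m = OPEN_RE.match(line)
        if m and pending is not None:
            pending["size"] = int(m.group(2))
            transfers.append(pending)
            pending = None
    return transfers


def verify_and_hash(transfer, data):
    """Return the sha1 of the carved bytes only if their length matches the 150 reply."""
    if len(data) != transfer["size"]:
        raise ValueError("carved %d bytes but the server advertised %d"
                         % (len(data), transfer["size"]))
    return hashlib.sha1(data).hexdigest()


def carve_report(control_text, data):
    """(filename, size, data endpoint, sha1) for each transfer seen on the control channel."""
    return [(t["filename"], t["size"], t["data_endpoint"], verify_and_hash(t, data))
            for t in parse_transfers(control_text)]


if __name__ == "__main__":
    for name, size, endpoint, digest in carve_report(CONTROL_STREAM, DATA_STREAM):
        print(name, size, endpoint, digest)
```

The length check is the part that matters for evidence: a Wireshark "Follow TCP Stream" export that is a byte short (for example because a retransmission was included or a segment was missing) hashes to something that will never match the stolen file.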

Incident Response – 200 points
==========
Windows Volatile Memory Analysis 200 points

Show that you have discovered the attackers persistence mechanism by providing the sha1sum of the registry key used.
==========
We will make use of Volatility, a memory forensics tool that comes with Kali Linux.

First step: identify the profile of the image (Win7SP0x86).

[screenshot]

Next, we can proceed to examine the hivelist.
I chose to use vol.py instead of the volatility command due to some weird errors.
If you want to use vol.py, make sure that you are in the volatility folder, as shown.

[screenshot]

We can proceed to discover which registry keys are used for the attacker’s persistence.
To auto-run a malicious file when Windows boots up, the usual place an attacker will tamper with is the CurrentVersion\Run registry path.
We will proceed to use the printkey plugin with -K.

[screenshot]

We can see that the .vbs script looks very suspicious, and the key associated with it is “exWaMEoIW”.

The flag for this challenge:

[screenshot]

Incident Response – 300
==========
Didn’t take down the question 😦
But the challenge was basically finding the password of a .db file and getting its sha1sum.
==========
The password can be found from Incident Response – 200 by doing an lsadump.

[screenshot]

Essentially that’s the key step. The rest is just mounting the two .dd images, one of which was encrypted. The screenshot contains the password to the encrypted image, and the employee database is inside it.

Web – 100 points
==========
Crisscross 100 points

Our favorite Harry Potter fan site seems to be experiencing some problems, see if you can help us figure out why.
==========
The provided URL:

[screenshot]

View page source…

[screenshot]

Pretty straightforward. The flag was revealed in the
/whereISend/allYourPasswordsAndStuff
directory.

Web – 150 points
==========
Welcome Home 150 points

You just got back from a long trip and seem to have forgotten the PIN to your home security system. Guess you’ll just have to break in…
==========
URL provided.
Possible usernames: guest, JohnSmith.

[screenshot]

Another possible username? donutsAreGr8; we will just take note of it for now.

[screenshot]

OK, so basically if we succeed in logging in, we will be redirected to /login/$username/$pin.

[screenshot]

I went on to look at the request/response via the Burp Suite proxy. I discovered that if the request was wrong, I would be presented with a 30X HTTP status code and then redirected back to /home.
Since the PIN is only 4 digits, it was feasible to attempt a brute force.

First, make use of the tool ‘crunch’ to create a 0000-9999 word list.
Then I went on to launch gobuster, a brute-forcing tool.

The first user I tried was ‘guest’. It was discovered that guest’s PIN is ‘1234’ and the status code returned was 200. The homepage of the user guest indicates that the flag is in another user’s home.

The next user I tried was ‘JohnSmith’. After going through the entire word list, JohnSmith’s PIN was not discovered. I figured my approach was most likely correct, since I was able to obtain guest’s PIN.

I tried the user donutsAreGr8 instead, and boom!

[screenshot]

[screenshot]

The user ‘JohnSmith’ was a distraction, and my approach was right 🙂
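The reason a 4-digit PIN falls to a word list is that 10,000 guesses are nothing when the server evaluates every one of them and reports the result through a different status code. As an added example (not code from the challenge or from this write-up), here is the server-side control a defender would put in front of such a login: a per-account failed-attempt counter with a lockout window and a constant-time comparison, plus a simulation that runs the same 0000-9999 sweep against it. The policy numbers, the usernames and the fake clock are assumptions made for the example.

```python
import hmac
import time

# Added example, not code from the original write-up or the challenge.


class PinGate:
    """Per-account failed-attempt counter with a lockout window (assumed policy)."""

    def __init__(self, pins, max_attempts=5, lockout_seconds=900, clock=time.monotonic):
        self._pins = {user: pin.encode() for user, pin in pins.items()}
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self._clock = clock
        self._failures = {}       # username -> consecutive failures
        self._locked_until = {}   # username -> clock value when the lock expires

    def attempt(self, username, pin):
        now = self._clock()
        if self._locked_until.get(username, 0.0) > now:
            return "locked"
        stored = self._pins.get(username, b"")
        # Constant-time compare; unknown users take the same path as wrong PINs.
        if stored and hmac.compare_digest(stored, pin.encode()):
            self._failures.pop(username, None)
            return "ok"
        failures = self._failures.get(username, 0) + 1
        if failures >= self.max_attempts:
            self._locked_until[username] = now + self.lockout_seconds
            self._failures.pop(username, None)
            return "locked"
        self._failures[username] = failures
        return "denied"


def sweep(gate, username):
    """Replay a 0000-9999 word list against one account and tally the outcomes."""
    counts = {"ok": 0, "denied": 0, "locked": 0}
    for n in range(10000):
        counts[gate.attempt(username, "%04d" % n)] += 1
    return counts


class FakeClock:
    """Deterministic clock so the lockout window can be tested without sleeping."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


if __name__ == "__main__":
    clock = FakeClock()
    gate = PinGate({"guest": "1234"}, clock=clock)
    print(sweep(gate, "guest"))            # 4 denied, then locked for the rest
    clock.now += 901
    print(gate.attempt("guest", "1234"))   # "ok" once the window has passed
```

With this in place the full sweep evaluates only four PINs before the account locks, and the remaining 9,996 requests are answered without the stored PIN ever being consulted; pairing it with a uniform response for wrong PINs and unknown users removes the 200-versus-30X oracle the write-up relied on.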

========================================================================

OK, that’s all the challenges my buddy and I managed to solve.
We concluded at 1510 points total.
The full categories of this CTF were:
Binary
Crypto
Forensics
Grab Bag
Incident Response
Web

I was quite disappointed with myself as I did not progress well enough in the Web category. I am excited to see the full solution write up!

I definitely had fun and learned a few new things as well.

Cheers people~

-9emin1
