Monish Kumar's Blog

JITFP - PicoCTF 2026 Challenge Writeup

Fri, 20 Mar 2026 10:41:25 +0530

I took part in PicoCTF 2026, that happened between 9th March 2026 to 19th March 2026. I ranked at 570 globally and got a total score of 11,000 out of the maximum 14,500.

I didn’t plan on writing writeups for this one. But there was one challenge that was so good, that I had to write about it.

JITFP

Challenge Description

If we can crack the password checker on this remote host, we will be able to infiltrate deeper into this criminal organization. The catch is it only functions properly on the host on which we found it.

The challenge is now moved to picoCTF gym, you can access it here. In the live CTF, this challenge was for 500 points, which was the highest among all the other challenges (except for other 500 point challenge, of course).

Solution

The description doesn’t tell us much or doesn’t give us any files to actually reverse engineer binaries. However, there is an instance associated with the challenge. Launching it gives you credentials for a SSH login on a remote host.

Logging in, we are greeted with, uh well, a message. And put in a directory with only one binary. Assuming this is the target binary, I started to poke it.

The binary takes an arguement input and does something with it. There is a loading bar like output that takes some time to complete before printing the incorrect message. I wanted to time it, so I used time utility. It takes around 33 seconds to run once. This brings a thought, is this a timing side channel attack scenario? Perhaps if I give a correct character at a position it would speed up or slow down? I tried it but it still ran the same 33 seconds.

So to move further, we have to pop open and look under the hood. Since the binary was in a SSH instance, I used scp to make a local copy and then used it to analyze it locally. I loaded it in Binary Ninja and the main function looked like this:

We have a peculiar looking if statement, where if the condition is false, it calls another function, prints out “Incorrect” and then exits. The other flow is what we should be doing to get the correct message. We still need to know what the function sub_401932 does.

So basically, it prints out asterisk, sleeps and prints a new line and exits. Not that interesting except this is where the sleep happens.

Going back to the if condition, it didn’t make much sense to me, so I decided to get a second opinion from IDA (yes I have multiple decompilers, they are all awesome in their own way).

Now that is better. So we have one memory array that index into another memory array which has function pointers because whatever is in there is used to call a function, so the most sensible conclusion is that they are function pointers. So let’s take a look at the memory arrays. At the first layer memory array, that index into the function pointer array we have:

So we have a bunch of indices indeed. Looking at the second array, the one which should have function pointers, we have:

That don’t look like much. So I took a look at the same address in Binary Ninja:

There is nothing here. So I started to look around for other things.

Another important detail I found was that in the binary there are a lot of functions like these:

There were functions like these for all the lowercase and uppercase alphabets, digits, underscore and curly braces. So these functions basically check if the given character is the one there are validating or not. So it is logical to assume that, these are the functions that would be present and called from the function pointer array.

However that is empty. Or is it just uninitialized? Perhaps the function pointers are populated at runtime only? And then the title suddenly made sense, “Just In Time Function Pointers”, JITFP. So I just have to dump whatever that memory is in runtime and get the functions pointers. Easy, right?. Or that’s what I thought. But no, I can’t even run the thing in my local machine

Now, this shouldn’t really come as a surprise, because the description of challenge literally tells that we can only run it on the remote machine. So I have to rely on any debugging tools on the remote machine.

So, in terms of tools, there was none. Hence, the question became “how can I dump a memory of a live running process?”. Yes, the procfs at /proc. Every process’s has it’s mapping of memory at /proc/<pid>/maps and actual memory contents at /proc/<pid>/mem. So I opened two SSH shells into the remote machine with tmux and saw if I could access the procfs.

I could. Now we just have to dump the memory contents into a file and analyze it. Turns out the file system is read-only. Great. So I thought of redirecting the memory to xxd utility, copying the hex dump and then analyzing it. But before I could go further I wanted to check what kind of protection this binary has. Thankfully, checksec was installed.

We got PIE, Position Independent Executable. But this shouldn’t really be a problem as PIE just randomizes the base address of the virtual memory. If we had ASLR, then it would have been hell, because the entire layout of the virtual memory would be randomized, but thankfully no.

Now all I had to do was put together a bunch of commands that would take the /proc/<pid>/maps as input and dump the required memory. Since the memory we are interested is in 0x4120, the content would be present at base + 0x4120. We only need to read 264 bytes of information because that’s how long the function pointer array was. Put these together, I had this script to dump stuff:

./ad7e550b aaaa & pid=$!;
base=$(cat /proc/$pid/maps | grep -m1 "r--p 00000000" | cut -d'-' -f1);
target=$(printf "%d" $((16#$base + 0x4120)));
dd if=/proc/$pid/mem iflag=skip_bytes,count_bytes skip=$target count=264 2>/dev/null | xxd -p;

This gave an output like:

If I dumped the memory immediately, it is still uninititialized. So I had to add some sleep command to get some actual output. Right now it doesn’t look like much, but these do actually look like function pointers from a binary. I put together a small python script to parse this and print me the function offsets.

data = "<dumped hex>"

ptrs = [int.from_bytes(data[i : i + 8], "little") for i in range(0, len(data), 8)]

base = 0x....

offsets = [p - base for p in ptrs]

for i, o in enumerate(offsets):
    print(f"idx {i}: offset 0x{o:x}")

This prints out the offsets that are given by the addresses in the hexdump.

And good enough, these offsets correspond to actual function offsets in the binary. So the only thing now to do is index this offsets using the first memory array and see in which order, which functions are being called. I extended the previous script a little to get that part done.

data = "<dumped hex>"

func_map = {...} # A dictionary mapping which function offset correspond to which character

dword_4020 = [...] # The indices from the first memory array

ptrs = [int.from_bytes(data[i : i + 8], "little") for i in range(0, len(data), 8)]
base = 0x...
offsets = [p - base for p in ptrs]
flag = []

for idx in dword_4020:
    flag.append(func_map[offsets[idx]])

print("".join(flag))

Executing this gave:

Now that does not look like a flag to me. I checked my scripts and other things, everything seemed to be right. So I decided to do the same process one more time. And it gave me:

An entirely different output. But why? I did everything the same, except for one thing. I adjusted the sleep duration in bash from 5 to 2, thinking I need to read the memory early. At this point I had no idea what to do and I almost gave up. It wasn’t until later it struck me, “what if the entirety of the function pointer array changes every second?”. That would mean that only one memory address at a point of time would be the right one, the rest are just fillers.

I modified the bash script I used to extract the memory from procfs as:

./ad7e550b aaaa & pid=$!; i=1; cat /proc/$pid/maps; 
while [ $i -lt 35 ]; do
  base=$(cat /proc/$pid/maps | grep -m1 "r--p 00000000" | cut -d'-' -f1)
  target=$(printf "%d" $((16#$base + 0x4120)))
  dd if=/proc/$pid/mem iflag=skip_bytes,count_bytes skip=$target count=264 2>/dev/null | xxd -p
  i=$(($i+1))
  sleep 1
done

This dumped the memory address 33 times. I put 35 just to be sure, in case. So I put all those hex dumps in a text file and modified my python script to:

func_map = {...} # A dictionary mapping which function offset correspond to which character

dword_4020 = [...] # The indices from the first memory array

def parse_dump(line):
    hex_str = line.strip().replace(" ", "")
    data = bytes.fromhex(hex_str)
    return [int.from_bytes(data[i : i + 8], "little") for i in range(0, len(data), 8)]

lines = []
with open("dumps.txt") as f:
    for _ in range(33):
        l = []
        for _ in range(9):
            l.append(f.readline().strip("\n"))
        lines.append("".join(l))

base = 0x...

flag = []
for second, line in enumerate(lines):
    if second >= len(dword_4020):
        break
    ptrs = parse_dump(line)
    idx = dword_4020[second]
    ptr = ptrs[idx]
    offset = ptr - base
    char = func_map.get(offset, "?")
    flag.append(char)
    print(f"second {second:02d}: idx={idx:#x} offset={offset:#x} char={char}")

print(f"\nFlag: {''.join(flag)}")

Now, there is a bit of a timing requirement to this challenge, as the first time I ran it, it was some random output. But when I ran it again, it worked. I got:

I still didn’t get the ‘p’ in ‘picoCTF’ for some reason, but I could fill it, submit it and get the points. This was such a cool challenge, that I had to rethink everything again and again and again. And the part where the function pointer array getting randomized for every second execpt for the right index was absolutely devious. Loved it.

Barbwire: an eBPF based behavioral correlator

Sun, 08 Mar 2026 16:42:18 +0530

Introduction

After the eBPF learning phase I wrote about in the last post, I wanted to build something that looked like a real security tool. Not because I thought I’d ship it, but because the programs I tried before where stupid. At some point you need a problem with actual constraints.

Barbwire is that project. It’s a lightweight behavioral correlator for Linux. It watches for processes that open sensitive files and then make network connections within a short time window. This is classic exfil behavior and rough fingerprint for credential harvesting and so on. It’s not a production EDR. It’s an experiment. It’s on my Github if anyone’s interested.

The core design decision

The first instinct when building something with eBPF is to put logic in the BPF side. It’s running in the kernel, it’s fast, why not do the correlation there?

I thought about it and decided against it early. The BPF verifier gets unhappy with complex logic. It’s harder to debug, less portable across kernel versions, and for this use case, unnecessary. Userspace is fast enough. The design I landed on: BPF is a dumb data collector, userspace does the thinking.

The BPF side attaches tracepoints to three syscalls. sys_enter_openat for file opens, sys_enter_connect for network connections, and sys_enter_execve for process execution to track lineage. All three write into a single shared ring buffer with an event type field. Userspace reads and routes.

I used a ring buffer over a perf event array deliberately. Perf event arrays are per-CPU, so you have to poll multiple buffers and deal with out-of-order events. A ring buffer is a single shared buffer, better throughput, simpler consumer. So obviously I wanted the path of least resistance.

How correlation and scoring works

On the userspace side, three in-memory maps hold state. Recent file opens per PID, process lineage from exec events, and a deduplication map to avoid alerting on the same PID repeatedly. A cleanup goroutine evicts stale entries every 30 seconds.

The correlation window is configurable. I have it set to 5 seconds. When a connect event comes in, Barbwire looks back at that PID’s recent file opens and checks if any fall within the window. If they do, it scores the pair.

Scoring is based on file and connect pairs, not individual signals. A process connecting to the network is normal. Opening /etc/passwd on its own is normal. Both within 5 seconds is suspicious. The score comes from which file category was accessed:

suspicious_files:
  - category: "credential access"
    base_score: 3
    patterns:
      - "/etc/passwd"
      - "/etc/shadow"
      - "/.aws/credentials"
  - category: "ssh key exfiltration"
    base_score: 3
    patterns:
      - ".ssh/id_rsa"
      - ".ssh/id_ed25519"

Process lineage modifies the score up or down. A shell spawning a process that reads credentials and connects out is more suspicious than the same behavior happening under systemd:

suspicious_parents:
  - comm: "bash"
    modifier: 2
  - comm: "sshd"
    modifier: 3

legit_parents:
  - comm: "systemd"
    modifier: -2
  - comm: "dockerd"
    modifier: -2

Alert threshold and severity thresholds are decoupled. The threshold decides if the alert is an actual alert, severity is a classification of the alert. When a connect event comes in, Barbwire picks the highest scoring file match for that PID and emits one alert. One alert per connect event per process, no duplicates (hopefully).

A fired alert looks like this:

┌─ barbwire alert — PID 41890  ─────────────
│  command  : python
│  file     : /etc/passwd
│  connect  : 2404:6800:4007:821::200e:80
│  severity : HIGH
│  reasons  : credential access, suspicious parent: fish
│  parent   : fish (pid 13387)
│  gparent  : tmux: server (pid 9483)
└─────────────────────────────────────────────

My Screwups while building it

A few things broke in ways that were actually instructive. The first one was actually two bugs hiding behind each other, which made it genuinely annoying to debug.

There was a constant mismatch between the C and Go sides. EVENT_EXEC, the event type for sys_enter_execve tracepoint, was 2 and EVENT_CONNECT, the event type for sys_enter_connect, was 3 in the BPF code, but I had them swapped in Go. At the same time, I had attached the exec tracepoint and called Close() on it immediately without a defer, so it detached right after attaching (Yeah this is embrassing).

The symptom was simple, in terms of events I had none. Thing was execve events were being routed to the connect handler. Since those events carry no IP address family, they got dropped as invalid. Meanwhile connect events were being routed to the exec handler, which was already closed. Everything was failing quietly in a different place than where I was looking.

I spent a while staring at the correlation logic before going back to basics and checking whether the tracepoints were even active. Once I caught the missing defer, connect events started showing up, but in the wrong handler. That’s when I found the swapped constants. Two separate bugs, one symptom, neither pointing at the other. Really annoying

The most useful bug involved stale memory in the event struct. bpf_ringbuf_reserve gives you a pointer to uninitialized memory. If you skip the __builtin_memset before writing your fields, whatever was in memory from the previous event bleeds into the fields you didn’t set. I had filenames with garbage characters appended, leftovers from longer filenames earlier in the buffer. The fix is one line. But you have to know it’s needed.

Limitations and takeaways

The biggest problem with Barbwire is the one that can’t be tuned away.

For example, curl reads /etc/passwd on every invocation. Here is it making the call:

Not because it’s malicious, but because that’s how it works. I believe, basically any program using libc networking does this. Barbwire flags it every time. No matter how hard I tuned the knobs, I couldn’t get rid of such alerts. Then it hit me, single-process correlation without broader context has a ceiling.

Evidently, production security tools handle this differently. Binary hash whitelisting instead of process name matching, which is spoofable. Process ancestry graphs that track behavioral chains across multiple processes. Behavioral baselines built up over time. A shell that reads /etc/passwd and then forks a child that connects out would be caught by a graph-based correlator. Barbwire misses it because the file open and the connect are in different PIDs.

Building this made that limitation concrete in a way I don’t think I’d have gotten from just reading about EDR design. Honestly, I never even thought of these before. You also understand why process ancestry graphs exist when your tool fails exactly where they’d succeed.

The other thing I took away: the BPF to userspace boundary is unforgiving. Memory layout, pointer semantics, which helper functions apply where, what the verifier accepts. The documentation covers the what, but the why only shows up when things break.

All things considered, I had fun with all this. That’s the whole point if you think about it.

I wanted to poke at the Linux kernel. eBPF was the answer

Sat, 07 Mar 2026 20:32:58 +0530

Introduction

A while back I came across Cloudflare’s writeup on how they mitigated a 3.8 Tbps DDoS attack, the largest ever disclosed publicly at the time. The post goes deep into how their systems detected and dropped attack traffic autonomously (quite interesting stuff). One part that caught my eye: they used XDP and eBPF to drop packets directly at the NIC level, before the kernel network stack even saw them. I had zero clue on what eBPF was back then. I thought that was interesting, bookmarked it, and then forgot about it (Yeah I do that a lot).

When I eventually got around to it, I was looking to get into lower level Linux stuff anyway. How the kernel works, how you can poke at it from the outside. eBPF kept coming up. I also saw it framed as a safer alternative to writing kernel modules for certain use cases. That part made immediate sense to me, because writing kernel modules means one bad pointer dereference and your machine is just down. So I thought maybe I could look into it seriously.

What even is eBPF

eBPF lets you run sandboxed programs inside the Linux kernel without modifying the kernel source or loading a module. Before your program runs, the kernel verifies it. No unbounded loops, no out-of-bounds memory access, every code path has to terminate. If it doesn’t pass, it doesn’t load. However it doesn’t mean it’s bullet-proof, I still found some bugs and weird things happen now and then. But it catches the most obvious ones.

Evidently, it started as Berkeley Packet Filter, which was just a way to filter network packets efficiently. The “extended” part came later and expanded it well beyond that when people wanted better tracing options when debugging inside the kernel. These days it shows up in observability tools, performance profilers, security products, and a lot of infrastructure tooling that runs quietly in the background of production systems.

How I learned it

I started reading Learning eBPF by Liz Rice and went through it cover to cover. It builds up a solid mental model of how everything fits together, the verifier, maps, ring buffers, CO-RE, without throwing you into kernel internals from page one. Great book, would recommend it if you’re starting out.

After that I spent time staring and reading through examples at libbpf-bootstrap and cilium/ebpf. That was just to see how things are done in real projects and scripts.

Then I started writing stuff. A per-process file access counter. A pure C rough version of what would eventually become Barbwire. None of it was useful or anything. It was just to get familiar with the toolchain, get yelled at by the verifier, figure out why and repeat.

What I liked about eBPF

A couple of things genuinely impressed me.

The first was CO-RE, which stands for Compile Once, Run Everywhere. Despite my reservations on Java, I always thought the idea of Code once, run everywhere was pretty neat (Thanks to JVM). CO-RE brings the same thing to Linux kernel programming. It handles struct field offset relocations across kernel versions, so your program isn’t silently tied to the exact kernel it was compiled against. Without it, anything that walks kernel structs like task_struct breaks the moment you run it on a different machine. With it, the same binary works across versions. It is remarkable as far as I can tell.

The second was how dynamic the whole thing is. With kernel modules you write code, compile, load, and if something goes wrong you restart. With eBPF you attach programs to running systems and detach them without rebooting or disrupting anything. For observability and containers especially, that matters a lot. You can instrument a live system, see what you need, and pull the probe out. No downtime, no risk of leaving a bad module loaded.

What came next

After a few weeks of experiments I felt ready to build something with an actual purpose. That became Barbwire, a lightweight behavioral correlator that watches for processes opening sensitive files and then making network connections. I’ll write about that in the next post.

It’s not a production security tool. It’s an experiment. But building it was a good reason to use eBPF for something real instead of just counting file accesses forever.

Honeyfused: An intrusion detection script using FUSE filesystem

Tue, 26 Aug 2025 18:24:58 +0530

Introduction

First things first, what is Honeyfused? It’s a fun little side project that I spent some time on. It is on my github repo if anyone’s interested.

Honeyfused is in a sense an intrusion detection application using honey-files. The program emulates filesystem mounted on directories and presents files that are actually not part of the original filesystem. Since the program emulates folders that usually contains secrets and API keys, intruders and infostealers may try to access it and possibly exfil the files. Since we control the filesystem, we can generate alerts whenever the file is accessed or modified. That is the gist of it. In this article you’ll find why I did this, how I did this and things like that.

How did I get here?

I very recently learnt that you can implement virtual filesystems, that is, filesystem that are not actually present on the disk, using FUSE bindings. All one had to do is override the operating system filesystem function calls to mimic an actual filesystem and you can literally pull show a filesystem out of nowhere.

Armed with the knowledge, I thought “why can’t I just implement a decoy filesystem with decoy files and generate alerts whenever the files are accessed?”. But this is basically honey-files with extra steps, that is, the virtual filesystem. Then I thought a honey-file is always the same, always there in the same place, and it is usually something like “passwords.txt” or “keys.csv”. So what if I could dynamically generate new file contents in important places, places where applications usually keep their tokens, secrets and keys, places which are more believable and look like legit files to an attacker, places which an infostealer would automatically enumerate. And hence, I got started to find out.

The filesystem implementation

There are a few libraries that provide libfuse bindings in Python. Namely fusepy, python-fuse, mfusepy etc. I choose to work with mfusepy as it is one of the still maintained one. I couldn’t find any documentation about the module. But lucky for me, they maintain a folder of example implementations. One of those aligns closely with what I want, a pure in-memory virtual filesystem implementation. Even though it did not clearly specify what should be actually done, it did give me a gist of how to do it.

However the example script didn’t quite work out-of-the-box for me. So I made some modifications and additions of my own to emulate an actual filesystem. At the end of it, I had a script to create a virtual filesystem that can contain and display files, create new files, delete existing ones, create a directoy and so on.

What to generate?

Now that, I can mount an filesystem whereever I want, I need to generate files. Not just any files, files that appear to be legit, files that should be placed in places where popular applications places them. Then I spent some time researching in popular applications and their configurations. Nah, I’m kidding. I used ChatGPT to tell me how popular applications stored their configs and keys. At the end of it, I had a list of applications that seemed to be good candidates for the decoy files. I settled for Kubernetes’s kubeconfig, AWS’s credential and config file, Azure’s credentials.json, GCP’s default application config file, Terraform’s credential file, Docker’s config file and lastly Bitcoin’s config and wallet files. Mostly developer centric, I know.

With an list of candidate application, I then again asked ChatGPT to give me a blueprint of configuration files and what kind of data should I use to fill it with. With that, I used Python’s string.template to craft template of files and wrote generator functions to dynamically populate the templates. It took me some time to cover this aspect of the ground but it was fine.

Putting things together

At this point, I have a script to mount a fake filesystem anywhere I want and generator functions that can give me realistic looking files that popular applications use. Only thing left is to put these things together. I used a YAML file (config.yml) as the configuration file for user. With that user can specify which applications can the script emulate and present decoys for. Because we don’t want to present decoys for already present applications.

It took going a little back and forth on things, until I finally managed to put it together. So now my script (actually scripts), managed to generate decoy files for applications provided in config.yml and mount it in place I wanted.

The logging

I’ll admit, I haven’t done a lot of logging stuff in Python. Since mfusepy already provided debug logs for the filesystem, I tried to implement logging that gives debug information for my script. So I read the documentation (yes I actually did that), and implemented it. And then I remembered that I had to log alerts as well, because that is the whole point of the application. But I didn’t want to throw all the log at once. So I seperated logs from myfusepy, debug information from my script and the alerts I want to give out. Turns out it’s surprisingly easy than it sounds.

Conclusion

It took me over an week to put all these together. I mean I didn’t spent all my time on this, but okay. So basically I got an Intrusion detection system out that puts fake files on your filesystem and then alerts you when someone accesses it. It is geared more towards developers who keep these kinda files in their storage. But at the end this is just a stupid experiment. So I hope no one uses it as an actual security measure. Still it was pretty fun convincing the system that a filesystem exists when it doesn’t and generate configuration files for various applications.

Run Run, Ember Run! - EchoCTF Writeup

Sun, 22 Jun 2025 13:45:21 +0530

Introduction

This writeup deals with the Run Run, Ember Run! challenge from EchoCTF. This challenge focused on understanding the MBR boot record format and the bootstrap code it contains. A compressed gunzip archive run_run_ember_run.img.gz contains challenge file.

Challenge Statement:

A small challenge with only four questions for you to answer.

An attacker gained access to one of the systems leaving behind the file attached to this challenge.

Not many details are known about the file but there are at least two ways to get what you want. Depending on the road you'll take it can be as easy as walking in the park or hard as climbing the Himalayas.

You need to analyze the file and answer the following questions...

This is not a filesystem, even though you'll find it on disks... and although its not executable you can still run it!!!

Q1: What is the first thing you'd see from running this image? (200 pts)
The first thing that would greet you is a flag. Give it for answer to this question.

Q2: What do you get from address 0? (300 pts)
What are the values of the first 16 bytes starting from address 0. Remove any spaces from your answer.

Q3: What is the address backdoored by the attacker? (400 pts)
The attacker seemed to have added a backdoor at a certain address. When you try to print this address you will get a flag. What is the backdoored address in hex (prefixed by 0x).

Q4: What is the flag from the backdoored address? (500 pts)
What is the flag being displayed from the backdoored address?

Writeup

The question makes it look like the challenge has something to do with a binary reverse engineering analysis. But also there are points that suggest that it a disk? So first we need to understand what it is we are given.

It says that the file is a DOS/MBR boot sector. So we can’t “run” a boot sector right? That’s what I thought and decided to take a look at the hex dump of the file.

That’s all of the hex dump. So taking a preliminary look at it revealed nothing. I mean no hidden files, no corrupted data, nothing. But what caught my attention is how it is exactly 512 bytes. The boot partitions are indeed 512 bytes. So that suggested we really do have a MBR boot sector at our hands. Hence we should be able to look at the entries using something like fdisk.

So we have something. The partition data that the sector holds. But this is of no use without the actual disk (except for now we know what kinda partitions the computer this record belonged to had). But that can’t be it. I was missing something. And then looking at the wikipedia page for MBR boot record had the following table:

Huh, so there IS something that I was missing. There is an entire 446 bytes of “Bootstrap code area”. That should have been obivous but it wasn’t for me. After all this code region is usually targetted by malicious softwares called Bootkits.

According to the wiki at OSDev (not explicitly mentioned, the example provided there indicated it), this code is of 16-bit x86 instruction set. So all I have to do is disassemble the image provided. Easy.

But before going head first into assembly, recall that the challenge statement explicitly stated to “run” the image. Since we have a valid boot sector image, perhaps we can? Quick search on the internet showed QEMU is good for it. Using the command,

qemu-system-i386 -drive format=raw,file=run_run_ember_run.img

we are able to boot into the boot sector on a virtualized machine console.

Yeah we are indeed greeted with a message. Hence our answer for Q1. It looks like a prompt waiting for input.

Hitting enter on the prompt gave some interesting output. It displays the memory dump of the sector. Since our second question is literally what are the values of first 16 bytes of address 0, we have our answer for that as well.

And for Q3, we apparently have a backdoor of sorts. I saw no other option than having to dive into the assembly code. We can dump the entire image using objdump, I specifically used the following command:

objdump -D -b binary -mi386 -Maddr16,data16 -Mintel run_run_ember_run.img

The options being:

-D : Disassemble the file
-b binary : target object is binary
-mi386 : target architecture is x86
-Maddr16,data16 : Disassembler options
    addr16 : Addresses are in 16-bit
    data16 : Data is in 16-bit
-Mintel : Use intel style assembly code

There was a lot of disassembly. As a matter of fact, we have dumped the entire image file, but the actual code is only 446 bytes, which would mean the offset upto 1bd is the valid code.

And now we read assembly.

Skimming through the assembly dump, the instruction at offset 86 caught my attention. A compare statement that compares the value at the register bx with 0x3750. As far as I could tell 0x3750 is nothing special. But the instruction checks for it, and then branches. So the question arises, what are the two branches?

86:   81 fb 50 37             cmp    bx,0x3750
8a:   75 30                   jne    0xbc
8c:   b0 6d                   mov    al,0x6d

Assuming the likely case that bx won’t be equal to 0x3750, it seems the code we want to execute is at bc offset. That begs the next question, how could bx be set to 0x3750.

74:   e8 c5 00           call   0x13c    
77:   72 05              jb     0x7e     
79:   93                 xchg   bx, ax

A little above the offset of 86, at offset 74, we can see that a call is made to the address 0x13c. In x86 convention a call’s return value is usally found in ax register (if it returns). Then instruction xchg exchanges or swaps the value between bx and ax registers. So bx depends on whatever is returned from the instructions at 0x13c.

13c:   e8 04 00                call   0x143
13f:   72 15                   jb     0x156
141:   88 c4                   mov    ah,al
143:   ac                      lods   al,BYTE PTR ds:[si]
144:   e8 10 00                call   0x157
147:   72 0d                   jb     0x156
149:   c0 e0 04                shl    al,0x4
14c:   88 c2                   mov    dl,al
14e:   ac                      lods   al,BYTE PTR ds:[si]
14f:   e8 05 00                call   0x157
152:   72 02                   jb     0x156
154:   08 d0                   or     al,dl
156:   c3                      ret

To be quite honest, I don’t exactly understand what’s going in here. The call to 0x13c in turn makes a call to 0x143 which is 3 instruction away and kinda confusing and we are missing a ret instruction.

But in a gist the instruction at 0x143 loads a string, an input string to be specific, and calls to another 0x157. It does the same set of instruction twice, but the instruction shl al, 0x4 (shift the contents of al[lower 8 bits of ax] to the left by 4 places), suggests it just processes an input of 16 bits, 8 bits each time. And then the processed contents is stored at the register ax.

So looking at 0x157 we have:

                    ; turns strings to ascii. Like '0' -> 0
157:   2c 30                   sub    al,0x30    
                    ; jump to ret if subtraction is negative. For cases less than '0'
159:   72 0e                   jb     0x169      
                    ; compare al and 10(in decimal)
15b:   3c 0a                   cmp    al,0xa
                    ; compliment carry bit, not sure why
15d:   f5                      cmc
                    ; jump to ret(0x169) if al is above or equal to 10.
                    ; so al must have value between 0 and 9
15e:   73 09                   jae    0x169
160:   2c 31                   sub    al,0x31
162:   72 05                   jb     0x169
164:   04 0a                   add    al,0xa
166:   3c 10                   cmp    al,0x10
168:   f5                      cmc
169:   c3                      ret

Now just looking at the first few lines of the routine, we can see that the call converts the string input to number input. So if we want 0x3750 as value of ax register, we just need to input it?

Yes. We just had to put it there and the flag is given. Could’ve tried that first, nevertheless it was good. So we have our answer for Q4.

We still need answer for Q3. Now this part, I think the question is kinda misleading. It asks for the “backdoored address”. Technically, the backdoor is at offset 86. MBR base address starts at 0x7c00, making the “backdoored address” as 0x7c86. But this is not it. The answer is the value we need to meet at this address. That is our answer for Q3. Or maybe I’m mistaken, but as far as I can tell, that is not an address.

Note

You can actually find the both of the flags in the hex dump from the beginning if you look for it (with some ‘pattern recognition’). I didn’t.But it’s just the flags.

Conclusion

It did take me quite some time to figure out Q3, but nevertheless, the challenge was fun and unique. There ain’t many challenges that require you to boot a boot sector. So all things considered it was a solid.

Binary Exploitation - Baby Buffer Overflow 32-bit

Sat, 26 Apr 2025 17:51:33 +0530

Baby Buffer Overflow - 32bit

Challenge Statement

Author: @aenygma

Can you command this program to where it cannot go?

To get the flag, you must somehow take control of its excecution.

Is it even possible?

Attachments: babybufov, babybufov.c

Note: This challenge was accompanied with a per-user instance

Solution

Opening the C source file given in the attachment section, we can see that it is a fairly straight forward program. There is the main function which requests some data using gets. If you have spent some time with C programming you would’ve known that this is a vulnerable function. The problem with this function is that it takes input with no limit on it’s length. Consequently, it writes data to addresses beyond the space reserved or allocated for the string causing a, that’s right, a buffer overflow.

Now due to some issues with the linker I couldn’t execute the binary provided directly. Luckily the source code had a comment to indicate how the program is compiled. So I used:

gcc -fno-pie -no-pie -Wno-implicit-function-declaration -fno-stack-protector -m32 babybufov.c -o babybufov

Notice that the compilation parameters turn off the stack protection, which makes write to stack possible. So obviously we are supposed to redirect execution flow to the uncalled target function in the code.

Here is a awesome video from liveoverflow that depicts this in a more illustratively. I suggest you watch the entire playlist if you are new to this sort of things.

So in a gist, function calls push return address on the stack so that when the function ends it can return the control to where it came from. The same stack also houses local variables such as the one that collects the string from the gets function. Now the idea is that we put enough characters in the string so that it overflows to the return address value and overwrites it.

A little knowledge of the GNU Debugger (gdb) is advisable for doing the below steps.

First we need to know how many characters it takes to overflow to the return address. Usually this is the string (buffer) size, but it can be more due to other variables. So I put in a recognizable string like ABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKLMNOPQRSTUVWXYZ as input to observe the return address.

Of course it seg-faulted because there is no valid address as 0x46454443. But if you notice this is not a random address. 46 is the letter F in hexadecimal. So the address translates to FEDC. The reason why it is in reverse is because of the endianess. So now we now the address can be overwritten from the second C in the input.

Now we need to know the address of the function we need to redirect to. For this we can disassemble the target function to get the address of the first instruction in the address.

So the address to redirect the control is 0x080491a6. We can’t manually type in the return address is because it will be taken as string and stored differently in the stack. So I put together an python script exploitgen.py that generates an exploit input that can overwrite the return address.

import struct

buf = b"abcdefghijklmnopqrstuvwxyzab"
addr = struct.pack("I", 0x080491a6)
exp = buf + addr

with open("exploit", "wb") as f:
    f.write(exp)
    f.write("\n".encode())

The above code has the buffer required to fill the input buffer and adds the address at the end of it to overwrite the return address. The struct module offers packing and unpacking data between python and C data types with specific sizes. Since an address is 4 bytes long, I have used unsigned int (the I) as the target type. The newline is to mimic the press of enter button to finish input.

Once the exploit is generated, we can redirect it to the program directly like:

./babybufov_custom < exploit

Yup, we got the jackpot message in the target function. So we are successful in redirecting the execution. One might ask, is that it? Visiting again the source code for target we can see there is a shell that gets invoked. Since we give no more input it simply exits. So I added a little more to the exploitgen.py.

import struct

buf = b"abcdefghijklmnopqrstuvwxyzab"
addr = struct.pack("I", 0x080491a6)
exp = buf + addr

with open("exploit", "wb") as f:
    f.write(exp)
    f.write("\n".encode())
    f.write("ls\n".encode())

Now it lists the files in the directory it is on as shown below:

And now we have code execution as well. Now it’s time to test this on the real thing. The challenge came with a per-user instance. Spinning it up gave a netcat command to the program directly. So I redirected my exploit to the netcat program:

It didn’t work. I tried a couple more times to meet with the same result. But it worked on my machine. For those who already figured out what went wrong, well done. It took me quite a while, longer than I would like to admit. You see the problem is that I recompiled the code in my system, which made the addresses different. So I was redirecting the code to a wrong address.

Since we have the original binary, it will should the same addresses as the one over netcat. So I used objdump to get the address of the target function.

Armed with the actual address I need, I put that in my exploit program, generated an exploit and redirected it the netcat program.

So it appears there is a file flag in the same directory as the program. So I added a cat flag to my exploit and repeated the same.

So there it was, the flag. This is quite simple if you know your basics well (and don’t do silly mistakes like me).

Cryptography - No need for brutus

Sat, 26 Apr 2025 17:51:33 +0530

No need for Brutus

Challenge Statement

Author:@aenygma

A simple message for you to decipher:

squiqhyiiycfbudeduutvehrhkjki

Submit the original plaintext hashed with MD5, wrapped between the usual flag format: flag{}

Solution

The title includes Brutus who is known for betraying Julius Caesar. Caesar happen to be named after a cipher he created, The Caesar cipher, also known as ROT cipher.

This suggests that the cipher provided might be a ROT cipher for which we don’t know the key for.

Using Cyberchef we can use the recipe ROT13 Brute Force to list all possible plaintext for the cipher.

We find a plain text with key value of 10. Since the challenge requires us to use the MD5Sum of this plaintext we can calculate it using:

echo -n "caesarissimplenoneedforbrutus" | md5sum

Covering the obtained hash with flag format yields the flag

Cryptography - Strive Marish Leadman TypeCDR

Sat, 26 Apr 2025 17:51:33 +0530

Strive Marish Leadman TypeCDR

Challenge Statement

Author:@aenygma

Looks like primo hex garbage.

Maybe something went wrong?

Can you make sense of it?

Note: This challenge was accompanied with a per-user instance

Solution

On spinning up the per-user instance, I was given a command to use Netcat into the instance.

On connecting it just print out the following data and exitted.

Now if you have worked with cryptosystems you could have recognized what this is right away. But those who don’t, this is variable for a RSA public cryptosystem.

The given are everything that needed to encrypt and decrypt data.

A quick run down of that is:

p and q are supposed to be very large prime numbers
n = p * q
Now a value called Euler’s phi function for the value n is calculated as phi(n) = (p-1)*(q-1)
Now a random value e is selected such that e < phi(n) and e and phi(n) are co-prime
This e is the public key
Now the corresponding private key is derived such that d*e = 1 mod phi(n)
With this one can encrypt message m to cipher c with public key as c = (m^e) mod n
This can be reversed or decrypted using private key as m = (c^d) mod n

Since we have all the variables and assuming the data in the bottom is ciphertext, this boils down to a simple decrytion.

I used a tool called rsactftool to get it done.

By just plugging in the values of p, q, d, e and data to decrypt, the tool even decoded the output to UTF-8 making my job easier.

Forensics - Hidden Streams

Sat, 26 Apr 2025 17:51:33 +0530

Hidden Streams

Challenge Statement

Author: Adam Rice (@adam.huntress)

Beneath the surface, secrets glide,

A gentle flow where whispers hide.

Unseen currents, silent dreams,

Carrying tales in hidden streams.

Can you find the secrets in these Sysmon logs?

Attachment: Challenge.zip

Solution

The zip contains a EVTX Sysmon log file. You may use the windows event viewer to open this or you could use something like evtx_dump to dump it as XML.

Some time ago I have watched this video from John Hammond’s Channel where he explains about hiding data about alternate data streams. Since, he is working in Huntress, it gives me enough reason that this might exactly be the case. But we only have an event log.

A quick internet search on how to find alternate data streams yielded results, but nothing came up in context of event logs. So I had to broaden my search and checked if any event is logged when a data stream is created, written or modified. Soon I found out event ID 15, FileStreamCreateHash, logs creation of streams with hashes and contents in it. Since alternate data streams are also streams this seemed good.

I used to evtx_dump and grep to filter for event ID 15 and I got a hit. After some tinkering with the how much data I wanted grep to display, I got the event down.

Under the content section we can notice some base64 encoded data. Decoding it, got the flag.

Forensics - Keyboard Junkie

Sat, 26 Apr 2025 17:51:33 +0530

Keyboard Junkie

Challenge Statement

Author: @JohnHammond

My friend wouldn’t shut up about his new keyboard, so…

Attachment: keyboard_junkie

Solution

Running file command on the attachment reveals it to be a PCAP file. Opening it with a wireshark, a packet analyzer, we can observe USB capture data.

On top of the capture we can even see the request and response of USB device descriptor. This is what happens when you connect a USB input device to a host. The host requests the descriptor for what type of device it is and the device responds. Based on the response we can conclude that, the device is a Keyboard.

We can also observe a lot of URB (USB Request Block) interrupts in the capture. These are keystrokes recorded by the keyboard. We can’t directly see what was typed in as it is not that simple with keyboard. Keystrokes maybe a simple keypress, or a combination of control keys and others. So they have a representation format of their own. This has been explained to good detail in this blog.

To extract the keystroke data, I used tshark to extract the captured data. This is how the data actually looks like:

Now we need to decode this data. We can do it ourselves but I thought someone might have already put together a script for this. A quick internet search later, I found a page on hacktricks.xyz about usb pcap inspection and and how we can decode it using ctf-usb-keyboard-parser.

I then just cloned the repo, put the commands for extraction and execution in solve.sh. Executing them yielded the flag.

Forensics - Obfuscation Station

Sat, 26 Apr 2025 17:51:33 +0530

Obfuscation Station

Challenge Statement

Author: @resume

You’ve reached the Obfuscation Station!

Can you decode this PowerShell to find the flag?

Archive password: infected-station

Attachment: challenge.zip

Solution

Extracting the archive, we have a powershell script with the following contents:

The script seems to decode a base64 data, decompresses it to a stream and converts it to a string and then extracts some characters from an environment variable and joins them. I thought ‘iex’ and I was right.

So I tried to put the string into a variable and output it. But the script kept throwing errors at me. So I wrote another script mimicking the same logic, but cleaner. Putting them at solve.ps1, and executing it, gave the flag.

Forensics - Zimmer Down

Sat, 26 Apr 2025 17:51:33 +0530

Zimmer Down

Challenge Statement

Author: @sudo_Rem

A user interacted with a suspicious file on one of our hosts.

The only thing we managed to grab was the user’s registry hive.

Are they hiding any secrets?

Attachment: NTUSER.DAT

Solution

The attachment is the NTUSER.DAT file of some windows host. NTUSER.DAT is a special file that is located in the userprofile of each user. This file stores the registry keys of a particular user, also called as registry hives.

One may open it by loading the hive onto the windows registry editor or use tools to explore the keys directly. I used a tool called reglookup.

The challenge description says that the user interacted with a “suspicious” file. So, if a user interacted with it, then it must be noted under RecentDocs folder in the hive. Using reglookup I could list the keys under the RecentDocs folder using the command:

reglookup -p /Software/Microsoft/Windows/CurrentVersion/Explorer/RecentDocs NTUSER.DAT

There were several entries in there but not a lot. Going through those, the below entry caught my eye.

Why? It is unusually long. And it had a file extension type I didn’t recognize, .b62. Of course most of the data is URL encoded, so put it in cyberchef to decode it.

URL decoding didn’t change much, but allowed me to see that it was not a .b62 file but rather a .lnk file. But we don’t have access to the file, so we can’t analyze the file. Then it hit me, the name of the file was unusually long, and don’t seem random. Looks like a encoding, then it again hit me, .b62 refers to base62 encoding.

So I found a base62 decoder on the internet and put in the file name. Decoding it gave the flag.

Malware - Discount Programming Devices

Sat, 26 Apr 2025 17:51:33 +0530

Discount Programming Devices

Challenge Statement

Author: @sudo_Rem

I used a tool on the internet to obfuscate my script!

But I lost it, and I don’t know how to get it back.

Maybe you can help?

Attachment: oops.py

Solution

In this challenge, we have a python script that has a lambda function declaration assigned to an underscore _. It takes an argument __ and has the contents as:

_ = lambda __ : __import__('zlib').decompress(__import__('base64').b64decode(__[::-1]))

What’s going on here is simple. The argument __ is reversed, and passed to base64 decoder and then in turn passed to the decompress function from the zlib module.

Following this declaration, is an exec function call that references the function pointer and passes on a very lengthy argument. Since the size of the argument was long, I figured it might take several passes to get to the end, so I put a script together process.py.

With the script, we can see that it took 50 passes and finally we have another python code at the end of it. It seems to be of the same logic, but putting the contents in final.py and executing it gave me the flag.

Now it really seems straightforward. But did I actually do anything? I just did what the script would’ve done but in separate steps. So just to check, now that I know what the script is, I ran the oops.py directly. It gave the flag just like that.

So I was wondering what was the point, but didn’t really think much of it. Then going through the CTF discord server, the challenge author admitted it was indeed a mistake.

Malware - Eco Friendly

Sat, 26 Apr 2025 17:51:33 +0530

Eco-Friendly

Challenge Statement

Author: @JohnHammond

This sample is good for the environment!

Attachment: eco_friendly

Solution

For this challenge, we are given a powershell script, or I should say, one very long line of powershell. Opening the given file we can see an iex (Invoke-Expression) cmdlet that will execute whatever command follows it.

But the argument for the cmdlet seems to a string with random numbers in curly braces. If we scroll down for some time, we can find the end of the string with a option -f which is used to format strings in powershell.

What follows the -f is lots of environment variables with an index number. Which means the script uses, fixed environment variables that is uniform across all Windows machine to construct the payload from the individual characters indexed from said environment variables. The random numbers in curly braces are just positional parameters. This type of technique is used to evade detection from anti-malware solutions which may scan for suspicious keywords.

Now that we know this, we can just replace the iex at the starting with a Write-Host cmdlet to write whatever the string will be constructed to rather than executing it.

Doing that, saving it to payload.ps1 and executing the script, reveals another level of obfuscation with the same technique. So putting that in file stage1 and modifying the iex to Write-Host in stage1_modified.ps1 and executing again leads to another level of same obfuscation. Repeating the same with stage2 and stage2_modified.ps1 leads to another level of obfuscation. Doing it again with stage3 and stage3_modified.ps1 finally gave away the flag as a comment.

I should have anticipated nested levels of obfuscation and written a script to get the process done, but still unsure of what it might hold, I did it manually. But got the flag at the end.

Malware - Palimpsest

Sat, 26 Apr 2025 17:51:33 +0530

Palimpsest

Challenge Statement

Author: Adam Rice (@adam.huntress)

Our IT department was setting up a new workstation and started encountering some strange errors while installing software.

The technician noticed a strange scheduled task and luckily backed it up and grabbed some log files before wiping the machine!

Can you figure out what’s going on?

We’ve included the exported scheduled task and log files below.

The archive password is infected-palimpsest.

Attachment: Challenge.zip

Solution

The attachment archive contains 3 event viewer logs (Application, Security and System) and a Updater Service.xml. I first opened the XML file, which is the scheduled task that the challenge description tells about.

While most of the contents of the XML file is pretty much what you’d find in most scheduled tasks, I was more interested in the actions of the task. As we can see, it is a powershell line, that collects the DNS TXT records from the site 5aa456e4dbed10b.pyrchdata.com, base64 decodes it, builds a string from it and executes it. So I queries the DNS TXT records myself to find out base64 data in it.

Putting the contents in txt_records and decoding it, yields a powershell script with some obfuscation.

The first brackets reference the shell ID which I’m quite sure is constructing iex cmdlet. Putting that in stage1_payload.ps1 and modifying the iex with Write-Host should give us the next part of the payload.

Doing that does indeed reveals the next part of the payload. Now we still have an obfuscated script. The first line now tries to get a variable that matches the pattern *mdr* and constructs something. I was pretty sure that is also iex as well, but to be sure, I checked. Repeating the same trick we move on to the next stage of payload.

Now this payload doesn’t have any base encoded strings, on the contrary stage3_payload.ps1 does something else. But I couldn’t fully read it because of the garbled format strings. I decided to clean it and substitute those strings to their result, I had stage3_cleaned.ps1 which was more readable.

We can now see clearly, that the payload gets the application event log with source as mslnstaller (notice the typosquatting) and filters events with InstanceID within 40000 - 65000, extracts “data” from those logs and writes it to the a file named flag.mp4 in the AppData folder.

Now we have use for those event log files, opening Application.evtx in windows event viewer and filtering events between 40000 - 65000 with source as mslnstaller we have exactly 100 such logs.

Every record out of those 100 logs had a data node with some text and binary data. It is fair to assume that the binary data is what is being written to flag.mp4 all we have to do is extract it.

Now I can write powershell scirpts to some level, I didn’t know how to extract fields from saved log files in it at the time of solving this challenge. So converted the .evtx files to .csv using this tool.

Once I converted it, it was fairly easy for me to put a python script extract_data.py together to extract the binary data and write to a file. The logic behind the script is simple. It opens the csv file and parses it using the csv module and then checks each row for the condition required as in the powershell script. Then I used unhexlify from binascii module to convert the hex to actual binary data and wrote it to a file from_evtx_data.

Even though the powershell script tells us it is an mp4, I was still a little suspicious it might be something else. But when I ran file utility on it, it revealed that it is indeed a MP4 video file. Opening it got me:

So it says “It’s free real estate” and yeah the flag is there too. I tried using OCR to get the flag from the video, but it had a few mistakes which I had to correct it manually.

Malware - Ping Me

Sat, 26 Apr 2025 17:51:33 +0530

Ping Me

Challenge Statement

Author: @JohnHammond

We found this file in the autoruns of a host that seemed to have a lot of network activity… can you figure out what it was doing?

Attachment: ping_me.vbs

Solution

For this challenge we are given a VBScript.

Now I am not familiar with VBScript, but looking at the script we can observe an “Execute” at the start and a long expression. So it is logical to conclude that the expression evaluates to something and the “Execute” will execute whatever the expression evaluates to.

In order to know what it really does, we just need to replace “Execute” with some print statement from VBScript. So I opened onlinegdb and it already had boilerplate code to output something (Hello world). I just modified it to evaluate the expression and output it.

Now we can see, that it indeed gets another script which should be VBScript as well. After adding some spaces and newline to it we have:

This script seems to have a list of IP address and runs a ping command on all of them. Well that explains the part of challenge description that says “a lot of network activity”, but what now?

The IP address may seem random to an untrained eye. But I recognized them not to be random. You see the each octect in the IP address is a valid ASCII character and most of them are in alphabet and number character ranges.

So I copied the list of IP address, put them in a solve.py to process them and convert them to a valid string. The script just splits the octets put them in a list and uses chr function to convert the octets to valid characters.

ips = ["102.108.97.103", "123.54.100.49", "98.54.48.52", "98.98.49.98", "54.100.97.51", "50.98.56.98", "98.99.97.57", "101.50.54.100", "53.49.53.56", "57.125.35.35"]
chars = []
for ip in ips:
    chars.extend(ip.split("."))

flag = "".join([chr(int(i)) for i in chars])

print(flag.strip("#"))

This script gave away the flag.

Malware - Revenge of the Discount Programming Devices

Sat, 26 Apr 2025 17:51:33 +0530

Revenge of Discount Programming Devices

Challenge Statement

Author: @sudo_Rem

One of our security analysts learned to avoid printing out flag when obfuscating code!

Unfortunately, now they’ve lost that flag.

Maybe you can help them get it back.

Attachment: challenge

Solution

In this challenge we are given a binary, an ELF binary to be specific. Running strings utility on the binary among the entries we can find strong indicators (as shown below) that the binary has been compiled using pyinstaller. This is a tool to convert python source code files to executable binaries.

There is this tool called pyinstxtractor that can extract the contents of a binary that is compiled by pyinstaller. Using that tool I was able to dump all the contents of the binary into a folder. Since it is a statically linked binary there were quite a few things that got extracted. But we are focused on the challenge.pyc. This file contains the bytecode of the original file that was used to compile.

We still need to convert the bytecode to actual source code before we can work on what it does. For that we can make use of another tool called pycdc. Using the tool, I converted bytecode file challenge.pyc to decompiled.py.

Now we have something to work on. On top of the code we can observe a lambda function that is assigned to a function pointer variable _ (underscore). It takes an argument which is __ (two underscores). The function reverses the data it gets, does a base64 decoding and uses the zlib module to decompress the decoded contents. Then there is a exec function that uses the function pointer _ and passes a very long string of data to it.

Since the string was very long, I suspected multiple levels of same obfuscation. So I wrote a python script solve_stage1.py to run the data till there is a exec function in the code.

As we see, after 50 passes, we get a long list of numbers. But this list is commented out. At the end of the list there are 2 print statements out of which is one commented out. The first print statement simply joins the result of chr function of each number in the list. The other prints out a string. I put this contents to stage2.py and reversed the comments.

Since this provides us with another python script, I put that in stage3.py, and cleaned the names of the variables. The variables were named with different number of underscores whose real names were declared at the start.

After cleaning them, the functionality was revealed to be just an XOR operation between the two long byte sequence and print the output.

Now we are once again facing the same function as the first round of payload. So I made a copy of solve_stage1.py as solve_stage4.py and swapped the argument payload.

And executing solve_stage4.py gave away the flag.

Malware - Russian Roulette

Sat, 26 Apr 2025 17:51:33 +0530

Russian Roulette

Challenge Statement

Author: @JohnHammond

My PowerShell has been acting really weird!! It takes a few seconds to start up, and sometimes it just crashes my computer!?!?! :(

WARNING: Please examine this challenge inside of a virtual machine for your own security. Upon invocation there is a real possibility that your VM may crash.

NOTE: Archive password is russian_roulette

Attachment: russian_roulette.zip

Solution

Extracting the archive outputs only a lnk file. LNK files are basically shortcuts in windows. There are special files that open other files or execute commands. LNK files are a common threat vector as phishers can disguise anything as LNK file.

For this challenge we have a Windows PowerShell.lnk. To see what it really opens we need a parser that can parse the LNK file contents. I found this tool called LnkParse3 that could do what I want.

So the target of the shortcut is not a file but a powershell command. The -e option allows encoded scripts or strings to execute. This is basically more powershell command but encoded in base64.

On decoding the argument, we can observe that it uses the iwr (Invoke-WebRequest) cmdlet to download the contents pointed by the link and save it to a file .cmd in the temp folder. Finally this .cmd file is executed.

Collecting the contents of the link downloaded a powershell.zip but it was in fact a batch script. So I renamed it to raw_payload.bat.

For some reason I don’t know, this batch file when opened with text editors showed garbled text, but when I used cat utility from the terminal it displayed the batch script. My theory was that it is because of the first two characters of the file where not recognizable. When I removed it and put the rest of the script in payload.bat.

There were a lot of Russian comments (or I should say quotes) in the file. So I put together cleanse.py to remove those commands and write the contents to payload cleaned.bat. Now I had more visibility over the code.

I have seen this type of obfuscation before. So at the start of the script we can see a variable ucbw to getting set as set. Following it are lines that start with using the variable ucbw. If we replace ucbw as set everywhere in the script, it is one step deobfuscating the script.

The variable qmy is not empty actually. It has a white space. So replace %qmy% with a single whitespace in the script and replacing %jxaa% with =, we get:

Now we can keep on replacing variables with characters till we hit this:

The expression set /a rtoy=9161456 %% 9161359 mean set the variable rtoy with the resultant value of arithmetic expression 9161456 %% 9161359. %% is the modulus operation. So rtoy will be assigned 97, in this case. Next up we have cmd /c exit=%rtoy%. cmd \c executes the command passed to it. And that command here is exit with the exit code specified by variable rtoy. Next up set ztq=%=exitcodeAscii%. %=exitcodeAscii% is an undocumented dynamic variable in windows, that for some reason returns the exit code of the last program as an ascii character.

Putting them together, the second line executes a cmd exit command with a exit code and the next command gets that exit code as ascii. In ascii 97 maps to the character ‘a’. Now the variable %ztq% can be used whenever you need a character ‘a’. So essentially for the next many commands are just construction of alphabets, numericals and symbols.

De-obfuscating all that yielded payload deobfuscated.bat. In that you will find another encoded powershell payload.

I copied that payload and put it in powershell base64.txt to decode the contents.

I put the contents obtained in powershell payload.ps1 and modified it to make it easy on the eyes.

Looking at the powershell script, we can see another sort of code in the variable $s. Since I spent some time with C#, I recognized it right away. So the code creates an compiler object, compiles the function Shot in the class X , then with a 1 out of 6 chance executes the function Shot.

The function Shot contains some areas of interest. It imports two functions from the ntdll.dll. And does AES decrytion on some data. But after some time of research on the internet, I found out that NtRaiseHardError is an undocumented API from windows, that can be used to force BSOD (Blue Screen of Death) errors. Effectively this will restart you operating system. So even if function Shot is executed it crashes the OS before it reaches the decryption code.

So I put solve.cs removing the DLL imports and put a writeline to output the decrypted content.

And that indeed was the flag. Also if you don’t want to dabble with C#, then you can just copy the decryption data on cyberchef and obtain the flag that way as well.

Malware - Strange Calc

Sat, 26 Apr 2025 17:51:33 +0530

Strange Calc

Challenge Statement

Author: @JohnHammond

I got this new calculator app from my friend! But it’s really weird, for some reason it needs admin permissions to run??

NOTE: Archive password is strange_calc

Attachment: calc.zip

Solution

Extracting the archive, we have a calc.exe that appears to be a PE executable. Running file command on the executable proves that it is indeed a PE executable but also reveals that it is a UPX packed executable.

UPX is a “packer” program that compresses executables making them effectively smaller. But since compression increases the entropy of the executable, or in other words garbles the contents in the executable, packers are used to sneak malwares and evade a number of security tools.

We can use the upx command line tool to unpack a executable using the command upx -d <executable>

I unpacked the binary to calc_unpacked.exe, but this will turn out to be not necessary at all.

I ran the strings utility on the executable trying to find some clues to deduce what kind of functionality the program has. While the unpacked version provided with function names used in the program they weren’t enough to make things clear. But then I saw a XML amidst the outputs.

It seemed to be a manifest of some kind, and has the name “AutoIT” in it. I actually had no idea what it was. I never even heard of it at that point. A quick internet search provided the needed details. AutoIT is a scripting language that can be used to automate windows UI and things.

So that led to another question “What is a script doing in a executable?”. That was also quickly answered with a few more searches and I even found a tool called AutoIt-Ripper that can extract AutoIT scripts from executables.

I didn’t understand what most of the code does, but the base64 string did catch my eye right away. So I decided to decode what it does.

I didn’t know what this was either. But the #@~^ at the start and ^#~@ at the end strongly suggested this is not random data. I found the start in Wikipedia’s list of file signatures and it seems it is encoded VBScript. If it’s encoded there must be ways to decode it.

After searching for a little I found several decoders for the job. Like this one, a vbe-decoder repo from the challenge author himself and even cyberchef had a recipe for it. I decided to go with cyberchef for the job.

Decoding the script, I noticed that it is not VBScript, but JavaScript. I put on a JS beautifier to read the code better. I put the code in decoded.js. The function does some decoding stuff, but I was more interested in the part below the function.

I did know what was in variable m though. This is called uuencoding. This is another binary to text encoding like base64 but was first devised to transfer data between unix machines. Hence the name u-u-encoding. So the script has function a to decode the data, create a new user LocalAdministrator, use the decoded data as password, add the user to administrator group and then run calc.exe (again I guess).

So it seems straightforward right? Decode the uuencoding and we should probably have the flag right? Well, yes but no. The encoded data in the javascript is not standard encoding. So only function a can decode it. So I put the function in my browser’s javascript runtime and used console.log to print the output.

No output? How? I know this was crazy thinking but I thought “Perhaps it will only work on a windows runtime”. The return value will be the password of the user LocalAdministrator. So if I execute calc.exe in a virtual machine and then extract password from the account, I could have the return value.

Guess what? The account was indeed created after I executed it, but it had no password. So I thought I went down the wrong rabbit hole and started performing dynamic analysis with flare-fakenet, ProcMon, x64dbg and quite others. But nothing seemed to make much sense.

After sometime I decided to take good look at the function code. And then it caught my eye.

The function returns only a substring of the decoded string. So what was in the entire string? I then added console.log(c) before the return statement and ran the code again in my browser’s runtime.

So yeah there was the flag. I was literally looking at it the whole time but it still managed to evade.

Miscellaneous - Base-p-

Sat, 26 Apr 2025 17:51:33 +0530

Base-p-

Challenge Statement

Author: Izzy Spering

That looks like a weird encoding, I wonder what it’s based on.

Attachment: based.txt

Solution

The attachment is a text file. Opening it, the contents were in a language I didn’t know.

I tried to translate the contents using google translate which detected it to be Cantonese. The title suggest some sort of base encoding so does the challenge description.

I was looking for encodings specifically base encodings that outputs such characters. Incidentally, I stumbled upon several writeups from Huntress 2023 challenge baseffff+1 such as this one . And it seems the challenge text followed a encoding base65536. It seemed similar to the one I have now.

I found a online decoder that decodes base65536. So I tried it.

It seems that now we just have a plain base64 encoded data. I put the contents in a file unbased.txt. So decoding base64 data, we have some more data.

At first I couldn’t make sense of what this is. But the ‘mg’ at the start of the file made me think it must be a file signature. So I ran the output through file utility.

So this is a gunzip archive. I put the output contents in a gunzip archive compressed.gz and extracted it using the gzip utility. Extracting the contents gave a single file. Running file utility reveals it to be a PNG image.

Since it is a PNG file, I opened it to view it’s contents. It seems to be a strip of colors. What it was? I had no idea.

I examined EXIF data, ran the strings utility, viewed the hex code of the image. After hours of scratching my head and searching for encodings in images and many more, nothing came up. Then I showed it to my friend, who jokingly told me what if the data is the hex codes of color of the images. But guess what, it made sense. There are 13 colors. 3 bytes for one color. 39 bytes of data. 39 characters. The flag usually contains 38 characters.

So I used a color picker to read the hex color code of each color and put them in the file color_codes.

Now this makes a lot of sense if you know your hex codes. So we just need to convert this to string. That can be achieved by:

cat color_codes | tr -d ' ' | xxd -p -r

There it was. Sometimes we just need a fresh perspective to look at things.

Miscellaneous - Linux Basics

Sat, 26 Apr 2025 17:51:33 +0530

Linux Basics

Challenge Statement

Author: @aenygma

You’re expected to answer a series of questions to get the flag.

To view the questions, and answer them, you’ll use the answer tool.

Display questions: answer

Answer a question: answer x where x is question number.

Note: This challenge was accompanied with a per-user instance

Solution

Spinning up the per-user instance for the challenge I was able to connect using netcat to a “shell”. Except it wasn’t a shell but a relay of data using socat. Anyway once I got in I was greeted with a message and as per the challenge description I ran answer to see the questions.

The entire challenge is easy if you know your way around a bash shell.

Question 0: What's your home directory?

Using pwd command I checked which directory I am currently at. I was in the home directory of a user named user. So the answer is /home/user

Question 1: Search the man pages. What command would you use to generate random permutations?

I didn’t refer the man pages, but a quick search on internet gave me the utility shuf. It’s one of the core utilities of linux systems apparently. So that was the answer.

Question 2: On what day was /home/user/myfile.txt modified? Use the date format 2019-12-31 Question 3: How big is /home/user/myfile.txt, in kilobytes? Round to the nearest whole number. Question 4: What user owns the file /home/user/myfile.txt Question 5: What's the 3-digit octal permissions of the file /home/user/myfile.txt? (e.g 777)

Now all these questions are centered around myfile.txt in the home directory. So all it takes is the output of ls -l command.

For question 2, the date modified is Aug 29 1997 as seen from the output. Putting it in format required it is 1997-08-29.

For question 3, the size of the file myfile.txt is required. It is the 22200 number that is the size. But this is in bytes. 1 kilobyte is 100 bytes. So 22200 bytes is roughly 22.2 kilobytes. Since they asked to round to the nearest whole number, 22 is the answer.

For question 4, the user that owns is the 3rd column in the output. The next to that is the group that owns the file. But since we just need the user who owns it, it is root user. So answer is root.

For question 5, we need the 3-digit octal permission of the file. We don’t directly have the answer, but we can calculate it from the permissions column which is the first column. The first column is filled with 10 characters. Ignore the first character as it tells us what type of entry it is. The rest of it can be used to derive the octal permission. Each triplet in the 9 characters correspond to one digit in the octal. With r - 4, w - 2, x - 1 and -(dash) - 0. So the octal permission is (4+2+1)(4+1)(4) = 754. That’s the answer.

Question 6: What is the user id of 'admin'?

We can simply use the id command to view the ID related to admin account. So according to the output, it is 1338.

Question 7: There is a user 'john' on the system. Can they write to /home/user/myfile.txt? (yes/no) Question 8: Can the 'admin' user execute /home/user/myfile.txt? (yes/no)

Now again we go back to myfile.txt. So again we just need the output of ls -l for this job.

For question 7, as we can see the ‘w’ is set only for the user. So only the user who owns the file can write to it. So, no, john cannot write to it.

For question 8, the execution flag ‘x’ is set for both user and group who owns the file. And admin happens to be the group. So yes, admin can execute the file.

Question 9: Which user on the system, except for you, root, admin and john, can execute /home/user/myfile.txt?

For question 9, if we recall from question 8, only the user and group who owns the file can execute it. So the user who owns it is root. But what about the group. If anyone other than the given list of user can execute it, they must be a member of group admin. So examining /etc/group, we can notice a user rose in the group admin. So yeah, that user can execute the file.

Question 10: /home/user/myfile.txt looks like a txt file, but it actually isn't. What kind of file is it?

So it is not a text file? When in doubt, use the file utility. It reveals that it is a JPEG image. So the answer is jpeg.

Once I give that answer, the program gives me the flag. So that’s it? Well yes, but no.

My curiosity wanted me to know what that image is. So I exfiltrated it. For anyone wondering, the tool xxd was available. So I dumped the image. Copied the dump to somehexdump and did the reverse operation on my machine to somejpeg.jpeg. Opening the file I found:

Hmm. That seems like something. Something great. Or some great rabbit hole. Or a wild goose hunt. I don’t know. I spend some time snooping around the instance trying to look for things but then I moved on to the next challenge. So if I find anyone who found it (if it is real) I’ll update.

Miscellaneous - Malibu

Sat, 26 Apr 2025 17:51:33 +0530

Malibu

Challenge Statement

Author: Truman Kain

What do you bring to the beach?

NOTE: There are two things to note for this challenge.

This service takes a bit more time to start. If you see a Connection refused, please wait a bit more.
This service will not immediately respond or prompt you… it is waiting for your input. If you just hit Enter, you will see what it is.

Extra tip, once you know what the service is, try connecting in a better way. Then use some of the context clues and critical thinking based off its response and the challenge description. You don’t need any bruteforcing once you understand the infrastructure and enumerate. ;)

Note: This challenge was accompanied with a per-user instance

Solution

Spinning up the per-user instance for the challenge I was given a command line to connect to a instance using netcat. It printed nothing. No prompt. Just like they told in the challenge description. So it seems it is waiting for some input, not sure what. I typed in a hello, because I had to give it something.

HTTP? Bad Request? So is this a HTTP server? One way to find out. I crafted a valid HTTP request (fancy way of telling I typed it). Since I did not know what endpoints are available I just requested a /testing endpoint.

This confirms this is definitely a HTTP server. And based on the reply we can deduce a few things. First thing is it is running a MinIO server. I didn’t know what it really was, so I looked it up. The website tells that it is a S3 compatible storage service. Since I have spent some time using AWS, I knew what S3 is. S3 is a simple object storage service that is part of the AWS infrastructure. Users can store their files and data in it.

The reply header X-Amz-Id-2 and X-Amz-Request-Id further supports this point that we are communicating with some AWS infrastructure.

Lastly, the endpoint name I gave is taken as a name of a bucket. Bucket? Yes, S3 allows user to separate files they upload by creating various “buckets”. Each bucket acts as a separately independent storage. So it is logical to assume that we are to query a endpoint that points to a valid bucket name.

Now that brings up the question what is the name of the bucket? I thought a clue to this was in the challenge description, “What do you bring to the beach?”.

I used Burpsuite’s repeater module to modify the endpoint and send requests rather than typing full request bodies. At this point, I was trying every object that I could think of. Sunglasses, towel, sunscreen etc, etc, etc. I even looked up websites with over 75 “essentials” for beach trip. But none worked. It was a 403 error.

You see the answer was right in the face all this time. After all the years I spent watching Tom and Jerry cartoon should have made me realize it. But one can take “bucket” to a beach. Quite ironic huh? Bucket as name for the name of the bucket. So yeah that returned a lengthy XML file.

I copied it and wrote it to xmlCon.xml. After some more internet searches I found that the node Key had the valid endpoints that pointed to files in the bucket. So I put together a python script collect.py to collect them all and write it to out.txt. For some reason I couldn’t find, the XML parser threw error after error. So I just wrote the program to check for the string ‘Key’ in the lines it read and collect the file that pointed.

import requests
import sys

with open('xmlCon.xml') as f:
    cons = f.read()
    
content = cons.split('\n')
keys = []

for line in content:
    line = line.strip()
    if line[:5] == "<Key>":
        keys.append(line[5:-6])

port = int(sys.argv[1])
with open('out.txt', 'w') as f:
    f.write(keys)
    for key in keys:
        con = requests.get("http://challenge.ctf.games:{}/bucket/{}".format(port,key)).content.decode()
            f.write(key+'\n')
            f.write(con+'\n')

Opening the file, I saw a lot of data. I mean lots and lots of data. My thought was that the flag should be encoded in one of these file data. With the amount of base64 encoding I have encountered I thought it was base64 encoded. But to my surprise, none was the data was valid base64 encoding.

So obviously, I thought I was missing something. Maybe a different kind of encoding perhaps? So search, search and search. After quite some time, in a moment of ‘I had no idea what I was even thinking’ I ran grep on the file with ‘flag’ as search string. And guess what, I found the flag. It was right in the face all along. Again.

Moral of the story, overthinking is bad.

Miscellaneous - Time will tell

Sat, 26 Apr 2025 17:51:33 +0530

Time will tell

Challenge Statement

Author: @aenygma

A side channel timing attack.

Figure out the password in 90 seconds before connection terminates.

The password is dynamic and changes every connection session.

NOTE, the password is eight characters long and will be hexadecimal.

Note: This challenge was accompanied with a per-user instance

Attachment: app.py

Solution

Oh this was a good one. I mean they did tell it is side channel timing attack right there. But still we can have fun. We are given a python script app.py. It is not a very big script, so if you want to go through it entirely you are free to do that, but here is the gist of the script.

def generate_password() -> str:
    tmp = secrets.token_hex(PASSWORD_LEN).lower()
    # with open("dump", 'w') as fh:
    #     fh.write(tmp)
    return tmp

This function generates the password that we need to find. It uses secrets module. So no pseudo random passwords. The password will be 8 characters long compromising hex characters as the challenge description tells us.

Now the big guns of the script:

def do_heavy_compute() -> None:
    time.sleep(SIMULATE_COMPUTE_TIME)

def check_guess(guess, realdeal) -> bool:
    if len(guess) != len(realdeal):
        return False
    do_heavy_compute()
    for idx in range(len(guess)):
        if guess[idx] == realdeal[idx]:
            do_heavy_compute()
        else:
            return False
    return True

We have a function do_heavy_compute that just sleeps for 0.1 second. It is made use by the check_guess function below that. Now this is where the base of exploit is. We can draw a number of points from here:

If the length of our guess isn’t equal to the length of the realdeal (the password to guess), it just exits right away.
If both have the same length, then the guesses are iterated with each index. So for every right character we guess from the start, the more number of times do_heavy_compute is called.
If we guess a wrong character in an index the function just returns.

So in summary, if our guess and the password is off same length, then the function or the program will sleep more with as many number of right guesses we have from the left.

One can think that it’s just 8 hexadecimal characters. So 16**8 = 4294967296. All we have is 90 seconds. So no, brute force is not an option.

What we can do is, we can guess 8 character passwords with the varying the leftmost character in the password. One of those guesses must take longer than the others to return. So if we record our timings, the character with most delay must be the valid character in that index. Then we can move the next one in the right. Moving right and right, the program will take longer periods of delay if we are building the right password.

I then spun up the instance just to see how the service is. It was a netcat connection.

So we got some text, a prompt and incorrect messages. In 90 seconds, I don’t really think it is possible to type in 128 guesses (16 * 8) and time it as well. Of course, python script to the rescue. I put together solve.py to read from the socket and send the guesses and record the timings in a list.

import time
import socket
import sys
import select

chars = [0]*8
seek = 0
timings = []

def getNext() -> str:
    global seek
    global timings
    if seek == 8:
        print("Password should have been obtained")
        exit(0)
    if chars[seek] != 16:
        nextstr = ""
        for i in chars:
            nextstr += hex(i)[2]
        chars[seek] += 1
        return nextstr
    else:
        selected = timings.index(max(timings))
        print("Selected: {}".format(selected))
        chars[seek] = selected
        timings.clear()
        seek += 1
        return getNext()

def readFromSocket(soc: socket.socket) -> str:
    readBuffer, _, _ = select.select([soc], [], [], 0)
    if readBuffer:
        fromserver = soc.recv(2048).decode()
        return fromserver
    else:
        return ""

if __name__=="__main__":
    nextpass=""
    cSoc = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
    cSoc.setsockopt(socket.SOL_SOCKET,socket.SO_REUSEADDR,1)
    cSoc.connect(('challenge.ctf.games',int(sys.argv[1])))
    start = time.time()
    while True:
        inLine = readFromSocket(cSoc)
        if inLine == "":
            continue
        diff = time.time()-start
        timings.append(diff)
        print("    Timing: {}, value: {}, Server: {}".format(diff, nextpass, inLine),end="")
        nextpass = getNext()
        cSoc.send((nextpass+'\n').encode())
        start = time.time()

The code is mostly self explanatory, but let me give a quick run down. Function getNext generates the guesses based on the value of variable seek starting from 0 to 7, hence mimicking moving left to right. I used a list of integers to house the guesses as we are working with hex numbers. On each complete iteration on a particular seek, it goes from 0 to f(15) and sets the character to the highest timing taken to come back. Function readFromSocket is just one of my arsenal functions to deal with the blocking thing of recv function. Then there is main that puts everything together.

All that’s left now is to execute the script, sit back and look out for flag. Since this operation is over the network, it might take more than a couple tries to get things right. Like for instance, in the below execution the timing of the return remains as 0.3 seconds on average across different seek positions. So it is safe to conclude that the right character was not set.

But with a few tries, the timings across the seek positions will vary reliably indicating right guesses. If you are patient enough to try multiple times, it should work. Like the one below:

Overall, this was a good challenge. I had fun will putting together the script. And it kind of mimics certain real-world scenarios based on timing based attacks. So yeah, I liked this one.

Reverse Engineering - GoCrackMe1

Sat, 26 Apr 2025 17:51:33 +0530

GoCrackMe1

Challenge Statement

Author: @HuskyHacks

TENNNNNN-HUT!

Welcome to the Go Dojo, gophers in training!

Go malware is on the rise. So we need you to sharpen up those Go reverse engineering skills. We’ve written three simple CrackMe programs in Go to turn you into Go-binary reverse engineering ninjas!

First up is the easiest of the three. Go get em!

Archive password: infected

Attachment: GoCrackMe1.zip

Solution

Extracting the archive we are provided with ELF executable (linux executable) that is obviously written and compiled with Go language.

Even though this is a reverse engineering challenge, my first thought was to run it. So when I ran it (of course in a virtual machine), I got an “Access denied!” straight. So there is a good chance there is a conditional statement in the binary, that controls the execution flow.

So I decided to do a static analysis and opened the file in Cutter which is a nice frontend for the radare2 tool. Opening it, there was a lot of functions inside that turned up in the analysis. But Go language like most language, starts it execution from main function, I decided to look for the main function.

At first I was focused on the hex data that was being declared and initialized. On a quick look they might seem like data put in different variables across different locations. But you see, they are being written to consecutive locations right after one another. The reason why they are broken is because they are moved to the memory in different instructions. Some decompilers may recognize this and collate them, but the one I used didn’t.

But then I looked below it, and saw a if-else statement. Since I already suspected a conditional statement somewhere that controls the flow, I thought this might be it. Both the if and else block contained a fprintln function which is basically print function in Go. Whatever the case might be, if this indeed is the check I’m looking for then reversing the jump statement that directs the execution flow should execute the other part.

Cutter allows one to patch binaries if opened in write mode. So I made a copy of the binary as a backup if it is not what I think it is and switch to write mode. In Cutter any changes made to the binary in write mode is instantly written to the binary which is in contrast to several other tools which requires some sort of explicit ‘Patch binary’ options to write to binary.

So now, I’m looking for a jump statement in the disassembly.

As I skimmed through the disassembly, the disassembler could locate the call that goes to the function checkCondition. Following it is a test instruction and a je (jump if equal) condition. So basically this je instruction is what I’m looking for.

Cutter provides option to edit the instruction in such a way to reverse the jump, that is change je to jne. This turns the execution around.

Now that I’ve reversed the jump now, all I have to do to test my theory is to run it. Which indeed provides the flag.

Even though I got the flag, I still wanted to check if the data I was focused on previously was indeed the data that was xored to give the flag. So I opened cyberchef, copied the data in it and put the key. You may find the key at the other end of the expression in the for loop which is 0x56.

And it indeed was that data. So this could be considered an alternate method to do the challenge.

Reverse Engineering - Stack It

Sat, 26 Apr 2025 17:51:33 +0530

Stack It

Challenge Statement

Author: @sudo_Rem

Our team of security analysts recently worked through a peculiar Lumma sample.

The dentists helping us advised we floss at least twice a day to help out.

He also gave us this weird file. Maybe you can help us out.

Attachment: stack_it.bin

Note: This challenge was accompanied with a per-user instance

Solution

Running file command on the attachment, we can see that it’s an ELF executable.

Since this is a Reverse Engineering challenge I decided look into the disassembly. I used Cutter with Ghidra decompiler plugin to disassemble and decompile the ELF binary for me.

Luckily there was only one function in the ELF executable and it was fairly easy to understand. Let me walk you through it. Below is the screenshot of the decompiled function:

First thing we can notice is some data is written directly to the memory addresses 0x0804a050 till 0x0804a054.

And if you look at the data it is writing, this is hexadecimal for the characters f, l, a, g and {. Seems familiar huh?

Next up we can notice variables puVar7 and puVar8 (names given by the decompiler), are initialized to some strings each. It doesn’t matter much right now, but it will in a moment.

We can also see another variable, a pointer to be specific, is made to point the address 0x0804a055. This is right after where the program wrote the ‘{’ character above.

Then there is a loop where the contents from puVar7 and puVar8 are XORed and put in the address of puVar4 incrementally, which is just a temporary pointer with same address as puVar2, the original pointer.

Once the loop is over, couple bytes of data is put at the end of it. It is 0x7d which is the ‘}’ character and the 0 is essentially the null terminator. So this is our flag. But if you follow along the code, you’ll notice data is written again starting from 0x0804a050 which is the start of the flag.

So essentially, our flag is written to the memory, actually in the stack as it is a local variable, and then rewritten again. So to acquire the flag, we have to stop the execution midway and read the memory directly.

We can use a debugger, a program that can stop execution of a running program and analyze it from various perspectives. It was originally intended for programmers to debug programs, but the print (or cout) statement method is widely used (so do I). So mostly it is used for reverse engineering and malware analysis.

Anyway I went with using the GNU debugger (gdb) to get the job done. Oh and yeah, we are about the execute an unknown binary in a control manner, but still executing it. So it is advisable to do this in a virtual environment so that your main system is not affected. Checkout my hacky script to quickly setup a arch linux vm.

On loading the program with gdb, we can see that there is no symbols loaded required for “debugging”. Simply put we cannot disassemble the code directly.

But we already have the address actually. Cutter already disassembled the code and the assembly code is under the disassembly section.

So we need address of the instruction right after the insertion of ‘}’ character into the address space. So that address seems to be 0x8049045. So all I have to do is set a breakpoint at that address and examine the address space at 0x0804a050.

Set up a breakpoint at 0x08049048 using command break *0x08049048, then run the program to hit the breakpoint. Examined the address 0x0804a050 with x/30s 0x0804a050 ( x - examine, 30 - 30 spaces, s - string format ). Why 30 strings? Not sure why but I do it like that. So yup, there’s the flag.

Scripting - Base64by32

Sat, 26 Apr 2025 17:51:33 +0530

Base64by32

Challenge Statement

Author: @JohnHammond

This is a dumb challenge. I’m sorry.

Attachment: base64by32.zip

Solution

Unzipping the archive we are given with a text file, base64by32. Opening this file, we see a lot of data in strings. If you are familiar with few types of encodings of binary as text, you may recognize this as base64 encoded data right off the bat. Or you can infer that from the title of the challenge as well.

So I decided to decode the data with command line base64 utility.

The result of the decoding is also base64 encoded data. Since the lines of data are huge, this made to believe there were lot of rounds of encodings done on the data. So how many times, since the title hints “-by32”, I thought this indicated 32 rounds of decoding is required. So I put in a python script solve.py with the contents:

import base64

contents = ""
with open("./base64by32") as f:
    contents = f.read()

for i in range(32):
    contents = base64.b64decode(contents.encode()).decode()
print(contents)

Basically I made use of the base64 module of python library and looped the data again and again for 32 times. And my hunch was right. After 32 rounds of decoding the program put out the flag.

Scripting - Echo Chamber

Sat, 26 Apr 2025 17:51:33 +0530

Base64by32

Challenge Statement

Author: @JohnHammond#6971

Is anyone there? Is anyone there? I’m sending myself the flag! I’m sending myself the flag!

Attachment: echo_chamber.pcap

Solution

We are presented with a PCAP file. This is data from packet capture and can be opened and read by tools known as packet analyzers. I used a tool called Wireshark.

Opening the PCAP file, I see only ICMP packets.

There were 31,934 of them to be exact. This could be overwhelming at the start. But we can cut the number to half because they are all echo request and reply packets. They are used to see if there is connectivity between two hosts. A host puts out an echo request packet with some data in it. If it reaches the destination host successfully, it is echoed back, that is, the data is sent back as it received it. So if the data in both request and reply is same, we can choose to filter only one of them.

I used the filter icmp.type == 8 as request packets have their type field as 8. Reply packets have type 0, so icmp.type == 0 will also achieve the same result, except it will display the reply packets.

We still have 15,967 packets. So somewhere in those packets, maybe one or a few packets should contain the flag. I don’t know any methods to sieve through them, I just press the arrow keys to move swiftly across packets.

Another thing about these kind of challenges is they try to bury us with the large number of potential targets. So as a rule of thumb I usually start from the bottom and make my way to the top. But that’s just the way I work and this case it was beneficial to me.

When I reached packet with ID 31847, I noticed the data filled with } character. Slowly moving my way up, it was filled with hexadecimal characters, then a { character and then the characters g, a, l, f. The f character was in the packet with ID 31773.

Hence I found where the flag is. I could have copied it down one by one. But decided to write a script to do the job for me. As always I put together a python script. But before that I need some utility to extract the from the exact packets. This can be done by many ways, but I chose to use the command line utility tshark.

First I need to devise a command with tshark to list just the data. The command I ended up using was:

tshark -r echo_chamber.pcap -Y "frame.number >= 31773  && frame.number <= 31847 && icmp.type==8" -T "fields" -e "data.data"

The -r switch specifies the file that the program should be reading from. The -Y switch is used specify the filter expression. We need packets of type 8 (echo request) and packets between ID 31773 and 31847. That is what the filter expression does. The -T switch allows us to edit the output and fields specify we are going the edit the fields that are going to displayed. The -e switch is used to specify the what we want to display and in this case we want the packet data.

Now that we have the data but it is repeated and appears to be in hex rather than characters shown in wireshark. This is probably because tshark deals with that as hex values or I should have been more specific in the command. Nevertheless this is fine.

So with this data I put together a python script solve.py, to take the output of the command, parse it, and the unhex the data to get the flag.

import subprocess
import shlex
import binascii

if __name__=="__main__":
    cmd = 'tshark -r echo_chamber.pcap -Y "frame.number >= 31773  && frame.number <= 31847 && icmp.type==8" -T "fields" -e "data.data"'
    content = subprocess.check_output(
            shlex.split(shlex.quote(cmd)), shell=True, stderr=subprocess.STDOUT
        ).decode()
    content = content.split("\n")
    hexvals = "".join([con[:2] for con in content])
    print(binascii.unhexlify(hexvals).decode())

I used subprocess and shlex modules from the python library to execute the tshark command and did some clean up. Finally used unhexlify from binascii module to decode the output.

Warmup - Cattle

Sat, 26 Apr 2025 17:51:33 +0530

Cattle

Challenge Statement

Author: @JohnHammond

I know it’s an esoteric challenge for a Capture the Flag, but could you herd these cows for me?

Attachment: cattle

Solution

After downloading the file given and reading it, I found it filled with variations of moo, ooo, mmo and so on.

Since I spend some time with esoteric languages I recognized this as a programming language called COW. So all I did was find an online code execution environment and ran it. I used this from JDoodle and got the flag.

Warmup - I Can't SSH

Sat, 26 Apr 2025 17:51:33 +0530

I Can’t SSH

Challenge Statement

Author: @JohnHammond

I’ve got this private key… but why can’t I SSH?

Attachment: privkey

Note: This challenge was accompanied with a per-user instance

Solution

Opening the file reveals that it is a OpenSSH Private key. So in theory it should be able to get us into a SSH server enabled account with the corresponding public key. So I try to SSH into the instance I spun up.

I get an error message stating that SSH key is too open. It is true that SSH keys should not be read by anyone other than the user it was intended to. So I fix it by setting the permission to 600 with chmod as:

chmod 600 id_rsa

Retrying to connect, I was met with another error message.

So I finally decide to take a close look into the file. After a few minutes and a few searches I noticed the newline character was missing at the end of the key file.

So I added a newline with:

echo "" >> id_rsa

Trying to SSH again, I was successfully able to connect to the instance via SSH. The flag was in a file flag.txt right there. Reading the file revealed the flag.

Warmup - MatryoshkaQR

Sat, 26 Apr 2025 17:51:33 +0530

MatryoshkaQR

Challenge Statement

Author: @JohnHammond

Wow! This is a big QR code! I wonder what it says…?

Attachment: qrcode.png

Solution

As we can see the given file is a QR code.

So obviously I scanned it using zbarimg with the command:

zbarimg -q --raw qrcode.png

On scanning the QR code I got a string that looked like this:

\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR\x00\x00 ... \x00\x00\x00\x00IEND\xaeB`\x82

This is binary data. And if you have worked with magic numbers and PNG files, you’d see the PNG file signature and IHDR and IEND which are PNG headers. So what we have is PNG data in binary encoded format.

But the problem is this not exactly in binary. So we need to convert the string to actual binary. So I used python to do the job.

binary_data=b"<data from the png>"
with open('qr1.png', 'wb') as png_file:
    png_file.write(binary_data)

Moving onto the next image, we find another QR code, hence the name of the challenge.

So again I scan the QR code using the same command as above and it gave the flag.

Warmup - Mystery

Sat, 26 Apr 2025 17:51:33 +0530

Mystery

Challenge Statement

Author: @Michael

Someone sent this to me…

such enigma, such mystery:

rkenr wozec gtrfl obbur bfgma fkgyq ctkvq zeucz hlvwx yyzat zbvns kgyyd sthmi vsifc ovexl zzdqv slyir nwqoj igxuu kdqgr fdbbd njppc mujyy wwcoy

Settings as below:

3 Rotor Model
Rotor 1: VI, Initial: A, Ring A
Rotor 2: I, Initial: Q, Ring A
Rotor 3: III, Initial L, Ring A
Reflector: UKW B
Plugboard: BQ CR DI EJ KW MT OS PX UZ GH

Solution

This challenge had no attachment to download. So all we have is a cipher text and some “settings”. From my recollection of the movie The Imitation Game I remember that the Enigma machine had rotors and some sort of plugboards.

That and the enigma in the challenge description strongly suggested we have a enigma cipher with key. I don’t have a enigma machine, luckily I found this decoder. I put in the ciphertext, plugged in the setting and got an output.

I don’t know about you all if you noticed. But I missed it. I thought there was another level of cipher to the output and tried a few cipher decoding but none worked. Then I saw it. The message is right there, except white space in the wrong place. I forgot enigma does that. So copying it to a text editor and modifying it I got:

After some text the flag is given. Since enigma doesn’t support anything other than alphabets, I guessed it is implied we have to put the curly braces in the flag. And it was right.

Warmup - The Void

Sat, 26 Apr 2025 17:51:33 +0530

The Void

Challenge Statement

Author: @JohnHammond#6971

When you gaze long into the void, the void gazes also into you…

Note: This challenge was accompanied with a per-user instance

Solution

This challenge had no attachment to download. We are to use netcat to connect to a given instance. Doing so printed grey block characters such as in the image below:

At first I had no idea what it was. I redirected the output to a file with the below command and opened it in a text editor and it was not really readable to start with.

So based on the challenge description I decided to run it for something thinking it was a sort of timing thing. Run it long enough and maybe it prints out the flag. So I did it.

I ran it quite a while and got bored. I have habit of dragging and selecting text when I’m waiting for some command to finish up. I did that and noticed some text move in the output. I stopped the program and started selecting the text and the flag was right there.

I’m not sure whether this is the intended way to solve this. But yeah, got the flag.

Warmup - Too Many Bits

Sat, 26 Apr 2025 17:51:33 +0530

Too Many Bits

Challenge Statement

Author: @JohnHammond

What do all these ones and zero’s mean!?! We are in the Warmups category after all…

01100110 01101100 01100001 01100111 01111011 01100100 00110000 00110001 00110100 00110111 00110001 00110111 00110000 00110010 01100001 00110001 00110000 00110001 00110011 00110100 01100011 01100100 01100001 01100100 00110001 01100100 01100100 01100100 01100101 00110000 00110110 00110110 00110111 00111000 01100110 00110010 01100110 01111101

Solution

This was a challenge from day one. Pretty obviously binary data. Pasted it in Cyberchef and got the flag.

Warmup - TXT Message

Sat, 26 Apr 2025 17:51:33 +0530

TXT Message

Challenge Statement

Author: @JohnHammond

Hmmm, have you seen some of the strange DNS records for the ctf.games domain? One of them sure is odd…

Solution

The challenge description suggests some strange DNS records with ctf.games I decided to lookup the DNS records. Further the title of the challenge says more. Since I put some time studying DNS protocol I am familiar with a TXT query type that pulls the text data given by the domain administrator.

Hence using the dig command from the bind with the query:

dig -t TXT ctf.games

We find a bunch of data in the answer section. It took me a few minutes but I recognized it is octal data. So plug it into Cyberchef and I got the flag.

On a unrelated note, I found there is a link to od in the challenge description which is a tool for octal dump while writing this writeup, suggesting we might encounter octal data. But I didn’t notice it.

Warmup - Typo

Sat, 26 Apr 2025 17:51:33 +0530

Typo

Challenge Statement

Author: @JohnHammond

Gosh darnit, I keep entering a typo in my Linux command prompt!

Note: This challenge was accompanied with a per-user instance

Solution

This challenge requires us to SSH into a provisioned per-user instance with the given password. While doing so, I was met with a train.

If you have been around the linux community for sometime, you should have been familiar with the sl command. This command was intended to show the user that they mistyped ls in a fun way.

But our problem is the connection shows us the train and exits without providing us a chance to interact with the instance. I thought it was because of hard-coded .bashrc file that contained sl command and made the shell exit.

So I worked around it with by specifying the shell to use when connecting to the instance. Since my theory was that it was because of .bashrc file, I intended to use another shell other than bash. Since almost all system contains the sh shell, I thought of using it.

With the following command, I SSHed into the instance and this time I got an interactive shell.

ssh -p <port> user@challenge.ctf.games -t /bin/sh

The flag was in a flag.txt in the directory right there.

Warmup - Unbelievable

Sat, 26 Apr 2025 17:51:33 +0530

Unbelievable

Challenge Statement

Author: @JohnHammond

Don’t believe everything you see on the Internet!

Anyway, have you heard this intro soundtrack from Half-Life 3?

Attachment: Half-Life_3_OST.mp3

Solution

Downloading the file, it seems to be an MP3 audio. So I played it with aplay from ALSA driver. It actually played but it was just random noise for a couple seconds.

Since the challenge description tells about misinformation I decided to check if it is really a audio file. So I checked it with the file utility.

So it appears this is not an audio at all. I have no idea how aplay played it. So anyway treating it as a image file and I opened it and the flag was in the image.

One might use OCR techniques to read the flag or just type from it manually.

Bonus point: If you use something like the ranger file browser, it just shows you the flag directly. No fuss.

Warmup - Whamazon

Sat, 26 Apr 2025 17:51:33 +0530

Whamazon

Challenge Statement

Author: @JohnHammond

Wham! Bam! Amazon is entering the hacking business! Can you buy a flag?

Note: This challenge was accompanied with a per-user instance

Solution

Starting the instance, I was provisioned a URL to an page. It was a GoTTY application. I was greeted with a menu to begin with.

Examining the inventory, it tells that we have to buy something.

So, I decided to look at what was for sale.

It appears we have 50 dollars in my account and among many items the flag was also listed. So I went ahead and tried to buy it.

So we need quite the sum of money to buy the flag. At this point I thought there would be some session variable or token that contains the available balance on my account. I even went to inspect the web socket traffic and decode it in attempts to find it.

And then it hit me. I tried to buy -1 quantity of Apples. And it worked.

So it is one of the oldest tricks in the book, insufficient input validation. So we should be able to use this to add money to our account and buy the flag. And that’s exactly what I did.

So now that I have the balance I went ahead and bought the flag. But that’s not it. I was invited to a Rock, Paper, Scissors and the program said it won’t choose scissors. So I chose rock. It was a tie.

It played rock everytime, so when I chose paper I won and it said the flag was added to my inventory.

Then I quit the game and the buy menu and opened my inventory. The flag was right there.

The Bin in the Dump - EchoCTF Writeup

Mon, 21 Apr 2025 22:27:44 +0530

Introduction

This writeup deals with the The bin in the dump challenge from EchoCTF. This challenge focused on forensic examination of a filesystem image. A compressed gunzip archive the_bin_in_the.dump.gz contains the filesystem image to be examined.

Challenge Statement:

This forensics exercise is about demonstrating some basic tasks that are required in order to trace an attack on a compromised system.

The actual data are illustrative and no actual trojans or exploits exist in any of the files

You are given a filesystem dump and you are tasked to find and report the following details...

Writeup

First things first. Before jumping into the questions we need to understand what kind of file system we are dealing with.

So the output of file command tells us this is a linux-based EXT3 file system. Now we can try to list some contents of the file system using fls from The Slueth Kit.

It looks like we got a root file system at our hands.

Now the questions. The questions are not answered in order as a single output command can give more than one.

Q3. What is the UUID of the filesystem? (100 pts)
Analyze the file and provide the UUID of the filesystem as an answer

As from the file command, we already know the UUID. So that’s one.

Q1. What is the filesystem LABEL? (100 pts)
Analyze the file and provide the filesystem LABEL as an answer

Q2. What is the last folder this file system was mounted under? (100 pts)
Analyze the file and find what was the last folder this file system was mounted under. Provide the folder name verbatim as an answer.

Q4. When was the filesystem created? (100 pts)
Analyze the filesystem and report what was its creation date and time in UTC. The date format is: YYYY-MM-DD HH:MM:SS

Q5. When was the filesystem last write time? (100 pts)
Analyze the filesystem and report what was the last write date and time in UTC. The date format is: YYYY-MM-DD HH:MM:SS.

Now, all this information can be obtained in a number of ways. Here we use debugfs. Using the tool with the -R option allows us to execute a single “request” command. Otherwise the tool is interactive. It’s quite the loaded tool for debugging and examining EXT2/3/4 file systems.

Now we have a lot of information on the screen. We have our filesystem label as the volume name, Last mounted on folder name, file system creation date, last write date among them. Note that there is a matter of localization in the dates. The question specifies we need it in UTC, but I’m on IST, so I had to convert the time.

Q6. What is the file modified by the attacker? (150 pts)
Analyze the filesystem and report what was the full path of the filename that was modified by the attacker?

Now it’s time to get a little creative. Assuming that the file system dump was created after the supposed “attack”, the file modified by attacker needs to have the most recent last modified date. Now I’m not familiar with ways to directly find out the most recently modified file directly.

So I dumped all the files in to my local file system using a tool called testdisk (about the tool). This can also be used to recover recently deleted files.

The tool has a ncurses-like interface with nice hints. So it is pretty self-explanatory. One can also use tsk_recover tool from TSK for the same purpose as well. But the problem is tsk_recover does not preserve the modification date from the original file.

Now you can use the basic ls command in long list mode to find the most recently modified one manually. But we can use find tool with some pipeline magic to do that for us. The following is the command I ended up going with:

find output -type f -exec stat --format '%Y |%y %n ' '{}' \; | sort -nr | awk -F'|'' '{print $2}' | head -10

On top of the list we have our answer which seems to have modified in 2006. The others are from 2002. So that’s our answer.

Q7. What is the full path of the ETSCTF binary that got deleted? (250 pts)
Analyze the filesystem and report what was the full path of the ETSCTF file (the file may have extension)?

Now any file we delete is not actually wiped from the disk by default. Their inodes are declared as free and will be overwritten eventually. But until that happens the data is still present in the same location. Most data recovery programs use this.

Parsing through all the inodes can be a tedious task. Lucky for us, TSK provides a tool fls that is used to list all the files in a file system image. One can make it to return only deleted entries with the -d option.

Above is a snippet of the output. Note that we have a few entries with a non-zero number and others with a 0. As far as I know we can only recover the non-zero entries. The numbers are nothing but the inode numbers of that particular file or directory. So I think a zero means overwritten inode.

Among the entries we have a peculiar directory w0W_d1s_iz_a_hidden_f0ld3r. Yes it is a directory. Notice the ’l’s, ‘r’s and ’d’s? That’s what kind of data was stored in that inode. ’d’ means directory.

But the question is for a file. So maybe it is in the directory? But if it was in the directory and if it was recoverable it should be in the dumped files right?

Nope. Not there. It’s an empty directory. But let’s not give up just yet. There is tool called extundelete(about the tool) that is specific for recovering data from EXT partitions. Using the --restore-all option we can see 2 inodes are recovered.

Listing the files recovered, we have:

So there is our deleted file and the answer.

 Q8: What is the flag that would have been displayed by the ETSCTF binary? (300 pts)
Analyze the filesystem and restore the deleted ETSCTF file. If you only change the first 2 bytes you may be able to run this... If you run this you will be able to get a flag. Give it as an answer here verbatim

By looking at the hex dump, we can say it is not a JPEG. But it doesn’t have any other known file signature as well. But the question says we have to modify the first 2 bytes. So what should we change to? The third and fourth bytes are ‘L’ and ‘F’ respectively. So it is safe to assume that this may be an ELF binary.

Open the binary in a hex editor of choice and change the first two bytes to “7F 45” as the file signature for ELF is “7F 45 4C 46” according to wikipedia.

Do that and slap on the executable bit on the binary with chmod +x, we can execute it. Executing it yields:

Conclusion

And that brings the challenge to an end. I wouldn’t say it as easy as the challenge description puts it. But if you’re strong with the fundamentals and know how to search for tools to do things, it is doable.

About Me

Mon, 01 Jan 0001 00:00:00 +0000

Hello there!!

I’m Monish. Generally speaking a Cybersecurity and Linux Enthusiast, but always curious about computers in general.

Education and Certifications

Masters in Technology: Computer Science and Engineering (Pursuing).
Bachelors in Technology: Information Technology (2020 - 2024).
CompTIA Security+ SY0-701 Certified.
CCNA: Introduction to Networks.

Skills and interests

Proficient in Python, Go, Bash, C/C++, Javascript, Java. Quite good with the backend stuffs, frontends on the other hand are not really my forte. Can also work with SQL and NoSQL databases.
Know my way around operating systems. Linux, BSDs and even Windows. Have been a mainstream linux user for several years. I use arch btw.
In Networks, I have spent a fair share of time studying protocols, inspecting packets in Wireshark and socket programming.
Good with cloud environments. So far played around with AWS and GCP only. But you know names change, but the tech is mostly the same.
And can go on and on about tools. Familiar with operational tools like virtualization(QEMU), Containerization(Docker and Kubernetes) to Security tools like Firewalls, Pentesting tools (Metasploit, Burpsuite, etc…).
Thanks to the endless CTF challenges, I can do anything from Static and Dynamic Malware Analysis, basic forensics, web exploitation, log analysis etc. Quite good with tooling around these areas as well.
Lately been experimenting and learning on using eBPF.

Contacts

Search

Mon, 01 Jan 0001 00:00:00 +0000