HackFest iHack 2020 MalwareTheFlag Write-up


HackFest conducted the iHack CTF on June 20th and 21st. iHack was targeted towards beginners who were looking to get a taste of CTFs. I was part of the MalwareTheFlag team and four of my challenges were available during the CTF. This blog post is a write-up of those four challenges. Write-ups for the other challenges by the MalwareTheFlag team are written by Libra (challenges: Repetition is boring, Vault, Go with the flow, VBA hurts my eyes) and b1nary (challenge: Cant be real).

Challenge: Linkin The Flag

Your music was Crawling with passion,
Your screams brought us One Step Closer to Burn It Down,
Your pain made us Numb,
In the End, you helped everyone but no one helped you.
Rationale

Malware often stores strings, configuration and other data in encrypted form. These need to be decrypted to learn more about the malware, such as its C2 domains, target domains, etc. Brute-forcing such data is useless in most cases. The easiest method is to find the encryption key. Sometimes these keys are hard-coded in the malware binary, which helps reverse engineers.

Solution

This challenge was created in memory of Chester Bennington, the lead vocalist of the band Linkin Park. The challenge required the user to install the necessary libraries on a Debian-based distribution such as Ubuntu, listen to the melody played by the challenge script and identify the band. The script accepts the user input (the band name) as the key to RC4-decrypt the flag.

$ python3 challenge.py
fluidsynth: warning: Failed to set thread to high priority
What is the band name? (Include space)
Linkin Park
Decrypted flag: mtf{ch35t3r_f0r_l1f3}
If the flag isn't l33t, neither are you.
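The RC4 step described above, as an added example that is not the challenge's own script: a textbook RC4 (KSA + PRGA) keyed by the band name, with the ciphertext constructed here from the page's flag so the block runs stand-alone.

```python
# Added example (not the challenge's own script): RC4 decryption keyed by the
# band name, as the Linkin The Flag solution describes.
from typing import Iterator, Optional

def rc4_keystream(key: bytes) -> Iterator[int]:
    """Key-scheduling algorithm followed by the PRGA, yielding keystream bytes."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):                       # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:                                # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))

def decrypt_flag(band_name: str, ciphertext: bytes) -> Optional[str]:
    """Return the flag if the key yields a plausible 'mtf{...}' string, else None."""
    plain = rc4(band_name.encode(), ciphertext)
    try:
        text = plain.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.startswith("mtf{") and text.endswith("}") else None

# Constructed ciphertext: the page's flag encrypted under the page's key, so the
# example is self-contained; the real challenge shipped its own blob.
FLAG = "mtf{ch35t3r_f0r_l1f3}"
CIPHERTEXT = rc4(b"Linkin Park", FLAG.encode())

if __name__ == "__main__":
    band = input("What is the band name? (Include space) ")
    print("Decrypted flag:", decrypt_flag(band, CIPHERTEXT) or "not l33t enough")
```
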
Solve Stats
19 solves (24% solve ratio)

Challenge: Chronos

The Phantom Troupe had been going rampant for more than a decade with their malware
and development tools. Kurapika, head of the vigilante group Scarlet Eyes, decided
to bring them down. From underground intelligence sources, he knew that the leader
of the Phantom Troupe, Chrollo Lucilfer had malware development details on his system.
Kurapika decided to exfiltrate this information and also encrypt it.

Chrollo found out that critical malware development details had been encrypted on his
system. He saw that the access time of the encrypted files was 29 May 2020 12:23:13 PM
GMT. The malware binary was named "chronos_encrypter.exe" and a note said, "The quest
for time reveals the answer".
Rationale

Ransomware encrypts files on its target. There is no guarantee that the ransomware operator will actually provide the decryptor once the ransom is paid. In the absence of a data backup, it becomes critical for the organization to find a way to decrypt the files themselves. Ransomware obtains its encryption keys in a variety of ways: hard-coded keys, a pseudorandom key generator, etc. In the case of a pseudorandom key generator, a seed value is used to initialize the generator. If the seed value is known, the generated values can be predicted.

Solution

The seed value can be determined by looking at the title and description (snippet below) of the challenge:

Chrollo found out that critical malware development details had been encrypted on his
system. He saw that the access time of the encrypted files was 29 May 2020 12:23:13 PM
GMT. The malware binary was named "chronos_encrypter.exe" and a note said, "The quest
for time reveals the answer."

Chronos is Greek for time. The description also mentions:

The quest for time reveals the answer.

The above two hints suggest that the decryption key is a timestamp. The description mentions a single timestamp but in human-readable form:

29 May 2020 12:23:13 PM GMT

The challenger was expected to convert the above human-readable timestamp into an epoch value using an online epoch converter.

$ python3 challenge.py
Enter decryption key: 1590754993
Decrypted flag: mtf{chr0n05_n07_cr0nu5}
If the flag isn't l33t, neither are you.
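An added example (not the challenge's own script) of the timestamp-as-seed idea from the rationale: it converts the description's human-readable time to the epoch key, then uses a PRNG seeded with it as a stand-in for whatever generator the real chronos_encrypter used (an assumption), and shows that a nearby guess of the seed is enough to recover the exact one.

```python
# Added example (not the challenge's own script). Python's random.Random is an
# assumed stand-in for the generator the real challenge used; the ciphertext is
# constructed here from the page's flag and timestamp.
import random
from datetime import datetime, timezone
from typing import Optional

def human_to_epoch(text: str) -> int:
    """'29 May 2020 12:23:13 PM GMT' -> 1590754993 (seconds since the Unix epoch)."""
    text = text.strip()
    if text.endswith(" GMT") or text.endswith(" UTC"):
        text = text[:-4]
    dt = datetime.strptime(text, "%d %B %Y %I:%M:%S %p")   # C locale month/AM-PM names
    return int(dt.replace(tzinfo=timezone.utc).timestamp())

def seeded_keystream(seed: int, length: int) -> bytes:
    """Whoever knows the seed regenerates exactly the same bytes."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(length))

def xor_crypt(data: bytes, seed: int) -> bytes:
    """Symmetric: XOR with the seeded keystream encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, seeded_keystream(seed, len(data))))

def recover_flag(ciphertext: bytes, access_time: str) -> str:
    return xor_crypt(ciphertext, human_to_epoch(access_time)).decode("ascii", "replace")

def search_seed(ciphertext: bytes, approx: int, window: int = 60) -> Optional[int]:
    """Even an approximate file time narrows the seed to a few hundred candidates;
    the right one is the only seed whose plaintext starts with the flag prefix."""
    for seed in range(approx - window, approx + window + 1):
        if xor_crypt(ciphertext, seed).startswith(b"mtf{"):
            return seed
    return None

FLAG = "mtf{chr0n05_n07_cr0nu5}"
ACCESS_TIME = "29 May 2020 12:23:13 PM GMT"
CIPHERTEXT = xor_crypt(FLAG.encode(), human_to_epoch(ACCESS_TIME))  # constructed

if __name__ == "__main__":
    key = int(input("Enter decryption key: "))
    print("Decrypted flag:", xor_crypt(CIPHERTEXT, key).decode("ascii", "replace"))
```
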
Solve Stats
18 solves (23% solve ratio)

Challenge: Doppler

In the world of Witchers, none cause as much chaos in the public as a Doppler. They take
the form of another person and hide in plain sight. They frequent the XXD pub even
though that's where most Dopplers are apprehended.
Rationale

Malware often stores C2 domain strings and configuration data, and may even have other binary files embedded within it. One of the first steps in malware analysis is to check the human-readable strings in the binary. This gives the analyst an understanding of what the malware might do. For example, if an analyst sees a domain name string, they can infer that the malware must be using the network stack in some manner and can proceed to look for network-related functions inside the binary. While there are other tools to detect embedded binary files, the easiest way to read human-readable strings is to list them using the strings or xxd command.

Solution

The name of the tool to use is hinted at in the challenge description:

They frequent the XXD pub even though that's where most Dopplers are apprehended.

Using the xxd tool, it’s straightforward to find the flag embedded in the challenge binary.

$ xxd doppler_effect
00000000: 7f45 4c46 0201 0100 0000 0000 0000 0000 .ELF............
00000010: 0300 3e00 0100 0000 3005 0000 0000 0000 ..>.....0.......
...
...
00002070: 0000 0000 0000 0000 6d74 667b 6178 3131 ........mtf{ax11
00002080: 5f30 6e5f 6430 7070 6c33 727d 0a        _0n_d0ppl3r}.
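An added example (not the challenge binary and not xxd itself) of what the two commands named above do: an xxd-style hex dump and a strings(1)-style scan over a constructed ELF-like blob, followed by a search for the flag pattern.

```python
# Added example: xxd-style dump and strings(1)-style scan; the sample bytes are
# constructed to mirror the challenge's layout (ELF header first, flag last).
import re
from typing import List, Tuple

def xxd(blob: bytes, width: int = 16) -> List[str]:
    """Render bytes in xxd's default layout: offset, 2-byte hex groups, ASCII column."""
    lines = []
    for off in range(0, len(blob), width):
        chunk = blob[off:off + width]
        groups = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        ascii_col = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        lines.append(f"{off:08x}: {groups:<{width * 2 + width // 2 - 1}}  {ascii_col}")
    return lines

def strings(blob: bytes, min_len: int = 4) -> List[Tuple[int, str]]:
    """Like strings(1): runs of printable ASCII at least min_len long, with offsets.
    A string split by NUL bytes, or stored as UTF-16, would not show up here."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(blob)]

def find_flags(blob: bytes, prefix: str = "mtf") -> List[str]:
    """Pick 'prefix{...}' tokens out of the recovered strings."""
    flag_re = re.compile(re.escape(prefix) + r"\{[^}\s]+\}")
    return [m.group() for _, s in strings(blob) for m in flag_re.finditer(s)]

# Constructed sample: 64-bit little-endian ELF header bytes, a typical
# interpreter path, and the flag appended at the end.
SAMPLE = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"\x03\x00\x3e\x00\x01\x00\x00\x00" + b"\x00" * 8
    + b"/lib64/ld-linux-x86-64.so.2\x00" + b"\x00" * 16
    + b"mtf{ax11_0n_d0ppl3r}\n"
)

if __name__ == "__main__":
    print("\n".join(xxd(SAMPLE)))
    print(find_flags(SAMPLE))
```
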
Solve Stats
37 solves (47% solve ratio)

Challenge: Insider Trading

Kimimaro was a new recruit at the world renowned stock brokerage firm, "Binwalk
Associates". But he wasn't new to the dynamics of financial markets. He knew that the
prize money could only be made by looking inside the target rather than just the
surface. The rest is history.
Rationale

Malware often contains embedded data which it dynamically extracts, decrypts (if the embedded data is an encrypted executable) and executes or otherwise uses in memory. Anti-virus products have difficulty detecting malicious execution in memory. The easiest way of detecting embedded executables is to use the tool binwalk.

Solution

The name of the tool to use is hinted at in the challenge description:

Kimimaro was a new recruit at the world renowned stock brokerage firm, "Binwalk
Associates".

The binwalk tool can be used to extract the embedded binary within the challenge binary.

$ binwalk -e insider_trading
DECIMAL     HEXADECIMAL     DESCRIPTION
0           0x0             ELF, 64-bit LSB shared object, AMD x86-64, version 1 (SYSV)
8312        0x2078          ELF, 64-bit LSB shared object, AMD x86-64, version 1 (SYSV)
$ cd _insider_trading.extracted/
$ chmod +x 2078.elf
$ ./2078.elf
Flag: mtf{f1l3le55_m4lw4r3_1s_r34l}
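An added example (not binwalk and not the challenge binary) of the signature scan binwalk performed above: it looks for ELF headers anywhere in a blob, checks that the bytes after the magic are sane rather than trusting the magic alone, describes each hit in binwalk's wording (shortened to the class, byte order and type), and carves from the hit to end of file as `binwalk -e` did to produce 2078.elf. The sample blob is constructed with an embedded header at 0x2078 to mirror the page's output.

```python
# Added example (not binwalk): ELF signature scan and carve over a constructed blob.
import struct
from typing import List, Tuple

ELF_MAGIC = b"\x7fELF"
CLASSES = {1: "32-bit", 2: "64-bit"}
ORDERS = {1: ("LSB", "<"), 2: ("MSB", ">")}
TYPES = {1: "relocatable", 2: "executable", 3: "shared object", 4: "core file"}

def make_elf_header(e_type: int = 3, cls: int = 2, order: int = 1) -> bytes:
    """Constructed 64-byte ELF64 header: e_ident, then e_type/e_machine/e_version."""
    endian = ORDERS[order][1]
    return (ELF_MAGIC + bytes([cls, order, 1]) + b"\x00" * 9
            + struct.pack(endian + "HHI", e_type, 0x3E, 1) + b"\x00" * 40)

def find_elf_headers(blob: bytes) -> List[Tuple[int, str]]:
    """Offsets of plausible ELF headers with a binwalk-style description.
    Magic alone is not enough: class, byte order and e_type must be sane too."""
    hits = []
    pos = blob.find(ELF_MAGIC)
    while pos != -1:
        ident = blob[pos + 4:pos + 6]
        if len(blob) >= pos + 18 and ident[0] in CLASSES and ident[1] in ORDERS:
            name, endian = ORDERS[ident[1]]
            (e_type,) = struct.unpack_from(endian + "H", blob, pos + 16)
            if e_type in TYPES:
                hits.append((pos, f"ELF, {CLASSES[ident[0]]} {name} {TYPES[e_type]}"))
        pos = blob.find(ELF_MAGIC, pos + 1)
    return hits

def carve(blob: bytes, offset: int) -> Tuple[str, bytes]:
    """binwalk names the carved file by hex offset (2078.elf) and keeps the tail."""
    return f"{offset:X}.elf", blob[offset:]

# Constructed sample: outer object at 0, a decoy magic with a bogus class byte
# that must be ignored, and a second ELF at 0x2078 like the challenge binary.
DECOY = ELF_MAGIC + b"\x09\x01\x01" + b"\x00" * 13
SAMPLE = make_elf_header()
SAMPLE += b"\x00" * (0x1000 - len(SAMPLE)) + DECOY
SAMPLE += b"\x00" * (0x2078 - len(SAMPLE)) + make_elf_header() + b"payload\n"

if __name__ == "__main__":
    print(f"{'DECIMAL':<11} {'HEXADECIMAL':<15} DESCRIPTION")
    for off, desc in find_elf_headers(SAMPLE):
        print(f"{off:<11} 0x{off:<13X} {desc}")
```
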
Solve Stats
20 solves (26% solve ratio)

Thanks for participating!

I was informed that all challenges by the MalwareTheFlag team were solved at least once. These challenges are a taste of CTFs. There are many CTF events that take place every month and they’re a great place to learn new techniques and develop the mindset necessary to keep poking around. Thanks for participating in iHack 2020 and solving my challenges. I shall see you again at another CTF event!
