Siber Siaga 2023 CTF


Last updated 7 months ago

Team name: Weeeeeeeeee


Forensics

Prefetch

The attachment given (Prefetch.7z) is an archive containing many .pf files.

Following the oR10n Labs prefetch forensics writeup (linked at the end of this post), we used a tool named PECmd to parse the prefetch files, using the command shown above, which we adapted from the writeup.

The result was 2 .csv files:

  1. 20230813174837_PECmd_Output.csv

  2. 20230813174837_PECmd_Output_Timeline.csv

After that, we sorted the 20230813174837_PECmd_Output_Timeline.csv file by its timestamp column. While going through the events in order, we found a suspicious row referencing a directory named “DEFCON”, from which an executable named “DCONTROL.EXE” had been run.

A quick online search showed that DCONTROL.EXE belongs to “Defender Control”, a utility associated with the Windows Defender antivirus.

With this, we submitted the flag “sibersiaga{dcontrol.exe}” and solved the challenge.
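The triage step described above (sort the PECmd timeline by run time, then look for executables run from unusual places or with known-bad names) can be scripted instead of eyeballed in a spreadsheet. The example below is added here and is not part of the original writeup or of PECmd: it assumes the two-column layout of PECmd's `*_Timeline.csv` (column names `RunTime` and `ExecutableName`) and uses a constructed four-row sample; the `\VOLUME{...}` prefix and the `ADMIN` user are invented. The same sort-and-filter approach applies to the analyzeMFT CSV used in the next challenge.

```python
import csv
import io
from datetime import datetime

# Constructed sample in the shape of PECmd's *_Timeline.csv output.
# Column names (RunTime, ExecutableName) and the \VOLUME{...} prefix are
# assumptions about PECmd's format; every row is invented for this example.
SAMPLE_TIMELINE = r"""RunTime,ExecutableName
2023-07-21 02:58:11,\VOLUME{0000-0000}\WINDOWS\SYSTEM32\SVCHOST.EXE
2023-07-21 03:02:40,\VOLUME{0000-0000}\USERS\ADMIN\DOWNLOADS\DEFCON\DCONTROL.EXE
2023-07-21 02:55:03,\VOLUME{0000-0000}\WINDOWS\EXPLORER.EXE
2023-07-21 03:01:42,\VOLUME{0000-0000}\USERS\ADMIN\DOWNLOADS\IMPPSEXEC.EXE
"""

# Executable names that came up in this CTF: Defender Control and the
# renamed PsExec binary from the MFT challenge.
WATCHLIST = {"DCONTROL.EXE", "IMPPSEXEC.EXE"}

# Directories a legitimate service binary rarely executes from.
USER_WRITABLE = ("\\DOWNLOADS\\", "\\TEMP\\", "\\APPDATA\\", "\\PUBLIC\\")


def parse_timeline(text):
    """Parse the timeline CSV and return rows sorted by run time."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "run_time": datetime.strptime(r["RunTime"], "%Y-%m-%d %H:%M:%S"),
            "path": r["ExecutableName"].upper(),
        })
    rows.sort(key=lambda r: r["run_time"])
    return rows


def flag_suspicious(rows):
    """Return (timestamp, executable name, reasons) for rows worth a look."""
    hits = []
    for r in rows:
        name = r["path"].rsplit("\\", 1)[-1]
        reasons = []
        if name in WATCHLIST:
            reasons.append("watchlist")
        if any(d in r["path"] for d in USER_WRITABLE):
            reasons.append("user-writable location")
        if reasons:
            hits.append((r["run_time"].isoformat(sep=" "), name, reasons))
    return hits


if __name__ == "__main__":
    for when, name, why in flag_suspicious(parse_timeline(SAMPLE_TIMELINE)):
        print(f"{when}  {name:<16} {', '.join(why)}")
```

On a real case, read the CSV PECmd wrote instead of the embedded sample; the watchlist is the place to add names from your own threat intel, and the location check is what catches renamed binaries the watchlist misses.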


MFT

We searched for how to analyse an MFT file and learned that “analyzeMFT.py” can parse it, so we ran the following command.

First we specified the file with -f, then -a for analysis, -e for extract and -c to set the criteria as time. The following picture shows the output.

By searching for “imppsexec.exe” in the output, we were able to pinpoint the time of the artifact.

We solved the challenge by submitting the flag “sibersiaga{21/07/2023_03:01:42_AM}”


Incident Response

Linux IR - Who’s there?

After downloading the gz file, we opened it with FTK Imager. From the question, we knew we were looking for an IP address together with a port number.

After opening a few compressed folders and browsing through their contents, we found the IP address and port number, and solved the challenge by submitting the flag “sibersiaga{192.168.8.85_4445}”.


Linux IR - What’s that?

This challenge requires us to find the name of the file.

After opening the “hashes.txt” file, we found some hashes along with file names in the listed paths. Since we were looking for the file name of the webshell, it was highly likely to be “/var/www/html/system_sibersiaga/uploads/file.php”, because threat actors normally install webshells by uploading scripts. We therefore submitted “file.php” as the flag, and it was correct.


Linux IR - Unique things about you?

From the challenge description, we know that the aim of this challenge is to find the hash of the webshell and wrap the hash inside the flag format.

After opening the “hashes.txt” file, we found some hashes. Since we were looking for the hash of the webshell, the entry for “/var/www/html/system_sibersiaga/uploads/file.php” was the obvious candidate, because threat actors normally install webshells by uploading scripts.

The hash for that PHP file is “4b4cc03dbf0e2479d9fc1aadd92ef1bcdce8787b”. We submitted “sibersiaga{4b4cc03dbf0e2479d9fc1aadd92ef1bcdce8787b}” as the flag, and it was correct.
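The reasoning in the two challenges above (a server-side script sitting in an upload directory is the likely webshell, and its hash is the 40-hex-character SHA-1 next to it) can be turned into a small check that also verifies the listed hash against the file's actual contents. This example is added here and is not part of the original writeup; it assumes a `sha1sum`-style “`<sha1>  <path>`” layout for hashes.txt (the real file's layout is not shown) and builds its own constructed file inventory, so every path and hash below is invented, not the challenge's.

```python
import hashlib

# Extensions a web server will execute, and directories that receive uploads.
SCRIPT_EXTS = {".php", ".phtml", ".php5", ".jsp", ".asp", ".aspx"}
UPLOAD_DIRS = ("/uploads/", "/upload/", "/tmp/")

# Constructed file inventory standing in for the disk image's filesystem.
INVENTORY = {
    "/var/www/html/app/index.php": b"<?php echo 'home'; ?>\n",
    "/var/www/html/app/uploads/logo.png": b"\x89PNG constructed sample\n",
    "/var/www/html/app/uploads/file.php": b"<?php // constructed sample upload ?>\n",
}


def sha1_hex(data: bytes) -> str:
    """SHA-1 digest as 40 hex characters, the length seen in hashes.txt."""
    return hashlib.sha1(data).hexdigest()


def build_hash_list(inventory):
    """Render sha1sum-style lines ('<sha1>  <path>') from an inventory."""
    return "\n".join(f"{sha1_hex(c)}  {p}" for p, c in sorted(inventory.items()))


def parse_hash_list(text):
    """Map path -> lower-case digest from sha1sum-style text."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, path = line.split(None, 1)
        entries[path.strip()] = digest.lower()
    return entries


def webshell_candidates(entries):
    """Paths that are server-side scripts inside an upload directory."""
    out = []
    for path, digest in entries.items():
        ext = ("." + path.rsplit(".", 1)[-1].lower()) if "." in path else ""
        if ext in SCRIPT_EXTS and any(d in path for d in UPLOAD_DIRS):
            out.append((path, digest))
    return out


def verify_hash(path, data, entries):
    """True if the listed digest matches the actual file content."""
    return entries.get(path) == sha1_hex(data)


if __name__ == "__main__":
    hashes_txt = build_hash_list(INVENTORY)
    entries = parse_hash_list(hashes_txt)
    for path, digest in webshell_candidates(entries):
        ok = verify_hash(path, INVENTORY[path], entries)
        print(f"{path}: {digest} ({'verified' if ok else 'MISMATCH'})")
```

Re-hashing the file yourself matters in real IR: a hash list produced by the compromised host can itself have been tampered with, and the recomputed digest is also what you would search in threat-intel feeds.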


Linux IR - Who hit you?

After opening a few more files, we found an IP address that seemed like a potential IP address that accessed the webshell file. We wrapped the IP address (192.168.21.120) in the flag format and with that, we have successfully solved the challenge.


Linux IR - Bad IDs

From the challenge description, we know that to solve this challenge, we need to find the parent process ID of the reverse shell payload process.

For this challenge, we had some help from ChatGPT. We copied the file contents, specifically the list of processes provided in the challenge attachment, pasted it into ChatGPT, and asked the chatbot to analyse the text and give us the parent process ID of the reverse shell payload process.

After the chatbot analysed the text in our prompt, it gave us an explanation for its answer, such as which user executed the payload process. From its answer, we determined the parent process ID, which is 16042.

We were able to solve the challenge after submitting the flag as “sibersiaga{16042}”.


Boot2Root

Nitrogen 1

For this challenge, we were only given a link.

Therefore, we did some enumeration with a network scanner. We found that port 80 was open, and then found a suspicious /openvpn-admin directory (used in Nitrogen 2).

Then we used a brute-force enumeration tool named Gobuster to discover the website's directories and files, using the command shown above paired with a directory wordlist. The output contained a very suspicious directory, /flag1.

By appending the directory name to the URL, we found a flag1.txt file, which was most likely the file holding the flag for this challenge.

By appending the file name to the URL, the flag was displayed.


Nitrogen 2

Running msfconsole found the credentials for phpMyAdmin, which are admin:admin.

In the image below, hidden directory scanning reveals the .git page.

Navigating to the page below revealed the path.

The figure above shows using gitdumper to dump the git repo to the local machine.

Gitextractor was then used to extract interesting commits. However, flag2 couldn't be found due to the time limit.


Nitrogen 3

From the .bak file found in Nitrogen 2, we found the MySQL credentials for the user root.

Using those MySQL credentials to log in as root, we found two sets of credentials in phpMyAdmin, for superadmin and securessh.

Using the credentials for the securessh user, we found flag3.txt and displayed the flag with the cat command.
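Nitrogen 2 and 3 were decided by two web-root hygiene failures: a `.git` directory served to the internet and a `.bak` copy of a config file holding live database credentials. The audit below walks a web root and reports both classes of exposure, which is the check a defender would run before a box like this goes live. It is an added example, not part of the original writeup or of any tool mentioned in it; it builds its own constructed web root in a temporary directory (the `config/db.php.bak` name and the `PLACEHOLDER` value are invented).

```python
import os
import tempfile
from pathlib import Path

# File suffixes that typically hold stale copies of source or config.
BACKUP_SUFFIXES = (".bak", ".old", ".orig", ".swp", ".sql", "~")
# Version-control metadata that lets a visitor reconstruct the source tree.
SENSITIVE_DIRS = {".git", ".svn", ".hg"}


def audit_webroot(root):
    """Return sorted (severity, relative path, reason) findings for a web root."""
    root = Path(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root)
        for d in list(dirnames):
            if d in SENSITIVE_DIRS:
                findings.append(("high", str(rel_dir / d),
                                 "VCS metadata served from web root"))
                dirnames.remove(d)      # flagged as a whole; don't descend
        for f in filenames:
            if f.endswith(BACKUP_SUFFIXES):
                findings.append(("medium", str(rel_dir / f),
                                 "backup/editor file may leak source or credentials"))
    return sorted(findings)


def build_sample_webroot():
    """Constructed web root mimicking the Nitrogen layout (names are invented)."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    (root / "index.php").write_text("<?php echo 'ok'; ?>\n")
    (root / ".git").mkdir()
    (root / ".git" / "HEAD").write_text("ref: refs/heads/main\n")
    (root / "config").mkdir()
    (root / "config" / "db.php").write_text("<?php // live config ?>\n")
    (root / "config" / "db.php.bak").write_text(
        "<?php $db_user = 'root'; $db_pass = 'PLACEHOLDER'; ?>\n")
    return root


if __name__ == "__main__":
    sample = build_sample_webroot()
    for severity, path, reason in audit_webroot(sample):
        print(f"[{severity}] {path}: {reason}")
```

Running it against a real document root is `audit_webroot("/var/www/html")`; the fix for each finding is to remove the artifact from the served tree (or deny it in the web server config), and in the `.bak` case to rotate the credentials it contained.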


Nitrogen 4

The figure above shows enumeration with linpeas.

We found flag4.txt.

The file was directly readable, and we obtained flag4.

Note on the Prefetch challenge: we couldn't open the .pf files at first, so we searched online and found that .pf is the extension for Windows prefetch files. We then came across the oR10n Labs writeup on prefetch forensics (https://or10nlabs.tech/prefetch-forensics/), which is the writeup referred to in the Prefetch section above.

That's all for this CTF, till I write again!