Hack The Box – Keep Tryin’ (Forensics Challenge)

This packet capture seems to show some suspicious traffic.

All that is provided for this challenge is a small PCAP, and the observation that it contains “some suspicious traffic”. Let’s go!

Opening the PCAP in Wireshark we find that it only contains 26 packets.

The first thing my eye was drawn to was the DNS traffic. The use of TXT records with long, seemingly random hostnames looks a lot like DNS tunnelling, but let’s see what else we have.

Looking through the PCAP we find that Packet 10 contains an HTTP POST request to a resource named /flag. Following the HTTP Stream (tcp.stream eq 0) shows the following text:

TryHarder

Similarly, in Packet 21 we find another HTTP POST request to a resource /lootz.

Following the HTTP Stream (tcp.stream eq 1) gives us what appears to be base64-encoded text.

S2VlcCB0cnlpbmcsIGJ1ZmZ5Cg==

Decoding with CyberChef gives us the following:

Keep trying, buffy

Neither of these have any immediately obvious use, so let’s go back to the DNS traffic and take a closer look.


The first DNS request is for the following TXT record:

init.c2VjcmV0LnR4dHwx.totallylegit.com

We can drop the first part of the hostname (init) and the domain (totallylegit[.]com), leaving us with a seemingly random string. From the character set we could be dealing with more base64; however, as the standard base64 character set is not safe for use within URLs, we will have to specify base64url decoding instead. Fortunately CyberChef makes this trivial by offering multiple Alphabets as an option in the From Base64 operation.

c2VjcmV0LnR4dHwx

This looks promising! The first DNS request did in fact contain base64 (strictly speaking, base64url) data, which decoded to:

secret.txt|1

The second DNS request is for the following TXT record:

0.0ejXWsr6TH-P_1xkEstaVwi7WDy8AcxufnGotWXH3ckb2Lh5A-qFljIWOAOLUS0.T1W8P4CpiCZbCM7_QKcv-r0JG29RpsyYY5YkZRxo7YDIYUJpHlGgxu5PWV1G_DA.KNrmnrktfbeDgzcpPJBjPTeMYx3Qs1Q6bAuFhROWXemJ80gPTYIz0xl8usJQN3m.w.totallylegit.com

Again, after dropping the leading and trailing parts of the request we are left with the following base64url-encoded string:

0ejXWsr6TH-P_1xkEstaVwi7WDy8AcxufnGotWXH3ckb2Lh5A-qFljIWOAOLUS0.T1W8P4CpiCZbCM7_QKcv-r0JG29RpsyYY5YkZRxo7YDIYUJpHlGgxu5PWV1G_DA.KNrmnrktfbeDgzcpPJBjPTeMYx3Qs1Q6bAuFhROWXemJ80gPTYIz0xl8usJQN3m

As before, decoding this in CyberChef with the URL Safe alphabet works, but the data appears to be corrupt…

…or encrypted. Thinking back to the first HTTP POST request in Packet 10, the form data might have been a hint.

Key: TryHarder

My first thought was to add an XOR operation to my CyberChef recipe, using TryHarder as the key, but no luck. Fortunately CyberChef makes it easy to try other ciphers, and not long after I found that decrypting using RC4 with TryHarder as the key successfully produced a Zip archive containing a file named secret.txt, matching the name announced in the first encoded DNS request.

Adding the Unzip operation to the CyberChef recipe gives us our flag, and the challenge is complete.
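To reproduce the decode-then-decrypt chain above outside CyberChef, here is an added Python example (my own code, not from the challenge or from any tool used in it). It assumes the tunnel format is sequence-label, then base64url chunks of at most 63 characters (the DNS label limit), then the domain, so every label between the first and the domain is joined before decoding; build_query is a constructed sender-side fixture for testing the decoder, not the real tool.

```python
import base64
import io
import zipfile

C2_DOMAIN = "totallylegit.com"  # domain the tunnel queries end in
LABEL_MAX = 63                  # DNS label limit; the payload is split into labels this long

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encrypting and decrypting are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def extract_payload(qname: str, domain: str = C2_DOMAIN) -> bytes:
    """Drop the leading sequence label and the domain, join the rest, decode base64url."""
    labels = qname.rstrip(".").split(".")
    suffix = domain.split(".")
    if labels[-len(suffix):] != suffix:
        raise ValueError("not a tunnel query: " + qname)
    body = "".join(labels[1:-len(suffix)])
    return base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))  # labels carry no '=' padding

def decrypt_archive(payload: bytes, key: bytes) -> dict:
    """RC4-decrypt the payload and, if the result is a ZIP, return {member: contents}."""
    plain = rc4(key, payload)
    if not plain.startswith(b"PK\x03\x04"):
        raise ValueError("decrypted data is not a ZIP archive (wrong key?)")
    with zipfile.ZipFile(io.BytesIO(plain)) as zf:
        return {name: zf.read(name) for name in zf.namelist()}

def build_query(seq: int, member: str, content: bytes, key: bytes) -> str:
    """Constructed sender side for testing the decoder (assumed format, not the real tool)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, content)  # zip -> RC4 -> base64url (no padding) -> 63-char labels
    enc = base64.urlsafe_b64encode(rc4(key, buf.getvalue())).decode().rstrip("=")
    chunks = [enc[i:i + LABEL_MAX] for i in range(0, len(enc), LABEL_MAX)]
    return f"{seq}." + ".".join(chunks) + "." + C2_DOMAIN
```

Running extract_payload on the init query from the capture returns secret.txt|1, and a query built with the constructed fixture round-trips through extract_payload and decrypt_archive with the key TryHarder.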

Flag

HTB{$n3aky_DN$_Tr1ck$}

Hack The Box – Took the Byte (Forensics Challenge)

Someone took my bytes! Can you recover my password for me?

This time all we are given is a single file named password, which is identified simply as data.

Examining it in a hex editor doesn’t give many more clues.

I began thinking that the data might be encrypted somehow, and threw it into CyberChef.

Using the XOR Brute Force module with the default key length of 1 byte, I noticed that the key 0xff produced a PK header, the signature of a ZIP archive, and that the archive appeared to contain a file named password.txt. Quickly building a new recipe, I used the standard XOR module to decrypt the data with the key 0xff, then used the Unzip module to extract and view the contents of password.txt, which contains our flag.
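The same single-byte XOR brute force, scripted in Python as an added example (my own code, not from the challenge or from CyberChef): every key is tried and flagged only when the output begins with a recognised file signature, which is the check that made 0xff stand out above. make_sample builds a constructed stand-in for the challenge file, since the original is not reproduced here.

```python
import io
import zipfile

# File signatures an analyst would recognise; the challenge file turned out to be a ZIP.
MAGICS = {
    b"PK\x03\x04": "zip",
    b"\x89PNG\r\n\x1a\n": "png",
    b"%PDF-": "pdf",
    b"\x7fELF": "elf",
}

def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (the operation is its own inverse)."""
    return bytes(b ^ key for b in data)

def brute_force_xor(data: bytes) -> list:
    """Try all 256 single-byte keys; report (key, type) where the output starts with a known magic."""
    hits = []
    for key in range(256):
        candidate = xor_bytes(data[:16], key)  # the signature sits at offset 0, so 16 bytes suffice
        for magic, kind in MAGICS.items():
            if candidate.startswith(magic):
                hits.append((key, kind))
    return hits

def recover_zip_members(data: bytes, key: int) -> dict:
    """Undo the XOR with the recovered key and return {member name: contents} from the ZIP."""
    with zipfile.ZipFile(io.BytesIO(xor_bytes(data, key))) as zf:
        return {name: zf.read(name) for name in zf.namelist()}

def make_sample(content: bytes = b"HTB{constructed_sample}") -> bytes:
    """Constructed stand-in for the challenge file: a one-member ZIP XORed with 0xff."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("password.txt", content)
    return xor_bytes(buf.getvalue(), 0xFF)
```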

Flag

HTB{27AjFDkqi1wJ}

Hack The Box – Forensics Challenges Overview

Hack The Box is a fantastic free (mostly) resource for anyone wanting to improve their offensive security skills. I’ve had an account for years but since I moved away from offensive work to full-time DFIR I haven’t paid much attention to it. Until, that is, I was pointed at their section of forensics challenges.

Rather than logging in to a lab environment via VPN the forensics challenges are standalone downloads of artefacts with a single flag to discover. Points are awarded based on complexity of each scenario while the challenge is active. Every so often a new challenge is added, and an active challenge is retired. No points are awarded for retired challenges, although they are still available to play for those with a Hack The Box VIP subscription.

Due to the distinction between active and retired challenges I am publishing Hack The Box write-ups slightly differently from my usual CTF write-ups. Write-ups for active challenges will be published, but password-protected. The password for each write-up is the Hack The Box flag associated with the challenge. Once a challenge is retired I will remove the password-protection and the write-up will be open to view by everyone.

I realise this might seem strange given all my other write-ups are open, but Hack The Box have a rule prohibiting spoilers for active challenges.

Besides, even if the write-up is password-protected it is often helpful to read other approaches to solving the same problem.

Active Challenges (password-protected)

Retired Challenges

Crowdstrike AdversaryQuest CTF – Much Sad

In January 2021 Crowdstrike opened up their AdversaryQuest CTF. The CTF consisted of 12 challenges split across three new “threat actors”: SPACE JACKAL, PROTECTIVE PENGUIN, and CATAPULT SPIDER. The challenges mostly focused on binary exploitation and reverse engineering which is a bit of a departure from my skillset. Nonetheless I was able to solve two of the twelve challenges; this one relating to the CATAPULT SPIDER adversary, and another from SPACE JACKAL.

Rabid fans of the memetacular Doge and the associated crypto currency, CATAPULT SPIDER are trying to turn their obsession into a profit. Watch out for your cat pictures, lest CATAPULT SPIDER intrude your network and extort them for Dogecoin.

Much Sad

We have received some information that CATAPULT SPIDER has encrypted a client’s cat pictures and successfully extorted them for a ransom of 1337 Dogecoin. The client has provided the ransom note, is there any way for you to gather more information about the adversary’s online presence?

NOTE: Flags will be easily identifiable by following the format CS{some_secret_flag_text}. They must be submitted in full, including the CS{ and } parts.

This challenge is more OSINT-focused. The only information we are given is a text file containing the ransom note and some nice Doge ASCII art.

Aside from the ASCII art we have what is presumably a Dogecoin address…

DKaHBkfEJKef6r3L1SmouZZcxgkDPPgAoE

…and an email address.

shibegoodboi@protonmail.com

Searching Google for the username quickly gives us a few promising leads, including a Twitter account and a Reddit account.

I decided to start with the Twitter account, and noticed the link to a GitHub account named shibefan.

Examining the listed repositories it appears that the user is particularly interested in Dogecoin – no great surprise given what we have been told.

Exploring the repositories themselves we find an HTML page containing the flag.

There is probably much more that could be done around tracking the Dogecoin addresses, but this is enough for now.

Flag

CS{shibe_good_boi_doge_to_the_moon}