Turkey Express Mini CTF

Since I have taken Antisyphon training in the past, I am on their email list. I noticed that I received an email from them on November 21st about their Turkey Express Mini CTF. I know about their cyber range but never signed up for it, even though I was curious. Since they released this CTF, I will treat this as a sample for their cyber range. It may not be fair, but I do not have anything to go on.

Challenges

When I signed up for their CTF, I was delighted to see there were only six challenges. While they were only six challenges, I did not want to underestimate them because organizers can make them hard. Surprisingly, only one was challenging enough to solve, at least for me.

Without further delay, I will show you how I solved each challenge.

Welcome to the Obfuscation Games!

Category: Reverse Engineering

During a recent incident response investigation, we came across this suspicious command executed by an attacker, and we’d like you to analyze it. Malware authors like to obfuscate their payloads to make it harder, but we’re sure you’re up to the task. See if you can figure out what’s happening without even running it!

$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String("H4sIAAR+eWMA/xXJMQrCQBCF4as8BtucQKwEO7uAZRict2Yh7oTMNCLefd3q4+d/HDU5rR4JmVeibPpCDdSG/Cfb042GXT+bq8kZp4IL5M7U63z7GsdfBu/9YMRi3viTDosm3BlXAAAA"));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();

A lot of CTFs usually start with an easy question. At my current skill level, I do consider this as easy. If I encountered this challenge before my 2020 CTF experience, it would probably take a while for me to figure it out.

Solution 1: CLI

The challenge already gives us a clue that we need to decode Base64, so we will.

andrew@kali:~$ echo 'H4sIAAR+eWMA/xXJMQrCQBCF4as8BtucQKwEO7uAZRict2Yh7oTMNCLefd3q4+d/HDU5rR4JmVeibPpCDdSG/Cfb042GXT+bq8kZp4IL5M7U63z7GsdfBu/9YMRi3viTDosm3BlXAAAA' | base64 -d
~yc��1
Ԇ�'�Ӎ�]?�����f!��4"�}����59�	�W�l�B
             ����|��_��`�b���&�W

As you can see, it gives us non-alphanumeric characters. Sometimes these characters can redirect to a file, so let’s attempt it.

andrew@kali:~$ echo 'H4sIAAR+eWMA/xXJMQrCQBCF4as8BtucQKwEO7uAZRict2Yh7oTMNCLefd3q4+d/HDU5rR4JmVeibPpCDdSG/Cfb042GXT+bq8kZp4IL5M7U63z7GsdfBu/9YMRi3viTDosm3BlXAAAA' | base64 -d > challenge1

Let’s see if it is a valid file. I typically use the file command to find information about a file.

andrew@kali:~$ file challenge1
challenge1: gzip compressed data, last modified: Sun Nov 20 01:08:20 2022, original size modulo 2^32 87

It looks like it is a GZIP file. Let’s add a.gz extension and uncompress the file. Additionally, let’s inspect it using the file command.

andrew@kali:~$ mv challenge1 challenge1.gz; gzip -d challenge1.gz; file challenge1
challenge1: ASCII text, with no line terminators

Now that we know the type of file, we can use the appropriate software to open it. In this case, we will use the cat command to see the file’s contents.

andrew@kali:~$ cat challenge1
Write-host "The flag is in the encoded payload"; $f = "MetaCTF{decode_decompress_done}"

Solution 2: CyberChef

The fastest way to get the flag is by using CyberChef. I found out about this software during our internal CTF. The recipe that you need is Magic. The Magic recipe will attempt to automatically figure out the right combination of recipes to get the desired output. I suggest you not rely on it since it will not always work for every challenge.

Staging in 1…2…3

Category: Forensics

The Incident Response (IR) team identified evidence that a Threat Actor accessed a system that contains sensitive company information. The Chief Information Security Officer (CISO) wants to know if any data was accessed or taken.

There was a suspicious file created during the timeframe of Threat Actor activity: C:\xyz.tmp (mirror). Can you check it out?

Solution

First, we need to download the file.

andrew@kali:~$ wget https://metaproblems.com/89f75cd8a7cc6b82879c0821e00179e1/xyz.tmp
--2022-11-22 19:58:05--  https://metaproblems.com/89f75cd8a7cc6b82879c0821e00179e1/xyz.tmp
Resolving metaproblems.com (metaproblems.com)... 35.173.187.102
Connecting to metaproblems.com (metaproblems.com)|35.173.187.102|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 192993 (188K)
Saving to: ‘xyz.tmp’
xyz.tmp                                            100%[==============================================================================================================>] 188.47K  1.16MB/s    in 0.2s
2022-11-22 19:58:06 (1.16 MB/s) - ‘xyz.tmp’ saved [192993/192993]

Second, we need to inspect what kind of file it is.

andrew@kali:~$ file xyz.tmp
xyz.tmp: 7-zip archive data, version 0.4

We need to uncompress the file using the 7zip utility.

andrew@kali:~$ 7z x xyz.tmp
7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,1 CPU Intel(R) Core(TM) i3-6100U CPU @ 2.30GHz (306A0),ASM,AES-NI)
Scanning the drive for archives:
1 file, 192993 bytes (189 KiB)
Extracting archive: xyz.tmp
--
Path = xyz.tmp
Type = 7z
Physical Size = 192993
Headers Size = 422
Method = LZMA2:192k
Solid = +
Blocks = 1
Everything is Ok
Folders: 4
Files: 3
Size:       193257
Compressed: 192993

Once uncompressed, we need to figure out what files or directories are present.

andrew@kali:~$ ls -l
total 236
drwxr-xr-x 2 andrew andrew   4096 Jun 11  2021 Desktop
drwxr-xr-x 2 andrew andrew   4096 Jun 11  2021 Documents
drwxr-xr-x 2 andrew andrew   4096 Jun 11  2021 Downloads
drwx------ 5 andrew andrew   4096 Oct 20  2020 MetaCTF{you_might_consider_using_encryption}
drwxr-xr-x 2 andrew andrew   4096 Jun 11  2021 Music
drwxr-xr-x 2 andrew andrew   4096 Jun 11  2021 Pictures
drwxr-xr-x 2 andrew andrew   4096 Jun 11  2021 Public
drwxr-xr-x 2 andrew andrew   4096 Jun 11  2021 Templates
drwxr-xr-t 2 andrew andrew   4096 Jun 11  2021 thinclient_drives
drwxr-xr-x 2 andrew andrew   4096 Jun 11  2021 Videos
-rw-r--r-- 1 andrew andrew 192993 Nov 19 16:56 xyz.tmp

It looks like we do not need to dig further for the flag!

The Impossible Survey

Your company just developed a new product, and before releasing it to the public, they decided to gauge the reactions from their employees through a survey. As an incentive, the participants get a gift card after completing it. A company-wide email was sent a while ago, yet no one has submitted the survey or claimed the gift card code.

Can you be the first one?

Solution

My first instinct was to enter something in the form. The first value I entered was 42. Yes, it is in reference to The Hitchhiker’s Guide to the Galaxy. When I hit the Next button, I received an error message: “Too short (need at least 50 characters)”.

Next, I entered a bunch of random words to be over 50 characters, but I got the same error message. From there, I decided to look at the page source.

Once I looked at the source, I searched for MetaCTF{ keyword. Sure enough, I found the flag.

Diving into the Announcement

Category: Reconnaissance

Vulnerabilities are patched in software all the time, and for the most serious ones, researchers work to build proof-of-concept (POC) exploits for them. As defenders, we need to continuously monitor when new public exploits drop, figure out how they work, and ensure we’re protected against them. At some point, Microsoft announced CVE-2020-1472. Your task is to locate a public exploit for it and identify the vulnerable function that the POCs call. The flag will be the function’s name.

Solution

Using the CVE-2020-1472 exploit keyword on Google, the first result points to this GitHub page. According to the Read Me file, the software will reset the DC’s account password with an empty string if it is vulnerable. Armed with this information, we need to find the function within the script that sets the password with an empty string.

After skimming through the code, I found a section talking about passwords. Then, I noticed a line that has \x00. This Hex value means NULL in Python, so I figured the function I am looking for is nrpc.NetrServerPasswordSet2.

    ClearNewPassword: A NL_TRUST_PASSWORD structure, as specified in section 2.2.1.3.7,
    that contains the new password encrypted as specified in Calling NetrServerPasswordSet2 (section 3.4.5.2.5).
        typedef struct _NL_TRUST_PASSWORD {
            WCHAR Buffer[256];
            ULONG Length;
        }
    ReturnAuthenticator: A NETLOGON_AUTHENTICATOR structure, as specified in section 2.2.1.1.5,
    that contains the server return authenticator.
    More info can be found on the [MS-NRPC]-170915.pdf
    """
    request = nrpc.NetrServerPasswordSet2()
    request["PrimaryName"] = dc_handle + "\x00"
    request["AccountName"] = target_computer + "$\x00"
    request["SecureChannelType"] = nrpc.NETLOGON_SECURE_CHANNEL_TYPE.ServerSecureChannel
    authenticator = nrpc.NETLOGON_AUTHENTICATOR()
    authenticator["Credential"] = b"\x00" * 8
    authenticator["Timestamp"] = 0
    request["Authenticator"] = authenticator
    request["ComputerName"] = target_computer + "\x00"
    request["ClearNewPassword"] = b"\x00" * 516
    return rpc_con.request(request)

A Confident Hash

Check out this hash. Can you crack it? Here’s a wordlist you can use (mirror). You only have 5 attempts to get the flag right.

$2a$04$KMCaaiytS5OIsg2UZtthzugkZUPDqQ/Zyoys8XAY6AJVgirU/MWOS

This post contains affiliate links. If you use these links to buy something I may earn a commission. Full disclosure here.

Solution

With our internal CTF, I had so much practice with password cracking. The first task in cracking hashes is to find out what kind of hash it is. With hashcat, we can look at the help menu to identify.

andrew@kali:~$ hashcat --help | grep '$2'
   3200 | bcrypt $2*$, Blowfish (Unix)                        | Operating System

Once we identify the hash, we can perform a dictionary attack using the wordlist provided.

andrew@kali:~$ hashcat -a 0 -m 3200 '$2a$04$KMCaaiytS5OIsg2UZtthzugkZUPDqQ/Zyoys8XAY6AJVgirU/MWOS' confident_dict.txt
hashcat (v6.2.5-364-g308d8f227) starting
* Device #2: Apple's OpenCL drivers (GPU) are known to be unreliable.
             You have been warned.
METAL API (Metal 306.2.4)
=========================
* Device #1: Apple M1 Max, 10880/21845 MB, 32MCU
OpenCL API (OpenCL 1.2 (Sep 30 2022 01:38:14)) - Platform #1 [Apple]
====================================================================
* Device #2: Apple M1 Max, skipped
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 72
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Optimizers applied:
* Zero-Byte
* Single-Hash
* Single-Salt
Watchdog: Temperature abort trigger set to 100c
Host memory required for this attack: 70 MB
Dictionary cache built:
* Filename..: confident_dict.txt
* Passwords.: 75
* Bytes.....: 1099
* Keyspace..: 75
* Runtime...: 0 secs
The wordlist or mask that you are using is too small.
This means that hashcat cannot use the full parallel power of your device(s).
Unless you supply more work, your cracking speed will drop.
For tips on supplying more work, see: https://hashcat.net/faq/morework
Approaching final keyspace - workload adjusted.
$2a$04$KMCaaiytS5OIsg2UZtthzugkZUPDqQ/Zyoys8XAY6AJVgirU/MWOS:galactica_hash
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 3200 (bcrypt $2*$, Blowfish (Unix))
Hash.Target......: $2a$04$KMCaaiytS5OIsg2UZtthzugkZUPDqQ/Zyoys8XAY6AJV...U/MWOS
Time.Started.....: Tue Nov 22 22:33:04 2022 (0 secs)
Time.Estimated...: Tue Nov 22 22:33:04 2022 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (confident_dict.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:      957 H/s (8.56ms) @ Accel:2 Loops:4 Thr:8 Vec:1
Recovered.Total..: 1/1 (100.00%) Digests
Progress.........: 75/75 (100.00%)
Rejected.........: 0/75 (0.00%)
Restore.Point....: 0/75 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:12-16
Candidate.Engine.: Device Generator
Candidates.#1....: runtime_colossus -> spartan_windows
Hardware.Mon.SMC.: Fan0: 0%, Fan1: 0%
Hardware.Mon.#1..: Util: 93%
Started: Tue Nov 22 22:33:03 2022
Stopped: Tue Nov 22 22:33:06 2022

King to Queen 3

Category: Cryptography

An employee on the network has been emailing these chess puzzles everyday to someone outside of the domain, and nobody really thought it was suspicious until they saw this weird string sent to that same person on the following day:

F^mY;L?t24Zk.m^-hnWl,[l)[ku

The SOC team has provided an archive (mirror) of the email attachments, and has tasked you to investigate the actual contents of the ciphertext. Can you figure out what they’ve been saying?

Hint: The flag is wrapped in MetaCTF{}. This should be enough to help you figure out the encoding.

Solution

I played chess in my teens and was one of the representatives of our school in competitions. That said, I knew how to record chess moves. No, I was not very good. My record was one game, and it was a draw. Anyway, I figured I must solve each chess puzzle to help figure out the plaintext.

Chess puzzles, typically, give you information about whose turn it is and how many moves before checkmate. Since there was no information, I analyzed each puzzle and figured out that it was white’s move and was checkmate in one.

In the first image, we need to move the queen piece to box H7. If we were to record this, the chess notation is Qh7.

Now, we need to solve the second chess puzzle. Again, we need to use the queen piece and move it to A8. The chess notation is Qa8.

Looking at the third chess puzzle, we need to use the rook piece and move it to E7. The chess notation is Re7.

When we look at the fourth chess puzzle, we need to use the pawn piece and move it to D5. Typically, the chess notation for this is d5. However, some folks write it down as Pd5. For this challenge, we will jot it down as Pd5. You will find out why later.

Looking at the fifth chess puzzle, we need to use the bishop piece and move it to B5. The chess notation is Bb5.

When we look at the sixth chess puzzle, we need to use the knight piece and move it to B6. The chess notation is Nb6.

Looking at the seventh chess puzzle, we need to use the rook piece and move it to A8. The chess notation is Ra8.

Looking at the eighth chess puzzle, we need to use the rook piece and move it to H8. The chess notation is Rh8.

Lastly, the ninth chess puzzle requires us to use the queen piece and move it to H8. The chess notation is Qh8.

Bringing it all together

If we add the chess notations together, we have 27 characters. If we count the characters of the ciphertext, we also get 27. It seems like we are in the right direction.

What took a while for me was trying to figure out what everything meant. I knew I needed to figure out what cipher the challenge creator used to encrypt the plaintext.

My first instinct was to use ROT13 because it is a commonly used cipher in CTFs. Without thinking, I used it, and it did not work. Then, I realized that the ciphertext had a bunch of special characters. It makes sense that ROT13 did not work.

I then tried other ones, but they did not work. My gut feeling was that the cipher was a derivative of ROT13, so I browsed through CyberChef and found the ROT47 Brute Force recipe.

Looking at the screenshot below, you will notice that the first three characters match exactly the flag format. Also, if you look at the rotation number, it is the same number in the chess notation of the first puzzle.

To confirm this is not a coincidence, change the recipe to ROT47, then change the value to 8. As you can see, the following three characters match the flag format. If you follow the same methodology for the rest, you will get the complete message, which is the flag.

Final thoughts

The CTF seems geared toward beginners, and that is okay. We all have to start somewhere. The challenges are not that hard for my current knowledge and skill level. Admittedly, I do consider King to Queen 3 the most challenging one out of all of them.

Participating in CTFs is addicting, at least for me. It can also be infuriating sometimes when I cannot solve the challenges. One of the reasons I like participating in CTF is that I always learn something new. This time around, I learned about ROT47. If you have not participated in one, you should try it and not feel intimidated. I suggest you start with easy ones first and build your skill level to where you can solve more challenging questions. Happy hunting!