Post

AKASEC CTF 2024 Challenges

Write Ups of the challenges i made for the CTF.

Forensics Category:

Portugal :

Description :

I accidentally left my computer unlocked at the coffee shop while I stepped away. I’m sure that someone took advantage of the opportunity and was searching for something.

Author : d33znu75

Attachment : memdump1.mem

In this challenge, we have a memory dump. The challenge description says “was searching for something.”

Using Volatility 2, we find the chrome.exe process, so let’s check the Chrome history.

I used a Volatility 2 plugin from superponiblog

We can see the flag in parts, so let’s arrange them.

FLAG :

AKASEC{V0L4T1L1TY_f0r_chr0m3_s34rch_h1st0ry}

Sussy :

Description :

Something Fishy’s Going on in Our Network

Author : d33znu75

Attachment : packet.pcapng

In this challenge, we have a pcap file. Basic analysis reveals some suspicious requests.

Decoding the first subdomain from hex, we find a 7z extension.

Let’s retrieve that zip file by extracting it from the DNS traffic:

tshark -T fields -e dns.qry.name -r packet.pcapng | grep akasec.ma | uniq | sed 's/.akasec.ma//' | tr -d '\n'

We discover that the 7z file is password-protected, so let’s crack it with John the Ripper.

After extracting the zip, we find another password-protected PDF. Let’s crack it using pdfcracker.

FLAG :

AKASEC{PC4P_DNS_3xf1ltr4t10n_D0n3!!}

Sharing is not Caring :

Description :

My friends and I use the same computer on campus and have a shared folder to exchange files. After submitting the flag for the challenge, it was leaked, and someone obtained it without my knowledge. I’m unsure how they got it.

Author : d33znu75

Attachments : network.pcapng , disk.ad1

Analyzing the pcap file, we find that the user visited two websites:

1
2
1 - A website with a download link for malware.
2 - A flag submission website.

After downloading the malware and analyzing it, we use two methods:

First, we use the strings command on the file to reveal the PowerShell code.

Alternatively, VirusTotal shows that the malware drops an sslkey.log file in C:\.

Decoding the PowerShell script, we obtain:

Next, let’s look for the file in the .ad1 image using FTK Imager.

After extracting it, we decrypt the traffic to retrieve the flag.

FLAG :

AKASEC{B4s1c_M4lw4r3_4nd_PC4P_4n4lys1s}

Steganography Category:

Matry-Steg-oshka :

Description :

I hope you do not get a headache.

Author : d33znu75

Hints : “when you hear “the flag is” next part is corrupted, no noise reduction but you can see the flag 😘” “this is a steganography challenege. in the voice audio, the flag hidden in the corrupted part and you must SEE it (it is the reason why it is corrupted). switch it, a tool is needed.”

Attachment : National_Anthem_of_Palestine.wav

In this challenge, we have an audio WAV file. By opening it with any spectrum analyzer, we find some words at the end of the audio.

Using CFMVSUJD, we extract a file with steghide.

Opening the file with a hex editor, we see that every 16 bytes are reversed.

Let’s run a Python script to fix that.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
import sys

def reverse_chunks(file_path, chunk_size=16):
    with open(file_path, 'rb') as f:
        data = f.read()
    
    reversed_data = bytearray()
    
    for i in range(0, len(data), chunk_size):
        chunk = data[i:i+chunk_size]
        reversed_data.extend(chunk[::-1])
    
    output_path = file_path.replace('.wav', '_reversed.wav')
    with open(output_path, 'wb') as f:
        f.write(reversed_data)
    
    print(f"Reversed file saved as {output_path}")

if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("Usage: python reverse_wav.py <file_path>")
    else:
        reverse_chunks(sys.argv[1])

We received another audio file of a woman speaking, but there is some noise. The hint says that “we must see it.” By converting the WAV file to a PNG using wav2png, we can see the flag.

FLAG :

AKASEC{h1dd3n_1n_r4w}

This post is licensed under CC BY 4.0 by the author.