Cyber Apocalypse CTF 2022 — HackTheBox
Cyber Apocalypse was an intermediate to expert level, 5-day CTF hosted by HackTheBox. It had around 60+ challenges divided into 7 categories. I was able to solve a total of 8 challenges from different categories. The previous writeup I did was for the web challenges (read it here). This writeup contains 1 reversing, 2 forensics and 1 misc challenge.
The challenge files included a binary and an example db file. To run the binary, we need to provide the db file as a command-line argument.
When run, it presents the following menu. Entering a number prints information about the corresponding choice.
There are six choices in total. The last one seems interesting, but it says it's encrypted. Selecting this choice, it asks for a password.
So, we decompile the binary using Ghidra to understand what's happening under the hood. Looking at the main function, it first checks the command-line arguments, then prints a welcome message, then reads the provided file and prints the menu. On the last line it calls the menu function.
Looking at the menu function, it asks the user for a password and compares it with the actual password. The good thing is that the actual password is present in plaintext.
So, we copy the password, re-run the binary, provide the found password and get the flag.
Downloading the challenge file, we are given Windows event logs. So, I started with the Windows PowerShell logs.
These files can be opened with Windows Event Viewer, but I wanted to analyze them on Linux. So, searching on Google, I came across the following Python tool, which parses event logs.
GitHub - williballenthin/python-evtx: Pure Python parser for recent Windows Event Log files (.evtx)
Using it, I parsed the PowerShell log file and saved the output to a file.
Looking at the contents of the file, I came across some commands which looked interesting. First, on marked lines 1 and 2, there is some shellcode saved in variables named stage1 and stage2. Then, on line 3, both of these shellcode blobs are concatenated into the stage3 variable. Then, at marker 5, a for loop performs a bitwise XOR on the shellcode in the stage3 variable.
So, I ran pwsh on my Linux machine and did the same. The for loop generated the ASCII numbers.
I copied the ASCII numbers, saved them in a Python list and converted them to text. Half of the flag was correct and the other half seemed reversed.
So, I reversed the last part and got the correct flag.
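As an added example (not the writeup's own code), the decoding steps above replayed in Python on a constructed log excerpt: pull the stage1/stage2 byte arrays and the -bxor constant out of the logged script text, XOR the bytes, map the resulting ASCII numbers to text, and reverse the second half. The stage bytes, the XOR key and the flag are all constructed, and the assumption that the reversed half is exactly stage2 is mine.

```python
import re

# Constructed sample modelled on the logged PowerShell, NOT the challenge's real data:
# two byte-array variables, a concatenation, and a single-byte XOR loop.
SAMPLE_LOG = r"""
[Byte[]] $stage1 = 0x12,0x0e,0x18,0x21,0x22,0x6a,0x28,0x05
[Byte[]] $stage2 = 0x27,0x29,0x69,0x3d,0x6e,0x2e,0x29
$stage3 = $stage1 + $stage2
for ($i = 0; $i -lt $stage3.Length; $i++) { $stage3[$i] = $stage3[$i] -bxor 0x5a }
"""


def extract_stages(log: str) -> dict[str, bytes]:
    """Pull every '$name = 0x..,0x..' byte-array assignment out of the log text."""
    stages = {}
    pattern = r"\$(\w+)\s*=\s*((?:0x[0-9a-fA-F]{2}\s*,?\s*)+)"
    for name, body in re.findall(pattern, log):
        hex_pairs = re.findall(r"0x([0-9a-fA-F]{2})", body)
        stages[name] = bytes(int(h, 16) for h in hex_pairs)
    return stages


def extract_xor_key(log: str) -> int:
    """Recover the constant operand of '-bxor' in the decode loop (hex or decimal)."""
    m = re.search(r"-bxor\s+(0x[0-9a-fA-F]+|\d+)", log)
    if not m:
        raise ValueError("no -bxor constant found in log")
    return int(m.group(1), 0)


def decode_stage(stage: bytes, key: int) -> str:
    """Replay the loop: XOR each byte, then map the ASCII numbers to characters."""
    return "".join(chr(b ^ key) for b in stage)


def recover_flag(log: str) -> str:
    """Decode both stages; the second half comes out reversed, so flip it back."""
    stages = extract_stages(log)
    key = extract_xor_key(log)
    first = decode_stage(stages["stage1"], key)
    second = decode_stage(stages["stage2"], key)
    # Assumption: the reversed half is exactly the stage2 blob (constructed sample)
    return first + second[::-1]


if __name__ == "__main__":
    print(recover_flag(SAMPLE_LOG))
```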
2. Golden Persistence:
The challenge file contains an MS Windows NT user registry file.
Using the reglookup tool on my machine, I parsed this registry and saved the output to another file.
Looking at the content, we find a base64-encoded string which is being decoded with PowerShell.
So, we copy this encoded string, decode it in CyberChef and get a PowerShell script. The script contained some dots.
So, I copied the script to a file and removed the odd characters that looked like dots.
Looking at the PowerShell script, at the start it had two user-defined functions. One encrypted or decrypted a string, and the other converted hex to bytes.
The lines of interest were at the end. The highlighted part gets some values from under HKEY_CURRENT_USER in the Windows registry and then concatenates them into the encrypted variable.
So, I started searching for these values in the previously parsed registry and found their content.
Finally, I found all 5 values and saved them directly in the encrypted variable. Then, I made some changes to the script, which are highlighted below.
Running the script, we get the flag.
This was a pretty easy challenge. We were given an IP and port. Connecting to it returns the following menu.
Selecting any choice returns the following submenu, which actually runs the specified commands.
So, we select the 2nd option, which prints the current path and lists its contents.
Since we now know the current path, we can easily use the 3rd option to read a specified file and move back using "..". Moving two directories back, we get the flag.
Thanks for reading.