HACKTOBER CTF



 

This post contains the writeups for:

Crypto

Hail Caesar

Down The Wrong Path


Forensics

Captured Memories

Amcaching In

Prefetch Perfection

Prefetch Perfection 2


Linux

Talking to the dead 1

Talking to the dead 2


Programming

Message in an array

Trick or treat


Steganography

You believe in ghosts

Start digging

Blasphemy

 

OSINT

Creeping 1

Creeping 2

Creeping 3

Past Attacks

 

 

 

Hail Caesar




In this question we have to decrypt TGG KUSJWV QGM, and the hint tells us it is a Caesar cipher. We don't know the key, but we don't need one: there are only 25 possible shifts, so trying them all (which dCode does automatically) gives BOO SCARED YOU. The shift turns out to be 18, so moving each ciphertext letter forward by 8 recovers the plaintext.

 


And thus the flag is flag{BOO SCARED YOU}

 

 

 

 

 

Down The Wrong Path




The given image shows a transposition cipher.

 



Reading the letters off in the pattern the image shows gives this message: REMEMBER TO TELL SPOOKYBOI ABOUT THE NEW TARGETS OF OUR NEXT ATTACK

 

So the message is intended for SPOOKYBOI, and thus our flag is flag{SPOOKYBOI}
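Both crypto challenges above (Hail Caesar and Down The Wrong Path) fall without a key because the key space is tiny: 25 shifts for a Caesar cipher, and one candidate per grid width for a plain columnar transposition. The script below is an added example, not the post's own tooling or dCode; it enumerates every candidate for both ciphers and ranks them with a crude fitness score (how many common English words occur as substrings of the letters). The transposition part assumes the message was written into a grid row by row and read out column by column, and the width of 7 used in the demo is an assumption, since the original image is not reproduced here.

```python
"""Brute force for the two classical ciphers above (Hail Caesar, Down The Wrong
Path). Added example, not the post's tooling or dCode. The transposition is
assumed to be a plain columnar one: written row by row, read column by column."""

# Common English words, matched as substrings of the letters; enough to rank
# 25 shifts or a few dozen grid widths. For long texts use chi-squared on
# letter frequencies instead.
COMMON = ("THE", "AND", "ARE", "YOU", "OUR", "FOR", "NOT", "NEW", "OUT", "ALL",
          "WITH", "THIS", "THAT", "NEXT", "HAVE", "WILL", "FROM", "ABOUT")

def english_score(text: str) -> int:
    letters = "".join(c for c in text.upper() if c.isalpha())
    return sum(letters.count(w) for w in COMMON)

def caesar(text: str, key: int) -> str:
    """Shift letters by `key` (negative to undo); everything else passes through."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + key) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)

def caesar_candidates(ciphertext: str) -> list:
    """(key, plaintext) for all 26 keys, where key is the shift the sender applied."""
    return [(k, caesar(ciphertext, -k)) for k in range(26)]

def caesar_best(ciphertext: str) -> tuple:
    return max(caesar_candidates(ciphertext), key=lambda kp: english_score(kp[1]))

def columnar_encrypt(plaintext: str, width: int) -> str:
    """Write the letters row-wise into `width` columns, read them out column-wise."""
    text = "".join(c for c in plaintext if c.isalpha())
    return "".join(text[c::width] for c in range(width))

def columnar_decrypt(ciphertext: str, width: int) -> str:
    """Undo columnar_encrypt; the first n % width columns are one letter taller."""
    n = len(ciphertext)
    rows, extra = divmod(n, width)
    cols, pos = [], 0
    for c in range(width):
        height = rows + (1 if c < extra else 0)
        cols.append(ciphertext[pos:pos + height])
        pos += height
    return "".join(cols[c][r] for r in range(rows + (1 if extra else 0))
                   for c in range(width) if r < len(cols[c]))

def columnar_candidates(ciphertext: str) -> list:
    """(width, plaintext) for every possible grid width."""
    return [(w, columnar_decrypt(ciphertext, w)) for w in range(1, len(ciphertext) + 1)]

def columnar_best(ciphertext: str) -> tuple:
    return max(columnar_candidates(ciphertext), key=lambda wp: english_score(wp[1]))

if __name__ == "__main__":
    for key, guess in caesar_candidates("TGG KUSJWV QGM"):
        print(f"key {key:2d}: {guess}")
    print("best:", caesar_best("TGG KUSJWV QGM"))
    # Constructed demo: the recovered message re-encrypted with an assumed width of 7.
    msg = "REMEMBER TO TELL SPOOKYBOI ABOUT THE NEW TARGETS OF OUR NEXT ATTACK"
    ct = columnar_encrypt(msg, 7)
    print(ct)
    print("best:", columnar_best(ct))
```

The word-list score is deliberately crude: it is enough to single out one candidate among a few dozen, but for longer texts a chi-squared test against English letter frequencies is the better fitness function, and a keyed columnar transposition would additionally require trying column orderings.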

 

 

 

 

 

 

Captured Memories




The first thing I did here was run imageinfo to determine the profile to use with the Volatility framework.



 

OUTPUT: Suggested Profile(s) : Win10x64_10586, Win10x64_14393, Win10x64, Win2016x64_14393

 

Then I used pslist to list the processes that were running on the system when the dump was taken.

 



This returned a list of processes, and the PID of the last process in the list was our answer. Note that pslist also lists processes that have already exited (they show an Exit time), so check the Start and Exit columns rather than relying on position alone.



 

So the flag is flag{3348}
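As an added example (not the post's own commands), here is how to take the text that pslist prints and find the most recently started process by its Start column rather than by its position in the list. The pslist excerpt embedded below is constructed for the demo: the offsets, PIDs and times are invented and are not from the challenge dump.

```python
"""Rank Volatility 2 `pslist` rows by start time instead of trusting their order.
Added example; SAMPLE_PSLIST is a constructed excerpt, not the challenge dump."""
import re
from datetime import datetime

# Volatility 2 prints Start/Exit as "YYYY-MM-DD HH:MM:SS UTC+0000" and "------" for System's session.
_ROW = re.compile(
    r"^0x(?P<offset>[0-9a-fA-F]+)\s+(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s+"
    r"(?P<thds>\S+)\s+(?P<hnds>\S+)\s+(?P<sess>\S+)\s+(?P<wow64>\d)\s+"
    r"(?P<start>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) UTC\+0000"
    r"(?:\s+(?P<exit>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) UTC\+0000)?\s*$"
)
_TS = "%Y-%m-%d %H:%M:%S"

# Constructed excerpt in the Volatility 2 pslist layout; all values are invented.
SAMPLE_PSLIST = """\
Volatility Foundation Volatility Framework 2.6
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xffffe00011e40040 System                    4      0    110        0 ------      0 2020-10-03 14:02:11 UTC+0000
0xffffe00012c61800 smss.exe                296      4      2        0 ------      0 2020-10-03 14:02:11 UTC+0000
0xffffe00013fb3080 explorer.exe           2204   2180     58        0      1      0 2020-10-03 14:03:40 UTC+0000
0xffffe000140a8800 notepad.exe            3412   2204      1        0      1      0 2020-10-03 14:20:05 UTC+0000   2020-10-03 14:21:30 UTC+0000
0xffffe00014177080 powershell.exe         3388   2204     13        0      1      0 2020-10-03 14:19:52 UTC+0000
"""

def parse_pslist(text: str) -> list:
    """Turn pslist text into dicts; banner, header and separator lines are skipped."""
    procs = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        d = m.groupdict()
        procs.append({
            "name": d["name"], "pid": int(d["pid"]), "ppid": int(d["ppid"]),
            "start": datetime.strptime(d["start"], _TS),
            "exit": datetime.strptime(d["exit"], _TS) if d["exit"] else None,
        })
    return procs

def last_started(procs: list, include_exited: bool = False) -> dict:
    """Most recently started process. pslist still lists processes that have exited
    (they carry an Exit time), so decide explicitly whether those count."""
    pool = procs if include_exited else [p for p in procs if p["exit"] is None]
    return max(pool, key=lambda p: (p["start"], p["pid"]))

def children(procs: list, ppid: int) -> list:
    """PIDs spawned by a given parent, handy for walking outward from explorer.exe."""
    return sorted(p["pid"] for p in procs if p["ppid"] == ppid)

if __name__ == "__main__":
    procs = parse_pslist(SAMPLE_PSLIST)
    print("last started, still running:", last_started(procs))
    print("last started, including exited:", last_started(procs, include_exited=True))
    print("children of 2204:", children(procs, 2204))
```

To use it on real output, save the plugin's text with `vol.py -f <image> --profile=<profile> pslist > pslist.txt` and pass the file contents to parse_pslist(). In the constructed sample the highest PID and the latest Start time belong to a process that has already exited, which is exactly the case where "last in the list" and "last started" can disagree.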

 

 

 

 

 

 

 

 

Amcaching In




For this question I used RegRipper with its amcache plugin, then used grep to take a closer look at mpowers' interactions with the system.

 



The output shows that mpowers was installing Python.

So the flag is flag{python}

 

 

 

 

 

Prefetch Perfection




For this question I downloaded prefetch.py from GitHub and ran it against the prefetch files.

The question asks about Internet Explorer, and out of the long list of files the only one pertaining to it is IEXPLORE.EXE. How do I know that? Mostly experience. You can also confirm it on a Windows machine: open Internet Explorer and look in Task Manager, where you will see iexplore.exe running alongside the other processes.

 



This gave me the last executed time of the process and thus the flag is flag{2017-05-01 21:11:41}.

 

If you're doing this in WinPrefetchView, remember to change the time format accordingly: the last run time is stored in the .pf file as a FILETIME, which is UTC, while WinPrefetchView shows it in local time unless you switch that option. This is a mistake I made, so make sure you understand this if you go down that path.

 

 

 

 

 

Prefetch Perfection 2




Now this was a difficult task. We have to name the process that loaded a cookie belonging to cmaldonado, and find it among all of those prefetch files. So I wrote a Python script that runs prefetch.py over every file and stores the output in a text file. The script looked something like this.



 

Then I opened the file in gedit and searched for "cookie" (Ctrl+F), looking for hits whose path was related to cmaldonado. This gave me a short list of processes:

 

IEXPLORE.EXE

DLLHOST.EXE

WINSAT.EXE

 

Finally I used trial and error and entered these one by one in the flag field of the question. The answer was DLLHOST.EXE, I guess. I'm not very sure about this one, but it's in the list for sure. So the supposed flag is flag{DLLHOST.EXE}
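Serving both Prefetch Perfection questions, here is a small parser that reads the executable name, last run time(s), run count and the list of files the program touched straight out of an uncompressed .pf file, plus a sweep over a set of them for cookie paths under a given user's profile. It is an added example, not prefetch.py or WinPrefetchView; the field offsets follow the published prefetch format for versions 17, 23, 26 and 30. The timestamps are FILETIME values and therefore UTC, which is exactly the conversion trap mentioned above. Windows 10 writes .pf files compressed (they start with MAM\x04), and those must be decompressed before this parser can read them. The sample set returned by sample_blobs() is constructed, with invented executables and paths; it does not reproduce the challenge's prefetch files.

```python
"""Parse uncompressed Windows prefetch (.pf) files: executable name, last-run
time(s), run count and the files the program touched. Added example, not
prefetch.py; sample_blobs() builds constructed data, not the challenge's."""
import struct
from datetime import datetime, timedelta, timezone

_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Per format version: offset of the last-run FILETIME(s), how many are kept, and
# offset of the run count. Windows 10 (version 30) has two sub-layouts with
# different run-count offsets, so its run count is left unread rather than guessed.
_LAYOUT = {
    17: (0x78, 1, 0x90),  # Windows XP / 2003
    23: (0x80, 1, 0x98),  # Windows Vista / 7
    26: (0x80, 8, 0xD0),  # Windows 8.1
    30: (0x80, 8, None),  # Windows 10, after MAM decompression
}
_STRINGS_AT = 84 + 16  # offset and size of the filename strings; same in every version

def filetime_to_utc(ft: int) -> datetime:
    """FILETIME is 100 ns ticks since 1601-01-01 UTC; the .pf stores it raw, no local offset."""
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def utc_to_filetime(dt: datetime) -> int:
    d = dt.astimezone(timezone.utc) - _FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def is_mam_compressed(data: bytes) -> bool:
    """Windows 10+ writes .pf files LZXPRESS-Huffman compressed behind a 'MAM\\x04' header."""
    return data[:4] == b"MAM\x04"

def parse_prefetch(data: bytes) -> dict:
    if is_mam_compressed(data):
        raise ValueError("compressed prefetch file: decompress it before parsing")
    if len(data) < 0xD4 or data[4:8] != b"SCCA":
        raise ValueError("missing SCCA signature: not a prefetch file")
    version = struct.unpack_from("<I", data, 0)[0]
    if version not in _LAYOUT:
        raise ValueError(f"unsupported prefetch version {version}")
    time_off, n_times, count_off = _LAYOUT[version]
    # 60-byte NUL-padded UTF-16LE executable name at offset 16
    exe = data[16:76].decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    times = []
    for i in range(n_times):
        ft = struct.unpack_from("<Q", data, time_off + 8 * i)[0]
        if ft:  # Windows 8+ keeps the last eight run times; unused slots are zero
            times.append(filetime_to_utc(ft))
    run_count = struct.unpack_from("<I", data, count_off)[0] if count_off else None
    s_off, s_size = struct.unpack_from("<II", data, _STRINGS_AT)
    raw = data[s_off:s_off + s_size].decode("utf-16-le", errors="replace")
    files = [p for p in raw.split("\x00") if p]  # NUL-terminated UTF-16LE paths
    return {"version": version, "executable": exe, "last_run_utc": times,
            "run_count": run_count, "files": files}

def find_cookie_loaders(blobs: dict, user: str) -> list:
    """Executables whose file list holds a cookie path under \\USERS\\<user>\\."""
    needle = f"\\USERS\\{user.upper()}\\"
    hits = set()
    for data in blobs.values():
        try:
            info = parse_prefetch(data)
        except ValueError:
            continue  # compressed or malformed: skip it rather than abort the sweep
        if any("COOKIE" in p.upper() and needle in p.upper() for p in info["files"]):
            hits.add(info["executable"])
    return sorted(hits)

def build_sample_prefetch(exe, last_run, run_count, files, version=23) -> bytes:
    """Construct a minimal .pf image holding only the fields parse_prefetch reads."""
    time_off, _, count_off = _LAYOUT[version]
    body = bytearray(256)
    struct.pack_into("<I", body, 0, version)
    body[4:8] = b"SCCA"
    name = exe.encode("utf-16-le")
    body[16:16 + len(name)] = name
    struct.pack_into("<Q", body, time_off, utc_to_filetime(last_run))
    if count_off:
        struct.pack_into("<I", body, count_off, run_count)
    strings = "".join(f + "\x00" for f in files).encode("utf-16-le")
    struct.pack_into("<II", body, _STRINGS_AT, len(body), len(strings))
    struct.pack_into("<I", body, 12, len(body) + len(strings))  # total file size
    return bytes(body) + strings

def sample_blobs() -> dict:
    """Constructed sample set with invented executables and Windows 7 style paths."""
    t = datetime(2017, 5, 1, 21, 11, 41, tzinfo=timezone.utc)
    vol = "\\DEVICE\\HARDDISKVOLUME2"
    jar = "\\APPDATA\\ROAMING\\MICROSOFT\\WINDOWS\\COOKIES\\INDEX.DAT"
    return {
        "IEXPLORE.EXE-1A2B3C4D.pf": build_sample_prefetch("IEXPLORE.EXE", t, 3,
            [vol + "\\WINDOWS\\SYSTEM32\\NTDLL.DLL", vol + "\\USERS\\CMALDONADO" + jar]),
        "TASKHOST.EXE-5E6F7A8B.pf": build_sample_prefetch("TASKHOST.EXE", t, 12,
            [vol + "\\WINDOWS\\SYSTEM32\\NTDLL.DLL", vol + "\\USERS\\CMALDONADO" + jar]),
        "WINSAT.EXE-9C0D1E2F.pf": build_sample_prefetch("WINSAT.EXE", t, 1,
            [vol + "\\WINDOWS\\SYSTEM32\\WINSAT.EXE"]),
        "NOTEPAD.EXE-3A4B5C6D.pf": build_sample_prefetch("NOTEPAD.EXE", t, 2,
            [vol + "\\USERS\\MPOWERS" + jar]),
    }

if __name__ == "__main__":
    blobs = sample_blobs()  # real collection: {p.name: p.read_bytes() for p in pathlib.Path(d).glob("*.pf")}
    info = parse_prefetch(blobs["IEXPLORE.EXE-1A2B3C4D.pf"])
    print(info["executable"], info["last_run_utc"][0].strftime("%Y-%m-%d %H:%M:%S"), info["run_count"])
    print(find_cookie_loaders(blobs, "cmaldonado"))
```

For a real collection, read every .pf file from a copy of C:\Windows\Prefetch into the dict that find_cookie_loaders() takes; on Windows 10 images the files have to be decompressed first (tools such as PECmd do that for you), which is why the parser refuses a MAM\x04 header instead of misreading it.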

 

 

 

 

 

 

Talking to the dead 1




This one's dead simple. After logging into the server over SSH, I used find to locate the flag files. The command was $ find . -name 'flag*.txt' (quote the pattern so the shell does not expand it before find sees it).

This gave me the location of flag1, flag3 and flag4.

Then I simply went to the location of flag1.txt and used cat to get the flag.

So the flag for this one is flag{cb07e9d6086d50ee11c0d968f1e5c4bf1c89418c}

 

 

 

 

Talking to the dead 2




This one's a little more challenging, as the location of flag2.txt wasn't revealed by the find command because the file is hidden. For this I had to manually go to the directories that could house the file and use $ ls -lah to check whether the file was there. Finally I found the file at /home/luciafer/Documents. I feel there could have been a simpler approach than this mess: find . only searches below the current directory, and a pattern that begins with flag can never match a dot-prefixed (hidden) name, so $ find / -name '*flag2*' 2>/dev/null would have covered both cases in one go. The flag was then extracted with cat and is flag{728ec98bfaa302b2dfc2f716d3de7869f3eadcbf}

 

 

 

 

Message in an array



This one's also very simple. You only need two lines of code and a little programming knowledge to get the flag.




Rearranging the array as shown in the next line gives the flag: flag{Nothing Will Stop DEADFACE}

 

 

 

 

Trick or treat




This one's fun. The programming jargon baffled me for a minute, but then I saw that the required function wasn't even called; some other, useless function was being executed instead. So all I did was replace that call with the required function, and voila.



 

The flag for this one is flag{2f3ba6b5fb8bb84c33b584f981c2d13d}

 

 

 

 

 

You believe in ghosts




After fiddling and failing with some image stego tools, when I had almost given up on it, I found the answer through error level analysis (ELA) on imageforensic.org.

 



A bit difficult to read, but it's the flag alright. ELA re-saves the JPEG at a known quality and maps how much each region changes; areas edited after the last save compress differently and stand out from the rest of the picture, which is how the text shows up here. If you want to know more about ELA, check out the tutorial on FotoForensics.

 

The flag is flag{ghosts_everywhere}

 

 

 

 

Start digging




Running binwalk on the image revealed that there are other images embedded inside it. So I extracted them with binwalk itself, took a look, and there was the flag inside one of the images.

Commands used: binwalk steg06.jpg and binwalk --dd='.*' steg06.jpg




So the flag for this is flag{buried_s3cr3ts}
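What binwalk does for this challenge is pattern-match known file signatures inside the JPEG and then cut the file at each hit. The Python below is an added example (not binwalk) that does the same for a handful of signatures on a constructed blob: a stub JPEG with a stub PNG appended after the JPEG's end-of-image marker, standing in for steg06.jpg.

```python
"""Tiny signature scan and carve for the 'image inside an image' case. Added
example, not binwalk; sample_blob() is a constructed stand-in for steg06.jpg."""

# Magic bytes binwalk would report for the file types that matter here.
MAGICS = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"PK\x03\x04": "zip",
}

def scan_signatures(data: bytes) -> list:
    """(offset, kind) for every known magic in the blob, like `binwalk file`."""
    hits = []
    for magic, kind in MAGICS.items():
        start = 0
        while (idx := data.find(magic, start)) != -1:
            hits.append((idx, kind))
            start = idx + 1
    return sorted(hits)

def carve(data: bytes) -> list:
    """Like `binwalk --dd='.*'`: cut from each signature to end of file. Image
    viewers stop at the image's own end marker, so trailing bytes do no harm."""
    return [(off, kind, data[off:]) for off, kind in scan_signatures(data)]

def carve_tight(data: bytes) -> list:
    """Cut from each signature to the next one instead; cleaner when files were
    simply concatenated, as they are in the constructed sample."""
    hits = scan_signatures(data)
    out = []
    for i, (off, kind) in enumerate(hits):
        end = hits[i + 1][0] if i + 1 < len(hits) else len(data)
        out.append((off, kind, data[off:end]))
    return out

def sample_blob() -> bytes:
    """Constructed: a stub JPEG (SOI, APP0, padding, EOI) with a stub PNG appended after the EOI."""
    cover = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 40 + b"\xff\xd9"
    hidden = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17
              + b"\x00\x00\x00\x00IEND\xaeB`\x82")
    return cover + hidden

if __name__ == "__main__":
    blob = sample_blob()
    for off, kind in scan_signatures(blob):      # what `binwalk steg06.jpg` lists
        print(f"{off:<12}0x{off:<10X}{kind}")
    for off, kind, piece in carve_tight(blob):   # what `--dd='.*'` would write out
        print(f"{kind} at {off}: {len(piece)} bytes")
```

A second JPEG signature inside a real photo is often just the EXIF thumbnail rather than anything hidden, so open each carved piece before reading too much into the hit list.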

 

 

 

 

Blasphemy




Trying to extract with steghide using an empty passphrase (steghide extract -sf <image> -p '') turned out to be a very good choice: it pulled a hidden text file out of the given image, and that file contained the password.

 

The flag here is flag{950634ccc97ca3ef03e22c759a356973}






Creeping 1




Ali Tevlin has a Facebook profile with some very interesting information about him. We can also confirm that he's actually the guy we're after by comparing his Facebook and Hacktober profile pictures.

 

The flag for this one is flag{F. Kreuger Financial}

 

Creeping 2




This is also available on his Facebook profile.

 

The flag is flag{Senior Acquisitions Supervisor}

 

Creeping 3




This information is again on his Facebook profile.

 

The flag here is flag{17 Jun 1973}






Past Attacks




A simple Google search led me to a site that had the answer to this question.

 

The answer and the flag is flag{Watering Hole}