Edit some post
COJII committed Jul 31, 2024
1 parent 893f423 commit d7afa8b
Showing 8 changed files with 51 additions and 3 deletions.
2 changes: 1 addition & 1 deletion _posts/2024-01-08-Iris-CTF.md
@@ -5,7 +5,7 @@ date: 2024-01-08T07:42:50+07:00
tags: [osint]
categories: [ctf]
author : [1]
image: assets/posts/IrisCTF2024/logo_iris.png
# image: assets/posts/IrisCTF2024/logo_iris.png
---

For my first CTF tournament of the year, I mainly considered challenges related to Misc, Osint, Forensics but most of them were difficult for me, so I could only do 2 Osint problems. Too bad for that.
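Review bot: commenting out `image:` leaves dead YAML in the front matter; if the cover image is being retired on purpose, drop the line instead (after checking whether `assets/posts/IrisCTF2024/logo_iris.png` is still referenced anywhere else), otherwise say why it is disabled, since the commit message `Edit some post` gives no reason. Minor: `author : [1]` in the unchanged context has a space before the colon, unlike the other keys, so it is worth normalising to `author: [1]` while this block is being touched.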
52 changes: 50 additions & 2 deletions _posts/2024-07-30-corCTF.md
@@ -13,7 +13,12 @@ Hi guys, it's me again. Three months is long time for me to participate in a CTF
# Solution

## 1. Forensics/The-conspirasy
- Challenge give me 2 files : one is pcap, one is python code. I tried opening the pcap file to see what was there. At first glance, it contained TCP streams containing data in the form [x,y,z ...] with 2 types including numbers less than or equal to 100 and large numbers with 3 or more digits. Read the python code file further. That's a way to encode and send data.
- Challenge give me 2 files : one is pcap, one is python code. I tried opening the pcap file to see what was there. At first glance, it contained TCP streams containing data in the form [x,y,z ...] with 2 types including numbers less than or equal to 100 and large numbers with 3 or more digits.

![pic](/assets/posts/corCTF%202024/the-conspiracy/1.png)

![pic](/assets/posts/corCTF%202024/the-conspiracy/2.png)
- Read the python code file further. That's a way to encode and send data.

```python
import csv
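Review bot: the two added image links use `/assets/posts/corCTF%202024/the-conspiracy/...`, which only resolves because the directory `corCTF 2024` has a literal space that must be percent-encoded in every link; a directory name without spaces (for example one matching the `IrisCTF2024` convention used by the other post) avoids broken links whenever someone forgets the encoding. Both images also carry the alt text `pic`; a short description of what each screenshot shows would help readers who cannot load them. Note too that the heading in the unchanged context reads `The-conspirasy` while the asset directory is `the-conspiracy`, so one of the two should be corrected.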
@@ -134,4 +139,47 @@ print(decrypt(finalmessage, keys))

FLAG : *corctf{b@53d_af_f0r_th3_w1n}*

## 2. Forensics/Ilfiltration
## 2. Forensics/Ilfiltration
The challenge requires answering some questions to get the flag, the challenge file is an event logs file. Since I am not familiar with using chainsaw, I only use 2 tools here, event viewer and EVTXeCMD.

```Q1: We'd like to confirm what the username of the main user on the target's computer is. Can you provide this information? ```

ANSWER: slice1

SOLVE: Just go through some facts and we will have the answer to this question or check EID: 4798 (User's local group membership was enumerated.)

```Q2: Now, we'd like the name of the computer, after it was renamed. Ensure that it is entered in exactly how it is in the logs ```

ANSWER: lemon-squeezer

SOVLE: We can see it in EID 4673 (A privileged service was called) or other, like Q1.

```Q3: Great work! In order to prevent their lemons from moulding, the lemonthinkers changed the maximum password age. What is this value? Please enter it as an integer number in days```

ANSWER: 83

SOLVE: Check EID 4739 (Domain Policy was changed). Actually I didn't check EID 4739 immediately, I used another way which is to use EVTXeCMD to convert the evtx file to a csv file, then grep "age". You can see the 2 numbers are 42 and 83, but the correct answer is 83. Check the evtx file just to be sure.

```Q4: It seems that our targets are incredibly smart, and turned off the antivirus. At what time did this happen? Give your answer as a UNIX timestamp```

ANSWER: 1721946080

SOLVE: This was a question that I was pretty clueless about. So when a member of my team answered it first, I knew I needed to check EID 4699 (A scheduled task was deleted)
![pic](/assets/posts/corCTF%202024/ilfiltration/Q4.png)
We can see here, in my local time it is 5:21:20 AM on the 26th, converted to UTC it is 22:21:20 on the 25th. Then just use Epoch Converter to convert to Unix time.

```Q5: The main lemonthinker, slice1, hasn't learnt from the-conspiracy and has (again) downloaded some malware on the system. What is the name of the user created by this malware? ```

ANSWER: notabackdoor

SOLVE: Check EID 4672 (Special privileges assigned to new logon), we can see it in first line.
![pic](/assets/posts/corCTF%202024/ilfiltration/Q5.png)

```Q6: Finally, we'd like to know the name of the group that the user created by the malware is part of, which has the greatest security risk. What is this?```

ANSWER: Administrator

SOLVE: In this ques, i use [Timeline Explorer](https://f001.backblazeb2.com/file/EricZimmermanTools/net6/TimelineExplorer.zip) and filter `Username=notabackdoor`, we can see in EID `4672 line : Administrative logon`, so the answer is Administrator.
![pic](/assets/posts/corCTF%202024/ilfiltration/Q6.png)

FLAG: *corctf{alw4y5_l3m0n_7h1nk_b3f0r3_y0u_c0mm1t_cr1m3}*
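Review bot: the Q4 solution converts `5:21:20 AM on the 26th` local time to `22:21:20 on the 25th` UTC without stating the local offset, so a reader cannot check the `1721946080` answer from the text alone; stating the timezone (the other post's front matter uses `+07:00`) or quoting the event's UTC timestamp straight from the log record would make the step verifiable. Two smaller points: `SOVLE:` under Q2 is a typo for `SOLVE:`, and the `## 2. Forensics/Ilfiltration` heading is removed and re-added with identical visible text, which suggests a trailing-whitespace change worth stripping from the diff. The question text wrapped in single-line triple backticks renders as inline code rather than a block; a `>` blockquote reads better for quoted prose.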
Binary file removed assets/posts/corCTF 2024/corctflogo_32.png
Binary file added assets/posts/corCTF 2024/ilfiltration/Q4.png
Binary file added assets/posts/corCTF 2024/ilfiltration/Q5.png
Binary file added assets/posts/corCTF 2024/ilfiltration/Q6.png
Binary file added assets/posts/corCTF 2024/the-conspiracy/1.png
Binary file added assets/posts/corCTF 2024/the-conspiracy/2.png