Deadface CTF 2021

Reverse Engineering

Luciafer's Cryptoware IOC 2 [10 pts]

Description

Luciafer's cryptoware causes even more ruckus by encrypting the victim's file names. Decrypt the filename and enter it as the flag: Example flag{important-document.ext}.

Solution

Flag: flag{

TheZeal0t's Fingerprints Are All Over This! [10 pts] (RJ)

Description

A "hash" is a "digital fingerprint" of a file that is astronomically improbable to duplicate with other content by accident, and nearly impossible to duplicate intentionally. Therefore, it is often used as a "shorthand" to identify a file. Calculate the SHA256 sum of TheZeal0t's cryptoware program, and its decryptor program. Enter the two hashes as the flag, separated by a pipe symbol, with the cryptoware's hash first, followed by the decryptor program's hash. Example: flag{435524cc4113668d3f1e1e761d1717ba1bcf8b86b6dfaab9d048338e4e00a764|5d213aa47efd7e255c8304f56f148f87488a4bd9488f631ac4ed87f02c85cdce}

Solution

Solved by calculating SHA256 sum of both files

Flag: flag{5A54FB61F7B1A9B1B7405602388ADD7E3323890BC74952A62803FFB1A535338B|969102C7FEB6003624C4CAF0E00FA9A60D96BC503EF0BEB71ED4AF68BA1FC047}

Luciafer's TOTAL Disaster [20 pts]

Description

Luciafer should learn to follow directions! Her "cryptoware" is a TOTAL disaster! She didn't realize that her choice of encryption algorithm, although a common one for hiding POCs from analysts because of its simplicity and lack of an obvious signature, is terrible for cryptoware! Do some basic analysis on her malware and see what information you can come up with. There are some great, easy-to-use tools that can help a burgeoning malware analyst.

Solution

Picking out the key words, I found "malware", and because someone I mentor called me the other day asking "how do I know if something is a virus?", I just tried the advice I gave him: run it through an online scanner, for which I used VirusTotal. Kind of obvious once writing this that I missed the huge hint in the title's bolded letters, but that is fine. I scanned the file and someone had put a comment with the flag.

Flag: flag{together-we-can-defeat-Lytton-Labs!}

Cereal Killer [50 pts]

Description

spookyboi is really into Serial Killers. He loves to watch Mindhunter on NetFlix. He can also SLAY a bowl of his favorite cereal.

Solution

This was the lowest-scoring Rev problem, so I assumed it had something to do with strings, so I entered 2 commands to get the flag. First, finding the password with strings deadface_re01.bin, then entering it when running the file with ./deadface_re01.bin (of course I also used chmod +x deadface_re01.bin).

Flag: flag{c0unt-ch0cula-cereal-FTW}

Steganography

Send in the Clowns [10 pts]

Description

There is a secret hidden somewhere in this image. Can you find it? Submit the flag as flag{this-is-the-flag}.

Solution

The flag was hidden in the EXIF data: exiftool steg02.jpg

Flag: flag{s3nd_in_the_kl0wns}

Scary Bunny [10 pts]

Description

What could be inside this creepy rabbit

Solution

Flag: flag{

Behind the Curtain [30 pts]

Description

This image was intercepted from Ghost Town. We think Donnell has hidden information here, but there doesn't seem to be anything special about the image. Can you help find the hidden information? Submit the flag as flag{this-is-the-flag}.

Solution

I ran binwalk, as it is a Steganography problem, and found that there is a hidden image, but my regular binwalk -e steg01.jpeg was not extracting it. I learned online that it only extracts compressed files, so I had to modify the command to binwalk -D='.*' steg01.jpeg, which printed out the other image with the flag.

Flag: flag{L3t_m3_in}

V0icE [50 pts]

Description

A friend of mine sent me an audio file which is supposed to tell me the time of our night-out meeting, but I can't comprehend the voice in the audio file. Can you help me figure it out? I want to hang out with my friends.

Solution

Looking in Audacity, I found that the spectrogram view of the audio file showed a flag.

Flag: flag{1257}

Cryptography

Big Boss [10 pts]

Description

An anonymous tipster sent us this photo alleging that it's a note written by b3li3f1203. The tipster claims that the note was intended for someone who works at De Monne Financial. They also said it's likely that it has something to do with a phishing campaign. Provide the name of the target individual as the flag in this format: flag{FirstName_LastName}.

Solution

a

Flag: flag{

Poor MEGAN! [20 pts]

Description

Oh, NO! Poor Megan! She's just been bitten by a ZOMBIE! We can save her if we act fast, but the formula for the antidote has been scrambled somehow. Figure out how to unscramble the formula to save Megan from certain zombification. Enter the answer as flag{here-is-the-answer}. The formula for the antidote: j2rXjx9dkhW9eLKsnMR9cLDVjh/9dwz1QfGXm+b9=wKslL1Zpb45

Solution

https://gchq.github.io/CyberChef/#recipe=From_Base64(%273GHIJKLMNOPQRSTUb%3DcdefghijklmnopWXYZ/12%2B406789VaqrstuvwxyzABCDEF5%27,true)&input=ajJyWGp4OWRraFc5ZUxLc25NUjljTERWamgvOWR3ejFRZkdYbStiOT13S3NsTDFacGI0NQ

Flag: flag{Six-Parts-Honey-One-Part-Garlic}
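The CyberChef recipe above is a base64 decode with a scrambled alphabet: the 64 symbol characters appear in a custom order and the 65th character ('5') serves as padding, so '=' inside the ciphertext is an ordinary data symbol. The following Python is an added example (not the writeup author's code) that does the same thing offline by translating the custom alphabet onto the standard one before calling the standard decoder; the alphabet and ciphertext are the ones from the recipe, and the trailing-newline handling is an observation from decoding them:

```python
import base64

STANDARD_B64 = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                "abcdefghijklmnopqrstuvwxyz"
                "0123456789+/")

# Scrambled alphabet taken from the CyberChef recipe: 64 symbol characters
# in value order, followed by the padding character ('5').
MEGAN_ALPHABET = "3GHIJKLMNOPQRSTUb=cdefghijklmnopWXYZ/12+406789VaqrstuvwxyzABCDEF5"

# The scrambled antidote formula from the challenge description.
SCRAMBLED_FORMULA = "j2rXjx9dkhW9eLKsnMR9cLDVjh/9dwz1QfGXm+b9=wKslL1Zpb45"


def decode_custom_base64(data: str, alphabet: str) -> bytes:
    """Decode base64 text written with a non-standard alphabet.

    `alphabet` holds the 64 symbol characters in value order; an optional
    65th character is the padding symbol. Each symbol is mapped to the
    standard character with the same value, then the standard decoder runs.
    '=' may be a data symbol in the custom alphabet, so the mapping is applied
    to the whole string at once with str.translate rather than with chained
    replace() calls, which would clobber earlier substitutions.
    """
    if len(alphabet) not in (64, 65):
        raise ValueError("alphabet needs 64 symbols plus an optional padding character")
    if len(set(alphabet)) != len(alphabet):
        raise ValueError("alphabet characters must be unique")
    unknown = set(data) - set(alphabet)
    if unknown:
        raise ValueError(f"input contains symbols outside the alphabet: {sorted(unknown)}")
    table = {ord(c): STANDARD_B64[i] for i, c in enumerate(alphabet[:64])}
    if len(alphabet) == 65:
        table[ord(alphabet[64])] = "="
    return base64.b64decode(data.translate(table))


def unscramble_formula() -> str:
    """Recover the antidote formula; the decoded bytes end with a newline, which is stripped."""
    return decode_custom_base64(SCRAMBLED_FORMULA, MEGAN_ALPHABET).decode("ascii").strip()


if __name__ == "__main__":
    print(unscramble_formula())
```

The same function decodes ordinary base64 when given the standard alphabet plus '=', which is a quick way to confirm the translation table is built in the right direction before trusting it on a custom one.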

To Be Xor Not to Be [75 pts]

Description

.$)/3<'e-)<e':e&'<e<'e-)<5

Submit the flag as flag{here-is-the-answer}

Solution

https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(1,100,0,%27Standard%27,false,true,false,%27flag%27)&input=LiQpLzM8J2UtKTxlJzplJic8ZTwnZS0pPDU

Flag: flag{to-eat-or-not-to-eat}
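The recipe above brute-forces a one-byte XOR key and filters candidates on the crib "flag". Because every flag starts with that prefix, the key does not even need brute force: XOR of ciphertext byte and known plaintext byte at the same position gives the key directly, and a single-byte key must come out identical at every crib position. The following Python is an added example (not the writeup author's code) that shows both routes on the ciphertext from the description; the crib and the 0x48 result are the only assumptions, and both are checked in the code:

```python
from typing import List, Optional, Tuple

# The challenge ciphertext from the description, as raw bytes.
CIPHERTEXT = b".$)/3<'e-)<e':e&'<e<'e-)<5"
# Known-plaintext crib: every flag in this CTF starts with this.
CRIB = b"flag"


def xor_single_byte(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; encryption and decryption are the same operation."""
    if not 0 <= key <= 0xFF:
        raise ValueError("key must be a single byte")
    return bytes(b ^ key for b in data)


def key_from_crib(ciphertext: bytes, crib: bytes, offset: int = 0) -> Optional[int]:
    """Recover the key directly: key = c ^ p must agree at every crib position.

    Returns None if the crib does not fit or the positions disagree, which
    means the key is longer than one byte or the crib is at the wrong offset.
    """
    if len(ciphertext) < offset + len(crib):
        return None
    keys = {c ^ p for c, p in zip(ciphertext[offset:], crib)}
    return keys.pop() if len(keys) == 1 else None


def brute_force_single_byte(ciphertext: bytes, crib: bytes) -> List[Tuple[int, bytes]]:
    """The brute-force route: try all 256 keys, keep plaintexts that contain the crib anywhere."""
    hits = []
    for key in range(256):
        plaintext = xor_single_byte(ciphertext, key)
        if crib in plaintext:
            hits.append((key, plaintext))
    return hits


if __name__ == "__main__":
    print("derived key:", hex(key_from_crib(CIPHERTEXT, CRIB)))
    for key, plaintext in brute_force_single_byte(CIPHERTEXT, CRIB):
        print(f"key 0x{key:02x}: {plaintext!r}")
```

The brute-force variant searches for the crib anywhere in the output, which is what the CyberChef operation does; the direct variant is what to reach for when the crib's offset is known, and its None result is the signal that a longer repeating key is in play.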

Exploitation

Old Devil [30 pts]

Description

We found this program written by luciafer. She used it to hide a password in the form of a flag. See if you can find the flag in the program.

Solution

Thought looking at it would help, but disassembling it made me more confused. I just ran the file and decided, why not try to overflow it. That somehow worked; entering a lot of 'A's just gave the flag.

Flag: flag{AdraMMel3ch}

Password Insecurities [50 pts]

Description

It looks like DEADFACE is going after the password of one of De Monne's customers: Haily Poutress. She has since changed her password, but De Monne is looking for ways to improve password requirements. De Monne would like you to crack the password from the database leak to determine if Haily's password was secure enough. Submit the flag as flag{password}. Use the MySQL database dump from Body Count.

Solution

a

Flag: flag{

SQL

Body Count [10 pts]

Description

One of our employees, Jimmie Castora, kept database backups on his computer. DEADFACE compromised his computer and leaked a portion of the database. Can you figure out how many customers are in the database? We want to get ahead of this and inform our customers of the breach. Submit the flag as flag{#}. For example, flag{12345}.

Solution

a

Flag: flag{

Keys [20 pts]

Description

One of De Monne's database engineers is having issues rebuilding the production database. He wants to know the name of one of the foreign keys on the loans database table. Submit one foreign key name as the flag: flag{foreign-key-name} (can be ANY foreign key). Use the MySQL database dump from Body Count.

Solution

a

Flag: flag{

Address Book [30 pts] (MayDay)

Description

It looks like DEADFACE is targeting one of De Monne's customers. Check out this thread in Ghost Town and submit the customer's name as the flag: flag{Jane Doe}. Use the MySQL database dump from Body Count.

Solution

MariaDB [demonne]> select * from customers where city='vienna' and gender='F';
+---------+-----------+------------+------------------------+--------------------------+--------+-------+---------+--------+--------+------------+
| cust_id | last_name | first_name | email                  | street                   | city   | state | country | postal | gender | dob        |
+---------+-----------+------------+------------------------+--------------------------+--------+-------+---------+--------+--------+------------+
|    2574 | Allsopp   | Collen     | callsopp1zh@sbwire.com | 90360 Red Cloud Crossing | Vienna | VA    | US      | 22184  | F      | 10/25/1973 |
+---------+-----------+------------+------------------------+--------------------------+--------+-------+---------+--------+--------+------------+

Flag: flag{

City Lights [40 pts]

Description

De Monne wants to know how many branch offices were included in the database leak. This can be found by figuring out how many unique cities the employees live in. Submit the flag as flag{#}. Use the MySQL database dump from Body Count.

Solution

a

Flag: flag{

Boom [100 pts]

Description

DEADFACE actors will be targeting customers they consider low-hanging fruit. Check out Ghost Town and see who they are targeting. Submit the number of target candidates as the flag: flag{#}. Use the MySQL database dump from Body Count.

Solution

a

Flag: flag{

El Paso [250 pts]

Description

The regional manager for the El Paso branch of De Monne Financial is afraid his customers might be targeted for further attacks. He would like you to find out the dollar value of all outstanding loan balances issued by employees who live in El Paso. Submit the flag as flag{$#,###.##}. Use the MySQL database dump from Body Count.

Solution

a

Flag: flag{

All A-Loan [375 pts]

Description

De Monne has reason to believe that DEADFACE will target loans issued by employees in California. It only makes sense that they'll then target the city with the highest dollar value of loans issued. Which city in California has the most money in outstanding Small Business loans? Submit the city and dollar value as the flag in this format: flag{City_$#,###.##}. Use the MySQL database dump from Body Count.

Solution

SELECT em.city, SUM(lo.balance) AS highest_outstanding_loans
FROM loans AS lo
JOIN customers AS cu ON cu.cust_id = lo.cust_id
JOIN employees AS em ON em.employee_id = lo.employee_id
JOIN loan_types AS lt ON lt.loan_type_id = lo.loan_type_id
WHERE em.state = 'CA' AND lt.loan_type_id = 3
GROUP BY em.city
ORDER BY highest_outstanding_loans DESC

Flag: flag{Oakland_$90,600.00}
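To check a query like the one above without the leaked dump at hand, it helps to run it against a small in-memory database whose rows are chosen so that every filter (state, loan type) has something to exclude. The following Python is an added example (not the writeup author's code): it builds a constructed SQLite mini-schema mirroring the tables and columns the query touches, runs the writeup's query with the literals turned into parameters, and renders the challenge's flag{City_$#,###.##} format. The rows are invented, the loan_id and loan_type column names are assumptions, and loan_type_id 3 standing for Small Business follows the writeup:

```python
import sqlite3
from typing import Optional, Tuple

# Constructed mini-schema mirroring the tables and columns the query touches.
# Column names not visible in the writeup (loan_id, loan_type) are assumptions.
SCHEMA = """
CREATE TABLE customers (cust_id INTEGER PRIMARY KEY, last_name TEXT, first_name TEXT, city TEXT, state TEXT);
CREATE TABLE employees (employee_id INTEGER PRIMARY KEY, city TEXT, state TEXT);
CREATE TABLE loan_types (loan_type_id INTEGER PRIMARY KEY, loan_type TEXT);
CREATE TABLE loans (
    loan_id INTEGER PRIMARY KEY,
    cust_id INTEGER NOT NULL REFERENCES customers(cust_id),
    employee_id INTEGER NOT NULL REFERENCES employees(employee_id),
    loan_type_id INTEGER NOT NULL REFERENCES loan_types(loan_type_id),
    balance REAL NOT NULL
);
"""

# Constructed sample rows (not the real dump). Employee 1 is in Oakland and
# employee 2 in Fresno; employee 3 lives in Texas and loan 4 is an Auto loan,
# so a correct query must leave both of those out of the California total.
SAMPLE_ROWS = {
    "customers": [(1, "Doe", "Jane", "Oakland", "CA"),
                  (2, "Roe", "Rick", "Fresno", "CA"),
                  (3, "Poe", "Pat", "El Paso", "TX")],
    "employees": [(1, "Oakland", "CA"), (2, "Fresno", "CA"), (3, "El Paso", "TX")],
    "loan_types": [(1, "Auto"), (2, "Mortgage"), (3, "Small Business")],
    "loans": [(1, 1, 1, 3, 50000.00),
              (2, 2, 1, 3, 40600.00),
              (3, 3, 2, 3, 75000.00),
              (4, 1, 1, 1, 200000.00),
              (5, 2, 3, 3, 99999.00)],
}

# The writeup's query with the state and loan type as bound parameters.
QUERY = """
SELECT em.city, SUM(lo.balance) AS highest_outstanding_loans
FROM loans AS lo
JOIN customers AS cu ON cu.cust_id = lo.cust_id
JOIN employees AS em ON em.employee_id = lo.employee_id
JOIN loan_types AS lt ON lt.loan_type_id = lo.loan_type_id
WHERE em.state = ? AND lt.loan_type_id = ?
GROUP BY em.city
ORDER BY highest_outstanding_loans DESC
"""


def build_sample_db() -> sqlite3.Connection:
    """Create the in-memory database and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in SAMPLE_ROWS.items():
        placeholders = ",".join("?" * len(rows[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({placeholders})", rows)
    return conn


def top_city(conn: sqlite3.Connection, state: str = "CA",
             loan_type_id: int = 3) -> Optional[Tuple[str, float]]:
    """Return (city, total outstanding balance) for the top employee city, or None if no rows match."""
    row = conn.execute(QUERY, (state, loan_type_id)).fetchone()
    return (row[0], float(row[1])) if row else None


def format_flag(city: str, amount: float) -> str:
    """Render the challenge's flag{City_$#,###.##} format with thousands separators."""
    return f"flag{{{city}_${amount:,.2f}}}"


if __name__ == "__main__":
    db = build_sample_db()
    city, total = top_city(db)
    print(format_flag(city, total))
```

Grouping by the employee's city (em.city) rather than the customer's is the point of the join chain: the challenge asks where the issuing employees live, and the customers table is only joined to confirm each loan references a real customer.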

Programming

Unfinished [5 pts]

Description

There seems to be something wrong with this code. Can you figure out how to make it return the flag? Modify the code to show the flag. Submit the flag as: flag{flag-goes-here}.

#!/usr/bin/env python3

from binascii import unhexlify as u

def get_flag():
    flag = '666c61677b30682d6c6f6f6b2d612d466c61477d'
    return u(flag).decode('utf-8')

print(f'The flag is: ')

Solution

I didn't want to take a chance on something going wrong with Python, so I just ran the hex through an online hex-to-string converter.

Flag: flag{0h-look-a-FlaG}

Trick or Treat [200 pts]

Description

A user on Ghost Town created a game that he claims no one can beat. Check out the game and find the flag hidden inside. Submit the flag as: flag{flag-goes-here}.

Solution

At first I thought it was to beat the game, but no matter if I got 1 or 10 I would just get a printout of flag{. That ruled out my idea, so I just looked in the code at what we were printing, and I only found 2 print statements. I moved that print statement from the middle of the code to after the intro and it printed out the rest of the flag.

print(b.prnt([2, 26, 13, 19, 62, 28, 33, 54, 55, 45, 62, 29, 54, 55, 45, 33, 65]))

Flag: flag{CaNT_ch34t_d34th}

The Count [275 pts]

Description

Apparently DEADFACE is recruiting programmers, but spookyboi is a little apprehensive about recruiting amateurs. He's placed a password hash in the form of a flag for those able to solve his challenge. Solve the challenge and submit the flag as flag{SHA256_hash}.

Solution

from pwn import *

# Connect to the challenge service and read up to the prompt that carries the word.
binary = remote("code.deadface.io", 50000)
print(binary.recvuntil(b'Your word is:'))
word = binary.recvuntil(b'\n').strip()
print(word)

# Score the word: each letter contributes its 0-based position in the alphabet (a=0, b=1, ...).
sums = 0
for c in word:          # iterating over bytes yields integers, so no ord() is needed on c
    sums += c - ord('a')
print(sums)

# pwntools sends bytes on the wire, so encode the answer explicitly.
binary.sendline(str(sums).encode())
print(binary.recvuntil(b'\n'))
print(binary.recvuntil(b'\n'))

Flag: flag{d1c037808d23acd0dc0e3b897f344571ddce4b294e742b434888b3d9f69d9944}

Forensics

Blood Bash [10 pts]

Description

We've obtained access to a system maintained by bl0ody_mary. There are five flag files that we need you to read and submit. Submit the contents of flag1.txt.

Username: bl0ody_mary
Password: d34df4c3
bloodbash.deadface.io:22

Solution

Connect through SSH using ssh bl0ody_mary@bloodbash.deadface.io and, once logged in, navigate to the Documents folder with cd documents and read the flag with cat flag1.txt

Flag: flag{cd134eb8fbd794d4065dcd7cfa7efa6f3ff111fe}

Blood Bash 2 [15 pts]

Description

We've obtained access to a system maintained by bl0ody_mary. We believe bl0ody_mary stole a sensitive document and is storing it on her Linux machine. Search her system for any files relating to De Monne Financial.

Username: bl0ody_mary
Password: d34df4c3
bloodbash.deadface.io:22

Solution

a

Flag: flag{

File 101 [200 pts]

Description

An email, containing a photo of a pumpkin, was found in an employee's Gmail inbox. The photo looks normal, but looks can be deceiving sometimes. What secrets could it be holding?

Solution

Found a Dropbox link in the image, downloaded the file and cracked it with rockyou, then fixed the file by restoring FF D8 FF E0 as the file header.

Flag: flag{Easy_Right}
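The header fix above is a common forensics step: a JPEG must begin with the SOI marker FF D8 followed by an application segment marker, FF E0 for JFIF files or FF E1 for Exif files, and a file with those bytes damaged will not open even though the image data behind them is intact. The following Python is an added example (not the writeup author's code) that inspects the leading markers, picks the right APPn marker from the identifier string at offset 6, and rewrites only the first four bytes. The damaged sample is constructed inline; the marker values are the standard JPEG/JFIF ones:

```python
from typing import Dict

SOI = b"\xff\xd8"    # Start Of Image
APP0 = b"\xff\xe0"   # JFIF application segment
APP1 = b"\xff\xe1"   # Exif application segment
EOI = b"\xff\xd9"    # End Of Image

# Constructed sample: a tiny JFIF-style file whose first four bytes were zeroed.
# The APP0 body (length 0x0010, "JFIF\0", version 1.1, no density, no thumbnail) is intact.
DAMAGED_JFIF = (
    b"\x00\x00\x00\x00"
    + b"\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + EOI
)


def inspect_jpeg(data: bytes) -> Dict[str, bool]:
    """Report which JPEG structural markers and identifiers are present."""
    return {
        "soi": data[:2] == SOI,
        "app0_or_app1": data[2:4] in (APP0, APP1),
        "jfif_tag": data[6:11] == b"JFIF\x00",
        "exif_tag": data[6:10] == b"Exif",
        "eoi": data.endswith(EOI),
    }


def repair_jpeg_header(data: bytes) -> bytes:
    """Rewrite the first four bytes so the file starts with SOI plus the right APPn marker.

    The writeup used FF D8 FF E0, which is correct for JFIF files. If the identifier
    at offset 6 reads "Exif" the second marker should be FF E1 (APP1) instead; with
    no recognisable identifier the JFIF marker is used as the default.
    """
    if len(data) < 11:
        raise ValueError("too short to carry a JPEG SOI/APPn header")
    app = APP1 if data[6:10] == b"Exif" else APP0
    fixed = SOI + app + data[4:]
    return data if fixed == data else fixed


if __name__ == "__main__":
    print("before:", inspect_jpeg(DAMAGED_JFIF))
    repaired = repair_jpeg_header(DAMAGED_JFIF)
    print("after: ", inspect_jpeg(repaired), repaired[:4].hex())
```

Checking the identifier string before choosing the marker is the part worth keeping: writing FF E0 onto an Exif file produces a header that many parsers still reject, and the "Exif" text a few bytes further in is what tells the two cases apart.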

Traffic Analysis

Monstrum ex Machina [30 pts]

Description

Our person on the "inside" of Ghost Town was able to plant a packet sniffing device on Luciafer's computer. Based on our initial analysis, we know that she was attempting to hack a computer in Lytton Labs, and we have some idea of what she was doing, but we need a more in-depth analysis. This is where YOU come in. We need YOU to help us analyze the packet capture. Look for relevant data to the potential attempted hack. To gather some information on the victim, investigate the victim's computer activity. The "victim" was using a search engine to look up a name. Provide the name with standard capitalization: flag{Jerry Seinfeld}.

Solution

I was looking through the HTTP traffic, as it says a search engine was used, and found entries with queries. Upon further investigation of this packet, it shows who specifically we are searching for.

Flag: flag{Charles Geschickter}

The SUM of All FEARS [50 pts]

Description

After hacking a victim's computer, Luciafer downloaded several files, including two binaries with identical names, but with the extensions .exe and .bin (a Windows binary and a Linux binary, respectively). What are the MD5 hashes of the two tool programs? Submit both hashes as the flag, separated by a |: flag{ExeMD5|BinMD5}. Use the PCAP from LYTTON LABS 01 - Monstrum ex Machina.

Solution

a

Flag: flag{

Release the Crakin'! [50 pts]

Description

Luciafer cracked a password belonging to the victim. Submit the flag as: flag{password}. Use the PCAP from LYTTON LABS 01 - Monstrum ex Machina.

Solution

a

Flag: flag{

Luciafer, You Cleaver Little Devil [50 pts]

Description

Luciafer gains access to the victim's computer by using the cracked password. What is the packet number of the response by the victim's system, saying that access is granted? Submit the flag as: flag{#}. NOTE: Use the packet response from her login, not from the password cracker. Use the PCAP from Monstrum ex Machina.

Solution

a

Flag: flag{

A Warning [150 pts]

Description

Luciafer is being watched! Someone on the inside of Lytton Labs can see what she is doing and is sending her a message. One of them says: "Stay away from Lytton Labs... you have been warned." To find the flag, find the message. You'll know it when you see it. Submit the flag as flag{flag-goes-here}. Use the PCAP from LYTTON LABS 01 - Monstrum ex Machina.

Solution

a

Flag: flag{

Bonus

Jailbird [20 pts] (RJ)

Description

It looks like authorities arrested a member of DEADFACE. But who was it? Submit the member's username as the flag: flag{username}

Solution

Solved by searching through their threads on their communications platform, Ghost Town: https://ghosttown.deadface.io/u/dr.acula/summary. The dr.acula account was found, and that is the flag.

Flag: flag{dr.acula}

OSINT

Occupation [20 pts] (RJ)

Description

Which employee at De Monne Financial was the target of DEADFACE that resulted in a data leak? Submit the employee's job title as the flag: flag{Job Title}

Solution

a

Flag: flag{

Meetup [20 pts] (RJ)

Description

A member of DEADFACE suggested that they all meet up at some point. With this information, we'd be able to contact law enforcement to get them all at once! What does the picture say about their meetup location, though? Submit the flag as: flag{location}. Example: flag{Golden Gate Bridge}.

Solution

Solved by reverse image searching and finding the center at which it was located. The flag was the name of the location.

Flag: flag{Eastern State Penitentiary}
