April 2019 - Stark 4N6

Monday, April 15, 2019

CTF on a Budget - Magnet User Summit 2019 (Part 4) - Secret Project

I was planning on having this out last week but vacation got in the way (no complaints though). For part 4, we will walk through the Secret Project.

When I originally got the disk image prior to the start of the live CTF, I quickly came across the "EvenMoreSecretStuff.vhd" file. I was even at the point of wanting to try to crack the password, as I couldn't find anything, but gave up until playing. Little did I know that completing the Mobile section would eventually reveal the BitLocker password for the file, "protectedbyjubjub".

So once I had the password, I knew exactly what it was for and how to move forward during competition. After unlocking and loading the VHD into FTK Imager, I could see that there were some files in the recycle bin in the "software" folder.


1. Which language was used to create the secret projects executable?
When I originally played, I made a stab at this one quickly, assuming it was Python because of the icon for the “exe” file, which ended up being the answer.

2. Which Version - Which version of Python is used for the compiled binary? (format: N.N)
If confirmation was needed for Q1, we can load “at-5000.exe” into PPEE (puppy) and filter strings for python, showing that “python27.dll” was loaded into the executable, answering this one as well: v2.7.

3. Which Compiler Tool - Which tool was used to create the compiled executable?
Running some quick string searches in PPEE for each option, the only one that showed up was PyInstaller, which was indeed the answer.

4. Processor Architecture - What is the Processor Architecture of the compiled binary?
A quick run through of the executable in exiftool and we can see the architecture was AMD64.

This was also confirmed through PPEE.

5. Redial - What number does the at-5000 redial?
As silly as it was at the time, I originally executed the file and let it run to see what it would do. It eventually stops calling and redials 555-8904.

6. Redialed Association - Who is associated with the number that gets redialed?
With some OSINT and Google we can look up the number 555-8904 and, lo and behold, someone associated every Simpsons phone number with a character. We can find here that it belongs to Ned Flanders.

Now going back through the question with some extra time to research, doing some quick Google searching I found some scripts to unpack and decompile the executable. We first unpack using Countercept’s python-exe-unpacker. I had next searched for a decompiler and came across this article from hasherezade. Using her instructions (as I’ve never really done much malware analysis) it’s easy to add the magic number (8 bytes) to the front of the “at-5000” file that was part of the extraction.

We then add the file extension “pyc” and run through EasyPythonDecompiler to get the code for the python script. We see that it indeed runs until it gets to Ned’s number.
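The header step described above, as an added example that is not part of the original post or of the tools it names: a bare marshalled code object gets the 8-byte Python 2.7 header (4-byte magic plus 4-byte timestamp) so a decompiler will accept it. The function names and the sample bytes are assumptions made for illustration.

```python
import struct

# CPython 2.7 .pyc layout: 4-byte magic (03 F3 0D 0A) + 4-byte mtime, then a
# marshalled code object. The file extracted from the PyInstaller bundle
# lacks this header, which is why it has to be added by hand.
PY27_MAGIC = b"\x03\xf3\x0d\x0a"
MARSHAL_TYPE_CODE = b"c"  # first byte of a Python 2 marshalled code object


def has_pyc_header(data, magic=PY27_MAGIC):
    """True if data starts with the magic and a code object follows the header."""
    return data[:4] == magic and data[8:9] == MARSHAL_TYPE_CODE


def add_pyc_header(data, magic=PY27_MAGIC, mtime=0):
    """Return data with magic + mtime prepended, unless it is already there."""
    if has_pyc_header(data, magic):
        return data  # already complete, do not double-prefix
    if data[:1] != MARSHAL_TYPE_CODE:
        raise ValueError("not a bare marshalled code object (wrong file?)")
    return magic + struct.pack("<I", mtime) + data


def repair_file(src_path, dst_path):
    """Write a header-fixed copy; the extracted original is left untouched."""
    with open(src_path, "rb") as fh:
        fixed = add_pyc_header(fh.read())
    with open(dst_path, "wb") as fh:
        fh.write(fixed)
    return len(fixed)


# Constructed stand-in for the extracted "at-5000" file: 'c' plus filler bytes.
SAMPLE_BARE = b"c" + b"\x00" * 16

if __name__ == "__main__":
    fixed = add_pyc_header(SAMPLE_BARE)
    print(fixed[:8].hex(), len(fixed))
```

Writing to a separate ".pyc" copy keeps the extracted file's hash intact for the case notes.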

We can use this code to pull out the information we want for the rest of the questions.

7. Call Time - How much time (in seconds) does the AT-5000 wait between dialing numbers?

Originally, I completely guessed this one correctly, because I knew after executing that the numbers incremented more quickly than 1 per second. Now, viewing the source code, we see it was 0.01 seconds.

8. Imports - What two libraries does at-5000 import?
Easy, look at the top of the source code and see time and random.

9. Max Calling - What is the max number of calls the AT-5000 can make?
Another easy one now that we have the code: you can see it increments in a range up to 10000000.

And with that final question, it completes the Magnet User Summit 2019 CTF with 316 points!

Doing the CTF live was an amazing experience, especially to win 1st place. The second go around was just as invigorating as I got to learn so much more than I did before, specifically around network sessions, as well as decompiling code.

I'm already looking forward to next year's summit and any future CTFs Dave, Matt, and Jessica put on.

Wednesday, April 10, 2019

CTF on a Budget - Magnet User Summit 2019 (Part 3) - Activity

Part 1 - Desktop

For part 3, we will look at the activity portion that focuses on Sharepoint, network sessions, and notification popups.


1. Sharepoint - How many files were downloaded from the megnetic4nsics Sharepoint?
Parsed from the Chrome Downloads we can see one document was downloaded from the Sharepoint site.
In the Edge downloads we can see one zip folder was downloaded from the Sharepoint.
So we can infer that 2 files total were downloaded.

2. Sharepoint 2 - Whats the name of the archive that was retrieved from the sharepoint?
The name found in the previous question would be “OneDrive_1_3-18-2019.zip”.

3. Notify - On March 18th 2019 at 18:58:21 Selma saw a Windows popup notification. What type of notification was it?
First we export the wpndatabase.db file from the following location:

We can then open the file with DB Browser for SQLite and run a simple query on the Notification table (thanks Yogesh!).

SELECT type,
       CASE ArrivalTime
           WHEN 0 THEN ''
           ELSE datetime((ArrivalTime / 10000000) - 11644473600, 'unixepoch')
       END AS ArrivalTime
FROM Notification
ORDER BY ArrivalTime DESC;

The results show that it was type “toast” for that date/time.

4. Sharepoint 4 - Which was retrieved from the sharepoint first?
From the previous questions we can see the date/times of when the files were downloaded.

README came first on 3/14/2019, followed by OneDrive_1_3-18-2019.zip on 3/18/2019.

5. Remote - At 6:35PM on the 18th of March, Selma logged into her account on the Desktop. What method of did she use to access the Desktop?
Filtering down to the day and the approximate time, we can see in the prefetch that TeamViewer was run right around the time period.

6. Host Name - What was the host name of the machine Selma used to remote into the Desktop at 6:35PM on the 18th of March?
Knowing that TeamViewer was used, we can find a connections log in the Program Files folder.

When opening the log, we see a list of connections, with hostnames and date/time stamps of connecting. The answer is “JHYDE-SP”.

7. Unique Access - How many unique machines accessed the Desktop via TeamViewer?
In that same "Connections_incoming.txt" log file, we can tell that there are 3 unique machines that connected. It appears that some sort of GUID is shown in column A.

8. Sharepoint 3 - What is the volume serial number of the volume the sharepoint archive was placed on (format: decimal number)?
Since we know the name of the file “OneDrive_1_3-18-2019.zip”, we can do a quick keyword search for it and look at LNK files to find the VSN.

The catch here is that it is displayed in hex so we can convert it to the preferred format of decimal (2935122090).

9. Notify 2 - Again, on the 18th of March at 18:08:57, another notification was given. What did this notification say?
Using the same file from Q2, we use the following query:

SELECT payload,
       CASE ArrivalTime
           WHEN 0 THEN ''
           ELSE datetime((ArrivalTime / 10000000) - 11644473600, 'unixepoch')
       END AS ArrivalTime
FROM Notification
ORDER BY ArrivalTime DESC;

The payload dumps out to be:

In the CDATA tag we see the message You are now syncing "OneDrive - Magnetic4nsics".
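The two Notification queries above (Notify and Notify 2) both rely on converting ArrivalTime from a Windows FILETIME (100 ns ticks since 1601-01-01) to Unix time, which SQLite then renders in UTC. The following is an added example, not part of the original post: it runs the same conversion against an in-memory table and pulls the toast text out of the payload XML. The table is cut down to three columns, and the rows, helper names and the second payload are constructed for illustration.

```python
import sqlite3
import xml.etree.ElementTree as ET
from calendar import timegm

EPOCH_DELTA = 11644473600   # seconds between 1601-01-01 and 1970-01-01
TICKS = 10_000_000          # FILETIME counts 100 ns intervals


def to_filetime(y, mo, d, h, mi, s):
    """Build a FILETIME value from a UTC timestamp (used only for sample rows)."""
    return (timegm((y, mo, d, h, mi, s)) + EPOCH_DELTA) * TICKS


# Constructed rows; a real Notification table has more columns than these three.
SAMPLE_ROWS = [
    ("toast", '<toast><visual><binding template="ToastGeneric"><text>'
              '<![CDATA[You are now syncing "OneDrive - Magnetic4nsics"]]>'
              '</text></binding></visual></toast>',
     to_filetime(2019, 3, 18, 18, 8, 57)),
    ("toast", "<toast><visual><binding><text>constructed</text></binding></visual></toast>",
     to_filetime(2019, 3, 18, 18, 58, 21)),
    ("tile", "<tile/>", 0),
]

QUERY = """
SELECT Type, Payload FROM Notification
WHERE ArrivalTime != 0
  AND datetime(ArrivalTime / 10000000 - 11644473600, 'unixepoch') = ?
"""


def build_db(rows=SAMPLE_ROWS):
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Notification (Type TEXT, Payload BLOB, ArrivalTime INTEGER)")
    con.executemany("INSERT INTO Notification VALUES (?, ?, ?)", rows)
    return con


def notifications_at(con, utc_stamp):
    """Return [(type, [text, ...])] for notifications that arrived at utc_stamp."""
    out = []
    for ntype, payload in con.execute(QUERY, (utc_stamp,)):
        if isinstance(payload, bytes):      # payload may come back as a BLOB
            payload = payload.decode("utf-8", "replace")
        texts = [t.text for t in ET.fromstring(payload).iter("text") if t.text]
        out.append((ntype, texts))
    return out
```

Against an exported copy of wpndatabase.db, replace `build_db()` with `sqlite3.connect()` on the copy and keep the query as is.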

10. Bytes Sent - How many bytes total were sent out on the network via the Team Viewer Service?
You need to first dump the SRUDB.DAT file found within System32:

Once exported we can use Nirsoft’s NetworkUsageView to open and filter on Team Viewer Service, and export the associated entries to CSV. Once we open that, we can calculate the sum of the Bytes Sent to be 95681804.

(A sample of the output in NetworkUsageView)

Tuesday, April 9, 2019

CTF on a Budget - Magnet User Summit 2019 (Part 2) - Mobile

Part 1 - Desktop

For part 2, we will take a look at the mobile image and the Google Takeout data to solve more questions.


1. Image Type - What type of mobile image do you have?

The file name of the zip export gives you a hint as to what type of image we are working with. It is a Quick Image.

2. IMSI - What is the IMSI for the SIM Card?

Under the Operating System > Android Device Information field we can see the IMSI should be 311480460682294.

3. Basic Info - What is the phone number for the device in the format 2125551212?

Another question that can be answered by looking at the Android Device Information, the phone number 3153165956.

4. Google Search - Which Google search was made on the phone on Dec 4, 2018?

For this we can look at the Cloud Google Activity and filter down to the date as well as the action as “Searched”. We see 3 results, but only one that matches any answers, so it is “iguana potty training”.

5. User Name - What is mobile device owner’s username on Kik?

A quick keyword search for “Kik” brings up some SMS messages that show a user name of "selmabspring".

6. Travel - What country was the mobile phone in on December 7th?

A quick timeline analysis for the date brings up a SMS message from TravelPass that shows the user was in Australia.

7. Pictures - What is the file name of the largest picture taken with the phone camera?

This is fairly simple, we can go Media > Pictures and then use the Make column to filter on “samsung”. We can then sort on size and get the picture name "20181209_144014.jpg".

8. Email Address - What is the home email address for the user that is texted on Feb 13, 2019?

Viewing the chat SMS messages, we only see one user was contacted on that day, Phoebe Washington. Under Identifiers, we can look at Phoebe’s contact information and see her home email address is phoeb5042002@icloud.com.

9. Invite - What email address sent the Mega invite?

A quick keyword search for “Mega” leads us to a Gmail message in the Inbox showing that “wdoobner@putinsangels.com” sent the invite.

10. Kik User Photo - Which imagery is part of the user’s kik avatar?

A quick search for Kik pulls up a few media files associated with the Kik folder on the phone:

This picture is a picture of a penguin swimming.

11. Domestic Travel - What state was the phone in on December 25th, 2018?

Timeline analysis reveals that a few searches were performed:

“Best tacos in orlando”
“Iguanas in orlando”

We also see a picture was taken of Bumblebee Man’s Taco truck.

A quick Google search reveals it to be in Orlando as well, so the presumption, and the correct answer, is Florida.

12. Theme Park - What theme park was the mobile device in on Dec 25, 2018?

After getting the last question correct, this question pops up. Since we knew the user visited Bumblebee Man’s Taco truck, we can infer that they were at Universal Studios.

13. App Download Methods - Which of the following apps was NOT downloaded from Google Play?

This one was a little tough, the only thing I could tell was that the install dates for Facebook, Skype and Kik all aligned together:

Whereas YouTube was installed around the Samsung and Google default apps, which made me think it was installed from a base image and not through the Google Play store (which I was correct).

14. Timezone - What time zone was the phone in on Dec 9th?

Using timeline analysis we see a bunch of pictures being taken on that day. An interesting clue that we see is the exif data for some.

We can see the created dates are a bit stomped but the Last Accessed compared to the Date/Time - Local Time is exactly 12 hours ahead. I looked to see what countries were in that zone and New Zealand fit the mold but that was on 12/4 so that couldn’t be the answer. I did see evidence of travel to Australia on 12/7. This was later confirmed by looking at the pictures taken on 12/9 more closely and seeing the Sydney Opera House in the background.

Going off that I assumed we were set in UTC+11, which ended up being the answer.

15. What is the last name of the user whose email is pangolinsrock@outlook.com?

A quick keyword search for the email address brings up the full name of the user, Bri Frazier.
16. Content Distributor - What account posted the video that the mobile device visited on 4 Dec 2018 at 06:23 am UTC?

Looking at the Cloud Google Activity for that day and time we see a YouTube video for “Iguana Taming” was watched with the URL.

We can see that the account that published the video is DesertedReptile98.

17. Analysis - What country was the mobile device owner in when reading a document that was "IN MEMORY OF MOE"?

I did a search for the phrase across the images with no results, which removed any documents locally out of the equation. I next took a look at browser history to see if anything popped up. There weren’t many actual articles so it didn’t take too long to stumble across http://www.iguanaresource.org/pottytraining.html (as absurd as that article is).

Doing a date/time filter +-2 days, I was able to figure out that the user was in New Zealand, from an SMS message.

18. BONUS: HOLY COW BATMAN! - Congratulations! While searching the mobile device you found a bitlocker password! Here it is:

<REDACTED> I wasn’t just going to give you the password, finish the mobile section and get it yourself! (Or bribe me on Twitter)