CTF on a Budget - Magnet User Summit 2019 (Part 4) - Secret Project

I was planning on having this out last week but vacation got in the way (no complaints though). For part 4, we will walk through the Secret Project.

When I originally got the disk image prior to the start of the live CTF, I quickly came across the "EvenMoreSecretStuff.vhd" file. I was even at the point of wanting to try to crack the password, as I couldn't find anything else, but gave up until playing. Little did I know that completing the Mobile section would eventually reveal the BitLocker password for the file, "protectedbyjubjub".

So once I had the password, I knew exactly what it was for and how to move forward during the competition. After unlocking and loading the VHD into FTK Imager, I could see that there were some files in the recycle bin in the "software" folder.


1. Which language was used to create the secret project's executable?
When I originally played, I made a quick stab at this one, assuming it was Python because of the icon for the "exe" file, which ended up being the answer.
2. Which Version - Which version of Python is used for the compiled binary? (format: N.N)
If confirmation was needed for Q1, we can load "at-5000.exe" into PPEE (puppy) and filter strings for python, showing that "python27.dll" was loaded by the executable, answering this one as well: v2.7.

3. Which Compiler Tool - Which tool was used to create the compiled executable?
Running some quick string searches in PPEE for each option, the only one that showed up was PyInstaller, which was indeed the answer.

4. Processor Architecture - What is the Processor Architecture of the compiled binary?
A quick run of the executable through exiftool and we can see the architecture was AMD64.

This was also confirmed through PPEE.

5. Redial - What number does the at-5000 redial?
As silly as it was at the time, I originally executed the file and let it run to see what it would do. It eventually stops calling and redials 555-8904.

6. Redialed Association - Who is associated with the number that gets redialed?
With some OSINT and Google we can look up the number 555-8904 and, lo and behold, someone has associated every Simpsons phone number with a character. We can find here that it belongs to Ned Flanders.

Now going back through the questions with some extra time to research, some quick Google searching turned up scripts to unpack and decompile the executable. We first unpack using Countercept's python-exe-unpacker. I next searched for a decompiler and came across this article from hasherezade. Using her instructions (as I've never really done much malware analysis) it's easy to add the magic number (8 bytes) to the front of the "at-5000" file that was part of the extraction.

We then add the file extension "pyc" and run it through EasyPythonDecompiler to get the code for the Python script. We see that it indeed runs until it gets to Ned's number.
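The header step above is worth automating, since a PyInstaller script stub is just a marshalled code object with the pyc header stripped. The following is an added example, not the author's code or part of either tool: it prepends the header for a chosen interpreter version (8 bytes for 2.7, as in this write-up; 12 bytes for 3.3 to 3.6 and 16 bytes for 3.7+), refuses input that does not begin with a code object, and reads the version back out of a restored file. The magic values are CPython's documented ones; the sample stub is constructed.

```python
import struct

# Marshal type byte that opens a code object: 'c', or 'c' | 0x80 (FLAG_REF) on 3.4+
CODE_OBJECT_TYPES = {0x63, 0xE3}

# pyc magic bytes by CPython version (2.7 is the one the at-5000 stub needed)
PYC_MAGIC = {
    (2, 7): b"\x03\xf3\x0d\x0a",
    (3, 6): b"\x33\x0d\x0d\x0a",
    (3, 7): b"\x42\x0d\x0d\x0a",
    (3, 8): b"\x55\x0d\x0d\x0a",
}

# Constructed sample: a header-less stub starting with the code-object type byte
SAMPLE_STUB = b"c" + b"\x00" * 15


def pyc_header(version, timestamp=0, source_size=0):
    """Header that precedes the marshalled code object for this version."""
    magic = PYC_MAGIC[version]
    if version < (3, 3):                       # 2.x: magic + mtime (8 bytes)
        return magic + struct.pack("<I", timestamp)
    if version < (3, 7):                       # 3.3-3.6: + source size (12 bytes)
        return magic + struct.pack("<II", timestamp, source_size)
    # 3.7+: magic + flags (0 = timestamp-based) + mtime + source size (16 bytes)
    return magic + struct.pack("<III", 0, timestamp, source_size)


def detect_version(data):
    """Return the CPython version whose magic starts data, or None if unknown."""
    for version, magic in PYC_MAGIC.items():
        if data[:4] == magic:
            return version
    return None


def restore_pyc(stub, version, timestamp=0):
    """Prepend the pyc header to a header-less stub; leave a real pyc untouched."""
    if detect_version(stub) is not None:
        return stub
    if not stub or stub[0] not in CODE_OBJECT_TYPES:
        raise ValueError("data does not start with a marshalled code object")
    return pyc_header(version, timestamp) + stub


if __name__ == "__main__":
    fixed = restore_pyc(SAMPLE_STUB, (2, 7))
    print(len(fixed) - len(SAMPLE_STUB), "header bytes added;",
          "version", detect_version(fixed))
```

Write the returned bytes to a file named with a .pyc extension and hand it to the decompiler, as the write-up does by hand.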

We can use this code to pull out the information we want for the rest of the questions.

7. Call Time - How much time (in seconds) does the AT-5000 wait between dialing numbers?

Originally, I completely guessed this one and got it right, because I knew from executing it that the numbers incremented more quickly than one per second. Now, viewing the source code, we see it was 0.01 seconds.

8. Imports - What two libraries does at-5000 import?
Easy: look at the top of the source code and see time and random.

9. Max Calling - What is the max number of calls the AT-5000 can make?
Another easy one now that we have the code: you can see it increments in a range up to 10000000.

And with that final question, it completes the Magnet User Summit 2019 CTF with 316 points!

Doing the CTF live was an amazing experience, especially winning 1st place. The second go around was just as invigorating, as I got to learn so much more than I did before, specifically around network sessions, as well as decompiling code.

I'm already looking forward to next year's summit and any future CTFs Dave, Matt, and Jessica put on.