Hackvent 2024: Day 5

[HV24.05] Last Password

Introduction
Last Password, I gave you away and the very next day, all my accounts were astray. This year to save me from tears, I'll give it to no one.

Please use the download mirrors first to not put too much stress on the HL infrastructure.
Download mirror: https://1drv.ms/u/c/0ee8a2263bd035f8/EQlBzcb6TMVKq42ODwd482wBSFPlUQ9QRAUWF97AmItunA?e=F7aMWc
Download mirror: https://gofile.io/d/utChqZ

Analyze the file and get the flag.
Flag format: HV24{}
sha256sum of last-password.zip: 84d0d36db1c5f4dfc63286d9f28ee9d852fdbbe8d99890d993b413372bcb6150
sha256sum of dump.raw: eedb621a62393714dfc04b6cdf8654c8b4cb3d20dc0b9ff144ff922beeb3268e

This challenge was written by xtea418. Sipping tea while seeing others solve your challenge is a great feeling.

Solution

In this challenge, we are given a large ZIP file which, when uncompressed, reveals a huge 2GB dump.raw file.

After some time, it becomes clear this file is a memory dump, as it contains a lot of random data and many valid file magic numbers within it. It also contains references to DumpIt.exe, which is commonly used to create dumps on Windows.

We can use a memory dump analyser tool like Volatility v3 to explore the dump. Based on the challenge category, we know this is a Windows-based dump.

We run the windows.info plugin:

$ py -3 vol.py -f .\dump.raw windows.info

Variable        Value

Kernel Base     0xf80479c14000
DTB     0x1aa000
Symbols file:///C:/Git/volatility3/volatility3/symbols/windows/ntkrnlmp.pdb/BFF14F607A9930D2FDA0481A29685111-1.json.xz
Is64Bit True
IsPAE   False
layer_name      0 WindowsIntel32e
memory_layer    1 FileLayer
KdVersionBlock  0xf8047a823418
Major/Minor     15.19041
MachineType     34404
KeNumberProcessors      23
SystemTime      2024-11-24 15:04:30+00:00
NtSystemRoot    C:\Windows
NtProductType   NtProductWinNt
NtMajorVersion  10
NtMinorVersion  0
PE MajorOperatingSystemVersion  10
PE MinorOperatingSystemVersion  0
PE Machine      34404
PE TimeDateStamp        Mon Jun 10 14:11:02 2069

This validates that we have a valid Windows dump.

Next, we want to use various plugins to look around. This Memory Dumps (Volatility) page provides useful suggestions for CTFs.

We run the windows.cmdline.CmdLine plugin to see what processes were called with what arguments:

$ py -3 vol.py -f .\dump.raw windows.cmdline.CmdLine

...
7956	chrome.exe	"C:\Program Files\Google\Chrome\Application\chrome.exe"  https://www.youtube.com/watch?v=dQw4w9WgXcQ
8048	firefox.exe	"C:\Program Files (x86)\Mozilla Firefox\firefox.exe" https://www.youtube.com/watch?v=dQw4w9WgXcQ
...
8064	soffice.exe	"C:\Program Files\LibreOffice\program\soffice.exe" -o "C:\Users\xtea418\Documents\nice-naugthy-list.ods"
8124	soffice.bin	"C:\Program Files\LibreOffice\program\soffice.exe" "-o" "C:\Users\xtea418\Documents\nice-naugthy-list.ods" 
...
7900	notepad.exe	"C:\Windows\system32\notepad.exe" 
...
2680	WinRAR.exe	"C:\Program Files\WinRAR\WinRAR.exe" x -iext -ver -imon1 -- "C:\Users\xtea418\Documents\Personal\secret.7z" C:\Users\xtea418\Documents\Personal\
11076	DumpIt.exe	"C:\Users\xtea418\Downloads\DumpIt.exe" 
...

We find some interesting leads. Both browsers are playing the Rickroll video, a standard feature of Hackvent CTF challenges.

soffice.exe has nice-naugthy-list.ods open. We recover this spreadsheet's content.xml (the body of an ODS document) with a binwalk scan of the dump.

The list of names is here:

Nice List:
	alice johnson
	bob winchester
	peter john
	barbara meier
	john doe

Naughty List:
	elon tusk
	dill gates
	marc sugerberg

However, this does not seem to be relevant.

The notepad.exe could be interesting if it contains any useful information such as the flag in an open editor. However, it does not contain the flag for this challenge.


Lastly, we notice that WinRAR.exe is extracting a secret.7z file! We want to see if we can recover it. The quickest way is to dump every file object belonging to the WinRAR.exe process, whose PID is 2680.

We run the windows.dumpfiles.DumpFiles plugin:

$ py -3 vol.py -f .\dump.raw windows.dumpfiles.DumpFiles --pid 2680

This dumps several files to our current directory, including:

file.0xc0833cb65e00.0xc0833c619ed0.DataSectionObject.secret.7z.dat
file.0xc0833cb65e00.0xc08338120a20.SharedCacheMap.secret.7z.vacb

Both files are nearly identical: the .vacb is simply the same data followed by NUL bytes that pad it to 256 KB. We use the .dat version and rename it to secret.7z.

Running file on both dumps confirms that each is a valid 7-Zip archive:

$ file *secret*
file.0xc0833cb65e00.0xc08338120a20.SharedCacheMap.secret.7z.vacb:   7-zip archive data, version 0.4
file.0xc0833cb65e00.0xc0833c619ed0.DataSectionObject.secret.7z.dat: 7-zip archive data, version 0.4
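The padding observation can be checked structurally rather than by eye: the 32-byte 7z signature header records where the archive's final header starts and how long it is, so the true end of the .vacb copy can be computed and both header CRCs verified before the file is trusted as evidence. This is an added example, not code from the writeup; the archive bytes standing in for the two Volatility dumps are constructed inline.

```python
import struct
import zlib

SEVENZ_MAGIC = b"7z\xbc\xaf\x27\x1c"
SIGNATURE_HEADER_LEN = 32  # magic(6) version(2) StartHeaderCRC(4) NextHeaderOffset(8) NextHeaderSize(8) NextHeaderCRC(4)

def parse_signature_header(data: bytes) -> dict:
    """Parse the 7z signature header and verify its CRC; raises on a non-7z or damaged prefix."""
    if len(data) < SIGNATURE_HEADER_LEN or data[:6] != SEVENZ_MAGIC:
        raise ValueError("not a 7z archive")
    start_crc, next_off, next_size, next_crc = struct.unpack("<IQQI", data[8:32])
    if zlib.crc32(data[12:32]) != start_crc:  # StartHeaderCRC covers the 20 bytes after it
        raise ValueError("start header CRC mismatch")
    return {"version": f"{data[6]}.{data[7]}", "next_header_offset": next_off,
            "next_header_size": next_size, "next_header_crc": next_crc}

def trim_cache_padding(data: bytes) -> bytes:
    """Cut a SharedCacheMap (.vacb) dump back to exactly the archive its header describes."""
    h = parse_signature_header(data)
    start = SIGNATURE_HEADER_LEN + h["next_header_offset"]  # offset is relative to byte 32
    end = start + h["next_header_size"]                      # the next header is the last thing in a 7z
    if end > len(data):
        raise ValueError(f"archive truncated: need {end} bytes, have {len(data)}")
    if zlib.crc32(data[start:end]) != h["next_header_crc"]:
        raise ValueError("next header CRC mismatch: dump is damaged")
    return data[:end]

def same_archive(dat: bytes, vacb: bytes) -> bool:
    """True when the .dat dump and the padded .vacb dump hold the same archive bytes."""
    return trim_cache_padding(dat) == trim_cache_padding(vacb)

def build_sample_archive(packed: bytes, next_header: bytes) -> bytes:
    """Constructed stand-in for secret.7z: a valid signature header over dummy payloads."""
    tail = struct.pack("<QQI", len(packed), len(next_header), zlib.crc32(next_header))
    return (SEVENZ_MAGIC + bytes([0, 4]) + struct.pack("<I", zlib.crc32(tail))
            + tail + packed + next_header)

# Constructed inputs standing in for the DataSectionObject (.dat) and SharedCacheMap (.vacb) dumps
SAMPLE_DAT = build_sample_archive(b"dummy packed stream", b"dummy next header")
SAMPLE_VACB = SAMPLE_DAT + b"\x00" * (256 * 1024 - len(SAMPLE_DAT))

if __name__ == "__main__":
    print(parse_signature_header(SAMPLE_DAT))
    print("dumps agree:", same_archive(SAMPLE_DAT, SAMPLE_VACB))
```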

At this point, we want to brute-force the password. We will use hashcat to do this.

Our initial brute-force attempts do not work, until we receive the hint that we need to use a public wordlist such as rockyou.txt that is famously used in CTF challenges.

First we create a hash using 7z2hashcat64-2.0.exe:

$ 7z2hashcat64-2.0 secret.7z
ATTENTION: the hashes might contain sensitive encrypted data. Be careful when sharing or posting these hashes

$7z$1$19$0$$16$bbdbbf3fa3bf8efcdc05153543d31569$433149696$144$140$b0786fd9d9562032270c06f5ce5a2b0f22c76b4bd6ed13b94da50d7c4756fa4c2cdb5c08b4d8a5ec26a7872bc076c2b2ad88c31a5e153dd99658ba5825c22fba90ef6f2b30cfbdb8fb538980c15493a094c82576a8259822b232c0c787f9481ea556ae50c51af6ea3016891025b44bc2c4c262a1d4a29afcddd080f65d747b47f78a4b41aa35263a908d551789595f36$166$5d00100000

Then we run hashcat in mode 11600 (7-Zip archives) with the rockyou.txt wordlist:

$ hashcat -m 11600 -a 0 -o out.txt hash.txt rockyou.txt

Thanks to good old GPU acceleration, the hash is cracked in seconds and we are told the password is santa1.

We extract secret.7z to find this memerific image of Bernie Sanders:

[Image: Hackvent 2024 - Day 5 - Image.jpg (Bernie Sanders); the raw file is linked on the original page]

We load this image into a hex editor and find a <?xpacket snippet, which indicates embedded XMP metadata. We use exiftool to extract the XMP packet to a file, making sure to specify the -b (binary) flag so the data is written verbatim:

$ exiftool -xmp -b image.jpg > out.xmp

This reveals the following XMP data which contains our daily flag:

<?xpacket begin='' id='W5M0MpCehiHzreSzNTczkc9d'?>
<x:xmpmeta xmlns:x='adobe:ns:meta/' x:xmptk='Image::ExifTool 13.03'>
<rdf:RDF xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#'>

 <rdf:Description rdf:about=''
  xmlns:dc='http://purl.org/dc/elements/1.1/'>
  <dc:description>
   <rdf:Alt>
    <rdf:li xml:lang='x-default'>HV24{t0t4lly_s3cur3_p4ssw0rd_l1k3_4ctu4lly_s0_v3ry_much_s3cur3}</rdf:li>
   </rdf:Alt>
  </dc:description>
 </rdf:Description>
</rdf:RDF>
</x:xmpmeta>
<?xpacket end='w'?>
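The hex editor and exiftool located the packet above; the same extraction can be done by walking the JPEG's marker segments and reading the APP1 segment tagged with the XMP namespace, which is also how one would sweep a batch of images for unexpected embedded metadata. This is an added example, not code from the writeup; the JPEG and the XMP packet (same rdf:Description/dc:description layout as the one found in the challenge) are constructed inline.

```python
import struct
import xml.etree.ElementTree as ET

XMP_APP1_ID = b"http://ns.adobe.com/xap/1.0/\x00"  # identifies an XMP-carrying APP1 segment
RDF = "{http://www.w3.org/1999/02/22-rdf-syntax-ns#}"
DC = "{http://purl.org/dc/elements/1.1/}"
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"

def iter_jpeg_segments(data: bytes):
    """Yield (marker, payload) for each marker segment that precedes the scan data."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):  # EOI or SOS: no more metadata segments follow
            return
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])  # length counts its own 2 bytes
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length

def extract_xmp_packets(data: bytes) -> list:
    """Return the XMP packet carried by every APP1 segment that starts with the XMP namespace."""
    return [payload[len(XMP_APP1_ID):] for marker, payload in iter_jpeg_segments(data)
            if marker == 0xE1 and payload.startswith(XMP_APP1_ID)]

def dc_descriptions(xmp: bytes) -> dict:
    """Map xml:lang -> text for each dc:description alternative (where the challenge hid its flag)."""
    root = ET.fromstring(xmp)  # the <?xpacket ...?> processing instructions are tolerated by the parser
    return {li.get(XML_LANG, "x-default"): (li.text or "")
            for desc in root.iter(DC + "description") for li in desc.iter(RDF + "li")}

def descriptions_in_jpeg(data: bytes) -> list:
    """Full pipeline: one dc:description map per XMP packet found in the JPEG."""
    return [dc_descriptions(packet) for packet in extract_xmp_packets(data)]

def build_sample_jpeg(xmp: bytes) -> bytes:
    """Constructed minimal JPEG: SOI, one APP1/XMP segment, EOI (no picture data at all)."""
    payload = XMP_APP1_ID + xmp
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload + b"\xff\xd9"

SAMPLE_XMP = (  # constructed packet, same layout as the one recovered in the writeup
    b"<?xpacket begin='' id='W5M0MpCehiHzreSzNTczkc9d'?>"
    b"<x:xmpmeta xmlns:x='adobe:ns:meta/'>"
    b"<rdf:RDF xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#'>"
    b"<rdf:Description rdf:about='' xmlns:dc='http://purl.org/dc/elements/1.1/'>"
    b"<dc:description><rdf:Alt><rdf:li xml:lang='x-default'>constructed sample text</rdf:li>"
    b"</rdf:Alt></dc:description></rdf:Description></rdf:RDF></x:xmpmeta><?xpacket end='w'?>"
)
```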


Flag:

HV24{t0t4lly_s3cur3_p4ssw0rd_l1k3_4ctu4lly_s0_v3ry_much_s3cur3}

Bonus Hidden

This challenge also contained the solution to: [HV24.HM] Mrs. Claus's Secret

