TET & 4N6 - Misc/Forensics

Task

Tet is coming, TetCTF is coming again. Like every year, I continued to register to play CTF, read the rules to prepare for the competition. After reading the rules, my computer seemed unusual, it seemed like it was infected with malicious code somewhere. Can you find out?

  1. Find the malicious code and tell me the IP and Port C2

  2. What was the first flag you found?

  3. After registering an account, I no longer remember anything about my account. Can you help me find and get the second flag?

Format : TetCTF{IP:Port_Flag1_Flag2}

Ex: TetCTF{1.1.1.1:1234_Hello_HappyForensics}

Solution

The Challenge.zip file is attached to the task:

szczygielka@hacks$ file Challenge.zip 
Challenge.zip: Zip archive data, at least v2.0 to extract, compression method=deflate

Let's unpack the received zip archive:

szczygielka@hacks$ unzip Challenge.zip 
Archive:  Challenge.zip
  inflating: Challenge/Backup.ad1    
 extracting: Challenge/TETCTF-2024-20240126-203010.zip 

The archive contained two files: Backup.ad1 and TETCTF-2024-20240126-203010.zip. Let's extract the contents of the second zip file:

szczygielka@hacks$ unzip TETCTF-2024-20240126-203010.zip 
Archive:  TETCTF-2024-20240126-203010.zip
  inflating: TETCTF-2024-20240126-203010.raw 

After unpacking, we get a raw data file, TETCTF-2024-20240126-203010.raw. Let's start the analysis with the Backup.ad1 file.

The AD1 file format is a file-level disk image format, which can be thought of as a "forensic image container". The AccessData Custom Content Image (AD1) format was created by AccessData's proprietary forensic software, such as FTK Imager, so the contents of this file can be analyzed with the FTK Imager tool, which is available from AccessData. A short tutorial on analyzing AD1 files with FTK Imager is also available online. The second file, TETCTF-2024-20240126-203010.raw, is a memory image that can be analyzed using Volatility 3. Let's rename the raw file to something shorter:

szczygielka@hacks$ mv TETCTF-2024-20240126-203010.raw dump.raw

First flag

We will use Volatility 3 and malfind functionality to check the list of process memory ranges that potentially contain injected code:

szczygielka@hacks$ python3 vol.py -f dump.raw windows.malfind 

The output of the malfind command returned 4 results for the process with PID 1992, i.e. WINWORD.EXE:

WINWORD.EXE is the MS Word process. Let's check network connections, filtering them by process PID:

szczygielka@hacks$ python3 vol.py -f dump.raw windows.netscan | grep "1992"
0x3c074d10      TCPv4   192.168.88.140  49889   184.26.91.163   443     CLOSED  1992    WINWORD.EXE     N/A
0x60bd9c80      TCPv4   192.168.88.149  49994   172.20.25.15    4444    ESTABLISHED     1992    WINWORD.EXE     N/A
0x81603450      TCPv4   192.168.88.140  49876   52.111.227.11   443     CLOSED  1992    WINWORD.EXE     -
0x128ae17e0     TCPv4   192.168.88.140  49939   172.20.25.15    4444    CLOSED  1992    WINWORD.EXE     N/A
0x128b1d530     TCPv4   192.168.88.140  49909   184.26.91.163   443     CLOSED  1992    WINWORD.EXE     -
0x13c2f5980     TCPv4   192.168.88.140  49910   184.26.91.163   443     CLOSED  1992    WINWORD.EXE     -

One of the connections, to 172.20.25.15 on port 4444, is in the ESTABLISHED state. If the WINWORD.EXE process is malicious, a macro is most likely responsible.

The command-line arguments of the process with PID 1992 associate it with the TetCTF2024-Rules.docx file:

szczygielka@hacks$ python3 vol.py -f dump.raw windows.cmdline | grep "1992"
1992    WINWORD.EXE     "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Stirring\Downloads\TetCTF2024-Rules.docx

Let's find the physical address of this file's file object:

szczygielka@hacks$ python3 vol.py -f dump.raw windows.filescan | grep "TetCTF2024-Rules.docx"
0x3c05af20      \Users\Stirring\Downloads\TetCTF2024-Rules.docx 216
0x10bedee10     \Users\Stirring\Downloads\TetCTF2024-Rules.docx 216

And then we will extract it:

szczygielka@hacks$ python3 vol.py -f dump.raw windows.dumpfiles --physaddr 0x3c05af20        
Volatility 3 Framework 2.5.2
Progress:  100.00               PDB scanning finished                        
Cache   FileObject      FileName        Result

DataSectionObject       0x3c05af20      TetCTF2024-Rules.docx   file.0x3c05af20.0xe000f15ab010.DataSectionObject.TetCTF2024-Rules.docx.dat
SharedCacheMap  0x3c05af20      TetCTF2024-Rules.docx   file.0x3c05af20.0xe000f06ecdf0.SharedCacheMap.TetCTF2024-Rules.docx.vacb

The task description suggests that something malicious happens after reading the rules. The TetCTF2024-Rules.docx file does contain the CTF rules:

A discussion on the Microsoft website indicates that macros can run in any Word document, but they can't be stored in the .docx file format. We probably won't find anything interesting in this file, so we should keep looking. From an article about macros, we know that:

Only specific files with enabled-macro can be used to contain VBA macros. The goal is to make it easier to detect files that have macros and to reduce the risk of attacks that use macros. Files with enabled macros use the letter m at the end of the extension such as .dotm, .docm, .xlsm, and .pptm.

Files with the extensions .dotm and .docm are Microsoft Word files. Let's check if there are any files in the system that have the macro enabled:

szczygielka@hacks$ python3 vol.py -f dump.raw windows.filescan | grep ".dotm\|.docm"
0x680b42e0      \Users\Stirring\AppData\Roaming\Microsoft\Templates\Normal.dotm 216

The grep output shows only one .dotm file: Normal.dotm. According to the Microsoft documentation:

The Normal.dotm template opens whenever you start Microsoft Word, and it includes default styles and customizations that determine the basic look of a document.

So it's a standard Microsoft Word file. Let's see if anyone has tried to "improve" it. I wasn't able to dump it using Volatility:

szczygielka@hacks$ python3 vol.py -f dump.raw windows.dumpfiles --physaddr 0x680b42e0
Volatility 3 Framework 2.5.2
Progress:  100.00               PDB scanning finished                        
Cache   FileObject      FileName        Result

But we can extract it using FTK Imager:

A .dotm file, like a .docx, is a collection of XML files inside a ZIP archive, so its contents can be viewed by unzipping it. Let's copy the extracted Normal.dotm file to the Linux virtual machine and unpack it with unzip:

szczygielka@hacks$ unzip Normal.dotm          
Archive:  Normal.dotm
  inflating: [Content_Types].xml     
  inflating: _rels/.rels             
  inflating: word/document.xml       
  inflating: word/_rels/document.xml.rels  
  inflating: word/vbaProject.bin     
  inflating: word/theme/theme1.xml   
  inflating: word/_rels/vbaProject.bin.rels  
  inflating: word/vbaData.xml        
  inflating: word/settings.xml       
  inflating: word/glossary/document.xml  
  inflating: word/glossary/settings.xml  
  inflating: word/glossary/_rels/document.xml.rels  
  inflating: word/styles.xml         
  inflating: word/webSettings.xml    
  inflating: word/fontTable.xml      
  inflating: word/glossary/styles.xml  
  inflating: word/glossary/webSettings.xml  
  inflating: word/glossary/fontTable.xml  
  inflating: docProps/core.xml       
  inflating: docProps/app.xml

We can see that the archive contains word/vbaProject.bin, the binary part that holds the VBA macros. First, let's run strings over it to check whether it contains anything interesting:

szczygielka@hacks$ strings -a -n 6 vbaProject.bin                         
Attribut
e VB_Nam
e = "Thi
sDocumen
0{00020P906-
$0046}
|Global
dCreat
ateDeriv
Bustomi
WSAStartup
connect
WSACleanup
getaddrinfo
closesocket
RtlMoveMemory
WSAGetLastError
CreateProcessA
RtlZeroMemory
WSASocketA
172.20.25.15
172.20.25.15
WSAStartup failed with error 
Cannot resolve address 
 and port 
, error 
Vmxjd2VFNUhSa2RqUkZwVFZrWndTMVZ0ZUhkU1JsWlhWRmhvVldGNlZrbFdSM2hQVkd4R1ZVMUVhejA9
<SNIP>

We can see that this file contains a string in Base64. Let's use CyberChef to decode it:

We captured Flag 1:

VBA-M4cR0
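The decoding step, as an added Python example rather than the CyberChef recipe used in the writeup: the blob recovered from vbaProject.bin is base64 wrapped several times, so the function keeps decoding while each result is still valid, printable base64 text and stops at the first result that is not.

```python
import base64
import binascii

# The Base64 string recovered from the strings output of vbaProject.bin above
MACRO_BLOB = ("Vmxjd2VFNUhSa2RqUkZwVFZrWndTMVZ0ZUhkU1JsWlhWRmhvVldGNlZrbFdSM2hQ"
              "Vkd4R1ZVMUVhejA9")


def peel_base64(blob, max_depth=32):
    """Repeatedly base64-decode `blob` while each result is valid base64 text.

    Returns (layers, final): `layers` lists every encoded string that was peeled,
    `final` is the first result that is not itself valid base64 (a str if it is
    printable text, raw bytes if the innermost payload turned out to be binary).
    """
    layers = []
    current = blob.strip()
    for _ in range(max_depth):
        try:
            decoded = base64.b64decode(current, validate=True)
        except (binascii.Error, ValueError):
            break  # not base64 any more: `current` is the plaintext
        if not decoded:
            break  # empty input would loop forever
        try:
            text = decoded.decode("ascii")
        except UnicodeDecodeError:
            return layers + [current], decoded  # binary payload, stop here
        if not text.isprintable():
            return layers + [current], decoded
        layers.append(current)
        current = text
    return layers, current


if __name__ == "__main__":
    peeled, plaintext = peel_base64(MACRO_BLOB)
    print(f"{len(peeled)} base64 layers -> {plaintext!r}")
```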

IP and port

The strings output for vbaProject.bin also contains the IP address 172.20.25.15 together with port 4444:

The same address and port appeared in the network connections of the WINWORD.EXE process, so we can assume this is the C2 IP and port:

172.20.25.15:4444
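The cross-check just done by eye, as an added Python example that is not part of the original writeup: it parses the windows.netscan rows quoted above (embedded here as constructed sample input), pulls IPv4 literals out of the strings recovered from vbaProject.bin, and reports which of the process's remote endpoints match, flagging the ones that were still ESTABLISHED at capture time. The column order of Volatility 3's netscan output (Offset, Proto, LocalAddr, LocalPort, ForeignAddr, ForeignPort, State, PID, Owner, Created) is assumed.

```python
import re
from collections import namedtuple

Conn = namedtuple("Conn", "offset proto laddr lport raddr rport state pid owner created")

# Constructed sample: the windows.netscan rows for PID 1992 quoted above, cleaned up
NETSCAN_OUTPUT = """\
0x3c074d10  TCPv4  192.168.88.140  49889  184.26.91.163  443   CLOSED       1992  WINWORD.EXE  N/A
0x60bd9c80  TCPv4  192.168.88.149  49994  172.20.25.15   4444  ESTABLISHED  1992  WINWORD.EXE  N/A
0x81603450  TCPv4  192.168.88.140  49876  52.111.227.11  443   CLOSED       1992  WINWORD.EXE  -
0x128ae17e0 TCPv4  192.168.88.140  49939  172.20.25.15   4444  CLOSED       1992  WINWORD.EXE  N/A
0x128b1d530 TCPv4  192.168.88.140  49909  184.26.91.163  443   CLOSED       1992  WINWORD.EXE  -
0x13c2f5980 TCPv4  192.168.88.140  49910  184.26.91.163  443   CLOSED       1992  WINWORD.EXE  -
"""

# Constructed sample: a few of the strings pulled from vbaProject.bin above
MACRO_STRINGS = ["WSAStartup", "connect", "WSASocketA", "CreateProcessA",
                 "172.20.25.15", "Cannot resolve address ", " and port "]

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_netscan(text):
    """Parse whitespace-separated netscan rows; header and progress lines are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 9 or not parts[0].startswith("0x"):
            continue
        created = parts[9] if len(parts) > 9 else "-"
        conns.append(Conn(parts[0], parts[1], parts[2], int(parts[3]), parts[4],
                          int(parts[5]), parts[6], int(parts[7]), parts[8], created))
    return conns


def ipv4_iocs(strings):
    """Every IPv4 literal embedded in the recovered strings."""
    return {m for s in strings for m in IPV4.findall(s)}


def matching_endpoints(conns, iocs, pid=None):
    """Remote endpoints (optionally of one PID) whose address also appears in the macro."""
    hits = [c for c in conns if c.raddr in iocs and (pid is None or c.pid == pid)]
    return sorted({(c.raddr, c.rport, c.state) for c in hits})


def c2_candidates(conns, iocs, pid=None):
    """Only the matches that were live at capture time: the strongest C2 candidates."""
    return [(ip, port) for ip, port, state in matching_endpoints(conns, iocs, pid)
            if state == "ESTABLISHED"]
```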

Second flag

Now we have to find the login data. We know from the Backup.ad1 file that the user had at least two web browsers: Internet Explorer and Google Chrome. Let's start by analyzing the data of the second one.

Let's look for the Google Chrome profile directory, which should contain browser settings, bookmarks, extensions, etc. On Windows, the Google Chrome user profile folder is found in the following location:

C:\Users\<username>\AppData\Local\Google\Chrome\User Data\Default

Chrome logins are stored in the logins table of the Login Data SQLite database. Search results, visited pages and downloaded files are recorded in another SQLite database in the same directory, called History:

Since I was looking for a malicious macro, I wanted to check the history of downloaded files and visited websites to understand what happened. I extracted the History file:

Next, I transferred this database to a Linux virtual machine and opened it with DB Browser for SQLite. After analyzing the downloads table I found the second flag:

We captured Flag 2:

R3c0v3rry_34sy_R1ght?
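The same downloads-table query done with Python's sqlite3 instead of DB Browser, as an added example that is not part of the writeup. Chrome's History file keeps timestamps as microseconds since 1601-01-01 (the WebKit epoch), so a plain Unix conversion gives nonsense dates; the helper below converts them. The database is a constructed stand-in that reuses Chrome's column names for a subset of the downloads and downloads_url_chains tables; the URLs and times in it are made up.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome stores times as microseconds since 1601-01-01 UTC, not since the Unix epoch
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_datetime(us):
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def datetime_to_webkit(dt):
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)  # exact integer arithmetic


# Constructed subset of the History schema: Chrome's column names, most columns omitted
SCHEMA = """
CREATE TABLE downloads (id INTEGER PRIMARY KEY, current_path TEXT, target_path TEXT,
    start_time INTEGER, end_time INTEGER, received_bytes INTEGER, total_bytes INTEGER,
    state INTEGER, referrer TEXT, tab_url TEXT, mime_type TEXT);
CREATE TABLE downloads_url_chains (id INTEGER, chain_index INTEGER, url TEXT,
    PRIMARY KEY (id, chain_index));
"""
DOWNLOAD_STATE = {0: "in_progress", 1: "complete", 2: "cancelled"}  # other codes left numeric


def build_sample_history():
    """Constructed stand-in for a History file with one download resembling the case above."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    path = r"C:\Users\Stirring\Downloads\TetCTF2024-Rules.docx"
    t0 = datetime_to_webkit(datetime(2024, 1, 26, 20, 0, tzinfo=timezone.utc))
    db.execute("INSERT INTO downloads VALUES (1, ?, ?, ?, ?, 216, 216, 1, ?, ?, ?)",
               (path, path, t0, t0 + 3_000_000, "https://example.invalid/register",
                "https://example.invalid/rules",
                "application/vnd.openxmlformats-officedocument.wordprocessingml.document"))
    db.execute("INSERT INTO downloads_url_chains VALUES (1, 0, ?)",
               ("https://example.invalid/files/TetCTF2024-Rules.docx",))
    return db


def list_downloads(db):
    """Every download with its redirect chain and a human-readable start time."""
    rows = db.execute("""
        SELECT d.id, d.target_path, d.start_time, d.state, d.referrer, d.tab_url,
               (SELECT GROUP_CONCAT(url, ' -> ') FROM (SELECT url FROM downloads_url_chains c
                       WHERE c.id = d.id ORDER BY chain_index))
        FROM downloads d ORDER BY d.start_time""").fetchall()
    return [{"path": r[1], "started": webkit_to_datetime(r[2]).isoformat(),
             "state": DOWNLOAD_STATE.get(r[3], str(r[3])), "referrer": r[4],
             "tab_url": r[5], "url_chain": r[6]} for r in rows]
```

On a real image, open the copied History file with `sqlite3.connect("History")` instead of building the sample; the same query applies.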

This way of capturing the second flag wasn't the intended one. The task author intended it to be solved as follows:

Mimikatz is an open-source tool for collecting and using credentials on Windows systems. However, this tool is not malware, although it is commonly detected as malware.

Whole flag

The whole flag is as follows:

TetCTF{172.20.25.15:4444_VBA-M4cR0_R3c0v3rry_34sy_R1ght?}
