Cyber Forensic — Famous CTF Challenges

Sachin Ramesh
13 min read · Dec 21, 2020

For those working in cybersecurity, CTFs are very attractive and fascinating events. In this paper I cover six separate and independent digital forensic challenges together with their latest writeups. The first section introduces the problems and looks at them from different perspectives. The later sections reproduce the solutions to the six chosen challenges and, after discussing the existing write-ups, analyze the learning outcomes of each task.

A number of CTF competitions are hosted every year. In this story I examine six forensic problems from CTF events, together with their current writeups. I have chosen the following forensic challenges.

  • Forensic Challenge 1: Io — CySCA 2017
  • Forensic Challenge 2: Europa — CySCA 2017
  • Forensic Challenge 3: Ganymede — CySCA 2017
  • Forensic Challenge 4: Callisto — CySCA 2017
  • Forensic Challenge 5: Enceladus — CySCA 2017
  • Forensic Challenge 9: Dione — CySCA 2017

The CySCA 2017 Forensic Challenges consisted of ten forensic challenges, supplied with a memory dump and a network (pcap) dump file. Each challenge asks for a specific flag that has to be found using those two files. Forensic challenge 1: Io asks for the link that was used to compromise the victim’s machine. The player should first identify which file to examine for that kind of attack. The Windows memory dump file is like a snapshot of the computer’s RAM (Random Access Memory); it contains the details about the running programs, so it is not valuable for this challenge. The player therefore has to examine the pcap file, which contains the network traffic. Completing this challenge requires network forensic experience.

The second forensic challenge I have selected is also from CySCA 2017. Again, this problem requires network forensic knowledge. The user has to select which of the two given files to investigate, that is, decide which file contains the payload. It is also possible to solve this problem independently: the user has to determine the origin of the attack and then decide which file should be checked. The payload can easily be extracted from the network dump file with the help of tools like Wireshark. Then the SHA1 of the payload just needs to be computed and compared. The player needs an understanding of hash functions for that.

In the third forensic challenge of CySCA 2017, we are asked to find the process ID of the process infected by the attack. As before, two files were provided. The player has to examine the memory dump file to find a process ID; there is no need to analyze the pcap file for this challenge. This challenge seems related to the previous one, but it can be solved independently by looking for unusual processes in the memory dump. Knowing from the previous challenge that the attack was launched using PowerShell also helps, but that is only one way of solving it; solving the previous problem is not required. This challenge requires both Windows memory forensic knowledge and knowledge of processes and threads in Windows. With suitable tools like Volatility, the player can solve this problem and collect the flag very quickly.

The 2017 CySCA forensic CTF follows a story, but each stage, like the previous two challenges, can be solved independently. The 4th challenge is about data tables stolen from the victim’s computer. The player needs memory forensic skills to determine which tables were stolen and, as before, has to identify which file to examine to retrieve the names of the stolen data tables. This challenge requires no data from the previous challenges; the only thing that could be reused is the moment at which the attack started, but that is a very lengthy approach. To find the answer, the player needs to think creatively.

The fifth challenge is to find the persistence file for the attack that was uploaded to the victim’s computer. Windows file systems are the subject of this forensic challenge. The player must know what the default Windows files and their locations are. This challenge can be solved individually or using the experience obtained from previous challenges.

The final challenge chosen is Forensic Challenge 9: Dione of CySCA 2017. It is about detecting irregular or malicious processes on the Windows system. From the given material, the player has to analyze the Windows processes and filter out the processes injected by malware. This is a separate challenge that needs no information from past challenges, and the user has to consider how to solve it from various perspectives.

Forensic Challenge 1: Io — CySCA 2017

forensic challenge 1 — CySCA 2017

The CySCA 2017 Forensic challenge guideline simply mentions that the victim’s machine was compromised by a link. We have to identify what kind of traffic to scan for.

To examine the malicious email that reached the victim, the user first has to fire up Wireshark and open the pcap file.

Network dump file contents

Depending on what we need, we can apply a variety of filters. In this challenge we must find a malicious email, so we just need to filter the POP entries from the capture.

POP results

Even with the POP filter there are a large number of entries from different source IP addresses. But I discovered an unusual email with many data fragments attached to its packets, which is certainly an email attachment. So we have to follow the TCP stream from IP 192.168.26.1322 to find out what the attachment to this email is.

Email attachment (encoded)

The attachment of the email is encoded, and its file name is “barracuda.pdf”. To analyze its content, we have to decode this data. Since it is an email attachment, it is almost certainly base64 encoded, because base64 is the common encoding for attachments. We first need to save it as a text file and delete the unnecessary metadata from the file.

We then decode the file using a base64 decoder to get its content. After decoding, “barracuda.pdf” turns out to contain the malicious link: http://miscemails.dyn.nerds.lu/miscemails.hta

Attachment after decoding

To complete this CySCA 2017 forensic challenge, the player should have broad network forensic knowledge to identify the correct protocol filters, know the common encoding standards, and have Windows forensic knowledge to identify which file contains the Windows system data. The insight gained from this challenge is realistic in practice: this kind of attack occurs frequently, and this is one way to analyze it.
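The attachment handling above (follow the POP stream, base64-decode the attachment, look for the link inside it) can be scripted instead of done by hand. This is an added example, not code from the original writeup: the MIME message is a constructed stand-in for the captured email, with only the attachment name and the link taken from the challenge.

```python
import base64
import email
import re
from email import policy

# Constructed sample: a minimal MIME message of the kind seen when following the
# POP TCP stream in Wireshark. Only the attachment name and the link come from the
# challenge; addresses and the PDF body are made up for this example.
ATTACHMENT_BODY = (
    b"%PDF-1.4\n% fake document body\n"
    b"Open: http://miscemails.dyn.nerds.lu/miscemails.hta\n%%EOF\n"
)
RAW_MESSAGE = (
    b"From: sender@example.test\n"
    b"To: victim@example.test\n"
    b"Subject: Invoice\n"
    b"MIME-Version: 1.0\n"
    b'Content-Type: multipart/mixed; boundary="BOUND"\n'
    b"\n--BOUND\n"
    b"Content-Type: text/plain\n\nPlease see the attached file.\n"
    b"--BOUND\n"
    b'Content-Type: application/pdf; name="barracuda.pdf"\n'
    b"Content-Transfer-Encoding: base64\n"
    b'Content-Disposition: attachment; filename="barracuda.pdf"\n\n'
    + base64.encodebytes(ATTACHMENT_BODY)
    + b"--BOUND--\n"
)

URL_RE = re.compile(rb"https?://[^\s\"'<>()]+")


def extract_attachments(raw):
    """Return [(filename, decoded_bytes)] for every attachment part.
    get_payload(decode=True) undoes the Content-Transfer-Encoding (base64 here),
    which is the step the writeup performs with a separate base64 decoder."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        name = part.get_filename()
        if name:
            found.append((name, part.get_payload(decode=True)))
    return found


def find_urls(data):
    """Pull every http(s) URL out of decoded attachment bytes."""
    return sorted({m.decode("ascii", "replace") for m in URL_RE.findall(data)})


def links_in_attachments(raw):
    """Map attachment filename -> URLs embedded in its decoded content."""
    return {name: find_urls(body) for name, body in extract_attachments(raw)}
```

On a real capture, paste the raw message text from Wireshark's "Follow TCP Stream" (headers included) in place of RAW_MESSAGE.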

Forensic Challenge 2: Europa — CySCA 2017

The challenge is to locate the payload of the initial attack and compute the payload’s SHA1 sum. First, the user has to decide where to begin. There are several distinct ways of solving this problem: we can use information from the previous challenge, or we can use an adaptive approach to detect the payload.

As a first step, we examine the given pcap file in Wireshark. According to the guidance, the payload should have been downloaded to the victim’s computer, so we have to examine the HTTP objects in the supplied pcap file. To find out which artifacts were transmitted over HTTP, we can use Wireshark’s built-in HTTP object export function.

Object export function of wireshark

The HTTP object export function detects a large number of objects. There is one very interesting object in that list: miscemails.hta. This is a VBScript file capable of running a PowerShell command on the computer, and it is the payload downloaded from the malicious link. So, without running the executable, we have to export it and calculate its hash.

Objects found in pcap file
Malicious executable file

I used an online hash calculation tool named HashCalc to calculate the hash of the exported ‘miscemails.hta’ file. The hash value, which is the flag at this stage, is 282cb147aa0a2d803a28c9fe0eff917dcbd5d39e.

Hash calculation

Solving this challenge requires knowledge of hashing, network forensics, and Windows file systems. First, the player has to determine which file to examine; then the malicious file that contains the payload has to be detected, which requires knowledge of the Windows file system and various file types. After identifying the file, the player needs to know how to compute a file hash. All of these skills are useful in an IT professional’s day-to-day work.

Forensic Challenge 3: Ganymede — CySCA 2017

The only guidance for this challenge is to identify the process ID of the infected process, so the user has to evaluate the processes on the victim’s computer. Other writeups show several ways of solving this problem. They all differ slightly from one another, but the overall method is identical.

We have the victim’s computer memory dump file, and we have to load it into a memory analyzer tool. The Volatility memory analysis framework is the best option available. We have to find out which processes were running on the victim’s computer, and for that we first have to determine what the victim’s machine is. To get information about the victim’s machine, we run the command “volatility imageinfo” against the memory dump and get the machine profile. It is named “Win7SP1x64”.

victim system’s profile

After identifying the victim’s system, we have to get the running programs, that is, the process list of the victim’s machine. The process list contains all the details about the running processes, such as process IDs, parent process IDs, names, memory offsets, etc., so that we can examine irregular processes like PowerShell. We used the “volatility pslist” command to get this process list as follows.

Retrieving pslist
Processes of the compromised machine

In this process list, I found three processes to be really interesting; all the others are standard Windows processes. PowerShell processes were running on the machine, as follows.

Detected PowerShell processes

This is quite a suspicious one. Only two of the PowerShell processes were in a parent-child relationship. So we need to use the “volatility netscan” command to determine which processes are accessing the network. If one of them is a PowerShell process, that is the malicious one.

Netscan results

I searched for the PowerShell processes in the Volatility netscan output and found one: the process with process ID 1272, which connects to 192.168.26.136 on port 4444 on 2017-04-25 at 12:41:31Z. This is, therefore, the malicious process that compromised the victim’s device.

Suspicious process

Memory forensic experience and knowledge of processes and threads in Windows are the foundation for this challenge. The experience gained from it is valuable for anyone, not just forensic investigators. The majority of users nowadays are Windows users, so it is important to be able to examine Windows memory and identify whether or not a malicious process is running on the device.
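The pslist/netscan cross-check above can be automated once the two plugin outputs are saved to text. This is an added example, not code from the original writeup or from Volatility: the two outputs are constructed in the layout of Volatility 2's pslist and netscan, with only PID 1272 and the 192.168.26.136:4444 peer taken from the challenge; every other PID, offset and address is made up.

```python
import re

# Constructed sample output in the layout of Volatility 2's pslist and netscan plugins
# (not the real CySCA 2017 dump). Only PID 1272 and 192.168.26.136:4444 are from the writeup.
PSLIST = """\
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
0xfffffa8031d92b10 lsass.exe               480    388      8      600      0      0 2017-04-25 12:30:10 UTC+0000
0xfffffa8031e4a060 explorer.exe           1500   1460     30      900      1      0 2017-04-25 12:31:00 UTC+0000
0xfffffa8031f00b30 powershell.exe         2616   1500      9      300      1      0 2017-04-25 12:41:30 UTC+0000
0xfffffa8031f22b30 powershell.exe         1272   2616     12      420      1      0 2017-04-25 12:41:31 UTC+0000
"""
NETSCAN = """\
Offset(P)          Proto    Local Address          Foreign Address       State         Pid    Owner          Created
0x3e1c0010         TCPv4    0.0.0.0:135            0.0.0.0:0             LISTENING     700    svchost.exe    2017-04-25 12:30:05 UTC+0000
0x3e1d4a20         UDPv4    0.0.0.0:5355           *:*                                 1060   svchost.exe    2017-04-25 12:30:06 UTC+0000
0x3e1a2b30         TCPv4    192.168.26.130:49160   192.168.26.136:4444   ESTABLISHED   1272   powershell.exe 2017-04-25 12:41:31 UTC+0000
"""

# State is blank for UDP rows, so it is an optional group; PID is always the next integer.
NET_RE = re.compile(r"^0x[0-9a-fA-F]+\s+(?P<proto>\S+)\s+(?P<local>\S+)\s+(?P<foreign>\S+)\s+"
                    r"(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+)\s+(?P<owner>\S+)")
NO_PEER = {"0.0.0.0:0", "*:*", ":::0"}  # listeners / unconnected sockets


def parse_pslist(text):
    """pid -> (name, ppid) from pslist output; data rows start with 0x."""
    procs = {}
    for line in text.splitlines():
        if line.startswith("0x"):
            _, name, pid, ppid = line.split()[:4]
            procs[int(pid)] = (name, int(ppid))
    return procs


def parse_netscan(text):
    """One dict per socket row (proto, local, foreign, state, pid, owner)."""
    return [m.groupdict() for m in map(NET_RE.match, text.splitlines()) if m]


def ancestry(procs, pid):
    """Parent chain as 'name(pid)', child first, until the root or an unknown PID."""
    chain = []
    while pid in procs:
        name, ppid = procs[pid]
        chain.append(f"{name}({pid})")
        pid = ppid
    return chain


def suspicious_connections(procs, conns, name="powershell.exe"):
    """Sockets owned by `name` that have a real remote peer, with the owner's parent chain."""
    hits = []
    for c in conns:
        pid = int(c["pid"])
        owner = procs.get(pid, (c["owner"], None))[0].lower()
        if owner == name and c["foreign"] not in NO_PEER:
            hits.append({"pid": pid, "peer": c["foreign"], "chain": ancestry(procs, pid)})
    return hits
```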

Forensic Challenge 4: Callisto — CySCA 2017

The challenge instructions state that data tables were stolen from the victim’s system and that we have to find their names. So there must be a method that steals the data tables from the system.

First, we have to determine which file to search for SQL operations; it needs to be the memory dump. The first step is to use the “volatility mftparser” command to parse the memory dump’s Master File Table.

mftparser command of volatility

We could go line by line through the parsed output, but it is too big a file. So we have to use the only clue given in the challenge description: because the stolen items are SQL data tables, we should search the files for “.sql”.

Stolen data table 1
Stolen data table 2
Stolen data table 3

Searching for .sql files, I found three newly generated data tables in a location that is not a regular SQL location: the files had been generated in a temporary folder called “temp/”.

Suspicious batch file in the same directory

Digging deeper into this result, I found a rather interesting batch file in the same “temp/” folder. This is the batch file that was used to steal the three data tables “departments.sql”, “employees.sql”, and “salaries.sql” from the database. The batch file is named “steal table.bat”.

To complete this task, the player must have sufficient knowledge of the standard file locations and file forms of Windows files.

Forensic Challenge 5: Enceladus — CySCA 2017

The challenge guideline states “find the file that was uploaded for persistence”. So the task is to examine the Windows files of the system.

First, we have to list the files in the memory dump with the “volatility filescan” command. This identifies all the files and lists them with their paths in the original system.

File scan in volatility

The victim’s system is Windows 7. If a persistence file was uploaded, it should be an executable or a command (batch) file, and an uploaded batch file is the most likely. So I searched the file scan results for batch files in suspicious locations and found one, as follows.

Suspicious batch file

The file ‘bc2d.bat’ is not a default Windows file, and it was located under ‘c:\users\john\appdata\local\’, so it is presumably a custom file placed there by someone. I checked for the file name in the Master File Table output collected with the “mftparser” Volatility command and found another file with the same name. After analyzing this file, I found that “bc2d.bat” was the one that started PowerShell with the aid of the file “\bc2d.b4mee”.

Suspicious bc2d.b4mee file

This challenge was very interesting for players with knowledge of Windows file systems and memory analysis. To find the solution, the player has to think from multiple perspectives.
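Both the .sql search of challenge 4 and the batch-file search of challenge 5 boil down to filtering a file listing by extension and by "is this a normal location for that file type", then looking at what else sits in the same folder. This is an added example, not code from the original writeup or from Volatility: the listing is constructed in the layout of Volatility 2's filescan output, reusing the file names and folders the writeup reports, with made-up offsets and counts, and the set of trusted directories is an assumption for a stock Windows 7 install.

```python
import ntpath

# Constructed sample in the layout of Volatility 2's filescan output (not the real dump).
# File names and folders mirror the writeup; offsets, pointer and handle counts are made up.
FILESCAN = r"""
Offset(P)            #Ptr   #Hnd Access Name
0x000000003e0a1f20     16      0 R--r-d \Device\HarddiskVolume1\Windows\System32\cmd.exe
0x000000003e0b2c10      2      0 RW-rwd \Device\HarddiskVolume1\temp\departments.sql
0x000000003e0b3a40      2      0 RW-rwd \Device\HarddiskVolume1\temp\employees.sql
0x000000003e0b4b70      2      0 RW-rwd \Device\HarddiskVolume1\temp\salaries.sql
0x000000003e0b5d00      2      0 R--rwd \Device\HarddiskVolume1\temp\steal table.bat
0x000000003e0c6e30      8      1 R--rwd \Device\HarddiskVolume1\Users\john\AppData\Local\bc2d.bat
0x000000003e0c7f60      8      1 R--rwd \Device\HarddiskVolume1\Users\john\AppData\Local\bc2d.b4mee
0x000000003e0d8a90     16      0 R--r-d \Device\HarddiskVolume1\Windows\System32\drivers\etc\hosts
"""

# Assumption: on a stock install, executables and batch files are expected only under these.
TRUSTED_DIRS = ("\\windows\\", "\\program files\\", "\\program files (x86)\\")


def parse_filescan(text):
    """Return the Name column as paths relative to the volume root, e.g. '\\temp\\x.sql'.
    The first four columns never contain spaces, so splitting on at most four separators
    keeps names such as 'steal table.bat' intact."""
    paths = []
    for line in text.splitlines():
        if line.startswith("0x"):
            name = line.split(None, 4)[4]
            parts = name.split("\\", 3)  # drop the \Device\HarddiskVolumeN prefix
            paths.append("\\" + parts[3] if len(parts) == 4 else name)
    return paths


def with_extension(paths, *exts):
    """Case-insensitive extension filter: with_extension(paths, '.sql')."""
    exts = tuple(e.lower() for e in exts)
    return [p for p in paths if ntpath.splitext(p)[1].lower() in exts]


def outside_trusted_dirs(paths, *exts):
    """Files of the given types that do not live under the expected system directories."""
    return [p for p in with_extension(paths, *exts)
            if not (ntpath.dirname(p).lower() + "\\").startswith(TRUSTED_DIRS)]


def siblings(paths, path):
    """Other files in the same directory: the look-around that exposed the batch file
    next to the stolen .sql tables and the helper file next to bc2d.bat."""
    d = ntpath.dirname(path).lower()
    return [p for p in paths if p != path and ntpath.dirname(p).lower() == d]
```

Feed it the saved output of "volatility filescan" (or the file names from mftparser in the same layout) to get the same three shortlists the writeup builds by hand.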

Forensic Challenge 9: Dione — CySCA 2017

This challenge has a particular viewpoint: the user has to find the processes that the attack has infected, and has to consider the problem from various viewpoints.

First we have to identify the malicious process. We already knew that two PowerShell instances existed. As the initial phase of the investigation, I used the “volatility malfind” command to check for malicious process signatures.

Volatility malfind on the memory dump

We have to filter the malicious signatures from the result. The two PowerShell processes were found to be malicious, which was already known. Besides that, I found two injected binaries in the lsass.exe process running as PID 480. That is interesting, since it cannot usually happen, and it needs deeper research. The regions with injected binaries are listed as follows.

Malware signature found 1

Address — 0x200000, PID — 480, Process — lsass.exe

Malware signature found 2

Address — 0x180000000, PID — 480, Process — lsass.exe

Now we have to check these two injected binaries. We compute the MD5 sum of the two binaries and look them up in a virus database. I calculated the MD5 sum of the two binaries with an online hash generator, as shown in the following figures, and ran the generated values against https://www.virustotal.com/. The malware database findings show that both binaries contain injected malware code.

MD5 hash of .0xfffffa8031d92b10.0x180000000.dmp
Known malware found with signature of .0xfffffa8031d92b10.0x180000000.dmp
MD5 hash of .0xfffffa8031d92b10.0x200000.dmp
Known malware found with signature of .0xfffffa8031d92b10.0x200000.dmp

The experience gained from this challenge is very different from the other five. Finding a good solution requires both forensic and malware detection skills.
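The malfind triage described above (find executable private regions, keep the ones that start with a PE header, hash the dumped region for a database lookup) can be scripted against the saved plugin output. This is an added example, not code from the original writeup or from Volatility: the malfind text is constructed in the layout of Volatility 2's output, with lsass.exe, PID 480 and the two addresses taken from the writeup and every byte value made up.

```python
import hashlib
import re

# Constructed sample in the layout of Volatility 2's malfind output (not the real dump).
# lsass.exe / PID 480 and the two addresses are from the writeup; the third region and
# all byte values are made up so that the MZ check has a negative case.
MALFIND = """\
Process: lsass.exe Pid: 480 Address: 0x200000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE

0x0000000000200000  4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00   MZ..............

Process: lsass.exe Pid: 480 Address: 0x180000000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE

0x0000000180000000  4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00   MZ..............

Process: powershell.exe Pid: 1272 Address: 0x1d40000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE

0x0000000001d40000  48 89 5c 24 08 48 89 74 24 10 57 48 83 ec 20 00   H...H.t..WH.....
"""

HEADER_RE = re.compile(r"^Process: (?P<process>\S+) Pid: (?P<pid>\d+) Address: (?P<address>0x[0-9a-fA-F]+)")
HEX_RE = re.compile(r"^0x[0-9a-fA-F]+\s+((?:[0-9a-f]{2} )+)")


def parse_malfind(text):
    """One dict per reported region: process, pid, address, protection and its first bytes."""
    regions, cur = [], None
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            cur = {"process": h["process"], "pid": int(h["pid"]),
                   "address": int(h["address"], 16), "protection": None, "head": b""}
            regions.append(cur)
        elif cur is not None and line.startswith("Vad Tag:"):
            cur["protection"] = line.split("Protection:", 1)[1].strip()
        elif cur is not None and not cur["head"]:
            m = HEX_RE.match(line)
            if m:
                cur["head"] = bytes.fromhex(m.group(1))  # fromhex ignores the spaces
    return regions


def injected_pe_regions(regions):
    """Executable regions that start with an MZ header. A legitimately loaded image is file
    backed, so a PE header inside a private (VadS) executable region points to injection."""
    return [r for r in regions if r["head"][:2] == b"MZ" and "EXECUTE" in (r["protection"] or "")]


def dump_hashes(data):
    """MD5 (the digest the writeup submits to VirusTotal) and SHA256 of a dumped region."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest()}
```

Run dump_hashes over the bytes of each .dmp file that "malfind -D" writes for the flagged regions; the MD5 is what the writeup looks up, and the SHA256 is the more reliable identifier for a database query.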

CONCLUSION

The six challenges were chosen from the CySCA 2017 CTF. Each challenge requires a particular skill set. The six challenges focus on a Windows memory dump and a network dump, and the player has to decide correctly which file to examine for each challenge, otherwise they can take the wrong path. Completing the first challenge requires basic network forensic skills and an understanding of network forensic software. The next challenge requires network forensic knowledge as well as knowledge of hashing, and the player has to pick a safe approach to it; this is like a test of creative thinking. The player must then have Windows memory forensic knowledge to complete the next four challenges, and in addition needs experience with Windows file systems, malicious signatures, Windows file types, and process analysis techniques. Overall, these six challenges cover a broad region of the digital forensic world.

Sachin Ramesh

Software Engineer @ WSO2 — Worked as Cybersecurity Engineer@hSenid -> Assistant lecturer | University of Ruhuna—>@ Platform Security Team | WSO2