Introduction to Mystery 013
Mystery 013” is a captivating digital forensics challenge featured in the Yukthi CTF 2024 prelims. Designed to immerse participants in the intricate world of cyber investigation and decryption, this challenge is a journey through the essential processes of digital forensics.
The Challenge Begins
The adventure starts with a seemingly innocuous image, which at first glance appears ordinary. However, within its pixels lie hidden secrets waiting to be uncovered. Participants must first employ steganography techniques to reveal concealed data embedded in the image.
Brute Force and Code Cracking
Once the hidden data is exposed, competitors are required to apply brute force techniques to crack the code. This stage tests their ability to break through encryption and access crucial information that will guide them further in the challenge.
RAM Analysis and Beyond
The final and pivotal task involves RAM analysis. Participants need to analyze memory dumps to extract valuable information, testing their skills in a real-world cyber investigation scenario.
Skills Learned
- Digital image forensics
- Effective decryption techniques
- Analyzing memory dumps for evidence
Enumeration
Initial Reconnaissance
We start our challenge by identifying open ports on the target IP using the nmap
command. This crucial step helps us find potential entry points on the server.
nmap -p- IPaddress
Exploring Port 84
Upon discovering that port 84 is open, we navigate to it only to find a web interface. This web interface presented another puzzle in the form of an image which we decided to download for further analysis.
Steganographic Extraction
Using Steghide, a tool for embedding and extracting data hidden within images or audio files, we extracted contents from the image:
sudo apt install steghide
steghide extract -sf hid.jpeg
cat secret.txt
echo "LOVtcGxPeWUxMg==" | base64 -d
This revealed a file named secret.txt
, which contained an encrypted key in Base64. Decoding this key unveiled an endpoint, /EmplOye12
.
Navigating to this endpoint displayed detailed information about employees without requiring login credentials.
Brute Force Attack
Using the names found on the employees' details page, we crafted a wordlist with cewl
, a tool that generates custom wordlists by spidering a target’s website and collecting unique words
cewl http://ipaddress:port/EmplOye12 >> wordlist.txt
This list was then used to conduct a brute force attack with hydra
, a popular network logon cracker, which successfully cracked the login credentials for the username "Chris".
hydra -L wordlist.txT -P wordlist.txt IPaddress http-post-form " /logic/v1/login:user=^USER^&password=^PASS^:login failed"
Using these credentials,
we accessed the login page and successfully breached it, unveiling the first flag.
username: Chris
password: hacking
Image Insight: The Second Challenge
After successfully accessing the page with the necessary credentials, we found ourselves needing to answer questions about Case 013. The answers were believed to be hidden in a RAM image extracted from the suspect's computer.
RAM Analysis
Introduction to Volatility
Volatility is an open-source memory forensics framework for incident response and malware analysis. It helps investigators analyze volatile memory (RAM) to extract artifacts that provide insight into the runtime state of the system.
Installing Volatility
To use Volatility, you typically need Python on your system. You can install Volatility by cloning its repository from GitHub and then installing it through Python's pip tool:
git clone https://github.com/volatilityfoundation/volatility.git
cd volatility
pip install .
Using the Volatility tool, we began dissecting the RAM image to uncover the required information.
We started with the imageinfo
command to identify the system architecture:
volatility -f testing.vmem imageinfo
This command confirmed the architecture as WinXPSP2x86.
Upon entering the architecture data on the browser and verifying it, we received confirmation that our answer was correct.
Detailed Analysis Using Volatility Plugins
We proceeded to use various Volatility plugins to answer the remaining questions on the case tab:
- OS & Architecture: Confirmed as
WinXPSP2x86
through theimageinfo
plugin. - Process IDs: Identified
VMwareService.exe
(PID: 1444) andwinlogon.exe
(PID: 632) using thepslist
plugin. - Shutdown Date: The last shutdown date was pinpointed as 2011-10-10 with the
shutdowntime
plugin. - Remote Connection: Uncovered a connection to
172.16.98.1:6666
via theconnscan
plugin. - Executed Commands: Found the last executed command
sc query malware
using theconsoles
plugin. - Internet Explorer History: Detected an open HTML file
license.html
during the memory capture with theiehistory
plugin.
Using the extracted data, we addressed all the questions posed on the case page, leveraging the insights gained to piece together the motives behind the criminal's actions and uncover the secrets hidden within the mysterious file. This comprehensive analysis ultimately led us to secure the second flag.
Conclusion
Each phase of "Mystery 013" is meticulously crafted to challenge participants and simulate the true essence of digital forensics. The journey through steganography, code cracking, and RAM analysis requires a keen investigative mind and perseverance, truly reflecting the essence of a cyber sleuth’s role.