CrowdStrike AdversaryQuest CTF – Much Sad

In January 2021 CrowdStrike opened up their AdversaryQuest CTF. The CTF consisted of 12 challenges split across three new “threat actors”: SPACE JACKAL, PROTECTIVE PENGUIN, and CATAPULT SPIDER. The challenges mostly focused on binary exploitation and reverse engineering, which is a bit of a departure from my skill set. Nonetheless, I was able to solve two of the twelve challenges: this one, relating to the CATAPULT SPIDER adversary, and another from SPACE JACKAL.

Rabid fans of the memetacular Doge and the associated crypto currency, CATAPULT SPIDER are trying to turn their obsession into a profit. Watch out for your cat pictures, lest CATAPULT SPIDER intrude your network and extort them for Dogecoin.

Much Sad

We have received some information that CATAPULT SPIDER has encrypted a client’s cat pictures and successfully extorted them for a ransom of 1337 Dogecoin. The client has provided the ransom note; is there any way for you to gather more information about the adversary’s online presence?

NOTE: Flags will be easily identifiable by following the format CS{some_secret_flag_text}. They must be submitted in full, including the CS{ and } parts.

This challenge is more OSINT focused. The only information we are given is a text file containing the ransom note and some nice Doge ASCII art.

Aside from the ASCII art we have what is presumably a Dogecoin address…

DKaHBkfEJKef6r3L1SmouZZcxgkDPPgAoE

…and an email address.

shibegoodboi@protonmail.com
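Before pivoting on an address from a ransom note it is worth confirming that the string really is a well-formed address and which coin it belongs to. The check below is an added example, not code from the write-up: it decodes Base58Check, verifies the double-SHA-256 checksum, and reads the version byte (0x1E is the Dogecoin pay-to-pubkey-hash prefix, which is why Dogecoin addresses start with “D”). The sample address is built from a constructed 20-byte hash; the note’s address is only fed through the same function.

```python
"""Added example (not the write-up author's code): Base58Check inspection
of an address found in a ransom note. The sample hash below is constructed."""
import hashlib

B58_ALPHABET = b"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Mainnet pay-to-pubkey-hash version bytes (first byte of the 25-byte payload).
P2PKH_VERSIONS = {0x00: "Bitcoin", 0x1E: "Dogecoin", 0x30: "Litecoin"}


def b58decode(s: str) -> bytes:
    """Decode Base58 into bytes; each leading '1' stands for a zero byte."""
    n = 0
    for ch in s.encode("ascii"):
        idx = B58_ALPHABET.find(ch)
        if idx == -1:
            raise ValueError(f"invalid base58 character {chr(ch)!r}")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def b58encode(raw: bytes) -> str:
    """Inverse of b58decode; leading zero bytes become leading '1's."""
    n = int.from_bytes(raw, "big")
    out = bytearray()
    while n:
        n, rem = divmod(n, 58)
        out.append(B58_ALPHABET[rem])
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return (B58_ALPHABET[0:1] * pad + bytes(reversed(out))).decode("ascii")


def checksum(payload: bytes) -> bytes:
    """Base58Check checksum: first four bytes of SHA-256(SHA-256(payload))."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def base58check_encode(version: int, hash160: bytes) -> str:
    payload = bytes([version]) + hash160
    return b58encode(payload + checksum(payload))


def inspect_address(addr: str) -> dict:
    """Report whether the checksum holds, the version byte, and the coin
    that byte usually denotes. Nothing here touches the network."""
    try:
        raw = b58decode(addr)
    except ValueError as e:
        return {"valid": False, "reason": str(e)}
    if len(raw) != 25:
        return {"valid": False, "reason": f"decoded to {len(raw)} bytes, expected 25"}
    payload, check = raw[:21], raw[21:]
    if checksum(payload) != check:
        return {"valid": False, "reason": "checksum mismatch"}
    version = payload[0]
    return {"valid": True, "version": version,
            "coin": P2PKH_VERSIONS.get(version, "unknown"),
            "hash160": payload[1:].hex()}


# Constructed sample: a made-up 20-byte hash wrapped as a Dogecoin address.
SAMPLE_HASH160 = bytes(range(20))
SAMPLE_DOGE_ADDRESS = base58check_encode(0x1E, SAMPLE_HASH160)

# The address quoted from the ransom note in the write-up.
NOTE_ADDRESS = "DKaHBkfEJKef6r3L1SmouZZcxgkDPPgAoE"

if __name__ == "__main__":
    print(SAMPLE_DOGE_ADDRESS, inspect_address(SAMPLE_DOGE_ADDRESS))
    print(NOTE_ADDRESS, inspect_address(NOTE_ADDRESS))
```

A checksum failure on a note’s address is itself a useful observation (typo, extraction damage, or a decoy), and the version byte stops you from searching a Bitcoin explorer for what is actually a Dogecoin address.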

Searching Google for the username quickly gives us a few promising leads, including a Twitter account and a Reddit account.

I decided to start with the Twitter account, and noticed the link to a GitHub account named shibefan.

Examining the listed repositories it appears that the user is particularly interested in Dogecoin – no great surprise given what we have been told.

Exploring the repositories themselves we find an HTML page containing the flag.

There is probably much more that could be done around tracking the Dogecoin addresses, but this is enough for now.

Flag

CS{shibe_good_boi_doge_to_the_moon}

CrowdStrike AdversaryQuest CTF – The Proclamation

In January 2021 CrowdStrike opened up their AdversaryQuest CTF. The CTF consisted of 12 challenges split across three new “threat actors”: SPACE JACKAL, PROTECTIVE PENGUIN, and CATAPULT SPIDER. The challenges mostly focused on binary exploitation and reverse engineering, which is a bit of a departure from my skill set. Nonetheless, I was able to solve two of the twelve challenges: this one, relating to the SPACE JACKAL adversary, and another from CATAPULT SPIDER.

Not to be confused with spaceflight enthusiasts, SPACE JACKAL have very strict opinions on source code indentation. Brought together by their unbounded hate for ASCII character 9, they will not rest until the last tab stop has been eradicated from the face of the Internet.

The Proclamation

A mysterious file appeared on a deep dark web forum. Can you figure out what we can’t see right now?

NOTE: Flags will be easily identifiable by following the format CS{some_secret_flag_text}. They must be submitted in full, including the CS{ and } parts.

We are given a 512-byte file, proclamation.dat, and left to get on with it. The first thing I did was use the file utility to determine what kind of data we are dealing with.

file proclamation.dat

The file is identified as a DOS/MBR boot sector. Interesting. Let’s see what strings gives us.

strings proclamation.dat > proclamation.dat.strings
cat proclamation.dat.strings

OK. After a bit of digging on Google I was able to boot the file using the QEMU emulator.

qemu-system-i386 proclamation.dat

Cool! Now what? Examining the file in a hex editor showed what looked like random data; maybe it is encrypted somehow?

I wasn’t really sure how to proceed with this – encryption and reverse engineering aren’t my usual thing – but I do know CyberChef! I have an instance of CyberChef installed locally on my SIFT VM so I used that instead of the hosted instance, but the process is the same.

Assuming that the random data was actually encrypted, my first guess was to use the XOR Brute Force operation with a Key Length of 1, but that didn’t output anything intelligible. Next I tried increasing the Key Length to 2 and, in an attempt to cut down on the output, set the flag format – CS{ – as a crib.

CyberChef chewed on this for a minute or so then popped out eight potential decryptions. Examining the output for Key = eaea, I found the same text that was displayed when I used qemu to run the file, and then, appended to the end of the text, the flag!
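To show what the two steps above amount to, here is an added example that is not the write-up’s code: a rough version of the boot-sector test behind file’s “DOS/MBR boot sector” verdict (exactly 512 bytes ending in 0x55 0xAA), the exhaustive XOR brute force that CyberChef runs with a crib, and the shortcut it generalises to: sliding the crib over the ciphertext and XORing pins down every key byte directly, so no 65536-key loop is needed. The sector below is constructed from a placeholder flag and the key eaea; the real proclamation.dat is not embedded.

```python
"""Added example (not the write-up author's code): boot-sector check and
crib-driven XOR key recovery. All sample data is constructed."""
from __future__ import annotations
from itertools import product
from typing import Optional

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"   # last two bytes of a classic boot sector


def looks_like_boot_sector(data: bytes) -> bool:
    """Rough stand-in for the heuristic behind file's 'DOS/MBR boot sector'."""
    return len(data) == SECTOR_SIZE and data[-2:] == BOOT_SIGNATURE


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; applying it twice with the same key is a no-op."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def xor_brute_force(data: bytes, key_len: int, crib: bytes) -> list[tuple[str, bytes]]:
    """Exhaustive search, like CyberChef's XOR Brute Force with a crib set:
    every key of key_len bytes is tried and only outputs containing the crib
    are kept. 256**key_len candidates, so only practical for tiny keys."""
    hits = []
    for key_tuple in product(range(256), repeat=key_len):
        key = bytes(key_tuple)
        plain = xor_with_key(data, key)
        if crib in plain:
            hits.append((key.hex(), plain))
    return hits


def keys_from_crib(data: bytes, key_len: int, crib: bytes) -> list[str]:
    """Same answer as the brute force without the exhaustive loop.

    If the crib sits at offset p then key[(p + j) % key_len] == data[p + j] ^ crib[j]
    for every j, so each offset yields at most one key; offsets that demand two
    different values for the same key byte are discarded. Needs len(crib) >= key_len
    so that every key byte is pinned down."""
    if len(crib) < key_len:
        raise ValueError("crib must be at least as long as the key")
    found: list[str] = []
    for p in range(len(data) - len(crib) + 1):
        key: list[Optional[int]] = [None] * key_len
        consistent = True
        for j, c in enumerate(crib):
            k = data[p + j] ^ c
            slot = (p + j) % key_len
            if key[slot] is None:
                key[slot] = k
            elif key[slot] != k:
                consistent = False
                break
        if consistent:
            key_hex = bytes(key).hex()
            if key_hex not in found:
                found.append(key_hex)
    return found


def extract_flag(plain: bytes) -> Optional[str]:
    """Return the first CS{...} token in a decrypted buffer, or None."""
    start = plain.find(b"CS{")
    end = plain.find(b"}", start) if start != -1 else -1
    if start == -1 or end == -1:
        return None
    return plain[start:end + 1].decode("ascii", errors="replace")


def recover(sector: bytes, key_len: int, crib: bytes = b"CS{") -> list[tuple[str, Optional[str]]]:
    """Decrypt with every crib-derived key and pull the flag out of each."""
    return [(k, extract_flag(xor_with_key(sector, bytes.fromhex(k))))
            for k in keys_from_crib(sector, key_len, crib)]


# Constructed sample sector: a message plus a placeholder flag, zero-padded to
# 510 bytes, XORed with the two-byte key ea ea, with the boot signature left in
# the clear at offset 510 as a real MBR would have it.
SAMPLE_KEY = bytes.fromhex("eaea")
SAMPLE_BODY = (b"THE PROCLAMATION OF SPACE JACKAL\n"
               b"CS{constructed_placeholder_flag}").ljust(SECTOR_SIZE - 2, b"\x00")
SAMPLE_SECTOR = xor_with_key(SAMPLE_BODY, SAMPLE_KEY) + BOOT_SIGNATURE

if __name__ == "__main__":
    print("boot sector?", looks_like_boot_sector(SAMPLE_SECTOR))
    for key_len in (1, 2):
        print(key_len, recover(SAMPLE_SECTOR, key_len))
```

Note that the key eaea the write-up settled on is two identical bytes, so it is also a valid one-byte key: run against this sample, the crib shortcut returns ea at key length 1 and eaea at key length 2, the same plaintext either way.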

Flag

CS{0rd3r_0f_0x20_b00tl0ad3r}