The Amazing CyberHunt Writeup
This write-up documents our journey through The Amazing Cyber Hunt 2024 as team RE:UN10N Jr, comprising myself (whymir), Sara (ssi51), and Firdaus (vicevirus). We tackled various challenges with determination and teamwork.
Files
All challenge files are provided. Refer to this link.
Physical Challenge
As mentioned before, the competition had two categories: physical and digital. For the physical challenge, the organizer gave us a USB thumb drive.
The USB thumb drive appears empty when opened on a Windows host, but when opened on Ubuntu it contains two files, WPSetting.dat and another whose name I forgot. Sorry.
This means the USB was either corrupted or the files had been deleted. To get the data back, I used "Recuva" to recover the files: Evidence3.wim and Evidence4.jpg.xz.
WAVing Flags
It seems like people hide secrets in all sorts of files these days. If they can't see it, they can't hack it. Using the pendrive you received, locate a file named 'Evidence 3.jpg' and find the hidden flag inside. Note: there is no header for this flag. Enter the 'flags' directly without the UTAR{}
Evidence3.wim is a Windows Imaging Format archive, which means we can open it and extract the data directly. I used a file archiver to extract it.
Starting with simple commands such as file and exiftool, there was nothing interesting.
Next, since this category belongs to the Forensics challenge, some steganography technique might have been applied. To check, I used binwalk.
As can be seen, there is a 7zip archive embedded in this image. Even though the extension is .jpeg, we can still extract it using 7z.
We found a new file named "secretmessage.pdf".
I was stuck here for a long time because I kept treating it as a PDF challenge and used pdfid, pdfinfo and pdfparser, but nothing came of it. The crucial hint is the challenge name: in pdfparser I managed to spot a WAV header.
But it looked impossible to extract all those bytes by hand, so I passed it to my teammate Sara to have a look.
She managed to get the WAV file by using the foremost command.
Open the WAV file in Audacity and look at the spectrogram.
FLAG: UTAR{UNMASKING CYBER SECRET}
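The binwalk and foremost steps above (and the same binwalk carving used later in GEOmancer, Hex is Fun and Message in Picture) boil down to scanning for file signatures and cutting out what follows. This is an added example, not the writeup's own code or any tool's source: a minimal signature carver with a constructed sample that mimics a JPEG with a 7z archive and a WAV appended to it.

```python
# Added example (not the writeup's own code): a minimal carver in the spirit of
# binwalk/foremost. It scans a blob for the magic bytes of the container types
# met in this CTF and carves each hit, the way the 7z and WAV were recovered.
import struct

# Signatures as they appear at the start of the embedded file.
SIGNATURES = {
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"PK\x03\x04": "zip",        # also pptx/docx containers
    b"%PDF-": "pdf",
    b"RIFF": "riff",             # confirmed as WAV by checking "WAVE" at +8
    b"\xff\xd8\xff": "jpeg",
    b"GIF8": "gif",
}

def scan(data: bytes, skip_offset_zero: bool = True):
    """Return sorted [(offset, type)] for every signature found in data.
    The host file's own header at offset 0 is skipped by default, so the
    result lists embedded files rather than the container itself."""
    hits = []
    for magic, kind in SIGNATURES.items():
        start = 0
        while (pos := data.find(magic, start)) != -1:
            start = pos + 1
            if pos == 0 and skip_offset_zero:
                continue
            if kind == "riff" and data[pos + 8:pos + 12] != b"WAVE":
                continue        # a RIFF that is not a WAV (e.g. AVI)
            hits.append((pos, "wav" if kind == "riff" else kind))
    return sorted(hits)

def carve(data: bytes, offset: int) -> bytes:
    """Carve from offset. For WAV the RIFF size field gives the exact length;
    other formats are simply cut at end of file (real carvers use footers)."""
    if data[offset:offset + 4] == b"RIFF":
        riff_len = struct.unpack("<I", data[offset + 4:offset + 8])[0]
        return data[offset:offset + 8 + riff_len]
    return data[offset:]

# Constructed sample: a JPEG header and some image bytes, then a 7z archive and
# a small WAV appended after it, mimicking the Evidence3 layout described above.
WAV_BODY = b"WAVEfmt " + b"\x00" * 20
SAMPLE = (b"\xff\xd8\xff\xe0" + b"\x00" * 40
          + b"7z\xbc\xaf\x27\x1c" + b"\x00" * 16
          + b"RIFF" + struct.pack("<I", len(WAV_BODY)) + WAV_BODY + b"trailer")

if __name__ == "__main__":
    for off, kind in scan(SAMPLE):
        print(f"{off:#06x}  {kind:5}  {len(carve(SAMPLE, off))} bytes carved")
```

Replace SAMPLE with the bytes of a real file to list its embedded objects; a hit on the raw `\xff\xd8\xff` JPEG signature can be a false positive inside random data, which is why tools like binwalk also validate the following header fields.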
GEOmancer
Looking ‘deep’ at the pendrive you received, you should see a ‘**.xz’ file. It was a picture I took during my cuti cuti Malaysia trip last month, but somehow I can't remember where it was. Can you help me find the city name? Note: the flag is the city name, without the UTAR{} header.
The file used here is Evidence4.jpg.xz.
XZ compression can be extracted using 7z.
Open the image. As the challenge name suggests, it is probably OSINT-related.
Since I have visited this place before (it is TRX Exchange), I believed the flag was Kuala Lumpur. Unfortunately, that was wrong. Reading the challenge description again, it mentions "deep", which means there is something else in this image. During the competition I tried a lot of tools such as stegsolve, xxd and aperisolve, but they returned nothing, until I remembered one tool, namely foremost.
Notice that there are now four JPEGs. There are actually only two images: one in full colour and the other in black and white.
Luckily, I managed to find GPS coordinates in the metadata and used this tool to get the answer directly.
FLAG: Kota Bharu
Digital Challenge
These challenges are hosted on their CTFd platform.
a Letter Please
We found a zip file ‘Evidence 2.zip’, which we suspect to contain a hidden flag. Can you find it? Flag format: UTAR{flags}
We tried to open it, but it is not in zip format.
Check what kind of file it is using strings.
It is actually an .eml file. How do I know? This is the format an email is saved in when you download it from any email platform.
An .eml file can be opened with Thunderbird if it contains only one message. But the provided eml consists of multiple emails combined into one file. The only way to handle this is to search for the Content-Type headers.
Content-Type describes each attachment attached to the email, and the attachment is in base64 format, depending on how it was set. Why look at the attached file content? Most phishing attempts come with an attachment.
Only this Content-Type is different and refers to a document file. Moving to that line gives brief information about the file.
It mentions base64. I used this link to convert the base64 back into a file.
Download the file and get the flag.
FLAG: UTAR{InvisibleEvidenceSpeaks}
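The manual Content-Type search and base64 conversion above can be automated with Python's standard email package, which decodes the Content-Transfer-Encoding of each part for you. This is an added example, not the writeup's own code: it assumes the concatenated messages are separated by mbox-style "From " lines (the exact separator in the challenge file is not stated) and builds a constructed two-message mailbox inline.

```python
# Added example (not the writeup's own code): pull attachments out of a file that
# holds several concatenated .eml messages. The email package decodes the base64
# Content-Transfer-Encoding for us, so no manual base64 step is needed.
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

def split_messages(blob: bytes):
    """Split a concatenated mailbox on mbox-style 'From ' separator lines."""
    return [p for p in re.split(rb"(?m)^From .*\r?\n", blob) if p.strip()]

def extract_attachments(blob: bytes):
    """Return [(msg_no, filename, content_type, raw_bytes)] for every part that
    carries a filename; parts without one are treated as message body."""
    found = []
    for n, raw in enumerate(split_messages(blob), start=1):
        msg = message_from_bytes(raw, policy=policy.default)
        for part in msg.walk():
            if part.is_multipart() or not part.get_filename():
                continue
            found.append((n, part.get_filename(), part.get_content_type(),
                          part.get_payload(decode=True)))   # base64 -> bytes
    return found

def build_sample() -> bytes:
    """Constructed mailbox: a plain message followed by one with a document."""
    m1 = EmailMessage()
    m1["From"], m1["To"], m1["Subject"] = "a@example.test", "b@example.test", "hi"
    m1.set_content("nothing to see here")
    m2 = EmailMessage()
    m2["From"], m2["To"], m2["Subject"] = "c@example.test", "b@example.test", "report"
    m2.set_content("see attached")
    m2.add_attachment(b"%PDF-1.4 constructed document, flag would be in here",
                      maintype="application", subtype="pdf", filename="evidence.pdf")
    return (b"From a@example.test\n" + m1.as_bytes()
            + b"\nFrom c@example.test\n" + m2.as_bytes())

if __name__ == "__main__":
    for n, name, ctype, data in extract_attachments(build_sample()):
        print(f"message {n}: {name} ({ctype}, {len(data)} bytes)")
```

Write each returned `raw_bytes` to disk under its filename to get the same document the online base64 converter produced.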
bad http
We have intercepted unsecured HTTP traffic from the network. The http.pcap file contains the traffic captured during a SQL injection conducted on an HTTP site. Analyze the pcap file to uncover the hidden flag. The flag is hashed using some common hash function. Flag format: UTAR{your_flag_here}
This challenge can be done using two methods.
- Run strings on the pcap file:
strings http.pcap
- Analyse it in Wireshark. This challenge is very straightforward; the description mentions SQL injection.
– Follow the TCP stream, increasing the stream number until the flag is found.
– Or search with the display filter frame contains "UTAR".
Then follow the TCP stream or HTTP stream.
The flag is hashed, so we need to crack it. I used this tool to crack it.
FLAG: UTAR{Philosopher}
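Both methods above (strings, or following streams in Wireshark) come down to reading the TCP payloads out of the capture, spotting the UTAR{...} pattern and matching the hash against a wordlist. This is an added example, not the writeup's own code: a classic pcap walker plus a length-based hash guesser, with the pcap and the tiny wordlist constructed inline (the real capture's hash and wordlist are not on this page).

```python
# Added example (not the writeup's own code): walk a classic pcap, pull the TCP
# payload out of each Ethernet/IPv4/TCP frame, find the hashed flag and crack it.
import hashlib, re, struct

def tcp_payloads(pcap: bytes):
    """Yield the TCP payload of every Ethernet/IPv4/TCP packet in a pcap."""
    magic, = struct.unpack("<I", pcap[:4])
    endian = "<" if magic == 0xA1B2C3D4 else ">"   # pcap files exist in both
    pos = 24                                        # skip the global header
    while pos + 16 <= len(pcap):
        _, _, caplen, _ = struct.unpack(endian + "IIII", pcap[pos:pos + 16])
        frame = pcap[pos + 16:pos + 16 + caplen]
        pos += 16 + caplen
        if frame[12:14] != b"\x08\x00":             # EtherType: not IPv4
            continue
        ip = frame[14:]
        if ip[9] != 6:                              # protocol: not TCP
            continue
        tcp = ip[(ip[0] & 0x0F) * 4:]               # skip IP header (IHL)
        yield tcp[(tcp[12] >> 4) * 4:]              # skip TCP header (data offset)

FLAG_RE = re.compile(rb"UTAR\{([0-9a-fA-F]{32,128})\}")
ALGOS = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}  # by hex length

def find_hashed_flags(pcap: bytes):
    """Unique hex digests found inside UTAR{...} anywhere in the TCP payloads."""
    return sorted({m.group(1).decode() for p in tcp_payloads(pcap)
                   for m in FLAG_RE.finditer(p)})

def crack(hexdigest: str, wordlist):
    """Hash each candidate with the algorithm implied by the digest length."""
    algo = ALGOS.get(len(hexdigest))
    if algo is None:
        return None
    for word in wordlist:
        if hashlib.new(algo, word.encode()).hexdigest() == hexdigest.lower():
            return word
    return None

def build_sample() -> bytes:
    """Constructed pcap: a single HTTP response frame carrying a hashed flag."""
    body = (b"HTTP/1.1 200 OK\r\n\r\n<p>UTAR{"
            + hashlib.md5(b"Philosopher").hexdigest().encode() + b"}</p>")
    tcp = struct.pack("!HHIIBBHHH", 80, 40000, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + body
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + tcp
    eth = b"\x00" * 12 + b"\x08\x00" + ip
    return (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
            + struct.pack("<IIII", 0, 0, len(eth), len(eth)) + eth)
```

Wireshark saves captures as pcapng by default, which this walker does not parse; export the capture as classic pcap first. A flag split across two TCP segments would also be missed, which is exactly what following the stream in Wireshark avoids.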
Forensics 200
Given a shell script file ‘persistence.sh’, find the flag.
Check the file and run strings on it to understand more.
It has a base64-encoded part. Manually decode the base64 part.
FLAG: UTAR{9ce23f07e6b9bfc37508163b07e4d1b5}
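Decoding by hand works for one blob, but scripts like this often stack several base64 layers. This is an added example, not the writeup's own code: it finds long base64-looking runs in a shell script and peels them layer by layer; the sample script is constructed inline and carries only a placeholder, not the challenge's content.

```python
# Added example (not the writeup's own code): locate base64 blobs in a shell script
# such as persistence.sh and decode them, peeling nested layers, so the command
# hidden inside can be read without decoding by hand.
import base64, binascii, re

B64_RE = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")   # long base64-looking runs

def decode_layers(blob: bytes, max_depth: int = 5):
    """Return the successive decodings of a blob until the result is no longer
    base64 or max_depth is hit; an invalid blob yields an empty list."""
    layers, cur = [], blob
    for _ in range(max_depth):
        try:
            cur = base64.b64decode(cur, validate=True)
        except binascii.Error:
            break
        layers.append(cur)
        m = B64_RE.fullmatch(cur.strip())
        if m is None:             # decoded data is not base64 again: done
            break
        cur = m.group(0)
    return layers

def find_encoded_commands(script: bytes):
    """Return [(blob, [decoded layers...])] for every base64 run in the script."""
    return [(m.group(0), decode_layers(m.group(0))) for m in B64_RE.finditer(script)]

# Constructed sample: a double-encoded command with a placeholder flag, the
# kind of thing a script like persistence.sh carries.
INNER = b"echo 'UTAR{constructed_placeholder}'"
SAMPLE = (b"#!/bin/bash\n# constructed sample persistence script\neval $(echo "
          + base64.b64encode(base64.b64encode(INNER)) + b" | base64 -d | base64 -d)\n")

if __name__ == "__main__":
    for blob, layers in find_encoded_commands(SAMPLE):
        for depth, layer in enumerate(layers, start=1):
            print(f"layer {depth}: {layer!r}")
```

Feed the script bytes to `find_encoded_commands` and read the last layer of each result; a run that decodes to binary rather than text usually means it was not really base64.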
Hex is Fun
Here we go again… I found another file named 'Evidence 5.gif'. So I guess there is another flag inside. What is it? Flag Format: UTAR{flags}
The file is a GIF. Once again, I overthought it, since a GIF might hide something in its frames. I extracted the frames but found nothing. Then I used the most powerful tool in this competition: binwalk.
It has a hidden file. Open the file and get the flag.
FLAG: UTAR{BitsNeverLie}
Message in Picture
One day, during a covert mission, Mrs Smith left a photo ‘Evidence 1.jpeg’ of their cute baby to Mr Smith, and then she disappeared. Is Mrs Smith trying to tell Mr Smith something? Could it be a flag? Flag Format: UTAR{flags}
The given file is Evidence 1. Check the file.
It has a PPT file embedded in this image, but it is missing some parts, like "Content-Type.xml". That means something is hidden here.
Again, I used binwalk to extract any files.
Now there is something that might be interesting. Look into all the files.
Only this JPEG looked interesting to me, since most challenges like to use thumbnail.jpeg for the flag. ` open docProps/thumbnail.jpeg `
FLAG: UTAR{DataRevealsAll}