For the activity, a series of challenges were designed on the FBCTF platform, the theme was based on an attack that was being carried out and different security mechanisms had to be planned and implemented to block different types of attacks.
Each challenges was divided by country, below you can see the solution to the last challenge:
ARGENTINA
Unfortunately none of us did kid...
This has to be confirmed, though, but if it turns out to be true, then we have a malicious insider and he or she may even be in this very war-room hearing everything we're doing to stop this.
Look... we had to bring back the guys from Trend Micro. They connected a device called Deep Discovery Inspector which can detect suspicious activity and this thing came up just in time. It is some kind of spam or phishing email that was tagged by this DDI. The weird thing is that the recipient is a user that left the company a couple of months ago.
The mail admin showed evidence that the mailbox was in fact disabled/deleted at that time, but somehow "someone" enabled the mailbox again from inside the company. I don't have to tell you that Karen, the mail admin has been isolated and is right now been investigated.
I've sent Carlos to give you a USB pendrive (he doesn't know what it contains). Copy the file in C:\Users\Administrator\VirtualBox\suspiciousEmail.d4a on your pivot machine.
I couldn't get a copy of the mail but I managed to get the SMTP conversation where the mail was transmitted, before access to the DDI console was closed (to only Trend and members of the Board).
I need you to get me as much information from that mail as you can. It is supposed to have some sort of Trojan or Rootkit attachment, you can use Deep Security again to see if it can detect it. It can also tell us who is behind this attack and what will be their next step...
This information is now Top Secret, call me when you're done and don´t tell anyone what you're doing.
::FLAG::USE THE FOLLOWING SYNTAX:
MALWARE DETECTION NAME FROM DEEP SECURITY:PASSWORD FOR THE ZIP FILE:NAME OF THE HACKERS OPERATION:NAME OF THE SUPPOSED TRAITOR
SolutiĆ³n:
I took the copy of the email that was obtained from the pivot server (pivot7.cyberwomen.rootrenders.co) and analyzed it on a local machine: The first thing I tried to do was run the command strings to see what was obtained from the mail, the headers and an encrypted text are observed:
This has to be confirmed, though, but if it turns out to be true, then we have a malicious insider and he or she may even be in this very war-room hearing everything we're doing to stop this.
Look... we had to bring back the guys from Trend Micro. They connected a device called Deep Discovery Inspector which can detect suspicious activity and this thing came up just in time. It is some kind of spam or phishing email that was tagged by this DDI. The weird thing is that the recipient is a user that left the company a couple of months ago.
The mail admin showed evidence that the mailbox was in fact disabled/deleted at that time, but somehow "someone" enabled the mailbox again from inside the company. I don't have to tell you that Karen, the mail admin has been isolated and is right now been investigated.
I've sent Carlos to give you a USB pendrive (he doesn't know what it contains). Copy the file in C:\Users\Administrator\VirtualBox\suspiciousEmail.d4a on your pivot machine.
I couldn't get a copy of the mail but I managed to get the SMTP conversation where the mail was transmitted, before access to the DDI console was closed (to only Trend and members of the Board).
I need you to get me as much information from that mail as you can. It is supposed to have some sort of Trojan or Rootkit attachment, you can use Deep Security again to see if it can detect it. It can also tell us who is behind this attack and what will be their next step...
This information is now Top Secret, call me when you're done and don´t tell anyone what you're doing.
::FLAG::USE THE FOLLOWING SYNTAX:
MALWARE DETECTION NAME FROM DEEP SECURITY:PASSWORD FOR THE ZIP FILE:NAME OF THE HACKERS OPERATION:NAME OF THE SUPPOSED TRAITOR
SolutiĆ³n:
I took the copy of the email that was obtained from the pivot server (pivot7.cyberwomen.rootrenders.co) and analyzed it on a local machine: The first thing I tried to do was run the command strings to see what was obtained from the mail, the headers and an encrypted text are observed:
This address led us to pastebin where we found another encrypted text (Meeting information):
Converting characters from Base64 gives the following clear text:
In this case it is evident that probably it have a txt file, this file was exported to zip to try to crack the password:
Without satisfactory results, I analyzed the email headers again parsing the Message-ID parameter of suspicious.pd4 I could see a weird format, converting this text from hex I got:
Converting the hex text I got:
Now, from base64:
Finally, I got the zip's password:
Reading the appointment file I got another text with hex data:
Converting from hex file, It return another Base64 text:
Converting from Base64, I got another hex data:
Converting from hex data, I got another base64 data:
Converting from base64, I got another hex data:
And finally I got the first part of the flag:
::FLAG::USE THE FOLLOWING SYNTAX:
MALWARE DETECTION NAME FROM DEEP SECURITY:PASSWORD FOR THE ZIP FILE:NAME OF THE HACKERS OPERATION:NAME OF THE SUPPOSED TRAITOR
Supposed traitor: Sophia
Operation name: OL****
Password for zip: Y0u***
To get the malware detection name I used VirusTotal in order to analized the malware sample:
and the name of the malware detected by TrendMicro is: R****A
So that I got the flag:
R****A:Y0u***:OL****:Sophia
::FLAG::USE THE FOLLOWING SYNTAX:
MALWARE DETECTION NAME FROM DEEP SECURITY:PASSWORD FOR THE ZIP FILE:NAME OF THE HACKERS OPERATION:NAME OF THE SUPPOSED TRAITOR
Supposed traitor: Sophia
Operation name: OL****
Password for zip: Y0u***
To get the malware detection name I used VirusTotal in order to analized the malware sample:
and the name of the malware detected by TrendMicro is: R****A
So that I got the flag:
R****A:Y0u***:OL****:Sophia
And with this flag We won the CTF :)
Thanks to @TrendMicro and @OEA_Cyber
