TAMUctf 18 Writeup: BadBob

Scenario - BadBob

In this scenario we are provided an OVA image for VirtualBox. It's the Windows 10 machine image of an employee, Bob, who has been terminated for doing a bunch of shady stuff.

00_Bob's Machine

Q 1: When Bob was setting up his computer he said he had put a secret key in the description. Can you find this secret key when setting up the copy of his computer?
A 1: gigem{d!D_Y0u_S3e_tH|$?}

This is the first challenge. Once you import the VM you can find this flag stored in the description.

01_Bob's Account

Q 1: Can you give us the content of "easy_login_flag.txt"?
A 1: gigem{Ea$y_L0g!n_P@ssword_l3ks0dk}

At first I decided to boot the machine using a live CD to check out the image I was about to boot. From the live CD I could browse the file system and located the easy_login_flag. However, the real goal of this challenge is to make sure we can log in as Bob. We can recover the hashes from the system and crack them, or guess Bob's password based off the hint they provide (the meme at the start), which is "incorrect". I also took the opportunity to backdoor the system with a sticky keys style backdoor, so I could easily privesc later if I needed to.

02_Deleted File

Q 1: Bob deleted a very important file called "not_deleted_file.txt". Can you give us the content of that file?
A 1: gigem{F!le_n0t_d3leted_jsn1fk234}

Now that we can log in as Bob, it's easy to pull the deleted file from his Recycle Bin.

03_Chrome Login

Q 1: The company website is ctf.tamu.edu and his username was bob. Could you give us his password?
A 1: gigem{chrome_login_such_wow_jdfksj34lek2n}

Now that we are logged in as Bob we can decrypt his default stored Chrome passwords using his account password.

04_File Recovery

Q 1: Could you get the contents of the file Bob deleted, because obviously the IT Department hasn't been able to yet?
A 1: gigem{F!le_r3covered_mwodlp9682@!sf}

This was a really cool one. Bob had file recovery enabled, which caused a backup of his files to be written to another drive. In that backup we can find these files.

05_Incorrect Login

Q 1: One of the systems saw the unknown user and deleted it locally from the computer, but the IT Department fears that the account could be a backdoor left by Bob. Can you help the IT Department out by giving them the name of the account?
A 1: gigem{Us3R_AuD!t_2!}

We can find this by looking through the event logs for login failures.

06_Hidden File

Q 1: The IT Department has tried to retrieve a file from Bob's Document's folder, but they can't seem to find it. Bob seems to have hidden this file very well. Could you see if you could find the file?
A 1: gigem{F!le_H!dD3n_xxxxxxxxjL09b5!Nk}

This was a tricky one to find. I had to go back to the live CD and do a forensic analysis of the file system, which revealed these files hidden in Alternate Data Streams. The 7zip was also encrypted, requiring that we solve the Chrome Login challenge first.
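As an added example (not from the original writeup), the PowerShell below covers the two evidence sources used in challenges 05 and 06: failed-logon events from the Security log, and files hidden in Alternate Data Streams. It assumes an elevated session on the booted image (or an exported Security.evtx passed via -LogPath); the Documents path in the usage line is a guess.

```powershell
# Added example, not part of the writeup. Requires Windows PowerShell 3+ / PowerShell 7.

function Get-FailedLogonAccounts {
    param([string]$LogPath)
    # Event ID 4625 = "An account failed to log on". Read the live Security log,
    # or an exported .evtx file when -LogPath is given.
    $filter = if ($LogPath) { @{ Path = $LogPath; Id = 4625 } }
              else          { @{ LogName = 'Security'; Id = 4625 } }
    Get-WinEvent -FilterHashtable $filter -ErrorAction Stop |
        ForEach-Object {
            # Pull the named EventData fields out of the event XML.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                TargetUser  = $d['TargetUserName']
                LogonType   = $d['LogonType']
                # SubStatus 0xC0000064 means the user name does not exist locally,
                # which is exactly the "unknown user" the question describes.
                SubStatus   = $d['SubStatus']
                Workstation = $d['WorkstationName']
            }
        }
}

function Get-AlternateDataStreams {
    param([Parameter(Mandatory)][string]$Path)
    # Every NTFS file has the unnamed ':$DATA' stream; any other stream is an ADS.
    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' }
        } |
        Select-Object FileName, Stream, Length
}

# Usage (paths are assumptions, adjust for the image):
Get-FailedLogonAccounts | Where-Object SubStatus -eq '0xc0000064' |
    Group-Object TargetUser | Sort-Object Count -Descending | Select-Object Name, Count
Get-AlternateDataStreams -Path 'C:\Users\bob\Documents' | Format-Table -AutoSize
```

Once a stream is located, `Get-Content -LiteralPath <file> -Stream <name>` (or `-Raw` for binary-ish content such as an archive) reads it out without copying the host file.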

07_Sticky Login

Q 1: Can you retrieve the document from the Administrator's Web Interface?
A 1: gigem{$t!cKy_L0g!n_P@ssw0rd_6!klpC4g}

Using our privesc trick from before (the sticky keys implant from the first challenge), we can browse through the file backup of the hidden admin user (Guest). In their backups we find a strange Chrome plugin. When we restore this plugin we find several notes, one of which contains the flag.