During the past few months, I have had the privilege of being the Events Administrator at Security Blue Team, and as part of that experience, I got to lead the Hilltop CTF event from May 23rd, 2020 – June 1st, 2020.
The following are the write-ups for the challenges that I developed personally; a link to the full Security Blue Team write-up is at the bottom.
Difficulty: 10 Points Category: Forensics
The challenge starts off with the following: A photographer was found dead in his apartment. Forensic investigators are looking for clues of what might have happened to him. They found a folder labeled Censored Photographs. Can you find any information on his passing?
The challenge also contained the following hint: EXIF
It included the following ZIP folder to analyze:
This challenge was meant for beginners to CTFs and to give players some easy points. After unzipping the folder, the following files were inside:
To get the flag for this challenge, the player had to use ExifTool or something similar to examine the EXIF data of the images.
To install ExifTool, the player would need to run the following (if running a Debian-based distro):
sudo apt install libimage-exiftool-perl
After installation, the player would be able to examine images using the following syntax:
exiftool <image name>
The flag was hidden inside man-walking-on-bridge-2083797.jpg, so after running
exiftool man-walking-on-bridge-2083797.jpg, the Comment field of the photo reveals the flag.
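ExifTool's Comment field is simply the JPEG COM marker segment, so it helps to see where in the file that text actually lives. The following is an added example (not part of the original write-up and not ExifTool's code) that walks the JPEG marker segments before the scan data, lists them, and pulls out every COM segment; it builds a constructed minimal JPEG header for offline testing, and the sample flag string and the file name in the usage comment are placeholders.

```python
import struct
import sys

# JPEG marker codes relevant to metadata work; all header segments sit before SOS.
SOI, EOI, SOS, COM = 0xD8, 0xD9, 0xDA, 0xFE


def marker_name(marker: int) -> str:
    """Human-readable name for a JPEG marker byte."""
    if 0xE0 <= marker <= 0xEF:
        return f"APP{marker - 0xE0}"          # APP1 usually carries the EXIF block
    return {COM: "COM", 0xDB: "DQT", 0xC4: "DHT", 0xC0: "SOF0", 0xC2: "SOF2"}.get(marker, f"0x{marker:02X}")


def jpeg_segments(data: bytes):
    """Yield (marker, payload) for every length-prefixed segment up to the first SOS."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        while data[pos + 1] == 0xFF:          # skip optional 0xFF fill bytes
            pos += 1
        marker = data[pos + 1]
        if marker in (SOS, EOI):              # entropy-coded image data follows SOS; metadata lives before it
            return
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:   # TEM / RSTn markers carry no length field
            pos += 2
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError(f"bad segment length {length} at offset {pos}")
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length


def jpeg_comments(data: bytes) -> list[str]:
    """Text of every COM segment; this is the field ExifTool reports as 'Comment'."""
    return [payload.decode("latin-1") for marker, payload in jpeg_segments(data) if marker == COM]


def segment_summary(data: bytes) -> list[str]:
    """Names of the header segments, e.g. ['APP0', 'APP1', 'COM'], to show where metadata can hide."""
    return [marker_name(m) for m, _ in jpeg_segments(data)]


def build_sample_jpeg(comment: str) -> bytes:
    """Constructed minimal JPEG header (JFIF APP0 + COM + stub SOS) for offline testing; not a real photo."""
    jfif = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    com = comment.encode("latin-1")
    return (b"\xff\xd8"
            + b"\xff\xe0" + struct.pack(">H", len(jfif) + 2) + jfif
            + b"\xff\xfe" + struct.pack(">H", len(com) + 2) + com
            + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
            + b"\xff\xd9")


if __name__ == "__main__":
    # Usage: python jpeg_comment.py photo.jpg  (falls back to the constructed sample when no file is given)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_jpeg("flag{constructed-sample}")
    print("segments:", segment_summary(data))
    for text in jpeg_comments(data):
        print("Comment:", text)
```

Running it on a real photo lists the APPn segments too, which is a quick way to tell whether a file carries an EXIF block (APP1) at all before reaching for the full tool.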
Something Smells Phishy
Difficulty: 25 Points Category: Analysis
The challenge starts off with the following: You have received an email from your Project Manager. However, it looks out of the ordinary. Investigate the source of the email.
The challenge also contained the following hints: Check the Sender (5 Points) and WHOIS/DNS Tools are powerful (10 Points)
It included an EML file that you could open in an email client or a text editor.
This challenge is based on one of the most common tasks of entry-level security professionals: blocking phishing or malicious emails. To solve this one, you would have needed to look at the DNS records for the different mail domains involved, including wendigo.pw, secureinthedeepblue.com, and invirtutedei.com. When looking up the DNS records for wendigo.pw on DNS Dumpster, the student would have found the flag as a TXT record.
Quick Side Note: I forgot to remove my personal email address from the return-path, resulting in an unintended rabbit hole. Sorry about that!
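Before any DNS or WHOIS lookups, the first job is pulling the candidate domains out of the message headers and noticing when they disagree with each other. The following is an added example, not the challenge's EML or the author's code: it uses Python's standard `email` package on a constructed sample message (the addresses, the relay hostname and the 192.0.2.10 address are made up for illustration; the three domains are the ones named in the write-up), collects the domains named by From, Reply-To, Return-Path, Message-ID and the Received chain, flags the mismatches, and prints the `dig`/`whois` commands for the next step.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample modelled on the challenge: a "Project Manager" mail whose routing headers
# point at domains other than the one displayed in From. Not the challenge's real EML.
SAMPLE_EML = """\
Return-Path: <bounce@invirtutedei.com>
Received: from mail.wendigo.pw (mail.wendigo.pw [192.0.2.10])
  by mx.example.test with ESMTPS; Sat, 23 May 2020 10:00:00 +0000
From: "Project Manager" <pm@secureinthedeepblue.com>
Reply-To: pm@wendigo.pw
To: analyst@example.test
Subject: Urgent: updated project files
Message-ID: <20200523100000.1@wendigo.pw>
Content-Type: text/plain; charset=utf-8

Please review the attached project files today.
"""

ADDRESS_HEADERS = ("From", "Sender", "Reply-To", "Return-Path")


def parse_eml(raw: str) -> EmailMessage:
    """Parse raw RFC 5322 text with the modern (non-compat32) policy."""
    return message_from_string(raw, policy=policy.default)


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].strip("<> ").lower()


def header_domains(msg: EmailMessage) -> dict[str, set[str]]:
    """Map each sender-related header to the set of domains it names."""
    found: dict[str, set[str]] = {}
    for hdr in ADDRESS_HEADERS:
        values = [str(v) for v in msg.get_all(hdr, [])]
        domains = {_domain(addr) for _, addr in getaddresses(values) if "@" in addr}
        if domains:
            found[hdr] = domains
    message_id = str(msg.get("Message-ID", ""))
    if "@" in message_id:
        found["Message-ID"] = {_domain(message_id)}
    # The hostname after "from" in each Received header is what that relay claimed to be.
    hops = set()
    for value in msg.get_all("Received", []):
        match = re.match(r"\s*from\s+([A-Za-z0-9.-]+)", str(value))
        if match:
            hops.add(match.group(1).lower())
    if hops:
        found["Received"] = hops
    return found


def all_domains(domains: dict[str, set[str]]) -> set[str]:
    """Every domain seen in any header: the list to feed into DNS/WHOIS lookups."""
    return set().union(*domains.values()) if domains else set()


def sender_mismatches(domains: dict[str, set[str]]) -> list[str]:
    """The classic tell: From shows one domain while replies, bounces or the Message-ID go elsewhere."""
    from_domains = domains.get("From", set())
    findings = []
    for hdr in ("Reply-To", "Return-Path", "Message-ID"):
        others = domains.get(hdr, set())
        if others and not (others & from_domains):
            findings.append(f"{hdr} {sorted(others)} does not match From {sorted(from_domains)}")
    return findings


def lookup_commands(domains: set[str]) -> list[str]:
    """Shell commands for the next step in the write-up: pulling TXT records and WHOIS data."""
    return [f"dig +short TXT {d}" for d in sorted(domains)] + [f"whois {d}" for d in sorted(domains)]


if __name__ == "__main__":
    found = header_domains(parse_eml(SAMPLE_EML))
    for hdr, doms in found.items():
        print(f"{hdr:12} {', '.join(sorted(doms))}")
    for finding in sender_mismatches(found):
        print("MISMATCH:", finding)
    print("\n".join(lookup_commands(all_domains(found))))
```

Received headers are only trustworthy from your own mail servers inward; the first hop's "from" hostname is whatever the sending host asserted, which is exactly why the write-up sends you to DNS and WHOIS rather than trusting the headers on their own.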
Deep Dark Forest
Difficulty: 50 Points Category: OSINT
The challenge starts off with the following: You work as a security researcher and you recently have come across some phishing emails. After some research you found that they are linked to a hacker group called the Druids or DOC. Find their hidden website.
The challenge also contained the following hints: Tweet Tweet (5 Points), Find the link to the Dumped Creds (10 Points), and From the Dumped Creds, Go to the Dark Web. There you will find your answers (15 Points).
Starting this challenge, you can go at it from a few different angles, but one of the first places I check when conducting OSINT is social media platforms, because of the ease of use and the fact that people love to post more than they should. By far the most common social media platform I've seen used in this manner is Twitter, so that is where the player would want to go.
By searching for either of these queries, #DOC AND #hilltop or #druids AND #DOC, you would have been able to find the Twitter account the group used, @druids_of
When looking at their past tweets, there are two MEGA links posted: the first, on April 17th, leads to an empty MEGA folder, and the second, on May 7th, leads you to the next part of the puzzle.
The mega link will take you to a Word Document called 68.docx
After downloading the file, you will open it and see the following inside:
By the way the characters look, we can tell that the information is in hexadecimal format. That's no problem! By opening up our handy CyberChef, we can decode it and see the following onion link inside:
So I know what you're thinking: Oh no! That's an onion link, which means I need to go on Tor. And that is correct! If you don't already know how to access Tor, it's as simple as going to their website and downloading the browser. After opening your Tor Browser, you will want to navigate to the link it showed: http://4fauv4kildn4e4qb.onion. On this page you will see the following:
This page is used merely as a cover; you will need to look at the page's source code (right click -> View Source), and then you would see the following:
Okay, now we have a new lead. By the look of it, that string of text is encoded in Base64. After decoding it in CyberChef, you will get the new address: http://4lay3l2aifrr7rxk.onion/ Open up a new tab in your browser and go to that address.
Congratulations! You found their website! Now, where could that flag be? After poking around, you view the source code again, and there it is!
Another 50 points earned!
Easter Egg Hunt
Difficulty: 50 Points Category: OSINT/Password Cracking
The challenge starts off with the following: Secure in the Deep Blue is at it again! Go to their website and follow the rabbit trail to reach the password list to crack these company documents.
The challenge also contained the following hints: secureinthedeepblue.com (5 Points) and Some strings may be double or triple encrypted (10 Points).
It included a ZIP file that contained some company documents:
So this challenge was a bit unfair at times, but let's look at how to solve it, even if you banged your head against a wall trying to decode some things.
First things first, we need to find Secure in the Deep Blue's website. This is as easy as typing secureinthedeepblue into any search engine or guessing their website domain.
After going onto the website, you will be greeted with a beautiful blue ocean, but that is not what you are here for! You can navigate across the various pages, but the one you want is under the What We Do tab and that is where the hunt begins! There are seven eggs in all that you need to collect.
By going to the first egg, you will land at https://pastebin.com/YHkkEG9u and are presented with the following:
Alright! Easy enough. There is going to be a lot of baking today with CyberChef, so you will want to keep that tab handy. The way these pastes were structured, the top half was a random method of encryption/encoding, which was the egg, and the second half was the next stop on the bunny trail.
By using CyberChef's From Binary recipe, we can see that the first egg says Secure.
When decoding the first trail, we see that it shows Secureinthedeepblue.com/Shawn (Please note: all of the trails are in decimal format, so I won't show what it looks like in CyberChef after this one.)
So now that we have that done, off to the next part of the trail! Looks like we came to a password-protected page; use the first egg to unlock it.
Now that we have found the next egg, let's unlock its secrets by going to https://pastebin.com/gzTuBjFY
This is where it starts to get tricky: to decode this egg, we will need to use the From Binary and From Octal recipes together to get the second egg, In.
By using the From Decimal recipe, we can see that the next trail leads us to Secureinthedeepblue.com/Raj.
So now that we have that done, off to the next part of the trail! Looks like we came to another password-protected page; use the second egg to unlock it.
Now that we have found the next egg, let's unlock its secrets by going to https://pastebin.com/arwqu5ZS
To decode this egg, you will want to use the From Binary, From Base62, From Base58 and then From Base32 recipes to get the third egg, the. (I made a lot of enemies on this one!)
By using the From Decimal recipe, we can see that the next trail leads us to Secureinthedeepblue.com/Mary.
So now that we have that done, off to the next part of the trail! Looks like we came to another password-protected page; use the third egg to unlock it.
Now that we have found the next egg, let's unlock its secrets by going to https://pastebin.com/ymRUihYc
To decode this egg, you will want to use the From Binary recipe to get the fourth egg, deep.
By using the From Decimal recipe, we can see that the next trail leads us to Secureinthedeepblue.com/Martin.
So now that we have that done, off to the next part of the trail! Looks like we came to another password-protected page; use the fourth egg to unlock it.
Now that we have found the next egg, let's unlock its secrets by going to https://pastebin.com/hXQ63QGv
To decode this egg, you will want to use the From Binary and From Octal recipes to get the fifth egg, blue.com.
By using the From Decimal recipe, we can see that the next trail leads us to Secureinthedeepblue.com/Kylie.
So now that we have that done, off to the next part of the trail! Looks like we came to another password-protected page; use the fifth egg to unlock it.
Now that we have found the next egg, let's unlock its secrets by going to https://pastebin.com/YWe4GAXV
To decode this egg, you will want to use the RC2 Decrypt recipe to get the sixth egg, /master. (This was the second one where people probably hated me.)
By using the From Decimal recipe, we can see that the next trail leads us to Secureinthedeepblue.com/Anita.
So now that we have that done, off to the next part of the trail! Looks like we came to another password-protected page; use the sixth egg to unlock it.
Now that we have found the next egg, let's unlock its secrets by going to https://pastebin.com/yfS7panq
But wait! There isn't any encoding or decimals to decode. To find the last page, you would have needed to put all seven eggs together to form: SecureInthedeepblue.com/mastermind
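Every egg and trail on this hunt, and the hex and Base64 steps in Deep Dark Forest above, is just a stack of text encodings applied on top of each other, and the trick is running the inverses in the right order with the right alphabet. The following is an added example, not the original pastes and not CyberChef's code: a small Python recipe runner that implements the From Binary, From Octal, From Decimal, From Hex, From Base64, From Base32, From Base58 and From Base62 operations, plus the matching encoders used only to construct sample eggs (the egg texts here are constructed, not the real pastebin contents). It assumes CyberChef's default alphabets (Bitcoin-style Base58, 0-9A-Za-z Base62) and the convention that leading zero bytes encode as the alphabet's first symbol; the RC2 Decrypt step is not reproduced because its key is not given in the write-up.

```python
import base64

# Alphabets assumed here: Bitcoin-style Base58 and 0-9A-Za-z Base62 (CyberChef's defaults).
BASE58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
BASE62_ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _from_groups(text: str, base: int) -> bytes:
    """Whitespace-separated numbers, one byte each: 'From Binary', 'From Octal', 'From Decimal'."""
    return bytes(int(token, base) for token in text.split())


def _to_groups(data: bytes, base: int, width: int) -> str:
    fmt = {2: "b", 8: "o", 10: "d"}[base]
    return " ".join(format(b, fmt).zfill(width) for b in data)


def _bigint_decode(text: str, alphabet: str) -> bytes:
    """Base-N big-integer decode; a symbol outside the alphabet raises ValueError (wrong alphabet or order)."""
    text = text.strip()
    number = 0
    for ch in text:
        number = number * len(alphabet) + alphabet.index(ch)
    body = number.to_bytes((number.bit_length() + 7) // 8, "big")
    leading = len(text) - len(text.lstrip(alphabet[0]))   # leading zero bytes encode as the first symbol
    return b"\x00" * leading + body


def _bigint_encode(data: bytes, alphabet: str) -> str:
    number, digits = int.from_bytes(data, "big"), ""
    while number:
        number, rem = divmod(number, len(alphabet))
        digits = alphabet[rem] + digits
    leading = len(data) - len(data.lstrip(b"\x00"))
    return alphabet[0] * leading + digits


DECODERS = {
    "From Binary": lambda t: _from_groups(t, 2),
    "From Octal": lambda t: _from_groups(t, 8),
    "From Decimal": lambda t: _from_groups(t, 10),
    "From Hex": lambda t: bytes.fromhex(t),
    "From Base64": lambda t: base64.b64decode(t),
    "From Base32": lambda t: base64.b32decode(t),
    "From Base58": lambda t: _bigint_decode(t, BASE58_ALPHABET),
    "From Base62": lambda t: _bigint_decode(t, BASE62_ALPHABET),
}
ENCODERS = {  # inverse of each decoder; used only to construct sample eggs
    "From Binary": lambda b: _to_groups(b, 2, 8),
    "From Octal": lambda b: _to_groups(b, 8, 3),
    "From Decimal": lambda b: _to_groups(b, 10, 0),
    "From Hex": lambda b: b.hex(),
    "From Base64": lambda b: base64.b64encode(b).decode("ascii"),
    "From Base32": lambda b: base64.b32encode(b).decode("ascii"),
    "From Base58": lambda b: _bigint_encode(b, BASE58_ALPHABET),
    "From Base62": lambda b: _bigint_encode(b, BASE62_ALPHABET),
}


def bake(text: str, recipe: list[str]) -> str:
    """Run a CyberChef-style recipe top to bottom; each step's output bytes feed the next step as text."""
    for step in recipe:
        text = DECODERS[step](text).decode("latin-1")
    return text


def cook(plaintext: str, recipe: list[str]) -> str:
    """Build the layered text that bake(_, recipe) unwraps back to plaintext (inverses applied in reverse)."""
    data = plaintext.encode("latin-1")
    for step in reversed(recipe):
        data = ENCODERS[step](data).encode("latin-1")
    return data.decode("latin-1")


# Constructed eggs and trails that mirror the recipe chains in the write-up (the real pastes are not reproduced).
EGGS = {
    "egg 1": (cook("Secure", ["From Binary"]), ["From Binary"]),
    "egg 2": (cook("In", ["From Binary", "From Octal"]), ["From Binary", "From Octal"]),
    "egg 3": (cook("the", ["From Binary", "From Base62", "From Base58", "From Base32"]),
              ["From Binary", "From Base62", "From Base58", "From Base32"]),
    "trail": (cook("Secureinthedeepblue.com/Shawn", ["From Decimal"]), ["From Decimal"]),
    "onion": (cook("http://example.onion", ["From Hex"]), ["From Hex"]),   # placeholder address
}


def solve_all() -> dict[str, str]:
    """Decode every constructed egg with its recipe."""
    return {name: bake(text, recipe) for name, (text, recipe) in EGGS.items()}


if __name__ == "__main__":
    for name, (text, recipe) in EGGS.items():
        print(f"{name}: {text[:40]}...  [{' > '.join(recipe)}]  ->  {bake(text, recipe)}")
```

The reason a chain like egg 3 is so easy to get wrong is that Base58 and Base62 look alike but use different alphabets, so a step in the wrong order usually fails loudly with a symbol that is not in the alphabet rather than quietly producing garbage; `_bigint_decode` keeps that behaviour on purpose.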
Once you went to that URL, you would enter the same URL as the password, and that would unlock the password list you needed to crack open the User Folders!
One way to break into the ZIP files was to use the tool fcrackzip, which can be installed (on Debian-based distros) using the following command:
sudo apt-get install fcrackzip
After installation, you would use the following command to crack open the file:
fcrackzip -v -u -D -p PasswordList.txt UserFolder.zip
The -v switch makes the command more verbose, -u tells fcrackzip to verify candidates with unzip to weed out wrong passwords, -D selects a dictionary-based attack, and -p specifies the file (the password list) the attack should use.
Success! The password to the zip folder is s3cure2020.
Using that password, you are able to navigate through the directories and find a file called Ascii.txt (UserFolder/John/Work/Spring 2020/New Website/Ascii.txt), which contained an ASCII Easter egg and is where the flag was hidden!
Thanks again to all of the 550+ players who participated in this event and to all of the content engineers who made this event possible.
You can find the rest of the writeups here: https://securityblue.team/hilltop-ctf-blog/