First con experience plus CTF write-up

Updating this blog has taken a backseat to real life. After a crazy couple of months of searching, it looks like we’ll be moving into our new home in June.  Sometime after that I might be able to settle into a less chaotic routine.

This past weekend I attended my first security conference, BSides Chicago.

A contingent from Michigan all got on the same train in. We dubbed it Hackers on a Train.  Each person had to give a short presentation on the train ride, so I put together a short slideshow based on a bit of coding I’d been working on recently.  I might put it up here when it’s in a more polished state, but for now only those who were present know my secrets….

BSides Chicago was a fantastic experience with a lot of interesting talks, great people, and a Capture the Flag (CTF) event.  The efforts of the organizers (@securitymoey and @elizmmartin)  and volunteers (too many to name) really showed.  I’ve participated in a few CTFs with #misec, but this was the first time I got to work on one at the event hosting it.

This time around, we couldn’t field much of a team with #misec, since many of our usual CTF participants contributed challenges towards the cross-city BSides Chicago / BSides Detroit CTF. Luckily for my final scoring, I did have one teammate, Zandi, who used his lockpicking skills to get the flags tied to the Toool booth.

The computer based challenges were all on me. Here’s my write-up for one of the more interesting ones that I solved.

Phone Home Write-up:

The premise of this challenge was that a piece of malware was discovered attached to a Word document, and we needed to discover where that malware was communicating back to.
The first hurdle was that my antivirus killed the document upon download. Blindly trusting the CTF organizers, I disabled the antivirus and got the file.
I opened the file in Notepad++ to see what dangers lay inside.


click to embiggen

So, there’s a huge block in there that looks like a binary of a separate file.  Staying in Notepad++, I copied the block to a new file, stripped out the ‘&H’ characters, and was left with the hexadecimal representation of a file.  The first two bytes were 4D 5A.  Coincidentally, I had just seen @jwgoerlich’s excellent talk where that same header was pointed out  as the indicator of a Windows executable file.

So next, I fired up a hex editor (HxD), and pasted in the bytes.  Then I could save it out as an EXE. In case there was any checks for it somewhere, I gave it the same randomized name that was expected from the Word macros that were meant to trigger the code installation (AeAIJGcsSqmKdm.exe).  I tried running it and it showed up as a background process.

This is where I hit a wall.  A hint was given out that the key was going to be an IP address, but I had blanked on what to do next.  I wasted some time looking at the macro code inside the original Word document, and switched gears to work on some other challenges.  Later, while walking through Chicago with some #misec colleagues, it hit me.  In retrospect it should have been obvious, but I needed to check my outgoing TCP connections while running that executable!

When I got back to my computer  I launched the executable again, and then ran:
netstat -naob

The ‘b’ switch in netstat (on Windows only) identifies the executable attached to the network connection, so I could easily see my answer.


Flag: Captured!

I entered and completed the challenge!


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s