daffainfo
/
ctf-writeup
mirror of https://github.com/daffainfo/ctf-writeup.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

feat: added TetCTF

main
daffainfo 2024-01-29 07:42:41 +07:00
parent b1ee240294
commit fcd4cdb0ee
7 changed files with 45 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
2024/TetCTF 2024/README.md Normal file
View File

@ -0,0 +1,6 @@
# TetCTF 2024
CTF writeup for TetCTF 2024. I took part in this CTF competition with the HCS team and secured the 8th place out of 838 teams
| Category | Challenge |
| --- | --- |
| Misc | [TET & 4N6](/2024/TetCTF%202024/TET%20&%204N6/)

37
2024/TetCTF 2024/TET & 4N6/README.md Normal file
View File

@ -0,0 +1,37 @@
# TET & 4N6
> Tet is coming, TetCTF is coming again. Like every year, I continued to register to play CTF, read the rules to prepare for the competition. After reading the rules, my computer seemed unusual, it seemed like it was infected with malicious code somewhere. Can you find out?
> Find the malicious code and tell me the IP and Port C2
> What was the first flag you found?
> After registering an account, I no longer remember anything about my account. Can you help me find and get the second flag?
> Format : TetCTF{IP:Port_Flag1_Flag2}
> Ex: TetCTF{1.1.1.1:1234_Hello_HappyForensics}
## About the Challenge
We got 2 files, `Backup.ad1` and `TETCTF-2024-20240126-203010.raw` and we need to find the malicious code, first flag, and the second flag from these 2 forensic artefacts
## How to Solve?
First, we need to find the malicious code. If we open the `Backup.ad1` file using FTK Imager and go to `Roaming/Microsoft/Windows/`, you will find a dotm file.
And if you run `olevba` you will get the ip, port, and the first flag
![ip-port](images/ip-port.png)
And it the end of the VBA script, there is a Base64 encoded msg
![baes64](images/base64.png)
![flag 1](images/flag1.png)
And I managed to get the second flag using `strings` and `grep`
```
strings TETCTF-2024-20240126-203010.raw | grep "Flag 2"
```
![flag 2](images/flag2.png)
```
TetCTF{172.20.25.15:4444_VBA-M4cR0_R3c0v3rry_34sy_R1ght?}
```

BIN
2024/TetCTF 2024/TET & 4N6/images/base64.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 386 KiB

BIN
2024/TetCTF 2024/TET & 4N6/images/flag1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 182 KiB

BIN
2024/TetCTF 2024/TET & 4N6/images/flag2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 114 KiB

BIN
2024/TetCTF 2024/TET & 4N6/images/ip-port.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 301 KiB

2
README.md
View File

@ -44,6 +44,8 @@ List of CTF events that i have joined before
| New Year CTF 2024 | No | - |
| UofTCTF 2024 | Yes | [Link](/2024/UofTCTF%202024/) |
| KnightCTF 2024 | Yes | [Link](/2024/KnightCTF%202024/) |
| Mapna CTF 2024 | No | - |
| TetCTF 2024 | Yes | [Link](/2024/TetCTF%202024/) |
### Local Events
| Event Name | Writeup Available? | Writeup Link |