HeroCTFv6 - Moo

Writeup - Moo

Difficulty : easy

Statement

Just read the flag, it’s all there.

Credentials : user:password

Deploy on deploy.heroctf.fr

  • Format : Hero{flag}
  • Author : Log_s

Solve

ssh [email protected] -p 14912
The authenticity of host '[dyn04.heroctf.fr]:14912 ([172.232.42.224]:14912)' can't be established.
ED25519 key fingerprint is SHA256:8UwtZVfNTvorDdtJPF7cu2Kv3+f80osZROhuWohi46A.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[dyn04.heroctf.fr]:14912' (ED25519) to the list of known hosts.
[email protected]'s password: 
Linux moo 6.1.0-25-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.106-3 (2024-08-26) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
 ______________________________________________________
/ Welcome dear CTF player! You can read the flag with: \
\ /bin/sudo /bin/cat /flag.txt. Or can you?...         /
 ------------------------------------------------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||
user@moo:~$ ls -al /flag.txt 
-r-------- 1 root root 22 Oct 25 18:18 /flag.txt

We are in a restricted shell :

Midnightflag 2024 - I want my tickets back

Info
Hello everyone, I created a forensic challenge for the 2024 edition of Midnight Flag CTF in collaboration with @Niceclear. The challenge was divided into 5 parts. Here is the writeup

Writeup - I want my tickets back

Difficulty: easy to medium

Warning
Be careful when handling files

Step 1

Statement

Jean discovered a package in his mailbox. Inside was a USB key and a letter announcing that he had won tickets to the Paris 2024 Olympic Games. The letter specified that the tickets were on the USB key. Intrigued, Jean inserted the key into his computer and opened the file : an information note in HTML format. As instructed, the ticket downloaded automatically. After consulting his ticket, John realized that it was all a hoax and, disappointed, he went away for a few days. When John returned, he was stunned to find that he was now unable to open his files. All now had the .enc extension.

Cyberdefenders - EscapeRoom

EscapeRoom

Info

  • Category : Digital Forensics
  • SHA1SUM : 4dd5e257c4bef0f950a37bb1e401f3dd990929bf
  • Published : Aug. 18, 2020, midnight
  • Author : The HoneyNet Project
  • Size : 15 MB
  • Tags : PCAP Wireshark Linux Network

Unzip the challenge (pass: cyberdefenders.org) and use your analysis tools to examine provided PCAPs and log files.

Scenario

You as a soc analyst belong to a company specializing in hosting web applications through KVM-based Virtual Machines. Over the weekend, one VM went down, and the site administrators fear this might be the result of malicious activity. They extracted a few logs from the environment in hopes that you might be able to determine what happened.

Cyberdefenders - Hammered

Hammered

Info

  • Category : Digital Forensics
  • SHA1SUM : c5282824e485cbafe4b13a942759fd6720433929
  • Published : Oct. 25, 2020, midnight
  • Author : The HoneyNet Project
  • Size : 944 KB
  • Tags : Apache2 Honeypot Log Analysis WebServer

Unzip the challenge (pass: cyberdefenders.org), examine artifacts, and answer the provided questions.

Challenge Files

  • kern.log
  • auth.log
  • daemon.log
  • dmesg
  • apache2

Challenge

This challenge takes you into the world of virtual systems and confusing log data. In this challenge, as a soc analyst figure out what happened to this webserver honeypot using the logs from a possibly compromised server.

Cyberdefenders - Szechuan Sauce

Szechuan Sauce

Info

  • Category : Digital Forensics
  • SHA1SUM : bce93945a6637ad0ff0fa25eee4cf0c5f9639474
  • Published : Oct. 5, 2020, midnight
  • Author : James Smith
  • Size : 13 GB
  • Tags : PCAP Memory Windows Disk

Unzip the challenge (pass: cyberdefenders.org), examine artifacts, and answer the provided questions.

Challenge Files

  • 20200918_0417_DESKTOP-SDN1RPT.E01: EnCase image file format (2 GB)
  • 20200918_0417_DESKTOP-SDN1RPT.E02: EnCase image file format (2 GB)
  • 20200918_0417_DESKTOP-SDN1RPT.E03: EnCase image file format (2 GB)
  • 20200918_0417_DESKTOP-SDN1RPT.E04: EnCase image file format (2 GB)
  • autorunsc-citadel-dc01.csv
  • autoruns-desktop-sdn1rpt.csv
  • case001.pcap (189 MB)
  • citadeldc01.mem (2 GB)
  • DESKTOP-SDN1RPT.mem
  • E01-DC01
  • 20200918_0347_CDrive.E01: EnCase image file format (2.4 GB)
  • 20200918_0347_CDrive.E01.txt
  • 20200918_0347_CDrive.E02 EnCase image file format (2.2 GB)

Case Overview

Your bedroom door bursts open, shattering your pleasant dreams. Your mad scientist of a boss begins dragging you out of bed by the ankle. He simultaneously explains between belches that the FBI contacted him. They found his recently-developed Szechuan sauce recipe on the dark web. As you careen past the door frame you are able to grab your incident response “Go-Bag”. Inside is your trusty incident thumb drive and laptop.

Cyberdefenders - The Crime

The Crime

Info

  • Category : Endpoint Forensics
  • SHA1SUM : 3eb40fd0257dd3bf7d7513e1423e54c8fced4706
  • Published : Sept. 29, 2023, 4 p.m.
  • Author : Infern0o
  • Size : 330 MB
  • Tags : Android ALEAPP sqlitebrowser
  • Password : cyberdefenders.org

Scenario

We’re currently in the midst of a murder investigation, and we’ve obtained the victim’s phone as a key piece of evidence. After conducting interviews with witnesses and those in the victim’s inner circle, your objective is to meticulously analyze the information we’ve gathered and diligently trace the evidence to piece together the sequence of events leading up to the incident.