POC WCH CTF

January 03, 2022

WHITEHATCREW CTF 2022

Writeups for CTF

Posted on january 3.2022

Category : Cryptography

1.Beginner Cryptograph

First, we will get a code like this =[ YmFzZTY0X2lzX292ZXJyYXRlZA== ]

Then, we decode it to base64 -[ base64_is_overrated]

The answer will be WCH{base64_is_overrated}

2.Anencephaly

First, we will get a file name anencephaly

There is a code inside it

Decode it to base64 and we will get :

Use C++ coding in https://www.cct.lsu.edu/~hkaiser/spring_2015/csc1254/code/bf_interpreter.cpp

And we will get a new code : [V0hDe0FQQV9LQUlUQU5fRE99]

Decode it to base64 and get the answer = WHC{APA_KAITAN_DO}

3.Botak

First, we get a pyhton coding

Open it with IDLE and there is comment with a code

Run the python coding that given and use cipher decoder to get the answer

Then we will get the answer = WCH{unclePenatLahSiapaBuatNiMemangNakKenaPukul}

4.XORing

We will get a zip file name XORing.7z

Inside it there is some clue:-

The ascii value of the character %c is %d

Sum of the ascii value of a string is: %d

XOR this: 'ZENvU=_9=OKX^N9Y<=Cp'

Key is '0x0d'

The key need to change into ascii value and we will get the key is actually = [\r]

I used https://www.101computing.net/xor-encryption-algorithm/ to solve it

The answer is Cipher (Ascii form): WHC{X0R40BFUSC4T10N}

Category : FORENSIC

1.Beginner Forensics

We get a file named set1.pcap

Open it using wireshark and search for readable text

So the answer will be = WCH{5:What, me worry?}

2.1 Penceroboh-1

We will get zip file name Penceroboh.7z

Inside there is penceroboh.pcap, open it in wireshark

And search for readable text, we will found three different user

Find Authorization: basic [user and pass] and decode to base64

For now we need to search user start with A letter
The answer will be = WCH{aoursler:Id10tExpert}

2.2 Penceroboh-2

Search another user starts with B letter
The answer will be = WCH{brodgers:TheyPlayedWithGreatCharacter}

2.3 Penceroboh-3

Search the last user
The answer will be =WCH{dmoyes:IAmAFootballGenius}

3. Topi Putih

First, we will get zip file name topiputih.7z
Extract and we will see a white hat picture
Open it in notepad and you will get the answer =WHC{wh1t3_h4t_cr3w!}

Category : MALWARE

1.1 Malware A-1

First, we get a zip file name Infected.7z
Extract and open it using virustotal
Look at detail: Basics properties: SHA-256

And we will get the answer = WCH{ba47f657a4745c96a62c444100d6c38bbff772b47ac03e83dc3ef5d94bc1d77c}

1.2 Malware A-2

At virustotal too we can get the answer

The answer will be = WCH{BitRAT|185.244.30.28|mal100.troj.evad.winEXE@14/11@0/1}

1.3 Malware A-3

Open joesandbox link analysis joesandbox

And use sample name for the answer
So the answer will be = WCH{0kEuVjiCbh.exe}

1.4 Malware A-4

Also look on joesandbox analysis
Search for icon hash

The answer will be = WCH{f14cd6920f4d8ed4}

1.5 Malware A-5

Open threatfox.abuse
search for oic:185.244.30.28(host)
And we get the answer
The answer will be = WCH{161038|botnet.cc}

2 Malware B-1

First , we will get zip file name infected-2.7z
Extract it and open in virustotal
Search for dropped file

Then we will get the answer =WCH{services.exe:bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c}

3.1 Malware D-1

Same process like before, extract and open in virustotal
Search for the SHA256

So the answer will be =WHC{bfe041c715d002fb780c6a359080dbe2e711fc1808785f22fbed1d524fb761e8}

3.2 Malware D-2

If there is no dropped file we can use execution parents
So the answer will be = WCH{125acc541a506336ba47892211c91e472d94f9160fbcf5ed6b364cbc67f4b410}

3.3 Malware D-3

Search at behavior
Then we will get the answer

So the answer will be = WCH{SE_LOAD_DRIVER_PRIVILEGE}

4. Adventure time

Open the file
Go to bin
open the adventure time.bat
There we will get the answer = WHC{FUN_PR4NKS_L0NG_AG0}

Category : DARK WEB

1.TorPaste

Copy and paste in Tor browser

The answer will be = WHC{D4RK_W3B_B3G1NN3R}

that's all from me thank you <3

Comments