In light of recent events, I've decided that this is an excellent time to distract myself by actually learning Common Lisp instead of just setting up SBCL and SLIME and then getting distracted. So, I am working my way through Practical Common Lisp and doing some Huntress CTF challenges on the side.

#CommonLisp
#SBCL
#ctf
#HuntressCTF

We dropped the ball on those last few challenges with the #HuntressCTF because other life stuff got in the way, but I'm still really proud of my team! 😁
Now that #HuntressCTF has ended, I can say that I think it's pretty funny that #wezterm almost auto-solves one of the challenges...

This is a multipart challenge. All the flags can be found within the live Microsoft 365 instance that we’ll ssh into.

The clue is street address. I’m not too fluent in the capabilities of AADInternals, so the first thing I do is head over to the documentation.

If I do a search on ‘street’ I see that it’s part of an Output example for Get-AADintTenantDetails

Ok, let’s give that command a go.

And there’s the flag under the street value.

For the next one, it not-so-subtly says that Conditional Access Policies will be part of this, so again we reference the docs. Get-AADIntConditionalAccessPolicies seems like a good candidate.

Two for two.

Microsoft Teams will be our focus on the third one. There are dozens of Teams commands available within AADInternals. If we focus on "message", that will get us to Get-AADIntTeamsMessages.

Having the documentation for the syntax really helped on this one.

And for the last one, no, there isn't a Get-AADIntPresident command. That would be too easy. How about a command that will show us all the users?

Scrolling up through the output, we find that the President (PattiF) has a flag in the telephone number field.

4 out of 4.

Use the tag #HuntressCTF on BakerStreetForensics.com to see all related posts and solutions for the 2023 Huntress CTF.

https://bakerstreetforensics.com/2023/11/03/huntress-ctf-week-3-m-three-sixty-five/

#AADInternals #CTF #HuntressCTF #M365 #O365

Documentation

AAD Internals PowerShell module

Rock, Paper, Psychic

Do you want to play a game?

You can see the basic flow of the game above. You put in your choice, then after some calculation the game chooses, and what do you know – the game always makes the winning choice.

How about a nice game of Chess?

Having played the game a couple of times to get familiar with the flow, I ran the program using x64dbg.

Hit F9 a few times until the program gets to your input choice.

Once you've typed in your selection in the command window, go back to x64dbg. From here we will step over (F8) the instructions one by one.

Continue to hit F8, observing as the rest of the game text appears.

Global Thermonuclear War

In x64dbg, we see that the program tests two values and then does a JNE (Jump if Not Equal) to another function at 416C6A.

If we use the debugger and change this to JE (Jump if Equal):

Who you calling cheater?

Use the tag #HuntressCTF on BakerStreetForensics.com to see all related posts and solutions for the 2023 Huntress CTF.

https://bakerstreetforensics.com/2023/11/02/huntress-ctf-week-2-miscellaneous-rock-paper-psychic/

#CTF #DFIR #HuntressCTF #x64dbg

HuntressCTF – Baker Street Forensics

Posts about HuntressCTF written by Doug Metz

Baker Street Forensics

Huntress CTF: Week 2 – Steganography: Land Before Time

Land Before Time Here's what we see when we open the image. Exiftool doesn't have any interesting metadata. Let's toss it into iSteg. I think it found something. What about you? Use the tag #HuntressCTF on BakerStreetForensics.com to see all related posts and solutions for the 2023 Huntress CTF.

http://bakerstreetforensics.com/2023/11/02/huntress-ctf-week-2-steganography/


Huntress CTF: Week 1 – WarmUps

The team at Huntress pulled off an amazing CTF that ran through the month of October with new challenges released daily. In this series, I'll be providing my solutions to the challenges. WARNING Will Robinson, spoilers ahead! Use the tag #HuntressCTF to see all related posts. Technical Support There wasn't really a solve to this one, but I'm including it here for consistency.

http://bakerstreetforensics.com/2023/11/01/huntress-ctf-week-1-warmups/


My write-ups from the #HuntressCTF by #Huntress and @JohnHammond and colleagues.
I really enjoyed this #CTF; there were plenty of nice challenges, various categories, etc.

https://malwarelab.eu/posts/huntress-ctf-2023/

#CybersecurityAwarenessMonth #contest #reverseengineering #education

Huntress CTF 2023 - Write-ups :: MWLab — Ladislav's Malware Lab

During October 2023, I participated in the Huntress Capture the Flag contest. It started with a couple of warm-up challenges on the first day. Then they published one or two challenges every day. There were various categories, such as Warmups, Malware, Forensics, OSINT, Miscellaneous and Steganography. The difficulty levels differed from easy (usually very easy), medium (usually easy, but educative for new players) to hard (usually medium). A couple of "lolz" challenges had an extreme difficulty, and they were some kind of…what?

I don't usually love CTFs for learning, but a few of the #HuntressCTF challenges very skillfully placed me at my Zone of Proximal Development and got me to learn some new, powerful skills. Well done to @JohnHammond, HuskyHacks, and the entire Huntress team.
Vygotsky's Zone of Proximal Development

Vygotsky’s Zone of Proximal Development (ZPD) refers to the gap between what a learner can do independently and what they can achieve with guidance. Learning occurs most effectively in this zone, as the learner receives support from more knowledgeable individuals, such as teachers or peers, to help them reach the next level of understanding.

Simply Psychology

Throughout October, as part of Cyber Security Awareness Month, the team over at Huntress put on a ~30 day Capture the Flag event with 58 unique challenges.

First and foremost, kudos to the organizers for pulling off an event of this size and duration. There were only minor technical difficulties noticed throughout the month, and on more than one occasion those were due to people not observing the rules and using brute force tools where they weren’t needed (or allowed.)

Overall, I found the event to be a great learning experience that challenged me, increased my confidence, and gave me an avenue to pursue skills I want to develop further.

The challenges covered a wide area of subjects with the majority being DFIR related. The categories included:

  • Warm Ups (14)
  • Forensics (10)
  • Malware (16)
  • M365 (4)
  • OSINT (3)
  • Steganography (1)
  • Miscellaneous (10)

Today the final challenge of the event graced us with another lovely malware sample to analyze.

I was very pleased with myself at having solved nearly 80% of the challenges. There’s still another 20 or so hours to go, so we’ll see if that improves any further. The only categories I didn’t have 100% in were Miscellaneous and Malware. I think this is fair considering my skill levels. The Malware scenarios were appropriately challenging for someone newer to this area. This is an area that I’ve been developing my skills in more recently. I’m looking forward to seeing others’ write-ups on those challenges where I didn’t make it all the way through, and following along with my own data.

Tools used in the CTF

I added a number of new tools to my toolkit throughout the CTF, and got more experienced with some old friends as well. Depending on the challenge I switched between operating systems including macOS, REMnux (Linux), and a customized Windows VM with a plethora of malware analysis utilities. By the end of the event the tools used included:

  • PowerShell
  • Strings
  • CyberChef
  • Gimp
  • Curl
  • Firepwd.py
  • rita
  • the_silver_searcher
  • nmap
  • dcode.fr
  • meld
  • Cutter
  • Ghidra
  • Python
  • ChatGPT
  • Google Chrome Developer Tools
  • iSteg
  • exiftool
  • Google Lens
  • Google Maps
  • detonaRE
  • Process Monitor (procmon)
  • Visual Studio Code
  • Site Sucker
  • 7zip
  • Magnet AXIOM
  • olevba
  • x64dbg
  • AADInternals
  • Microsoft Excel
  • Event Viewer
  • chainsaw
  • PowerDecode
  • PowerShell ISE
  • rclone
  • Volatility3
  • hashcat
  • impacket

Write-Ups

Over the next few days I’ll be releasing the write-ups on how I solved each of the completed challenges. The organizers requested that no solutions be posted until 24 hours after the conclusion of the CTF.

Based on the amount of content, I’ll be breaking the write-ups down by week number (1-4) and challenge category.

Wednesday:

Thursday:

Friday:

Saturday:

You can follow along through the week, or come back on the weekend to read them all.

Once again, I want to extend my thanks to the Huntress team for a great event. I hope you’ll follow along with my solutions, and please comment with other ways to solve if you have them. It’s all about the learning.

Use the tag #HuntressCTF on BakerStreetForensics.com to see all related posts and solutions for the 2023 Huntress CTF.

https://bakerstreetforensics.com/2023/10/30/huntress-capture-the-flag-a-ctf-marathon/

#CTF #DFIR #Forensics #HuntressCTF #MalwareAnalysis
