icmp packet data contains the chars of the flag
tshark -r traffic.pcap -Y "icmp" -T fields -e data | xxd -r -p > tes.txt
by using protocol hierarcy we know that the mainly used protocol is SMB, and we can saw that there are encrypted SMB3 protocol.
based on the reference we have 3 ways to decrypt the encrypted data. and we use this one.
first we need to know which packet that contains the auth between the client and server
we use this commands to dump the data we needed to decrypt the SMB3 packets
tshark -n -r wgmy-ohman.pcapng -Y 'ntlmssp.messagetype == 0x00000003' -T fields -e ntlmssp.auth.username -e ntlmssp.auth.domain -e ntlmssp.ntlmv2_response.ntproofstr -e ntlmssp.auth.ntresponse > dump.txt
tshark -n -r wgmy-ohman.pcapng -Y 'ntlmssp.messagetype == 0x00000002' -T fields -e ntlmssp.ntlmserverchallenge > dum
p2.txt
tidy it into format that given in the reference
and then use hashcat to find the correct passphrase
hashcat -O -a 0 -m 5600 dump.txt /usr/share/wordlists/rockyou.txt
after that we can use the passphrase to decrypt the NTLM Packets that we will use to find more data to decrypt the SMB3 packets.
here, we need to find the session id we need to specify which sessionkey of the SMB we will retrieve. since there are many attempt we need can choose it by finding which attempt that has sessionId
this sessionId is used to decrypt the encrypted session key using parameter we've got before and using this script
from Crypto.Cipher import ARC4
from Crypto.Hash import MD4, MD5, HMAC
password = 'password<3'
passwordHash = MD4.new(password.encode('utf-16-le')).hexdigest()
username = 'Administrator'
domain = 'DESKTOP-PMNU0JK'
ntProofStr = 'ae62a57caaa5dd94b68def8fb1c192f3'
serverChallenge = '7aaff6ea26301fc3'
sessionKey = '12140eb776cb74a339c9c75b152c52fd'
responseKey = HMAC.new(bytes.fromhex(passwordHash), (username.upper()+domain.upper()).encode('utf-16-le'), MD5).digest()
keyExchangeKey = HMAC.new(responseKey, bytes.fromhex(ntProofStr), MD5).digest()
decryptedSessionKey = ARC4.new(keyExchangeKey).decrypt(bytes.fromhex(sessionKey))
print('Decrypted SMB Session Key is: {}'.format(decryptedSessionKey.hex()))
and then we use it with the session key to decrypt the SMB protocol
after we've got the decrypted SMB, we can analyze the data that are exfiltrated. we can saw that it has 5 files that are being transported.
the nano.exe when i try to find out it seems to be nanodump.exe that usually used to dump LSA. and from this file we've got some hint related to the LSA minidump data.
by analyzing the .log file it seems to be broken, and we can use this script to restore it
https://github.com/fortra/nanodump/blob/main/scripts/restore_signature
this chall is a memory forensic. usually when doing this kind of challs we will check the program that has been ran. so we can use volatility plugin such as pslist. here we can saw that there is crypt.exe process that seems to be suspicious
i crosschecked it by checking the cmdline and noticed that the executable is ran by cmd (specifically by conhost)
so i dumped it using vol -f evidence.dmp windows.dumpfiles --virtaddr 0xtheoffsetoftheexe by filling the offset from the value i got by using windows.filescan and grep "crypt.exe"
after i've got the executable i decompile it using pyinstxtractor and convert the bytecode using pylingual
we can notice that the exe is encrypted some files, i try to find the file but couldnt find anything.
noticed that the key is taken from pastebin raw file, i try to access it and found the flag
the flag is in the pastebin on the decompiled code
based on the chall name we know that the file has "unwanted meow".
so we create a script to clean "meow" from raw data of the file and saved it as jpeg since the header is jpg magic bytes.
# Script to process flag.shredded and save as flag.jpg
input_file = "flag.shredded"
output_file = "flag.jpg"
try:
# Read the raw data from the input file
with open(input_file, "rb") as file:
raw_data = file.read()
# Replace occurrences of "meow" with an empty string
cleaned_data = raw_data.replace(b"meow", b"")
# Save the cleaned data as the output file
with open(output_file, "wb") as file:
file.write(cleaned_data)
print(f"Processed file saved as {output_file}")
except FileNotFoundError:
print(f"Error: {input_file} not found.")
except Exception as e:
print(f"An error occurred: {e}")
after that, we got the files but its still broken
and when analyzing it again, we notice that it still has "meow" junk
so we clean it once more by running the script
using frame browser, stegsolve
open gif using stegsolve and found 2 sus frame
extract both of 2 frame and we can saw that it has the content of the flag.
i saved it into 2 images and then combine it using image combiner in the stagesolve
sort the readable strings from the raw data using the given indices
# The list of indices provided in the challenge
indices = [25, 10, 0, 3, 17, 19, 23, 27, 4, 13, 20, 8, 24, 21, 31, 15, 7, 29, 6, 1, 9, 30, 22, 5, 28, 18, 26, 11, 2, 14, 16, 12]
# Read the binary file
file_path = 'challenge.dcm' # Update with the actual file path if needed
with open(file_path, 'rb') as file:
file_content = file.read()
# Decode the file content to extract readable ASCII characters
readable_data = ''.join(chr(byte) for byte in file_content if 32 <= byte <= 126)
# Remove 'WGMY' from the readable data
cleaned_data = readable_data.replace("wgmy", "")
# Extract characters from the cleaned data using the indices
flag = ''.join(cleaned_data[i] for i in indices)
# Wrap the flag in wgmy{} as per the challenge instructions
formatted_flag = f"WGMY{{{flag}}}"
# Print the flag
print(formatted_flag)
└─$ python3 1.py
wgmy{51fadeb6cc77504db336850d53623177}
rot bruteforce
this game is packed with Enigma Virtual Box so we will use evbunpack to unpack it
the resulted unpack data contains some json that we can manipulate to hack the game. here i manipulate the weapon damage and armor defense as 9999 so i'll be in god mode
everytime we've defeated the boss we will got the flags.
after defeating final boss, this pw is the same with the one we got from Map006.json (but its on ascii code)
got pw from viewing Map006.json data
we will submit the pw to the orb that we interact in the final map and we will got flag 5 item that is a qr
got flag 5 with this qr
3fcaac2}
part 4 is hidden in the lava map, unlocked after defeating the boss
43effd
full flag: wgmy{5ce7d7a7140ebabf5cd43effd3fcaac2}