Cyber Investigator CTF – Cyber Crime Writeup

kangwijen


Welcome to the fourth and last part of the Cyber Investigator CTF writeup. Cyber Investigator CTF is a jeopardy-style CTF organized by the Cyber Security Society of Cardiff University. This CTF is tailored towards enthusiasts in OSINT (Open-Source Intelligence), Threat Intelligence, digital forensics, and more. In this writeup, I’ll be explaining the Cyber Crime section challenges.

mysterymachine

We are given a MAC address: 00:0a:95:10:e2:1b, and asked to find the device's manufacturer. To do this, we use an online OUI (Organizationally Unique Identifier) lookup tool. A quick Google search for "OUI Lookup" brings up websites that offer this service. By entering the MAC address into one of these tools, we can quickly find out the name of the manufacturer.

mulemobile

We need to find the weight difference of a smartphone using its IMEI "352602081794916". By entering the IMEI on a site like imei.info, we get the phone's original weight. We then subtract the current weight from the original to find the difference, which is the answer.

databreach

We are given Elon Musk’s email address: elon.musk@gmail.com, and the task is to find the name of the company where it appeared in a data breach. To do this, we can use a tool like haveibeenpwned, which checks if an email has been involved in any known data breaches. By entering the email into the site, we can see which company’s data was leaked and where the email was found. That company’s name is the answer to the challenge.

stencil

We are given an image with a unique font and asked to find its name. To do this, we use a font recognition tool called WhatFontIs, which we found by Googling "font finder." By uploading the image to the website, the tool analyzes the font and identifies its name, which is the answer to the challenge.

unmonitored

We are given a text file with a game script and asked to find out which game it's from. To start, we search parts of the script on Google. This leads us to a wiki page called Pawn Tutorial, which explains the Pawn scripting language used in games. We then search for "pawn scripting online game", which brings up several tutorial sites. By exploring these, we find the name of the online game that uses this scripting language. That game is the answer to the challenge.

nationstate

We are given a network traffic log file related to an attack and asked to find the two countries involved.

REQUESTING IP ADDRESS, DATETIME, REQUEST URL, HTTP VERSION, HTTP RESPONSE, BYTES SENT, REFERER, USER AGENT

175.45.176.212 - - [14/Jan/2021:16:00:16 +0300] "GET /vips/%u0412%u043B%u0430%u0434%u0438%u043C%u0438%u0440%20%u041F%u0443%u0442%u0438%u043D/ HTTP/1.1" 200 18298 "-" "Java/1.6.0_24" "-"
175.45.176.180 - - [14/Jan/2021:16:00:16 +0300] "\x03\x00\x00)$\xE0\x00\x00\x00\x00\x00Cookie: mstshash=NCRACK_USER" 400 173 "-" "-" "-"
175.45.176.212 - - [14/Jan/2021:16:00:16 +0300] "GET /%u0412%u043B%u0430%u0434%u0438%u043C%u0438%u0440%20%u041F%u0443%u0442%u0438%u043D/ HTTP/1.1" 200 18390 "-" "Java/1.6.0_24" "-"
175.45.176.180 - - [14/Jan/2021:16:00:16 +0300] "\x03\x00\x00)$\xE0\x00\x00\x00\x00\x00Cookie: mstshash=NCRACK_USER" 400 173 "-" "-" "-"
175.45.176.180 - - [14/Jan/2021:16:00:16 +0300] "\x03\x00\x00)$\xE0\x00\x00\x00\x00\x00Cookie: mstshash=NCRACK_USER" 400 173 "-" "-" "-"
175.45.176.212 - - [14/Jan/2021:16:00:16 +0300] "GET /documents/staff-roster.doc HTTP/1.1" 200 33660 "-" "Java/1.6.0_24" "-"

The first part is straightforward: by looking at the requesting IP addresses on the left side of the log and checking them with Cisco Talos, we can identify the first country.

The second part is trickier. After some trial and error, we discover that a specific part of the log needs to be decoded:

/vips/%u0412%u043B%u0430%u0434%u0438%u043C%u0438%u0440%20%u041F%u0443%u0442%u0438%u043D/

Pasting this into CyberChef and using the URL Decode function reveals a familiar name, which helps us identify the second country, the one the person is associated with.
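As an added example (not part of the original writeup), the script below does the same analysis offline over the six log lines quoted above: it lists the requesting IPs for a reputation lookup, decodes the non-standard %uXXXX escapes in the request path (plain URL decoders such as urllib leave them untouched), and flags the lines where an RDP connection request hit the web port.

```python
import re
from urllib.parse import unquote

# The six access-log lines quoted in the writeup, embedded verbatim. A raw string keeps the
# literal "\x03..." text that the web server produced when it escaped the RDP probe bytes.
SAMPLE_LOG = r"""
175.45.176.212 - - [14/Jan/2021:16:00:16 +0300] "GET /vips/%u0412%u043B%u0430%u0434%u0438%u043C%u0438%u0440%20%u041F%u0443%u0442%u0438%u043D/ HTTP/1.1" 200 18298 "-" "Java/1.6.0_24" "-"
175.45.176.180 - - [14/Jan/2021:16:00:16 +0300] "\x03\x00\x00)$\xE0\x00\x00\x00\x00\x00Cookie: mstshash=NCRACK_USER" 400 173 "-" "-" "-"
175.45.176.212 - - [14/Jan/2021:16:00:16 +0300] "GET /%u0412%u043B%u0430%u0434%u0438%u043C%u0438%u0440%20%u041F%u0443%u0442%u0438%u043D/ HTTP/1.1" 200 18390 "-" "Java/1.6.0_24" "-"
175.45.176.180 - - [14/Jan/2021:16:00:16 +0300] "\x03\x00\x00)$\xE0\x00\x00\x00\x00\x00Cookie: mstshash=NCRACK_USER" 400 173 "-" "-" "-"
175.45.176.180 - - [14/Jan/2021:16:00:16 +0300] "\x03\x00\x00)$\xE0\x00\x00\x00\x00\x00Cookie: mstshash=NCRACK_USER" 400 173 "-" "-" "-"
175.45.176.212 - - [14/Jan/2021:16:00:16 +0300] "GET /documents/staff-roster.doc HTTP/1.1" 200 33660 "-" "Java/1.6.0_24" "-"
"""

# Combined log format: ip ident user [timestamp] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

def decode_url_path(path: str) -> str:
    """Expand the non-standard %uXXXX escapes to their Unicode code points first,
    then let urllib handle the ordinary %XX escapes such as %20."""
    text = re.sub(r"%u([0-9A-Fa-f]{4})", lambda m: chr(int(m.group(1), 16)), path)
    return unquote(text)

def parse_log(text: str) -> list:
    """Parse each line into a dict; GET lines also get their decoded request path."""
    entries = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip anything that is not combined-log format
        entry = m.groupdict()
        parts = entry["req"].split(" ")  # "METHOD /path HTTP/x.y" for real HTTP requests
        entry["path"] = decode_url_path(parts[1]) if len(parts) == 3 else None
        entries.append(entry)
    return entries

def source_ips(entries) -> list:
    """Unique requesting IPs, the values to check against a reputation service."""
    return sorted({e["ip"] for e in entries})

def rdp_probe_hits(entries) -> list:
    """Lines where an RDP connection request (its 'mstshash=' cookie) was sent to the web port;
    the server answered 400 and the cookie value names the ncrack brute-forcing tool."""
    return [e for e in entries if "mstshash=" in e["req"] and e["status"] == "400"]
```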

stolenidentity

In this challenge, we are given a disk image (.dd) file of a USB drive and asked to find the name shown in a passport stored on it. To solve this, we use a forensic tool called Autopsy. By opening the disk image in Autopsy, we can explore the contents of the USB drive. Using its search and analysis features, we locate the passport file and extract the name, which is the answer to the challenge.

remoteaccess

We are given an SSH private key and asked to find its passphrase. To do this, we use a tool called John the Ripper along with a wordlist like rockyou. First, we convert the SSH key into a hash format that John the Ripper can read. Then, we run John the Ripper against that hash using the rockyou wordlist. Eventually it finds the correct passphrase, which is the answer to the challenge.

d3c0d3r

In this challenge, we are given two parts: one in hex and the other in binary. We use CyberChef to decode them by applying the "From Hex" and "From Binary" functions. The first part is not that useful.

In the second part, the output is a set of Roman numerals. After converting them to regular numbers, we get a string of digits that looks like coordinates. We enter these numbers into Google Maps and find that they point to a real location.

And there we have it. Thank you for taking the time to read through this.