Incredibly Covert Malware Procedures

Forensics [100 pts]

Description: We got hacked! Can you see what they took?

We are given a pcap file. Analysing it, we see it is almost entirely ICMP traffic. Looking at the first packet, the ICMP payload begins with the PNG signature (89 50 4E 47 0D 0A 1A 0A):

The last packet contains an IEND chunk, which marks the end of a PNG file. So each packet carries a slice of one PNG. The only issue is that we have to parse and filter the payloads to recover the bytes in the right order.

Since each echo reply carries the same payload as its request, extracting only the unique ICMP data sections with tshark gets us much closer to the PNG.

Our goal is to find the correct starting offset so that the result is a valid picture, so I used a known-good PNG as a guide to where the signature and chunk boundaries should fall:

Grabbing the correct first line from the pcap data and iterating down to the end, we are able to form a PNG that gives us a flag:

Perhaps I could have parsed it better, but it is still readable.
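Below, as an added example that is not from the original writeup, is a pure-Python version of the reassembly: parse the pcap, keep one copy of each ICMP echo payload keyed by (identifier, sequence number) so the echoed replies do not duplicate the requests, order the slices, and carve from the PNG signature through IEND while checking every chunk's CRC. The sample capture is constructed inline (the MAC and IP addresses, the identifier 0x1234 and the 16-byte slice size are assumptions); pcapng files are not handled.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_chunk(ctype, data):
    """One PNG chunk: big-endian length, type, data, CRC-32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def build_icmp_frame(icmp_type, ident, seq, payload):
    """Ethernet/IPv4/ICMP echo frame. Checksums are left zero; the parser never needs them."""
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")          # assumed MACs, EtherType IPv4
    icmp = struct.pack(">BBHHH", icmp_type, 0, 0, ident, seq) + payload
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 1, 0, 64, 1, 0,
                     bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1]))          # assumed addresses
    return eth + ip + icmp

def build_pcap(frames):
    """Classic libpcap container (little-endian magic, LINKTYPE_ETHERNET = 1)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1_600_000_000, i, len(f), len(f)) + f)
    return b"".join(out)

def iter_pcap_frames(pcap):
    """Yield raw frames from a classic pcap, honouring either byte order of the magic."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None:
        raise ValueError("not a classic pcap (pcapng is not handled here)")
    off = 24
    while off + 16 <= len(pcap):
        _sec, _usec, incl, _orig = struct.unpack(endian + "IIII", pcap[off:off + 16])
        off += 16
        yield pcap[off:off + incl]
        off += incl

def icmp_echo_payloads(pcap):
    """Map (id, seq) -> payload, keeping the first copy seen so the echo reply
    (which carries the same bytes as its request) does not duplicate the data."""
    seen = {}
    for frame in iter_pcap_frames(pcap):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                  # not IPv4 over Ethernet
        ihl = (frame[14] & 0x0F) * 4
        total_len = struct.unpack(">H", frame[16:18])[0]
        if frame[14 + 9] != 1:
            continue                                  # not ICMP
        icmp = frame[14 + ihl:14 + total_len]
        if len(icmp) < 8 or icmp[0] not in (0, 8):
            continue                                  # only echo reply (0) / echo request (8)
        ident, seq = struct.unpack(">HH", icmp[4:8])
        seen.setdefault((ident, seq), icmp[8:])
    return seen

def carve_png(blob):
    """Return (png_bytes, bad_chunks): the first PNG in blob from its signature through
    IEND, plus the types of any chunks whose CRC does not verify."""
    start = blob.find(PNG_SIG)
    if start < 0:
        raise ValueError("no PNG signature in reassembled data")
    off, bad = start + len(PNG_SIG), []
    while off + 12 <= len(blob):
        length = struct.unpack(">I", blob[off:off + 4])[0]
        if off + 12 + length > len(blob):
            break                                     # chunk runs past the data: truncated
        ctype, data = blob[off + 4:off + 8], blob[off + 8:off + 8 + length]
        crc = struct.unpack(">I", blob[off + 8 + length:off + 12 + length])[0]
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            bad.append(ctype)                         # a slice is missing, corrupt or misordered
        off += 12 + length
        if ctype == b"IEND":
            return blob[start:off], bad
    raise ValueError("truncated PNG: IEND never reached")

def reassemble_png(pcap):
    """Order the unique echo payloads by (id, seq) and carve the PNG out of the concatenation."""
    payloads = icmp_echo_payloads(pcap)
    return carve_png(b"".join(payloads[k] for k in sorted(payloads)))

# Constructed sample (not the challenge capture): a 1x1 PNG cut into 16-byte slices,
# each sent as an echo request and echoed back unchanged.
SAMPLE_PNG = (PNG_SIG
              + png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
              + png_chunk(b"IDAT", zlib.compress(b"\x00\xff\x00\x00"))
              + png_chunk(b"IEND", b""))
_frames = []
for _seq, _i in enumerate(range(0, len(SAMPLE_PNG), 16)):
    _frames.append(build_icmp_frame(8, 0x1234, _seq, SAMPLE_PNG[_i:_i + 16]))   # request
    _frames.append(build_icmp_frame(0, 0x1234, _seq, SAMPLE_PNG[_i:_i + 16]))   # identical reply
SAMPLE_PCAP = build_pcap(_frames)

if __name__ == "__main__":
    png, bad = reassemble_png(SAMPLE_PCAP)
    print(f"recovered {len(png)} bytes, chunks with bad CRC: {bad}")
```

A failing CRC on a chunk is the quickest way to tell which slice is missing or out of order, and it explains an image that still decodes but looks partly broken.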

Peculiar Packet Capture

Forensics [400pts]



We have a situation brewing. Last week there was an attack on the prime minister of Morocco. His motorcade was stopped by a road blockade where heavily armed men opened fire on them. Fortunately, the prime minister was able to escape safely but many personnel and a few other ministers did not.

ATLAS, a multi-national Private Military Corporation (PMC) based in Colorado, USA, is our main suspect. We believe they were hired to conduct the hit by the opposition political party.

We flew Agent Jason to Colorado to investigate further. He gained access to their building’s reception area dressed in a suit acting as a potential client with an appointment. He was able to intercept wireless network traffic from their corporate wireless network before being escorted out by guards when they realised the bluff.

The network capture is attached below, see if you can recover any important documents which could help us tie ATLAS to the Morocco incident.

We are given a capture file. Opening it in Wireshark, we see EAPOL frames carrying key material: the WPA2 four-way handshake (EAPOL-Key messages) between wireless clients and the access point.

The handshake tells us the network is WPA2 with a pre-shared key, and the 802.11 data frames around it are encrypted with keys derived from it, so the next step is to decrypt them.

This blog post contained useful information on how to decrypt WPA2-PSK traffic in Wireshark.

But first we need the WPA2 passphrase, because the decryption keys are derived from it and the SSID. A popular tool for cracking a captured handshake offline is aircrack-ng, which is what I used for this challenge.

Of the steps in the aircrack-ng documentation, #5 (cracking the captured handshake against a wordlist) is the only one I needed here. I used rockyou.txt as the wordlist and gave aircrack-ng the target BSSID (the access point's MAC address, which appears as the source of the first handshake message):

It turns out the passphrase was nighthawk.

Following the decrypt-wpa2-psk-using-wireshark method above, I generated the 256-bit PSK from the passphrase and SSID using the generator linked in the blog post (this is PBKDF2-HMAC-SHA1 with 4096 iterations, so it is the same key Wireshark would derive itself from a wpa-pwd entry):

The SSID was ATLAS_PMC and the passphrase was nighthawk. Our hex key is:

Adding the hex key (key type wpa-psk) to the decryption keys list in Wireshark’s IEEE 802.11 protocol preferences, with decryption enabled, reveals decrypted data frames that were not visible before, most notably a PDF. This only works for a client whose complete four-way handshake is in the capture, since Wireshark needs the nonces from it to derive that session’s keys.

After exporting the PDF from Wireshark and opening it, we find the flag at the bottom:
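What the PSK generator and aircrack-ng are doing under the hood, as an added example (not code from the writeup or from either tool): derive the 256-bit PSK with PBKDF2-HMAC-SHA1 over the passphrase and SSID, expand it with the 802.11 PRF into the PTK using the two MAC addresses and the two nonces from the handshake, and for each wordlist candidate compare an HMAC-SHA1 MIC over handshake message 2 against the captured one. The handshake here is constructed (the MAC addresses, nonces and wordlist are made up); only the SSID ATLAS_PMC and the passphrase nighthawk come from the challenge.

```python
import hashlib
import hmac

MIC_OFFSET = 81  # Key MIC field in an EAPOL-Key frame: 4-byte EAPOL header + 77 bytes of descriptor

def wpa2_psk(passphrase, ssid):
    """PSK (the 256-bit PMK) = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations), per IEEE 802.11."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def ptk_from_handshake(pmk, aa, spa, anonce, snonce):
    """802.11 PRF-512: HMAC-SHA1(PMK, label || 0x00 || data || i) for i = 0..3, first 64 bytes.
    The first 16 bytes of the PTK are the KCK that authenticates the handshake."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    blocks = [hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4)]
    return b"".join(blocks)[:64]

def eapol_mic(kck, eapol):
    """WPA2/CCMP (key descriptor version 2): HMAC-SHA1-128 over the EAPOL frame with the MIC zeroed."""
    zeroed = eapol[:MIC_OFFSET] + bytes(16) + eapol[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]

def crack_passphrase(ssid, aa, spa, anonce, snonce, eapol_msg2, wordlist):
    """The per-candidate check aircrack-ng performs: PMK -> PTK -> KCK, then recompute the MIC of
    handshake message 2 and compare with the captured one. Returns the passphrase or None."""
    want = eapol_msg2[MIC_OFFSET:MIC_OFFSET + 16]
    for word in wordlist:
        kck = ptk_from_handshake(wpa2_psk(word, ssid), aa, spa, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol_msg2), want):
            return word
    return None

# Constructed handshake (hypothetical MACs and nonces, not values from the challenge capture).
SSID = "ATLAS_PMC"
AA = bytes.fromhex("001122334455")    # access point (authenticator) MAC
SPA = bytes.fromhex("66778899aabb")   # client (supplicant) MAC
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))

def build_msg2(passphrase):
    """Minimal EAPOL-Key message 2 (key info 0x010a: pairwise, MIC bit, descriptor v2) with a valid MIC."""
    body = (b"\x02" + b"\x01\x0a" + b"\x00\x10" + (1).to_bytes(8, "big")          # type, key info, key len, replay ctr
            + SNONCE + bytes(16) + bytes(8) + bytes(8) + bytes(16) + b"\x00\x00")  # nonce, IV, RSC, ID, MIC, data len
    eapol = b"\x01\x03" + len(body).to_bytes(2, "big") + body
    kck = ptk_from_handshake(wpa2_psk(passphrase, SSID), AA, SPA, ANONCE, SNONCE)[:16]
    return eapol[:MIC_OFFSET] + eapol_mic(kck, eapol) + eapol[MIC_OFFSET + 16:]

MSG2 = build_msg2("nighthawk")
WORDLIST = ["password", "123456", "atlas", "nighthawk", "letmein"]   # stand-in for rockyou.txt

if __name__ == "__main__":
    print("PSK for ATLAS_PMC / nighthawk:", wpa2_psk("nighthawk", SSID).hex())
    print("cracked:", crack_passphrase(SSID, AA, SPA, ANONCE, SNONCE, MSG2, WORDLIST))
```

Two caveats: the SSID is the PBKDF2 salt, so the same passphrase gives a different PSK on every network (which is why the generator needs both); and this MIC check is the descriptor-version-2 variant used by WPA2-CCMP. The SHA-256 AKMs use a different PRF and MIC, and WPA3-SAE does not derive the PMK from the passphrase this way, so neither can be cracked with this loop.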

Disk Forensics Fun

Forensics [350pts]



Get your forensics gloves out.

We’ve managed to exploit a network service running on a C2 server used for orchestrating a large botnet. From there we were able to escalate our privileges and use that server as a proxy to pivot to other machines in the network.

It’s quite fascinating, based on the machines we have found, we think that these guys are a known bad actor, responsible for leaking private documents and data from corporate and government targets, which changes our current focus from a reconnaissance mission to a criminal investigation which involves gathering evidence on them so we can attribute names to actions for further prosecution in the courts.

Thus, we’ve started to image the disks of all the machines we have managed to pivot on. It’s not the most ideal circumstances for admissibility of evidence, but we do have a warrant on the guys involved and we can let our lawyers do the rest.

Anyway, I’ve attached a disk image of a small Linux server which we believe they’re using for temporarily keeping exfiltrated files.

Can you take a look and see what you find?

Good luck.

We are given a file called image.E01 and are asked to investigate it. E01 is the EnCase (Expert Witness Format) disk image format, widely used for forensic evidence.

I opened it in Autopsy, which shows a small Linux filesystem:

Looking through the home directories (/home and /root), I found an ASCII-armoured PGP message along with a PGP public and private key pair:

To decrypt it, I exported the PGP message and the private key, imported the key into gpg and ran the decryption.

The GnuPG handbook's example for decrypting with an imported private key (gpg --output doc --decrypt doc.gpg) was helpful.

My first run wrote the plaintext to a file named doc, but inspecting it showed HTML markup worth looking into, so I ran the decryption again with the output going to an HTML file.

Opening doc.html shows a rather creepy picture:

The values in the picture look like hex, so I copied them and decoded them from hex, revealing our flag at the bottom:


A Monster Issue

Forensics [100pts]



We’ve got a case of industrial espionage, quite an unusual one at that. An international building contractor – Hamilton-Lowe, has written to us that they are having their private client contracts leaked.

After conducting initial incident response, they managed to find a hidden directory on one of their public facing web-servers. However, the strange thing is, instead of having any sensitive documents, it was full of mp3 music files.

This is a serious affair as Hamilton-Lowe constructs facilities for high-profile clients such as the military, which means having building schematics leaked from them could lead to a lapse in national security.

We have attached one of these mp3 files, can you examine it and see if there is any hidden information inside?

Looking at the mp3, I ran binwalk to check for embedded files. It reports a zip archive inside the mp3, and that archive contains a .wav file.

Running strings on the .wav shows the name flag.png, so there is another file hidden inside the audio.

Running binwalk on the .wav and trying to extract the image, we are stopped by a password prompt: the embedded archive is password-protected.

Nothing else in the .wav’s bytes looks interesting, so the next place to look is the audio itself, using a spectrum analyzer (spectrogram view) on the .wav to see if anything is drawn in it.

The password was hidden in the spectrogram the whole time: Shad0ws

Extracting flag.png with that password gives us our flag:
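The embedded-archive step that binwalk performs, as an added example that is not from the writeup or from binwalk: scan for ZIP local file headers at any offset, report each entry's name and whether its general-purpose flags have the encryption bit set (that bit is what produces the password prompt), carve the archive out and read an entry with the standard library. The sample "mp3" is constructed inline, an ID3 tag and frame-sync bytes followed by an appended archive; the entry names hidden.wav and flag.png mirror the challenge but the bytes are made up, and the "encrypted" entry only has the flag bit set rather than real encryption.

```python
import io
import struct
import zipfile
import zlib

LFH_SIG = b"PK\x03\x04"   # local file header
EOCD_SIG = b"PK\x05\x06"  # end of central directory record

def scan_local_headers(blob):
    """Every ZIP local file header in blob as (offset, name, method, encrypted).
    Bit 0 of the general-purpose flags is what makes a reader demand a password."""
    found, off = [], blob.find(LFH_SIG)
    while off != -1 and off + 30 <= len(blob):
        (_sig, _ver, flags, method, _time, _date, _crc,
         _csize, _usize, nlen, _elen) = struct.unpack("<IHHHHHIIIHH", blob[off:off + 30])
        name = blob[off + 30:off + 30 + nlen].decode("utf-8", "replace")
        found.append((off, name, method, bool(flags & 0x1)))
        off = blob.find(LFH_SIG, off + 1)
    return found

def carve_zip(blob, start):
    """Slice one embedded archive: from its first local header to the end of the first EOCD
    record after it (including any comment). Nested archives need the central directory parsed."""
    eocd = blob.find(EOCD_SIG, start)
    if eocd == -1:
        raise ValueError("no end-of-central-directory record after offset %d" % start)
    comment_len = struct.unpack("<H", blob[eocd + 20:eocd + 22])[0]
    return blob[start:eocd + 22 + comment_len]

def extract_entry(blob, name, pwd=None):
    """Carve the archive starting at the first local header and read one entry.
    zipfile raises RuntimeError for an entry flagged encrypted when no password is given."""
    headers = scan_local_headers(blob)
    if not headers:
        raise ValueError("no ZIP local file header found")
    with zipfile.ZipFile(io.BytesIO(carve_zip(blob, headers[0][0]))) as zf:
        return zf.read(name, pwd=pwd)

def build_zip(entries):
    """Minimal stored (method 0) ZIP from [(name, data, encrypted_flag)]. Data is stored in the
    clear; only the flag bit is set, which is enough to make readers refuse extraction without
    a password, as the challenge archive did."""
    local, central, offset = [], [], 0
    for name, data, enc in entries:
        nm, flags, crc = name.encode(), (1 if enc else 0), zlib.crc32(data) & 0xFFFFFFFF
        lfh = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0, crc,
                          len(data), len(data), len(nm), 0)
        local.append(lfh + nm + data)
        central.append(struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, 0, 0, 0, crc,
                                   len(data), len(data), len(nm), 0, 0, 0, 0, 0, offset) + nm)
        offset += len(local[-1])
    body, cd = b"".join(local), b"".join(central)
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(entries), len(entries), len(cd), len(body), 0)
    return body + cd + eocd

# Constructed sample (not the challenge file): an "mp3" made of an ID3 tag and frame-sync
# bytes with an archive appended, the way binwalk found one in the real file.
WAV_BYTES = b"RIFF\x24\x00\x00\x00WAVEfmt " + bytes(16) + b"data\x00\x00\x00\x00"
ZIP_BYTES = build_zip([("hidden.wav", WAV_BYTES, False),
                       ("flag.png", b"\x89PNG\r\n\x1a\n", True)])
SAMPLE_MP3 = b"ID3\x03\x00\x00\x00\x00\x00\x00" + b"\xff\xfb\x90\x00" * 16 + ZIP_BYTES

if __name__ == "__main__":
    for off, name, method, enc in scan_local_headers(SAMPLE_MP3):
        print(f"0x{off:x} {name} method={method} encrypted={enc}")
```

strings finding flag.png inside the .wav is the same signal the scan above reports from the local file header: ZIP stores entry names in the clear even when the data is encrypted, which is why the filename leaked before the password was known.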


[OSINT?? 200 pts]

This 200 point “OSINT” problem is kind of strange. I would classify it as more of a forensics problem, since the way you solve it is forensics based… right?

Part of the description reads: ‘Agent. We found a target posting strange images of boarding passes to his Instagram. None of the guys at base can figure it out, but we think he’s been using the images to exfiltrate data.’

An interesting title for an OSINT problem, but whatever.

Everything looks normal, except that instead of a map locator like the five other OSINT challenges, this one uses the standard text flag format.

So right away we know we are looking for an actual flag.
Let’s take a look at the attached image.

Immediately I began searching for the details on the flier, but found nothing. RAirway does not seem to reference anything, and the flight numbers and other details don’t reveal anything. I spent about 15 minutes searching for a way to solve this using typical OSINT techniques.

I kept looking at the Enigma code book under the flier, and at the numbers, the barcode and the letters, and my mind kept turning to forensics and cryptography techniques I might use to extract data from the image, but I kept reminding myself, “No no no, this is an OSINT problem, I’m not going to be able to extract any data that’s hidden under layers of the image.” So I just left it at that.

After thinking for a while, I thought, ‘hmm, I might as well check out that barcode anyway’, and so I did. I opened it in GIMP and turned it into something a barcode reader could process:

rotating the image
cropping the image

Now I went to an online reader, selected the barcode type (it appears to match PDF417, the symbology used on boarding passes), uploaded the image, and let it process.

However, it detected no barcode. Strange, I thought, until I realized that the colors of the barcode might be the problem.

Comparing a stock PDF417 barcode to ours, it looks like the color scheme is inverted:

white bars on a black background instead of black on white.

This was easily fixable with GIMP’s color-invert function:

After uploading the inverted image to the online barcode-reading site, we get the flag.

…Yep, I solved the OSINT problem using standard forensics tactics…
(I’m not sure how Open Source Intelligence was supposed to be used to solve this problem, because I sure didn’t use any.)

Flag: ractf{B0ard1ngP4ssD4t4}


Hexillogoly

Forensics [25 pts]

This problem is titled Hexillogoly, so right from the start we know it has something to do with hex.

Okay, let’s open the link in a new tab. It’s a PNG.

Nothing in particular stands out, just some rather bland colors and shapes.

Originally, when I heard the word hex my mind automatically went to hex editors. So I quickly jumped into my trusty hex editor and uploaded the image.

Nothing really stands out. I see two repeating lengths in the hex, but I didn’t look too long at that. Of course, I did a quick Ctrl + F for the string ‘tjctf’, but found nothing.

After a few minutes of searching and thinking, I nearly facepalmed because I had missed something really obvious. Hex doesn’t just mean the hexadecimal dump of a file or of memory. Hex is also the format colors are stored in, on websites for example. “hurr durr let me open up this image in a hex editor and search the hexadecimal for clues hur durr”

Anyway, after my idiot phase ended I quickly opened the image in GIMP and took a look at the colors it contained.

I used the Color Picker tool to pick out the first greyish color, so I could view its hex value.

In GIMP, the hex value is shown as ‘HTML notation’:

I went to an online color hex lookup site to verify that what I was looking at was the real color.

After that, I simply copied the six hex digits into a hex-to-ASCII converter and

ta-da! It begins to spell out the flag: each color’s #RRGGBB value is three ASCII characters.

Okay, let’s repeat the process for the other colors. Grab the HTML notation of the middle shape next and enter it into the converter alongside the first one.

It follows the pattern, so I continue.

After I have entered all the colors into the converter, we are left with what appears to be a flag. It doesn’t seem to have a readable message in it, but when I tried it, it worked. Here is the flag:


Flag: tjctf{pYJrfQK0dbaTPG}
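The same extraction done programmatically, as an added example (not the author's code): a minimal decoder for 8-bit RGB PNGs, the list of distinct colors in scan order, and the hex-to-ASCII step that turns each #RRGGBB value into three characters. It also includes the color inversion that fixed the white-on-black PDF417 barcode in the previous challenge. The sample image is constructed inline, seven stripes whose colors spell the flag from this page; the real challenge image was not available here, and the stripe layout is an assumption.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def _chunk(ctype, data):
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def encode_png_rgb8(rows):
    """Write an 8-bit RGB PNG. Row 0 uses the Sub filter (1), later rows the Up filter (2),
    so the decoder's unfiltering is exercised rather than only the trivial None filter."""
    h, w = len(rows), len(rows[0])
    raw, prev = bytearray(), bytes(3 * w)
    for y, row in enumerate(rows):
        line = b"".join(bytes(px) for px in row)
        if y == 0:
            raw.append(1)
            raw += bytes((line[i] - (line[i - 3] if i >= 3 else 0)) & 0xFF for i in range(len(line)))
        else:
            raw.append(2)
            raw += bytes((line[i] - prev[i]) & 0xFF for i in range(len(line)))
        prev = line
    ihdr = struct.pack(">IIBBBBB", w, h, 8, 2, 0, 0, 0)
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(bytes(raw))) + _chunk(b"IEND", b"")

def _unfilter(raw, w, h, bpp=3):
    """Undo the five PNG scanline filters (None, Sub, Up, Average, Paeth)."""
    stride, prev, rows, pos = w * bpp, bytearray(w * bpp), [], 0
    for _ in range(h):
        ftype, line = raw[pos], bytearray(raw[pos + 1:pos + 1 + stride])
        pos += 1 + stride
        for i in range(stride):
            a = line[i - bpp] if i >= bpp else 0      # left neighbour (already reconstructed)
            b = prev[i]                               # byte above
            c = prev[i - bpp] if i >= bpp else 0      # upper-left
            if ftype == 1:
                line[i] = (line[i] + a) & 0xFF
            elif ftype == 2:
                line[i] = (line[i] + b) & 0xFF
            elif ftype == 3:
                line[i] = (line[i] + (a + b) // 2) & 0xFF
            elif ftype == 4:
                p = a + b - c
                pa, pb, pc = abs(p - a), abs(p - b), abs(p - c)
                line[i] = (line[i] + (a if pa <= pb and pa <= pc else b if pb <= pc else c)) & 0xFF
            elif ftype != 0:
                raise ValueError("unknown filter type %d" % ftype)
        rows.append(bytes(line))
        prev = line
    return rows

def decode_png_rgb8(png):
    """Minimal decoder for non-interlaced 8-bit RGB PNGs; returns rows of (r, g, b) tuples."""
    if png[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    off, idat, dims = 8, [], None
    while off + 12 <= len(png):
        length = struct.unpack(">I", png[off:off + 4])[0]
        ctype, data = png[off + 4:off + 8], png[off + 8:off + 8 + length]
        if ctype == b"IHDR":
            w, h, depth, color, _, _, interlace = struct.unpack(">IIBBBBB", data)
            if (depth, color, interlace) != (8, 2, 0):
                raise ValueError("only 8-bit RGB, non-interlaced PNGs are handled")
            dims = (w, h)
        elif ctype == b"IDAT":
            idat.append(data)
        elif ctype == b"IEND":
            break
        off += 12 + length
    w, h = dims
    lines = _unfilter(zlib.decompress(b"".join(idat)), w, h)
    return [[tuple(line[3 * x:3 * x + 3]) for x in range(w)] for line in lines]

def distinct_colors(rows):
    """Colors in first-seen scan order (left to right, top to bottom), as the author read them off."""
    seen = []
    for row in rows:
        for px in row:
            if px not in seen:
                seen.append(px)
    return seen

def colors_to_text(colors):
    """Each color's six hex digits (#RRGGBB) are three ASCII bytes."""
    return "".join(bytes(c).decode("ascii") for c in colors)

def invert(rows):
    """Swap dark and light, the fix applied to the white-on-black PDF417 barcode."""
    return [[tuple(255 - v for v in px) for px in row] for row in rows]

# Constructed sample (not the challenge image): seven colored stripes whose RGB bytes
# spell the page's flag, three characters per color.
FLAG = "tjctf{pYJrfQK0dbaTPG}"
STRIPES = [tuple(FLAG[i:i + 3].encode()) for i in range(0, len(FLAG), 3)]
SAMPLE_PNG = encode_png_rgb8([[STRIPES[x // 4] for x in range(4 * len(STRIPES))] for _ in range(3)])

if __name__ == "__main__":
    colors = distinct_colors(decode_png_rgb8(SAMPLE_PNG))
    print(["#%02x%02x%02x" % c for c in colors], colors_to_text(colors))
```

Reading colors in scan order matters: the flag only assembles if the shapes are taken in the same order the author did (left to right), and a color that appears twice must be counted once, which is why distinct first occurrences are collected rather than every pixel.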