Particles (Forensics 175) ASIS Final 2015

The challenge was a pcap file that uses zsync to transfer some files.

zsync is essentially rsync implemented on top of HTTP. Looking at the requests and analysing the protocol, you can clearly see that the header sent in each request looks similar to the following:

The first idea I had was to reconstruct the file that had been downloaded; analysing that file should reveal the flag. The second idea was to simply google the SHA-1s of the different files and see whether they are known online. If they are, we can download them or read reports about them and see how they relate to the CTF.

The first idea looked more complex than the second one, so I decided to try the second idea first.
I dumped all the SHA-1s of the files that had been transferred in this pcap. I ended up with the following 8 SHA-1s:

9be3800b49e84e0c014852977557f21bcde2a775 >> Googled and found https://github.com/eset/malware-ioc/blob/master/potao/README.adoc
e227c6d298358d53374decb9feaacb463717e2d9 (not found)
2d27f6e5bafdf23c7a964a325ebf3a5ee9ca4b18 (not found)
8f1fa762c3bf865d0298e7a8fd3640c606962122 (not found)
7e05370d87196157bc35f920d7fcf27668f8e8af (not found)
e8c7d65370947b40418af55bdc0f65e06b7b0c59 >> https://www.hybrid-analysis.com/sample/688a3ac91914609e387111e6382911ecd0aefe9f4f31bed85438b65af390cf6f?environmentId=2

The first link is a well-documented malware family. I read about it quickly but found nothing interesting related to our CTF.

I checked the last link, and the first thing that caught my eye was
“Submitted on October 10th 2015 06:37:34 (CDT) with target system Windows 7 64 bit”

This is the same day as the CTF! I also noticed that this malware doesn't appear on any other malware analysis websites like http://virustotal.com and http://malwr.com.

I read the analysis of the malware, trying to find something related to the CTF. I checked the screenshots in the analysis and saw this:

[screenshot screen_0 from the analysis]

That looks pretty much like a flag!

I tried ASIS{c295c4f709efc00a54e77a027e36860c} and it was the correct flag.

The challenge was OK, but I wished for something more technical than just "searching". I believe this is more of a recon challenge than a forensics one.

Published in writeups

2 Comments

  1. Hey,
    Dear Ibrahim,
    Please note that the intended solution is not the one you describe. One team, who was the first to solve this challenge, uploaded the final patched file to this site and revealed the flag. You must find the first file from the given SHA-1 hash and then patch the file in 5 stages.
    Thanks
    _factoreal

    • storm

      Hi Factoreal,
      Now it makes sense, because I expected something much better than that.

      Regards
      Ibrahim
