October 25, 2022 at 2:01 PM
(October 25, 2022, 01:37 PM) 11231123 Wrote: For web challenge:
POST /api/getfacts
{ "type":true }
thanks bro

October 25, 2022 at 2:10 PM
All the answers for the Forensics POOF:
Which is the malicious URL that the ransomware was downloaded from? (for example: http://maliciousdomain/example/file.extension) > http://files.pypi-install.com/packages/a5/61/caf3af6d893b5cb8eae9a90a3054f370a92130863450e3299d742c7a65329d94/pygaming-dev-13.37.tar.gz [+] Correct!
What is the name of the malicious process? (for example: malicious) > configure [+] Correct!
Provide the md5sum of the ransomware file. > 7c2ff873ce6b022663a1f133383194cc [+] Correct!
Which programming language was used to develop the ransomware? (for example: nim) > python [+] Correct!
After decompiling the ransomware, what is the name of the function used for encryption? (for example: encryption) > mv18jiVh6TJI9lzY [+] Correct!
Decrypt the given file, and provide its md5sum. > 3bc9f072f5a7ed4620f57e6aa8d7e1a1 [+] Correct!
[+] Here is the flag: :)
October 25, 2022 at 2:13 PM
(October 25, 2022, 02:10 PM) 11231123 Wrote: All the answers for the Forensics POOF: [...]
bro which file to execute?
(October 25, 2022, 02:13 PM) Solo1 Wrote: (October 25, 2022, 02:10 PM) 11231123 Wrote: All the answers for the Forensics POOF: [...]
bro which file to execute?
got it ty bro +1

October 25, 2022 at 2:28 PM
(October 25, 2022, 02:10 PM) 11231123 Wrote: All the answers for the Forensics POOF: [...]
Process would be great :)

October 25, 2022 at 2:29 PM
Thanks!

October 25, 2022 at 2:29 PM
Pwn day 4 is a string format exploit using %n to override something. Not working reading in on it.

October 25, 2022 at 2:30 PM
Thanks

October 25, 2022 at 2:32 PM
(October 25, 2022, 02:22 PM) NotEvenME Wrote: (October 25, 2022, 02:10 PM) 11231123 Wrote: All the answers for the Forensics POOF: [...]
You crazy!
How did you even begin this process? What was the first step?
The URL and file are in the PCAP. Export the file, unzip it, and you'll find the program, configure. md5sum that and you'll get the hash. That's as far as I got.

October 25, 2022 at 2:37 PM
(October 25, 2022, 02:32 PM) karhu Wrote: (October 25, 2022, 02:22 PM) NotEvenME Wrote: (October 25, 2022, 02:10 PM) 11231123 Wrote: All the answers for the Forensics POOF: [...]
bro the docker isn't working or something because I can't add anything

October 25, 2022 at 2:44 PM
Forensics - Day 4
1. Wireshark > Right click anywhere > Follow TCP Stream > Find the URL
2. Volatility > Use the custom profile they gave you > "volatility -f mem.dmp --profile=LinuxUbuntu_4_15_0-184-generic_profilex64 linux_bash" > See in bash history that "./configure" is the last thing they typed
3. Wireshark again > File > Export Objects > Download the Zip file > "md5sum configure"
4. On the "configure" file > "strings | grep python"
5. & 6. Run Ghidra or any decompiler on the "configure" file and find the function
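The Day 4 steps above as a script, added here as an example; it is not from the thread or from the challenge. Steps 1 to 3a wrap tshark and Volatility 2 and need the real capture and memory dump, so they only run when you point them at those files; the unpack, md5 and string-triage steps run offline against a constructed stand-in for the pygaming tarball built by make_sample_archive, whose fake "configure" carries only the marker strings a PyInstaller-built Python binary exposes. The tshark field and option names, the Volatility profile handling and the _MEIPASS2 marker are my assumptions about those tools, not facts stated in the thread, and the real hashes from the thread are not reproduced here.

```shell
#!/usr/bin/env bash
# Added example: scripted version of the Forensics Day 4 steps in the thread.
# Not the challenge's own tooling. Steps 1-3a need the real capture.pcap and
# mem.dmp; find_payload/md5_of/detect_lang run offline on any archive and are
# exercised against a constructed sample (see SAMPLE_CONFIGURE below).
set -eu

# Step 1: every HTTP request URL in the capture. Follow TCP Stream finds one by
# hand; listing them all makes the odd host (files.pypi-install.com) stand out.
list_http_urls() {            # usage: list_http_urls capture.pcap
  tshark -r "$1" -Y 'http.request' -T fields -e http.request.full_uri | sort -u
}

# Step 2: commands typed before the snapshot (Volatility 2 syntax as posted).
# The custom profile zip must sit in volatility/plugins/overlays/linux/ or be
# reachable via --plugins=DIR, otherwise the profile name is not recognised.
last_shell_commands() {       # usage: last_shell_commands mem.dmp PROFILE
  volatility -f "$1" --profile="$2" linux_bash
}

# Step 3a: File > Export Objects > HTTP, non-interactively. Objects are written
# under $2 named after the URL path, so expect pygaming-dev-13.37.tar.gz there.
export_http_objects() {       # usage: export_http_objects capture.pcap outdir
  mkdir -p "$2"
  tshark -r "$1" -q --export-objects "http,$2" >/dev/null
}

# Step 3b: unpack the exported tarball and locate the dropped program.
find_payload() {              # usage: find_payload archive.tar.gz workdir
  tar -xzf "$1" -C "$2"
  find "$2" -type f -name configure | head -n 1
}

md5_of() { md5sum "$1" | cut -d' ' -f1; }

# Step 4: printable strings, with a tr fallback when binutils' strings is absent.
printable_strings() {         # usage: printable_strings file
  if command -v strings >/dev/null 2>&1; then strings -n 6 "$1"
  else tr -c '[:print:]' '\n' < "$1" | grep -E '.{6,}'; fi
}

# Language guess for steps 5-6: "python" when a CPython runtime or the
# PyInstaller bootloader marker _MEIPASS2 is referenced, else "unknown".
detect_lang() {               # usage: detect_lang file
  if printable_strings "$1" | grep -qiE 'python|_MEIPASS2'; then echo python
  else echo unknown; fi
}

# Constructed sample (NOT the real pygaming tarball): a fake "configure" that
# carries only the strings a PyInstaller-built Python ELF would expose.
SAMPLE_CONFIGURE='ELF placeholder (constructed sample, not a real binary)
_MEIPASS2
libpython3.10.so.1.0
PyInstaller: FormatMessage failed.
'
make_sample_archive() {       # usage: make_sample_archive dir  -> prints archive path
  mkdir -p "$1/pygaming-dev-13.37"
  printf '%s' "$SAMPLE_CONFIGURE" > "$1/pygaming-dev-13.37/configure"
  tar -czf "$1/pygaming-dev-13.37.tar.gz" -C "$1" pygaming-dev-13.37
  echo "$1/pygaming-dev-13.37.tar.gz"
}

# Offline triage of one exported archive: process name, md5 and language guess.
triage_archive() {            # usage: triage_archive archive.tar.gz
  work=$(mktemp -d)
  payload=$(find_payload "$1" "$work")
  [ -n "$payload" ] || { echo "no configure in archive" >&2; rm -rf "$work"; return 1; }
  echo "process=$(basename "$payload") md5=$(md5_of "$payload") lang=$(detect_lang "$payload")"
  rm -rf "$work"
}

# Stand-alone: ./triage.sh exported/pygaming-dev-13.37.tar.gz
if [ "$#" -ge 1 ]; then triage_archive "$1"; fi
```

Against the real capture you would run export_http_objects first and hand the exported tarball to triage_archive; the md5 of the unpacked "configure" is the step 3 answer and detect_lang printing python is the step 4 answer. Decompilation (steps 5 and 6) stays manual, in Ghidra or a Python-specific unpacker, since the encryption routine has to be read, not grepped.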