We’ve established a persistence mechanism on the attached disk. Can you determine what that is?

The flag is in the standard format. You’ll know it when you see it. :)

Given: non-stick-disk.zlib

First I had to figure out how to decompress a zlib file within a directory. I used this resource in order to do it and piped it into a directory. Full command:

zlib-flat -uncompress < non-stick-disk.zlib > nonstick

From there, I noticed there are a TON of files in the directory, so one trick of forensics (that I now know) is to check the etc/os-release and then do a diff on the filesystems. From cat-ing the os-release, we see this:

Now came the part that took me the longest…​ finding a root filesystem that I could diff on. At first, Rohan and I were pouring through FTK Imager and Autopsy to find sus things, but came to no promising findings (even had a little red herring). After a copious amount of researching, one key google search and many clicks later got me to Debootstrap. A little bit more reading on how to Debootstrap and understanding what architecture the nonstick filesystem is (there is a x86_64-linux_gnu directory in lib, which indicated amd64), we could create our own Ubuntu 20.04 Focal Fossa quick! Actual command:

sudo debootstrap --arch amd64 focal ubuntu (directory I want it to go to) http://archive.ubuntu.com/ubuntu

With my two filesystems, I could finally do a diff and see what things may be interesting to investigate…​ much better than having to search through each file (which I had already done plenty of by this point).

NOTE: the nonstick directory is actually mounted on a directory called mountpoint

To diff the filesystems: diff -qr mountpoint ubuntu > diffs.txt

-q for quick so we can see ONLY the files that differ between the two filesystems
-r for recursive

Investigating the diffs.txt, there is one sus line and that is File mountpount/lib/x86_64-linux-gnu/security/pam_unix.so and ubuntu/lib/x86_64-linux-gnu/security/pam_unix.so differ. So, I strings-d the file and saw /home/addisoncrump/git/tamuctf-2022/forensics/non-stick-disk/pam_backdoor/linux-pam-1.3.1/modules/pam_unix so that was pretty assuring that this was indeed the persistence mechanism.

But where is the flag? Well we have a binary so naturally, the next step is to boot it up in good ol Ghidra. I poked around for a good amount before I finally saw something that could be related to the flag and it was this little snippet:

Now there is an alternative and alternative_key stored in byte arrays, so that is interesting, but how are they used? Well if we look at the following code:

This indicates that each byte is xor-d with each other…​ so we can go in and grab that hex and xor them against each other.

The other thing to note here is the bVar9 = 0xea and bVar9 = 0x8d. When you xor these values, you get 'g', so we further know that this is an xor to get the flag. Using XOR calculator, we get 67656769675f617b6d5f7469625f6f6f746976626f5f73756f795f6669615f756f6d5f6b730000, which we put into Cyberchef. We did have to mess around a little to get the actual flag format (removing the beginning "67" and then adding a "65" at the end). Finally recipe:

Flag: gigem{a_bit_too_obvious_if_you_ask_me}

This challenge was incredibly infuriating, but really cool after solving it. Also being one of two solvers was really cool 😃.

After solving the challenge in the way described above, I wondered if you could solve it quicker using grep.

Turns out Addison didn’t strip symbols, so you could in fact grep -r "backdoor" and find the file 😔…​ but at least I learned a lot in the process!

Read, weep, seethe, and cope.

Only commits you need to consider are those made by VTCAKAVSMoACE.

Given: vanity-smurf-youre-so-vain.gif

So at first glance, the link goes to a git repo that is completely empty. There was only one commit and zero history so that was interesting…​.

The prompt and gif associated with this challenge gave a good amount away. Now I was not very smart and got caught in an article saying you couldn’t mirror a git repo and it wasn’t until Rohan looked into it that I realized my grave mistake…​.

Anywho, looking at this how to properly mirror a git repository, we could find the mirrored git repo.

Command: git clone --mirror vanityhttps://github.com/tamuctf/

Then we see the following and get the flag!

Flag: gigem{watch_the_night_and_bleed_for_me}

Have fun reversing this little crackme. :)

Given: existing-tooling binary

NOTE: I did not complete this challenge

First things first with any RE challenge is to check file type and run the bad boy:

Key thing: the flag is 72 characters long…​ we can look in a handy dandy tool…​

Ghidra time!!!

When you load the binary into Ghidra and start at the entry, we see this:

Going into that FUN_00101140, we find an interesting block of code…​ it is a pointer that points to null? Strange.

So there is probably something there, so let’s investigate! GDB gef is a life savior :D.

Commands:

Flag: gigem{im_curious_did_you_statically_or_dynamically_reverse_ping_addison}