We are provided with a 1.8 GB CSV file containing the ‘network logs of a medium sized company’. A file that size is still manageable in a pandas DataFrame, so we can analyze it in Python.

>>> import numpy as np
>>> import csv
>>> import pandas as pd
>>> # parse_dates + index_col=0 turns the first column (timestamp) into a DatetimeIndex;
>>> # error_bad_lines=False skips malformed rows (deprecated in pandas 1.3, removed in
>>> # 2.0, where the same thing is spelled on_bad_lines='skip')
>>> df1 = pd.read_csv('challenge.csv', parse_dates=True, index_col=0, error_bad_lines=False)
>>> df1
src_ip dst_ip ... protocol payload
timestamp…
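The kind of triage the DataFrame is loaded for, as an added example that is not part of the original post: it uses only the standard library so it runs without pandas (each function is the equivalent of a groupby over the same columns), the column names follow the frame shown above, and the log lines are constructed for the demo, including one malformed row of the sort error_bad_lines=False drops.

```python
"""Network-log triage over a challenge.csv-shaped file (standard library only).

Added example, not the post's code. Columns (timestamp, src_ip, dst_ip,
protocol, payload) are taken from the DataFrame above; the rows are constructed.
"""
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in the same shape as challenge.csv (not real traffic).
SAMPLE_CSV = """timestamp,src_ip,dst_ip,protocol,payload
2019-10-01 09:00:00,10.0.0.5,10.0.0.1,DNS,corp.local
2019-10-01 09:00:30,10.0.0.5,203.0.113.7,HTTP,GET /
2019-10-01 09:01:00,10.0.0.5,203.0.113.7,HTTP,GET /
2019-10-01 09:01:30,10.0.0.5,203.0.113.7,HTTP,GET /
2019-10-01 09:02:00,10.0.0.5,203.0.113.7,HTTP,GET /
2019-10-01 09:00:05,10.0.0.9,10.0.0.21,TCP,SYN
2019-10-01 09:00:06,10.0.0.9,10.0.0.22,TCP,SYN
2019-10-01 09:00:07,10.0.0.9,10.0.0.23,TCP,SYN
2019-10-01 09:00:08,10.0.0.9,10.0.0.24,TCP,SYN
2019-10-01 09:03:00,10.0.0.12,10.0.0.1,DNS,corp.local
2019-10-01 09:04:00,10.0.0.5,10.0.0.1,HTTP,GET /,extra,fields,here
"""


def load_logs(text):
    """Parse CSV text into dicts with a datetime timestamp, skipping rows with
    the wrong field count (the stdlib analogue of error_bad_lines=False)."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        if None in row or None in row.values():  # too many / too few fields
            continue
        try:
            row["timestamp"] = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S")
        except ValueError:
            continue
        rows.append(row)
    return rows


def top_talkers(rows, n=3):
    """Connections per source IP, like df.groupby('src_ip').size()."""
    return Counter(r["src_ip"] for r in rows).most_common(n)


def fan_out(rows):
    """Distinct destinations per source; one host with a high count suggests a scan."""
    dsts = defaultdict(set)
    for r in rows:
        dsts[r["src_ip"]].add(r["dst_ip"])
    return {src: len(d) for src, d in dsts.items()}


def beacon_candidates(rows, min_hits=4, max_jitter=1.0):
    """(src, dst) pairs contacted at a near-constant interval, a beaconing heuristic.
    Returns {(src, dst): mean_interval_seconds} for pairs seen at least min_hits
    times whose gaps vary by no more than max_jitter seconds."""
    times = defaultdict(list)
    for r in rows:
        times[(r["src_ip"], r["dst_ip"])].append(r["timestamp"])
    found = {}
    for pair, ts in times.items():
        if len(ts) < min_hits:
            continue
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        if max(gaps) - min(gaps) <= max_jitter:
            found[pair] = sum(gaps) / len(gaps)
    return found


if __name__ == "__main__":
    logs = load_logs(SAMPLE_CSV)
    print("rows kept:", len(logs))
    print("top talkers:", top_talkers(logs))
    print("fan-out:", fan_out(logs))
    print("beacons:", beacon_candidates(logs))
```

On the real 1.8 GB file the same three questions are one `groupby` each (`df1.groupby('src_ip').size()`, `df1.groupby('src_ip')['dst_ip'].nunique()`, and a `diff()` over the per-pair timestamps); the heuristic thresholds above are starting points, not signatures.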

We are provided with C++ files which emulate a RISC processor. Main is as follows

The main program loads the user payload and the admin payload to be executed.

The payload consists of instructions defined in asm_instructions.c

Output operations:

  • PRINTC to print the lower byte of a register as a character.
  • PRINTDD and PRINTDX to print the value of a register in decimal or hexadecimal formats, respectively.
  • PRINTNL to print a newline.

Stack operations:

  • PUSH and POP.
  • PUSHCTX and POPCTX.

Flow-control operations:

  • RET, to terminate execution unconditionally.
  • RETNZ, to terminate execution if the given register is not zero.
  • RETZ, to…
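A small interpreter for the instruction subset listed above, as an added example that is not the challenge's C++ emulator. Only the behaviour the post describes is taken from it; everything else is an assumption for the demo: eight 64-bit registers r0..r7, a hypothetical MOV r, imm to load them, PUSHCTX/POPCTX saving and restoring the whole register file on the same stack that PUSH/POP use, and RETZ as the mirror of RETNZ. Output is collected in a buffer rather than printed so it can be checked.

```python
"""Stack-machine emulator for the PRINT*/PUSH*/RET* instructions listed above.

Added example, not the challenge's emulator. Assumed (not from the post):
8 registers r0..r7 of 64 bits, a MOV r, imm instruction, PUSHCTX/POPCTX
meaning push/pop the whole register file, RETZ halting when the register is 0.
Programs are lists of tuples: ("PRINTC", 0) means PRINTC r0.
"""
MASK = (1 << 64) - 1


class Halt(Exception):
    """Raised by RET/RETZ/RETNZ to stop execution."""


class Machine:
    def __init__(self):
        self.regs = [0] * 8
        self.stack = []
        self.out = []  # printed text is collected here instead of going to stdout

    def step(self, ins):
        op, *args = ins
        if op == "MOV":                    # assumed: load an immediate
            self.regs[args[0]] = args[1] & MASK
        elif op == "PRINTC":               # lower byte of the register as a character
            self.out.append(chr(self.regs[args[0]] & 0xFF))
        elif op == "PRINTDD":              # decimal
            self.out.append(str(self.regs[args[0]]))
        elif op == "PRINTDX":              # hexadecimal
            self.out.append(format(self.regs[args[0]], "x"))
        elif op == "PRINTNL":
            self.out.append("\n")
        elif op == "PUSH":
            self.stack.append(self.regs[args[0]])
        elif op == "POP":
            if not self.stack:
                raise IndexError("POP on empty stack")
            self.regs[args[0]] = self.stack.pop()
        elif op == "PUSHCTX":              # assumed: save r0..r7, r7 on top
            self.stack.extend(self.regs)
        elif op == "POPCTX":               # assumed: restore r7 first, r0 last
            if len(self.stack) < len(self.regs):
                raise IndexError("POPCTX with an incomplete context on the stack")
            for i in reversed(range(len(self.regs))):
                self.regs[i] = self.stack.pop()
        elif op == "RET":
            raise Halt
        elif op == "RETNZ":
            if self.regs[args[0]] != 0:
                raise Halt
        elif op == "RETZ":                 # assumed mirror of RETNZ
            if self.regs[args[0]] == 0:
                raise Halt
        else:
            raise ValueError("unknown instruction %r" % (op,))

    def run(self, program):
        try:
            for ins in program:
                self.step(ins)
        except Halt:
            pass
        return "".join(self.out)


def run_program(program):
    """Run a program on a fresh machine and return everything it printed."""
    return Machine().run(program)


# Constructed demo payload: prints "Hi", proves POPCTX restores r0, then stops at RETZ.
DEMO = [
    ("MOV", 0, 0x48), ("PRINTC", 0),    # 'H'
    ("MOV", 0, 0x69), ("PRINTC", 0),    # 'i'
    ("PRINTNL",),
    ("MOV", 0, 255), ("PUSHCTX",),      # save r0..r7 with r0 = 255
    ("MOV", 0, 1), ("POPCTX",),         # clobber r0, then restore it
    ("PRINTDD", 0), ("PRINTNL",),       # 255
    ("PRINTDX", 0), ("PRINTNL",),       # ff
    ("RETZ", 1),                        # r1 is 0, so execution ends here
    ("PRINTC", 0),                      # never reached
]

if __name__ == "__main__":
    print(run_program(DEMO), end="")
```

The stack underflow checks are the part worth keeping in mind when reading the real emulator: with a user payload and an admin payload sharing one machine, what POP or POPCTX does on an empty or foreign stack decides whether one payload can observe or influence the other.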

There are a plethora of websites on which one can measure their click speed. One of them is
https://www.arealme.com/click-speed-test/en/

So I made an attempt to beat this with the help of selenium browser automation.

The idea was that the click-area element would be located and clicked in an infinite loop until the timer runs out.

from selenium import webdriver
from selenium.webdriver.support.ui import WebDriverWait
from selenium.webdriver.common.by import By
from selenium.webdriver.support import expected_conditions as EC

browser = webdriver.Firefox()  # using the Firefox webdriver (needs geckodriver on PATH)
browser.get("https://www.arealme.com/click-speed-test/en/")  # open the website
# find_element_by_id() was removed in Selenium 4; By.ID is the current spelling
print(browser.find_element(By.ID, 'start'))  # Find the start button and click on it twice. It is clicked twice as the start…

Level01

We find ourselves unable to run this binary. Loading it into radare2, we cannot find a symbol table. Running binwalk on it, we find an ELF executable at byte offset 254. We can carve that executable out and analyse it in Ghidra.

Level02

Trying to run the binary, we get

bash: file: cannot execute binary file: Exec format error

Running binwalk on this returns nothing. However, readelf -h shows that the magic bytes are missing from the header. Inserting the magic bytes (7f 45 4c 46, i.e. \x7fELF) over the first four bytes with a hex editor gets the program running.

Finally…

After extracting the executables successfully, we can reverse them with the help of angr.
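The two repairs above (carving an embedded ELF at a reported offset, and putting a missing magic back) as one script, added here as an example and not the post's tooling. It assumes the "executable at 254" is a decimal byte offset and that the Level02 header differs from a valid one only in its first four bytes; the blobs it works on are constructed in the block.

```python
"""Carve an embedded ELF and repair a zeroed ELF magic (Level01 / Level02 by script).

Added example, not the post's tooling. Assumes the binwalk offset is a decimal
byte offset and that only the first four bytes of the Level02 header are damaged.
"""
import struct

ELF_MAGIC = b"\x7fELF"


def find_elf_offsets(blob):
    """Every offset where an ELF magic starts (what binwalk reports as 'ELF')."""
    offs, i = [], blob.find(ELF_MAGIC)
    while i != -1:
        offs.append(i)
        i = blob.find(ELF_MAGIC, i + 1)
    return offs


def elf64_extent(data):
    """File size implied by a little-endian ELF64 header's section header table,
    or None if there is no table (then carve to end of file)."""
    if len(data) < 64 or data[4] != 2 or data[5] != 1:
        return None
    e_shoff, = struct.unpack_from("<Q", data, 0x28)
    e_shentsize, e_shnum = struct.unpack_from("<HH", data, 0x3A)
    if e_shoff == 0:
        return None
    return e_shoff + e_shentsize * e_shnum


def carve(blob, offset):
    """Bytes of the ELF at offset, sized from its section table when possible."""
    extent = elf64_extent(blob[offset:offset + 64])
    end = offset + extent if extent else len(blob)
    return blob[offset:end]


def elf_header_problems(data):
    """Problems with e_ident, in the spirit of readelf -h's complaints."""
    problems = []
    if len(data) < 16:
        return ["file shorter than e_ident"]
    if data[:4] != ELF_MAGIC:
        problems.append("wrong magic bytes: %s" % data[:4].hex())
    if data[4] not in (1, 2):
        problems.append("bad EI_CLASS %d" % data[4])
    if data[5] not in (1, 2):
        problems.append("bad EI_DATA %d" % data[5])
    if data[6] != 1:
        problems.append("bad EI_VERSION %d" % data[6])
    return problems


def fix_magic(data):
    """Write \\x7fELF over the first four bytes (the hex-editor fix)."""
    return ELF_MAGIC + bytes(data[4:])


def minimal_elf64_header(shoff=0, shnum=0):
    """Constructed 64-byte ELF64 header (x86-64, ET_EXEC) for the demo; no code follows."""
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + bytes(8)  # ELFCLASS64, LSB, version 1
    return struct.pack("<16sHHIQQQIHHHHHH", ident,
                       2, 0x3E, 1,            # e_type=EXEC, e_machine=x86-64, e_version
                       0x400000, 64, shoff,   # e_entry, e_phoff, e_shoff
                       0, 64, 56, 0,          # e_flags, e_ehsize, e_phentsize, e_phnum
                       64, shnum, 0)          # e_shentsize, e_shnum, e_shstrndx


if __name__ == "__main__":
    hdr = minimal_elf64_header()
    level01 = bytes(254) + hdr + b"\x90" * 16        # constructed: junk, then an ELF at 254
    off = find_elf_offsets(level01)[0]
    print("Level01: ELF at", off, "problems:", elf_header_problems(carve(level01, off)))
    level02 = bytes(4) + hdr[4:]                      # constructed: magic zeroed
    print("Level02 before:", elf_header_problems(level02))
    print("Level02 after: ", elf_header_problems(fix_magic(level02)))
```

One caveat before reaching for the hex editor: bash prints the same "Exec format error" for a perfectly valid ELF built for another architecture, so when readelf -h does parse the header, check e_machine and EI_CLASS before assuming the file is damaged.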


We first open and analyze the file in Ghidra. The main function turns out to be

void FUN_004008a8(void){
    int iVar1;
    char local_58 [76];
    int local_c;

    printf("Password: ");
    fgets(local_58,0x40,stdin);
    local_c = 0;
    while( true ) {
        iVar1 = FUN_00400699(local_58);
        if (iVar1 < local_c) break;
        if (local_58[local_c] == '\n') {
            local_58[local_c] = '\0';
        }
        local_c = local_c + 1;
    }
    FUN_00400874(local_58);
    return;
}

It prints a "Password: " prompt and reads at most 63 bytes with fgets into the 76-byte char array local_58, so there is no overflow at this point. FUN_00400699 is then called on local_58 on every pass through the loop and its return value is used as the loop bound, which is what a string-length routine would look like: the loop walks the buffer up to that length, replaces the trailing newline with a NUL, and hands the string to FUN_00400874.

ulong FUN_00400699(long param_1){
    int local_10;
    uint local_c;

    local_c = 0;
    local_10 =…

Problem : My system was recently compromised. The Hacker stole a lot of information but he also deleted a very important file of mine. I have no idea on how to recover it. The only evidence we have, at this point of time is this memory dump. Please help me.

Solution : Running the volatility filescan plugin and grepping for .txt files gives a suspicious-looking important.txt. However, dumping the file with the dumpfiles plugin does not work.

Running pslist gives a StikyNot.exe process. Running filescan and grepping for .snt gives a StickyNotes.snt file which contains the text

The clipboard plugin works well, but it doesn’t give the flag.

Searching for recovery of deleted data with volatility yields results related to mftparser. Small files are stored resident inside their MFT record's $DATA attribute, so a deleted file's contents stay in the record until it is reused; that is why dumpfiles, which rebuilds a file from its cached data, can come up empty while mftparser still shows the content. Running the plugin and grepping for important.txt gives the flag.

inctf{1_is_n0t_EQu4l_7o_2_bUt_th1s_d0s3nt_m4ke_s3ns3} Good work :P
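The mftparser step above, as an added example that is not part of the original writeup: a parser for the plugin's text output that finds the MFT record for a given filename, reports whether the record is still in use (mftparser prints "In Use" only for allocated records, so its absence marks a deleted file), decodes the resident $DATA hexdump, and searches it for the flag format. The sample output is constructed to match the layout of volatility 2's mftparser, with a placeholder flag rather than the real one.

```python
"""Pull resident $DATA for a filename out of volatility mftparser output.

Added example, not the writeup's own code. SAMPLE is constructed in the
layout of volatility 2's mftparser text output; the flag in it is a placeholder.
"""
import re

SAMPLE = r"""***************************************************************************
MFT entry found at offset 0x1e22400
Attribute: In Use & File
Record Number: 36
Link count: 1

$STANDARD_INFORMATION
Creation                     Modified                     MFT Altered                  Access Date                  Type
---------------------------- ---------------------------- ---------------------------- ---------------------------- ----
2019-08-20 10:12:31 UTC+0000 2019-08-20 10:12:31 UTC+0000 2019-08-20 10:12:31 UTC+0000 2019-08-20 10:12:31 UTC+0000 Archive

$FILE_NAME
Creation                     Modified                     MFT Altered                  Access Date                  Name/Path
---------------------------- ---------------------------- ---------------------------- ---------------------------- ---------
2019-08-20 10:12:31 UTC+0000 2019-08-20 10:12:31 UTC+0000 2019-08-20 10:12:31 UTC+0000 2019-08-20 10:12:31 UTC+0000 Documents and Settings\user\notes.txt

$DATA
0000000000: 68 65 6c 6c 6f 0d 0a                               hello..

***************************************************************************
MFT entry found at offset 0x1e22800
Attribute: File
Record Number: 37
Link count: 1

$STANDARD_INFORMATION
Creation                     Modified                     MFT Altered                  Access Date                  Type
---------------------------- ---------------------------- ---------------------------- ---------------------------- ----
2019-08-20 10:15:02 UTC+0000 2019-08-20 10:15:02 UTC+0000 2019-08-20 10:15:02 UTC+0000 2019-08-20 10:15:02 UTC+0000 Archive

$FILE_NAME
Creation                     Modified                     MFT Altered                  Access Date                  Name/Path
---------------------------- ---------------------------- ---------------------------- ---------------------------- ---------
2019-08-20 10:15:02 UTC+0000 2019-08-20 10:15:02 UTC+0000 2019-08-20 10:15:02 UTC+0000 2019-08-20 10:15:02 UTC+0000 Users\user\Desktop\important.txt

$DATA
0000000000: 69 6e 63 74 66 7b 64 65 6d 6f 7d 0d 0a             inctf{demo}..
"""

# "0000000000: 69 6e ...   ascii" hexdump lines; the hex column ends at the padding.
HEX_LINE = re.compile(r"^[0-9a-fA-Fx]{10}:\s+((?:[0-9a-fA-F]{2} )+)")
# Four "YYYY-MM-DD HH:MM:SS UTC+0000" stamps, then the path (which may contain spaces).
NAME_LINE = re.compile(r"^(?:\d{4}-\d\d-\d\d \S+ \S+\s+){4}(.*)$")
FLAG_RE = re.compile(rb"inctf\{[^}]*\}")


def parse_mft_entries(text):
    """Split mftparser output into entries: in-use flag, record number, names, resident data."""
    entries = []
    for chunk in re.split(r"^\*{10,}\s*$", text, flags=re.M):
        if "MFT entry found" not in chunk:
            continue
        entry = {"in_use": False, "record": None, "names": [], "data": b""}
        section = None
        for raw in chunk.splitlines():
            line = raw.strip()
            if line.startswith("Attribute:"):
                entry["in_use"] = "In Use" in line   # absent for deleted (unallocated) records
            elif line.startswith("Record Number:"):
                entry["record"] = int(line.split(":")[1])
            elif line in ("$STANDARD_INFORMATION", "$FILE_NAME", "$DATA"):
                section = line
            elif section == "$FILE_NAME":
                m = NAME_LINE.match(line)
                if m:
                    entry["names"].append(m.group(1).strip())
            elif section == "$DATA":
                m = HEX_LINE.match(line)
                if m:
                    entry["data"] += bytes.fromhex(m.group(1).replace(" ", ""))
        entries.append(entry)
    return entries


def records_for(text, filename):
    """Entries whose $FILE_NAME path ends with filename, deleted or not."""
    return [e for e in parse_mft_entries(text)
            if any(n.lower().endswith(filename.lower()) for n in e["names"])]


def find_flag(text, filename):
    """(flag, record_in_use) from the first matching record whose resident data has a flag."""
    for e in records_for(text, filename):
        m = FLAG_RE.search(e["data"])
        if m:
            return m.group(0).decode(), e["in_use"]
    return None


if __name__ == "__main__":
    for e in records_for(SAMPLE, "important.txt"):
        print("record", e["record"], "in use:", e["in_use"], "data:", e["data"])
    print(find_flag(SAMPLE, "important.txt"))
```

Only files small enough to be resident (a few hundred bytes) can be recovered this way; for a larger deleted file the $DATA attribute holds cluster runs, and the content has to be pulled from the disk image, not the memory dump.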

Problem statement : A malicious script encrypted a very secret piece of information I had on my system. Can you recover the information for me please?

Solution : Using Volatility pslist we see two notepad processes running. Both process memories are dumped using memdump.

The cmdline plugin is then used to see the command line each process was started with. The command lines of the two notepad process IDs show that they were opened on evilscript.py and vip.txt.

The command strings -e l ./3736.dmp | grep "import sys" -B 1 -A 20 is used to extract the Python script from the memory dump. The -e l option selects 16-bit little-endian (UTF-16LE) strings, which is how Notepad holds its text in memory, so a plain strings run would miss the script. (import is the…
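What the strings -e l | grep pipeline above is doing, as an added example that is not part of the original writeup: a UTF-16LE string extractor with the same printable-ASCII rule as strings, a plain ASCII extractor for contrast, and a grep -B/-A equivalent over the results. The "memory dump" is a constructed byte string holding a short UTF-16LE script, not the real 3736.dmp.

```python
"""strings -e l and grep -B1 -A20 over a process dump, in Python.

Added example, not the writeup's code. MEMDUMP is constructed: a few junk
bytes, a UTF-16LE file name, a UTF-16LE Python script and an ASCII-only string.
"""
import re

SCRIPT = ("import sys\nimport base64\nkey = sys.argv[1]\n"
          "print(base64.b64encode(key.encode()))\n")
MEMDUMP = (b"\x00" * 8 + b"junk\x00\xff\xfe"
           + "vip.txt".encode("utf-16-le") + b"\x00" * 4
           + SCRIPT.encode("utf-16-le")
           + b"ascii only text" + b"\x00" * 8)

# strings' default character class is printable ASCII; runs stop at anything else,
# so each line of a script comes out as its own string.
ASCII_RUN = rb"[\x20-\x7e]{%d,}"
UTF16LE_RUN = rb"(?:[\x20-\x7e]\x00){%d,}"


def strings_ascii(data, min_len=4):
    """Plain `strings`: (offset, text) for printable ASCII runs of >= min_len bytes."""
    return [(m.start(), m.group(0).decode("ascii"))
            for m in re.finditer(ASCII_RUN % min_len, data)]


def strings_utf16le(data, min_len=4):
    """`strings -e l`: (offset, text) for runs of >= min_len printable UTF-16LE units."""
    return [(m.start(), m.group(0).decode("utf-16-le"))
            for m in re.finditer(UTF16LE_RUN % min_len, data)]


def grep_context(lines, needle, before=1, after=20):
    """`grep -B before -A after needle` over a list of lines (fixed-string match)."""
    hits = [i for i, line in enumerate(lines) if needle in line]
    keep = set()
    for i in hits:
        keep.update(range(max(0, i - before), min(len(lines), i + after + 1)))
    return [lines[i] for i in sorted(keep)]


def recover_script(data, needle="import sys", before=1, after=20):
    """The pipeline: UTF-16LE strings, then grep with context around the needle."""
    return grep_context([t for _, t in strings_utf16le(data)], needle, before, after)


if __name__ == "__main__":
    print("ascii strings:   ", [t for _, t in strings_ascii(MEMDUMP)])
    print("utf-16le strings:", [t for _, t in strings_utf16le(MEMDUMP)])
    print("\n".join(recover_script(MEMDUMP)))
```

The ASCII pass sees only the junk and the trailing ASCII text; every line of the script, and the vip.txt name, only appears in the UTF-16LE pass, which is the point of -e l on a dump of a GUI process.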

Anarta Poashan

amateur
