BruCON 0x0B Student CTF: Fake Malware

After participating in the BruCON Student CTF this year, my team ended up being second. This meant the four of us won tickets for the main BruCON 0x0B event.

One of the challenges at the Student CTF was named “Fake Malware”. We were given a password-locked ZIP file to start off with. Finding the password of this ZIP file was easy using fcrackzip.

Cracking the ZIP password using the default rockyou.txt wordlist

As expected, the ZIP file contained a Windows executable. So, heading over to my Windows 7 CTF virtual machine, I ran the executable in Sandboxie. I received a message box.

Since the program terminates after clicking “OK”, I have to leave the message box open

Now what I usually do is check both registry changes and file changes within the sandboxed environment. I was able to recover a file called challenge.bat. This file contained a Base64-encoded PowerShell command.

PowerShell -enc uses Base64

After copying the Base64-encoded string, I went back to Kali, decoded the string, and wrote the output to a file named outFile. After that, I used the file command to determine what file type the decoded string was.

root@kali: echo "<verylongBASE64string>" | base64 -d > outFile
root@kali: file outFile
outFile: gzip compressed data, last modified: Sat Jul 6 10:30:03 2019,...
root@kali: mv outFile file.gz
root@kali: gunzip file.gz

The unzipped version contained another function with, again, a Base64-encoded string

After decoding the second Base64 encoded string, I finally found the flag.
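
The manual base64 / file / gunzip loop above can be automated for triage. The following is an added example, not code from the original post: it peels Base64, gzip and UTF-16LE layers statically, without running any of the decoded content, and goes slightly beyond the walkthrough by also handling the UTF-16LE text that PowerShell's -EncodedCommand expects. The sample input, the flag value, the 24-character minimum run length and the names `peel` and `build_sample` are constructed assumptions.

```python
import base64
import binascii
import gzip
import re
import zlib

B64_RUN = re.compile(rb"[A-Za-z0-9+/]{24,}={0,2}")  # assumed minimum run length
MAX_OUT = 1 << 20  # cap decompressed size so a hostile stream cannot exhaust memory

def peel(data: bytes, max_layers: int = 8):
    """Unwrap Base64 / gzip / UTF-16LE layers statically; nothing is executed."""
    steps = []
    for _ in range(max_layers):
        if data[:2] == b"\x1f\x8b":  # gzip magic, what `file` reported above
            data = zlib.decompressobj(wbits=31).decompress(data, MAX_OUT)
            steps.append("gunzip")
        elif (len(data) >= 4 and len(data) % 2 == 0
              and data[1::2].count(0) == len(data) // 2):
            # ASCII text stored as UTF-16LE: every second byte is zero
            data = data.decode("utf-16-le").encode("utf-8")
            steps.append("utf-16le")
        else:
            runs = B64_RUN.findall(data)
            if not runs:
                break  # no further encoded layer: this is the final content
            try:
                data = base64.b64decode(max(runs, key=len), validate=True)
            except binascii.Error:
                break  # longest run was not valid Base64; keep what we have
            steps.append("base64")
    return steps, data

def build_sample() -> bytes:
    """Constructed stand-in for challenge.bat: Base64 -> gzip -> script -> Base64."""
    inner = base64.b64encode(b"FLAG{constructed_sample_not_the_real_flag}")
    stage2 = b'function Show-It { $s = "' + inner + b'" }'
    return b"@echo off\r\nset PAYLOAD=" + base64.b64encode(gzip.compress(stage2)) + b"\r\n"

if __name__ == "__main__":
    steps, final = peel(build_sample())
    print(" -> ".join(steps))
    print(final.decode())
```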

Overall, this was a pretty straightforward but fun challenge!
