After participating in the BruCON Student CTF this year, my team ended up in second place. This meant the four of us won tickets for the main BruCON 0x0B event.
One of the challenges at the Student CTF was named “Fake Malware”. We were given a password-locked ZIP file to start off with. Finding the password of this ZIP file was easy using fcrackzip.
As expected, the ZIP file contained a Windows executable. So, heading over to my Windows 7 CTF virtual machine, I ran the executable in Sandboxie. I received a message box.
Now, what I usually do is check both registry changes and file changes within the sandboxed environment. I was able to recover a file called challenge.bat. This file contained a Base64-encoded PowerShell command.
After copying the Base64-encoded string, I went back to Kali, decoded the string and wrote the output to a file named outFile. After that I used the file command to determine what file type the decoded data was.
root@kali: echo "<verylongBASE64string>" | base64 -d > outFile
root@kali: file outFile
outFile: gzip compressed data, last modified: Sat Jul 6 10:30:03 2019,...
root@kali: mv outFile file.gz
root@kali: gunzip file.gz
After decoding the second Base64 encoded string, I finally found the flag.
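The same Base64 → gzip → Base64 peeling can be automated so an analyst does not have to shuttle each layer through base64 -d, file and gunzip by hand. The script below is an added example, not code from the challenge or the write-up; the sample payload it builds is constructed here to mirror the layering described above, and the flag value is a placeholder.

```python
import base64
import binascii
import gzip

GZIP_MAGIC = b"\x1f\x8b"  # first two bytes of every gzip stream


def peel_layers(blob: bytes, max_depth: int = 8):
    """Repeatedly strip Base64 and gzip wrappers from an encoded payload.

    Returns (innermost_bytes, list_of_layer_names). Stops when the data is
    neither gzip nor valid Base64, or when max_depth is reached (guards
    against short text that happens to decode as Base64 forever).
    """
    layers = []
    current = blob
    for _ in range(max_depth):
        if current[:2] == GZIP_MAGIC:
            current = gzip.decompress(current)
            layers.append("gzip")
            continue
        # Obfuscated scripts often wrap Base64 across lines; drop whitespace first.
        compact = b"".join(current.split())
        try:
            decoded = base64.b64decode(compact, validate=True)
        except (binascii.Error, ValueError):
            break  # not Base64: we have reached the innermost layer
        if not decoded:
            break
        current = decoded
        layers.append("base64")
    return current, layers


def to_text(data: bytes) -> str:
    """Render the innermost layer; PowerShell -EncodedCommand payloads are UTF-16LE."""
    if b"\x00" in data:
        return data.decode("utf-16-le", errors="replace")
    return data.decode("utf-8", errors="replace")


def build_sample(inner: bytes) -> bytes:
    """Constructed sample in the challenge's shape: base64(gzip(base64(inner)))."""
    return base64.b64encode(gzip.compress(base64.b64encode(inner)))


if __name__ == "__main__":
    sample = build_sample(b"FLAG{constructed_placeholder_flag}")
    final, layers = peel_layers(sample)
    print("layers removed:", " -> ".join(layers))
    print("innermost:", to_text(final))
```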
Overall this was a pretty straightforward, but fun, challenge!