Skip to main content

Huntress CTF Challenge Writeups: VeeBeeeee & Fetch

 

VeeBeeeee: A Microsoft Script Forensics Challenge

VeeBeeeee starts with an extensionless file. When attempting to open this file, we get a bunch of random junk. I used PowerShell to display the content of the file and then dropped the output into CyberChef to decode it. Using the “Magic” function on CyberChef told me that it was a Microsoft Script, and CyberChef applied the Microsoft Script Decoder function to the text blob.


Copy/Pasting the cleartext code into VSCode lets us use the find and replace function to get rid of some of this junk data.


While going through the script and getting rid of the tacked-on strings and characters, we can see that there is an array being built called Request. If we follow the link in this array, we get to a Pastebin file with the flag.





 

Fetch: A Prefetch and WIM File Analysis Challenge

Fetch provided an unknown file with no extension. Like previous challenges, we can use the “file” command to determine the file type. Using the “file” command, we can see that the fetch file is actually a Windows Image Format file (WIM). Using Google, we can find the wimtools suite, which allows for the processing and handling of WIM files on Linux. After installing these tools, we can use the command “wimextract fetch 1 / --nullglob” to extract the files in the WIM file. I forgot to specify an output directory, so I moved all of the prefetch files to a new directory as well.



Eric Zimmerman has a great tool for analyzing prefetch files called PECmd. You can get it from his GitHub or website, alongside many other useful Windows forensics and response tools. In order to process all the files at once, I used a PowerShell one-liner. This puts the output of all the prefetch file analysis into one text file.


After opening the text file in VSCode, I did a simple ctrl+f to find matches to “flag”.



Comments

Popular posts from this blog

Using PGPy to encrypt and decrypt files and messages

 PGPy is a library for python that enables the creation, storage, and encryption/decryption of PGP keys and files in python. Recently, in a small project to reacquaint myself with python, I used PGPy for key generation and encryption and decryption. That project can be found in my github at  https://github.com/lpowell . The goal of the project was to use command-line switches to control the program, and to provide basic encryption and decryption capabilities, along with rot13 and base64 encoding.  First, to load in a key use key, _ = pgpy.PGPKey.from_file(keyfilename) . This loads the key from either a binary or ASCII armored file. You can swap out .from_file for .from_blob , if you plan on using a key stored in a string or bytes object rather than a file. In my example code, I pull the key from a file, as I found it to be the simpler method.  Next, you'll need to open a file or create a string or bytes object that contains the message you wish to encrypt. We'll cal...

Using the Ubertooth One to sniff and intercept Bluetooth packets

While researching for my individual video project I came across this tool which allows for the sniffing and interception of bluetooth packets. This article covers some of the basic functionality of an Ubertooth One.  It's really quite interesting to see all the possibilities with devices like these. The tech behind them is very interesting as well. Hopefully, I'll be able to integrate some of this technology into my project video and include a demo of some of the interesting things it can do.

Installing the Ubertooth on the Mac mini M1

 For my video project, one of the demonstrations included using an Ubertooth One to scan for Bluetooth and BLE packets. This blog post will cover the installation of the Ubertooth One on the Mac mini M1. The official install guide for Mac devices didn't work very well for me, and I had to install some extra tools in order to get it to work. The examples assume you are using Python 3, and have homebrew installed.  To begin, follow the instructions found here:  https://github.com/greatscottgadgets/ubertooth/wiki/Build-Guide . Additionally, you may find that you need to install pytq5, numpy, and qtpy. To do this, simply run Python3 pip install pyqt5, numpy, qtpy. This will install the required libraries needed to run the Ubertooth tools. There are multiple ways to install pip on an OS X device, but I suggest using homebrew to install python3, which should install pip as well. Next, you will need to update the firmware of the device. When downloading the tools, a firmware di...