Department of Defense CyberSentinel Challenge Write Up

CyberQueenMeg
6 min read · May 19, 2024

I was selected to compete in the CyberSentinel Capture the Flag competition hosted by Correlation One and the United States Department of Defense. It was an 8-hour long competition with several technical categories. I placed 201st out of approximately 5,000 challenge participants who were selected to compete from an application. I was able to complete 6 of the competition challenges, written up below.

Have you bean here before? (OSINT)

In this challenge, we were given a photograph and were tasked with identifying the MAC address of the WiFi network that the person who took the photo was connected to:

I first tried to determine if the image had any location metadata attached to it but was unsuccessful. I then read the coffee cup which said PAUL. I googled the company and found that it was a worldwide coffee chain with one location in the United States — in Washington DC. I went to Google Maps in streetview to confirm the location, which was the location this photograph was taken at.

Then I had to figure out how to find the WiFi address at this coffee shop. I did some research and found that I had to use a tool called WiGLE to find the WiFi network as well as the MAC address. I entered the address of the coffee shop, looked at the entry for their guest WiFi, and then found the MAC address, which was the flag.

Printer (Web Security)

This challenge was a very basic introduction to web security. I was presented with a login page that I had to access to get the flag. I checked the robots.txt endpoint of the site (one of the first things I check when doing web challenges for CTFs) and saw that an endpoint /notes.txt was blocked from crawlers. I navigated to the /notes.txt endpoint, obtained the password, and signed into the website to successfully find the flag.

NOTE: Many of the web challenges had technical difficulties throughout the competition, so I was not able to attempt them. I came close on the web challenge having to do with Git versions, JWTs, and environment variables but was not able to solve it. Therefore, I focused more of my attention on the forensics and malware analysis components of the challenge as these are areas I am looking to learn more about.

Filing Problem (Forensics)

In this challenge, we were given a corrupted file that we had to uncorrupt to get the flag. I opened the file in GHex and saw that it was supposed to be an Adobe Acrobat file. I then manually edited the hex code to include the magic number for PDF files and changed the file type to .pdf. I was then able to load the PDF. Some of the text was redacted, so I had to select the text in order to read it and obtain the flag.

Exfil (Forensics)

This was my favorite challenge — it was incredibly unique and creative. I will also be releasing a video on this challenge which I will link to this post.

We were given a .pcap file to analyze in Wireshark for a hidden message. When analyzing the packets, I noticed lots of DNS requests to a site called SUB[.]data[.]exfiltrated[.]com, with unique subdomains that seemed to represent codes in the SUB position of the URL. The challenge hint suggested filtering the traffic with the filter `dns.qry.name contains "data.exfiltrated.com" && ip.dst == 8.8.8.8`, which confirmed my thinking that the URL contained the data. I filtered the traffic to only that data, and the only traffic left was the web requests to the URL described above. I then used tshark, a command-line interface to Wireshark, to print only the URLs. I copied the output into a text file, where I removed the .data.exfiltrated.com portion and made sure all of the subdomains were combined into one long string. I then went to my favorite cipher identifier and input the code, which came back as Base32. I then attempted to decrypt the code and received a file in return. The first time I attempted this process, I messed up the text edit process and received a corrupted file. I opened it in GHex and noticed it was created in GIMP, a photo editor (shown below).

I redid my subdomain cleanup and combination process using the process listed above (I had used perplexity.ai to do it automatically for me the first time which messed it up), recracked the cipher, and to my amazement, received an IMAGE back, which had the flag.
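The subdomain cleanup, concatenation and Base32 decode described above, as an added example that is not part of the original write-up. The query names and the payload are constructed here (the domain suffix is the one from the challenge; the `make_sample_queries`, `reassemble` and `identify` helpers are my own); it also shows two details that break a manual attempt: DNS labels can arrive lowercased, and the `=` padding cannot be carried in a label, so both must be restored before decoding.

```python
import base64

# Constructed sample, not from the original capture: each DNS query name carries one
# Base32 chunk in its leftmost label, the way the write-up describes.
SUFFIX = ".data.exfiltrated.com"

MAGIC = {  # file signatures worth checking once the payload is reassembled
    b"\x89PNG\r\n\x1a\n": "PNG image",
    b"GIF8": "GIF image",
    b"\xff\xd8\xff": "JPEG image",
    b"%PDF-": "PDF document",
    b"gimp xcf ": "GIMP XCF image",
}

def make_sample_queries(payload: bytes, chunk: int = 16) -> list[str]:
    """Encode payload as Base32 and split it across query names (test fixture only)."""
    enc = base64.b32encode(payload).decode().rstrip("=")  # '=' is not a valid DNS label char
    return [enc[i:i + chunk].lower() + SUFFIX for i in range(0, len(enc), chunk)]

def reassemble(query_names: list[str], suffix: str = SUFFIX) -> bytes:
    """Strip the exfil domain, join the labels in order, and Base32-decode the result."""
    labels = []
    for name in query_names:
        name = name.rstrip(".")
        if not name.lower().endswith(suffix):
            continue  # unrelated query that slipped through the display filter
        labels.append(name[:-len(suffix)].replace(".", ""))
    blob = "".join(labels).upper()     # DNS is case-insensitive; the Base32 alphabet is uppercase
    blob += "=" * (-len(blob) % 8)     # restore the padding the sender had to drop
    return base64.b32decode(blob)

def identify(data: bytes) -> str:
    """Name the file type from its leading bytes, or report that the header is unknown."""
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return "unknown"

if __name__ == "__main__":
    sample = b"\x89PNG\r\n\x1a\n" + b"constructed image body"
    queries = make_sample_queries(sample)
    recovered = reassemble(queries + ["www.example.com"])
    print(identify(recovered), len(recovered))  # PNG image 30
```

On a real capture, the list passed to `reassemble` would come from `tshark -r capture.pcap -Y '<filter>' -T fields -e dns.qry.name`, keeping the queries in packet order.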

I did not know that images could be represented in Base32 code, and was totally amazed by the whole process and the output. It got me thinking in the mindset of a person who might use this to transmit sensitive information in a way that only an extremely skilled person could ever detect.

Packer’s Paradox (Malware & Reverse Engineering)

This challenge was my first attempt at reverse engineering malware! We were given a defanged C2 Windows binary to find a flag in. I downloaded Ghidra to attempt to analyze the file but was only able to access the first layer. This malware was packed, with multiple layers in it. I then found an incredibly useful site called UnpacMe, to which I uploaded the file; it automatically unpacked it and showed me the different layers of the file. In addition, it provided tons of useful information about each layer, some of which is shown below:

I found the flag in the Strings section of the child layer. While this tool automatically unpacked the malware for me, I look forward to learning more about how to manually perform this process!

Important Document (Malware & Reverse Engineering)

This challenge presented us with a phishing web page to find the malware (flag) in. I inspected the elements of the webpage and found some obfuscated JavaScript code that looked suspicious.

I used a JavaScript deobfuscator to deobfuscate the code and found a suspicious-looking hash.

I decoded it from Base64 and it was still scrambled. I then determined it was ASCII cipher text and decoded it using dcode.fr again and got the flag:

Overall, this challenge was very advanced, but I learned a lot! I’m proud of placing among the top 4% of competitors, but I’m more proud of myself for learning and growing continuously and persevering through technical challenges.

Thanks again to CorrelationOne and the United States Department of Defense for hosting this wonderful challenge!

CyberQueenMeg

GCU ‘25. DFIR Intern @ Cisco, Cybersecurity/tech nerd, musician (violin, piano, & guitar), Christian, and bug bounty hunter.