“DEADFACE is a group of hackers founded in 2018. We are a collection of pentesters, hobbyists, and activists. In the spirit of Halloween we come together to wreak havoc on the population. We target big banks, schools, social media, anything we can get our hands on.
Our mission is cause as much mayhem on IT systems as possible. October is our prime month. We strike terror into the hearts of poor doughy IT bois at these big companies. We do this by grabbing password hashes, breaking systems, and stealing personal and proprietary data.”
We are given a short code and then this image to download. The image is interesting because it has a time and date, and also an IP address. Maybe those will come in handy later?
The code is solved easily using an online tool:
So we are looking for more info on Ali Tevlin. Let’s check out what we already know from the intel page:
A quick Google search pulls up a Facebook page:
Um…ok.
He lists his company in plain sight, so this is an easy one.
We’re continuing with our investigation on Ali. This one is also very easy:
And another! If you check out the “About Me” section of his profile, he has his birthday conveniently filled out.
For this one we are given a .pcap file to analyze using Wireshark or something similar.
If you go to the top and export the HTTP objects:
A window will pop up that shows you the name of the executable file that was transferred:
Another .pcap file to analyze. I saw an HTTP packet that looked questionable, so I right-clicked and chose to follow the stream:
I think this is what we are looking for, because you can see it’s disguised as a picture file but is actually a program:
Windows freaked out when I tried to download it, so I used my Kali VM. I used the same process as the last question to export the HTTP objects. Then I saved it to my Desktop so I could check the hash.
You can get the hash by using md5sum:
Remember to delete that file from your system.
For this one I just sorted by protocol to get to all the HTTP packets, then found the .dll file transfer that I was looking for:
The source address is requesting it, so the destination address was the one that delivered it.
Looks like we are logged in with luciafer:
I was able to find three of the flag locations right off the bat using the find command:
Flag1 came easily, but I will need to get different permissions to read the others:
I found Flag2 by exploring around a bit. It was in the luciafer’s Documents:
I could have used different syntax with my initial find search in order to avoid missing it:
While checking the SUID bit sets, I noticed something weird called “ouija”. It apparently lets you read files in the root directory:
It worked! Now I just need Flag3. I need spookyboi’s password.
So I found this question and was hoping it would give me a password to try for spookyboi on the SSH server.
I opened it up in the SQLite Browser on Kali. There are two tables of interest, passwd and users:
Here are all the users:
And here are their corresponding passwords:
Spookyboi is number 8. I used CrackStation to get his password in plaintext:
Now let’s see if it works for our other question:
Woooow, spookyboi. Maybe you should change your password…
With the help of the old database from the web server he used to run, I found spookyboi’s password and was able to get Flag3.
For this one, I basically just opened it up in a text editor, pressed CTRL+F and searched for “Lucia”.
I also found a username for her, so maybe that will come in handy later.
This one uses the same file as the last question. If you noticed my screenshot of Lucia’s email, it shows that she is #49 in the database. So I just scrolled all the way to the end and looked at the last entry.
900 users.
If you look at the order in Console.WriteLine, you can see how the message will output.
I just used steghide here:
I used Stegsolve to find this one. In the grey bit plane you see this:
You can see here that the ‘middle’ value is set to DEFAULT NULL. So that’s the first part of the flag.
I started overthinking the second part, but eventually just chose the simplest option I could think of, which worked:
flag{middle, SHOW}
We know that HTTPS traditionally uses port 443, so I just looked through the packets until I found one that was using it:
This was frame #665
For this one I searched online for past attacks on financial institutions, but of course many different types came up. I just kept trying a bunch until eventually “watering hole” worked.
My accuracy really took a hit here, lol.
Donnell’s turn in the spotlight:
For this one, read the message from top to bottom:
“Remember to tell Spookyboi about the new targets of our next attack”
I am really bad at forensics, so I was avoiding these ones. I just downloaded a tool called volatility today because I saw everyone talking about it in the Slack channel.
I then found a blog post that shed some light on what I would need to do:
Frankly, I just guessed the PID…and astonishingly got it right on the first try. I chose 3348 because it had “mem” in the name.
Feeling good about my forensics success, I attempted the next question that dealt with the same mem.raw file. Using that very same blog post to guide my efforts, I noticed that explorer.exe was listening on port 6666, which seemed weird.
I also noticed that there was an established session going on.
On this one I tried basically every tool I could think of, until I eventually found some random tool online (HERE) that worked perfectly.
For this one I looked for HTTPS traffic involving that particular IP address:
Then I looked through the TLS details to find the Certificate information:
After finding the Ghost Town forums, HERE, I started looking through the posts, eventually finding THIS one:
That link brings you to this weird coded string in pastebin:
I was confused at first, but looking back at the forum, you see this gif of Shrek:
That’s a major hint that you should use TOR (The Onion Router). You just need to put .onion on to the end of that string of characters and you will be directed to the DEADFACE website.
If you use “Inspect Element” you will see this:
So that weird statue on Ali Tevlin’s Facebook page is actually the main hint for this question. You can see he posted about it in August:
I did a Google Image search and found a bunch of hits:
On this one I used a website called Packet Total because sometimes it can recognize Malware Signatures.
Here we can see a couple instances of the Trojan, Dridex.
Here, I searched for DNS traffic and saw one that looked pretty weird down at the bottom:
It was “vlcafxbdjtlvlcduwhga.com”
Last but not least…this one drove me crazy. If you look up that picture you are immediately drawn to a Wikipedia page about the “Danse Macabre”, the Dance of Death.
I scraped that page with CeWL to create a custom wordlist, which did not work. Then scraped a couple links connected to that page, which also did not work.
After that I figured I would just throw it in stegcracker with rockyou and move on to other things. About 4 hours later, I accidentally closed that terminal…lol.
At that point, I realized that the wordlist from CeWL wouldn’t work if the capitalization was off, so I went through that page by hand and just picked a list of the top names that stuck out to me. Things that might not be in rockyou.
And it worked!
I really loved this CTF! I liked how a lot of the questions provided information and insight into other questions, and especially the backstory about the different personalities of DEADFACE. You can tell a lot of thought went into this. There was even a Spotify playlist to get you in the mood!
I also appreciated the diversity of skill level required. I hope to see another Hacktober next year.
Happy Hacking! ❤
