Huntress Capture the Flag - A CTF Marathon
Throughout October, as part of Cyber Security Awareness Month, the team over at Huntress put on a ~30 day Capture the Flag event with 58 unique challenges.
First and foremost, kudos to the organizers for pulling off an event of this size and duration. There were only minor technical difficulties noticed throughout the month, and on more than one occasion those were due to people not observing the rules and using brute force tools where they weren’t needed (or allowed.)
Overall, I found the event to be a great learning experience that challenged me, increased my confidence, and gave me an avenue to pursue skills I want to develop further.
The challenges covered a wide area of subjects with the majority being DFIR related. The categories included:
- Warm Ups (14)
- Forensics (10)
- Malware (16)
- M365 (4)
- OSINT (3)
- Steganography (1)
- Miscellaneous (10)
Today the final challenge of the event, graced us with another lovely malware sample to analyze.
I was very pleased with myself at having solved nearly 80% of the challenges. There’s still another 20 or so hours to go, so we’ll see if that improves any further. The only categories I didn’t have 100% in were Miscellaneous and Malware. I think this is fair considering my skill levels. The Malware scenarios were appropriately challenging for someone newer to this area. This is an area that I’ve been developing my skills in more recently. I’m looking forward to seeing others’ write-ups on those challenges where I didn’t make it all the way through, and following along with my own data.
Tools used in the CTF
I added a number of new tools to my toolkit throughout the CTF, and got more experienced with some old friends as well. Depending on the challenge I switched between operating systems including MacOS, REMnux (Linux), and a customized Windows VM with a plethora of malware analysis utilities. By the end of the event the tools used included:
- PowerShell
- Strings
- CyberChef
- Gimp
- Curl
- Firepwd.py
- rita
- the_silver_searcher
- nmap
- dcode.fr
- meld
- Cutter
- Ghidra
- Python
- ChatGPT
- Google Chrome Developer Tools
- iSteg
- exiftool
- Google Lens
- Google Maps
- detonaRE
- Process Monitor (procmon)
- Visual Studio Code
- Site Sucker
- 7zip
- Magnet AXIOM
- olevba
- x64dbg
- AADInternals
- Microsoft Excel
- Event Viewer
- chainsaw
- PowerDecode
- PowerShell ISE
- rclone
- Volatility3
- hashcat
- impacket
Write-Ups
Over the next few days I’ll be releasing the write-ups on how I solved each of the completed challenges. The organizers requested that no solutions be posted until 24 hours after the conclusion of the CTF.
Based on the amount of content, I’ll be breaking the write-ups down by week number (1-4) and challenge category.
Wednesday:
Thursday:
Friday:
Saturday:
You can follow along through the week, or come back on the weekend to read them all.
Once again, I want to extend my thanks to the Huntress team for a great event. I hope you’ll follow along with my solutions, and please comment with other ways to solve if you have them. It’s all about the learning.
Use the tag #HuntressCTF on BakerStreetForensics.com to see all related posts and solutions for the 2023 Huntress CTF.