C0SM0

USB Drive

Updated: May 4, 2022

A NahamCon CTF 2022 Challenge...


Hey Hackers! The SAINTS have just completed NahamCon CTF 2022! This writeup is for the "USB Drive" challenge. I'll have a video walkthrough attached below in case you are more of a visual learner.

// Prompt:

USB Drive was a malware-themed challenge that gave us an ADATA_128GB.lnk file. Link [LNK] files are shortcuts that point to executable files. You will often see them on your desktop as a way to run programs. In this case, the link file was used to execute malware. But it was confusing at first.


// Executing The Link:

I put our link file in FlareVM. Flare is an Operating System used for malware analysis. I have a tutorial on how to install it here. We executed the link file, but it simply opened cmd.exe. I checked the file properties and saw that the file simply executed cmd.exe, and nothing else.

After some research, it turns out that link files have a character limit of ~260 characters. So a hacker can put a large amount of white space between the executable and any attached commands they want to run, which pushes those commands out of view in the file properties. I opened the link file in a hex editor and saw the attached code at the very bottom.

At the bottom, from hex address 0x3E0 to 0x410, we can see a weirdly formatted link in the ASCII section. I threw the text into Notepad and fixed it up to find the following link.
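As a defender-side check for the padding trick described above, this added example (not part of the original writeup or the challenge files) reads a shortcut's argument string following the MS-SHLLINK layout and reports whitespace runs and any text past the ~260-character mark. The function names, the cp1252 fallback for non-Unicode links and the sample bytes are assumptions made for illustration.

```python
import re
import struct

# LinkFlags bits from the MS-SHLLINK specification
HAS_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_REL_PATH, HAS_WORK_DIR, HAS_ARGS = 0x04, 0x08, 0x10, 0x20
IS_UNICODE = 0x80
VISIBLE_LIMIT = 260  # the ~260 character limit mentioned in the writeup

def lnk_arguments(data: bytes) -> str:
    """Return the COMMAND_LINE_ARGUMENTS string of a shell link, or ''."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a shell link: bad header size")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76                      # the fixed header is 0x4C bytes long
    if flags & HAS_ID_LIST:       # 2-byte size, then the ID list itself
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:     # 4-byte size that counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    # Assumption: non-Unicode links are decoded as cp1252
    width, codec = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
    # StringData entries appear in this fixed order, each length-prefixed
    for bit in (HAS_NAME, HAS_REL_PATH, HAS_WORK_DIR, HAS_ARGS):
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        raw = data[pos + 2 : pos + 2 + count * width]
        if bit == HAS_ARGS:
            return raw.decode(codec, errors="replace")
        pos += 2 + count * width
    return ""

def triage(data: bytes) -> dict:
    """Summarise signs of padded or over-long shortcut arguments."""
    args = lnk_arguments(data)
    runs = re.findall(r"\s+", args)
    return {
        "length": len(args),
        "over_visible_limit": len(args) > VISIBLE_LIMIT,
        "longest_whitespace_run": max(map(len, runs), default=0),
        "beyond_limit": args[VISIBLE_LIMIT:].strip(),
    }

def constructed_sample() -> bytes:
    """Constructed test input: bare header plus padded, harmless arguments."""
    args = "/c" + " " * 300 + "echo constructed-sample"
    header = struct.pack("<I16sI", 0x4C, bytes(16), HAS_ARGS | IS_UNICODE).ljust(76, b"\0")
    return header + struct.pack("<H", len(args)) + args.encode("utf-16-le")
```

Calling `triage(open(path, "rb").read())` on a real shortcut gives the same report; a truncated file raises `struct.error` rather than returning partial data.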


// USB.TXT:

I searched the URL to discover that the link was broken. It took me to a different website every time I searched it. Eventually, I came across Tinyurl.com. I connected the dots and added a "T" to the beginning of our URL. Once I searched our new link, it opened a usb.txt file we could download.

The contents of the usb.txt file were some sort of encoding. So I threw it into CyberChef using their Magic setting and was returned a Windows Portable Executable. I saved it as a download.dat file so we could perform some more analysis on it.


// Execution:

I ran a file command on the download.dat file and saw that it was a PE32 DLL file.

I renamed download.dat to download.dll. I loaded our DLL into Flare so we could continue the analysis. I opened an x64 Native Command Prompt. It is a command-line interface that comes with developer tools. I ran the following to get the exports.

dumpbin /exports download.dll

The two exports we got were _DllMain@12 and _MessageBoxThread@4. We can run the main function to get the flag.

rundll32 download.dll,_DllMain@12

Thanks for reading, and as always,


Happy Hacking!


© 2022 by Cosmodium CyberSecurity LLC
