I took part in the SecDSM MiniCTF in April of 2023 which involved some DNS OSINT, encrypted 7-zips, TOR knowledge and printer pwning.
At 12 PM, the website with the challenge was released. The site read:
Henry Hacker is in jail and is looking to fly the coop. You're in cahoots on the outside. He's printing the instructions for where/when you need to meet him. He's managed to sneak some information on chickenfliesthecoop.hackmeinc.com. It's a place where you've exchanged messages in the past.
My first instinct was to try to visit that domain in my web browser, that didn't work. Thinking the site was down, me and a few other people hopped into a Discord voice chat to try and understand what was going on. Eventually we tried to find hidden domains using Dns Spy, I brute forced for domains using Lepus as well as scanning the HTTP directory with dirbuster on the challenge page.
This revealed an instance of Office 365, the only hint we were given was A video on takeover with Lateral Movement of an organization. With this in mind, the first thing I assumed was we were going to start a takeover through a phishing link. I crafted up a very simple email to see if that was part of the challenge.
Rats! It's not happening this way.
While I was trying this, somebody managed to discover credentials in the video I mentioned worked on Office 365 and it had admin credentials. It kind of lined up that the next challenge may have involved finding some clue that lead to a compromised system, we searched several inboxes on the domain for any indications it had a path to another system. I went with a user that had a security alert that their endpoint had accessed a tor address, it seemed like a red flag.
I searched through that email and didn't find any letters that were direct clues, I found some deleted letters that had information about meetings, but that lead nowhere except to waste my time.
The group in the Discord voice chat decided to ask Tom(CTF runner) if O365 was part of the challenge, turns out the answer was NO. Everybody spent an hour sifting through a configured Office 365 which was probably being used for another training course or something.
Back on topic.
After spending time towards something unrelated, the ad-hoc group that formed initially went back to scanning DNS. Behold! A TXT record was discovered.
VGhlc2UgYXJlIGNyZWRlbnRpYWxzIHRvIGEgaG9zdCBvbiBvdXIgc2hhcmVkIGhvc3QuOnRvdHNsZWcuaXQvc2VjZHNtY3Rm
After decoding this from Base64, it was apparent what the next step was.
These are credentials to a host on our shared host.:totsleg.it/secdsmctf
Going to this url takes you to another Base64 string
N3q8ryccAATGmTVWQAIAAAAAAADqAAAAAAAAAJNCiMijlpZraxOYjuywpB/mCvCHcrYYzB5I/Z2i
xv0S7K7HvnTC2EnORwS581OMX3SkwIYN3LZZAq+LkUI/5HqU1rFGVt8q85qum/GiaBcdgIGgJtCk
br0yISzdMsHQ5tCPepal8N8S8VXBkoB5oOv2J6ma/KJbkzi3OacuQQ65psYHc7lBGzAXXCqh8Xbe
4cTm0BujsleNq5XcDZG4CUbxTbgafUqZp0ihFCsyGt4KpUjYNPKgVPrVuJUn0p+7nNDUdtLV7NSI
IWX5KfHtiESUgBnkXkjARJ/eJp1vGuwwo+ROBiEnKv+Z/aRbN5acwYX0Wl2OfCJLXiswsNoykzCS
mt9rTzOPxkD/qQej9xurroDTwawwTk2F2aCl7KYbp0xHUaJgGkt5n30xy8pSACailjvt7OLKKA8/
Vcnw2MPLJDmozDAlqby8ThdUrD/btv+rUi0vTFG8D3idBwQPpMsiFZISwmMzrPHwOAE7OQ0WJfLP
U04QFUPeTbZAagIVH57ryg2jELyUpZagN7YF2J1T2KG4jzsQTixcsZImM2QWGVnDE3AbuHjLegMS
9FfPC4KSamenT5QikFutHjFXpWpzaON1ppmd8TFft6aWezOZe4mYWtAfMBdaWfOXladADxBsKMxV
KEUEM/pQPF08sxh5c0oBdvxnMrvMGdQLmzxzZKGHVhrxwP3UqpY+c5DquQAsd4SeU+SAnrIokoio
icsWuBy8V4fGv9t1Uktb5qQFhRyvISqhjm2uJji8XYstg4SNp0MBBAYAAQmCQAAHCwEAAiQG8QcB
ElMP01LCEpsGn8ay7hzOP0cMWiEhAQABAAyCN4KCAAgKAUt7V9cAAAUBGQ0AAAAAAAAAAAAAAAAA
EYCDAFQAaABlAHMAZQAgAGEAcgBlACAAYwByAGUAZABlAG4AdABpAGEAbABzACAAdABvACAAYQAg
AGgAbwBzAHQAIABvAG4AIABvAHUAcgAgAHMAaABhAHIAZQBkACAAaABvAHMAdAAuACAAVQBzAGUA
IAB0AGgAZQAgAHUAcwBlAHIAAAAZABQKAQCAyamolWbZARUGAQAggKSBAAA=
Decoding this spit out a 7-zip file, an interesting turn.
Attempting to extract it reveals it was encrypted, however I still had the ability to list the files.
Considering it was encrypted, the first thing I tried to do was crack it, I decided to run rockyou against it. This took me about an hour on my graphics card. Nothing.
I then went to look at the first Base64 string, that "Use the user" text from the encrypted archive stuck with me. Looking at the first part, there was a colon in the text. That's it! That's the user! I tried that as the password and it worked!
Looking at the extracted file, it reminds me of nesting dolls.
I tried the password again, and it didn't work. Somebody mentioned they got the archive to extract using the file name as the password, that worked, there were a few more 7zip files to open, I'll just show the result.
The final file name was These are credentials to a host on our shared host. Use the username henry and password KCNKB2yJvaVJqz8hX9lnZUkxb
Inside of this file was another Base64 string, decoding this revealed an onion url.
I attempted to visit the onion URL provided as if it were a web server, and like before I was stumped. Not as long this time.
I tried SSH as I had seen a username and password and suspected it might be using ssh
Welcome to the pivotnet! it proclaimed, and disconnected. Hmm... SSH is known for being a way to connect to a shell remotely, but SSH can also be used to forward traffic.
I set up a SOCKS proxy with ssh using the following command to proceed
torify ssh -D 8888 -N henry@geqexk3birqwpp3zrlqk2wyjeqhi2gsnxgejwq5h3vyff2fsc4kwumyd.onion
The message from the SSH server mentioned there was a target at 192.168.1.2, so I simply tried to visit the IP like a webpage.
We have found a printer, now I can connect the dots with the clue video that was mentioned before the CTF opened!
I went to set up a mock LDAP server using the same tricks mentioned in the video
I attempted the steps shown in the video to dump credentials from the printer like shown in the video, however there was a technical issue with the CTF and the password was missing, I didn't know this at the start. I started attempting to scan the pivot network for any clues that there were other hosts I had to visit. I ended up doing this for a few hours before Tom came in to fix the bug.
With the CTF bug eliminated, I was able to change the LDAP server on the printer to my mock server and I had it send me the creds!
And there's our flag in the authentication field! Mission success!
In conclusion, I had a great time participating in the SecDSM April 2023 CTF. I learned a lot more about printer security and things you can use TOR for, and I met some great people along the way.
I am grateful for the opportunity to have participated in this event, and I look forward to participating in future CTFs.
I would like to offer some advice to other CTF participants. First, don't be afraid to ask for help. There are many people who are willing to help you learn and pass a roadblock. Second, don't give up. CTFs can be challenging, but they are also very rewarding. Finally, have fun! CTFs are a great way to learn and challenge yourself.
- Jordan