In this article, I will be demonstrating my approach to completing the Recovery Capture The Flag (CTF), a free room available on the TryHackMe platform created by _deltatemporal_. I have provided a link to the TryHackMe platform in the references below for anyone interested in trying out this CTF.


Disclaimer

I like to add a brief disclaimer before a writeup to encourage people to attempt the room before reading this article, since there will obviously be spoilers in this writeup. I believe you will enjoy the CTF more if you attempt it yourself first and then come back to this writeup if you get stuck or need a hint!

This is not your conventional CTF, and so I found myself finding some flags before others. This will be reflected in my writeup, so just search for the flag you are stuck on if you don’t want any spoilers for other flags. Without any further delay, let's dive in!


CTF Background — Help Alex!

The following background is provided for the CTF and I have highlighted some important pieces of information in the description provided. Always read the challenge description carefully!!! (foreshadowing 😅)

Hi, it’s me, your friend Alex.

I’m not going to beat around the bush here; I need your help. As you know I work at a company called Recoverysoft. I work on the website side of things, and I set up an Ubuntu web server to run it. Yesterday one of my work colleagues sent me the following email:

_Hi Alex,_

_A recent security vulnerability has been discovered that affects the web server. Could you please run this binary on the server to implement the fix?_

_Regards_

_- Teo_

Attached was a linux binary called fixutil. As instructed, I ran the binary, and all was good. But this morning, I tried to log into the server via SSH and I received this message:

YOU DIDN’T SAY THE MAGIC WORD!

YOU DIDN’T SAY THE MAGIC WORD!

YOU DIDN’T SAY THE MAGIC WORD!

It turns out that Teo got his mail account hacked, and fixutil was a targeted malware binary specifically built to destroy my webserver!

When I opened the website in my browser I got some crazy nonsense. The webserver files had been encrypted! Before you ask, I don’t have any other backups of the webserver (I know, I know, horrible practice, etc…), and I don’t want to tell my boss, he’ll fire me for sure.

Please access the web server and repair all the damage caused by fixutil. You can find the binary in my _home directory_. Here are my ssh credentials:

_Username: alex_

_Password: madeline_

I have set up a control panel to track your progress on port 1337. Access it via your web browser. As you repair the damage, you can refresh the page to receive those “flags” I know you love hoarding.
