⚔️Wargames 2024 Writeup

Here is my writeup for one of the challenges in Wargames 2024. I attempted this question after the competition as a way to learn and for future reference.

Tricky Malware

Level: Hard

Points: 481

Description: My SOC detected there is ransomware that decrypts files for fun. The script kiddie is so tricky. Here is some evidence that we successfully retrieved.

Download the file from the link. Extracting the .rar archive yields two files: memdump.mem and network.pcap.

Checking the PCAP file revealed quite a number of requests across different network protocols. While scrolling through the packets, a few caught my attention: several DNS requests for the pastebin website, which could hardly be coincidental in a CTF setup.

I ran strings on the memdump.mem file to see whether there were any references to pastebin in it, and found a few URLs to multiple pastebin pages. One section, which appears to be part of a script, links to a specific URL.
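The two manual steps above (spotting pastebin DNS lookups in the capture, then carving pastebin URLs out of the memory image) can be scripted for repeatable triage. The following is an added example written for this writeup, not code from the challenge or the competition; it assumes a classic pcap with Ethernet/IPv4/UDP framing (not pcapng), and the sample memory bytes and the paste ID ABCD1234 are constructed placeholders, not values from the real evidence.

```python
import re
import struct

SAMPLE_MEMDUMP = b"\x00\x00lorem\x00https://pastebin.com/raw/ABCD1234\x00GET /\x00pastebin.com\x00"  # constructed
PASTE_RE = re.compile(rb"https?://pastebin\.com/[A-Za-z0-9/]+")

def dns_query_names(pcap: bytes) -> list:
    """Return QNAMEs of DNS queries (UDP dst port 53) in a classic pcap with Ethernet/IPv4 framing."""
    endian = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    off, names = 24, []                     # skip the 24-byte global header
    while off + 16 <= len(pcap):
        caplen = struct.unpack(endian + "IIII", pcap[off:off + 16])[2]
        pkt = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00" or pkt[23] != 17:
            continue                        # not IPv4 over Ethernet, or IP protocol is not UDP
        ihl = (pkt[14] & 0x0F) * 4          # IPv4 header length from the IHL nibble
        udp = pkt[14 + ihl:]
        if len(udp) < 20 or struct.unpack("!H", udp[2:4])[0] != 53:
            continue                        # not a query to port 53, or too short for a DNS header
        dns = udp[8:]
        labels, p = [], 12                  # QNAME starts right after the 12-byte DNS header
        while p < len(dns) and dns[p]:
            n = dns[p]
            labels.append(dns[p + 1:p + 1 + n].decode("ascii", "replace"))
            p += 1 + n
        names.append(".".join(labels))
    return names

def pastebin_urls(memdump: bytes) -> list:
    """Deduplicated pastebin URLs carved from a raw memory image, the way strings | grep would."""
    return sorted({m.decode() for m in PASTE_RE.findall(memdump)})

def dns_query_packet(qname: str) -> bytes:
    """Build a constructed Ethernet/IPv4/UDP DNS A query for qname (test input, not captured traffic)."""
    q = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + q + b"\x00\x01\x00\x01"
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 5]), bytes([10, 0, 0, 1])) + udp
    return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip

def build_pcap(packets) -> bytes:
    """Wrap raw frames in a little-endian classic pcap (linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for p in packets:
        out += struct.pack("<IIII", 0, 0, len(p), len(p)) + p
    return out
```

On the real evidence you would call dns_query_names on the bytes of network.pcap and pastebin_urls on the bytes of memdump.mem, then filter the query names for "pastebin" to pair the lookups with the carved URLs.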

Accessed the website and boom, there's the flag!

Flag: WGMY{8b9777c8d7da5b10b65165489302af32}

Wished I had enough time to submit this one during the competition, but oh well. Need to fix my skill issues before the upcoming CTF. I believe the intended solution is more technical than this method; I'll explore it further and update this post from time to time.

Overall, Wargames is a great CTF that often exceeds my expectations and pushes me to keep levelling up my skills. See ya in the next post!